Public Key Encryption

1
Public Key Encryption Oblivious Transfer
Sampath Kannan
ATT and U. Penn
Joint work with Yael Gertner, Tal Malkin, Omer
Reingold, Mahesh Viswanathan
2
Public key cryptography is founded on (unproven)
complexity-theoretic assumptions. For example,
the El Gamal cryptosystem is based on the
assumption that finding discrete logarithms is
hard. Since any assumption could turn out to be
false we would like to base the feasibility of
each cryptographic task on the weakest possible
assumption.
Notation PPTM probabilistic poly-time
machine... most parties in protocols will be
PPTMs.
3
Important Cryptographic tasks

• 1. Oblivious Transfer (OT)
• (1-out-of-2)-OT protocol between PPTMs
  Alice and Bob
• Alice has two k-bit secrets .
• Bob has bit b.

• Secure OT protocol (malicious OT)
• Bob learns with probability 1.
• There is no PPTM A which learns b when
  interacting with Bob with probability gt 1/2
  1/poly.
• There is no PPTM B which learns when
  interacting with Alice with probability gt 1/2
  1/poly.

Variant (Honest OT) Above definition,
but A and B are required to follow the
correct protocol. They may try to compute
additional information at the end.
4

• 2. Public Key Encryption
• PKE Three PPTMs (G,E,D)
• G is algorithm for key generation... generates
  pair (PK,SK).
• E and D are encryption and decryption
  algorithms satisfying D(E(m,PK),SK) m for
  all messages m, all pairs (PK,SK), and all
  coin tosses of E.

The security requirement on PKE is semantic
security, i.e., for a passive attacker the
encrypted message conveys no information about
the message that was not already known.
5
State of Knowledge Before Our Work
One way functions
PKE Trapdoor Predicates 2-round Key Agreement
OT Multiparty Computation
?
Trapdoor Permutations
6
Prior Separation Results

• There is an oracle relative to which one-way
  functions exist but secret key agreement is
  not possible. Impagliazzo Rudich
• There is an oracle relative to which k1-round
  secret key agreement is possible but not
  k-round secret key agreement. Rudich

What do these results mean? (e.g., the
first.) It means that there is no black box way
of using one way functions to get a protocol for
secret key agreement (since black box proofs
relativize). Most known reductions in
cryptography are black box reductions.
7
Our results

• Oracle relative to which PKE exists but not OT.
• Oracle relative to which OT exists but not PKE.
• 2-round OT implies PKE.
• PKE with special assumptions implies OT.
• While k-round OT implies k-round secret key
  agreement, there is an oracle relative to which
  there is secret key agreement but not OT.

8
2-round OT implies PKE
General 2-round OT protocol
A
B
PKE from above protocol

• G chooses at random, runs and
  outputs
• E on message m runs and sets
  ciphertext
• D given SK and c runs to produce
  .

Security of PKE can be proved from security of OT.
9
Oracle allowing 3-round OT but not PKE

• Oracle contains following functions
• Function f such that f(x) is random and f(x)
  3x (with probability 1, f is 1-1 on large
  inputs).
• Function R such that R(x, f(y.f(x))) R(y,
  f(x.f(y))) random output of length x y.
  R is random everywhere else.

(R is motivated by the intuition behind the
Diffie-Hellman secret-key agreement protocol
which is based on the difficulty of the discrete
log.)
10

• Honest OT based on oracle
• Alice receives and Bob receives bit .
• Alice picks random and sends
  .
• Bob picks random If he
  sends

to Alice.

• Alice sends

• Bob can compute the secret

11
Conclusions Our upper and lower bounds are
fairly tight. For example, we show that
2-round OT implies PKE but 3-round OT does
not, at least in a black box sense. We also
show that PKE with one of two assumptions
implies OT, but there is an oracle relative to
which there is PKE (not satisfying either
assumption) and no OT. There are several
corollaries to be drawn from these results
For example there is a world in which trapdoor
predicates exist, but no trapdoor permutations.