Communications in Cryptology IACR CiC

Tighter Concrete Security for the Simplest OT

Authors

Iftach Haitner, Gil Segev
Iftach Haitner ORCID
Stellar Development Foundation, USA
Tel-Aviv University, Israel
iftachh at tauex dot tau dot ac dot il
Gil Segev ORCID
School of Computer Science and Engineering, Hebrew University of Jerusalem, Israel
Coinbase, USA
segev at cs dot huji dot ac dot il
Keywords: Oblivious Transfer Concrete Security

Abstract

The Chou-Orlandi batch oblivious transfer (OT) protocol is a particularly attractive OT protocol that bridges the gap between practical efficiency and strong security guarantees and is especially notable due to its simplicity. The security analysis provided by Chou and Orlandi bases the security of their protocol on the hardness of the computational Diffie-Hellman (CDH) problem in prime-order groups. Concretely, in groups in which no better-than-generic algorithms are known for the CDH problem, their security analysis yields that an attacker running in time $t$ and issuing $q$ random-oracle queries breaks the security of their protocol with probability at most $\epsilon \leq q^2 \cdot t / 2^{\kappa/2}$, where $\kappa$ is the bit-length of the group's order. This concrete bound, however, is somewhat insufficient for 256-bit groups (e.g., for $\kappa = 256$, it does not provide any guarantee already for $t = 2^{48}$ and $q = 2^{40}$).

In this work, we establish a tighter concrete security bound for the Chou-Orlandi protocol. First, we introduce the list square Diffie-Hellman problem and present a tight reduction from the security of the protocol to the hardness of solving the list square Diffie-Hellman problem. That is, we completely shift the task of analyzing the concrete security of the protocol to that of analyzing the concrete hardness of the list square Diffie-Hellman problem. Second, we reduce the hardness of the list square Diffie-Hellman problem to that of the decisional Diffie-Hellman (DDH) problem without incurring a multiplicative loss. Our key observation is that although CDH and DDH have the same assumed concrete hardness, relying on the hardness of DDH enables our reduction to efficiently test the correctness of the solutions it produces.

Concretely, in groups in which no better-than-generic algorithms are known for the DDH problem, our analysis yields that an attacker running in time $t$ and issuing $q \leq t$ random-oracle queries breaks the security of the Chou-Orlandi protocol with probability at most $\epsilon \leq t / 2^{\kappa/2}$ (i.e., we eliminate the above multiplicative $q^2$ term). We prove our results within the standard real-vs-ideal framework considering static corruptions by malicious adversaries, and provide a concrete security treatment by accounting for the statistical distance between a real-model execution and an ideal-model execution.

References

[AIR01]
William Aiello, Yuval Ishai, and Omer Reingold. Priced Oblivious Transfer: How to Sell Digital Goods. In Birgit Pfitzmann, editor, Advances in Cryptology – EUROCRYPT 2001, volume 2045 of Lecture Notes in Computer Science, pages 119–135. May 2001. DOI: 10.1007/3-540-44987-6_8
Google Scholar ePrint
[ANS10]
Yuriy Arbitman, Moni Naor, and Gil Segev. Backyard Cuckoo Hashing: Constant Worst-Case Operations with a Succinct Representation. In 51st Annual Symposium on Foundations of Computer Science, pages 787–796. October 2010. IEEE Computer Society Press. DOI: 10.1109/FOCS.2010.80
Google Scholar ePrint
[BCP04]
Emmanuel Bresson, Olivier Chevassut, and David Pointcheval. New Security Results on Encrypted Key Exchange. In Feng Bao, Robert Deng, and Jianying Zhou, editors, PKC 2004: 7th International Workshop on Theory and Practice in Public Key Cryptography, volume 2947 of Lecture Notes in Computer Science, pages 145–158. March 2004. Springer, Heidelberg. DOI: 10.1007/978-3-540-24632-9_11
Google Scholar ePrint
[BM90]
Mihir Bellare and Silvio Micali. Non-Interactive Oblivious Transfer and Applications. In Gilles Brassard, editor, Advances in Cryptology – CRYPTO'89, volume 435 of Lecture Notes in Computer Science, pages 547–557. August 1990. DOI: 10.1007/0-387-34805-0_48
Google Scholar ePrint
[Can01]
Ran Canetti. Universally Composable Security: A New Paradigm for Cryptographic Protocols. In 42nd Annual Symposium on Foundations of Computer Science, pages 136–145. October 2001. IEEE Computer Society Press. DOI: 10.1109/SFCS.2001.959888
Google Scholar ePrint
[CO15a]
Tung Chou and Claudio Orlandi. The Simplest Protocol for Oblivious Transfer. In Kristin E. Lauter and Francisco Rodríguez-Henríquez, editors, Progress in Cryptology - LATINCRYPT 2015: 4th International Conference on Cryptology and Information Security in Latin America, volume 9230 of Lecture Notes in Computer Science, pages 40–58. August 2015. Springer, Heidelberg. DOI: 10.1007/978-3-319-22174-8_3
Google Scholar ePrint
[CO15b]
Tung Chou and Claudio Orlandi. The Simplest Protocol for Oblivious Transfer. https://eprint.iacr.org/2015/267. Cryptology ePrint Archive, Report 2015/267. 2015.
Google Scholar ePrint
[EGL85]
Shimon Even, Oded Goldreich, and Abraham Lempel. A Randomized Protocol for Signing Contracts.. Communications of the ACM, 28(6):637-647, 1985. DOI: 10.1145/3812.3818
Google Scholar ePrint
[FS87]
Amos Fiat and Adi Shamir. How to Prove Yourself: Practical Solutions to Identification and Signature Problems. In Andrew M. Odlyzko, editor, Advances in Cryptology – CRYPTO'86, volume 263 of Lecture Notes in Computer Science, pages 186–194. August 1987. DOI: 10.1007/3-540-47721-7_12
Google Scholar ePrint
[KLR10]
Eyal Kushilevitz, Yehuda Lindell, and Tal Rabin. Information-Theoretically Secure Protocols and Security under Composition. SIAM Journal on Computing, 39(5):2090–2112, 2010. DOI: 10.1137/090755886
Google Scholar ePrint
[Lin08]
Andrew Y. Lindell. Efficient Fully-Simulatable Oblivious Transfer. In Tal Malkin, editor, Topics in Cryptology – CT-RSA 2008, volume 4964 of Lecture Notes in Computer Science, pages 52–70. April 2008. DOI: 10.1007/978-3-540-79263-5_4
Google Scholar ePrint
[Mau05]
Ueli M. Maurer. Abstract Models of Computation in Cryptography (Invited Paper). In Nigel P. Smart, editor, 10th IMA International Conference on Cryptography and Coding, volume 3796 of Lecture Notes in Computer Science, pages 1–12. December 2005. DOI: 10.1007/11586821_1
Google Scholar ePrint
[NP01]
Moni Naor and Benny Pinkas. Efficient Oblivious Transfer Protocols. In S. Rao Kosaraju, editor, 12th Annual ACM-SIAM Symposium on Discrete Algorithms, pages 448–457. January 2001. ACM-SIAM.
Google Scholar ePrint
[Pag00]
Rasmus Pagh. Faster deterministic dictionaries. In David B. Shmoys, editor, 11th Annual ACM-SIAM Symposium on Discrete Algorithms, pages 487–493. January 2000. ACM-SIAM.
Google Scholar ePrint
[PR04]
Rasmus Pagh and Flemming Friche Rodler. Cuckoo hashing. Journal of Algorithms, 51(2):122-144, 2004. DOI: https://doi.org/10.1016/j.jalgor.2003.12.002
Google Scholar ePrint
[PVW08]
Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A Framework for Efficient and Composable Oblivious Transfer. In David Wagner, editor, Advances in Cryptology – CRYPTO 2008, volume 5157 of Lecture Notes in Computer Science, pages 554–571. August 2008. DOI: 10.1007/978-3-540-85174-5_31
Google Scholar ePrint
[Rab81]
Michael O. Rabin. How to exchange secret by oblivious transfer. Technical Report TR-81, Harvard University. 1981.
Google Scholar ePrint
[Sho97]
Victor Shoup. Lower Bounds for Discrete Logarithms and Related Problems. In Walter Fumy, editor, Advances in Cryptology – EUROCRYPT'97, volume 1233 of Lecture Notes in Computer Science, pages 256–266. May 1997. Springer, Heidelberg. DOI: 10.1007/3-540-69053-0_18
Google Scholar ePrint

PDFPDF Open access

DOI: https://doi.org/10.62056/akp2fhsfg
History
Submitted: 2024-12-31
Accepted: 2025-03-11
Published: 2025-04-08
How to cite

Iftach Haitner and Gil Segev, Tighter Concrete Security for the Simplest OT. IACR Communications in Cryptology, vol. 2, no. 1, Apr 08, 2025, doi: 10.62056/akp2fhsfg.

License

Copyright is held by the author(s)

This work is licensed under a Creative Commons Attribution (CC BY) license.