- Oblivious Transfer: definitions
- Keeping the receiver honest
- Security of the receiver
- Is the sender secure?
- Proof of knowledge
- The OT protocol
- References

Last time we defined Oblivious Transfer, and presented a protocol that is secure, provided the receiver is semihonest. However, if the receiver runs a different protocol, then it can learn both inputs of the senders without even be detected: the receiver can choose both y_0 = f(x_0) and y_1 = f(x_1) such that he knows x_0 and x_1. In this lecture we show how to modify the protocol to make sure that the received behaves in the proper way. Recall the definition of OT for malicious parties.

- For any (possibly cheating) PPT sender S', the ensambles {View_S'[S',R(0)]} and {View_S'[S',R(1)]} are indistinguishable.
- For any (possibly cheating) PPT receiver R', there is an "ideal" adversary that simulates the interaction between R' and S. Here an ideal adversary is a probabilitic machine that given randomness r, outputs a query bit q = Q(r). Then, on input v_q, it outputs the simulated view for R'. We require that {Sim(r,v_{Q(r)})} is computationally indistinguishable from {View_R'[S(v_0,v_1),R']}

In order to make the above protocol secure with respect to arbitrary receivers, we need to make sure that R is following the protocol. This can be achieved using general tools from ZK. Consider the enhanced protocol:

- R chooses a random y', and sends a commitment q = com(y',r) to S
- S chooses permutation f (with trapdoor t) and random y'', and sends (f,y'') to R
- As before, R chooses x_c at random, and set y_c = f(x_c) and y_{not c} = y' + y''.
- R sends y_0, and y_1 to S, and prooves in zero knowledge that (y_0,y_1,q) belongs to the NP language L of all strings such that for some (c,r), com(y_{not c} + y'',r) = q
- If the sender accepts the ZK proof, then it replies with u_0 and u_1 computed as above
- The receiver recovers u_c + B(x_c) mod 2

Last time, we showed that the view of the sender is independent of the receiver input, and therefore the protocol protects the receiver from any (malicious) attempt to learn the receiver input. This time things are not as simple, still, using the ZK property, we can show that the views of the sender (when the receiver input is 0 or 1) are computationally indistinguishable.

Let S' be a cheating sender. We want to prove that distributions View_S'[S',R(0)] and View_S'[S',R(0)] are computationally indistinguishable. We introduce several auxiliary distributions.

First define a cheating verifier V for the ZK proof system for language L. Let (y_0,y_1,q) the input string for the proof system. The verifier V simulate S' as follows: send q to S', and let (f,y'') be the output of S'. Then, send (y_0,y_1) to S', and starts interacting with the prover P. Messages from P are passed to S', and messages from S' are forwarded to P.

Let ZKSim the simulator for ZK proof corresponding to verifier V.

Consider the auxiliary distribution Aux0 obtained as follows: generate distribution View_S'[S',R(0)]. Let y_0, y_1 and q as they appear in the transcript. Run ZKSim(y_0,y_1,q) to obtain a simulated transcript of the interaction between cheating verifier V and prover P. Substitute the interactive proof that (y_0,y_1,q) belongs to L in View_S'[S',R(0)] with the simulated proof output by ZKSim.

It follows from the definition of ZKSim that Aux0 is indistinguishable from View_S'[S',R(0)]. Similarly, define Aux1 starting from View_S'[S',R(1)].

We need to prove that Aux0 and Aux1 are indistinguishable.

Define two more auxiliary distributions: Aux0q obtained from Aux0 replacing q = com(y',r) with q = com(0,r), and Aux1q obtained from Aux1 replacing q=com(y',r) with q=com(0,r). It follows from the hiding property of the commitment scheme that Aux0 is computationally indistinguishable from Aux1q (otherwise we can use the distinguisher to tell a commitment to 0 apart from a commitment to a random value.) Similarly Aux1 is computationally indistinguishable from Aux1q.

Finally, it is easy to check by inspection that distributions Aux0q and Aux1q are identical. To see this consider how the distributions are build:

- Choose y' at random, compute q = com(0,r) and sends q to S'.
- Get (f,y'') from S''
- Choose random x_c, set y_c = f(x_c) and y_{not c} = y' + y''

This concludes the proof that View_S'[S',R(0)] is indistinguishable from
View_S'[S',R(1)]. Formally, if D is a distinguisher such that

|Pr{ D(View_S'[S',R(0)]) = 1 } - Pr{ D(View_S'[S',R(1)]) = 1}| > adv

then, by triangle inequality, one of the following is true

- |Pr{ D(View_S'[S',R(0)]) = 1 } - Pr{ D(Aux0) = 1 }| > adv/4, contradicting the security of the ZK proof
- |Pr{ D(Aux0) = 1 } - Pr{ D(Aux0q) = 1}| > adv/4, contradicting the security of the commitment scheme
- |Pr{ D(Aux1q) = 1 } - Pr{ D(Aux1) = 1}| > adv/4, contradicting the security of the commitment scheme
- |Pr{ D(Aux1) = 1 } - Pr{ D(View_S'[S',R(1)]) = 1}| > adv/4, contradicting the security of the ZK proof

This shows that even if in the new protocol the receiver is sending a lot of additional information to the sender, the use of ZK proofs makes this information computationally hard to be extracted from the sender's view.

We now consider the security of the sender. Let R' be a cheating receiver. We want to construct a corresponding simulator Sim. The simulator works by emulating R' as follows:

- Initialize R' with some randomness
- Get commitment q from R'
- Send random (f,y'') to R'
- Receive (y_0,y_1) from R'
- Engage in an interactive proof with R', where R' proves that (y_0,y_1,q) belongs to L
- If the proof is not accepter than we terminate the simulation with S aborting the protocol

But what if the proof is accepted? In this case we need to send bits u_0 and u_1 to R'. One of them can be easily computed quering the ideal sender for v_c, and setting u_c = v_c + B(f^{-1}(y_c). The other bit u_{not c} is set at random. It can be shown as in the honest receiver case that this is indistinguishable from a real interaction, provided R' "does not know" f^{-1}(y_{not c}). Notice that since the commitment scheme is perfectly binding, then choosing y'' at random effectively induces a uniform probability distribution on y_{not c} = y'+y'', and B(f^{-1}(y_{not c})) is computationally unpredictable. The problem is: how do we find out the right value of c? If we knew the value of y', then we could easily find out c by comparing y'+y'' with y_0 and y_1.

Assume for simplicity that the interactive proof is always accepted. (The general case is similar, but some care is needed to make the sender abort with the right probability.) After reaching step 5, we rewind R' to step 3 and send a different (randomly chosen) Y'', to get Y_0 and Y_1. Since the commitment is perfectly binding, in order to get both (y_0,y_1,q) and (Y_0,Y_1,q) in L it must be y_0 - y'' = Y_0 - Y'' or y_1 - y'' = Y_1 - Y'' (or both). Let c be such that y_{not c} - y'' = Y_{not c} - Y''. Then it must be y' = y_c - y''.

Once we know y', when we receive (y_0,y_1) we can recover c by comparing y'+y'' with y_0 and y_1.

Several details are missing from the above proof. Can you complete the proof? Is this protocol secure? Can you find an attack? Think about it. We will answer this question in the next lecture.

Most of the material presented in this lecture can be extracted from the survey/tutorial

O. Goldreich, Secure Multi-Party Computation.

Section 2.3 presents the general method to enforce honest behaviour based on zero knowledge. Our construction is essentially a specialized version of the transformation described in Section 2.3.