Last time we consider an OT protocol that is intuitively secure even with respect to cheating parties. We showed that using zero knowledge proofs one can formally prove that the receiver is still secure, albeit only in a computational sense. The question we didn't completely answer is: is the sender secure?

As a reminder, this is the protocol:

- R chooses a random y', and sends a commitment q = com(y',r) to S
- S chooses permutation f (with trapdoor t) and random y'', and sends (f,y'') to R
- As before, R chooses x_c at random, and set y_c = f(x_c) and y_{not c} = y' + y''.
- R sends y_0, and y_1 to S, and prooves in zero knowledge that (y_0,y_1,q) belongs to the NP language L of all strings such that for some (c,r), com(y_{not c} + y'',r) = q
- If the sender accepts the ZK proof, then it replies with u_0 and u_1 computed as above
- The receiver recovers u_c + B(x_c) mod 2

Well, it turns out that the protocol is not secure, stressing the importance of rigorous proofs when security is at stake. Consider the following attack: the receiver commits to a random y', receives (f,y'') from the sender, and set y_0 = y_1 = y' + y''. Clearly, (y_0,y_0,q) belongs to L, and R knows an NP witness, so the sender accepts the zero knowledge proof, and replies with u_0 = v_0 + B(x) and u_1 = u_1 + B(x). One can show that the receiver does not learn neither v_0 nor v_1. However, R learns partial information about both bits: R learns if v_0 and v_1 are the same or not.

The receiver is not learning v_0, is not learning v_1, but still it is learning something! In order to solve this problem, we need to modify the protocol in such a way that the receiver proves not only that he is not learning one of the bits, but also that he is learning the other one. Technically, the receiver needs to prove that one of the y_c has been computed as y_c = f(x_c), and the receiver "knows" x_c. What we want to prove is not just membership of a string in an NP language (using the witness to efficiently implement the prover), but prove that the prover knows an NP witness.

An interactive proof system (P,V) for an NP language L = {x | xRw for some w} is a proof of knowledge (of NP-witness w), if there exists a probabilistic polynomial time algorithm K (the knowledge extractor) such that for any x in L, and possibly cheating prover P', if (P',V(x)) makes V accepts (with high probability), then K (given oracle access to P') outputs a w such that xRw. Formally, we require that there a negligible function m(.) and a probabilistic polynomial time oracle machine K, such that for every x,w and r, if P'(x,w,r) makes V accepts with probability bigger than m(s), then xR(Output_K[K(x),P'(x,y,r)]) with probability at least 1 - m(s).

Remark: the above definition is a so called "STONG proog of knowledge". Weaker notions include a (possibly nonnegligible) "knowledge error" and typically use knowledge extractors that run in expected polynomial time. The function m(.) is introduced for technical reasongs to avoid some complications related to the notion of expected polynomial time. You can assume m(.) is a very small function, say, an exponentially decreasing m(s) = 1/2^s.

A zero knowledge proof of knowledge is a proof of knowledge that satisfies the standard definition of ZK for interactive proof systems. It is easy to see that the (sequential repetition of s copies of the) zero knowledge proof system for Hamiltonian graph described earlier is a ZKPK. The intuition is that the knowledge extractor K, given a prover P' such that (P',V(x)) accepts with probability higher than 1/2, simulates P' and asks first question 0, then rewinds P', and ask question 1. From the two answers, one can efficiently reconstruct a Hamiltonian cycle. See references for details.

In order to prove the security of the protocol, we replace the ZK proof that (y_0,y_1,q) belongs to L with a ZKPK of (c,r,x) such that com(y_{not c} + y'',r) = q and y_c = f(x). Notice that since f is a permutation, this relation defines exaclty the same language L as before, however, the witnesses for this new relation contain more information that the original witnesses. We use these witnesses, together with the knowledge extractor, to prove the security of the new protocol. Notice that any ZKPK is also a zero knowledge proof. So the proof of security for the receiver is the same as before.

We prove the security of the sender. Let R' be the cheating verifier and assume wlog that R' is deterministic. Let q be the commitment output by R'. Since the commitment scheme is perfectly binding, this uniquely determine an opening value y'. First of all we want to determine this value. Consider the prover for the ZKPK obtained passing a random f and y'' to R'. (At this point R' output (y_0,y_1) and then perform a ZKPK.) Using the knowledge extractor we obtain (c,r,x) such that y' = y_{not c} + y''. If the knowledge extractor fail, then we know that (except with negligible probability), the proof of knowledge is always rejected by the sender, and we can easily simulate R' view without knowing the sender's inputs. Using the knowledge of x, we can easily simulate the view of the receiver: after the end of the proof of knowledge, the sender transmits u_c = B(x) + v_c and a random u_{not c}.

Some care is needed to ensure that aborting conversations are produced with the right probability. The proof that the simulated distribution is computationally indistinguishable from the real view of R' is essentially the same as for the semihonest case: if one can tell the difference between the two distributions, then one can predict hardcore predicate B. Details follow.

The simulator for the cheating receiver R' works as follow. Let m(.) be the negligible functions associated to the ZKPK used. (Notice, the zero knowledge property is relevant only to protect the receiver. The sender should be secure whether or not the proof of knowledge is zero knowledge.)

- Simulate the cheating receiver R' to get a commitment q. This uniquely defines a committed value y', although at this point this value is not known to the simulator.
- Pass to R' a randomly chosen f and y''.
- Get (y_0,y_1) from R'. Let P' be the residual computation of R' after sending (y_0,y_1)
- Run the knowledge extractor with access to P'.
- If K outputs a solution (c,r,x) such that y' = y_{not c} + y'',
com(y',r) = q and y_c = f(x):
- Ask for the value of x_c in the ideal protocol.
- Resume the simulation of R' (from step 3), running it with the honest verifier V.
- If V rejects the proof, then the sender aborst, otherwise it replies with u_0,u_1, where u_c = v_c + B(x) and u_{not c} is random

- If K fails, then resume the simulation of R' (from step 3), running it with the honest verifier V. If V rejects the proof, then the sender aborts the protocol. If V accepts the proof than the simulator fails.

We need to prove that the output of this simulator is indistinguishable from the view View_R'[S(x_0,x_1),R']. Notice that the simulated interaction at steps 1,2,3 is exactly the same as in the real view. After step 4, we distinguish two cases:

- The probability that P' convinces V is less than m(sec.param.). Either if we execute step 5 or step 6, the verifier V is going to reject the proof with probability at least 1 - negligible. So, with probability close to 1, the output of the simulator consists of a rejecting conversation between P' and V, and the sender aborting the protocol. This is statistically close (up to m(s) statistical distance) from the real view of R'
- The probability that P' convinces V is at least m(sec. param.). In this case, the knoweldge extractor finds (y',c,r,x) and we execute step 5. The output of the simulator at step 5 is identical to the real view of R', except possibly for the value of u_{not c}. We need to prove that telling if this last bit is correct is computationally unfeasible. The proof is similar to the honest receiver case: we show that if you can tell the difference, you can predict B(X) from a random f(X). Let Y = f(X) be a random value for which we want to compute B(X). We run R' to get the same commitment q = com(y',r), and reply with (f,y'' = Y+y'). The rest of the proof is analogous to the honest receiver case.

Most of the material presented in this lecture can be extracted from the survey/tutorial

O. Goldreich, Secure Multi-Party Computation.

Section 2.3 presents the general method to enforce honest behaviour based on ZKPK. Our construction is essentially a specialized version of the transformation described in Section 2.3. The ZKPK for Hamiltonian cycle described earlier is briefly presented in Chapter 1 of the survey. For a more extensive introduction to ZKPK see

Oded Goldreich, Foundations of
Cryptography, vol. 1 (Basic tools), Cambridge Univ. Press., 2001

(Fragments of a preliminary version of the book are available here.)