Oblivious Transfer

In this paper we address the issue of privacy preserving data mining. Specifically, we consider a scenario in which two parties owning confidential databases wish to run a data mining algorithm on the union of their databases, without revealing any unnecessary information. Our work is motivated by the need both to protect privileged information and to enable its use for research or other purposes.

Digital Rights Management (DRM) is required to provide balanced protection for both the content provider and the users in a content distribution system. The content provider demands secure content delivery so that only authorized users are able to access the content and use it properly. On the other hand, users require that their privacy be protected. However, most DRM systems tend to put greater emphasis on content providers' security and neglect users' privacy. This study aims to improve DRM by constructing a content distribution protocol that preserves the security of content provider and the privacy of users. To achieve this goal, we utilize the oblivious transfer (OT) concept. This concept allows a sender to securely send a set of information to a receiver in such a way that, at the end of the protocol, the receiver cannot learn more than he was supposed to learn, while the sender cannot determine what the receiver has learned. Assuming that tamper-proof device exists, ...

We consider the problem of designing an efficient oblivious transfer (OT) protocol that is provably secure in a concurrent setting, i.e., where many OT sessions may be running concurrently with their messages interleaved arbitrarily. Known OT protocols use zero-knowledge proofs, and no concurrent zero-knowledge proofs are known that use less than a poly-logarithmic number of rounds (at least without requiring a pre-processing phase, a public random string, an auxiliary string, timing constraints, or pre-distributed public keys). We introduce a model for proving security of concurrent OT protocols, and present a protocol that is proven secure in this model based on the Decisional Diffie-Hellman problem. The protocol is efficient, requiring only a slightly non-constant number of rounds.

First and foremost, I would like to thank Markulf Kohlweiss, who has been a great supervisor for me. I am grateful to him for all the work he has done for this thesis, for the interest he has always shown, for his patience when answering questions, for all the time he has spent with me, for being kind and helpful and for everything I have learnt from him. My gratitude also goes to Claudia Diaz for letting me work at COSIC and for supporting and helping me whenever necessary. My sincere thanks for her useful advices and discussions. Gregory Neven has been an inexhaustible source of inspiration. Since many concepts developed here are based on his previous work, I feel that I have been truly privileged having him as my assessor. I am grateful for his interest and for his important comments. I am very grateful to Caroline Sheedy, who has also collaborated on this work. I would like to thank her for encourage me and for all the discussions we had. I would also like to thank Jan Camenisch for proposing the data retention scenario. The ESAT-SCD-COSIC research group at Katholieke Universiteit Leuven has been a motivating and helpful environment. Particularly, I am very grateful to my officemate Stefan Schiffner for creating a nice working atmosphere, for helping me with every technical or administrative doubt and for his comments on how to structure and typeset a thesis.

In the Probabilistic I/O Automata (PIOA) framework, nondeterministic choices are resolved using perfect-information schedulers, which are similar to history-dependent policies for Markov decision processes (MDPs). These schedulers are too powerful in the setting of security analysis, leading to unrealistic adversarial behaviors. Therefore, we introduce in this paper a novel mechanism of task partitions for PIOAs. This allows us to define partial-information adversaries in a systematic manner, namely, via sequences of tasks. The resulting task-PIOA framework comes with simple notions of external behavior and implementation, and supports simple compositionality results. A new type of simulation relation is defined and proven sound with respect to our notion of implementation. To illustrate the potential of this framework, we summarize our verification of an Oblivious Transfer protocol, where we combine formal and computational analyses. Finally, we present an extension with extra expressive power, using local schedulers of individual components.

We present protocols for two flavors of oblivious transfer (OT): the Rabin and 1-out-of-2 OT based on the assumptions related to security of the McEliece cryptosystem and two zero-knowledge identification (ZKID) schemes, Stern's from Crypto '93 and Shamir's from Crypto '89, which are based on syndrome decoding and permuted kernels, respectively. This is a step towards diversifying computational assumptions on which OT-cryptographic primitive of central importance-can be based. As a by-product, we expose new interesting applications for both ZKID schemes: Stern's can be used for proving correctness of McEliece encryption, while Shamir's-for proving that some matrix represents a permuted subcode of a given code. Unfortunately, it turned out to be difficult to reduce the sender's security of both schemes to a hard problem, although the intuition suggests a successful attack may allow to solve some long-standing problems in coding theory.

In today's heterogeneous network environment, there is a growing demand for distrusted parties to jointly execute distributed algorithms on private data whose secrecy needed to be safeguarded. Protocols that support such kind of joint computation without complete sharing of information are called Secure Multiparty Computation (SMC) protocols. Applying SMC protocols in image processing is a challenging problem. Most of the existing SMC protocols are implemented based on cryptographic primitives like Oblivious Transfer that are too computational intensive for pixel-based operations. In this paper, we develop two efficient SMC protocols for distributed linear image filtering between two parties, one party with the original image and the other with the image filter. The first protocol is based on a combination of rank reduction and random permutation. The second one uses random perturbation with the help of a noncolluding third party. Experimental results show that both of them execute significantly faster than oblivious-transfer based techniques.

ABSTRACT In this paper, we provide the first scheme that realises an attribute-based access control system for static resources that offers maximal privacy and is secure in the universal composability framework (UC). More precisely, we offer a protocol for adaptive oblivious transfer, where the sender can enforce an attribute-based access control policy for each record and nevertheless learns neither which record a user retrieves nor which attributes a user has. As additional results we provide a new structure-preserving signature scheme from the SXDH assumption and a new universally composable adaptive oblivious transfer protocol that is secure under two DDH-like assumptions and is the most efficient one secure under ``non $q$-type'' assumptions. We believe the new signature scheme to be of independent interest as a building block that is compatible with Groth-Sahai non-interactive zero-knowledge proofs.

Advances in modern cryptography coupled with rapid growth in processing and communication speeds make secure two-party computation a realis- tic paradigm. Yet, thus far, interest in this paradigm has remained mostly theoretical. This paper introduces Fairplay (29), a full-fledged system that implements generic secure function eval- uation (SFE). Fairplay comprises of a high level pro- cedural definition language called SFDL

We consider the problem of sending messages \into the future." Previous constructions for this task were either based on heuristic assumptions or did not provide anonymity to the sender of the message. In the public-key setting, we present an e cient and secure timed-release encryption scheme using a \time server" which inputs the current time into the system. The server has to only interact with the receiver and never learns the sender's identity. The scheme's computational and communicational cost per request are only logarithmic in the time parameter. The construction of our scheme is based on a novel cryptographic primitive: a variant of oblivious transfer which we call conditional oblivious transfer. We de ne this primitive (which may be of independent interest) and show an e cient construction for an instance of this new primitive based on the quadratic residuosity assumption.

Recent results of Ajtai on the hardness of lattice problems have inspired several cryptographic protocols. At Crypto ’97, Goldreich, Goldwasser and Halevi proposed a public-key cryptosystem based on the closest vector problem in a lattice, which is known to be NP-hard. We show that there is a major flaw in the design of the scheme which has two implications: any ciphertext leaks information on the plaintext, and the problem of decrypting ciphertexts can be reduced to a special closest vector problem which is much easier than the general problem. As an application, we solved four out of the five numerical challenges proposed on the Internet by the authors of the cryptosystem. At least two of those four challenges were conjectured to be intractable. We discuss ways to prevent the flaw, but conclude that, even modified, the scheme cannot provide sufficient security without being impractical.

We show how to implement cryptographic primitives based on the realistic assumption that quantum storage of qubits is noisy. We thereby consider individual-storage attacks, i.e. the dishonest party attempts to store each incoming qubit separately. Our model is similar to the model of bounded-quantum storage, however, we consider an explicit noise model inspired by present-day technology. To illustrate the power of this new model, we show that a protocol for oblivious transfer (OT) is secure for any amount of quantum-storage noise, as long as honest players can perform perfect quantum operations. Our model also allows the security of protocols that cope with noise in the operations of the honest players and achieve more advanced tasks such as secure identification.

It was shown in [WST08] that cryptographic primitives can be implemented based on the assumption that quantum storage of qubits is noisy. In this work we analyze a protocol for the universal task of oblivious transfer that can be implemented using quantum-key-distribution (QKD) hardware in the practical setting where honest participants are unable to perform noisefree operations. We derive trade-offs between the amount of storage noise, the amount of noise in the operations performed by the honest participants and the security of oblivious transfer which are greatly improved compared to the results in [WST08]. As an example, we show that for the case of depolarizing noise in storage we can obtain secure oblivious transfer as long as the quantum bit-error rate of the channel does not exceed 11% and the noise on the channel is strictly less than the quantum storage noise. This is optimal for the protocol considered. Finally, we show that our analysis easily carries over to quantum protocols for secure identification.

The main cryptographic primitives (Bit Commitment (BC) and Oblivious Transfer (OT) protocols) based on noisy channels have been considered in [1] for asymptotic case. Non-asymptotic behavior of BC protocol has been demonstrated in [2]. The current paper provides stricter asymptotic conditions on Binary Symmetric Channel (BSC) to be feasible OT protocol proposed in [1]. We also generalize this protocol using different encoding and decoding methods that require to regain formulas for Renyi entropy. Nonasymptotic case (finite length of blocks transmitted between parties) is also presented. Some examples are given to demonstrate that these protocols are in fact reliable and information-theoretically secure. We also discuss the problem-how to extend (1 2)-OT protocol to (1 L)-OT protocol and how to arrange BSC connecting parties. Both BC and OT protocols can be used as components of more complex and more important for practice protocols like "Digital cash", "Secure election" or "Distance bounding".

The authors present some general techniques for establishing the cryptographic strength of a wide variety of games. As case studies, they analyze some weakened versions of the standard forms of oblivious transfer. They also consider variants of oblivious transfer that are motivated by coding theory and physics. Among their results, they show that a noisy telephone line is in fact a very sophisticated cryptographic device. They also present an application to quantum cryptography

The basic idea of our protocol is establishing a conference key based on oblivious transfer which can be used in either asymmetric or symmetric cryptography, such that we can reduce the number of decryptions for the key confirmation without sacrificing the level of security. In our proposed method, we break the conference key into several individual secret keys in accordance with the amount of members within the group. This individual key will be used by each member to sign (encrypt (asymmetrically)) the established conference key in the key confirmation procedure. Then, each member multiplies all signed conference keys and decrypting (asymmetrically) the multiplied signed conference key using the multiplicative inverse of his locally calculated conference key. Thus, each member only needs to perform one decryption for the key confirmation. Furthermore, by using the individual secret key, each member can directly communicate with each other by a support of the leader, while the leader does not gain any knowledge of messages which is exchanged between the communicating members. The last features can not be found in the previous method except in Li-Pieprzyk's. However, for the key generation we need only a less modular exponentiations than the former.

Designing efficient cryptographic protocols tolerating adaptive adversaries, who are able to corrupt parties on the fly as the computation proceeds, has been an elusive task. Indeed, thus far no efficient protocols achieve adaptive security for general multi-party computation, or even for many specific two-party tasks such as obliv- ious transfer (OT). In fact, it is difficult and expensive to achieve

In this paper we present an eficient protocol for "Committed Oblivious Transfer" to perform oblivious transfer on committed bits: suppose Alice is committed to bits 00 and a1 and Bob is committed to b, they both want Bob to learn and commit to Ob without Alice learning b nor Bob learning ah. Our protocol, based on the properties of error correcting codes, uses Bit Commitment (BC) and one-out-of-two Oblivious Transfer (OT) as black boxes. Consequently the protocol may be implemented with or without a computational assumption, depending on the kind of BC and OT used by the participants. Assuming a Broadcast Channel is also available, we exploit this result to obtain a protocol for Private Multi-Party Computation, without making assumptions about a specific number or fraction of participants being honest. We analyze the protocol's efficiency in terms of BCs and OTS performed. Our approach connects Zero Knowledge proofs on BCS, Oblivious Circuit Evaluation and Private Multi-Party Computations in a conceptually simple and ejficient way.

Digital Rights Management (DRM) is required to provide balanced
protection for both the content provider and the users in a content distribution system. The content provider demands secure content delivery so that only authorized users are able to access the content and use it properly. On the other hand, users require that their privacy be protected. However, most DRM systems tend to put greater emphasis on content providers‘ security and neglect users‘ privacy. This study aims to improve DRM by constructing
a content distribution protocol that preserves the security of content provider and the privacy of users. To achieve this goal, we utilize the oblivious transfer (OT) concept. This concept allows a sender to securely send a set of information to a receiver in such a way that, at the end of the protocol, the receiver cannot learn more than he was supposed to learn, while the sender cannot determine what the receiver has learned. Assuming that tamper-proof device exists, the constructed protocol achieves perfect security for the content provider and privacy for the users. This oblivious content distribution ultimately enables DRM to be a privacy-aware protection system. The system does not merely focus on content providers‘ rights, but also seriously considers users‘ privacy protection.

Deniable encryption is an important that allows a user (a sender and/or a receiver) to escape a coercion attempted by a coercive adversary. Such an adversary approaches the coerced user after transmission forcing him to reveal all his random inputs used during encryption or decryption. Since traditional encryption schemes commit the user to his random inputs, the user is forced to reveal the true values of all his random inputs (including the encrypted/decrypted messages and the encryption/decryption keys) which are verifiable by this coercer using the intercepted cipher text. In this scenario, a coercer may force the user to perform actions against his wish. An appealing property in the mediated RSA, PKI was introduced that, the user has no information, neither about his full private (decryption) key, nor the factorization of the RSA public modulus, which represents an excellent step toward achieving in forcibility in public key encryption, since, a coercer cannot ask the user to reveal such unknown information. In this pa-per we present a scheme for receiver-deniable public-key encryption, by which, the receiver is able to lie about the decrypted message to a coercer and hence, escape a coercion. On one hand, the receiver is able to decrypt for the correct message, on the other hand, all the information held by the receiver, when opened to a coercer, do not allow this coercer to verify the encrypted message and consequently, approaching this user becomes useless from the very beginning.

We use interactive hashing to achieve the most ecient OT protocol to date based solely on the assumption that trapdoor permutations (TDP) exist. Our protocol can be seen as the following (simple) modication of either of the two famous OT constructions: 1) In the one by Even et al (1985), a receiver must send a random domain element to a sender through IH; 2) In the one by Ostrovsky et al (1993), the players should use TDP instead of one-way permutation. A similar approach is employed to achieve oblivious transfer based on the security of the McEliece cryptosystem. In this second protocol, the receiver inputs a public key into IH, while privately keeping the corresponding secret key. Two dierent versions of IH are used: the computationally secure one in the rst protocol, and the informationtheoretically secure one in the second.

Abstract. We present two efficient protocols for two flavors of oblivious transfer (OT): the Rabin and 1-out-of-2 OT using the McEliece cryptosystem and Shamir’s zero-knowledge identification scheme based on permuted kernels. This is a step towards diversifying computational assumptions on which OT – the primitive of central importance – can be based. Although we obtain a weak version of Rabin OT (where the malicious receiver may decrease his erasure probability), it can nevertheless be reduced to secure 1-out-of-2 OT. Elaborating on the first protocol, we provide a practical construction for 1-out-of-2 OT.

We present protocols for two flavors of oblivious transfer (OT): the Rabin and 1-out-of-2 OT based on the assumptions related to security of the McEliece cryptosystem and two zero-knowledge identification (ZKID) schemes, Stern's from Crypto '93 and Shamir's from Crypto '89, which are based on syndrome decoding and permuted kernels, respectively. This is a step towards diversifying computational assumptions on which OT-cryptographic primitive of central importance-can be based. As a by-product, we expose new interesting applications for both ZKID schemes: Stern's can be used for proving correctness of McEliece encryption, while Shamir's-for proving that some matrix represents a permuted subcode of a given code. Unfortunately, it turned out to be difficult to reduce the sender's security of both schemes to a hard problem, although the intuition suggests a successful attack may allow to solve some long-standing problems in coding theory.

—In pay-TV, a service provider offers TV programs and channels to users. To ensure that only authorized users gain access, conditional access systems (CAS) have been proposed. In existing CAS, users disclose to the service provider the TV programs and channels they purchase. We propose a pay-per-view and a pay-per-channel CAS that protect users' privacy. Our pay-per-view CAS employs priced oblivious transfer (POT) to allow a user to purchase TV programs without disclosing which programs were bought to the service provider. In our pay-per-channel CAS, POT is employed together with broadcast attribute-based encryption (BABE) to achieve low storage overhead, collusion resistance, efficient revocation and broadcast efficiency. We propose a new POT scheme and show its feasibility by implementing and testing our CAS on a representative mobile platform.

Secure computation platforms are becoming one of the most demanded cryptographic tools utilized in diverse applications, where the performance is critical. This point makes important the optimization of every component of secure computation systems. Oblivious Transfer (OT) is a fundamental cryptographic primitive heavily used in such protocols. Most of the OT protocols used today are based on public-key cryptography, hence their efficiency suffers heavily from the number of modular exponentiation operations done. OT extensions were introduced to reduce the number of basic OT protocol execution rounds requiring public-key cryptography operations. Recently an OT protocol based on white-box cryptography (WBOT) was introduced that avoids using expensive public-key operations. In this article extension protocols for WBOT are presented, that further improve the novel approach by dramatically decreasing the protocol invocation count required.

We consider a new model for online secure computation on encrypted inputs in the presence of malicious adversaries. The inputs are independent of the circuit computed in the sense that they can be contributed by separate third parties. The model attempts to emulate as closely as possible the model of "Computing with Encrypted Data" that was put forth in 1978 by Rivest, Adleman and Dertouzos which involved a single online message. In our model, two parties publish their public keys in an offline stage, after which any party (i.e., any of the two and any third party) can publish encryption of their local inputs. Then in an on-line stage, given any common input circuit C and its set of inputs from among the published encryptions, the first party sends a single message to the second party, who completes the computation.

We present a protocol issue that arises with the use of oblivious transfer in the malicious case of several two-party computation protocols based on Yao's garbled circuit. We describe this issue for a protocol by Pinkas (Eurocrypt 2003) and for the Fairplay protocol, and we discuss why this issue still persists for a recently suggested modification of the Fairplay protocol. We propose a solution using committed oblivious transfer instead of (plain) oblivious transfer. We also introduce the notion of committing oblivious transfer, which leads to an alternative, potentially more efficient solution.

We present the design and implementation of a compiler that automatically generates protocols that perform two-party computations. The input to our protocol is the specification of a computation with secret inputs (e.g., a signature algorithm) expressed using operations in the field Õ of integers modulo a prime Õ and in the multiplicative subgroup of order Õ in £ Ô for Õ Ô ½ with generator . The output of our compiler is an implementation of each party in a two-party protocol to perform the same computation securely, i.e., so that both parties can together compute the function but neither can alone. The protocols generated by our compiler are provably secure, in that their strength can be reduced to that of the original cryptographic computation via simulation arguments. Our compiler can be applied to various cryptographic primitives (e.g., signature schemes, encryption schemes, oblivious transfer protocols) and other protocols that employ a trusted party (e.g., key retrieval, key distribution).

Quantum 2-party cryptography differs from its classical counterpart in at least one important way: Given blak-box access to a perfect commitment scheme there exists a secure 1-2 quantum oblivious transfer. This reduction proposed by Crépeau and Kilian was proved secure against any receiver by Yao, in the case where perfect commitments are used. However, quantum commitments would normally be based on computational assumptions. A natural question therefore arises: What happens to the security of the above reduction when computationally secure commitments are used instead of perfect ones? In this paper, we address the security of 1-2 QOT when computationally binding string commitments are available. In particular, we analyse the security of a primitive called Quantum Measurement Commitment when it is constructed from unconditionally concealing but computationally binding commitments. As measuring a quantum state induces an irreversible collapse, we describe a QMC as an instance of “computational collapse of a quantum state”. In a QMC a state appears to be collapsed to a polynomial time observer who cannot extract full information about the state without breaking a computational assumption. We reduce the security of QMC to a weak binding criteria for the string commitment. We also show that secure QMCs implies QOT using a straightforward variant of the reduction above.

A non-local box is an abstract device into which Alice and Bob input bits x and y respectively and receive outputs a and b respectively, where a, b are uniformly distributed and a⊕b = x∧y. Such boxes have been central to the study of quantum or generalized non-locality, as well as the simulation of non-signaling distributions. In this paper, we start by studying how many non-local boxes Alice and Bob need in order to compute a Boolean function f . We provide tight upper and lower bounds in terms of the communication complexity of the function both in the deterministic and randomized case. We show that non-local box complexity has interesting applications to classical cryptography, in particular to secure function evaluation, and study the question posed by Beimel and Malkin [BM04] of how many Oblivious Transfer calls Alice and Bob need in order to securely compute a function f . We show that this question is related to the non-local box complexity of the function and conclude by greatly improving their bounds. Finally, another consequence of our results is that traceless two-outcome measurements on maximally entangled states can be simulated with 3 non-local boxes, while no finite bound was previously known.

Nowadays it is widely accepted to formulate the security of a protocol carrying out a given task via the "trusted-party paradigm," where the protocol execution is compared with an ideal process where the outputs are computed by a trusted party that sees all the inputs. A protocol is said to securely carry out a given task if running the protocol with a realistic adversary amounts to "emulating" the ideal process with the appropriate trusted party. In the Universal Composability (UC) framework the program run by the trusted party is called an ideal functionality. While this simulation-based security formulation provides strong security guarantees, its usefulness is contingent on the properties and correct specification of the ideal functionality, which, as demonstrated in recent years by the coexistence of complex, multiple functionalities for the same task as well as by their "unstable" nature, does not seem to be an easy task. In this paper we address this problem, by introducing a general methodology for the sound specification of ideal functionalities. First, we introduce the class of canonical ideal functionalities for a cryptographic task, which unifies the syntactic specification of a large class of cryptographic tasks under the same basic template functionality. Furthermore, this representation enables the isolation of the individual properties of a cryptographic task as separate members of the corresponding class. By endowing the class of canonical functionalities with an algebraic structure we are able to combine basic functionalities to a single final canonical functionality for a given task. Effectively, this puts forth a bottom-up approach for the specification of ideal functionalities: first one defines a set of basic constituent functionalities for the task at hand, and then combines them into a single ideal functionality taking advantage of the algebraic structure. In our framework, the constituent functionalities of a task can be derived either directly or, following a translation strategy we introduce, from existing game-based definitions; such definitions have in many cases captured desired individual properties of cryptographic tasks, albeit in less adversarial settings. Our translation methodology entails a sequence of steps that systematically derive a corresponding canonical functionality given a game-based definition, effectively "lifting" the game-based definition to its composition-safe version. We showcase our methodology by applying it to a variety of basic cryptographic tasks, including commitments, digital signatures, zero-knowledge proofs, and oblivious transfer. While in some cases our derived canonical functionalities are equivalent to existing formulations, thus attesting to the validity of our approach, in others they differ, enabling us to "debug" previous definitions and pinpoint their shortcomings.

We develop cryptographically secure techniques to guarantee unconditional privacy for respondents to polls. Our constructions are efficient and practical, and are shown not to allow cheating respondents to affect the "tally" by more than their own vote --- which will be given the exact same weight as that of other respondents. We demonstrate solutions to this problem based on both traditional cryptographic techniques and quantum cryptography.

One-time proxy signatures are one-time signatures for which a primary signer can delegate his or her signing capability to a proxy signer. In this work we propose two one-time proxy signature schemes with different security properties. Unlike other existing one-time proxy signatures that are constructed from public key cryptography, our proposed schemes are based one-way functions without trapdoors and so they inherit the communication and computation efficiency from the traditional one-time signatures. Although from a verifier point of view, signatures generated by the proxy are indistinguishable from those created by the primary signer, a trusted authority can be equipped with an algorithm that allows the authority to settle disputes between the signers. In our constructions, we use a combination of one-time signatures, oblivious transfer protocols and certain combinatorial objects. We characterise these new combinatorial objects and present constructions for them.

We present an efficient construction of Yao's "garbled circuits" protocol for securely computing any two-party circuit on committed inputs. The protocol is secure in a universally composable way in the presence of malicious adversaries under the decisional composite residuosity (DCR) and strong RSA assumptions, in the common reference string model. The protocol requires a constant number of rounds (four-five in the standard model, two-three in the random oracle model, depending on whether both parties receive the output), O(|C|) modular exponentiations per player, and a bandwidth of O(|C|) group elements, where |C| is the size of the computed circuit. Our technical tools are of independent interest. We propose a homomorphic, semantically secure variant of the Camenisch-Shoup verifiable cryptosystem, which uses shorter keys, is unambiguous (it is infeasible to generate two keys which successfully decrypt the same ciphertext), and allows efficient proofs that a committed plaintext is encrypted under a committed key. Our second tool is a practical four-round (two-round in ROM) protocol for committed oblivious transfer on strings (string-COT) secure against malicious participants. The string-COT protocol takes a few exponentiations per player, and is UC-secure under the DCR assumption in the common reference string model. Previous protocols of comparable efficiency achieved either committed OT on bits, or standard (non-committed) OT on strings.

The Distributed Computing Column covers the theory of systems that are composed of a number of interacting computing elements. These include problems of communication and networking, databases, distributed shared memory, multiprocessor architectures, operating systems, verification, Internet, and the Web. This issue consists of: • "Delayed Password Disclosure," by Markus Jakobsson and Steven Myers. Many thanks to them for their contribution to this issue. Request for Collaborations: Please send me any suggestions for material I should be including in this column, including news and communications, open problems, and authors willing to write a guest column or to review an event related to theory of distributed computing.

We present the design and implementation of a compiler that automatically generates protocols that perform two-party computations. The input to our protocol is the specification of a computation with secret inputs (e.g., a signature algorithm) expressed using operations in the field Õ of integers modulo a prime Õ and in the multiplicative subgroup of order Õ in £ Ô for Õ Ô ½ with generator . The output of our compiler is an implementation of each party in a two-party protocol to perform the same computation securely, i.e., so that both parties can together compute the function but neither can alone. The protocols generated by our compiler are provably secure, in that their strength can be reduced to that of the original cryptographic computation via simulation arguments. Our compiler can be applied to various cryptographic primitives (e.g., signature schemes, encryption schemes, oblivious transfer protocols) and other protocols that employ a trusted party (e.g., key retrieval, key distribution).

We consider a new model for online secure computation on encrypted inputs in the presence of malicious adversaries. The inputs are independent of the circuit computed in the sense that they can be contributed by separate third parties. The model attempts to emulate as closely as possible the model of "Computing with Encrypted Data" that was put forth in 1978 by Rivest, Adleman and Dertouzos which involved a single online message. In our model, two parties publish their public keys in an offline stage, after which any party (i.e., any of the two and any third party) can publish encryption of their local inputs. Then in an on-line stage, given any common input circuit C and its set of inputs from among the published encryptions, the first party sends a single message to the second party, who completes the computation.

We explore the security of blind signatures under aborts where the user or the signer may stop the interactive signature issue protocol prematurely. Several works on blind signatures discuss security only in regard of completed executions and usually do not impose strong security requirements in case of aborts. One of the exceptions is the paper of Camenisch, Neven and Shelat (Eurocrypt 2007) where the notion of selectivefailure blindness has been introduced. Roughly speaking, selective-failure blindness says that blindness should also hold in case the signer is able to learn that some executions have aborted.

Abstract. We present protocols for two flavors of oblivious transfer (OT): the Rabin and 1-out-of-2 OT based on the assumptions related to security of the McEliece cryptosystem and two zero-knowledge identification (ZKID) schemes, Stern’s from Crypto ’93 and Shamir’s from Crypto ’89, which are based on syndrome decoding and permuted kernels, respectively. This is a step towards diversifying computational assumptions on which OT – cryptographic primitive of central importance – can be based. As a by-product, we expose new interesting applications for both ZKID schemes: Stern’s can be used for proving correctness of McEliece encryption, while Shamir’s – for proving that some matrix represents a permuted subcode of a given code. Unfortunately, it turned out to be difficult to reduce the sender’s security of both schemes to a hard problem, although the intuition suggests a successful attack may allow to solve some long-standing problems in coding theory.

Traceability schemes (also known as traitor tracing schemes) have been proposed as a method to establish copyright protection of broadcast information. With asymmetric traceability, the merchant cannot frame an innocent user, while no user can abuse the system without being detected. We propose an asymmetric solution for traceability, based on a very efficient symmetric scheme [4]. We do not make any trust assumptions about the broadcasting center or other authorities. Furthermore, we establish anonymity protection for all honest users: the identity of a user is protected, until a "fingerprint" of that user is found on a pirate decoder. We make use of well-known cryptographic techniques, such as oblivious transfer, time-lock puzzles and blind signatures

We analyze the situation where computationally binding string commitment schemes are used to force the receiver of a BB84 encoding of a classical bitstring to measure upon reception. Since measuring induces an irreversible collapse to the received quantum state, even given extra information after the measurement does not allow the receiver to evaluate reliably some predicates apply to the classical bits encoded in the state. This fundamental quantum primitive is called quantum measure commitment (QMC) and allows for secure two-party computation of classical functions. An adversary to QMC is one that can both provide valid proof of having measured the received states while still able to evaluate a predicate applied to the classical content of the encoding. We give the first quantum black-box reduction for the security of QMC to the binding property of the string commitment. We characterize a class of quantum adversaries against QMC that can be transformed into adversaries against a w...

i\ (:)-OT, (one-out-of-two Bit Oblivious Transfer) is a technique by which a party S owning two secret bits b , b l , can transfer one of them b, to another party R, who chooses c. This is done in a way that does not release any bias about bz to R nor any bias about c to S. How can one build a 2TO-(i) ((;)-OT2 from R to S) given a (i)-OT, (from S to a)? This question is interesting because in many scenarios, one of the two parties will be much more powerful than the other. In the current paper we answer this question and show a number of related extensions. One interesting extension of this transfer is the (:)-OTk (one-out-of-two String O.T.) in which the two secrets qo, q1 are elements of CFk(2) instead of bits. We show that $TO-(:) can be obtained at about the same cost as (3-OT:, in terms of number of c a b to (i)-OTz. Assume now that we are in a scenario where one party is much more powerful in terms of computational ower or simply in terms of technology than the other pasty. In such a setting it is likely that (3-OT2 can be implemented in one direction but not the other. In particular one can make a computational assumption of the '*weaker" party but not of the other. This scenario was also studied by Ostrovsky, Venkatesan and Yung in [OVYSl] where they independently give a reduction similar to 2.1. Also if quantum technology is used [Cre90,BC91] it might be the case that one party is limited in the equipment it can carry (especially if one participant sits on a smart card!). Therefore a fundamental question is:"Can w e reverse (i)-OT,?". 'This work waa performed while the authors were viaiting the Universitit des Saarlandes, Saarbruckea. 'Supported in part by an NSERC Postdoctorate Scholarship.