Hello, my name is Daniel Masny, and I thank you for listening to this talk. I hope that you are well despite the situation with COVID-19 right now. In this talk, I want to talk about two-round oblivious transfer from CDH or LPN, and this is a joint work with Nico Döttling, Sanjam Garg, Mohammad Hajiabadi, and Daniel Wichs. The result in our paper is actually more generic than the title of the paper suggests, because we consider different security notions for oblivious transfer: we show that a very weak notion can be accomplished by CDH or LPN, and then we give a sequence of generic transformations from this very weak security notion to a very strong security notion.

But before going into the details of the paper, I want to introduce some basic concepts, for example, oblivious transfer. Oblivious transfer is a protocol between two parties, a sender and a receiver. The sender has two inputs, S0 and S1, and the receiver has as input a choice bit c. The goal of the protocol is that in the end, the receiver learns the input string of the sender that corresponds to his choice bit c. An oblivious transfer protocol is trivial if we don't consider any notion of security. Intuitively, notions of security should somehow guarantee that the sender does not learn the input c of the receiver, and at the same time, the receiver should not learn both of the input strings of the sender, but only the input string that corresponds to his choice bit. But of course, this is a very weak or vague security definition, and I want to be more formal. A very common security definition is simulation-based security. Here we consider security for the sender.
We want to have that for any adversary A that maliciously interacts with a sender for inputs S0 and S1, there exists also an adversary A prime that interacts with a perfectly secure ideal OT functionality, and this ideal OT functionality requests the choice bit c and outputs Sc, where Sc is the input of the sender that corresponds to the choice bit c. We want to have that these two adversaries have the same output distribution. The only way our adversary A prime can accomplish the same output distribution as adversary A is by running it internally, but he needs to do more than that. He actually needs to simulate the interaction with the honest sender in order to produce the same output distribution, but the issue here is now that our adversary A prime doesn't have the inputs S0 or S1, and he can only learn one of them using the ideal OT primitive, and he needs to be very careful which one he learns, because there might be one of the inputs that the adversary A can learn for sure. So he needs to extract that choice bit in order to learn the correct string. This can make the simulation-based security definition very cumbersome, because it requires extracting the input of a malicious receiver. At the same time, simulation-based security is very useful.

Let us consider security for the receiver now. For the receiver, we can also have simulation-based security, which is basically the same except with the difference that A prime now needs to extract the inputs of the malicious sender, which are S0 and S1. But when we consider security for the receiver, there's actually a simpler, weaker security definition, which is called indistinguishability-based security, and this only asks that the malicious sender cannot distinguish an interaction with an honest receiver for input 0 from an interaction with an honest receiver for input 1. So this is much easier to accomplish, much more handy.
So we would like to have something similar when we consider security for the sender as well. Let me give you an overview of our results. In the first part of our results, we show that you can accomplish fully simulation-based security if you assume that there is an OT which provides simulation-based security for the sender and indistinguishability security for the receiver. So how do we show that? We show that this notion of OT actually implies a two-round zero-knowledge protocol. And this, again, is helpful when we construct fully simulation-based security, because together with this notion of OT tilde, it implies simulation-based security. In the rest of the talk, I don't want to go into the details of this part of our results, and I refer you to the paper for the details. I want to go into the details of the second part of our results, which is to construct this notion of OT tilde, which accomplishes simulation-based security for the sender and indistinguishability security for the receiver, from CDH or LPN.

So how do we accomplish that? First, we consider different security notions of OT, in particular very weak notions. But for all of these notions of security, we will always assume indistinguishability security for the receiver. Security for the sender will be much weaker. We will show that CDH or LPN implies the weakest notion. And then, starting from the weakest notion, we give a sequence of generic transformations up to the notion of this OT tilde. Let me give you a summary of the talk. We will show in the talk how to construct OT tilde from CDH. Again, here I will not go into the details of the construction from LPN, and I will refer you to the paper for the details. As a first step, I will show you how to construct a very weak notion that we call elementary OT from CDH. Elementary OT implies search OT, another notion that we introduce in the paper. Again, this notion implies indistinguishable OT, which is another notion that we introduce.
And this indistinguishable OT implies this notion of OT tilde. So let me define what elementary OT is. What could be the weakest security notion that is still useful that we could consider for an oblivious transfer? A very weak notion is when we consider an adversary that maliciously interacts with the sender for inputs S0 and S1 and outputs two strings Y0 and Y1. We say that this adversary breaks the elementary security of the OT if he can output exactly the strings that correspond to the input strings of the sender with non-negligible probability. This is, of course, a very weak notion, because if there's an adversary that can do that, any OT should be considered broken, at least if you consider malicious security. But at the same time, this notion is so weak that we have hope that we can construct it from CDH.

Let me now show you how to construct this notion of OT from CDH. We use the OT protocol introduced by Bellare and Micali, and we show that this actually satisfies elementary OT. So we have a sender and a receiver, and we also have a common reference string, which is capital X, which is G to the x. The receiver in the first round will sample a random exponent r and define a term H0, which corresponds to G to the r times capital X to the minus c, where c corresponds to the input of the receiver. He sends over H0. The sender will compute H1, which is H0 times capital X. He will also sample a random exponent, define capital X as G to the s, and send over capital S as his message. Finally, the receiver will output S to the r, and the sender will output two strings, H0 to the s and H1 to the s. Here we emphasize that the sender doesn't really have input strings, so we will consider these output strings to be the sender's OT strings. Now we need to show that this is indeed a correct OT scheme, so we need to show that the receiver computes Sc. So how is Sc defined?
Sc is defined as Hc to the s, and if we plug in Hc, it exactly corresponds to H0 times capital X to the c, and the whole thing to the s. If we now plug in H0, which is G to the r times capital X to the minus c, it will cancel out the other X to the c, and we will just obtain G to the r to the s, which is equivalent to capital S to the r. So therefore we have shown correctness, because the receiver outputs capital S to the r, which is exactly the OT string that corresponds to his choice bit c.

But now what about security? How can we show elementary security of this oblivious transfer? An adversary that breaks elementary security of the OT needs to output both of the strings. So let us see how the other string S one minus c looks. By basically the same computation, we can show that it's equivalent to capital X to the one minus two times c, times s, times capital S to the r. And here c can only be either zero or one, so this term will be either X to the s or X to the minus s. Let me recap what computational Diffie-Hellman is about. We receive a challenge G to the a and G to the b, and we are asked to compute G to the a times b in order to break CDH. In our case, we will consider the challenge to be part of the CRS, capital X, and the sender's message, capital S. So we will consider capital X and capital S to be the challenge, and we will send it to the malicious receiver. The malicious receiver will now output both of the OT strings S0 and S1. But now we can just compute S0 divided by S1, such that the term capital S to the r cancels out, and what will remain will be some term related to X to the s, or capital X to the s, and this will be exactly G to the x times s, which will be the solution for the CDH challenge capital X, capital S. So therefore, if you break elementary security, you also break computational Diffie-Hellman. But now, what is the reason why this elementary OT is interesting?
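The Bellare-Micali protocol and the CDH reduction from the last two paragraphs, as an added example that is not code from the talk or the paper: it runs both rounds over a constructed toy group (p = 2039 with the order-1019 subgroup and generator G = 4, chosen here only for illustration), checks that the receiver's S^r equals h_c^s, and shows that dividing the two sender strings yields X^s, the CDH answer for the challenge (X, S).

```python
import secrets

# Constructed toy group for illustration only: p = 2q + 1 with q prime, and
# G = 2^2 generates the order-q subgroup of Z_p^*. A real instantiation uses a
# full-size group; the arithmetic below is unchanged.
P = 2039
Q = 1019
G = pow(2, 2, P)


def crs_gen():
    """CRS X = G^x. The exponent x is returned only so the CDH check can
    verify the reduction's output; the protocol parties never see it."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def receiver_round1(X, c):
    """Receiver with choice bit c: h0 = G^r * X^(-c). Keeps r as state."""
    r = secrets.randbelow(Q - 1) + 1
    h0 = pow(G, r, P) * pow(X, -c, P) % P
    return r, h0


def sender_round2(X, h0):
    """Sender: h1 = h0 * X, S = G^s; the OT strings are h0^s and h1^s."""
    s = secrets.randbelow(Q - 1) + 1
    h1 = h0 * X % P
    S = pow(G, s, P)
    return s, S, (pow(h0, s, P), pow(h1, s, P))


def receiver_output(S, r):
    """Receiver outputs S^r, which equals h_c^s since h_c = G^r."""
    return pow(S, r, P)


def cdh_from_both_strings(s0, s1):
    """Reduction from the talk: s1 / s0 = (h1 / h0)^s = X^s = G^(x*s),
    the CDH answer for the challenge (X, S). An adversary that returns
    both OT strings therefore hands over the CDH solution."""
    return s1 * pow(s0, -1, P) % P


def run_protocol(c):
    x, X = crs_gen()
    r, h0 = receiver_round1(X, c)
    s, S, strings = sender_round2(X, h0)
    return {"x": x, "X": X, "s": s, "S": S,
            "strings": strings, "received": receiver_output(S, r)}


if __name__ == "__main__":
    for c in (0, 1):
        run = run_protocol(c)
        assert run["received"] == run["strings"][c]  # correctness
        assert cdh_from_both_strings(*run["strings"]) == pow(run["X"], run["s"], P)
    print("correctness and CDH reduction check out")
```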
It's interesting because it implies a notion that we call search OT. In search OT, we consider an adversary that has two stages. In the first stage, he outputs his message OTR, and in the second stage, he will receive a state. He will also receive the message generated by the honest sender, and he will also receive a bit w, and he is asked to output Yw. Intuitively, what we want to ask is whether the adversary can output Sw correctly. So he will win this game, intuitively, if he is able to output Sw, even though he only got to know w after he has committed to the OTR message. This means the adversary can only really break the OT scheme if he doesn't commit to his choice bit in the first message. So let me be more formal with the security definition. The security definition of search OT states that with overwhelming probability over the random coins of the adversary, we want to have that there exists a w such that, with a probability over the randomness in the OTS strings, the adversary will not be able to output Sw, at least one of the Sw, with non-negligible probability.

So how is this search OT security notion interesting? We show that elementary OT implies the search OT security definition. Let us first consider a very strong adversary that breaks the search OT security, by assuming that there's an adversary that breaks the security not only with non-negligible probability, but can output Sw with a very high probability, like higher than three over four. That means that for the same OTS message, he can output S0 with probability three over four, and he can also output S1 with probability three over four. That means there exists a good fraction of OTS for which he is able to output both of them. Hence, it implies that he breaks the elementary security of the OT, because for elementary OT, he needs to output both of the OT strings with non-negligible probability.
But the question now is how can we obtain such a very strong adversary against the security of the search OT? In particular, we need to use a very weak adversary and somehow lift it up to a very strong adversary. The way we do that is by using hardness amplification, a technique introduced by Canetti, Halevi and Steiner. Intuitively, we will repeat the OT protocol many times, and we ask the adversary to break this repetition of the OT scheme. And if he is able to do so, then he needs to be extremely good at breaking each individual OT scheme that we have repeated. In particular, if we repeat it often enough, he needs to be able to break a single OT with a very high probability, for example, more than three over four. So this way we obtain this very strong adversary. But again, I don't want to go too much into the details and I refer you to the paper for the details.

Search OT is interesting because it implies indistinguishable OT. Indistinguishable OT is just an indistinguishability version of search OT, in the following sense: now the adversary doesn't need to compute the OT strings, but he can choose them. In that case, they will be M0 and M1. And he has to decide whether the sender actually uses these OT strings or whether he replaces one of them with uniform. Again, we want to be a little bit more formal. We want to have that, with overwhelming probability over the random coins of the adversary, there exists at least one bit w such that the adversary cannot distinguish whether the sender has used Mw or whether he has replaced Mw with a uniform string. This notion can be obtained from search OT by using Goldreich-Levin hardcore predicates. This will give only OT for a string length which is logarithmic in the security parameter, but by repeating it many times for the same OTR message, which we actually can do, we obtain oblivious transfer for sufficiently long string length.
Again, I don't want to go too much into the technical details and I'll refer you again to the paper. So why is this indistinguishable oblivious transfer interesting? It's interesting because we can construct our notion of this OT tilde. The way we do that is by using a CRS which consists of the iOT CRS string and a public key. In the beginning, the receiver will encrypt his choice bit under the public key, which is part of the common reference string, under some randomness R, send over the ciphertext, and he will submit his choice bit and the randomness as his inputs to the iOT protocol. The sender now defines a circuit that hardwires the ciphertext, the common reference string and the two OT messages, M0 and M1. This circuit will take as input the choice bit and the randomness. This circuit will check whether the ciphertext sent by the receiver is consistent with the encryption of the choice bit under the public key PK and randomness R. If it's consistent, then it outputs the message Mc. Otherwise, it doesn't output anything. The sender now garbles the circuit and sends the labels as input to the indistinguishable OT protocol. He will take the role of the sender, and he sends the garbled circuit over to the receiver. Now the receiver learns the labels that correspond to his choice bit c and the randomness R, such that he can evaluate the garbled circuit for the correct input. And so he will learn the message that corresponds to his choice bit. This implies correctness, but why is this scheme secure? So let us first consider the receiver indistinguishability security. I emphasize again that the iOT scheme has receiver indistinguishability security. So the iOT scheme doesn't leak information about the ciphertext or the randomness, and therefore the ciphertext itself also doesn't leak information about the choice bit of the receiver. So therefore the malicious sender cannot learn the receiver's input c.
But what about simulation-based security for the sender against the malicious receiver? The simulation-based security definition requires that we extract the choice bit of the receiver. How can we do that? We can do that by programming the CRS to be a public key for which we know the secret key. So therefore we can decrypt the ciphertext and obtain the choice bit. At the same time, the receiver needs to be consistent with its choice bit that is submitted to the iOT primitive or protocol and the encryption of the public key encryption scheme, because otherwise he will only get labels for which the garbled circuit will output a bottom symbol. So in order to be useful, he actually needs to correctly encrypt the choice bit such that he learns the message Mc. But why doesn't this leak M1-c? In particular, we need to simulate now, with this adversary A prime, the whole protocol only knowing the message Mc, because that's what we received from the ideal primitive, but without knowing M1-c. So how can we simulate in particular the iOT scheme, which has labels that also correspond to M1-c, and how can we simulate the garbled circuit C hat? In particular, if we have only this weaker notion of security for iOT and no simulation-based security. So first we need to exploit the security of garbled circuits. For garbled circuits, we know that if we have all input labels, of course the garbled circuit leaks both messages M0 and M1, but if we only have one side of the labels, only the labels that correspond to choice bit c and randomness R, then the garbled circuit only leaks Mc and not M1-c. But we submit all the labels to the iOT scheme. So somehow we need to ensure that we only submit the labels that correspond to choice bit c and randomness R to the iOT, and we want to send some garbage label for all of the rest of the labels: some uniformly chosen labels that are not used by the garbling scheme.
So we want to use independent labels, for all labels that don't correspond to the choice bit and randomness, for the garbled circuit procedure and the iOT. How can we do that? We can do that by using a distinguisher-dependent simulation, a technique introduced by Jain, Kalai, Khurana and Rothblum. What we can do is exploit the notion of indistinguishable OT. This notion says that there exists a bit w such that the labels corresponding to w are indistinguishable from uniform. The issue is now that we don't know what this w is. So we can test-run the adversary many times to learn this w. If he is not consistent in this w, if this w is sometimes zero and sometimes one, we would break the security of the indistinguishable OT. So therefore, during the test runs, the w needs to be always consistent. But if it is always consistent, then we can also be confident that it will be consistent in the actual simulation. So we can assume that it's consistent, and therefore we can use the w that we have learned during the test runs in order to replace the labels corresponding to w with uniform labels in the iOT. That means that our simulation works, and now this garbled circuit doesn't leak anything about the message M1-c, because we don't use the labels that correspond to M1-c. So this gives you an overview of the proof.

Let me give a summary of the talk and our results. CDH or LPN implies elementary OT. This implies search OT, which again implies indistinguishable OT. Indistinguishable OT is sufficient to provide simulation-based security for the sender and indistinguishability-based security for the receiver, which again is sufficient to get fully simulation-based secure OT. I thank you for your attention during my talk, and I'm happy to answer your questions during the live session of Eurocrypt 2020. I hope to see you there. Goodbye.