On the Composability of Statistically Secure Random Oblivious Transfer

08/30/2018
by Rafael Dowsley, et al.
KIT
Aarhus Universitet

We show that stand-alone statistically secure random oblivious transfer protocols based on two-party stateless primitives are statistically universally composable. I.e. they are simulatable secure with an unlimited adversary, an unlimited simulator and an unlimited environment machine. Our result implies that several previous oblivious transfer protocols in the literature which were proven secure under weaker, non-composable definitions of security can actually be used in arbitrary statistically secure applications without lowering the security.



I Introduction

Oblivious transfer (OT) [1] is a primitive of central importance in modern cryptography and implies secure computation [2, 3]. Several flavors of OT were proposed, but they are all equivalent [4]. In this work we focus on the so-called one-out-of-two random oblivious transfer. This is a two-party primitive in which a sender (Alice) gets two uniformly random bits , and a receiver (Bob) gets a uniformly random choice bit and . Bob remains ignorant about . On the other hand, Alice cannot learn the choice bit .

A very large number of OT protocols are known in the stand-alone setting, based on various assumptions (both computational and physical), but this notion does not guarantee security when multiple copies of the protocol are executed, or when the OT protocols are used as building blocks within other protocols. This is an unsatisfactory state of affairs, as the major utility of OT lies in the modular design of larger protocols. Following the simulation paradigm used in [5] to define the seminal notion of zero-knowledge proofs, many simulation-based definitions of security for multi-party protocols were proposed (e.g. [2, 6]); they guarantee that the protocols are sequentially composable [7], but this paradigm does not guarantee general composability. UC-security [8] emerges as a very desirable notion of security for OT since it guarantees that the security of the protocol holds even when the OT scheme is concurrently composed with an arbitrary set of protocols. It is a very powerful notion of security that allows one to fully exploit the nice properties of OT within other protocols.

Some questions about the equivalence of stand-alone and composable security notions in the case of statistically secure protocols were studied [9, 10]. In general, these security notions are not equivalent [10]. Therefore, it is an interesting question to study if there are restricted scenarios where this equivalence holds.

Our Results: In this paper we show that random OT protocols that are based on certain stateless two-party functionalities and that match a certain list of information-theoretic security properties are not only secure in a simulation-based way, but are actually UC-secure. Note that random OT can be straightforwardly used to obtain OT for arbitrary inputs in a composable way [11]. Note also that most OT protocols based on two-party stateless functionalities already internally run a random OT protocol and then use derandomization techniques to obtain OT for arbitrary inputs. We think that this approach is interesting because, in this scenario, a protocol designer only has to meet the list-based security notion and the protocol inherits UC-security. The setting studied in this paper covers the case of statistically secure protocols based on noisy channels, cryptogates and pre-distributed correlated data. As a consequence of our result, several previously proposed protocols implementing oblivious transfer that were proven secure in weaker models automatically have their security upgraded to a simulation-based, composable one for free [11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25].

I-A Related Work

OT can be constructed based both on generic computational assumptions such as the existence of enhanced trapdoor permutations [26, 27] and on the computational hardness of many specific problems such as factoring [1], Diffie-Hellman [28, 29], LWE [30], variants of LPN [31] and McEliece assumptions [32, 33]. However, the focus of this work is on statistically secure OT. When aiming for statistical security, OT can be based on noisy channels [12, 13, 14, 15, 16, 17, 18, 19, 20], cryptogates [21, 22], pre-distributed correlated data [11, 23, 17], the bounded storage model [34, 35, 36, 37] and on hardware tokens [24, 25].

Canetti and Fischlin [38] showed that OT cannot be UC-realized in the plain model, so additional setup assumptions are required. UC-secure OT protocols were initially constructed in the common reference string (CRS) model [39, 40, 30]. In the CRS model there exists an honestly generated random string that is available to the parties (the simulator can generate its own string as long as it looks indistinguishable from the honestly generated one). In the public key infrastructure model, Damgård and Nielsen [41] proposed an OT protocol that is UC-secure against adaptive adversaries under the assumption that threshold homomorphic encryption exists. Katz [42] proved that two-party and multi-party computation are possible assuming tamper-proof hardware.

The question about the equivalence of stand-alone and composable security definitions for statistically secure protocols has been previously addressed in [9, 10], where it was proven that the equivalence does not hold in general. In [43] it was proven that perfectly secure OT protocols according to a list of properties are sequentially composable, this result being extended to statistical security in [44].

It was shown that for statistically secure commitment schemes based on two-party stateless primitives stand-alone security implies UC-security [45]. While this result implies the possibility of building UC-secure OT protocols based on these commitment protocols, this is not the most efficient way of obtaining OT and it does not prove any additional security property about the existing OT protocols.

Even if the resources available to the parties to implement OT are asymmetric, Wolf and Wullschleger [46] showed a very simple way to reverse the OT’s direction (indeed all complete two-party functionalities are reversible as proved recently by Khurana et al. [47]).

II Preliminaries

II-A Notation

Domains of random variables will be denoted by calligraphic letters, the random variables by upper case letters and the realizations by lower case letters. For random variables over and over , with denotes the probability distribution of , the marginal probability distribution and the conditional probability distribution if . The statistical distance between and with alphabet is given by

We say and are -close if . Following Crépeau and Wullschleger [44], let the statistical information of and given be defined as

II-B The UC Framework

Here we briefly review the main concepts of the UC framework, for more details please refer to the original work of Canetti [8]. In the UC framework, the security of a protocol to carry out a certain task is ensured in three phases:

  1. One formalizes the framework, i.e., the process of executing a protocol in the presence of an adversary and an environment machine.

  2. One formalizes an ideal protocol for carrying out the task using a “trusted party”. In the ideal protocol the trusted party captures the requirements of the desired task and the parties do not communicate among themselves.

  3. One proves that the real protocol emulates the ideal protocol, i.e., for every adversary in the real model there exists an ideal adversary (also known as the simulator) in the ideal model such that no environment machine can distinguish if it is interacting with the real or the ideal world.

The environment in the UC framework represents all activity external to the running protocol, so it provides inputs to the parties running the protocol and receives the outputs that the parties generate during the execution of the protocol. As stated above the environment also tries to distinguish between attacks on real executions of the protocol and simulated attacks against the ideal functionality. If no environment can distinguish the two situations, the real protocol emulates the ideal functionality. Proving that a protocol is secure in the UC framework provides the following benefits:

  1. The ideal functionality describes intuitively the desired properties of the protocol.

  2. The protocols are secure under composition.

  3. The security is retained when the protocol is used as a sub-protocol to replace an ideal functionality that it emulates.

The ideal world

An ideal functionality represents the desired properties of a given task. Conceptually, it is treated as a local subroutine by the several parties that use it, and so the communication between the parties and the functionality is assumed to be secure (i.e., messages are sent via input and output tapes). The ideal protocol also involves a simulator , an environment on input and a set of dummy parties that interact as defined below. Whenever a dummy party is activated with input , it writes onto the input tape of . Whenever the dummy party is activated with value on its subroutine output tape, it writes on the subroutine output tape of . The simulator has no access to the contents of messages sent between dummy parties and , and it should send corruption messages directly to , who is responsible for determining the effects of corrupting any dummy party. The ideal functionality receives messages from the dummy parties by reading its input tape and sends messages to them by writing to their subroutine output tape. In the ideal protocol there is no communication among the parties. The environment can set the inputs to the parties and read their outputs, but cannot see the communication with the ideal functionality.

The real world

In the real world, the protocol is executed by parties with some adversary and an environment machine with input . can set the inputs for the parties and see their outputs, but not the communication among the parties. The parties can invoke subroutines, pass inputs to them and receive outputs from them. They can also write messages on the incoming communication tape of the adversary. These messages may specify the identity of the final destination of the message. can send messages to any party ( delivers the message). In addition, they may use the ideal functionalities that are provided to the real protocol. can communicate with and the ideal functionalities that are provided to the real protocol. also controls the corrupt parties (the environment always knows which parties are corrupted).

Functionality

interacts with and .
Alice’s Check-in: Upon receiving (Distribute, , …) from , if is honest sample uniformly random ; otherwise set the bits as specified in ’s message. Record and ignore future (Distribute, , …) from .

Bob’s Check-in: Upon receiving (Distribute, , …) from , if is honest sample a uniformly random ; otherwise set the bit as specified in ’s message. Record and ignore future (Distribute, , …) from .

Distribution: Upon having recorded values , and for some , send (Output, ) to . Upon an answer (Output, ) from , deliver (Output, , ) to and (Output, , ) to .
Fig. 1: The one-out-of-two bit random oblivious transfer functionality.

The adversarial model

The network is asynchronous without guaranteed delivery of messages. The communication is public, but authenticated (i.e., the adversary cannot modify the messages). The adversary is active in its control over corrupted parties. Any number of parties can be corrupted. Finally, the adversary, the environment and the simulator are allowed unbounded complexity. This assumption on the computational power of the simulator somewhat weakens our result: if the real adversary were restricted to polynomial time, the composition theorem could not be applied several times, because the “is at least as secure as” relation can no longer be proven transitive. However, arbitrary composition is allowed when considering statistically secure protocols, and this situation is common in the literature when proving general results on the composability of statistically secure protocols [10, 9, 44, 43].

Realizing an ideal functionality

A protocol statistically UC-realizes an ideal functionality if for any real-life adversary there exists a simulator such that no environment , on any input , can tell with non-negligible probability whether it is interacting with and parties running in the real-life process, or it is interacting with and in the ideal protocol. This means that, from the point of view of the environment, running protocol is statistically indistinguishable from the ideal world with .

The Oblivious Transfer Functionality

We present in Figure 1 the one-out-of-two bit random oblivious transfer functionality . The sender will be denoted by and the receiver by .
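As an added worked example (this is not code from the paper), the following Python models the check-in rules of the random OT functionality of Figure 1 as a trusted dealer, and then applies the derandomization that the introduction refers to via Beaver's commodity-based construction [11]: one random OT instance plus two noiseless messages yields an OT on chosen inputs. The function names, the message layout `(d, e0, e1)` and the use of `secrets.randbits` as the dealer's randomness are this example's own choices; the masking rule is the standard one and is not taken from the paper.

```python
import secrets


def rot_functionality(alice_bits=None, bob_bit=None, rng=secrets.randbits):
    """Random OT functionality of Fig. 1, reduced to its check-in rules.
    An honest Alice passes alice_bits=None and gets uniformly random (r0, r1);
    a corrupted Alice may fix them. Likewise an honest Bob gets a uniform
    choice bit c, while a corrupted Bob may fix it. Bob also receives r_c."""
    r0, r1 = alice_bits if alice_bits is not None else (rng(1), rng(1))
    c = bob_bit if bob_bit is not None else rng(1)
    return (r0, r1), (c, r1 if c else r0)


# Derandomization in the style of Beaver [11]: one random OT instance plus two
# noiseless messages gives an OT on chosen inputs (m0, m1) and choice bit b.

def receiver_message(c, b):
    """Bob sends d = b xor c. Since c is uniform and unknown to Alice,
    d is uniform and independent of b, so Alice learns nothing about b."""
    return b ^ c


def sender_messages(r0, r1, d, m0, m1):
    """Alice masks m0 with r_d and m1 with r_{1-d}. Because b xor d = c, the
    bit Bob actually holds (r_c) ends up under m_b and r_{1-c} under m_{1-b}."""
    r = (r0, r1)
    return m0 ^ r[d], m1 ^ r[1 - d]


def receiver_output(rc, b, e0, e1):
    """Bob unmasks e_b with r_c; e_{1-b} is one-time-padded with r_{1-c},
    which Bob never received."""
    return (e1 if b else e0) ^ rc


def chosen_input_ot(m0, m1, b, rng=secrets.randbits):
    """Full exchange. Returns Bob's output together with each party's view so
    that the leakage can be inspected: Alice sees only d in addition to her
    own bits, Bob sees (c, r_c) and the two masked bits."""
    (r0, r1), (c, rc) = rot_functionality(rng=rng)
    d = receiver_message(c, b)
    e0, e1 = sender_messages(r0, r1, d, m0, m1)
    out = receiver_output(rc, b, e0, e1)
    alice_view = {"r0": r0, "r1": r1, "d": d}
    bob_view = {"c": c, "rc": rc, "e0": e0, "e1": e1}
    return out, alice_view, bob_view
```

The two views make the security argument concrete: the only message Alice receives is `d`, whose distribution is uniform whatever `b` is, and the only bit Bob cannot open is `e_{1-b}`, which is padded with `r_{1-c}`. Composability of this reduction is what lets the paper restrict attention to random OT.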

II-C Setup Assumption

In this work we consider the scenario in which and have access to the functionality that given inputs from Alice and from Bob samples the outputs and according to the conditional probability distribution , and gives the outputs and to and , respectively. The functionality is described in Figure 2. Note that this functionality captures setup assumptions that are commonly used for obtaining statistically secure OT protocols, such as the existence of a stateless noisy channel between the parties, cryptogates and pre-distributed correlated data.

Functionality

interacts with and and is parametrized by the conditional probability distribution .
Alice’s Input: Upon receiving (Input, , ) from , if then record (, ). Ignore future messages (Input, , …) from .
Bob’s Input: Upon receiving (Input, , ) from , if then record (, ). Ignore future messages (Input, , …) from .
Output: Upon obtaining valid inputs from and for some , pick according to and output (Output, , ) to and (Output, , ) to .
Fig. 2: The functionality that given valid inputs, samples outputs according to the conditional probability distribution and delivers the outputs to and .

III Random Oblivious Transfer Based on Statistically Secure Two Party Stateless Functionalities

In this section we define a stand-alone security model for random OT protocols that achieve statistical security by using as a setup assumption. and have two resources available between them:

  • a bidirectional authenticated noiseless channel denoted as and

  • the functionality .

We model the probabilistic choices of by a random variable and those of by a random variable , so that we can use deterministic functions in the protocol. As usual, we assume that the noiseless messages exchanged by the players and their personal randomness are taken from .

Protocol

and interact and at the end of the execution gets and gets , for picked uniformly at random. The security parameter is , and determines how many times the parties can use the functionality : in the -th round and input symbols and to the functionality , which generates the outputs and according to and delivers them to and , respectively. Let , , and denote the vectors of these variables until the -th round. The parties can use at any moment. Let denote all the noiseless messages exchanged between the players.

We call the view of all the data in his possession, i.e. and , and denote it by . is defined similarly. We denote the output of the (possibly malicious) parties and by and , respectively. The stand-alone definition of security that is henceforth considered in this paper follows the lines of Crépeau and Wullschleger [44]. The protocol is said to be secure if there exists an that is a negligible function of the security parameter and is such that the following properties are satisfied:

Correctness

If both parties are honest, then and for and uniformly random . Additionally,

Security for

If is honest, then for uniformly random and there exists a random variable such that

and

Security for

If is honest, then for and uniformly random ; and

IV UC-Security Implication

In this section we address the question of whether random OT protocols that are secure according to the definitions of Section III also enjoy statistical UC-security. We will show that this is indeed the case. Intuitively this follows from the fact that the security in those protocols is based on the correlated randomness that is provided by the functionality to and . Since in the ideal world the simulator controls , it can leverage this knowledge in order to extract the outputs of the corrupted parties and forward them to the random oblivious transfer functionality , thus allowing the ideal execution to be indistinguishable from the real execution from the environment’s point of view. First we prove some lemmas that will be used later on to prove the main result of this work.

We first show that in any random OT protocol that is stand-alone secure, if is honest, then given ’s input to and output from the functionality and all the noiseless communication exchanged by and through it is possible to extract both outputs that would get with and in the random OT protocol.

Lemma IV.1

Let be a stand-alone secure random OT protocol and let be honest. Given ’s input to and output from and all the noiseless communication exchanged by and through during the execution of , with overwhelming probability it is possible to extract the output that would get both in the case that and .

Let us consider an execution of the protocol in which has random coins and gets for and uniformly random (as the protocol is stand-alone secure). Denote by the set of messages exchanged between and concatenated with the noiseless messages between and . We claim that there must exist such that, for the same , if had executed the protocol with , he would have been able with overwhelming probability to obtain with and . If that were not the case, would know that is unable to obtain a valid output when the choice bit is , thus gaining knowledge of the choice bit and breaking the security of the protocol. Given that

we get

and so there are events and such that

Therefore if and happen, then does not provide information about and should exist. Thus, given we are left with an extraction procedure. One just computes and that for this produce outputs and , respectively, and simulates the protocol execution for each specified ’s randomness.

We now prove that given access to the messages that exchanges with and , there is a point in the protocol execution in which it is possible to extract the choice bit and still equivocate to any value, i.e., it is possible to find an ’ view that is compatible with the current view of and the new values of and .

Lemma IV.2

Let be a stand-alone secure random OT protocol and let be honest. Given access to all messages that ’s exchanges with and all the noiseless communication exchanged by and through during the execution of , with overwhelming probability it is possible to extract the choice bit at some point of the execution of the protocol . Additionally at this point it is still possible to change and to any desired values.

We first prove that there is a point in the protocol execution where we can extract the choice bit given the messages that exchanged with and the functionality . Let denote these messages in a given protocol execution. Let denote the set of messages that allow to obtain the bit with overwhelming probability (the probability taken over , and the randomness of ). And let be defined similarly for . From the stand-alone security for Alice we have that

and

and so we get that with overwhelming probability (over and the randomness of ) cannot be in both and , since this fact would imply that the resulting protocol would be insecure for . This fact gives us a procedure for obtaining the choice bit given . We just check if is in or .

We now turn to the equivocation property. From the previous reasoning, we know that there must exist a point in the protocol where sends a message to that fixes the choice bit (i.e. the choice bit can be extracted from his messages from/to and ). Let be the index of that message. Suppose the -th message is the very last one in the protocol. Then has all the information necessary to compute his output even before sending the -th message. As the choice bit is only fixed in the next message, should be able to compute both and , breaking ’s security. Thus, the -th message cannot be the last one. The same reasoning implies that, from ’s point of view, none of ’s outputs and can be fixed before the -th message: (1) if both and are fixed from ’s point of view before the -th message, then he could obtain both and and break the stand-alone security; (2) if only is fixed, then can still change his choice to and obtain both and , thus breaking the stand-alone security. Therefore, when the -th message is sent by , ’s outputs and are still equivocable.

We now use the two lemmas to prove our main result:

Theorem IV.3

Any stand-alone statistically secure protocol of random oblivious transfer based on and UC-realizes .

We construct the simulator as follows. runs a simulated copy of in a black-box way, plays the role of the ideal functionality and simulates a copy of the hybrid interaction of for the simulated adversary . In addition, forwards the messages between and . Below we describe the procedures of the simulator in each occasion:

Only is corrupted: samples the randomness of the simulated and proceeds with the simulated execution of the protocol by producing his noiseless messages as well as his inputs to . Additionally, once the inputs and to are fixed, simulates the outputs of the functionality and sends to . As plays the role of , when the execution is done, extracts the output bits of the corrupted using the result of Lemma IV.1 and forwards to . then allows to deliver the output.

Only is corrupted: samples the randomness of the simulated and proceeds with the simulated execution of the protocol by producing her noiseless messages as well as her inputs to . Additionally, once the inputs and to are fixed, simulates the outputs of the functionality and sends to . Then, using the result of Lemma IV.2, extracts the choice bit of the corrupted , inputs to , receives and finishes the simulated protocol execution in such a way that the received bit in the hybrid interaction is equal to the received bit in the ideal protocol with overwhelming probability.

Neither party is corrupted: samples the randomness and and proceeds with the simulated execution of the protocol by simulating the noiseless messages as well as the inputs/outputs of , and reveals the noiseless messages to . If the simulated would output in the hybrid interaction, then allows to output the bit .

Both parties are corrupted: just simulates .

We analyze below the probabilities of the events that can result in different views for the environment between the real world execution with the protocol and the adversary , and the ideal world execution with functionality and the simulator :

  • When only is corrupted, ’s view in the real and ideal worlds is the same if: (1) succeeds in extracting both of ’s output bits to forward to ; (2) does not learn the choice bit in the simulated protocol execution. By Lemma IV.1, the extraction works with overwhelming probability. By the stand-alone security, with overwhelming probability does not learn .

  • When only is corrupted, ’s view in the real and ideal worlds is the same if: (1) succeeds in extracting the bit and finishes the protocol in such a way that the received bit in the simulated protocol execution is equal to ; (2) cannot learn in the simulated protocol execution. By Lemma IV.2, the first condition is satisfied with overwhelming probability. By the stand-alone security, with overwhelming probability cannot learn .

  • When neither party is corrupted, ’s procedures statistically emulate the hybrid execution for the adversary , as cannot learn from the noiseless messages alone.

  • When both parties are corrupted, ’s procedures perfectly emulate the hybrid execution for the adversary .

We conclude that since all events that can result in different views have negligible probabilities, the protocol UC-realizes .
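The following Python is an added worked example, not code from the paper: it writes the classical erasure-channel random OT protocol in the style of Crépeau and Kilian [12] as an instance of the Section III protocol shape, with the stateless functionality of Figure 2 instantiated as a binary erasure channel, and then implements the simulator-side extraction procedures used in the proof of Theorem IV.3. The concrete parameters (3n channel uses, sets of size n, erasure probability 1/2), the seeded `random.Random` standing in for the parties' coins, and all function names are this example's own assumptions. Only the extraction halves of Lemmas IV.1 and IV.2 are shown; the equivocation step of Lemma IV.2 depends on the protocol at hand and is not implemented here.

```python
import random

ERASED = None  # marker for an erased channel symbol


def erasure_channel(x_bits, p_erase, rng):
    """The stateless two-party functionality of Fig. 2 instantiated as a binary
    erasure channel: each of Alice's input bits reaches Bob unchanged with
    probability 1 - p_erase and as ERASED otherwise. Bob has no input and
    Alice receives no output from the channel."""
    return [ERASED if rng.random() < p_erase else x for x in x_bits]


def alice_send(n, rng):
    """Round 1: Alice feeds 3n uniformly random bits into the channel."""
    return [rng.randrange(2) for _ in range(3 * n)]


def bob_choose_sets(y, n, c, rng):
    """Round 2 (noiseless message): Bob puts n received positions into I_c and
    n erased positions into I_{1-c}. Returns (I_0, I_1), or None (abort) if he
    lacks enough positions of either kind; for p_erase = 1/2 that event has
    probability 2^{-Omega(n)}."""
    good = [i for i, v in enumerate(y) if v is not ERASED]
    bad = [i for i, v in enumerate(y) if v is ERASED]
    if len(good) < n or len(bad) < n:
        return None
    i_c = sorted(rng.sample(good, n))
    i_other = sorted(rng.sample(bad, n))
    return (i_c, i_other) if c == 0 else (i_other, i_c)


def xor_over(bits, positions):
    acc = 0
    for i in positions:
        acc ^= bits[i]
    return acc


def alice_output(x, sets):
    """Alice's random OT output: r_b is the parity of her bits at I_b."""
    return xor_over(x, sets[0]), xor_over(x, sets[1])


def bob_output(y, sets, c):
    """Bob knows every bit in I_c, so he recovers r_c; an honest Bob built
    I_{1-c} from erased positions, so r_{1-c} is uniform from his view."""
    return xor_over(y, sets[c])


def bob_can_learn_both(y, n):
    """Security for Alice: a cheating Bob learns both r_0 and r_1 only if he
    can fill both sets with received positions, i.e. 2n of the 3n symbols got
    through. For p_erase = 1/2 a Chernoff bound makes this 2^{-Omega(n)}."""
    return sum(v is not ERASED for v in y) >= 2 * n


def run_protocol(n, p_erase, seed):
    """Honest execution over a seeded channel; returns the transcript and both
    parties' outputs, or None if Bob aborts."""
    rng = random.Random(seed)
    x = alice_send(n, rng)
    y = erasure_channel(x, p_erase, rng)
    c = rng.randrange(2)
    sets = bob_choose_sets(y, n, c, rng)
    if sets is None:
        return None
    r0, r1 = alice_output(x, sets)
    return {"x": x, "y": y, "sets": sets, "c": c,
            "r0": r0, "r1": r1, "rc": bob_output(y, sets, c)}


# Simulator-side extraction, as in the proof of Theorem IV.3. In the ideal
# world the simulator plays the channel, so it sees Alice's channel input x
# and Bob's channel output y, plus the noiseless message (I_0, I_1).

def extract_alice_outputs(x, sets):
    """Lemma IV.1 (Alice corrupted): both r_0 and r_1 follow from x and the
    sets, and can be handed to the random OT functionality as Alice's bits."""
    return alice_output(x, sets)


def extract_choice_bit(y, sets):
    """Lemma IV.2, extraction part (Bob corrupted): the set Bob received in
    full is I_c. Returns (c, cheated); cheated is True only if both sets are
    fully received, the negligible event of bob_can_learn_both. If neither
    set is fully received Bob learns nothing, any choice bit is consistent
    with his view, and 0 is returned."""
    known = [all(y[i] is not ERASED for i in s) for s in sets]
    if known[0] and known[1]:
        return 0, True
    return (1, False) if known[1] else (0, False)
```

Running `run_protocol(16, 0.5, seed)` for a few seeds and comparing `extract_alice_outputs` and `extract_choice_bit` against the honest parties' outputs shows the two extraction procedures recovering exactly what the simulator must forward to the random OT functionality in the "only Alice corrupted" and "only Bob corrupted" cases.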

V Conclusion

In this paper, we prove that random oblivious transfer protocols based on two-party stateless functionalities and matching a list of security properties are universally composable when unbounded simulators are allowed. As previously discussed, this assumption on the simulator gives us universal composability with other statistically secure protocols. The restriction to random oblivious transfer protocols is not a real limitation: random OT can be used to obtain OT for arbitrary inputs [11], and proving the composability of that reduction is straightforward. Moreover, most OT protocols based on two-party stateless functionalities are in fact designed to first run an internal random OT protocol and then derandomize the values; in this case the universal composability implication can be applied directly to the inner random OT protocol. Generalizing the results presented here to arbitrary OT remains an interesting open problem. Our result immediately implies that several previously proposed OT protocols have their security upgraded for free [12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 11, 23, 24, 25].

References

  • [1] M. O. Rabin, “How to exchange secrets by oblivious transfer,” Aiken Computation Laboratory, Harvard University, Tech. Rep. Technical Memo TR-81, 1981.
  • [2] O. Goldreich, S. Micali, and A. Wigderson, “How to play any mental game or A completeness theorem for protocols with honest majority,” in 19th Annual ACM Symposium on Theory of Computing, A. Aho, Ed.   ACM Press, May 1987, pp. 218–229.
  • [3] J. Kilian, “Founding cryptography on oblivious transfer,” in 20th Annual ACM Symposium on Theory of Computing.   ACM Press, May 1988, pp. 20–31.
  • [4] C. Crépeau, “Equivalence between two flavours of oblivious transfers,” in Advances in Cryptology – CRYPTO’87, ser. Lecture Notes in Computer Science, C. Pomerance, Ed., vol. 293.   Springer, Heidelberg, Aug. 1988, pp. 350–354.
  • [5] S. Goldwasser, S. Micali, and C. Rackoff, “The knowledge complexity of interactive proof systems,” SIAM Journal on Computing, vol. 18, no. 1, pp. 186–208, 1989.
  • [6] D. Beaver, “Foundations of secure interactive computing,” in Advances in Cryptology – CRYPTO’91, ser. Lecture Notes in Computer Science, J. Feigenbaum, Ed., vol. 576.   Springer, Heidelberg, Aug. 1992, pp. 377–391.
  • [7] R. Canetti, “Security and composition of multiparty cryptographic protocols,” Journal of Cryptology, vol. 13, no. 1, pp. 143–202, 2000.
  • [8] ——, “Universally composable security: A new paradigm for cryptographic protocols,” in 42nd Annual Symposium on Foundations of Computer Science.   IEEE Computer Society Press, Oct. 2001, pp. 136–145.
  • [9] E. Kushilevitz, Y. Lindell, and T. Rabin, “Information-theoretically secure protocols and security under composition,” in 38th Annual ACM Symposium on Theory of Computing, J. M. Kleinberg, Ed.   ACM Press, May 2006, pp. 109–118.
  • [10] M. Backes, J. Müller-Quade, and D. Unruh, “On the necessity of rewinding in secure multiparty computation,” in TCC 2007: 4th Theory of Cryptography Conference, ser. Lecture Notes in Computer Science, S. P. Vadhan, Ed., vol. 4392.   Springer, Heidelberg, Feb. 2007, pp. 157–173.
  • [11] D. Beaver, “Commodity-based cryptography (extended abstract),” in 29th Annual ACM Symposium on Theory of Computing.   ACM Press, May 1997, pp. 446–455.
  • [12] C. Crépeau and J. Kilian, “Achieving oblivious transfer using weakened security assumptions (extended abstract),” in 29th Annual Symposium on Foundations of Computer Science.   IEEE Computer Society Press, Oct. 1988, pp. 42–52.
  • [13] C. Crépeau, “Efficient cryptographic protocols based on noisy channels,” in Advances in Cryptology – EUROCRYPT’97, ser. Lecture Notes in Computer Science, W. Fumy, Ed., vol. 1233.   Springer, Heidelberg, May 1997, pp. 306–317.
  • [14] I. Damgård, J. Kilian, and L. Salvail, “On the (im)possibility of basing oblivious transfer and bit commitment on weakened security assumptions,” in Advances in Cryptology – EUROCRYPT’99, ser. Lecture Notes in Computer Science, J. Stern, Ed., vol. 1592.   Springer, Heidelberg, May 1999, pp. 56–73.
  • [15] D. Stebila and S. Wolf, “Efficient oblivious transfer from any non-trivial binary-symmetric channel,” in Information Theory, 2002. Proceedings. 2002 IEEE International Symposium on, Lausanne, Switzerland, Jun. 30 – Jul. 5, 2002, p. 293.
  • [16] C. Crépeau, K. Morozov, and S. Wolf, “Efficient unconditional oblivious transfer from almost any noisy channel,” in SCN 04: 4th International Conference on Security in Communication Networks, ser. Lecture Notes in Computer Science, C. Blundo and S. Cimato, Eds., vol. 3352.   Springer, Heidelberg, Sep. 2005, pp. 47–59.
  • [17] A. C. A. Nascimento and A. Winter, “On the oblivious-transfer capacity of noisy resources,” IEEE Transactions on Information Theory, vol. 54, no. 6, pp. 2572–2581, Jun. 2008.
  • [18] A. C. B. Pinto, R. Dowsley, K. Morozov, and A. C. A. Nascimento, “Achieving oblivious transfer capacity of generalized erasure channels in the malicious model,” IEEE Transactions on Information Theory, vol. 57, no. 8, pp. 5566–5571, Aug. 2011.
  • [19] R. Ahlswede and I. Csiszár, “On oblivious transfer capacity,” in Information Theory, Combinatorics, and Search Theory, ser. Lecture Notes in Computer Science, H. Aydinian, F. Cicalese, and C. Deppe, Eds.   Springer Berlin Heidelberg, 2013, vol. 7777, pp. 145–166.
  • [20] R. Dowsley and A. C. A. Nascimento, “On the oblivious transfer capacity of generalized erasure channels against malicious adversaries: The case of low erasure probability,” IEEE Transactions on Information Theory, vol. 63, no. 10, pp. 6819–6826, Oct 2017.
  • [21] J. Kilian, “More general completeness theorems for secure two-party computation,” in 32nd Annual ACM Symposium on Theory of Computing.   ACM Press, May 2000, pp. 316–324.
  • [22] A. Beimel, T. Malkin, and S. Micali, “The all-or-nothing nature of two-party secure computation,” in Advances in Cryptology – CRYPTO’99, ser. Lecture Notes in Computer Science, M. J. Wiener, Ed., vol. 1666.   Springer, Heidelberg, Aug. 1999, pp. 80–97.
  • [23] R. L. Rivest, “Unconditionally secure commitment and oblivious transfer schemes using private channels and a trusted initializer,” 1999, preprint available at http://people.csail.mit.edu/rivest/Rivest- commitment.pdf.
  • [24] N. Döttling, D. Kraschewski, and J. Müller-Quade, “Unconditional and composable security using a single stateful tamper-proof hardware token,” in TCC 2011: 8th Theory of Cryptography Conference, ser. Lecture Notes in Computer Science, Y. Ishai, Ed., vol. 6597.   Springer, Heidelberg, Mar. 2011, pp. 164–181.
  • [25] R. Dowsley, J. Müller-Quade, and T. Nilges, “Weakening the isolation assumption of tamper-proof hardware tokens,” in ICITS 15: 8th International Conference on Information Theoretic Security, ser. Lecture Notes in Computer Science, A. Lehmann and S. Wolf, Eds., vol. 9063.   Springer, Heidelberg, May 2015, pp. 197–213.
  • [26] S. Even, O. Goldreich, and A. Lempel, “A randomized protocol for signing contracts,” Commun. ACM, vol. 28, no. 6, pp. 637–647, Jun. 1985. [Online]. Available: http://doi.acm.org/10.1145/3812.3818
  • [27] O. Goldreich, Foundations of Cryptography: Basic Applications. Cambridge, UK: Cambridge University Press, 2004, vol. 2.
  • [28] M. Bellare and S. Micali, “Non-interactive oblivious transfer and applications,” in Advances in Cryptology – CRYPTO’89, ser. Lecture Notes in Computer Science, G. Brassard, Ed., vol. 435. Springer, Heidelberg, Aug. 1990, pp. 547–557.
  • [29] M. Naor and B. Pinkas, “Efficient oblivious transfer protocols,” in 12th Annual ACM-SIAM Symposium on Discrete Algorithms, S. R. Kosaraju, Ed. ACM-SIAM, Jan. 2001, pp. 448–457.
  • [30] C. Peikert, V. Vaikuntanathan, and B. Waters, “A framework for efficient and composable oblivious transfer,” in Advances in Cryptology – CRYPTO 2008, ser. Lecture Notes in Computer Science, D. Wagner, Ed., vol. 5157. Springer, Heidelberg, Aug. 2008, pp. 554–571.
  • [31] B. David, R. Dowsley, and A. C. A. Nascimento, “Universally composable oblivious transfer based on a variant of LPN,” in CANS 14: 13th International Conference on Cryptology and Network Security, ser. Lecture Notes in Computer Science, D. Gritzalis, A. Kiayias, and I. G. Askoxylakis, Eds., vol. 8813. Springer, Heidelberg, Oct. 2014, pp. 143–158.
  • [32] R. Dowsley, J. van de Graaf, J. Müller-Quade, and A. C. A. Nascimento, “Oblivious transfer based on the McEliece assumptions,” in ICITS 08: 3rd International Conference on Information Theoretic Security, ser. Lecture Notes in Computer Science, R. Safavi-Naini, Ed., vol. 5155. Springer, Heidelberg, Aug. 2008, pp. 107–117.
  • [33] R. Dowsley, J. van de Graaf, J. Müller-Quade, and A. C. A. Nascimento, “Oblivious transfer based on the McEliece assumptions,” IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E95-A, no. 2, pp. 567–575, 2012.
  • [34] C. Cachin, C. Crépeau, and J. Marcil, “Oblivious transfer with a memory-bounded receiver,” in 39th Annual Symposium on Foundations of Computer Science. IEEE Computer Society Press, Nov. 1998, pp. 493–502.
  • [35] R. Dowsley, F. Lacerda, and A. C. A. Nascimento, “Oblivious transfer in the bounded storage model with errors,” in 2014 IEEE International Symposium on Information Theory (ISIT), Honolulu, HI, USA, Jun. 29 – Jul. 4, 2014, pp. 1623–1627.
  • [36] Y. Z. Ding, D. Harnik, A. Rosen, and R. Shaltiel, “Constant-round oblivious transfer in the bounded storage model,” in TCC 2004: 1st Theory of Cryptography Conference, ser. Lecture Notes in Computer Science, M. Naor, Ed., vol. 2951. Springer, Heidelberg, Feb. 2004, pp. 446–472.
  • [37] R. Dowsley, F. Lacerda, and A. C. A. Nascimento, “Commitment and oblivious transfer in the bounded storage model with errors,” IEEE Transactions on Information Theory, vol. 64, no. 8, pp. 5970–5984, Aug. 2018.
  • [38] R. Canetti and M. Fischlin, “Universally composable commitments,” in Advances in Cryptology – CRYPTO 2001, ser. Lecture Notes in Computer Science, J. Kilian, Ed., vol. 2139. Springer, Heidelberg, Aug. 2001, pp. 19–40.
  • [39] R. Canetti, Y. Lindell, R. Ostrovsky, and A. Sahai, “Universally composable two-party and multi-party secure computation,” in 34th Annual ACM Symposium on Theory of Computing. ACM Press, May 2002, pp. 494–503.
  • [40] J. A. Garay, “Efficient and universally composable committed oblivious transfer and applications,” in TCC 2004: 1st Theory of Cryptography Conference, ser. Lecture Notes in Computer Science, M. Naor, Ed., vol. 2951. Springer, Heidelberg, Feb. 2004, pp. 297–316.
  • [41] I. Damgård and J. B. Nielsen, “Universally composable efficient multiparty computation from threshold homomorphic encryption,” in Advances in Cryptology – CRYPTO 2003, ser. Lecture Notes in Computer Science, D. Boneh, Ed., vol. 2729. Springer, Heidelberg, Aug. 2003, pp. 247–264.
  • [42] J. Katz, “Universally composable multi-party computation using tamper-proof hardware,” in Advances in Cryptology – EUROCRYPT 2007, ser. Lecture Notes in Computer Science, M. Naor, Ed., vol. 4515. Springer, Heidelberg, May 2007, pp. 115–128.
  • [43] C. Crépeau, G. Savvides, C. Schaffner, and J. Wullschleger, “Information-theoretic conditions for two-party secure function evaluation,” in Advances in Cryptology – EUROCRYPT 2006, ser. Lecture Notes in Computer Science, S. Vaudenay, Ed., vol. 4004. Springer, Heidelberg, May / Jun. 2006, pp. 538–554.
  • [44] C. Crépeau and J. Wullschleger, “Statistical security conditions for two-party secure function evaluation,” in ICITS 08: 3rd International Conference on Information Theoretic Security, ser. Lecture Notes in Computer Science, R. Safavi-Naini, Ed., vol. 5155. Springer, Heidelberg, Aug. 2008, pp. 86–99.
  • [45] R. Dowsley, J. van de Graaf, J. Müller-Quade, and A. C. A. Nascimento, “On the composability of statistically secure bit commitments,” Journal of Internet Technology, vol. 14, no. 3, pp. 509–516, 2013.
  • [46] S. Wolf and J. Wullschleger, “Oblivious transfer is symmetric,” in Advances in Cryptology – EUROCRYPT 2006, ser. Lecture Notes in Computer Science, S. Vaudenay, Ed., vol. 4004. Springer, Heidelberg, May / Jun. 2006, pp. 222–232.
  • [47] D. Khurana, D. Kraschewski, H. K. Maji, M. Prabhakaran, and A. Sahai, “All complete functionalities are reversible,” in Advances in Cryptology – EUROCRYPT 2016, Part II, ser. Lecture Notes in Computer Science, M. Fischlin and J.-S. Coron, Eds., vol. 9666. Springer, Heidelberg, May 2016, pp. 213–242.