2009 | OriginalPaper | Buchkapitel
Somewhat Non-committing Encryption and Efficient Adaptively Secure Oblivious Transfer
verfasst von : Juan A. Garay, Daniel Wichs, Hong-Sheng Zhou
Erschienen in: Advances in Cryptology - CRYPTO 2009
Verlag: Springer Berlin Heidelberg
Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.
Wählen Sie Textabschnitte aus um mit Künstlicher Intelligenz passenden Patente zu finden. powered by
Markieren Sie Textabschnitte, um KI-gestützt weitere passende Inhalte zu finden. powered by
Designing efficient cryptographic protocols tolerating adaptive adversaries, who are able to corrupt parties on the fly as the computation proceeds, has been an elusive task. In this paper we make progress in this area. First, we introduce a new notion called
semi-adaptive
security which is slightly stronger than static security but
significantly weaker than fully adaptive security
. The main difference between adaptive and semi-adaptive security is that semi-adaptive security allows for the case where one party starts out corrupted and the other party becomes corrupted later on, but
not
the case where both parties start out honest and become corrupted later on. As such, semi-adaptive security is much easier to achieve than fully adaptive security. We then give a simple, generic protocol compiler which transforms any semi-adaptively secure protocol into a fully adaptively secure one. The compilation effectively decomposes the problem of adaptive security into two (simpler) problems which can be tackled separately: the problem of semi-adaptive security and the problem of realizing a weaker variant of secure channels.
We solve the latter problem by means of a new primitive that we call
somewhat non-committing encryption
resulting in significant efficiency improvements over the standard method for realizing secure channels using (fully) non-committing encryption. Somewhat non-committing encryption has two parameters: an equivocality parameter ℓ (measuring the number of ways that a ciphertext can be “opened”) and the message sizes
k
. Our implementation is very efficient for small values ℓ,
even
when
k
is large. This translates into a very efficient compilation of semi-adaptively secure protocols for tasks with small input/output domains (such as bit-OT) into fully adaptively secure protocols.
Indeed, we showcase our methodology by applying it to the recent Oblivious Transfer protocol by Peikert
etal
[Crypto 2008], which is only secure against static corruptions, to obtain the first efficient, adaptively secure and composable OT protocol. In particular, to transfer an
n
-bit message, we use a constant number of rounds and
O
(
n
) public key operations.