
UNDERGRADUATE THESIS

Provably Secure Commitments and Oblivious Transfer

Based on Noisy Channels and the McEliece Assumptions

Rafael Baião Dowsley

Brasília, July 2008

UNIVERSIDADE DE BRASÍLIA

FACULDADE DE TECNOLOGIA

UNIVERSIDADE DE BRASÍLIA
Faculdade de Tecnologia

UNDERGRADUATE THESIS

Provably Secure Commitments and Oblivious Transfer

Based on Noisy Channels and the McEliece Assumptions

Rafael Baião Dowsley

Report submitted to the Departamento de Engenharia Elétrica as a partial requirement for obtaining the degree of

Communication Networks Engineer

Examining Committee

Anderson C. A. Nascimento - Ph.D., UnB/ENE (Advisor)

Rafael T. de Sousa Jr. - Ph.D., UnB/ENE (Internal Member)

CATALOGUING RECORD

DOWSLEY, RAFAEL BAIÃO. Provably Secure Commitments and Oblivious Transfer Based on Noisy Channels and the McEliece Assumptions. [Distrito Federal] 2008.

iii, 37 p. (ENE/FT/UnB, Communication Networks Engineer, 2008). Undergraduate Monograph - Universidade de Brasília. Faculdade de Tecnologia. Departamento de Engenharia Elétrica.

1. Cryptography 2. Commitment 3. Universal Composability 4. Oblivious Transfer I. ENE/FT/UnB II. Title (series)

BIBLIOGRAPHIC REFERENCE
DOWSLEY, RAFAEL BAIÃO (2008). Provably Secure Commitments and Oblivious Transfer Based on Noisy Channels and the McEliece Assumptions. Undergraduate Monograph, Publication ENE 01/2008, Departamento de Engenharia Elétrica, Universidade de Brasília, Brasília, DF, 37 p.

ASSIGNMENT OF RIGHTS

AUTHORS' NAMES: Rafael Baião Dowsley

TITLE: Provably Secure Commitments and Oblivious Transfer Based on Noisy Channels and the McEliece Assumptions.

DEGREE / YEAR: Communication Networks Engineer / 2008.

The Universidade de Brasília is granted permission to reproduce copies of this undergraduate monograph and to lend or sell such copies solely for academic and scientific purposes. The authors reserve all other publication rights, and no part of this undergraduate monograph may be reproduced without the written authorization of the authors.

Rafael Baião Dowsley
SQSW 303, Bloco I, Apt. 206 - Sudoeste
CEP 70673-309 - Brasília - DF - Brasil.

Dedication

To my family.

Rafael Baião Dowsley

Acknowledgements

First of all, I would like to thank my advisor, Anderson Nascimento, for presenting me the area of cryptographic research, providing the ideas behind this thesis and for his enormous patience and aid during the development of this work. I would also like to thank all the people I worked with during the development of this work for their great help, especially Jörn Müller-Quade and Jeroen van de Graaf. Special thanks to my Professors in UnB, especially Rafael T. de Sousa Jr. for co-refereeing this work, and to the members of LabRedes. Finally, I would like to thank my family and my friends who helped me during my studies.

Rafael Baião Dowsley

RESUMO (Portuguese abstract, translated)

In this work we prove that a commitment protocol based on noisy channels that is secure in the stand-alone model is also secure in the UC model, thus proving an equivalence between these different notions of security in this case and thereby implying that commitment protocols based on noisy channels can be securely composed. We also construct an Oblivious Transfer protocol based on the McEliece assumptions and prove its security. Since factoring integers and computing discrete logarithms are easy tasks on quantum computers, several other Oblivious Transfer protocols will become insecure if quantum computers become practical. Our protocol is therefore an alternative in case quantum computers become practical.

ABSTRACT

In this work we show that a commitment protocol based on noisy channels that is secure in the stand-alone setting is also secure in the UC framework, thus proving in this case an equivalence between these different notions of security and implying that commitment protocols based on noisy channels can be securely composed. We have also developed an Oblivious Transfer protocol based on the McEliece assumptions and demonstrated its security. Since factoring integers and calculating discrete logarithms are easy tasks on quantum computers, several other Oblivious Transfer protocols will become insecure if quantum computers become practical, so our protocol is an alternative in this case.


CONTENTS

1 INTRODUCTION ... 1
1.1 CONTEXT ... 1
1.1.1 COMMITMENT ... 2
1.1.2 OBLIVIOUS TRANSFER ... 3
1.2 STATEMENT OF RESULTS ... 4
1.3 ORGANIZATION OF THIS WORK ... 5

2 UC FRAMEWORK ... 6
2.1 OVERVIEW OF THE UC FRAMEWORK ... 6
2.1.1 THE COMPUTATIONAL MODEL ... 6
2.1.2 THE ADVERSARIAL MODEL ... 7
2.1.3 PROTOCOL EXECUTION IN THE REAL-LIFE MODEL ... 7
2.1.4 IDEAL PROTOCOLS ... 9
2.1.5 REALIZING AN IDEAL FUNCTIONALITY ... 10
2.1.6 HYBRID PROTOCOLS ... 11
2.1.7 UNIVERSAL COMPOSITION ... 11
2.2 SOME IDEAL FUNCTIONALITIES ... 12
2.2.1 THE COMMITMENT FUNCTIONALITY ... 12
2.2.2 THE UC DISCRETE MEMORYLESS NOISY CHANNEL MODEL ... 13

3 SECURITY OF COMMITMENTS BASED ON NOISY CHANNELS ... 15
3.1 COMMITMENT BASED ON NOISY CHANNEL ... 15
3.2 UC COMMITMENT BASED ON NOISY CHANNEL ... 16

4 OBLIVIOUS TRANSFER BASED ON THE MCELIECE ASSUMPTIONS ... 20
4.1 PRELIMINARIES ... 20
4.1.1 SECURITY DEFINITION OF OBLIVIOUS TRANSFER ... 21
4.1.2 SECURITY DEFINITION OF STRING COMMITMENT ... 22
4.1.3 MCELIECE CRYPTOSYSTEM ... 22
4.1.4 SECURITY ASSUMPTIONS ... 23
4.2 PASSIVELY SECURE PROTOCOL FOR OT ... 24
4.3 FULLY SECURE PROTOCOL ... 26
4.3.1 RANDOM OT WITH HIGH PROBABILITY OF B CHEATING ... 26
4.3.2 DERANDOMIZING THE PREVIOUS PROTOCOL ... 28
4.3.3 REDUCING THE PROBABILITY OF B CHEATING ... 29

5 CONCLUSIONS ... 31

REFERENCES ... 33


LIST OF FIGURES

2.1 The real-life model of protocol execution. ... 8
2.2 Interaction among the dummy parties, the ideal protocol adversary and the ideal functionality. ... 10
2.3 The universal composition operation. ... 14


1 INTRODUCTION

1.1 CONTEXT

In the late 70s, Diffie and Hellman published the famous article [30] in which they defined public-key cryptography. This important paper and the growth of computer networks encouraged the definition and implementation of new features that were necessary for the secure execution of network applications, such as two-party secure computation [76, 77], multiparty secure computation [45, 19, 18], digital signatures [48], electronic cash [20] and zero-knowledge proofs [46, 41, 8].

The first definitions of security for distributed computing were based on lists of necessary properties. To prove the security of a protocol, one had to demonstrate that it met all the required properties. The problem with this approach is that the list of requirements is not complete, so often some property essential to the security of a task was discovered that had not been listed. To solve this problem a new approach was developed: the simulation-based approach [45]. In this approach, an ideal protocol for the task is used as a reference. The ideal protocol has access to a “trusted party” which performs all necessary computations, delivers the correct outputs to each party and cannot be corrupted. A protocol is then secure if it is equivalent to the ideal protocol. But this approach, also known as the stand-alone simulation-based approach, does not guarantee security when multiple copies of the protocol run at the same time, or when the protocol is used within other protocols. These characteristics of the stand-alone setting prevent the development of complex protocols using simple protocols as building blocks, which is one of the most used techniques in computing today.

For these reasons there has been, in recent years, a search for security definitions that allow the composition of protocols. One of these definitions is Universal Composability (UC) [12, 13], which was introduced with the intention of allowing a protocol to be securely composed concurrently with an arbitrary set of protocols. In concurrent composition, the protocols can be composed both in parallel and sequentially. This notion of security is therefore very useful, because it allows the construction of complex protocols in a modular way: first we divide the task that the protocol should carry out into several sub-tasks, then we specify a protocol that carries out the task given the sub-tasks, and finally we construct secure sub-protocols that carry out these sub-tasks. The composition theorem ensures that a protocol composed this way is secure.

Before stating the results of this thesis, we introduce the definitions of two important cryptographic primitives.

1.1.1 Commitment

Commitment is one of the most fundamental cryptographic protocols. It was defined in the work of Shimon Even [36], although it appeared implicitly in the work of Manuel Blum [7]. A commitment protocol involves two players: the committer and the receiver. The idea behind the notion of commitment is simple: the committer provides the receiver with a digital equivalent of a “sealed envelope”. This envelope should contain a value x in the commitment phase of the protocol. Before the committer helps the receiver in opening the envelope, the receiver should learn nothing about the value x (envelopes are concealing). Additionally, the committer should not be able to change x after the commitment phase (envelopes are binding). When the committer helps the receiver in opening the envelope in the decommitment phase, the receiver learns the value x. Commitment is used as a sub-protocol in applications such as secure multiparty computation, contract signing [37] and zero-knowledge proofs.

A very large number of commitment protocols are known, based on various computational and physical assumptions in the stand-alone setting. There are two flavors of commitment protocols based on computational assumptions: statistically binding but computationally concealing, and computationally binding but statistically concealing. The first type can be constructed based on any one-way function [64, 51]. The second type can be constructed based on any claw-free permutation [17, 43], any one-way permutation [66] or any collision-free hash function [50]. Commitment protocols can also be based on physical assumptions such as noisy channels [22, 54]. In this case the commitment can be both statistically binding and statistically concealing.

Universally Composable (UC) Commitment [13, 14] is a notion of security so strong that it is impossible to obtain a UC commitment protocol if no set-up assumption is provided, as demonstrated by Canetti and Fischlin [14]. UC commitment protocols have been constructed based on some set-up assumptions, as described below. In the common reference string (CRS) model [14, 15, 29, 27] it is possible to realize a UC commitment. In the CRS model there exists an honestly generated random string at system initialization; the simulator can generate its own string (as long as it looks indistinguishable from the honestly generated one). Barak et al. [4] show how to make the above schemes work in the key set-up model in the presence of a static adversary. In this model, parties have certified public keys. Dodis et al. [31] extend these results to adaptive corruptions. A UC commitment protocol was constructed in the random oracle model by Hofheinz and Müller-Quade [52]. Prabhakaran and Sahai [67] introduced a model in which all the parties, the adversary and the simulator are given oracle access to super-polynomial angels. In this model one can securely implement any multiparty functionality without setup assumptions. In [57, 63] UC commitment protocols based on tamper-proof hardware were proposed.

The potential of the noisy channel for cryptographic purposes was first used by Wyner [75] for exchanging a secret key in the presence of an eavesdropper. Later Maurer [60], Ahlswede and Csiszár [1] extended the results. Crépeau and Kilian [25] implemented the first bit commitment based on a noisy channel that is information-theoretically secure. Their idea was later improved and extended in [22, 28, 54].

1.1.2 Oblivious Transfer

1-2 Oblivious transfer is a primitive of central importance in modern cryptography, as it implies two-party secure computation [45, 58] and multi-party computation [24]. 1-2 Oblivious Transfer (OT) is a cryptographic primitive in which the sender chooses two bits $b_0$ and $b_1$, the receiver chooses a bit $c$ and receives the bit $b_c$, but does not obtain any information about the bit $b_{1-c}$. Furthermore, the sender has no information on the bit $c$. This primitive was defined in [74, 37], a similar primitive in [68], and several other variants of OT later. These variants are all equivalent: in [23] it was demonstrated that OT can be implemented from Rabin's variant, in [10] that string-OT can be implemented from OT, in [32] that the number of the receiver's choices may be increased, and in [9, 11] that OT can be implemented from XOT, GOT and UOT with repetitions (which are weaker variants of OT).

Impagliazzo and Rudich [55] showed that no black-box reduction between computationally secure OT and one-way functions exists; this shows that if there is a reduction between those primitives it will be difficult to find, because the vast majority of the reductions in cryptography are black-box. But it is possible to construct a computationally secure OT based on generic assumptions such as enhanced trapdoor permutations [37, 42] or dense trapdoor permutations [49]. Computationally secure OT can also be based on specific assumptions such as factoring [68], Diffie-Hellman [5, 65, 2], Quadratic or Higher-Order Residuosity, or the Extended Riemann Hypothesis [56]. In the UC framework, an implementation of OT assuming the existence of a common reference string was proposed in [39]. It is also possible to implement OT based on physical assumptions, such as noise [25, 26].

1.2 STATEMENT OF RESULTS

In this work we solve some open problems related to commitment and oblivious transfer primitives.

Equivalence of Universal Composability and Stand-Alone Security in the Case of Commitments based on Noisy Channels. In Chapter 3, which is based on joint work with Prof. Jörn Müller-Quade (Universität Karlsruhe) and Prof. Anderson Nascimento (Universidade de Brasília, UnB), we prove that it is possible to realize UC commitments based on noisy channels, thus introducing a new setup assumption. Moreover, we prove that any commitment protocol based on a noisy channel that is secure in the stand-alone setting is also secure in the UC framework, proving the equivalence of these apparently different security definitions in the case of bit commitment based on noisy channels. So, we can build secure complex protocols using commitments as sub-protocols if these commitments are based on noisy channels and are secure in the stand-alone setting.

Oblivious Transfer based on the McEliece Assumptions. In Chapter 4, which is part of joint work with Jeroen van de Graaf (Universidade Federal de Minas Gerais, UFMG), Prof. Jörn Müller-Quade (Universität Karlsruhe) and Prof. Anderson Nascimento (Universidade de Brasília, UnB), we focus on 1-2 Oblivious Transfer (OT) and build OT based on the two assumptions used in the McEliece cryptosystem [62]: (1) hardness of decoding a random linear code (known to be NP-complete [6], and known to be equivalent to the learning parity with noise (LPN) problem [69]); and (2) indistinguishability of the scrambled generator matrix of the Goppa code [61] from a random one. It is noteworthy that there exists no black-box reduction from Public Key Cryptography to OT [40]. However, by exploiting some algebraic properties of ciphertexts generated by the McEliece cryptosystem we bypass the negative results of [40].

As shown in [73], factoring integers and computing discrete logarithms are easy on quantum computers, so if quantum computers become practical the assumptions about the difficulty of these computations will be broken. To our knowledge, this is the first oblivious transfer protocol based on the McEliece assumptions only and, concurrently with [59], the first computationally secure oblivious transfer protocol not known to be broken by a quantum computer. However, to obtain a protocol of equivalent complexity, [59] uses additional assumptions: the random oracle assumption and permuted kernels. Also, [59] needs Shamir's zero-knowledge proofs [71], which are avoided in our simpler construction.

We consider only static adversaries, i.e., we assume that either Alice or Bob is corrupted before the protocol begins.

1.3 ORGANIZATION OF THIS WORK

In Chapter 2, we explain the most important definitions of the UC framework. These definitions are used in subsequent chapters. Chapter 3 presents the equivalence result between stand-alone security and UC security for commitments based on noisy channels. Chapter 4 shows the new 1-2 Oblivious Transfer based on the McEliece assumptions. In Chapter 5, we discuss the conclusions of this work and state some open problems.

2 UC FRAMEWORK

2.1 OVERVIEW OF THE UC FRAMEWORK

This section summarizes the parts of the Universally Composable (UC) framework [13, 12] that are relevant to this work. In this framework, the security of a protocol that carries out a task is established in three phases:

1. We formalize the process of executing a protocol in the presence of an adversary and an environment.

2. We formalize an ideal protocol for carrying out the task using a “trusted party”. In the ideal protocol the trusted party captures the requirements of the desired task and the parties cannot communicate among themselves.

3. We prove that the real protocol emulates the ideal protocol.

The environment in the UC framework represents all activity external to the running protocol, so it provides inputs to the parties running the protocol and receives the outputs that the parties generate during the execution of the protocol. The environment tries to distinguish between attacks on real executions of the protocol and simulated attacks against the ideal functionality. If no environment can distinguish the two situations, the real protocol emulates the ideal functionality.

2.1.1 The Computational Model

We need an appropriate computational model to represent distributed systems and the protocols executed by them. The UC framework uses a computational model that extends the Interactive Turing Machine (ITM) model [47, 41]. The programs run by parties are represented as Turing machines with shared tapes. Specifically, the communication tapes model messages sent to and received from the network, and the input and output tapes model inputs and outputs that are received from and given to other trusted programs, which normally run on the same machine. Below we define a system of ITMs, which represents a network of multiple computers that communicate with each other. The system of ITMs models the way the computers communicate with each other; it does not provide any notion of security.

An ITM instance (ITI) is an instance of a program running on specific data. A system (I, C) of ITMs consists of an initial ITM I and a control function C. When the execution of the system starts, an instance of I is invoked with external input and is called the initial ITI. Each ITI can invoke other ITIs and write messages on some tapes of the other ITIs; the control function C determines which tapes of which ITIs can be written to by a given ITI. In addition, each ITI has a unique ID made of two fields: the session ID (SID), which identifies the instance of a protocol, and the party ID (PID), which identifies a party within that instance of the protocol.

At any time only one ITI is active; it can execute its code and also write only once to the tape of another ITI, following the rules of the control function. The output of an execution of the system is the output of I, and the execution ends when I halts. Adversarial entities are also modeled as ITMs. Once the active ITI enters the waiting state, an ITI whose tape was written to becomes active. If there is no ITI in that condition, the initial ITI is activated.

Extending the definition given in [41, Ch. 4.2.1], an ITM M is locally probabilistic polynomial time (PPT) if, at any point during the execution of any ITI µ with code M:

1. the overall running time so far is bounded by a polynomial in the security parameter and the overall length of the input;

2. the number of bits written on the input tapes of other ITIs, plus the number of other ITIs invoked by µ, is less than the length of µ's input so far.

2.1.2 The Adversarial Model

The parties have unique identities and are locally PPT. The network is asynchronous without guaranteed delivery of messages. The communication is public, but authenticated (i.e., the adversary cannot modify the messages without it being noticed by the parties). The adversary is adaptive in corrupting parties, and is active in its control over corrupted parties. Any number of parties can be corrupted. Finally, the adversary, the environment and the simulator are allowed unbounded complexity.

2.1.3 Protocol Execution in the Real-life Model

We sketch the process of executing a given protocol π (run by parties $P_1, \ldots, P_n$) with some adversary A and an environment machine Z with input z. The model of executing π is the extended system of ITMs $(\mathcal{Z}, C^{\mathrm{EXEC}}_{\pi,\mathcal{A}})$, where Z is the initial environment and $C^{\mathrm{EXEC}}_{\pi,\mathcal{A}}$ is the control function.

Figure 2.1: The real-life model of protocol execution.

The first ITI to be invoked by Z is set by the control function to be A. Z can also invoke an unlimited number of ITIs, give inputs to them, and receive outputs from them, but Z can only invoke ITIs with the same SID, and the code of these ITIs is set by $C^{\mathrm{EXEC}}_{\pi,\mathcal{A}}$ to be the code of π. Z can communicate only with the above ITIs.

Parties and sub-parties of π can invoke ITIs and pass inputs and outputs to other ITIs of the same instance of π. Parties of π can also pass outputs to the environment. They can also write messages on the incoming communication tape of the adversary. These messages may specify the identity of the final destination of the message. A can send messages to any ITI (A delivers the message). The parties cannot communicate with each other directly through the communication tapes.

A cannot invoke ITIs as subroutines (it can invoke new ITIs by delivering messages to them), but it can corrupt parties or sub-parties of π. After receiving a special message (Corrupt id) from the environment, the adversary corrupts a party or sub-party by delivering the message (Corrupt). By the definition of the corruption process, the environment always knows which parties are corrupted.

Figure 2.1 illustrates the real-life model of protocol execution.
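As an added illustration (not code from the thesis), the activation and control rules of Sections 2.1.1 and 2.1.3 as a small executable model: a system (I, C) is a scheduler that runs one ITI at a time, allows it a single write per activation, checks that write against the control function, and wakes the initial ITI when nothing was written. The tape names, the ITI names Z, A, P1 and P2, and the toy protocol in which P1 forwards its input to P2 are constructed for the example.

```python
class ControlViolation(Exception):
    """An ITI attempted a write that the control function C forbids."""

class ITI:
    """An ITM instance, identified by (SID, PID); `step` runs once per activation and
    returns (target, tape, msg) for its single write, ("halt", value), or None (wait)."""
    def __init__(self, name, sid, pid):
        self.name, self.sid, self.pid = name, sid, pid
    def step(self, tape, msg):
        return None

def real_life_control(writer, target, tape):
    """Toy C_EXEC for the real-life model: Z gives inputs only to A and to parties of pi
    with its SID; parties output to Z and reach the network only via A's incoming
    communication tape; A delivers messages by writing on communication tapes."""
    if writer.name == "Z":
        return tape == "input" and (target.name == "A" or target.sid == writer.sid)
    if writer.name == "A":
        return tape == "comm" and target.name != "Z"
    if tape == "output":
        return target.name == "Z"
    return tape == "comm" and target.name == "A"   # never another party's comm tape

class System:
    """A system (I, C) of ITMs with the activation rules of Section 2.1.1."""
    def __init__(self, initial, control):
        self.initial, self.control = initial, control
        self.itis = {initial.name: initial}
        self.trace = []                     # name of the ITI run at each activation
    def add(self, iti):
        self.itis[iti.name] = iti
    def run(self, external_input, max_activations=50):
        active, tape, msg = self.initial, "input", external_input
        for _ in range(max_activations):
            self.trace.append(active.name)
            result = active.step(tape, msg)        # only one ITI is active at a time
            if result is None:                     # it waited without writing:
                active, tape, msg = self.initial, "input", None   # initial ITI wakes
                continue
            if result[0] == "halt":                # execution ends when I halts
                return result[1]
            target_name, tape, msg = result        # the single write of this activation
            target = self.itis[target_name]
            if not self.control(active, target, tape):
                raise ControlViolation(f"{active.name} -> {tape} tape of {target_name}")
            active = target                        # the written-to ITI runs next
        raise RuntimeError("activation bound exceeded")

class Environment(ITI):                            # Z, the initial ITI of the system
    def __init__(self):
        super().__init__("Z", sid="s1", pid="env")
        self.sent = False
    def step(self, tape, msg):
        if not self.sent:                          # first activation: give P1 its input
            self.sent = True
            return ("P1", "input", "hello")
        if tape == "output":                       # P2 reported; Z's output ends the run
            return ("halt", msg == "hello")
        return None

class Sender(ITI):                                 # P1 of the toy protocol pi
    def __init__(self, direct=False):
        super().__init__("P1", sid="s1", pid="1")
        self.direct = direct                       # True: bypass A (forbidden by C)
    def step(self, tape, msg):
        if tape != "input":
            return None
        if self.direct:
            return ("P2", "comm", msg)
        return ("A", "comm", ("P2", msg))          # message names its final destination

class Adversary(ITI):                              # A, modelling the network
    def __init__(self):
        super().__init__("A", sid="s1", pid="adv")
    def step(self, tape, msg):                     # here it simply delivers
        if tape == "comm":
            dest, payload = msg
            return (dest, "comm", payload)
        return None

class Receiver(ITI):                               # P2 of the toy protocol pi
    def __init__(self):
        super().__init__("P2", sid="s1", pid="2")
    def step(self, tape, msg):
        return ("Z", "output", msg) if tape == "comm" else None

def run_real_execution(direct=False):
    """One real-life execution; returns (Z's output, activation order)."""
    system = System(Environment(), real_life_control)
    for iti in (Adversary(), Sender(direct), Receiver()):
        system.add(iti)
    return system.run("start"), system.trace

def direct_write_is_rejected():
    try:                                           # a party writing on another party's
        run_real_execution(direct=True)            # comm tape is stopped by C
    except ControlViolation:
        return True
    return False
```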

Let $\mathrm{REAL}_{\pi,\mathcal{A},\mathcal{Z}}(k, z, \vec{r})$ denote the output of environment $\mathcal{Z}$ when interacting with adversary $\mathcal{A}$ and parties running protocol $\pi$ on security parameter $k$, input $z$ and random input $\vec{r} = r_{\mathcal{Z}}, r_{\mathcal{A}}, r_1, \ldots, r_n$ as described above ($z$ and $r_{\mathcal{Z}}$ for $\mathcal{Z}$, $r_{\mathcal{A}}$ for $\mathcal{A}$; $r_i$ for party $P_i$). Let $\mathrm{REAL}_{\pi,\mathcal{A},\mathcal{Z}}(k, z)$ denote the random variable describing $\mathrm{REAL}_{\pi,\mathcal{A},\mathcal{Z}}(k, z, \vec{r})$ when $\vec{r}$ is uniformly chosen. Let $\mathrm{REAL}_{\pi,\mathcal{A},\mathcal{Z}}$ denote the ensemble $\{\mathrm{REAL}_{\pi,\mathcal{A},\mathcal{Z}}(k, z)\}_{k \in \mathbb{N},\, z \in \{0,1\}^*}$.

It is important to note that the environment Z only accesses the input and output tapes of the parties of π; it cannot access the communication tapes of the parties nor the input and output tapes of the sub-parties of π. This is because the environment models the protocol that provides the inputs to and collects the outputs of π. Meanwhile, the adversary A can access the communication tapes of the parties, because it models the insecure network through which the parties communicate with each other. But the adversary cannot access the inputs and outputs of the parties. The environment and the adversary can freely exchange information, but their separation is crucial to the notion of security used in this framework.

2.1.4 Ideal Protocols

An ideal functionality F represents the desired properties of a given task. Conceptually, F is treated as a local subroutine by the several parties that use it, and so the communication between the parties and F is assumed to be secure (i.e., messages are sent via input and output tapes). Therefore, F is an ITM with an input tape that many ITIs can write on, and F can write on the subroutine output tapes of multiple ITIs. The PID of F is set to ⊥, and it expects all inputs to come from ITIs with the same SID as its own. Finally, F can communicate with the adversary using its communication tape, and it is responsible for determining the effects of corruption. In Subsection 2.2.1 we define the ideal functionalities for commitment that we use in this work.

The ideal protocol for an ideal functionality F ($\mathrm{IDEAL}_{\mathcal{F}}$) involves an ideal protocol adversary S (also known as the simulator), an environment Z on input z and a set of dummy parties that interact as defined below. Whenever a dummy party is activated with input x, it writes x onto the input tape of F(sid, ⊥). Whenever the dummy party is activated with value x on its subroutine output tape, it writes x on the subroutine output tape of Z. The ideal protocol adversary S has no access to the contents of messages sent between the dummy parties and F, and it should send corruption messages directly to F, which is responsible for determining the effects of corrupting any dummy party. The ideal functionality receives messages from the dummy parties by reading its input tape and sends messages to them by writing to their subroutine output tapes. In the ideal protocol there is no communication among the parties using the adversary to deliver messages.

Figure 2.2 illustrates the interaction among the dummy parties, the ideal protocol adversary and the ideal functionality.

Figure 2.2: Interaction among the dummy parties, the ideal protocol adversary and the ideal functionality.

Let $\mathrm{IDEAL}_{\mathcal{F},\mathcal{S},\mathcal{Z}}(k, z, \vec{r})$ denote the output of environment $\mathcal{Z}$ after interacting with adversary $\mathcal{S}$ and ideal functionality $\mathcal{F}$ in the ideal protocol, on security parameter $k$, input $z$, and random input $\vec{r} = r_{\mathcal{Z}}, r_{\mathcal{S}}, r_{\mathcal{F}}$ as described above ($z$ and $r_{\mathcal{Z}}$ for $\mathcal{Z}$, $r_{\mathcal{S}}$ for $\mathcal{S}$, $r_{\mathcal{F}}$ for $\mathcal{F}$). Let $\mathrm{IDEAL}_{\mathcal{F},\mathcal{S},\mathcal{Z}}(k, z)$ denote the random variable describing $\mathrm{IDEAL}_{\mathcal{F},\mathcal{S},\mathcal{Z}}(k, z, \vec{r})$ when $\vec{r}$ is uniformly chosen. Let $\mathrm{IDEAL}_{\mathcal{F},\mathcal{S},\mathcal{Z}}$ denote the ensemble $\{\mathrm{IDEAL}_{\mathcal{F},\mathcal{S},\mathcal{Z}}(k, z)\}_{k \in \mathbb{N},\, z \in \{0,1\}^*}$.

2.1.5 Realizing an Ideal Functionality

A function $f$ mapping non-negative integers to non-negative reals is called negligible if for all positive numbers $c$, there exists an integer $n_0$ such that for all $n > n_0$, we have $f(n) < 1/n^c$.

Definition 2.1.1 Two sequences $\{X_n\}_{n \in \mathbb{N}}$ and $\{Y_n\}_{n \in \mathbb{N}}$ of random variables are called statistically indistinguishable if

$$\frac{1}{2} \sum_{s \in S_n} \left| \Pr[X_n = s] - \Pr[Y_n = s] \right|$$

is negligible, where $S_n$ is the union of the supports of $X_n$ and $Y_n$.
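The distance of Definition 2.1.1 computed exactly (with Python Fractions) on a constructed ensemble from the thesis's own setting: the XOR of n bits each flipped independently with probability p, as an all-zero string would be after n uses of a binary symmetric channel (the channel and the value of p are assumptions of this example, not the thesis's). This is an added example, not the thesis's code; the distance from a uniform bit is |1 − 2p|^n / 2, which is negligible in n.

```python
from fractions import Fraction

def statistical_distance(px, py):
    """Definition 2.1.1: (1/2) * sum over s in S_n of |Pr[X_n = s] - Pr[Y_n = s]|,
    with S_n the union of the two supports (a value missing from one side has
    probability 0 there). Distributions are dicts value -> exact Fraction."""
    support = set(px) | set(py)
    return Fraction(1, 2) * sum(abs(px.get(s, 0) - py.get(s, 0)) for s in support)

def xor_of_noisy_bits(n, p):
    """Distribution of the XOR of n independent bits, each equal to 1 with probability p.
    Constructed ensemble: the parity of what n uses of a binary symmetric channel with
    crossover probability p (an assumption of this example) do to an all-zero input."""
    dist = {0: Fraction(1)}
    for _ in range(n):
        nxt = {0: Fraction(0), 1: Fraction(0)}
        for bit, pr in dist.items():
            nxt[bit] += pr * (1 - p)          # this channel use did not flip
            nxt[bit ^ 1] += pr * p            # this channel use flipped the bit
        dist = nxt
    return dist

UNIFORM_BIT = {0: Fraction(1, 2), 1: Fraction(1, 2)}

def distance_to_uniform(n, p=Fraction(1, 4)):
    """Distance of the ensemble member X_n (XOR of n noisy bits) from a uniform bit Y_n."""
    return statistical_distance(xor_of_noisy_bits(n, p), UNIFORM_BIT)

def matches_closed_form(max_n=12, p=Fraction(1, 4)):
    """Check the computed distances against |1 - 2p|^n / 2 for n = 1..max_n; the
    exponential decay in n is what makes the two ensembles statistically indistinguishable."""
    return all(distance_to_uniform(n, p) == abs(1 - 2 * p) ** n / 2
               for n in range(1, max_n + 1))
```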

We say that a protocol π statistically UC-realizes an ideal functionality F if for any real-life adversary A there exists an ideal-protocol adversary S such that no environment Z, on any input z, can tell with non-negligible probability whether it is interacting with A and parties running π in the real-life process, or with S and F in the ideal protocol. This means that, from the point of view of the environment, running protocol π is statistically indistinguishable from interacting with an ideal protocol for F.

Definition 2.1.2 Let $n \in \mathbb{N}$. Let F be an ideal functionality and let π be an n-party protocol. We say that π statistically UC-realizes F if for any adversary A there exists an ideal-protocol adversary S such that for any environment Z we have that $\mathrm{REAL}_{\pi,\mathcal{A},\mathcal{Z}}$ and $\mathrm{IDEAL}_{\mathcal{F},\mathcal{S},\mathcal{Z}}$ are statistically indistinguishable.

2.1.6 Hybrid Protocols

In hybrid protocols, in addition to sending messages to other parties (which the adversary delivers in the usual way), the parties can also use instances of ideal functionalities. This is done by calling the corresponding instances of the ideal protocol for these functionalities: the parties invoke dummy parties for $\mathcal{F}$, which in turn invoke an instance of $\mathcal{F}$ (i.e. in an $\mathcal{F}$-hybrid protocol the parties can include subroutine calls to $\mathrm{IDEAL}_{\mathcal{F}}$). Each copy of $\mathcal{F}$ is identified via a session identifier (SID) chosen by the parties of the $\mathcal{F}$-hybrid protocol. The communication between the dummy parties and $\mathcal{F}$ mimics the ideal protocol.

2.1.7 Universal Composition

Let $\pi$ be a protocol that makes subroutine calls to some instances of $\mathcal{F}$, and let $\rho$ be a protocol that statistically UC-emulates $\mathcal{F}$. The composed protocol $\pi^{\rho/\mathcal{F}}$ is constructed by modifying the code of each ITM in $\pi$ so that messages sent to each dummy party of $\mathcal{F}$ with identity $(sid, pid)$ in protocol $\pi$ are replaced with messages sent to a copy of $\rho$ with the same identity $(sid, pid)$ in the protocol $\pi^{\rho/\mathcal{F}}$. Each output value generated by a copy of $\rho$ with identity $(sid, pid)$ is treated as a message received from the corresponding dummy party of $\mathcal{F}$ with identity $(sid, pid)$ in protocol $\pi$.

A protocol $\rho$ is subroutine respecting if the only input/output interface between each instance of $\rho$ and other protocol instances goes through the actual parties of $\rho$ (i.e., the sub-parties of $\rho$ exchange input/output only with parties or sub-parties of this instance).

The composition theorem states that if $\rho$ statistically UC-emulates $\mathcal{F}$ then an execution of the composed protocol $\pi^{\rho/\mathcal{F}}$ "emulates" an execution of protocol $\pi$.

Theorem 2.1.3 Let $\rho$ be a subroutine respecting protocol that statistically UC-realizes ideal functionality $\mathcal{F}$. Then protocol $\pi^{\rho/\mathcal{F}}$ statistically UC-emulates protocol $\pi$.


Figure 2.3 illustrates the universal composition operation, which replaces an instance of an ideal functionality $\mathcal{F}$ by a protocol $\rho$ that statistically UC-realizes $\mathcal{F}$.

A specific corollary of the composition theorem states that if $\pi$ statistically UC-realizes some functionality $\mathcal{G}$ in the $\mathcal{F}$-hybrid model, and $\rho$ statistically UC-realizes $\mathcal{F}$ in the real-life model, then $\pi^{\rho/\mathcal{F}}$ statistically UC-realizes $\mathcal{G}$ in the real-life model.

Corollary 2.1.4 Let $\mathcal{F}$, $\mathcal{G}$ be ideal functionalities. Let $\pi$ be a subroutine respecting protocol that statistically UC-realizes $\mathcal{G}$ in the $\mathcal{F}$-hybrid model and let $\rho$ be a protocol that statistically UC-realizes $\mathcal{F}$. Then protocol $\pi^{\rho/\mathcal{F}}$ statistically UC-realizes $\mathcal{G}$.

2.2 SOME IDEAL FUNCTIONALITIES

In this section we present and discuss some UC ideal functionalities that will be used in the subsequent

chapters of this work.

2.2.1 The Commitment Functionality

We present the ideal bit commitment functionality as described in [13] (a modified version of the functionality first formalized in [14]). The functionality is similar to the idea of a "sealed envelope" containing a value $x$. Before the committer helps the receiver open the envelope, the receiver learns nothing about the value $x$; but the sender cannot change the value after the commitment phase. When the sender helps the receiver open the envelope in the decommitment phase, the receiver learns the value $x$. Below we describe the functionality $\mathcal{F}_{COM}$.

1. Upon receiving an input (Commit, $sid$, $x$) from $P$, verify that $sid = (P, R, sid')$ for some $R$, else ignore the input. Next, record $x$ and generate a public delayed output (Receipt, $sid$) to $R$. Once $x$ is recorded, ignore any subsequent Commit inputs.

2. Upon receiving an input (Open, $sid$) from $P$, proceed as follows: if there is a recorded value $x$ then generate a public delayed output (Open, $sid$, $x$) to $R$. Otherwise, do nothing.

3. Upon receiving a message (Corrupt-committer, $sid$) from the adversary, send $x$ to the adversary. Furthermore, if the adversary now provides a value $x'$, and the Receipt output was not yet written on $R$'s tape, then change the recorded value to $x'$.

The commitment phase is modeled in item 1 of the functionality: $\mathcal{F}_{COM}$ receives the value committed to, records it and sends a public delayed output to the receiver to notify it that a commitment was received (i.e. the message is first sent to the adversary, and later delivered to the receiver once the adversary's confirmation is received). The $sid$ must contain the identities of the committer and the receiver.

The opening phase takes place when the committer sends a message to $\mathcal{F}_{COM}$ to open the commitment, as indicated in item 2 of $\mathcal{F}_{COM}$. If the committer has previously recorded a value, then a public delayed output carrying the value is generated to the receiver.

Item 3 of the functionality models the response when the adversary corrupts the committer: $\mathcal{F}_{COM}$ sends the recorded value to the adversary and lets him modify the value if the Receipt message was not yet written on the receiver's tape. This is exactly the window in which a real-life adversary that corrupts the sender in the middle of the commitment phase could still influence the committed value, so the functionality must allow it as well.

2.2.2 The UC Discrete Memoryless Noisy Channel Model

The Discrete Memoryless Noisy Channel (DMC) model is the hybrid model in which the participants have ideal access to a Discrete Memoryless Noisy Channel with transition matrix $W$. Below we describe the functionality $\mathcal{F}_{DMC,W}$, where $P$ is the sender and $R$ the receiver.

1. Upon receiving an input (Send, $sid$, $x$) from $P$, verify that $sid = (P, R, sid')$ for some $R$ and that $x \in \mathcal{X}$, else ignore the input. Next, choose the output $y$ according to the transition matrix $W$ (i.e. with probability $W(y \mid x)$) and output (Sent, $sid$, $y$) to $R$.

In the ideal process for the functionality $\mathcal{F}_{COM}$ (described in section 2.2.1) the DMC is not used, so the ideal protocol adversary (simulator) that simulates a real-life adversary can play the role of $\mathcal{F}_{DMC,W}$ for the simulated adversary.
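As an added illustration (not part of the thesis), the following Python model implements the two functionalities above as the items read: $\mathcal{F}_{COM}$ with public delayed outputs that reach $R$'s tape only when the adversary confirms delivery, and the Corrupt-committer rule that accepts a replacement $x'$ only before (Receipt, $sid$) is on that tape; and $\mathcal{F}_{DMC,W}$ with the $sid$ and input-alphabet checks. The class names, the `adversary_deliver` interface and the `bsc` helper are this example's own conventions, not notation from the thesis.

```python
import random


class FCom:
    """Ideal bit-commitment functionality F_COM (Section 2.2.1) for one session sid = (P, R, sid').

    Outputs to R are public delayed outputs: they are queued and land on R's tape only
    after the adversary confirms delivery via adversary_deliver().
    """

    def __init__(self, sid):
        self.sid = sid
        self.value = None              # recorded committed value x (None until Commit)
        self.receipt_delivered = False
        self.pending = []              # delayed outputs not yet confirmed by the adversary
        self.tapes = {}                # party -> list of outputs written on its tape

    def _from_committer(self, sender):
        return isinstance(self.sid, tuple) and len(self.sid) == 3 and self.sid[0] == sender

    def commit(self, sender, x):
        """Item 1: (Commit, sid, x) from P; ignored if sid is malformed or x is already recorded."""
        if not self._from_committer(sender) or self.value is not None:
            return False
        self.value = x
        self.pending.append(("Receipt", self.sid))
        return True

    def open(self, sender):
        """Item 2: (Open, sid) from P; does nothing unless a value is recorded."""
        if not self._from_committer(sender) or self.value is None:
            return False
        self.pending.append(("Open", self.sid, self.value))
        return True

    def adversary_deliver(self):
        """The adversary confirms the oldest delayed output, which is then written on R's tape."""
        if not self.pending:
            return None
        msg = self.pending.pop(0)
        self.tapes.setdefault(self.sid[1], []).append(msg)
        if msg[0] == "Receipt":
            self.receipt_delivered = True
        return msg

    def corrupt_committer(self, new_value=None):
        """Item 3: leak x to the adversary; a replacement x' is accepted only while Receipt is undelivered."""
        leaked = self.value
        if new_value is not None and self.value is not None and not self.receipt_delivered:
            self.value = new_value
        return leaked


class FDmc:
    """Ideal noisy channel F_DMC,W (Section 2.2.2); W[x][y] = Pr[Y = y | X = x]."""

    def __init__(self, W, rng=None):
        self.W = W
        self.rng = rng or random.Random()

    def send(self, sid, sender, x):
        """(Send, sid, x) from P: check sid = (P, R, sid') and x in the input alphabet, then sample y."""
        if not (isinstance(sid, tuple) and len(sid) == 3 and sid[0] == sender) or x not in self.W:
            return None
        ys, probs = zip(*self.W[x].items())
        return ("Sent", sid, self.rng.choices(ys, weights=probs, k=1)[0])


def bsc(p):
    """Transition matrix of a binary symmetric channel with crossover probability p (constructed example)."""
    return {0: {0: 1 - p, 1: p}, 1: {0: p, 1: 1 - p}}


def corruption_window_demo():
    """Corrupting the committer before vs. after Receipt reaches Bob's tape; returns Bob's tape."""
    sid = ("Alice", "Bob", 1)
    f = FCom(sid)
    f.commit("Alice", 1)
    f.corrupt_committer(new_value=0)   # Receipt still pending: the adversary may rewrite x
    f.adversary_deliver()              # (Receipt, sid) is now on Bob's tape
    f.corrupt_committer(new_value=1)   # too late: the recorded value stays 0
    f.open("Alice")
    f.adversary_deliver()
    return f.tapes["Bob"]
```

The `pending` queue is what makes the outputs "delayed": nothing reaches the receiver until the adversary releases it, which is precisely the state the simulator in Chapter 3 relies on when it decides when to let $\mathcal{F}_{COM}$ output (Receipt, $sid$).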


Figure 2.3: The universal composition operation.


3 SECURITY OF COMMITMENTS BASED ON NOISY CHANNELS

In this chapter, which is based on [35, 34], we prove that universal composability and stand-alone security are actually equivalent in the case of bit commitment protocols based on noisy channels. So, complex secure protocols can be built using commitments as sub-protocols, provided these commitments are based on noisy channels and are secure in the stand-alone setting.

We believe that our result can be generalized to unfair noisy channels and to stateless two-party primitives in general. We leave those generalizations as future work.

3.1 COMMITMENT BASED ON NOISY CHANNEL

In this section we define a model for commitment protocols using a noisy channel that is based on [54]. A protocol has two phases: commitment and decommitment. In both phases the participants have a bidirectional noiseless channel available between them. In the commitment phase the sender can also use a Discrete Memoryless Noisy Channel with input alphabet $\mathcal{X}$, output alphabet $\mathcal{Y}$ and transition matrix $W$. We model the probabilistic choices of the sender by a random variable $M$ and those of the receiver by a random variable $N$, so that we can use deterministic functions in the protocol.

Commitment Phase: The sender has an input bit $b \in \{0,1\}$ that it wants to commit to. The protocol has $t$ rounds of noiseless communication between the sender and the receiver. After round $i$, the sender transmits a symbol $X_i$ through the noisy channel to the receiver, who sees $Y_i = W(X_i)$. We denote by $K$ all the noiseless messages and by $K_i$ the noiseless messages sent up to round $i$. So $X_i = F(b, M, K_i)$ for a deterministic function $F$. At the end of this phase, the receiver outputs (Receipt, $sid$).

Decommitment Phase: The parties exchange messages over the noiseless channel, which we represent by the random variable $L$; the sender announces the value $b'$ that it claims to have committed to in the first phase. Then, the receiver executes his test $\beta(Y^t, N, K, L, b')$ for a deterministic function $\beta$. The test can accept or reject $b'$. If the receiver accepts $b'$, it outputs (Open, $sid$, $b'$).


We now define the security of a protocol. A protocol is $\varepsilon$-concealing if for any possible behavior of Bob in the commitment phase,

$$\frac{1}{2}\sum_{y^t \in \mathcal{Y}^t,\, n \in \mathcal{N},\, k \in \mathcal{K}} \left|\Pr[y^t, n, k \mid b = 0] - \Pr[y^t, n, k \mid b = 1]\right| \le \varepsilon ,$$

that is, the statistical distance (in the sense of Definition 2.1.1) between Bob's view $(Y^t, N, K)$ for $b = 0$ and for $b = 1$ is at most $\varepsilon$.

A protocol is $\delta$-sound-and-binding if, for an honest receiver and sender executing the protocol and $b \in \{0,1\}$,

$$\Pr[\beta(Y^t, N, K, L, b) = \mathrm{accept}] \ge 1 - \delta$$

and, for all choices the sender makes during the two phases,

$$\Pr[\beta(Y^t, N, K, L, 0) = \mathrm{accept} \;\&\; \beta(Y^t, N, K, L, 1) = \mathrm{accept}] \le \delta .$$

We call the protocol stand-alone secure if $\varepsilon$ and $\delta$ are negligible in $t$.
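To make the two definitions concrete, here is an added Python computation (not from the thesis) that evaluates $\varepsilon$ and $\delta$ exactly, in rational arithmetic, for a deliberately naive protocol: Alice sends her bit $b$ unchanged through a binary symmetric channel $t$ times ($X_i = b$, no noiseless messages $K$, no private randomness $N$), and Bob's test $\beta$ accepts $b'$ iff it agrees with the majority of $y^t$ ($t$ odd). The channel, the protocol and the function names are this example's assumptions. It shows why repetition alone is never stand-alone secure: $\delta$ shrinks with $t$ but $\varepsilon$ grows towards $1$, and for this protocol $\varepsilon = 1 - 2\delta$ exactly.

```python
from fractions import Fraction
from itertools import product


def bsc(p):
    """Transition matrix W of a binary symmetric channel, W[x][y] = Pr[Y = y | X = x] (constructed)."""
    return {0: {0: 1 - p, 1: p}, 1: {0: p, 1: 1 - p}}

def view_distribution(W, xs):
    """Law of the receiver's channel outputs y^t when the sender's channel inputs are xs = (x_1, ..., x_t)."""
    dist = {}
    for ys in product(*(W[x].keys() for x in xs)):
        pr = Fraction(1)
        for x, y in zip(xs, ys):
            pr *= W[x][y]
        dist[ys] = pr
    return dist

def statistical_distance(P, Q):
    """1/2 * sum_s |P(s) - Q(s)| over the union of the supports (Definition 2.1.1)."""
    return sum(abs(P.get(s, 0) - Q.get(s, 0)) for s in set(P) | set(Q)) / 2

def concealing_eps(W, t):
    """epsilon for the toy protocol X_i = b, i = 1..t. Bob's view is y^t alone (no noiseless
    messages K, no private randomness N), so the concealing sum is the distance between the
    laws of y^t given b = 0 and given b = 1."""
    return statistical_distance(view_distribution(W, (0,) * t), view_distribution(W, (1,) * t))

def majority_test(ys, b_prime):
    """Bob's test beta: accept b' iff it agrees with the majority of the t received symbols (t odd)."""
    ones = sum(ys)
    return ones * 2 > len(ys) if b_prime == 1 else ones * 2 < len(ys)

def soundness_delta(W, t):
    """Largest probability, over b in {0,1}, that honest Alice's opening is rejected."""
    worst = Fraction(0)
    for b in (0, 1):
        dist = view_distribution(W, (b,) * t)
        worst = max(worst, sum(pr for ys, pr in dist.items() if not majority_test(ys, b)))
    return worst

def double_acceptance_possible(t):
    """Binding half of the definition: does some y^t make the majority test accept both 0 and 1?
    With t odd it never does, so Pr[beta(.., 0) = accept & beta(.., 1) = accept] = 0 for any Alice."""
    return any(majority_test(ys, 0) and majority_test(ys, 1) for ys in product((0, 1), repeat=t))

def tradeoff_table(p, ts=(1, 3, 5, 7)):
    """(t, epsilon, delta) for the repetition protocol over BSC(p): delta shrinks with t but
    epsilon grows towards 1, so no choice of t makes the protocol stand-alone secure."""
    W = bsc(p)
    return [(t, concealing_eps(W, t), soundness_delta(W, t)) for t in ts]
```

For $p = 1/4$ the table reads $(1, 1/2, 1/4)$, $(3, 11/16, 5/32)$, $(5, 203/256, 53/512)$, and so on: the protocol is perfectly binding but leaks more of $b$ with every channel use, which is exactly the tension a real noisy-channel commitment has to resolve with noiseless rounds and private randomness.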

3.2 UC COMMITMENT BASED ON NOISY CHANNEL

We first review a result first proved in [54].

Proposition 3.2.1 Consider a $\delta$-binding commitment of a uniform $b \in \{0,1\}$ based only on noiseless message exchange: formally, let $U$ be Alice's communication, $V$ Bob's, and $M$, $N$ Alice's and Bob's private randomness, such that all their actions in the multi-round interactive commit phase depend deterministically on their private randomness and all previous communications. Then Bob has an estimator $\hat{b} = \hat{b}(U, N, V)$ with the property that $\Pr\{\hat{b} \ne b\} \le 3\delta$.

We now prove two lemmas that we will use later to prove the main result of this chapter. We first show that, in any stand-alone secure bit commitment protocol based on noisy channels, given Alice's input to the channel and all the noiseless communication exchanged by Alice and Bob, one can almost surely infer Alice's commitment (this property is known as extractability).

Lemma 3.2.2 Any stand-alone secure commitment protocol based on a noisy channel supports extraction of Alice's commitment given her input to the channel and all the noiseless communication.

If Alice's input $X^t$ to the noisy channel is available, Bob's channel outputs carry no information beyond $X^t$ and the channel noise, so the commit phase can be viewed as a commitment based only on noiseless communication and Proposition 3.2.1 applies: $b$ can be estimated with an error probability of at most $3\delta$. As the protocol is stand-alone secure, $\delta$ is negligible, and so is $3\delta$.

We now prove that for any possible view of Bob after the commit phase is finished, there exists at least one view of Alice that passes the test executed by Bob at the end of the opening phase for any possible committed value $b$ (the so-called equivocability property of the commitment protocol).

Lemma 3.2.3 Any stand-alone secure commitment protocol based on a noisy channel has the equivocability property.

After the commitment phase, Bob possesses $Y^t, N, K$. Let honest Alice's opening information be $L, b$. From the correctness property of the protocol we know that

$$\Pr[\beta(Y^t, N, K, L, b) = \mathrm{accept}] \ge 1 - \delta .$$

We claim that there also exists opening information $\bar{L}$ for the complementary bit $\bar{b} = 1 - b$ such that

$$\Pr[\beta(Y^t, N, K, \bar{L}, \bar{b}) = \mathrm{accept}] \ge 1 - \delta .$$

If this were not the case, Bob could break the concealing condition by computing $\Pr[\beta(Y^t, N, K, L, b) = \mathrm{accept}]$ for all possible values of $L$ and $b$: Alice's correct commitment would be the only value with an overwhelming acceptance probability, so Bob could read $b$ off his view before the opening phase.

We now use Lemmas 3.2.2 and 3.2.3 to prove our main result, stated below:

Theorem 3.2.4 Any stand-alone secure commitment protocol based on a noisy channel statistically UC-realizes $\mathcal{F}_{COM}$ using $\mathcal{F}_{AUTH}$ and $\mathcal{F}_{DMC,W}$.

We construct the ideal-protocol adversary $\mathcal{S}$ as follows. $\mathcal{S}$ runs a simulated copy of $\mathcal{A}$ in a black-box way, plays the role of the ideal functionality $\mathcal{F}_{DMC,W}$ and simulates a copy of the hybrid interaction of $\pi$ for the simulated adversary $\mathcal{A}$. In addition, $\mathcal{S}$ forwards all inputs from $\mathcal{Z}$ to $\mathcal{A}$'s input and all outputs from $\mathcal{A}$ to $\mathcal{Z}$. $\mathcal{S}$ must be able to extract the committed value from the messages it receives from $\mathcal{A}$ if the sender is corrupted (Lemma 3.2.2), and must also be able to send a commitment in the hybrid interaction and later open it to any value (Lemma 3.2.3). Below we describe the procedures of the simulator in each case:


1. If the environment $\mathcal{Z}$ writes a message (Commit, $sid$, $b$) on the input tape of an uncorrupted party $P$, $P$ copies the message to the functionality $\mathcal{F}_{COM}$ and $\mathcal{S}$ is informed about the commitment. If the receiver is corrupted, $\mathcal{S}$ simulates for $\mathcal{A}$ the messages of an honest sender in each round of noiseless communication. It waits until $\mathcal{A}$ delivers all the noiseless messages of a round $i$, then sends a random $y_i \in \mathcal{Y}$ as the output of the noisy channel and proceeds to the next round. If the receiver is also uncorrupted, $\mathcal{S}$ simulates for $\mathcal{A}$ the messages that both parties send in each round of the noiseless communication. When $\mathcal{S}$ finishes the procedures for the $t$ rounds, it allows $\mathcal{F}_{COM}$ to output (Receipt, $sid$) to the receiver in the ideal protocol if it is uncorrupted.

2. If Z writes a message (Open, sid) on the input tape of some uncorrupted party P , P copies the

message to the functionality FCOM . If P has previously committed to a value b, S will receive the

bit b. By the equivocability property, S can find xt and M such that after the exchange of messages

in the decommitment phase, denoted L, the bit b will be accepted in an honest receiver’s test. If

the receiver is corrupted, S simulates the messages sent by the sender in this phase. If the receiver

is uncorrupted, S simulates the messages of both parties in this phase and allows FCOM to output

(Open, sid, b) to the receiver in the ideal protocol if A delivers all messages.

3. If A lets some corrupted party P commit to a bit b, S can extract b according to lemma 3.2.2. S just

simulates the received yt in the case that the receiver is also corrupted; otherwise, it simulates the

noiseless messages sent by the honest receiver and sends the message (Commit, sid, b) to FCOM

when all the t rounds are finished.

4. If A tells some corrupted party P to open a valid commitment with bit b′ and the receiver is not

corrupted, then S simulates the messages sent by the honest receiver in the decommitment interaction

with A and also simulates the received yt. It then checks b′ following the procedures used by an

honest receiver in the hybrid interaction. If an honest user would reject it, then S stops; otherwise S

sends (Open, sid) to FCOM .

5. If $\mathcal{A}$ corrupts the sender, then $\mathcal{S}$ corrupts the sender in the ideal protocol and learns $b$. If the (Receipt, $sid$) output was not written on the receiver's tape before the corruption, then $\mathcal{A}$ has not yet delivered all the messages of the commitment phase and $\mathcal{A}$ can play the role of the sender in the remaining rounds of this phase. $\mathcal{S}$ uses the equivocability property to find valid $x_i$ and $m$ for the $i$ rounds already finished, follows the same procedures as in item 3 in the remaining rounds, extracts the new value $b'$ and sends $b'$ to $\mathcal{F}_{COM}$. In the case that the (Receipt, $sid$) output was written on the receiver's tape before the corruption, the adversary knows $k$ and possibly $y^t$ (only if the receiver is already corrupted); $\mathcal{S}$ finds valid $x^t$ and $m$ using the equivocability property and sends them to $\mathcal{A}$.

6. If $\mathcal{A}$ corrupts the receiver, then $\mathcal{S}$ corrupts the receiver in the ideal protocol. If the receiver is corrupted after round $i$ of the commitment stage and before the opening, $\mathcal{S}$ plays the role of $\mathcal{F}_{DMC,W}$ and thus can send $N$ and valid $y_i$ to $\mathcal{A}$ (i.e., random $y_i$ if the sender is not corrupted; otherwise it simulates $y_i$ according to $x_i$ and $W$). If the receiver is corrupted after the opening, $\mathcal{S}$ also learns $b$ and can send $b$ to $\mathcal{A}$ as well.

We analyze below the probabilities of the events that can result in different views $\mathrm{REAL}_{\pi,\mathcal{A},\mathcal{Z}}$ and $\mathrm{IDEAL}_{\mathcal{F},\mathcal{S},\mathcal{Z}}$. In item 2, $\mathrm{REAL}_{\pi,\mathcal{A},\mathcal{Z}}$ and $\mathrm{IDEAL}_{\mathcal{F},\mathcal{S},\mathcal{Z}}$ differ if an honest committer in the hybrid interaction is unable to open a valid commitment. The output generated in item 4 differs from $\mathrm{REAL}_{\pi,\mathcal{A},\mathcal{Z}}$ only if a dishonest committer in the hybrid interaction succeeds in opening a bit other than the one he committed to in the commitment phase. By the $\delta$-sound-and-binding property of the stand-alone secure protocol, both probabilities are negligible.

A dishonest receiver that knows $y^t, n, k$ in the hybrid interaction has, before the decommitment, only negligible information about $b$ according to the $\varepsilon$-concealing property of the stand-alone secure protocol.

As all events that can result in different views have negligible probability, $\mathrm{REAL}_{\pi,\mathcal{A},\mathcal{Z}}$ and $\mathrm{IDEAL}_{\mathcal{F},\mathcal{S},\mathcal{Z}}$ are statistically indistinguishable. This completes the security proof of the protocol, and so the theorem holds.


4 OBLIVIOUS TRANSFER BASED ON THE MCELIECE ASSUMPTIONS

In this chapter, which is based on [33], we focus on 1-out-of-2 Oblivious Transfer (OT) and build OT based on the two assumptions used in the McEliece cryptosystem [62]: (1) hardness of decoding a random linear code (known to be NP-complete [6], and known to be equivalent to the learning parity with noise (LPN) problem [69]); and (2) indistinguishability of the scrambled generator matrix of a Goppa code [61] from a random one. We consider only static adversaries, i.e., we assume that either Alice or Bob is corrupted before the protocol begins.

To our knowledge, this is the first oblivious transfer protocol based on the McEliece assumptions only and, concurrently with [59], the first computationally secure oblivious transfer protocol not known to be broken by a quantum computer. However, to obtain a protocol of equivalent complexity, [59] uses additional assumptions: the random oracle assumption and permuted kernels. Also, [59] needs Shamir's zero-knowledge proofs [71], which are avoided in our simpler construction. Our protocol is unconditionally secure for Bob and computationally secure for Alice.

4.1 PRELIMINARIES

In this section, we establish our notation and provide some facts from coding theory and formal defini-

tions of security for oblivious transfer and bit commitment. Then, for the sake of completeness, we describe

the McEliece cryptosystem and introduce the assumptions on which its security, and also the security of

our protocol is based.

Henceforth, we will denote by x ∈R D a uniformly random choice of element x from its domain D;

and by ⊕ a bit-wise exclusive OR of strings. All logarithms are to the base 2.

Two sequences $\{X_n\}_{n\in\mathbb{N}}$ and $\{Y_n\}_{n\in\mathbb{N}}$ of random variables are called computationally indistinguishable, denoted $X \stackrel{c}{=} Y$, if for every non-uniform probabilistic polynomial-time distinguisher $D$ there exists a negligible function $\varepsilon(\cdot)$ such that for every $n \in \mathbb{N}$,

$$\left|\Pr[D(X_n) = 1] - \Pr[D(Y_n) = 1]\right| < \varepsilon(n) .$$

4.1.1 Security Definition of Oblivious Transfer

Let us denote by $\mathrm{View}_A(A(z), B(c))$ and $\mathrm{View}_B(A(b_0, b_1), B(z))$ the views of dishonest Alice and Bob, respectively, which represent their inputs $z$, the results of all local computations, and the messages exchanged. Our definition of security is based on the one shown in [56] (conveniently adapted to protocols with more than two messages).

Definition 4.1.1 A protocol $[A, B](b_0, b_1; c)$ is said to securely implement oblivious transfer if, at the end of its execution by the sender Alice and the receiver Bob, which are modelled as probabilistic polynomial time (PPT) Turing machines having as their input a security parameter $N$, the following properties hold:

− Completeness: when the players honestly follow the protocol, Bob outputs $b_c$ while Alice has no output.

− Security for Alice: For every PPT adversary $B$, every input $z$, and a (sufficiently long) random tape $R_B$ chosen at random, there exists a choice bit $c$ such that for $b_c \in \{0,1\}$ the distribution (taken over Alice's randomness) of runs of $B(z)$ using randomness $R_B$ with Alice having input $b_c$ and $b_{1-c} = 0$ is computationally indistinguishable from the distribution of runs with Alice having input $b_c$ and $b_{1-c} = 1$.

− Security for Bob: For any PPT adversary $A$, any security parameter $N$ and any input $z$ of size polynomial in $N$, the view that $A(z)$ obtains when Bob inputs $c = 0$ is computationally indistinguishable from that when Bob inputs $c = 1$, denoted:

$$\mathrm{View}_A(A(z), B(0))|_z \stackrel{c}{=} \mathrm{View}_A(A(z), B(1))|_z .$$

A protocol is said to be secure against honest-but-curious players if the previous definition holds in the case that Alice and Bob follow the protocol. An oblivious-transfer protocol is unconditionally secure against a player if the given properties hold even when this player is not computationally bounded.


4.1.2 Security Definition of String Commitment

We also need commitment schemes in our constructions. A string commitment protocol consists of two stages. In the first one, called Commit, the sender (Alice) provides the receiver (Bob) with evidence about her input bit-string $b$. Bob cannot learn it before the second stage, called Open, where Alice reveals her commitment to Bob, such that she cannot open a value different from $b$ without being caught with high probability. Let us denote by $\mathrm{View}_A(A(z), B(a))$ and $\mathrm{View}_B(A(b), B(z))$ the views of dishonest Alice and Bob, respectively, which represent their inputs $z$, the results of all local computations, and the messages exchanged. Our definition is based on [64].

Definition 4.1.2 A protocol $[A, B](b)$ is said to securely implement string commitment if, at the end of its execution by the sender Alice and the receiver Bob, which are represented as PPT Turing machines having as their input a security parameter $N$, the following properties hold:

− Completeness: when the players honestly follow the protocol, Bob accepts $b$.

− Hiding: For any PPT adversary $B$, any security parameter $N$, any input $z$ of size polynomial in $N$, and any $k \in \mathbb{N}$, after the Commit stage, but before the Open stage, the view of $B(z)$ when Alice inputs $b \in \{0,1\}^k$ is computationally indistinguishable from the view where Alice inputs any other $b' \in \{0,1\}^k$, $b' \ne b$:

$$\mathrm{View}_B(A(b), B(z))|_z \stackrel{c}{=} \mathrm{View}_B(A(b'), B(z))|_z .$$

− Binding: For any PPT adversary $A$, any security parameter $N$, any input $z$ of size polynomial in $N$ and any $k \in \mathbb{N}$, there exists $b \in \{0,1\}^k$ which can be computed by Alice after the Commit stage, such that the probability that $A(b')$, $b' \ne b$, is accepted by Bob in the Open stage is negligible in $N$.

A string commitment protocol is unconditionally secure against a player if the properties in Definition 4.1.2 hold even when this player is not computationally bounded.

4.1.3 McEliece Cryptosystem

The following definition was taken from [59]. The McEliece cryptosystem [62] consists of a triplet of probabilistic algorithms $\mathrm{ME} = (\mathrm{Gen}_{ME}, \mathrm{Enc}_{ME}, \mathrm{Dec}_{ME})$ and message space $\mathcal{M} = \{0,1\}^k$.

− Key generation algorithm: The PPT key generation algorithm $\mathrm{Gen}_{ME}$ works as follows:

1. Generate a $k \times n$ generator matrix $\mathbf{G}$ of a Goppa code, where we assume that there is an efficient error-correction algorithm Correct which can always correct up to $t$ errors.

2. Generate a $k \times k$ random non-singular matrix $\mathbf{S}$.

3. Generate an $n \times n$ random permutation matrix $\mathbf{T}$.

4. Set $\mathbf{P} = \mathbf{S}\mathbf{G}\mathbf{T}$, and output $pk = (\mathbf{P}, t)$ and $sk = (\mathbf{S}, \mathbf{G}, \mathbf{T})$.

− Encryption algorithm: $\mathrm{Enc}_{ME}$ takes a plaintext $\mathbf{m} \in \{0,1\}^k$ and the public key $pk$ as input and outputs the ciphertext $\mathbf{c} = \mathbf{m}\mathbf{P} \oplus \mathbf{e}$, where $\mathbf{e} \in \{0,1\}^n$ is a random vector of Hamming weight $t$.

− Decryption algorithm: $\mathrm{Dec}_{ME}$ works as follows:

1. Compute $\mathbf{c}\mathbf{T}^{-1}$ $(= (\mathbf{m}\mathbf{S})\mathbf{G} \oplus \mathbf{e}\mathbf{T}^{-1})$, where $\mathbf{T}^{-1}$ denotes the inverse matrix of $\mathbf{T}$; since $\mathbf{T}$ is a permutation matrix, $\mathbf{e}\mathbf{T}^{-1}$ still has weight $t$.

2. Compute $\mathbf{m}\mathbf{S} = \mathrm{Correct}(\mathbf{c}\mathbf{T}^{-1})$.

3. Output $\mathbf{m} = (\mathbf{m}\mathbf{S})\mathbf{S}^{-1}$.

4.1.4 Security Assumptions

In this subsection, we briefly introduce and discuss the McEliece assumptions used in this work. First, we assume that there is no efficient algorithm which can distinguish the scrambled (according to the description in the previous subsection) generator matrix $\mathbf{P}$ of the Goppa code from a random matrix of the same size. Currently, the best algorithm, by Courtois et al. [21], works as follows: enumerate each Goppa polynomial and verify whether the corresponding code and the generator matrix $\mathbf{G}$ are "permutation equivalent" or not by using the support splitting algorithm [70]; this is an $n^{t(1+o(1))}$-time algorithm, with $n$ and $t$ as defined in the previous subsection.

Assumption 4.1.3 There is no PPT algorithm which can distinguish the public-key matrix $\mathbf{P}$ of the McEliece cryptosystem from a random matrix of the same size with non-negligible probability.

We note that this assumption was used in [21] to construct a digital signature scheme.

The underlying assumption on which McEliece is based is the hardness of decoding random linear codes. This problem is known to be NP-complete [6], and all currently known algorithms to solve it are exponential. In particular, for a small number of errors, the best one was presented by Canteaut and Chabaud [16].


Assumption 4.1.4 The Syndrome Decoding Problem is hard for every PPT algorithm.

We will also need a bit commitment scheme based on the same assumption. Of course we could use a modification of the McEliece system which is semantically secure, see [53]. However, we can do better.

According to a well-known result by Naor [64], a bit commitment scheme can be constructed from any pseudorandom generator. The latter primitive can be built efficiently from the Syndrome Decoding problem as described by Fischer and Stern [38]. Naor's scheme is unconditionally binding, computationally hiding and meets the completeness property. So, using this construction, we rely on only one of the McEliece assumptions. In addition, for string commitment Naor's construction is very efficient.

4.2 PASSIVELY SECURE PROTOCOL FOR OT

For now, assume Alice and Bob to be honest-but-curious. We first sketch the intuition behind this protocol. We construct it according to the paradigm presented in [5]. Bob sends to Alice an object which is either a public key or a randomized public key for which the decoding problem is difficult. To randomize a public key, we use bitwise XOR with a random matrix. Alice, in turn, computes the bitwise XOR of the received entity with the same random matrix, thereby obtaining the second "key". She encrypts $b_0$ and $b_1$ with the received and computed keys, respectively, and sends the encryptions to Bob. The protocol is secure for Bob because Alice cannot distinguish a public key from a random matrix. The protocol is complete because Bob can always decrypt $b_c$. At the same time, it is also secure for Alice, because Bob is unable to decrypt the second bit as he cannot decode the random code.

Recall that Alice's inputs are the bits $b_0$ and $b_1$ while Bob inputs the bit $c$, wishing to receive $b_c$. Denote the Hamming weight of a vector $z$ by $w_H(z)$.

Protocol 4.2.1

1. Alice chooses a $k \times n$ random binary matrix $Q$ and sends it to Bob.

2. Bob generates a secret key $(S, G, T)$ following the procedures of the McEliece algorithm, sets $P_c = SGT$ and $P_{1-c} = P_c \oplus Q$ and sends $P_0, t$ to Alice.

3. Alice computes $P_1 = P_0 \oplus Q$, then encrypts two random bit strings $r_0, r_1 \in_R \{0,1\}^k$ with $P_0$ and $P_1$, respectively, i.e., for $i = 0, 1$: $y_i = r_i P_i \oplus z_i$, where $z_i \in \{0,1\}^n$, $w_H(z_i) = t$; computes for $i = 0, 1$: $m_i \in_R \{0,1\}^k$; encrypts $b_0$ and $b_1$ as follows: for $i = 0, 1$: $\hat{b}_i = b_i \oplus \langle r_i, m_i \rangle$, where "$\langle \cdot, \cdot \rangle$" denotes a scalar product modulo 2; and finally sends for $i = 0, 1$: $y_i, m_i, \hat{b}_i$ to Bob.

4. Bob decrypts $r_c$ and computes $b_c = \hat{b}_c \oplus \langle r_c, m_c \rangle$.
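The following Python implementation of Protocol 4.2.1 is an added example, not code from the thesis. A Goppa decoder is far beyond a short listing, so it substitutes the Hamming(7,4) code ($k = 4$, $n = 7$, $t = 1$), decoded by exhaustive search, for the Goppa code. With this toy code the construction has no security at all (Bob can brute-force the random code just as easily), but every arithmetic step of the McEliece key generation, the $Q$-randomized second key and the hard-core-predicate masking $\hat{b}_i = b_i \oplus \langle r_i, m_i \rangle$ is exactly as in the protocol. Matrix and function names are this example's own.

```python
import itertools
import random

# Toy stand-in for the Goppa code: Hamming(7,4), k = 4, n = 7, corrects t = 1 error. It is
# insecure by construction (brute-force decodable); it only keeps the protocol arithmetic visible.
G_TOY = [[1, 0, 0, 0, 1, 1, 0], [0, 1, 0, 0, 1, 0, 1], [0, 0, 1, 0, 0, 1, 1], [0, 0, 0, 1, 1, 1, 1]]
T_TOY = 1


def mat_mul(A, B):  # matrix product over GF(2)
    return [[sum(a & b for a, b in zip(row, col)) & 1 for col in zip(*B)] for row in A]

def vec_mat(v, A):
    return mat_mul([v], A)[0]

def xor(u, v):
    return [a ^ b for a, b in zip(u, v)]

def mat_xor(A, B):
    return [xor(r, s) for r, s in zip(A, B)]

def transpose(A):
    return [list(col) for col in zip(*A)]

def inner(u, v):  # scalar product modulo 2, the hard-core predicate <r, m>
    return sum(a & b for a, b in zip(u, v)) & 1

def rand_bits(n, rng):
    return [rng.randrange(2) for _ in range(n)]

def gf2_inverse(A):
    """Gauss-Jordan inversion over GF(2); returns None if A is singular."""
    k = len(A)
    M = [row[:] + [int(i == j) for j in range(k)] for i, row in enumerate(A)]
    for col in range(k):
        piv = next((r for r in range(col, k) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        for r in range(k):
            if r != col and M[r][col]:
                M[r] = xor(M[r], M[col])
    return [row[k:] for row in M]

def random_invertible(k, rng):
    while True:
        S = [rand_bits(k, rng) for _ in range(k)]
        if gf2_inverse(S) is not None:
            return S

def random_permutation_matrix(n, rng):
    perm = list(range(n))
    rng.shuffle(perm)
    return [[int(perm[i] == j) for j in range(n)] for i in range(n)]

def correct(G, t, word):
    """Nearest-codeword decoding by brute force over the 2^k messages (the real scheme uses the
    efficient Goppa decoder here); returns the message, or None if no codeword lies within distance t."""
    for bits in itertools.product((0, 1), repeat=len(G)):
        if sum(a != b for a, b in zip(vec_mat(list(bits), G), word)) <= t:
            return list(bits)
    return None

def me_keygen(rng):
    """Gen_ME: pk = (P = SGT, t), sk = (S, G, T, t)."""
    S = random_invertible(len(G_TOY), rng)
    T = random_permutation_matrix(len(G_TOY[0]), rng)
    return (mat_mul(mat_mul(S, G_TOY), T), T_TOY), (S, G_TOY, T, T_TOY)

def me_encrypt(pk, m, rng):
    """Enc_ME: c = mP xor e with w_H(e) = t."""
    P, t = pk
    e = [0] * len(P[0])
    for i in rng.sample(range(len(e)), t):
        e[i] = 1
    return xor(vec_mat(m, P), e)

def me_decrypt(sk, c):
    """Dec_ME: undo T (a permutation, so T^-1 = T^T), correct the t errors, undo S."""
    S, G, T, t = sk
    mS = correct(G, t, vec_mat(c, transpose(T)))
    return None if mS is None else vec_mat(mS, gf2_inverse(S))

def protocol_4_2_1(b0, b1, c, rng):
    """Honest-but-curious run of Protocol 4.2.1; returns the bit Bob outputs (should equal b_c)."""
    k, n = len(G_TOY), len(G_TOY[0])
    Q = [rand_bits(n, rng) for _ in range(k)]                   # 1. Alice -> Bob: Q
    (Pc, t), sk = me_keygen(rng)                                # 2. Bob: P_c = SGT, P_{1-c} = P_c xor Q
    P = {c: Pc, 1 - c: mat_xor(Pc, Q)}                          #    Bob -> Alice: P_0, t
    P_alice = [P[0], mat_xor(P[0], Q)]                          # 3. Alice: P_1 = P_0 xor Q
    sent = []
    for i, bi in enumerate((b0, b1)):
        r, m = rand_bits(k, rng), rand_bits(k, rng)
        y = me_encrypt((P_alice[i], t), r, rng)                 #    y_i = r_i P_i xor z_i
        sent.append((y, m, bi ^ inner(r, m)))                   #    (y_i, m_i, b_i-hat)
    y, m, b_hat = sent[c]                                       # 4. Bob decrypts r_c, unmasks b_c
    return b_hat ^ inner(me_decrypt(sk, y), m)
```

Note that Alice never learns which of $P_0, P_1$ is the real key: she derives $P_1$ from $P_0$ and $Q$ herself, and Bob's only message is $P_0$, which is either $SGT$ or $SGT \oplus Q$ depending on $c$.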

The next theorem formally states the security of the above protocol.

Theorem 4.2.2 Protocol 4.2.1 is complete and secure for both Alice and Bob against passive attacks according to Definition 4.1.1 under Assumptions 4.1.3 and 4.1.4.

Given that under passive attacks the players always follow the protocol, we argue the properties listed in Definition 4.1.1.

Completeness: This follows by observing that Bob always receives a valid encryption of $r_c$ that allows him to compute $b_c$ in Step 4.

Security for Alice: Let $B$ be any PPT passively cheating receiver. Let $c$ be the bit such that $\hat{b}_{1-c} = b_{1-c} \oplus \langle r_{1-c}, m_{1-c} \rangle$ and $y_{1-c} = r_{1-c}(P_c \oplus Q) \oplus z_{1-c}$. Note that $Q$ is chosen randomly and independently of $P_c$, so from $B$'s point of view, learning $r_{1-c}$ is equivalent to decoding a random linear code with generator matrix $P_c \oplus Q$. This is known to be hard [6]. It was proven in [44] that $\langle r, m \rangle$ is a hard-core predicate for any one-way function $f$ given $f(r)$ and $m$. Hence, by Assumption 4.1.4, the distribution (taken over Alice's randomness) of runs of $B(z)$ using randomness $R$ with Alice having input $b_c$ and $b_{1-c} = 0$ is computationally indistinguishable from the distribution of runs with Alice having input $b_c$ and $b_{1-c} = 1$.

Security for Bob: This follows directly from Assumption 4.1.3. Honest-but-curious Alice is unable to distinguish between $P = SGT$ and a random $k \times n$ matrix, and hence she is also unable to tell $P_c = SGT$ from $P_{1-c} = SGT \oplus Q$ for any $c \in \{0,1\}$. This implies computational indistinguishability of the protocol views for Alice.

Unfortunately, Protocol 4.2.1 is not secure if the parties cheat actively. One problem is that, given a random matrix $Q$, Bob can come up with two matrices $P', P''$ with $P' \oplus P'' = Q$ such that both are generator matrices of codes with reasonably good decoding properties. It is clear that in this case Bob will be able to partially decode both $b_0$ and $b_1$.


4.3 FULLY SECURE PROTOCOL

In order to arm the passive protocol with security against malicious parties one could use a general compiler such as the one in [42]. However, we present a direct and more efficient approach:

1. Implement a randomized oblivious transfer in which Bob is forced to choose his public key before, and therefore independently of, $Q$; if he does not, he is detected with probability at least $1/2$.

2. Convert the randomized oblivious transfer into an oblivious transfer for specific inputs with the same security characteristics;

3. Reduce the probability that a malicious Bob simultaneously learns information on both $b_0$ and $b_1$.

4.3.1 Random OT with high probability of B cheating

First, we implement a protocol that outputs two random bits $a_0, a_1$ to Alice and outputs a random bit $d$ and $a_d$ to Bob. In this protocol, Alice detects with probability at least $1/2 - \varepsilon$ a malicious Bob that chooses the public key depending on $Q$.

To achieve this, Bob generates two different McEliece keys by following the same procedures as in Protocol 4.2.1 and using two random bits $c_0, c_1$. He commits to $P_{0,c_0}$ and $P_{1,c_1}$. Then, Bob receives two random matrices $Q_0$ and $Q_1$ from Alice, computes $P_{0,1-c_0} = P_{0,c_0} \oplus Q_0$ and $P_{1,1-c_1} = P_{1,c_1} \oplus Q_1$ and sends $P_{0,0}, P_{1,0}, t$ to her. Alice chooses one of the commitments for Bob to open and checks whether the opened information is consistent with an honest procedure; otherwise, she stops the protocol. Finally, she encrypts $a_0$ and $a_1$ using the matrices associated with the commitment that was not opened.

Protocol 4.3.1

1. Bob generates two McEliece secret keys $(S_0, G_0, T_0)$ and $(S_1, G_1, T_1)$. He chooses $c_0, c_1 \in_R \{0,1\}$ and sets $P_{0,c_0} = S_0 G_0 T_0$ and $P_{1,c_1} = S_1 G_1 T_1$. He commits to $P_{0,c_0}$ and $P_{1,c_1}$.

2. Alice chooses $Q_0$ and $Q_1$ uniformly at random and sends them to Bob.

3. Bob computes $P_{0,1-c_0} = P_{0,c_0} \oplus Q_0$ and $P_{1,1-c_1} = P_{1,c_1} \oplus Q_1$. He sends $P_{0,0}, P_{1,0}, t$ to Alice.

4. Alice computes $P_{0,1} = P_{0,0} \oplus Q_0$ and $P_{1,1} = P_{1,0} \oplus Q_1$. Then she chooses the challenge $j \in_R \{0,1\}$ and sends it to Bob.

5. Bob opens his commitment to $P_{1-j, c_{1-j}}$ and sets $d = c_j$.

6. Alice checks the following: $P_{1-j, c_{1-j}}$ must be equal to $P_{1-j,0}$ or $P_{1-j,1}$, otherwise she stops the protocol.

7. Alice encrypts two random bit strings $r_0, r_1 \in_R \{0,1\}^k$ with $P_{j,0}$ and $P_{j,1}$, respectively, i.e., for $i = 0, 1$: $y_i = r_i P_{j,i} \oplus z_i$, where $z_i \in \{0,1\}^n$, $w_H(z_i) = t$; computes for $i = 0, 1$: $m_i \in_R \{0,1\}^k$; encrypts $a_0, a_1 \in_R \{0,1\}$ as follows: for $i = 0, 1$: $\hat{a}_i = a_i \oplus \langle r_i, m_i \rangle$, where "$\langle \cdot, \cdot \rangle$" denotes a scalar product modulo 2; and finally sends for $i = 0, 1$: $y_i, m_i, \hat{a}_i$ to Bob.

8. Bob decrypts $r_d$ and computes $a_d = \hat{a}_d \oplus \langle r_d, m_d \rangle$. If Bob encounters a decoding error while decrypting $r_d$, then he outputs $a_d = 0$.
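The cut-and-choose part of Protocol 4.3.1 (Steps 1 to 6) is shown below as an added Python simulation that is not part of the thesis. Steps 7 and 8 are the encryption of Protocol 4.2.1 and are not repeated here; what this example isolates is Alice's check in Step 6 and how often it catches a Bob who picks $P_{i,0}$ only after seeing $Q_i$. It assumes a hash-based commitment with a random nonce as a stand-in for the Naor commitment the thesis uses, and since the check compares matrices rather than decoding anything, the "keys" are plain random $k \times n$ matrices. The strategy interfaces `honest_bob` and `cheating_bob` are this example's own conventions.

```python
import hashlib
import random

K, N = 4, 7   # toy matrix dimensions (constructed); the Step 6 check works for any k x n


def rand_matrix(rng):
    return tuple(tuple(rng.randrange(2) for _ in range(N)) for _ in range(K))

def mat_xor(A, B):
    return tuple(tuple(a ^ b for a, b in zip(r, s)) for r, s in zip(A, B))

def commit(M, rng):
    """Hash commitment with a 128-bit nonce: a stand-in for the Naor commitment used in the thesis
    (binding by collision resistance, hiding by nonce entropy). Returns (commitment, opening)."""
    nonce = rng.getrandbits(128).to_bytes(16, "big")
    return hashlib.sha256(nonce + bytes(bit for row in M for bit in row)).digest(), (nonce, M)

def open_commitment(com, opening):
    nonce, M = opening
    ok = hashlib.sha256(nonce + bytes(bit for row in M for bit in row)).digest() == com
    return M if ok else None

def honest_bob():
    """Steps 1 and 3 for an honest Bob: both keys are fixed and committed before Q_0, Q_1 are seen."""
    def step1(rng):
        c = (rng.randrange(2), rng.randrange(2))
        keys = (rand_matrix(rng), rand_matrix(rng))        # stands for P_{0,c_0}, P_{1,c_1}
        coms, opens = zip(*(commit(P, rng) for P in keys))
        return coms, {"c": c, "keys": keys, "opens": opens}
    def step3(state, Q, rng):
        # P_{i,0} is the key itself when c_i = 0, otherwise P_{i,c_i} xor Q_i
        sent = tuple(state["keys"][i] if state["c"][i] == 0 else mat_xor(state["keys"][i], Q[i])
                     for i in (0, 1))
        return sent, state
    return step1, step3

def cheating_bob(cheat_on):
    """Bob who, for the indices in cheat_on, picks P_{i,0} only after seeing Q_i (the attack on
    Protocol 4.2.1: choose P_{i,0} and P_{i,1} = P_{i,0} xor Q_i to both be decodable). His
    commitment for those indices necessarily predates Q_i, so it is to some unrelated matrix."""
    h_step1, h_step3 = honest_bob()
    def step3(state, Q, rng):
        sent, state = h_step3(state, Q, rng)
        sent = tuple(mat_xor(Q[i], rand_matrix(rng)) if i in cheat_on else sent[i] for i in (0, 1))
        return sent, state
    return h_step1, step3

def run_steps_1_to_6(step1, step3, rng):
    """Alice's side of Steps 2, 4, 5 and 6 of Protocol 4.3.1; True if Alice stops (cheating caught)."""
    coms, state = step1(rng)                                       # 1. Bob commits to P_{0,c_0}, P_{1,c_1}
    Q = (rand_matrix(rng), rand_matrix(rng))                       # 2. Alice -> Bob: Q_0, Q_1
    sent, state = step3(state, Q, rng)                             # 3. Bob -> Alice: P_{0,0}, P_{1,0}
    P = [(sent[i], mat_xor(sent[i], Q[i])) for i in (0, 1)]        # 4. Alice: P_{i,1} = P_{i,0} xor Q_i
    j = rng.randrange(2)                                           #    challenge j
    opened = open_commitment(coms[1 - j], state["opens"][1 - j])   # 5. Bob opens P_{1-j,c_{1-j}}
    return opened is None or opened not in P[1 - j]                # 6. must be P_{1-j,0} or P_{1-j,1}

def detection_rate(bob, trials, seed):
    """Fraction of runs in which Alice stops the protocol, for a given Bob strategy and seed."""
    rng = random.Random(seed)
    step1, step3 = bob
    return sum(run_steps_1_to_6(step1, step3, rng) for _ in range(trials)) / trials
```

Running `detection_rate` for the three strategies reproduces the case analysis of the proof below: an honest Bob is never stopped, a Bob who cheats on both indices is stopped in essentially every run, and a Bob who cheats on exactly one index is stopped in about half of the runs, which is where the $1/2 + \varepsilon(n)$ bound comes from.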

Theorem 4.3.2 Assuming the bit commitment scheme used is secure, Protocol 4.3.1 implements a randomized oblivious transfer that is complete and secure for Bob against active attacks according to Definition 4.1.1 under Assumptions 4.1.3 and 4.1.4. Additionally, the probability that a malicious Bob learns both $a_0$ and $a_1$ is at most $1/2 + \varepsilon(n)$, where $\varepsilon(n)$ is a negligible function.

Completeness: An honest Bob always passes the test of Step 6 and receives a valid encryption of $r_d$, so he can compute $a_d$.

Security for Alice: In order to obtain information on $a_0$ and $a_1$ simultaneously, Bob must learn $r_0$ and $r_1$. The encryptions of $r_0$ and $r_1$ depend only on $P_{j,0}$ and $P_{j,1}$, respectively.

If Bob sends both $P_{0,0}$ and $P_{1,0}$ chosen according to the protocol (honest procedure), then the probability that he learns both inputs of Alice is the same as in the passive protocol, i.e., it is negligible. If Bob chooses both $P_{0,0}$ and $P_{1,0}$ maliciously, then with overwhelming probability Alice will stop the protocol in Step 6 and Bob will learn neither $r_0$ nor $r_1$.

Bob's best strategy is to choose one of the matrices honestly and the other maliciously: he can then cheat and partially decode both $r_0$ and $r_1$ if Alice asks him to open the honestly chosen matrix. However, with probability $1/2$ Alice asks him to open the maliciously chosen matrix. In this case, since the commitment is binding, Bob can open it to a value that passes Alice's check in Step 6 only with negligible probability. Thus, the probability that a malicious Bob learns both $a_0$ and $a_1$ is at most $1/2 + \varepsilon(n)$, where $\varepsilon(n)$ is a negligible function.

27

Security for Bob: The commitment to $P_{j,c_j} = P_{j,d}$ is not opened, so the security for Bob follows from Assumption 4.1.3 as in protocol 4.2.1.

As long as the commitment is secure, the possible differences from the passive scenario are the following:

− Alice could cheat by sending a specially chosen matrix $Q$; however, by Assumption 4.1.3 she cannot tell $P_{j,c_j}$ from random, hence her choice of $Q$ will not affect her ability to learn $d$;

− For some $i \in \{0,1\}$, Alice may use a different matrix instead of $P_{j,i}$ for encrypting $r_i$ in Step 7, hoping that $i = d$ so that Bob will encounter a decoding error and then complain, thereby disclosing his choice. However, the last instruction of Step 8 thwarts such an attack by forcing Bob to accept with a fixed output "0". Sending a "wrong" syndrome is then equivalent to the situation where Alice sets her input $a_i = 0$.

Thus, it follows that the protocol is secure against Alice.

4.3.2 Derandomizing the previous protocol

Subsequently, we use the method of [3] to transform the randomized oblivious transfer into an (ordinary) oblivious transfer with the same security characteristics.

Protocol 4.3.3

1. Bob and Alice execute protocol 4.3.1. Alice receives $a_0, a_1$ and Bob receives $d, a_d$.

2. Bob chooses $c$, sets $e = c \oplus d$ and sends $e$ to Alice.

3. Alice chooses $b_0, b_1 \in \{0,1\}$, computes $f_0 = b_0 \oplus a_e$ and $f_1 = b_1 \oplus a_{1 \oplus e}$ and sends $f_0, f_1$ to Bob.

4. Bob computes $b_c = f_c \oplus a_d$.

Theorem 4.3.4 Protocol 4.3.3 implements an oblivious transfer with the same security characteristics as protocol 4.3.1.

Completeness: $f_c = b_c \oplus a_{c \oplus e} = b_c \oplus a_d$, so an honest Bob can recover $b_c$ because he knows $a_d$.

Security for Alice: $f_{1 \oplus c} = b_{1 \oplus c} \oplus a_{1 \oplus c \oplus e} = b_{1 \oplus c} \oplus a_{1 \oplus d}$, so Bob can recover both $b_0$ and $b_1$ only if he knows $a_0$ and $a_1$.

Security for Bob: Alice has to discover $d$ in order to compute $c$, thus the security for Bob follows from protocol 4.3.1.

4.3.3 Reducing the probability of Bob cheating

Finally, we use the reduction of [28] to minimize the probability that a malicious Bob learns both inputs of Alice. In this reduction, protocol 4.3.3 is executed $s$ times in parallel, where $s$ is a security parameter. The inputs in each execution are chosen in such a way that Bob must learn both bits in all executions to be able to compute both inputs of Alice in protocol 4.3.5.

Protocol 4.3.5

1. Alice chooses $b_0, b_1 \in \{0,1\}$ and $b_{0,1}, b_{0,2}, \ldots, b_{0,s}, b_{1,1}, b_{1,2}, \ldots, b_{1,s} \in_R \{0,1\}$ such that $b_0 = b_{0,1} \oplus b_{0,2} \oplus \ldots \oplus b_{0,s}$ and $b_1 = b_{1,1} \oplus b_{1,2} \oplus \ldots \oplus b_{1,s}$.

2. Bob chooses $c \in \{0,1\}$.

3. Protocol 4.3.3 is executed $s$ times, with inputs $b_{0,i}, b_{1,i}$ from Alice and $c_i = c$ from Bob, for $i = 1, \ldots, s$.

4. Bob computes $b_c = b_{c,1} \oplus b_{c,2} \oplus \ldots \oplus b_{c,s}$.
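To make the two reductions concrete, here is an added example (not code from the thesis, nor from [3] or [28]) that implements Protocol 4.3.3 on top of a randomized OT and Protocol 4.3.5 on top of that. The randomized OT is simulated directly: a trusted sampler hands Alice $(a_0, a_1)$ and Bob $(d, a_d)$, an assumption that replaces Protocol 4.3.1 so the reductions can be checked on their own. The two sampling functions at the end exercise the one-time-pad arguments in the proof of Theorem 4.3.4: Bob's view of the bit he did not choose is $f_{1 \oplus c} = b_{1 \oplus c} \oplus a_{1 \oplus d}$, and Alice's view of the choice is $e = c \oplus d$; each is masked by a uniform bit the viewing party does not hold. All function names are the example's own.

```python
import random
from functools import reduce
from operator import xor

def random_ot(rng):
    # Ideal randomized OT (assumption: stands in for the output of Protocol 4.3.1).
    # A trusted sampler gives Alice (a0, a1) and Bob (d, a_d), all bits uniform.
    a0, a1, d = rng.randrange(2), rng.randrange(2), rng.randrange(2)
    return (a0, a1), (d, (a0, a1)[d])

def derandomized_ot(b0, b1, c, rng):
    """Protocol 4.3.3: chosen-input OT from one randomized OT.
    Returns (Bob's output b_c, Alice's view e, Bob's view (f0, f1, d, a_d))."""
    (a0, a1), (d, ad) = random_ot(rng)      # Step 1
    e = c ^ d                               # Step 2: Bob sends e
    f0 = b0 ^ (a0, a1)[e]                   # Step 3: Alice sends f0, f1
    f1 = b1 ^ (a0, a1)[1 ^ e]
    bc = (f0, f1)[c] ^ ad                   # Step 4: f_c = b_c xor a_d
    return bc, e, (f0, f1, d, ad)

def xor_shares(b, s, rng):
    # Step 1 of Protocol 4.3.5: s uniform bits whose XOR equals b.
    shares = [rng.randrange(2) for _ in range(s - 1)]
    shares.append(b ^ reduce(xor, shares, 0))
    return shares

def amplified_ot(b0, b1, c, s, rng):
    """Protocol 4.3.5: s parallel runs of Protocol 4.3.3 on XOR shares, same c in each."""
    shares0, shares1 = xor_shares(b0, s, rng), xor_shares(b1, s, rng)
    parts = [derandomized_ot(shares0[i], shares1[i], c, rng)[0] for i in range(s)]
    return reduce(xor, parts, 0)            # Step 4: b_c = XOR of all b_{c,i}

def completeness_check(seed, s=8):
    """True if Bob recovers b_c for every (b0, b1, c) with s parallel executions."""
    rng = random.Random(seed)
    return all(amplified_ot(b0, b1, c, s, rng) == (b0, b1)[c]
               for b0 in (0, 1) for b1 in (0, 1) for c in (0, 1))

def other_bit_view(b0, b1, c, seed, trials=2000):
    """Security for Alice: fraction of runs in which Bob's f_{1-c} equals 1.
    f_{1-c} = b_{1-c} xor a_{1-d}, and a_{1-d} is uniform and unknown to Bob,
    so the fraction stays near 1/2 whatever b_{1-c} is."""
    rng = random.Random(seed)
    ones = 0
    for _ in range(trials):
        _, _, (f0, f1, _, _) = derandomized_ot(b0, b1, c, rng)
        ones += (f0, f1)[1 ^ c]
    return ones / trials

def choice_view(c, seed, trials=2000):
    """Security for Bob: fraction of runs in which Alice's e equals 1.
    e = c xor d with d uniform and unknown to Alice, so it stays near 1/2 for either c."""
    rng = random.Random(seed)
    return sum(derandomized_ot(0, 0, c, rng)[1] for _ in range(trials)) / trials
```

The amplification in `amplified_ot` is what Theorem 4.3.6 relies on: every share $b_{0,i}, b_{1,i}$ is uniform on its own, so a Bob who misses even one execution's second bit is left with a uniformly masked $b_{1 \oplus c}$.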

Theorem 4.3.6 Assuming that the bit commitment scheme used in protocol 4.3.1 is secure, protocol 4.3.5 is complete and secure for both Alice and Bob against active attacks according to Definition 4.1.1 under Assumptions 4.1.3 and 4.1.4.

Completeness: An honest Bob learns all $b_{c,i}$ for $i = 1, \ldots, s$ in the $s$ executions of protocol 4.3.3 and therefore he can compute $b_c$.

Security for Alice: Bob must discover both bits in all executions of protocol 4.3.3 in order to learn something simultaneously about $b_0$ and $b_1$. The probability that a malicious Bob learns both bits in an execution of protocol 4.3.3 is at most $1/2 + \varepsilon(n)$, where $\varepsilon(n)$ is a negligible function. There exists an $n_0$ such that $\varepsilon(n) < 1/4$ for any $n > n_0$. We can choose $n > n_0$, so $\beta = 1/2 + \varepsilon(n) < 3/4$ and the probability that a malicious Bob learns both $b_0$ and $b_1$ is less than $(3/4)^s$, which is negligible in $s$. Thus, the protocol is secure for Alice.

Security for Bob: Alice discovers $c$ if she learns any $c_i$, but this probability is negligible because the probability that she learns a specific $c_i$ in the respective execution of protocol 4.3.3 is negligible and the number of executions of protocol 4.3.3 is polynomial.

5 CONCLUSIONS

This thesis has two main contributions: a proof of equivalence between universally composable security and list-based security (a seemingly much weaker definition) for the case of commitment protocols based on noisy channels; and the first oblivious-transfer protocol based on the hardness of the McEliece assumptions.

Our first result is of practical and theoretical interest, as it immediately implies that all the commitment protocols based on noisy channels proposed in the literature have a much higher level of security than previously thought. On the theoretical side, we introduce a new setup assumption for achieving universal composability. This very strong notion of security (UC) is very useful in the modular design of complex secure protocols. We believe our result will arouse interest in the search for new setup assumptions for obtaining UC security and in looking for a better understanding of physical security assumptions.

We believe that our result can be generalized to unfair noisy channels and stateless two-party primitives in general. We leave those generalizations as future work. Another open problem is finding protocols of bit commitment based on noisy channels for which the simulator is efficient. This last result would be particularly useful when composing computationally secure protocols with unconditionally secure ones.

In Chapter 4, we describe a 1-2 OT based solely on the two McEliece assumptions. These assumptions were used in one of the first cryptosystems and, in their original formulation, have not been broken until now, even with quantum computers. This fact gives us some confidence in the veracity of these assumptions. One of the McEliece assumptions (hardness of decoding a random linear code) is in fact NP-complete, and if someone proves that decoding a random linear code is easy, this would imply that P = NP (one of the most important open problems in computer science).

To our knowledge, this is the first oblivious transfer protocol based on the McEliece assumptions only and, concurrently with [59], the first computationally secure oblivious transfer protocol not known to be broken by a quantum computer. We think that it is important to build secure 1-2 OT protocols based on other computational assumptions not known to be broken by a quantum computer, because 1-2 OT is one of the fundamental primitives for Secure Multiparty Computation.

One open problem is to build and prove the security of a protocol for 1-2 OT based solely on the McEliece assumptions that is secure against dynamic adversaries. Another related open problem is to prove the security of some 1-2 OT protocol based on the McEliece assumptions using the simulation paradigm, especially in the UC framework. We obtain security in what is known in the literature as the "half-simulatable" model. We feel that building protocols that UC-realize Oblivious Transfer and that are not based on assumptions for which we know efficient quantum algorithms is a fundamental question because of the importance of OT to Secure Multiparty Computation.

In conclusion, we think that, due to the importance that the primitives of Commitment and Oblivious Transfer have for cryptographic applications, a great effort should be made to build new protocols for these primitives and to prove the security of protocols that carry out such primitives according to the various security definitions, preferably in accordance with the stronger security definitions such as UC security.

REFERENCES

[1] AHLSWEDE, R.; CSISZÁR, I. Common Randomness in Information Theory and Cryptography – Part I: Secret Sharing. IEEE Trans. Inf. Theory, vol. 39, no. 4, pp. 1121–1132, 1993.

[2] AIELLO, W.; ISHAI, Y.; REINGOLD, O. Priced Oblivious Transfer: How to Sell Digital Goods. EUROCRYPT 2001, pp. 119–135, 2001.

[3] BEAVER, D. Precomputing Oblivious Transfer. CRYPTO 1995, pp. 97–109, 1995.

[4] BARAK, B.; CANETTI, R.; NIELSEN, J.; PASS, R. Universally Composable Protocols with Relaxed Set-Up Assumptions. 36th FOCS, pp. 186–195, 2004.

[5] BELLARE, M.; MICALI, S. Non-Interactive Oblivious Transfer and Applications. CRYPTO 1989, LNCS 435, pp. 547–557, 1990.

[6] BERLEKAMP, E.; MCELIECE, R.; VAN TILBORG, H. On the Inherent Intractability of Certain Coding Problems. IEEE Trans. Inf. Theory, vol. 24, pp. 384–386, 1978.

[7] BLUM, M. Coin Flipping by Telephone. CRYPTO 1981, pp. 11–15, 1981.

[8] BRASSARD, G.; CHAUM, D.; CRÉPEAU, C. Minimum Disclosure Proofs of Knowledge. JCSS, vol. 37, no. 2, pp. 156–189, 1988.

[9] BRASSARD, G.; CRÉPEAU, C. Oblivious transfers and privacy amplification. EUROCRYPT 1997, LNCS 1233, pp. 334–347, Springer-Verlag, 1997.

[10] BRASSARD, G.; CRÉPEAU, C.; ROBERT, J. Information theoretic reductions among disclosure problems. Proceedings of the 27th Annual IEEE Symposium on Foundations of Computer Science (FOCS 1986), pp. 168–173, 1986.

[11] BRASSARD, G.; CRÉPEAU, C.; WOLF, S. Oblivious transfers and privacy amplification. Journal of Cryptology, 16(4), pp. 219–237, 2003.

[12] CANETTI, R. Universally Composable Security: A New Paradigm for Cryptographic Protocols. 42nd Symposium on Foundations of Computer Science (FOCS 2001), pp. 136–145, 2001.

[13] CANETTI, R. Universally Composable Security: A New Paradigm for Cryptographic Protocols. Available at http://eprint.iacr.org/2000/067. Extended abstract appeared in: 42nd Symposium on Foundations of Computer Science (FOCS), 2001.

[14] CANETTI, R.; FISCHLIN, M. Universally composable commitments. CRYPTO 2001, pp. 19–40, 2001.

[15] CANETTI, R.; LINDELL, Y.; OSTROVSKY, R.; SAHAI, A. Universally composable two-party and multi-party secure computation. 34th STOC, pp. 494–503, 2002.

[16] CANTEAUT, A.; CHABAUD, F. A new algorithm for finding minimum-weight words in a linear code: application to primitive narrow-sense BCH codes of length 511. IEEE Trans. Inf. Theory, vol. 44, no. 1, pp. 367–378, 1998.

[17] CHAUM, D. Demonstrating That a Public Predicate Can Be Satisfied Without Revealing Any Information About How. CRYPTO 1986, pp. 195–199, 1986.

[18] CHAUM, D.; CRÉPEAU, C.; DAMGÅRD, I. Multiparty Unconditionally Secure Protocols (Extended Abstract). STOC 1988, pp. 11–19, 1988.

[19] CHAUM, D.; DAMGÅRD, I.; VAN DE GRAAF, J. Multiparty Computations Ensuring Privacy of Each Party's Input and Correctness of the Result. CRYPTO 1987, pp. 87–119, 1987.

[20] CHAUM, D.; FIAT, A.; NAOR, M. Untraceable Electronic Cash. CRYPTO 1988, pp. 319–327, 1988.

[21] COURTOIS, N.; FINIASZ, M.; SENDRIER, N. How to Achieve a McEliece Digital Signature Scheme. ASIACRYPT 2001, LNCS 2248, pp. 157–174, 2001.

[22] CRÉPEAU, C. Efficient Cryptographic Protocols Based on Noisy Channels. EUROCRYPT 1997, pp. 306–317, 1997.

[23] CRÉPEAU, C. Equivalence between two flavors of oblivious transfers. CRYPTO 1987, LNCS 293, pp. 350–354, 1988.

[24] CRÉPEAU, C.; VAN DE GRAAF, J.; TAPP, A. Committed Oblivious Transfer and Private Multi-Party Computations. CRYPTO 1995, 1995.

[25] CRÉPEAU, C.; KILIAN, J. Achieving oblivious transfer using weakened security assumptions. 29th FOCS, pp. 42–52, 1988.

[26] CRÉPEAU, C.; MOROZOV, K.; WOLF, S. Efficient unconditional oblivious transfer from almost any noisy channel. Fourth Conference on Security in Communication Networks (SCN 2004), LNCS 3352, pp. 47–59, Springer-Verlag, 2004.

[27] DAMGÅRD, I.; GROTH, J. Non-interactive and reusable non-malleable commitment schemes. 34th STOC, pp. 426–437, 2003.

[28] DAMGÅRD, I.; KILIAN, J.; SALVAIL, L. On the (Im)possibility of Basing Oblivious Transfer and Bit Commitment on Weakened Security Assumptions. EUROCRYPT 1999, pp. 56–73, 1999.

[29] DAMGÅRD, I.; NIELSEN, J. Perfect Hiding and Perfect Binding Universally Composable Commitment Schemes with Constant Expansion Factor. CRYPTO 2002, pp. 581–596, 2002.

[30] DIFFIE, W.; HELLMAN, M. New Directions in Cryptography. IEEE Transactions on Information Theory, vol. IT-22, pp. 644–654, 1976.

[31] DODIS, Y.; PASS, R.; WALFISH, S. Fully Simulatable Multiparty Computation. Manuscript, 2005.

[32] DODIS, Y.; MICALI, S. Lower bounds for oblivious transfer reductions. EUROCRYPT 1999, LNCS 1592, pp. 42–55, Springer-Verlag, 1999.

[33] DOWSLEY, R.; VAN DE GRAAF, J.; MÜLLER-QUADE, J.; NASCIMENTO, A. C. A. Oblivious Transfer Based on the McEliece Assumptions. To appear in ICITS 2008, 2008.

[34] DOWSLEY, R.; VAN DE GRAAF, J.; MÜLLER-QUADE, J.; NASCIMENTO, A. C. A. On the Composability of Statistically Secure Bit Commitments. Manuscript, 2008.

[35] DOWSLEY, R.; MÜLLER-QUADE, J.; NASCIMENTO, A. C. A. On Possibility of Universally Composable Commitments Based on Noisy Channels. SBSEG 2008, 2008.

[36] EVEN, S. Protocol for Signing Contracts. CRYPTO 1981, pp. 148–153, 1981.

[37] EVEN, S.; GOLDREICH, O.; LEMPEL, A. A Randomized Protocol for Signing Contracts. Communications of the ACM, 28(6), pp. 637–647, 1985.

[38] FISCHER, J.; STERN, J. An Efficient Pseudo-Random Generator Provably as Secure as Syndrome Decoding. EUROCRYPT 1996, pp. 245–255, 1996.

[39] GARAY, J.; MACKENZIE, P.; YANG, K. Efficient and universally composable committed oblivious transfer and applications. Theory of Cryptography Conference (TCC 2004), LNCS 2951, pp. 297–316, Springer-Verlag, 2004.

[40] GERTNER, Y.; KANNAN, S.; MALKIN, T.; REINGOLD, O.; VISWANATHAN, M. The Relationship between Public Key Encryption and Oblivious Transfer. FOCS 2000, pp. 325–335, 2000.

[41] GOLDREICH, O. Foundations of Cryptography: Volume 1 – Basic Tools. Cambridge University Press, 2001.

[42] GOLDREICH, O. Foundations of Cryptography: Volume 2 – Basic Applications. Cambridge University Press, 2004.

[43] GOLDREICH, O.; KAHAN, A. How to Construct Constant-Round Zero-Knowledge Proof Systems for NP. J. Cryptology, 9(3), pp. 167–190, 1996.

[44] GOLDREICH, O.; LEVIN, L. Hard-Core Predicates for Any One-Way Function. 21st ACM Symposium on the Theory of Computing, pp. 25–32, 1989.

[45] GOLDREICH, O.; MICALI, S.; WIGDERSON, A. How to Play Any Mental Game or a Completeness Theorem for Protocols with Honest Majority. STOC 1987, 1987.

[46] GOLDREICH, O.; MICALI, S.; WIGDERSON, A. Proofs that Yield Nothing but their Validity or All Languages in NP have Zero-Knowledge Proof Systems. J. ACM, 38(3), pp. 691–729, 1991.

[47] GOLDWASSER, S.; MICALI, S.; RACKOFF, C. The Knowledge Complexity of Interactive Proof Systems. SIAM Journal on Computing, vol. 18, no. 1, pp. 186–208, 1989.

[48] GOLDWASSER, S.; MICALI, S.; RIVEST, R. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. SIAM J. Comput., 17(2), pp. 281–308, 1988.

[49] HAITNER, I. Implementing Oblivious Transfer Using Collection of Dense Trapdoor Permutations. TCC 2004, LNCS 2951, pp. 394–409, 2004.

[50] HALEVI, S.; MICALI, S. Practical and Provably-Secure Commitment Schemes from Collision-Free Hashing. CRYPTO 1996, pp. 201–215, 1996.

[51] HÅSTAD, J.; IMPAGLIAZZO, R.; LEVIN, L.; LUBY, M. A Pseudorandom Generator from any One-way Function. SIAM J. Comput., 28(4), pp. 1364–1396, 1999.

[52] HOFHEINZ, D.; MÜLLER-QUADE, J. Universally Composable Commitments Using Random Oracles. Theory of Cryptography Conference (TCC 2004), pp. 58–74, 2004.

[53] IMAI, H.; KOBARA, K.; MOROZOV, K.; NOJIMA, R. Semantic Security for the McEliece Cryptosystem without Random Oracles. International Workshop on Coding and Cryptography (WCC 2007), pp. 257–268, INRIA, 2007.

[54] IMAI, H.; NASCIMENTO, A.; WINTER, A. Commitment Capacity of Discrete Memoryless Channels. IMA Int. Conf. 2003, pp. 35–51, 2003.

[55] IMPAGLIAZZO, R.; RUDICH, S. Limits on the provable consequences of one-way permutations. 21st Annual ACM Symposium on Theory of Computing (STOC 1989), pp. 186–208, ACM Press, 1989.

[56] KALAI, Y. Smooth Projective Hashing and Two-Message Oblivious Transfer. EUROCRYPT 2005, LNCS 3494, pp. 78–95, 2005.

[57] KATZ, J. Universally Composable Multi-party Computation Using Tamper-Proof Hardware. EUROCRYPT 2007, pp. 115–128, 2007.

[58] KILIAN, J. Founding Cryptography on Oblivious Transfer. 20th ACM STOC, pp. 20–31, ACM Press, 1988.

[59] KOBARA, K.; MOROZOV, K.; OVERBECK, R. Oblivious Transfer via McEliece's PKC and Permuted Kernels. Cryptology ePrint Archive, Report 2007/382, 2007.

[60] MAURER, U. Protocols for Secret Key Agreement by Public Discussion Based on Common Information. CRYPTO 1992, pp. 461–470, 1993.

[61] MCELIECE, R. The Theory of Information and Coding. Vol. 3 of The Encyclopedia of Mathematics and Its Applications, Addison-Wesley, Reading, Mass., 1977.

[62] MCELIECE, R. A Public-Key Cryptosystem Based on Algebraic Coding Theory. Deep Space Network Progress Report, 1978.

[63] MORAN, T.; SEGEV, G. David and Goliath Commitments: UC Computation for Asymmetric Parties Using Tamper-Proof Hardware. EUROCRYPT 2008, pp. 527–544, 2008.

[64] NAOR, M. Bit Commitment Using Pseudorandomness. J. Cryptology, 4(2), pp. 151–158, 1991.

[65] NAOR, M.; PINKAS, B. Efficient Oblivious Transfer Protocols. SODA 2001 (SIAM Symposium on Discrete Algorithms), 2001.

[66] NAOR, M.; OSTROVSKY, R.; VENKATESAN, R.; YUNG, M. Perfect Zero-Knowledge Arguments for NP Using Any One-Way Permutation. J. Cryptology, 11(2), pp. 87–108, 1998.

[67] PRABHAKARAN, M.; SAHAI, A. New Notions of Security: Achieving Universal Composability without Trusted Setup. Proc. of STOC, 2004.

[68] RABIN, M. How to Exchange Secrets by Oblivious Transfer. Technical Memo TR-81, Aiken Computation Laboratory, Harvard University, 1981.

[69] REGEV, O. On Lattices, Learning with Errors, Random Linear Codes, and Cryptography. 37th STOC, pp. 84–93, 2005.

[70] SENDRIER, N. Finding the Permutation Between Equivalent Linear Codes: The Support Splitting Algorithm. IEEE Trans. Inf. Theory, 46(4), pp. 1193–1203, 2000.

[71] SHAMIR, A. An efficient identification scheme based on permuted kernels. CRYPTO 1989, LNCS 435, pp. 606–609, Springer-Verlag, 1990.

[72] SHANNON, C. Communication Theory of Secrecy Systems. Bell System Technical Journal, vol. 28, pp. 656–715, 1949.

[73] SHOR, P. Algorithms for quantum computation: Discrete logarithms and factoring. 35th Annual Symposium on Foundations of Computer Science (Shafi Goldwasser, ed.), IEEE Computer Society Press, pp. 124–134, 1994.

[74] WIESNER, S. Conjugate coding. Sigact News, vol. 15, no. 1, pp. 78–88, 1983.

[75] WYNER, A. The Wire Tap Channel. Bell System Technical Journal, vol. 54, pp. 1355–1387, 1975.

[76] YAO, A. Protocols for Secure Computations (Extended Abstract). FOCS 1982, pp. 160–164, 1982.

[77] YAO, A. How to Generate and Exchange Secrets (Extended Abstract). FOCS 1986, pp. 162–167, 1986.