Dissertationen zum Thema „Oblivious transfer protocols“

Security is a major issue for electronic commerce. Crytography is the foundation of security and oblivious transfer (OT) protocols are one primitive of modern cryptography. The main goal of this dissertation is to develop new and more efficient OT protocols and explore their applications in electronic commerce. A new m out of n OT scheme is proposed, its implementation, security and efficiency are discussed, and it is compared with a previous OT scheme. The analysis shows that the previous OT protocol can be regarded as a special case of the new proposed OT scheme. The new OT scheme's applicability in blind signatures is explored. A new non-interactive m out of n OT scheme is proposed that includes a newly developed public keys generation algorithm based on the discrete log problem and an OT protocol based on the Diffie-Hellman problem. The security of this scheme is discussed. A new buying digital goods scheme is proposed using the new m out of n priced OT which is based on the priced OT protocol developed by Bill Aiello, Yuval Isahai, and Omer Reingold. Tools used in this scheme are discussed and its security is analyzed. A concrete homomorphic protocol is given<br>Master of Science (Hons)

Security is a major issue for electronic commerce. Crytography is the foundation of security and oblivious transfer (OT) protocols are one primitive of modern cryptography. The main goal of this dissertation is to develop new and more efficient OT protocols and explore their applications in electronic commerce. A new m out of n OT scheme is proposed, its implementation, security and efficiency are discussed, and it is compared with a previous OT scheme. The analysis shows that the previous OT protocol can be regarded as a special case of the new proposed OT scheme. The new OT scheme's applicability in blind signatures is explored. A new non-interactive m out of n OT scheme is proposed that includes a newly developed public keys generation algorithm based on the discrete log problem and an OT protocol based on the Diffie-Hellman problem. The security of this scheme is discussed. A new buying digital goods scheme is proposed using the new m out of n priced OT which is based on the priced OT protocol developed by Bill Aiello, Yuval Isahai, and Omer Reingold. Tools used in this scheme are discussed and its security is analyzed. A concrete homomorphic protocol is given

The problem of secure computation considers a set of parties who do not trust each other and yet want to perform public computations on data sets held privately by each individual. The most important property of secure computations is that they are input-privacy preserving. Intuitively this means that after the computation has finished no party can say something meaningful about the inputs of the other parties -beyond what is implicit in the outcome of the computation. This thesis focuses on the design and analysis of protocols in the pre-processing model with a majority of dishonest parties. This model presupposes an initial set-up that produces a large number of independent data to be used as auxiliary input at a later stage, when the actual secure computation takes place. The' current state of the art for producing such precomputed data employs homomorphic encryption and techniques derived from oblivious transfer. As a side effect we also dwell on the problem of extending oblivious transfer.

L'avènement de l'informatique quantique permet de réétudier les primitives cryptographiques avec une sécurité inconditionnelle, c'est à dire sécurisé même contre des adversaires tout puissants. En 1984, Bennett et Brassard ont construit un protocole quantique de distribution de clé. Dans ce protocole, deux joueurs Alice et Bob coopèrent pour partager une clé secrète inconnue d'une tierce personne Eve. Ce protocole a une sécurité inconditionnelle et n'a pasd'équivalent classique.Dans ma thèse, j'ai étudié les primitives cryptographiques à deux joueurs où ces joueurs ne se font pas confiance. J'étudie principalement le pile ou face quantique et la mise-en-gage quantique de bit. En informatique classique, ces primitivessont réalisables uniquement avec des hypothèses calculatoires, c'est-à-dire en supposant la difficulté d'un problème donné. Des protocoles quantiques ont été construits pour ces primitives où un adversaire peut tricher avec une probabilité constante strictement inférieure à 1, ce qui reste impossible classiquement. Néanmoins, Lo et Chau ont montré l'impossibilité de créer ces primitives parfaitement même en utilisant l'informatique quantique. Il reste donc à déterminer quelles sont les limites physiques de ces primitives.Dans une première partie, je construis un protocole quantique de pile ou face où chaque joueur peut tricher avec probabilité au plus 1/racine(2) + eps pour tout eps &gt; 0. Ce résultat complète un résultat de Kitaev qui dit que dans un jeu de pile ou face quantique, un joueur peut toujours tricher avec probabilité au moins 1/racine(2). J'ai également construit un protocole de mise-en-gage de bit quantique optimal où un joueur peut tricher avec probabilité au plus 0,739 + eps pour tout eps &gt; 0 puis ai montré que ce protocole est en fait optimal. Finalement, j'ai dérivé des bornes inférieures et supérieures pour une autre primitive: la transmission inconsciente, qui est une primitive universelle.Dans une deuxième partie, j'intègre certains aspects pratiques dans ces protocoles. Parfois les appareils de mesure ne donnent aucun résultat, ce sont les pertes dans la mesure. Je construis un protocole de lancer de pièce quantique tolérant aux pertes avec une probabilité de tricher de 0,859. Ensuite, j'étudie le modèle dispositif-indépendant où on ne suppose plus rien sur les appareils de mesure et de création d'état quantique.Finalement, dans une troisième partie, j'étudie ces primitives cryptographiques avec un sécurité computationnelle. En particulier, je fais le lien entre la mise en gage de bit quantique et les protocoles zero-knowledge quantiques<br>Quantum computing allows us to revisit the study of quantum cryptographic primitives with information theoretic security. In 1984, Bennett and Brassard presented a protocol of quantum key distribution. In this protocol, Alice and Bob cooperate in order to share a common secret key k, which has to be unknown for a third party that has access to the communication channel. They showed how to perform this task quantumly with an information theoretic security; which is impossible classically.In my thesis, I study cryptographic primitives with two players that do not trust each other. I study mainly coin flipping and bit commitment. Classically, both these primitives are impossible classically with information theoretic security. Quantum protocols for these primitives where constructed where cheating players could cheat with probability stricly smaller than 1. However, Lo, Chau and Mayers showed that these primitives are impossible to achieve perfectly even quantumly if one requires information theoretic security. I study to what extent imperfect protocols can be done in this setting.In the first part, I construct a quantum coin flipping protocol with cheating probabitlity of 1/root(2) + eps for any eps &gt; 0. This completes a result by Kitaev who showed that in any quantum coin flipping protocol, one of the players can cheat with probability at least 1/root(2). I also constructed a quantum bit commitment protocol with cheating probability 0.739 + eps for any eps &gt; 0 and showed that this protocol is essentially optimal. I also derived some upper and lower bounds for quantum oblivious transfer, which is a universal cryptographic primitive.In the second part, I study some practical aspects related to these primitives. I take into account losses than can occur when measuring a quantum state. I construct a Quantum Coin Flipping and Quantum Bit Commitment protocols which are loss-tolerant and have cheating probabilities of 0.859. I also construct these primitives in the device independent model, where the players do not trust their quantum device. Finally, in the third part, I study these cryptographic primitives with information theoretic security. More precisely, I study the relationship between computational quantum bit commitment and quantum zero-knowledge protocols

碩士<br>南台科技大學<br>資訊管理系<br>96<br>Oblivious transfer protocol is an important research topic in the field of cryptography. It includes two parties: Sender and Receiver, where sender wants to convey secret values to receiver, and receiver can choose the secret value he wanted. But the sender cannot know which secret value the receiver chose. Moreover, the receiver cannot get any secret values that he did not choose. According to the amount of secret values that the sender holds and the receiver can choose, oblivious transfer protocols can be classified as all or nothing oblivious transfer protocols, 1 out of 2 oblivious transfer protocols, 1 out of n oblivious transfer protocols and t out of n oblivious transfer protocols. However, only 1 out of 2 oblivious transfer protocols based on elliptic curve cryptography are designed. Therefore, this essay will propose 1 out of n oblivious transfer protocol and t out of n oblivious transfer protocol based on elliptic curve cryptography to enhance the effects and extend the applied environments.

碩士<br>國立嘉義大學<br>資訊工程研究所<br>93<br>The oblivious transfer has a critical problem on the sender’s communication complexity. Therefore, in this thesis, we develop an efficient k-out-of-n Oblivious Transfer whose result is superior to all previous solutions in terms of sender’s communication complexity. In our k-out-of-n Oblivious Transfer protocol, the sender cannot determine which k secret messages the receiver received, and the receiver cannot get the other remaining n-k secret messages if solving the factorization problem is hard. When k=1, we particularly suggest an efficient solution. The priced oblivious transfer which can be applied to sell digital goods, was introduced by Aiello et al. However, in the previous work, such as Aiello et al.’s and Tobias’s papers, a customer buys only one item in each transaction but must receive n ciphertexts from the vendor, which is inefficient because of increasing n-1 non-essential transmissions. For this reason, we present an efficient priced k-out-of-n scheme. In our scheme, the communication cost of the vendor can be greatly reduced.

The security of digital goods buyers and sellers is unbalanced. Of course, the property of sellers is protected; for example, when customers acquire digital books or films from Internet's merchants, they only receive the products they have paid for. Unfortunately, the buyers' privacy is rarely respected: purchases are often — without the buyers' knowledge — monitored, recorded, analysed, and sometimes sold to marketing companies. As a consequence, even if the customers do not intend to acquire additional products, their computer screens are later invaded with targeted advertisements. The main purpose of this thesis is to propose some methods to restore the balance and guarantee the buyers' privacy, while protecting the interests of the sellers. To this end, it is worth looking into the area of cryptography and more specifically, it is worth studying and designing some protocols called distributed oblivious transfer (DOT) protocols. A DOT protocol allows a party A to obtain one of the secret pieces of information (a secret for short) held by a party B so that the following two fundamental conditions are satisfied: • A chooses the secrets she wishes to obtain and does not obtain anything on the secrets she has not chosen, • B does not learn which secret was obtained by A. Furthermore, to improve the availability of the information, the protocol is distributed. That is, the party B transmits his secret information to m servers and the party A needs to contact at least k of these servers to obtain the chosen secret. The servers are not fully trusted, neither by A, nor by B. Therefore, from the information exchanged with A and B, no coalition of servers should be able to learn the secrets of B or the choice of A. The results of a preliminary literature review are surprising. In fact, the number of publications on DOT protocols is small (fewer than 20) compared to, for example, the number of publications on a similar concept, secret sharing (100s of publications). And yet, oblivious transfer is a fundamental component of more complex cryptographic protocols such as multi-party computation protocols, which allow a group of participants to securely calculate any function of their joint secret inputs. So, one could expect many variants, for example of the original DOT protocol introduced in 2002 by Naor and Pinkas [74], to fulfil the requirements of specific scenarios. The design of variants of DOT protocols in traditional cryptography has been the guiding thread of my research. My contribution mainly consists in (a) a critical analysis of the existing protocols, demonstrating their limitations, weaknesses, and in some cases, flaws; and (b) the design of the following protocols,well adapted to some specific situations: A Strongly Secure DOT Protocol. This DOT protocol addresses the most important weakness of unconditionally secure, one-round, polynomial interpolation-based DOT protocols: after the protocol has been executed, if the party A corrupts only one server, she can learn all the secrets of the party B. The protocol is secure even if A corrupts up to k - 1 servers. A Verifiable DOT Protocol. The party A should obtain the secret she has chosen, even when some servers are controlled by a malicious adversary whose objective is to sabotage the protocol. This is the case with this protocol, assuming that the adversary cannot control more than k - 1 servers. A Multiple Secrets DOT Protocol. When the party A wishes to obtain n > 1 secrets, the current protocols have to be executed n times. In this context, they are inefficient. The DOT protocol introduced here allows the party A, by contacting in the same session k - 1 + n servers, to collect n secrets. Adaptive DOT Protocols. The previous protocol allows the party A to request several secrets. However, the request of one secret may depend on the values of secrets already obtained. Two efficient protocols are presented in this scenario. The first one allows A to receive a limited number of secrets and therefore, is well adapted to a single receiver. For several receivers, a second protocol is proposed. This second protocol accepts an unlimited number of queries, but requires communications amongst the servers. A Threshold DOT protocol. Most existing DOT protocols rely on threshold secret sharing schemes. In a k-threshold protocol or scheme, security is guaranteed not only when k parties are contacted, but also when more than k parties are contacted. However, the existing DOT protocols based on k-threshold secret sharing schemes require an additional mechanism to control that exactly k servers are contacted, which is an under-utilisation of the underlying functionality. The proposed protocol is the first k-threshold DOT protocol which allows the party A to contact as many servers as she wishes to obtain the chosen secret, provided that at least k servers are contacted. This research is limited to unconditionally secure protocols, i.e., protocols whose security does not depend on mathematical (unproven) assumptions; within the limits of the given security models, the protocols are secure even against an adversary with unlimited computing power and time. In brief, the results presented in this thesis are a significant advance to the state of the art research on DOT protocols because on one hand, they point out the weaknesses of the DOT protocols most commonly accepted by the cryptographic community and on the other hand, they contribute to the cryptographic field through the design of new protocols, secure and efficient.

碩士<br>南台科技大學<br>資訊管理系<br>93<br>Due to the rapid development of information technology, data communication is more frequent in the network. When two parties need to communicate in secret, they have to share a secret key in advance. The sender encrypts data, and then delivers it to the receiver. The receiver decrypts it using the same secret key. They can share the secret key by public key cryptography. In order to against breaking, the length of the secret key has to be increased. However, even the length of the secret key is long, they still cannot against the attacks of quantum computers. Fortunately, Bennett and Brassard in 1984 proposed a BB84 quantum key distribution protocol, which is secure from the attack of quantum computers. Since BB84 protocol, the communication security has stepped forward to a new milestone. However, the key sharing efficiency is only 50% in BB84 protocol. Therefore, this master thesis will propose two new protocols: The first one is Bases Probability Adjustment (BPA); The second one is Preset Bases Quantum Key Distribution Protocol. These two protocols can improve the key sharing efficiency without affecting the security of BB84. Another research topic of this master thesis is quantum oblivious transfer. It will introduce Crépeau’s 1-out-of-2 quantum oblivious transfer protocol in 1994, and show how to use quantum bit commitment mechanism to prevent the storage attack. This thesis also proposes 1-out-of-2, 1-out-of-n, and m-out-of-n quantum oblivious transfer protocols.

碩士<br>南台科技大學<br>資訊管理系<br>94<br>Oblivious transfer is an important and basic technique in the field of cryptography. Basically, an oblivious transfer protocol includes two parties, Sender and Receiver. Sender has many secrets, and Receiver can freely choose one from those secrets. However, Receiver’s choice is a secret to Sender; Receiver learns nothing from the other secrets. Oblivious transfer protocols can be applied to private information retrieval, exchange secret, fair electronic contract signing, and Internet auction. Oblivious transfer protocols often need to be reused in many applications. After the initial phase of oblivious transfer protocols is completed and the initial parameters can be used repeatedly, the computation cost and transmission cost will be reduced. However, some security problems could be appeared because of reuse. In 2005, Huang and Chang proposed an efficient t-out-of-n oblivious transfer protocol, but this protocol suffers from the un-chosen message replay attack. This thesis will propose a reusable oblivious transfer protocol, which can resist the un-chosen message replay attack. Besides, Wu, Zhang, and Wang in 2003 proposed another t-out-of-n oblivious transfer protocol, which mentioned it cannot efficiently prevent the man-in-the-middle attack in an insecure channel. Hence, this study proposes two authenticated oblivious transfer protocols. One is an oblivious transfer protocol with explicated user authentication, and the other is an oblivious transfer protocol with implicated user authentication. Both protocols can efficiently avoid man-in-the-middle attack.

碩士<br>義守大學<br>資訊工程學系<br>92<br>In this paper, we design two quantum oblivious transfer protocols by current quantum technology. The first one is constructed by using the probabilistic teleportation and entanglement matching [1]. We adjust the coefficients of the EPR pairs and add a Hadamard operation to design the quantum oblivious transfer protocol. The second is designed by the technology of Quantum key distribution via quantum encryption [2]. We design the second quantum oblivious transfer protocol by adding a Hadamard operation and using the technique of Quantum Oblivious Transfer [3] proposed by Crepeau in 1994.

碩士<br>中原大學<br>電機工程研究所<br>106<br>In this thesis, we apply cryptography to propose improved a scheme for password, an improved authentication protocol for Global System for Mobile Communications (GSM) and some new oblivious transfer protocols. At first, with the popularity of the internet and increasing population of users, the great amount of user information need to be managed. We propose an improved model of password system which can reduce transfer times and computing costs by using XOR operator and linear congruential method instead of original encryption and decryption operations, not only simplify infrastructure but also keep the security. Furthermore, the demand for international roaming services is largely fuelled by the increasing availability of mobile devices and increasing frequency of going abroad. We propose an improved scheme for GSM that prompts the challenge to provide the response at the same time from Mobile Station (MS) and Home Location Register (HLR) by Visitor Location Register (VLR) that used to prompt by HLR. As this scheme, it can reduce the times and steps of verification process. Finally, oblivious transfer is an important tool for designing secure protocols and has been widely used in various applications like fairly signing contracts, obliviously searching database, privacy-preserving auctions, secure multiparty computations, playing mental poker games, and so on. It is a protocol by which a sender can send some messages to a receiver without the receiver&apos;&apos;s knowing which part of the messages can be obtained. We design ten new schemes for oblivious transfer protocol which are based on RSA, discrete logarithm and Rabin’s cryptosystems, respectively. There are three results provided in our thesis as follows: 1. We propose an improved password system that keep the security with simple infrastructure. 2. We propose an improved scheme for GSM Authentication Protocol that can reduce the times and steps of verification process. 3. We propose 4 new Schemes for Oblivious Transfer Protocols based on RSA. 4. We propose 4 new Schemes for Oblivious Transfer Protocols based on discrete logarithm. 5. We propose 2 new Schemes for Oblivious Transfer Protocols based on Rabin’s cryptosystems. It is believed that the results of our study in this thesis will be much helpful for the future research in the area of password, GSM and oblivious transfer protocols.

碩士<br>南台科技大學<br>資訊管理系<br>97<br>How to protect the privacy and security of transmitting data in the Internet is a very important issue. Cryptographic techniques are the important tools to enhance the network transmission security. Oblivious transfer protocol is one of the key tools in the contemporary cryptography. In the original oblivious transfer protocol, a sender holds one secret message and a receiver can get the secret message with 1/2 probability. Now, t out of n oblivious transfer protocol allows that the sender holds n secret messages and the receiver only can choose and get t messages. The transmission efficiency is obviously improved. However, All oblivious transfer protocols evaluate secret messages with the same price and weight. But in some environments, the prices of those secret messages are different due to the cost, new/old or capability, e.g., multi-weighted digital data transactions, multi-weighted electronic contract signing and grading secret exchange, etc. Therefore, traditional oblivious transfer protocols are not suitable for these environments and applications. The only way to expand to those applications is to add weights to secret messages. But how to calculate and verify the weights will become main key point for designing weighted oblivious transfer protocols. The thesis will propose t out of n weighted oblivious transfer protocols by using RSA cryptosystem and key exchange encryption technologies. The protocols can be used to enhance the efficiency and extend the applied environments of oblivious transfer.

We demonstrate how to carry out cryptographic security analysis ofdistributed protocols within the Probabilistic I/O Automata frameworkof Lynch, Segala, and Vaandrager.This framework provides tools for arguing rigorously about theconcurrency and scheduling aspects of protocols, and about protocolspresented at different levels of abstraction.Consequently, it can help in making cryptographic analysis moreprecise and less susceptible to errors.We concentrate on a relatively simple two-party Oblivious Transferprotocol, in the presence of a semi-honest adversary (essentially, aneavesdropper).For the underlying cryptographic notion of security, we use a versionof Canetti's Universally Composable security.In spite of the relative simplicity of the example, the exercise isquite nontrivial.It requires taking many fundamental issues into account,including nondeterministic behavior, scheduling, resource-boundedcomputation, and computational hardness assumptions for cryptographicprimitives.

碩士<br>國立雲林科技大學<br>資訊管理系碩士班<br>100<br>Because the rapid development of network, the e-commerce also flourishing. There is an existing transaction protocol called Priced Oblivious Transfer (POT). It is applied that when a buyer wants to perform transactions with a seller, he would not disclose what he purchased. But, if there is a malicious buyer release the digital product illegally after buying it, the seller cannot be protected. Therefore, the protocol has been developed to protect the copyright for sellers, it called PBSW protocol. We discovered there are some defects in the POT protocol, when seller send the digital product to buyer, the privacy of buyer might be disclosed. The mechanism is not secure enough for buyer to perform purchase. In this paper, we revised these defects of POT protocol. In order to achieve protecting buyers’ privacy, we add a trust distributor in whole trade model. Because the watermarking technique in PBSW protocol is embedded the watermark into the digital product, the quality of product will be reduced. So, we also change the watermarking mechanism, we utilize the visual cryptography technique and proposed a Revised Priced Oblivious Transfer Protocol (RPOT). Our study achieves the definition in POT protocol by re-planning its model. In our experiment, we take the picture as an example, and utilize Visual Cryptography Technique to test robustness. The result of experiment, our watermarking mechanism is robust enough to resist attacks. The main contributions include the following. First, we improved the POT protocol and let buyers can buy in an environment which is privacy. Second, we conduct the process of generating secret share to make it more practical.

碩士<br>東海大學<br>資訊管理學系<br>104<br>The Internet is an open, public and transparent environment in which various security threats and malicious attack are hidden during communications. Cryptosystems are therefore utilized for protecting the privacy of communication parties. An oblivious transfer protocol has been regarded as an important secure communication technique in cryptology, mainly because the oblivious transfer mechanism could be applied to e-commerce, confidential information exchange, e-contract, and so on. In the t-out-of-n oblivious transfer protocol, the sender possesses n pieces of information, from which the receiver could choose t pieces of information. However, the sender could not know which information is selected by the receiver and the receiver does not know the contents of the rest n-t pieces of information. Comparing to other cryptosystems, applying elliptic curve cryptosystems to the oblivious transfer protocol and replacing exponent operations with point operations not only could reduce the computational cost of oblivious transfer but also reinforce the protocol security. Current elliptic curve cryptosystem based oblivious transfer systems could be divided into the operation models of “first encrypting message and then calculating the key” and “first calculating the key and then encrypting message”. The former is the commonest oblivious transfer mechanism currently, with which 1-out-of-2, 1-out-of-n, and t-out-of-n oblivious transfer protocols have been derived from various algorithms and transfer protocols and discussed. Nevertheless, most research, under the model of “first calculating the key and then encrypting message”, focuses on 1-out-of-2 and 1-out-of-n oblivious transfer protocols. More practical and complicated t-out-of-n problems are lack of complete research discussion and design implementation. Aiming at such a problem, the t-out-of-n oblivious transfer protocol based on the model of “first calculating the key and then encrypting information” under the elliptic curve cryptosystem technology is proposed in this study. In addition to largely reducing the calculation amount with the characteristics of elliptic curve cryptosystems, the proposed t-out-of-n oblivious transfer protocol also designs the key with Cantor pairing function to effectively distinguish t pieces of selected and decrypted information. Nonetheless, the overall information transfer amount through this protocol is higher than general t-out-of-n oblivious transfer protocols under the model of “first encrypting message and then calculating the key”. The application of Cantor pairing function to oblivious transfer protocols is therefore extended in this study to reduce the total information transfer amount and allow t-out-of-n oblivious transfer better conforming to the practical requirements of high security, high efficiency, and low bandwidth.

Oblivious Transfer (OT) is one of the most fundamental cryptographic primitives with wide-spread application in general secure multi-party computation (MPC) as well as in a number of tailored and special-purpose problems of interest such as private set intersection (PSI), private information retrieval (PIR), contract signing to name a few. Often the instantiations of OT require prohibitive communication and computation complexity. OT extension protocols are introduced to compute a very large number of OTs referred as extended OTs at the cost of a small number of OTs referred as seed OTs. We present a fast OT extension protocol for small secrets in active setting. Our protocol when used to produce 1-out-of-n OTs outperforms all the known actively secure OT extensions. Our protocol is built on the semi-honest secure extension protocol of Kolesnikov and Kumaresan of CRYPTO'13 (referred as KK13 protocol henceforth) which is the best known OT extension for short secrets. At the heart of our protocol lies an efficient consistency checking mechanism that relies on the linearity of Walsh-Hadamard (WH) codes. Asymptotically, our protocol adds a communication overhead of O( log ) bits over KK13 protocol irrespective of the number of extended OTs, where and refer to computational and statistical security parameter respectively. Concretely, our protocol when used to generate a large enough number of OTs adds only 0:011-0:028% communication overhead and 4-6% runtime overhead both in LAN and WAN over KK13 extension. The runtime overheads drop below 2% when in addition the number of inputs of the sender in the extended OTs is large enough. As an application of our proposed extension protocol, we show that it can be used to obtain the most efficient PSI protocol secure against a malicious receiver and a semi-honest sender.