fmouhart/thesis
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

OT

Browse Source
This commit is contained in:
Fabrice Mouhartem
2018-05-07 10:59:46 +02:00
parent 87c0f7e621
commit d0f761c0fc
1 changed files with 11 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

25
chap-OT-LWE.tex
View File

@@ -28,23 +28,21 @@ $\SI(M_1, \ldots, M_N)$ during the initialization phase, runs $\ST$ at each tran
Similarly, the honest receiver $\mathsf R$ is the algorithm that runs $\RI$ in the initialization phase, runs $\RT(R_{i-1}, \rho_i)$ during the $i$-th transfer and eventually returns $R_k = (M'_{\rho_1}, \ldots, M'_{\rho_k})$ as its final output.
\medskip
\noindent \textsc{Real Experiment.} \;
Here, a sender $\hS$ and a receiver $\hR$ which proceed as follows for experiment $\textbf{Real\,}_{\hS, \hR}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k)$. The sender
$\hS$ is given messages $M_1, \ldots, M_N$ and interacts with $\hR$ which does not have any input in the initialization phase.
\paragraph{Real Experiment.}
Here, a sender $\hS$ and a receiver $\hR$ which proceed as follows for experiment $\textbf{Real\,}_{\hS, \hR}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k)$.\\ \smallskip
The sender $\hS$ is given messages $M_1, \ldots, M_N$ and interacts with $\hR$ which does not have any input in the initialization phase.
At end of the latter, $\hS$ and \hR output their initial states $S_0$ and $R_0$ respectively. Then, $\hS$ and \hR start $k$ sequential interactions:
for $i \in [k]$, in the $i$-th transfer, the sender $\hS$ and the receiver $\hR$ run $S_i \gets \hS(S_{i-1})$ and $(R_i, M'_{\rho_i}) \gets \hR(R_{i-1}, \rho_i)$, where $\rho_i \in [N]$ is a message index and $(S_i,R_i)$ denote updated states for $\hS$ and $\hR$, respectively.
Note that $M'_{\rho_i}$ may be different from $M_{\rho_i}$ if one of the participant deviates from the protocol. At the end of the $k$-th interaction, $\hS$ and $\hR$ output strings $S_k$ and $R_k$ respectively. The output of $\textbf{Real\,}_{\hS,\hR}$ is the pair $(S_k, R_k)$.
\smallskip
The honest sender $\mathsf{S}$ is the algorithm that runs $\mathsf{S}(M_1,\ldots,M_N)$ as in the initialization phase, runs $\mathsf{S}_\mathsf{T}$ in all subsequent interactions
and always outputs $S_k=\varepsilon$. The honest receiver $\mathsf{R}$ is the algorithm that runs $\mathsf{R}_\mathsf{I}$ in the initialization phase, runs
and always outputs $S_k=\varepsilon$. The honest receiver $\mathsf{R}$ is the algorithm that runs $\mathsf{R}_\mathsf{I}$ in the initialization phase, runs
$\mathsf{R}_{\mathsf{T}}(\mathsf{R}_{i-1},\rho_i)$ at the $i$-th transfer and returns the list of received messages
$R_k=(M_{\rho_1}',\ldots,M_{\rho_k}')$ as its final output.
$R_k=(M_{\rho_1}',\ldots,M_{\rho_k}')$ as its final output.
\medskip
\smallskip \smallskip
\noindent \textsc{Ideal Experiment.} \;
\paragraph{Ideal Experiment.}
The experiment $\textbf{Ideal\,}_{\hS', \hR'}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k)$ is defined as follows. The (possibly malicious)
algorithm $\hS'(M_1, \ldots, M_N)$ generates messages $M'_1, \ldots, M'_N$ which are given to the trusted party $\mathsf{T}$. In each of the $k$ transfers, $\mathsf{T}$ obtains
a bit $b_i$ from the sender $\hS'$ and an index $\rho'_i$ from the (possibly malicious) receiver $\hR'(\rho_i)$. If $b_i = 1$, and
@@ -81,7 +79,7 @@ $\hS'$ from deciding to cause a failure of the transfer for specific values of $
\subsection{Adaptive Oblivious Transfer with Access Control} \label{se:def-AC-OT}
Camenisch \textit{et al.} ~\cite{CDN09} define oblivious transfer with access control (OT-AC)
as a tuple of PPT algorithms/protocols $(\ISetup, \Issue, \DBSetup, \Transfer)$ such that: \vspace{-0.1 cm}
as a tuple of PPT algorithms/protocols $(\ISetup, \Issue, \DBSetup, \Transfer)$ such that:
\begin{description}
\item[$\ISetup$:] takes as inputs public parameters $\pp$ specifying a set $\mathcal{P}$ of access policies and generates a key pair $(PK_I, SK_I)$ for the issuer.
\item[$\Issue$:] is an interactive protocol between the issuer \textsf{I} and a stateful user $\USR$ under common input $(\pp, {x})$, where $x$ is an attribute string. The issuer \textsf{I} takes as inputs its key pair $(PK_I, SK_I)$ and a user pseudonym $P_\USR$. The user takes as inputs its state information $st_\USR$. The user $\USR$ outputs either an error symbol $\bot$ or a credential $\mathsf{Cred}_\USR$, and an updated state $st'_\USR$.
@@ -105,9 +103,8 @@ The distribution of outputs of the environment in the different settings is deno
\[ | \mathbf{Real}_{\mathcal E, \adv}(\lambda) - \mathbf{Ideal}_{\mathcal{E}, \adv}(\lambda) | = \negl(\lambda). \]
\end{definition}
\smallskip
\noindent\textsc{Real World.} \;
\paragraph{Real World.}
We describe the way that real-world algorithms interact when all participants (i.e., the real-world users $\USR_1,\ldots, \USR_{U}$, the database $\mathsf{DB}$ and the issuer $\mathsf{I}$) are honest. The issuer starts by generating a key pair $(PK_I, SK_I) \gets \mathsf{ISetup}(\pp)$, and sends $PK_I$ to all users $\{\USR_i\}_{i=1}^U$ and the database $\mathsf{DB}$.\\
\indent When $\mathcal E$ sends a message $\bigl(\texttt{initdb}, \mathrm{DB} = (M_i, \mathsf{AP}_i)_{i=1}^N\bigr)$ to the database $\mathsf{DB}$, the latter encrypts the database $\mathrm{DB}$ by running $\DBSetup$ and sends the encrypted records to all users.\\
\indent When $\mathcal E$ sends a message $(\texttt{issue}, {x})$ to user $\USR_i$, this user starts an $\Issue$ protocol with the issuer on common input ${x}$, at the end of which it returns $1$ to the environment if the protocol succeeded or $0$ otherwise.\\
@@ -116,7 +113,7 @@ We describe the way that real-world algorithms interact when all participants
Notice that in this setting, neither the database nor the issuer return any outputs to the environment.
\medskip
\noindent\textsc{Ideal World.} \;
\paragraph{Ideal World.}
In the ideal world, participants only communicate via the trusted party $\mathsf{T}$ which implements the functionality of the protocol. We describe how
$\mathsf{T}$ proceeds when receiving inputs from the ideal-world users $\{\USR'_i\}_{i=1}^U$, issuer $\mathsf{I}'$ and database $\mathsf{DB}'$. $\mathsf{T}$ maintains an initially empty set $C_i$ for each user $\USR'_i$ and sets $\mathrm{DB} \gets \bot$. It handles the queries of the different parties as follows:\\
\begin{itemize}
@@ -133,7 +130,7 @@ In other words, the ideal-world users, database and issuer relay inputs and outp
Note that, like \cite{CDN09}, the ideal functionality allows the database to learn whether a given user interacts with the database for the first time or
not. The reason is that, like the protocol of \cite{CDN09}, our basic OT-AC scheme requires the database to provide a particular interactive zero-knowledge proof at the very first time each user queries the database.
In protocols where the database generates such an interactive proof, it is inevitable for $\USR$ to reveal his state bit $f_{DB}$ to $\mathrm{DB}$.
In protocols where the database generates such an interactive proof, it is inevitable for $\USR$ to reveal his state bit $f_{DB}$ to $\mathsf{DB}$.
In constructions where the zero-knowledge proof is made non-interactive and made publicly available at the same time as the database itself,
this can be avoided and we can prevent $\mathsf{DB}$ from learning the state bit $f_{DB}$. In this case, $\mathsf{T}$ does not send $f_{\USR',DB}$ to $\mathrm{DB}'$ in
the ideal-world experiment.