thesis/chap-OT-LWE.tex
2018-05-07 10:59:46 +02:00

151 lines
16 KiB
TeX

\section{Adaptive Oblivious Transfer}
\label{sec:def-OT}
In the syntax of \cite{CNs07}, an adaptive $k$-out-of-$N$ OT scheme $\OT_k^N$ is a tuple of stateful $\ppt$ algorithms $(\SI, \RI, \ST, \RT)$.
The sender $\mathsf{S}=(\SI,\ST)$ consists of two interactive algorithms $\SI$ and $\ST$ and the receiver has a similar representation as algorithms $\RI$ and $\RT$.
In the \textit{initialization phase}, the sender and the receiver run interactive algorithms $\SI$ and $\RI$, respectively, where $\SI$ takes as input messages $M_1, \ldots, M_N$ while $\RI$ has no input.
This phase ends with the two algorithms $\SI$ and $\RI$ outputting their state information $S_0$ and $R_0$ respectively.
During the $i$-th \textit{transfer}, $1 \leq i \leq k$, both parties run an interactive protocol via the $\RT$ and $\ST$ algorithms.
The sender starts runs $\ST(S_{i-1})$ to obtain its updated state information $S_i$ while the receiver runs $\RT(R_{i-1}, \rho_i)$ on input of its previous state $R_{i-1}$ and the index $\rho_i \in \{1, \ldots, N \}$ of the message it wishes to retrieve. At the end, $\RT$ outputs an updated state $R_i$ and a message $M'_{\rho_i}$.
\textit{Correctness} mandates that, for all $M_1, \ldots, M_N$, for all $\rho_1, \ldots, \rho_k \in [ N]$ and all coin tosses $\varpi$ of the (honestly run) algorithms, we have $M'_{\rho_i} = M_{\rho_i}$ for all $i$. \\
\indent We consider protocols that are secure (against static corruptions) in the sense of simulation-based definitions. The security
properties against a cheating sender and a cheating receiver are formalized via the ``real-world/ideal-world'' paradigm. The
security definitions of \cite{CNs07} are recalled in the following Section.
\subsection{Security Definitions for Adaptive $k$-out-of-$N$ Oblivious Transfer} \label{def-AOT}
Security is defined via the ``real-world/ideal-world'' paradigm which was first introduced in the Universal Composability (UC) framework~\cite{Can01}. Like \cite{CNs07,CDN09}, however, we do not incorporate all the formalities of the UC framework.
We define two experiments: the \textbf{Real} experiment, where the two parties run the actual protocol, and the \textbf{Ideal} experiment wherein a \textit{trusted third party} assumes the role of the functionality.
The model of \cite{CNs07} formalizes two security notions called \textit{sender security} and \textit{receiver security}.
The former considers the security of honest senders against cheating senders whereas the latter considers the security of honest receivers interacting
with malicious senders.
For an adaptive OT protocol $\OT_k^N$ comprised of algorithms $(\SI, \ST, \RI, \RT)$, we denote define the honest sender $\mathsf S$ as the algorithm that runs
$\SI(M_1, \ldots, M_N)$ during the initialization phase, runs $\ST$ at each transfer and eventually returns $S_k = \epsilon$ as its final output.
Similarly, the honest receiver $\mathsf R$ is the algorithm that runs $\RI$ in the initialization phase, runs $\RT(R_{i-1}, \rho_i)$ during the $i$-th transfer and eventually returns $R_k = (M'_{\rho_1}, \ldots, M'_{\rho_k})$ as its final output.
\medskip
\paragraph{Real Experiment.}
Here, a sender $\hS$ and a receiver $\hR$ which proceed as follows for experiment $\textbf{Real\,}_{\hS, \hR}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k)$.\\ \smallskip
The sender $\hS$ is given messages $M_1, \ldots, M_N$ and interacts with $\hR$ which does not have any input in the initialization phase.
At end of the latter, $\hS$ and \hR output their initial states $S_0$ and $R_0$ respectively. Then, $\hS$ and \hR start $k$ sequential interactions:
for $i \in [k]$, in the $i$-th transfer, the sender $\hS$ and the receiver $\hR$ run $S_i \gets \hS(S_{i-1})$ and $(R_i, M'_{\rho_i}) \gets \hR(R_{i-1}, \rho_i)$, where $\rho_i \in [N]$ is a message index and $(S_i,R_i)$ denote updated states for $\hS$ and $\hR$, respectively.
Note that $M'_{\rho_i}$ may be different from $M_{\rho_i}$ if one of the participant deviates from the protocol. At the end of the $k$-th interaction, $\hS$ and $\hR$ output strings $S_k$ and $R_k$ respectively. The output of $\textbf{Real\,}_{\hS,\hR}$ is the pair $(S_k, R_k)$.
\smallskip
The honest sender $\mathsf{S}$ is the algorithm that runs $\mathsf{S}(M_1,\ldots,M_N)$ as in the initialization phase, runs $\mathsf{S}_\mathsf{T}$ in all subsequent interactions
and always outputs $S_k=\varepsilon$. The honest receiver $\mathsf{R}$ is the algorithm that runs $\mathsf{R}_\mathsf{I}$ in the initialization phase, runs
$\mathsf{R}_{\mathsf{T}}(\mathsf{R}_{i-1},\rho_i)$ at the $i$-th transfer and returns the list of received messages
$R_k=(M_{\rho_1}',\ldots,M_{\rho_k}')$ as its final output.
\medskip
\paragraph{Ideal Experiment.}
The experiment $\textbf{Ideal\,}_{\hS', \hR'}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k)$ is defined as follows. The (possibly malicious)
algorithm $\hS'(M_1, \ldots, M_N)$ generates messages $M'_1, \ldots, M'_N$ which are given to the trusted party $\mathsf{T}$. In each of the $k$ transfers, $\mathsf{T}$ obtains
a bit $b_i$ from the sender $\hS'$ and an index $\rho'_i$ from the (possibly malicious) receiver $\hR'(\rho_i)$. If $b_i = 1$, and
$\rho_i' \in [N]$,
then $\mathsf{T}$ reveals $M'_{\rho_i}$ to the receiver $\hR'$.
Otherwise, $\hR'$ receives $\bot$ from $\mathsf{T}$. At the end of the $k$-th transfer, $\hS'$ and $\hR'$ output a string $S_k$ and $R_k$ and
the
output of the experiment is the pair $(S_k, R_k)$.\\
\indent The ideal sender $\mathsf{S}'(M_1,\ldots,M_N)$ is defined the be the sender that sends $(M_1,\ldots,M_N)$ which sends the messages
$(M_1,\ldots,M_N)$ to $\mathsf{T}$ in the initialization phase, sends $b_i=1$ in each transfer and outputs the final state $S_k=\varepsilon$. The honest
ideal receiver $\mathsf{R}'$ is defined to be the algorithm that sends $\mathsf{T}$ the real selection index $\rho_i$ at each transfer and eventually outputs
the list of all received messages $R_k=(M_{\rho_1}',\ldots,M_{\rho_k}')$ as its final state.
The bit $b_i$ sent by $\hS'$ at each transfer models its capability of making the transfer fail. By forcing $\hS'$ to choose $b_i$ without seeing
$\rho_i$, the definition prevents the cheating sender
$\hS'$ from deciding to cause a failure of the transfer for specific values of $\rho_i$.
\begin{definition}[Sender Security] \label{def:sender-sec}
An $\OT_k^N$ protocol is \textit{sender-secure} if, for any PPT real-world cheating receiver $\hR$, there exists a PPT ideal-world receiver $\hR'$ such that, for any polynomial $N_m(\lambda)$, any $N \in [N_m(\lambda)]$, any $k \in [N]$, any messages $M_1, \ldots, M_N$, and any indices $\rho_1, \ldots, \rho_k \in [N]$, no PPT distinguisher can separate the two following distributions with noticeable advantage:
\[ \mathbf{Real}_{\mathsf{S},\hR}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k) \]
and
\[ \mathbf{Ideal}_{\mathsf{S}', \hR'}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k). \]
\end{definition}
\begin{definition}[Receiver Security] \label{def:receiver-sec}
An $\OT_k^N$ protocol is \textit{receiver-secure} if, for any PPT real-world cheating sender $\hS$, there exists a PPT ideal-world sender $\hS'$ such that, for any polynomial $N_m(\lambda)$, any $N \in [N_m(\lambda)]$, any $k \in [N]$, any messages $M_1, \ldots, M_N$, and any indices $\rho_1, \ldots, \rho_k \in [N]$, no PPT distinguisher can tell apart the two following distributions with non-negligible advantage:
\[ \mathbf{Real}_{\hS,\mathsf{R}}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k) \]
and
\[ \mathbf{Ideal}_{\hS', \mathsf{R}'}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k). \]
\end{definition}
\subsection{Adaptive Oblivious Transfer with Access Control} \label{se:def-AC-OT}
Camenisch \textit{et al.} ~\cite{CDN09} define oblivious transfer with access control (OT-AC)
as a tuple of PPT algorithms/protocols $(\ISetup, \Issue, \DBSetup, \Transfer)$ such that:
\begin{description}
\item[$\ISetup$:] takes as inputs public parameters $\pp$ specifying a set $\mathcal{P}$ of access policies and generates a key pair $(PK_I, SK_I)$ for the issuer.
\item[$\Issue$:] is an interactive protocol between the issuer \textsf{I} and a stateful user $\USR$ under common input $(\pp, {x})$, where $x$ is an attribute string. The issuer \textsf{I} takes as inputs its key pair $(PK_I, SK_I)$ and a user pseudonym $P_\USR$. The user takes as inputs its state information $st_\USR$. The user $\USR$ outputs either an error symbol $\bot$ or a credential $\mathsf{Cred}_\USR$, and an updated state $st'_\USR$.
\item[$\DBSetup$:] is an algorithm that takes as input the issuer's public key $PK_I$, a database $DB = \left(M_i, \mathsf{AP}_i \right)_{i=1}^N$ containing records $M_i$ whose access is restricted by an access policy $\mathsf{AP}_i$ and outputs a database public key $PK_\mathsf{DB}$, an encryption of the records $(ER_i)_{i=1}^N$ and a database secret key $SK_\mathsf{DB}$.
\item[$\Transfer$:] is a protocol between the database $\mathsf{DB}$ and a user $\USR$ with common inputs $(PK_I, PK_\mathsf{DB})$. $\mathsf{DB}$ inputs $SK_\mathsf{DB}$ and
$\USR$ inputs $(\rho, st_\USR, ER_\rho, \mathsf{AP}_\rho)$, where $\rho \in [N]$ is a record index to which $\USR$ is requesting access. The interaction ends with $\USR$ outputting $\bot$ or a string $M_{\rho'}$ and an updated state $st'_\USR$.
\end{description}
We assume private communication links, so that communications between a user and the issuer are authenticated, and those between a user and the database are anonymized: otherwise, anonymizing the $\Transfer$ protocol is impossible.
The security definitions formalize two properties called \textit{user anonymity} and \textit{database security}. The former captures that the database should be unable to tell which {honest user} is making a query and neither can tell which records are being accessed. This should remain true even if the database colludes with corrupted users and the issuer. As for database security, the intuition is that a cheating user cannot access a record for which it does not have the required credentials, even when colluding with other dishonest users. In case the issuer is colluding with these cheating users, they cannot obtain more records from the database than they retrieve.
Similarly to the \OTA case, security is defined by requiring that any PPT real-world adversary $\mathcal A$ and any environment $\env$, there exists a PPT adversary $\mathcal A'$ which controls the same parties and such that no environment $\mathcal E$ can tell if it is
running in the real world interacting with the real $\mathcal A$ or in the ideal-world interacting with $\adv'$.
The distribution of outputs of the environment in the different settings is denoted by $\mathbf{Real}_{\mathcal{E}, \adv}(\lambda)$ and $\mathbf{Ideal}_{\mathcal E, \adv'}(\lambda)$ for real-world adversary $\adv$ and ideal-world adversary $\adv'$, respectively.
% This captures the security notions described in the above paragraph.
\medskip
\begin{definition}
An AC-OT protocol is said to securely implement the functionality if for any real-world adversary $\adv$ and any real world environment $\mathcal E$, there exists an ideal-world simulator $\mathcal A'$ controlling the same parties in the ideal-world as $\adv$ does in the real-world, such that
\[ | \mathbf{Real}_{\mathcal E, \adv}(\lambda) - \mathbf{Ideal}_{\mathcal{E}, \adv}(\lambda) | = \negl(\lambda). \]
\end{definition}
\paragraph{Real World.}
We describe the way that real-world algorithms interact when all participants (i.e., the real-world users $\USR_1,\ldots, \USR_{U}$, the database $\mathsf{DB}$ and the issuer $\mathsf{I}$) are honest. The issuer starts by generating a key pair $(PK_I, SK_I) \gets \mathsf{ISetup}(\pp)$, and sends $PK_I$ to all users $\{\USR_i\}_{i=1}^U$ and the database $\mathsf{DB}$.\\
\indent When $\mathcal E$ sends a message $\bigl(\texttt{initdb}, \mathrm{DB} = (M_i, \mathsf{AP}_i)_{i=1}^N\bigr)$ to the database $\mathsf{DB}$, the latter encrypts the database $\mathrm{DB}$ by running $\DBSetup$ and sends the encrypted records to all users.\\
\indent When $\mathcal E$ sends a message $(\texttt{issue}, {x})$ to user $\USR_i$, this user starts an $\Issue$ protocol with the issuer on common input ${x}$, at the end of which it returns $1$ to the environment if the protocol succeeded or $0$ otherwise.\\
\indent When $\mathcal E$ sends a message $(\texttt{transfer}, \rho)$ to user $\USR_i$, this user first checks if its credentials $\mathsf{Cred}_\USR$ are sufficient to access the record $M_\rho$. If it is the case, it engages in a $\Transfer$ protocol with the database $\mathsf{DB}$, at the end of which it receives either the message $M_\rho$, or an error symbol $\bot$. If it failed at any steps, the user returns $0$ to $\mathcal E$, or $1$ if it succeeded.
Notice that in this setting, neither the database nor the issuer return any outputs to the environment.
\medskip
\paragraph{Ideal World.}
In the ideal world, participants only communicate via the trusted party $\mathsf{T}$ which implements the functionality of the protocol. We describe how
$\mathsf{T}$ proceeds when receiving inputs from the ideal-world users $\{\USR'_i\}_{i=1}^U$, issuer $\mathsf{I}'$ and database $\mathsf{DB}'$. $\mathsf{T}$ maintains an initially empty set $C_i$ for each user $\USR'_i$ and sets $\mathrm{DB} \gets \bot$. It handles the queries of the different parties as follows:\\
\begin{itemize}
\item[$\bullet$ ] When receiving a message $(\texttt{initdb}, \mathrm{DB} = (M_i, \mathsf{AP}_i)_{i=1}^N)$ from $\mathsf{DB}'$, $\mathsf{T}$ sets $\mathrm{DB} = (M_i, \mathsf{AP}_i)_{i=1}^N$.
\item[ $\bullet$] When receiving $(\texttt{issue}, {x})$ from $\USR'_i$, $\mathsf{T}$ sends $(\texttt{issue}, \USR'_i, {x})$ to $\mathsf{I}'$ which
replies with a bit $b$. If $b=1$, then $\mathsf{T}$ adds ${x}$ to $C_i$. In any cases, $\mathsf{T}$ sends $b$ to $\USR'_i$.
\item[ $\bullet$ ] When receiving $(\texttt{transfer}, \rho)$ from $\USR'_i$, the trusted party $\mathsf{T}$ acts as follows. If $\USR_i'$ previously sent
a message of the form $(\texttt{transfer},.)$, $\mathsf{T}$ defines $f_{\USR',DB}=1$. Otherwise, it sets $f_{\USR',DB}=0$.
If $\mathrm{DB} \neq \bot$,
it sends $(\texttt{transfer},f_{\USR',DB})$ to $\mathsf{DB}'$, who sends a bit $b$. If $b=1$ and if $st_i$ contains a vector $\mathbf{x}$ such that $\mathsf{AP}_i({x})=1$, then it sends the record to $\USR'_i$. In any other cases, it sends $\bot$ to $\USR'_i$.
\end{itemize}
In other words, the ideal-world users, database and issuer relay inputs and outputs between the environment $\mathcal E$ and the trusted party $\mathsf{T}$.
Note that, like \cite{CDN09}, the ideal functionality allows the database to learn whether a given user interacts with the database for the first time or
not. The reason is that, like the protocol of \cite{CDN09}, our basic OT-AC scheme requires the database to provide a particular interactive zero-knowledge proof at the very first time each user queries the database.
In protocols where the database generates such an interactive proof, it is inevitable for $\USR$ to reveal his state bit $f_{DB}$ to $\mathsf{DB}$.
In constructions where the zero-knowledge proof is made non-interactive and made publicly available at the same time as the database itself,
this can be avoided and we can prevent $\mathsf{DB}$ from learning the state bit $f_{DB}$. In this case, $\mathsf{T}$ does not send $f_{\USR',DB}$ to $\mathrm{DB}'$ in
the ideal-world experiment.
\medskip
The ideal world thus implies the following security properties.
\begin{description}
\item[User Anonymity.] The database cannot tell which user a given query comes from and neither can it tell which record is being accessed.
It only learns whether the user previously queried the database or not. Otherwise, two transfers involving the same users are unlinkable.
%This is captured by the fact that the functionality is securely implemented whenever the database or the issuer is cheating.\\
\item[Database Security.] A single cheating user cannot access a record for which he does not have a certified authorized attribute string.
Colluding users cannot pool their credentials to gain access to a record which none of them can individually access.
Moreover, if the issuer colludes with some users, the protocol still provides the equivalent of sender security in the \OTA functionality.
%This is captured by the security of the scheme with an honest database.
\end{description}