"The Simplest Protocol for Oblivious Transfer" Revisited

Abstract In 2015, Chou and Orlandi presented an oblivious transfer protocol that quickly drew attention from both theorists and practitioners because of its extreme simplicity and high efficiency. Chou and Orlandi claimed that their protocol is universally composable (UC) secure in the random oracle model under dynamic corruptions. UC security is a very strong guarantee: it assures not only that the protocol is secure on its own, but also that it can be used safely as a building block of larger protocols. Unfortunately, in this work we point out a flaw in their security proof for the case of a corrupt sender. In more detail, we define a decisional problem and prove that, if a correct security proof for the Chou and Orlandi protocol is provided, then this problem can be solved correctly with overwhelming probability. Therefore, in groups for which our decisional problem cannot be solved with overwhelming probability, no such proof exists and the protocol of Chou and Orlandi cannot be instantiated with its claimed security guarantee. Consequently, the protocol of Chou and Orlandi cannot be instantiated in every group G in which the CDH problem is intractable, but only in groups in which the CDH problem is intractable and, at the same time, our decisional problem can be solved with overwhelming probability. After the appearance of our work, Chou and Orlandi acknowledged the problems we pointed out in their security proof, and subsequent works showed additional issues, removing the claims of UC security for their protocol.
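To make the corrupt-sender issue concrete, the following is an added example, not code from the paper or from Chou and Orlandi. It implements the Chou and Orlandi exchange as this editor recalls it (sender publishes A = g^a, receiver answers B = g^b or A·g^b depending on its choice bit, sender derives one key per message from B^a and (B/A)^a and one-time-pads the messages, receiver derives its single key from A^b), simplified in the assumptions stated in the comments: a tiny prime-order subgroup of Z_p^* that is only suitable for a demo, SHA-256 as the random-oracle stand-in, and XOR as the symmetric encryption. It then shows what a simulator facing a corrupt sender has to do: it sees the sender's random-oracle queries but not a, so to recover both messages it must decide which queried group element equals B^a and which equals (B/A)^a, a decision of DDH type. The `ddh` function is a stand-in for that oracle and cheats by brute-forcing a from A, which is only possible because the group is toy-sized.

```python
"""Added example: toy Chou-Orlandi OT exchange plus the extraction step a
corrupt-sender simulator needs (assumptions noted inline; not the paper's code)."""
import hashlib
import secrets

# Assumed demo group: the order-Q subgroup of Z_P^*, P = 2Q + 1. Far too small for real use.
P = 2039
Q = 1019
G = 4  # 4 = 2^2 is a quadratic residue mod P, so it generates the order-Q subgroup
assert pow(G, Q, P) == 1 and G != 1


def H(*elements):
    """Random-oracle stand-in (assumption): SHA-256 over the encoded group elements."""
    return hashlib.sha256(b"".join(e.to_bytes(2, "big") for e in elements)).digest()


def xor(a, b):
    """One-time pad (assumption): messages are at most 32 bytes, key is the hash output."""
    return bytes(x ^ y for x, y in zip(a, b))


def inv(x):
    return pow(x, -1, P)


# --- the protocol, message by message ---

def sender_round1(a=None):
    """Sender picks a and sends A = g^a."""
    a = secrets.randbelow(Q - 1) + 1 if a is None else a
    return a, pow(G, a, P)


def receiver_round1(A, c, b=None):
    """Receiver with choice bit c sends B = g^b (c=0) or A*g^b (c=1); its key is H(A,B,A^b)."""
    b = secrets.randbelow(Q - 1) + 1 if b is None else b
    B = pow(G, b, P) if c == 0 else (A * pow(G, b, P)) % P
    return b, B, H(A, B, pow(A, b, P))


def sender_round2(a, A, B, m0, m1):
    """Sender derives k_j = H(A,B,(B/A^j)^a) and pads m_j with k_j.
    Also returns the group elements it fed to the random oracle (the simulator's view)."""
    x0 = pow(B, a, P)
    x1 = pow(B * inv(A) % P, a, P)
    return xor(m0, H(A, B, x0)), xor(m1, H(A, B, x1)), [x0, x1]


def receiver_round2(k_c, e0, e1, c):
    return xor(e1 if c else e0, k_c)


def run_ot(m0, m1, c):
    """Full honest run; returns the message the receiver obtains."""
    a, A = sender_round1()
    b, B, k_c = receiver_round1(A, c)
    e0, e1, _ = sender_round2(a, A, B, m0, m1)
    return receiver_round2(k_c, e0, e1, c)


# --- the simulator's extraction problem against a corrupt sender ---

def dlog(h):
    """Brute-force discrete log base G; feasible only because the demo group is tiny."""
    x, acc = 0, 1
    while acc != h:
        acc, x = acc * G % P, x + 1
        if x > Q:
            raise ValueError("not in the subgroup")
    return x


def ddh(A, B, X):
    """Decides whether X == B^a for A = g^a. This is the decisional oracle the simulator
    needs; here it is realised by extracting a, exactly what is infeasible when CDH is hard."""
    return pow(B, dlog(A), P) == X


def extract_sender_inputs(A, B, e0, e1, queries, ddh_oracle):
    """Simulator view: transcript (A, B, e0, e1) and the sender's RO queries, but not a.
    Recovering both m0 and m1 requires telling which query is B^a and which is (B/A)^a."""
    B1 = B * inv(A) % P
    m0 = m1 = None
    for X in queries:
        if ddh_oracle(A, B, X):
            m0 = xor(e0, H(A, B, X))
        if ddh_oracle(A, B1, X):
            m1 = xor(e1, H(A, B, X))
    return m0, m1
```

In a group where CDH is hard but DDH-type questions are easy (for instance, a pairing group), `ddh` can be replaced by a real decision procedure and the extraction goes through; in a group where the decisional question is also hard, the simulator has no way to pick the right queries, which is the gap the abstract describes.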

[1]  Oded Goldreich,et al.  A randomized protocol for signing contracts , 1985, CACM.

[2]  Julian Loss,et al.  Efficient and Universally Composable Protocols for Oblivious Transfer from the CDH Assumption , 2017, IACR Cryptol. ePrint Arch..

[3]  Gilles Brassard,et al.  All-or-Nothing Disclosure of Secrets , 1986, CRYPTO.

[4]  Yuval Ishai,et al.  Founding Cryptography on Oblivious Transfer - Efficiently , 2008, CRYPTO.

[5]  Matthew K. Franklin,et al.  Identity-Based Encryption from the Weil Pairing , 2001, CRYPTO.

[6]  Joe Kilian,et al.  Founding cryptography on oblivious transfer , 1988, STOC '88.

[7]  Stephen Wiesner,et al.  Conjugate coding , 1983, SIGACT News.

[8]  Silvio Micali,et al.  A Completeness Theorem for Protocols with Honest Majority , 1987, STOC 1987.

[9]  Abhi Shelat,et al.  Secure Two-party Threshold ECDSA from ECDSA Assumptions , 2018, 2018 IEEE Symposium on Security and Privacy (SP).

[10]  Daniele Micciancio,et al.  Equational Security Proofs of Oblivious Transfer Protocols , 2018, IACR Cryptol. ePrint Arch..

[11]  Ran Canetti,et al.  Universally composable security: a new paradigm for cryptographic protocols , 2001, Proceedings 42nd IEEE Symposium on Foundations of Computer Science (FOCS 2001).

[12]  Andrew Chi-Chih Yao,et al.  How to generate and exchange secrets , 1986, 27th Annual Symposium on Foundations of Computer Science (sfcs 1986).

[13]  Michael O. Rabin,et al.  How To Exchange Secrets with Oblivious Transfer , 2005, IACR Cryptol. ePrint Arch..

[14]  Abhi Shelat,et al.  Simulatable Adaptive Oblivious Transfer , 2007, EUROCRYPT.

[15]  Arpita Patra,et al.  Fast and Universally-Composable Oblivious Transfer and Commitment Scheme with Adaptive Security , 2017, IACR Cryptol. ePrint Arch..

[16]  Claudio Orlandi,et al.  The Simplest Protocol for Oblivious Transfer , 2015, IACR Cryptol. ePrint Arch..