C. Crepeau and J. Kilian. Achieving oblivious transfer using weakened security assumptions. In Proc. of the 29th Annu. IEEE Symp. on Foundations of Computer Science, pages 42-52, 24-26 October 1988.  Home/Search   Document Not in Database   Summary   Related Articles   Check

....been illustrated how such noise can be used for unconditionally secure secret key agreement and, furthermore, that it is advantageous to combine error control coding and cryptographic coding in a communication system. Noise in communication channels has also been shown useful in other respects. In [5] and [4] for instance it was shown how to realize various cryptographic primitives, such as bit commitment or oblivious transfer, based on a noisy channel. It is a classical cryptographic problem to transmit a message M from a sender (referred to as Alice) to a receiver (Bob) over an insecure ....

C. Cr'epeau and J. Kilian, "Achieving oblivious transfer using weakened security assumptions," in 29th Symposium on Foundations of Computer Science, pp. 42--52, IEEE, 1988.

.... example, as a means of eliminating errors introduced by dark counts and other apparatus faults in quantum cryptographic key distribution protocols (see, e.g. 6] They are likewise a critical component in the implementation of oblivious transfer and key agreement protocols over both quantum [7, 14] and noisy channels (see, e.g. 13] Error correcting codes can also be employed in the construction of traditional cryptographic primitives. In [24] McEliece elaborates a well known public key cryptosystem whose hardness is based on the NP hard problem of decoding an arbitrary linear code ....

C. Crepeau and J. Kilian. Achieving oblivious transfer using weakened security assumptions. In Proceedings of the 29th IEEE Symposium on the Foundations of Computer Science, pages 42-52, 1988.

....Sender is computationally unbounded, a commitment scheme may be based on any hard on average problem in PSPACE. Some researchers have explored information theoretic models, based on the assumption of noisy communication channels. For example, Cr epeau[10] improves on his earlier work with Kilian[9] by giving efficient algorithms for bit commitment and oblivious transfer over a binary symmetric channel. Later, Damgard, Kilian, and Salvail[12] explore such questions further based on unfair noisy channels and related assumptions. Other researchers have explored bit commitment in models of ....

C. Cr`epeau and J. Kilian. Achieving oblivious transfer using weakened security assumptions. In Proc. 29th FOCS Conference, pages 42--52. IEEE, 1988.

....to Bob in such a way that with probability 1=2 Bob will receive the same message Alice wanted to send, and with probability 1=2 Bob will receive nothing. Moreover, Alice does not know which of the two events really happened. There are other equivalent formulations of Oblivious Transfer (see, e.g. [8, 9, 15, 3, 21]) This primitive has found numerous applications (see, e.g. 19, 16, 29, 17] In this paper, we consider a variant of Oblivious Transfer, which we call Conditional Oblivious Transfer. In this variant, Bob and Alice have private inputs and share a public predicate that is evaluated over the ....

C. Cr'epeau and J. Kilian, Achieving Oblivious Transfer Using Weakened Security Assumptions, in Proc. of FOCS 1988.

....notice that two sided black boxes might be implementable via tamperproof hardware or in some other physical model, but, as explained above, no protocol can securely implement a two sided black box for a function f against malicious parties. 9 Reduction Models. Black box reductions (as those of [CK88,Kil91,KKMO98]) are an elegant way to build new secure protocols. While two sided boxes are not implementable by secure protocols against malicious parties, one sided black boxes can be (under certain complexity assumptions) Thus, one may consider completeness under one sided black box reductions. However, as ....

C. Cr'epeau and J. Kilian. Achieving oblivious transfer using weakened security assumptions. In Proc. of the 29th IEEE Symp. on Foundations of Computer Science, pages 42--52, 1988.

..... Definition 5.1 (error(p) OBT) protocol specification: S b R ( c fl j ; b 0 ) 2 R 8 : 0; 0) 1 2 (1; b) 1 Gammap 2 (1; 1 Gamma b) p 2 common p Techniques similar to but more complicated than those of chapter 3, yield the following result: Theorem 5. 2 ([CK88]) For any fixed p 1 2 there exists a statistically correct and private reduction of i 2 1 j OBT to error(p) OBT. The very powerful tools of probability theory used by this reduction can be applied to obtain the following much more surprising result. 5.2 Correct and Private Oblivious ....

....noisy communication channel, in which a bit is flipped with probability p 1 2 . It is a very natural primitive that has been extensively studied. The entire field of coding theory has been developed around this model. This definition leads to a result similar to that of chapter 4. Theorem 5. 4 ([CK88]) For any fixed p 1 2 there exists a statistically correct and private reduction of i 2 1 j OBT to p NT. It seems paradoxical that noise can be made so useful. Surprisingly, it can be domesticated and be used in a very constructive way as long as it is stable enough. Something looking ....

[Article contains additional citation context not shown here]

C. Cr'epeau and J. Kilian. Achieving oblivious transfer using weakened security assumptions. In 28 th Symp. on Found. of Computer Sci. IEEE, 1988. submitted to FOCS '88.

....want the buyer to obtain information about any other secret and the buyer does not want the merchant to learn anything about the string he has chosen. Oblivious transfer, and consequently ANDOS, can be based on various assumptions like the existence of trapdoor functions [16] of noisy channels [12] or of quantum channels [3] From a practical point of view, efficient implementation can be based on the quadratic residuosity problem [7, 25] or on the Diffie Hellman assumption [1, 23] In this paper we use ANDOS as a cryptographic primitive. In order to formalize its properties, let us ....

C. Cr'epeau and J. Kilian. Achieving Oblivious Transfer Using Weakened Security Assumptions. In Proc. of the 29th FOCS, pages 42--52. IEEE, 1988.

.... and All or Nothing Disclosure of Secrets (a generalization of one out of two oblivious transfer) of Brassard, Cr epeau and Robert [15] All these different tasks were shown equivalent: any one of them can be implemented securely starting with a secure protocol of any other one of them [14, 20, 24, 23, 21]. In particular, any of these protocols can be used to achieve the following very general task [44, 33, 17, 39, 22] Secure two party computation: Consider a twoparameter polynomial time computable function f . One party knows input x and the other party knows input y. The protocol allows both ....

....been rather disappointing since at least in the case of [3] this approach was shown insecure, while in the case of [43] it is still not clear if the new approach leads to a secure protocol or not. More recently, a theoretical implementation of the one out of two Oblivious Transfer was proposed in [23], but was totally useless in a realistic scenario were errors could occur during the quantum transmission. A more complete description of that work and more thorough proofs may be found in [21] Finally, joint work of myself with Bennett and Brassard, together with my student Marie H el ene ....

[Article contains additional citation context not shown here]

C. Cr'epeau and J. Kilian. Achieving oblivious transfer using weakened security assumptions. In 29 th Symp. on Found. of Computer Sci., pages 42--52. IEEE, 1988.

....first solution) solutions based on Oblivious Transfers are more interesting because they can be implemented in non computational scenarios. Oblivious Transfer can be implemented under the assumption that quantum mechanics is correct [9, 3] or under the assumption that reliable noisy channels exist [10]. for the 10th anniversary of the CWI Crypto course. 3 Section 5 describes a new simple and e#cient protocol based on the existence of a one out of two Oblivious Transfer. The scheme of Fagin, Naor and Winkler uses O(n 2 ) one out of two Oblivious Transfers while ours, based on coding theory, ....

....the extra information y = P is su#cient to calculate x from f(x) x 2 . In non computational models, as mentioned in the introduction, 2 1 OT 2 can be implemented under the assumption that quantum mechanics is correct [9, 3] or under the assumption that reliable noisy channels exist [10]. 3.4 Oblivious Transfer of two bits In protocol 5 below, we use a One out of two Oblivious Transfer of two bit elements from F 4 , denoted by 2 1 OT 4 . Each such transfer is achieved securely (even if one party tries to cheat) using only 3 instances of 2 1 OT 2 by a simple ....

Cr epeau, C. and J. Kilian, "Achieving oblivious transfer using weakened security assumptions", In Proceedings of the 29th Annual IEEE Symposium on Foundations of Computer Science, pp. 42 -- 52, 1988.

....on top of oblivious transfer, but it is believed that the reverse reductions are not possible. Despite the fact that Wiesner s protocol for oblivious transfer ( multiplexing channel ) had been shown insecure from the start (circa 1969) it was not until 1988 that Claude Cr epeau and Joe Kilian [29] presented the first alternative protocol. This protocol was clearly secure provided neither parties could store photons for long periods of time and only von Neumann measurements were allowed [25, 26] The vulnerability to photon storage was easy to circumvent if only a secure bit commitment ....

....(computational for instance) in order to restrict the behaviour of the players and later drop this short term assumption to obtain a quantum bit commitment not relying on any long term assumption. This idea is very natural since the bit commitment required for the oblivious transfer protocols of [29, 10] is only used on a short term basis. Similarly, a protocol for quantum bit commitment, inspired by these oblivious transfer protocols, is described in [27] The resulting scheme also requires to rely temporarily on a different kind of bit commitment. The first approach that comes to mind to ....

Cr' epeau, C. and J. Kilian, "Achieving oblivious transfer using weakened security assumptions ", Proceedings of 29th Annual IEEE Symposium on Foundations of Computer Science, 1988, pp. 42 -- 52.

....f( b; r) m; r 0 1 ; r 0 2 ) on its output tape, where f( b; r) m; r 0 1 ; r 0 2 ) m 8 b; r 0 2 ) if r = r 0 1 , and = m; 1 8 r 0 2 ) if r 6= r 0 1 . There are many other types of Oblivious Transfer that have all been shown to be equivalent to the simple one [26] 37] [38]. One important alternative is called 1 2 Oblivious Transfer [40] abbreviated 1 2 OT ) In this version, player A begins with two secret bits b 0 and b 1 . Player B can choose to receive exactly one of these bits, without letting A know which bit was chosen. Oblivious Transfer is one of the ....

....there is no t private protocol among n players when n 3t; this follows directly from the lower bound for Byzantine Agreement [59] For the case of a passive adversary, more is known about when a function does or does not have a t private protocol among n players when n 2t. Chor and Kushilevitz [38] find a gap in the maximum level of privacy, in the non cryptographic zero error setting for boolean functions. If a function has a t private protocol, n 2t, then it has an (n 0 1) private protocol. Moreover, every such n ary function is equivalent to an xor of n single input functions. For the ....

C. Cr'epeau and J. Kilian, "Achieving oblivious transfer using weakened security assumptions," IEEE FOCS 1988, 42-52.

.... basic variants, OT, Gamma 2 1 Delta OT, and GOT, in terms of each other [BCR86, Cr e88] even in a way where an online protocol uses only precomputed transfers [Bea95] Several ways to weaken the security assumptions for oblivious transfer were considered previously by Cr epeau and Kilian [CK88]. Research on reductions from Gamma 2 1 Delta OT k string OT to bitwise Gamma 2 1 Delta OT has for a long time concentrated on using self intersecting codes for the constructions [BCS96] but recent work by Brassard and Cr epeau [BC97] shows that the reduction can be done much more ....

Claude Cr'epeau and Joe Kilian, Achieving oblivious transfer using weakened security assumptions, Proc. 29th IEEE Symposium on Foundations of Computer Science (FOCS), 1988.

....r) m; r 0 1 ; r 0 2 ) on its output tape, where f( b; r) m; r 0 1 ; r 0 2 ) m Phi b; r 0 2 ) if r = r 0 1 , and = m; 1 Phi r 0 2 ) if r 6= r 0 1 . There are many other types of Oblivious Transfer that have all been shown to be equivalent to the simple one [34] 54] [55]. One important alternative is called 1 2 Oblivious Transfer [65] abbreviated 1 2 OT ) In this version, player A begins with two secret bits b 0 and b 1 . Player B can choose to receive exactly one of these bits, without letting A know which bit was chosen. Oblivious Transfer is one of the ....

....there is no t private protocol among n players when n 3t; this follows directly from the lower bound for Byzantine Agreement [103] For the case of a passive adversary, more is known about when a function does or does not have a t private protocol among n players when n 2t. Chor and Kushilevitz [55] find a gap in the maximum level of privacy, in the non cryptographic zero error setting for boolean functions. If a function has a t private protocol, n 2t, then it has an (n Gamma 1) private protocol. Moreover, every such n ary function is equivalent to an xor of n single input functions. ....

[Article contains additional citation context not shown here]

C. Cr'epeau and J. Kilian, "Achieving oblivious transfer using weakened security assumptions," IEEE FOCS 1988, 42--52.

....realistic case where the adversary receives the random source via a much better channel than the legitimate users. The power of a noisy channel was also demonstrated by Cr epeau and Kilian who showed that unconditionally secure bit commitment and oblivious transfer can be based on this primitive [11, 10]. In this paper, we show how to realize unconditionally secure encryption based on a third assumption: a limit on the memory size of the adversary. This means that an enemy can use unlimited computing power to compute any probabilistic function of some huge amount of public data, which is ....

C. Cr'epeau and J. Kilian, "Achieving oblivious transfer using weakened security assumptions, " in Proc. 29th IEEE Symposium on Foundations of Computer Science (FOCS), 1989.

....RAND. k CNRS URA 410. Laboratoire de Recherche en Informatique, Universit e Paris Sud, Batiment 490, 91405 Orsay, France. e mail: santha lri.fr. to appear in IEEE Transactions on Information Theory 2 1 Introduction The equivalence between cryptographic primitives is a major research topic [6, 11, 16, 30, 12, 25, 13, 31, 18, 19, 15, 17]. A large number of cryptographic protocols have been shown equivalent to one another. One out of two String Oblivious Transfer, denoted ( 2 1 ) OT k 2 , is a primitive that originates with [43] under the name of multiplexing ) a paper that marked the birth of quantum cryptography. ....

C. Cr'epeau and J. Kilian, "Achieving oblivious transfer using weakened security assumptions ", Proceedings of 29th Annual IEEE Symposium on Foundations of Computer Science, 1988, pp. 42 -- 52.

....first solution) solutions based on Oblivious Transfers are more interesting because they can be implemented in non computational scenarios. Oblivious Transfer can be implemented under the assumption that quantum mechanics is correct [9, 3] or under the assumption that reliable noisy channels exist [10]. Section 5 describes a new simple and efficient protocol based on the existence of a one out of two Oblivious Transfer. The scheme of Fagin, Naor and Winkler uses O(n 2 ) one out of two Oblivious Transfers while ours, based on coding theory, uses only O(n) such Transfers. 2. Computational ....

....information y = P is sufficient to calculate x from f(x) x 2 . In non computational models, as mentioned in the introduction, Gamma 2 1 Delta OT 2 can be implemented under the assumption that quantum mechanics is correct [9, 3] or under the assumption that reliable noisy channels exist [10]. 3.4. Oblivious Transfer of two bits In protocol 5 below, we use a One out of two Oblivious Transfer of two bit elements from F 4 , denoted by Gamma 2 1 Delta OT 4 . Each such transfer is achieved securely (even if one party tries to cheat) using only 3 instances of Gamma 2 1 Delta ....

C. Cr' epeau and J. Kilian (1988) Achieving oblivious transfer using weakened security assumptions, In Proceedings of the 29th Annual IEEE Symposium on Foundations of Computer Science, pp. 42 -- 52, 1988.

....between learning bit a 0 or a 1 prepared by Alice but she does not learn his choice b. Bob learns a b and obtains no information about a b . Implementations of ot can only exist under some assumption. For instance, ot can be constructed if trapdoor functions exist [16] from a noisy channel [11, 12], or from a quantum channel [2, 10] It is also a well known fact that using O(n) of Rabin s Oblivious Transfers [26] one can construct one out of two Oblivious Transfer [7] In a Bit Commitment Alice sends a committed bit a to Bob in such a way that she is able to reveal it later in a unique way ....

C. Cr'epeau, J. Kilian, Achieving Oblivious Transfer Using Weakened Security Assumptions, 29th IEEE Symposium on Foundation of Computer Science, 1988, pp. 42--52.

.... two decades ago [30] Over the years, a large number of theoretical applications of quantum physics to cryptography have been discovered: unforgeable bank notes and multiplexing channel [30] unforgeable subway tokens [5] self winding one time pad [4] key distribution [3] oblivious transfer [13], coin flipping [3, 8] and bit commitment [8] Recently, much excitement was created [29, 18, 14, 26, 15, 28, etc. when the success of a first experimental prototype was reported for the quantum key distribution protocol [1] Until now, not only was this prototype the first physical realization ....

.... protocols have been proposed for both these tasks, but either they leaked too much information [30] or they could not have been implemented in practice because they required one party to generate pure single photon light pulses [3] or because they could not tolerate errors due to detector noise [13, 8]. Before we proceed, let us recall the purpose of Oblivious Transfer (OT) In Rabin s original OT [27] Alice sends a one bit message to Bob, which he receives with probability 50 , while receiving nothing otherwise. Bob finds out whether or not he received Alice s bit, but Alice remains totally ....

[Article contains additional citation context not shown here]

Cr'epeau, C. and J. Kilian, "Achieving oblivious transfer using weakened security assumptions ", Proceedings of 29th IEEE Symposium on the Foundations of Computer Science, October 1988, pp. 42 -- 52.

....Claude Cr epeau Universit e de Montr eal April 9, 1996 Abstract The Wire Tap Channel of Wyner [20] shows that a Binary Symmetric Channel may be used as a basis for exchanging a secret key, in a cryptographic scenario of two honest people facing an eavesdropper. Later Cr epeau and Kilian [9] showed how a BSC may be used to implement Oblivious Transfer in a cryptographic scenario of two possibly dishonest people facing each other. Unfortunately this result is rather impractical as it requires Omega Gamma n 11 ) bits to be transmitted through the BSC to accomplish a single OT. The ....

....we make is that Alice and Bob are connected by a Binary Symmetric Channel (BS ffl ) that is a channel that will change the value of a bit b with probability ffl as it travels from one party to the other. A first protocol to accomplish Oblivious Transfer from a Noisy Channel was presented in [9]. Unfortunately, that protocol is quite complex and requires Omega Gamma n 11 ) bits sent through the BSC to perform a single Oblivious Transfer, where n is a security parameter that specifies the reliability of the protocol. As a consequence, any two party computations may be performed from ....

C. Cr'epeau and J. Kilian. Achieving oblivious transfer using weakened security assumptions. In 29 th Symposium on Foundations of Computer Science, pages 42--52. IEEE, 1988.

....instructions to break these schemes In those early days, only the security of quantum key distribution was conceivable. We will look more closely at the quantum bit commitment scheme behind Bennett Brassard s coin flipping protocol and its attack in section 2. More recently, Cr epeau and Kilian [12] have presented an alternative protocol for oneout of two Oblivious Transfer. Cr epeau [9, 10] showed that this protocol is secure if neither parties can store photons for long periods of time and if only Von Neumann measurements are allowed. Alternatively, the first restriction may be dropped if ....

C. Cr'epeau and J. Kilian, "Achieving oblivious transfer using weakened security assumptions ", Proceedings of 29th Annual IEEE Symposium on Foundations of Computer Science, 1988, pp. 42 -- 52.

....(Qu ebec) Canada H3C 3J7. e mail: crepeau iro.umontreal.ca. Abstract. The Wire Tap Channel of Wyner [19] shows that a Binary Symmetric Channel may be used as a basis for exchanging a secret key, in a cryptographic scenario of two honest people facing an eavesdropper. Later Cr epeau and Kilian [9] showed how a BSC may be used to implement Oblivious Transfer in a cryptographic scenario of two possibly dishonest people facing each other. Unfortunately this result is rather impractical as it requires Omega (n 11 ) bits to be transmitted through the BSC to accomplish a single OT. The current ....

....assumption we make is that A and B are connected by a Binary Symmetric Channel (BS ffl ) that is a channel that will change the value of a bit b with probability ffl as it travels from one party to the other. A first protocol to accomplish Oblivious Transfer from a Noisy Channel was presented in [9]. Unfortunately, that protocol is quite complex and requires Omega (n 11 ) bits sent through the BSC to perform a single Oblivious Transfer, where n is a security parameter that specifies the reliability of the protocol. As a consequence, any two party computations may be performed from the ....

C. Cr'epeau and J. Kilian. Achieving oblivious transfer using weakened security assumptions. In 29 th Symposium on Foundations of Computer Science, pages 42--52. IEEE, 1988.

No context found.

C. Crepeau and J. Kilian. Achieving oblivious transfer using weakened security assumptions. In Proc. of the 29th Annu. IEEE Symp. on Foundations of Computer Science, pages 42-52, 24-26 October 1988.

No context found.

C. Cr'epeau and J. Kilian. Achieving oblivious transfer using weakened security assumptions (extended abstract). In Proc. of 29th FOCS, pages 42--52, 1988.

No context found.

C. Cr'epeau and J. Kilian, "Achieving oblivious transfer using weakened security assumptions ", 28 th Symp. on Found. of Computer Sci., 1988, pp. 42 -- 52,

No context found.

Claude Cr'epeau and Joe Kilian, Achieving oblivious transfer using weakened security assumptions, Proc. 29th IEEE Symposium on Foundations of Computer Science (FOCS), 1988.

First 50 documents

Online articles have much greater impact   More about CiteSeer.IST   Add search form to your site   Submit documents   Feedback  

CiteSeer.IST - Copyright Penn State and NEC