
Security Analysis of Polynomial Interpolation-Based Distributed Oblivious Transfer Protocols

Conference paper, Information Security and Cryptology - ICISC 2014 (ICISC 2014). Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8949).

Abstract

In an unconditionally secure Distributed Oblivious Transfer (DOT) protocol, a receiver contacts at least \(k\) servers to obtain one of the \(n\) secrets held by a sender. Once the protocol has been executed, the sender does not know which secret was chosen by the receiver and the receiver has not gained information on the secrets she did not choose. In practical applications, the probability distribution of the secrets may not be uniform, e.g., when DOT protocols are used in auctions, some bids may be more probable than others.

In this kind of scenario, we show that the claim “a party cannot obtain more than a linear combination of secrets” is incorrect; depending on the probability distribution of the secrets, some existing polynomial interpolation-based DOT protocols allow a cheating receiver, or a curious server, who has obtained a linear combination of the secrets to determine all the secrets.


Notes

  1. Because the first term is constant and public, it is not included in the request.

References

  1. Beimel, A., Chee, Y.M., Wang, H., Zhang, L.F.: Communication-efficient distributed oblivious transfer. J. Comput. Syst. Sci. 78(4), 1142–1157 (2012)

  2. Blundo, C., D’Arco, P., De Santis, A., Stinson, D.R.: New results on unconditionally secure distributed oblivious transfer (extended abstract). In: Nyberg, K., Heys, H.M. (eds.) SAC 2002. LNCS, vol. 2595, pp. 291–309. Springer, Heidelberg (2003)

  3. Blundo, C., D’Arco, P., De Santis, A., Stinson, D.R.: On unconditionally secure distributed oblivious transfer. J. Cryptol. 20(3), 323–373 (2007)

  4. Brassard, G., Crépeau, C., Robert, J.M.: All-or-nothing disclosure of secrets. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 234–238. Springer, Heidelberg (1987)

  5. Cheong, K.Y., Koshiba, T., Nishiyama, S.: Strengthening the security of distributed oblivious transfer. In: Boyd, C., González Nieto, J. (eds.) ACISP 2009. LNCS, vol. 5594, pp. 377–388. Springer, Heidelberg (2009)

  6. Friedman, W.F.: The index of coincidence and its applications in cryptography. No. 22 in Riverbank Publications, Riverbank Laboratories, Geneva, IL, USA (1922)

  7. Kasiski, F.W.: Die Geheimschriften und die Dechiffrir-Kunst. Mittler & Sohn, Berlin (1863)

  8. Naor, M., Pinkas, B.: Distributed oblivious transfer. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 205–219. Springer, Heidelberg (2000)

  9. Nikov, V., Nikova, S., Preneel, B., Vandewalle, J.: On unconditionally secure distributed oblivious transfer. In: Menezes, A., Sarkar, P. (eds.) INDOCRYPT 2002. LNCS, vol. 2551, pp. 395–408. Springer, Heidelberg (2002)

  10. Shamir, A.: How to share a secret. Commun. ACM 22(11), 612–613 (1979)


Corresponding author: Christian L. F. Corniaux.


Appendices

A Characteristics of Some DOT Protocols

A.1 Naor and Pinkas’s DOT [8]

In the sparse polynomial interpolation-based DOT protocol introduced by Naor and Pinkas [8], the number of secrets is \(n = 2\), the threshold parameter is \(k\), the sender’s privacy and strong privacy parameters are \(\lambda _{S} = k - 1\) and \(\lambda _{C} = 0\), the hiding parameter is \(N = 2\) and the encoding parameter is \(e = 2\). The encoding function is \(E(s) = \left( \, 1, \delta _{s}^{2} \,\right) \) and the polynomials \(U_{i}\) and \(V_{i}\) (\(1 \le i \le N\)) are:

  • \(U_{1}(x) = \omega _{1} + \sum _{i = 1}^{k - 1}{a_{i}x^{i}}\), where coefficients \(a_{i}\) are randomly selected in \(\mathbb {K}\), and \(U_{2}(x) = \omega _{2} - \omega _{1}\),

  • \(V_{i}(y_{1}, y_{2}) = y_{i}\) for \(i = 1, 2\).

On the receiver’s side, the number of contacted servers is \(t = k\) and the receiver’s privacy parameter is \(\lambda _{R} = k - 1\). Since the first element of the encoding function is constant and public, it is not shared (i.e., \(Z_{1} = 1\)) and is not included in the request transmitted by the receiver to the contacted servers.

A.2 Blundo et al.’s DOT [2]

The protocol introduced by Blundo, D’Arco, De Santis and Stinson [2] is an extension of Naor and Pinkas’s sparse polynomial interpolation-based DOT protocol [8]. Only the following characteristics are different from those described in Appendix A.1.

  • \(n \ge 2\),

  • \(N = n\),

  • \(E( s ) = \left( \, 1, \delta _{s}^{2}, \delta _{s}^{3},\ldots , \delta _{s}^{n} \,\right) \),

  • \(U_{i}( x ) = \omega _{i} - \omega _{1}\) for \(i = 2, 3,\ldots , N\),

  • \(V_{i}( y_{1}, y_{2},\ldots , y_{e} ) = y_{i}\) for \(i = 1, 2,\ldots , N\).

A.3 Blundo et al.’s DOT [3]

The characteristics of the protocol introduced by Blundo, D’Arco, De Santis and Stinson [3] are similar to those of the protocol they presented in 2002 (see Appendix A.2). However, to improve the protocol, the secrets are masked twice:

  • To prevent the servers from learning a linear combination of secrets, each secret \(\omega _{i}\) (\(2 \le i \le n\)) is multiplied by a mask \(r_{i}\) randomly selected in \(\mathbb {K}\). Each mask is shared amongst the \(m\) servers involved in the protocol with Shamir’s secret sharing scheme [10],

  • To prevent the receiver from learning a linear combination of secrets, each secret \(\omega _{i}\) (\(1 \le i \le n\)) is masked with a mask \(c_{i}\) randomly selected in \(\mathbb {K}^{*}\) and the receiver needs, with one request only, to collect shares of the chosen masked secret \(c_{\sigma }\omega _{\sigma }\), but also of the corresponding mask \(c_{\sigma }\).

More specifically, in the set-up phase, the sender \(\mathcal{S}\) first selects masks \(c_{i}\) (\(1 \le i \le n\)) in \(\mathbb {K}^{*}\), which gives him two lists of secret values: \(\left( \, c_{1}\omega _{1}, c_{2}\omega _{2},\ldots , c_{n}\omega _{n} \,\right) \) and \(\left( \, c_{1}, c_{2},\ldots , c_{n} \,\right) \). Second, \(\mathcal{S}\) selects random masks \(r^{(1)}_{i}\) and \(r^{(2)}_{i}\) (\(2 \le i \le n\)) in \(\mathbb {K}\) and builds two lists \(L_{1} = \left( \, c_{1}\omega _{1}, r^{(1)}_{2}c_{2}\omega _{2}, r^{(1)}_{3}c_{3}\omega _{3},\ldots , r^{(1)}_{n}c_{n}\omega _{n} \,\right) \) and \(L_{2} = \left( \, c_{1}, r^{(2)}_{2}c_{2}, r^{(2)}_{3}c_{3},\ldots , r^{(2)}_{n}c_{n} \,\right) \). Then, a set of \(N\) polynomials \(U^{(1)}_{i}\) (\(1 \le i \le N\)) is generated to hide the secret values of \(L_{1}\) and another set of \(N\) polynomials \(U^{(2)}_{i}\) (\(1 \le i \le N\)) is generated to hide the secret values of \(L_{2}\):

  • \(U^{(1)}_{1}( x ) = c_{1}\omega _{1} + \sum _{i = 1}^{k - 1}{a^{(1)}_{i}x^{i}}\), where coefficients \(a^{(1)}_{i}\) are randomly selected in \(\mathbb {K}\), and for \(i = 2, 3,\ldots , n\), \(U^{(1)}_{i}( x ) = r^{(1)}_{i}c_{i}\omega _{i} - c_{1}\omega _{1}\),

  • \(U^{(2)}_{1}( x ) = c_{1} + \sum _{i = 1}^{k - 1}{a^{(2)}_{i}x^{i}}\), where coefficients \(a^{(2)}_{i}\) are randomly selected in \(\mathbb {K}\), and for \(i = 2, 3,\ldots , n\), \(U^{(2)}_{i}( x ) = r^{(2)}_{i}c_{i} - c_{1}\).

The \(e\)-variate polynomials \(V_{i}\) (\(i = 1, 2,\ldots , N\)) are the same as those defined in Appendix A.2. Still in the set-up phase, each server \(S_{j}\) (\(j \in \mathcal{I}_{m}\)) receives

$$ \varvec{u}^{(1)}_{j} = \left( \, U^{(1)}_{1}( j ), r^{(1)}_{2}c_{2}\omega _{2} - c_{1}\omega _{1}, r^{(1)}_{3}c_{3}\omega _{3} - c_{1}\omega _{1},\ldots , r^{(1)}_{n}c_{n}\omega _{n} - c_{1}\omega _{1} \,\right) $$

and

$$ \varvec{u}^{(2)}_{j} = \left( \, U^{(2)}_{1}( j ), r^{(2)}_{2}c_{2} - c_{1}, r^{(2)}_{3}c_{3} - c_{1},\ldots , r^{(2)}_{n}c_{n} - c_{1} \,\right) , $$

as well as the shares \([r^{(1)}_{2}]_{j}, [r^{(1)}_{3}]_{j},\ldots , [r^{(1)}_{n}]_{j}\) and \([r^{(2)}_{2}]_{j}, [r^{(2)}_{3}]_{j},\ldots , [r^{(2)}_{n}]_{j}\) (If \(F^{(s)}_{t}\) is the hiding polynomial determined in Shamir’s secret sharing scheme to share \(r^{(s)}_{t}\), the share \(F^{(s)}_{t}( j )\) allocated to server \(S_{j}\) is denoted \([r^{(s)}_{t}]_{j}\).)

In the oblivious phase, on reception of the request \(\varvec{z}_{j}\), a server \(S_{j}\) (\(j \in \mathcal{I}\)) calculates \(\varvec{v}_{j} = \left( \, V_{1}( \varvec{z}_{j} ), V_{2}( \varvec{z}_{j} ),\ldots , V_{N}( \varvec{z}_{j} ) \,\right) \) and returns and , with the two sets of \(n - 1\) shares of \(\left( \, r^{(1)}_{2}, r^{(1)}_{3},\ldots , r^{(1)}_{n} \,\right) \) and \(\left( \, r^{(2)}_{2}, r^{(2)}_{3},\ldots , r^{(2)}_{n} \,\right) \) to the receiver. From the collected values, \(\mathcal{R}\) interpolates two polynomials \(R^{(1)}\) and \(R^{(2)}\) and, if \(\sigma = 1\), calculates \(R^{(1)}( 0 ) = c_{\sigma }\omega _{\sigma }\) and \(R^{(2)}( 0 ) = c_{\sigma }\). If \(\sigma \ne 1\), \(\mathcal{R}\) calculates \(R^{(1)}( 0 ) = c_{\sigma }r^{(1)}_{\sigma }\omega _{\sigma }\) and \(R^{(2)}( 0 ) = c_{\sigma }r^{(2)}_{\sigma }\) and also determines from the \(k\) collected shares \([r^{(1)}_{\sigma }]_{j}\) the value of \(r^{(1)}_{\sigma }\) and similarly, from the \(k\) collected shares \([r^{(2)}_{\sigma }]_{j}\) the value of \(r^{(2)}_{\sigma }\). Then, with simple division(s), \(\mathcal{R}\) determines \(c_{\sigma }\) first and \(\omega _{\sigma }\) second.

A.4 Nikov et al.’s DOT [9]

The sparse polynomial interpolation-based DOT protocol introduced by Nikov, Nikova, Preneel and Vandewalle [9] is characterized by the following parameters: the number of secrets \(n \ge 2\), the threshold parameter \(k\), the sender’s privacy parameter \(\lambda _{S} \le k - 1\), the receiver’s privacy parameter \(\lambda _{R} \le k - 1\), the hiding parameter \(N = n\) and the encoding parameter \(e = n\). The parameter \(\lambda _{C}\) is defined such that \(\lambda _{R} + \lambda _{C} \le k - 1\). In addition, the encoding function is \(E( s ) = \left( \, 1, \delta _{s}^{2}, \delta _{s}^{3},\ldots , \delta _{s}^{n} \,\right) \) and the polynomials \(U_{i}\) and \(V_{i}\) (\(1 \le i \le N\)) are:

  • \(U_{1}( x ) = \omega _{1} + \sum _{\ell = 1}^{k - 1}{a_{1,\ell }x^{\ell }}\), where coefficients \(a_{1,\ell }\) are randomly selected in \(\mathbb {K}\), and for \(i = 2, 3,\ldots , N\), \(U_{i}( x ) = \omega _{i} - \omega _{1} + \sum _{\ell = 1}^{\lambda _{C}}{a_{i,\ell }x^{\ell }}\), where coefficients \(a_{i,\ell }\) are randomly selected in \(\mathbb {K}\),

  • \(V_{i}( y_{1}, y_{2},\ldots , y_{e} ) = y_{i}\) for \(i = 1, 2,\ldots , N\).

As in Naor and Pinkas’s and in Blundo et al.’s DOT protocols (see Appendices A.1 and A.2 above), on the receiver’s side the number of contacted servers is \(t = k\). Since the first element of the encoding function is constant and public, it is not shared (i.e., \(Z_{1} = 1\)) and is not included in the request transmitted by the receiver to the contacted servers.

A.5 Beimel et al.’s DOT [1]

In [1], Beimel, Chee, Wang and Zhang propose a specific reduction from a DOT protocol to a polynomial interpolation-based information-theoretic private information retrieval protocol. The characteristics of the protocol are: the number of secrets \(n \ge 2\), the threshold parameter \(k\), the sender’s privacy and strong privacy parameters \(\lambda _{S} = \lambda _{C} \le k - 1\), the receiver’s privacy parameter \(\lambda _{R} \le k - 1\), the hiding parameter \(N = n + 1\) and the encoding parameter \(e > 0\). The polynomials \(U_{i}\) and \(V_{i}\) (\(1 \le i \le N\)) are:

  • \(U_{1}( x ) = \sum _{i = 0}^{k - 1}{a_{1,i}x^{i}}\), where coefficients \(a_{1,i}\) are randomly selected in \(\mathbb {K}\), and for \(i = 2, 3,\ldots , N\), the polynomial \(U_{i}\) is defined by \(U_{i}( x ) = ( \omega _{i - 1} - a_{1,0} ) + \sum _{j = 1}^{\lambda _{C}}{a_{i,j}x^{j}}\), where coefficients \(a_{i,j}\) are randomly selected in \(\mathbb {K}\),

  • \(V_{1}( y_{1}, y_{2},\ldots , y_{e} ) = 1\) and for \(i = 2, 3,\ldots , N\), the polynomial \(V_{i}\) and the encoding function \(E\) must satisfy \(V_{i}( E( \ell ) ) = \delta _{\ell }^{i - 1}\) for \(\ell \in [n]\).

On the receiver’s side, the number of contacted servers is \(t = k\). In addition, for efficiency purposes, each contacted server \(S_{j}\) (\(j \in \mathcal{I}_{t}\)) transforms the share into a split \(s_{j}\), which is sent back to the receiver. The receiver has just to calculate the sum \(\omega _{\sigma } = \sum _{j \in \mathcal{I}_{t}}{s_{j}}\) to obtain the chosen secret.

B Example of Insecurity in Blundo et al.’s DOT Protocol

—— Public Information ——

  • Finite field \(\mathbb {F}_{ 11 }\)

  • Threshold \(k = 3 \)

  • Number of secrets \(n = 2\)

  • \(p_{\omega _{1}}( 6 ) = 0.5\), \(p_{\omega _{1}}( 2 ) = 0.5\), \(p_{\omega _{1}}(i) = 0\) if \(i \ne 6 \) and \(i \ne 2 \)

  • \(p_{\omega _{2}}( 1 ) = 0.5\), \(p_{\omega _{2}}( 3 ) = 0.5\), \(p_{\omega _{2}}(i) = 0\) if \(i \ne 1 \) and \(i \ne 3 \)

—— Set-up phase ——

Information private to the sender:

  • \(\omega _{1} = 6 \) and \(\omega _{2} = 1 \)

  • \(c_{1} = 5\) and \(c_{2} = 7\)

  • \(r^{(1)}_{1} = 1 \) and \(r^{(1)}_{2} = 2\)

  • \(r^{(2)}_{1} = 4 \) and \(r^{(2)}_{2} = 5\)

Intermediate calculations to prepare the sharing polynomials:

  • \(r^{(1)}_{1} \times c_{1} \times \omega _{1} = 8\)

  • \(r^{(1)}_{2} \times c_{2} \times \omega _{2} = 3\)

  • \(r^{(2)}_{1} \times c_{1} = 9 \)

  • \(r^{(2)}_{2} \times c_{2} = 2 \)

  • Sharing polynomial \(U^{(1)}_{1} = 8 + 2X + 9X^2\)

  • Sharing polynomial \(U^{(2)}_{1} = 9 + X + 4X^2\)

  • \(S_{ 1 }\) receives \(\varvec{u}^{(1)}_{1} = \left( \, 8, 6 \,\right) \) and \(\varvec{u}^{(2)}_{1} = \left( \, 3, 4 \,\right) \)

  • \(S_{ 2 }\) receives \(\varvec{u}^{(1)}_{2} = \left( \, 4, 6 \,\right) \) and \(\varvec{u}^{(2)}_{2} = \left( \, 5, 4 \,\right) \)

  • \(S_{ 3 }\) receives \(\varvec{u}^{(1)}_{3} = \left( \, 7, 6 \,\right) \) and \(\varvec{u}^{(2)}_{3} = \left( \, 4, 4 \,\right) \)

—— Transfer phase ——

  • Request generated by the receiver: \(\varvec{z}_{j} = \left( \, 1, 6 \,\right) \)

  • \(\varvec{v}_{j} = \varvec{z}_{j} = \left( \, 1, 6 \,\right) \)

  • \(S_{ 1 }\) replies with and

  • \(S_{ 2 }\) replies with and

  • \(S_{ 3 }\) replies with and

—— The receiver tries to obtain all secrets ——

  • Interpolated polynomial from \((\, 1, 0 \,)\), \((\, 2, 7 \,)\), and \((\, 3, 10 \,)\): \(R^{(1)} = 2X + 9X^2 \)

  • \(r^{(1)}_{2}c_{2}\omega _{2} + r^{(1)}_{1}c_{1}\omega _{1} = 2 \times R^{(1)}(0) = 0 \)

  • Interpolated polynomial from \((\, 1, 5 \,)\), \((\, 2, 7 \,)\), and \((\, 3, 6 \,)\): \(R^{(2)} = X + 4X^2 \)

  • \(r^{(2)}_{2}c_{2} + r^{(2)}_{1}c_{1} = 2 \times R^{(2)}(0) = 0 \)

  • From the received mask shares, the receiver determines \(r^{(1)}_{1} = 1 \), \(r^{(1)}_{2} = 2 \), \(r^{(2)}_{1} = 4 \) and \(r^{(2)}_{2} = 5 \).

So, the receiver can infer the two equations:

$$ \left\{ \begin{aligned}&2 \times c_{2}\omega _{2} + 1 \times c_{1}\omega _{1} = 0 \\&5 \times c_{2} + 4 \times c_{1} = 0 \end{aligned} \right. $$

From the second equation, the receiver infers that \(c_{2} = 8 \times c_{1}\). Substituting this equality into the first equation, she obtains: \(c_{1} \times ( 5 \times \omega _{2} + 1 \times \omega _{1}) = 0 \). If \(\left( \, \omega _{1}, \omega _{2} \,\right) =\)

  • \(\left( \, 6 , 1 \,\right) \), then \( 5 \times \omega _{2} + 1 \times \omega _{1} = 0 \),

  • \(\left( \, 2 , 1 \,\right) \), then \( 5 \times \omega _{2} + 1 \times \omega _{1} = 7 \),

  • \(\left( \, 6 , 3 \,\right) \), then \( 5 \times \omega _{2} + 1 \times \omega _{1} = 10 \),

  • \(\left( \, 2 , 3 \,\right) \), then \( 5 \times \omega _{2} + 1 \times \omega _{1} = 6 \).

The only pair of secrets which satisfies the first equation is: \(\left( \, 6, 1 \,\right) \). The greedy receiver has obtained all secrets.
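As an added example (not code from the paper or its authors), the following Python script implements the masked protocol of Appendix A.3 over \(\mathbb {F}_{11}\) with the secrets, masks and sharing polynomials of Appendix B, runs it once for an honest receiver (\(\sigma = 1\) and \(\sigma = 2\)) and once with the appendix's request \(\varvec{z}_{j} = (1, 6)\), and then applies the appendix's candidate test to the public support of the secrets. All function and variable names are this example's own; the Shamir polynomials sharing the masks are drawn at random because the appendix does not list them; and, following the numbers of Appendix B rather than the text of A.3, index 1 is masked too (\(r^{(1)}_{1} = 1\), \(r^{(2)}_{1} = 4\)).

```python
import random
from itertools import product

P = 11                      # the finite field F_11 of Appendix B
K, SERVERS = 3, (1, 2, 3)   # threshold k = 3, m = 3 servers
OMEGA = (6, 1)              # omega_1, omega_2 (private to the sender)
C = (5, 7)                  # c_1, c_2
R1 = (1, 2)                 # r^(1)_1, r^(1)_2 (Appendix B masks index 1 too)
R2 = (4, 5)                 # r^(2)_1, r^(2)_2
U1_1 = (8, 2, 9)            # U^(1)_1 = 8 + 2X + 9X^2 (constant term r^(1)_1 c_1 omega_1)
U2_1 = (9, 1, 4)            # U^(2)_1 = 9 + X + 4X^2  (constant term r^(2)_1 c_1)
SUPPORT = ((6, 2), (1, 3))  # public: values of omega_1 and of omega_2 with probability 0.5


def poly_eval(coeffs, x):
    return sum(c * pow(x, e, P) for e, c in enumerate(coeffs)) % P


def lagrange_at_zero(points):
    """Value at 0 of the polynomial of degree < len(points) through the (x, y) points."""
    total = 0
    for xi, yi in points:
        num = den = 1
        for xj, _ in points:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def shamir_share(secret, rng):
    """Shamir shares of `secret` on a random polynomial of degree k-1 (k shares recover it)."""
    coeffs = [secret] + [rng.randrange(P) for _ in range(K - 1)]
    return {j: poly_eval(coeffs, j) for j in SERVERS}


def sender_setup(rng=None):
    """Set-up phase of A.3: server j gets u^(1)_j, u^(2)_j and one share of every mask."""
    rng = rng or random.Random()
    m1 = [R1[i] * C[i] * OMEGA[i] % P for i in range(2)]   # list L1 = (8, 3)
    m2 = [R2[i] * C[i] % P for i in range(2)]              # list L2 = (9, 2)
    sh1 = [shamir_share(r, rng) for r in R1]
    sh2 = [shamir_share(r, rng) for r in R2]
    return {j: ((poly_eval(U1_1, j), (m1[1] - m1[0]) % P),   # u^(1)_j
                (poly_eval(U2_1, j), (m2[1] - m2[0]) % P),   # u^(2)_j
                [s[j] for s in sh1], [s[j] for s in sh2]) for j in SERVERS}


def server_reply(server, z):
    """Oblivious phase: V_i(y) = y_i, so v_j = z_j; the server returns <u^(1)_j, v_j>,
    <u^(2)_j, v_j> and its shares of the masks."""
    u1, u2, sh1, sh2 = server
    dot = lambda u: sum(a * b for a, b in zip(u, z)) % P
    return dot(u1), dot(u2), sh1, sh2


def interpolate_all(replies):
    """R^(1)(0), R^(2)(0) and the masks r^(1)_i, r^(2)_i rebuilt from the k shares."""
    at0 = lambda f: lagrange_at_zero([(j, f(j)) for j in SERVERS])
    r1 = [at0(lambda j, i=i: replies[j][2][i]) for i in range(2)]
    r2 = [at0(lambda j, i=i: replies[j][3][i]) for i in range(2)]
    return at0(lambda j: replies[j][0]), at0(lambda j: replies[j][1]), r1, r2


def honest_receiver(servers, sigma, rng=None):
    """Share E(sigma) = (1, delta_sigma^2); Z_1 = 1 is public and sent in clear."""
    z2 = shamir_share(1 if sigma == 2 else 0, rng or random.Random())
    replies = {j: server_reply(servers[j], (1, z2[j])) for j in SERVERS}
    R1_0, R2_0, r1, r2 = interpolate_all(replies)   # c r^(1) omega  and  c r^(2)
    i = sigma - 1
    c_sigma = R2_0 * pow(r2[i], -1, P) % P
    return R1_0 * pow(r1[i], -1, P) * pow(c_sigma, -1, P) % P


def consistent_pairs(servers, a=6):
    """Appendix B: the same constant request z = (1, a) to every server makes each
    R(0) equal (1-a)*m_1 + a*m_2, a linear combination of the masked values (for
    a = 6 = 2^-1 in F_11 that is 6*(m_1 + m_2), hence the factor 2 in the appendix).
    With the masks known, keep the (omega_1, omega_2) of the public support for
    which some c_1, c_2 in K* satisfy both equations: the appendix's substitution
    argument, done here by exhaustive search over c_1 and c_2."""
    replies = {j: server_reply(servers[j], (1, a)) for j in SERVERS}
    R1_0, R2_0, r1, r2 = interpolate_all(replies)
    wt = ((1 - a) % P, a % P)            # weights of index 1 and index 2
    keep = []
    for w1, w2 in product(*SUPPORT):
        if any((wt[0] * r1[0] * c1 * w1 + wt[1] * r1[1] * c2 * w2 - R1_0) % P == 0
               and (wt[0] * r2[0] * c1 + wt[1] * r2[1] * c2 - R2_0) % P == 0
               for c1 in range(1, P) for c2 in range(1, P)):
            keep.append((w1, w2))
    return keep


def run_example(seed=1):
    """Honest runs for sigma = 1, 2, then Appendix B's request: ([6, 1], [(6, 1)])."""
    rng = random.Random(seed)
    servers = sender_setup(rng)
    return [honest_receiver(servers, s, rng) for s in (1, 2)], consistent_pairs(servers)


if __name__ == "__main__":
    print(run_example())
```

Running the script prints `([6, 1], [(6, 1)])`: the honest receiver obtains the chosen secret, and after the constant request the only pair of the public support consistent with both equations is \((6, 1)\). The servers' replies to \((1, 6)\) are \((0, 5)\), \((7, 7)\) and \((10, 6)\), the three points interpolated in the appendix. Enlarging `SUPPORT` shows how the set of consistent pairs grows with the support of the distribution, which is the dependence on the probability distribution of the secrets that the abstract refers to.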


Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper: Corniaux, C.L.F., Ghodosi, H. (2015). Security Analysis of Polynomial Interpolation-Based Distributed Oblivious Transfer Protocols. In: Lee, J., Kim, J. (eds) Information Security and Cryptology - ICISC 2014. ICISC 2014. Lecture Notes in Computer Science, vol 8949. Springer, Cham. https://doi.org/10.1007/978-3-319-15943-0_22

  • DOI: https://doi.org/10.1007/978-3-319-15943-0_22

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-15942-3

  • Online ISBN: 978-3-319-15943-0
