Some protocols used in TLSNotary need to convert two-party sharings of products or sums of some field elements into each other. For this purpose we use share conversion protocols which use oblivious transfer (OT) as a sub-protocol. Here we want to have a closer look at the security guarantees these protocols offer.
Our goal is to add covert security to our share conversion protocols. This
means that we want an honest party to be able to detect a malicious adversary,
who is then able to abort the protocol. Our main concern is that the adversary
might be able to leak private inputs of the honest party without being noticed.
For this reason we require that the adversary cannot do anything which would
give him a better chance than guessing the private input at random, which is
guessing bits with a probability of for not being detected.
In the following we want to have a closer look at how the sender and receiver can deviate from the protocol.
Note that in our protocol a malicious receiver cannot forge the protocol output, since he does not send anything to the sender during protocol execution. Even when this protocol is embedded into an outer protocol, where at some point the receiver has to open his output or a computation involving it, then all he can do is to open an output with , which is just equivalent to changing his input from .
In the case of a malicious sender the following things can happen:
- The sender can impose an arbitrary field element as input onto the receiver without him noticing. To do this he simply sends in every OT, where is i-th bit of .
- The sender can execute a selective-failure attack, which allows him to learn any predicate about the receiver's input. For each OT round , the sender alters one of the OT values to be , where . This will cause that in the end the equation no longer holds but only if the forged OT value has actually been picked by the receiver.
- The sender does not use a random number generator with a seed to sample the masks , instead he simply chooses them at will.
Without loss of generality let us recall the Multiplication-To-Addition (M2A) protocol, but our observations also apply to the Addition-To-Multiplication (A2M) protocol, which is very similar. We start with a short review of the M2A protocol.
Let there be a sender with some field element and some receiver with another field element . After protocol execution the sender ends up with and the receiver ends up with , so that .
- - rng seed
- - bit-length of elements in
- - bit-length of rng seed
- Sample some random masks:
- For every compute:
- Compute new share:
- Send OTs to receiver:
- Set (from OT)
- Compute new share:
In order to mitigate the mentioned protocol deviations in the case of a malicious sender we will introduce a replay protocol.
In this section we will use capital letters for values sent in the replay protocol, which in the case of an honest sender are equal to their lowercase counterparts.
The idea for the replay protocol is that at some point after the conversion protocol, the sender has to reveal the rng seed and his input to the receiver. In order to do this, he will send and to the receiver after the conversion protocol has been executed. If the sender is honest then of course and . The receiver can then check if the value he picked during protocol execution does match what he can now reconstruct from and , i.e. that .
Using this replay protocol the sender at some point reveals all his secrets because he sends his rng seed and protocol input to the receiver. This means that we can only use covertly secure share conversion with replay as a sub-protocol if it is acceptable for the outer protocol, that the input to share-conversion becomes public at some later point.
Now in practice we often want to execute several rounds of share-conversion, as we need to convert several field elements. Because of this we let the sender use the same rng seed to seed his rng once and then he uses this rng instance for all protocol rounds. This means we have protocol executions , and all masks produced from this rng seed . So the sender will write his seed and all the to some tape, which in the end is sent to the receiver. As a security precaution we also let the sender commit to his rng seed before the first protocol execution. In detail:
- Sender has some inputs and picks some rng seed .
- Sender commits to his rng seed and sends the commitment to the receiver.
- Sender sends all his OTs for protocol executions.
- Sender sends tape which contains the rng seed and all the .
- Receiver checks that is indeed the committed rng seed.
- For every protocol execution the receiver checks that .
Having a look at the ways a malicious sender could cheat from earlier, we notice:
- The sender can no longer impose an arbitrary field element onto the receiver, because the receiver would notice that during the replay.
- The sender can still carry out a selective-failure attack, but this is equivalent to guessing bits of at random with a probability of for being undetected.
- The sender is now forced to use an rng seed to produce the masks, because during the replay, these masks are reproduced from and indirectly checked via .