The Relationship between
Public Key Encryption and Oblivious Transfer
Preliminary Version
Sampath Kannan, University of Pennsylvania, kannan@central.cis.upenn.edu
Yael Gertner, University of Pennsylvania, ygertner@saul.cis.upenn.edu
Omer Reingold, AT&T Labs - Research, omer@research.att.com
Tal Malkin, AT&T Labs - Research, tal@research.att.com
Mahesh Viswanathan, University of Pennsylvania, maheshv@saul.cis.upenn.edu
November 26, 2000
Abstract
In this paper we study the relationships among some of the most fundamental primitives and protocols
in cryptography: public-key encryption (i.e. trapdoor predicates), oblivious transfer (which is equivalent
to general secure multi-party computation), key agreement and trapdoor permutations. Our main results
show that public-key encryption and oblivious transfer are incomparable under black-box reductions.
These separations are tightly matched by our positive results where a restricted (strong) version of one
primitive does imply the other primitive. We also show separations between oblivious transfer and key
agreement. Finally, we conclude that neither oblivious transfer nor trapdoor predicates imply trapdoor
permutations. Our techniques for showing negative results follow the oracle separations of Impagliazzo
and Rudich [IR89, Rud91].
1 Supported by grants ONR N00014-97-0505 (MURI), NSF CCR 98-20885, and ARO
DAAG55-98-1-0393
1 Introduction
The cryptographic research of the last few decades has proposed solutions to almost every "conceivable"
cryptographic task (and to quite a few tasks that first seemed "inconceivable"). The correctness and
security of these solutions was proven under a growing number of (unproven) computational assumptions
put forth by the community. To some extent, this state of affairs is unavoidable: the security of "almost
any" cryptographic protocol implies the existence of one-way functions¹ [IL89] (which in particular implies
$P \neq NP$). Therefore, for most cryptographic protocols, unconditional proofs of security seem well beyond
the reach of complexity theory. Nevertheless, it might be possible that many of these assumptions are related
or even equivalent to one another. Exploring the relationship between these assumptions, and determining
those that are integral to cryptography, would thus greatly clarify our understanding of the cryptographic
world, and is considered to be one of the most fundamental goals.
For some primitives, this goal has been met with much success. For example, private key encryption
(Private KE), pseudo-random generators (PSRG), pseudo-random functions and permutations, bit commitment,
and digital signatures (Sig), have all been shown to exist if and only if one-way functions exist
[Yao82, GM84, GGM86, LR88, IL89, NY89, Rom90, Nao91, HILL99]. Thus, the existence of one-way
functions is a powerful assumption that captures and unifies a large class of cryptographic primitives.
It is, therefore, natural to wonder if all cryptographic primitives are equivalent to one-way functions.
However, this seems unlikely. For example, it is safe to assert that a construction of trapdoor permutations
out of one-way functions, if at all possible, would require immense innovation: trapdoor permutations just
seem to have much more structure than one-way functions. Yet, constructing a formal proof based on this
intuition is non-trivial. In fact, it is not even clear what the formal meaning of such a claim is, given the
common belief that both one-way functions and trapdoor permutations exist (hence a "reduction" can just
ignore the one-way functions and build trapdoor permutations from scratch).
Indeed, overcoming these challenges has proved to be very difficult. While we know of no techniques that
prove the failure of all reductions, Impagliazzo and Rudich [IR89] gave a method for separating primitives
under a restricted but important subclass of reductions, namely, black-box reductions. Informally, a
black-box reduction of a primitive P to a primitive Q is a construction of P out of Q that ignores the internal
structure of the implementation of Q. The exact definition of black-box reductions and the Impagliazzo
and Rudich methodology for black-box separations are rather subtle (see Section 2.2). In the introduction,
however, we continue with a more intuitive treatment of these notions and identify black-box reductions with
relativizing reductions (ones that work relative to any oracle). Hence, in order to prove that a black-box
reduction of P to Q is impossible, it suffices to demonstrate an oracle relative to which the primitive Q exists
whereas P does not. We stress that such black-box separations have their limitations (as discussed below).
Nevertheless, as noted by Impagliazzo and Rudich, almost all constructions in cryptography are black box.
Therefore, if there are no black-box reductions of P to Q then a proof that the existence of Q implies the
existence of P is most likely very difficult.
Using the methodology described above, Impagliazzo and Rudich [IR89] showed that not all cryptographic
primitives are equivalent. Specifically, they show that there are no black-box reductions from one-way
functions (OWF) to key agreement (KA). This result immediately implies separations between OWF (and
other equivalent primitives) and several other primitives which are known to imply KA. In other words, the
cryptographic primitives can be divided into two worlds: "private cryptography" consisting of OWF and all
equivalent primitives, and "public cryptography" consisting of "harder" primitives such as KA, public key
encryption (PKE), Oblivious Transfer (OT), secure function evaluation (SFE), and trapdoor permutations
(TD Perm).² These implications are summarized in Figure 1.
An interesting problem to consider, therefore, is the relationship between the primitives in the public
cryptography world (see e.g. [Gol97]). This is especially important because PKE and OT are two of the
most fundamental primitives in cryptography. Essentially all of cryptography is based on them: public-key
encryption allows parties that "just met" to exchange secret messages in the presence of an eavesdropper,
and oblivious transfer allows parties to securely compute functions [Kil88, Gol98].
¹ The range of cryptographic protocols that can be proven secure in a purely information-theoretic sense (such as encryption
with one-time pad) is extremely limited compared with the realm of possibilities "computational" cryptography offers.
² The names "private" vs. "public" may be misleading: we note that digital signatures, which are based on public keys, are
in fact equivalent to OWF.
[Figure 1 (diagram not recoverable from the extracted text): implications among TD Perm, PKE, KA, OT, SFE, OWF, Private KE, PSRG and Sig.]
Figure 1: Separation between "Private Cryptography" and "Public Cryptography".
The first indication that the situation is not as simple in the "public" world as in the "private" one
was given by Rudich [Rud91].³ Extending the techniques of [IR89], Rudich proved a black-box separation
between KA in k + 1 passes (i.e. by exchanging k + 1 messages between the parties) and KA in k passes, for
any k. This implies a separation between KA and PKE since PKE is equivalent to KA in one round (i.e. two
passes). Another result relating primitives in the "public" world is that of Even, Goldreich and Lempel [EGL85].
They showed that PKE with additional underlying properties implies OT. However, in general, very little was
known about the relationship between PKE and OT. Thus, most of the relationships between the primitives in
the "public" world were left unresolved. Figure 2 summarizes the relationships that were known before
our results.
[Figure 2 (diagram not recoverable from the extracted text): relationships among TD Perm, PKE, 2-KA, k-KA and OT.]
Figure 2: Previously known Relationships in the Public Cryptography World.
In this paper we make significant progress by resolving the missing relationships, with respect to
black-box reductions. We show rather surprising separations between PKE and OT. This two-sided separation
implies that in fact PKE and OT are incomparable with respect to black-box reductions, which makes it
a unique situation. It is especially surprising given the result of [EGL85] that was interpreted by many as
saying that PKE implies OT. Among our additional results are positive results in special cases, corollaries
separating OT and KA, and separating trapdoor permutations from PKE and OT. These results are detailed
in Section 1.2.
One way to interpret the results of this paper is as an indication that obtaining a simple and clean
view of cryptography is even further beyond our reach than might have been suspected. Our results imply
that we cannot even divide all of cryptography into a hierarchy of assumptions (since PKE and OT are
incomparable). Furthermore, we demonstrate that the picture of "public crypto" is not likely to simplify in
some of its most central concepts.
1.1 The Primitives and Protocols
In their seminal work, Diffie and Hellman [DH76] gave the foundations for public-key cryptography. In
particular, they introduced one-way functions (OWF) and trapdoor OWF. Informally, a family of functions
is one way if a function $f_k$ chosen from this family is easy to compute on any input but hard to invert on
the average. Such a family is a family of trapdoor OWF if in addition the key-generation algorithm produces
a trapdoor information $t = t(k)$ that allows its holder to invert the function $f_k$. One-way permutations
and trapdoor one-way permutations are defined in the same way (for families of permutations). Diffie and
Hellman also introduced the notion of key-agreement (KA) and provided the famous Diffie-Hellman KA
protocol. Informally, a KA is a protocol that allows two parties, Alice and Bob, to agree on a secret key in
the presence of a polynomial-time (passive) eavesdropper (the key should be indistinguishable from random
to such an eavesdropper).
³ In fact, the recent separation of [IR00, KSS00] between one-way functions and permutations implies that the situation is
not even completely simple in the "private" world.
Goldwasser and Micali [GM84] introduced the notion of semantically secure encryption schemes. Informally,
these are encryption schemes such that any information on the message $m$ that can be efficiently
computed from its encryption $c = E(m)$ can also be efficiently computed without access to $c$. In this paper,
the term public-key encryption (PKE) refers to semantically secure schemes. Goldwasser and Micali [GM84]
also defined trapdoor predicates and showed their equivalence to semantically secure encryption schemes.
Informally, trapdoor predicates are families of probabilistic functions over $\{0,1\}$ such that: (1) Given a key
$k$ it is easy to sample the output of the corresponding function $p_k$ on either 0 or 1 but hard to distinguish
these two distributions. (2) Given the trapdoor information $t = t(k)$, it is easy to distinguish an output on
0 from an output on 1. Yao [Yao82] showed that trapdoor permutations imply trapdoor predicates.
Recently, Bellare et al. [BHSV98] showed that one-way functions imply trapdoor one-way functions (with
super-polynomial pre-image size). In addition, they showed that trapdoor one-way functions with polynomial
pre-image size imply trapdoor predicates. These results imply that in some sense, trapdoor one-way functions
are interesting if and only if their pre-image size is polynomial (indeed, most works in cryptography focus on
trapdoor permutations). Finally, they showed that trapdoor predicates imply injective trapdoor functions in
the random oracle model.
Oblivious transfer has several equivalent formulations [Rab81, CK88, EGL85, Cre87, BCR86, CS91]. The
version used in this paper is that of one-out-of-two oblivious transfer ($\binom{2}{1}$-OT). Informally, a $\binom{2}{1}$-OT is a
protocol between two parties Alice and Bob where Alice has as input two secret strings $s_0$ and $s_1$ and Bob
has a secret bit $b$. If both parties follow the protocol, Bob learns the secret $s_b$ whereas Alice learns nothing.
In addition, even a cheating (polynomial-time) Bob (i.e. one that deviates from the protocol in an arbitrary
way) cannot learn more than a single value in $\{s_0, s_1\}$ and even a cheating Alice does not learn anything
during the run of the protocol. A somewhat weaker notion than OT is that of OT secure against honest but
curious parties (also known as semi-honest parties). In this case, even cheating parties are assumed to follow
the protocol with the following exceptions: (1) They keep track of all intermediate data during the run of
the protocol. (2) After the last pass is completed, they may perform any (efficient) computation in order to
extract additional information from their records. Using zero-knowledge proofs any honest OT protocol can
be transformed into a general (malicious) OT protocol.
Oblivious transfer implies KA [Rab81, Blu83], signing contracts [EGL85], and in general any secure
multi-party function evaluation [Yao86, Kil88, GMW87]. Even et al. [EGL85] showed how to construct OT
from PKE that has the additional property that the distribution of cipher texts is "independent" of the
encryption key (for two different keys, the corresponding distributions on cipher texts are indistinguishable).
As a consequence, trapdoor permutations imply OT (see [Gol98]). Finally, several types of secure function
evaluation in various models have been shown to imply OT [Kil91, KKMO00, BMM99, Kil00].
1.2 Our Results
We make significant progress in understanding both directions of the relationship between OT and PKE, as
well as the relationships among these and KA, trapdoor permutations and functions. Specifically, the main
questions we address are the following:
QUESTION 1: Does OT imply PKE?
In the specific case in which the oblivious transfer protocol consists of only one round (i.e. one message from
Bob to Alice and one from Alice to Bob) we show:
Theorem 1. One round OT even for honest parties implies PKE.
In the general case (when the oblivious transfer protocol consists of any number of rounds) we show:
Theorem 2. There is an oracle relative to which there exists multi-round OT (malicious) and no PKE.
QUESTION 2: Does PKE imply OT?
We first generalize the result of [EGL85] by considering PKE that satisfies one of the following two properties:
Property A: Public keys can be sampled "separately of private keys" (i.e. while preserving the semantic
security of the encryption).
Property B: Cipher texts can be sampled "separately of plain texts" (i.e. without gaining knowledge
on the corresponding plain text).
Theorem 3. PKE with properties A or B implies OT.
We note that Properties A and B are both natural and have a similar flavor. Furthermore, as we show
later, property B is implied by the property on PKE assumed by [EGL85]. Therefore, Theorem 3 strengthens
the result of [EGL85]. In fact, our proof of the theorem was inspired by [EGL85].
In the general case, when the PKE does not have special properties, we show:
Theorem 4. There is an oracle relative to which there exists PKE and no OT (even for honest parties).
QUESTION 3: What is the Relationship Between OT and KA?
Generalizing Theorem 1, we obtain:
Theorem 5. For every $k$, $k$-pass OT for honest parties implies $k$-pass KA.
Extending Theorem 2, we obtain:
Theorem 6. For every $k \geq 2$ there is an oracle relative to which there exists $k$-pass OT (malicious or honest)
and no $(k-1)$-pass KA.
As an immediate (but interesting) corollary of Theorem 4, we get:
Corollary 7. There is an oracle relative to which there exists KA and no OT (even for honest parties).
QUESTION 4: Do PKE and OT Imply Trapdoor Permutations?
Since trapdoor permutations imply both PKE and OT we obtain the following direct corollaries of our
results:
Corollary 8. There is an oracle relative to which there exists PKE but no trapdoor permutations.
Corollary 9. There is an oracle relative to which there exists OT but no trapdoor permutations.
In fact, given the result of [BHSV98] we can strengthen this corollary and obtain:
Corollary 10. There is an oracle relative to which there exists OT but no trapdoor functions with polynomial
pre-image size.
Finally, an interesting and important generalization of Theorem 4 is the following result.
Theorem 11. There is an oracle relative to which there exist injective trapdoor functions and no OT (even
for honest parties).
Therefore, even a very minor weakening of trapdoor permutations does not seem to be enough as a building
block for OT.
Some Remarks on Our Results
We note that in all our results, PKE may be replaced by trapdoor predicates, as these are equivalent [GM84].
Furthermore, since any two-party function that cannot be computed information-theoretically is equivalent
to OT (in the malicious model) [BMM99], OT may be replaced by any such function (e.g., OR).
We have stated all negative results in terms of oracle separations. These imply that there are no
black-box reductions between the corresponding primitives. As discussed in Section 2.2, there are two standard
types of black-box reductions (one a weakening of the other). We note that a more careful statement of our
results can be shown to apply to both these types (see Section 2.2 for more details).
As discussed above, the importance of black-box separations lies in the fact that almost all cryptographic
reductions are black-box. Another motivation is that these are the only type of reduction possible when the
assumption is physical, e.g. an OT channel which transmits bits with probability half. Nevertheless, it is
important to note that such results have their limitations: some reductions used in cryptography are not
black-box. An important (and almost single) example of a non black-box reduction is the proof that "all of
NP has zero knowledge proofs" [GMW91] (see [IR89] for a more detailed discussion of oracle separations in
cryptography). In our case, it is particularly important to notice that the known reduction of (malicious)
OT to honest OT (the scenario where Alice and Bob are honest but curious) is also not black-box (since it
relies on zero-knowledge proofs). This is exactly the reason that in each one of the theorems we use honest
OT or malicious OT so as to strengthen the result. For example, Theorem 1 gives a stronger result when stated
for honest OT than when stated for malicious OT (since OT for malicious players trivially implies OT for
honest but curious players). However, in Theorem 2 we show a negative result. Therefore it is stronger when
stated for malicious OT since even when the OT is strong enough to resist malicious players, it does not
imply PKE.
The main importance of the partial implications given in Theorems 1 and 3 is that they complement the
separations of Theorems 2 and 4. Nevertheless, Theorem 1 that deals with one-round OT became somewhat
more interesting on its own given the recent proposals of one round OT (even for malicious parties) based
on the decisional Diffie-Hellman assumption (and other homomorphic encryption schemes) [AIR00, Nao00],
and PKE with Property A (as we show below).
We stress that all of our separations are proven in the uniform model (as is the case in [IR89, Rud91]).
In other words, all adversaries are assumed to be probabilistic polynomial-time machines rather than
polynomial-size circuits. We see no reason why these separations would not apply to the non-uniform
model. However, we note that proofs in the non-uniform model seem substantially harder (see e.g. [GT00]).
Some More Oracle Separations.
The Impagliazzo and Rudich methodology was first applied in [IR89, Rud91] to separate OWF from KA
and to separate KA in k passes from KA in k + 1 passes, for any k. These results have several interesting
corollaries as described in the introduction. In [Sim98], Simon gives an oracle separation between OWF
and collision intractable functions. Kim, Simon and Tetali [KST99] extend the work of [IR89] and use
oracle separations as a means to study the efficiency of black-box constructions (rather than their existence).
In particular [KST99] show limits on the efficiency of black-box constructions of universal one-way hash
functions based on one-way permutations. These bounds are improved by Gennaro and Trevisan [GT00]
who also give bounds on the efficiency of black-box constructions of pseudo-random generators based on
one-way permutations. In both cases the bounds are tight (in that they match the efficiency of known
constructions). Finally, Impagliazzo and Rudich [IR00] use a result of Kahn, Saks and Smyth [KSS00] to
give a black-box separation between OWF and one-way permutations.
Outline
In Section 2 we provide some details on black-box reductions and the oracle separation paradigm. We also
give definitions and notation. In Section 3 we describe partial implications between primitives, in Section 4
we prove that OT does not imply PKE under black-box reductions, and in Section 5 we prove that PKE
does not imply OT under black-box reductions. Finally, in Section 6 we prove our extensions regarding
relationships with KA and trapdoor functions.
2 Preliminaries
2.1 Notation and Definitions
In this section we give some additional details on the definitions of the primitives and protocols that are the
focus of this paper (these primitives were already described in the introduction). Our definitions here are
rather informal. For a more formal treatment, the reader is referred to [Gol98] and references therein.
Notation and Conventions
We will abbreviate probabilistic polynomial time Turing Machine with the notation PPTM. An oracle PPTM
is a PPTM that has access to a given oracle, such that in one time step it may receive the answer to a single
query to the oracle. When discussing a primitive or a protocol relative to an oracle , we assume that all the
machines that are involved (including adversaries that try to break the primitive) are in fact oracle machines
with access to the same fixed oracle . We will sometimes refer to an oracle PPTM as simply a PPTM, as
appropriate by the context.
We use the notation poly() to refer to some polynomially bounded function and neg() to refer to some
function that is smaller than 1/p() for any polynomial p() (for all sufficiently large inputs).
Public-Key Encryption
A public-key encryption scheme consists of three probabilistic polynomial time algorithms $(G, E, D)$ such
that (for simplicity we fix $\ell$ to be both the security parameter and input length):
• $G$ is the algorithm for generating keys. Given $1^\ell$ as input, $G$ outputs the pair $(pk, sk)$ of public key
and secret key s.t. $|pk| = |sk| = \mathrm{poly}(\ell)$.
• $E$ and $D$ are the encryption and decryption algorithms. For every message $m$ of length $\ell$, for every pair
$(pk, sk)$ generated by $G$ on input $1^\ell$, and all possible coin tosses of $E$, it should hold that
$D_{sk}(E_{pk}(m)) = m$.
Intuitively, a public-key encryption scheme is semantically secure [GM84] if anything that can be computed
on the plain text $m$ given the cipher text $c = E_{pk}(m)$ can also be computed without access to $c$. More
formally, $(G, E, D)$ is semantically secure (against a chosen plain text attack), if for every PPTM $A$ (the
adversary that tries to extract information from the cipher text) there exists another PPTM $A'$ such that
for every efficiently samplable distribution $\mathcal{D}$ on plain texts, for every efficient a priori information function
$h$, and every predicate $T$ (the information $A$ tries to gain)
$$\Pr\big(A(E_{pk}(m), pk, h(m), 1^\ell) = T(m)\big) < \Pr\big(A'(h(m), 1^\ell) = T(m)\big) + \mathrm{neg}(\ell)$$
where $(pk, sk) = G(1^\ell)$ and $m$ is a message (of length $\ell$) sampled from $\mathcal{D}$.
Two-Party Protocols
A two-party protocol is a probabilistic process where two parties, Alice and Bob, exchange messages in
turns. Each message sent by a party is a function of its input, its random string and previous messages
exchanged by the parties during the run of the protocol. A two-party protocol is defined by these round
functions. A protocol is efficient if the round functions can be computed in probabilistic polynomial time. A
pass of the protocol consists of a single message sent from one party to the other. Therefore, each run of the
protocol consists of the two parties alternating passes. A round of the protocol consists of two passes.
A protocol is called k-rounds (resp. k-passes) if every run of the protocol consists of exactly k rounds (resp.
k passes). The output of each party is computed after its last pass. In this paper, we shall denote a k-pass
protocol by k-protocol; so, k-KA refers to a k-pass Key Agreement protocol, while k-OT refers to a k-pass
Oblivious Transfer protocol.
The sequence of all messages that are exchanged during a run is called the conversation. The view of each
party consists of its input, random string, and the conversation. In case the protocol is performed between
oracle machines, the view of each party also includes all the (query, answer) pairs asked by that party during
the run.
Key Agreement
A key agreement protocol is an efficient protocol between two parties Alice and Bob. The input of both
Alice and Bob is the security parameter $\ell$ written in unary. The outputs of both Alice and Bob are $k$-bit
strings (for some $k = \mathrm{poly}(\ell)$). If both output strings are the same, Alice and Bob are said to agree on a
secret. In this case, the common output is called the key. A secure key agreement protocol (KA) is such that
• Correctness: Alice and Bob agree with probability 1 (when they follow the protocol).
• Secrecy: No PPTM Eve (the passive eavesdropper), that is only given $\ell$ and the conversation between
Alice and Bob, can distinguish with non-negligible advantage the key from a uniformly distributed
$k$-bit string.
Oblivious Transfer
Oblivious transfer (OT) has several equivalent flavors. The one we use here is $\binom{2}{1}$-OT and we refer to it as
simply OT. An OT protocol is an efficient protocol between two parties Alice and Bob. The inputs of both
Alice and Bob include the security parameter $\ell$ written in unary. In addition, Bob has the bit $b$, and Alice
has as input two $k$-bit strings $s_0$ and $s_1$ (where $k = \mathrm{poly}(\ell)$).⁴ The protocol is correct if when Alice and Bob
follow the protocol, Bob outputs the string $s_b$ with probability 1; note that in OT Alice does not output
anything.
We define the security of the protocol like in secure function evaluation. In other words, the security of
the protocol is compared to the security in an ideal model, where a trusted party Carol receives the secrets
from Alice and Bob's bit, and sends $s_b$ to Bob. The protocol is secure if a cheating Alice (resp. Bob) running
the protocol can be simulated by a cheating Alice (resp. Bob) in the ideal world. In more detail:
• The view of any cheating Alice can be efficiently simulated by an algorithm that only has access to $\ell$
and to Alice's input (i.e. the strings $s_0$ and $s_1$ and any additional a priori information). This means
that the output of this machine is indistinguishable from the view of the cheating Alice.
• The view of any cheating Bob can be efficiently simulated by an algorithm that only has access to $\ell$,
to Bob's input and to any single value in $\{s_0, s_1\}$ of its choice.
The definition of an OT protocol secure against honest but curious parties is as above with the simplifying
assumption that even the cheating parties follow the protocol (i.e. send the correct messages specified by
the protocol). Notice that the view of each party includes all the information that the party had access to
during the run of the protocol. One can therefore think of an honest but curious party as one that follows
the protocol with the following restrictions: (1) It does not erase any intermediate data during the run of the
protocol. (2) After the last pass is completed, it may perform any (efficient) computation in order to extract
additional information from its records (including oracle access if this is an oracle machine). We sometimes
refer to such a protocol as an honest OT, and to the general OT protocol as malicious OT.
2.2 Black-Box Reductions.
The notion of a black-box reduction is somewhat confusing, as there are two different types commonly
referred to as black box. We will call these types fully black-box reductions and semi black-box reductions.⁵
A semi black-box reduction of a primitive P to a primitive Q is a construction of P out of Q that ignores
the internal structure of Q (both in the construction itself and in its proof of correctness). Somewhat
more formally, this is a construction of a polynomial time oracle machine $M$ such that $M^C$ implements the
primitive P whenever $C$ implements the primitive Q. Namely, Q is given in the construction as a black box
rather than, say, as the description of an algorithm that implements it. In addition, the proof of correctness
is also limited to a black-box access to Q. This means that for any polynomial-time oracle machine $A_P$,
there exists a polynomial-time oracle machine $A_Q$ such that, if $A_P$ with access to $C$ breaks $M^C$ (as an
implementation of P), then $A_Q$ with access to $C$ breaks $C$ itself (as an implementation of Q). Note that $A_Q$
may use the internal structure of $A_P$ (only $C$ is given as a black box). A fully black-box reduction between
P and Q is a semi black-box reduction, where in addition the proof is black box in a stronger sense: There
is a polynomial time adversary $A_Q$ which, given oracle access to any adversary $A_P$ that breaks $M^C$ (as an
implementation of P), manages to break $C$ (as an implementation of Q). Note that this kind of black-box
argument is more restricted than the one allowed in semi black-box reductions. In this paper, by black-box
reduction we refer to a fully black-box reduction.
⁴ Sometimes OT is defined where $s_0$ and $s_1$ are bits rather than strings. Using the stronger definition (with strings) does not
affect our results since in the honest but curious model an OT protocol for bits can easily be transformed into an OT protocol
for strings (and the transformation does not increase the number of rounds).
⁵ [IR89] refer to these as black-box reduction, and black-box construction, respectively. A fully black-box reduction is also
known as a relativizing reduction.
The Oracle Separation Paradigm. Let P, Q be two cryptographic primitives. To separate P and Q
with respect to black-box reductions it is enough to construct an oracle such that relative to the
primitive Q exists whereas P does not. This in itself is enough to conclude that there are no fully black-box
reductions from P to Q. In fact, Impagliazzo and Rudich [IR89] suggested a more powerful methodology
which we follow in all of our separations. In [IR89], is constructed as a combination of an oracle O and
a PSPACE complete oracle. Relative to the PSPACE complete oracle, P=NP. Therefore in some sense, all
of the computational hardness relative to comes from the oracle O. The steps for separating P and Q are
the following. First, prove that there is an implementation of the primitive Q using only O, which is secure
with respect to . That is, the implementation uses polynomial time and polynomial number of queries to
O only, but its security is proven with respect to polynomial time adversaries which have access both to
O and to the PSPACE complete oracle in . Second, prove that if P = NP then relative to O there is no
secure implementation of the primitive P. The proof should extend (given the implications of the PSPACE
complete oracle) to showing that relative to , there is no secure implementation of the primitive P. The
implication of such a construction can be interpreted in two ways:
• As before, there are no fully black-box reductions from P to Q. But in addition:
• $P = NP \Rightarrow$ There are no semi black-box reductions from P to Q. Equivalently, providing such a semi
black-box reduction is as hard as proving $P \neq NP$.
All our separation results follow this paradigm, and so the above two conclusions apply in all of them (we
usually use the first formulation, but all our results can also be stated as the second). We will sometimes
loosely say that Q does not imply P, meaning that there is a separating under black-box reductions, as in
the above paradigm.
3 Partial Implications
The main result of this paper is that PKE and OT are incomparable under black-box reductions.
Nevertheless, we start by showing that PKE (resp. OT) with some special properties does imply the existence of
(full-fledged) OT (resp. PKE). In addition, we present a "pass-preserving" reduction from OT to KA. These
partial implications serve two purposes. First, they show tightness of our separations (that are presented
in Sections 4 and 5). Second, from a pedagogical standpoint, it is useful to understand the limitations of
standard reductions between primitives as a first step in their separations.
3.1 Equivalence of PKE and 2-KA
We will now review known reductions between PKE and 2-KA that demonstrate their equivalence. This equivalence is used throughout the paper; when trying to construct PKE from some primitive, we might instead construct 2-KA, or vice versa.
Recall that 2-KA is a 2-pass KA protocol between two parties Alice and Bob. Let r be the random string of Alice and s the random string of Bob. Any 2-KA protocol has the following general structure:
Alice                                                Bob
r                                                    s
                      ←   f1(s)
                      f2(r, f1(s))   →
z = R'(r, f1(s))                                     z = R(s, f2(r, f1(s)))
In the above protocol, f1, f2, R, and R' are some efficient algorithms, and z is the key which Alice and Bob agree upon. Finally, recall that the protocol is secure if no efficient eavesdropper Eve that is given the communication ⟨f1(s), f2(r, f1(s))⟩ as input is able to distinguish between the key z and a uniformly distributed k-bit string with non-negligible advantage.
Given this 2-KA protocol, we can define the three probabilistic algorithms of the PKE scheme (i.e. the generator (G), encryption (E), and decryption (D)), as follows:
G: pk = f1(s), sk = s.
E: E_pk(m, r) = ⟨f2(r, pk), R'(r, pk) ⊕ m⟩.
D: D_sk( 1, 2) = R(sk, 1) ⊕ 2.
The correctness of E and D, as encryption and decryption algorithms, follows from the fact that Alice and Bob agree on the key in the 2-KA protocol. The semantic security of the scheme is a simple consequence of the secrecy of the KA protocol.
Constructing a 2-KA protocol from a PKE scheme is straightforward. In the first pass, Bob sends to Alice his public key, pk. In the next pass, Alice selects the key z and sends its encryption, E_pk(z, r). Bob can then compute the secret using the decryption algorithm D_sk, where sk is his secret key. The correctness and secrecy of the protocol follow from that of the PKE scheme.
Finally, we note that for k > 2, there are no black-box constructions of PKE out of k-KA (since Rudich [Rud91] gave a black-box separation between k-KA and (k − 1)-KA, and since PKE is equivalent to 2-KA).
3.2 Pass-preserving Reduction of KA to OT
That OT implies KA was part of folklore. However, the construction we explicitly present here is pass-preserving. Hence k-OT implies k-KA, and as a consequence 2-OT (or 1-round OT) implies PKE. In Sections 4 and 6, we show that it is not possible to reduce the number of passes when constructing KA from OT. More formally, there are no black-box constructions of (k − 1)-KA out of k-OT. This result also shows that, in general, OT does not imply PKE.
It is intuitive that an OT may imply a KA. After all, an OT allows Alice to send one of her two secrets, s0 or s1, to Bob and such a secret can serve as the key. The protocol used below follows this intuition: Alice sends s0 to Bob and they agree on it as their key. The correctness of the protocol is immediate. A more subtle point is to show that s0 remains secret even when the OT protocol is performed with Bob's input fixed to zero.
Theorem 5 For every k, k-OT for honest parties implies k-KA.
Proof: The KA protocol between A and B is the following: A selects two random k-bit strings s0 and s1. A and B then simulate Alice and Bob, respectively, in an OT protocol. The inputs of Alice in the OT are s0 and s1 whereas the input b of Bob is set to 0. Finally, A outputs s0 and B outputs the value Bob received in the OT protocol. By the correctness of the OT protocol, Alice and Bob agree with probability one. It is also immediate that the KA has exactly the same number of passes as the OT.
To complete the proof it is enough to show that if the KA is not secure, then neither is the OT. Assume that the KA protocol is indeed not secure. This means that there exists an efficient eavesdropper E that, given the communication between A and B, distinguishes s0 from a uniformly distributed string. There are two possible scenarios: (1) E distinguishes s0 from random even when Bob's input, b, is set to 1 (instead of 0). (2) When Bob's input is set to 1, E has at most a negligible advantage in distinguishing s0 from random. In each one of the cases, E can be used to break the OT. More specifically, in each case one of the (honest but curious) parties can use E to learn more than they should. In the first case, the view of an honest Bob with input 1 gives s1 (with probability one) but also gives information on s0 (namely, the ability to distinguish it from random). In the second case, the view of an honest Alice gives a way to guess the value of b with non-negligible advantage over 1/2. The prediction essentially goes as follows: If E distinguishes s0 from random (given the communication between Alice and Bob) guess "b = 0". Otherwise, guess "b = 1". Testing which is the case can be done given s0 itself (which is also part of the view of the honest Alice). □
Note that, although Theorem 5 is stated for honest OT, it also applies to malicious OT (as an immediate consequence).
3.3 Special Cases of PKE that imply OT
In Section 3.2 we showed that k-OT implies k-KA. It is therefore natural to explore the converse direction, i.e., does k-KA imply k-OT? In Section 5, we show that the answer is no. In fact, even 2-KA does not imply OT (with any polynomial number of rounds). Yet, in this section, we show that if a KA has some special properties then it is possible to construct OT from it. We then translate the special properties of the KA to special properties of PKE that are sufficient for the construction of OT.
Our starting point is the constructions in [EGL85, Gol98] of OT based on PKE with additional properties (or trapdoor permutations). We offer constructions based on weaker properties. To this end, we first abstract and generalize their constructions, viewing them in terms of KA (rather than PKE).
Suppose Alice has a single secret s that she wants to send to Bob in the presence of an eavesdropper. Alice and Bob can perform a KA protocol. At the last pass Alice can also send z ⊕ s, where z is the key they agree upon. This allows Bob to compute s while an eavesdropper learns nothing about s. In an OT protocol, however, Alice has two secrets s0 and s1, Bob wants to learn s_b and Alice should not learn b. Finally, Bob should not learn more than one secret. If we ignore this last requirement, then Alice can just send both s0 and s1 to Bob using two parallel executions of the KA protocol. Surprisingly, in some cases this simple (and silly) protocol can be transformed into an OT protocol for honest parties. The idea is simple: the only change that is needed is that in the execution of the KA that corresponds to s_{1−b} Bob should "fake" his role. Namely, he only acts as if he is trying to agree on a key, where in fact he learns nothing about the key that Alice outputs for that execution. More specifically, the properties needed from these fake runs are the following:
1. Alice should not be able to distinguish a fake run from a real run. Therefore, the view of Alice can be simulated by performing two real (or fake) runs of the KA protocol.
2. In a fake run, Bob cannot distinguish the key Alice outputs from random. Therefore, it is enough to simulate the view of Bob when instead of sending s_{1−b}, Alice sends a random string. Such a view can be easily simulated (given the string s_b that is available to the simulator).
We now define two properties for PKE, such that if a PKE satisfies one of these properties, then a corresponding KA protocol is fakeable. This will imply that honest-OT can be based on a PKE with one of these properties.
A: One can efficiently select a string pk with a distribution which is indistinguishable from that of a public key generated by G, while preserving the semantic security of the encryption E_pk. Namely, even the algorithm that selects pk does not learn anything on a message m from E_pk(m).⁶
B: For any public key pk, one can efficiently select a string which is indistinguishable from a random encryption of a randomly chosen message m, without having information on the decryption D_sk( ) (i.e., D_sk( ) is pseudo-random even to the algorithm that selects ).
Proposition 12 PKE having property A implies (2-pass) OT for honest parties.
Proof: The fakeable KA protocol looks as follows:
Alice                                         Bob
                                              Run G to select (pk, sk)
                    ←   pk
Select z
                    E_pk(z)   →
                                              z = D_sk(E_pk(z))
⁶ In particular, the semantic security requirement implies that the selecting algorithm cannot just run G, ignore sk and output pk. Similarly, for property B the selecting algorithm cannot simply encrypt a random message and output the resulting ciphertext.
To fake this protocol, Bob selects pk using the method guaranteed by property A (instead of running G). In this case, Bob learns nothing about the key z (which is sent encrypted), because of the semantic security in property A. Nevertheless, since pk has an indistinguishable distribution from that obtained by selecting it using G, we get that the fake run is indistinguishable from a real run (even to Alice).
By the reduction described above, we can obtain a 1-round honest OT protocol from this fakeable KA protocol (using parallel executions of a real KA and a fake one). We note that this OT protocol was independently found by [Bei]. □
Proposition 13 PKE with property B implies (3-pass) OT for honest parties.
Proof: The fakeable KA protocol looks as follows:
Alice
G: (pk, sk)
Bob
pk
→
= E_pk(r)
Select z
z D_sk( )
=
→
Select r
z = r
To fake this protocol, Bob selects using the method guaranteed by property B (instead of applying E_pk to r). In this case, Bob learns nothing since D_sk( ) is indistinguishable to Bob from random. Nevertheless, since is a pseudo-random ciphertext, the fake run is indistinguishable from a real run (even to Alice).
By the reduction described above, we can obtain a 3-pass honest OT protocol from this fakeable KA protocol. □
Propositions 12 and 13, together, complete the proof of Theorem 3.
Discussion of the Properties. These properties are convenient abstractions of properties shared by well-known cryptosystems. For example, property A is true for El Gamal Encryption (corresponding to Diffie-Hellman KA): A public key p, g, y (where y = g^x for the secret key x) can be sampled with identical distribution to that produced by the generating algorithm, since g^x is a permutation and therefore y can be selected at random. This is semantically secure if the PKE itself is semantically secure (i.e., under the decision DH assumption). Property B is true for many PKEs since in many cases a ciphertext is uniformly distributed on some easily samplable set. One example is the general construction of PKE based on any trapdoor permutation [Yao82, GM84] (where a random ciphertext is a uniform string plus a uniform element from the domain of the permutation).
As mentioned above, the methodology of our constructions (using fakeable KA) is based on generalizing constructions of [EGL85]. There, OT was constructed based on PKE with the property that the distribution of ciphertexts is essentially the same for any public key. This is a special case of our property B (and thus a stronger restriction). Finally, we note that similar properties were recently defined by [DN00], for different purposes. They call these properties oblivious public-key generation and oblivious ciphertext generation.
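Proposition 12 instantiated with El Gamal, as an added example that is not code from the paper: Bob publishes one real public key and one sampled obliviously as in property A, and Alice runs the 2-pass KA once per key and sends each secret concealed under that run's key. The toy group (P, Q, G), sampling by squaring into a prime-order subgroup, the SHA-256 pad standing in for the paper's XOR with z, and all function names are assumptions of this example.

```python
import hashlib
import secrets

# Constructed toy group (far too small for real use): P = 2Q + 1 is a safe prime
# and G = 4 generates the order-Q subgroup of quadratic residues mod P.
P, Q, G = 2039, 1019, 4


def keygen():
    """Real El Gamal key generation: returns (pk, sk) with pk = G^sk mod P."""
    sk = secrets.randbelow(Q - 1) + 1                 # sk in [1, Q-1]
    return pow(G, sk, P), sk


def oblivious_pk():
    """Property A: sample a public key without learning its secret key.

    Squaring a random element of Z_P* lands uniformly in the subgroup generated
    by G, the same distribution keygen() produces, but no discrete log is known.
    """
    while True:
        y = pow(secrets.randbelow(P - 2) + 2, 2, P)   # square of u in [2, P-1]
        if y != 1:                                    # keygen() never outputs 1
            return y


def encrypt(pk, z):
    """El Gamal encryption of the key z under pk."""
    r = secrets.randbelow(Q - 1) + 1
    return pow(G, r, P), (z * pow(pk, r, P)) % P


def decrypt(sk, ct):
    c1, c2 = ct
    return (c2 * pow(c1, Q - sk, P)) % P              # c1^(-sk): c1 has order Q


def mask(z, secret):
    """Conceal (or reveal) `secret` under key z. Hashing z to a pad is this
    example's stand-in for z XOR s, because z here is a group element."""
    pad = hashlib.sha256(z.to_bytes((P.bit_length() + 7) // 8, "big")).digest()
    if len(secret) > len(pad):
        raise ValueError("secret longer than 32 bytes")
    return bytes(a ^ b for a, b in zip(secret, pad))


def bob_round1(b):
    """Receiver: real key in slot b, obliviously sampled (fake) key in slot 1-b."""
    pk, sk = keygen()
    pks = [None, None]
    pks[b], pks[1 - b] = pk, oblivious_pk()
    return pks, sk


def alice_round2(pks, s0, s1):
    """Sender: one KA run per slot (encrypt a fresh key z_i), plus s_i masked by z_i."""
    msgs = []
    for pk, s in zip(pks, (s0, s1)):
        z = pow(G, secrets.randbelow(Q - 1) + 1, P)   # fresh key for this run
        msgs.append((encrypt(pk, z), mask(z, s)))
    return msgs


def bob_output(b, sk, msgs):
    """Receiver recovers the key of the real run only and unmasks s_b."""
    ct, masked = msgs[b]
    return mask(decrypt(sk, ct), masked)


def honest_ot(s0, s1, b):
    """Full 2-pass run for honest parties; returns Bob's output and Alice's view."""
    pks, sk = bob_round1(b)
    return bob_output(b, sk, alice_round2(pks, s0, s1)), pks
```

Both keys in Alice's view are non-identity elements of the same subgroup, so her view does not depend on b; a Bob who deviates and generates two real keys learns both secrets, which is why the protocol is for honest parties only.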
4 OT Does Not Imply PKE
In this section we construct an oracle 3 relative to which there is 3-OT, but no 2-KA (thus, no PKE). This can be extended (as we argue in Section 6) to show that for every k 3 there is an oracle k relative to which there is k-OT but no (k − 1)-KA. Note that this tightly matches our positive result of Section 3.2, where we showed that k-OT does imply k-KA.
The oracle 3 is defined as follows.
Three uniformly distributed, length-tripling functions f1(·,·), f2(·,·), and f3(·,·,·). We restrict f3 to be injective.
A function R satisfying R(w, ) = z whenever = f3(z, r, f2(w, f1(z, r))) for some |z| = |r| = |w| (we call such pairs (w, ) valid), and random everywhere else. That is, when (w, ) is not a valid pair, R(w, ) returns a random value of size |w|. Note that R is well defined, since f3 is injective.
A PSPACE-complete oracle.
Note that we can essentially ignore the restriction that f3 is injective since, with probability 1, a random length-tripling function is injective for sufficiently long inputs.
In Section 4.1 we will first show that relative to 3, 3-KA is possible. We will then observe that this KA is in fact "fakeable" in the sense discussed in Section 3.3. We will thus conclude that relative to this oracle, 3-pass honest OT is possible. Finally, we will show how this honest OT protocol may be modified to yield a 3-OT for malicious parties. In Section 4.2 we will show that relative to this oracle, 2-KA is not possible (thus PKE is not possible). The proof of impossibility follows the arguments of Rudich [Rud91], who showed another oracle relative to which 2-KA is not possible, but 3-KA is.⁷
4.1 3-OT Using the Oracle
3-KA protocol
The following is a 3-KA protocol using 3:
Alice                                              Bob
Select z, r
                    1 = f1(z, r)   →
                                                   Select w
                    ←   2 = f2(w, 1)
                    3 = f3(z, r, 2)   →
Output z                                           Output R(w, 3)
The correctness of the protocol follows from the definition of R, which implies that Bob's output R(w, 3) = R(w, f3(z, r, f2(w, f1(z, r)))) = z is the same as Alice's output. To show the secrecy of the protocol, we need to show that given the conversation, z is indistinguishable from a uniformly chosen string. If R was not part of the oracle, proving this is standard using the fact that the functions are random. It can be shown that this remains true even in the presence of R, since, by the fact that the functions are length tripling, it is hard to sample elements from their range without actually applying the function, and so no "useful" application of R is possible based on the conversation alone. The argument is similar to ones used by [IR89, Rud91] and in our Section 5, and is omitted here.
3-OT for honest parties
Observe that the 3-KA protocol presented above is in fact fakeable: Bob in his turn can select a random 2 of an appropriate length, and since f2 is a random function, this fake 2 is indistinguishable to Alice from one generated by applying f2(w, 1) for some w. On the other hand, without a w such that 2 = f2(w, 1), Bob cannot distinguish z from random (and indeed such a w not only is hard to find, but it is likely to not even exist).
Since the 3-KA is fakeable, a 3-OT for honest parties is possible, as described in Section 3.3, by executing in parallel a real and a fake run of KA, where Alice also sends her secrets concealed with keys agreed upon in the two executions.
General (malicious) 3-OT
The 3-OT described above is only secure for honest parties, since it relies on honest Bob faking one of the parallel KA executions (and not using two real runs). However, relying on the properties of our oracle functions, we are able to construct a malicious 3-OT protocol. In fact, this 3-OT will be even simpler than the one for honest parties.
⁷ An alternative proof of our result that 3-OT does not imply 2-KA may use a very similar oracle to the one used by [Rud91], with a small (but essential) modification which allows for a 3-OT protocol (and not only 3-KA). We prefer the alternative presented here, since it seems to capture 3-KA in a very general and natural way, containing a function for each pass, and a function for the reconstruction.
The protocol is based on the same idea of executing two parallel runs of KA, but this time Bob (even when malicious) is forced to run at most one real KA run, while the other run must be fake. This is done by letting Bob choose 2 for only one of the runs, while for the other run 2 will be such that Bob cannot find a corresponding w, and thus cannot distinguish Alice's secret from random, as argued above. To guarantee the latter, we use a simple idea: use the same 2 for both runs. More specifically, the 3-OT protocol is as follows.
Alice
input: s0, s1
Select z0, z1, r0, r1;
0
1
= f1 (s0 ; r0 );
1
1
Bob
input : b
0; 1
1 1
!
= f1 (s1 ; r1 )
f w;
2= 2(
0
3
= f3 (z0 ; r0 ; 2 );
1
3
= f3 (z1 ; r1 ; 2 );
0 ; 1 ;z
3 3 0
b)
1
Select w
s0 ;z1 s1
Output R(w; b3 ) b
The security of this protocol follows from the fact that it is hard to generate 2 that corresponds to some 1 without actually applying the function f2(w, 1) for some w, and thus it is hard for Bob, even when malicious, to find one 2 that corresponds to both 01 and 11 (moreover, such a 2 most likely does not even exist). It follows that 2 is "real" for at most one of the runs, whereas for the other run it is fake, namely Bob cannot distinguish the corresponding secret from random. Thus, Bob's view can be simulated by an efficient algorithm that may ask for a single value s_b. Simulating the view of a malicious Alice is standard, and therefore the OT protocol is secure.
0 = z0 s0; 1 = z1 s1 →
4.2 No 2-KA Relative to the Oracle
The proof that no 2-KA protocol exists relative to 3 is quite complicated, but very similar to the proof of Rudich in [Rud91], who showed that no 2-KA is possible relative to his own oracle. His arguments, in turn, rely on techniques developed by Impagliazzo and Rudich [IR89], some of which are sketched in the following Section 5. Since the proof of this part contains no new technical ideas beyond those of [Rud91], we only present a very informal intuition behind the proof. We note that some of these intuitions are further developed in Section 5.
First, it is proven in [IR89] that for an oracle containing a random function and a PSPACE-complete oracle, no KA is possible. Informally, they show that in that setting, for any protocol, an eavesdropper Eve who is given the conversation can guess "everything both Alice and Bob know in common" with non-negligible probability. Thus, if Alice and Bob agree on a secret, Eve can also guess the secret. Following the same proof, relative to our oracle 3 there is no KA protocol which never queries R (in any polynomial number of passes).
We now want to argue that R is not "useful" in any 2-pass protocol, and thus no 2-pass KA exists. It is intuitively clear that querying R on inputs (w, ) which are not of valid form is not useful, since R just outputs a random value, and we are again in a setting similar to that of [IR89]. Next, it can be shown that, if during a protocol R was queried on some valid input (w, f3(z, r, f2(w, f1(z, r)))), with very high probability it must be the case that prior to this point f1 was queried on (z, r), then f2 was queried on (w, f1(z, r)), and then f3 was queried on (z, r, f2(w, f1(z, r))).
Now, consider any 2-pass protocol, and consider the first "useful" application of R. As explained above, we may assume that with non-negligible probability, Eve knows everything that Alice and Bob know in common before R is applied. Assume (w.l.o.g.) that Alice is the party about to apply R on some valid input (w, ). Since the protocol is 2-pass and f1, f2, f3 should have been applied sequentially, it follows that one of the parties applied both f1, f2 or both f2, f3 on the corresponding inputs. In either case, at that point that party knew all of w, z, r. If this party is Alice, we may eliminate her application of R without changing the correctness or secrecy of the protocol, since she already knows the output z; thus, in this case the application of R is not useful. On the other hand, if this party is Bob, Bob knows w, z, r, and by accessing f1, f2 and f3 he can also find ; thus (w, ) is already known to both Alice and Bob, and therefore it is known to Eve with non-negligible probability, in which case Eve herself can apply R(s, ).
5 PKE Does Not Imply OT
In this section we construct an oracle PKE relative to which there is PKE, but no OT (not even honest-OT) in any polynomial number of rounds, thus proving Theorem 4. We use a natural oracle containing the functions f1, f2, R to be used for key generation, encryption, and decryption, respectively. We must, however, take some care to define these functions such that the special properties of Section 3.3, under which PKE implies OT, do not hold. Towards this end, making f1 and f2 length expanding and random will guarantee that it is hard to generate a valid public key or a valid encryption without actually applying f1 (on the secret key) or applying f2 (encrypting some message), respectively. Furthermore, providing ways to test whether a given string is a valid public key and whether a given string is a valid encryption will guarantee that it is even hard to come up with strings that "look" valid.⁸ In Section 5.2 we show that these modifications of f1, f2 and R are (not only necessary but also) sufficient in order to guarantee the impossibility of OT. The oracle PKE is thus defined as follows.
f1 is a uniformly distributed, length-tripling function.
f2 is an injective, uniformly distributed, length-tripling function on the set of its valid inputs. An input ⟨m, r, y⟩ is valid for f2 if for some x, both y = f1(x) and |x| = |m| = |r|. On any invalid input f2 outputs ⊥.
R satisfying R( , x) = m whenever = f2(m, r, f1(x)) and |m| = |r|. Otherwise, R( , x) = ⊥. R is well defined since f2 is injective.
A PSPACE-complete oracle.
We will call an input to R valid if the output on this input is not ⊥ (this is consistent with the definition of valid inputs to f2).
Note that we can essentially ignore the restriction that f2 is injective. This is because, with probability 1, a uniformly distributed length-tripling function is one-to-one on all sufficiently long inputs. Also note that f2 provides a way to test whether a given y is in the range of f1 or not, e.g., by calling f2(0⃗, 0⃗, y) and checking whether ⊥ is returned. Similarly, R provides a way to test whether a given is valid with respect to x, namely whether = f2(m, r, f1(x)) for some m, r.
5.1 PKE Using the Oracle
PKE under this oracle is straightforward: The key generation PPTM G(1^l) chooses a random s ∈_R {0,1}^l, and sets sk = s, pk = f1(s); the encryption PPTM chooses a random string r ∈_R {0,1}^l and sets E_pk(m) = f2(m, r, pk); the decryption PPTM simply calls R, namely D_sk( ) = R( , sk).
The correctness of this PKE follows directly from the definition of the oracle, and security can be proved in a standard way from the fact that f1 and f2 are random functions.
Note that this PKE protocol does not use the fact that the functions f1, f2 are "testable": The same protocol would work even if f2 and R returned a random string instead of ⊥ when their input is not valid. The testability property will be necessary for guaranteeing that no OT exists, as we show next.
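The oracle of this section as a lazily sampled simulation, added here as an example (not code from the paper): it runs the PKE of Section 5.1 and the two validity tests, and shows that a randomly chosen string is rejected both as a public key and as a ciphertext, which is what rules out properties A and B. Byte lengths, the class and function names, the name ct for the ciphertext, and treating unqueried strings as outside the range of f1 and f2 are assumptions of the example; the PSPACE-complete part is omitted.

```python
import secrets

BOT = None  # plays the role of the oracle's "invalid input" answer


class OraclePKE:
    """Lazily sampled f1, f2, R. Lengths are in bytes.

    A string that was never output by f1 (or f2) is treated as outside its
    range; for length-tripling random functions this is wrong only with
    negligible probability.
    """

    def __init__(self):
        self._f1 = {}          # x -> y
        self._range1 = set()   # all y returned so far
        self._f2 = {}          # (m, r, y) -> ct
        self._range2 = {}      # ct -> (m, r, y)

    def f1(self, x):
        if x not in self._f1:
            self._f1[x] = secrets.token_bytes(3 * len(x))
            self._range1.add(self._f1[x])
        return self._f1[x]

    def f2(self, m, r, y):
        # Valid input: y = f1(x) for some x, and |x| = |m| = |r| (|y| = 3|x|).
        if y not in self._range1 or not (len(m) == len(r) == len(y) // 3):
            return BOT
        key = (m, r, y)
        if key not in self._f2:
            while True:                                  # keep f2 injective
                ct = secrets.token_bytes(3 * (len(m) + len(r) + len(y)))
                if ct not in self._range2:
                    break
            self._f2[key], self._range2[ct] = ct, key
        return self._f2[key]

    def R(self, ct, x):
        entry = self._range2.get(ct)
        if entry is None:
            return BOT                                   # ct is not an output of f2
        m, _r, y = entry
        return m if self._f1.get(x) == y else BOT        # x must be the matching key


def G(oracle, l):
    """Key generation: sk = s, pk = f1(s). Returns (pk, sk)."""
    s = secrets.token_bytes(l)
    return oracle.f1(s), s


def E(oracle, pk, m):
    """Encryption: f2(m, r, pk) for a fresh random r with |r| = |m|."""
    return oracle.f2(m, secrets.token_bytes(len(m)), pk)


def D(oracle, sk, ct):
    """Decryption: a single call to R."""
    return oracle.R(ct, sk)


def looks_like_pk(oracle, y):
    """Validity test for public keys: f2 on all-zero m and r answers BOT iff y is invalid."""
    zeros = bytes(len(y) // 3)
    return oracle.f2(zeros, zeros, y) is not BOT


def looks_like_ct(oracle, ct, x):
    """Validity test for ciphertexts with respect to the secret key x."""
    return oracle.R(ct, x) is not BOT
```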
5.2 No OT Exists Relative to This Oracle
We prove that no OT protocol exists relative to PKE. Since our proof is technically involved, we start by providing a high level overview of the main ideas and challenges, concentrating on the intuition behind the proof. Some additional technical details follow. A complete proof is deferred to the full version.
⁸ Without such a test, choosing a random string of the appropriate length will look valid. This would mean that Properties A and B of Section 3.3 hold for the PKE and therefore an honest OT protocol is still possible.
High Level Overview
Informally, we prove that there is no honest-OT by proving that for any protocol between Alice and Bob, honest-but-curious Alice can find out "everything that Bob can learn about her". This will imply that, in particular, she can find out which of her secrets Bob can learn, thus implying that the protocol cannot be a secure OT (since either Bob can learn both secrets, or he cannot learn any secret, or Alice can find out which secret he was after).
Towards making this intuition more formal, we start by modeling the concept of "knowledge", as in [IR89, Rud91], via the queries made to the oracle (and its answers), and modeling what two parties know in common as their intersection queries, namely queries that they both made to the oracle. Further, we require that any protocol for OT take a normal form, which includes the requirement that Alice queries the oracle on her two secrets, and Bob queries the oracle on the secret he recovered. Now, we are left with proving that Alice can indeed find out all the intersection queries, and thus no OT exists, as explained above.
To see how we go about proving this, let us start by taking a closer look at the way our oracle PKE was constructed. First, the oracle contains random functions f1, f2 and a PSPACE-complete oracle. Following the proof of [IR89], if these were the only parts of the oracle, KA would not be possible. Specifically, [IR89] prove that for such an oracle there exists an "eavesdropper" PPTM Eve which with high probability, given the conversation alone, can find a polynomial length list containing all the intersection queries (and thus containing the agreed key).⁹ However, by adding R to our oracle, KA becomes possible (as shown in Section 5.1). Moreover, as discussed above, with f2 or R defined as random everywhere, OT is also possible. Therefore, a crucial part of our oracle is that f2 and R are defined on valid inputs only, thus providing a way to test whether a string is valid. Also crucial is that valid inputs are hard to guess (since f1 and f2 are length expanding and random). We will argue that these properties guarantee that OT is impossible (while still maintaining the possibility of KA, as shown by the protocol of Section 5.1).
What makes the validity tests so powerful that they prevent OT? The main idea is the following: whenever a new intersection query is created the validity tests help detect and verify it. To see that, let us consider how intersection queries are created. One kind of intersection queries are those created without the use of R. In some sense, these are not really interesting since both parties (and even an eavesdropper) are aware of such common knowledge. Therefore, we only need to care about intersection queries that are created by R. A typical example is the one obtained by the PKE of Section 5.1: One party selects x and sends y = f1(x) to the second party which selects m and r and sends = f2(m, r, y) back to the first party. The knowledge they both have in common now contains m (since the first party can compute m = R( , x)).
How can Alice detect such intersection queries? Intuitively, all she needs to do is handle two cases: (1) A new intersection query is created. Alice knows x such that m = R( , x) ≠ ⊥. If Alice did not obtain herself (by a previous query to f2) she can deduce that Bob did (since the only way to obtain a valid output of f2 is essentially by querying f2). Alice can therefore conclude that m is an intersection query. (2) A new intersection query ≠ ⊥ is created. Alice knows m, r and y such that = f2(m, r, y). If Alice did not obtain y herself (by a previous query to f1) she can deduce that Bob did (since the only way to obtain a valid output of f1 is essentially by querying f1) and he therefore knows x such that y = f1(x). Alice can therefore conclude that m is an intersection query (since Bob can compute m = R( , x)). The formal proof is of course by far more subtle. We now give some details on the proof technique.
Overview of Proof Technique
To carry out the intuitive arguments above, we would like to extend the proof techniques of [IR89] to work for our (more complex) oracle. However, it is clear that in our setting there is no Eve which can find the intersection queries from the conversation alone, since otherwise KA would not be possible. Nevertheless, we are able to use similar techniques to prove a claim appropriate for our setting. As explained above, this claim is roughly saying that (curious) Alice can find the intersection queries from her view. One subtle and important difference between our claim and the one used by [IR89], is that for us it is not enough to merely find a polynomial size list containing the intersection queries (indeed, this would be trivial for Alice, by simply outputting all her queries). Instead, for our rationale to go through and imply that no OT exists, the list output by Alice should also have the property that (curious) Bob can indeed find all the queries on the list. This is exactly where we will use the power to test for validity of a string (from the range of f1 or f2): Alice will use this power to make sure she does not add to her list queries that Bob cannot find.
⁹ We note that [IR89] work with an oracle containing a single random function, but the same proof can be extended to an oracle with two functions f1, f2 where f1 is random, and f2 is random on valid inputs of the form (m, r, f1(x)), and is ⊥ otherwise.
Putting the above intuition together, the main lemma we prove is the following.
Main Lemma (informal statement): For every OT protocol (Alice, Bob) there are PPTMs E_A, E_B (which can be thought of as the "curious" parts of Alice and Bob, respectively) such that E_A gets as input Alice's view and outputs a list L_A, E_B gets as input Bob's view and outputs a list L_B, and the following is satisfied (with good probability):
L_A contains all intersection queries.¹⁰
L_A ⊆ L_B.
That is, intuitively, anything Bob learned about Alice is on her list L_A, and anything he cannot learn (even when behaving curiously) is not on her list. Thus, if Bob learns one of her secrets but cannot learn the other one, Alice knows which is the secret he learned, and OT is not possible.
Some More Details - Repeated Sampling Paradigm
Repeated sampling is an important method, used in the definition of E_A and E_B in the proof of the main lemma. This method is adapted from [IR89]. We now give a very high level description of repeated sampling in the context of [IR89] and in the context of our proof.
Recall that the oracle world of [IR89] contains a random function f and a PSPACE-complete oracle. Let Eve be the eavesdropper that breaks the KA protocol in [IR89]. Eve maintains at each stage a polynomial size list L containing all intersection queries between the two parties up to this point. To guess the next intersection query (if one is made in the next round), Eve repeats polynomially many times the following process:
Simulation Phase: Sample an (almost) uniformly distributed run of the protocol that is consistent with the communication so far and the partial knowledge of Eve on f. We stress that any simulated query to f that was not determined so far gets a simulated answer (therefore, the probability distribution of the simulated run is also over random f's consistent with Eve's partial knowledge). Based on a result of [JVV86] it is shown in [IR89] (see their Corollary 3.2), that this sampling phase can be performed efficiently (using the PSPACE-complete oracle).
Updating Phase: All the queries of the simulation phase are now asked from the actual oracle. They are subsequently added to L.
Why does this work? Assume that in the next round Bob has a non-negligible chance of making a new intersection query. In this case, a non-negligible fraction of possible Alices already made this query, and thus by sampling them Eve has a chance to find it too. Another way of looking at this intuition is that when sampling Alice, in each execution of the process, during the simulation phase all "made-up" oracle answers are either: (1) Consistent with Bob's view of the oracle (i.e., they are not intersection queries). In this case the simulated Alice view is a possible one from Bob's point of view (thus there is nothing "hidden" that Alice and Bob both know which Eve does not); or (2) The answers are not consistent with Bob's view. In this case the simulation phase is useless, but during the update phase a new intersection query will be found, making progress towards having a "good" simulation (as in (1)).
The repeated sampling technique of [IR89] can be partially carried out to our setting. In our case E_A and E_B will use repeated sampling to maintain the lists L_A and L_B that satisfy the desired properties of the main lemma (up to the current stage). Nevertheless, the use of repeated sampling in our context is more subtle. The main difference is that letting E_A and E_B simulate runs of the protocol that are consistent with the conversation alone is not good enough. The place where the previous intuition fails with an oracle like ours (which has R as well), is that now it is possible that a made-up simulated oracle is both inconsistent with Bob's view and does not yield "progress" via an intersection query. For example, assume Alice chooses x and sends y = f1(x) to Bob, then receives = f2(m, r, y) from him, and applies R(x, ). Then in the simulation phase, a wrong x̂ will be sampled ("pretending" that f1(x̂) = y), but asking for the real value of R(x̂, ) in the update phase provides useless information. This can happen in every repetition for polynomially many times, without revealing any new intersection queries. The solution comes from the fact that E_A has access to all of (real) Alice's view, and E_B has access to (real) Bob's view. Therefore, E_A and E_B sample runs of the protocol that are consistent with both the conversation and this additional information. In the example above, Bob's view already contains m, and Alice's view contains the real x such that f1(x) = y, thus after invoking R(x, ) she obtains the real m (and R is never invoked on the useless (x̂, )).
¹⁰ To be a bit more accurate, L_A will contain all queries that are intersections with probability larger than some fixed threshold ε. Nevertheless, such a list L_A is good enough for our arguments.
We conclude with briefly mentioning two additional subtleties of our proof:
The generation of almost uniform runs of a protocol (that are consistent with some partial information)
is more complex in our oracle (though still doable).
While creating the list LA, we cannot be as reckless as Eve is in the description above. Namely, EA
cannot add all the update queries to LA since LB may not contain them. Therefore, EA should be very
conservative in creating LA. This is where she uses the validity tests described above. On the other
hand, EB can be much more liberal and put all his knowledge into LB (which creates the asymmetry
between LA and LB).
6 Relationships with KA and with Trapdoor Functions
Our results extend beyond the relationship between PKE and OT, to show interesting relationships to KA,
trapdoor functions, and trapdoor permutations. In this section we sketch our additional results (some of
which follow as direct corollaries of our previous theorems, and some require extensions of the proofs).
6.1 Relationship between OT and KA
Recall that OT is known to imply KA, and that in fact KA can be constructed from OT in a pass-preserving
way, as we showed in Section 3.2. That is, k-OT implies k-KA. However, we now show that a construction
that reduces the passes is not possible.
k-OT does not imply (k-1)-KA, for any k 2. In Section 4 we have constructed an oracle 3
with the desired properties for k = 3. This construction can be generalized to any k in a straightforward
way, by using k containing (in addition to a PSPACE-complete oracle) random length tripling functions
f1, ..., fk, and a reconstruction function R such that R(w, ) = z whenever is of the appropriate form for
k sequential applications of f1, ..., fk alternating between applications of the form fi(z, r, i 1) and of the
form fi(w, i 1). The oracle is slightly different (syntactically) in the case that k is odd and the case k is
even, depending on whether the first function f1 is defined on (z, r) (when k is odd), or on w (when k is
even). Proving that a k-OT (malicious) protocol exists relative to k, as well as proving that no (k-1)-KA
protocol exists, is very similar to the corresponding proofs for k = 3.
Note that the above result clearly implies a separation between k-KA and (k-1)-KA (which was proven
in [Rud91]), and a separation between k-OT and (k-1)-OT (both of which are weaker).
KA does not imply OT. Since we have proved that PKE (or 2-KA) does not imply OT (in any number
of rounds), this immediately yields the corollary that, while OT implies KA, the converse is not true. That
is, KA does not imply OT (under black-box reductions).
6.2 Relationships with Trapdoor Functions
Trapdoor permutations vs. PKE. While trapdoor permutations are known to imply PKE, our results imply
that the converse is not true, namely PKE does not imply trapdoor permutations. This is so
since trapdoor permutations imply OT, and thus relative to our oracle PKE, PKE exists but trapdoor
permutations do not.
Trapdoor functions vs. OT. By the result of Bellare et al. [BHSV98], trapdoor functions with polynomial
pre-image size imply PKE. Thus, we conclude that OT does not imply trapdoor functions with polynomial
pre-image size (obviously, it follows that OT does not imply injective trapdoor functions, and in particular
it does not imply trapdoor permutations).¹¹
On the other hand, we may extend our results to prove that injective trapdoor functions do not imply
OT. For this purpose we may use our oracle PKE, for which we already know that no OT exists. We
may now consider the family {Ty(m, r) = (f2(m, r, y), r)} where the key generation algorithm first chooses
a random t as the trapdoor information, and sets the key to y = f1(t). It is easy to see that Ty is easy
to compute, and easy to invert given the trapdoor (and access to R). The one-wayness of Ty (without the
trapdoor information) follows from the fact that f2 is random (thus it is hard to invert without access to
R), and the fact that f1 is random (thus it is hard to use R in a meaningful way, given y and the output of
Ty). Ty is injective since f2 is.
We may conclude that OT and injective trapdoor functions are incomparable (and they are both implied
by trapdoor permutations). The same construction also implies a separation between trapdoor permutations
(i.e. trapdoor functions which are injective and onto), and trapdoor functions which are injective.
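The family Ty described above can be exercised against a toy, lazily sampled stand-in for the oracle. This is an added example, not code from the paper: the class and function names, the byte lengths, the name ct for the output of f2, and the table-lookup semantics of R (return m exactly when ct = f2(m, r, f1(x))) are assumptions made for the illustration.

```python
import secrets

class ToyOracle:
    """Toy stand-in for the paper's oracle (assumption: lazily sampled tables)."""
    def __init__(self, n=8):
        self.n = n          # input block length in bytes (constructed value)
        self._f1 = {}       # t -> y
        self._f2 = {}       # (m, r, y) -> ct
        self._f2_inv = {}   # ct -> (m, r, y), kept so that R can answer

    def _fresh(self, taken):
        # Random 3n-byte output; resample on collision to keep f1, f2 injective.
        while True:
            v = secrets.token_bytes(3 * self.n)
            if v not in taken:
                return v

    def f1(self, t):
        if t not in self._f1:
            self._f1[t] = self._fresh(set(self._f1.values()))
        return self._f1[t]

    def f2(self, m, r, y):
        key = (m, r, y)
        if key not in self._f2:
            ct = self._fresh(self._f2_inv)
            self._f2[key], self._f2_inv[ct] = ct, key
        return self._f2[key]

    def R(self, x, ct):
        # Assumed semantics: return m iff ct = f2(m, r, f1(x)), else None.
        hit = self._f2_inv.get(ct)
        return hit[0] if hit is not None and hit[2] == self.f1(x) else None

def keygen(oracle):
    """Choose a random trapdoor t and publish the key y = f1(t)."""
    t = secrets.token_bytes(oracle.n)
    return oracle.f1(t), t

def T(oracle, y, m, r):
    """T_y(m, r) = (f2(m, r, y), r): computable from the public key alone."""
    return oracle.f2(m, r, y), r

def invert(oracle, t, image):
    """Invert T_y with the trapdoor t and access to R; None if t is wrong."""
    ct, r = image
    m = oracle.R(t, ct)
    return None if m is None else (m, r)
```

A caller holding a wrong trapdoor gets None from R, which mirrors the observation in Section 5 that querying R on a made-up x̂ yields no useful information.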
11 As for trapdoor functions with super-polynomial pre-image size, these are implied by (standard) one-way
functions [BHSV98], and thus by OT, as well as PKE, and any other assumption that implies OWF.
Acknowledgments
We thank Shafi Goldwasser for mentioning this open problem and inspiring us to continue working on it. We
are grateful to Amos Beimel for many insightful remarks and useful discussions on previous works as well
as our own. Finally, we would like to thank anonymous referees for comments on an earlier version of the
paper.
References
[AIR00] W. Aiello, Y. Ishai, and O. Reingold. Oblivious commerce: How to sell digital goods. Manuscript
in Preparation, 2000.
[BCR86] G. Brassard, C. Crepeau, and J.M. Robert. Information theoretic reductions among disclosure
problems. In Proceedings of the IEEE Symposium on the Foundations of Computer Science,
pages 168–173, 1986.
[Bei] Amos Beimel. Personal communication.
[BHSV98] M. Bellare, S. Halevi, A. Sahai, and S. Vadhan. Many-to-one trapdoor functions and their
relations to public-key cryptosystems. In Advances in Cryptology – Crypto '98 Proceedings,
Lecture Notes in Computer Science, 1998.
[Blu83] M. Blum. How to exchange (secret) keys. ACM Transactions of Computer Systems, 1(2):175–193,
1983. Preliminary version in the Proceedings of the ACM Symposium on the Theory of
Computing, pages 440–447, 1983.
[BMM99] A. Beimel, T. Malkin, and S. Micali. The all-or-nothing nature of two-party secure computation.
In Advances in Cryptology – Crypto '99 Proceedings, volume 1666 of Lecture Notes in Computer
Science, pages 80–97, 1999.
[CK88] C. Crepeau and J. Kilian. Achieving oblivious transfer using weakened security assumptions.
In Proceedings of the IEEE Symposium on the Foundations of Computer Science, pages 42–52,
1988.
[Cre87] C. Crepeau. Equivalence between two flavours of oblivious transfers. In Advances in Cryptology
– Crypto '87 Proceedings, pages 350–354, 1987.
[CS91] C. Crepeau and M. Santha. On the reversibility of oblivious transfer. In Proceedings of
EUROCRYPT, volume 547 of Lecture Notes in Computer Science, pages 106–113, 1991.
[DH76] W. Diffie and M.E. Hellman. New directions in cryptography. IEEE Transactions in Information
Theory, 22(6):644–654, 1976.
[DN00] I. Damgård and J.B. Nielsen. Improved non-committing encryption schemes based on a general
complexity assumption. In Advances in Cryptology – Crypto '00 Proceedings, pages 432–450,
2000.
[EGL85] S. Even, O. Goldreich, and A. Lempel. A randomized protocol for signing contracts.
Communications of the ACM, 28(6):637–647, 1985.
[GGM86] O. Goldreich, S. Goldwasser, and S. Micali. How to construct random functions. Journal of
the ACM, 33(4):792–807, October 1986. Preliminary version in the Proceedings of the IEEE
Symposium on the Foundations of Computer Science, pages 464–479, 1984.
[GM84] S. Goldwasser and S. Micali. Probabilistic encryption. Journal of Computer Security, 28:270–299,
1984. Preliminary version in the Proceedings of the ACM Symposium on the Theory of
Computing, pages 365–377, 1982.
[GMW87] O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game, or: A completeness
theorem for protocols with honest majority. In Proceedings of the ACM Symposium on Theory
of Computing, pages 218–229, 1987.
[GMW91] O. Goldreich, S. Micali, and A. Wigderson. Proofs that yield nothing but their validity or
all languages in NP have zero-knowledge proofs. Journal of the ACM, 38(3):691–729, July 1991.
Preliminary version in the Proceedings of the IEEE Symposium on the Foundations of Computer
Science, pages 174–187, 1986.
[Gol97] S. Goldwasser. New directions in cryptography: Twenty some years later. In Proceedings of the
IEEE Symposium on the Foundations of Computer Science, pages 314–325, 1997.
[Gol98] O. Goldreich. Secure multi-party computation (working draft).
http://www.wisdom.weizmann.ac.il/~oded/foc.html, 1998.
[GT00] R. Gennaro and L. Trevisan. Lower bounds on the efficiency of generic cryptographic
constructions. In Proceedings of the IEEE Symposium on the Foundations of Computer Science, 2000.
To appear.
[HILL99] J. Håstad, R. Impagliazzo, L.A. Levin, and M. Luby. A pseudorandom generator from any
one-way function. SIAM Journal on Computing, 28(4):1364–1396, 1999.
[IL89] R. Impagliazzo and M. Luby. One-way functions are essential for complexity based cryptography.
In Proceedings of the IEEE Symposium on the Foundations of Computer Science, pages 230–235,
1989.
[IR89] R. Impagliazzo and S. Rudich. Limits on the provable consequences of one-way permutations.
In Proceedings of the ACM Symposium on Theory of Computing, pages 44–61, 1989.
[IR00] R. Impagliazzo and S. Rudich. Personal communication.
[JVV86] M. Jerrum, L. Valiant, and V. Vazirani. Random generation of combinatorial structures from a
uniform distribution. Theoretical Computer Science, 43:169–188, 1986.
[Kil88] J. Kilian. Founding cryptography on oblivious transfer. In Proceedings of the ACM Symposium
on Theory of Computing, pages 20–31, 1988.
[Kil91] J. Kilian. A general completeness theorem for two-party games. In Proceedings of the ACM
Symposium on Theory of Computing, pages 553–560, 1991.
[Kil00] J. Kilian. More general completeness theorems for secure two-party computation. 2000.
[KKMO00] J. Kilian, E. Kushilevitz, S. Micali, and R. Ostrovsky. Reducibility and completeness in private
computations. SIAM Journal on Computing, 29(4):1189–1208, 2000.
[KSS00] J. Kahn, M. Saks, and C. Smyth. A dual version of Reimer's inequality and a proof of Rudich's
conjecture. In Proceedings of the 15th Annual IEEE Conference on Computational Complexity,
2000.
[KST99] J.H. Kim, D. Simon, and P. Tetali. Limits on the efficiency of one-way permutation-based hash
functions. In Proceedings of the IEEE Symposium on the Foundations of Computer Science,
pages 535–542, 1999.
[LR88] M. Luby and C. Rackoff. How to construct pseudo-random permutations from pseudo-random
functions. SIAM Journal on Computing, 17(2):373–386, April 1988. Preliminary version in
Proceedings of the ACM Symposium on Theory of Computing, 1986.
[Nao91] M. Naor. Bit commitment using pseudorandomness. Journal of Cryptology, 4(2):151–158, 1991.
Preliminary version in Advances in Cryptology – Crypto '89 Proceedings, pages 128–136, 1989.
[Nao00] M. Naor. Presentation in DIMACS workshop on Cryptography and Intractability, March 2000.
[NY89] M. Naor and M. Yung. Universal one-way hash functions and their cryptographic applications.
In Proceedings of the ACM Symposium on Theory of Computing, pages 33–43, 1989.
[Rab81] M.O. Rabin. How to exchange secrets by oblivious transfer. Technical Report TR-81, Harvard
University, 1981.
[Rom90] J. Rompel. One-way functions are necessary and sufficient for secure signatures. In Proceedings
of the ACM Symposium on Theory of Computing, pages 387–394, 1990.
[Rud91] S. Rudich. The use of interaction in public cryptosystems. In Advances in Cryptology – Crypto
'91 Proceedings, volume 576 of Lecture Notes in Computer Science, pages 242–251, 1991.
[Sim98] D. Simon. Finding collisions on a one-way street: Can secure hash functions be based on general
assumptions. In Proceedings of EUROCRYPT, volume 1403 of Lecture Notes in Computer
Science, 1998.
[Yao82] A. Yao. Theory and applications of trapdoor functions. In Proceedings of the IEEE Symposium
on the Foundations of Computer Science, pages 80–91, 1982.
[Yao86] A.C. Yao. How to generate and exchange secrets. In Proceedings of the IEEE Symposium on
the Foundations of Computer Science, pages 162–167, 1986.