Security of CO15 ciphertext computation #74
Comments
Note that |
Yes, this is in keeping with CO15's definition of |
Oh I see. I vaguely remember this is to make sure that the Adv (as malicious receiver) queries the RO so that the simulator can extract the choice bit. But the protocol ends up not being simulation-secure, so I'm not sure if that is really needed. Maybe we should provide a PVW OT |
Ah, interesting. What's PVW? |
Thanks. So to recap: is this simplified encryption function |
If safe means no attack, I think so. |
Currently, the CO15 OT sender output uses the encryption algorithm E(k, m) = k ⊕ m. But this is not the algorithm that CO15 use themselves! CO15 use a quasi-authenticated cipher of the form E'(k, m) = (k₁ ⊕ m, k₂), where k₁ and k₂ are the two 128-bit halves of k. Importantly, they argue that E' is non-committing and robust as per definitions 1 and 2 (see screenshot; it's from page 5). On the other hand, E is NOT robust: V_{S,e} always equals S in the definition, since decryption never fails.

Is the choice of the encryption algorithm E secure here, then?
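The robustness point above can be checked concretely by computing V_{S,e} (the keys in S under which a ciphertext decrypts without failure) for both ciphers. This is an added Python example, not code from the project or from CO15; it assumes 128-bit messages, a 128-bit key for E, a 256-bit key for E' whose halves are k₁ and k₂, and models decryption failure (⊥) as None.

```python
import hashlib

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# E(k, m) = k ⊕ m: a plain one-time pad. Decryption cannot fail for any key.
def enc_e(k: bytes, m: bytes) -> bytes:
    return xor(k, m)

def dec_e(k: bytes, e: bytes) -> bytes:
    return xor(k, e)  # "succeeds" for every k, so every k in S lands in V_{S,e}

# E'(k, m) = (k1 ⊕ m, k2): k2 travels in the clear and acts as a key check
# value, so decryption under a key with a different second half is rejected.
def enc_e_prime(k: bytes, m: bytes) -> tuple[bytes, bytes]:
    k1, k2 = k[:16], k[16:]
    return xor(k1, m), k2

def dec_e_prime(k: bytes, e: tuple[bytes, bytes]):
    c, tag = e
    k1, k2 = k[:16], k[16:]
    if tag != k2:
        return None  # ⊥: this key does not match the ciphertext
    return xor(k1, c)

def valid_keys(S, e, dec):
    """V_{S,e}: the keys in S under which e decrypts without failure."""
    return [k for k in S if dec(k, e) is not None]

def robustness_demo(n_keys: int = 8) -> tuple[int, int]:
    """Return (|V_{S,e}| for E, |V_{S,e}| for E') with |S| = n_keys.

    Robustness wants this set to be small (ideally one key); with E it is all of S.
    """
    # Constructed sample key set: deterministic, pairwise distinct keys.
    keys256 = [hashlib.sha256(f"constructed-key-{i}".encode()).digest() for i in range(n_keys)]
    keys128 = [k[:16] for k in keys256]
    m = b"\x00" * 16
    e = enc_e(keys128[0], m)                # encrypted under the first key only
    e_prime = enc_e_prime(keys256[0], m)
    return len(valid_keys(keys128, e, dec_e)), len(valid_keys(keys256, e_prime, dec_e_prime))

if __name__ == "__main__":
    print(robustness_demo())  # (8, 1): E accepts every key, E' only the right one
```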