Using Probabilistic I/O Automata to Analyze an Oblivious Transfer Protocol

Abstract

We demonstrate how to carry out cryptographic security analysis ofdistributed protocols within the Probabilistic I/O Automataframework of Lynch, Segala, and Vaandrager. This framework providestools for arguing rigorously about the concurrency and schedulingaspects of protocols, and about protocols presented at differentlevels of abstraction. Consequently, it can help in makingcryptographic analysis more precise and less susceptible to errors.We concentrate on a relatively simple two-party Oblivious Transferprotocol, in the presence of a semi-honest adversary (essentially,an eavesdropper). For the underlying cryptographic notion ofsecurity, we use a version of Canetti's Universally Composablesecurity.In spite of the relative simplicity of the example, the exercise isquite nontrivial. It requires taking many fundamental issues intoaccount, including nondeterministic behavior, scheduling,resource-bounded computation, and computational hardness assumptionsfor cryptographic primitives.