Keywords

1 Introduction

Oblivious Transfer (OT) is a notion introduced by Rabin in [53]. In its classical 1-out-of-\(n\) version, it allows a user \(\mathcal {U}\) to access a single line of a database while interacting with the server \(\mathcal {S}\) owning the database. The user should be oblivious to the other line values, while the server should be oblivious to which line was indeed received. Oblivious transfer has a fundamental role for achieving secure multi-party computation: It is for example needed for every bit of input in Yao’s protocol [59] as well as for Oblivious RAM ([56] for instance), for every AND gate in the Boolean circuit computing the function in [35] or for almost all known garbled circuits [6].

Private Information Retrieval (PIR) schemes [25] allow a user to retrieve information from a database, while ensuring that the database does not learn which data were retrieved. With the increasing need for user privacy, these schemes are quite useful in practice, be they used for accessing records for email repositories, collection of webpages, music... But while protecting the privacy of the user, it is equally important that the user should not learn more information than he is allowed to. This is called database privacy and the corresponding protocol is called a Symmetrically Private Information Retrieval (SPIR), which could be employed in practice, for medical data or biometric information. This notion is closely related to Oblivious Transfer.

Due to their huge interest in practice, it is important to achieve low communication on these Oblivious Transfer protocols. A usual drawback is that the server usually has to send a message equivalent to the whole database each time the user requests a line. If it is logical, in the \(\mathsf {UC}\) framework, that an \(\mathsf {OT} \) protocol requires a cost linear in the size of the database for the first line queried. One may then hope to amortize the cost for further queries between the same server and the same user (or even another user, if possible), reducing the efficiency gap between Private Information Retrieval schemes and their stronger equivalent Oblivious Transfer schemes. We thus deal in this paper with a more efficient way, which is to achieve Adaptive Oblivious Transfer, in which the user can adaptively ask several lines of the database. In such schemes, the server only sends his database once at the beginning of the protocol, and all the subsequent communication is in \(o(n)\), more precisely logarithmic. The linear cost is batched once and for all in this preprocessing phase, achieving then a logarithmic complexity similar to the best PIR schemes.

Smooth Projective Hash Functions (SPHF), used in conjunction with Commitments have become the standard way to deal with such secret message transfers. In a commitment scheme, the sender is going to commit to the line required (i.e. to give the receiver an analogue of a sealed envelope containing his value i) in such a way that he should not be able to open to a value different from the one he committed to (binding property), and that the receiver cannot learn anything about i (hiding property) before a potential opening phase. During the opening phase, however, the committer would be asked to reveal i in such a way that the receiver can verify it was indeed i that was contained in the envelope.

But, in our applications, there cannot be an opening phase, due to the oblivious requirements on the protocols and the secrecy of the database line i sent. The decommitment (opening phase) will thus be implicit, which means that the committer does not really open its commitment, but rather convinces the receiver that it actually committed to the value it pretended to. We achieve this property thanks to Smooth Projective Hash Functions [26, 33], which have been widely used in such circumstances (see [1, 2, 8, 9, 45] for instance). These hash functions are defined in such a way that their value can be computed in two different ways if the input belongs to a particular subset (the language), either using a private hashing key or a public projection key along with a private witness ensuring that the input belongs to the language. The hash value obtained is indistinguishable from random in case the input does not belong to the language (smoothness) and in case the input does belong to the language but no witness is known (pseudo-randomness).

In a nutshell, to ensure implicit decommitment, the sender will thus simply mask the database line with this hash value computed using the private hashing key. He will then send it along with the public projection key to the user, who will be able to compute the same hash value thanks to the randomness of the commitment of this line he sent in the first place (the randomness is the witness of the membership of the commitment to the language of commitments of this specific line). In order to ensure adaptive security in the universal composability framework, the commitments used are usually required to be both extractable (meaning that a simulator can recover the value i committed to thanks to a trapdoor) and equivocable (meaning that a simulator can open a commitment to a value \(i'\) different from the value i it committed to thanks to a trapdoor).

In order to simplify these commitments, which can be quite technical, we choose here to rely on words in more complex languages rather than on simple line numbers. More precisely, the user will first compute an equivocable commitment on the line number required, which will be his word w in the language. This word will then be encrypted under a \(\mathsf {CCA}\) encryption scheme, and the \(\mathsf {SPHF} \) will be constructed for this word (rather than for the line number), which will be simpler. Furthermore, this abstraction consisting in encoding line numbers as words in more complex languages will reveal useful in more general contexts, not only Oblivious Transfer, the simplest of which being Oblivious Signature Based Envelope.

Oblivious Signature-Based Envelope (OSBE) was introduced by Li, Du and Boneh in [49]. OSBE schemes consider the case where Alice (the receiver) is a member of an organization and possesses a certificate produced by an authority attesting she actually belongs to this organization. Bob (the sender) wants to send a private message P to members of this organization. However due to the sensitive nature of the organization, Alice does not want to give Bob neither her certificate nor a proof she belongs to the organization. OSBE lets Bob send an obfuscated version of this message P to Alice, in such a way that she will be able to find P if and only if she is in the required organization. In the process, Bob cannot decide whether Alice does really belong to the organization. We even manage to construct a more general framework to capture many protocols around trust negotiation, where the user receives a message if and only if he possesses some credentials or specific accreditations. As a reference to OSBE, we call this framework Oblivious Language-Based Envelope (OLBE).

1.1 Related Work

Since the original paper [53], several instantiations and optimizations of OT protocols have appeared in the literature  [23, 51], including proposals in the UC framework. More recently, new instantiations have been proposed, trying to reach round-optimality [41], and/or low communication costs [52]. Recent schemes like [1, 9] manage to achieve round-optimality while maintaining a small communication cost. Choi et al.  [24] also propose a generic method and an efficient instantiation secure against adaptive corruptions in the CRS model with erasures, but it is only 1-out-of-2 and it does not scale to 1-out-of-\(n\) \(\mathsf {OT}\), for \(n>2\). As far as adaptive versions of those protocols are concerned, this problem was first studied by [37, 47, 50], and more recently UC secure instantiations were proposed, but unfortunately either under the Random Oracle, or under not so standard assumptions such as q-Hidden \(\mathsf {LRSW}\) or later on q-\(\mathsf {SDH} \) [17, 20, 39, 43, 54], but without allowing adaptive corruptions.

Concerning automated trust negotiation, two frameworks have been proposed to encompass the symmetric protocols (Password-based Authenticated Key-Exchange, Secret Handshakes and Verfier-Based PAKE): The Credential Authenticated Key Exchange [16], and Language-based Authenticated Key Exchange (LAKE) [7], in which two parties establish a common session key if and only if they hold credentials that belong to specific (and possibly independent) languages chosen by the other party. As for \(\mathsf {OSBE}\), the authors in [13] improved the security model initially proposed in [49], showing how to use Smooth Projective Hash Functions to do implicit proof of knowledge, and proposed the first efficient instantiation of OSBE, under a standard hypothesis. It fits, as well as Access Controlled Oblivious Transfer [18, 19], Priced Oblivious Transfer [4, 54]) and Conditional Oblivious Transfer [28], into the generic notion of Conditional Disclosure of Secrets (see for instance [4, 5, 15, 32, 34, 42, 48, 58]).

1.2 Contributions

Our first contribution is to give the first round-optimal adaptive Oblivious Transfer protocol secure in the UC framework with adaptive corruptions under standard assumptions (\(\mathsf {MDDH} \)) and assuming reliable erasures. We show how to instantiate the needed building blocks using standard assumptions, using or extending various basic primitives in order to fit the \(\mathsf {MDDH} \) framework introduced in [30]. In our scheme, the server first preprocesses its database in a time linear in the length of the database and transfers it to the receiver. After that, the receiver and the sender can run many instances of the protocol on the same database as input and adaptively chosen inputs from the receiver, with a cost sublinear in the database.

It is interesting to note that our resulting adaptive Oblivious Transfer scheme has an amortized complexity in \({\mathcal O}(\log |DB|)\), which is similar to current Private Information Retrieval instantiations [46], that have weaker security prerequisites, and much better than current UC secure Oblivious Transfer under standard assumptions (as they are in \({\mathcal O}(|DB|)\). For a fair comparison it should be stated that the PIR schemes allow this complexity directly from the first query while in our case due to the preprocessing, this amortized cost is only reached after a high number of queries. However, it is interesting to see this convergence in spite of hugely different security models and expectation. Compared to existing versions cited above (either proven in classical security models, or in the UC framework but only with static corruptions and under non-standard assumptions), we manage to prove its security under standard assumptions, like \(\mathsf {SXDH}\), and allow \(\mathsf {UC}\) security with adaptive user corruptions.

As a side result, it is worth noting that we follow some ideas developed in the construction explained in [37] around Blind Identity-Based Encryption and provide techniques in order to transform \(\mathsf {IBE}\) schemes into blind ones, applying them to revisit the one given in [12], in order to show how we can answer blind user secret key-retrieval, which can be of independent interest.

As a second contribution, we propose our new notion, that we call Oblivious Language-Based Envelope. We provide a security model by giving a UC ideal functionality, and show that this notion supersedes the classical asymmetric automated trust negotiation schemes recalled above such as Oblivious Transfer and Oblivious Signature-Based Envelope. We show how to choose the languages in order to obtain from our framework all the corresponding ideal functionalities, recovering the known ones (such as OT) and providing the new ones (such as OSBE, to the best of our knowledge). We then give a generic construction scheme fulfilling our ideal functionality, which directly gives generic constructions for the specific cases (OT, OSBE). Finally, we show how to instantiate the different simple building blocks in order to recover the standard efficient instantiations of these schemes from our framework. In addition to the two cases most studied (OT, OSBE), we also propose what we call Conditioned Oblivious Transfer, which encompasses Access Controlled Oblivious Transfer, Priced Oblivious Transfer and Conditional Oblivious Transfer, and in which the access to each line of the database is hidden behind some possibly secret restriction, be it a credential, a price, or an access policy. The advantage of the OLBE framework on the notion of Conditional Disclosure of Secrets is to allow generic constructions of a large subclass of schemes, as long as two participants are involved. It can be easily applied to any language expressing some new access control policy. Furthermore, those instantiations fit into a global security model, allowing to uniformize (for the better) the security expectations for such schemes. In particular, we allow security in the UC framework with adaptive corruptions for all our constructions (which was already known for some primitives cited above, but not all), and manage to achieve this level of security while staying in the standard model with standard hypothesis.

2 Definitions and Building Blocks

2.1 Notations for Classical Primitives

Throughout this paper, we use the notation \(\mathfrak {K}\) for the security parameter.

Digital Signature. A digital signature scheme \(\mathcal {S}\) [29, 36] allows a signer to produce a verifiable proof that he indeed produced a message. It is described through four algorithms \(\sigma = ( \mathsf {Setup}, \mathsf {KeyGen}, \mathsf {Sign}, \mathsf {Verify})\). The formal definitions are given in the paper full version [10].

Encryption. An encryption scheme \({\mathcal {C}}\) is described through four algorithms \(( \mathsf {Setup}, \mathsf {KeyGen}, \mathsf {Encrypt}, \mathsf {Decrypt})\). The formal definitions are given in the paper full version [10].

Commitment and Chameleon Hash. Commitments allow a user to commit to a value without revealing it, but without the possibility to later change his mind. It is composed of four algorithms \(( \mathsf {Setup}, \mathsf {KeyGen}, \mathsf {Commit}, \mathsf {Decommit})\). Informally, it is extractable if a simulator knowing a certain trapdoor can recover the value committed to, and it is equivocable if a simulator, knowing another trapdoor, can open the commitment to another value than the one it actually committed to. This directly echoes to Chameleon Hashes, traditionally defined by three algorithms \(\mathsf {CH}= ( \mathsf {KeyGen}, \mathsf {CH}, \mathsf {Coll})\). The formal definitions are given in the paper full version [10].

2.2 Identity-Based Encryption, Identity-Based Key Encapsulation

Identity Based encryption was first introduced by Shamir in [55] who was expecting an encryption scheme where no public key will be needed for sending a message to a precise user, defined by his identity. Thus any user wanting to send a private message to a user only need this user’s identity and a master public key. It took 17 years for the cryptographic community to find a way to realize this idea. The first instantiation was proposed in [14] by Boneh and Franklin. It can be described as an identity-based key encapsulation (IBKEM) scheme \(\mathsf {IBKEM}\) which consists of four algorithms \(\mathsf {IBKEM}=(\mathsf {Gen},\mathsf {USKGen},\mathsf {Enc},\mathsf {Dec})\). Every \(\mathsf {IBKEM}\) can be transformed into an ID-based encryption scheme \(\mathsf {IBE}\) using a (one-time secure) symmetric cipher.

Definition 1 (Identity-based Key Encapsulation Scheme)

An identity-based key encapsulation scheme \(\mathsf {IBKEM}\) consists of four PPT algorithms \(\mathsf {IBKEM}=(\mathsf {Gen},\mathsf {USKGen},\mathsf {Enc},\mathsf {Dec})\) with the following properties.

  • : returns the (master) public/secret key . We assume that \({\mathsf {mpk}}\) implicitly defines an identity space \({\mathcal {ID}}\), a key space \({\mathcal {KS}}\), and ciphertext space \(\mathsf {CS} \).

  • : returns the user secret-key \({\mathsf {usk}}[{\mathsf {id}}]\) for identity \({\mathsf {id}} \in {\mathcal {ID}}\).

  • : returns the symmetric key \(\mathsf {K}\in \mathcal {KS}\) together with a ciphertext \({\mathsf {C}} \in {\mathsf {CS}}\) with respect to identity \({\mathsf {id}}\).

  • : returns the decapsulated key or the reject symbol \(\bot \).

For perfect correctness we require that for all \(\mathfrak {K}\in \mathbb {N}\), all pairs \((\mathsf {mpk},\mathsf {msk})\) generated by \(\mathsf {Gen}(\mathfrak {K})\), all identities \(\mathsf {id}\in \mathcal {ID}\), all \(\mathsf {usk}[\mathsf {id}]\) generated by \(\mathsf {USKGen}(\mathsf {msk},\mathsf {id})\) and all \((\mathsf {K},\mathsf {C})\) output by \(\mathsf {Enc}(\mathsf {mpk},\mathsf {id})\): \(\Pr [\mathsf {Dec}(\mathsf {usk}[\mathsf {id}],\mathsf {id},\mathsf {C})=\mathsf {K}]=1.\)

The security requirements for an IBKEM we consider here are indistinguishability and anonymity against chosen plaintext and identity attacks (\(\mathsf {IND\text {-}ID\text {-}CPA}\) and \(\mathsf {ANON\text {-}ID\text {-}CPA}\)). Instead of defining both security notions separately, we define pseudorandom ciphertexts against chosen plaintext and identity attacks (\(\mathsf {PR\text {-}ID\text {-}CPA}\)) which means that challenge key and ciphertext are both pseudorandom. Note that \(\mathsf {PR\text {-}ID\text {-}CPA}\) trivially implies \(\mathsf {IND\text {-}ID\text {-}CPA}\) and \(\mathsf {ANON\text {-}ID\text {-}CPA}\). We define \(\mathsf {PR\text {-}ID\text {-}CPA}\)-security of \(\mathsf {IBKEM}\) formally via the games given in Fig. 1.

Fig. 1.
figure 1

Security Games \(\mathsf {PR\text {-}ID\text {-}CPA}_{\mathsf {real}}\) and \({\mathsf {PR\text {-}ID\text {-}CPA}_{\mathsf {rand}}}\) (boxed) used for defining \(\mathsf {PR\text {-}ID\text {-}CPA}\)-security.

Full size image

Definition 2

( \({{\mathsf {PR\text {-}ID\text {-}CPA}}}\) Security). An ID-based key encapsulation scheme \(\mathsf {IBKEM}\) is \(\mathsf {PR\text {-}ID\text {-}CPA}\)-secure if for all PPT \(\mathscr {A}\), the following advantage is negligible: \({\mathsf {Adv}}^{\mathsf {pr\text {-}id\text {-}cpa}}_{\mathsf {IBKEM}}(\mathscr {A}):=|\Pr [\mathsf {PR\text {-}ID\text {-}CPA}_{\mathsf {real}}^\mathscr {A}\Rightarrow 1]-\Pr [{\mathsf {PR\text {-}ID\text {-}CPA}_{\mathsf {rand}}}^\mathscr {A}\Rightarrow 1]|\).

2.3 Smooth Projective Hashing and Languages

Smooth projective hash functions ( \(\mathsf {SPHF} \) ) were introduced by Cramer and Shoup in [26] for constructing encryption schemes. A projective hashing family is a family of hash functions that can be evaluated in two ways: using the (secret) hashing key, one can compute the function on every point in its domain, whereas using the (public) projected key one can only compute the function on a special subset of its domain. Such a family is deemed smooth if the value of the hash function on any point outside the special subset is independent of the projected key. The notion of \(\mathsf {SPHF} \) has already found applications in various contexts in cryptography (e.g. [2, 33, 44]). A Smooth Projective Hash Function over a language \(\mathfrak {L}\subset X\), onto a set \(\mathcal {G}\), is defined by five algorithms \(( \mathsf {Setup}, \mathsf {HashKG}, \mathsf {ProjKG}, \mathsf {Hash}, \mathsf {ProjHash})\):

  •  \( \mathsf {Setup}(1^\mathfrak {K})\) where \(\mathfrak {K}\) is the security parameter, generates the global parameters \( \mathsf {param}\) of the scheme, and the description of an \(\mathcal {NP}\) language \(\mathfrak {L}\);

  •  \( \mathsf {HashKG}(\mathfrak {L}, \mathsf {param})\), outputs a hashing key \(\mathsf {hk}\) for the language \(\mathfrak {L}\);

  •  \( \mathsf {ProjKG}(\mathsf {hk},(\mathfrak {L}, \mathsf {param}),W)\), derives the projection key \(\mathsf {hp}\) from the hashing key \(\mathsf {hk}\) and the word W.

  •  \( \mathsf {Hash}(\mathsf {hk},(\mathfrak {L}, \mathsf {param}),W)\), outputs a hash value \(v\in \mathcal {G}\), using the hashing key \(\mathsf {hk}\) and the word W.

  •  \( \mathsf {ProjHash}(\mathsf {hp},(\mathfrak {L}, \mathsf {param}),W,w)\), outputs the hash value \(v' \in \mathcal {G}\), using the projection key \(\mathsf {hp}\) and the witness w that the word \(W \in \mathfrak {L}\).

In the following, we assume \(\mathfrak {L}\) is a hard-partitioned subset of X, i.e. it is computationally hard to distinguish a random element in \(\mathfrak {L}\) from a random element in \(X \setminus \mathfrak {L}\). An \(\mathsf {SPHF} \) should satisfy the following properties:

  • Correctness: Let \(W \in \mathfrak {L}\) and w a witness of this membership. Then, for all hashing keys \(\mathsf {hk}\) and associated projection keys \(\mathsf {hp}\) we have

    $$\begin{aligned} \mathsf {Hash}(\mathsf {hk},(\mathfrak {L}, \mathsf {param}),W) = \mathsf {ProjHash}(\mathsf {hp},(\mathfrak {L}, \mathsf {param}),W,w). \end{aligned}$$

  • Smoothness: For all \(W \in X \setminus \mathfrak {L}\) the following distributions are statistically indistinguishable:

This is formalized by: \({\mathsf {Adv}}^{ \mathsf {smooth}}_{\mathsf {SPHF}}(\mathfrak {K}) = \sum _{V\in \mathbb {G}} \left| \Pr _{\varDelta _1}[v=V] - \Pr _{\varDelta _0}[v=V] \right| \) is negligible.

  • Pseudo-Randomness: If \(W \in \mathfrak {L}\), then without a witness of membership the two previous distributions should remain computationally indistinguishable. For any adversary \(\mathcal {A}\) within reasonable time, this advantage is negligible:

$${\mathsf {Adv}}^{ \mathsf {pr}}_{\mathsf {SPHF},\mathcal {A}}(\mathfrak {K}) = |\mathop {\Pr }\limits _{\varDelta _1}[\mathcal {A}(\mathfrak {L}, \mathsf {param},W,\mathsf {hp},v)=1] - \mathop {\Pr }\limits _{\varDelta _0}[\mathcal {A}(\mathfrak {L}, \mathsf {param},W,\mathsf {hp},v)=1]|$$

Languages. The language \(\mathfrak {L}\subset X\) used in the definition of an \(\mathsf {SPHF} \) should be a hard-partitioned subset of X, i.e. it is computationally hard to distinguish a random element in \(\mathfrak {L}\) from a random element not in \(\mathfrak {L}\) (see formal definition in [3, 33]). The languages used here are more complex and should fulfill the following propertiesFootnote 1:

  • Publicly Verifiable: Given a word x in X, anyone should be able to decide in polynomial time whether \(x\in \mathfrak {L}\) or not.

  • Self-Randomizable: Given a word in the language, anyone should be able to sample a new word in the languageFootnote 2, and the distribution of this resampling should be indistinguishable from an honest distribution. This will be used in order to prevent an adversary, or the authority in charge of distributing the words, to learn which specific form of the word was used by the user.

In case we consider several languages \((\mathfrak {L}_1,\dots ,\mathfrak {L}_n)\), we also assume it is a Trapdoor Collection of Languages: It is computationally hard to sample an element in \(\mathfrak {L}_1\cap \dots \cap \mathfrak {L}_n\), except if one possesses a trapdoor \(\mathsf {tk}\) (without the knowledge of the potential secret keys)Footnote 3. For instance, if for all i, \(\mathfrak {L}_i\) is the language of the equivocable commitments on words in an inner language \(\widetilde{\mathfrak {L}}_i = \{i\}\) (as we will consider for \(\mathsf {OT} \)), the common trapdoor key can be the equivocation trapdoor.

Depending on the applications, we can assume a Keyed Language, which means that it is set by a trusted authority, and that it is hard to sample fresh elements from scratch in the language without the knowledge of a secret language key \(\mathsf {sk}_\mathfrak {L}\). In this case, the authority is also in charge of giving a word in the language to the receiver.

In case the language is keyed, we assume it is also a Trapdoor Language: We assume the existence of a trapdoor \(\mathsf {tk}_L\) allowing a simulator to sample an element in \(\mathfrak {L}\) (without the knowledge of the potential secret key \(\mathsf {sk}_\mathfrak {L}\)). For instance, for a language of valid Waters signatures of a message M (as we will consider for \(\mathsf {OSBE}\)), one can think of \(\mathsf {sk}_\mathfrak {L}\) as being the signing key, whereas the trapdoor \(\mathsf {tk}_\mathfrak {L}\) can be the discrete logarithm of h in basis g.Footnote 4

2.4 Security Assumptions

Due to lack of space, instantiations of the primitives recalled above are given in the paper full version [10] and we only give here the security assumptions.

Security Assumption: Pairing groups and Matrix Diffie-Hellman Assumption. Let \(\mathsf {GGen}\) be a probabilistic polynomial time (PPT) algorithm that on input \(1^\mathfrak {K}\) returns a description \(\mathcal {G}=(p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e,g_1,g_2)\) of asymmetric pairing groups where \(\mathbb {G}_1\), \(\mathbb {G}_2\), \(\mathbb {G}_T\) are cyclic groups of order p for a \(\mathfrak {K}\)-bit prime p, \(g_1\) and \(g_2\) are generators of \(\mathbb {G}_1\) and \(\mathbb {G}_2\), respectively, and \(e: \mathbb {G}_1\times \mathbb {G}_2\) is an efficiently computable (non-degenerated) bilinear map. Define \(g_T:=e(g_1, g_2)\), which is a generator in \(\mathbb {G}_T\).

We use implicit representation of group elements as introduced in [30]. For \(s \in \{1,2,T\}\) and \(a \in \mathbb {Z}_p\) define \([a]_s = g_s^a \in \mathbb {G}_s\) as the implicit representation of a in \(\mathbb {G}_s\). More generally, for a matrix \({{\varvec{A}}} = (a_{ij}) \in \mathbb {Z}_p^{n\times m}\) we define \([{{\varvec{A}}}]_s\) as the implicit representation of \({{\varvec{A}}}\) in \(\mathbb {G}_s\):

$$[{{\varvec{A}}}]_s := \begin{pmatrix} g_s^{a_{11}} &{} ... &{} g_s^{a_{1m}}\\ &{} &{} \\ g_s^{a_{n1}}&{} ... &{} g_s^{a_{nm}} \end{pmatrix} \in \mathbb {G}_s^{n \times m}$$

We will always use this implicit notation of elements in \(\mathbb {G}_s\), i.e., we let \([a]_s \in \mathbb {G}_s\) be an element in \(\mathbb {G}_s\). Note that from \([a]_s \in \mathbb {G}_s\) it is generally hard to compute the value a (discrete logarithm problem in \(\mathbb {G}_s\)). Further, from \([b]_{T}\in \mathbb {G}_{T}\) it is hard to compute the value \([b]_1 \in \mathbb {G}_1\) and \([b]_2 \in \mathbb {G}_2\) (pairing inversion problem). Obviously, given \([a]_s \in \mathbb {G}_s\) and a scalar \(x \in \mathbb {Z}_p\), one can efficiently compute \([ax]_s \in \mathbb {G}_s\). Further, given \([a]_1, [b]_2\) one can efficiently compute \([ab]_T\) using the pairing e. For \({\varvec{a}}, {\varvec{b}} \in \mathbb {Z}_p^k\) define \(e([{\varvec{a}}]_1, [{\varvec{b}}]_2):= [{\varvec{a}}^\top {\varvec{b}}]_T \in \mathbb {G}_T\). We recall the definition of the matrix Diffie-Hellman (\(\mathsf {MDDH} \)) assumption [30].

Definition 3 (Matrix Distribution)

Let \(k\in \mathbb {N}\). We call \(\mathcal {D}_{k}\) a matrix distribution if it outputs matrices in \(\mathbb {Z}_p^{(k+1)\times k}\) of full rank k in polynomial time.

Without loss of generality, we assume the first k rows of \({\varvec{A}} \mathop {\leftarrow }\limits ^{{}_\$}\mathcal {D}_{k}\) form an invertible matrix, we denote this matrix \(\overline{{\varvec{A}}}\), while the last line is denoted \(\underline{A}\). The \(\mathcal {D}_k\)-Matrix Diffie-Hellman problem is to distinguish the two distributions \(([{\varvec{A}}], [{\varvec{A}} {\varvec{w}}])\) and \(([{\varvec{A}} ],[{\varvec{u}}])\) where \({\varvec{A}}\mathop {\leftarrow }\limits ^{{}_\$}\mathcal {D}_{k}\), \({\varvec{w}}\mathop {\leftarrow }\limits ^{{}_\$}\mathbb {Z}_p^k\) and \({\varvec{u}}\mathop {\leftarrow }\limits ^{{}_\$}\mathbb {Z}_p^{k+1}\).

Definition 4

\(\mathbf{(}{\varvec{\mathcal {D}_{k}}}{} \mathbf{{{\text {-}}Matrix Diffie{\text {-}}Hellman Assumption}}~{\varvec{\mathcal {D}_{k}}}{} \mathbf{{\text{- }}}\mathsf {MDDH} \mathbf{).}\) Let \(\mathcal {D}_{k}\) be a matrix distribution and \(s \in \{1,2,T\}\). We say that the \(\mathcal {D}_{k}\)-Matrix Diffie-Hellman (\(\mathcal {D}_{k}\)-\(\mathsf {MDDH}\)) Assumption holds relative to \(\mathsf {GGen}\) in group \(\mathbb {G}_s\) if for all PPT adversaries \(\mathcal {D}\),

$$\begin{aligned} \mathbf {Adv}_{\mathcal {D}_{k},\mathsf {GGen}}(\mathcal {D}) :=| \Pr [\mathcal {D}(\mathcal {G},[{{\varvec{A}}}]_s, [{{\varvec{A}}} {\varvec{w}}]_s)=1]-\Pr [\mathcal {D}(\mathcal {G},[{{\varvec{A}}}]_s, [{\varvec{u}} ]_s) =1] |= { \mathsf {negl}}(\lambda ), \end{aligned}$$

where the probability is taken over \(\mathcal {G}\mathop {\leftarrow }\limits ^{{}_\$}\mathsf {GGen}(1^\lambda )\), \({{\varvec{A}}} \mathop {\leftarrow }\limits ^{{}_\$}\mathcal {D}_{k}, {\varvec{w}} \mathop {\leftarrow }\limits ^{{}_\$}\mathbb {Z}_p^k, {\varvec{u}} \mathop {\leftarrow }\limits ^{{}_\$}\mathbb {Z}_p^{k+1}\).

For each \(k \ge 1\), [30] specifies distributions \(\mathcal {L}_k\), \(\mathcal {U}_k\), \(\ldots \) such that the corresponding \(\mathcal {D}_k\)-\(\mathsf {MDDH}\) assumption is the k-Linear assumption, the k-uniform and others. All assumptions are generically secure in bilinear groups and form a hierarchy of increasingly weaker assumptions. The distributions are exemplified for \(k=2\), where \(a_1, \ldots , a_6 \mathop {\leftarrow }\limits ^{{}_\$}\mathbb {Z}_p\).

$$\begin{aligned} \mathcal {L}_2: {{\varvec{A}}}= \left( \begin{matrix} a_1 &{} 0\\ 0 &{} a_2\\ 1 &{} 1 \end{matrix} \right) \quad \mathcal {U}_{2}: {{\varvec{A}}}= \left( \begin{matrix} a_1 &{} a_2\\ a_3 &{} a_4\\ a_5 &{} a_6 \end{matrix} \right) . \end{aligned}$$

It was also shown in [30] that \(\mathcal {U}_k\)-\(\mathsf {MDDH}\) is implied by all other \(\mathcal {D}_k\)-\(\mathsf {MDDH}\) assumptions.

Lemma 5

(Random self reducibility [30]). For any matrix distribution \(\mathcal {D}_{k}\), \(\mathcal {D}_{k}\)-\(\mathsf {MDDH}\) is random self-reducible. In particular, for any \(m \ge 1\) and for all PPT adversaries \(\mathcal {D}\) and \(\mathcal {D}'\),

$$\begin{aligned} \mathbf {Adv}_{\mathcal {D}_{k},\mathsf {GGen}}(\mathcal {D})+\frac{1}{q-1} \ge \mathbf {Adv}^m_{\mathcal {D}_{k},\mathsf {GGen}}(\mathcal {D}') \end{aligned}$$

where \(\mathbf {Adv}^m_{\mathcal {D}_{k},\mathsf {GGen}}(\mathcal {D}') := \Pr [\mathcal {D}'(\mathcal {G},[{{\varvec{A}}}], [{{\varvec{A}}} {{\varvec{W}}}])\Rightarrow 1]-\Pr [\mathcal {D}'(\mathcal {G},[{{\varvec{A}}}], [{{\varvec{U}}} ]) \Rightarrow 1],\) with \(\mathcal {G}\leftarrow \mathsf {GGen}(1^\lambda )\), \({{\varvec{A}}} \mathop {\leftarrow }\limits ^{{}_\$}\mathcal {D}_{k}, {{\varvec{W}}} \mathop {\leftarrow }\limits ^{{}_\$}\mathbb {Z}_p^{k \times m}, {{\varvec{U}}} \mathop {\leftarrow }\limits ^{{}_\$}\mathbb {Z}_p^{(k+1) \times m}\).

Remark: It should be noted that \(\mathcal {L}_1,\mathcal {L}_2\) are respectively the \(\mathsf {SXDH}\) and \(\mathsf {DLin} \) assumptions.

2.5 Security Models

UC Framework. The goal of the \(\mathsf {UC}\) framework [21] is to ensure that \(\mathsf {UC}\)-secure protocols will continue to behave in the ideal way even if executed in a concurrent way in arbitrary environments. It is a simulation-based model, relying on the indistinguishability between the real world and the ideal world. In the ideal world, the security is provided by an ideal functionality \(\mathcal {F}\), capturing all the properties required for the protocol and all the means of the adversary. In order to prove that a protocol \(\varPi \) emulates \(\mathcal {F}\), one has to construct, for any polynomial adversary \(\mathscr {A}\) (which controls the communication between the players), a simulator \(\mathscr {S}\) such that no polynomial environment \(\mathcal {Z}\) can distinguish between the real world (with the real players interacting with themselves and \(\mathscr {A}\) and executing the protocol \(\pi \)) and the ideal world (with dummy players interacting with \(\mathscr {S}\) and \(\mathcal {F}\)) with a significant advantage. The adversary can be either adaptive, i.e. allowed to corrupt users whenever it likes to, or static, i.e. required to choose which users to corrupt prior to the execution of the session \(\mathsf {sid}\) of the protocol. After corrupting a player, \(\mathscr {A}\) has complete access to the internal state and private values of the player, takes its entire control, and plays on its behalf.

Simple UC Framework. Canetti, Cohen and Lindell formalized a simpler variant in [22], that we use here. This simplifies the description of the functionalities for the following reasons (in a nutshell): All channels are automatically assumed to be authenticated (as if we worked in the \(\mathcal {F}_{{\textsc {Auth}}}\)-hybrid model); There is no need for public delayed outputs (waiting for the adversary before delivering a message to a party), neither for an explicit description of the corruptions. We refer the interested reader to [22] for details.

3 UC-secure Adaptive Oblivious Transfer

As explained in the introduction, the classical \(\mathsf {OT} \) constructions based on the commitment/\(\mathsf {SPHF} \) paradigm (with so-called implicit decommitment), among the latest in the UC framework [1, 9, 24], require the server to send an encryption of the complete database for each line required by the user (thus \(O(n)\) each time). We here give a protocol requiring \(O(\log (n))\) for each line (except the first one, still in \(O(n)\)), in the UC framework with adaptive corruptions under classical assumptions (\(\mathsf {MDDH} \)). This protocol builds upon the more efficient known scheme secure in the UC framework [9] and we use ideas from [37] to make it adaptive.

Using implicit decommitment in the UC framework implies a very strong commitment primitive (formalized as \(\mathsf {SPHF} \)-friendly commitments in [1]), which is both extractable and equivocable. Our idea is here to split these two properties by using on the one hand an equivocable commitment and on the other hand an (extractable) \(\mathsf {CCA}\) encryption scheme by generalizing the way to access a line in the database. But this is infeasible with simple line numbers. Indeed, we suggest here not to consider anymore the line numbers as numbers in \(\{1,\dots ,n\}\) but rather to “encode” them (the exact encoding will depend on the protocol): For every line i, a word \(W_i\) in the language \(\mathfrak {L}_i\) will correspond to a representation of line i. This representation must be publicly verifiable, in the sense that anyone can associate i to a word \(W_i\). We formalize this in the following definition of oblivious transferFootnote 5, given without loss of generalityFootnote 6 (the classical notion of OT being easily captured using \(\mathfrak {L}_i = \{i\}\)).

3.1 Definition and Security Model for Oblivious Transfer

In such a protocol, a server \(\mathcal {S}\) possesses a database of \(n\) lines \((m_1,\dots ,m_n)\in (\{0,1\}^\mathfrak {K})^n\). A user \(\mathcal {U}\) will be able to recover \(m_k\) (in an oblivious way) as soon as he owns a word \(W_{k}\in \mathfrak {L}_{k}\). The languages \((\mathfrak {L}_1, \dots ,\mathfrak {L}_n)\) will be assumed to be a trapdoor collection of languages, publicly verifiable and self-randomizable. As we consider simulation-based security (in the UC framework), we allow a simulated setup \( \mathsf {SetupT}\) to be run instead of the classical setup \( \mathsf {Setup}\) in order to allow the simulator to possess some trapdoors. Those two setup algorithms should be indistinguishable.

Definition 6 (Oblivious Transfer)

An \(\mathsf {OT} \) scheme is defined by five algorithms \(( \mathsf {Setup}, \mathsf {KeyGen}, \mathsf {DBGen}, \mathsf {Samp}, \mathsf {Verify})\), along with an interactive protocol \(\mathsf {Protocol}\langle \mathcal {S}, \mathcal {U} \rangle \):

  •  \( \mathsf {Setup}(1^\mathfrak {K})\), where \(\mathfrak {K}\) is the security parameter, generates the global parameters \( \mathsf {param}\), among which the number \(n\);

    or \( \mathsf {SetupT}(1^\mathfrak {K})\), where \(\mathfrak {K}\) is the security parameter, additionally allows the existenceFootnote 7 of a trapdoor \(\mathsf {tk}\) for the collection of languages \((\mathfrak {L}_1,\dots ,\mathfrak {L}_n)\).

  •  \( \mathsf {KeyGen}( \mathsf {param},\mathfrak {K})\) generates, for all \(i\in \{1,\dots ,n\}\), the description of the language \(\mathfrak {L}_i\) (as well as the language key \(\mathsf {sk}_{\mathfrak {L}_i}\) if need be). If the parameters \( \mathsf {param}\) were defined by \( \mathsf {SetupT}\), this implicitly also defines the common trapdoor \(\mathsf {tk}\) for the collection of languages \((\mathfrak {L}_1,\dots ,\mathfrak {L}_n)\).

  •  \(\mathsf {Samp}( \mathsf {param})\) or \(\mathsf {Samp}( \mathsf {param},(\mathsf {sk}_{\mathfrak {L}_i})_{i\in \{1,\dots ,n\}})\) generates a word \(W_i\in \mathfrak {L}_i\);

  •  \( \mathsf {Verify}_i(W_i,\mathfrak {L}_i)\) checks whether \(W_i\) is a valid word in the language \(\mathfrak {L}_i\). It outputs 1 if the word is valid, 0 otherwise;

  •  \(\mathsf {Protocol}\langle \mathcal {S}((\mathfrak {L}_1,\dots ,\mathfrak {L}_n),(m_1,\dots ,m_n)), \mathcal {U}((\mathfrak {L}_1,\dots ,\mathfrak {L}_n),W_i) \rangle \), which is executed between the server \(\mathcal {S}\) with the private database \((m_1,\dots ,m_n)\) and corresponding languages \((\mathfrak {L}_1,\dots ,\mathfrak {L}_n)\), and the user \(\mathcal {U}\) with the same languages and the word \(W_i\), proceeds as follows. If the algorithm \( \mathsf {Verify}_i(W_i,\mathfrak {L}_i)\) returns 1, then \(\mathcal {U}\) receives \(m_k\), otherwise it does not. In any case, \(\mathcal {S}\) does not learn anything.

The ideal functionality of an Oblivious Transfer (\(\mathsf {OT}\)) protocol was given in [1, 21, 24], and an adaptive version in [38]. We here combine them and rewrite it in simple UC and using our language formalism (instead of directly giving a number line s to the functionality, the user will give it a word \(W_s \in \mathfrak {L}_s\)). The resulting functionality \(\mathcal {F}^{\mathfrak {L}}_{\text {OT}}\) is given in Fig. 2. Recall that there is no need to give an explicit description of the corruptions in the simple version of UC [22].

Fig. 2.
figure 2

Ideal Functionality for (Adaptive) Oblivious Transfer \(\mathcal {F}^{\mathfrak {L}}_{\text {OT}}\)

Full size image

3.2 High Level Idea of the Construction of the Adaptive Oblivious Transfer Scheme

Our construction builds upon the UC-secure OT scheme from [9], with ideas inspired from [37], who propose a neat framework allowing to achieve adaptive Oblivious Transfer (but not in the UC framework). Their construction is quite simple: It requires a blind Identity-Based Encryption, in other words, an \(\mathsf {IBE}\) scheme in which there is a way to query for a user key generation without the authority (here the server) learning the targeted identity (here the line in the database). Once such a Blind \(\mathsf {IBE}\) is defined, one can conveniently obtain an oblivious transfer protocol by asking the database to encrypt (once and for all) each line for an identity (the j-th line being encrypted for the identity j), and having the user do a blind user key generation query for identity i in order to recover the key corresponding to the line i he expects to learn.

This approach is round-optimal: After the database preparation, the first flow is sent by the user as a commitment to the identity i, and the second one is sent by the server with the blinded expected information. But several technicalities arise because of the UC framework we consider here. For instance, the blinded expected information has to be masked, we do this here thanks to an \(\mathsf {SPHF} \). Furthermore, instead of using simple line numbers as identities, we have to commit to words in specific languages (so as to ensure extractability and equivocability) as well as to fragment the \(\mathsf {IBE}\) keys into bits in order to achieve \(O(\log n)\) in both flows. This allows us to achieve the first UC-secure adaptive \(\mathsf {OT} \) protocol allowing adaptive corruptions. More details follow in the next sessions.

3.3 Main Building Block: Constructing a Blind Fragmented IBKEM from an IBKEM

Definition and Security Properties of a Blind IBKEM Scheme. Following [12], we recalled in Sect. 2.2 page 6 the definitions, notations and security properties for an IBE scheme, seen as an Identity-Based Key Encapsulation (IBKEM) scheme. We continue to follow the KEM formalism by adapting the definition of a Blind IBE scheme given in [37] to this setting.

Definition 7 (Blind Identity-Based Key Encapsulation Scheme)

A Blind Identity-Based Key Encapsulation scheme \(\mathsf {BlindIBKEM}\) consists of four PPT algorithms \((\mathsf {Gen},\mathsf {BlindUSKGen},\mathsf {Enc},\mathsf {Dec})\) with the following properties:

  •  \(\mathsf {Gen}\), \(\mathsf {Enc}\) and \(\mathsf {Dec}\) are defined as for a traditional \(\mathsf {IBKEM}\) scheme.

  •  \(\mathsf {BlindUSKGen}(\langle (\mathcal {S},\mathsf {msk})(\mathcal {U},\mathsf {id},\ell ;\varvec{\rho }) \rangle )\) is an interactive protocol, in which an honest user \(\mathcal {U}\) with identity \(\mathsf {id}\in \mathcal {ID}\) obtains the corresponding user secret key \(\mathsf {usk}[\mathsf {id}]\) from the master authority \(\mathcal {S}\) or outputs an error message, while \(\mathcal {S}\)’s output is nothing or an error message (\(\ell \) is a label and \(\varvec{\rho }\) the randomness).

Defining the security of a \(\mathsf {BlindIBKEM}\) requires two additional properties, stated as follows (see [37, pages 6 and 7] for the formal security games):

  1. 1.

    Leak-free Secret Key Generation (called Leak-free Extract for Blind \(\mathsf {IBE}\) security in the original paper): A potentially malicious user cannot learn anything by executing the \(\mathsf {BlindUSKGen}\) protocol with an honest authority which he could not have learned by executing the \(\mathsf {USKGen}\) protocol with an honest authority; Moreover, as in \(\mathsf {USKGen}\), the user must know the identity for which he is extracting a key.

  2. 2.

    Selective-failure Blindness: A potentially malicious authority cannot learn anything about the user’s choice of identity during the \(\mathsf {BlindUSKGen}\) protocol; Moreover, the authority cannot cause the \(\mathsf {BlindUSKGen}\) protocol to fail in a manner dependent on the user’s choice.

    For our applications, we only need a weakened property for blindness:Footnote 8

  3. 3.

    Weak Blindness: A potentially malicious authority cannot learn anything about the user’s choice of identity during the \(\mathsf {BlindUSKGen}\) protocol.

High-Level Idea of the Transformation. We now show how to obtain a \(\mathsf {BlindIBKEM}\) scheme from any \(\mathsf {IBKEM}\) scheme. From a high-level point of view, this transformation mixes two pre-existing approaches.

First, we are going to consider a reverse Naor transform [14, 27]: He drew a parallel between Identity-Based Encryption schemes and signature schemes, by showing that a user secret key on an identity can be viewed as the signature on this identity, the verification process therefore being a test that any chosen valid ciphertext for the said identity can indeed be decrypted using the signature scheme.

Then, we are going to use Fischlin [31] round-optimal approach to blind signatures, where the whole interaction is done in one pass: First, the user commits to the message, then he recovers a signature linked to his commitment. For sake of simplicity, instead of using a Non-Interactive Zero-Knowledge Proof of Knowledge of a signature, we are going to follow the [11, 13] approach, where thanks to an additional term, the user can extract a signature on the identity from a signature on the committed identity.

Omitting technical details described more precisely in the following sections, the main idea of the transformation of the \(\mathsf {IBKEM}\) scheme in order to blind a user key request is described in Fig. 3.

Fig. 3.
figure 3

Generic Transformation of an \(\mathsf {IBKEM}\) into a Blind \(\mathsf {IBKEM}\) (naive approach)

Full size image

Generic Transformation of an \(\mathsf {IBKEM}\) into a Blind \(\mathsf {IBKEM}\) . It now remains to explain how one can fulfill the idea highlighted in Fig. 3. The technique to blind a user key request uses a smooth projective hash function (see Sect. 2.3), and is often called implicit decommitment in recent works: the \(\mathsf {IBKEM}\) secret key is sent hidden in such a way that it can only be recovered if the user knows how to open the initial commitment on the correct identity. We assume the existence of a labeled \(\mathsf {CCA}\)-encryption scheme \({\mathcal {E}}=( \mathsf {Setup}_\mathrm {cca}, \mathsf {KeyGen}_{\mathrm {cca}}, \mathsf {Encrypt}^\ell _\mathrm {cca}, \mathsf {Decrypt}^\ell _\mathrm {cca})\) compatible with an \(\mathsf {SPHF} \) defined by \(( \mathsf {Setup}, \mathsf {HashKG}, \mathsf {ProjKG}, \mathsf {Hash}, \mathsf {ProjHash})\) onto a set G (where \(\ell \) is a label defined by the global protocol). By “compatible”, we mean that the \(\mathsf {SPHF} \) can be defined over a language \(\mathfrak {L}^c_{\mathsf {id}}\subset X\), where \(\mathfrak {L}^c_{\mathsf {id}}= \{ C ~|~ \exists \varvec{\rho }\text { such that } C = \mathsf {Encrypt}_\mathrm {cca}^\ell (\mathsf {id};\varvec{\rho }) \}\). In the \( \mathsf {KeyGen}\) algorithm, the description of the language \(\mathfrak {L}_\mathsf {id}= \{\mathsf {id}\}\) thus implicitly defines the language \(\mathfrak {L}^c_{\mathsf {id}}\) of \(\mathsf {CCA}\)-encryptions of elements of \(\mathfrak {L}_\mathsf {id}\). We additionally use a key derivation function KDF to derive a pseudo-random bit-string \(K\in \{0,1\}^\mathfrak {K}\) from a pseudo-random element \(v \in G\). One can use the Leftover-Hash Lemma [40], with a random seed defined in \( \mathsf {param}\) during the global setup, to extract the entropy from v, then followed by a pseudo-random generator to get a long enough bit-string. Many uses of the same seed in the Leftover-Hash Lemma just lead to a security loss linear in the number of extractions. This gives the following protocol for \(\mathsf {BlindUSKGen}\), described in Fig. 4.

Fig. 4.
figure 4

Summary of the Generic Construction of \(\mathsf {BlindUSKGen}(\langle (\mathcal {S},\mathsf {msk})(\mathcal {U},\mathsf {id},\ell ;\varvec{\rho }) \rangle )\) for a blind \(\mathsf {IBE}\)

Full size image

Theorem 8

If \(\mathsf {IBKEM}\) is a \(\mathsf {PR\text {-}ID\text {-}CPA}\)-secure identity-based key encapsulation scheme and \({\mathcal {E}}\) a labeled \(\mathsf {CCA}\)-encryption scheme compatible with an \(\mathsf {SPHF} \), then \(\mathsf {BlindIBKEM}\) is leak free and weak blind.

Proof

First, \(\mathsf {BlindIBKEM}\) satisfies leak-free secret key generation since it relies on the \(\mathsf {CCA}\) security on the encryption scheme, forbidding a user to open it to another identity than the one initially encrypted. Furthermore, the pseudo-randomness of the \(\mathsf {SPHF} \) ensures that the blinded user key received for \(\mathsf {id}\) is indistinguishable from random if he encrypted \(\mathsf {id}'\ne \mathsf {id}\). Finally, the weak blindness also relies on the \(\mathsf {CCA}\) security on the encryption scheme, since an encryption of \(\mathsf {id}\) is indistinguishable from a encryption of \(\mathsf {id}' \ne \mathsf {id}\).   \(\square \)

Using a Blind \(\mathsf {IBKEM}\) in our Application to Adaptive Oblivious Transfer. The previous approach allows to transform an \(\mathsf {IBKEM}\) into a Blind \(\mathsf {IBKEM}\), but it has a huge drawback in our context: Since we assume an exponential identity space, it requires an exponential number of answers from the authority, which cannot help us to fulfill logarithmic complexity in our application. However, if we focus on the special case of affine \(\mathsf {IBE}\) with bitwise functionFootnote 9, a user key can be described as the list \((\mathsf {usk}[0], \mathsf {usk}[0,\mathsf {id}_0], \dots , \mathsf {usk}[m-1,\mathsf {id}_{m-1}])\) if \(\mathsf {id}_i\) is the i-th bit of the identity \(\mathsf {id}\). One can thus manage to be much more efficient by sending each “bit” evaluation on the user secret key, hidden with a smooth projective hash value on the language “the i-th bit of the identity is a 0 (or 1)”, which is common to all identities. We can thus reduce the number of languages from the number of identities (which is exponential) to the length of an identity (which is polynomial). For security reasons, one cannot give directly the evaluation value, but as we are considering the sum of the evaluations for each bit, we simply add a Shamir-like secret sharing, by adding randomness that is going to cancel out at the end.

Fig. 5.
figure 5

Summary of the Generic Construction of \(\mathsf {BlindUSKGen}(\langle (\mathcal {S},\mathsf {msk})(\mathcal {U},\mathsf {id},\ell ;\varvec{\rho }) \rangle )\) for a Blind affine IBE

Full size image

As a last step, we finally need to make our construction compatible with the UC framework with adaptive corruptions. In this context, interactions should make sense for any possible input chosen by the environment and learnt a posteriori in the simulation during the corruption of an honest party. From the user side, this implies that the last flow should contain enough recoverable information so that a simulator, having sent a commitment to an incorrect identity, can extract the proper user secret key corresponding to the correct identity recovered after the corruption. From the server side, this implies that the \(\mathsf {IBKEM}\) scheme is defined such as one is able to adapt the user secret keys in order to correspond to the new database learnt a posteriori. Of course, not all schemes allow this property, but this will be the case in the pairing scenario considered in our concrete instantiation.

To deal with corruptions of the user, recall that a simulated server (knowing the secret key of the encryption scheme) is already able to extract the identity committed to. But we now consider that, for all \(\mathsf {id}\), \(\mathfrak {L}_{\mathsf {id}}\) is the language of the equivocable commitments on words in the inner language \(\widetilde{\mathfrak {L}}_{\mathsf {id}} = \{\mathsf {id}\}\). We assume them to be a Trapdoor Collection of Languages, which means that it is computationally hard to sample an element in \(\mathfrak {L}_1\cap \dots \cap \mathfrak {L}_n\), except for the simulator, who possesses a trapdoor \(\mathsf {tk}\) (the equivocation trapdoor) allowing it to sample an element in the intersection of languages. This allows a simulated user (knowing this trapdoor) not to really bind to any identity during the commitment phase. The only difference with the algorithm described in Fig. 5 is that the user now encrypts this word \(W\) (which is an equivocable commitment on his identity \(\mathsf {id}\)) rather than directly encrypting his identity \(\mathsf {id}\): \(C = \mathsf {Encrypt}_\mathrm {cca}^\ell (W;\varvec{\rho })\). This technique is also explained as an application of our \(\mathsf {OLBE}\) framework, in the paper full version [10]. We will directly prove this protocol during the proof of the oblivious transfer scheme.

3.4 Generic Construction of Adaptive OT

We derive from here our generic construction of \(\mathsf {OT} \) (depicted in Fig. 6). We additionally assume the existence of a Pseudo-Random Generator (\(\mathsf {PRG}\)) F with input size equal to the plaintext size, and output size equal to the size of the messages in the database and an \( \mathsf {IND\text {-}CPA}\) encryption scheme \({\mathcal {E}}=( \mathsf {Setup}_\mathrm {cpa}, \mathsf {KeyGen}_{\mathrm {cpa}}, \mathsf {Encrypt}_\mathrm {cpa}, \mathsf {Decrypt}_\mathrm {cpa})\) with plaintext size at least equal to the security parameter. First, the owner of the database generates the keys for such an IBE scheme, and encrypts each line i of the database for the identity i. Then when a user wants to request a given line, he runs the blind user key generation algorithm and recovers the key for the expected given line. This leads to the following security result, proven in the paper full version [10].

Theorem 9

Assuming that \(\mathsf {BlindUSKGen}\) is constructed as described above, the adaptive Oblivious Transfer protocol described in Fig. 6 UC-realizes the functionality \(\mathcal {F}^{\mathfrak {L}}_{\text {OT}}\) presented in Fig. 2 with adaptive corruptions assuming reliable erasures.

Fig. 6.
figure 6

Adaptive \(\mathsf {UC}\)-Secure 1-out-of-\(n\) \(\mathsf {OT}\) from a Fragmented Blind IBE

Full size image

3.5 Pairing-Based Instantiation of Adaptive OT

Affine Bit-Wise Blind IBE. In [12], the authors propose a generic framework to move from affine Message Authentication Code to IBE, and they propose a tight instantiation of such a MAC, giving an affine bit-wise IBE, which seems like a good candidate for our setting (making it blind and fragmented).

We are thus going to use the family of IBE described in the following picture (Fig. 7), which is their instantiation derived from a Naor-Reingold MACFootnote 10. In the following, \(h_i()\) are injective deterministic public functions mapping a bit to a scalar in \(\mathbb {Z}_p\).

Fig. 7.
figure 7

A fragmentable affine \(\mathsf {IBKEM}\).

Full size image

A property that was not studied in this paper was the blind user key generation: How to generate and answer blind user secret key queries? We answer to this question by proposing the \(k-\mathsf {MDDH} \)-based variation presented in Fig. 8. To fit the global framework we are going to consider the equivocable language of each chameleon hash of the identity bits (\({\varvec{a}}_i, {\varvec{b}}_{i,m_i}\)), and then a Cramer-Shoup like encryption of \({\varvec{b}}\) into \({\varvec{d}}\) (more details in the paper full version [10]). We denote this process as \(\mathsf {Har}\) in the following protocol, and by \(\mathfrak {L}_{\mathsf {Har},i,\mathsf {id}_i}\) the language on identity bits. We thus obtain the following security results.

Fig. 8.
figure 8

\(\mathsf {BlindUSKGen}(\langle (\mathcal {S},\mathsf {msk})(\mathcal {U},\mathsf {id},\ell ;\varvec{\rho }) \rangle )\).

Full size image

Theorem 10

This construction achieves both the weak Blindness, and the leak-free secret key generation requirements under the \(k-\mathsf {MDDH} \) assumption.

The first one is true under the indistinguishability of the generalized Cramer-Shoup encryption recalled in the paper full version [10], as the server learns nothing about the line requested during the first flow. It should even be noted that because of the inner chameleon hash, a simulator is able to use the trapdoor to do a commitment to every possible words of the set of languages at once, and so can adaptively decide which \(\mathsf {id}\) he requested. The proof of the second result is delayed to the paper full version [10].

For sake of generality, any bit-wise affine IBE could work (like for example Waters IBE [57]), the additional price paid for tightness here is very small and allows to have a better reduction in the proof, but it not required by the framework itself.

Adaptive UC-Secure Oblivious Transfer. We finally get our instantiation by combining this \(k-\mathsf {MDDH} \)-based blind IBE with a \(k-\mathsf {MDDH} \) variant of El Gamal for the CPA encryption needed (see the paper full version [10] for details). The requirement on the \(\mathsf {IBE}\) blind user secret key generation (being able to adapt the key if the line changes) is achieved assuming that the server knows the discrete logarithms of the database lines. This is quite easy to achieve by assuming that for all line s, \(DB(s) = [db(s)]_1\) where db(s) is the real line (thus known). It implies a few more computation on the user’s side in order to recover db(s) from DB(s), but this remains completely feasible if the lines belong to a small space. For practical applications, one could imagine to split all 256-bit lines into 8 pieces for a decent/constant trade-off in favor of computational efficiency.

For \(k=1\), so under the classical \(\mathsf {SXDH}\) assumption, the first flow requires \(8 \log |DB|\) elements in \(\mathbb {G}_1\) for the CCA encryption part and \(\log (|DB|+1)\) in \(\mathbb {G}_2\) for the chameleon one, while the second flow would now require \(1 + 4 \log |DB|\) elements in \(\mathbb {G}_1\), \(1+2 \log |DB|\) for the fragmented masked key, and \(2 \log |DB|\) for the projection keys.

4 Oblivious Language-Based Envelope

The previous construction opens new efficient applications to the already known Oblivious-Transfer protocols. But what happens when someone wants some additional access control by requesting extra properties, like if the user is only allowed to ask two lines with the same parity bits, the user can only request lines for whose number has been signed by an authority, or even finer control provided through credentials?

In this section we propose to develop a new primitive, that we call Oblivious Language-Based Envelope (\(\mathsf {OLBE}\)). The idea generalizes that of Oblivious Transfer and \(\mathsf {OSBE}\), recalled right afterwards, for \(n\) messages (with \(n\) polynomial in the security parameter \(\mathfrak {K}\)) to provide the best of both worlds.

4.1 Oblivious Signature-Based Envelope

We recall the definition and security requirements of an \(\mathsf {OSBE}\) protocol given in [13, 49], in which a sender \(\mathcal {S}\) wants to send a private message \(m\in \{0,1\}^\mathfrak {K}\) to a recipient \(\mathcal {R}\) in possession of a valid certificate/signature on a public message M (given by a certification authority).

Definition 11 (Oblivious Signature-Based Envelope)

An \(\mathsf {OSBE}\) scheme is defined by four algorithms \(( \mathsf {Setup}, \mathsf {KeyGen}, \mathsf {Sign}, \mathsf {Verify})\), and one interactive protocol \(\mathsf {Protocol}\langle \mathcal {S}, \mathcal {R} \rangle \):

  •  \( \mathsf {Setup}(1^\mathfrak {K})\), where \(\mathfrak {K}\) is the security parameter, generates the global parameters \( \mathsf {param}\);

  •  \( \mathsf {KeyGen}(\mathfrak {K})\) generates the keys \((\mathsf {vk},\mathsf {sk})\) of the certification authority;

  •  \( \mathsf {Sign}(\mathsf {sk},M)\) produces a signature \(\sigma \) on the input message M, under the signing key \(\mathsf {sk}\);

  •  \( \mathsf {Verify}(\mathsf {vk},M,\sigma )\) checks whether \(\sigma \) is a valid signature on M, w.r.t. the public key \(\mathsf {vk}\); it outputs 1 if the signature is valid, and 0 otherwise.

  •  \(\mathsf {Protocol}\langle \mathcal {S}(\mathsf {vk},M,P),\mathcal {R}(\mathsf {vk},M,\sigma ) \rangle \) between the sender \(\mathcal {S}\) with the private message P, and the recipient \(\mathcal {R}\) with a certificate \(\sigma \). If \(\sigma \) is a valid signature under \(\mathsf {vk}\) on the common message M, then \(\mathcal {R}\) receives \(m\), otherwise it receives nothing. In any case, \(\mathcal {S}\) does not learn anything.

The authors of [13] proposed some variations to the original definitions from [49], in order to prevent some interference by the authority. Following them, an \(\mathsf {OSBE}\) scheme should fulfill the following security properties. The formal security games are given in [13]. No UC functionality has already been given, to the best of our knowledge.

  • correct: the protocol actually allows \(\mathcal {R}\) to learn P, whenever \(\sigma \) is a valid signature on M under \(\mathsf {vk}\);

  • semantically secure: the recipient learns nothing about \(\mathcal {S}\)’s input \(m\) if it does not use a valid signature \(\sigma \) on M under \(\mathsf {vk}\) as input. More precisely, if \(\mathcal {S}_0\) owns \(P_0\) and \(\mathcal {S}_1\) owns \(P_1\), the recipient that does not use a valid signature cannot distinguish an interaction with \(\mathcal {S}_0\) from an interaction with \(\mathcal {S}_1\) even if he has eavesdropped on several interactions \(\langle \mathcal {S}(\mathsf {vk},M,P),\mathcal {R}(\mathsf {vk},M,\sigma ) \rangle \) with valid signatures, and the same sender’s input P;

  • escrow-free (oblivious with respect to the authority): the authority (owner of the signing key \(\mathsf {sk}\)), playing as the sender or just eavesdropping, is unable to distinguish whether \(\mathcal {R}\) used a valid signature \(\sigma \) on M under \(\mathsf {vk}\) as input.

  • semantically secure w.r.t. the authority: after the interaction, the authority (owner of the signing key \(\mathsf {sk}\)) learns nothing about \(m\) from a passive access to a challenge transcript.

4.2 Definition of an Oblivious Language-Based Envelope

In such a protocol, a sender \(\mathcal {S}\) wants to send one or several private messages (up to \(n_{\mathrm {max}}\le n\)) among \((m_1,\dots ,m_n)\in (\{0,1\}^\ell )^n\) to a recipient \(\mathcal {R}\) in possession of a tuple of words \(W= (W_{i_1},\dots ,W_{i_{n_{\mathrm {max}}}})\) such that some of the words \(W_{i_j}\) may belong to the corresponding language \(\mathfrak {L}_{i_j}\). More precisely, the receiver gets each \(m_{i_j}\) as soon as \(W_{i_j}\in \mathfrak {L}_{i_j}\) with the requirement that he gets at most \(n_{\mathrm {max}}\) messages. In such a scheme, the languages \((\mathfrak {L}_1, \dots ,\mathfrak {L}_n)\) are assumed to be a trapdoor collection of languages, publicly verifiable and self-randomizable (see Sect. 2.3 for the definitions of the properties of the languages).

The collections of words can be a single certificate/signature on a message M (encompassing \(\mathsf {OSBE}\), with \(n=n_{\mathrm {max}}=1\)), a password, a credential, a line number (encompassing 1-out-of-\(n\) oblivious transferFootnote 11, with \(n_{\mathrm {max}}=1\)), k line numbers (encompassing k-out-of-n oblivious transfer, with \(n_{\mathrm {max}}=k\)), etc. (see the paper full version [10] for detailed examples). Following the definitions for \(\mathsf {OSBE}\) recalled above and given in [13, 49], we give the following definition for \(\mathsf {OLBE}\). As we consider simulation-based security (in the UC framework), we allow a simulated setup \( \mathsf {SetupT}\) to be run instead of the classical setup \( \mathsf {Setup}\) in order to allow the simulator to possess some trapdoors. Those two setup algorithms should be indistinguishable.

Definition 12 (Oblivious Language-Based Envelope)

An \(\mathsf {OLBE}\) scheme is defined by four algorithms \(( \mathsf {Setup}, \mathsf {KeyGen}, \mathsf {Samp}, \mathsf {Verify})\), and one interactive protocol \(\mathsf {Protocol}\langle \mathcal {S}, \mathcal {R} \rangle \):

  •  \( \mathsf {Setup}(1^\mathfrak {K})\), where \(\mathfrak {K}\) is the security parameter, generates the global parameters \( \mathsf {param}\), among which the numbers \(n\) and \(n_{\mathrm {max}}\);

    or \( \mathsf {SetupT}(1^\mathfrak {K})\), where \(\mathfrak {K}\) is the security parameter, additionally allows the existenceFootnote 12 of a trapdoor \(\mathsf {tk}\) for the collection of languages \((\mathfrak {L}_1,\dots ,\mathfrak {L}_n)\).

  •  \( \mathsf {KeyGen}( \mathsf {param},\mathfrak {K})\) generates, for all \(i\in \{1,\dots ,n\}\), the description of the language \(\mathfrak {L}_i\) (as well as the language key \(\mathsf {sk}_{\mathfrak {L}_i}\) if need be). If the parameters \( \mathsf {param}\) were defined by \( \mathsf {SetupT}\), this implicitly also defines the common trapdoor \(\mathsf {tk}\) for the collection of languages \((\mathfrak {L}_1,\dots ,\mathfrak {L}_n)\).

  •  \(\mathsf {Samp}( \mathsf {param},I)\) or \(\mathsf {Samp}( \mathsf {param},I, (\mathsf {sk}_{\mathfrak {L}_i})_{i\in I})\) such that \(I\subset \{1,\dots ,n\}\) and \(|I|=n_{\mathrm {max}}\), generates a list of words \((W_i)_{i\in I}\) such that \(W_i\in \mathfrak {L}_i\) for all \(i\in I\);

  •  \( \mathsf {Verify}_i(W_i,\mathfrak {L}_i)\) checks whether \(W_i\) is a valid word in the language \(\mathfrak {L}_i\). It outputs 1 if the word is valid, 0 otherwise;

  •  \(\mathsf {Protocol}\langle \mathcal {S}((\mathfrak {L}_1,\dots ,\mathfrak {L}_n),(m_1,\dots ,m_n)), \mathcal {R}((\mathfrak {L}_1,\dots ,\mathfrak {L}_n),(W_i)_{i\in I}) \rangle \), which is executed between the sender \(\mathcal {S}\) with the private messages \((m_1,\dots ,P_n)\) and corresponding languages \((\mathfrak {L}_1,\dots ,\mathfrak {L}_n)\), and the recipient \(\mathcal {R}\) with the same languages and the words \((W_i)_{i\in I}\) with \(I \subset \{1,\dots ,n\}\) and \(|I|=n_{\mathrm {max}}\), proceeds as follows. For all \(i\in I\), if the algorithm \( \mathsf {Verify}_i(W_i,\mathfrak {L}_i)\) returns 1, then \(\mathcal {R}\) receives \(m_i\), otherwise it does not. In any case, \(\mathcal {S}\) does not learn anything.

4.3 Security Properties and Ideal Functionality of OLBE

Since we aim at proving the security in the universal composability framework, we now describe the corresponding ideal functionality (depicted in Fig. 9). However, in order to ease the comparison with an \(\mathsf {OSBE}\) scheme, we first list the security properties required, following [13, 49]:

  • correct: the protocol actually allows \(\mathcal {R}\) to learn \((m_i)_{i\in I}\), whenever \((W_i)_{i\in I}\) are valid words of the languages \((\mathfrak {L}_i)_{i\in I}\), where \(I \subset \{1, \dots , n\}\) and \(|I| =n_{\mathrm {max}}\);

  • semantically secure (sem): the recipient learns nothing about the input \(m_i\) of \(\mathcal {S}\) if it does not use a word in \(\mathfrak {L}_i\). More precisely, if \(\mathcal {S}_0\) owns \(m_{i,0}\) and \(\mathcal {S}_1\) owns \(m_{i,1}\), the recipient that does not use a word in \(\mathfrak {L}_i\) cannot distinguish between an interaction with \(\mathcal {S}_0\) and an interaction with \(\mathcal {S}_1\) even if the receiver has seen several interactions

    $$\begin{aligned} \langle \mathcal {S}((\mathfrak {L}_1,\dots ,\mathfrak {L}_n),(m_1,\dots ,m_n)), \mathcal {R}((\mathfrak {L}_1,\dots ,\mathfrak {L}_n),(W'_j)_{j\in I}) \rangle \end{aligned}$$

    with valid words \(W'_i \in \mathfrak {L}_i\), and the same sender’s input \(m_i\);

  • escrow free (oblivious with respect to the authority): the authority corresponding to the language \(\mathfrak {L}_i\) (owner of the language secret key \(\mathsf {sk}_{\mathfrak {L}_i}\) – if it exists), playing as the sender or just eavesdropping, is unable to distinguish whether \(\mathcal {R}\) used a word \(W_i\) in the language \(\mathfrak {L}_i\) or not. This requirement also holds for anyone holding the trapdoor key \(\mathsf {tk}\).

  • semantically secure w.r.t. the authority (\(sem^*\)): after the interaction, the trusted authority (owner of the language secret keys if they exist) learns nothing about the values \((m_i)_{i\in I}\) from the transcript of the execution. This requirement also holds for anyone holding the trapdoor key \(\mathsf {tk}\).

Moreover, the Setups should be indistinguishable and it should be infeasible to find a word belonging to two or more languages without the knowledge of \(\mathsf {tk}\).

Fig. 9.
figure 9

Ideal Functionality for Oblivious Language-Based Envelope \(\mathcal {F}_{\text {OLBE}}\)

Full size image

The ideal functionality is parametrized by a set of languages \((\mathfrak {L}_1,\dots ,\mathfrak {L}_n)\). Since we show in the following sections that one can see \(\mathsf {OSBE}\) and \(\mathsf {OT} \) as special cases of \(\mathsf {OLBE}\), it is inspired from the oblivious transfer functionality given in [1, 21, 24] in order to provide a framework consistent with works well-known in the literature. As for oblivious transfer (Fig. 2), we adapt them to the simple UC framework for simplicity (this enables us to get rid of \( \texttt {Sent} \) and \( \texttt {Received} \) queries from the adversary since the delayed outputs are automatically considered in this simpler framework: We implicitly let the adversary determine if it wants to acknowledge the fact that a message was indeed sent). The first step for the sender (\( \texttt {Send} \) query) consists in telling the functionality he is willing to take part in the protocol, giving as input his intended receiver and the messages he is willing to send (up to \(n_{\mathrm {max}}\) messages). For the receiver, the first step (\( \texttt {Receive} \) query) consists in giving the functionality the name of the player he intends to receive the messages from, as well as his words. If the word does belong to the language, the receiver recovers the sent message, otherwise, he only gets a special symbol \(\bot \).

4.4 Generic UC-Secure Instantiation of OLBE with Adaptive Security

For the sake of clarity, we now concentrate on the specific case where \(n_{\mathrm {max}}=1\). This is the most classical case in practice, and suffices for both \(\mathsf {OSBE}\) and 1-out-of-\(n\) \(\mathsf {OT} \). In order to get a generic protocol in which \(n_{\mathrm {max}}>1\), one simply has to run \(n_{\mathrm {max}}\) protocols in parallel. This modifies the algorithms \(\mathsf {Samp}\) and \( \mathsf {Verify}\) as follows: \(\mathsf {Samp}( \mathsf {param},\{i\})\) or \(\mathsf {Samp}( \mathsf {param},\{i\},\{\mathsf {sk}_{\mathfrak {L}_i}\})\) generates a word \(W=W_i\in \mathfrak {L}_i\) and \( \mathsf {Verify}_j(W,\mathfrak {L}_j)\) checks whether \(W\) is a valid word in \(\mathfrak {L}_j\).

Let us introduce our protocol \(\mathsf {OLBE}\): we will call \(\mathcal {R}\) the receiver and \(\mathcal {S}\) the sender. If \(\mathcal {R}\) is an honest receiver, then he knows a word \(W=W_i\) in one of the languages \(\mathfrak {L}_i\). If \(\mathcal {S}\) is an honest sender, then he wants to send up a message among \((m_1,\dots ,m_n)\in (\{0,1\}^\mathfrak {K})^n\) to \(\mathcal {R}\). We assume the languages \(\mathfrak {L}_i\) to be self-randomizable and publicly verifiable. We also assume the collection of languages \((\mathfrak {L}_1,\dots ,\mathfrak {L}_n)\) possess a trapdoor, that the simulator is able to find by programming the common reference string. As recalled in the previous section, this trapdoor enables him to find a word lying in the intersection of the \(n\) languages. This should be infeasible without the knowledge of the trapdoor. Intuitively, this allows the simulator to commit to all languages at once, postponing the time when it needs to choose the exact language he wants to bind to. On the opposite, if a user was granted the same possibilities, this would prevent the simulator to extract the chosen language.

Fig. 10.
figure 10

\(\mathsf {UC}\)-Secure \(\mathsf {OLBE}\) for One Message (Secure Against Adaptive Corruptions)

Full size image

We assume the existence of a labeled \(\mathsf {CCA}\)-encryption scheme \({\mathcal {E}}=( \mathsf {Setup}_\mathrm {cca}, \mathsf {KeyGen}_{\mathrm {cca}}, \mathsf {Encrypt}^\ell _\mathrm {cca}, \mathsf {Decrypt}^\ell _\mathrm {cca})\) compatible with an \(\mathsf {SPHF} \) onto a set G. In the \( \mathsf {KeyGen}\) algorithm, the description of the languages \((\mathfrak {L}_1,\dots ,\mathfrak {L}_n)\) thus implicitly defines the languages \((\mathfrak {L}^c_{1},\dots ,\mathfrak {L}^c_{n})\) of \(\mathsf {CCA}\)-encryptions of elements of the languages \((\mathfrak {L}_1,\dots ,\mathfrak {L}_n)\). We additionally use a key derivation function KDF to derive a pseudo-random bit-string \(K\in \{0,1\}^\mathfrak {K}\) from a pseudo-random element \(v \in G\). One can use the Leftover-Hash Lemma [40], with a random seed defined in \( \mathsf {param}\) during the global setup, to extract the entropy from v, then followed by a pseudo-random generator to get a long enough bit-string. Many uses of the same seed in the Leftover-Hash Lemma just lead to a security loss linear in the number of extractions. We also assume the existence of a Pseudo-Random Generator (\(\mathsf {PRG}\)) F with input size equal to the plaintext size, and output size equal to the size of the messages in the database and an \( \mathsf {IND\text {-}CPA}\) encryption scheme \({\mathcal {E}}=( \mathsf {Setup}_\mathrm {cpa}, \mathsf {KeyGen}_{\mathrm {cpa}}, \mathsf {Encrypt}_\mathrm {cpa}, \mathsf {Decrypt}_\mathrm {cpa})\) with plaintext size at least equal to the security parameter.

We follow the ideas of the oblivious transfer constructions given in [1, 9], giving the protocol presented on Fig. 10. For the sake of simplicity, we only give the version for adaptive security, in which the sender generates a public key \(\mathsf {pk}\) and ciphertext c to create a somewhat secure channel (they would not be used in the static version).

Theorem 13

The oblivious language-based envelope scheme described in Fig. 10 is \(\mathsf {UC}\)-secure in the presence of adaptive adversaries, assuming reliable erasures, an \( \mathsf {IND\text {-}CPA} \) encryption scheme, and an \( \mathsf {IND\text {-}CCA} \) encryption scheme admitting an \(\mathsf {SPHF}\) on the language of valid ciphertexts of elements of \(\mathfrak {L}_i\) for all i, as soon as the languages are self-randomizable, publicly-verifiable and admit a common trapdoor. The proof is given in the paper full version [10].

4.5 Oblivious Primitives Obtained by the Framework

Classical oblivious primitives such as Oblivious Transfer (both 1-out-of-n and k-out-of-n) or Oblivious Signature-Based Envelope directly lie in this framework and can be seen as examples of Oblivious Language-Based Envelope. We provide in the paper full version [10] details about how to describe the languages and choose appropriate smooth projective hash functions to readily achieve current instantiations of Oblivious Signature-Based Envelope or Oblivious Transfer from our generic protocol. The framework also enables us to give a new instantiation of Access Controlled Oblivious Transfer under classical assumptions. In such a primitive, the user does not automatically gets the line he asks for, but has to prove that he possesses one of the credential needed to access this particular line.

For the sake of simplicity, all the instantiations given are pairing-based but techniques explained in [9] could be used to rely on other families of assumptions, like decisional quadratic residue or even LWE.