Improved Non-Committing Encryption with Applications to Adaptively Secure Protocols Seung Geol Choi1⋆ , Dana Dachman-Soled1⋆ , Tal Malkin1⋆ , and Hoeteck Wee2⋆⋆ 1 Columbia University. {sgchoi,dglasner,tal}@cs.columbia.edu 2 Queens College, CUNY. hoeteck@cs.qc.cuny.edu Abstract. We present a new construction of non-committing encryption schemes. Unlike the previous constructions of Canetti et al. (STOC ’96) and of Damgård and Nielsen (Crypto ’00), our construction achieves all of the following properties: – Optimal round complexity. Our encryption scheme is a 2-round protocol, matching the round complexity of Canetti et al. and improving upon that in Damgård and Nielsen. – Weaker assumptions. Our construction is based on trapdoor simulatable cryptosystems, a new primitive that we introduce as a relaxation of those used in previous works. We also show how to realize this primitive based on hardness of factoring. – Improved efficiency. The amortized complexity of encrypting a single bit is O(1) public key operations on a constant-sized plaintext in the underlying cryptosystem. As a result, we obtain the first non-committing public-key encryption schemes under hardness of factoring and worst-case lattice assumptions; previously, such schemes were only known under the CDH and RSA assumptions. Combined with existing work on secure multi-party computation, we obtain protocols for multi-party computation secure against a malicious adversary that may adaptively corrupt an arbitrary number of parties under weaker assumptions than were previously known. Specifically, we obtain the first adaptively secure multi-party protocols based on hardness of factoring in both the stand-alone setting and the UC setting with a common reference string. Key words: public-key encryption, adaptive corruption, non-committing encryption, secure multi-party computation. 1 Introduction Secure multi-party computation (MPC) allows several mutually distrustful parties to perform a joint computation without compromising, to the greatest ⋆ ⋆⋆ supported in part by NSF Grants CCF-0347839, CNS-0716245, CNS-0831094 and SBE0245014. partially supported by a PSC-CUNY Award, and part of this work was done while a post-doc at Columbia University. extent possible, the privacy of their inputs or the correctness of the outputs. An important criterion in evaluating the security guarantee is how many parties an adversary is allowed to corrupt and when the adversary determines which parties to corrupt. Ideally, we want to achieve the strongest notion of security, namely, against an adversary that corrupts an arbitrary number of parties, and adaptively determines who and when to corrupt during the course of the computation (and without assuming erasures3 ). Even though the latter is a very natural and realistic assumption about the adversary, most of the MPC literature only addresses security against a static adversary, namely one that chooses (and fixes) which parties to corrupt before the protocol starts executing. And if indeed such protocols do exist, it is important to answer the following question: What are the cryptographic assumptions under which we can realize MPC protocols secure against a malicious, adaptive adversary that may corrupt a majority of the parties? Towards answering this question, we revisit the problem of constructing non-committing encryption schemes, a cryptographic primitive first introduced by Canetti et al. [CFGN 96] as a tool for building adaptively secure MPC protocols in the presence of an honest majority. Informally, non-committing encryption schemes are semantically secure, possibly interactive encryption schemes, with the additional property that a simulator can generate special ciphertexts that can be opened to both a 0 and a 1. In a more recent work, Canetti et al. [CLOS 02] (extending [B 98]) showed how to construct adaptively secure oblivious transfer protocols starting from non-committing public-key encryption schemes (i.e. the key generation algorithm must be non-interactive), which may in turn be used to construct MPC protocols secure against a malicious, adaptive adversary that may corrupt an arbitrary number of parties. Unfortunately, the only known constructions of non-committing publickey encryption schemes (PKEs) are based on the CDH and RSA assumptions [CFGN 96] and the construction exploits in a very essential way that these assumptions give rise to families of trapdoor permutations with a common domain. If we allow for an interactive key generation phase, Damgård and Nielsen [DN 00], building on [B 97,CFGN 96], constructed 3-round non-committing encryption schemes based on a more general assumption, that of simulatable PKEs, which may in turn be realized from DDH, CDH, RSA and more recently, worst-case lattice assumptions [GPV 08] (see figure 1). 3 Refer to [C 00, Section 5.2] for a discussion on how trusted erasures may be a problematic assumption. 1.1 Our results First, we present a new construction of non-committing encryption schemes, which simultaneously improves upon all of the previous constructions in [CFGN 96,DN 00]: Optimal Round Complexity. We provide a construction of non-committing PKEs from simulatable cryptosystems. Our construction is surprisingly simple - a twist to the standard cut-and-choose techniques used in [DN 00,KO 04] - and also admits a fairly straight-forward simulation and analysis. In particular, our construction and the analysis are conceptually and technically simpler than those in [CFGN 96,DN 00]; we avoid having to analyze the number of one’s in certain Binomial distributions as in [CFGN 96] and to consider a subtle failure mode as in [DN 00]. Reducing the assumptions. Informally, a simulatable PKE is an encryption scheme with special algorithms for obliviously sampling public keys and random ciphertexts without learning the corresponding secret keys and plaintexts; in addition, both of these oblivious sampling algorithms should be efficiently invertible. We define a weaker assumption, which we refer to as trapdoor simulatable cryptosystems, and prove that it is sufficient for our construction and analysis to go through. Roughly speaking, we provide the inverting algorithms in a simulatable cryptosystem with additional trapdoor information (hence the modifier “trapdoor”), which makes it easier to design a simulatable cryptosystem. Improved efficiency. While the main focus of this work is feasibility results (notably, reducing the computational assumptions for both non-committing encryption schemes and adaptively secure MPC), we show how to combine a variant of our basic construction with the use of error-correcting codes to achieve better efficiency. That is, the amortized complexity of encrypting a single bit is O(1) public-key operations on a constant-sized plaintext in the underlying cryptosystem. Thus, we obtain the following. Theorem 1 (informal). There exists a black-box construction of a non-committing public-key encryption scheme, starting from any trapdoor simulatable cryptosystem. Factoring-based constructions. Next, we derive trapdoor simulatable cryptosystems from a variant of Rabin’s trapdoor permutations (c.f. [H 99,S 96,FF 02]) based on the hardness of factoring Blum integers. CDH, RSA DDH, LWE / simulatable common-domain TDP  / simulatable PKE    / 2-round NCE o_ _ ED   / 3-round NCE   BC factoring BI _ _ _ _/ trapdoor simulatable PKE _ _ _ _ _ _ _ _ _ _ _ Fig. 1. Summary of previous results (solid lines) along with our contributions (dashed lines). Theorem 2 (informal). Suppose factoring Blum integers is hard on average. Then, there exists a trapdoor simulatable cryptosystem. We stress that we do not know how to construct a simulatable cryptosystem under the same assumptions; specifically, inverting the sampling algorithm for ciphertexts in our construction without the trapdoor (the factorization of the Blum integer modulus) appears to be as hard as factoring Blum integers. This shows that trapdoor simulatable cryptosystems is indeed a meaningful and useful relaxation. In the process, we also obtain the first factoring-based dense cryptosystems.4 When combined with enhanced trapdoor permutations, this yields the first factoring-based non-interactive proofs of knowledge [DP 92]. Oblivious transfer and MPC. We consider the applications of our main result to the constructions of adaptively secure oblivious transfer and general MPC protocols in both the stand-alone setting and the UC setting (c.f. [CLOS 02,IPS 08,CDSMW 09]). Theorem 3 (informal). There exists a black-box construction of a 6-round 1out-of-ℓ oblivious transfer protocol for strings in the FCOM -hybrid model5 in the UC setting that is secure against a malicious, adaptive adversary, starting from any trapdoor simulatable cryptosystem. We add that if the oblivious key generation algorithm in the trapdoor simulatable cryptosystem achieves statistical indistinguishability (which is the case for all of the afore-mentioned constructions), then we obtain an OT protocol that is secure against a computationally unbounded malicious sender. While our OT protocol is not as efficient as that in the recent work of Garay, Wichs and 4 5 These are PKE schemes where a random string has a inverse polynomial probability of being a valid public key. FCOM is an ideal functionality for commitment. Zhou [GWZ 09] (we incur an additional multiplicative overhead that is linear in the security parameter), our protocol along with our general framework offers several advantages: – In addition to relying on the FCOM functionality and a simulatable PKE (to implement non-committing encryption) as in our work, the [GWZ 09] framework requires a so-called enhanced dual-mode cryptosystem. This is a relatively high-level CRS-based primitive from [PVW 08] augmented with two main additional properties: the first has a flavor of oblivious sampling; the second requires that the underlying CRS be a common random string (modulo some system parameters) and not just a common reference string. This requirement is inherent to their framework, since this CRS is generated using a coin-tossing protocol. This latter requirement is very restrictive, and the only known construction of an enhanced dual-mode cryptosystem is based on the quadratic residuocity assumption. – Our protocol immediately handles 1-out-of-ℓ OT, whereas [GWZ 09] only addresses 1-out-of-2 OT, a limitation inherited from [PVW 08]. Combined with [CLOS 02,IPS 08,CDSMW 09], we obtain the following corollaries: Corollary 1 (informal). Assuming the existence of trapdoor simulatable cryptosystems, there exists adaptively secure multi-party protocols in the standalone setting and in the FCOM -hybrid model in the UC setting against a malicious adversary that may adaptively corrupt any number of parties. Specifically, we obtain the first adaptively secure multi-party protocols based on hardness of factoring in both the stand-alone setting and the UC setting with a common reference string. 1.2 Additional related work The problem of constructing encryption schemes that are secure against adaptive corruptions was first addressed in the work of Beaver and Haber [BH 92]. They considered a simpler scenario where the honest parties have the ability to securely and completely erase previous states. For instance, an honest sender could erase the randomness used for encryption after sending the ciphertext, so that upon being corrupted, the adversary only gets to see the corresponding plaintext. An intermediate model, wherein we assume secure erasures for either the sender or receiver but not both (or, by limiting the adversary to corrupting at most one of the two parties), has been considered in several other works [JL 00,CHK 05,KO 04]. Organization. We present an overview of our constructions in Section 2, preliminaries in Section 3, the formulation of a trapdoor simulatable PKE in Section 4, our factoring-based trapdoor simulatable PKE in Section 6, and our non-committing encryption scheme in Section 5. In Section 7, we show the construction of a 6-round oblivious transfer protocol. 2 Overview of our constructions At a high level, our non-committing PKE is similar to that from previous works [CFGN 96,DN 00,KO 04]. The receiver generates a collection of public keys in such a way that it only knows an α fraction of the corresponding secret keys; this can be achieved by generating an α fraction of the public keys using the key generation algorithm and the remaining 1 − α fraction obliviously. Similarly, the sender generates a collection of ciphertexts in such a way that it only knows an α fraction of the corresponding plaintexts. Previous constructions all work with the natural choice of α = 1/2 so that the simulator generates a collection of ciphertexts half of which are encryptions of 0 and the other half are encryptions of 1. As noted in [KO 04], this is sufficient for obtaining noncommitting PKEs wherein at most one party is corrupted. Roughly speaking, the difficulty in handling simultaneous corruptions of both the sender and the receiver with α = 1/2 is that in the simulation, the sender’s choice of the α fraction of keys completely determine the receiver’s choice of the α fraction of ciphertexts whereas in an actual honest encryption, these choices are completely independent (we elaborate on this later in this section). The key insight in our construction is to work with a smaller value of α (turns out 1/4 is good enough). A toy construction. Consider the following encryption scheme, which is a simplification of that in [KO 04,DN 00]. The receiver generates a pair of public keys (PK0 , PK1 ) by generating one key (selected at random) using the keygeneration algorithm, and the other using the oblivious sampling algorithm. To encrypt a bit b, the sender generates a pair of ciphertexts (C0 , C1 ) as follows: pick a random bit r, set Cr to be EncPKr (b) and choose C1−r using the oblivious sampling algorithm. To decrypt, the receiver decrypts exactly one of C0 , C1 using the secret key that it knows. This construction corresponds to α = 1/2 where α is the fraction of public keys for which the receiver knows the secret key, and also the fraction of ciphertexts for which the sender knows the plaintext. Observe that this encryption scheme has the following properties: – It has a constant decryption error of 1/4 if an obliviously sampled ciphertext is equally likely to decrypt to 0 or 1. As shown in [KO 04], this error can be reduced by standard repetition techniques. – It tolerates corruption of either the sender or the receiver, but not both. Consider a simulator that generates both of (PK0 , PK1 ) (along with SK0 , SK1 ) using the key-generation algorithm, and a ciphertext (C0 , C1 ) as follows: pick a random bit β, and set C0 to be EncPK0 (β) and C1 to be EncPK1 (1−β). Suppose the simulator later learns that this is an encryption of 0. If only the sender is corrupted, the simulator claims r = β and that C1−β is obliviously sampled. If only the receiver is corrupted, it claims that it knows SKβ and that PK1−β is oblivious sampled. We highlight two subtleties in the above simulation strategy. First, it achieves 0 decryption error (as opposed to 1/4 in an honest encryption); this can be fixed with a somewhat more involved simulation strategy. This in turn becomes pretty complicated once we use standard repetition techniques to reduce the decryption error. Next, it is always the case in the simulation that either both PK0 and C0 are obliviously sampled, or both PK1 and C1 are obliviously sampled. As such, this simulation strategy fails if both the sender and the receiver are corrupted, because in an actual encryption, which of PK0 , PK1 and which of C0 , C1 are obliviously sampled are determined independently. Our encryption scheme. As noted in the introduction, the key insight in our construction is to work with a small value of α. In addition, following [DN 00], we use a random k-bit encoding of 0 and 1, where k is the security parameter: – The receiver generates 4k public keys PK1 , . . . , PK4k : k of them are generated using the key-generation algorithm, and the remaining 3k are generated using the oblivious sampling algorithm. The receiver then sends PK 1 , . . . , PK4k along with two random k-bit messages M0 , M1 . – To encrypt a bit b, the sender sends 4k ciphertexts (one for each of PK 1 , . . . , PK4k ), of which k are encryptions of Mb , and the remaining ones are obliviously sampled. – To decrypt, the receiver decrypts the k ciphertexts for which it knows the corresponding secret key. If any of the k plaintexts matches M0 , it outputs 0 and otherwise, it outputs 1. Encoding 0 and 1 randomly as M0 and M1 is useful for two reasons: – That an obliviously sampled ciphertext is equally likely to decrypt to 0 or 1 is no longer needed to guarantee correctness (c.f. [DN 00]). Indeed, reasoning about decryptions of obliviously sampled ciphertext is non-trivial for the lattice-based simulatable PKEs in [GPV 08]. – Constructing a simulator becomes much easier as we avoid having to generate distributions over k independent biased bits conditioned on the majority of the bits being 0, say. Generating such distributions arises for instance in [CFGN 96] and is related to the first subtlety associated with the naive simulation strategy. In our construction, the simulated ciphertext comprises k encryptions of M0 , k encryptions of M1 , and 2k obliviously generated ciphertexts. Having these extra 2k obliviously generated ciphertexts (which is possible because α < 1/2) is crucial for handling simultaneous corruptions of the sender and the receiver. Trapdoor Simulatable PKEs from factoring. Our factoring-based trapdoor simulatable PKE construction consists of two main steps. First, we modify the Rabin trapdoor permutations based on squaring modulo Blum integer so that it remains a permutation over any arbitrary integer modulus. This relies on the following number-theoretical structural lemma implicit in [H 99,S 96,FF 02]6 : k Let N be an arbitrary odd k-bit integer, and let QN = {a2 (mod N ) | ∗ }. Then, the map ψ : x 7→ x2 defines a permutation over Q . a ∈ ZN N We also provide an efficient algorithm for inverting ψ given the factorization of N . Note that the standard algorithm for computing square roots does not guarantee that the output lies in QN . Moreover, the probability that a random square root lies in QN may be exponential small so we cannot repeatedly computing random square roots until we find one in QN ; it’s also not clear a-priori how to test membership in QN even given the factorization of N . The next step transforms the family of trapdoor permutations ψ acting on the domain QN into a family of “enhanced” trapdoor permutations with the same domain QN , using an idea from [G 04, Section C.1]. The latter has the property that we can obliviously sample a random element y in QN so that given y along with the coin tosses used to sample y, it is infeasible to compute the preimage of y under the permutation (note that the naive algorithm for sampling a random element of QN gives away its preimage under ψ). We will need the oblivious sampling algorithm for a random element in QN in our oblivious sampling algorithm for random ciphertexts. We will also need to realize trapdoor invertibility for the latter, which requires an efficient algorithm that given the factorization of N and an element y in QN , outputs a random 2k ’th root of y.7 6 7 ∗ It was shown in [H 99] that ψ defines a permutation over the subgroup ON of ZN of odd order, and that ON contains QN ; turns out ON = QN . While QN is trivially sampleable, it is not clear a-priori how to sample from ON . If we are given just N and not its factorization, this problem is at least as hard as factoring random Blum integers. This is in essence why we only obtain a factoring-based trapdoor simulatable PKE and not a simulatable PKE. Note that iteratively computing random square roots k times does not work: after computing the first square root, we may not end up with a 2k−1 ’th power. 3 Preliminaries If A is a probabilistic polynomial time (hereafter, ppt) algorithm that runs on input x, A(x) denotes the random variable according to the distribution of the output of A on input x. We denote by A(x; r) the output of A on input x and random coins r. To simplify the notation, we will often omit quantifying over the distribution for r; it will usually be clear from the context when r is not fixed, that it is drawn from the uniform distribution over strings of the appropriate length. We assume that the reader is familiar with the standard definitions of publickey encryption schemes and semantic security (c.f. [GM 84,G 04]). We stress that we allow decryption errors that are exponentially small in k: Definition 1 (encryption scheme). A triple (Gen, Enc, Dec) is an encryption scheme, if Gen and Enc are ppt algorithms and Dec is a deterministic polynomial-time algorithm such that for every message m ∈ {0, 1}∗ of polynomial length, Pr[Gen(1k ) → (PK, SK), EncPK (m) → c; DecSK (c) 6= m] < 2−Ω(k) . Non-committing encryption. For simplicity, we present the definition of a non-committing public-key encryption scheme for single-bit messages: Definition 2 (non-committing encryption [CFGN 96]). A non-committing (bit) encryption scheme consists of a tuple (NCGen, NCEnc, NCDec, NCSim) where (NCGen, NCEnc, NCDec) is an encryption scheme and NCSim is the simulation algorithm that on input 1k , outputs (e, c, σG0 , σE0 , σG1 , σE1 ) with the following property: for b = 0, 1 the following distributions are computationally indistinguishable: – the joint view of an honest sender and an honest receiver in a normal encryption of b: {(e, c, σG , σE ) | (e, d) = NCGen(1k ; σG ), c = NCEnce (b; σE )} – simulated view of an encryption of b: {(e, c, σGb , σEb ) | NCSim(1k ) → (e, c, σG0 , σE0 , σG1 , σE1 )} It follows from the definition that a non-committing encryption scheme is also semantically secure. Encrypting longer messages. Starting with a non-committing bit encryption scheme (NCGen, NCEnc, NCDec, NCSim), we may encrypt a longer message of length n by generating n independent public keys using NCGen, encrypting each bit of the message using a different public key and then concatenating the n ciphertexts. Note that this is different from the case of semantically secure encryption, where we may encrypt each bit using the same public key. 4 Trapdoor Simulatable Public Key Encryption A ℓ-bit trapdoor simulatable encryption scheme consists of an encryption scheme (Gen, Enc, Dec) augmented with (oGen, oRndEnc, rGen, rRndEnc). Here, oGen and oRndEnc are the oblivious sampling algorithms for public keys and ciphertexts, and rGen and rRndEnc are the respective inverting algorithms8 . We require that, for all messages m ∈ {0, 1}ℓ , the following distributions are computationally indistinguishable: {rGen(rG ), rRndEnc(rG , rE , m), PK, c | (PK, SK) = Gen(1k ; rG ), c = EncPK (m; rE )} k ˆ , ĉ | (PK ˆ , ⊥) = oGen(1k ; r̂G ), ĉ = oRndEncPK and {r̂G , r̂E , PK ˆ (1 ; r̂E )} It follows from the definition that a trapdoor simulatable encryption scheme is also semantically secure. Encrypting longer messages. We note that if we started only with a trapdoor simulatable PKE for single bits, we may encrypt a longer message of length n by generating a single public key PK using Gen, and concatenating each of the message encrypted under PK. 5 Non-Committing Encryption from Weaker Assumptions Theorem 4. Suppose there exists a trapdoor simulatable encryption scheme. Then, there exists a non-committing encryption scheme as well as a universally composable oblivious transfer protocol secure against semi-honest, adaptive adversaries. We show how to construct a non-committing bit encryption scheme (NCGen, NCEnc, NCDec, NCSim) from a k-bit trapdoor simulatable PKE (Gen, Enc, Dec) (augmented with (oGen, oRndEnc, rGen, rRndEnc)). This is sufficient to establish the theorem by the connection between encrypting single bits and multiple bits as discussed in Sections 3 and 4. Our construction is presented in Figures 2 and 3. 8 Existence of such inverting algorithms is called trapdoor invertibility. Compared to the simulatable cryptosystem (without trapdoor) defined in [DN 00], rGen (resp. rRndEnc) takes rG (resp. (rG , rE , m)) as the additional trapdoor information. Key Generation NCGen(1k ): 1. Pick M0 , M1 at random from {0, 1}k . 2. Choose a random subset T ⊆ [4k] of size k. 3. For i = 1, 2, . . . , 4k, generate a pair (PKi , SKi ) as follows: ( Gen(1k ) if i ∈ T (PKi , SKi ) = oGen(1k ) otherwise Set e = [M0 , M1 , PK1 , . . . , PK4k ] and d = [T, SK1 , . . . , SK4k ]. Encryption NCEncPK (b): 1. Choose a random subset S ⊆ [4k] of size k. 2. For i = 1, 2, . . . , 4k, generate a ciphertext ci as follows: ( EncPKi (Mb ) if i ∈ S ci = k oRndEncPKi (1 ) otherwise Set c = [c1 , . . . , c4k ]. Decryption NCDecPK (c): 1. Compute J = {DecPKi (ci )|i ∈ T }. 2. If M0 ∈ J, output 0; else, output 1. Fig. 2. Non-Committing Encryption Scheme (NCGen, NCEnc, NCDec) Correctness. We begin by establishing correctness. – Assume that the input [c1 , . . . , c4k ] to the decryption algorithm is a random encryption of 0. Recall that J = {DecSKi (ci ) | i ∈ T } and
we
will output 4k −Ω(k) 0 unless M0 ∈ / J. It is easy to see that Pr[M0 ∈ / J] ≤ 3k / k k +2 where the first summand comes from the probability that S ∩ T = ∅ and the second bounds the probability of a decryption error in the underlying encryption scheme (Gen, Enc, Dec). – Assume that the input [c1 , . . . , c4k ] to the decryption algorithm is a random encryption of 1. Recall that J = {DecSKi (ci ) | i ∈ T } and we will output 1 unless M0 ∈ J. To bound Pr[M0 ∈ J], observe that the distribution of J depends only on M1 , PK1 , . . . , PK4k , T, SK1 , . . . , SK4k and the coin tosses used to generate c1 , . . . , c4k , and is therefore independent of the choice of a random M0 . This means that for each i ∈ T , the probability that DecSKi (ci ) equals M0 is 2−k . Taking a union bound, we obtain Pr[M0 ∈ J] ≤ k · 2−k . Security. We need to show that for each b = 0, 1, a normal encryption of b and a simulated encryption of b are computationally indistinguishable. Note that the view in a normal encryption of b contains two sets T, S which we will label as Simulation NCSim: 1. Pick M0 , M1 at random from {0, 1}k . 2. Picking the sets S0 , S1 , T0 , T1 : – Pick two random subsets S0 , T0 of [4k] each of size k. – Pick two random subsets S1 , T1 of [4k]\(S0 ∪T0 ) such that |S1 ∩T1 | = |S0 ∩T0 |. 3. Generating the keys: for i = 1, 2, . . . , 4k, set ( Gen(1k ; rGi ) if i ∈ T0 ∪ S0 ∪ T1 ∪ S1 (PKi , SKi ) = k i oGen(1 ; r̂G ) otherwise 4. Generating the ciphertext: for i = 1, 2, . . . , 4k, set  i  EncPKi (M0 ; rE ) if i ∈ S0 i ci = EncPKi (M1 ; rE ) if i ∈ S1   oRndEncPKi (r̂Ei ) otherwise 5. Simulating an opening to b: set σGb b,4k {Sb , ub,1 }, where E , . . . , uE  i   rG b,i uG = rGen(rGi )   i r̂G  i   rE b,i uE = rRndEnc(rGi , rEi , M1−b )   i r̂E = b,4k {Tb , ub,1 } and σEb G , . . . , uG = if i ∈ Tb if i ∈ T0 ∪ T1 ∪ S0 ∪ S1 \ Tb otherwise if i ∈ Sb if i ∈ S1−b otherwise Set e = [M0 , M1 , PK1 , . . . , PK4k ], c = [c1 , . . . , c4k ]. Additionally output σG0 , σE0 , σG1 , σE1 . Fig. 3. Non-Committing Encryption Scheme NCSim Tb , Sb and we will append to the view two sets T1−b , S1−b that are determined as follows: pick two random subsets S1−b , T1−b of [4k] \ (Sb ∪ Tb ) such that |S1 ∩ T1 | = |S0 ∩ T0 |; call this distribution H0 . We will also append to the view in a simulated encryption of b the sets T1−b , S1−b as determined by the experiment NCSim; call this distribution H4k . We will show that the augmented distributions H0 and H4k are computationally indistinguishable in two steps: Reasoning about the sets. First, we claim that the 4-tuple (S0 , T0 , S1 , T1 ) in the augmented distribution H0 and in H4k are identically distributed. If b = 0, this is obvious since the distributions are defined in exactly the same way. The case for b = 1 follows from a symmetry argument, namely that if we switch (S0 , T0 ) with (S1 , T1 ) in the experiment NCSim, we get exactly the same distribution. Henceforth, it suffices to argue that H0 and H4k are computationally indistinguishable, conditioned on some fixed (S0 , T0 , S1 , T1 ) in both H0 and H4k . We may now WLOG focus on the case b = 0. In fact, we may as well also fix M0 , M1 in both H0 and H4k . In addition to S0 , T0 , S1 , T1 , M0 , M1 , the distributions H0 , H4k comprise: – – – – 4k public keys PK1 , . . . , PK4k (generated using either Gen or oGen); 4k ciphertexts c1 , . . . , c4k (generated using either Enc or oRndEnc); 4k sets of coin tosses u1G , . . . , u4k G for generating the public/secret keys; and 4k sets of coin tosses u1E , . . . , u4k E for generating the ciphertexts. That is, we have 4k tuples of the form (PKi , ci , uiG , uiE ), i = 1, . . . , 4k in each view. Since S0 , T0 , S1 , T1 are fixed, each of these 4k tuples are independently sampled from some distribution that only depends on the index i. Denote by X1 , . . . , X4k the random variables for the 4k tuples in H0 , and Y1 , . . . , Y4k the random variables for the 4k tuples in H4k . The hybrid argument. Next, we argue that Xi and Yi are computationally indistinguishable for i = 1, . . . , 4k, from which the indistinguishability of H0 and H4k follows via a hybrid argument. There are several cases we need to consider: – i ∈ T0 or i ∈ [4k] \ (T0 ∪ S0 ∪ T1 ∪ S1 ). It is easy to verify that in either of these cases, Xi and Yi are identically distributed. – i ∈ S1 (“oGen, oRndEnc ∼ = Gen, Enc”). Here, Xi is the distribution ˆ , ĉ, r̂G , r̂E | (PK ˆ , ⊥) = oGen(r̂G ), ĉ = oRndEncPK {PK ˆ (r̂E )} and Yi is the distribution {PK, c, rGen(rG ), rRndEnc(rG , rE , M1 ) | (PK, SK) = Gen(rG ), c = EncPK (M1 ; rE )}. Indistinguishability follows immediately from the security of the trapdoor simulatable PKE. – i ∈ S0 \ T0 (“oGen, Enc ∼ = Gen, Enc”). Here, Xi is the distribution ˆ , c, r̂G , rE | (PK ˆ , ⊥) = oGen(r̂G ), c = EncPK {PK ˆ (M0 ; rE )} and Yi is the distribution {PK, c, rGen(rG ), rE | (PK, SK) = Gen(rG ), c = EncPK (M0 ; rE )}. Indistinguishability follows again from the security of the trapdoor simulatable PKE. – i ∈ T1 \ S1 (“oGen, oRndEnc ∼ = Gen, oRndEnc”). Here, Xi is the distribution ˆ , ĉ, r̂G , r̂E | (PK ˆ , ⊥) = oGen(r̂G ), ĉ = oRndEncPK {PK ˆ (r̂E )} and Yi is the distribution {PK, ĉ, rGen(rG ), r̂E | (PK, SK) = Gen(rG ), ĉ = oRndEncPK (r̂E )}. Indistinguishability follows again from the security of the trapdoor simulatable PKE. Improving the efficiency. Instead of using sets S, T ⊂ [4k] of size k, we choose S, T ⊂ [40] of size 10. The previous analysis still goes through, except we now have a constant decryption error. To address this problem, we first encode the message9 with a linear-rate error-correcting code that corrects a constant fraction of errors, and then encrypt the codeword with the encryption scheme with constant error. 6 Trapdoor Simulatable PKE from Hardness of Factoring Theorem 5. Suppose factoring Blum integers is hard on average, and that Blum integers are dense, then there exists a trapdoor simulatable PKE. For simplicity, we only present a 1-bit trapdoor simulatable encryption scheme; we may encrypt longer messages by encrypting bit by bit. A number-theoretic lemma. Fix any k-bit integer modulus N and we will ∗ . We will use factor(N ) to denote the factorization of work with the group ZN k ∗ }. Now, consider the map ψ : Q → N , and we define QN = {a2 | a ∈ ZN N N QN given by ψN (x) = x2 (mod N ). As shown in [H 99, Facts 3.5-3.7], ψN defines a permutation on QN . We provide a more direct proof which also yields an efficient algorithm to invert ψN given factor(N ). Claim. The map ψN defines a permutation on QN . Proof. Let q denote the largest odd divisor of φ(N ), where φ(·) is the Euler’s totient function. It is easy to see that φ(N ) divides 2k q, since N < 2k . Take k any y ∈ QN , where y = a2 . Then by Euler’s theorem, y q = 1 (mod N ) and thus ψN (y (q+1)/2 ) = y (mod N ). Clearly, y (q+1)/2 ∈ QN , so the map ψN is surjective. Moreover, the range and domain of ψN have equal sizes, so ψN must define a bijection. ⊓ ⊔ The construction. We sketch the construction here; the formal construction is shown in Figure 4. S TEP 1: First, we construct a family of “weakly one-way” enhanced trapdoor permutations. We start by modifying ψN to obtain a new family of permutations πN ; the modification is analogous to that in [G 04, Section C.1] to obtain enhanced trapdoor permutations from Rabin’s trapdoor permutations. 9 The codeword length (or, equivalently the message length) should be Ω(k). Then, by Chernoff bound, the number of decryption errors remains a constant fraction of the codeword length with overwhelming probability. Key generation Gen(1k ): 1. Run Bach’s algorithm using the randomness rG to sample random N1 , . . . , Nk3 ∈ {0, 1}k along with their factorization factor(N1 ), . . . , factor(Nk3 ). 2. Set PK = [N1 , . . . , Nk3 ] and SK = [factor(N1 ), . . . , factor(Nk3 )]. Encryption Enc(b): ∗ ∗ ×· · ·×ZN , r1 , . . . , rk3 ∈ {0, 1}k 1. Parse the randomness rE as (a1 , . . . , ak3 ) ∈ ZN 1 k3 and b1 , . . . , bk3 −1 ∈ {0, 1}. 2. Compute bk3 = b ⊕ b1 ⊕ · · · ⊕ bk3 −1 . k 3. Compute xi = a2i ∈ QNi , i = 1, . . . , k 3 . 4. Output [πNi (xi ), ri , (xi · ri ) ⊕ bi , i = 1, . . . , k 3 ]. Decryption Dec(c): 1. Parse c as [yi , ri , βi , i = 1, . . . , k 3 ]. −1 2. Compute bi = (πN (yi ) · ri ) ⊕ βi , i = 1, . . . , k 3 . i 3. Output b1 ⊕ · · · ⊕ bk3 . Oblivious key generation oGen(1k ): 4 1. Parse the randomness r̂G ∈ {0, 1}k as N1 , . . . , Nk3 ∈ {0, 1}k . 2. Output (N1 , . . . , Nk3 ). Trapdoor invertibility key generation rGen(rG ): 1. Run Gen(rG ) to obtain r̂G = (N1 , . . . , Nk3 ). 2. Output r̂G . Oblivious sampling of ciphertexts oRndEnc(1k ): ∗ ∗ 1. Parse the randomness r̂E as (γ1 , . . . , γk3 ) ∈ ZN ×· · ·×ZN , s1 , . . . , sk3 ∈ {0, 1}k 1 k3 and β1 , . . . , βk3 ∈ {0, 1}. k 2. Compute yi = γi2 ∈ QNi , i = 1, . . . , k 3 . 3. Output [yi , si , βi , i = 1, . . . , k 3 ]. Trapdoor invertibility for ciphertexts rRndEnc(rG , rE , b): 1. Use rG to compute factor(N1 ), . . . , factor(Nk ). and parse rE as in Enc. 2. Set si = ri and βi = (xi · ri ) ⊕ bi , i = 1, . . . , k 3 . k ∗ 3. Pick a random γi uniformly from the set {γi ∈ ZN | γi2 = πNi (xi )}. i 4. Output r̂E = (γ1 , . . . , γk3 , s1 , . . . , sk3 , β1 , . . . , βk3 ). Fig. 4. Trapdoor Simulatable PKE from hardness of factoring Blum integers The permutations πN : QN → QN are indexed by a k-bit integer N and is given by: k+1 def k+1 πN (x) = ψN (x) = x2 (mod N ) and the trapdoor is factor(N ). We may sample from this family by running Bach’s algorithm [B 88,K 02] to pick a random k-bit integer along with its factorization. It is easy to verify πN is a family of trapdoor permutations. Clearly, πN is a permutation because it is the (k +1)-fold iterate of a permutation ψN . Given the index N , πN is efficiently computable by repeated squaring. Given −1 the trapdoor factor(N ), πN is efficiently computable given factor(N ), by k+1 simply mapping y to y ((q+1)/2) , i.e., raising y to the (q + 1)/2’th power k + 1 times. Here, q denotes the largest odd divisor of φ(N ), which is easy to compute with the trapdoor. Moreover, we can show that if N is a Blum integer (which occurs with probability Ω(1/k 2 ) [GM 04,RS 94]), then inverting πN given N is at least as hard as factoring N . This implies that πN is one-way with probability Ω(1/k 2 ) over the choice of N . S TEP 2: Construct a “weak” encryption scheme using the standard construction of PKE from trapdoor permutations via the Goldreich-Levin hardcore predicate. The public key is N , the secret key is factor(N ), and to encrypt a bit b, we pick a random x ∈ QN , r ∈ {0, 1}k and output (πN (x), r, (x·r)⊕b), where x·r is the standard dot-product of k-bit strings. Again, this scheme will be semantically secure with probability Ω(1/k 2 ) over the choice of N . S TEP 3: To boost the security of the “weak” encryption scheme, we define a new scheme where the public key is k 3 random k-bit strings N1 , . . . , Nk3 (with overwhelming probability, one of these is a Blum integer), and to encrypt a bit b, we pick random b1 , . . . , bk3 such that b = b1 ⊕ · · · · bk3 and concatenate the encryptions of b1 , . . . , bk3 under the respective public keys N1 , . . . , Nk3 . By a standard argument (c.f. [Y 82,DP 92]), this encryption scheme is semantically secure in the standard sense. Analysis. Indeed, we claim something stronger – that the encryption scheme derived in Step 3 is a trapdoor simulatable PKE. – (Oblivious sampling & trapdoor invertibility for key generation) This is trivial, since a random public key corresponds to a string in {0, 1}4k . We can clearly sample such a public key without learning the secret key. – (Oblivious sampling & trapdoor invertibility for random ciphertext) For simplicity, we present the algorithms for sampling random ciphertext for the scheme obtained in Step 2. Here, sampling is easy: on input the public ∗ , s ∈ {0, 1}k , β ∈ {0, 1}) and output (γ 2k , s, β). key N , pick γ ∈ ZN To implement reverse sampling, we need an efficient algorithm that given ∗ | factor(N ) and x ∈ QN , output a random element of the set {γ ∈ ZN k k+1 2 2 γ = πN (x) = x }. This can be accomplished as follows: pick a k k ∗ random η ∈ ZN and output x2 · η/(η 2 )((q+1)/2) , where q is as before k k the largest odd divisor of φ(N ). This works because η/(η 2 )((q+1)/2) will be a random 2k ’th root of 1 (mod N ). For the actual proof of security, we will need to show that if N is a random Blum integer, then the following distributions are computationally indistinguishable for every b: k {(N, γ, πN (x), r, (x · r) ⊕ b)} and {(N, γ, γ 2 , r, β)} The first distribution corresponds to an encryption of b using modulus N and randomness (x, r) along with γ the output of rRndEnc (a random solution to k the equation γ 2 = πN (x)). The second corresponds to an obliviously generated ciphertext along with the randomness. If there exists an efficient distinguisher, −1 2k then there exists an efficient procedure A that on input N, γ, outputs πN (γ ) with noticeable probability. Since squaring is a bijection on quadratic residues modulo Blum integers, the output of A is also the 4th root of γ 2 . We may then use a reduction in [G 04, Section C.1] to derive from A an algorithm for factoring N with noticeable probability. 7 Oblivious Transfer and MPC We describe the construction underlying Theorem 3, which proceeds in two steps: S TEP 1: We begin with the [CLOS 02] construction of a semi-honest OT protocol as applied to our non-committing encryption scheme, and observe that the protocol is secure against malicious senders. For that, we just need to show how to extract the sender’s input when the receiver is honest. In this case, the simulator will generate the public keys sent by the receiver in the first message along with the secret keys, so that it can then extract the malicious sender’s input by decrypting. S TEP 2: Next, we apply the compiler in [CDSMW 09] to “boost” the security guarantee from tolerating semi-honest receivers to tolerating malicious receivers. (Note that we will not need to apply OT reversal as in [CDSMW 09].) Acknowledgements. We thank Ran Canetti, Yuval Ishai, Jonathan Katz, and Chris Peikert for helpful discussions and clarifications. References [B 88] E. Bach. How to generate factored random numbers. SIAM J. Comput., 17(2):179– 193, 1988. [B 97] D. Beaver. Plug and play encryption. In CRYPTO, pages 75–89, 1997. [B 98] D. Beaver. Adaptively secure oblivious transfer. In ASIACRYPT, pages 300–314, 1998. [BH 92] D. Beaver and S. Haber. Cryptographic protocols provably secure against dynamic adversaries. In EUROCRYPT, pages 307–323, 1992. [C 00] R. Canetti. Security and composition of multiparty cryptographic protocols. J. Cryptology, 13(1):143–202, 2000. [CDSMW 09] S. G. Choi, D. Dachman-Soled, T. Malkin, and H. Wee. Simple, black-box constructions of adaptively secure protocols. In TCC, pages 387–402, 2009. [CFGN 96] [CHK 05] [CLOS 02] [DN 00] [DP 92] [FF 02] [G 04] [GM 84] [GM 04] [GPV 08] [GWZ 09] [H 99] [IPS 08] [JL 00] [K 02] [KO 04] [PVW 08] [RS 94] [S 96] [Y 82] R. Canetti, U. Feige, O. Goldreich, and M. Naor. Adaptively secure multiparty computation. In STOC, pages 639–648, 1996. Longer version at http://www.wisdom.weizmann.ac.il/~naor/PAPERS/nce_abs.html. R. Canetti, S. Halevi, and J. Katz. Adaptively-secure, non-interactive public-key encryption. In TCC, pages 150–168, 2005. R. Canetti, Y. Lindell, R. Ostrovsky, and A. Sahai. Universally composable twoparty and multi-party secure computation. In STOC, pages 494–503, 2002. I. Damgård and J. B. Nielsen. Improved non-committing encryption schemes based on a general complexity assumption. In CRYPTO, pages 432–450, 2000. A. De Santis and G. Persiano. Zero-knowledge proofs of knowledge without interaction. In FOCS, pages 427–436, 1992. M. Fischlin and R. Fischlin. The representation problem based on factoring. In CT-RSA, pages 96–113, 2002. O. Goldreich. Foundations of Cryptography: Volume II, Basic Applications. Cambridge University Press, 2004. S. Goldwasser and S. Micali. Probabilistic encryption. J. Comput. Syst. Sci., 28(2):270–299, 1984. A. Granville and G. Martin. Prime number races, 2004. http://arxiv.org/abs/math/0408319. C. Gentry, C. Peikert, and V. Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In STOC, pages 197–206, 2008. J. A. Garay, D. Wichs, and H.-S. Zhou. Somewhat non-committing encryption and efficient adaptively secure oblivious transfer. In CRYPTO, 2009. To appear. Also, Cryptology ePrint Archive, Report 2008/534. S. Halevi. Efficient commitment schemes with bounded sender and unbounded receiver. J. Cryptology, 12(2):77–89, 1999. Y. Ishai, M. Prabhakaran, and A. Sahai. Founding cryptography on oblivious transfer - efficiently. In CRYPTO, pages 572–591, 2008. S. Jarecki and A. Lysyanskaya. Adaptively secure threshold cryptography: Introducing concurrency, removing erasures. In EUROCRYPT, pages 221–242, 2000. A. Kalai. Generating random factored numbers, easily. In SODA, pages 412–412, 2002. J. Katz and R. Ostrovsky. Round-optimal secure two-party computation. In CRYPTO, pages 335–354, 2004. C. Peikert, V. Vaikuntanathan, and B. Waters. A framework for efficient and composable oblivious transfer. In CRYPTO, pages 554–571, 2008. M. Rubinstein and P. Sarnak. Chebyshevs bias. Experiment. Math, 3(3):173–197, 1994. C.-P. Schnorr. Security of 2t -root identification and signatures. In CRYPTO, pages 143–156, 1996. A. C.-C. Yao. Theory and applications of trapdoor functions. In FOCS, pages 80–91, 1982.