Somewhat Non-Committing Encryption
and Efficient Adaptively Secure Oblivious Transfer
Juan A. Garay∗
Daniel Wichs†
Hong-Sheng Zhou‡
April 15, 2009
Abstract
Designing efficient cryptographic protocols tolerating adaptive adversaries, who are able to corrupt parties
on the fly as the computation proceeds, has been an elusive task. Indeed, thus far no efficient protocols achieve
adaptive security for general multi-party computation, or even for many specific two-party tasks such as oblivious transfer (OT). In fact, it is difficult and expensive to achieve adaptive security even for the task of secure
communication, which is arguably the most basic task in cryptography.
In this paper we make progress in this area. First, we introduce a new notion called semi-adaptive security
which is slightly stronger than static security but significantly weaker than fully adaptive security. The main
difference between adaptive and semi-adaptive security is that, for semi-adaptive security, the simulator is not
required to handle the case where both parties start out honest and one becomes corrupted later on during the
protocol execution. As such, semi-adaptive security is much easier to achieve than fully adaptive security.
We then give a simple, generic protocol compiler which transforms any semi-adaptively secure protocol into a
fully adaptively secure one. The compilation effectively decomposes the problem of adaptive security into two
(simpler) problems which can be tackled separately: the problem of semi-adaptive security and the problem of
realizing a weaker variant of secure channels.
We solve the latter problem by means of a new primitive that we call somewhat non-committing encryption
resulting in significant efficiency improvements over the standard method for realizing (fully) secure channels
using (fully) non-committing encryption. Somewhat non-committing encryption has two parameters: an equivocality parameter ℓ (measuring the number of ways that a ciphertext can be “opened”) and the message sizes k.
Our implementation is very efficient for small values ℓ, even when k is large. This translates into a very efficient
compilation of many semi-adaptively secure protocols (in particular, for a task with small input/output domains
such as bit-OT) into a fully adaptively secure protocol.
Finally, we showcase our methodology by applying it to the recent Oblivious Transfer protocol by Peikert et
al. [Crypto 2008], which is only secure against static corruptions, to obtain the first efficient, adaptively secure
and composable OT protocol. In particular, to transfer an n-bit message, we use a constant number of rounds
and O(n) public key operations.
1 Introduction
When defining the security of cryptographic protocols, we generally strive to capture as wide a variety of adversarial attacks as possible. The most popular method of doing so is the simulation paradigm [GMW87] where the
security of a real-world protocol is compared to that of an ideal-world (perfectly secure) implementation of the same
task. Within the simulation paradigm there are several flavors. Firstly, basic simulation only guarantees security
for single copy of a protocol executing in isolation. The Universal Composability (UC) framework [Can01, Can05]
extends the simulation paradigm and defines security for protocols executed in arbitrary environments, where executions may be concurrent and even maliciously interleaved. Secondly, we generally distinguish between static
and adaptive security. Static security protects against an adversary who controls some fixed set of corrupted parties
throughout the computation. Adaptive security, on the other hand, defends against an adversary who can corrupt
parties adaptively at any point during the course of the protocol execution (for example by bribing them or hacking
∗
AT&T Labs – Research, 180 Park Avenue, Florham Park, NJ 07932, USA. Email: garay@research.att.com.
Computer Science Department, New York University, NY 10012, USA. Email: wichs@cs.nyu.edu.
‡
University of Connecticut, Computer Science & Engineering, Storrs, CT 06269, USA. Email: hszhou@cse.uconn.edu.
†
1
into their machines). For adaptive security, we also make a distinction between the erasure model, where honest
parties are trusted to securely erase data as mandated by the protocol, and the non-erasure model, where no such
assumptions are made. Given the difficulty of erasing data securely it is valuable to construct protocols in the latter
model, which is the subject of this work.
The seminal result of [CLOS02] shows that it is theoretically possible to design an adaptively secure and universally composable protocol for almost any task assuming the presence of some trusted setup such as a randomly
selected common reference string (CRS). Unfortunately, the final protocol of [CLOS02] should be viewed as a
purely theoretical construction. Its reliance on expensive Cook-Levin reductions precludes a practical implementation. Alternative efficient approaches to two-party and multi-party computation received a lot of attention in the
recent works of [DN03, KO04, GMY04, JS07, LP07, IPS08, Lin09]. However, all of these results sacrifice some
aspect of security to get efficiency. Concretely, the work of [LP07] only provides stand-alone static security, [JS07]
provides UC static security, [GMY04, Lin09] provide UC/concurrent adaptive security but only in the erasure
model, and [DN03] provides UC adaptive security but only for an honest majority, and [KO04] do not allow for
an adversary that eventually corrupts all parties. The recent work of [IPS08] can provide UC adaptive security but
only given an efficient adaptively secure Oblivious Transfer (OT) protocol. However, as we will discuss, no such
protocols were known. Lastly, we mention the work of [CDD+ 04], which gives a generic compiler from static to
adaptive security using secure channels. Unfortunately, this compiler does not provide full adaptive security (does
not allow for post-execution corruptions) and, as was noted in [Lin09], crucially relies on rewinding and hence
cannot be used in the UC framework.
Indeed, thus far no efficient protocols for general multi-party computation, or even for many specific twoparty function evaluation tasks, achieve adaptive security. This is not surprising given the difficulty of realizing
adaptive security for even the most fundamental task in cryptography: secure communication. As was observed
in [CFGN96], standard security notions for encryption do not suffice. Adaptively secure communication schemes,
also called non-committing encryption schemes, were introduced and constructed in [CFGN96] and studied further
in [Bea97, DN00], but these protocols are fairly complicated and inefficient for large messages.
It turns out that many useful two-party tasks (e.g., Oblivious Transfer, OR, XOR, AND, Millionaires’ problem,
etc.) are strictly harder to achieve than secure communication, the reason being that these tasks allow two honest
parties to communicate by using the corresponding ideal functionality. For example, using Oblivious Transfer
(OT), an honest sender can transfer a message to a receiver by setting it as both of his input values. Therefore, an
adaptively secure OT protocol for the transfer of k bit messages can be used as a non-committing encryption of a k
bit message and so all of the difficulty and inefficiency of non-committing encryption must also appear in protocols
for tasks such as OT. Further, unlike secure communication, many tasks also require security against the active and
malicious behavior of the participants. This might lead us to believe that the two difficulties will be compounded
making efficient adaptively secure implementations of such tasks infeasible or too complicated to contemplate.
Taking Oblivious Transfer as an example, this indeed seems to be the case. The recent work of [LZ09], proves a
(black-box) separation between enhanced trapdoor permutations (which allow for static OT) and adaptively secure
OT, showing that the latter is indeed “more complex” in a theoretical sense. This complexity is reflected in practice
as well. We are aware of only two examples (albeit inefficient) of adaptively secure OT protocols, from [Bea98] and
[CLOS02]. Both of these works first construct an OT protocol for the honest-but-curious setting and then compile
it into a fully-secure protocol using generic and inefficient zero knowledge proofs. In both constructions, the
underlying honest-but-curious OT protocols rely on ideas from non-committing encryption1 and hence inherit its
complexity. Since the full constructions require us to run zero knowledge proofs on top of the complex underlying
honest-but-curious protocol, there is little hope of making them efficient by only using proofs for simple relations.
This is in contrast to static security (and adaptive security in the erasure model) for which we have recently seen
efficient constructions of OT protocols. For example, [GMY04, JS07, DNO08] construct OT protocols by only
using simple and efficient zero-knowledge proofs. Interestingly, Ishai et al. [IKLP06] give the first OT protocol
constructions against malicious corruptions without using zero knowledge proofs; this result was later strengthened
in [Hai08]. Two very recent and efficient concrete protocols not using zero-knowledge proofs are given in [PVW08,
Lin08]. The protocol of [PVW08] is particularly exciting since it is a UC-secure protocol in the CRS model which
runs in two rounds and uses a constant number of public key operations. Achieving adaptive security based on
these protocols has, however, remained as an open problem.
1
The protocol of [Bea98] implicitly uses the plug-and-play approach from [Bea97], while the protocol of [CLOS02] uses non-committing
encryption in a generic way.
2
In summary, we can use ideas from non-committing encryption to get honest-but-curious adaptively secure OT
protocols, or we can use various clever ideas to achieve static security in the malicious setting, but there has been
no known way to combine these techniques.
1.1
Our contributions
In this work we construct the first efficient (constant round, constant number of public-key operations) adaptively
secure Oblivious Transfer protocol in the non-erasure model. Along the way we develop several techniques of
independent interest which are applicable to adaptive security in general.
First, we introduce a new notion called semi-adaptive security which is slightly stronger than static security
but significantly weaker than fully adaptive security. In particular, a semi-adaptively secure protocol for a task like
OT, does not yield a non-committing encryption scheme and hence does not (necessarily) inherit its difficulty. We
then give a generic compiler which transforms any semi-adaptively secure protocol into a (fully) adaptively secure
protocol. The compiler is fairly simple: we take the original protocol and execute it over a secure communication
channel (i.e., all communication from one party to another is sent over a secure channel). The compilation effectively decomposes the problem of adaptive security into two (simpler) problems which can be tackled separately:
the problem of semi-adaptive security and the problem of realizing secure channels. We note that a similar compiler
was studied in [CDD+ 04]. As we mentioned, that compiler only works in the stand-alone setting and transforms
a statically secure protocol into one which is adaptively secure without post-execution corruptions. In contrast,
our protocol works in the UC setting, and results in fully adaptive security, but requires the starting protocol to be
semi-adaptively secure (a new notion which we formally define later).
Unfortunately, we saw that the construction of secure-channels is a difficult problem and existing solutions
are not very efficient. Also, as we already mentioned, we cannot completely bypass this problem since adaptive
security for many tasks implies secure channels. However, for the sake of efficiency, we would like to limit the use
of secure channels (and hence the use of non-committing encryption) to a minimum. For example, we know that
an OT protocol for one-bit messages implies a non-committing encryption of a one-bit message. However, to get
adaptive security for a bit-OT protocol, our compiler, as described above, would use non-committing encryption to
encrypt the entire protocol transcript, and hence much more than one bit!
We fix this discrepancy by introducing a new notion called somewhat non-committing encryption. Somewhat
non-committing encryption has two parameters: the equivocality ℓ (measuring just how non-committing the scheme
is) and the message size k. We first observe that somewhat non-committing encryption is efficient for small values
of the equivocality parameter ℓ, even when k is large (i.e., when we encrypt long messages). Secondly, we observe
that our compiler can use somewhat non-committing encryption where the equivocality ℓ is proportional to the size
of the input and output domains of the functionality. As a result, we obtain a very efficient compiler transforming
any semi-adaptively secure protocol for a task with small input/output domains (such as bit-OT) into a fully adaptively secure protocol. We also show that this methodology can, in special cases, be applied to tasks with larger
domain sizes such as string-OT with long strings.
We apply our methodology to the OT protocol of Peikert et al. [PVW08], resulting in the first efficient and
adaptively secure OT protocols. Peikert et al. actually present a general framework for constructing static OT, and
instantiate this framework using the Quadratic Residuocity (QR), Decisional Diffie-Hellman (DDH), and Latticebased assumptions. In this work, we concentrate on the QR and DDH based schemes. We show that relatively
small modifications suffice to make these schemes semi-adaptively secure. We then employ our compiler, using
somewhat non-committing encryption, to convert them into (fully) adaptively UC-secure OT protocols.
1.2
Concurrent and independent work
Following the line of work of [IKLP06, Hai08], the recent result of [CDMW09] gives a generic black-box compiler
from semi-honest adaptively secure OT to fully malicious adaptively secure OT, using cut-and-choose techniques.
Although the end result of our work is the same (adaptively secure OT), the two works take very different approaches which complement each other well: the compiler of [CDMW09] transforms semi-honest + adaptive security into malicious + adaptive security in the special case of OT, while our compiler is a general transformation from
malicious + semi-adaptive security to malicious + adaptive security. The two starting notions of security (semihonest + adaptive vs. malicious + semi-adaptive) are incomparable and thus both compilers are useful in different
scenarios. In particular, our compiler can be used in conjunction with the OT protocol of [PVW08] and results in
3
an extremely efficient adaptively-secure OT protocol using a constant number of rounds and O(n) public-key operations to transfer an n-bit string.2 In contrast, the compiler of [CDMW09] shows how to base adaptively-secure
OT on a simulatable cryptosystem in a black-box way, but at the expense of running Ω(λ2 ) copies of the underlying
semi-honest OT protocol, where λ is the security parameter, and thus requiring Ω(λ2 n) operations for n-bit OT.
Therefore our protocol can be significantly more efficient.
To avoid diluting the main ideas of the paper, we put all proofs in the appendix, together with background
material, efficiency considerations, our enhanced version of the QR dual-mode cryptosystem, and our DDH version
of adaptively secure bit- and string-OT.
2 Somewhat Non-Committing Encryption and Adaptive Security
2.1
Adaptive security in two-party protocols
What are some of the challenges in achieving adaptive security for a two-party protocol? Let’s assume that a
protocol π between two parties P0 , P1 realizes a task F with respect to static adversaries. That means that there is
a static simulator which can simulate the three basic cases: both parties are honest throughout the protocol, exactly
one party is corrupted throughout the protocol or both parties are corrupted throughout the protocol. To handle
adaptive adversaries, we require two more capabilities from our simulator: the ability to simulate a first corruption
(i.e., the case that both parties start out honest and then one of them becomes corrupted) and simulating the second
corruption (i.e., the case that one party is already corrupted and the other party becomes corrupted as well).
Simulating the first corruption is often the harder of the two cases. The simulator must produce the internal state
for the corrupted party in a manner that is consistent with the protocol transcript so far and with the actual inputs of
that party (of which the simulator had no prior knowledge). Moreover, the simulator needs to have all the necessary
trapdoors to continue the simulation while only one party is corrupted. Achieving both of these requirements at
once is highly non-trivial and this is one of the reasons why efficient protocols for adaptively secure two-party
computation have remained elusive.
Interestingly, simulating the first corruption becomes much easier if the protocol π employs secure channels
for all communication between parties. At a high level, the simulator does not have to do any work while both
parties are honest, since the real-world adversary does not see any relevant information during this time! When the
first party becomes corrupted, we can just run a static simulation for the scenario in which this party was corrupted
from the beginning but acting honestly and using its input. Then, we can “lie” and pretend that this communication
(generated ex post facto) actually took place over the secure channel when both parties were honest. The lying
is performed by setting the internal state of the corrupted party accordingly. Since our lie corresponds to the
simulation of a statically corrupted party (which happens to act honestly), all of the trapdoors are in place to handle
future mischievous behavior by that (freshly corrupted) party. The only problem left is in handling the second
corruption – but this is significantly easier! To formalize this, we will define a notion of semi-adaptive security
where the simulator needs to be able to simulate static corruptions as well as the case where one party starts out
corrupted and the other party becomes corrupted later on (but not the case where both parties start out honest
and may become corrupted later). The formal notion (with some additional restrictions imposed on the simulator)
appears in Section 2.4. Informally, we have argued the following claim:
Claim 2.1. (Simplified and incorrect version) Assume that a two-party protocol π for a task F is semi-adaptively
secure. Then the protocol is also fully adaptively secure if all communication between the parties is sent over an
idealized secure channel.
The above claim (when formalized and corrected) will already allow us to compile many protocols for tasks like
OT into adaptively secure ones. However, we would like to improve the efficiency of this compilation. Unfortunately, idealized secure channels are hard to achieve physically and implementing such channels cryptographically
in the real world requires the inefficient use of non-committing encryption to encrypt the entire protocol transcript.
Luckily, it turns out that we often do not need to employ fully non-committing encryption to make the transformation of Claim 2.1 hold. We define a weaker primitive called somewhat non-committing encryption and show
that this primitive can be implemented with significantly greater efficiency than (fully) non-committing encryption.
2
Technically, if one thinks of n as a function of λ, we require O(max(λ, n)) operations.
4
Finally, we show that somewhat non-committing encryption is often good enough to transform a semi-adaptively
secure protocol into a fully adaptively secure protocol when the sizes of the input/output domains are small.
2.2
Defining somewhat non-committing encryption
Let us first recall the notion of non-committing encryption from [CFGN96]. This is a protocol used to realize
secure channels in the presence of an adaptive adversary. In particular, this means that a simulator can produce
“fake” ciphertexts and later explain them as encryptions of any possible given message. The idea of realizing
secure channels against adaptive adversaries as part of a compilation of adaptively secure protocols goes back to
[BH92] where this is done in the erasure model. Several non-committing encryption schemes in the non-erasure
model have appeared in literature [CFGN96, Bea97, DN00] but the main disadvantage of such schemes is the
computational cost. All of the schemes are interactive (which was shown to be necessary in [Nie02]) and the most
efficient schemes require Ω(1) public-key operations (e.g. exponentiations) per bit of plaintext.3
We notice that it is often unnecessary to require that the simulator can explain a ciphertext as the encryption
of any later-specified plaintext. Instead, we define a new primitive, which we call somewhat non-committing
encryption, where the simulator is given a set of ℓ messages during the generation of the fake ciphertext and must
later be able to plausibly explain the ciphertext as the encryption of any one of those ℓ messages. In a sense, we
distinguish between two parameters: the plaintext size (in bits) k and the equivocality ℓ (the number of messages
that the simulator can plausibly explain). For fully non-committing encryption, the equivocality and the message
size are related by ℓ = 2k . Somewhat non-committing encryption, on the other hand, is useful in accommodating
the case where the equivocality ℓ is very small, but the message size k is large.
N
Functionality FSC
N
The ideal functionality FSC
interacts with an initiator I and a receiver R. It consists of a channel-setup phase, after
which the two parties can send arbitrarily many messages from one to another. The functionality is parameterized by a
non-information oracle N . It verifies that sid = (I, R, sid ′ ) is consistent for all received messages and ignores otherwise.
Channel setup: Upon receiving an input (ChSetup, sid , I) from party I, initialize the machine N and record the tuple
(sid , N ). Pass the message (ChSetup, I) to R. In addition, pass this message to N and forward its output to S.
Message transfer: Upon receiving an input (Send, sid , P, m) from party P where P ∈ {I, R}, find a tuple (sid , N )
and, if none exists, ignore the message. Otherwise, send the message (Send, sid , P, m) to the other party P =
{I, R} − {P }. In addition, invoke N with (Send, sid , P, m) and forward its output to the adversary S.
Corruption: Upon receiving a message (Corrupt, sid , P ) from the adversary, send (Corrupt, sid , P ) to N and forward its output to the adversary. After the first corruption, stop the execution of N and give the adversary S
complete control over the functionality (i.e. the adversary S learns all inputs and can specify any outputs).
N .
Figure 1: The parameterized secure-channel ideal functionality, FSC
It is challenging to define an ideal-functionality for somewhat non-committing encryption, for the same reason
that it is difficult to define ideal functionalities for many useful primitives like witness indistinguishable proofs of
knowledge: the ideal world often captures a notion of security which is too strong. Here, we take the approach
of [CK02] where ideal-world functionalities are weakened by the inclusion of a non-information oracle which is
a PPT TM that captures the information leaked to the adversary in the ideal world. The ideal world functionality
for secure channels in Figure 1, is parameterized using a non-information oracle N which gets the values of the
exchanged messages m and outputs some side information to the adversary S. The security of the secure channel
N depends on the security properties required for the machine N and thus we can capture several
functionality FSC
meaningful notions. Let us first start with the most secure option which captures (fully) non-committing encryption.
Definition 2.2. Let N full be the oracle, which, on input (Send, sid , P, m), produces the output (Send, sid , P, |m|)
and, on any inputs corresponding to the ChSetup, Corrupt commands, produces no output. We call the function3
No such lower bound has appeared in literature and proving it, or providing a more efficient scheme, seems like an interesting though
difficult open problem.
5
full
N
ality FSC
, or just FSC for brevity, a (fully) non-committing secure channel. A real-world protocol which realizes
FSC is called a non-committing encryption scheme (NCE).
In the above definition, the oracle N never reveals anything about messages m exchanged by two honest
parties, even if (both of the) parties later get corrupted. Hence the functionality is fully non-committing. To define
somewhat non-committing encryption we first start with the following definitions of non-information oracles.
Definition 2.3. A machine R is called a message-ignoring oracle if, on any input (Send, sid , P, m), it ignores the
value m and processes only the input (Send, sid , P, |m|). A machine M called a message-processing oracle if it
has no such restrictions. We call a pair of machines (M, R) well-matched if no PPT distinguisher D (with oracle
access to either M or R) can distinguish the message-processing oracle M from the message-ignoring oracle R.
We are now ready to define the non-information oracle used by a somewhat non-committing secure channel
ideal functionality.
Definition 2.4. Let (M, R) be a well-matched pair which consists of a message-processing and a messageignoring oracle respectively. Let N ℓ be a (stateful) oracle with the following structure.
$
Upon initialization, N ℓ chooses a uniformly random index i ← {1, . . . , ℓ}. In addition it initializes a tuple of
ℓ independent TMs: hN1 , . . . , Nℓ i where Ni = M and, for j 6= i, the machines Nj are independent copies of
the message-ignoring oracle R.
Whenever N ℓ receives inputs of the form (ChSetup, sid , P ) or (Send, sid , P, m), it passes the input to each
machine Ni receiving an output yi . It then outputs the vector (y1 , . . . , yℓ ).
Upon receiving an input (Corrupt, sid , P ), the oracle reveals the internal state of the message-processing
oracle Ni only.
N ℓ an ℓ-equivocal non-committing secure channel. For brevity,
For any such oracle N ℓ , we call the functionality FSC
ℓ to denote F N ℓ for some such oracle N ℓ . Lastly, a real world protocol which
we will also use the notation FSC
SC
ℓ is called an ℓ-equivocal non-committing encryption scheme (ℓ-NCE).
realizes FSC
As before, no information about messages m is revealed during the “send” stage. However, the internal state
of the message-processing oracle Ni , which is revealed upon corruption, might be “committing”. Nevertheless,
a simulator can simulate the communication between two honest parties over a secure channel, as modeled by
ℓ , in a way that allows him to later explain this communication as any one of ℓ possibilities. In particular,
FSC
the simulator creates ℓ message-processing oracles and, for every Send command, the simulator chooses ℓ distinct messages m1 , . . . , mℓ that he passes to the oracles M1 , . . . , Mℓ respectively. Since message-processing and
message-ignoring oracles are indistinguishable, this looks indistinguishable from the side-information produced by
ℓ . Later, when a corruption occurs, the simulator can convincingly explain the entire transcript of communiFSC
cation to any one of the ℓ possible options, by providing the internal state of the appropriate message-processing
oracle Mi .
2.3
The ℓ-NCE scheme construction
The construction of ℓ-NCE is based on a simulatable public-key system, which was defined in [DN00]. A simulatable public-key system is one in which it is possible to generate public keys obliviously, without knowing the
corresponding secret key, and to explain an honestly (non-obliviously) generated public key as one which was
obliviously generated. In a similar way, there should be a method for obliviously generating ciphertexts (without
knowing any plaintext) and to explain honestly generated (non-oblivious) ciphertexts as obliviously generated ones.
We review the syntax and security properties of such a scheme in Appendix B. Our ℓ-NCE protocol construction,
shown in Figure 2, uses a fully non-committing secure channel, but only to send a very short message during the
setup phase. Hence, for long communications, our ℓ-NCE scheme is significantly more efficient than (full) NCE.
ℓ ideal functionality
Theorem 2.5. The protocol in Figure 2 is an ℓ-NCE scheme. Specifically it UC-realizes the FSC
in the presence of an active and adaptive adversary.
6
f Enc
g be the corresponding oblivious key generator and
Let (KG, Enc, Dec) be an oblivious public key system and KG,
oblivious ciphertext generator algorithms. Furthermore, let (KGsym , Encsym , Decsym ) be a symmetric key encryption
scheme in which the ciphertexts are indistinguishable from uniformly random values of the same length.
Channel Setup. An initiator I sets up a channel with a receiver R as follows:
1.
The initiator I sends a random index i ∈ {1, . . . , ℓ} to R over a fully non-committing secure channel.
2.
f are sampled obliviously,
The initiator I generates ℓ public keys. For j ∈ {1, . . . , ℓ} \ {i}, the keys pkj ← KG()
while (pki , ski ) ← KG() is sampled correctly. The keys pk1 , . . . , pkℓ are sent to R while I stores ski .
3.
The receiver R chooses a random key K ← KGsym and computes Ci = Encpki (K) correctly. In addition, R
g pk () obliviously for j ∈ {1, . . . , ℓ} \ {i} and sends the ciphertexts C1 , . . . , Cℓ to I.
samples Cj ← Enc
j
4.
The initiator I decrypts the key K ← Decski (Ci ). Both parties store the tuple (K, i).
Encryption. An initiator I encrypts a message m to a receiver R as follows:
1.
The initiator I computes Ci ← Encsym
K (m) and chooses Cj for j ∈ {1, . . . , ℓ} \ {i} as uniformly random and
independent values of length |Ci |. The tuple (C1 , . . . , Cℓ ) is sent to R.
2.
The receiver R ignores all values other than Ci . It computes m ← Decsym
K (Ci ).
Figure 2: Construction of an ℓ-NCE protocol.
In Appendix C we analyze the efficiency of the above scheme with appropriate instantiations of the underlying
secure-channel implementation (using full NCE), simulatable public-key system and symmetric key encryption
scheme. We show that our scheme uses a total of (expected) O(log ℓ) public key operations, O(ℓ) communication
and (expected) constant rounds of interaction for the channel setup phase. After channel-setup, encryption is noninteractive and requires only symmetric-key operations. However, the encryption of a k bit message requires O(ℓk)
bits of communication.
2.4
The adaptive security protocol compiler for two-party SFE
As an application of ℓ-NCE, we give a general theorem, along the lines of Claim 2.1, showing that a protocol with
semi-adaptive security can be compiled into a protocol with (full) adaptive security when all of the communication
is encrypted using ℓ-NCE for some appropriate ℓ. However, we must first give a formal definition of semi-adaptive
security. The main part of the definition is to look at corruption strategies which are more restricted than fully
adaptive ones, but less so than static ones.
Definition 2.6. An adversarial strategy is second-corruption adaptive if either at least one of the parties is corrupted prior to protocol execution or no party is ever corrupted. In the former case, the other party can be adaptively corrupted at any point during or after protocol execution. In other words, the first corruption (if it occurs)
must be static and the second corruption can then be adaptive.
Intuitively, we’d like to say that a protocol is semi-adaptively secure if it is secure with respect to secondcorruption adaptive strategies. Unfortunately, there are two subtleties that we must consider. Firstly, we know that
most tasks cannot be realized in the Universal Composability framework without the use of trusted setup. However,
the use of trusted setup complicates our transformation. The point of using (somewhat) non-committing encryption
is that the simulator can lie about anything that occurs while both parties are honest. However, we often rely on
trusted setup in which some information is given to the adversary even when both parties are honest. For example,
the usual modeling of a common reference string (see Appendix A) specifies that this string is made public and
given to the adversary even when none of the participants in the protocol are corrupted. In this case the simulator
is committed to such setup even if the parties communicate over secure channels. Therefore we require that, when
trusted setup is used, the semi-adaptive simulator simulates this setup independently of which party is corrupted.
We call this property setup-adaptive simulation.
Definition 2.7. A simulator S = (S setup , S prot ) is setup-adaptive if it proceeds by first running S setup to simulate
all trusted setup and then running S prot (which is given any output generated by S setup ) to simulate the protocol
execution. Moreover S setup does not get to see which parties are corrupted (but S prot does).
7
The second subtlety comes from the following type of problem. As we outlined in our informal discussion,
we wish to run the semi-adaptive simulator once the first party gets corrupted and then “lie” that the simulated
conversation took place over the secure channel. However, when the first party gets corrupted after the protocol
execution, then the ideal functionality has already computed the outputs using the honest inputs and will therefore
not accept anymore inputs from the semi-adaptive simulator. Recall that we run the semi-adaptive simulator with
respect to an adversary A which follows the protocol execution using the corrupted party’s honest input x. If the
semi-adaptive simulator extracts the same input x as the one used by A, then we also know the corresponding
output and can give it to the semi-adaptive simulator on behalf of the ideal functionality. Therefore it is crucial that
the semi-adaptive simulator can only submit the actual input x. We call this property input-preserving.
Definition 2.8. We say that an adversary A is protocol-honest if it corrupts one of the parties P prior to protocol
execution and then follows the honest protocol specification using some input x on behalf of the corrupted party. A
simulator S is input-preserving if, during the simulation of a protocol-honest adversary that corrupts P and runs
f
the honest protocol with input x, the simulator S submits the same input x to the ideal functionality FSFE
on behalf
of P .
Putting Definition 2.6, Definition 2.7 and Definition 2.8 together, we are finally ready to define semi-adaptive
security.
Definition 2.9. We say that a protocol π semi-adaptively realizes the ideal functionality F if there exists a setupadaptive and input-preserving PPT simulator S such that, for any PPT adversary A and environment Z which
c
follow a second-corruption adaptive adversarial strategy, we have REALπ,A,Z ≈ IDEALF ,S,Z .
Lastly, we define the notion of a well-structured protocol. Since even non-committing encryption commits
the simulator to the lengths of the exchanged messages, the number of such messages, and the identities of the
sender and receiver of each message, we require that this information is fixed and always the same. In other words,
a protocol execution should have the same number of messages, message lengths and order of communication
independent of the inputs or random tape of the participating parties. Almost all known constructed protocols for
cryptographic tasks are well-structured and any protocol can be easily converted into a well-structured protocol.
The formal definition of well-structured protocols is relegated to Appendix D.
f
Functionality FSFE
f
interacts with an initiator I and a responder R. The functionality verifies that all received
The functionality FSFE
messages share a consistent value sid = (I, R, sid ′ ) and ignores them otherwise.
Input: Upon receiving the input value (InputI , sid , xI ) from the initiator I, record the value hI, xI i and send the
message (InputI , sid ) to the adversary S. Ignore future (InputI , . . .) inputs. Similarly, upon receiving
the input value (InputR , sid , xR ) from the responser R, record the value hR, xR i and send the message
(InputR , sid ) to the adversary S. Ignore future (InputR , . . .) inputs.
Output: Upon receiving the message (OutputI , sid ) from the adversary S, if either hI, xI i or hR, xR i is not
recorded, ignore the message. Else if hyI , yR i is not recorded, then compute (yI , yR ) ← f (xI , xR ) and
record hyI , yR i; send the output value (OutputI , sid , yI ) to I. Ignore future (OutputI , . . .) messages
from the adversary. Similarly, upon receipt of (OutputR , sid ) from the adversary, send the output value
(OutputR , sid , yR ) to R. Ignore future (OutputR , . . .) messages from the adversary.
Figure 3: A two-party secure evaluation functionality for function f : XI × XR → YI × YR .
We now have all the definitions needed to formally state the correctness of our compilers for transforming a
semi-adaptively secure protocol into a (fully) adaptively secure protocol. First we look at the simple compiler using
idealized secure channels. We now state the corrected version of Claim 2.1.
f
Theorem 2.10. Let FSFE
be the two-party ideal functionality which computes some function f as defined in Figf
is semi-adaptively secure. Let π ′ be the protocol
ure 3. Assume that a well-structured two-party protocol π for FSFE
in which the parties run π but only communicate with each other using non-committing secure channels as modeled
by FSC . Then π ′ is (fully) adaptively secure.
8
The intuition behind the above theorem was explained in Section 2.1. Also, as we mentioned, this compiler
is usually not very efficient because of its excessive use of secure channels and hence NCE. Recall that secure
channels are employed so that, when both parties are honest, the adversary does not see any useful information
and so this case is easy to simulate. Then, when the first party gets corrupted, our simulator simply makes up the
transcript of the communication that should have taken place ex post facto. This transcript is generated based on
which party got corrupted, what its inputs were and what its outputs were. However, we notice that for many simple
protocols there are not too many choices for this information. The simulator must simply be able to credibly lie
that the communication which took place over the secure channel corresponds to any one of these possible choices.
Using this intuition, we are now ready to show that a more efficient compiler using ℓ-NCE (for some small ℓ)
suffices.
f
Theorem 2.11. Let FSFE
be the two-party ideal functionality computing some function f : XI × XR → YI × YR ,
f
is semi-adaptively secure.
as defined in Figure 3. Assume that a well-structured two-party protocol π for FSFE
′
Let π be the protocol in which the parties run π but only communicate with each other using ℓ-equivocal secure
ℓ where ℓ = |X ||Y | + |X ||Y |. Then π ′ is (fully) adaptively secure.
channels as modeled by FSC
I
I
R
R
Next we will apply our adaptive security compiler of Theorem 2.11 to the concrete problem of bit OT, resulting
in the first efficient protocol for this task.
3 Efficient and Adaptively Secure Oblivious Transfer
We start by giving an ideal functionality for OT, following the modeling of [Can05].
Functionality FOT
FOT interacts with a sender S and a receiver R and the adversary S. For each input or message, the functionality
verifies that sid = (R, S, sid ′ ); it ignores it otherwise.
Upon receiving an input (Sender, sid , x0 , x1 ) from party S, where each xi ∈ {0, 1}, record (x0 , x1 ) and send
(Sender, sid ) to the adversary. Ignore further (Sender, . . .) inputs.
Upon receiving an input (Receiver, sid , σ) from party R, where σ ∈ {0, 1}, record σ and send
(Receiver, sid ) to the adversary. Ignore further (Receiver, . . .) inputs.
Upon receiving a message (Output, sid ) from the adversary, if either x0 , x1 or σ is not recorded, ignore the
message. Else send output (Output, sid , xσ ) to R. Ignore further (Output, . . .) messages from the adversary.
Figure 4: The oblivious transfer ideal functionality, FOT .
3.1
The PVW oblivious transfer protocol
In [PVW08], Peikert et al. construct an efficient OT protocol in the CRS model with UC security against a malicious
but static adversary. They do so by introducing a new primitive called a dual-mode cryptosystem, which almost
immediately yields an OT protocol in the CRS model, and give constructions of this primitive under the DDH, QR
and lattice hardness assumptions. We therefore first present a brief (informal and high-level) review of dual-mode
encryption as in [PVW08], and then will formally define a modified version of this primitive which will allow us
to get adaptive security.
A dual-mode cryptosystem is initialized with system parameters which are generated by a trusted third party.
For any choice of system parameters, the cryptosystem has two types of public/private key pairs: left key pairs and
right key pairs. The key-generation algorithm can sample either type of key pair and the user specifies which type
is desired. Similarly, the encryption algorithm can generate a left encryption or a right encryption of a message.
When the key pair type matches the encryption type (i.e. a left encryption of a message under a left public key)
then the decryption algorithm (which uses the matching secret key) correctly recovers the message.
As shown in [PVW08], a dual-mode cryptosystem can be used to get an OT protocol as shown in Figure 5. The
receiver chooses to generate a left or right key depending on his input bit σ, and the sender uses left-encryption
9
crs ot
Sender
x0 , x1
σ
pk
Receiver
(pk, sk) ← KG(crs ot , σ)
for b = 0, 1
(yb , ζb ) ← Enc(crs ot , pk, b, xb )
y0 , y1
xσ ← Dec(crs ot , pk, sk, yσ )
xσ
Figure 5: The generic OT protocol in [PVW08].
(b = 0) for the left message x0 and right-encryption for the right message. The receiver then uses the secret key to
correctly decrypt the chosen message.
Security against malicious (static) adversaries in the UC model relies on the two different modes for generating
the system parameters: messy mode and decryption mode. In messy mode, the system parameters are generated
together with a messy trapdoor. Using this trapdoor, any public key (even one which is maliciously generated) can
be easily labeled a left key or a right key. Moreover, in messy mode, when the encryption type does not match
the key type (e.g. a left encryption using a right public key) then the ciphertext is statistically independent of the
message. Messy mode is useful to guarantee security against a corrupt receiver: the messy trapdoor makes it easy
to extract the receiver bit and to create a fake ciphertext for the message which should not be transferred. On the
other hand, in decryption mode, the system parameters are generated together with a decryption trapdoor which can
be used to decrypt both left and right ciphertexts. Moreover, in decryption mode, left public keys are statistically
indistinguishable from right public keys. Decryption mode is useful to guarantee security against a corrupt sender:
the decryption trapdoor is used to create a public key which completely hides the receiver’s selection bit, and to
compute a decryption trapdoor and extracting both of the sender’s messages. In each mode, the security of one
party (i.e., the sender in messy mode, and the receiver in decryption mode) is guaranteed information theoretically.
To achieve security for both parties simultaneously all that is needed is one simple computational requirement: the
system parameters generated in messy mode need to be computationally indistinguishable from those generated in
decryption mode.
3.2
Semi-adaptively secure OT
In order to make the PVW OT protocol adaptively secure using our methodology, we need to make it semiadaptively secure (Section 2.4). We do so by a series of simple transformations.
First, we observe that in the PVW protocol, the simulator must choose the CRS crs ot based on which party is
corrupt – i.e. the CRS should be in messy mode to handle a corrupt receiver or in decryption mode to handle a
corrupt sender. This is a problem for us since the definition of semi-adaptive security requires that the simulator is
setup-adaptive which means that it must simulate the CRS independently of any information on which parties are
corrupted. We solve this issue by using a coin-tossing protocol to choose the CRS of the PVW OT protocol. Of
course, coin-tossing requires the use of a UC secure commitment scheme which also need their own CRS (crs com )!
However, if we use an (efficient) adaptively secure commitment scheme (e.g. [DN02, DG03]) then the simulator’s
choice of crs com can be independent on which party is corrupted. Unfortunately, this approach only works if the
CRS for the OT protocol comes from a uniform distribution (over some group) and this too is not the case in all
instantiations of the PVW protocol. However, we observe that the CRS of the OT protocol (crs ot ) can be divided
into two parts crs ot = (crs sys , crs tmp ), where a system CRS crs sys can be independent of which party is corrupted
(i.e. can be the same for both messy and decryption mode) but may not be uniform, while crs tmp determines the
mode (messy or decryption) and thus needs to depend on which party is corrupted, but this part is required to be
uniform. Therefore we can use an ideal CRS functionality to choose the setup for our protocol which consists of
(crs com , crs sys ) and then run a coin-flipping protocol to choose the uniform value crs tmp .
Secondly, we must now consider the cases where one party is corrupted from the beginning, but the second party
10
becomes corrupted adaptively during the protocol execution. Let us first consider the case where the sender starts
out corrupted. In this case, to handle the corrupt sender, the simulator needs to simulate the execution in decryption
mode. Moreover, to extract the sender’s value, the simulator uses the decryption trapdoor to create a dual public
key (on behalf of the receiver) which comes with both a left and a right secret key. Later, if the receiver becomes
corrupted, the simulator needs to explain the randomness used by the receiver during key generation to create such a
public key. Luckily, current dual-mode schemes already make this possible and we just update the definition with a
property called encryption key duality to capture this. Now, consider the case where the receiver is corrupted at the
beginning but the sender might also become corrupted later on. In this case the simulator simulates the execution in
messy mode. In particular, the simulator uses the messy trapdoor to identify the receiver key type (right or left) and
thus extract the receiver bit. Then the simulator learns the appropriate sender message for that bit and (honestly)
produces the ciphertext for that message. In addition, the simulator must produce a “fake” ciphertext for the other
message. Since, in messy mode, this other ciphertext is statistically independent of the message, it is easy to do
so. However, if the sender gets corrupted later, the simulator must explain the fake ciphertext as an encryption of
some particular message. To capture this ability, we require the existence of internal state reconstruction algorithm
which can explain the fake ciphertext as an encryption of any message. Again, we notice that the QR instantiation
of the PVW scheme already satisfies this new notion as well.
Enhanced Dual-Mode Encryption. A dual-mode cryptosystem for message space {0, 1}n is defined by the following polynomial-time algorithms:
(crs, τ ) ← PG(1λ , µ). The parameter generation algorithm PG is a randomized algorithm which takes security
parameter λ and mode µ ∈ {mes, dec} as input, and outputs (crs, τ ), where crs is a common reference
string and τ is the corresponding trapdoor information. For notational convenience, the random coins used for
parameter generation are also included in τ . Note that our parameter generation PG includes two stages PGsys
and PGtmp , i.e., compute (G, crs sys , τsys ) ← PGsys (1λ ) and (crs tmp , τtmp ) ← PGtmp (µ, G, crs sys , τsys )
where G is a group with operator “+”, and set crs ← (crs sys , crs tmp ) and τ ← (τsys , τtmp ). Note that the
system CRS is independent of mode µ.
(pk , sk ) ← KG(crs, σ). The key generation algorithm KG is a randomized algorithm which takes crs and a
key type σ ∈ {0, 1}, and outputs a key pair (pk , sk ), where pk is an encryption key and sk the corresponding
decryption key for message encrypted on key type σ. The random coins used for key generation are also
included in sk .
(c, ζ) ← Enc(crs, pk, b, m). The encryption algorithm Enc is a randomized algorithm which outputs a ciphertext c for a message m on encryption type b. Here ζ is the random coins used for encryption.
m ← Dec(crs, pk , sk , c). The decryption algorithm Dec is a deterministic algorithm which decrypts ciphertext
c into plaintext m.
ρ ← MessyId(crs, τ, pk ). The messy branch identification algorithm MessyId is a deterministic algorithm
which based on the trapdoor τ computes the key type ρ corresponding to a messy branch of pk .
(c, ω) ← FakeEnc(crs, τ, pk , ρ). The fake encryption algorithm FakeEnc is a randomized algorithm. For the
messy branch ρ, the ciphertext c is faked by using the trapdoor τ , and some internal information ω is saved for
reconstructing the random coins used for encryption.
ζ ← Recons(crs, τ, pk , ρ, c, ω, m). The internal state reconstruction algorithm Recons is a deterministic algorithm. When the plaintext m is supplied for the faked ciphertext c in messy branch ρ, the algorithm recover the
used random coins ζ based on previously generated internal information ω.
(pk , sk 0 , sk 1 ) ← DualKG(crs, τ ). The dual key generation algorithm DualKG is a randomized algorithm,
which based on the trapdoor τ , outputs an encryption key pk , and two decryption keys sk 0 , sk 1 corresponding
to key type 0 and 1, respectively.
Definition 3.1 (Enhanced Dual-Mode Encryption). An enhanced dual-mode cryptosystem is a tuple of algorithms
as described above satisfying the following properties:
C OMPLETENESS : For every µ ∈ {0, 1}, (crs, τ ) ← PG(1λ , µ), m ∈ {0, 1}n , σ ∈ {0, 1}, and (pk , sk ) ←
KG(crs, σ), the decryption on branch σ is correct except with negligible probability; i.e., Dec(crs, pk , sk ,
c) = m, where (c, ζ) ← Enc(crs, pk, σ, m).
E NHANCED MODE INDISTINGUISHABILITY: The CRSes generated by PG in messy mode and in decryption mode are
indistinguishable in the sense that (i) the both system CRSes are identically distributed, and (ii) the two tem11
poral CRSes are computationally indistinguishable from random elements in group G, i.e.,
c
c
{crs tmp }(crs,τ )←PG(1λ ,mes) ≈ {crs tmp }
$
crs tmp ←G
≈ {crs tmp }(crs,τ )←PG(1λ ,dec)
M ESSY BRANCH IDENTIFICATION AND CIPHERTEXT EQUIVOCATION : For every (crs, τ ) ← PG(1λ , mes) and every
pk , MessyId(crs, τ, pk ) outputs a branch value ρ such that for every m ∈ {0, 1}n , Enc(crs, pk , ρ, ·) is
s
simulatable, i.e., {c, ζ}(c,ζ)←Enc(crs,pk ,ρ,m) ≈ {c, ζ}(c,ω)←FakeEnc(crs,τ,pk ,ρ),ζ←Recons(crs,τ,pk ,ρ,c,ω,m)
E NCRYPTION KEY DUALITY: For every (crs, τ ) ← PG(1λ , dec), there exists (pk , sk 0 , sk 1 ) ← DualKG(crs, τ )
such that for every σ ∈ {0, 1}, (pk , sk σ ) is statistically indistinguishable from the honestly generated key
s
pair, i.e., {pk , sk σ }(pk ,sk 0 ,sk 1 )←DualKG(crs,τ ) ≈ {pk , sk }(pk ,sk )←KG(crs,σ)
Construction. Based on the above transformations, a generic construction for a semi-adaptively secure OT protocol
is given in Figure 6. It consists of two phases, the coin tossing phase and the transferring phase (which is separated
by a dot line in the figure). The CRS consists of two pieces: the first piece is a system CRS denoted as crs sys ,
while the second piece is for an adaptively secure UC commitment protocol which will be used for constructing a
coin tossing protocol. The UC commitment includes two stages, the commit and the open stages which could be
interactive; a randomly selected value r is committed by the receiver for the sender in the commit stage, and after
receiving a randomly selected value s from the sender, the receiver open the committed r to the sender, and both
sender and the receiver can compute a temporal CRS crs tmp based on s and r. The temporal CRS crs tmp together
with the system CRS crs sys will be used as the CRS for the transferring phase and we denote it as crs ot . With crs ot
in hand, we “plug in” the PVW protocol (Figure 5) but based on the enhanced dual-mode cryptosystem to achieve
message transferring.
Theorem 3.2. Given an adaptively UC-secure commitment scheme and an enhanced dual-mode cryptosystem as
in Definition 3.1, the protocol in Figure 6 semi-adaptively realizes FOT in the FCRS -hybrid model.
By “plugging in” efficient instantiations of the two building blocks above, we obtain efficient concrete protocols
for semi-adaptively secure OT. For example, good candidates for adaptively secure UC commitments can be found
in [DN02, DG03], while a QR-based dual-mode encryption scheme is presented in [PVW08]. In Appendix F,
we show that this scheme also satisfies Definition 3.1. As mentioned in Section 1, a semi-adaptively secure OT
protocol can also be based on the DDH assumption. In this case, however, in order to make ciphertext equivocation
possible, we also need an efficient Σ-protocol for the equality of discrete logs. (See Appendix G for more details.)
3.3
Efficient and adaptively secure Bit OT protocol
We now apply our compiler from Section 2.4 to the protocol in Figure 6, to immediately obtain an efficient adaptively secure OT protocol in the UC framework.
Corollary 3.3. Assume that the DDH, QR, and DCR assumptions hold. Then there exists an adaptively secure
protocol that UC-realizes the bit-OT functionality FOT in the FCRS -hybrid world, running in (expected) constant
number of rounds and using (expected) constant number of public-key operations.
Justification for the assumptions is as follows: efficient adaptive UC commitments can be realized in the CRS model
under the DCR assumption [DN02], non-committing and somewhat non-committing encryption can be constructed
under DDH ([DN00] and Section 2, respectively), while enhanced dual-model encryption exists under the QR
assumption ([PVW08] and Section 3).
3.4
Efficient and adaptively secure string OT
In Appendix G we show how to instantiate our framework using the DDH version of PVW. We also show how
to then efficiently implement string OT in Appendix G.3. Although this does not follow our framework in a strict
sense, it does rely on the use of somewhat non-committing encryption and the properties of the PVW protocol. The
resulting efficiency is captured by the following theorem.
12
crs sys , crs com , G
Sender
x0 , x1
σ
crs com
V
$
s←G
V
open
for b = 0, 1
(yb , ζb ) ← Enc(crs ot , pk, b, xb )
C
crs tmp ← r + s
crs ot ← (crs sys , crs tmp )
crs ot
crs ot
S
C
s
crs tmp ← r + s
r
crs ot ← (crs sys , crs tmp )
x0 , x1
$
r←G
r, crs com
commit
Receiver
pk
y0 , y1
σ
(pk, sk) ← KG(crs ot , σ)
R
xσ ← Dec(crs ot , pk, sk, yσ )
xσ
xσ
commit
open
Figure 6: Generic semi-adaptively secure OT protocol. Here C =====⇒ V and C ===⇒ V denote the
commit and the open stages of an adaptive UC-secure commitment protocol based on CRS crs com . crs sys is the
system CRS, and S ⇆ R is the PVW protocol (Figure 5), but based on our enhanced dual-mode encryption
scheme.
Theorem 3.4. Assume that the DDH and DCR assumptions hold. Then there exists an adaptively secure protocol
that UC-realizes the string-OT functionality FOT in the FCRS -hybrid world, and can transfer an n-bit string in
(strict) constant number of rounds and using (strict) O(n) public-key operations.
Acknowledgements
We thank Ran Canetti, Yevgeniy Dodis, Yuval Ishai, Stas Jarecki and Aggelos Kiayias for their help. Specially, an
early discussion with Ran advances this work.
References
[Bea97]
Donald Beaver. Plug and play encryption. In Burton S. Kaliski Jr., editor, CRYPTO, volume 1294 of Lecture
Notes in Computer Science, pages 75–89. Springer, 1997.
[Bea98]
Donald Beaver. Adaptively secure oblivious transfer. In Kazuo Ohta and Dingyi Pei, editors, ASIACRYPT,
volume 1514 of Lecture Notes in Computer Science, pages 300–314. Springer, 1998.
13
[BH92]
Donald Beaver and Stuart Haber. Cryptographic protocols provably secure against dynamic adversaries. In
EUROCRYPT, pages 307–323, 1992.
[Can01]
Ran Canetti. Universally composable security: A new paradigm for cryptographic protocols. In FOCS, pages
136–145. IEEE Computer Society, 2001.
[Can05]
Ran Canetti. Universally composable security: A new paradigm for cryptographic protocols. In Cryptology
ePrint Archive, Report 2000/067, December 2005. Latest version at http://eprint.iacr.org/2000/
067/.
[CDD+ 04] Ran Canetti, Ivan Damgård, Stefan Dziembowski, Yuval Ishai, and Tal Malkin. Adaptive versus non-adaptive
security of multi-party protocols. J. Cryptology, 17(3):153–207, 2004.
[CDMW09] Seung Geol Choi, Dana Dachman-Soled, Tal Malkin, and Hoeteck Wee. Simple, black-box constructions of
adaptively secure protocols. In Omer Reingold, editor, TCC, volume 5444 of Lecture Notes in Computer Science,
pages 387–402. Springer, 2009.
[CFGN96]
Ran Canetti, Uriel Feige, Oded Goldreich, and Moni Naor. Adaptively secure multi-party computation. In
STOC, pages 639–648, 1996.
[CK02]
Ran Canetti and Hugo Krawczyk. Universally composable notions of key exchange and secure channels. In
Lars R. Knudsen, editor, EUROCRYPT, volume 2332 of Lecture Notes in Computer Science, pages 337–351.
Springer, 2002. Full version at http://eprint.iacr.org/2002/059/.
[CKL06]
Ran Canetti, Eyal Kushilevitz, and Yehuda Lindell. On the limitations of universally composable two-party
computation without set-up assumptions. J. Cryptology, 19(2):135–167, 2006. Preliminary version appeared in
Eurocrypt 2003.
[CLOS02]
Ran Canetti, Yehuda Lindell, Rafail Ostrovsky, and Amit Sahai. Universally composable two-party and multiparty secure computation. In STOC, pages 494–503. ACM, 2002. Full version at http://eprint.iacr.
org/2002/140/.
[Coc01]
Clifford Cocks. An identity based encryption scheme based on quadratic residues. In Bahram Honary, editor,
IMA Int. Conf., volume 2260 of Lecture Notes in Computer Science, pages 360–363. Springer, 2001.
[Dam00]
Ivan Damgård. Efficient concurrent zero-knowledge in the auxiliary string model. In EUROCRYPT, pages
418–430, 2000.
[DG03]
Ivan Damgård and Jens Groth. Non-interactive and reusable non-malleable commitment schemes. In STOC,
pages 426–437. ACM, 2003. Full version at http://www.brics.dk/˜jg/STOC03NMcommitment.
pdf.
[DN00]
Ivan Damgård and Jesper Buus Nielsen. Improved non-committing encryption schemes based on a general
complexity assumption. In Mihir Bellare, editor, CRYPTO, volume 1880 of Lecture Notes in Computer Science,
pages 432–450. Springer, 2000.
[DN02]
Ivan Damgård and Jesper Buus Nielsen. Perfect hiding and perfect binding universally composable commitment
schemes with constant expansion factor. In Moti Yung, editor, CRYPTO, volume 2442 of Lecture Notes in
Computer Science, pages 581–596. Springer, 2002. Full version at http://www.brics.dk/RS/01/41/
BRICS-RS-01-41.pdf.
[DN03]
Ivan Damgård and Jesper Buus Nielsen. Universally composable efficient multiparty computation from threshold
homomorphic encryption. In Dan Boneh, editor, CRYPTO, volume 2729 of Lecture Notes in Computer Science,
pages 247–264. Springer, 2003.
[DNO08]
Ivan Damgård, Jesper Buus Nielsen, and Claudio Orlandi. Essentially optimal universally composable oblivious
transfer. In Pil Joong Lee and Jung Hee Cheon, editors, ICISC, volume 5461 of Lecture Notes in Computer
Science, pages 318–335. Springer, 2008. Available at http://eprint.iacr.org/2008/220/.
[GMW87]
Oded Goldreich, Silvio Micali, and Avi Wigderson. How to play any mental game or A completeness theorem
for protocols with honest majority. In STOC, pages 218–229. ACM, 1987.
[GMY04]
Juan A. Garay, Philip MacKenzie, and Ke Yang. Efficient and universally composable committed oblivious
transfer and applications. In Moni Naor, editor, TCC, volume 2951 of Lecture Notes in Computer Science, pages
297–316. Springer, 2004.
[Hai08]
Iftach Haitner. Semi-honest to malicious oblivious transfer – the black-box way. In Ran Canetti, editor, TCC,
volume 4948 of Lecture Notes in Computer Science, pages 412–426. Springer, 2008.
14
[IKLP06]
Yuval Ishai, Eyal Kushilevitz, Yehuda Lindell, and Erez Petrank. Black-box constructions for secure computation. In STOC, pages 99–108. ACM, 2006.
[IPS08]
Yuval Ishai, Manoj Prabhakaran, and Amit Sahai. Founding cryptography on oblivious transfer – efficiently. In
David Wagner, editor, CRYPTO, volume 5157 of Lecture Notes in Computer Science, pages 572–591. Springer,
2008.
[JS07]
Stanislaw Jarecki and Vitaly Shmatikov. Efficient two-party secure computation on committed inputs. In Moni
Naor, editor, EUROCRYPT, volume 4515 of Lecture Notes in Computer Science, pages 97–114. Springer, 2007.
[KO04]
Jonathan Katz and Rafail Ostrovsky. Round-optimal secure two-party computation. In Matthew K. Franklin,
editor, CRYPTO, volume 3152 of Lecture Notes in Computer Science, pages 335–354. Springer, 2004.
[Lin08]
Andrew Y. Lindell. Efficient fully-simulatable oblivious transfer. In Tal Malkin, editor, CT-RSA, volume 4964
of Lecture Notes in Computer Science, pages 52–70. Springer, 2008.
[Lin09]
Yehuda Lindell. Adaptively secure two-party computation with erasures. In CT-RSA, 2009. Available at http:
//eprint.iacr.org/2009/031/. To appear.
[LP07]
Yehuda Lindell and Benny Pinkas. An efficient protocol for secure two-party computation in the presence of
malicious adversaries. In Moni Naor, editor, EUROCRYPT, volume 4515 of Lecture Notes in Computer Science,
pages 52–78. Springer, 2007.
[LZ09]
Yehuda Lindell and Hila Zarosim. Adaptive zero-knowledge proofs and adaptively secure oblivious transfer.
In Omer Reingold, editor, TCC, volume 5444 of Lecture Notes in Computer Science, pages 183–201. Springer,
2009.
[Nie02]
Jesper Buus Nielsen. Separating random oracle proofs from complexity theoretic proofs: The non-committing
encryption case. In Moti Yung, editor, CRYPTO, volume 2442 of Lecture Notes in Computer Science, pages
111–126. Springer, 2002.
[Nie03]
Jesper Buus Nielsen. On protocol security in the cryptographic model. Dissertation Series DS-03-8, BRICS,
2003. http://www.brics.dk/DS/03/8/BRICS-DS-03-8.pdf.
[Nie05]
Jesper Buus Nielsen. Universally composable zero-knowledge proof of membership. Manuscript, 2005. Available at http://www.daimi.au.dk/˜buus/n05.pdf.
[PVW08]
Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A framework for efficient and composable oblivious
transfer. In David Wagner, editor, CRYPTO, volume 5157 of Lecture Notes in Computer Science, pages 554–571.
Springer, 2008. Available at http://people.csail.mit.edu/cpeikert/pubs/OTpaper.pdf.
15
A
The Universal Composability Framework
The UC framework was proposed by Canetti for defining the security and composition of protocols [Can01]. In this
framework one first defines an “ideal functionality” of a protocol, and then proves that a particular implementation
of this protocol operating in a given computational environment securely realizes this ideal functionality. The basic
entities involved are n players P1 , . . . , Pn , an adversary A, and an environment Z. The real execution of a protocol
π, run by the players in the presence of A and an environment machine Z, with input z, is modeled as a sequence
of activations of the entities. The environment Z is activated first, generating in particular the inputs to the other
players. Then the protocol proceeds by having A exchange messages with the players and the environment. Finally,
the environment outputs one bit, which is the output of the protocol.
The security of the protocols is defined by comparing the real execution of the protocol to an ideal process in
which an additional entity, the ideal functionality F, is introduced; essentially, F is an incorruptible trusted party
that is programmed to produce the desired functionality of the given task. The players are replaced by dummy
players, who do not communicate with each other; whenever a dummy player is activated, it forwards its input to
F. Let A denote the adversary in this idealized execution. As in the real-life execution, the output of the protocol
execution is the one-bit output of Z. Now a protocol π securely realizes an ideal functionality F if for any real-life
adversary A there exists an ideal-execution adversary S such that no environment Z, on any input, can tell with
non-negligible probability whether it is interacting with A and players running π in the real-life execution, or with S
and F in the ideal execution. More precisely, if the two binary distribution ensembles, REALπ,A,Z and IDEALF ,S,Z ,
describing Z’s output after interacting with adversary A and players running protocol π (resp., adversary S and
c
ideal functionality F), are computationally indistinguishable (denoted REALπ,A,Z ≈ IDEALF ,S,Z ). For further
details on the UC framework refer to [Can05].
As was observed in [CKL06], most functionalities cannot be realized in the UC framework without some setup.
D
One common form of setup is the common reference string (CRS). We model a CRS as an ideal functionality FCRS
which is shown in Figure 7.
D
Functionality FCRS
D
is parameterized by a PPT sampling algorithm D.
FCRS
On input (CRS, sid ) from P , verify that sid = (P, sid ′ ) where P is a set of identities, and P ∈ P; else ignore
the input. Next if there is no value crs recorded then choose crs ← D() and record it. Send (CRS, sid , crs, P )
to S; when receiving (CRS, sid , crs) from S, send (CRS, sid , crs) to P .
Figure 7: The common reference string ideal functionality, FCRS .
B
Review of Simulatable Public Key Systems from [DN00]
A simulatable public key system is defined by a tuple (KG, Enc, Dec) consisting of the key-generation, encryption
and decryption algorithms respectively. For the definition of security, we also require the existence of an oblivif and a corresponding key-faking algorithm KG
f −1 . Similarly, we require an oblivious
ous public key generator KG
g and a corresponding ciphertext-faking algorithm Enc
g −1 . Intuitively, the key-faking alciphertext generator Enc
gorithm is used to explain a legitimately generated public key as an obliviously generated public key. Similarly,
the ciphertext-faking algorithm is used to explain a legitimately generated ciphertext as an obliviously generated
ciphertext.
The simulatable pubic key system has the following three properties.
Semantic Security: For all m0 , m1 in the appropriate domain, consider the experiment (pk, sk) ← KG(), C0 ←
c
Encpk (m0 ), C1 ← Encpk (m1 ). Then (pk, m0 , m1 , C0 ) ≈ (pk, m0 , m1 , C1 ).
f
Oblivious PK Generation: Consider the experiment (pk, sk) ← KG(), r ← KG
c
′
′
(r, pk) ≈ (r , pk ).
16
−1
f ′ ). Then
(pk) and pk ′ ← KG(r
Oblivious Cipher-text generation: For any message m in the appropriate domain, consider the experiment (pk, sk) ←
g pk (r1 ), C2 ← Encpk (m; r2 ), r′ ← Enc
g −1 (C2 ). Then
KG(), C1 ← Enc
1
pk
c
(pk, r1 , C1 ) ≈ (pk, r1′ , C2 )
C
Efficiency of Our ℓ-NCE Scheme
Let us look at the efficiency of the construction. For concreteness we will assume that the secure channel used
to encrypt the index i are implemented using the NCE protocol of [DN00]. The simulatable public-key system
(which we use during channel setup and also which is used in the protocol of [DN00]) can be instantiated with e.g.
ElGamal Encryption. Lastly, the symmetric key system can be implemented very efficiently using some variable
length encryption algorithm e.g. AES in CBC mode.
The protocol of [DN00] is an expected 6 round protocol which exchanges a t bit message using an expected
O(t) number of operations.4 Since we use the NCE protocol to send an index i ∈ {1, . . . , ℓ}, this requires O(log ℓ)
number of public key operations. In addition to NCE, we use the simulatable public key system. However, we
only use it to perform one encryption/decryption operation and O(ℓ) oblivious key-sampling, ciphertext-sampling
operations. For ElGamal, this just means choosing random group elements which is efficient and hence we do not
count it as a public key operation. Lastly, for the encryption phase we only use symmetric key operations. This
gives us a total of (expected) O(log ℓ) public key operations, O(ℓ) communication and fewer than (expected) 8
rounds of interaction for the channel setup phase. After channel-setup, encryption is non-interactive and requires
only symmetric key operations. However, the encryption of a k bit message requires O(ℓk) communication.
D
Well-Structured Protocols
f
Definition D.1. A protocol π for the functionality FSFE
is well-structured if, on input (InputI , sid , xI ) the initiator I sends some message of length k0 to R. The responder R stores messages from I until receiving its input
(InputR , sid , xR ). Then the execution of the protocol proceeds in rounds i = 1, . . . , n where, in each round i the
party bi sends a message mi of length ki to the party 1 − bi where bi switches in each round. In other words, the
first message from the initiator I can be considered round 0 so that Pb0 is the initiator and, for each successive
round i, bi = 1 − bi−1 .
We require that the message sizes ki and the number of rounds n are completely determined by the protocol and
are independent of the input values or random coins of the parties.
E
Proofs
E.1 Proof of Theorem 2.5
ℓ functionality described in Definition 2.4. This
We need to show that our protocol in Figure 2 realizes the FSC
functionality is parametrized by two oracles: the message-ignoring oracle R and the message-processing oracle
M. We define these oracles based on our actual protocol construction. In essence the oracle M corresponds to
the actions of the parties for the index i chosen during channel setup, while the oracle R corresponds to all other
indices in {1, . . . , ℓ}. In particular:
• On input (ChSetup, sid ), the oracle M samples (pk, sk) ← KG(), K ← KGsym (), C ← Encpk (K). The
f C ← Enc
g pk ().
oracle R samples pk ← KG(),
• On input (Send, sid , m), the oracle M samples C ← Encsym
K (m). The oracle R samples C randomly.
We must first show that the oracles M and R are indistinguishable. We do so using a hybrid argument.
4
For large messages (larger than the security parameter) the protocol of [DN00] can be made guaranteed 3 round. However, the tradeoff
is that the number of public key operations is at least security parameter. Since we consider very small messages (3 bits) we settle for the
expected 6 round protocol.
17
1. We start with the message-processing oracle M.
2. We now modify the oracle so that, for all Send commands, it chooses the symmetric-key ciphertext C randomly instead of computing C ← Encsym
K (m). This modification is indistinguishable from the initial oracle
since ciphertexts produced by the symmetric key scheme are indistinguishable from random ciphertexts.
3. We now modify the oracle from step 2 so that, for all ChSetup commands, instead of computing C ←
g pk (). This oracle is indistinguishable from that of step 2 by the oblivious
Encpk (K), it computes C ← Enc
ciphertext generation property.
4. Lastly we modify the oracle from step 3 so that, for ChSetup commands, instead of computing (pk, sk) ←
f
KG() it computes pk ← KG().
This oracle is indistinguishable from that of step 3 by the oblivious key
generation property.
The last step yields the message-ignoring oracle R. Hence M and R are computationally indistinguishable.
The two oracle M, R now define the complete non-information oracle N ℓ and hence the ℓ-equivocal secure
N ℓ . We must now describe an ideal-world simulation of our ℓ-NCE protocol.
channel functionality FSC
The simulation while both parties are honest is actually very simple since the non-information oracle N actually
runs the protocol and hence there is little that our simulator S must do! Essentially, to simulate the secure transfer
of the index i, the simulator simply sends the length of the message (which is known since ℓ is known) to the
adversary A. To simulate the rest of the channel setup phase and also any encryption commands, the simulator S
just passes all information from N to the adversary A.
The only difficult part is simulating the first corruption. In the ideal world, the simulator is only given the
internal state of the single machine Ni which is the message-processing oracles. In the real-world the state of the
corrupted party also includes the randomness for all of the obliviously-generated public keys and ciphertexts (i.e.
the internal state of all of the message-ignoring oracles). But the simulator can simulate this easily by using the
ciphertext-faking and key-faking algorithms. In other words, for each symmetric key ciphertext C sym produced by
an oracle Ni , the simulator simply sets the random coins of the sender as C sym (since it is just a uniformly random
g −1 (C).
value). Moreover, for each public key ciphertext C, the simulator sets the internal state of its sender as Enc
−1
pk
f (pk).
Lastly for each public key pk, the simulator sets the internal state of its sender as KG
We can view the real world protocol as a series of the same ℓ oracles N1 , . . . , Nℓ where Ni (for the transferred
index i) is the above described message-processing oracle and the rest are message-ignoring oracles. Hence the only
difference between the real world and the ideal world is how the random coins of the corrupted party for its messageignoring oracles are generated. In the real-world the adversary gets the actual coins while in the ideal-world the
adversary gets coins produced by the faking algorithms. Let us denote the worlds by tuples showing which oracles
are running for all indices other than i (i.e. either message-processing or messsage-ignoring) and how the state is
generated (i.e. actual state, faked state). So the real world can be represented as a tuple (message-ignoring, actual).
But, by the properties of the simulatable public key system, this is indistinguishable from the world (messageprocessing, faked). Lastly, since the fake algorithms do not use any secrets, and message-ignoring oracles are
indistinguishable from message processing oracles, the world (message-processing, faked) is indistinguishable
from (message-ignoring, faked). But this is the ideal world, and hence we have shown that the real-world is
indistinguishable from the ideal world.
E.2 Proof of Theorem 2.10
By assumption, the underlying protocol π is well-structured and there is a simulator Ssemi which is setup-adaptive
f
and input-preserving, such that π realizes the two-party functionality FSFE
against a second-corruption adaptive
adversary. In particular for any second-corruption adaptive adversary Asec there is Ssemi such that for any environment Zsec
c
REALπ,Asec ,Zsec ≈ IDEALF f ,S ,Z
sec
SFE
π′
semi
We now construct a simulator S for the protocol that uses fully non-committing secure channels. The simulator
S runs an internal copy of the (fully adaptive) adversary A attacking the protocol π ′ . We can assume, without
loss of generality, that the adversary A is just the “dummy” adversary which only follows instructions from the
environment Z. We define the simulation in terms of the following four stages:
18
I. The setup phase while both parties are honest.
II. The communication phase while both parties are honest.
III. The first corruption.
IV. Execution after the first corruption.
I. The setup phase while both parties are honest. First our simulator S initializes a copy of the semi-adaptive
setup
prot
setup
simulator Ssemi = (Ssemi
, Ssemi
). For stage (I), the entire setup phase of the protocol π is simulated by Ssemi
which is oblivious of which parties are corrupted (recall Definition 2.7).
II. The communication phase while both parties are honest. The main idea behind this simulation is that the
real-world adversary does not see much at this time – just the message lengths and identities of the sender and
receiver. However, because the protocol π is well-structured, these are known ahead of time. Hence the simulator
S can simulate this phase by simply forwarding this publicly known data. Recall that the communication phase
proceeds in rounds i = 0, . . . , n where in each round i the party bi sends a message of length ki to party 1 − bi . The
party b0 is the initiator, and afterwards bi = 1 − bi−1 . The simulator S proceeds with “rounds” i = 1, . . . , n and in
each round i sends the message (Send, sid , Pbi , ki ) to A on behalf of FSC . We call this the dummy execution since
the simulator S does not run any protocol behind the scenes but only passes message lengths to Z. The adversary
A may corrupt a party at any point during this interaction.
III. The first corruption. Assume that the first corruption is that of the party Pfirst . Then the simulator S gets the
entire content of the ideal-world view of Pfirst including its input xfirst from the environment and (possible) outputs
f
yfirst from FSFE
depending on the point at which the corruption occurs.
The simulator S then produces an imagined execution between P0 and P1 as follows. It constructs a machine
first which is a (new) environment that corrupts P
Zsec
first immediately after the setup phase but honestly uses the
prot
inputs specified by Z to run the protocol π on behalf of Pfirst . The simulator S then activates the machine Ssemi
setup
prot
first (the adversary A
(passing it any output from Ssemi
) and runs the simulation by Ssemi
for the environment Zsec
is always dummy w.l.o.g. and hence we do not specify it). It runs this simulation, for as many rounds of the
communication phase as occurred before Pfirst was corrupted.
f
prot
prot
In addition, S acts as the ideal functionality FSFE
for Ssemi
. If Ssemi
attempts to give input to the ideal funcprot
tionality then, since Ssemi is input-preserving (recall Definition 2.8), this input is xfirst and S just ignores this. If
prot
Ssemi
asks for output (at a point after both inputs have been submitted) then S passes it the actual output yfirst on
f
behalf of FSFE
.
first
Once Zsec reaches the point where the environment Z corrupted Pfirst , the simulator S takes the internal state
first (i.e. the randomness used to run the protocol on behalf of the party P
of Zsec
first and the view of the protocol
execution) and sets it as the internal state of Pfirst to be given to the actual environment Z. This corresponds to
patching the dummy execution by claiming that the imagined execution took place over the secure channel.
prot
IV. Execution after the first corruption. After the first corruption, the simulator Ssemi
is left to simulate the
execution without interference.
Indistinguishability of Simulation: Now we need to argue the indistinguishability of the simulation. Intuitively,
this follows simply from the fact that Ssemi can simulate a second-corruption adaptive adversary. In the following
arguments we assume that the environment Z corrupts some party at some point. If not then in the ideal world as
well as the real world, the environment Z only sees the lengths of the messages defined by the protocol π so the real
world and ideal world are indistinguishable. If a corruption does occur at some point, then we use the following
hybrid argument for a series of indistinguishable games.
Game 1 – The Ideal World: We define Game 1 to be IDEALF f ,S,Z - that is the ideal-world simulation with the
SFE
environment Z and the simulator S (as described above) interacting with the ideal functionality F.
19
Game 2 – Second Corruption Adaptive Ideal World: In the simulation, the imagined execution is generated after the first party is corrupted ex post facto. We now define a new execution in which the imagined execution
is the one that executes all along.
More precisely, we define an environment Zsec , which runs an internal copy of Z. However Zsec chooses a
bit b ← {0, 1} randomly and corrupts the party Pb prior to protocol execution. The environment Zsec gets
the input xb for Pb from Z, and runs a the protocol for Pb honestly using the input xb and randomness rb . In
b passes the message lengths, and identities of sender and receiver to Z.
addition Zsec
If Z requests the corruption of a party Pfirst then, if first 6= b the environment Zsec gives the output 0 and
quits. Else, if first = b, give the randomness rb and the actual messages produced and received on behalf of
the party Pb to the environment Z. From this point on, Zsec just executes Z (allowing Z to produce the final
output).
Now we consider the ideal world game with the environment Zsec and the simulator Ssemi . We note that, if
b = first, then this is a syntactical re-writing of IDEALF ,S,Z where the “imagined execution” produced by S
b . Let G be an event that this is the case (i.e. first = b). Then
is actually being run by the environment Zsec
conditioned on G, Game 2 matches Game 1.
c
{IDEALF ,S,Z } ≈ {IDEALF ,Ssemi ,Zsec | G}
Game 3 – Second Corruption adaptive Real World: We now use the semi-adaptive security of the protocol π
(as simulated by Ssemi ) to switch from the ideal-world (with environment Zsec and simulator Ssemi ) to the
real-world (with environment Zsec and a dummy-adversary A). In particular we claim:
c
{IDEALF ,Ssemi ,Zsec | G} ≈ {REALπ,A,Zsec | G}
To see this, we note that the event G occurs with probability 1/2 (since the view of Z is independent of the
choice of b by Zsec ). Also, if G does not occur, then the output of both of games is 0. Assume that our claim
does not hold, and so
Pr[IDEALF ,Ssemi ,Zsec = 1 | G] − Pr[REALπ,A,Zsec = 1 | G] ≥ ǫ
for some ǫ which is not negligible. Then
Pr[IDEALF ,Ssemi ,Zsec = 1] − Pr[REALπ,A,Zsec = 1]
= Pr[G](Pr[IDEALF ,Ssemi ,Zsec = 1 | G] − Pr[REALπ,A,Zsec = 1 |G])
+ Pr[¬G](Pr[IDEALF ,Ssemi ,Zsec = 1 | ¬G] − Pr[REALπ,A,Zsec = 1 |¬G])
= Pr[G](Pr[IDEALF ,Ssemi ,Zsec = 1 | G] − Pr[REALπ,A,Zsec = 1 |G])
= ǫ/2
where the summand in the 3rd line is 0 since, conditioned on ¬G, Zsec always outputs 0. This contradicts
the semi-adaptive security of π and hence out claim follows.
Game 4 – Real World: Now we notice that,
c
{REALπ,A,Zsec |G} ≈ REALπ′ ,A,Z
This follows simply from the fact that, conditioned on G the left-hand side is simply a syntactic rewriting of
the right-hand side, where the environment Z runs the protocol on behalf of Pb and passes the state of Pb to
Z.
By the hybrid argument, we therefore get
c
IDEALF ,S,Z ≈ REALπ′ ,A,Z
which completes the proof.
20
E.3 Proof sketch of Theorem 2.11
The simulation and the proof are similar to that of Theorem 2.10 as presented above. The main difference is that S
needs to set-up ℓ possibilities for how to explain the communication over the ℓ-non-committing channel. Formally,
the simulator S simulates stage (I) as in the proof of Theorem 2.10.
prot
Then for stage (II), the simulator S creates ℓ copies of the simulators Ssemi
and creates ℓ “honest-environments”
b
ITMs Zsec (x, y): one (environment, simulator) pair for each choice of party b, its input x ∈ Xb and its output
y ∈ Yb . We use the tuples (b, x, y) as indices and denote the (environment, simulator) pairs by
n
o
b
Ssemi , Zsec (x, y)
b∈{0,1},x∈Xb ,y∈Yb
b (x, y) runs the code of the party P as described by the protocol π using input
Each “honest-environment” Zsec
b
f
x. In addition, if S sec needs to be given output on behalf of FSFE
, it is given y. To simulate the communication,
S runs all ℓ simulations. It then initiates ℓ message-processing oracles Mi and randomly associates each i with
b (x, y). On each tuple of messages produced by the ℓ (environment,simulator) pairs, these
an environment Zsec
messages are given to the appropriate oracles and the output of the oracles is then used as side-channel information
given by S to Z. This is essentially a slightly more complicated version of the dummy communication phase used
in the simulation for Theorem 2.10.
For stage (III), when a party Pfirst is corrupted, the simulator S learns the input x and (possibly) output y of the
party Pfirst . It then explain the communication in stage II, by providing the internal state of the oracle corresponding
first (x, y) (if no input or output has been received then S can
to the (environment, simulator) pair for environment Zsec
first (x, y) (i.e.
choose one of few consistent options for which environment to open). It passes the internal state of Zsec
its random coins and view of the protocol execution) to Z on behalf of Pfirst .
For stage (IV), the simulator S continues the simulation by using the copy of Ssemi chosen in the above step.
Indistinguishability of Simulation:
games argument.
This is similar to the proof of Theorem 2.10 and proceeds as a series of
Game 1 – The Ideal World: We define Game 1 to be IDEALF f ,S,Z - that is the ideal-world simulation with the
SFE
environment Z and the simulator S (as described above) interacting with the ideal functionality Ff .
Game 2 – Second Corruption Adaptive Ideal World: This is similar to Game 2 of the proof of Theorem 2.10.
The one difference is that, for stage (II), the environment Zsec now produces the side-information for Z by
using a message-processing oracle to encrypt the actual protocol execution by Pb , and ℓ−1 message-ignoring
oracles for the rest. Again, we define the event G as in Game 2 of the proof for Theorem 2.10. It is easy to
see that:
c
{IDEALF ,S,Z } ≈ {IDEALF ,Ssemi ,Zsec | G}
Indeed, the two worlds are syntactical re-writings of each other, in the sense that the left hand side has Z being
simulated by S which runs a conversation Zsec and Ssemi while, on the right hand side, Zsec is running the
whole time and is simulated by Ssemi . The one difference is that, in Game 1, there are ℓ message-processing
oracles, while in Game 2, there is only one and the rest are message-ignoring. However, by assumption, these
are indistinguishable.
Game 3 – Second Corruption adaptive Real World: We now use the second-corruption adaptive security of the
protocol π (as simulated by Ssemi ) to switch from the ideal-world to the real-world. In particular we get:
c
{IDEALF ,Ssemi ,Zsec | G} ≈ {REALπ,A,Zsec | G}
The argument is the same as in the proof of Theorem 2.10.
Game 4 – Real World: Now we claim that,
c
{REALπ,A,Zsec |G} ≈ REALπ′ ,A,Z
This follows simply from the fact that, conditioned on G the left-hand side is simply a syntactic rewriting of
the right-hand side, where the environment Z runs the protocol on behalf of Pb and passes the state of Pb to
Z.
21
By the hybrid argument, we therefore get
c
IDEALF ,S,Z ≈ REALπ′ ,A,Z
which completes the proof.
E.4 Proof of Theorem 3.2
To finish the proof, we first need to construct a simulator such that there is no PPT environment Z which follows a
second-corruption adaptive adversarial strategy can distinguish the execution with the adversary A and OT protocol
in the FCRS -hybrid world (see Figure 6), and the execution with the setup-adaptive simulator S and ideal functionality FOT . We further need to show the constructed simulator is input preserving as defined in Definition 2.8.
We give the construction of the simulator. Note that the underlying commitment is an adaptively secure commitment; so the simulator can take advantage of the extractability and equivocality of the UC commitment to set up
crs ot in the coins tossing stage based on the mode information. The simulation is very similar to that in [PVW08].
But now the underlying dual mode encryption satisfies an enhanced definition, and the simulator has more power
to handle the second-corruption adaptive attacks from the adversaries; the simulator can use the FakeEnc and
Recons algorithms to handle a further corruption of the sender if the receiver is initially corrupted, and use DualKG
algorithm to handle a further corruption of the receiver if the sender is initially corrupted.
Simulating the communication with Z. The simulator S simulates the adversary A internally which can
interact with the external environment Z, i.e., whenever A and Z exchange messages with each other, the
simulator will forward such messages between them. Further whenever A corrupts a party, S corrupts the
corresponding dummy party.
Trusted setup. Note that our S should be a setup-adaptive simulator which includes two parts S setup and
S prot . Here we give the construction of S setup . The simulator computes the CRS in the following way:
generate (crs com , τcom ) for the UC commitment, and generate (G, crs sys , τsys ) ← PGsys (1λ ), and further set
crs com and crs sys as crs, and set the corresponding trapdoor τcom and τsys as the trapdoor τ . When parties
query FCRS , return (CRS, sid , crs). Note that the CRS can be learned by A even no party is corrupted, and no
mode information has been committed by the simulator in the trusted setup stage. In next several items, we
construct the other part of the simulator, i.e., S prot .
Simulation of the initially corrupted receiver case. Given the adversary A is the second-corruption adaptive
adversary, here we consider the case that the receiver is corrupted initially while the sender is honest, and the
sender could be further corrupted at any point in the communication stage. The simulator chooses the messy
mode and simulates the sender as follows.
First, the simulator generates (crs tmp , τtmp ) ← PGtmp (mes, G, crs sys , τsys ), where (G, crs sys , τsys ) is
generated in the trusted setup, and now the messy trapdoor τot = (τsys , τtmp ) and the CRS crs ot = (crs sys , crs tmp );
then in the coin-tossing phase, the simulator computes s such that crs tmp = r + s, where r is extracted from
the commitment value from a corrupted receiver. Further, in the transfer phase, the simulator can obtain the
sender’s input x1−ρ for the non-messy branch 1 − ρ by querying the functionality FOT with the input bit 1 − ρ,
i.e., the simulator in the name of corrupted receiver sends (Receiver, sid , 1 − ρ) to the functionality and
obtain (Output, sid , x1−ρ ) from the functionality; note that here ρ is extracted by using the messy trapdoor
τot from the pk computed by the corrupted receiver; then the simulator computes y1−ρ honestly for x1−ρ by
using randomly selected ζ1−ρ , and computes yρ by running the fake encryption algorithm, i.e., (yρ , ωρ ) ←
FakeEnc(crs ot , τot , pk , ρ). Later if the sender is corrupted, then the simulator based on the learned xρ runs
the internal state reconstruction algorithm to compute ζρ , i.e., ζρ ← Recons(crs ot , τot , pk , ρ, yρ , ωρ , xρ ), and
returns (ζ0 , ζ1 ) as the sender’s internals.
Simulation of the initially corrupted sender case. Here we consider the case that the sender is corrupted initially while the receiver is honest, and the receiver could be further corrupted at any point in the communication
stage. The simulator chooses the decryption mode and simulates the receiver as follows.
First, in the coin-tossing phase, the simulator computes a fake commitment value based on (crs com , τcom );
then the simulator generates (crs tmp , τtmp ) ← PGtmp (dec, G, crs sys , τsys ), where (G, crs sys , τsys ) is previously generated in the trusted setup, now the decryption trapdoor τot = (τsys , τtmp ) and the CRS crs ot =
(crs sys , crs tmp ); after obtaining s, the simulator computes r such that crs tmp = r + s, where s is received
22
from a corrupted sender; later the simulator equivocates the previous fake commitment value into r. Further, in
the transfer part, the simulator runs (pk , sk 0 , sk 1 ) ← DualKG(crs ot , τot ). After receiving ciphertexts (y0 , y1 ),
the simulator decrypts them into (x0 , x1 ), e.g., xb ← Dec(crs ot , pk , sk b , yb ) for b = 0, 1. Then S sends
(Sender, sid , hx0 , x1 i) to the functionality FOT . Later if the receiver is corrupted the simulator, based on the
learned σ, reveals sk σ as the receiver’s internals.
Simulation of the remaining cases. If both parties are corrupted, the simulator just follows the internal A’s
instructions to simulate the transcripts between the two corrupted parties. If both parties are hones then the
simulator runs two parties honestly based on randomly selected inputs.
We next need to argue that no PPT environment can distinguish with non-negligible probability the interaction
with the protocol in the CRS hybrid world and second-corruption adaptive adversary A, or with the functionality
and simulator S described above.
H1 This is the CRS hybrid world.
H2 Based on H1, we change the CRS setup, and run (G, crs sys , τsys ) ← PGsys (1λ ). Now trapdoor τsys is known.
H1 and H2 are indistinguishable given that the system CRS are identically distributed and τsys is not used
yet.
H3 Based on H2, we change the CRS setup, generate (crs com , τcom ) for the UC commitment, and the trapdoor τcom
is known. If it is the case that the sender is honest but the receiver is initially corrupted, we do the following
further modification. We generate (crs tmp , τtmp ) ← PGtmp (mes, G, crs sys , τsys ), where (G, crs sys , τsys ) is,
as generated in H1. Next in the coin-tossing phase, compute s such that crs tmp = r + s, where r is extracted
from the commitment transcripts from the corrupted receiver. Now the messy trapdoor τot = (τsys , τtmp ) and
the CRS crs ot = (crs sys , crs tmp ). If later receive a corruption command from the adversary that an honest
sender is further corrupted, just reveal its input to the adversary.
H2 and H3 are indistinguishable given that the underlying commitment is UC secure and that the mode
indistinguishability of the underlying enhanced dual mode encryption.
H4 Based on H3, if it is the case that the sender is honest but the receiver is initially corrupted, we do the following
modification. Instead of honestly producing the ciphertexts (y0 , y1 ) for both branches, we extract the messy
branch number and use the faking encryption to produce the ciphertext for the messy branch, and later run
the state reconstruction algorithm to compute the internals when the sender is further corrupted. For the
non-messy branch, we compute the ciphertext honestly.
H3 and H4 are indistinguishable given the messy branch identification and ciphertext equivocation property
of the underlying enhanced dual mode encryption.
H5 We make a further modification based on H4. Now we turn to consider the case that the sender is corrupted
initially but the receiver is honest. In the coin-tossing phase, we fake the commitment transcripts from the receiver based on (crs com , τcom ) with the adversary. Further generate (crs tmp , τtmp ) ← PGtmp (dec, G, crs sys , τsys ),
where (G, crs sys , τsys ) is previously generated in H1. After obtaining s from the adversary, compute r such
that crs tmp = r + s. Now the decryption trapdoor τot = (τsys , τtmp ) and the CRS crs ot = (crs sys , crs tmp ).
Later we can equivocate the previous faked commitment transcripts into r if the receiver is further corrupted.
H4 and H5 are indistinguishable given that the underlying commitment is UC secure and that the mode
indistinguishability of the underlying enhanced dual mode encryption.
H6 Based on H5, if it is the case that the sender is corrupted initially but the receiver is honest, we do the following
modification. Instead of honestly producing the pk based on the receiver’s input, we use the dual key generation to produce pk and sk 0 , sk 1 , later reveals the corresponding decryption key as its internal state when the
receiver is further corrupted.
H5 and H6 are indistinguishable given the encryption key duality property of the underlying enhanced dual
mode encryption.
23
H7 Based on H6, now we consider the cases that both parties are initially corrupted and that both parties are
honest. For the former, just follow the adversary’s instruction, and for the latter generate the transcripts
honestly based on randomly selected inputs and the real inputs are not used.
H6 and H7 are indistinguishable given that the underlying dual mode encryption is secure.
H8 The ideal world running with the simulator S and the ideal functionality FOT .
In H7, the inputs for honest parties are not used. So H7 and H8 are indistinguishable. Therefore the difference
between the CRS hybrid world and the ideal world are negligible.
Based on the above argument, we conclude that the protocol in Figure 6 is second-corruption adaptively secure.
Next we need to show the constructed simulator is input-preserving as defined in Definition 2.8. This can
be easily verified. For the case with a corrupted sender and an honest receiver, if the corrupted sender honestly
follows the protocol using input hx0 , x1 i, the input can be extracted as in the description of S; further S must
submit the extracted hx0 , x1 i to the functionality, otherwise the environment can distinguish the two worlds based
on the output from the honest receiver. Similarly for the case with an honest sender and a corrupted receiver, if the
corrupted receiver honestly follows the protocol using input σ, the input can be extracted as in the description of
S; further S must submit the extracted bit σ to the functionality to learn xσ , otherwise if S submit a different bit
1 − σ to the functionality and learn x1−σ , the simulator has no idea of xσ , and the environment can distinguish the
two worlds based on the output from the corrupted receiver.
Together we show the protocol based on Figure 6 is semi-adaptively secure to realize FOT in the CRS hybrid
model. This finishes the proof.
F
QR-Based Enhanced Dual Mode Encryption
We first review the dual mode encryption based on quadratic residuosity (QR) assumption in [PVW08], then we
show this scheme is actually an enhanced dual mode encryption as defined in Definition 3.1 under the same assumption.
The QR-based dual mode encryption in [PVW08] is based on a variant of Cocks’ encryption scheme [Coc01]
as follows. For N ∈ N, let JN denote the set of all x ∈ ZN with Jacobi symbol +1, and QRN ⊂ JN denote the set
of all quadratic residues in Z∗N , and ( Nt ) denote the Jacobi symbol of t in Z∗N . The message space is {±1}.
The key generation algorithm (pk , sk ) ← CocKG(1λ ): Randomly select two λ-bit primes p and q and set
$
N ← pq. Randomly select r ← Z∗N and set y ← r2 . Set pk ← (N, y), and sk ← r. Output (pk , sk ).
$
The encryption algorithm (c, s) ← CocEnc(pk, m): Parse pk as (N, y). Randomly select s ← Z∗N such that
( Ns ) = m, and compute c ← s + y/s. Output (c, s).
The decryption algorithm m ← CocDec(sk , c): Parse sk as r. Compute the Jacobi symbol of c + 2r, i.e.,
m ← ( c+2r
N ). Output m.
We next present the enhanced dual mode cryptosystem which is based on the above scheme.
• The parameter generation algorithm (crs, τ ) ← PG(1λ , µ) for the messy mode and the decryption mode are
presented as follows where µ ∈ {mes, dec}, crs = (JN , crs sys , crs tmp ), and τ = (τsys , τtmp ).
⋆ (JN , crs sys , τsys ) ← PGsys (1λ ): Randomly select two λ-bit primes p and q and set N ← pq. Set
crs sys ← N and τsys ← (p, q). Output (JN , crs sys , τsys ).
$
⋆ (crs tmp , τtmp ) ← PGtmp (mes, JN , crs sys , τsys ): Randomly select y ← JN \ QRN . Set crs tmp ← y and
τ ← ∅. Output (crs tmp , τtmp ).
$
⋆ (crs tmp , τtmp ) ← PGtmp (dec, JN , crs sys , τsys ): Randomly select s ← Z∗N and set y ← s2 mod N . Set
crs tmp ← y and τtmp ← s. Output (crs tmp , τtmp ).
• The key generation algorithm (pk , sk ) ← KG(crs, σ):
$
Parse the crs as (JN , N, y). Randomly select r ← Z∗N , set sk ← r and pk ← r2 /y σ . Output (pk , sk ).
24
• The encryption algorithm (c, ζ) ← Enc(crs, pk, b, m):
Parse the crs as (JN , N, y). Set pk b ← (N, pk · y b ). Compute (c, ζ) ← CocEnc(pk b , m). Output (c, ζ).
• The decryption algorithm m ← Dec(crs, pk , sk , c):
Parse the crs as (JN , N, y). Compute m ← CocDec(sk , c). Output m.
• The messy branch identification algorithm ρ ← MessyId(crs, τ, pk ):
Parse the crs as (JN , N, y) where y ∈ JN \ QRN . Parse the trapdoor τ as (p, q) where N = pq. If
pk ∈ QRN , then set ρ ← 1; otherwise set ρ ← 0. Output ρ.
• The fake encryption algorithm (c, ω) ← FakeEnc(crs, τ, pk , ρ):
Parse the crs as (JN , N, y) where y ∈ JN \ QRN . Parse the trapdoor τ as (p, q) where N = pq. Set
y ′ ← pk · y ρ and set pk ρ ← (N, y ′ ); note that y ′ ∈ JN \ QRN . Compute (c, ζ0 ) ← CocEnc(pk ρ , m), i.e.,
and compute c ← ζ0 + y ′ /ζ0 . Based on the messy characterization explored in Lemma 6.1 in [PVW08],
compute ζ1 , ζ2 , ζ3 such that ζ1 = ζ0 mod p and ζ1 = y ′ /ζ0 mod q, ζ2 = y ′ /ζ0 mod p and ζ2 = ζ0 mod q,
ζi
) are +1, and the other two are −1. Set
ζ3 = y ′ /ζ0 mod p and ζ3 = y ′ /ζ0 mod q; note that two of ( N
ω ← (ζ0 , ζ1 , ζ2 , ζ3 ). Output (c, ω).
• The internal state reconstruction algorithm ζ ← Recons(crs, τ, pk , ρ, c, ω, m):
Parse the crs as (JN , N, y) where y ∈ JN \ QRN . Parse the trapdoor τ as (p, q) where N = pq. Set ζ ← ζi
ζi
) = m. Output ζ.
where ζi is from ω such that ( N
• (pk , sk 0 , sk 1 ) ← DualKG(crs, τ ):
Parse crs as (JN , N, y) and the trapdoor τ as s where y = s2 mod N and N = pq. Randomly select
$
r ← Z∗N , set sk b ← r · sb for b ∈ {0, 1}, and pk ← r2 . Output (pk , sk 0 , sk 1 ).
Theorem F.1. Under the quadratic residuosity assumption, the above scheme is an enhanced dual mode encryption
as defined in Definition 3.1.
Proof sketch. The proof is very similar to that of Theorem 6.2 in [PVW08]. The first two properties can be argued
directly based on their proof. The fourth property can also be argued based on their proof because in the key
generation, the randomness used by the KG is exactly the decryption information which is included in decryption
key sk . For the third property, besides their argument, we need further to show for all m ∈ {±1}, the distribution of
(c, ζ) from the honest encryption algorithm is identical to that produced by the fake encryption and reconstruction
algorithms.
$
For m = +1, the former distribution can be written as {(c, ζ)|ζ ← JN , c = ζ + y/ζ}; the latter distribution
$
can be written as {(c, ζ0 )|ζ0 ← JN , c = ζ0 + y/ζ0 = ζ1 + y/ζ1 , ζ1 = ζ0 mod p, ζ1 = y/ζ0 mod q} which can be
$
further rewritten as {(c, ζ0 )|ζ0 ← JN , c = ζ0 + y/ζ0 }; so the two distribution are identical.
$
For m = −1, the former distribution can be written as {(c, ζ)|ζ ← Z∗N \JN , c = ζ +y/ζ}; the latter distribution
$
can be written as {(c, ζ1 )|ζ0 ← JN , c = ζ0 + y/ζ0 = ζ1 + y/ζ1 , ζ1 = ζ0 mod p, ζ1 = y/ζ0 mod q} which can
$
be further rewritten as {(c, ζ1 )|ζ0 ← JN , c = ζ0 + y/ζ0 = ζ1 + y/ζ1 , ζ1 = ζ0 mod p, ( ζN1 ) = ( yq )( ζN0 )}; note that
$
$
( ζN1 ) = ( yq )( ζN0 ) = −1 · ( ζN0 ) since y ∈ JN \ QRN ; given ζ0 ← JN , we can have ζ1 ← Z∗N \ JN ; therefore the latter
$
distribution can be rewritten as {(c, ζ1 )|ζ1 ← Z∗N \JN , c = ζ0 +y/ζ0 = ζ1 +y/ζ1 , ζ1 = ζ0 mod p, ( ζN1 ) = ( yq )( ζN0 )},
$
and then {(c, ζ1 )|ζ1 ← Z∗N \ JN , c = ζ1 + y/ζ1 } which is identical to the former distribution.
Together we show the two distributions are identical, which concludes that the third property is also satisfied.
This completes the proof.
25
G DDH-based Adaptively Secure Bit and String OT
Here we give a high-level description of adaptively-secure OT constructions from the DDH-based protocol in
[PVW08]. We first review the original DDH-based OT construction from PVW. Then we show how to use it to
construct adaptively secure bit OT and finally string OT.
G.1 Dual Mode Encryption Based on DDH
We assume that the parties agree to work in the DDH group G of order p where p is chosen based on the security
parameter.
• Common Random String: The common random string consists of four group elements crs = (g0 , h0 , g1 , h1 ).
– PG(“messy”). In messy mode the four group elements are uniformly and independently distributed.
They are generated by choosing g0 , g1 randomly in G, (x0 , x1 ) randomly in Zp and setting h0 =
g x0 , h1 = g x1 . The messy trapdoor is t = (x0 , x1 ). We output hcrs = (g0 , h0 , g1 , h1 ), ti.
– PG(“decryption”) In decryption mode the four group elements form a DDH tuple: g0 is chosen randomly in G and two values x, y are chosen randomly in Zp . We set g1 = g0y , h0 = g0x , h1 = g1x = g0xy .
The decryption trapdoor is t = y. We output hcrs = (g0 , h0 , g1 , h1 ), ti.
The main difference between messy mode and decryption mode is that in decryption mode, Dlogg0 (h0 ) =
Dlogg1 (h1 ) while in messy mode this happens with negligible probability.
• KG(σ): Given a bit σ ∈ {0, 1}, choose r ← Zp . Let g = gσr , h = hrσ . Set pk = (g, h), sk = r. Output
(pk, sk, σ).
• Enc(pk, m, b): Given a public key pk = (g, h), a message m and a bit b, choose s, t ← Zp and set u := gbs htb
v := g s ht . Set the ciphertext c = (u, v · m). Output (c, b).
• Dec(sk, b, σ, c) : Given a secret key sk = r with label σ and a ciphertext c = (c0 , c1 ) with label b = σ,
output m′ = cr0 /c1 .
• MessyId(pk, t): Given the messy trapdoor t = (x0 , x1 ) and a public key pk = (g, h) test for h = g0x . If the
test passes, label the key as a left-key by outputting e = 0. Otherwise label it as a right key by outputting
e = 1.
• DualKG(t): Given the decryption trapdoor t = y, we can compute a key pair (pk, sk) which can be used to
decrypt both left and right decryptions. To do so compute (g, h) = (g0r0 , hr00 ), where r0 is chosen randomly,
and then compute r1 = r/y so that (g, h) = (g1r1 , hr11 ). Output (pk, sk = (r0 , r1 )). Later, we can call the
Dec procedure with secret keys r0 or r1 to decrypt both left and right ciphertexts.
G.2 Bit OT
There is one main problem in the above scheme when it comes to adaptive security. When the key and the encryption type do not match in messy mode (i.e. a left encryption under a right key) the encryption is statistically hiding.
However, for adaptive security, the simulator also needs to be able to generate a valid looking ciphertext of this
form and later be able to explain it as a valid encryption of any specified message. Unfortunately, in the current
scheme, this might not be possible since the encryption can be binding even for a simulator who knows the messy
trapdoor.
To see this in detail, recall that the receiver can choose an arbitrary public key g, h. If h 6= g x0 , then left
r(s+tx′1 )
encryption is statistically hiding since u = g0s ht0 = g0s+tx0 , v = g s ht = g0
for some r, x′1 6= x0 and hence
u, v are statistically independent. However, for any left ciphertext (c0 , c1 ), if the simulator can explain the ciphertext
as an encryption of either one of two different messages m 6= m′ , then the simulator can compute s, t, s′ , t′ such
′
′
that g s ht m = c1 = g s ht m′ . This presents two problems. Firstly, the simulator must know Dlogg (h) but g, h can
be chosen arbitrarily by the receiver. Secondly, the simulator must know Dlogg (m) but m is also chosen arbitrarily
without input from the simulator.
26
The second problem is the easier of the two to solve - we simply shrink the message space of the encryption
scheme to 1 bit: to encrypt a bit e ∈ {0, 1} we simply use the original scheme on the message m = g e ∈ {1, g}.
This way, the simulator knows Dlogg (m) for both eligible messages.
The first problem is a little trickier, but we notice that the honest receiver always chooses g, h such that
Dlogg (h) ∈ {x0 , x1 }. Somehow we need to disallow the cheating receiver from choosing arbitrary g, h. To do
so, we want the receiver to prove that either Dlogg (h) = Dlogg0 (h0 ) or Dlogg (h) = Dlogg1 (h1 ). Actually, we can
make the receiver prove an equivalent statement that either Dlogg0 (g) = Dlogh0 (h) or Dlogg1 (g) = Dlogh1 (h).
We take advantage of the fact that there are efficient Σ protocols for the equality of discrete logs. Actually we need
the Σ protocol to be non-erasure in the sense that if the receiver, after generating the transcript with the sender,
is corrupted, the simulator can “explain” such Σ protocol transcript. Further the Σ protocol is required to defend
against a dishonest verifier; we can use a trick by Damgård [Dam00] to transform a Σ protocol against honest verifier into one against dishonest verifier by using an equivocal commitment to “hide” the first move of the Σ protocol
until receiving the challenge from the verifier. Please refer to [Nie03, Section 2.9] and [Nie05] for more details.
Let (a, c, z) be the three moves of the non-erasure Σ-protocol against a dishonest verifier. The protocol therefore
becomes:
• Let crs ot = (g0 , g1 , h0 , h1 ).
• The receiver chooses a key pk = (g, h), sk using the key generation algorithm on his bit σ. In addition the
receiver computes the first message a of a Σ-protocol. Here the relation associated with the Σ-protocol is
defined as R = {(pk, crs ot ), r|(g = g0r ∧ h = hr0 ) ∨ (g = g1r ∧ h = hr1 )}.
• The sender sends a challenge c.
• The receiver sends a response z.
• The sender verifies that (a, c, z) is accepting and, if so, computes a left encryption of m0 = g e0 for the left
message e0 ∈ {0, 1} and a right encryption of m1 = g e1 for the right message e0 ∈ {0, 1} under pk.
The above yields a semi-adaptively secure bit-OT protocol. We now apply our compiler from Section 2.4, and
use somewhat non-committing encryption to protect the protocol transcripts to obtain a very efficient adaptively
secure bit OT based on the DDH assumption. We further remark that short (logarithmic size) string OT can be
similarly obtained.
G.3 String OT
The above approach for semi-adaptively secure bit OT based on DDH can be efficiently extended to obtain semiadaptively secure string OT, for larger strings of n bits. There are two issues that we must face in order to convert
the bit-OT scheme into a string-OT scheme. Firstly, we cannot simply increase the message space to all of Zp since
that would not allow for efficient equivocation. Secondly, we cannot use our standard somewhat non-committing
compilation since such a compiler is only efficient for small domains/ranges. Here we take a detour; we simply
“bundle” n copies of bit OT into a string OT for n bits. This can be done as follows. First the receiver computes
an equivocal commitment of his bit σ. Then, the sender and the receiver run n copies of bit-OTs in parallel, and
the Σ-protocol guarantees not only that each “public key” pk chosen by the receiver is well-formed, but also that
all public keys are based on same bit σ, which matches the commitment. Using Pedersen commitments, we have
efficient Σ-protocols for this language.
This already gets us an adaptive OT protocol assuming secure channels. However, we now show how to
efficiently use somewhat non-committing encryption to improve computational efficiency. The idea is that each
of the seperate bit-OT protocols is executed over its own “ℓ-equivocal channel” (essentially a fresh independent
channel for somewhat NCE). It is easy to show that this still allows the simulator to simulate the “initial corruption”.
Moreover, we notice that it is very efficient to set up n separate ℓ-NCE channels using (strict) O(n) public key
operations and strict constant number of rounds.5 This results in the parameters mentioned in Theorem 3.4.
5
Essentially, we need to use fully non-committing encryption to send n indices in the range [1, ℓ]. We can do so with the above efficiency
assuming n = Ω(λ). Recall that previously, for NCE of a single bit, we did not wish to sacrifice O(λ) operations and thus were forced to
use expected constant number of rounds/operations.
27
crs
x0 , x1
Sender
σ
Receiver
Commit(σ)
xn0 , xn1
crs
crs
Sn
{
xi0 , xi1
σ
Rn
n
xnσ
crs
p
co
ies
Si
crs
σ
of
Ri
bi
t-O
x10 , x11
xiσ
i
Ts
crs
crs
σ
n
l
lle
ra
pa
R1
S1
x1σ
xσ
Figure 8: DDH-based fully adaptively-secure String-OT protocol. The protocol consists of two stages. In the
first stage, the receiver sends an equivocal commitment on its input σ; for the purpose of giving a concrete examσ hγ . In the
ple, we here instantiate the equivocal commitment with Peterson commitment c = Commit(σ) = g△
△
second stage, the sender and the receiver run n copies of fully adaptively-secure bit-OTs explored in Section G.2
but with the relation updated in the Σ protocol, i.e., in i-th bit-OT, S i ⇐⇒ Ri , the relation is updated into
i
i
i
i
Ri = {(c, pk i , crs iot ), (ri , γ)|(g i = (g0i )(r ) ∧hi = (hi0 )(r ) ∧c = hγ△)∨(g i = (g1i )(r ) ∧hi = (hi1 )(r ) ∧c = g△hγ△)}
where crs iot = hg0i , hi0 , g1i , hi1 , Gi is obtained by S i and Ri after coin tossing phase, and pk i is in the first
move in transferring phase. Further G = (G, p, g∗ ) is a cyclic group with prime order p and generator g∗ , and
g0i , hi0 , g1i , hi1 , g△, h△ ∈ G.
28