Fast and Universally-Composable Oblivious Transfer and Commitment Scheme with Adaptive Security Megha Byali, Arpita Patra, Divya Ravi and Pratik Sarkar Indian Institute of Science, India {megha,arpita,divyar,pratiks}@iisc.ac.in Abstract. Adaptive security embodies one of the strongest notions of security that allows an adversary to corrupt parties at any point during protocol execution and gain access to its internal state. Since it models real-life situations such as “hacking”, efficient adaptively-secure multiparty computation (MPC) protocols are desirable. Such protocols demand primitives such as oblivious transfer (OT) and commitment schemes that are adaptively-secure as building blocks. Efficient realizations of these primitives have been found to be challenging, especially in the no erasure model. We make progress in this direction and provide efficient constructions that are Universally-Composable in the random oracle model. Oblivious Transfer. We present the first round optimal framework for building adaptively-secure OT in the programmable random oracle (PRO) model, relying upon the framework of Peikert et al. (Crypto 2008). When instantiated with Decisional Diffie Hellman assumption, it incurs a minimal communication overhead of one κ bit string and computational overhead of 5 random oracle queries over its static counterpart, where κ is the security parameter. This computation overhead translates to 0.02% and 1% in the LAN and WAN setting. Additionally, we obtain a construction of adaptively-secure 1-out-of-N OT by extending the result of Naor et al. (Journal of Cryptology 2005) that transforms log N copies of 1-outof-2 OTs to one 1-out-of-N OT in the PRO model. We complete the picture of efficient OT constructions by presenting the first adaptively secure OT Extension, extending the protocol of Asharov et al. (Eurocrypt 2015) for the adaptive setting using PRO. Our OT extension enables us to obtain adaptive OTs at an amortized cost of 3 symmetric key operations and communication of 3κ bit strings. It incurs a runtime overhead of 2% and 11.95%, in the LAN and WAN setting and almost no communication overhead over the static OT extension protocol. In concrete terms, the cost is 2 µs and 115 µs for each OT in LAN and WAN. Commitment Scheme. We present an adaptively secure commitment scheme in the Global Random Oracle model solely relying on observable random oracle (ORO). Our commitment scheme has a one-time offline setup phase, where a common reference string (crs) is generated between the parties using an ORO. In the online phase, the parties use the crs and ORO to generate commitments in a non-interactive fashion. Our construction incurs communication of 4κ bit strings and computation of 4 exponentiations and 4 random oracle queries for committing to an arbitrary length message. Empirically, it takes around 0.18ms and 0.2 ms for committing to 128 bits and 2048 bits respectively. It finds applications in secure two-party computation (2PC) protocols that adopt offline-online paradigm, where the crs can be generated in the offline phase and the scheme can be used in the online phase. 1 Introduction Secure multiparty computation (MPC) [Yao82, GMW87] is an area of cryptography that deals with multiple parties who wish to compute a joint function of their private inputs such that the goals of MPC i.e. correctness and privacy of inputs remain intact. Various security notions of MPC are defined in accordance with different types of adversaries. The area of MPC achieving security against a malicious adversary causing static corruptions has been the center of attention in the recent past. Here, static corruption refers to the model in which the adversary corrupts the subset of parties at the outset of the protocol. Most widely known protocols of [Lin13, HKK+ 14, MR17], consider malicious security against static corruptions. Although static security is of interest, it is desirable to achieve security against adaptive adversary. Adaptive security is a stronger corruption model that allows the adversary to choose which parties to corrupt during the protocol execution and models real-life situations in a more comprehensive way. For instance, it captures the event of “hacking”, where a hacker can illegally capitalize on the system and corrupt any workstation while protocols are in execution. Adaptive security is further classified based on secure erasures of the memory. An adaptively-secure protocol assuming erasure allows secure erasure of a workstation’s internal memory once it is corrupted by a hacker. [Can01] argued that security relying on erasures often leads to problems and is impractical, especially for real-life systems. It requires an inherent trust assumption on the part of a workstation that it will erase its memory upon being corrupted. Hence, adaptive security without erasures (referred to simply as adaptivesecurity throughout the paper) is preferable as it precisely models real world “hacking” attacks. However, the current literature of MPC dealing with adaptive adversaries is less explored compared to static security since it turns out to be considerably more challenging. In this paper, we explore the less traveled path of dealing with adaptive adversaries in the Universal Composability (UC) model of [Can01]. We aim at obtaining efficient, adaptively-secure primitives which are instrumental in construction of practical adaptively-secure MPC protocols. We focus on two such primitives in particular: Oblivious Transfer (OT) and Commitment schemes. In the literature, OT has been regarded as the fundamental primitive [Rab81, BCR86, Kil88, NP05, IPS08], known to be complete for MPC [Kil88]. Following that, many flavors of OT such as 1-out-of-2 OT [PVW08, CO15], 1-out-of-N OT [NP05], k-out-of-N OT [GH08], have been explored in past. In its most basic form, a 1-out-of-2 OT consists of two parties, sender S and a receiver R. S has input messages say m0 , m1 and R has a choice bit b. At the end of the protocol, R obtains message mb corresponding to his choice bit and nothing else. S remains oblivious to the message obtained by R. Various constructions of OT (mainly 1-out-of-2) have been proposed providing both static and adaptive security. The protocols of [CO15, PVW08, NP05] deal with malicious adversaries in the static model whereas those of [BCG17, BC16, CKWZ13, GWZ09] address the same in adaptive model. However, the OT protocols that achieve adaptive security lack optimality in terms of efficiency- rounds, computation and communication. We have round optimal and efficient protocols in the literature for the static case. However, designing adaptively-secure protocols has been a challenging task. Infact, there is no known OT protocol in the literature which is round optimal. In this direction, we 2 present the first round optimal OT protocol which is secure against adaptive adversaries without erasures. Another interesting direction to consider for OTs is to reduce the number of public key operations. The impossibility result by [IR89] states that its highly unlikely that OTs can be constructed without public key operations. In order to circumvent this limitation, the concept of OT Extension [Bea96, IKNP03, ALSZ13, ALSZ15, KOS15] was introduced and explored. It allows the parties to execute a small number of OTs, called seed OTs, and then extend them to obtain large number of OTs using cheap symmetric key operations. The amortized cost of generating one single OT reduces to a constant number of symmetric key operations. However, there is no known OT extension protocol in the adaptive setting. An effort towards obtaining adaptively secure OT Extension would be of quite interest as it would open the gates towards constructing large number of efficient adaptively secure OTs using small number of seed OTs. Our paper presents one such result for adaptively-secure OT extension. Commitment Scheme is another fundamental primitive in the MPC literature that draws attention. Informally, we describe a commitment scheme as follows: The sender S commits to a message m in a commitment c and sends c to the receiver R in the commit phase. In the decommit phase, R learns the message m, along with some decommitment information, such that R is convinced that indeed m was committed in the commit phase. Besides its involvement in MPC protocols, commitment schemes in the UC model also have implications in key exchange [DG03] and are non-malleable [CF01] in nature. In this work, we explore UC secure commitment protocols which are secure against adaptive adversaries. 1.1 Related Work The extensive use of fundamental building blocks of MPC has led to substantial work towards attaining efficient primitives. Since our work primarily focuses on universally composable OT and commitment schemes, we outline only the relevant literature below. Oblivious Transfer. The literature of OT is vast and quite diverse in terms of assumptions and security. We highlight few works that are closely related to ours. Firstly, in the standalone model, the works of [NP01, AIR01, HK12, Lin08] are statically-secure against malicious adversary. Secondly, in the UC model, [CLOS02] proposed the first UC secure OT protocol based on general assumptions. Their work includes construction of both static and adaptively UC-secure OTs. Despite being of theoretical interest, [CLOS02] motivated research towards obtaining OTs in the UC model. In the setting of static security, [GMY04] presented a constant round committed bit-OT under Decisional Diffie Hellman (DDH) and RSA assumptions. The work of [JS07] proposed a four round, UC-secure protocol under the Decisional Composite Residue (DCR) assumption. [HK07] provided the first round-optimal protocol that is UC-secure, assuming common reference string (crs). This was followed by the seminal work of Peikert et al. [PVW08], that provided a general framework for round optimal UC-secure OT protocols along with efficient instantiations based on DDH, Quadratic Residue and Learning With Errors (LWE) assumptions in the crs model. We denote the popular DDH based construction of the [PVW08] paper as PVW protocol in rest of the paper. 3 In the setting of adaptive security, the literature can be divided based on the erasure model. The works of [ABB+ 13, CKWZ13, BCG17, BC16, BC15] rely on secure erasures of the memory, whereas [GWZ09, CDMW09a, CDMW09b, BDD+ 17] consider the stronger model of no erasures. [CKWZ13] presented a framework for adaptively-secure OT in the global crs model. They provide instantiations under various assumptions- DLIN, Symmetric External Diffie Hellman (SXDH), DDH and DCR. However, their protocols are not round optimal and achieve adaptive security at the cost of significant overhead in communication and computation compared to the PVW protocol. [CKWZ13] also provided two constructions (Appendix A of [CKWZ13]) of [GWZ09] framework under Decisional Linear (DLIN) assumptions. These instantiations are adaptively-secure with erasures, with computational overhead reduced to constant number of exponentiations. There has been a separate line of work [BCG17, BC16, BC15, ABB+ 13] based on password-authenticated key exchange (PAKE) and smooth projective hash functions. They require atleast 3 rounds of communication, assuming erasures for adaptivity. On the other hand, achieving adaptivity with no erasures is a challenging task. [GWZ09] followed the compiler approach to transform the [PVW08] framework into an adaptively-secure OT using adaptively secure commitments. It was further improved by a recent work of [ABP17]. Both protocols incur an overhead of O(n) exponentiations, where n is the size of sender’s input messages. The works of [CDMW09a, CDMW09b] proposed constructions which are of theoretical interest. [CDMW09a] presented an OT construction using non-committing encryption (NCE). On the other hand, [CDMW09b] compiled protocols that are secure against a semi-honest adaptive adversary into one that is secure against a malicious adaptive adversary. The work of [CO15], the “simplest OT” protocol explored 3-round OT constructions in the PRO model. Although the paper claimed adaptive security, several bugs have been identified [GIR17, BDD+ 17, HL17] recently in their static security proof thereby rendering the protocol of [CO15] insecure in the UC model. Recently two more works ([HL17],[BDD+ 17]1 ) have claimed to achieve adaptive security in the same model. However, in Section 3, we give a justification that these protocols are not UC-secure. We note that the authors of [BDD+ 17] have updated their protocol and their new version presents a 3 round OT framework which can be instantiated under Learning from Parity with Noise, McEliece cryptosystem, QC-MDPC, LWE and Computational Diffie Hellman (CDH) in the PRO model. Their most efficient instantiation (under CDH) incurs twice the amount of communication, while maintaining the same computation cost as ours. Consequently, the problem of attaining an round-optimal, efficient and adaptivelysecure OT continued to remain open, which we try to address through our work. Table 1 summarizes the literature on adaptively-secure OT protocols and our result. We do not compare with [GWZ09, CDMW09a, CDMW09b, ABP17] in the table since they require atleast O(n) exponentiations, where sender’s input message is of n bits, whereas the other protocols in the table require constant number of exponentiations. Among the PAKE-based schemes we compare with the most efficient works of [ABB+ 13, BCG17]. Another interesting factor to consider is the model of security that these protocols satisfy. All of the above protocols (except [BDD+ 17]) are secure in the plain UC1 previous version of their paper 4 model [Can01] which allows private crs. There is a stronger model of security, i.e. the Generalized UC model (GUC) [CDPW07], which guarantees stronger compositional guarantees than the plain UC model. In the GUC model, the parties are not allowed to possess private crs and the random oracle is a public object, shared between arbitrary protocols. This prevents the simulator from manipulating the crs during simulation, rendering the simulation procedure more difficult. Interestingly, the recent work of [CDG+ 18] has shown that the random oracle in the GUC model can satisfy the property of programmability. Such a random oracle is formally known as Global Random Oracle (GRO). Utilizing the programmability feature of the GRO, our protocol and the protocol of [BDD+ 17] achieve adaptive security. Whereas, the other protocols require a local crs, which is private to one instance of the protocol, thereby hampering composition in the GUC model. Oblivious Transfer Extension. Next, we consider the problem of OT Extension, which was introduced by the work of [Bea96], followed by the seminal work of [IKNP03]. The paper of [IKNP03] presented an efficient 1-out-of-2 semi-honest OT Extension protocol which was secure against static adversaries. An optimized version of this protocol appeared in [ALSZ13]. The paper of [ALSZ15, KOS15] presented the actively secure versions. The paper of [KK13] gave constructions for 1-out-of-N case, which were made actively secure by [PSS17, OOS17]. However all of these protocols are in the static setting and it was not known whether adaptively-secure OT Extension protocol is possible. Our work answers it in an affirmative way by proving that existing static OT extension [ALSZ13, ALSZ15] schemes satisfy adaptive security under the PRO assumption. Table 1: Comparison among UC secure Oblivious Transfer Protocols Communication Computation (κ-bit strings / Sender Receiver Rounds Assumptions Group elements) SKE PKE SKE PKE [GWZ09] + [FLM11]1 83 3 26 3 72 4 DLIN [CKWZ13] 59 3 ≥14 2 ≥27 3 DLIN [CKWZ13] 43 3 ≥8 2 ≥15 3 SXDH [CKWZ13] 35 4 19 3 37 4 DDH [CKWZ13] 28 4 13 3 26 4 DCR + [ABB 13] 15 2 13 1 11 3 SXDH [BCG17] 10 4 18 4 9 3 SXDH PVW 6 8 3 2 DDH [BDD+ 17] 15 5 6 2 5 3 CDH Our scheme 7 3 8 2 3 2 DDH Our scheme Static Receiver 3 2 2 3 (by OT Extension) Equivocal OT Protocol Setup Security crs crs crs crs crs crs crs crs PRO PRO Adaptive with erasures Adaptive with erasures Adaptive with erasures Adaptive with erasures Adaptive with erasures Adaptive with erasures Adaptive with erasures Static Adaptive (GUC model) Adaptive (GUC model) PRO Adaptive (GUC model) Notations: SKE - symmetric key encryptions, PKE - exponentiations, GUC - Generalized UC , DDH - Decisional Diffie Hellman, DLIN - Decisional Linear, SXDH - symmetric external Diffie Hellman, CDH - Computational Diffie Hellman, DCR - Decisional Composite Residuosity, PRO - programmable random oracle 1 The commitment scheme used for instantiation is of [FLM11]. 5 Commitment Scheme. The study of UC secure commitment schemes was initiated by the seminal work of [CF01]. It was followed by the works of [CLOS02, DG03, HM04, Lin11, Fuj16, ABP17] and many more. We highlight some of the notable works in the relevant literature classified based on their round complexity, the security they achieve and the security model they are proven to be secure in. The contributions of [DG03, Lin11, GIKW14, Fuj16, FLM11, CJS14, ABP17] based on hardness assumptions such as DDH, DLIN and Discrete Log (DLP) are interactive (involve either an interactive commit or decommit phase) in nature. In contrast, the contributions of [CLOS02, CF01, HM04, FLM11, NFT09, ABP17] present noninteractive commitment (NICOM) schemes where both - commit and decommit phases are non-interactive. The offline-online paradigm also forms an interesting flavour of NICOM schemes. These schemes [CDD+ 15, DDGN14] consist of an input independent setup phase, which is run in the offline phase, while the NICOM is efficiently used in the online phase. The cost of the setup phase can be substantial but it gets amortized over multiple commitments. Our scheme also follows this particular model. Similar to OT literature, the literature regarding commitment schemes is concentrated mainly around static security [Lin11, BCPV13, CJS14, GIKW14, DDGN14, CDD+ 15, Fuj16, CDD+ 16]. Building commitment schemes against adaptive adversaries has been a challenging task, since it involves equivocation of the internal states of the parties in case corruption occurs. There have been few contributions in the past addressing adaptive security. Adaptively-secure schemes can be broadly classified into two categories based on their ability to erase the internal state of the party when corruption occurs. [NFT09, FLM11, BCPV13, Fuj16] proposed adaptively-secure protocols which rely on secure erasure of the party’s internal state whereas the constructions of [CF01, CLOS02, HM04, ABB+ 13, HV15, ABP17, HPV17] achieved the same level of security without erasures. We skim through the protocols in the non-erasure model and compare all the above mentioned works with our protocol in Tab. 2. [HV15] presented a theoretical construction of an interactive adaptive commitment scheme based on the minimal assumption of trapdoor simulatable public-key encryption. Since our focus is on adaptively-secure NICOM schemes, we elaborate the relevant NICOM results. [CF01, CLOS02, ABB+ 13, ABP17] provided schemes for bit commitments, communicating at least O(κ2 ) bits for committing to a κ bit string. [HM04] provided the first efficient NICOM for an arbitrary length message in the RO model and involves communication of constant number of bits for commitment. Programmability of RO is used to attain the property of equivocation in [HM04]. The literature can also be classified based on the security model they are proven secure in. All of the above protocols (except [HM04, CJS14, HPV17]) are proven secure in the plain UC-model [Can01]. Recall, that the work of [CDG+ 18] showed that the GUC model allows observability and programmability from the random oracle. Utilizing the programmability feature of the RO, the protocol of [HM04] achieves adaptive security in the GUC model. Also, the work of [CDG+ 18] showed that the folklore commitment scheme FRO (m; r) is GUC secure assuming programmability from FRO , where FRO is the RO functionality, m is the message and r is the randomness. And it can be trivially shown that it achieves adaptive security too. The work of [CJS14] presents a GUC secure static commitment scheme, relying on the observability prop6 erty of the GRO. [HPV17] presents a theoretical construction of an adaptively secure commitment scheme relying on one way function. They achieve GUC security in the tamper-proof hardware model. From the literature we can observe that, adaptive commitments in the GUC model either asks for programmability from the RO or it incurs a blowup in terms of efficiency. Hence, we can ask the following question: “Can we obtain an efficient, non-interactive commitment scheme based on the nonprogrammable random oracle which is adaptively secure in the GUC model?” Our paper answers it in affirmative by presenting an adaptively-secure NICOM in the offline-online model, relying solely on the observable property of the RO. Table 2 consolidates the comparison of various UC secure commitment schemes alongside our protocol. Table 2: Comparison among UC secure commitment schemes Communication Rounds Message Size (κ-bit strings / (Commit/ (bits) Group elements) Decommit) [Lin11] κ 14 1/4 [Fuj16] κ 10 1/3 [BCPV13] κ 12 1/3 + [CDD 16] κ 1 + o(1) 5/1 ≥9+ 1/1 + [CDD+ 15] κ 2 O(κ ) (one-time) 5 (one-time) [CJS14] poly(κ) 7 2/3 Protocols Assumptions Setup Security DDH + CRHF DDH + CRHF DDH+CRHF OT crs crs crs crs Static Static Static Static OT crs Static DLP ORO Static (GUC model) crs crs (Non-reusable) crs crs Adaptive with erasures Adaptive with erasures crs crs PRO crs crs Adaptive Adaptive Adaptive (GUC model) Adaptive Adaptive ORO Adaptive (GUC model) [FLM11] κ 21 1/1 DLIN + CRHF [NFT09] κ 7 1/1 DDH + sEUF-OT [Fuj16] [BCPV13] κ κ 10 14 3/1 3/1 DDH + CRHF DDH+CRHF [CF01] [CLOS02] [HM04] [ABB+ 13] [ABP17] κ κ poly(κ) κ κ Our Scheme poly(κ) O(κ) 1/1 DDH + UOWHF O(κ) 1/1 TDP 5 1/1 DLP O(κ) 1/1 SXDH O(κ) 1/1 DDH 4+ 1/1 + DLP O(ν|C|) (one-time) 4 (one-time) Adaptive with erasures Adaptive with erasures Notations: DDH - Decisional Diffie Hellman, CRHF - collision resistant hash function, DLP - Discrete Log Problem, DLIN - Decisional Linear, sEUF-OT - strongly unforgeable one-times signature, TDP - trapdoor permutations, UOWHF - universal one-way hash functions, OWF - one-way functions, ORO - observable random oracle, PRO - programmable random oracle, GUC - Generalized UC model ORO - observable random oracle, circuit C computes g x Note : The protocol of [CJS14] and [HM04] requires a non-interactive trapdoor commitment scheme. It has been instantiated with Pedersen commitment since to the best of our knowledge such a commitment scheme does not exist based on OWF. 1.2 Our Results In this work, we focus on optimizing the round complexity while attaining adaptive security in an efficient manner, for two widely used primitives: Oblivious Transfer and Commitment Scheme. We also present an adaptively secure well-defined transformation from log N 1-out-of-2 OTs to 1-out-of-N OT, restricting the number of exponen7 tiations to O(log N). Finally, we conclude with detailed implementation results of our primitives. Our contributions are stated below. Adaptively Secure 1-out-of-2 Oblivious Transfer. We construct the first OT framework that is round-optimal, GUC composable and adaptively-secure assuming no erasures. Our construction is motivated by the vital observation of [CO15] that the crs in OT can be replaced with the PRO. We apply the same observation on the static OT framework of [PVW08]. At the heart of their framework lies the Dual Mode Encryption Scheme (DME) which requires a crs for its functioning. We generate the crs of the Dual Mode Encryption (DME) scheme using the PRO. During simulation the crs can be suitably modified, to equivocate R’s view, by programming the PRO. However, for our scheme it should be possible to generate the crs of the DME using an RO. Hence, we customize the definition of DME, based on our requirements, to obtain a stronger version, called Samplable DME. Once the crs has been generated it can be suitably modified, to extract/equivocate R’s view, by programming the PRO. On the other hand, S’s messages are encrypted using another PRO, such that it enables equivocation of S’s view when required. Thus, we replace the crs in the round-optimal [PVW08] framework with PRO to achieve adaptive security. A similar observation was made by the work of [CJS14] where they tried to generate the crs using the observability property of the GRO. However, their goal was to obtain one-sided simulatable static OT in the GUC model. Whereas, we aim for adaptive security in the GUC model relying on the programmability feature. In our framework, the DME scheme can be instantiated under the DDH and LWE assumptions. Additionally, when instantiated with DDH assumption, our protocol incurs a computation overhead of 5 random oracle queries and a minimal communication overhead of one κ-bit string over the static protocol of PVW (the DDHbased instantiation of [PVW08]).Tab. 1 and Tab. 3 compare our scheme with various other schemes. Empirically our protocol requires 1.676s and 4.3s in LAN and WAN setting, incurring a nominal overhead of 0.02% and 1%, in the same settings, over PVW. The protocol of [BDD+ 17] requires at least the same runtime as ours, since the number of symmetric key operations in [BDD+ 17] is more than us, although the number of public key operations in both the protocols are same. Table 3: Table indicating implementation results for Oblivious Transfer protocol in LAN setting, for n = 128 and κ = 128. Scheme PVW [BDD+ 17] Our Scheme Our Scheme (from OT extension) Our Scheme (from OT extension) Communication Total Runtime Rounds Assumptions Security (bits) (s) 768 2.645 2 DDH Static 1920 > 2.647 3 CDH Adaptive 896 2.647 2 DDH Adaptive 716.7 20.954 × 10−7 3 DDH Adaptive 702 1.043 × 10−7 5 DDH Adaptive 8 Adaptively Secure 1-out-of-N Oblivious Transfer. The work of [NP05] established that log N copies of 1-out-of-2 OTs can be transformed to obtain one 1-out-of-N OT, which is statically-secure against active adversaries. This transformation implies existence of statically-secure 1-out-of-N OT at the expanse of O(log N) exponentiations. We extend their result to provide a formal proof that the transformation satisfies adaptive security under PRO assumption. At present, one adaptive 1-out-of-N OT protocol [ABB+ 13, BC15, BC16, BCG17] incurs atleast O(N) exponentiations. Our adaptive transformation brings down the number of exponentiations to O(log N); thereby matching the efficiency of statically-secure 1-out-of-N OT. Interestingly, it can be shown that for the semi-honest setting the seed OTs can be statically secure, if we consider the simulation of the 1-out-of-2 OTs in a non-blackbox manner. For the active setting, we can show that if the 1-out-of-2 OTs support equivocation of receiver’s view irrespective of equivocation of sender’s view then it is possible to generate adaptively-secure 1-outof-N OT from our transformation, if the simulation of the 1-out-of-2 OTs is performed in a non-blackbox manner. This implies that we can plug-in statically-secure 1-out-of-2 OTs which satisfy the property of receiver equivocability [GKPS18]. Oblivious Transfer Extension. We provide the first adaptively-secure protocols for OT Extension solely relying on the PRO assumption. In this regard we present two results, one corresponding to semi-honest setting and the other for the active setting. Our first result proves that the semi-honest protocol of [ALSZ13] can be made adaptively-secure. Interestingly, we show that the seed OTs can be statically secure, if we invoke them in a non-blackbox way. We know that for adaptive security, blackbox-usage of the seed OTs is not possible in our construction since it would violate the results of [LZ13, IR89]. [LZ13] proves that the existence of OT extension protocol, secure against semi-honest adaptive adversaries, imply OT protocol secure against static semi-honest adversaries. In that case, blackbox usage of seed OTs establishes that PRO would imply static semihonest OT, contradicting the result of [IR89] which states that public key operations are necessary for static OT. Our second result proves that the actively secure protocol of [ALSZ15] can be made adaptively-secure against active adversaries. The paper of [ALSZ15] gave two constructions - a 3 round and a 5 round OT extension in their paper. The 3 round OT extension consists of pair-wise consistency check for all the columns. Whereas, in the 5 round protocol, the parties performed a coin-tossing subprotocol and based on the outcome of the subprotocol, they performed a consistency check on the columns. The 5 round protocol is more efficient than the 3 round one due to reduced number of checks. Similarly, we consider a 3 round and a 5 round variant of our OT extension protocol. Interestingly, we demonstrate that the seed OTs in our case can be replaced with receiver equivocal static OTs which are secure against active adversaries. Our OT Extension protocols preserve the efficiency of the original static protocols, yielding adaptive 1-out-of-2 OTs at an amortized cost of 3 symmetric key operations and 3κ bits communication per OT. Moreover, if we combine the OT Extension protocol with our 1-out-of-N Transformation, then we obtain 1-out-of-N adaptive OTs at an amortized cost of N + 3 log N + 1 symmetric key operations per OT. The other adaptive protocols [ABB+ 13, BC15, BC16, BCG17, BDD+ 17] require O(N) public key operations instead. Next, we briefly highlight the implementation results regarding the OT extension protocol. The 5 round protocol is more efficient than 9 the 3 round one due to reduced number of checks. Empirically, the 3 round protocol has a rough multiplicative overhead of 20 over the 5 round protocol for LAN runtime, while generating 223 OTs together. The overhead will decrease for larger number of extended OTs, as the number of checks remain constant, while the number of extended OTs increase. Throughout the paper our implementation results for the OT extension protocol, correspond to the 5 round protocol unless specified otherwise. Empirically our OT extension protocol has an overhead of 2% and 11.95% over [ALSZ15] in the LAN and WAN setting respectively. The amortized (over 1.25 ∗ 105 ) cost of generating one adaptive 1-out-of-2 drastically reduces to 2.02 µs and 115.5 µs in LAN and WAN setting for OT output length n=16 bits. We also generate 1-out-of-16 OTs from 4 copies of 1-out-of-2 OTs using our transformation. The amortized cost for each 1-out-of-16 OT is 21.3 µs and 145.5 µs in LAN and WAN setting respectively. In Tab. 3 we compare our OT protocols with PVW and [BDD+ 17]. Our extended adaptive OTs are useful in practical MPC applications where the MPC protocols require a large number of OTs. In such a situation it can be observed that if we are given 3 rounds, then we can run our 3 round OT extension protocol to obtain adaptive OTs at a minimal cost of 2.1µs (amortized over 106 OTs), whereas other 3 round protocols (like [BDD+ 17]) would require 2.647s, which is 106 times slower than our extended OTs. The cost of each extended OT reduces drastically with amortization, i.e. the total number of extended OTs. Given 5 rounds, our OT extension protocol generates adaptive OTs at a cost of 0.1043 µs (amortized over 106 OTs). The protocol of [BDD+ 17] would be 12 × 105 times slower than our extended OTs. If we consider our 5 round OT extension protocol then the overhead factor increases to 25 × 106 . Commitment Scheme. We construct a NICOM, in the offline-online model, that is secure against an adaptive adversary without erasures. First, we generate a crs for Pedersen commitment using an ORO in the setup phase. The crs is of the form (g, h), where h = g x for g, h ∈ G and x ∈ Zp . G and Zp denote a multiplicative group of prime order p and a prime field of order p respectively. The setup phase is a 4 round protocol where the parties perform a coin tossing protocol and a Zero Knowledge Proof of Knowledge (ZKPoK) protocol, relying on garbled circuits. Once generated, the crs alongwith the ORO can be reused to construct several instances of the NICOM. Under the hood, the NICOM relies on the Pedersen Commitment [Ped91] for equivocation and the ORO for extraction of a corrupted committer’s input. Moreover, ORO permits committing to a message of length ℓ while incurring the overhead of committing to a κ bit string, where ℓ = poly(κ). Compressing the message from ℓ to κ bits does not break binding since we are in the RO model, where it is hard to find two different messages of arbitrary length s.t. the RO returns the same result upon being queried on those messages. Our protocol involves communication of one κ bit string, 3 group elements, computation of 4 exponentiations and 4 random oracle queries to commit to ℓ bits. This yields an efficient adaptively secure commitment scheme which is practically motivated for 2PC/MPC protocols based on offline-online paradigm [LR15, RR16]. The setup can be run in the offline phase while the commitment scheme can be conveniently used in the online phase. The ORO in our protocol can be instantiated using a SHA-256 hash function and it can be proven secure in GUC model. This renders our commitment scheme useful in real-life situations where concurrently many protocols are run and share the 10 same hash function. Table 2 compares our commitment schemes with the recent literature. In terms of empirical costs, our scheme takes approx. 0.18 ms and 0.20 ms to obtain commitment of 128 bits and 2048 bits respectively. In comparison, the scheme of [HM04] takes approx 0.42 ms and 0.49 ms for commitment of 128 and 2048 bits respectively. The protocol of [HM04] requires a non-interactive trapdoor commitment scheme which has been instantiated with Pedersen commitment since to the best of our knowledge such a commitment scheme does not exist based on OWF. The comparison can be viewed in Table 4. Based on the results, we conclude that our scheme is approximately 2 times faster than [HM04] even though we rely on a weaker assumption from the RO. Table 4: Table indicating implementation results for our Commitment Scheme πCOM and [HM04] in the LAN setting. Message Size (bits) Runtime Runtime Commitment Size of S (ms) of R (ms) (bits) Our Scheme 0.184 0.185 128 + 512 128 [HM04] 0.423 0.418 128 + 640 Our Scheme 0.189 0.187 256 + 512 256 [HM04] 0.435 0.432 256 + 640 Our Scheme 0.192 0.191 1024 + 512 1024 [HM04] 0.455 0.469 1024 + 640 Our Scheme 0.198 0.202 2048 + 512 2048 [HM04] 0.487 0.490 2048 + 640 Note: Commitment Size = message size + (commitment & decommitment size) 1.3 Scheme Roadmap The high-level overview of the primitives and notation used is presented in Section 2. In Section 3 we explain the bugs present in the security proofs of concurrent adaptive OT papers[CO15, BDD+ 17, HL17] in the PRO model. We proceed to the definition of Samplable DME (referred as DME only) in Section. 4. Then we present our OT protocol framework in Section 5. The 1-out-of-2 to 1-out-of-N OT transformation is elaborated in Section 6. Section 7 presents the results on OT Extension. Our commitment scheme is covered in Section 8. The implementation details of our protocols have been illustrated in Section 9. Finally, we conclude with prospective future work in Section 10. We provide a summary of UC framework for static and adaptive security in Appendix A for the sake of completeness. We refer to it for better comprehension of notations used in our security proofs. Appendices C and D present instantiations of our DME based on DDH and LWE assumptions. 11 2 Preliminaries In this section, we describe the notations used in our protocols and give a high-level overview of the primitives that are used in the paper. Notations. For the OT and NICOM protocol, we denote the sender by S and receiver by R. We denote by a ←R D the random sampling of a from a distribution D and the set of elements {1, . . . , n} is represented by [n]. Let PRF denote a secure pseudorandom function. A function neg(·) is said to be negligible, if for every polynomial p(·), there 1 exists a constant c, such that for all n > c, it holds that neg(n) < p(n) . We denote a probabilistic polynomial time algorithm as PPT. We denote the statistical security c s parameter by ν and the computational security parameter by κ. We use ≈ and ≈ to denote computational and statistical indistinguishability, respectively. Let Zp denote the field of order p, where p is a prime. Let G be the multiplicative group corresponding to Z∗p with generator g. For a bit b ∈ {0, 1}, we denote 1 − b by b. Garbled Circuits. The term ‘garbled circuit’ (GC) was coined by Beaver [BMR90] and used extensively only as a technique in secure protocols until they were formalized as a primitive by Bellare et al. [BHR12]. We use notations consistent with [BHR12] (described in Appendix B) for the garbling primitive used to generate CRS for our commitment scheme. Let GCk denote the k th garbled circuit instantiating circuit C. We assume that the randomness used for generating circuit k is derived from a κ-bit random string seedk using a PRF. We assume that the fan-in of each gate is 2. We can assume that each AND gate in the circuit has 2 ciphertexts and XOR gates have 0 ciphertexts, using the Half-Gate construction [ZRE15] as the garbling scheme. Oblivious Transfer. Oblivious transfer (OT) is a protocol between a sender (S) and a receiver (R). In a 1-out-of-2 OT, the sender holds two inputs a0 , a1 ∈ {0, 1}n and the receiver holds a choice bit σ. At the end of the protocol, the receiver obtains aσ . The sender learns nothing about the choice bit, and the receiver learns nothing about the sender’s other input aσ . The ideal OT functionality FOT is recalled below in Figure 1. Similarly a 1-out-of-N OT can be defined as FN-OT functionality in Figure 2. Fig. 1: The ideal functionality FOT for oblivious transfer FOT Choose: On input (rec, sid, σ) from R where σ ∈ {0, 1}; if no message of the form (rec, sid, σ) has been recorded in the memory, store (rec, sid, σ) and send (rec, sid) to S. Transfer: On input (sen, sid, (a0 , a1 )) from S with a0 , a1 ∈ {0, 1}n , if no message of the form (sen, sid, (a0 , a1 )) is recorded and a message of the form (rec, sid, σ) is stored, send (sent, sid, aσ ) to R and (sent, sid) to S. 12 Fig. 2: The ideal functionality FN-OT for oblivious transfer FN-OT Choose: On input (rec, sid, σ) from R where σ ∈ {0, 1}log N ; if no message of the form (rec, sid, σ) is present in memory, store (rec, sid, σ) and send (rec, sid) to S. Transfer: On input (sen, sid, {aj }Nj=1 ) from S with aj ∈ {0, 1}n , if no message of the form (sen, sid, {aj }Nj=1 ) is present in memory and a message of the form (rec, sid, σ) is stored, send (sent, sid, aσ ) to R and (sent, sid) to S. Commitment Schemes. Commitment schemes allow a party S to commit to a message m using randomness r. It keeps the message hidden, while allowing S to reveal the committed message later. We denote an UC secure commitment to message m with randomness r as C OM(m; r). The ideal commitment functionality FCOM has been depicted in Fig. 3. Fig. 3: Functionality FCOM FCOM FCOM interacts with sender S and receiver R: 1. On receiving input (C OMMIT, sid, m) from S, if sid has been recorded, ignore the input. Else record the tuple (sid, S, R, m) and send (R ECEIPT, sid, S, R) to R. 2. On receiving input (D ECOMMIT, sid) from S, if there is a record of the form (sid, S, R, m′ ) return (D ECOMMIT, sid, m′ ) to R. Otherwise, ignore the input. Random Oracle Model. A random oracle functionality is parametrized by a domain and a range and it is as FRO in Fig. 4. A random oracle query on message m is denoted by FRO (m). The random oracle functionality can be broadly classified [CDG+ 18] into three categories based on its features- plain RO, observable RO and programmable RO. A plain RO returns a random string, from its range, upon being queried on a message m, from its domain. An observable RO inherits the properties of the plain RO but in addition it grants the simulator to observe the queries made, to FRO , by the adversary. A programmable RO allows the simulator to program FRO (m) to return any string from the range, upon being queried on m for the first time. 3 Attack in Concurrent Works on UC-secure Adaptive OT Concurrent to our work, the works of [BDD+ 17, HL17] on OT, claim adaptive UC security in the PRO model. The previous version of [BDD+ 17] proposed a general framework for 2-round adaptive OT and provides instantiations under various assumptions such as Learning from Parity with Noise, McEliece cryptosystem, QC-MDPC, Learning With Errors and Computational Diffie Hellman (CDH). We note however that the authors of [BDD+ 17] have fixed their protocol, making it UC secure. [HL17] proposes a construction of 1-out-of-N OT under the CDH assumption. However, both protocols 13 Fig. 4: Functionality FRO FRO FRO is parameterized by a domain D and range R and it proceeds as follows, running on security parameter k: – FRO maintains a list L (which is initially empty) of pairs of values (m̂, ĥ), s.t. m̂ ∈ D and ĥ ∈ R. – Upon receiving a value (sid, m) (where m ∈ D) perform the following: If there is a pair (m, ĥ), for some ĥ ∈ R, in the list L, set h := ĥ. If there is no such pair, sample h ←R R and store the pair (m, h) in L. Once h is set, reply to the activating machine with (sid, h). as well as the ‘simplest OT’ construction of [CO15] are prone to a bug when we consider UC-security even against a statically corrupt receiver R∗ . The attack stems from the late input extraction of a statically-corrupt R as detailed below. The simulator for the case of static corruption of R, playing the role of honest S, can only extract R∗ ’s input by observing R∗ ’s query to RO, made in an attempt to decrypt its chosen message on receiving the last OT message from the sender. This implies that a corrupt R∗ can indefinitely delay the input extraction causing composition-related issues. The delayed input extraction allows us to demonstrate that their constructions do not realise the OT functionality FOT presented in Fig. 1 where S obtains a notification from the functionality, denoting the end of ideal world execution. Rather, they realise only w a weaker version of OT functionality FOT as depicted in Fig. 5. In the weaker variant w FOT , S does not obtain any notification from the functionality. Instead its role is limited w w to sending (sid, a0 , a1 ) to FOT , after which S halts. However, FOT is not composable and cannot be used in a bigger protocol to implement the oblivious transfer functionality. Our observation aligns with the work of [LM16], which states (in page 2, last para w , is not of Section 1) that the naive OT functionality (Fig. 1 in their paper), same as FOT composable whereas the modified/revised OT functionality (Fig. 3 of their paper), same as our FOT , can be proven to be composable. The late input extraction problem is referred to as “timing bug” in their paper (page 3, first paragraph). They explain the issue of composability due to timing bug in the naive OT functionality with an example of OT Extension protocol in Section 3. In Section 4, they address the issue by plugging in the revised OT functionality (FOT in our case). Interestingly, all the currently known UCsecure OT protocols, barring the protocols of [CO15, HL17], implement both FOT and w FOT functionalities and hence they are composable. In what follows, we first show that w . the protocols of [CO15, HL17] do not realise FOT functionality, but realise only FOT w Next, we demonstrate the compositional issue of using FOT in (yet another example) of 2PC protocol based on garbled circuit (GC) approach. To show that the constructions that feature delayed input extraction (a.k.a timing bug) do not realise FOT functionality, we consider an adversarial strategy where R∗ does not decrypt the last OT message. In the ideal world, Sim will not be able to extract R∗ ’s input as R∗ does not proceed to decrypting its chosen message from the last OT message. Consequently, Sim fails to invoke FOT functionality with R∗ ’s input and as a result, the FOT functionality keeps running. This causes a honest S in the ideal 14 w Fig. 5: The ideal functionality FOT for weaker OT w FOT Choose: On input (rec, sid, σ) from R where σ ∈ {0, 1}; if no message of the form (rec, sid, σ) has been recorded in the memory, store (rec, sid, σ) and send (rec, sid) to S. Transfer: On input (sen, sid, (a0 , a1 )) from S with a0 , a1 ∈ {0, 1}n , if no message of the form (sen, sid, (a0 , a1 )) is recorded and a message of the form (rec, sid, σ) is stored, send (sent, sid, aσ ) to R. world keep waiting for notification from the FOT functionality in order to terminate. Therefore, while honest S does not halt in the ideal world, it halts in the real world immediately after sending its last message. This difference in the behavior of honest S w can be used to distinguish between the two worlds by an environment. With FOT functionality, in the scenario mentioned above, an honest S would halt in both the worlds, preserving indistinguishability. w We now illustrate the compositional issue resulted from using FOT by means of a GC based 2PC protocol in the OT-hybrid model, where the evaluator E first involves with the constructor in a set of OT functionalities to choose the circuits that will be used for evaluation and respectively for checking and on completion of OTs, the constructor sends the GCs to the evaluator. When FOT was used, a simulator against a corrupt evaluator E∗ , extracts the inputs of E∗ from the OT and either constructs a fake/simulated w GC or a real GC based on the extracted input of E∗ . However in FOT -hybrid model, the ∗ ∗ simulator for a corrupt evaluator E (playing the role of R ) cannot exact the E∗ ’s input bits to OT and hence cannot substitute certain (evaluation to be specific) GCs with simulated ones (without getting caught with high probability). This difference would enable the environment Z to distinguish between both worlds based on E∗ ’s view. 4 Samplable Dual-Mode Encryption The seminal paper of [PVW08] introduced the primitive of dual mode encryption (DME). It works like a regular public key encryption scheme, alongside a notion of encryption branches. The key generation algorithm, takes a branch σ ∈ {0, 1} as an input, alongside the crs, to generate the public and secret key pair (pk, sk). Messages encrypted using pk, on branch σ, can be decrypted using sk, whereas the messages encrypted on the other branch remains hidden under certain conditions, described next. The encryption scheme can be further initialized in either of the two modes - messy or decryption mode, based on the setup phase. The setup phase is invoked with the mode and it returns (crs, t) to the invoking party, where t is the trapdoor for the crs. If the mode is initialized to messy, then the message encrypted on branch 1 − σ remains statistically hidden. Also, it is possible to extract the branch value 1 − σ (and σ can be computed) given pk and t. Whereas, if the scheme is set to decryption mode, then it is possible to generate secret keys sk0 and sk1 which decrypts ciphertexts on branches 0 and 1 respectively. Formally, a dual mode encryption scheme is defined as follows: 15 – (crs, t) ← SetupMessy(1κ ): It is a randomized algorithm that takes as input the security parameter κ and outputs the crs and the trapdoor information t, for the messy mode. It enables the invocation of FindMessy algorithm. (crs, t) ← SetupDec(1κ ): It is a randomized algorithm that takes as input the security parameter κ and outputs the crs and the trapdoor information t, for the decryption mode. It enables the invocation of DecKeyGen algorithm. – (pk, sk) ← KeyGen(crs, σ): It is a randomized algorithm that takes as input the crs and the branch σ and returns the public/encryption and secret/decryption key pair (pk, sk) for branch σ. – (y, r) ← Enc(pk, σ, m): It is a randomized algorithms that takes as input pk, the branch σ and the message m ∈ {0, 1}κ . It returns the ciphertext y, encrypted on branch σ and the randomness r, used for the encryption. – m ← Dec(sk, y): It is a deterministic algorithm that takes in input sk and y and it returns m only if sk and y correspond to the same branch. – b ← FindMessy(pk, t): It returns the branch value b ∈ {0, 1} given pk and the trapdoor t, when the mode is set to messy. The message encrypted on this branch is statistically hidden. – (pk, sk0 , sk1 ) ← DecKeyGen(t): It is a randomized algorithm that generates a key pair (pk, sk0 , sk1 ) when it is invoked with the trapdoor t as input and the mode is set to decryption. The secret key skb , b ∈ {0, 1}, enables decryption of ciphertexts on branch b. The above defined scheme satisfies correctness and four security properties, as mentioned in the [PVW08] paper. In addition, the dual mode encryption scheme must satisfy another property for our OT protocol. It must be possible to generate a crs for the messy mode from a random oracle query with overwhelming probability. We outline the correctness and security properties as follows: – Correctness: For every mode, for all (crs, t) ← SetupMessy(1κ ) / SetupDec(1κ ), for each σ ∈ {0, 1}, for each (pk, sk) ← KeyGen(crs, σ), and for all m ∈ {0, 1}κ , the following holds Dec(sk, Enc(pk, σ, m)) = m. – Property 1 (Indistinguishability of modes): The crs generated from either modes are indistinguishable, i.e. for all (crs, t) ← SetupMessy(1κ ) and for all (crs′ , t′ ) ← c SetupDec(1κ ), the following holds crs ≈ crs′ . – Property 2 (Indistinguishability of Branches in Messy mode): In messy mode, the public key does not leak the branch value to a computational adversary i.e., for all c crs generated by SetupMessy, the following condition holds true- KeyGen(crs, 0) ≈ KeyGen(crs, 1). – Property 3 (Messy Branch Identification): For each crs generated by SetupMessy and for each pk returned by KeyGen(crs, σ), FindMessy(pk, t) returns the messy branch b, s.t. b = 1−σ. Moreover, any message encrypted on branch b is statistically s hidden, i.e. for every m0 , m1 ∈ {0, 1}κ , Enc(pk, b, m0 ) ≈ Enc(pk, b, m1 ). – Property 4 (Dual Decryptable Branches in decryption mode): For each (crs, t) ← SetupDec(1κ ) and for each (pk, sk0 , sk1 ) ← DecKeyGen(t), the following three conditions hold for all m, m0 , m1 ∈ {0, 1}κ : 16 s s s i. (pk, sk0 ) ≈ KeyGen(crs, 0), (pk, sk1 ) ≈ KeyGen(crs, 1) and (pk, sk0 ) ≈ (pk, sk1 ). ii. Dec(skb , Enc(pk, b, m)) = m for all b ∈ {0, 1}. c iii. Enc(pk, b, m0 ) ≈ Enc(pk, b, m1 ), for all b ∈ {0, 1}. – Property 5 (Samplable crs in Messy mode): for all c ∈ {0, 1}κ , (crs, t) ← SetupMessy(1κ ), the random oracle query FRO (c) is identically distributed to s the crs of messy mode except with negligible probability i.e., FRO (c) ≈ crs. The above DME scheme can be instantiated under the DDH and the LWE assumption, which has been provided in Appendices C and D respectively. The paper of [PVW08] provides proof for correctness and Properties 1-4 of DME instantiations under the two respective assumptions. We further demonstrate, in Appendices C and D, that they satisfy Property 5 too, thereby yielding a samplable DME. 5 Framework for Adaptive Oblivious Transfer In this section, we present our round-optimal framework for adaptive OT given a DME scheme, random oracles FRO1 and FRO2 . We first present a brief overview of our protocol and then we present our proof. R generates the crs by sampling a random string c and invoking the random oracle on c. R obtains a valid crs, in messy mode, except with negligible probability. He invokes the KeyGen with the crs and his choice bit σ to obtain a key pair (pk, sk) which would allow decryption on branch σ using sk. R sends c and pk to S. Property 2 ensures that pk does not leak about σ. S generates the crs using c and encrypts two random pads on both branches using pk. Finally, S encrypts his messages using RO queries on the pads. R can decrypt the pad corresponding to branch σ, due to correctness of the DME scheme, and thus obtain the message corresponding to choice bit σ. The framework has been presented as protocol πOT in Fig. 6. 5.1 Static Security To make the proof of adaptive security more comprehensible, we first prove that πOT realizes the ideal functionality FOT (Fig. 1) in presence of static adversaries. This is extended to adaptive security in Section 5.2. In order to prove static security, we describe a simulator Sim who behaves as the ideal world adversary and generates a view of Z which is indistinguishable from the view generated by the real world adversary Adv in the real world. It does so by invoking FOT , on behalf of the adversary in ideal world, and running a copy of Adv internally, in the head. We denote this internal adversary as AdvInt . Sim simulates the role of the honest parties and the environment to AdvInt in the internal execution. Whenever Adv corrupts a party in the real world, AdvInt also corrupts that party in the internal execution and Sim corrupts that party in the ideal world. At the end of the protocol AdvInt forwards its view to Sim who forwards it to Z as its ideal world view. We refer to Appendix A for clarity of AdvInt notation and details of static security in the UC model [Can01]. For static security, we prove Theorem 1 by considering the four exhaustive corruption cases namely : (1) Both S and R are honest (2) S∗ is corrupt while R is honest (3) S is 17 Fig. 6: Adaptively-Secure Oblivious Transfer Protocol πOT – Functionalities: Random oracles FRO1 : {0, 1}2κ → {0, 1}∗ and FRO2 : {0, 1}2κ → {0, 1}ℓ respectively. – Private Inputs: S has input messages (a0 , a1 ) and R has an input bit σ. Choose: – R samples c ←R {0, 1}κ . – R generates crs ← FRO1 (sid||c). – R computes (pk, sk) ← KeyGen(crs, σ). – R sends (c, pk) to S. Transfer: – S generates crs ← FRO1 (sid||c). – S samples r0 , r1 ←R {0, 1}κ . – S computes sb ← Enc(pk, b, rb ), for b ∈ {0, 1}. – S sets y0 = FRO2 (sid||r0 ) ⊕ a0 and y1 = FRO2 (sid||r1 ) ⊕ a1 . – S sends {(s0 , y0 ), (s1 , y1 )} to R. Local Computation by R: – Computes rσ = Dec(sk, sσ ) and outputs aσ = yσ ⊕ FRO2 (sid||rσ ). honest while R∗ is corrupt (4) Both S∗ and R∗ are corrupt. In each of the above cases we describe a simulator Sim and show that the real world view of Z is indistinguishable from its ideal world view. We first give a brief intuition of the security proof. Revisiting the proof of security for a static adversary [PVW08], note that Sim sets the crs in accordance with which party is corrupt, to enable input extraction of AdvInt in the internal execution. More specifically, while crs of the internal execution is set to messy mode when R is corrupted, it is set to decryption mode when S is corrupted. Sim can perform this by invoking SetupMessy (or SetupDec) to obtain (crs, t) and then program the random oracle to return the same crs. In the former case, FindMessy can be suitably invoked to extract σ. In the latter case, Sim can invoke DecKeyGen to obtain secret keys on both branches and unlock both messages using the secret keys. The simulation of our protocol for static security is similar to that of PVW. We are ready to present the formal proof of Theorem. 1. We design an ideal world adversary Sim who creates an ideal world view IDEALF ,Sim,Z (1κ , z) of Z which is indistinguishable from the real world view REALF ,Adv,Z (1κ , z) of Z. Theorem 1. If DME is a samplable dual mode encryption scheme then protocol πOT securely realizes the FOT functionality against static active adversaries in (FRO1 , FRO2 )hybrid model. The Simulator: We describe the simulator Sim for each possible case of corruption. Case 1. S and R are honest: In this case Sim acts on behalf of both parties in the internal execution. At the end, AdvInt generates his view without corrupting any party and sends it to Sim who forwards it to Z. 18 (i) Simulating the crs and R’s message: Sim obtains (crs, t) ← SetupDec. Sim samples c ←R {0, 1}κ and programs FRO1 (sid||c) to return crs. Sim invokes DecKeyGen(t) to obtain (pk, sk0 , sk1 ) and sends (c, pk) as the first OT message to S on behalf of R in the internal execution. (ii) Simulating S’s message: Sim sets (s0 , s1 ) as per the protocol and (y0 , y1 ) are set randomly. Sim sends the simulated message on behalf of S. (iii) Simulating R’s computation: Sim completes the simulation on behalf of R in the internal world. Case 2. S∗ is corrupted and R is honest: In this case, Sim acts on behalf of R in the internal execution. At the end, AdvInt generates the view of S∗ and sends it to Sim who forwards it to Z. (i) Simulating the crs and R’s message: Same as Case 1. (ii) AdvInt plays the role of S∗ and computes the sender message in the internal world. AdvInt sends the second OT message to R in the internal world. (iii) Simulating R’s computation: Sim decrypts r0 and r1 using secret keys sk0 and sk1 and obtains a0 and a1 from y0 and y1 . Sim invokes FOT with (a0 , a1 ) and completes the simulation on behalf of R in the internal world. Case 3. S is honest and R∗ is corrupted: In this case, Sim acts on behalf of S in the internal execution. At the end, AdvInt generates the view of R∗ and sends it to Sim who forwards it to Z. (i) Simulating the crs: AdvInt plays the role of R∗ and computes the receiver message in the internal world. Whenever AdvInt queries FRO1 (sid||c), Sim invokes SetupMessy to obtain (crs, t) and programs FRO1 (sid||c) to return crs. Sim stores the tuple in a list Q as (sid, c, crs, t). If a query is repeated then Sim returns the crs corresponding to the entry in Q indexed by the sid and c values. AdvInt sends the first OT message to S in the internal world. (ii) Simulating S’s message: Sim extracts the the choice bit, i.e. σ, of R∗ by invoking FindMessy(pk, t). Sim sends σ to FOT on behalf of R in the ideal world, obtains aσ and constructs (sσ , yσ ) honestly. On the other hand, sσ is set honestly and yσ is set randomly. Finally, Sim computes the sender’s message and sends it to R∗ in the internal world. (iii) AdvInt computes on behalf of R∗ and completes the protocol in the internal world. Case 4. Both S∗ and R∗ are corrupted: This is a trivial case of corruption. Sim invokes AdvInt , who simulates messages of both parties and generates the view internally. At the end of execution, AdvInt sends the generated view to Sim who forwards it to Z. Indistinguishability: Here we show that the ideal world view IDEALF ,Sim,Z (1κ , z) of Z is indistinguishable from the real world view REALF ,Adv,Z (1κ , z) of Z. We denote REAL F ,Adv,Z (1κ , z) as hybrid HYBR . The ideal world view of Z varies based on the case of corruption. For case D (D ∈ [4]), we denote the ideal world view as HYBI.d . We prove that HYBR is indistinguishable from the corresponding ideal world view for each of the four exhaustive cases of corruption. 19 Case 1. S and R are honest: We prove that HYBR and the ideal world view i.e HYBI.1 is indistinguishable through a series of intermediate hybrids. – HYB1 : We consider a hybrid HYB1 which is same as HYBR except that here, the crs is generated using SetupDec. Indistinguishability follows from Property 1 of DME, i.e. indistinguishability of the two modes, and random sampling of c. A distinguisher for the hybrids can be used to break Property 1 or guess the exact value of c, both of which happen with negligible probability. - HYB2 : We consider a hybrid HYB2 which is same as HYB1 except that Sim generates pk using DecKeyGen. Indistinguishability follows statistically from Property 4i of DME, i.e. the branch remains statistically hidden when the DME is set to decryption mode. – HYB3 : We consider a hybrid HYB3 similar to HYB2 except that in HYB3 Sim constructs s0 and s1 using r0 and r1 whereas y0 and y1 are formed using different random pads, r0′ and r1′ . Indistinguishability between the hybrids follows from Property 4iii of DME, i.e. indistinguishability of ciphertexts in decryption mode. – HYBI.1 : We consider the ideal world hybrid HYBI.1 similar to HYB3 except that in HYBI.1 , Sim sets y0 and y1 randomly. AdvInt can distinguish between the hybrids only if the values r0′ or r1′ are guessed precisely and queried to the random oracle. This event occurs with negligible probability in the random oracle model and as a result indistinguishabilty between the hybrids follows. Case 2. S∗ is corrupted and R is honest: We prove that HYBR and the ideal world view i.e HYBI.2 is indistinguishable through an intermediate hybrid. – HYB1 : We consider hybrid HYB1 which is same as HYB1 in previous case. Indistinguishability between HYBR and HYB1 follows (similar to the previous case) from Property 1 of DME. – HYBI.2 : We consider a hybrid HYBI.2 similar to HYB1 except that in HYBI.2 Sim decrypts r0 and r1 and obtains a0 and a1 respectively using secret keys on both branches. Indistinguishability follows from Property 4ii of DME, which ensures that Sim can decrypt messages on both branches using the secret keys in the decryption mode. Case 3. S is honest and R∗ is corrupted: We prove that HYBR and the ideal world view i.e HYBI.3 is indistinguishable through a series of intermediate hybrids. – HYB1 : We consider a hybrid HYB1 which is same as HYBR except here the crs is generated using SetupMessy. Indistinguishability follows from Property 5 and 1, i.e. the crs in the messy mode can be sampled using the random oracle and the crs in the messy mode is indistinguishable from the crs in decryption mode. Another possible way of distinguishing is if the distinguisher can guess the value of the crs without querying c to the random oracle, but that happens with negligible probability, due to the random oracle assumption. – HYB2 : We consider a hybrid HYB2 which is same as HYB1 except that, here, Sim extracts the value of σ, by invoking FindMessy(crs, t), and sends it to FOT and obtains aσ . Indistinguishability follows from Property 3 of DME. 20 – HYB3 : We consider a hybrid HYB3 similar to HYB2 except that in HYB3 , Sim constructs sσ using rσ , whereas yσ is formed using different random pad, rσ′ . Indistinguishability between the hybrids follows from the fact that rσ′ remains statistically hidden, due to Property 3, in the messy mode. – HYBI.3 : Finally we consider our ideal world hybrid HYBI.3 where yσ is set randomly. Indistinguishability follows from the random oracle assumption since the distinguisher has to guess rσ′ to distinguish between the two hybrids and this happens with negligible probability. Case 4. Both S∗ and R∗ are corrupted: In this case HYBR and HYBI.4 are generated by Adv and AdvInt after being in control of both honest parties in the real world and internal world respectively. As a result, the two views are identical. 5.2 Adaptive Security Building upon the proof of static security in the previous section, we now prove that πOT securely implements FOT in the presence of adaptive adversaries. We refer to Appendix A for details about the security model. We give a brief overview of the proof and then we present it formally. Following the lines of the static proof, Sim programs the crs of the internal execution to be in messy mode, when the receiver is corrupt in the first round, or in the decryption mode otherwise, to enable extraction of R’s input or S’s input respectively. In addition, Sim has to equivocate the view of R (resp. S), in the internal execution, when R (resp. S) gets corrupted adaptively by AdvInt . The proof demands equivocation only when R gets corrupted after sending the first OT message and/or S gets corrupted after sending the second OT message. This is done to ensure that the ideal world views (messages and internal state) of the simulated honest parties (in the internal execution) are consistent with the real world views (messages and internal state) of the actual honest parties else Z can distinguish between the two views. In the first scenario, when R is corrupted after the first OT message is sent, the mode is set to decryption, and Sim can extract secrets keys for both branches, corresponding to pk, by invoking DecKeyGen. When R gets corrupted and Sim obtains σ as R’s input, Sim can provide skσ as its secret key on branch σ. Equivocation is successful due to Property 4ii of DME. In the second case when S is corrupted after the second OT message is sent, the random values sent corresponding to (y0 , y1 ) by Sim have to be made consistent with sender’s actual input (a0 , a1 ). For this, Sim exploits the programmability of FRO2 to enforce that (y0 , y1 ) decrypts to (a0 , a1 ). We are ready to present the proof of Theorem 2. Theorem 2. If DME is a samplable dual mode encryption scheme then protocol πOT securely realizes FOT functionality against adaptive active adversaries in (FRO1 , FRO2 )hybrid model. Proof. We describe the simulator corresponding to the protocol πOT , for each possible case of adaptive corruption. 21 The Simulator: The simulator Sim that generates the ideal world view, is initialized with input values from Z based on which party is corrupted to facilitate simulation. Outset of the Protocol: Whenever AdvInt queries FRO1 (sid||c), Sim invokes the SetupMessy algorithm to obtain (crs, t) and programs FRO1 (sid||c) to return crs. Sim stores the tuple in a list Q as (sid, c, crs, t). If a query is repeated then Sim returns the crs corresponding to the entry in Q indexed by the sid and c values. R is honest in the first round: Sim computes R’s message similar to case 1(i) (R’s message for (S, R) case) of the static proof. The crs is set in the decryption mode by programming FRO1 (sid||c). Sim invokes DecKeyGen to obtain (pk, sk0 , sk1 ) and he sends c and pk as the first OT message to AdvInt on behalf of R in the internal execution. – S is honest in the second round: Sim acts on behalf of S in the internal execution. Sim simulates according to Case 1(ii) (S’s message for (S, R) case) of static proof. - Case 1(A). R is honest in the first round, S is honest in the second round, R∗ is corrupted after second OT message: Sim obtains σ and aσ in the ideal world. Sim equivocates pk by setting skσ as the secret key on branch σ. Additionally, Sim equivocates yσ s.t. aσ can be obtained from it. For this, Sim programs FRO2 (sid||rσ ) = aσ ⊕ yσ . At the end of the protocol, AdvInt outputs ⊥ and sends its internal state to Sim who forwards it to Z. Post Execution. In case of post execution corruption of S∗ , Sim obtains (a0 , a1 ) and needs to provide the internal randomness of S∗ s.t. y0 and y1 open to a0 and a1 . We note that yσ was previously equivocated. Equivocation of yσ is performed by programming FRO2 (sid||rσ ) = aσ ⊕ yσ . Sim sends the internal state of S∗ to Z who halts with an output. - Case 1(B). R is honest in the first round, S is honest in the second round, R is honest after second OT message: In this case, Sim acts on behalf of both parties throughout the protocol in the internal execution. At the end of the protocol, AdvInt outputs his random tape as its internal state to Sim who forwards it to Z. Post Execution. In case of post execution corruption of R∗ and S∗ , Sim obtains (σ, aσ ) and (a0 , a1 ), and has to provide the internal randomness of R∗ and S∗ to Z. Equivocation of both views is similar to the previous case (Case 1(A) of adaptive simulation) where the view of R∗ is equivocated first and then the view of S∗ is equivocated. Sim sends the equivocated views of R∗ and S∗ to Z, who halts with an output. – Case 2. R is honest in the first round, S∗ is corrupted in the second round: Sim receives the second message on behalf of R from S∗ in the internal execution. Simulation is performed as in Case 2(iii) (R’s computation for (S∗ , R) case) of static proof. AdvInt outputs ⊥ at the end of the protocol and sends its internal state to Sim who forwards it to Z. Post Execution. In case of post execution corruption of R∗ , Sim obtains σ and aσ and he proceeds like the simulator for case 1(A) of adaptive simulation. R∗ is corrupted in the first round: Whenever AdvInt queries FRO1 (sid||c), Sim invokes the SetupMessy algorithm to obtain crs and programs FRO1 (sid||c) to return 22 crs. Sim stores the tuple in a list Q as (sid, c, crs, t). If a query is repeated then Sim returns the the crs corresponding to entry in Q indexed by the sid and c values. AdvInt generates the first OT message which is sent to S in the internal execution. This is similar to Case 3(i) (R’s message for (S, R∗ ) case) in static proof. – Case 3. R∗ is corrupted in the first round, S is honest in the second round: Sim receives the first OT message, on behalf of S, from AdvInt controlling R∗ in the internal execution. Sim continues simulation as in Case 3(ii) (S’s message for (S, R∗ ) case) of static proof. Post Execution. In case of post execution corruption of S∗ , Sim obtains (a0 , a1 ) and needs to equivocate yσ such that it opens to aσ . Sim performs this by programming FRO2 (sid||rσ ) = yσ ⊕ aσ . The internal state of S∗ is revealed to Z who halts with an output. – Case 4. R∗ is corrupted in the first round, S∗ is corrupted in the second round: This is a trivial case since both parties are corrupted by the adversary. The parties are controlled by Adv/Sim/AdvInt in the real/ideal/internal world. AdvInt generates the second OT message similar to Case 4 ((S∗ , R∗ ) case) of static proof. At the end of execution, AdvInt outputs a special symbol ⊥ on behalf of the corrupted parties and hands over the internal state to Sim who in turn forwards it to Z. Post Execution. There is no post execution corruption since both parties are corrupted and Z halts with an output computed from the internal state of AdvInt . Indistinguishability : Here we show that the ideal world view IDEALF ,Sim,Z (1κ , z) of Z is indistinguishable from the real world view REALF ,Adv,Z (1κ , z) of Z. We denote REAL F ,Adv,Z (1κ , z) as hybrid HYBR and show that in each simulation case HYBR is indistinguishable from the ideal world by relying on the static indistinguishability proof. Case 1(A). R is honest in the first round, S is honest in the second round, R∗ is corrupted after second OT message: Simulation of both OT messages follows along the same direction as Case 1 of static proof. When R∗ gets corrupted after second OT message Sim obtains σ and he can provide skσ as the secret key for branch σ. Equivocation is successful due to Property 4ii of DME, i.e. σ is statistically hidden in pk when the crs is generated in decryption mode. In case of post execution corruption, Sim successfully equivocates yσ , s.t. it unlocks aσ by programming FRO2 (sid||rσ ). Adv can query rσ to FRO2 only with negligible probability and hence equivocation is successful. This follows from Property 4iii of DME, i.e. indistinguishability of ciphertexts in the decryption mode. Case 1(B). R is honest in the first round, S is honest in the second round, R is honest after second OT message: In this case we can consider that the post execution corruption occurs in two phases - first R∗ gets corrupted and only after that S∗ gets corrupted. Then it becomes identical to the previous case (case 1(A) of adaptive proof) and indistinguishability follows from the previous argument. Case 2. R is honest in the first round, S∗ is corrupted in the second round: The first message is computed according to Case 1(i) of static proof, which is identical to 23 Case 2(i) of static proof. The rest of the simulation proceeds as Case 2 of static proof. Indistinguishability follows from the indistinguishability of HYBI.2 from HYBR in the static proof. In case of post execution corruption, equivocation of R’s view is possible since the crs is in decryption mode and Sim has secret keys for both branches. skσ can be provided as the secret key for branch σ. Indistinguishability follows from Property 4ii of DME. Case 3. R∗ is corrupted in the first round, S is honest in the second round: Indistinguishability follows from the indistinguishability of HYBI.3 from HYBR in the static proof. In case of post execution corruption equivocation can fail if during the simulation AdvInt unlocks rσ from sσ and queries it to FRO2 . However, this occurs with negligible probability due to Property 3 of DME, i.e. ciphertext indistinguishability in messy mode, and the random oracle assumption. Case 4. R∗ is corrupted in the first round, S∗ is corrupted in the second round: This is identical to case 4 (both (S∗ , R∗ ) are corrupted) in static proof. Hence, indistinguishability of simulation for this case follows from indistinguishability of HYBI.4 from HYBR in the static proof. 5.3 Concrete Instantiations and Optimized Protocol based on DDH We provide concrete instantiations of our protocol by instantiating the DME scheme under the DDH and LWE assumptions in Appendix C and D respectively. Furthermore, we can optimize our protocol, while considering the DDH-based instantiation of the DDH based on the DME. In Figure. 7 we present our optimized adaptive OT protocol πOT DDH DDH assumption. It differs from the original framework since protocol πOT does not send separate messages (s0 , s1 ) for encrypting the random pads. Rather, the random pads and the messages are encrypted in the same ciphertext (w0 , w1 ). This protocol incurs a computation cost of 11 exponentiations and 5 random oracle queries and it has an optimal round complexity of 2. It requires sending a κ bit string - c, two ℓ bit strings - (w0 , w1 ); and 4 group elements– (u0 , u1 ) and (g, h). Interestingly, it is the first round-optimal adaptively-secure OT protocol and it has an overhead of 5 random oracle queries and κ-bit string communication overhead over the static protocol of [PVW08]. The security of our protocol follows from the security of the OT framework and the DME instantiation presented in Appendix C. Hence we avoid presenting it and summarize it in Theorem. 3. Theorem 3. If the Decisional Diffie Hellman problem is hard in group G then protocol DDH πOT securely realizes the FOT functionality against adaptive active adversaries in (FRO1 , FRO2 )- hybrid model. 5.4 Static Version of our Protocol We can optimize our adaptive πOT protocol to obtain an efficient static OT protocol, ′ denoted as πOT . It is similar to the [PVW08] framework, except here we generate the crs 24 Fig. 7: Optimized Adaptively-Secure Oblivious Transfer Protocol from DDH DDH πOT – Functionalities: Random oracles FRO1 : {0, 1}2κ → 4G and FRO2 : {0, 1}κ × G → {0, 1}ℓ . – Private Inputs: S has ℓ-bit input messages (a0 , a1 ) and R has an input bit σ. Choose: – R samples c ←R {0, 1}κ . – R generates crs = (g0 , g1 , h0 , h1 ), s.t. (g0 , g1 , h0 , h1 ) ← FRO1 (sid||c). – R samples α ←R Zp and computes (g, h) = (gσα , hα σ ). – R sends {c, (g, h)} to S. Transfer: – S generates the crs = (g0 , g1 , h0 , h1 ), s.t. (g0 , g1 , h0 , h1 ) ← FRO1 (sid||c). – S samples r0 , r1 , s0 , s1 ←R Zp . – S computes u0 = g0r0 hs00 and u1 = g1r1 hs11 . – S sets w0 = FRO2 (sid||g r0 hs0 ) ⊕ a0 and w1 = FRO2 (sid||g r1 hs1 ) ⊕ a1 . – S sends {(u0 , w0 ), (u1 , w1 )} to R. Local Computation by R: – Computes aσ as aσ = wσ ⊕ FRO2 (sid||uα σ ). ′ from πOT by removing the random oracle invocation using a PRO. We can obtain πOT FRO2 . FRO2 is not required since static corruption does not demand equivocation, of sender’s message, by the Sim. The security of our protocol is summarized in Theorem 4 and the proof is similar to the static security proof of πOT . Theorem 4. If DME is a samplable dual mode encryption scheme then protocol πOT securely realizes the FOT functionality against static active adversaries in FRO1 - hybrid model. ′ Interestingly, πOT satisfies the property of receiver equivocality, which states that the view of the receiver can be equivocated if the receiver gets adaptively corrupted during/after the protocol execution. We analyze this property as two exhaustive subcases as follows : (1) R gets corrupted before the first OT message is sent (2) R gets corrupted after the first OT message is sent. For the first case, the simulator has not sent any message on behalf of R and hence equivocation is not required. In this case the crs is set to messy mode. For the second case, the simulator sets the crs in the decryption mode which enables him to equivocate R’s view on obtaining σ, after R gets corrupted. 6 Adaptively Secure 1-out-of-N Oblivious Transfer. The work of [NP05] implements FN-OT , against static adversaries in the FOT -hybrid model by relying on pseudorandom functions. S has N strings (a1 , a2 , . . . , aN ) as input and R has a log N bit input choice string σ. S samples 2 log N random pads pi0 , pi1 ← {0, 1}κ for i ∈ [log N]. The two parties invoke log N copies of FOT with S’s input as (pi0 , pi1 ) and R’s input as σi respectively. The ith invocation of FOT outputs piσi to R, i.e 25 the pad corresponding to his σi choice bit. Finally, S encrypts aj as wj using the pads corresponding to the bit representation of j, j ∈ [N]. The message aj is encrypted as follows : wj = aj ⊕ log MN PRFpic (j), i=1 where c = ji , i.e. the ith bit of string j. R obtains (w0 , w1 , . . . , wN ) and decrypts wσ for which he possesses all the log N pads. For other w values, R lacks at least one random pad and security follows by applying PRF on that secret random pad. The transformation communicates N ciphertexts, and requires log N invocations of FOT and N log N evaluations of a PRF. It guarantees security against a statically corrupted active adversary. We show in Fig. 8 that the same transformation can be made adaptively-secure (by protocol πN-OT ) by implementing the underlying FOT functionality in an adaptive secure manner. In addition, we replace PRF with a programmable random oracle FRO and modify the formation of wj as follows, where ji denotes the ith bit of j. N wj = aj ⊕ FRO (sid||j, p1j1 ||p2j2 || . . . ||plog jlog N ) = aj ⊕ FRO (sid||j, vj ), N where vj = (p1j1 ||p2j2 || . . . ||plog jlog N ). This reduces the N log N PRF evaluations to N random oracle queries. Later, in this section we further demonstrate that the underlying FOT need not be full adaptively secure. Static OTs with security against adaptive receivers, i.e. receiver equivocal OTs, suffice for the transformation. Hence, we obtain adaptively-secure 1-out-of-N from log N 1-out-of-2 receiver equivocal OTs. 6.1 Security The security of the protocol is proven by constructing a simulator Sim for πN-OT . We first present the static proof and then discuss the adaptive proof. For a statically corrupted S∗ , Sim can extract the pads by invoking the simulator for FOT . Sim forms {vj }j∈[N] and decrypts {wj }j∈[N] to unlock all the input messages of S∗ , i.e. {aj }j∈[N] , and completes the simulation by invoking FN-OT with the input messages. Indistinguishability follows from the FOT hybrid model. For a statically corrupted R∗ , Sim can extract the choice bit σi by invoking the simulator for ith copy of FOT . Sim reconstructs σ and invokes FN-OT with σ to obtain aσ . Sim concludes the simulation by setting wσ correctly while {wj }j∈[N]/σ are set as random strings. R∗ obtains all the random pads (corresponding to σ) from log N invocations of FOT and constructs vσ to unlock aσ . The other {aj }j∈[N]/σ values remain hidden since R∗ lacks at least one random pad for {vj }j∈[N]/σ , and hence FRO (j, vj ) will be indistinguishable from a random string, except with negligible probability, due to the random oracle assumption. In order to prove adaptivity, we need the property of equivocation. The simulated messages have to be equivocated appropriately so that they are indistinguishable from the real world messages of honest parties. Sim can equivocate the simulated message (consisting of only FOT messages) of R by invoking the adaptive simulator for FOT . The simulated message of S consists of the FOT messages and the simulated ciphertexts. 26 The FOT messages can be trivially equivocated by invoking the adaptive simulator for FOT . The simulated ciphertexts can be equivocated by programming FRO (sid||j, vj ) = wj ⊕aj , for j ∈ [N]/σ. Adversary can query FRO (sid||j, vj ) with negligible probability since he lacks atleast one pad in vj and hence simulator can program FRO (sid||j, vj ) successfully to equivocate correctly. The proof of indistinguishability is similar to the one for statically corrupted R∗ . Fig. 8: Adaptively-Secure 1-out-of-N Oblivious Transfer Protocol πN-OT – Functionalities: Random oracle FRO : {0, 1}κ+log N(1+κ) → {0, 1}n . FOT denotes a 1-out-of-2 OT functionality. – Private Inputs: S has input messages {aj }Nj=1 and R has an input choice string σ, where |σ| = log N. Choose: – R invokes FOT functionality log N times. He invokes the ith copy of FOT with input (rec, i, σi ) for i ∈ [log N]. Transfer: – S samples 2 log N random pads (pi0 , pi1 ), where pi0 , pi1 ∈ {0, 1}κ . – S invokes the ith copy of FOT with input (sen, i, (pi0 , pi1 )). N – S encrypts his input messages as wj = aj ⊕ FRO (sid||j, p1j1 ||p2j2 || . . . ||plog jlog N ), for j ∈ [N]. Local Computation by R: N – Computes aσ as aσ = wσ ⊕ FRO (sid||σ, p1σ1 ||p2σ2 || . . . ||plog σlog N ) . 6.2 Efficiency Our protocol invokes FOT functionality log N times and queries FRO for N times. It incurs communication of log N copies of FOT and N ciphertexts of size n bits. 6.3 Instantiating FOT using Static Receiver Equivocal OT We observe that our transformation continues to be adaptively-secure, despite replacing the adaptively-secure 1-out-of-2 OTs in the above result with statically-secure OTs, that support equivocation of receiver’s view irrespective of equivocation of sender’s view. When S∗ or R∗ is corrupted, inputs are extracted by invoking the simulator for the actively-secure static OT protocol. For adaptive security, we need equivocation of S’s and R’s views if corruption occurs during the course of execution or at the end of protocol. In the transformation, S’s view consists of the OT messages and ciphertexts, i.e. {wj }j∈[N] . A simulator, playing the role of S can trivially simulate the OT messages by running the honest S algorithm with random pads, which are independent of S’s inputs. The ciphertexts are equivocated by programming FRO (sid||j, vj ) (see Section 6.1). On the other hand, R’s view consists only of the OT messages which can be 27 ′ trivially equivocated by relying on the receiver equivocal property of the OT. Our πOT protocol (Section 5.4) is a statically-secure protocol satisfying receiver equivocal property; hence we can plug in our protocol to obtain adaptively-secure 1-out-of-N OTs. The security of πN-OT is summarized in Theorem 5. Theorem 5. If FRO is a programmable random oracle and FOT is a static actively secure OT functionality satisfying receiver equivocation, then πN-OT UC-securely realizes the FN-OT functionality in the FOT hybrid model against adaptive (without erasures) active adversaries. 7 Adaptively Secure Oblivious Transfer Extension In this section we present our semi-honest and actively secure OT Extension protocols which are secure against adaptive adversaries, without assuming erasures. 7.1 Adaptively Secure OT Extension against Semi-Honest Adversaries We prove that the semi-honest OT Extension protocol of [ALSZ13] (denoted as ALSZ13 hereby) can be made adaptively secure using PRO. We initiate our proof by  briefly recalling the protocol of ALSZ13. In ALSZ13, S has m pairs of messages - xj,0 , xj,1 for j ∈ [m], and R has m selection bits, denoted as vector r = (r1 , · · · , rm ). R samples two random strings (k0i , k1i ) and S samples a random string s, i ∈ [κ]. R and S performs the seed OT phase by invoking FOT on inputs (k0i , k1i ) and si as sender and receiver respectively. S obtains ksi i from FOT . R computes matrices B and E s.t. Bi = G(k0i ) and Ei = r, where G is a PRG. R sends a correction matrix D to S, s.t. si Di = Bi ⊕ G(ki1 ) ⊕ Ei . S forms the matrix  Q using G(ki ), s and D. The jth row of Q is used to encrypt the jth message pair xj,0 , xj,1 j∈[m] using pads H(j, Qj ) and H(j, Qj ⊕ s) respectively, where H is a correlation robust function [IKNP03]. S sends the ciphertexts to R, who decrypts and obtains xj,rj using H(j, Bj ). The ALSZ13 is similar to the protocol presented in Fig. 9, except FRO1 and FRO2 will be replaced by G and H. Security against a statically corrupt S∗ follows from the sender privacy of FOT , which ensures that one of R’s input (acting as sender in FOT ) to FOT remains hidden from S. On the other hand, a statically corrupt R can break honest sender privacy if he obtains both xj,0 and xj,1 for some j. However, this happens with negligible probability since R has to either guess the value of s or obtain a collision in the random oracle query, s.t. H(j, Bj ) = H(j, Bj ⊕ s). We refer to [ALSZ13] for the full proof. While considering adaptive security, the messages of S and R require equivocation. These messages can be classified into three exhaustive cases. Below, we give a high level overview for equivocating each case : – FOT messages: It can be observed that S and R invoke FOT on random inputs - si and (k0i , k1i ) respectively, independent of their actual inputs. This can be leveraged to reduce the assumption on FOT . More specifically, FOT can be secure only against static adversaries, since the simulator can simulate the view of an honest sender (resp. receiver) by running the honest sender (resp. receiver) algorithm on random inputs. When sender (resp. receiver) gets corrupted, the simulator can produce the 28 Fig. 9: Adaptive OT Extension Protocol secure against passive adversaries

p κ 2 Protocol πALSZ for obtaining 21 -OTm ℓ from 1 -OTm  – Input of S: m pairs xj,0 , xj,1 j∈[m] of ℓ bit strings. – Input of R: m selection bit vector r = (r1 , · · · , rm ) such that each rj ∈ {0, 1}. – Functionalities: Random Oracles FRO1 : {0, 1}2κ → {0, 1}m and FRO2 : {0, 1}κ × [m] × {0, 1}κ → {0, 1}ℓ respectively. FOT denotes a 1-out-of-2 OT functionality. – Notations: In the protocol j ∈ [m] and i ∈ [κ], unless specified otherwise. Seed OT Phase: 1. 2. 3. 4. S chooses s ← {0, 1}κ at random. 1 S computes the first message of πOT as πOT (s). R chooses κ pairs of seeds (k0i , k1i ) each of length κ. S and R invokes the FOT functionality for κ times with inputs (rec, sid, si ) and (rec, sid, (k0i , k0i )) respectively. S receives {ksi i } as output. OT Extension Phase : 1. R forms three m × κ matrices B, E and C in the following way and sends D to S: – Set Bi = FRO1 (sid||k0i ). – Set Ej = (rj || . . . ||rj ). Clearly, Ei = r. – Set Di = Bi ⊕ FRO1 (k1i ) ⊕ Ei . 2. On receiving × κ matrix Q with the jth column of
Q set as Qi =
D, S forms sm i i i i i si ⊙ D ⊕ FRO1
(sid||ki ). Clearly,
(i) Q = B ⊕ (si ⊙ E ) and (ii) Qj = Bj ⊕ (s ⊙ Ej ) = Bj ⊕ (s ⊙ rj ) . 3. For every j ∈ [m], S computes yj,0 = xj,0 ⊕ FRO2 (sid||j, Qj ) and yj,1 = xj,1 ⊕ FRO2 (sid||j, Qj ⊕ s). S sends {yj,0 , yj,1 }j∈[m] to R. 4. For every j ∈ [m], R recovers zj = yj,rj ⊕ FRO2 (sid||j, Bj ). R outputs {zj }j∈[m] . view, generated using random inputs, which is indistinguishable from the honest sender’s (resp. receiver’s) view. – R’s messages : It consists of matrix D which depends on R’s input r. When R gets corrupted, the simulator has to equivocate R’s message, i.e. matrix D, based on R’s input. This is ensured by replacing G with a PRO FRO1 . – S’s messages: It consists of messages - (yj,0 , yj,1 ), which are dependent on S’s inputs (xj,0 , xj,1 ). When S gets corrupted, the simulator has to equivocate S’s message based on S’s inputs. This is ensured by replacing H with a PRO FRO2 . The explanation for the last two subcases will be clear from the next few paragraphs, where we elaborately discuss the equivocation cases. We consider equivocation of S and p R in two separate cases. Our passively secure adaptive OT extension protocol πALSZ is presented in Fig. 9 and the security proof has been summarized in Theorem 6. p Theorem 6. The protocol πALSZ UC-securely realizes the Oblivious Transfer Extension functionality in the (FOT , FRO1 , FRO2 ) hybrid model against adaptive (without erasures) passive adversaries. – Equivocation of S’s view: When S is honest,Sim plays the role of S in the internal world. The view of S consists of his input xj,0 , xj,1 , random vector s, matrix 29 Q and the ciphertexts (yj,0 , yj,1 ). The s vector and Q matrix is independent of S’s inputs and can be simulated correctly without equivocation. The ciphertexts are simulated by relying on the programmability property of FRO2 . We first consider the case where both parties are honest. The formal simulation for S is presented as follows. Sim invokes the FOT simulator with random input si to simulate the ith seed-OT. Sim generates Q following honest sender algorithm. In the OT Extension phase, Sim sends random values for yj,b , where b ∈ {0, 1}. In case of post execution corruption of S, Sim obtains the inputs of S. Sim provides s and Q as part of the view, and this is indistinguishable from the real world view. In addition, Sim opens yj,b to xj,b by programming FRO2 as follows: FRO2 (j, Qj ) = yj,0 ⊕ xj,0 , FRO2 (j, Qj ⊕ s) = yj,1 ⊕ xj,1 . Equivocation is is successful due to the randomness of s and random oracle assumption. An adversary AdvInt can prevent Sim from programming FRO2 if he queries Qj or Qj ⊕ s to FRO2 . This happens with negligible probability as Q and s are randomly chosen. This proves that real and ideal world are indistinguishable. Now, we consider the case where AdvInt corrupts R∗ . Sim obtains the choice vector r. Sim invokes the OT Extension functionality with r and obtains {xj,rj }j∈[m] . Sim computes yj,rj honestly like an honest sender, s.t. yj,rj opens to xj,rj . In case of post execution corruption, Sim obtains (xj,0 , xj,1 ) and he programs FRO2 (j, Qj ⊕ (s ⊙ rj )), s.t. yj,rj opens to xj,rj . To prevent equivocation AdvInt has to guess the value of s and query Qj ⊕ (s ⊙ rj ) = Bj ⊕ s to FRO2 which happens with negligible probability, proving indistinguishability of the two worlds. – Equivocation of R’s view: When R is honest, Sim plays the role of R in the internal world. The view of R consists of his inputs, the seeds (k0i , k1i ) and the matrices, B, E and D. The seeds and B matrix can be simulated without any equivocation since they are independent of R’s input. The other two matrices are simulated by programming FRO1 , since they depend on R’s input. We first consider the case where both parties are uncorrupted. The formal simulation is presented as follows. Sim randomly generates (k0i , k1i ) and simulates ith FOT by invoking FOT with inputs (k0i , k1i ) like an honest R. Sim sets D matrix randomly and the B and E matrices are constructed later as they are not required for the simulation. Sim sends D to S and ends simulation as both parties are honest. The adversary AdvInt (without corrupting S) observes R’s message, which consists only of D matrix. Based on that, he cannot distinguish between real and ideal world since in ideal world D is a random matrix, whereas in real world, it is padded with FRO1 (sid, k0i ) and FRO1 (sid, k1i ), where k0i and k1i remains hidden from AdvInt . Thus, indistinguishability follows from the random oracle assumption. In case of post execution corruption of R, Sim obtains r and he programs FRO (sid||k0i ) and FRO (sid||k1i ) s.t. the following holds true: FRO1 (k0i ) ⊕ FRO1 (k1i ) = Di ⊕ r. (1) The B matrix is constructed after FRO1 has been programmed according to Eq. 1. Equivocation is successful since AdvInt does not obtain k0i and k1i from FOT and 30 he has to guess it, which occurs with negligible probability, in order to prevent equivocation. If AdvInt corrupts S∗ , then Sim obtains s from FOT simulator (since S∗ is the OT receiver) and he sets FRO1 (ksi i ) randomly concluding the simulation. In case of post execution corruption of R∗ , Sim obtains r and constructs E matrix s.t. Ei = r. Sim equivocates D matrix by programming FRO1 (ksi i ) as follows: FRO1 (ksi i ) = FRO1 (ksi i ) ⊕ Di ⊕ r. (2) The B matrix is constructed after FRO1 has been programmed according to Eq. 2. Equivocation is successful since AdvInt does not obtain ksi i from FOT and he has to guess it, in order to prevent equivocation. However, it occurs with negligible probability and hence the two worlds are indistinguishable. 7.2 Adaptively Secure OT Extension against Active Adversaries The ALSZ13 protocol is actively secure against S∗ and passively secure against R∗ , assuming seed OTs to be actively secure. An active R∗ can send a bad D matrix such that Q is malformed and it leaks the s vector. We refer to [ALSZ15] (denoted as ALSZ henceforth) for the exact attack. To address this attack, the ALSZ15 protocol introduces column wise consistency check for every pair of columns. Moreover, for active security we require that the simulator Sim can extract a corrupted party’s input in the protocols from S∗ and (k0i , k1i ) from R∗ , even when the parties are adaptively corrupted. For adaptive security, the simulator also has to simulate the consistency checks when Sim plays the role of R in the ideal world, in addition to the usual equivocation of views of honest parties. In order to extract corrupted parties’ inputs and simulate the consistency checks properly, we observe that the FOT messages are random in the OT extension protocol of ALSZ13 and ALSZ15. Hence, we can modify the protocol s.t. the parties invoke FROT (Fig. 11) instead of FOT . FROT is an OT functionality where R has an input whereas S does not have any input. The functionality returns random messages to S and one of the random messages to R based on his input. Formally stating, FROT takes choice bit σ as input from receiver of FROT , i.e. ROT , and generates two random pads (a0 , a1 ) for sender of FROT , i.e. SOT . It sends aσ to ROT and (a0 , a1 ) to SOT . On a high level, when FROT is invoked in our OT Extension protocol the input of S (playing as ROT ) to the FROT can be extracted by invoking the static simulator for FROT . The seeds for R (playing the role of SOT ) are obtained from FROT . For equivocation of R’s view, Sim runs the honest SOT algorithm to obtain random seeds. The consistency checks are simulated by programming FRO1 and FRO2 . For equivocation of S’s view, Sim invokes the FROT simulator for ROT with a random s vector. Indistinguishability follows since the value of s, sampled by honest S, is random in real world as well. The ciphertexts (yj,0 , yj,1 ) are equivocated by programming FRO3 . Invoking FROT has a significant advantage - FROT can be adaptively implemented by a static receiver equivocal OT (Sec. 5.4), since S does not have any message, whereas implementing FOT in an adaptive way is expensive. a Now we formally describe our protocol πALSZ , which has been presented in Fig. 10. Our protocol is same as ALSZ15, except here the PRG, hash and correlation robust 31 function invocations of ALSZ15 are replaced by PRO invocations. Our protocol has a p seed OT phase similar to the πALSZ protocol. The OT extension phase is divided into two parts, based on R’s and S’s role. R’s role consist of phase I of OT extension, followed by the consistency checks and finally phase II of OT extension consists of S’s role in the OT extension. Similar to ALSZ15, our protocol also contains column wise consistency check for every pair of columns. It has been recently identified by [ALSZ15] team that the checks leak κ2 bits of randomness, on R’s end. In order to counter that, they add κ2 bits of randomness by adding κ columns and κ rows, as dummy choice bits τ . As a result the new choice bit string is r′ = r||τ . The checks ensure that the same r′ has been used in all the columns of D, i.e. Ei = r′ for all i ∈ [k], where k = 2κ. Our static proof of security follows from the security proof of [ALSZ15] and we refer to their paper for the static proof against an active adversary. Adaptive security for our protocol can be proved against active adversaries in the PROM model, provided the underlying seed OTs are adaptive actively secure implementation of FROT (Fig. 11) functionality. a Security of πALSZ has been summarized in Theorem 7. a Theorem 7. If FRO1 , FRO2 and FRO3 are programmable random oracles then πALSZ UC-securely realizes the Oblivious Transfer Extension functionality in the FROT hybrid model against adaptive (without erasures) active adversaries. For proving adaptive security, the views of S and R require equivocation. Equivocation of S’s view follows from the equivocation of S’s view in ALSZ13 protocol. Equivocation of R’s view is similar to that of ALSZ13 but in addition it requires simulating the consistency checks correctly. – Equivocation of S’s view: Sim simulates the seed-OT by invoking the FROT func tionality with a random s to obtain ksi i , for i ∈ [k]. If both parties are honest then the simulation proceeds similar to the simulation for “Equivocation of S’s view” (passive case) in Sec. 7.1. The consistency checks can be trivially simulated since S’s role is limited to verification of the checks. If AdvInt corrupts R∗ then Sim extracts the choice vector r′ . More specifically, Sim extracts R∗ ’s input, (k0i , k1i ), by invoking the FROT simulator and computes r′ = Ei = r||τ from Di using the seeds. Sim invokes the OT Extension functionality with r and obtains {xj,rj }j∈[m+κ] . Sim programs FRO3 (sid||j, Qj ⊕ (s ⊙ rj )) s.t. yj,rj opens to xj,rj . In case of post execution corruption, Sim obtains (xj,0 , xj,1 ) and he programs FRO3 (sid||j, Qj ⊕ (s ⊙ rj )), s.t. yj,rj opens to xj,rj . To prevent equivocation AdvInt has to guess the value of s and query Qj ⊕ (s ⊙ rj ) = Bj ⊕ s to FRO3 which happens with negligible probability. – Equivocation of R’s view: The view of R consists of his inputs, the seeds (k0i , k1i ) and the matrices, B, E and D. When R is honest, Sim plays the role of R in the internal world where Sim obtains (k0i , k1i ) from FROT . If both parties are honest then simulation proceeds similar to the simulation for “Equivocation of R’s view” (passive case) in Sec. 7.1. The consistency checks are simulated by setting ha,b α,β values randomly, for all a, b ∈ {0, 1} and all pairs α, β ⊆ [k 2 ]. In case of post execution corruption, Sim obtains r, and then based on the equivocated B, E and D matrices, Sim can equivocate the ha,b α,β values correctly by programming FRO2 . 32 Fig. 10: Adaptive OT Extension Protocol secure against active adversaries

κ 2 a Protocol πALSZ for obtaining 21 -OTm ℓ from 1 -OTm  – Input of S: m pairs xj,0 , xj,1 j∈[m] of ℓ bit strings. – Input of R: m selection bit vector r = (r1 , · · · , rm ) such that each rj ∈ {0, 1}. – Security Parameter: k = 2κ. – Functionalities: FRO1 : {0, 1}2κ → {0, 1}m+κ , FRO2 : {0, 1}m+κ → {0, 1}κ and FRO3 : {0, 1}κ × [m] × {0, 1}k → {0, 1}ℓ respectively. FOT denotes OT functionality. – Notations: In the protocol j ∈ [m + κ] and i ∈ [k], unless specified otherwise. Seed OT Phase: 1. S samples s ∈ {0, 1}k and invokes FROT with message (rec, sid, (κ, si )) for k times to obtain ksi i seeds.  2. R invokes FROT with message (sen, sid, (transfer, κ)) for k times to obtain (k0i , k1i ) seeds. OT Extension Phase I: 1. R forms three (m + κ) × k matrices B, E and C in the following way and sends D to S: – Sets Bi = FRO1 (sid||k0i ). – Samples τ ← {0, 1}κ and sets r′ = r||τ . – Sets Ej = (rj′ || . . . ||rj′ ). Clearly, Ei = r′ . – Set Di = Bi ⊕ FRO1 (sid||k1i ) ⊕ Ei . 2. On receiving D,
S forms (m + κ) × k matrix Q with the jth column
of Q set as i i i Qi = si ⊙ Di
⊕ FRO1 (ksi i ). Clearly,
(i) Q = B ⊕ (si ⊙ E ) and (ii) Qj = Bj ⊕ (s ⊙ Ej ) = Bj ⊕ (s ⊙ rj ) . Check Phase: 1. For every pair α, β ⊆ [k2 ] and a, b ∈ {0, 1}, R defines the following four values: a b ha,b α,β = FRO2 (sid||FRO1 (sid||kα ) ⊕ FRO1 (sid||kβ )) R sends each ha,b α,β to S. s 2. For every pair α, β ⊆ [k2 ], S knows sα , sβ , ksαα , kββ , Dα and Dβ . S checks that: sα ,sβ s sα (a) hα,β = FRO2 (sid||FRO1 (sid||kα ) ⊕ FRO1 (sid||kββ )). s ,sβ α (b) hα,β s = FRO2 (sid||FRO1 (sid||ksαα ) ⊕ FRO1 (sid||kββ ) ⊕ Dα ⊕ Dβ ) = s FRO1 (sid||kββ ) ⊕ rα ⊕ rβ ), where rα , rβ denotes r FRO2 (sid||FRO1 (sid||ksαα ) ⊕ α β used in D , D respectively. (c) Dα 6= Dβ . In case one of these checks fails, S aborts and outputs ⊥. OT Extension Phase II: 1. For every j ∈ [m], S computes yj,0 = xj,0 ⊕ FRO3 (sid||j, Qj ) and yj,1 = xj,1 ⊕ FRO3 (sid||j, Qj ⊕ s). S sends {yj,0 , yj,1 }j∈[m] to R. 2. For every j ∈ [m], R recovers zj = yj,rj ⊕ FRO3 (sid||j, Bj ). R outputs {zj }j∈[m] . 33 Fig. 11: The ideal functionality FROT for Random Oblivious Transfer FROT Initiate: On input (rec, sid, (ℓ, σ)) from R; if no message of the form (sid, (ℓ, σ)) is present in memory, store (sid, (ℓ, σ)). Send (rec, sid) to S. Transfer: On input (sen, sid, (transfer, ℓ)) from S, if no message of the form (sid, (ℓ, σ)) is present in memory, then abort. Else sample a0 , a1 ←R {0, 1}ℓ . Send (sent, sid, aσ ) to R and (sent, sid, (a0 , a1 )) to S. Corruption: If Adv corrupts S∗ then receive (a0 , a1 ) from Adv and continue execution as above using these values. If Adv corrupts R∗ the usual execution continues. AdvInt lacks k0i and k1i , hence he cannot query the required argument to FRO2 s.t. it would prevent equivocation of ha,b α,β . Thus, the consistency checks can be correctly simulated. If AdvInt corrupts S∗ then Sim extracts s vector from FROT simulator. S computes FRO1 (sid||ksi i ) and simulates the B, E and D matrices according to the simulation strategy in Section 7.1. For simulating the consistency checks the 2 ha,b α,β values are randomly set, for all a, b ∈ {0, 1}. For every pair α, β ⊆ [k ], Sim programs FRO2 as follows : s s ,s α β , FRO2 (sid||FRO1 (sid||ksαα ) ⊕ FRO1 (sid||kββ )) = hα,β s s ,s α β . FRO2 (sid||FRO1 (sid||ksαα ) ⊕ FRO1 (sid||kββ ) ⊕ Dα ⊕ Dβ ) = hα,β (3) If FRO2 is queried on other values by the adversary AdvInt then Sim answers it with a random value. When R∗ gets corrupted, Sim programs FRO1 (sid||ksi i ) according to Eq. 1. Furthermore, he programs FRO2 as follows: s s ,s s s ,s α β FRO2 (sid||FRO1 (sid||ksαα ) ⊕ FRO1 (sid||kββ )) = hα,β α β FRO2 (sid||FRO1 (sid||ksαα ) ⊕ FRO1 (sid||kββ )) = hα,β (4) s AdvInt corrupting S∗ does not obtain ksαα and kββ except with negligible probability as we are in the FROT hybrid model. It allows Sim to correctly program FRO2 s involving ksαα and kββ , according to Eq. 4, permitting equivocation of R’s view and completing the simulation for the consistency checks. Optimized OT Extension: Our 3 round OT extension protocol requires consistency check for each pair of columns, incurring an overhead of O(κ2 ) checks. It can be optimized to O(κ) checks by following the 5 round protocol of [ALSZ15]. In the optimized protocol, the parties perform a 3 round coin-tossing subprotocol, after “OT Extension Phase I”, where the first round of the subprotocol can be run in parallel with the last round of “OT Extension Phase I”. The subprotocol returns a set of O(κ) pairs of column indices. R performs consistency check on those O(κ) pairs of columns and sends the ha,b α,β to S in parallel with the last round of the coin-tossing protocol. S verifies the outcome of the coin-tossing protocol and the consistency checks. After successful 34 verification, S executes “OT Extension Phase II”. The work of [ALSZ15] proved static security for this protocol. Adaptive security follows immediately if we perform the consistency checks using PRO (FRO1 and FRO2 ), similar to the 3 round protocol. S will s lack ksαα and kββ and Sim can equivocate R’s view according to Eq. 3. For empirical results, we implement the 5 round protocol and compare it with the state-of-the-art OT extension protocols. 7.3 Efficiency and Implications p a Our protocols πALSZ and πALSZ requires one extra round, compared to the seed OTs, and it matches with the round complexity of the state-of-the-art static OT extension protocols [ALSZ13, KOS15, PSS17]. They also preserve the efficiency of the semihonest and actively secure protocols of [ALSZ13] and [ALSZ15] respectively. In concrete terms, the amortized cost for generating m copies of both semi-honest and active adaptively secure 1-out-of-2 OTs is 3κ bits communication and 3 symmetric key operations per OT. The other costs - seed OTs, PRG expansion and consistency checks, are independent of m. We present a few implications resulting from our OT Extension protocols: – Our semi-honest OT Extension protocol requires static semi-honest OT protocol for the seed-OTs in a non-blackbox fashion, where we explicitly modified the simulation strategy for the static semi-honest OT. Thus, static semi-honest OT implies adaptive semi-honest OT Extension under the PROM assumption in a non-blackbox manner. Our theorem is summarized in Thm. 8. [LZ11] states that adaptive semihonest oblivious transfer cannot be constructed from static semi-honest oblivious transfer in a black-box manner and we demonstrate that its possible in a nonblackbox way. – If the random OT is instantiated using our receiver equivocal static OT protocol then our actively secure OT Extension protocols requires 3 and 5 rounds, thereby efficiently generating large number of OTs at an amortized cost of 3κ bits communication and 3 symmetric key operations per OT. However, the state-of-the-art adaptively secure 1-out-of-2 OT protocols [BCG17] that have a round complexity of 3 rounds, assume erasures, incur 27 exponentiations and communication of 10 κ bits. Thus, we drastically reduce the cost of generating adaptive OTs. – We can efficiently generate m log N copies of 1-out-of-2 OTs using our OT Extension protocol (following the previous approach) and then apply our adaptive transformation (Sec. 6) to obtain m copies of 1-out-of-N OTs. The amortized cost for each 1-out-of-N OT is N + 3 log N + 1 symmetric key operations. Whereas the state-of-the-art adaptively secure 1-out-of-N OT protocols [BCG17, BDD+ 17] require atleast O(N) exponentiations. We have implemented our adaptively-secure variant of [ALSZ15] and presented the results in Sec. 9. For implementation we have considered the optimized variant where O(κ) are performed. 35 Theorem 8. If there exists an Oblivious Transfer protocol that is secure in the presence of static semi-honest adversaries, then there exists an Oblivious Transfer Extension protocol from κ to poly(κ) that is secure in the presence of adaptive semi-honest adversaries, in a non-blackbox way, under the programmable random oracle assumption. 8 Non-Interactive UC-Secure Commitment Scheme In this section we present our adaptively-secure NICOM scheme C OM, implemented by protocol πCOM . The protocol πCOM (described in Fig. 12) is universally composable and securely realizes the functionality FCOM (described in Fig. 3) in the crs model under ORO assumption and Discrete Log (over a group G) assumption. Later in this section, we demonstrate a protocol πCRS to generate an instance of the Discrete Log problem, as the crs, in 4 rounds. Once the crs is generated, it can be used for subsequent instances of C OM. Our crs generation algorithm is independent of the parties’ inputs and hence it is adaptively-secure, rendering the whole protocol adaptively-secure under the ORO assumption. Our protocol is also secure in the Global Random Oracle model [CJS14] since we generate the local crs within the protocol, using πCRS . 8.1 Protocol Overview We build upon the commitment scheme of Pedersen [Ped91], that relies on hardness of Discrete Log problem. The Pedersen commitment inherently supports equivocation as the message is statistically hidden in their case. However, for UC security the simulator, acting on behalf of R, has to extract the message, of a corrupted S∗ , from the commitment. Our first approach was to apply an observable RO, i.e. FRO1 : {0, 1}poly(κ) → Zp , on the message being committed, i.e. FRO1 (sid||m), and then commit the response of the ORO query in the Pedersen commitment. This would allow the simulator to observe the queries and obtain candidate message values. However, the simulator cannot uniquely identify the message committed. It is necessary to extract the randomness, say r1 , used in the commit phase so that the simulator can match the (message, randomness) with the commitment value. We achieve this by enforcing S to bind to r1 using a second ORO, i.e. FRO2 : {0, 1}κ × Zp → {0, 1}κ . S commits to r1 by means of the query FRO2 (sid||r1 ). The hardness of the Discrete Log Problem ensures that a corrupted S∗ is unable construct more than one such (message, randomness) pair that matches the Pedersen commitment. However, the above technique demands binding to r1 using RO which in turn prevents equivocation by simulator, acting on behalf of S. In order to restore the equivocal property, S is required to pad FRO2 (sid||r1 ) with fresh randomness r2 . This allows the simulator to equivocate the commitments by equivocating the first part of the commitment c1 (Pedersen commitment on the message) separately, fixing r1 to a new value. Now, the second part of the commitment c2 can be equivocated by using r1 and setting r2 accordingly. 36 Fig. 12: Non-Interactive UC-Secure Commitment Scheme C OM πCOM – Public Inputs: The generator of group G is g. crs: (g, h) s.t. g = g and h = g x . – Functionalities: Random Oracles FRO1 : {0, 1}poly(κ) → Zp and FRO2 : Zp → {0, 1}κ denote two random oracles. – Private Inputs: S has input message m and R does not have any input. Commit Phase: On receiving input (C OMMIT, sid, m) S performs the following: – Computes a = FRO1 (sid||m). – Samples r1 , r2 ←R Zp and forms C OM(m; r1 , r2 ) = (g a hr1 mod p, FRO2 (sid||r1 ) ⊕ r2 ) = (c1 , c2 ). – Sends C OM(m; r1 , r2 ) to R as commitment to m. Decommitment Phase: On receiving input (D ECOMMIT, sid), S sends (m, r1 , r2 ) to R. R performs canonical verification of C OM using (m, r1 , r2 ) and outputs ACCEPT if verification succeeds, else outputs REJECT. 8.2 Static Security We show that our non-interactive commitment scheme C OM is secure against static active adversaries and securely realizes the functionality FCOM in the UC model by proving theorem 9. Theorem 9. If FRO1 and FRO2 are observable random oracles and solving the Discrete Log Problem is hard in multiplicative group G, then πCOM UC-securely realizes the FCOM functionality in the crs model against static active adversaries. Proof. Our proof is in the crs model where it is assumed that Sim knows the trapdoor x s.t. h = g x for the crs − (g; h). The proof proceeds in two cases - first, where Adv corrupts R∗ and second, where the Adv corrupts S∗ . R∗ is corrupted: Adv corrupts R∗ in the real world, Sim corrupts R∗ in the ideal world and AdvInt corrupts R∗ in the internal execution. During the commit phase, Sim commits to a random message m′ using (r1′ , r2′ ) as randomness, thereby computing C OM, similar to an honest sender and sends C OM(m′ ; r1′ , r2′ ) to AdvInt . Sim further invokes FCOM on behalf of R∗ to obtain the message (R ECEIPT, sid, S, R). In the decommit phase, Sim invokes FCOM to obtain the message (D ECOMMIT, sid, m). On obtaining the committed message m, Sim provides randomness (r1 , r2 ) s.t. C OM decommits to m. The randomness (r1 , r2 ) is computed by Sim as follows: – Let a = FRO1 (sid||m) and a′ = FRO1 (sid||m′ ). – The trapdoor x is known to Sim. Sim generates (r1 , r2 ) s.t the values of (c1 , c2 ) remain unchanged while the commitment is being equivocated. Sim does so by 37 solving equations 5 and 6: ′ ′ g a hr1 mod p = g a hr1 mod p ′ ′ =⇒ g a+r1 x mod p = g a +r1 x mod p =⇒ a + r1 x = a′ + r1′ x =⇒ r1 = (a′ − a + r1′ x)x−1 (5) FRO2 (sid||r1 ) ⊕ r2 = FRO2 (sid||r1′ ) ⊕ r2′ =⇒ r2 = FRO2 (sid||r1′ ) ⊕ r2′ ⊕ FRO2 (sid||r1 ) (6) Sim provides (m, r1 , r2 ), as opening to the commitment C OM, to AdvInt . At the end of the protocol, AdvInt sends its view to Sim. Sim forwards the view to Z who halts with an output. Indistinguishbaility : We show that the real world view of Z is indistinguishable from the ideal world view by showing that the following two hybrids are statistically indistinguishable. – HYBR : Real world execution of the protocol. – HYBI : Same as HYBR , except that, Sim commits to a random message m′ using (r1′ , r2′ ) as randomness and opens to m in the decommit phase using different randomness (r1 , r2 ). HYBI corresponds to the ideal world view of Z. It follow from Eq. 5 and 6 that the committed message remains statistically hidden in C OM. Hence, ∀m, m′ , r1′ , r2′ , Sim can always find a consistent pair of randomness (r1 , r2 ) s.t the commitment opens to m, provided Sim knows the trapdoor value x. This proves statistical indistinguishability of the two worlds. S∗ is corrupted: Adv corrupts S∗ in the real world, Sim corrupts S∗ in the ideal world and AdvInt corrupts S∗ in the internal execution. Sim emulates the role of an honest R against AdvInt in the internal execution. Sim plays the role of S∗ in FCOM . During the commit phase, Sim obtains the commitment C OM(m) from AdvInt in the internal execution. He observes the random oracle queries (both FRO1 and FRO2 ) made by AdvInt and tries to extract the committed message m. Sim aborts if it fails to extract the message. Let us assume that AdvInt makes s random oracle queries during the commit phase and Sim records them as (q1 , q2 , . . . , qs ). We denote a (qi , qj ) pair as valid, if qi was queried to FRO1 , qj was queried to FRO2 and the following holds: g FRO1 (sid||qi ) hqj mod p = c1 . (7) where C OM(m) = (c1 , c2 ) is received from AdvInt by Sim. Sim runs over all possible pairs of (qi , qj ) to find the valid pair(s). Based on the number of valid pair(s) discovered, Sim performs the following : – If there does not exist any valid pair then Sim samples m′ ←R G and sends (C OMMIT, sid, m′ ) to FCOM . 38 – If there exists a unique valid (qi , qj ) pair then Sim sends (C OMMIT, sid, qi ) to FCOM . – If there exists more than one valid pair then Sim samples m′ ←R G and sends (C OMMIT, sid, m′ ) to FCOM . In the decommitment phase, AdvInt sends (m, r1 , r2 ) to Sim. Sim verifies the commitment and aborts if verification fails in the internal execution. Whereas, Sim aborts in the ideal world as well as in FCOM if the following holds: – Case 1: If there was no valid pair. – Case 2: If there was one valid (qi , qj ) pair, and qi 6= m. – Case 3: If there exists more than one valid pair. If none of the above conditions hold, then Sim has an unique valid (qi , qj ) pair, s.t. qi = m and qj = r1 . He sends (D ECOMMIT, sid) to FCOM to complete simulation of FCOM . At the end of the protocol, AdvInt sends its view to Sim. Sim forwards the view to Z who halts with an output. Indistinguishability : We show that the real world view of Z is indistinguishable from the ideal world view by showing that the following two hybrids are computationally indistinguishable. – HYBR : Real world execution of the protocol. – HYBI : It represents the ideal world execution of the protocol Z can distinguish between the two hybrids (or worlds) if Sim aborts in ideal world and FCOM , while the honest R completes the protocol in real world. This occurs when the decommitment to C OM provided by AdvInt verifies correctly but Sim fails to extract the underlying committed message in the internal execution. This event has been captured as an union of three exhaustive cases presented in the simulation. We will show that each case occurs with negligible probability: - Case 1: This case shows that AdvInt obtained FRO1 (sid||m) and FRO2 (sid||r1 ) without querying m or r1 to the random oracle during the commit phase. The random oracle assumption ensures that the query results would be random. Hence AdvInt can guess FRO1 (sid||m) (or FRO2 (sid||r1 )) without querying m (or r1 ) with negligible probability. - Case 2: This case demonstrates that either AdvInt obtained FRO1 (sid||m) and FRO2 (sid||r1 ) without querying m or r1 to the random oracle during the commit phase, or the AdvInt possesses two valid pairs (qi , qj ) and (m, r). The first event occurs with negligible probability as we are in the RO model. And the occurrence of the second event implies that the DLP problem can be solved by using AdvInt as a blackbox. The adversary AdvDLP will obtain a challenge instance (g, h) = (g, g x ) from the challenger ChallDLP of the DLP game. AdvDLP will invoke the AdvInt while simulating the role of an honest R in the commitment scheme with crs = (g, h). AdvDLP will observe the queries made by AdvInt to obtain a valid pair (qi , qj ). He will receive the commitment C OM 39 from AdvInt . Upon obtaining the decommitment, (m, r), to C OM, AdvDLP will find x as follows: g FRO1 (sid||qi ) hqj = g FRO1 (sid||m) hr mod p =⇒ g FRO1 (sid||qi )+qj x = g FRO1 (sid||m)+rx mod p =⇒ FRO1 (sid||qi ) + qj x = FRO1 (sid||m) + rx =⇒ x = (FRO1 (sid||qi ) − FRO1 (sid||m))(r − qj )−1 (8) However, we assume that the DLP problem is hard in group G and hence this case occurs with negligible probability. - Case 3: This case indicates that AdvInt obtains two or more valid pairs. This again implies that either the DLP problem has been solved by AdvInt or AdvInt found a collision in the random oracle queries. Let us denote two such valid pairs as (qi , qj ) and (qi′ , qj′ ). We will further split this case into two more subcases for analysis based on the equality of FRO1 (sid||qi ) and FRO1 (sid||qi′ ) values. i. qi 6= qi′ , FRO1 (sid||qi ) = FRO1 (sid||qi′ ), qj = qj′ : This indicates that AdvInt found a collision in the random oracle queries as qi 6= qi′ . However, this event occurs with negligible probability as we are in the random oracle model. ii. qi 6= qi′ , FRO1 (sid||qi ) 6= FRO1 (sid||qi′ ), qj 6= qj′ : In this case, AdvInt can be used as blackbox by AdvDLP to solve the DLP problem. AdvDLP will invoke the AdvInt while simulating the role of an honest R in the commitment scheme with crs = (g, h). AdvDLP will observe the queries made by AdvInt to obtain two valid pairs (qi , qj ) and (qi′ , qj′ ) s.t. qi 6= qi′ and qj 6= qj′ . AdvDLP solves the DLP problem by finding x as follows: ′ ′ ′ ′ g FRO1 (sid||qi ) hqj = g FRO1 (sid||qi ) hqj mod p =⇒ =⇒ g FRO1 (sid||qi )+qj x = g FRO1 (sid||qi )+qj x mod p FRO1 (sid||qi ) + qj x = FRO1 (sid||qi′ ) + qj′ x =⇒ x = (FRO1 (sid||qi ) − FRO1 (sid||qi′ ))(qj′ − qj )−1 (9) However, we assume that the DLP problem is hard in group G and hence this case occurs with negligible probability. The other two cases involve FRO1 (sid||qi ) = FRO1 (sid||qi′ ), qj 6= qj′ and FRO1 (sid||qi ) 6= FRO1 (sid||qi′ ), qj = qj′ for qi 6= qi′ . However, in these cases, it is not possible for both (qi , qj ), (qi′ , qj′ ) to be valid pairs (refer condition for ′ ′ valid pair in Eq 7) as g FRO1 (qi ) hqj 6= g FRO1 (qi ) hqj . There maybe atmost one valid pair, for which the analysis follows from Case 1 and 2. 8.3 Adaptive Security Interestingly, our commitment scheme πCOM (Fig 12) also satisfies the stronger security notion of adaptivity under the observable random oracle assumption in the crs setup. We briefly discuss the proof in this section. 40 Theorem 10. If FRO1 and FRO2 are observable random oracles and solving the Discrete Log Problem is hard in multiplicative group G, then protocol πCOM UC-securely realizes the FCOM functionality in the crs model against adaptive active adversaries (without erasures). Proof. To prove adaptive security, we require Sim to equivocate the views of R and S appropriately on adaptive corruption in addition to static security. We divide our simulation into cases based on the party being corrupted: R∗ is corrupted: R does not have any private input or input randomness, and so the role of R in the protocol is restricted to verifying the commitments upon obtaining the message (m) and randomness (r1 and r2 ) during the decommitment phase. When AdvInt corrupts R∗ at any stage, i.e. commit phase, decommitment phase or post execution of the protocol, Sim returns a random tape as the internal randomness of R∗ . S∗ is corrupted: Sim closely imitates the role of the simulator for static corruption when S∗ gets corrupted adaptively. If AdvInt corrupts S∗ in the beginning of the protocol or before the commitment is sent, Sim returns a random tape as the internal randomness of S∗ . If AdvInt corrupts S∗ after the commitment is sent, i.e. in decommitment phase or post execution, then Sim needs to equivocate. Sim initially commits to a dummy message m′ and upon corruption of S∗ , Sim obtains message m and successfully equivocates the commitment to open to m using randomness (r1 , r2 ) (computed as described in the proof of Theorem 9). Z cannot distinguish between the commitment to m′ and commitment to the actual value due to the statistical hiding property of the scheme. Equivocation follows from the equivocal property as proven for the static case. 8.4 Generation of crs using Observable Random Oracle For our protocol πCOM , the involved parties require a crs of the form (g, h), where h = g x . Also, the simulator should have the knowledge of the trapdoor x in order to perform simulation. The crs can be trivially generated if we assume a PRO. The parties can generate the crs as FRO (sid||“com”). Sim samples x and programs the RO to return (g, h) s.t. h = g x . This preserves adaptive security of πCOM when the crs generation algorithm is included as part of πCOM . However we are interested in generating the crs without relying on the programmability of the RO. This can be achieved by executing a 2PC protocol πCRS (Fig. 13) relying solely on the observability property of the RO. Once the crs is generated it can be reused for subsequent commitments between the parties. By generating the crs as part of the protocol it can be concluded that our commitment scheme is adaptively secure in the Global Random Oracle model. Intuition: Our πCRS protocol proceeds in two phases - coin tossing and zero knowledge proof of knowledge (ZKPoK). The parties perform coin tossing to generate random shares hS and hR . These shares are then used to obtain h = hS .hR . Once the coin tossing is performed, they engage in ZKPoK in order to prove the knowledge of trapdoors to their respective shares, i.e. hS and hR respectively. The ZKPoK enables the simulator of πCRS to extract the corrupted party’s share in order to obtain the trapdoor 41 Fig. 13: Generating crs = (g, h) for πCOM using FRO πCRS – Public Inputs: The generator of group G is g. – Functionality: Random oracle FRO : {0, 1}poly(κ) → {0, 1}κ . – Private Inputs: The parties do not have any input. Coin Tossing: – Round 1: - S samples xS ←R Zp , computes hS = g xS mod p and sends FRO (sid||hS ) to R. - R samples xR ←R Zp , computes hR = g xR mod p and sends FRO (sid||hR ) to S. – Round 2: - S sends hS to R. - R sends hR to S. – Computation: - S verifies FRO (sid||hR ) and computes h = hS .hR mod p, else aborts. - R verifies FRO (sid||hS ) and computes h = hS .hR mod p, else aborts. Zero Knowledge Proof of Knowledge: S and R perform the following steps in parallel with their roles interchanged. – Round 1: - R samples a challenge string c ←R {0, 1}ν and sends FRO (sid||c) to S. – Round 2: - S computes ν garbled circuits, by sampling seedi ←R {0, 1}κ and (GCi , ei , di ) ← Gb(PRG(seedi ), C) where C computes g x , for i ∈ [ν]. - S sends FRO (sid||seedi ), FRO (sid||GCi ) and di to R. – Round 3: - R reveals c to S. S verifies FRO (sid||c) and aborts if verification fails. – Round 4: (Let ci denote ith bit of c) - If ci = 0, then GCi is a check circuit and S sends seedi to R. - If ci = 1, then GCi is an evaluation circuit and S sends X = En(xS , ei ) to R. – Computation: - R verifies the check circuit GCi as Ve(C, GCi , ei ), if ci = 0, else he aborts. - R computes y = De(Ev(GCi , X)), if ci = 1, and aborts if y 6= hS . - R stores (g, h) as the crs. to (g, h). Our coin tossing protocol requires 2 rounds and ZKPoK consumes 4 rounds. However, the first 2 rounds of the ZKPoK can be parallelized with the coin tossing protocol, thus yielding a 4 round protocol for crs generation. The coin tossing is performed using the random oracle and the ZKPoK is performed by plugging a simplified ZK version of [HV16] which uses garbled circuits and random oracle only. Note that we need a ZKPoK protocol which can be implemented using an ORO and without relying on any other setup assumption. This rules out the possibilities of using efficient ZKPoK protocol of [JKO13] since it uses an OT, which would further require other setup assumptions. However, the interactive ZKPoK variants of “MPC-in-the-head” protocols [GMO16, AHIV17] also suffices for our purpose. 42 Static Security: We prove that πCRS generates crs in the presence of static active adversaries. Since our protocol is symmetric, we consider the case where S∗ is corrupted and simulator Sim plays the role of honest R. Sim behaves like an honest R throughout the protocol and extracts the trapdoor xS from the ZKPoK sent by S∗ . Sim plays the role of an evaluator in the ZKPoK whereas S∗ plays the role of a constructor. Sim extracts the seeds, for all circuits sent by S∗ , by observing the queries made to FRO and matching them with FRO (sid||seedi ). Sim generates the encoding information of all evaluation circuits from the seeds. Finally, Sim extracts the input witness xS of S∗ , by matching the input wire labels, of the evaluation circuit, with the encoding information, of the evaluation circuit. On the other hand, Sim can simulate the ZKPoK, on behalf of constructor, by behaving like an honest R since he knows the trapdoor xR sampled by him. A corrupt S∗ cannot extract any information about xR due to the privacy of the garbling scheme. Adaptive Security: We prove that protocol πCRS is adaptively-secure by observing that the parties do not have any private inputs at the outset of the protocol. The simulator can simulate by running honest sender/receiver algorithms as required. Upon corruption of a party, the simulator can reveal its random tape for the corresponding party. The simulated honest party’s view will be indistinguishable from the real honest party’s view since in both cases the protocol transcripts are honestly generated using a random tape. This proves that our protocol πCRS UC-securely generates the crs required for our commitment scheme. 8.5 Final Commitment Scheme π = πCRS + πCOM We can combine πCRS and πCOM to obtain an UC-secure protocol π which implements FCOM functionality in the presence of adaptive adversaries solely relying on ORO. The security has been summarized in Theorem. 11. It can be proven secure in the GRO of [CJS14] since it does not require a local crs. Theorem 11. If Garble = (Gb, En, Ev, De, Ve) is a private, verifiable garbling scheme and solving the Discrete Log Problem is hard in multiplicative group G, if πCOM implements FCOM functionality against active adaptive adversaries in the crs, ORO-model and πCRS generates the crs against active adaptive adversaries in the ORO model, then π = πCRS + πCOM implements FCOM functionality against active adaptive adversaries (without erasures) in the ORO-model. 8.6 Efficiency of π We analyze the efficiency of π by analyzing the efficiency of πCRS and πCOM separately. The πCRS protocol requires 4 rounds and has a computation cost of 2 exponentiations, 8ν + 8 oracle queries, construction and evaluation of 2ν circuits. The communication cost is 2ν circuits + (8 + 4ν + 2κ) strings of κ bits. However, it is a one-time cost which would get amortized when multiple commitments are performed using the same crs. Next, we analyze the efficiency of πCOM . The length of our commitment is one group element and one κ bit string, independent of the message length. Decommitment incurs 43 communication of two group elements. The computation is also minimal, incurring one random oracle query on |m| bits, one oracle query on a κ bits string and two exponentiations on sender’s side for committing. Decommitment incurs similar computation overhead on the receiver’s end. It is non-interactive in both commitment and decommitment phase. This yields an efficient adaptively secure commitment scheme which is practically motivated for offline-online 2PC/MPC protocols [HKK+ 14, LR14, LR15, RR16]. The πCRS protocol can be run in the offline phase while the commitment scheme can be conveniently used in the online phase. 9 Implementation Details In this section, we support our theoretical claims with empirical details. First, we talk about the hardware configuration of our system and then we compare our results with other relevant protocols in the literature. We specifically compare against the stateof-the-art statically secure protocols to establish the fact that we achieve upgrade in security with minimal overhead. Hardware Details: We have tested the code in a standard LAN network and a simulated WAN setting. Our machine has 8GB RAM and an Intel Core i5-4690 CPU with 3.5 GHz processor speed. For WAN simulation, we used the tc tool of Linux and introduced a round trip delay of 100 milliseconds into the network, with a bandwidth of 20Mbps. Software Details: To establish OT results, first we compare the performance of our adaptively secure OT with the statically secure PVW OT, both under DDH assumption. Table 5 shows the results for LAN and WAN setting for a message size of 128 bits. Second, for OT Extension, we build upon the OT extension code made available by Encrypto group on github [OTC]. It contains the OT extension implementations of KK13, NNOB and ALSZ in C++, using the Miracl library for elliptic curve arithmetic. Additionally, we have received the code from the authors of [PSS17] and used it in our comparison for 1-out-of-N OT extension. The random oracle in our protocol has been implemented by the use of standard AES-128 and SHA-256 hash function. We require 190, 342, 256 and 190 seed OTs for ALSZ, NNOB, PSS and our protocol respectively to obtain the necessary security. Tables 6 and 7 give a detailed view of cost involved in attaining 1-out-of-2 OT Extension and 1-out-of-N (1-out-of-16) OT Extension respectively in both LAN and WAN setting over various values of m which is the number of OTs generated. For our adaptively secure commitment scheme, we use SHA-256 as a standard replacement to Observable Random Oracle and tabulate efficiency values over various message lengths as depicted in 4. For all implementation purposes, we set the computational security parameter to be κ = 128 and the statistical security parameter to be ν = 40. Comparison: Tables 5, 6 and 7 compares the performance of our adaptively secure protocols against the existing state-of-the-art static protocols. Our adaptively secure OT protocol has a mere overhead of 0.02% and 1.0% over the PVW protocol in the LAN and WAN setting respectively. This overhead is nominal compared to the security 44 Table 5: Table indicating implementation results for Oblivious Transfer protocol in the LAN setting for κ=128. Msg Size Runtime Runtime Comm. (bits) Comm. (bits) Setting n (bits) of S (s) of R (s) of S (s) of R (s) Scheme PVW (Static, DDH based) 128 LAN WAN 1.675 4.321 0.970 1.681 512 512 256 256 Our Scheme (Adaptive, DDH-based) 128 LAN WAN 1.676 4.329 0.971 1.690 512 512 384 384 achieved. We can in fact consider this to be an upgrade in security and ideally suited for real world applications, at the cost of static OT. From Fig. 14 we can see that our protocol has minimal overhead over the static 1-out-of-2 OT extension protocols. We incur an overhead of 2% and 11.95% over ALSZ, 8% and almost no overhead over NNOB in the LAN and WAN setting respectively in terms of computation. Communication wise, we incur 2.4% overhead over ALSZ and none over NNOB. For generating 1-out-of-16 OT, we incur an overhead of 0.6% and 0.6% over ALSZ, 2% and 7% NNOB, 16% and 24% over PSS in LAN and WAN runtime. In concrete terms, each extended 1-out-of-2 adaptive OT costs around .104-2 µs based on the number of OTs generated together. The implementation of KOS [KOS15] is not available in the public domain. ALSZ has 24% overhead over [IKNP03] and KOS has 5% over [IKNP03] in LAN setting. This translates to 18% overhead of ALSZ over KOS. Based on that we can compare accordingly with KOS, by comparing with ALSZ. Similarly each extended 1-out-of-16 adaptive OT costs around 21µs. Hence, our OT extension protocols generates practically efficient OTs which can find useful applications in real-life protocols that demand adaptive security. We compare our commitment scheme with the state-of-the-art adaptive protocol of [HM04]. Our scheme requires around 0.20 ms for committing to a string of length 2048 bits, whereas they require around 0.48ms. This implies our scheme is approx. 2 times faster compared to [HM04]. Tab. 4 compares our protocol with [HM04] for various message sizes and demonstrates our efficiency gain. Table 6: Performance Comparison of our adaptive OT extension with the state-of-the-art static OT extensions for generating 1-out-of-2 OTs. The value of m denotes the number of OTs generated and κ = 128. m Runtime in LAN (in sec) Runtime in WAN (in sec) Communication (in MB) (105 ) ALSZ NNOB Ours ALSZ NNOB Ours ALSZ NNOB Ours 1.25 2.5 5 12.5 0.234 0.350 0.590 1.237 0.127 0.270 0.562 1.329 0.253 0.369 0.610 1.259 14.35 14.75 14.469 11.00 26.44 27.11 26.569 21.96 51.02 52.43 51.14 43.90 123.9 127.43 124.024 109.74 45 13.36 26.70 53.38 133.45 11.024 21.984 43.924 109.764 Table 7: Performance Comparison of our adaptive OT extension with the state-of-the-art static OT extensions for generating 1-out-of-16 OTs. The value of m denotes the number of OTs generated and the value of the security parameter is κ = 128. Runtime in LAN (in sec) Runtime in WAN (in sec) Communication (in MB) ALSZ NNOB PSS Ours ALSZ NNOB PSS Ours ALSZ NNOB PSS Ours m 1.25 × 105 2.5 × 105 5 × 105 1.25 × 106 02.65 05.26 10.04 24.81 02.61 2.30 05.05 4.50 10.10 9.0 24.84 22.50 2.668 5.287 10.062 24.836 18.10 33.80 65.00 158.60 16.90 31.40 60.40 143.20 14.62 26.45 50.75 121.94 18.218 34.019 65.119 159.76 16.67 33.33 66.62 166.54 21.60 43.21 86.39 215.95 4.77 9.54 19.08 47.70 16.693 33.353 66.643 166.563 Fig. 14: Performance Comparison of OT extensions for producing 1-out-of-2 OTs on 16 bits. The x-axis denotes number of OTs (order 105 ) and y-axis denotes runtime for graphs (a); (b) and communication (MB) for graph (c). (b) WAN Runtime 1 0.5 (c) Communication ALSZ NNOB Ours 100 Communication (MB) ALSZ NNOB Ours Runtime (s) Runtime (s) (a) LAN Runtime 50 ALSZ NNOB Ours 100 50 0 1.25 2.5 5 12.5 5 Number of OTs (of order 10 ) 10 1.25 2.5 5 12.5 5 Number of OTs (of order 10 ) 1.25 2.5 5 12.5 Number of OTs (of order 105 ) Conclusion In this paper, we presented UC-secure, efficient round-optimal protocols for cryptographic primitives, secure against adaptive adversaries aided with asymptotic and empirical costs. Our OT and OT extension schemes rely solely on programmability of random oracle as a setup assumption, while our commitment scheme relies on the observability of random oracle. Our OT and commitment scheme are secure in the GRO model, making it the first adaptive OT and commitment scheme in the strong GUC model and thereby realistic for applications. We have validated our claims with robust implementation results supported by tables; graphs depicting the cost incurred for computation and communication in various settings. These results highlight the prospective practicality of our protocols in the adaptive setting. Finally, we leave it as an open problem to obtain a fully simulatable adaptive OT in the GRO model and an OT extension based on assumptions weaker than random oracle. 46 References ABB+ 13. ABP17. AHIV17. AIR01. ALSZ13. ALSZ15. BC15. BC16. BCG17. BCPV13. BCR86. Michel Abdalla, Fabrice Benhamouda, Olivier Blazy, Céline Chevalier, and David Pointcheval. Sphf-friendly non-interactive commitments. In Advances in Cryptology - ASIACRYPT 2013 - 19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, December 1-5, 2013, Proceedings, Part I, pages 214–234, 2013. Michel Abdalla, Fabrice Benhamouda, and David Pointcheval. Removing erasures with explainable hash proof systems. In Public-Key Cryptography - PKC 2017 20th IACR International Conference on Practice and Theory in Public-Key Cryptography, Amsterdam, The Netherlands, March 28-31, 2017, Proceedings, Part I, pages 151–174, 2017. Scott Ames, Carmit Hazay, Yuval Ishai, and Muthuramakrishnan Venkitasubramaniam. Ligero: Lightweight sublinear arguments without a trusted setup. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 2017, pages 2087–2104, 2017. William Aiello, Yuval Ishai, and Omer Reingold. Priced oblivious transfer: How to sell digital goods. In Advances in Cryptology - EUROCRYPT 2001, International Conference on the Theory and Application of Cryptographic Techniques, Innsbruck, Austria, May 6-10, 2001, Proceeding, pages 119–135, 2001. Gilad Asharov, Yehuda Lindell, Thomas Schneider, and Michael Zohner. More efficient oblivious transfer and extensions for faster secure computation. In 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS’13, Berlin, Germany, November 4-8, 2013, pages 535–548, 2013. Gilad Asharov, Yehuda Lindell, Thomas Schneider, and Michael Zohner. More efficient oblivious transfer extensions with security for malicious adversaries. In Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part I, pages 673–701, 2015. Olivier Blazy and Céline Chevalier. Generic construction of uc-secure oblivious transfer. In Applied Cryptography and Network Security - 13th International Conference, ACNS 2015, New York, NY, USA, June 2-5, 2015, Revised Selected Papers, pages 65–86, 2015. Olivier Blazy and Céline Chevalier. Structure-preserving smooth projective hashing. In Advances in Cryptology - ASIACRYPT 2016 - 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi, Vietnam, December 4-8, 2016, Proceedings, Part II, pages 339–369, 2016. Olivier Blazy, Céline Chevalier, and Paul Germouty. Almost optimal oblivious transfer from QA-NIZK. In Applied Cryptography and Network Security - 15th International Conference, ACNS 2017, Kanazawa, Japan, July 10-12, 2017, Proceedings, pages 579–598, 2017. Olivier Blazy, Céline Chevalier, David Pointcheval, and Damien Vergnaud. Analysis and improvement of lindell’s uc-secure commitment schemes. In Applied Cryptography and Network Security - 11th International Conference, ACNS 2013, Banff, AB, Canada, June 25-28, 2013. Proceedings, pages 534–551, 2013. Gilles Brassard, Claude Crépeau, and Jean-Marc Robert. All-or-nothing disclosure of secrets. In Advances in Cryptology - CRYPTO ’86, Santa Barbara, California, USA, 1986, Proceedings, pages 234–238, 1986. 47 BDD+ 17. Paulo S. L. M. Barreto, Bernardo David, Rafael Dowsley, Kirill Morozov, and Anderson C. A. Nascimento. A framework for efficient adaptively secure composable oblivious transfer in the ROM. IACR Cryptology ePrint Archive, abs/1710.08256, 2017. Bea96. Donald Beaver. Correlated pseudorandomness and the complexity of private computations. In Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, Philadelphia, Pennsylvania, USA, May 22-24, 1996, pages 479–488, 1996. BHR12. Mihir Bellare, Viet Tung Hoang, and Phillip Rogaway. Foundations of garbled circuits. In the ACM Conference on Computer and Communications Security, CCS’12, Raleigh, NC, USA, October 16-18, 2012, pages 784–796, 2012. BMR90. Donald Beaver, Silvio Micali, and Phillip Rogaway. The round complexity of secure protocols (extended abstract). In Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, May 13-17, 1990, Baltimore, Maryland, USA, pages 503–513, 1990. Can01. Ran Canetti. Universally composable security: A new paradigm for cryptographic protocols. In 42nd Annual Symposium on Foundations of Computer Science, FOCS 2001, 14-17 October 2001, Las Vegas, Nevada, USA, pages 136–145, 2001. CDD+ 15. Ignacio Cascudo, Ivan Damgård, Bernardo Machado David, Irene Giacomelli, Jesper Buus Nielsen, and Roberto Trifiletti. Additively homomorphic UC commitments with optimal amortized overhead. In Public-Key Cryptography - PKC 2015 - 18th IACR International Conference on Practice and Theory in Public-Key Cryptography, Gaithersburg, MD, USA, March 30 - April 1, 2015, Proceedings, pages 495–515, 2015. CDD+ 16. Ignacio Cascudo, Ivan Damgård, Bernardo David, Nico Döttling, and Jesper Buus Nielsen. Rate-1, linear time and additively homomorphic UC commitments. In Advances in Cryptology - CRYPTO 2016 - 36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 14-18, 2016, Proceedings, Part III, pages 179–207, 2016. CDG+ 18. Jan Camenisch, Manu Drijvers, Tommaso Gagliardoni, Anja Lehmann, and Gregory Neven. The wonderful world of global random oracles. Cryptology ePrint Archive, Report 2018/165, 2018. https://eprint.iacr.org/2018/165. CDMW09a. Seung Geol Choi, Dana Dachman-Soled, Tal Malkin, and Hoeteck Wee. Improved non-committing encryption with applications to adaptively secure protocols. In Advances in Cryptology - ASIACRYPT 2009, 15th International Conference on the Theory and Application of Cryptology and Information Security, Tokyo, Japan, December 6-10, 2009. Proceedings, pages 287–302, 2009. CDMW09b. Seung Geol Choi, Dana Dachman-Soled, Tal Malkin, and Hoeteck Wee. Simple, black-box constructions of adaptively secure protocols. In Theory of Cryptography, 6th Theory of Cryptography Conference, TCC 2009, San Francisco, CA, USA, March 15-17, 2009. Proceedings, pages 387–402, 2009. CDPW07. Ran Canetti, Yevgeniy Dodis, Rafael Pass, and Shabsi Walfish. Universally composable security with global setup. In Theory of Cryptography, 4th Theory of Cryptography Conference, TCC 2007, Amsterdam, The Netherlands, February 21-24, 2007, Proceedings, pages 61–85, 2007. CF01. Ran Canetti and Marc Fischlin. Universally composable commitments. In Advances in Cryptology - CRYPTO 2001, 21st Annual International Cryptology Conference, Santa Barbara, California, USA, August 19-23, 2001, Proceedings, pages 19–40, 2001. 48 CJS14. CKWZ13. CLOS02. CO15. DDGN14. DG03. FLM11. Fuj16. GH08. GIKW14. GIR17. GKPS18. GMO16. Ran Canetti, Abhishek Jain, and Alessandra Scafuro. Practical UC security with a global random oracle. In Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security, Scottsdale, AZ, USA, November 3-7, 2014, pages 597–608, 2014. Seung Geol Choi, Jonathan Katz, Hoeteck Wee, and Hong-Sheng Zhou. Efficient, adaptively secure, and composable oblivious transfer with a single, global CRS. In Public-Key Cryptography - PKC 2013 - 16th International Conference on Practice and Theory in Public-Key Cryptography, Nara, Japan, February 26 - March 1, 2013. Proceedings, pages 73–88, 2013. Ran Canetti, Yehuda Lindell, Rafail Ostrovsky, and Amit Sahai. Universally composable two-party and multi-party secure computation. In Proceedings on 34th Annual ACM Symposium on Theory of Computing, May 19-21, 2002, Montréal, Québec, Canada, pages 494–503, 2002. Tung Chou and Claudio Orlandi. The simplest protocol for oblivious transfer. In Progress in Cryptology - LATINCRYPT 2015 - 4th International Conference on Cryptology and Information Security in Latin America, Guadalajara, Mexico, August 23-26, 2015, Proceedings, pages 40–58, 2015. Ivan Damgård, Bernardo Machado David, Irene Giacomelli, and Jesper Buus Nielsen. Compact VSS and efficient homomorphic UC commitments. In Advances in Cryptology - ASIACRYPT 2014 - 20th International Conference on the Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., December 7-11, 2014, Proceedings, Part II, pages 213–232, 2014. Ivan Damgård and Jens Groth. Non-interactive and reusable non-malleable commitment schemes. In Proceedings of the 35th Annual ACM Symposium on Theory of Computing, June 9-11, 2003, San Diego, CA, USA, pages 426–437, 2003. Marc Fischlin, Benoı̂t Libert, and Mark Manulis. Non-interactive and re-usable universally composable string commitments with adaptive security. In Advances in Cryptology - ASIACRYPT 2011 - 17th International Conference on the Theory and Application of Cryptology and Information Security, Seoul, South Korea, December 4-8, 2011. Proceedings, pages 468–485, 2011. Eiichiro Fujisaki. Improving practical uc-secure commitments based on the DDH assumption. In Security and Cryptography for Networks - 10th International Conference, SCN 2016, Amalfi, Italy, August 31 - September 2, 2016, Proceedings, pages 257–272, 2016. Matthew Green and Susan Hohenberger. Universally composable adaptive oblivious transfer. In Advances in Cryptology - ASIACRYPT 2008, 14th International Conference on the Theory and Application of Cryptology and Information Security, Melbourne, Australia, December 7-11, 2008. Proceedings, pages 179–197, 2008. Juan A. Garay, Yuval Ishai, Ranjit Kumaresan, and Hoeteck Wee. On the complexity of UC commitments. In Advances in Cryptology - EUROCRYPT 2014 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11-15, 2014. Proceedings, pages 677–694, 2014. Ziya Alper Genç, Vincenzo Iovino, and Alfredo Rial. ”the simplest protocol for oblivious transfer” revisited. IACR Cryptology ePrint Archive, 2017:370, 2017. Chaya Ganesh, Yashvanth Kondi, Arpita Patra, and Pratik Sarkar. Efficient adaptively secure zero-knowledge from garbled circuits. Cryptology ePrint Archive, Report 2018/043, 2018. https://eprint.iacr.org/2018/043. Irene Giacomelli, Jesper Madsen, and Claudio Orlandi. Zkboo: Faster zeroknowledge for boolean circuits. In 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10-12, 2016., pages 1069–1083, 2016. 49 GMW87. GMY04. GPV08. GWZ09. HK07. HK12. HKK+ 14. HL17. HM04. HPV17. HV15. HV16. IKNP03. Oded Goldreich, Silvio Micali, and Avi Wigderson. How to play any mental game or A completeness theorem for protocols with honest majority. In Proceedings of the 19th Annual ACM Symposium on Theory of Computing, 1987, New York, New York, USA, pages 218–229, 1987. Juan A. Garay, Philip MacKenzie, and Ke Yang. Efficient and Universally Composable Committed Oblivious Transfer and Applications, pages 297–316. Springer Berlin Heidelberg, Berlin, Heidelberg, 2004. Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In Proceedings of the 40th Annual ACM Symposium on Theory of Computing, Victoria, British Columbia, Canada, May 1720, 2008, pages 197–206, 2008. Juan A. Garay, Daniel Wichs, and Hong-Sheng Zhou. Somewhat non-committing encryption and efficient adaptively secure oblivious transfer. In Advances in Cryptology - CRYPTO 2009, 29th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2009. Proceedings, pages 505–523, 2009. Omer Horvitz and Jonathan Katz. Universally-composable two-party computation in two rounds. In Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2007, Proceedings, pages 111–129, 2007. Shai Halevi and Yael Tauman Kalai. Smooth projective hashing and two-message oblivious transfer. J. Cryptology, 25(1):158–193, 2012. Yan Huang, Jonathan Katz, Vladimir Kolesnikov, Ranjit Kumaresan, and Alex J. Malozemoff. Amortizing garbled circuits. In Advances in Cryptology - CRYPTO 2014 - 34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 1721, 2014, Proceedings, Part II, pages 458–475, 2014. Eduard Hauck and Julian Loss. Efficient and universally composable protocols for oblivious transfer from the cdh assumption. IACR Cryptology ePrint Archive, 2017:1011, 2017. Dennis Hofheinz and Jörn Müller-Quade. Universally composable commitments using random oracles. In Theory of Cryptography, First Theory of Cryptography Conference, TCC 2004, Cambridge, MA, USA, February 19-21, 2004, Proceedings, pages 58–76, 2004. Carmit Hazay, Antigoni Polychroniadou, and Muthuramakrishnan Venkitasubramaniam. Constant round adaptively secure protocols in the tamper-proof hardware model. In Public-Key Cryptography - PKC 2017 - 20th IACR International Conference on Practice and Theory in Public-Key Cryptography, Amsterdam, The Netherlands, March 28-31, 2017, Proceedings, Part II, pages 428sss–460, 2017. Carmit Hazay and Muthuramakrishnan Venkitasubramaniam. On black-box complexity of universally composable security in the CRS model. In Advances in Cryptology - ASIACRYPT 2015 - 21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November 29 - December 3, 2015, Proceedings, Part II, pages 183–209, 2015. Carmit Hazay and Muthuramakrishnan Venkitasubramaniam. On the power of secure two-party computation. In Advances in Cryptology - CRYPTO 2016 - 36th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 1418, 2016, Proceedings, Part II, pages 397–429, 2016. Yuval Ishai, Joe Kilian, Kobbi Nissim, and Erez Petrank. Extending oblivious transfers efficiently. In Advances in Cryptology - CRYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, California, USA, August 17-21, 2003, Proceedings, pages 145–161, 2003. 50 IPS08. IR89. JKO13. JS07. Kil88. KK13. KOS15. Lin08. Lin11. Lin13. LM16. LR14. LR15. LZ11. LZ13. Yuval Ishai, Manoj Prabhakaran, and Amit Sahai. Founding cryptography on oblivious transfer - efficiently. In Advances in Cryptology - CRYPTO 2008, 28th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 2008. Proceedings, pages 572–591, 2008. Russell Impagliazzo and Steven Rudich. Limits on the provable consequences of one-way permutations. In Proceedings of the 21st Annual ACM Symposium on Theory of Computing, May 14-17, 1989, Seattle, Washigton, USA, pages 44–61, 1989. Marek Jawurek, Florian Kerschbaum, and Claudio Orlandi. Zero-knowledge using garbled circuits: how to prove non-algebraic statements efficiently. In 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS’13, Berlin, Germany, November 4-8, 2013, pages 955–966, 2013. Stanislaw Jarecki and Vitaly Shmatikov. Efficient two-party secure computation on committed inputs. In Advances in Cryptology - EUROCRYPT 2007, 26th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Barcelona, Spain, May 20-24, 2007, Proceedings, pages 97–114, 2007. Joe Kilian. Founding cryptography on oblivious transfer. In Proceedings of the 20th Annual ACM Symposium on Theory of Computing, May 2-4, 1988, Chicago, Illinois, USA, pages 20–31, 1988. Vladimir Kolesnikov and Ranjit Kumaresan. Improved OT extension for transferring short secrets. In Advances in Cryptology - CRYPTO 2013 - 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part II, pages 54–70, 2013. Marcel Keller, Emmanuela Orsini, and Peter Scholl. Actively secure OT extension with optimal overhead. In Advances in Cryptology - CRYPTO 2015 - 35th Annual Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part I, pages 724–741, 2015. Yehuda Lindell. Efficient fully-simulatable oblivious transfer. Chicago J. Theor. Comput. Sci., 2008, 2008. Yehuda Lindell. Highly-efficient universally-composable commitments based on the DDH assumption. In Advances in Cryptology - EUROCRYPT 2011 - 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15-19, 2011. Proceedings, pages 446–466, 2011. Yehuda Lindell. Fast cut-and-choose based protocols for malicious and covert adversaries. In Advances in Cryptology - CRYPTO 2013 - 33rd Annual Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part II, pages 1–17, 2013. Baiyu Li and Daniele Micciancio. Equational security proofs of oblivious transfer protocols. Cryptology ePrint Archive, Report 2016/624, 2016. Yehuda Lindell and Ben Riva. Cut-and-choose yao-based secure computation in the online/offline and batch settings. In Advances in Cryptology - CRYPTO 2014 34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 2014, Proceedings, Part II, pages 476–494, 2014. Yehuda Lindell and Ben Riva. Blazing fast 2pc in the offline/online setting with security for malicious adversaries. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October 12-6, 2015, pages 579–590, 2015. Yehuda Lindell and Hila Zarosim. Adaptive zero-knowledge proofs and adaptively secure oblivious transfer. J. Cryptology, 24(4):761–799, 2011. Yehuda Lindell and Hila Zarosim. On the feasibility of extending oblivious transfer. In TCC, pages 519–538, 2013. 51 MR17. NFT09. NP01. NP05. OOS17. OTC. Ped91. PSS17. PVW08. Rab81. RR16. Yao82. ZRE15. Payman Mohassel and Mike Rosulek. Non-interactive secure 2pc in the offline/online and batch settings. In Advances in Cryptology - EUROCRYPT 2017 - 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30 - May 4, 2017, Proceedings, Part III, pages 425–455, 2017. Ryo Nishimaki, Eiichiro Fujisaki, and Keisuke Tanaka. Efficient non-interactive universally composable string-commitment schemes. In Provable Security, Third International Conference, ProvSec 2009, Guangzhou, China, November 11-13, 2009. Proceedings, pages 3–18, 2009. Moni Naor and Benny Pinkas. Efficient oblivious transfer protocols. In Proceedings of the Twelfth Annual Symposium on Discrete Algorithms, January 7-9, 2001, Washington, DC, USA., pages 448–457, 2001. Moni Naor and Benny Pinkas. Computationally secure oblivious transfer. J. Cryptology, 18(1):1–35, 2005. Michele Orrù, Emmanuela Orsini, and Peter Scholl. Actively secure 1-out-of-n OT extension with application to private set intersection. In Topics in Cryptology - CTRSA 2017 - The Cryptographers’ Track at the RSA Conference 2017, San Francisco, CA, USA, February 14-17, 2017, Proceedings, pages 381–396, 2017. Encrypto group otextension code. https://github.com/ encryptogroup/OTExtension. Torben P. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. In Advances in Cryptology - CRYPTO ’91, 11th Annual International Cryptology Conference, Santa Barbara, California, USA, August 11-15, 1991, Proceedings, pages 129–140, 1991. Arpita Patra, Pratik Sarkar, and Ajith Suresh. Fast actively secure OT extension for short secrets. In 24th Annual Network and Distributed System Security Symposium, NDSS, 2017. Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A framework for efficient and composable oblivious transfer. In Advances in Cryptology - CRYPTO 2008, 28th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 2008. Proceedings, pages 554–571, 2008. Michael O. Rabin. How to exchange secrets with oblivious transfer, 1981. Harvard University Technical Report 81 talr@watson.ibm.com 12955 received 21 Jun 2005. Peter Rindal and Mike Rosulek. Faster malicious 2-party secure computation with online/offline dual execution. In 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10-12, 2016., pages 297–314, 2016. Andrew Chi-Chih Yao. Protocols for secure computations (extended abstract). In 23rd Annual Symposium on Foundations of Computer Science, Chicago, Illinois, USA, 3-5 November 1982, pages 160–164, 1982. Samee Zahur, Mike Rosulek, and David Evans. Two halves make a whole - reducing data transfer in garbled circuits using half gates. In Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015, Proceedings, Part II, pages 220–250, 2015. A Universal Composability Model We prove security of our protocol in the standard Universal Composability (UC) framework of Canetti [Can01], with static and adaptive corruptions. And we conclude this 52 section with the definition of F-hybrid model, which is instrumental for security proofs in the UC model. A.1 Static Security in the UC Model In this model, the real world execution of protocol π is carried out between the honest parties P1 and P2 and an adversary Adv, in the presence of an external entity called the environment Z. All the parties are PPT Turing machines and Z has an auxiliary information z. At the outset of the protocol the environment initiates the parties with inputs and provides some initial information to Adv. Z is allowed to interact with Adv throughout the protocol. At the outset of the protocol, Adv may or may not corrupt a party. Upon corruption of a party, Adv gets access to the internal state and input of that party. From now on the party will behave according to Adv’s instructions (since we are in the malicious model). At the end of the protocol, the honest parties send their output to Z while Adv outputs ⊥ on behalf of the corrupted parties and its internal state to Z. We denote the view of Z as REALF ,Adv,Z (1κ , z). In the ideal world we consider the honest parties P1 and P2 , a PPT adversary Sim, Z and the functionality F. Sim has a random tape r and security parameter κ. He simulates the role of Adv in the ideal world and whenever Adv corrupts a party in the real world Sim corrupts that party in the ideal world and gets access to its internal state. Sim invokes the algorithm of Adv, in his head, in another internal protocol execution where Sim simulates the view of the honest parties to Adv. We will denote this internal copy of Adv as AdvInt . Based on the reply of AdvInt in the internal execution, Sim behaves accordingly in the ideal world execution. He extracts the inputs of the corrupted parties in the internal execution and invokes F in the ideal world with those inputs to obtain the output. In the internal execution he simulates the protocol in such a way that AdvInt obtains that output. At the end of the protocol, AdvInt forwards his view to Sim who forwards it to Z. We denote the view of Z as IDEALF ,Sim,Z (1κ , z). We say that a protocol π UC-securely implements a functionality F in the presence of static adversaries if the real world and ideal world views are indistinguishable. Definition 1. Let π be a protocol for computing a functionality F. We say that π UCsecurely computes the two party protocol functionality F in the presence of static adversaries if for every PPT adaptive real-world adversary Adv and every environment Z, there exists a PPT ideal-world adversary Sim, such that: REAL F ,Adv,Z (1 A.2 κ c , z) ≈ IDEALF ,Sim,Z (1κ , z) Adaptive Security in the UC Model In the adaptive setting, Z can ask the real world adversary Adv to corrupt an honest party during the real world execution of the protocol or after the execution completes. During the execution, Adv can observe the public transcript of the protocol and based on that he can adaptively corrupt an honest party. Once a party gets corrupted, Adv gets access to the input and private randomness of the party, thus controlling the party from thereon. In case of post execution corruption, Adv observes the output and the 53 transcript of the protocol, and then he corrupts the honest party to get access to the input and private randomness of the party. After post execution corruption occurs, Adv forwards its view to Z. Based on that, Z constructs its real world view, which we denote as REALF ,Adv,Z (1κ , z). Similarly, in the ideal world Z can ask the ideal world adversary Sim to corrupt an honest party during the ideal world execution of the protocol or after the execution completes. When Z instructs Sim to corrupt an honest party in the ideal world, Sim obtains the input of the honest party, in the ideal world, and he instructs the internal world adversary AdvInt to corrupt the corresponding honest party in the internal world. Recall that Sim simulates the honest parties in the internal execution. When AdvInt corrupts an honest party in the internal world, Sim has to produce a private randomness for the simulated honest party such that it matches with the input of the honest party and the simulated transcript produced by Sim, in the internal world, on behalf of the honest party. Sim provides this matching randomness and the input of the simulated honest party to AdvInt in the internal world. In case of post execution corruption of an honest party, Sim obtains the honest party’s input in the ideal world and produces the matching randomness (corresponding to the simulated transcript) in a similar fashion to AdvInt in the internal world. After post execution corruption occurs, Adv forwards its view to Sim, who forwards it to Z. Based on that, Z constructs its ideal world view, which we denote as IDEALF ,Sim,Z (1κ , z). We say that a protocol π UC-securely implements a functionality F in the presence of adaptive adversaries if the real world and ideal world views are indistinguishable. Definition 2. Let π be a protocol for computing a functionality F. We say that π UCsecurely computes the two party protocol functionality F in the presence of adaptive adversaries if for every PPT adaptive real-world adversary Adv and every environment Z, there exists a PPT ideal-world adversary Sim, such that: REAL F ,Adv,Z (1 A.3 κ c , z) ≈ IDEALF ,Sim,Z (1κ , z) The F -hybrid model. In order to construct our protocols, we utilize other secure two-party protocols as subprotocols. The standard way of doing this is to work in a “hybrid model” where both the parties interact with each other (as in the real model) in the outer protocol and use ideal functionality calls (as in the ideal world) for the subprotocols. The UC composition theorem states that if a protocol ρ UC-securely implements a functionality F, then any execution of ρ in a bigger protocol can be replaced with ideal calls to the functionality F. Specifically, while constructing a protocol π that uses ρ as subprotocol, for securely computing some functionality F, the parties can run π and invoke F. The execution of π that invokes F, for each execution of ρ, is called the F-hybrid execution of π and is denoted as π F . The hybrid ensemble HYBπF , A DV, Z (1κ , z) describes Z’s output after interacting with Adv and the parties running protocol π F . Whereas, the execution of π that considers execution of ρ is denoted as π ρ . The hybrid ensemble HYBπρ , A DV, Z (1κ , z) describes Z’s output after interacting with Adv and the parties running protocol π ρ . By UC security, the two hybrids HYBπF , A DV, Z (1κ , z) and 54 HYBπρ , A DV, Z (1κ , z) are indistinguishable. This permits replacing executions of ρ, in π, with ideal calls to F functionality; thereby allowing π to execute in the F-hybrid model. It simplifies the security proof of π F as it can be performed in the F-hybrid model, instead of proving security of ρ within the proof of π ρ . B Garbled Circuits Bellare et al [BHR12] gave an abstraction of garbling schemes for circuits and formalized several notions of security. Using the language of [BHR12] for circuits; the circuit itself is a directed acyclic graph, where each gate g is indexed by its outgoing wire, and its left and right incoming wires A(g) and B(g) are numbered such that g > B(g) > A(g). Also, a circuit output wire can not be an input wire to any gate. We denote the number of input wires, gates and output wires using n, q and m respectively in a circuit C. At a high-level, a garbling scheme consists of the following algorithms: Gb takes a circuit as input and outputs a garbled circuit, encoding information, and decoding information. En takes an input x and encoding information and outputs a garbled input X. Ev takes a garbled circuit and garbled input X and outputs a garbled output Y. Finally, De takes a garbled output Y and decoding information and outputs a plain circuit-output (or an error, ⊥). In [JKO13], there is an additional verification algorithm in the garbling scheme which when accepts a given (GC, e) signifies that the GC is correct, and that the garbled output corresponding to any clear output can be extracted. Formally, a garbling scheme is defined by a tuple of functions Garble = (Gb, En, Ev, De, Ve), described as follows: – Garble algorithm Gb (1κ , C): A randomized algorithm which takes as input the security parameter and a circuit C : {0, 1}n → {0, 1}m and outputs a tuple of strings (GC, e, d), where GC is the garbled circuit, e denotes the input-wire labels, and d denotes the decoding information. – Encode algorithm En (x, e): a deterministic algorithm that outputs the garbled input X corresponding to input x. – Evaluation algorithm Ev (GC, X): A deterministic algorithm which evaluates garbled circuit GC on garbled input X, and outputs a garbled output Y. – Decode algorithm De (Y, d): A deterministic algorithm that outputs the plaintext output corresponding to Y or ⊥ signifying an error if the garbled output Y is invalid. – Verify algorithm Ve (C, GC, e): A deterministic algorithm which takes as input a circuit C : {0, 1}n 7→ {0, 1}m , a garbled circuit (possibly malicious) GC, encoding information e, and outputs d when GC is a valid garbling of C, and ⊥ otherwise. A garbling scheme may satisfy several properties such as correctness, privacy, obliviousness, authenticity and verifiability. We review some of these notions below. The definitions for correctness and authenticity are standard: correctness enforces that a correctly garbled circuit, when evaluated, outputs the correct output of the underlying circuit; authenticity enforces that the evaluator can only learn the output label that corresponds to the value of the function. Verifiability [JKO13] allows one to check that 55 the garbling of a circuit indeed implements the specified plaintext circuit C. Given that verification succeeds for a candidate (C, GC, e), the garbled output corresponding to a given clear output can be extracted. We provide definitions of correctness, privacy and verifiability as we need it for our πCRS protocol. Definition 3. (Correctness) A garbling scheme Garble is correct if for all input lengths n ≤ poly(κ), circuits C : {0, 1}n → {0, 1}m and inputs x ∈ {0, 1}n , the following probability is negligible in κ:
Pr De(Ev(GC, En(e, x)), d) 6= C(x) : (GC, e, d) ← Gb(1κ , C) . Definition 4. (Privacy) A garbling scheme Garble is private if for all input lengths n ≤ poly(κ), circuits C : {0, 1}n → {0, 1}m , there exists a PPT simulator Sim such that for all inputs x ∈ {0, 1}n , for all probabilistic polynomial-time adversaries Adv, the following two distributions are computationally indistinguishable: – REAL(C, x) : run (GC, e, d) ← Gb(1κ , C), and output (GC, En(x, e), d). – IDEALSim (C, C(x)): output (GC′ , X, d′ ) ← Sim(1κ , C, C(x)) Definition 5. (Verifiability) A garbling scheme Garbleis verifiable if for all input lengths n ≤ poly(κ), circuits C : {0, 1}n → {0, 1}m , inputs x ∈ {0, 1}n , and PPT adversaries Adv, the following probability is negligible in κ:   (GC, e, d) ← Adv(1κ , C) Pr De(Ev(GC, En(x, e)), d) 6= C(x) : Ve (C, GC, e) = d 6= ⊥ We are interested in a class of garbling schemes referred to as projective in [BHR12]. When garbling a circuit C : {0, 1}n 7→ {0, 1}m ,
a projective garbling scheme produces encoding information of the form e = K0i , K1i i∈[n] , and the encoded input X corresponding to x = (xi )i∈[n] can be interpreted as X = En(x, e) = (Kxi i )i∈[n] . C Realization of OT Framework Based on DDH In this section we present an instantiation of the DME (from [PVW08]) based on the DDH assumption: – (crs, t) ← SetupMessy(1κ ) : In messy mode, the crs is a non-DDH tuple and it is generated as follows: Sample g0 , g1 ←R G, x, y ←R Zp and initialize h0 = g0x , h1 = g1y . Set crs = (g0 , g1 , h0 , h1 ) and the trapdoor t is set to (x, y). – (crs, t) ← SetupDec(1κ ) : In decryption mode, the crs is a DDH tuple and it is generated as follows: Sample g0 ←R G, x, y ←R Zp and initialize g1 = g0y , h0 = g0x , h1 = g1x . Set crs = (g0 , g1 , h0 , h1 ) and the trapdoor t is set to (x, y). – (pk, sk) ← KeyGen(crs, σ) Given σ ∈ {0, 1} and crs = (g0 , g1 , h0 , h1 ), set pk = (g, h) = (gσα , hα σ ), where α ←R Zp . The secret key sk is set to α. – y ← Enc(pk, b, m) : Given pk = (g, h), m and b ∈ {0, 1}, m is encrypted as follows: Sample s, r ←R Zp and set u = gbs hrb , v = g s hr . The ciphertext is y = (u, v.m) and the corresponding randomness is (s, r). 56 – m ← Dec(sk, y) : Given sk = α and ciphertext y = (c0 , c1 ), the corresponding plaintext s obtained as m = c1 /cα 0. – b ← FindMessy(pk, t) : Given pk = (g, h) and t = (x, y), if h = g x then output that branch b = 0 is messy else output that branch b = 1 is messy. – (pk, sk0 , sk1 ) ← DecKeyGen(t) : Given crs = (g0 , g1 , h0 , h1 ) in decryption mode and t = (x, y) generate public and secret key pairs as follows: Sample r0 ←R Zp and compute r1 = r0 /y. Set pk = (g, h) = (g0r0 , hr00 ), sk0 = r0 and sk1 = r1 . The above DDH-based instantiation correctly implements a DME scheme and it satisfies Properties 1-5 (Section 4). Proof of Property 1-4 follows from the paper of [PVW08]. Next, we show that it also satisfies Property 5, i.e. the crs in the messy mode can be sampled using a random oracle. The crs for the messy mode is required to be a non-DDH tuple. A random oracle query result of size 4|G| bits returns a DDH tuple, with probability : 1 |Zp |3 = |Zp |4 |Zp | With 1 − |Z1p | probability the tuple will be non-DDH and hence a valid crs for messy mode will be generated, satisfying Property 5. D Instantiation of DME based on LWE In this section we provide an instantiation of our DME based on LWE. Before describing the DME instantiation we recall the definition of an LWE encryption scheme from [GPV08], which will be instrumental in the instantiation. The encryption scheme is a collection of following three algorithms: – LWESetup: Choose a matrix A ← Zqm×κ uniformly at random. – LWEKeyGen: Choose a secret decryption key s ← Zκq uniformly at random. The public key is the vector p = AT s + x ∈ Zm q , where x = (x1 , . . . , xm ) and each xi is chosen independently from the error distribution χ for i ∈ [m]. – LWEEnc(p, b): To encrypt a bit b ∈ {0, 1}, choose a vector e ∈ Zm uniformly at random and set the ciphertext as (u, c) = (Ae, pT e + b.⌈q/2⌉) ∈ Zκ+1 . q – LWEDec(s, (u, c)): Compute b′ = c − sT u ∈ Zq . Output 0 if b′ is closer to 0 than to ⌈q/2⌉ mod q, otherwise output 1. The above encryption scheme satisfies the notion of IND-CPA security if we assume that the LWE problem is hard for parameters q = O(κ3 ), m = O(κ log κ) (Lemma. 1). The proof appears in the work of [GPV08] and we refer to their paper for more details. Lemma 1. The cryptosystem above is CPA-secure, assuming that LWE is hard for parameters q, m. Next, we will use the encryption scheme in our DME instantiation. In our instantiation we need an additional algorithm, IsMessy, besides the usual algorithms of DME. IsMessy(t, pk) answers whether pk is messy or not, when it is invoked with trapdoor t on public key pk. Now we are ready to instantiate the algorithms for the DME scheme based on the LWE assumption. The description of the algorithms has been borrowed from the paper of [PVW08]. 57 – (crs, t) ← SetupMessy(1κ ) : In the messy mode the crs is generated as follows: Sample a matrix A ← Zκ×m uniformly at random, along with a trapq door t = (S, A) (as described in Section 5.3.2 of [GPV08]). Sample an independent row vector vb ← Zl×m uniformly at random for every b ∈ {0, 1}. Set q crs = (A, v0 , v1 ) and t = (S, A). – (crs, t) ← SetupDec(1κ ) : In the decryption mode the crs is generated as follows: Sample a matrix A ← Zκ×m uniformly at random. Choose a row vector q w ← Z1×m uniformly at random. For every b ∈ {0, 1}, sample a secret sb ← Znq q uniformly at random and an error row vector xb ← χ1×m (i.e., the m entries are chosen independently from error distribution χ ). Let vb = sT b A + xb w. Set crs = (A, v0 , v1 ) and t = (w, s0 , s1 ). – (pk, sk) ← KeyGen(crs, σ) : Given crs and σ, sample a secret r ← Znq and a row vector x ← χl×m . Set pk = rT A + xv and sk = r. – y ← Enc(pk, b, m) : Given pk = A, m and b ∈ {0, 1}, m is encrypted as y = LWEEnc((A, pk + vb ), m). – m ← Dec(sk, y) : Given sk = r and ciphertext v, the underlying plaintext message is decrypted as m = LWEDec(sk, y). – b ← FindMessy(pk, t) : Given pk and t = (S, A) in messy mode, invoking IsMessy((S, A), pk + vb ) for each b ∈ {0, 1}, outputs the messy branch value for b, and it is correct with overwhelming probability. – (pk, sk0 , sk1 ) ← DecKeyGen(t) : Given the crs = (A, v0 , v1 ) in decryption mode and the trapdoor t = (w, s0 , s1 ), the public and secret keys pair is formed as follows: (pk, sk0 , sk1 ) = (w, s0 , s1 ). The paper of [PVW08] has proven that the above instantiation satisfies correctness and Properties 1-4 of DME. It has also shown in Lemma 7.4 that most of the keys are messy, proving Property 5. In particular, if the crs in the messy mode is generated as crs = (A, v0 , v1 ) ← FRO (sid||c), then FRO (sid||c) returns a messy key except with negligible probability for a random value c, where FRO : {0, 1}2κ → Zκ×m × Z2l×m . q q 58