Fast and Universally-Composable Oblivious Transfer
and Commitment Scheme with Adaptive Security
Megha Byali, Arpita Patra, Divya Ravi and Pratik Sarkar
Indian Institute of Science, India
{megha,arpita,divyar,pratiks}@iisc.ac.in
Abstract. Adaptive security embodies one of the strongest notions of security
that allows an adversary to corrupt parties at any point during protocol execution
and gain access to its internal state. Since it models real-life situations such as
“hacking”, efficient adaptively-secure multiparty computation (MPC) protocols
are desirable. Such protocols demand primitives such as oblivious transfer (OT)
and commitment schemes that are adaptively-secure as building blocks. Efficient
realizations of these primitives have been found to be challenging, especially in
the no erasure model. We make progress in this direction and provide efficient
constructions that are Universally-Composable in the random oracle model.
Oblivious Transfer. We present the first round optimal framework for building
adaptively-secure OT in the programmable random oracle (PRO) model, relying
upon the framework of Peikert et al. (Crypto 2008). When instantiated with Decisional Diffie Hellman assumption, it incurs a minimal communication overhead
of one κ bit string and computational overhead of 5 random oracle queries over its
static counterpart, where κ is the security parameter. This computation overhead
translates to 0.02% and 1% in the LAN and WAN setting. Additionally, we obtain a construction of adaptively-secure 1-out-of-N OT by extending the result of
Naor et al. (Journal of Cryptology 2005) that transforms log N copies of 1-outof-2 OTs to one 1-out-of-N OT in the PRO model. We complete the picture of
efficient OT constructions by presenting the first adaptively secure OT Extension,
extending the protocol of Asharov et al. (Eurocrypt 2015) for the adaptive setting
using PRO. Our OT extension enables us to obtain adaptive OTs at an amortized
cost of 3 symmetric key operations and communication of 3κ bit strings. It incurs
a runtime overhead of 2% and 11.95%, in the LAN and WAN setting and almost
no communication overhead over the static OT extension protocol. In concrete
terms, the cost is 2 µs and 115 µs for each OT in LAN and WAN.
Commitment Scheme. We present an adaptively secure commitment scheme in
the Global Random Oracle model solely relying on observable random oracle
(ORO). Our commitment scheme has a one-time offline setup phase, where a
common reference string (crs) is generated between the parties using an ORO.
In the online phase, the parties use the crs and ORO to generate commitments
in a non-interactive fashion. Our construction incurs communication of 4κ bit
strings and computation of 4 exponentiations and 4 random oracle queries for
committing to an arbitrary length message. Empirically, it takes around 0.18ms
and 0.2 ms for committing to 128 bits and 2048 bits respectively. It finds applications in secure two-party computation (2PC) protocols that adopt offline-online
paradigm, where the crs can be generated in the offline phase and the scheme can
be used in the online phase.
1
Introduction
Secure multiparty computation (MPC) [Yao82, GMW87] is an area of cryptography
that deals with multiple parties who wish to compute a joint function of their private
inputs such that the goals of MPC i.e. correctness and privacy of inputs remain intact.
Various security notions of MPC are defined in accordance with different types of adversaries. The area of MPC achieving security against a malicious adversary causing
static corruptions has been the center of attention in the recent past. Here, static corruption refers to the model in which the adversary corrupts the subset of parties at the outset
of the protocol. Most widely known protocols of [Lin13, HKK+ 14, MR17], consider
malicious security against static corruptions. Although static security is of interest, it is
desirable to achieve security against adaptive adversary. Adaptive security is a stronger
corruption model that allows the adversary to choose which parties to corrupt during the
protocol execution and models real-life situations in a more comprehensive way. For instance, it captures the event of “hacking”, where a hacker can illegally capitalize on the
system and corrupt any workstation while protocols are in execution. Adaptive security
is further classified based on secure erasures of the memory. An adaptively-secure protocol assuming erasure allows secure erasure of a workstation’s internal memory once
it is corrupted by a hacker. [Can01] argued that security relying on erasures often leads
to problems and is impractical, especially for real-life systems. It requires an inherent
trust assumption on the part of a workstation that it will erase its memory upon being
corrupted. Hence, adaptive security without erasures (referred to simply as adaptivesecurity throughout the paper) is preferable as it precisely models real world “hacking”
attacks. However, the current literature of MPC dealing with adaptive adversaries is
less explored compared to static security since it turns out to be considerably more
challenging. In this paper, we explore the less traveled path of dealing with adaptive adversaries in the Universal Composability (UC) model of [Can01]. We aim at obtaining
efficient, adaptively-secure primitives which are instrumental in construction of practical adaptively-secure MPC protocols. We focus on two such primitives in particular:
Oblivious Transfer (OT) and Commitment schemes.
In the literature, OT has been regarded as the fundamental primitive [Rab81, BCR86,
Kil88, NP05, IPS08], known to be complete for MPC [Kil88]. Following that, many flavors of OT such as 1-out-of-2 OT [PVW08, CO15], 1-out-of-N OT [NP05], k-out-of-N
OT [GH08], have been explored in past. In its most basic form, a 1-out-of-2 OT consists
of two parties, sender S and a receiver R. S has input messages say m0 , m1 and R has
a choice bit b. At the end of the protocol, R obtains message mb corresponding to his
choice bit and nothing else. S remains oblivious to the message obtained by R. Various
constructions of OT (mainly 1-out-of-2) have been proposed providing both static and
adaptive security. The protocols of [CO15, PVW08, NP05] deal with malicious adversaries in the static model whereas those of [BCG17, BC16, CKWZ13, GWZ09] address
the same in adaptive model. However, the OT protocols that achieve adaptive security
lack optimality in terms of efficiency- rounds, computation and communication. We
have round optimal and efficient protocols in the literature for the static case. However, designing adaptively-secure protocols has been a challenging task. Infact, there is
no known OT protocol in the literature which is round optimal. In this direction, we
2
present the first round optimal OT protocol which is secure against adaptive adversaries
without erasures.
Another interesting direction to consider for OTs is to reduce the number of public
key operations. The impossibility result by [IR89] states that its highly unlikely that
OTs can be constructed without public key operations. In order to circumvent this limitation, the concept of OT Extension [Bea96, IKNP03, ALSZ13, ALSZ15, KOS15] was
introduced and explored. It allows the parties to execute a small number of OTs, called
seed OTs, and then extend them to obtain large number of OTs using cheap symmetric
key operations. The amortized cost of generating one single OT reduces to a constant
number of symmetric key operations. However, there is no known OT extension protocol in the adaptive setting. An effort towards obtaining adaptively secure OT Extension
would be of quite interest as it would open the gates towards constructing large number
of efficient adaptively secure OTs using small number of seed OTs. Our paper presents
one such result for adaptively-secure OT extension.
Commitment Scheme is another fundamental primitive in the MPC literature that
draws attention. Informally, we describe a commitment scheme as follows: The sender
S commits to a message m in a commitment c and sends c to the receiver R in the
commit phase. In the decommit phase, R learns the message m, along with some decommitment information, such that R is convinced that indeed m was committed in
the commit phase. Besides its involvement in MPC protocols, commitment schemes in
the UC model also have implications in key exchange [DG03] and are non-malleable
[CF01] in nature. In this work, we explore UC secure commitment protocols which are
secure against adaptive adversaries.
1.1
Related Work
The extensive use of fundamental building blocks of MPC has led to substantial work
towards attaining efficient primitives. Since our work primarily focuses on universally
composable OT and commitment schemes, we outline only the relevant literature below.
Oblivious Transfer. The literature of OT is vast and quite diverse in terms of assumptions and security. We highlight few works that are closely related to ours. Firstly, in
the standalone model, the works of [NP01, AIR01, HK12, Lin08] are statically-secure
against malicious adversary. Secondly, in the UC model, [CLOS02] proposed the first
UC secure OT protocol based on general assumptions. Their work includes construction of both static and adaptively UC-secure OTs. Despite being of theoretical interest,
[CLOS02] motivated research towards obtaining OTs in the UC model. In the setting
of static security, [GMY04] presented a constant round committed bit-OT under Decisional Diffie Hellman (DDH) and RSA assumptions. The work of [JS07] proposed
a four round, UC-secure protocol under the Decisional Composite Residue (DCR) assumption. [HK07] provided the first round-optimal protocol that is UC-secure, assuming common reference string (crs). This was followed by the seminal work of Peikert et
al. [PVW08], that provided a general framework for round optimal UC-secure OT protocols along with efficient instantiations based on DDH, Quadratic Residue and Learning With Errors (LWE) assumptions in the crs model. We denote the popular DDH
based construction of the [PVW08] paper as PVW protocol in rest of the paper.
3
In the setting of adaptive security, the literature can be divided based on the erasure model. The works of [ABB+ 13, CKWZ13, BCG17, BC16, BC15] rely on secure erasures of the memory, whereas [GWZ09, CDMW09a, CDMW09b, BDD+ 17]
consider the stronger model of no erasures. [CKWZ13] presented a framework for
adaptively-secure OT in the global crs model. They provide instantiations under various assumptions- DLIN, Symmetric External Diffie Hellman (SXDH), DDH and DCR.
However, their protocols are not round optimal and achieve adaptive security at the
cost of significant overhead in communication and computation compared to the PVW
protocol. [CKWZ13] also provided two constructions (Appendix A of [CKWZ13])
of [GWZ09] framework under Decisional Linear (DLIN) assumptions. These instantiations are adaptively-secure with erasures, with computational overhead reduced to
constant number of exponentiations. There has been a separate line of work [BCG17,
BC16, BC15, ABB+ 13] based on password-authenticated key exchange (PAKE) and
smooth projective hash functions. They require atleast 3 rounds of communication, assuming erasures for adaptivity. On the other hand, achieving adaptivity with no erasures is a challenging task. [GWZ09] followed the compiler approach to transform the
[PVW08] framework into an adaptively-secure OT using adaptively secure commitments. It was further improved by a recent work of [ABP17]. Both protocols incur an
overhead of O(n) exponentiations, where n is the size of sender’s input messages. The
works of [CDMW09a, CDMW09b] proposed constructions which are of theoretical
interest. [CDMW09a] presented an OT construction using non-committing encryption
(NCE). On the other hand, [CDMW09b] compiled protocols that are secure against
a semi-honest adaptive adversary into one that is secure against a malicious adaptive
adversary.
The work of [CO15], the “simplest OT” protocol explored 3-round OT constructions
in the PRO model. Although the paper claimed adaptive security, several bugs have been
identified [GIR17, BDD+ 17, HL17] recently in their static security proof thereby rendering the protocol of [CO15] insecure in the UC model. Recently two more works
([HL17],[BDD+ 17]1 ) have claimed to achieve adaptive security in the same model.
However, in Section 3, we give a justification that these protocols are not UC-secure.
We note that the authors of [BDD+ 17] have updated their protocol and their new version
presents a 3 round OT framework which can be instantiated under Learning from Parity
with Noise, McEliece cryptosystem, QC-MDPC, LWE and Computational Diffie Hellman (CDH) in the PRO model. Their most efficient instantiation (under CDH) incurs
twice the amount of communication, while maintaining the same computation cost as
ours. Consequently, the problem of attaining an round-optimal, efficient and adaptivelysecure OT continued to remain open, which we try to address through our work. Table 1
summarizes the literature on adaptively-secure OT protocols and our result. We do not
compare with [GWZ09, CDMW09a, CDMW09b, ABP17] in the table since they require atleast O(n) exponentiations, where sender’s input message is of n bits, whereas
the other protocols in the table require constant number of exponentiations. Among the
PAKE-based schemes we compare with the most efficient works of [ABB+ 13, BCG17].
Another interesting factor to consider is the model of security that these protocols
satisfy. All of the above protocols (except [BDD+ 17]) are secure in the plain UC1
previous version of their paper
4
model [Can01] which allows private crs. There is a stronger model of security, i.e. the
Generalized UC model (GUC) [CDPW07], which guarantees stronger compositional
guarantees than the plain UC model. In the GUC model, the parties are not allowed
to possess private crs and the random oracle is a public object, shared between arbitrary protocols. This prevents the simulator from manipulating the crs during simulation, rendering the simulation procedure more difficult. Interestingly, the recent work of
[CDG+ 18] has shown that the random oracle in the GUC model can satisfy the property
of programmability. Such a random oracle is formally known as Global Random Oracle
(GRO). Utilizing the programmability feature of the GRO, our protocol and the protocol of [BDD+ 17] achieve adaptive security. Whereas, the other protocols require a local
crs, which is private to one instance of the protocol, thereby hampering composition in
the GUC model.
Oblivious Transfer Extension. Next, we consider the problem of OT Extension, which
was introduced by the work of [Bea96], followed by the seminal work of [IKNP03].
The paper of [IKNP03] presented an efficient 1-out-of-2 semi-honest OT Extension
protocol which was secure against static adversaries. An optimized version of this protocol appeared in [ALSZ13]. The paper of [ALSZ15, KOS15] presented the actively
secure versions. The paper of [KK13] gave constructions for 1-out-of-N case, which
were made actively secure by [PSS17, OOS17]. However all of these protocols are in
the static setting and it was not known whether adaptively-secure OT Extension protocol is possible. Our work answers it in an affirmative way by proving that existing
static OT extension [ALSZ13, ALSZ15] schemes satisfy adaptive security under the
PRO assumption.
Table 1: Comparison among UC secure Oblivious Transfer Protocols
Communication
Computation
(κ-bit strings /
Sender Receiver Rounds Assumptions
Group elements) SKE PKE SKE PKE
[GWZ09] + [FLM11]1
83
3 26 3 72
4
DLIN
[CKWZ13]
59
3 ≥14 2 ≥27
3
DLIN
[CKWZ13]
43
3 ≥8 2 ≥15
3
SXDH
[CKWZ13]
35
4 19 3 37
4
DDH
[CKWZ13]
28
4 13 3 26
4
DCR
+
[ABB 13]
15
2 13 1 11
3
SXDH
[BCG17]
10
4 18 4
9
3
SXDH
PVW
6
8
3
2
DDH
[BDD+ 17]
15
5
6
2
5
3
CDH
Our scheme
7
3
8
2
3
2
DDH
Our scheme
Static Receiver
3
2
2
3
(by OT Extension)
Equivocal OT
Protocol
Setup
Security
crs
crs
crs
crs
crs
crs
crs
crs
PRO
PRO
Adaptive with erasures
Adaptive with erasures
Adaptive with erasures
Adaptive with erasures
Adaptive with erasures
Adaptive with erasures
Adaptive with erasures
Static
Adaptive (GUC model)
Adaptive (GUC model)
PRO Adaptive (GUC model)
Notations:
SKE - symmetric key encryptions, PKE - exponentiations, GUC - Generalized UC ,
DDH - Decisional Diffie Hellman, DLIN - Decisional Linear, SXDH - symmetric external Diffie Hellman,
CDH - Computational Diffie Hellman, DCR - Decisional Composite Residuosity, PRO - programmable random oracle
1 The commitment scheme used for instantiation is of [FLM11].
5
Commitment Scheme. The study of UC secure commitment schemes was initiated by
the seminal work of [CF01]. It was followed by the works of [CLOS02, DG03, HM04,
Lin11, Fuj16, ABP17] and many more. We highlight some of the notable works in the
relevant literature classified based on their round complexity, the security they achieve
and the security model they are proven to be secure in.
The contributions of [DG03, Lin11, GIKW14, Fuj16, FLM11, CJS14, ABP17]
based on hardness assumptions such as DDH, DLIN and Discrete Log (DLP) are interactive (involve either an interactive commit or decommit phase) in nature. In contrast,
the contributions of [CLOS02, CF01, HM04, FLM11, NFT09, ABP17] present noninteractive commitment (NICOM) schemes where both - commit and decommit phases
are non-interactive. The offline-online paradigm also forms an interesting flavour of
NICOM schemes. These schemes [CDD+ 15, DDGN14] consist of an input independent setup phase, which is run in the offline phase, while the NICOM is efficiently used
in the online phase. The cost of the setup phase can be substantial but it gets amortized
over multiple commitments. Our scheme also follows this particular model.
Similar to OT literature, the literature regarding commitment schemes is concentrated mainly around static security [Lin11, BCPV13, CJS14, GIKW14, DDGN14,
CDD+ 15, Fuj16, CDD+ 16]. Building commitment schemes against adaptive adversaries has been a challenging task, since it involves equivocation of the internal states
of the parties in case corruption occurs. There have been few contributions in the past
addressing adaptive security. Adaptively-secure schemes can be broadly classified into
two categories based on their ability to erase the internal state of the party when corruption occurs. [NFT09, FLM11, BCPV13, Fuj16] proposed adaptively-secure protocols
which rely on secure erasure of the party’s internal state whereas the constructions of
[CF01, CLOS02, HM04, ABB+ 13, HV15, ABP17, HPV17] achieved the same level of
security without erasures. We skim through the protocols in the non-erasure model and
compare all the above mentioned works with our protocol in Tab. 2.
[HV15] presented a theoretical construction of an interactive adaptive commitment
scheme based on the minimal assumption of trapdoor simulatable public-key encryption. Since our focus is on adaptively-secure NICOM schemes, we elaborate the relevant
NICOM results. [CF01, CLOS02, ABB+ 13, ABP17] provided schemes for bit commitments, communicating at least O(κ2 ) bits for committing to a κ bit string. [HM04]
provided the first efficient NICOM for an arbitrary length message in the RO model and
involves communication of constant number of bits for commitment. Programmability
of RO is used to attain the property of equivocation in [HM04].
The literature can also be classified based on the security model they are proven secure in. All of the above protocols (except [HM04, CJS14, HPV17]) are proven secure
in the plain UC-model [Can01]. Recall, that the work of [CDG+ 18] showed that the
GUC model allows observability and programmability from the random oracle. Utilizing the programmability feature of the RO, the protocol of [HM04] achieves adaptive
security in the GUC model. Also, the work of [CDG+ 18] showed that the folklore
commitment scheme FRO (m; r) is GUC secure assuming programmability from FRO ,
where FRO is the RO functionality, m is the message and r is the randomness. And
it can be trivially shown that it achieves adaptive security too. The work of [CJS14]
presents a GUC secure static commitment scheme, relying on the observability prop6
erty of the GRO. [HPV17] presents a theoretical construction of an adaptively secure
commitment scheme relying on one way function. They achieve GUC security in the
tamper-proof hardware model. From the literature we can observe that, adaptive commitments in the GUC model either asks for programmability from the RO or it incurs a
blowup in terms of efficiency. Hence, we can ask the following question:
“Can we obtain an efficient, non-interactive commitment scheme based on the nonprogrammable random oracle which is adaptively secure in the GUC model?”
Our paper answers it in affirmative by presenting an adaptively-secure NICOM in
the offline-online model, relying solely on the observable property of the RO. Table 2
consolidates the comparison of various UC secure commitment schemes alongside our
protocol.
Table 2: Comparison among UC secure commitment schemes
Communication
Rounds
Message Size (κ-bit strings /
(Commit/
(bits)
Group elements) Decommit)
[Lin11]
κ
14
1/4
[Fuj16]
κ
10
1/3
[BCPV13]
κ
12
1/3
+
[CDD 16]
κ
1 + o(1)
5/1
≥9+
1/1 +
[CDD+ 15]
κ
2
O(κ ) (one-time) 5 (one-time)
[CJS14]
poly(κ)
7
2/3
Protocols
Assumptions
Setup
Security
DDH + CRHF
DDH + CRHF
DDH+CRHF
OT
crs
crs
crs
crs
Static
Static
Static
Static
OT
crs
Static
DLP
ORO
Static (GUC model)
crs
crs
(Non-reusable)
crs
crs
Adaptive with erasures
Adaptive with erasures
crs
crs
PRO
crs
crs
Adaptive
Adaptive
Adaptive (GUC model)
Adaptive
Adaptive
ORO
Adaptive (GUC model)
[FLM11]
κ
21
1/1
DLIN + CRHF
[NFT09]
κ
7
1/1
DDH + sEUF-OT
[Fuj16]
[BCPV13]
κ
κ
10
14
3/1
3/1
DDH + CRHF
DDH+CRHF
[CF01]
[CLOS02]
[HM04]
[ABB+ 13]
[ABP17]
κ
κ
poly(κ)
κ
κ
Our Scheme
poly(κ)
O(κ)
1/1
DDH + UOWHF
O(κ)
1/1
TDP
5
1/1
DLP
O(κ)
1/1
SXDH
O(κ)
1/1
DDH
4+
1/1 +
DLP
O(ν|C|) (one-time) 4 (one-time)
Adaptive with erasures
Adaptive with erasures
Notations:
DDH - Decisional Diffie Hellman, CRHF - collision resistant hash function, DLP - Discrete Log Problem, DLIN - Decisional Linear,
sEUF-OT - strongly unforgeable one-times signature, TDP - trapdoor permutations, UOWHF - universal one-way hash functions,
OWF - one-way functions, ORO - observable random oracle, PRO - programmable random oracle, GUC - Generalized UC model
ORO - observable random oracle, circuit C computes g x
Note : The protocol of [CJS14] and [HM04] requires a non-interactive trapdoor commitment scheme. It has been instantiated with
Pedersen commitment since to the best of our knowledge such a commitment scheme does not exist based on OWF.
1.2
Our Results
In this work, we focus on optimizing the round complexity while attaining adaptive
security in an efficient manner, for two widely used primitives: Oblivious Transfer and
Commitment Scheme. We also present an adaptively secure well-defined transformation from log N 1-out-of-2 OTs to 1-out-of-N OT, restricting the number of exponen7
tiations to O(log N). Finally, we conclude with detailed implementation results of our
primitives. Our contributions are stated below.
Adaptively Secure 1-out-of-2 Oblivious Transfer. We construct the first OT framework
that is round-optimal, GUC composable and adaptively-secure assuming no erasures.
Our construction is motivated by the vital observation of [CO15] that the crs in OT can
be replaced with the PRO. We apply the same observation on the static OT framework
of [PVW08]. At the heart of their framework lies the Dual Mode Encryption Scheme
(DME) which requires a crs for its functioning. We generate the crs of the Dual Mode
Encryption (DME) scheme using the PRO. During simulation the crs can be suitably
modified, to equivocate R’s view, by programming the PRO. However, for our scheme
it should be possible to generate the crs of the DME using an RO. Hence, we customize the definition of DME, based on our requirements, to obtain a stronger version,
called Samplable DME. Once the crs has been generated it can be suitably modified,
to extract/equivocate R’s view, by programming the PRO. On the other hand, S’s messages are encrypted using another PRO, such that it enables equivocation of S’s view
when required. Thus, we replace the crs in the round-optimal [PVW08] framework
with PRO to achieve adaptive security. A similar observation was made by the work
of [CJS14] where they tried to generate the crs using the observability property of the
GRO. However, their goal was to obtain one-sided simulatable static OT in the GUC
model. Whereas, we aim for adaptive security in the GUC model relying on the programmability feature. In our framework, the DME scheme can be instantiated under the
DDH and LWE assumptions. Additionally, when instantiated with DDH assumption,
our protocol incurs a computation overhead of 5 random oracle queries and a minimal
communication overhead of one κ-bit string over the static protocol of PVW (the DDHbased instantiation of [PVW08]).Tab. 1 and Tab. 3 compare our scheme with various
other schemes. Empirically our protocol requires 1.676s and 4.3s in LAN and WAN setting, incurring a nominal overhead of 0.02% and 1%, in the same settings, over PVW.
The protocol of [BDD+ 17] requires at least the same runtime as ours, since the number
of symmetric key operations in [BDD+ 17] is more than us, although the number of
public key operations in both the protocols are same.
Table 3: Table indicating implementation results for Oblivious Transfer protocol in
LAN setting, for n = 128 and κ = 128.
Scheme
PVW
[BDD+ 17]
Our Scheme
Our Scheme
(from OT extension)
Our Scheme
(from OT extension)
Communication Total Runtime
Rounds Assumptions Security
(bits)
(s)
768
2.645
2
DDH
Static
1920
> 2.647
3
CDH
Adaptive
896
2.647
2
DDH
Adaptive
716.7
20.954 × 10−7
3
DDH
Adaptive
702
1.043 × 10−7
5
DDH
Adaptive
8
Adaptively Secure 1-out-of-N Oblivious Transfer. The work of [NP05] established
that log N copies of 1-out-of-2 OTs can be transformed to obtain one 1-out-of-N OT,
which is statically-secure against active adversaries. This transformation implies existence of statically-secure 1-out-of-N OT at the expanse of O(log N) exponentiations.
We extend their result to provide a formal proof that the transformation satisfies adaptive security under PRO assumption. At present, one adaptive 1-out-of-N OT protocol
[ABB+ 13, BC15, BC16, BCG17] incurs atleast O(N) exponentiations. Our adaptive
transformation brings down the number of exponentiations to O(log N); thereby matching the efficiency of statically-secure 1-out-of-N OT. Interestingly, it can be shown that
for the semi-honest setting the seed OTs can be statically secure, if we consider the
simulation of the 1-out-of-2 OTs in a non-blackbox manner. For the active setting, we
can show that if the 1-out-of-2 OTs support equivocation of receiver’s view irrespective
of equivocation of sender’s view then it is possible to generate adaptively-secure 1-outof-N OT from our transformation, if the simulation of the 1-out-of-2 OTs is performed
in a non-blackbox manner. This implies that we can plug-in statically-secure 1-out-of-2
OTs which satisfy the property of receiver equivocability [GKPS18].
Oblivious Transfer Extension. We provide the first adaptively-secure protocols for OT
Extension solely relying on the PRO assumption. In this regard we present two results,
one corresponding to semi-honest setting and the other for the active setting. Our first
result proves that the semi-honest protocol of [ALSZ13] can be made adaptively-secure.
Interestingly, we show that the seed OTs can be statically secure, if we invoke them in a
non-blackbox way. We know that for adaptive security, blackbox-usage of the seed OTs
is not possible in our construction since it would violate the results of [LZ13, IR89].
[LZ13] proves that the existence of OT extension protocol, secure against semi-honest
adaptive adversaries, imply OT protocol secure against static semi-honest adversaries.
In that case, blackbox usage of seed OTs establishes that PRO would imply static semihonest OT, contradicting the result of [IR89] which states that public key operations
are necessary for static OT. Our second result proves that the actively secure protocol of [ALSZ15] can be made adaptively-secure against active adversaries. The paper
of [ALSZ15] gave two constructions - a 3 round and a 5 round OT extension in their
paper. The 3 round OT extension consists of pair-wise consistency check for all the
columns. Whereas, in the 5 round protocol, the parties performed a coin-tossing subprotocol and based on the outcome of the subprotocol, they performed a consistency
check on the columns. The 5 round protocol is more efficient than the 3 round one due
to reduced number of checks. Similarly, we consider a 3 round and a 5 round variant of our OT extension protocol. Interestingly, we demonstrate that the seed OTs in
our case can be replaced with receiver equivocal static OTs which are secure against
active adversaries. Our OT Extension protocols preserve the efficiency of the original
static protocols, yielding adaptive 1-out-of-2 OTs at an amortized cost of 3 symmetric key operations and 3κ bits communication per OT. Moreover, if we combine the
OT Extension protocol with our 1-out-of-N Transformation, then we obtain 1-out-of-N
adaptive OTs at an amortized cost of N + 3 log N + 1 symmetric key operations per
OT. The other adaptive protocols [ABB+ 13, BC15, BC16, BCG17, BDD+ 17] require
O(N) public key operations instead. Next, we briefly highlight the implementation results regarding the OT extension protocol. The 5 round protocol is more efficient than
9
the 3 round one due to reduced number of checks. Empirically, the 3 round protocol
has a rough multiplicative overhead of 20 over the 5 round protocol for LAN runtime,
while generating 223 OTs together. The overhead will decrease for larger number of
extended OTs, as the number of checks remain constant, while the number of extended
OTs increase. Throughout the paper our implementation results for the OT extension
protocol, correspond to the 5 round protocol unless specified otherwise. Empirically
our OT extension protocol has an overhead of 2% and 11.95% over [ALSZ15] in the
LAN and WAN setting respectively. The amortized (over 1.25 ∗ 105 ) cost of generating
one adaptive 1-out-of-2 drastically reduces to 2.02 µs and 115.5 µs in LAN and WAN
setting for OT output length n=16 bits. We also generate 1-out-of-16 OTs from 4 copies
of 1-out-of-2 OTs using our transformation. The amortized cost for each 1-out-of-16 OT
is 21.3 µs and 145.5 µs in LAN and WAN setting respectively. In Tab. 3 we compare
our OT protocols with PVW and [BDD+ 17]. Our extended adaptive OTs are useful in
practical MPC applications where the MPC protocols require a large number of OTs. In
such a situation it can be observed that if we are given 3 rounds, then we can run our 3
round OT extension protocol to obtain adaptive OTs at a minimal cost of 2.1µs (amortized over 106 OTs), whereas other 3 round protocols (like [BDD+ 17]) would require
2.647s, which is 106 times slower than our extended OTs. The cost of each extended OT
reduces drastically with amortization, i.e. the total number of extended OTs. Given 5
rounds, our OT extension protocol generates adaptive OTs at a cost of 0.1043 µs (amortized over 106 OTs). The protocol of [BDD+ 17] would be 12 × 105 times slower than
our extended OTs. If we consider our 5 round OT extension protocol then the overhead
factor increases to 25 × 106 .
Commitment Scheme. We construct a NICOM, in the offline-online model, that is secure against an adaptive adversary without erasures. First, we generate a crs for Pedersen commitment using an ORO in the setup phase. The crs is of the form (g, h), where
h = g x for g, h ∈ G and x ∈ Zp . G and Zp denote a multiplicative group of prime order
p and a prime field of order p respectively. The setup phase is a 4 round protocol where
the parties perform a coin tossing protocol and a Zero Knowledge Proof of Knowledge
(ZKPoK) protocol, relying on garbled circuits. Once generated, the crs alongwith the
ORO can be reused to construct several instances of the NICOM. Under the hood, the
NICOM relies on the Pedersen Commitment [Ped91] for equivocation and the ORO
for extraction of a corrupted committer’s input. Moreover, ORO permits committing
to a message of length ℓ while incurring the overhead of committing to a κ bit string,
where ℓ = poly(κ). Compressing the message from ℓ to κ bits does not break binding
since we are in the RO model, where it is hard to find two different messages of arbitrary length s.t. the RO returns the same result upon being queried on those messages.
Our protocol involves communication of one κ bit string, 3 group elements, computation of 4 exponentiations and 4 random oracle queries to commit to ℓ bits. This yields
an efficient adaptively secure commitment scheme which is practically motivated for
2PC/MPC protocols based on offline-online paradigm [LR15, RR16]. The setup can be
run in the offline phase while the commitment scheme can be conveniently used in the
online phase. The ORO in our protocol can be instantiated using a SHA-256 hash function and it can be proven secure in GUC model. This renders our commitment scheme
useful in real-life situations where concurrently many protocols are run and share the
10
same hash function. Table 2 compares our commitment schemes with the recent literature. In terms of empirical costs, our scheme takes approx. 0.18 ms and 0.20 ms to
obtain commitment of 128 bits and 2048 bits respectively. In comparison, the scheme
of [HM04] takes approx 0.42 ms and 0.49 ms for commitment of 128 and 2048 bits
respectively. The protocol of [HM04] requires a non-interactive trapdoor commitment
scheme which has been instantiated with Pedersen commitment since to the best of our
knowledge such a commitment scheme does not exist based on OWF. The comparison
can be viewed in Table 4. Based on the results, we conclude that our scheme is approximately 2 times faster than [HM04] even though we rely on a weaker assumption from
the RO.
Table 4: Table indicating implementation results for our Commitment Scheme πCOM
and [HM04] in the LAN setting.
Message Size
(bits)
Runtime Runtime
Commitment Size
of S (ms) of R (ms)
(bits)
Our Scheme 0.184
0.185
128 + 512
128
[HM04]
0.423
0.418
128 + 640
Our Scheme 0.189
0.187
256 + 512
256
[HM04]
0.435
0.432
256 + 640
Our Scheme 0.192
0.191
1024 + 512
1024
[HM04]
0.455
0.469
1024 + 640
Our Scheme 0.198
0.202
2048 + 512
2048
[HM04]
0.487
0.490
2048 + 640
Note: Commitment Size = message size + (commitment & decommitment size)
1.3
Scheme
Roadmap
The high-level overview of the primitives and notation used is presented in Section 2.
In Section 3 we explain the bugs present in the security proofs of concurrent adaptive
OT papers[CO15, BDD+ 17, HL17] in the PRO model. We proceed to the definition of
Samplable DME (referred as DME only) in Section. 4. Then we present our OT protocol
framework in Section 5. The 1-out-of-2 to 1-out-of-N OT transformation is elaborated
in Section 6. Section 7 presents the results on OT Extension. Our commitment scheme
is covered in Section 8. The implementation details of our protocols have been illustrated in Section 9. Finally, we conclude with prospective future work in Section 10.
We provide a summary of UC framework for static and adaptive security in Appendix
A for the sake of completeness. We refer to it for better comprehension of notations
used in our security proofs. Appendices C and D present instantiations of our DME
based on DDH and LWE assumptions.
11
2
Preliminaries
In this section, we describe the notations used in our protocols and give a high-level
overview of the primitives that are used in the paper.
Notations. For the OT and NICOM protocol, we denote the sender by S and receiver by
R. We denote by a ←R D the random sampling of a from a distribution D and the set
of elements {1, . . . , n} is represented by [n]. Let PRF denote a secure pseudorandom
function. A function neg(·) is said to be negligible, if for every polynomial p(·), there
1
exists a constant c, such that for all n > c, it holds that neg(n) < p(n)
. We denote
a probabilistic polynomial time algorithm as PPT. We denote the statistical security
c
s
parameter by ν and the computational security parameter by κ. We use ≈ and ≈ to
denote computational and statistical indistinguishability, respectively. Let Zp denote
the field of order p, where p is a prime. Let G be the multiplicative group corresponding
to Z∗p with generator g. For a bit b ∈ {0, 1}, we denote 1 − b by b.
Garbled Circuits. The term ‘garbled circuit’ (GC) was coined by Beaver [BMR90]
and used extensively only as a technique in secure protocols until they were formalized
as a primitive by Bellare et al. [BHR12]. We use notations consistent with [BHR12]
(described in Appendix B) for the garbling primitive used to generate CRS for our
commitment scheme. Let GCk denote the k th garbled circuit instantiating circuit C.
We assume that the randomness used for generating circuit k is derived from a κ-bit
random string seedk using a PRF. We assume that the fan-in of each gate is 2. We
can assume that each AND gate in the circuit has 2 ciphertexts and XOR gates have 0
ciphertexts, using the Half-Gate construction [ZRE15] as the garbling scheme.
Oblivious Transfer. Oblivious transfer (OT) is a protocol between a sender (S) and a
receiver (R). In a 1-out-of-2 OT, the sender holds two inputs a0 , a1 ∈ {0, 1}n and the
receiver holds a choice bit σ. At the end of the protocol, the receiver obtains aσ . The
sender learns nothing about the choice bit, and the receiver learns nothing about the
sender’s other input aσ . The ideal OT functionality FOT is recalled below in Figure 1.
Similarly a 1-out-of-N OT can be defined as FN-OT functionality in Figure 2.
Fig. 1: The ideal functionality FOT for oblivious transfer
FOT
Choose: On input (rec, sid, σ) from R where σ ∈ {0, 1}; if no message of the form
(rec, sid, σ) has been recorded in the memory, store (rec, sid, σ) and send (rec, sid)
to S.
Transfer: On input (sen, sid, (a0 , a1 )) from S with a0 , a1 ∈ {0, 1}n , if no message of the
form (sen, sid, (a0 , a1 )) is recorded and a message of the form (rec, sid, σ) is stored,
send (sent, sid, aσ ) to R and (sent, sid) to S.
12
Fig. 2: The ideal functionality FN-OT for oblivious transfer
FN-OT
Choose: On input (rec, sid, σ) from R where σ ∈ {0, 1}log N ; if no message of the form
(rec, sid, σ) is present in memory, store (rec, sid, σ) and send (rec, sid) to S.
Transfer: On input (sen, sid, {aj }Nj=1 ) from S with aj ∈ {0, 1}n , if no message of the
form (sen, sid, {aj }Nj=1 ) is present in memory and a message of the form (rec, sid, σ)
is stored, send (sent, sid, aσ ) to R and (sent, sid) to S.
Commitment Schemes. Commitment schemes allow a party S to commit to a message
m using randomness r. It keeps the message hidden, while allowing S to reveal the
committed message later. We denote an UC secure commitment to message m with
randomness r as C OM(m; r). The ideal commitment functionality FCOM has been depicted in Fig. 3.
Fig. 3: Functionality FCOM
FCOM
FCOM interacts with sender S and receiver R:
1. On receiving input (C OMMIT, sid, m) from S, if sid has been recorded, ignore the
input. Else record the tuple (sid, S, R, m) and send (R ECEIPT, sid, S, R) to R.
2. On receiving input (D ECOMMIT, sid) from S, if there is a record of the form
(sid, S, R, m′ ) return (D ECOMMIT, sid, m′ ) to R. Otherwise, ignore the input.
Random Oracle Model. A random oracle functionality is parametrized by a domain
and a range and it is as FRO in Fig. 4. A random oracle query on message m is denoted
by FRO (m). The random oracle functionality can be broadly classified [CDG+ 18] into
three categories based on its features- plain RO, observable RO and programmable RO.
A plain RO returns a random string, from its range, upon being queried on a message
m, from its domain. An observable RO inherits the properties of the plain RO but in
addition it grants the simulator to observe the queries made, to FRO , by the adversary.
A programmable RO allows the simulator to program FRO (m) to return any string from
the range, upon being queried on m for the first time.
3
Attack in Concurrent Works on UC-secure Adaptive OT
Concurrent to our work, the works of [BDD+ 17, HL17] on OT, claim adaptive UC security in the PRO model. The previous version of [BDD+ 17] proposed a general framework for 2-round adaptive OT and provides instantiations under various assumptions
such as Learning from Parity with Noise, McEliece cryptosystem, QC-MDPC, Learning With Errors and Computational Diffie Hellman (CDH). We note however that the
authors of [BDD+ 17] have fixed their protocol, making it UC secure. [HL17] proposes
a construction of 1-out-of-N OT under the CDH assumption. However, both protocols
13
Fig. 4: Functionality FRO
FRO
FRO is parameterized by a domain D and range R and it proceeds as follows, running on
security parameter k:
– FRO maintains a list L (which is initially empty) of pairs of values (m̂, ĥ), s.t. m̂ ∈ D
and ĥ ∈ R.
– Upon receiving a value (sid, m) (where m ∈ D) perform the following: If there is a
pair (m, ĥ), for some ĥ ∈ R, in the list L, set h := ĥ. If there is no such pair, sample
h ←R R and store the pair (m, h) in L. Once h is set, reply to the activating machine
with (sid, h).
as well as the ‘simplest OT’ construction of [CO15] are prone to a bug when we consider UC-security even against a statically corrupt receiver R∗ . The attack stems from
the late input extraction of a statically-corrupt R as detailed below. The simulator for
the case of static corruption of R, playing the role of honest S, can only extract R∗ ’s
input by observing R∗ ’s query to RO, made in an attempt to decrypt its chosen message
on receiving the last OT message from the sender. This implies that a corrupt R∗ can
indefinitely delay the input extraction causing composition-related issues.
The delayed input extraction allows us to demonstrate that their constructions do not
realise the OT functionality FOT presented in Fig. 1 where S obtains a notification from
the functionality, denoting the end of ideal world execution. Rather, they realise only
w
a weaker version of OT functionality FOT
as depicted in Fig. 5. In the weaker variant
w
FOT , S does not obtain any notification from the functionality. Instead its role is limited
w
w
to sending (sid, a0 , a1 ) to FOT
, after which S halts. However, FOT
is not composable
and cannot be used in a bigger protocol to implement the oblivious transfer functionality. Our observation aligns with the work of [LM16], which states (in page 2, last para
w
, is not
of Section 1) that the naive OT functionality (Fig. 1 in their paper), same as FOT
composable whereas the modified/revised OT functionality (Fig. 3 of their paper), same
as our FOT , can be proven to be composable. The late input extraction problem is referred to as “timing bug” in their paper (page 3, first paragraph). They explain the issue
of composability due to timing bug in the naive OT functionality with an example of OT
Extension protocol in Section 3. In Section 4, they address the issue by plugging in the
revised OT functionality (FOT in our case). Interestingly, all the currently known UCsecure OT protocols, barring the protocols of [CO15, HL17], implement both FOT and
w
FOT
functionalities and hence they are composable. In what follows, we first show that
w
.
the protocols of [CO15, HL17] do not realise FOT functionality, but realise only FOT
w
Next, we demonstrate the compositional issue of using FOT in (yet another example) of
2PC protocol based on garbled circuit (GC) approach.
To show that the constructions that feature delayed input extraction (a.k.a timing
bug) do not realise FOT functionality, we consider an adversarial strategy where R∗
does not decrypt the last OT message. In the ideal world, Sim will not be able to extract R∗ ’s input as R∗ does not proceed to decrypting its chosen message from the last
OT message. Consequently, Sim fails to invoke FOT functionality with R∗ ’s input and
as a result, the FOT functionality keeps running. This causes a honest S in the ideal
14
w
Fig. 5: The ideal functionality FOT
for weaker OT
w
FOT
Choose: On input (rec, sid, σ) from R where σ ∈ {0, 1}; if no message of the form
(rec, sid, σ) has been recorded in the memory, store (rec, sid, σ) and send (rec, sid)
to S.
Transfer: On input (sen, sid, (a0 , a1 )) from S with a0 , a1 ∈ {0, 1}n , if no message of the
form (sen, sid, (a0 , a1 )) is recorded and a message of the form (rec, sid, σ) is stored,
send (sent, sid, aσ ) to R.
world keep waiting for notification from the FOT functionality in order to terminate.
Therefore, while honest S does not halt in the ideal world, it halts in the real world
immediately after sending its last message. This difference in the behavior of honest S
w
can be used to distinguish between the two worlds by an environment. With FOT
functionality, in the scenario mentioned above, an honest S would halt in both the worlds,
preserving indistinguishability.
w
We now illustrate the compositional issue resulted from using FOT
by means of a
GC based 2PC protocol in the OT-hybrid model, where the evaluator E first involves
with the constructor in a set of OT functionalities to choose the circuits that will be used
for evaluation and respectively for checking and on completion of OTs, the constructor
sends the GCs to the evaluator. When FOT was used, a simulator against a corrupt evaluator E∗ , extracts the inputs of E∗ from the OT and either constructs a fake/simulated
w
GC or a real GC based on the extracted input of E∗ . However in FOT
-hybrid model, the
∗
∗
simulator for a corrupt evaluator E (playing the role of R ) cannot exact the E∗ ’s input bits to OT and hence cannot substitute certain (evaluation to be specific) GCs with
simulated ones (without getting caught with high probability). This difference would
enable the environment Z to distinguish between both worlds based on E∗ ’s view.
4
Samplable Dual-Mode Encryption
The seminal paper of [PVW08] introduced the primitive of dual mode encryption (DME).
It works like a regular public key encryption scheme, alongside a notion of encryption
branches. The key generation algorithm, takes a branch σ ∈ {0, 1} as an input, alongside the crs, to generate the public and secret key pair (pk, sk). Messages encrypted
using pk, on branch σ, can be decrypted using sk, whereas the messages encrypted on
the other branch remains hidden under certain conditions, described next. The encryption scheme can be further initialized in either of the two modes - messy or decryption
mode, based on the setup phase. The setup phase is invoked with the mode and it returns
(crs, t) to the invoking party, where t is the trapdoor for the crs. If the mode is initialized to messy, then the message encrypted on branch 1 − σ remains statistically hidden.
Also, it is possible to extract the branch value 1 − σ (and σ can be computed) given pk
and t. Whereas, if the scheme is set to decryption mode, then it is possible to generate
secret keys sk0 and sk1 which decrypts ciphertexts on branches 0 and 1 respectively.
Formally, a dual mode encryption scheme is defined as follows:
15
– (crs, t) ← SetupMessy(1κ ): It is a randomized algorithm that takes as input the
security parameter κ and outputs the crs and the trapdoor information t, for the
messy mode. It enables the invocation of FindMessy algorithm.
(crs, t) ← SetupDec(1κ ): It is a randomized algorithm that takes as input the
security parameter κ and outputs the crs and the trapdoor information t, for the
decryption mode. It enables the invocation of DecKeyGen algorithm.
– (pk, sk) ← KeyGen(crs, σ): It is a randomized algorithm that takes as input the
crs and the branch σ and returns the public/encryption and secret/decryption key
pair (pk, sk) for branch σ.
– (y, r) ← Enc(pk, σ, m): It is a randomized algorithms that takes as input pk, the
branch σ and the message m ∈ {0, 1}κ . It returns the ciphertext y, encrypted on
branch σ and the randomness r, used for the encryption.
– m ← Dec(sk, y): It is a deterministic algorithm that takes in input sk and y and it
returns m only if sk and y correspond to the same branch.
– b ← FindMessy(pk, t): It returns the branch value b ∈ {0, 1} given pk and the
trapdoor t, when the mode is set to messy. The message encrypted on this branch
is statistically hidden.
– (pk, sk0 , sk1 ) ← DecKeyGen(t): It is a randomized algorithm that generates a
key pair (pk, sk0 , sk1 ) when it is invoked with the trapdoor t as input and the
mode is set to decryption. The secret key skb , b ∈ {0, 1}, enables decryption of
ciphertexts on branch b.
The above defined scheme satisfies correctness and four security properties, as mentioned in the [PVW08] paper. In addition, the dual mode encryption scheme must satisfy another property for our OT protocol. It must be possible to generate a crs for the
messy mode from a random oracle query with overwhelming probability. We outline
the correctness and security properties as follows:
– Correctness: For every mode, for all (crs, t) ← SetupMessy(1κ ) / SetupDec(1κ ),
for each σ ∈ {0, 1}, for each (pk, sk) ← KeyGen(crs, σ), and for all m ∈ {0, 1}κ ,
the following holds Dec(sk, Enc(pk, σ, m)) = m.
– Property 1 (Indistinguishability of modes): The crs generated from either modes
are indistinguishable, i.e. for all (crs, t) ← SetupMessy(1κ ) and for all (crs′ , t′ ) ←
c
SetupDec(1κ ), the following holds crs ≈ crs′ .
– Property 2 (Indistinguishability of Branches in Messy mode): In messy mode, the
public key does not leak the branch value to a computational adversary i.e., for all
c
crs generated by SetupMessy, the following condition holds true- KeyGen(crs, 0) ≈
KeyGen(crs, 1).
– Property 3 (Messy Branch Identification): For each crs generated by SetupMessy
and for each pk returned by KeyGen(crs, σ), FindMessy(pk, t) returns the messy
branch b, s.t. b = 1−σ. Moreover, any message encrypted on branch b is statistically
s
hidden, i.e. for every m0 , m1 ∈ {0, 1}κ , Enc(pk, b, m0 ) ≈ Enc(pk, b, m1 ).
– Property 4 (Dual Decryptable Branches in decryption mode): For each (crs, t) ←
SetupDec(1κ ) and for each (pk, sk0 , sk1 ) ← DecKeyGen(t), the following three
conditions hold for all m, m0 , m1 ∈ {0, 1}κ :
16
s
s
s
i. (pk, sk0 ) ≈ KeyGen(crs, 0), (pk, sk1 ) ≈ KeyGen(crs, 1) and (pk, sk0 ) ≈
(pk, sk1 ).
ii. Dec(skb , Enc(pk, b, m)) = m for all b ∈ {0, 1}.
c
iii. Enc(pk, b, m0 ) ≈ Enc(pk, b, m1 ), for all b ∈ {0, 1}.
– Property 5 (Samplable crs in Messy mode): for all c ∈ {0, 1}κ , (crs, t) ←
SetupMessy(1κ ), the random oracle query FRO (c) is identically distributed to
s
the crs of messy mode except with negligible probability i.e., FRO (c) ≈ crs.
The above DME scheme can be instantiated under the DDH and the LWE assumption, which has been provided in Appendices C and D respectively. The paper
of [PVW08] provides proof for correctness and Properties 1-4 of DME instantiations
under the two respective assumptions. We further demonstrate, in Appendices C and D,
that they satisfy Property 5 too, thereby yielding a samplable DME.
5
Framework for Adaptive Oblivious Transfer
In this section, we present our round-optimal framework for adaptive OT given a DME
scheme, random oracles FRO1 and FRO2 . We first present a brief overview of our protocol and then we present our proof. R generates the crs by sampling a random string
c and invoking the random oracle on c. R obtains a valid crs, in messy mode, except
with negligible probability. He invokes the KeyGen with the crs and his choice bit σ to
obtain a key pair (pk, sk) which would allow decryption on branch σ using sk. R sends
c and pk to S. Property 2 ensures that pk does not leak about σ. S generates the crs using c and encrypts two random pads on both branches using pk. Finally, S encrypts his
messages using RO queries on the pads. R can decrypt the pad corresponding to branch
σ, due to correctness of the DME scheme, and thus obtain the message corresponding
to choice bit σ. The framework has been presented as protocol πOT in Fig. 6.
5.1
Static Security
To make the proof of adaptive security more comprehensible, we first prove that πOT
realizes the ideal functionality FOT (Fig. 1) in presence of static adversaries. This is
extended to adaptive security in Section 5.2.
In order to prove static security, we describe a simulator Sim who behaves as the
ideal world adversary and generates a view of Z which is indistinguishable from the
view generated by the real world adversary Adv in the real world. It does so by invoking
FOT , on behalf of the adversary in ideal world, and running a copy of Adv internally,
in the head. We denote this internal adversary as AdvInt . Sim simulates the role of the
honest parties and the environment to AdvInt in the internal execution. Whenever Adv
corrupts a party in the real world, AdvInt also corrupts that party in the internal execution
and Sim corrupts that party in the ideal world. At the end of the protocol AdvInt forwards
its view to Sim who forwards it to Z as its ideal world view. We refer to Appendix A
for clarity of AdvInt notation and details of static security in the UC model [Can01].
For static security, we prove Theorem 1 by considering the four exhaustive corruption
cases namely : (1) Both S and R are honest (2) S∗ is corrupt while R is honest (3) S is
17
Fig. 6: Adaptively-Secure Oblivious Transfer Protocol
πOT
– Functionalities: Random oracles FRO1 : {0, 1}2κ → {0, 1}∗ and FRO2 : {0, 1}2κ →
{0, 1}ℓ respectively.
– Private Inputs: S has input messages (a0 , a1 ) and R has an input bit σ.
Choose:
– R samples c ←R {0, 1}κ .
– R generates crs ← FRO1 (sid||c).
– R computes (pk, sk) ← KeyGen(crs, σ).
– R sends (c, pk) to S.
Transfer:
– S generates crs ← FRO1 (sid||c).
– S samples r0 , r1 ←R {0, 1}κ .
– S computes sb ← Enc(pk, b, rb ), for b ∈ {0, 1}.
– S sets y0 = FRO2 (sid||r0 ) ⊕ a0 and y1 = FRO2 (sid||r1 ) ⊕ a1 .
– S sends {(s0 , y0 ), (s1 , y1 )} to R.
Local Computation by R:
– Computes rσ = Dec(sk, sσ ) and outputs aσ = yσ ⊕ FRO2 (sid||rσ ).
honest while R∗ is corrupt (4) Both S∗ and R∗ are corrupt. In each of the above cases
we describe a simulator Sim and show that the real world view of Z is indistinguishable
from its ideal world view.
We first give a brief intuition of the security proof. Revisiting the proof of security
for a static adversary [PVW08], note that Sim sets the crs in accordance with which
party is corrupt, to enable input extraction of AdvInt in the internal execution. More
specifically, while crs of the internal execution is set to messy mode when R is corrupted, it is set to decryption mode when S is corrupted. Sim can perform this by
invoking SetupMessy (or SetupDec) to obtain (crs, t) and then program the random
oracle to return the same crs. In the former case, FindMessy can be suitably invoked
to extract σ. In the latter case, Sim can invoke DecKeyGen to obtain secret keys on
both branches and unlock both messages using the secret keys. The simulation of our
protocol for static security is similar to that of PVW.
We are ready to present the formal proof of Theorem. 1. We design an ideal world
adversary Sim who creates an ideal world view IDEALF ,Sim,Z (1κ , z) of Z which is
indistinguishable from the real world view REALF ,Adv,Z (1κ , z) of Z.
Theorem 1. If DME is a samplable dual mode encryption scheme then protocol πOT securely realizes the FOT functionality against static active adversaries in (FRO1 , FRO2 )hybrid model.
The Simulator: We describe the simulator Sim for each possible case of corruption.
Case 1. S and R are honest: In this case Sim acts on behalf of both parties in the
internal execution. At the end, AdvInt generates his view without corrupting any party
and sends it to Sim who forwards it to Z.
18
(i) Simulating the crs and R’s message: Sim obtains (crs, t) ← SetupDec. Sim
samples c ←R {0, 1}κ and programs FRO1 (sid||c) to return crs. Sim invokes
DecKeyGen(t) to obtain (pk, sk0 , sk1 ) and sends (c, pk) as the first OT message
to S on behalf of R in the internal execution.
(ii) Simulating S’s message: Sim sets (s0 , s1 ) as per the protocol and (y0 , y1 ) are set
randomly. Sim sends the simulated message on behalf of S.
(iii) Simulating R’s computation: Sim completes the simulation on behalf of R in the
internal world.
Case 2. S∗ is corrupted and R is honest: In this case, Sim acts on behalf of R in the
internal execution. At the end, AdvInt generates the view of S∗ and sends it to Sim who
forwards it to Z.
(i) Simulating the crs and R’s message: Same as Case 1.
(ii) AdvInt plays the role of S∗ and computes the sender message in the internal world.
AdvInt sends the second OT message to R in the internal world.
(iii) Simulating R’s computation: Sim decrypts r0 and r1 using secret keys sk0 and
sk1 and obtains a0 and a1 from y0 and y1 . Sim invokes FOT with (a0 , a1 ) and
completes the simulation on behalf of R in the internal world.
Case 3. S is honest and R∗ is corrupted: In this case, Sim acts on behalf of S in the
internal execution. At the end, AdvInt generates the view of R∗ and sends it to Sim who
forwards it to Z.
(i) Simulating the crs: AdvInt plays the role of R∗ and computes the receiver message in the internal world. Whenever AdvInt queries FRO1 (sid||c), Sim invokes
SetupMessy to obtain (crs, t) and programs FRO1 (sid||c) to return crs. Sim stores
the tuple in a list Q as (sid, c, crs, t). If a query is repeated then Sim returns the crs
corresponding to the entry in Q indexed by the sid and c values. AdvInt sends the
first OT message to S in the internal world.
(ii) Simulating S’s message: Sim extracts the the choice bit, i.e. σ, of R∗ by invoking
FindMessy(pk, t). Sim sends σ to FOT on behalf of R in the ideal world, obtains
aσ and constructs (sσ , yσ ) honestly. On the other hand, sσ is set honestly and yσ is
set randomly. Finally, Sim computes the sender’s message and sends it to R∗ in the
internal world.
(iii) AdvInt computes on behalf of R∗ and completes the protocol in the internal world.
Case 4. Both S∗ and R∗ are corrupted: This is a trivial case of corruption. Sim invokes AdvInt , who simulates messages of both parties and generates the view internally.
At the end of execution, AdvInt sends the generated view to Sim who forwards it to Z.
Indistinguishability: Here we show that the ideal world view IDEALF ,Sim,Z (1κ , z) of
Z is indistinguishable from the real world view REALF ,Adv,Z (1κ , z) of Z. We denote
REAL F ,Adv,Z (1κ , z) as hybrid HYBR . The ideal world view of Z varies based on the
case of corruption. For case D (D ∈ [4]), we denote the ideal world view as HYBI.d .
We prove that HYBR is indistinguishable from the corresponding ideal world view for
each of the four exhaustive cases of corruption.
19
Case 1. S and R are honest: We prove that HYBR and the ideal world view i.e HYBI.1
is indistinguishable through a series of intermediate hybrids.
– HYB1 : We consider a hybrid HYB1 which is same as HYBR except that here,
the crs is generated using SetupDec. Indistinguishability follows from Property
1 of DME, i.e. indistinguishability of the two modes, and random sampling of c.
A distinguisher for the hybrids can be used to break Property 1 or guess the exact
value of c, both of which happen with negligible probability.
- HYB2 : We consider a hybrid HYB2 which is same as HYB1 except that Sim generates pk using DecKeyGen. Indistinguishability follows statistically from Property
4i of DME, i.e. the branch remains statistically hidden when the DME is set to
decryption mode.
– HYB3 : We consider a hybrid HYB3 similar to HYB2 except that in HYB3 Sim
constructs s0 and s1 using r0 and r1 whereas y0 and y1 are formed using different random pads, r0′ and r1′ . Indistinguishability between the hybrids follows from
Property 4iii of DME, i.e. indistinguishability of ciphertexts in decryption mode.
– HYBI.1 : We consider the ideal world hybrid HYBI.1 similar to HYB3 except that
in HYBI.1 , Sim sets y0 and y1 randomly. AdvInt can distinguish between the hybrids only if the values r0′ or r1′ are guessed precisely and queried to the random
oracle. This event occurs with negligible probability in the random oracle model
and as a result indistinguishabilty between the hybrids follows.
Case 2. S∗ is corrupted and R is honest: We prove that HYBR and the ideal world
view i.e HYBI.2 is indistinguishable through an intermediate hybrid.
– HYB1 : We consider hybrid HYB1 which is same as HYB1 in previous case. Indistinguishability between HYBR and HYB1 follows (similar to the previous case)
from Property 1 of DME.
– HYBI.2 : We consider a hybrid HYBI.2 similar to HYB1 except that in HYBI.2
Sim decrypts r0 and r1 and obtains a0 and a1 respectively using secret keys on
both branches. Indistinguishability follows from Property 4ii of DME, which ensures that Sim can decrypt messages on both branches using the secret keys in the
decryption mode.
Case 3. S is honest and R∗ is corrupted: We prove that HYBR and the ideal world
view i.e HYBI.3 is indistinguishable through a series of intermediate hybrids.
– HYB1 : We consider a hybrid HYB1 which is same as HYBR except here the crs
is generated using SetupMessy. Indistinguishability follows from Property 5 and
1, i.e. the crs in the messy mode can be sampled using the random oracle and
the crs in the messy mode is indistinguishable from the crs in decryption mode.
Another possible way of distinguishing is if the distinguisher can guess the value of
the crs without querying c to the random oracle, but that happens with negligible
probability, due to the random oracle assumption.
– HYB2 : We consider a hybrid HYB2 which is same as HYB1 except that, here, Sim
extracts the value of σ, by invoking FindMessy(crs, t), and sends it to FOT and
obtains aσ . Indistinguishability follows from Property 3 of DME.
20
– HYB3 : We consider a hybrid HYB3 similar to HYB2 except that in HYB3 , Sim
constructs sσ using rσ , whereas yσ is formed using different random pad, rσ′ . Indistinguishability between the hybrids follows from the fact that rσ′ remains statistically hidden, due to Property 3, in the messy mode.
– HYBI.3 : Finally we consider our ideal world hybrid HYBI.3 where yσ is set randomly. Indistinguishability follows from the random oracle assumption since the
distinguisher has to guess rσ′ to distinguish between the two hybrids and this happens with negligible probability.
Case 4. Both S∗ and R∗ are corrupted: In this case HYBR and HYBI.4 are generated
by Adv and AdvInt after being in control of both honest parties in the real world and
internal world respectively. As a result, the two views are identical.
5.2
Adaptive Security
Building upon the proof of static security in the previous section, we now prove that πOT
securely implements FOT in the presence of adaptive adversaries. We refer to Appendix
A for details about the security model. We give a brief overview of the proof and then
we present it formally. Following the lines of the static proof, Sim programs the crs
of the internal execution to be in messy mode, when the receiver is corrupt in the first
round, or in the decryption mode otherwise, to enable extraction of R’s input or S’s
input respectively.
In addition, Sim has to equivocate the view of R (resp. S), in the internal execution,
when R (resp. S) gets corrupted adaptively by AdvInt . The proof demands equivocation
only when R gets corrupted after sending the first OT message and/or S gets corrupted
after sending the second OT message. This is done to ensure that the ideal world views
(messages and internal state) of the simulated honest parties (in the internal execution)
are consistent with the real world views (messages and internal state) of the actual honest parties else Z can distinguish between the two views. In the first scenario, when R is
corrupted after the first OT message is sent, the mode is set to decryption, and Sim can
extract secrets keys for both branches, corresponding to pk, by invoking DecKeyGen.
When R gets corrupted and Sim obtains σ as R’s input, Sim can provide skσ as its
secret key on branch σ. Equivocation is successful due to Property 4ii of DME. In the
second case when S is corrupted after the second OT message is sent, the random values sent corresponding to (y0 , y1 ) by Sim have to be made consistent with sender’s
actual input (a0 , a1 ). For this, Sim exploits the programmability of FRO2 to enforce
that (y0 , y1 ) decrypts to (a0 , a1 ). We are ready to present the proof of Theorem 2.
Theorem 2. If DME is a samplable dual mode encryption scheme then protocol πOT securely realizes FOT functionality against adaptive active adversaries in (FRO1 , FRO2 )hybrid model.
Proof. We describe the simulator corresponding to the protocol πOT , for each possible
case of adaptive corruption.
21
The Simulator: The simulator Sim that generates the ideal world view, is initialized
with input values from Z based on which party is corrupted to facilitate simulation.
Outset of the Protocol: Whenever AdvInt queries FRO1 (sid||c), Sim invokes the
SetupMessy algorithm to obtain (crs, t) and programs FRO1 (sid||c) to return crs. Sim
stores the tuple in a list Q as (sid, c, crs, t). If a query is repeated then Sim returns the
crs corresponding to the entry in Q indexed by the sid and c values.
R is honest in the first round: Sim computes R’s message similar to case 1(i) (R’s
message for (S, R) case) of the static proof. The crs is set in the decryption mode by
programming FRO1 (sid||c). Sim invokes DecKeyGen to obtain (pk, sk0 , sk1 ) and he
sends c and pk as the first OT message to AdvInt on behalf of R in the internal execution.
– S is honest in the second round: Sim acts on behalf of S in the internal execution.
Sim simulates according to Case 1(ii) (S’s message for (S, R) case) of static proof.
- Case 1(A). R is honest in the first round, S is honest in the second round,
R∗ is corrupted after second OT message: Sim obtains σ and aσ in the ideal
world. Sim equivocates pk by setting skσ as the secret key on branch σ. Additionally, Sim equivocates yσ s.t. aσ can be obtained from it. For this, Sim
programs FRO2 (sid||rσ ) = aσ ⊕ yσ . At the end of the protocol, AdvInt outputs
⊥ and sends its internal state to Sim who forwards it to Z.
Post Execution. In case of post execution corruption of S∗ , Sim obtains (a0 , a1 )
and needs to provide the internal randomness of S∗ s.t. y0 and y1 open to a0
and a1 . We note that yσ was previously equivocated. Equivocation of yσ is
performed by programming FRO2 (sid||rσ ) = aσ ⊕ yσ . Sim sends the internal
state of S∗ to Z who halts with an output.
- Case 1(B). R is honest in the first round, S is honest in the second round,
R is honest after second OT message: In this case, Sim acts on behalf of
both parties throughout the protocol in the internal execution. At the end of
the protocol, AdvInt outputs his random tape as its internal state to Sim who
forwards it to Z.
Post Execution. In case of post execution corruption of R∗ and S∗ , Sim obtains
(σ, aσ ) and (a0 , a1 ), and has to provide the internal randomness of R∗ and S∗
to Z. Equivocation of both views is similar to the previous case (Case 1(A)
of adaptive simulation) where the view of R∗ is equivocated first and then the
view of S∗ is equivocated. Sim sends the equivocated views of R∗ and S∗ to
Z, who halts with an output.
– Case 2. R is honest in the first round, S∗ is corrupted in the second round:
Sim receives the second message on behalf of R from S∗ in the internal execution.
Simulation is performed as in Case 2(iii) (R’s computation for (S∗ , R) case) of
static proof. AdvInt outputs ⊥ at the end of the protocol and sends its internal state
to Sim who forwards it to Z.
Post Execution. In case of post execution corruption of R∗ , Sim obtains σ and aσ
and he proceeds like the simulator for case 1(A) of adaptive simulation.
R∗ is corrupted in the first round: Whenever AdvInt queries FRO1 (sid||c), Sim invokes the SetupMessy algorithm to obtain crs and programs FRO1 (sid||c) to return
22
crs. Sim stores the tuple in a list Q as (sid, c, crs, t). If a query is repeated then Sim
returns the the crs corresponding to entry in Q indexed by the sid and c values. AdvInt
generates the first OT message which is sent to S in the internal execution. This is
similar to Case 3(i) (R’s message for (S, R∗ ) case) in static proof.
– Case 3. R∗ is corrupted in the first round, S is honest in the second round: Sim
receives the first OT message, on behalf of S, from AdvInt controlling R∗ in the
internal execution. Sim continues simulation as in Case 3(ii) (S’s message for (S,
R∗ ) case) of static proof.
Post Execution. In case of post execution corruption of S∗ , Sim obtains (a0 , a1 )
and needs to equivocate yσ such that it opens to aσ . Sim performs this by programming FRO2 (sid||rσ ) = yσ ⊕ aσ . The internal state of S∗ is revealed to Z who halts
with an output.
– Case 4. R∗ is corrupted in the first round, S∗ is corrupted in the second round:
This is a trivial case since both parties are corrupted by the adversary. The parties
are controlled by Adv/Sim/AdvInt in the real/ideal/internal world. AdvInt generates
the second OT message similar to Case 4 ((S∗ , R∗ ) case) of static proof. At the end
of execution, AdvInt outputs a special symbol ⊥ on behalf of the corrupted parties
and hands over the internal state to Sim who in turn forwards it to Z.
Post Execution. There is no post execution corruption since both parties are corrupted and Z halts with an output computed from the internal state of AdvInt .
Indistinguishability : Here we show that the ideal world view IDEALF ,Sim,Z (1κ , z) of
Z is indistinguishable from the real world view REALF ,Adv,Z (1κ , z) of Z. We denote
REAL F ,Adv,Z (1κ , z) as hybrid HYBR and show that in each simulation case HYBR is
indistinguishable from the ideal world by relying on the static indistinguishability proof.
Case 1(A). R is honest in the first round, S is honest in the second round, R∗ is
corrupted after second OT message: Simulation of both OT messages follows along
the same direction as Case 1 of static proof. When R∗ gets corrupted after second OT
message Sim obtains σ and he can provide skσ as the secret key for branch σ. Equivocation is successful due to Property 4ii of DME, i.e. σ is statistically hidden in pk when
the crs is generated in decryption mode. In case of post execution corruption, Sim successfully equivocates yσ , s.t. it unlocks aσ by programming FRO2 (sid||rσ ). Adv can
query rσ to FRO2 only with negligible probability and hence equivocation is successful. This follows from Property 4iii of DME, i.e. indistinguishability of ciphertexts in
the decryption mode.
Case 1(B). R is honest in the first round, S is honest in the second round, R is
honest after second OT message: In this case we can consider that the post execution
corruption occurs in two phases - first R∗ gets corrupted and only after that S∗ gets
corrupted. Then it becomes identical to the previous case (case 1(A) of adaptive proof)
and indistinguishability follows from the previous argument.
Case 2. R is honest in the first round, S∗ is corrupted in the second round: The
first message is computed according to Case 1(i) of static proof, which is identical to
23
Case 2(i) of static proof. The rest of the simulation proceeds as Case 2 of static proof.
Indistinguishability follows from the indistinguishability of HYBI.2 from HYBR in the
static proof. In case of post execution corruption, equivocation of R’s view is possible
since the crs is in decryption mode and Sim has secret keys for both branches. skσ can
be provided as the secret key for branch σ. Indistinguishability follows from Property
4ii of DME.
Case 3. R∗ is corrupted in the first round, S is honest in the second round: Indistinguishability follows from the indistinguishability of HYBI.3 from HYBR in the static
proof. In case of post execution corruption equivocation can fail if during the simulation
AdvInt unlocks rσ from sσ and queries it to FRO2 . However, this occurs with negligible probability due to Property 3 of DME, i.e. ciphertext indistinguishability in messy
mode, and the random oracle assumption.
Case 4. R∗ is corrupted in the first round, S∗ is corrupted in the second round:
This is identical to case 4 (both (S∗ , R∗ ) are corrupted) in static proof. Hence, indistinguishability of simulation for this case follows from indistinguishability of HYBI.4
from HYBR in the static proof.
5.3
Concrete Instantiations and Optimized Protocol based on DDH
We provide concrete instantiations of our protocol by instantiating the DME scheme
under the DDH and LWE assumptions in Appendix C and D respectively. Furthermore,
we can optimize our protocol, while considering the DDH-based instantiation of the
DDH
based on the
DME. In Figure. 7 we present our optimized adaptive OT protocol πOT
DDH
DDH assumption. It differs from the original framework since protocol πOT
does not
send separate messages (s0 , s1 ) for encrypting the random pads. Rather, the random
pads and the messages are encrypted in the same ciphertext (w0 , w1 ). This protocol
incurs a computation cost of 11 exponentiations and 5 random oracle queries and it
has an optimal round complexity of 2. It requires sending a κ bit string - c, two ℓ bit
strings - (w0 , w1 ); and 4 group elements– (u0 , u1 ) and (g, h). Interestingly, it is the first
round-optimal adaptively-secure OT protocol and it has an overhead of 5 random oracle
queries and κ-bit string communication overhead over the static protocol of [PVW08].
The security of our protocol follows from the security of the OT framework and the
DME instantiation presented in Appendix C. Hence we avoid presenting it and summarize it in Theorem. 3.
Theorem 3. If the Decisional Diffie Hellman problem is hard in group G then protocol
DDH
πOT
securely realizes the FOT functionality against adaptive active adversaries in
(FRO1 , FRO2 )- hybrid model.
5.4
Static Version of our Protocol
We can optimize our adaptive πOT protocol to obtain an efficient static OT protocol,
′
denoted as πOT
. It is similar to the [PVW08] framework, except here we generate the crs
24
Fig. 7: Optimized Adaptively-Secure Oblivious Transfer Protocol from DDH
DDH
πOT
– Functionalities: Random oracles FRO1 : {0, 1}2κ → 4G and FRO2 : {0, 1}κ × G →
{0, 1}ℓ .
– Private Inputs: S has ℓ-bit input messages (a0 , a1 ) and R has an input bit σ.
Choose:
– R samples c ←R {0, 1}κ .
– R generates crs = (g0 , g1 , h0 , h1 ), s.t. (g0 , g1 , h0 , h1 ) ← FRO1 (sid||c).
– R samples α ←R Zp and computes (g, h) = (gσα , hα
σ ).
– R sends {c, (g, h)} to S.
Transfer:
– S generates the crs = (g0 , g1 , h0 , h1 ), s.t. (g0 , g1 , h0 , h1 ) ← FRO1 (sid||c).
– S samples r0 , r1 , s0 , s1 ←R Zp .
– S computes u0 = g0r0 hs00 and u1 = g1r1 hs11 .
– S sets w0 = FRO2 (sid||g r0 hs0 ) ⊕ a0 and w1 = FRO2 (sid||g r1 hs1 ) ⊕ a1 .
– S sends {(u0 , w0 ), (u1 , w1 )} to R.
Local Computation by R:
– Computes aσ as aσ = wσ ⊕ FRO2 (sid||uα
σ ).
′
from πOT by removing the random oracle invocation
using a PRO. We can obtain πOT
FRO2 . FRO2 is not required since static corruption does not demand equivocation, of
sender’s message, by the Sim. The security of our protocol is summarized in Theorem
4 and the proof is similar to the static security proof of πOT .
Theorem 4. If DME is a samplable dual mode encryption scheme then protocol πOT
securely realizes the FOT functionality against static active adversaries in FRO1 - hybrid
model.
′
Interestingly, πOT
satisfies the property of receiver equivocality, which states that
the view of the receiver can be equivocated if the receiver gets adaptively corrupted
during/after the protocol execution. We analyze this property as two exhaustive subcases as follows : (1) R gets corrupted before the first OT message is sent (2) R gets
corrupted after the first OT message is sent. For the first case, the simulator has not sent
any message on behalf of R and hence equivocation is not required. In this case the crs
is set to messy mode. For the second case, the simulator sets the crs in the decryption
mode which enables him to equivocate R’s view on obtaining σ, after R gets corrupted.
6
Adaptively Secure 1-out-of-N Oblivious Transfer.
The work of [NP05] implements FN-OT , against static adversaries in the FOT -hybrid
model by relying on pseudorandom functions. S has N strings (a1 , a2 , . . . , aN ) as input
and R has a log N bit input choice string σ. S samples 2 log N random pads pi0 , pi1 ←
{0, 1}κ for i ∈ [log N]. The two parties invoke log N copies of FOT with S’s input as
(pi0 , pi1 ) and R’s input as σi respectively. The ith invocation of FOT outputs piσi to R, i.e
25
the pad corresponding to his σi choice bit. Finally, S encrypts aj as wj using the pads
corresponding to the bit representation of j, j ∈ [N]. The message aj is encrypted as
follows :
wj = aj ⊕
log
MN
PRFpic (j),
i=1
where c = ji , i.e. the ith bit of string j. R obtains (w0 , w1 , . . . , wN ) and decrypts
wσ for which he possesses all the log N pads. For other w values, R lacks at least one
random pad and security follows by applying PRF on that secret random pad. The
transformation communicates N ciphertexts, and requires log N invocations of FOT and
N log N evaluations of a PRF. It guarantees security against a statically corrupted active
adversary.
We show in Fig. 8 that the same transformation can be made adaptively-secure
(by protocol πN-OT ) by implementing the underlying FOT functionality in an adaptive
secure manner. In addition, we replace PRF with a programmable random oracle FRO
and modify the formation of wj as follows, where ji denotes the ith bit of j.
N
wj = aj ⊕ FRO (sid||j, p1j1 ||p2j2 || . . . ||plog
jlog N ) = aj ⊕ FRO (sid||j, vj ),
N
where vj = (p1j1 ||p2j2 || . . . ||plog
jlog N ). This reduces the N log N PRF evaluations to N random oracle queries. Later, in this section we further demonstrate that the underlying
FOT need not be full adaptively secure. Static OTs with security against adaptive receivers, i.e. receiver equivocal OTs, suffice for the transformation. Hence, we obtain
adaptively-secure 1-out-of-N from log N 1-out-of-2 receiver equivocal OTs.
6.1
Security
The security of the protocol is proven by constructing a simulator Sim for πN-OT . We
first present the static proof and then discuss the adaptive proof. For a statically corrupted S∗ , Sim can extract the pads by invoking the simulator for FOT . Sim forms
{vj }j∈[N] and decrypts {wj }j∈[N] to unlock all the input messages of S∗ , i.e. {aj }j∈[N] ,
and completes the simulation by invoking FN-OT with the input messages. Indistinguishability follows from the FOT hybrid model. For a statically corrupted R∗ , Sim can
extract the choice bit σi by invoking the simulator for ith copy of FOT . Sim reconstructs
σ and invokes FN-OT with σ to obtain aσ . Sim concludes the simulation by setting wσ
correctly while {wj }j∈[N]/σ are set as random strings. R∗ obtains all the random pads
(corresponding to σ) from log N invocations of FOT and constructs vσ to unlock aσ .
The other {aj }j∈[N]/σ values remain hidden since R∗ lacks at least one random pad
for {vj }j∈[N]/σ , and hence FRO (j, vj ) will be indistinguishable from a random string,
except with negligible probability, due to the random oracle assumption.
In order to prove adaptivity, we need the property of equivocation. The simulated
messages have to be equivocated appropriately so that they are indistinguishable from
the real world messages of honest parties. Sim can equivocate the simulated message
(consisting of only FOT messages) of R by invoking the adaptive simulator for FOT . The
simulated message of S consists of the FOT messages and the simulated ciphertexts.
26
The FOT messages can be trivially equivocated by invoking the adaptive simulator for
FOT . The simulated ciphertexts can be equivocated by programming FRO (sid||j, vj ) =
wj ⊕aj , for j ∈ [N]/σ. Adversary can query FRO (sid||j, vj ) with negligible probability
since he lacks atleast one pad in vj and hence simulator can program FRO (sid||j, vj )
successfully to equivocate correctly. The proof of indistinguishability is similar to the
one for statically corrupted R∗ .
Fig. 8: Adaptively-Secure 1-out-of-N Oblivious Transfer Protocol
πN-OT
– Functionalities: Random oracle FRO : {0, 1}κ+log N(1+κ) → {0, 1}n . FOT denotes a
1-out-of-2 OT functionality.
– Private Inputs: S has input messages {aj }Nj=1 and R has an input choice string σ,
where |σ| = log N.
Choose:
– R invokes FOT functionality log N times. He invokes the ith copy of FOT with input
(rec, i, σi ) for i ∈ [log N].
Transfer:
– S samples 2 log N random pads (pi0 , pi1 ), where pi0 , pi1 ∈ {0, 1}κ .
– S invokes the ith copy of FOT with input (sen, i, (pi0 , pi1 )).
N
– S encrypts his input messages as wj = aj ⊕ FRO (sid||j, p1j1 ||p2j2 || . . . ||plog
jlog N ), for
j ∈ [N].
Local Computation by R:
N
– Computes aσ as aσ = wσ ⊕ FRO (sid||σ, p1σ1 ||p2σ2 || . . . ||plog
σlog N ) .
6.2
Efficiency
Our protocol invokes FOT functionality log N times and queries FRO for N times. It
incurs communication of log N copies of FOT and N ciphertexts of size n bits.
6.3
Instantiating FOT using Static Receiver Equivocal OT
We observe that our transformation continues to be adaptively-secure, despite replacing the adaptively-secure 1-out-of-2 OTs in the above result with statically-secure OTs,
that support equivocation of receiver’s view irrespective of equivocation of sender’s
view. When S∗ or R∗ is corrupted, inputs are extracted by invoking the simulator for
the actively-secure static OT protocol. For adaptive security, we need equivocation of
S’s and R’s views if corruption occurs during the course of execution or at the end of
protocol. In the transformation, S’s view consists of the OT messages and ciphertexts,
i.e. {wj }j∈[N] . A simulator, playing the role of S can trivially simulate the OT messages by running the honest S algorithm with random pads, which are independent of
S’s inputs. The ciphertexts are equivocated by programming FRO (sid||j, vj ) (see Section 6.1). On the other hand, R’s view consists only of the OT messages which can be
27
′
trivially equivocated by relying on the receiver equivocal property of the OT. Our πOT
protocol (Section 5.4) is a statically-secure protocol satisfying receiver equivocal property; hence we can plug in our protocol to obtain adaptively-secure 1-out-of-N OTs.
The security of πN-OT is summarized in Theorem 5.
Theorem 5. If FRO is a programmable random oracle and FOT is a static actively secure OT functionality satisfying receiver equivocation, then πN-OT UC-securely realizes
the FN-OT functionality in the FOT hybrid model against adaptive (without erasures)
active adversaries.
7
Adaptively Secure Oblivious Transfer Extension
In this section we present our semi-honest and actively secure OT Extension protocols
which are secure against adaptive adversaries, without assuming erasures.
7.1
Adaptively Secure OT Extension against Semi-Honest Adversaries
We prove that the semi-honest OT Extension protocol of [ALSZ13] (denoted as ALSZ13
hereby) can be made adaptively secure using PRO. We initiate our proof by
briefly recalling the protocol of ALSZ13. In ALSZ13, S has m pairs of messages - xj,0 , xj,1
for j ∈ [m], and R has m selection bits, denoted as vector r = (r1 , · · · , rm ). R samples two random strings (k0i , k1i ) and S samples a random string s, i ∈ [κ]. R and
S performs the seed OT phase by invoking FOT on inputs (k0i , k1i ) and si as sender
and receiver respectively. S obtains ksi i from FOT . R computes matrices B and E s.t.
Bi = G(k0i ) and Ei = r, where G is a PRG. R sends a correction matrix D to S, s.t.
si
Di = Bi ⊕ G(ki1 ) ⊕ Ei . S forms the matrix
Q using G(ki ), s and D. The jth row of
Q is used to encrypt the jth message pair xj,0 , xj,1 j∈[m] using pads H(j, Qj ) and
H(j, Qj ⊕ s) respectively, where H is a correlation robust function [IKNP03]. S sends
the ciphertexts to R, who decrypts and obtains xj,rj using H(j, Bj ). The ALSZ13 is
similar to the protocol presented in Fig. 9, except FRO1 and FRO2 will be replaced by G
and H. Security against a statically corrupt S∗ follows from the sender privacy of FOT ,
which ensures that one of R’s input (acting as sender in FOT ) to FOT remains hidden
from S. On the other hand, a statically corrupt R can break honest sender privacy if he
obtains both xj,0 and xj,1 for some j. However, this happens with negligible probability since R has to either guess the value of s or obtain a collision in the random oracle
query, s.t. H(j, Bj ) = H(j, Bj ⊕ s). We refer to [ALSZ13] for the full proof.
While considering adaptive security, the messages of S and R require equivocation.
These messages can be classified into three exhaustive cases. Below, we give a high
level overview for equivocating each case :
– FOT messages: It can be observed that S and R invoke FOT on random inputs - si
and (k0i , k1i ) respectively, independent of their actual inputs. This can be leveraged
to reduce the assumption on FOT . More specifically, FOT can be secure only against
static adversaries, since the simulator can simulate the view of an honest sender
(resp. receiver) by running the honest sender (resp. receiver) algorithm on random
inputs. When sender (resp. receiver) gets corrupted, the simulator can produce the
28
Fig. 9: Adaptive OT Extension Protocol secure against passive adversaries
p
κ
2
Protocol πALSZ
for obtaining 21 -OTm
ℓ from 1 -OTm
– Input of S: m pairs xj,0 , xj,1 j∈[m] of ℓ bit strings.
– Input of R: m selection bit vector r = (r1 , · · · , rm ) such that each rj ∈ {0, 1}.
– Functionalities: Random Oracles FRO1 : {0, 1}2κ → {0, 1}m and FRO2 : {0, 1}κ ×
[m] × {0, 1}κ → {0, 1}ℓ respectively. FOT denotes a 1-out-of-2 OT functionality.
– Notations: In the protocol j ∈ [m] and i ∈ [κ], unless specified otherwise.
Seed OT Phase:
1.
2.
3.
4.
S chooses s ← {0, 1}κ at random.
1
S computes the first message of πOT as πOT
(s).
R chooses κ pairs of seeds (k0i , k1i ) each of length κ.
S and R invokes the FOT functionality for κ times with inputs (rec, sid, si ) and
(rec, sid, (k0i , k0i )) respectively. S receives {ksi i } as output.
OT Extension Phase :
1. R forms three m × κ matrices B, E and C in the following way and sends D to S:
– Set Bi = FRO1 (sid||k0i ).
– Set Ej = (rj || . . . ||rj ). Clearly, Ei = r.
– Set Di = Bi ⊕ FRO1 (k1i ) ⊕ Ei .
2. On receiving
× κ matrix Q with the jth column ofQ set as Qi =
D, S forms sm
i
i
i
i
i
si ⊙ D ⊕ FRO1
(sid||ki ). Clearly,
(i) Q = B ⊕ (si ⊙ E ) and (ii) Qj =
Bj ⊕ (s ⊙ Ej ) = Bj ⊕ (s ⊙ rj ) .
3. For every j ∈ [m], S computes yj,0 = xj,0 ⊕ FRO2 (sid||j, Qj ) and yj,1 = xj,1 ⊕
FRO2 (sid||j, Qj ⊕ s). S sends {yj,0 , yj,1 }j∈[m] to R.
4. For every j ∈ [m], R recovers zj = yj,rj ⊕ FRO2 (sid||j, Bj ). R outputs {zj }j∈[m] .
view, generated using random inputs, which is indistinguishable from the honest
sender’s (resp. receiver’s) view.
– R’s messages : It consists of matrix D which depends on R’s input r. When R gets
corrupted, the simulator has to equivocate R’s message, i.e. matrix D, based on R’s
input. This is ensured by replacing G with a PRO FRO1 .
– S’s messages: It consists of messages - (yj,0 , yj,1 ), which are dependent on S’s
inputs (xj,0 , xj,1 ). When S gets corrupted, the simulator has to equivocate S’s
message based on S’s inputs. This is ensured by replacing H with a PRO FRO2 .
The explanation for the last two subcases will be clear from the next few paragraphs,
where we elaborately discuss the equivocation cases. We consider equivocation of S and
p
R in two separate cases. Our passively secure adaptive OT extension protocol πALSZ
is
presented in Fig. 9 and the security proof has been summarized in Theorem 6.
p
Theorem 6. The protocol πALSZ
UC-securely realizes the Oblivious Transfer Extension functionality in the (FOT , FRO1 , FRO2 ) hybrid model against adaptive (without
erasures) passive adversaries.
– Equivocation of S’s view: When S is honest,Sim plays the role of S in the internal
world. The view of S consists of his input xj,0 , xj,1 , random vector s, matrix
29
Q and the ciphertexts (yj,0 , yj,1 ). The s vector and Q matrix is independent of
S’s inputs and can be simulated correctly without equivocation. The ciphertexts are
simulated by relying on the programmability property of FRO2 . We first consider
the case where both parties are honest. The formal simulation for S is presented as
follows. Sim invokes the FOT simulator with random input si to simulate the ith
seed-OT. Sim generates Q following honest sender algorithm. In the OT Extension
phase, Sim sends random values for yj,b , where b ∈ {0, 1}. In case of post execution corruption of S, Sim obtains the inputs of S. Sim provides s and Q as part of
the view, and this is indistinguishable from the real world view. In addition, Sim
opens yj,b to xj,b by programming FRO2 as follows:
FRO2 (j, Qj ) = yj,0 ⊕ xj,0 ,
FRO2 (j, Qj ⊕ s) = yj,1 ⊕ xj,1 .
Equivocation is is successful due to the randomness of s and random oracle assumption. An adversary AdvInt can prevent Sim from programming FRO2 if he
queries Qj or Qj ⊕ s to FRO2 . This happens with negligible probability as Q
and s are randomly chosen. This proves that real and ideal world are indistinguishable. Now, we consider the case where AdvInt corrupts R∗ . Sim obtains the
choice vector r. Sim invokes the OT Extension functionality with r and obtains
{xj,rj }j∈[m] . Sim computes yj,rj honestly like an honest sender, s.t. yj,rj opens
to xj,rj . In case of post execution corruption, Sim obtains (xj,0 , xj,1 ) and he programs FRO2 (j, Qj ⊕ (s ⊙ rj )), s.t. yj,rj opens to xj,rj . To prevent equivocation
AdvInt has to guess the value of s and query Qj ⊕ (s ⊙ rj ) = Bj ⊕ s to FRO2 which
happens with negligible probability, proving indistinguishability of the two worlds.
– Equivocation of R’s view: When R is honest, Sim plays the role of R in the internal
world. The view of R consists of his inputs, the seeds (k0i , k1i ) and the matrices, B,
E and D. The seeds and B matrix can be simulated without any equivocation since
they are independent of R’s input. The other two matrices are simulated by programming FRO1 , since they depend on R’s input. We first consider the case where
both parties are uncorrupted. The formal simulation is presented as follows. Sim
randomly generates (k0i , k1i ) and simulates ith FOT by invoking FOT with inputs
(k0i , k1i ) like an honest R. Sim sets D matrix randomly and the B and E matrices are constructed later as they are not required for the simulation. Sim sends D
to S and ends simulation as both parties are honest. The adversary AdvInt (without corrupting S) observes R’s message, which consists only of D matrix. Based
on that, he cannot distinguish between real and ideal world since in ideal world
D is a random matrix, whereas in real world, it is padded with FRO1 (sid, k0i ) and
FRO1 (sid, k1i ), where k0i and k1i remains hidden from AdvInt . Thus, indistinguishability follows from the random oracle assumption. In case of post execution corruption of R, Sim obtains r and he programs FRO (sid||k0i ) and FRO (sid||k1i ) s.t. the
following holds true:
FRO1 (k0i ) ⊕ FRO1 (k1i ) = Di ⊕ r.
(1)
The B matrix is constructed after FRO1 has been programmed according to Eq. 1.
Equivocation is successful since AdvInt does not obtain k0i and k1i from FOT and
30
he has to guess it, which occurs with negligible probability, in order to prevent
equivocation. If AdvInt corrupts S∗ , then Sim obtains s from FOT simulator (since
S∗ is the OT receiver) and he sets FRO1 (ksi i ) randomly concluding the simulation.
In case of post execution corruption of R∗ , Sim obtains r and constructs E matrix
s.t. Ei = r. Sim equivocates D matrix by programming FRO1 (ksi i ) as follows:
FRO1 (ksi i ) = FRO1 (ksi i ) ⊕ Di ⊕ r.
(2)
The B matrix is constructed after FRO1 has been programmed according to Eq.
2. Equivocation is successful since AdvInt does not obtain ksi i from FOT and he
has to guess it, in order to prevent equivocation. However, it occurs with negligible
probability and hence the two worlds are indistinguishable.
7.2
Adaptively Secure OT Extension against Active Adversaries
The ALSZ13 protocol is actively secure against S∗ and passively secure against R∗ ,
assuming seed OTs to be actively secure. An active R∗ can send a bad D matrix such
that Q is malformed and it leaks the s vector. We refer to [ALSZ15] (denoted as ALSZ
henceforth) for the exact attack. To address this attack, the ALSZ15 protocol introduces
column wise consistency check for every pair of columns. Moreover, for active security
we require that the simulator Sim can extract a corrupted party’s input in the protocols from S∗ and (k0i , k1i ) from R∗ , even when the parties are adaptively corrupted. For
adaptive security, the simulator also has to simulate the consistency checks when Sim
plays the role of R in the ideal world, in addition to the usual equivocation of views of
honest parties.
In order to extract corrupted parties’ inputs and simulate the consistency checks
properly, we observe that the FOT messages are random in the OT extension protocol of
ALSZ13 and ALSZ15. Hence, we can modify the protocol s.t. the parties invoke FROT
(Fig. 11) instead of FOT . FROT is an OT functionality where R has an input whereas
S does not have any input. The functionality returns random messages to S and one
of the random messages to R based on his input. Formally stating, FROT takes choice
bit σ as input from receiver of FROT , i.e. ROT , and generates two random pads (a0 , a1 )
for sender of FROT , i.e. SOT . It sends aσ to ROT and (a0 , a1 ) to SOT . On a high level,
when FROT is invoked in our OT Extension protocol the input of S (playing as ROT )
to the FROT can be extracted by invoking the static simulator for FROT . The seeds for
R (playing the role of SOT ) are obtained from FROT . For equivocation of R’s view,
Sim runs the honest SOT algorithm to obtain random seeds. The consistency checks are
simulated by programming FRO1 and FRO2 . For equivocation of S’s view, Sim invokes
the FROT simulator for ROT with a random s vector. Indistinguishability follows since
the value of s, sampled by honest S, is random in real world as well. The ciphertexts
(yj,0 , yj,1 ) are equivocated by programming FRO3 . Invoking FROT has a significant
advantage - FROT can be adaptively implemented by a static receiver equivocal OT (Sec.
5.4), since S does not have any message, whereas implementing FOT in an adaptive way
is expensive.
a
Now we formally describe our protocol πALSZ
, which has been presented in Fig.
10. Our protocol is same as ALSZ15, except here the PRG, hash and correlation robust
31
function invocations of ALSZ15 are replaced by PRO invocations. Our protocol has a
p
seed OT phase similar to the πALSZ
protocol. The OT extension phase is divided into two
parts, based on R’s and S’s role. R’s role consist of phase I of OT extension, followed
by the consistency checks and finally phase II of OT extension consists of S’s role in the
OT extension. Similar to ALSZ15, our protocol also contains column wise consistency
check for every pair of columns. It has been recently identified by [ALSZ15] team that
the checks leak κ2 bits of randomness, on R’s end. In order to counter that, they add
κ2 bits of randomness by adding κ columns and κ rows, as dummy choice bits τ . As
a result the new choice bit string is r′ = r||τ . The checks ensure that the same r′ has
been used in all the columns of D, i.e. Ei = r′ for all i ∈ [k], where k = 2κ. Our static
proof of security follows from the security proof of [ALSZ15] and we refer to their
paper for the static proof against an active adversary. Adaptive security for our protocol
can be proved against active adversaries in the PROM model, provided the underlying
seed OTs are adaptive actively secure implementation of FROT (Fig. 11) functionality.
a
Security of πALSZ
has been summarized in Theorem 7.
a
Theorem 7. If FRO1 , FRO2 and FRO3 are programmable random oracles then πALSZ
UC-securely realizes the Oblivious Transfer Extension functionality in the FROT hybrid
model against adaptive (without erasures) active adversaries.
For proving adaptive security, the views of S and R require equivocation. Equivocation
of S’s view follows from the equivocation of S’s view in ALSZ13 protocol. Equivocation of R’s view is similar to that of ALSZ13 but in addition it requires simulating the
consistency checks correctly.
– Equivocation of S’s view: Sim simulates
the seed-OT by invoking the FROT func
tionality with a random s to obtain ksi i , for i ∈ [k]. If both parties are honest
then the simulation proceeds similar to the simulation for “Equivocation of S’s
view” (passive case) in Sec. 7.1. The consistency checks can be trivially simulated since S’s role is limited to verification of the checks. If AdvInt corrupts R∗
then Sim extracts the choice vector r′ . More specifically, Sim extracts R∗ ’s input,
(k0i , k1i ), by invoking the FROT simulator and computes r′ = Ei = r||τ from
Di using the seeds. Sim invokes the OT Extension functionality with r and obtains {xj,rj }j∈[m+κ] . Sim programs FRO3 (sid||j, Qj ⊕ (s ⊙ rj )) s.t. yj,rj opens
to xj,rj . In case of post execution corruption, Sim obtains (xj,0 , xj,1 ) and he programs FRO3 (sid||j, Qj ⊕ (s ⊙ rj )), s.t. yj,rj opens to xj,rj . To prevent equivocation
AdvInt has to guess the value of s and query Qj ⊕ (s ⊙ rj ) = Bj ⊕ s to FRO3 which
happens with negligible probability.
– Equivocation of R’s view: The view of R consists of his inputs, the seeds (k0i , k1i )
and the matrices, B, E and D. When R is honest, Sim plays the role of R in the
internal world where Sim obtains (k0i , k1i ) from FROT . If both parties are honest
then simulation proceeds similar to the simulation for “Equivocation of R’s view”
(passive case) in Sec. 7.1. The consistency checks are simulated by setting ha,b
α,β
values randomly, for all a, b ∈ {0, 1} and all pairs α, β ⊆ [k 2 ]. In case of post
execution corruption, Sim obtains r, and then based on the equivocated B, E and
D matrices, Sim can equivocate the ha,b
α,β values correctly by programming FRO2 .
32
Fig. 10: Adaptive OT Extension Protocol secure against active adversaries
κ
2
a
Protocol πALSZ
for obtaining 21 -OTm
ℓ from 1 -OTm
– Input of S: m pairs xj,0 , xj,1 j∈[m] of ℓ bit strings.
– Input of R: m selection bit vector r = (r1 , · · · , rm ) such that each rj ∈ {0, 1}.
– Security Parameter: k = 2κ.
– Functionalities: FRO1 : {0, 1}2κ → {0, 1}m+κ , FRO2 : {0, 1}m+κ → {0, 1}κ and
FRO3 : {0, 1}κ × [m] × {0, 1}k → {0, 1}ℓ respectively. FOT denotes OT functionality.
– Notations: In the protocol j ∈ [m + κ] and i ∈ [k], unless specified otherwise.
Seed OT Phase:
1. S samples s ∈ {0, 1}k and invokes FROT with message (rec, sid, (κ, si )) for k times
to obtain ksi i seeds.
2. R invokes FROT with message (sen, sid, (transfer, κ)) for k times to obtain (k0i , k1i )
seeds.
OT Extension Phase I:
1. R forms three (m + κ) × k matrices B, E and C in the following way and sends D to
S:
– Sets Bi = FRO1 (sid||k0i ).
– Samples τ ← {0, 1}κ and sets r′ = r||τ .
– Sets Ej = (rj′ || . . . ||rj′ ). Clearly, Ei = r′ .
– Set Di = Bi ⊕ FRO1 (sid||k1i ) ⊕ Ei .
2. On receiving D,S forms (m + κ) × k matrix Q with the jth column
of Q set as
i
i
i
Qi = si ⊙ Di ⊕ FRO1 (ksi i ). Clearly,
(i) Q = B ⊕ (si ⊙ E ) and (ii) Qj =
Bj ⊕ (s ⊙ Ej ) = Bj ⊕ (s ⊙ rj ) .
Check Phase:
1. For every pair α, β ⊆ [k2 ] and a, b ∈ {0, 1}, R defines the following four values:
a
b
ha,b
α,β = FRO2 (sid||FRO1 (sid||kα ) ⊕ FRO1 (sid||kβ ))
R sends each ha,b
α,β to S.
s
2. For every pair α, β ⊆ [k2 ], S knows sα , sβ , ksαα , kββ , Dα and Dβ . S checks that:
sα ,sβ
s
sα
(a) hα,β = FRO2 (sid||FRO1 (sid||kα ) ⊕ FRO1 (sid||kββ )).
s ,sβ
α
(b) hα,β
s
= FRO2 (sid||FRO1 (sid||ksαα ) ⊕ FRO1 (sid||kββ ) ⊕ Dα ⊕ Dβ ) =
s
FRO1 (sid||kββ )
⊕ rα ⊕ rβ ), where rα , rβ denotes r
FRO2 (sid||FRO1 (sid||ksαα ) ⊕
α
β
used in D , D respectively.
(c) Dα 6= Dβ .
In case one of these checks fails, S aborts and outputs ⊥.
OT Extension Phase II:
1. For every j ∈ [m], S computes yj,0 = xj,0 ⊕ FRO3 (sid||j, Qj ) and yj,1 = xj,1 ⊕
FRO3 (sid||j, Qj ⊕ s). S sends {yj,0 , yj,1 }j∈[m] to R.
2. For every j ∈ [m], R recovers zj = yj,rj ⊕ FRO3 (sid||j, Bj ). R outputs {zj }j∈[m] .
33
Fig. 11: The ideal functionality FROT for Random Oblivious Transfer
FROT
Initiate: On input (rec, sid, (ℓ, σ)) from R; if no message of the form (sid, (ℓ, σ)) is present
in memory, store (sid, (ℓ, σ)). Send (rec, sid) to S.
Transfer: On input (sen, sid, (transfer, ℓ)) from S, if no message of the form (sid, (ℓ, σ))
is present in memory, then abort. Else sample a0 , a1 ←R {0, 1}ℓ . Send (sent, sid, aσ )
to R and (sent, sid, (a0 , a1 )) to S.
Corruption: If Adv corrupts S∗ then receive (a0 , a1 ) from Adv and continue execution as
above using these values. If Adv corrupts R∗ the usual execution continues.
AdvInt lacks k0i and k1i , hence he cannot query the required argument to FRO2 s.t. it
would prevent equivocation of ha,b
α,β . Thus, the consistency checks can be correctly
simulated. If AdvInt corrupts S∗ then Sim extracts s vector from FROT simulator.
S computes FRO1 (sid||ksi i ) and simulates the B, E and D matrices according to
the simulation strategy in Section 7.1. For simulating the consistency checks the
2
ha,b
α,β values are randomly set, for all a, b ∈ {0, 1}. For every pair α, β ⊆ [k ], Sim
programs FRO2 as follows :
s
s ,s
α β
,
FRO2 (sid||FRO1 (sid||ksαα ) ⊕ FRO1 (sid||kββ )) = hα,β
s
s ,s
α β
.
FRO2 (sid||FRO1 (sid||ksαα ) ⊕ FRO1 (sid||kββ ) ⊕ Dα ⊕ Dβ ) = hα,β
(3)
If FRO2 is queried on other values by the adversary AdvInt then Sim answers it with
a random value. When R∗ gets corrupted, Sim programs FRO1 (sid||ksi i ) according
to Eq. 1. Furthermore, he programs FRO2 as follows:
s
s ,s
s
s ,s
α β
FRO2 (sid||FRO1 (sid||ksαα ) ⊕ FRO1 (sid||kββ )) = hα,β
α β
FRO2 (sid||FRO1 (sid||ksαα ) ⊕ FRO1 (sid||kββ )) = hα,β
(4)
s
AdvInt corrupting S∗ does not obtain ksαα and kββ except with negligible probability
as we are in the FROT hybrid model. It allows Sim to correctly program FRO2
s
involving ksαα and kββ , according to Eq. 4, permitting equivocation of R’s view
and completing the simulation for the consistency checks.
Optimized OT Extension: Our 3 round OT extension protocol requires consistency
check for each pair of columns, incurring an overhead of O(κ2 ) checks. It can be optimized to O(κ) checks by following the 5 round protocol of [ALSZ15]. In the optimized
protocol, the parties perform a 3 round coin-tossing subprotocol, after “OT Extension
Phase I”, where the first round of the subprotocol can be run in parallel with the last
round of “OT Extension Phase I”. The subprotocol returns a set of O(κ) pairs of column indices. R performs consistency check on those O(κ) pairs of columns and sends
the ha,b
α,β to S in parallel with the last round of the coin-tossing protocol. S verifies
the outcome of the coin-tossing protocol and the consistency checks. After successful
34
verification, S executes “OT Extension Phase II”. The work of [ALSZ15] proved static
security for this protocol. Adaptive security follows immediately if we perform the consistency checks using PRO (FRO1 and FRO2 ), similar to the 3 round protocol. S will
s
lack ksαα and kββ and Sim can equivocate R’s view according to Eq. 3. For empirical
results, we implement the 5 round protocol and compare it with the state-of-the-art OT
extension protocols.
7.3
Efficiency and Implications
p
a
Our protocols πALSZ
and πALSZ
requires one extra round, compared to the seed OTs,
and it matches with the round complexity of the state-of-the-art static OT extension
protocols [ALSZ13, KOS15, PSS17]. They also preserve the efficiency of the semihonest and actively secure protocols of [ALSZ13] and [ALSZ15] respectively. In concrete terms, the amortized cost for generating m copies of both semi-honest and active
adaptively secure 1-out-of-2 OTs is 3κ bits communication and 3 symmetric key operations per OT. The other costs - seed OTs, PRG expansion and consistency checks,
are independent of m. We present a few implications resulting from our OT Extension
protocols:
– Our semi-honest OT Extension protocol requires static semi-honest OT protocol
for the seed-OTs in a non-blackbox fashion, where we explicitly modified the simulation strategy for the static semi-honest OT. Thus, static semi-honest OT implies
adaptive semi-honest OT Extension under the PROM assumption in a non-blackbox
manner. Our theorem is summarized in Thm. 8. [LZ11] states that adaptive semihonest oblivious transfer cannot be constructed from static semi-honest oblivious
transfer in a black-box manner and we demonstrate that its possible in a nonblackbox way.
– If the random OT is instantiated using our receiver equivocal static OT protocol
then our actively secure OT Extension protocols requires 3 and 5 rounds, thereby
efficiently generating large number of OTs at an amortized cost of 3κ bits communication and 3 symmetric key operations per OT. However, the state-of-the-art
adaptively secure 1-out-of-2 OT protocols [BCG17] that have a round complexity
of 3 rounds, assume erasures, incur 27 exponentiations and communication of 10 κ
bits. Thus, we drastically reduce the cost of generating adaptive OTs.
– We can efficiently generate m log N copies of 1-out-of-2 OTs using our OT Extension protocol (following the previous approach) and then apply our adaptive
transformation (Sec. 6) to obtain m copies of 1-out-of-N OTs. The amortized cost
for each 1-out-of-N OT is N + 3 log N + 1 symmetric key operations. Whereas
the state-of-the-art adaptively secure 1-out-of-N OT protocols [BCG17, BDD+ 17]
require atleast O(N) exponentiations.
We have implemented our adaptively-secure variant of [ALSZ15] and presented the
results in Sec. 9. For implementation we have considered the optimized variant where
O(κ) are performed.
35
Theorem 8. If there exists an Oblivious Transfer protocol that is secure in the presence
of static semi-honest adversaries, then there exists an Oblivious Transfer Extension protocol from κ to poly(κ) that is secure in the presence of adaptive semi-honest adversaries, in a non-blackbox way, under the programmable random oracle assumption.
8
Non-Interactive UC-Secure Commitment Scheme
In this section we present our adaptively-secure NICOM scheme C OM, implemented by
protocol πCOM . The protocol πCOM (described in Fig. 12) is universally composable and
securely realizes the functionality FCOM (described in Fig. 3) in the crs model under
ORO assumption and Discrete Log (over a group G) assumption. Later in this section,
we demonstrate a protocol πCRS to generate an instance of the Discrete Log problem, as
the crs, in 4 rounds. Once the crs is generated, it can be used for subsequent instances
of C OM. Our crs generation algorithm is independent of the parties’ inputs and hence
it is adaptively-secure, rendering the whole protocol adaptively-secure under the ORO
assumption. Our protocol is also secure in the Global Random Oracle model [CJS14]
since we generate the local crs within the protocol, using πCRS .
8.1
Protocol Overview
We build upon the commitment scheme of Pedersen [Ped91], that relies on hardness of
Discrete Log problem. The Pedersen commitment inherently supports equivocation as
the message is statistically hidden in their case. However, for UC security the simulator,
acting on behalf of R, has to extract the message, of a corrupted S∗ , from the commitment. Our first approach was to apply an observable RO, i.e. FRO1 : {0, 1}poly(κ) → Zp ,
on the message being committed, i.e. FRO1 (sid||m), and then commit the response of
the ORO query in the Pedersen commitment. This would allow the simulator to observe the queries and obtain candidate message values. However, the simulator cannot
uniquely identify the message committed. It is necessary to extract the randomness, say
r1 , used in the commit phase so that the simulator can match the (message, randomness)
with the commitment value. We achieve this by enforcing S to bind to r1 using a second
ORO, i.e. FRO2 : {0, 1}κ × Zp → {0, 1}κ . S commits to r1 by means of the query
FRO2 (sid||r1 ). The hardness of the Discrete Log Problem ensures that a corrupted S∗
is unable construct more than one such (message, randomness) pair that matches the
Pedersen commitment.
However, the above technique demands binding to r1 using RO which in turn prevents equivocation by simulator, acting on behalf of S. In order to restore the equivocal
property, S is required to pad FRO2 (sid||r1 ) with fresh randomness r2 . This allows the
simulator to equivocate the commitments by equivocating the first part of the commitment c1 (Pedersen commitment on the message) separately, fixing r1 to a new value.
Now, the second part of the commitment c2 can be equivocated by using r1 and setting
r2 accordingly.
36
Fig. 12: Non-Interactive UC-Secure Commitment Scheme C OM
πCOM
– Public Inputs: The generator of group G is g. crs: (g, h) s.t. g = g and h = g x .
– Functionalities: Random Oracles FRO1 : {0, 1}poly(κ) → Zp and FRO2 : Zp → {0, 1}κ
denote two random oracles.
– Private Inputs: S has input message m and R does not have any input.
Commit Phase:
On receiving input (C OMMIT, sid, m) S performs the following:
– Computes a = FRO1 (sid||m).
– Samples r1 , r2 ←R Zp and forms C OM(m; r1 , r2 ) = (g a hr1 mod p, FRO2 (sid||r1 ) ⊕
r2 ) = (c1 , c2 ).
– Sends C OM(m; r1 , r2 ) to R as commitment to m.
Decommitment Phase:
On receiving input (D ECOMMIT, sid), S sends (m, r1 , r2 ) to R. R performs canonical verification of C OM using (m, r1 , r2 ) and outputs ACCEPT if verification succeeds, else outputs
REJECT.
8.2
Static Security
We show that our non-interactive commitment scheme C OM is secure against static
active adversaries and securely realizes the functionality FCOM in the UC model by
proving theorem 9.
Theorem 9. If FRO1 and FRO2 are observable random oracles and solving the Discrete
Log Problem is hard in multiplicative group G, then πCOM UC-securely realizes the
FCOM functionality in the crs model against static active adversaries.
Proof. Our proof is in the crs model where it is assumed that Sim knows the trapdoor
x s.t. h = g x for the crs − (g; h). The proof proceeds in two cases - first, where Adv
corrupts R∗ and second, where the Adv corrupts S∗ .
R∗ is corrupted: Adv corrupts R∗ in the real world, Sim corrupts R∗ in the ideal world
and AdvInt corrupts R∗ in the internal execution. During the commit phase, Sim commits to a random message m′ using (r1′ , r2′ ) as randomness, thereby computing C OM,
similar to an honest sender and sends C OM(m′ ; r1′ , r2′ ) to AdvInt . Sim further invokes
FCOM on behalf of R∗ to obtain the message (R ECEIPT, sid, S, R). In the decommit
phase, Sim invokes FCOM to obtain the message (D ECOMMIT, sid, m). On obtaining
the committed message m, Sim provides randomness (r1 , r2 ) s.t. C OM decommits to
m. The randomness (r1 , r2 ) is computed by Sim as follows:
– Let a = FRO1 (sid||m) and a′ = FRO1 (sid||m′ ).
– The trapdoor x is known to Sim. Sim generates (r1 , r2 ) s.t the values of (c1 , c2 )
remain unchanged while the commitment is being equivocated. Sim does so by
37
solving equations 5 and 6:
′
′
g a hr1 mod p = g a hr1 mod p
′
′
=⇒ g a+r1 x mod p = g a +r1 x mod p
=⇒ a + r1 x = a′ + r1′ x
=⇒ r1 = (a′ − a + r1′ x)x−1
(5)
FRO2 (sid||r1 ) ⊕ r2 = FRO2 (sid||r1′ ) ⊕ r2′
=⇒ r2 = FRO2 (sid||r1′ ) ⊕ r2′ ⊕ FRO2 (sid||r1 )
(6)
Sim provides (m, r1 , r2 ), as opening to the commitment C OM, to AdvInt .
At the end of the protocol, AdvInt sends its view to Sim. Sim forwards the view to Z
who halts with an output.
Indistinguishbaility : We show that the real world view of Z is indistinguishable
from the ideal world view by showing that the following two hybrids are statistically
indistinguishable.
– HYBR : Real world execution of the protocol.
– HYBI : Same as HYBR , except that, Sim commits to a random message m′ using (r1′ , r2′ ) as randomness and opens to m in the decommit phase using different
randomness (r1 , r2 ). HYBI corresponds to the ideal world view of Z. It follow
from Eq. 5 and 6 that the committed message remains statistically hidden in C OM.
Hence, ∀m, m′ , r1′ , r2′ , Sim can always find a consistent pair of randomness (r1 , r2 )
s.t the commitment opens to m, provided Sim knows the trapdoor value x. This
proves statistical indistinguishability of the two worlds.
S∗ is corrupted: Adv corrupts S∗ in the real world, Sim corrupts S∗ in the ideal world
and AdvInt corrupts S∗ in the internal execution. Sim emulates the role of an honest R
against AdvInt in the internal execution. Sim plays the role of S∗ in FCOM . During the
commit phase, Sim obtains the commitment C OM(m) from AdvInt in the internal execution. He observes the random oracle queries (both FRO1 and FRO2 ) made by AdvInt
and tries to extract the committed message m. Sim aborts if it fails to extract the message. Let us assume that AdvInt makes s random oracle queries during the commit phase
and Sim records them as (q1 , q2 , . . . , qs ). We denote a (qi , qj ) pair as valid, if qi was
queried to FRO1 , qj was queried to FRO2 and the following holds:
g FRO1 (sid||qi ) hqj mod p = c1 .
(7)
where C OM(m) = (c1 , c2 ) is received from AdvInt by Sim. Sim runs over all possible pairs of (qi , qj ) to find the valid pair(s). Based on the number of valid pair(s)
discovered, Sim performs the following :
– If there does not exist any valid pair then Sim samples m′ ←R G and sends
(C OMMIT, sid, m′ ) to FCOM .
38
– If there exists a unique valid (qi , qj ) pair then Sim sends (C OMMIT, sid, qi ) to
FCOM .
– If there exists more than one valid pair then Sim samples m′ ←R G and sends
(C OMMIT, sid, m′ ) to FCOM .
In the decommitment phase, AdvInt sends (m, r1 , r2 ) to Sim. Sim verifies the commitment and aborts if verification fails in the internal execution. Whereas, Sim aborts in
the ideal world as well as in FCOM if the following holds:
– Case 1: If there was no valid pair.
– Case 2: If there was one valid (qi , qj ) pair, and qi 6= m.
– Case 3: If there exists more than one valid pair.
If none of the above conditions hold, then Sim has an unique valid (qi , qj ) pair, s.t.
qi = m and qj = r1 . He sends (D ECOMMIT, sid) to FCOM to complete simulation of
FCOM . At the end of the protocol, AdvInt sends its view to Sim. Sim forwards the view
to Z who halts with an output.
Indistinguishability : We show that the real world view of Z is indistinguishable from
the ideal world view by showing that the following two hybrids are computationally
indistinguishable.
– HYBR : Real world execution of the protocol.
– HYBI : It represents the ideal world execution of the protocol Z can distinguish
between the two hybrids (or worlds) if Sim aborts in ideal world and FCOM , while
the honest R completes the protocol in real world. This occurs when the decommitment to C OM provided by AdvInt verifies correctly but Sim fails to extract the
underlying committed message in the internal execution. This event has been captured as an union of three exhaustive cases presented in the simulation. We will
show that each case occurs with negligible probability:
- Case 1: This case shows that AdvInt obtained FRO1 (sid||m) and FRO2 (sid||r1 )
without querying m or r1 to the random oracle during the commit phase. The
random oracle assumption ensures that the query results would be random.
Hence AdvInt can guess FRO1 (sid||m) (or FRO2 (sid||r1 )) without querying m
(or r1 ) with negligible probability.
- Case 2: This case demonstrates that either AdvInt obtained FRO1 (sid||m) and
FRO2 (sid||r1 ) without querying m or r1 to the random oracle during the commit phase, or the AdvInt possesses two valid pairs (qi , qj ) and (m, r). The first
event occurs with negligible probability as we are in the RO model. And the
occurrence of the second event implies that the DLP problem can be solved by
using AdvInt as a blackbox. The adversary AdvDLP will obtain a challenge instance (g, h) = (g, g x ) from the challenger ChallDLP of the DLP game. AdvDLP
will invoke the AdvInt while simulating the role of an honest R in the commitment scheme with crs = (g, h). AdvDLP will observe the queries made by
AdvInt to obtain a valid pair (qi , qj ). He will receive the commitment C OM
39
from AdvInt . Upon obtaining the decommitment, (m, r), to C OM, AdvDLP will
find x as follows:
g FRO1 (sid||qi ) hqj = g FRO1 (sid||m) hr mod p
=⇒
g FRO1 (sid||qi )+qj x = g FRO1 (sid||m)+rx mod p
=⇒
FRO1 (sid||qi ) + qj x = FRO1 (sid||m) + rx
=⇒ x = (FRO1 (sid||qi ) − FRO1 (sid||m))(r − qj )−1
(8)
However, we assume that the DLP problem is hard in group G and hence this
case occurs with negligible probability.
- Case 3: This case indicates that AdvInt obtains two or more valid pairs. This
again implies that either the DLP problem has been solved by AdvInt or AdvInt
found a collision in the random oracle queries. Let us denote two such valid
pairs as (qi , qj ) and (qi′ , qj′ ). We will further split this case into two more subcases for analysis based on the equality of FRO1 (sid||qi ) and FRO1 (sid||qi′ )
values.
i. qi 6= qi′ , FRO1 (sid||qi ) = FRO1 (sid||qi′ ), qj = qj′ : This indicates that AdvInt
found a collision in the random oracle queries as qi 6= qi′ . However, this
event occurs with negligible probability as we are in the random oracle
model.
ii. qi 6= qi′ , FRO1 (sid||qi ) 6= FRO1 (sid||qi′ ), qj 6= qj′ : In this case, AdvInt can
be used as blackbox by AdvDLP to solve the DLP problem. AdvDLP will
invoke the AdvInt while simulating the role of an honest R in the commitment scheme with crs = (g, h). AdvDLP will observe the queries made
by AdvInt to obtain two valid pairs (qi , qj ) and (qi′ , qj′ ) s.t. qi 6= qi′ and
qj 6= qj′ . AdvDLP solves the DLP problem by finding x as follows:
′
′
′
′
g FRO1 (sid||qi ) hqj = g FRO1 (sid||qi ) hqj mod p
=⇒
=⇒
g FRO1 (sid||qi )+qj x = g FRO1 (sid||qi )+qj x mod p
FRO1 (sid||qi ) + qj x = FRO1 (sid||qi′ ) + qj′ x
=⇒ x = (FRO1 (sid||qi ) − FRO1 (sid||qi′ ))(qj′ − qj )−1
(9)
However, we assume that the DLP problem is hard in group G and hence
this case occurs with negligible probability.
The other two cases involve FRO1 (sid||qi ) = FRO1 (sid||qi′ ), qj 6= qj′ and
FRO1 (sid||qi ) 6= FRO1 (sid||qi′ ), qj = qj′ for qi 6= qi′ . However, in these cases,
it is not possible for both (qi , qj ), (qi′ , qj′ ) to be valid pairs (refer condition for
′
′
valid pair in Eq 7) as g FRO1 (qi ) hqj 6= g FRO1 (qi ) hqj . There maybe atmost one
valid pair, for which the analysis follows from Case 1 and 2.
8.3
Adaptive Security
Interestingly, our commitment scheme πCOM (Fig 12) also satisfies the stronger security
notion of adaptivity under the observable random oracle assumption in the crs setup.
We briefly discuss the proof in this section.
40
Theorem 10. If FRO1 and FRO2 are observable random oracles and solving the Discrete Log Problem is hard in multiplicative group G, then protocol πCOM UC-securely
realizes the FCOM functionality in the crs model against adaptive active adversaries
(without erasures).
Proof. To prove adaptive security, we require Sim to equivocate the views of R and
S appropriately on adaptive corruption in addition to static security. We divide our
simulation into cases based on the party being corrupted:
R∗ is corrupted: R does not have any private input or input randomness, and so the
role of R in the protocol is restricted to verifying the commitments upon obtaining the
message (m) and randomness (r1 and r2 ) during the decommitment phase. When AdvInt
corrupts R∗ at any stage, i.e. commit phase, decommitment phase or post execution of
the protocol, Sim returns a random tape as the internal randomness of R∗ .
S∗ is corrupted: Sim closely imitates the role of the simulator for static corruption
when S∗ gets corrupted adaptively. If AdvInt corrupts S∗ in the beginning of the protocol or before the commitment is sent, Sim returns a random tape as the internal randomness of S∗ . If AdvInt corrupts S∗ after the commitment is sent, i.e. in decommitment phase or post execution, then Sim needs to equivocate. Sim initially commits to a
dummy message m′ and upon corruption of S∗ , Sim obtains message m and successfully equivocates the commitment to open to m using randomness (r1 , r2 ) (computed
as described in the proof of Theorem 9). Z cannot distinguish between the commitment
to m′ and commitment to the actual value due to the statistical hiding property of the
scheme. Equivocation follows from the equivocal property as proven for the static case.
8.4
Generation of crs using Observable Random Oracle
For our protocol πCOM , the involved parties require a crs of the form (g, h), where
h = g x . Also, the simulator should have the knowledge of the trapdoor x in order to
perform simulation. The crs can be trivially generated if we assume a PRO. The parties can generate the crs as FRO (sid||“com”). Sim samples x and programs the RO to
return (g, h) s.t. h = g x . This preserves adaptive security of πCOM when the crs generation algorithm is included as part of πCOM . However we are interested in generating
the crs without relying on the programmability of the RO. This can be achieved by executing a 2PC protocol πCRS (Fig. 13) relying solely on the observability property of the
RO. Once the crs is generated it can be reused for subsequent commitments between
the parties. By generating the crs as part of the protocol it can be concluded that our
commitment scheme is adaptively secure in the Global Random Oracle model.
Intuition: Our πCRS protocol proceeds in two phases - coin tossing and zero knowledge proof of knowledge (ZKPoK). The parties perform coin tossing to generate random shares hS and hR . These shares are then used to obtain h = hS .hR . Once the coin
tossing is performed, they engage in ZKPoK in order to prove the knowledge of trapdoors to their respective shares, i.e. hS and hR respectively. The ZKPoK enables the
simulator of πCRS to extract the corrupted party’s share in order to obtain the trapdoor
41
Fig. 13: Generating crs = (g, h) for πCOM using FRO
πCRS
– Public Inputs: The generator of group G is g.
– Functionality: Random oracle FRO : {0, 1}poly(κ) → {0, 1}κ .
– Private Inputs: The parties do not have any input.
Coin Tossing:
– Round 1:
- S samples xS ←R Zp , computes hS = g xS mod p and sends FRO (sid||hS ) to R.
- R samples xR ←R Zp , computes hR = g xR mod p and sends FRO (sid||hR ) to S.
– Round 2:
- S sends hS to R.
- R sends hR to S.
– Computation:
- S verifies FRO (sid||hR ) and computes h = hS .hR mod p, else aborts.
- R verifies FRO (sid||hS ) and computes h = hS .hR mod p, else aborts.
Zero Knowledge Proof of Knowledge:
S and R perform the following steps in parallel with their roles interchanged.
– Round 1:
- R samples a challenge string c ←R {0, 1}ν and sends FRO (sid||c) to S.
– Round 2:
- S computes ν garbled circuits, by sampling seedi ←R {0, 1}κ and (GCi , ei , di ) ←
Gb(PRG(seedi ), C) where C computes g x , for i ∈ [ν].
- S sends FRO (sid||seedi ), FRO (sid||GCi ) and di to R.
– Round 3:
- R reveals c to S. S verifies FRO (sid||c) and aborts if verification fails.
– Round 4: (Let ci denote ith bit of c)
- If ci = 0, then GCi is a check circuit and S sends seedi to R.
- If ci = 1, then GCi is an evaluation circuit and S sends X = En(xS , ei ) to R.
– Computation:
- R verifies the check circuit GCi as Ve(C, GCi , ei ), if ci = 0, else he aborts.
- R computes y = De(Ev(GCi , X)), if ci = 1, and aborts if y 6= hS .
- R stores (g, h) as the crs.
to (g, h). Our coin tossing protocol requires 2 rounds and ZKPoK consumes 4 rounds.
However, the first 2 rounds of the ZKPoK can be parallelized with the coin tossing protocol, thus yielding a 4 round protocol for crs generation. The coin tossing is performed
using the random oracle and the ZKPoK is performed by plugging a simplified ZK version of [HV16] which uses garbled circuits and random oracle only. Note that we need
a ZKPoK protocol which can be implemented using an ORO and without relying on
any other setup assumption. This rules out the possibilities of using efficient ZKPoK
protocol of [JKO13] since it uses an OT, which would further require other setup assumptions. However, the interactive ZKPoK variants of “MPC-in-the-head” protocols
[GMO16, AHIV17] also suffices for our purpose.
42
Static Security: We prove that πCRS generates crs in the presence of static active adversaries. Since our protocol is symmetric, we consider the case where S∗ is corrupted
and simulator Sim plays the role of honest R. Sim behaves like an honest R throughout the protocol and extracts the trapdoor xS from the ZKPoK sent by S∗ . Sim plays
the role of an evaluator in the ZKPoK whereas S∗ plays the role of a constructor. Sim
extracts the seeds, for all circuits sent by S∗ , by observing the queries made to FRO and
matching them with FRO (sid||seedi ). Sim generates the encoding information of all
evaluation circuits from the seeds. Finally, Sim extracts the input witness xS of S∗ , by
matching the input wire labels, of the evaluation circuit, with the encoding information,
of the evaluation circuit. On the other hand, Sim can simulate the ZKPoK, on behalf
of constructor, by behaving like an honest R since he knows the trapdoor xR sampled
by him. A corrupt S∗ cannot extract any information about xR due to the privacy of the
garbling scheme.
Adaptive Security: We prove that protocol πCRS is adaptively-secure by observing that
the parties do not have any private inputs at the outset of the protocol. The simulator
can simulate by running honest sender/receiver algorithms as required. Upon corruption
of a party, the simulator can reveal its random tape for the corresponding party. The
simulated honest party’s view will be indistinguishable from the real honest party’s
view since in both cases the protocol transcripts are honestly generated using a random
tape. This proves that our protocol πCRS UC-securely generates the crs required for our
commitment scheme.
8.5
Final Commitment Scheme π = πCRS + πCOM
We can combine πCRS and πCOM to obtain an UC-secure protocol π which implements
FCOM functionality in the presence of adaptive adversaries solely relying on ORO. The
security has been summarized in Theorem. 11. It can be proven secure in the GRO of
[CJS14] since it does not require a local crs.
Theorem 11. If Garble = (Gb, En, Ev, De, Ve) is a private, verifiable garbling scheme
and solving the Discrete Log Problem is hard in multiplicative group G, if πCOM implements FCOM functionality against active adaptive adversaries in the crs, ORO-model
and πCRS generates the crs against active adaptive adversaries in the ORO model, then
π = πCRS + πCOM implements FCOM functionality against active adaptive adversaries
(without erasures) in the ORO-model.
8.6
Efficiency of π
We analyze the efficiency of π by analyzing the efficiency of πCRS and πCOM separately.
The πCRS protocol requires 4 rounds and has a computation cost of 2 exponentiations,
8ν + 8 oracle queries, construction and evaluation of 2ν circuits. The communication
cost is 2ν circuits + (8 + 4ν + 2κ) strings of κ bits. However, it is a one-time cost which
would get amortized when multiple commitments are performed using the same crs.
Next, we analyze the efficiency of πCOM . The length of our commitment is one group
element and one κ bit string, independent of the message length. Decommitment incurs
43
communication of two group elements. The computation is also minimal, incurring one
random oracle query on |m| bits, one oracle query on a κ bits string and two exponentiations on sender’s side for committing. Decommitment incurs similar computation overhead on the receiver’s end. It is non-interactive in both commitment and decommitment
phase. This yields an efficient adaptively secure commitment scheme which is practically motivated for offline-online 2PC/MPC protocols [HKK+ 14, LR14, LR15, RR16].
The πCRS protocol can be run in the offline phase while the commitment scheme can
be conveniently used in the online phase.
9
Implementation Details
In this section, we support our theoretical claims with empirical details. First, we talk
about the hardware configuration of our system and then we compare our results with
other relevant protocols in the literature. We specifically compare against the stateof-the-art statically secure protocols to establish the fact that we achieve upgrade in
security with minimal overhead.
Hardware Details: We have tested the code in a standard LAN network and a simulated
WAN setting. Our machine has 8GB RAM and an Intel Core i5-4690 CPU with 3.5 GHz
processor speed. For WAN simulation, we used the tc tool of Linux and introduced a
round trip delay of 100 milliseconds into the network, with a bandwidth of 20Mbps.
Software Details: To establish OT results, first we compare the performance of our
adaptively secure OT with the statically secure PVW OT, both under DDH assumption. Table 5 shows the results for LAN and WAN setting for a message size of 128
bits. Second, for OT Extension, we build upon the OT extension code made available
by Encrypto group on github [OTC]. It contains the OT extension implementations of
KK13, NNOB and ALSZ in C++, using the Miracl library for elliptic curve arithmetic.
Additionally, we have received the code from the authors of [PSS17] and used it in our
comparison for 1-out-of-N OT extension. The random oracle in our protocol has been
implemented by the use of standard AES-128 and SHA-256 hash function. We require
190, 342, 256 and 190 seed OTs for ALSZ, NNOB, PSS and our protocol respectively
to obtain the necessary security. Tables 6 and 7 give a detailed view of cost involved in
attaining 1-out-of-2 OT Extension and 1-out-of-N (1-out-of-16) OT Extension respectively in both LAN and WAN setting over various values of m which is the number of
OTs generated. For our adaptively secure commitment scheme, we use SHA-256 as a
standard replacement to Observable Random Oracle and tabulate efficiency values over
various message lengths as depicted in 4. For all implementation purposes, we set the
computational security parameter to be κ = 128 and the statistical security parameter
to be ν = 40.
Comparison: Tables 5, 6 and 7 compares the performance of our adaptively secure
protocols against the existing state-of-the-art static protocols. Our adaptively secure
OT protocol has a mere overhead of 0.02% and 1.0% over the PVW protocol in the
LAN and WAN setting respectively. This overhead is nominal compared to the security
44
Table 5: Table indicating implementation results for Oblivious Transfer protocol in the
LAN setting for κ=128.
Msg Size
Runtime Runtime Comm. (bits) Comm. (bits)
Setting
n (bits)
of S (s) of R (s)
of S (s)
of R (s)
Scheme
PVW
(Static, DDH based)
128
LAN
WAN
1.675
4.321
0.970
1.681
512
512
256
256
Our Scheme
(Adaptive, DDH-based)
128
LAN
WAN
1.676
4.329
0.971
1.690
512
512
384
384
achieved. We can in fact consider this to be an upgrade in security and ideally suited for
real world applications, at the cost of static OT. From Fig. 14 we can see that our protocol has minimal overhead over the static 1-out-of-2 OT extension protocols. We incur
an overhead of 2% and 11.95% over ALSZ, 8% and almost no overhead over NNOB in
the LAN and WAN setting respectively in terms of computation. Communication wise,
we incur 2.4% overhead over ALSZ and none over NNOB. For generating 1-out-of-16
OT, we incur an overhead of 0.6% and 0.6% over ALSZ, 2% and 7% NNOB, 16% and
24% over PSS in LAN and WAN runtime. In concrete terms, each extended 1-out-of-2
adaptive OT costs around .104-2 µs based on the number of OTs generated together.
The implementation of KOS [KOS15] is not available in the public domain. ALSZ has
24% overhead over [IKNP03] and KOS has 5% over [IKNP03] in LAN setting. This
translates to 18% overhead of ALSZ over KOS. Based on that we can compare accordingly with KOS, by comparing with ALSZ. Similarly each extended 1-out-of-16
adaptive OT costs around 21µs. Hence, our OT extension protocols generates practically efficient OTs which can find useful applications in real-life protocols that demand
adaptive security. We compare our commitment scheme with the state-of-the-art adaptive protocol of [HM04]. Our scheme requires around 0.20 ms for committing to a string
of length 2048 bits, whereas they require around 0.48ms. This implies our scheme is
approx. 2 times faster compared to [HM04]. Tab. 4 compares our protocol with [HM04]
for various message sizes and demonstrates our efficiency gain.
Table 6: Performance Comparison of our adaptive OT extension with the state-of-the-art static
OT extensions for generating 1-out-of-2 OTs. The value of m denotes the number of OTs generated and κ = 128.
m Runtime in LAN (in sec) Runtime in WAN (in sec) Communication (in MB)
(105 ) ALSZ NNOB Ours ALSZ NNOB Ours ALSZ NNOB Ours
1.25
2.5
5
12.5
0.234
0.350
0.590
1.237
0.127
0.270
0.562
1.329
0.253
0.369
0.610
1.259
14.35 14.75 14.469 11.00
26.44 27.11 26.569 21.96
51.02 52.43 51.14 43.90
123.9 127.43 124.024 109.74
45
13.36
26.70
53.38
133.45
11.024
21.984
43.924
109.764
Table 7: Performance Comparison of our adaptive OT extension with the state-of-the-art static
OT extensions for generating 1-out-of-16 OTs. The value of m denotes the number of OTs generated and the value of the security parameter is κ = 128.
Runtime in LAN (in sec)
Runtime in WAN (in sec)
Communication (in MB)
ALSZ NNOB PSS Ours ALSZ NNOB PSS Ours ALSZ NNOB PSS Ours
m
1.25 × 105
2.5 × 105
5 × 105
1.25 × 106
02.65
05.26
10.04
24.81
02.61 2.30
05.05 4.50
10.10 9.0
24.84 22.50
2.668
5.287
10.062
24.836
18.10
33.80
65.00
158.60
16.90
31.40
60.40
143.20
14.62
26.45
50.75
121.94
18.218
34.019
65.119
159.76
16.67
33.33
66.62
166.54
21.60
43.21
86.39
215.95
4.77
9.54
19.08
47.70
16.693
33.353
66.643
166.563
Fig. 14: Performance Comparison of OT extensions for producing 1-out-of-2 OTs on 16 bits.
The x-axis denotes number of OTs (order 105 ) and y-axis denotes runtime for graphs (a); (b) and
communication (MB) for graph (c).
(b) WAN Runtime
1
0.5
(c) Communication
ALSZ
NNOB
Ours
100
Communication (MB)
ALSZ
NNOB
Ours
Runtime (s)
Runtime (s)
(a) LAN Runtime
50
ALSZ
NNOB
Ours
100
50
0
1.25
2.5
5
12.5
5
Number of OTs (of order 10 )
10
1.25
2.5
5
12.5
5
Number of OTs (of order 10 )
1.25
2.5
5
12.5
Number of OTs (of order 105 )
Conclusion
In this paper, we presented UC-secure, efficient round-optimal protocols for cryptographic primitives, secure against adaptive adversaries aided with asymptotic and empirical costs. Our OT and OT extension schemes rely solely on programmability of
random oracle as a setup assumption, while our commitment scheme relies on the observability of random oracle. Our OT and commitment scheme are secure in the GRO
model, making it the first adaptive OT and commitment scheme in the strong GUC
model and thereby realistic for applications. We have validated our claims with robust
implementation results supported by tables; graphs depicting the cost incurred for computation and communication in various settings. These results highlight the prospective
practicality of our protocols in the adaptive setting. Finally, we leave it as an open problem to obtain a fully simulatable adaptive OT in the GRO model and an OT extension
based on assumptions weaker than random oracle.
46
References
ABB+ 13.
ABP17.
AHIV17.
AIR01.
ALSZ13.
ALSZ15.
BC15.
BC16.
BCG17.
BCPV13.
BCR86.
Michel Abdalla, Fabrice Benhamouda, Olivier Blazy, Céline Chevalier, and David
Pointcheval. Sphf-friendly non-interactive commitments. In Advances in Cryptology - ASIACRYPT 2013 - 19th International Conference on the Theory and Application of Cryptology and Information Security, Bengaluru, India, December 1-5,
2013, Proceedings, Part I, pages 214–234, 2013.
Michel Abdalla, Fabrice Benhamouda, and David Pointcheval. Removing erasures
with explainable hash proof systems. In Public-Key Cryptography - PKC 2017 20th IACR International Conference on Practice and Theory in Public-Key Cryptography, Amsterdam, The Netherlands, March 28-31, 2017, Proceedings, Part I,
pages 151–174, 2017.
Scott Ames, Carmit Hazay, Yuval Ishai, and Muthuramakrishnan Venkitasubramaniam. Ligero: Lightweight sublinear arguments without a trusted setup. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications
Security, CCS 2017, Dallas, TX, USA, October 30 - November 03, 2017, pages
2087–2104, 2017.
William Aiello, Yuval Ishai, and Omer Reingold. Priced oblivious transfer: How to
sell digital goods. In Advances in Cryptology - EUROCRYPT 2001, International
Conference on the Theory and Application of Cryptographic Techniques, Innsbruck,
Austria, May 6-10, 2001, Proceeding, pages 119–135, 2001.
Gilad Asharov, Yehuda Lindell, Thomas Schneider, and Michael Zohner. More
efficient oblivious transfer and extensions for faster secure computation. In 2013
ACM SIGSAC Conference on Computer and Communications Security, CCS’13,
Berlin, Germany, November 4-8, 2013, pages 535–548, 2013.
Gilad Asharov, Yehuda Lindell, Thomas Schneider, and Michael Zohner. More
efficient oblivious transfer extensions with security for malicious adversaries. In
Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Sofia, Bulgaria,
April 26-30, 2015, Proceedings, Part I, pages 673–701, 2015.
Olivier Blazy and Céline Chevalier. Generic construction of uc-secure oblivious
transfer. In Applied Cryptography and Network Security - 13th International Conference, ACNS 2015, New York, NY, USA, June 2-5, 2015, Revised Selected Papers,
pages 65–86, 2015.
Olivier Blazy and Céline Chevalier. Structure-preserving smooth projective hashing. In Advances in Cryptology - ASIACRYPT 2016 - 22nd International Conference on the Theory and Application of Cryptology and Information Security, Hanoi,
Vietnam, December 4-8, 2016, Proceedings, Part II, pages 339–369, 2016.
Olivier Blazy, Céline Chevalier, and Paul Germouty. Almost optimal oblivious
transfer from QA-NIZK. In Applied Cryptography and Network Security - 15th
International Conference, ACNS 2017, Kanazawa, Japan, July 10-12, 2017, Proceedings, pages 579–598, 2017.
Olivier Blazy, Céline Chevalier, David Pointcheval, and Damien Vergnaud. Analysis and improvement of lindell’s uc-secure commitment schemes. In Applied Cryptography and Network Security - 11th International Conference, ACNS 2013, Banff,
AB, Canada, June 25-28, 2013. Proceedings, pages 534–551, 2013.
Gilles Brassard, Claude Crépeau, and Jean-Marc Robert. All-or-nothing disclosure
of secrets. In Advances in Cryptology - CRYPTO ’86, Santa Barbara, California,
USA, 1986, Proceedings, pages 234–238, 1986.
47
BDD+ 17.
Paulo S. L. M. Barreto, Bernardo David, Rafael Dowsley, Kirill Morozov, and Anderson C. A. Nascimento. A framework for efficient adaptively secure composable
oblivious transfer in the ROM. IACR Cryptology ePrint Archive, abs/1710.08256,
2017.
Bea96.
Donald Beaver. Correlated pseudorandomness and the complexity of private computations. In Proceedings of the Twenty-Eighth Annual ACM Symposium on the
Theory of Computing, Philadelphia, Pennsylvania, USA, May 22-24, 1996, pages
479–488, 1996.
BHR12.
Mihir Bellare, Viet Tung Hoang, and Phillip Rogaway. Foundations of garbled circuits. In the ACM Conference on Computer and Communications Security, CCS’12,
Raleigh, NC, USA, October 16-18, 2012, pages 784–796, 2012.
BMR90.
Donald Beaver, Silvio Micali, and Phillip Rogaway. The round complexity of secure protocols (extended abstract). In Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, May 13-17, 1990, Baltimore, Maryland, USA, pages
503–513, 1990.
Can01.
Ran Canetti. Universally composable security: A new paradigm for cryptographic
protocols. In 42nd Annual Symposium on Foundations of Computer Science, FOCS
2001, 14-17 October 2001, Las Vegas, Nevada, USA, pages 136–145, 2001.
CDD+ 15. Ignacio Cascudo, Ivan Damgård, Bernardo Machado David, Irene Giacomelli, Jesper Buus Nielsen, and Roberto Trifiletti. Additively homomorphic UC commitments with optimal amortized overhead. In Public-Key Cryptography - PKC 2015
- 18th IACR International Conference on Practice and Theory in Public-Key Cryptography, Gaithersburg, MD, USA, March 30 - April 1, 2015, Proceedings, pages
495–515, 2015.
CDD+ 16. Ignacio Cascudo, Ivan Damgård, Bernardo David, Nico Döttling, and Jesper Buus
Nielsen. Rate-1, linear time and additively homomorphic UC commitments. In
Advances in Cryptology - CRYPTO 2016 - 36th Annual International Cryptology
Conference, Santa Barbara, CA, USA, August 14-18, 2016, Proceedings, Part III,
pages 179–207, 2016.
CDG+ 18. Jan Camenisch, Manu Drijvers, Tommaso Gagliardoni, Anja Lehmann, and Gregory Neven. The wonderful world of global random oracles. Cryptology ePrint
Archive, Report 2018/165, 2018. https://eprint.iacr.org/2018/165.
CDMW09a. Seung Geol Choi, Dana Dachman-Soled, Tal Malkin, and Hoeteck Wee. Improved
non-committing encryption with applications to adaptively secure protocols. In
Advances in Cryptology - ASIACRYPT 2009, 15th International Conference on the
Theory and Application of Cryptology and Information Security, Tokyo, Japan, December 6-10, 2009. Proceedings, pages 287–302, 2009.
CDMW09b. Seung Geol Choi, Dana Dachman-Soled, Tal Malkin, and Hoeteck Wee. Simple,
black-box constructions of adaptively secure protocols. In Theory of Cryptography, 6th Theory of Cryptography Conference, TCC 2009, San Francisco, CA, USA,
March 15-17, 2009. Proceedings, pages 387–402, 2009.
CDPW07. Ran Canetti, Yevgeniy Dodis, Rafael Pass, and Shabsi Walfish. Universally composable security with global setup. In Theory of Cryptography, 4th Theory of Cryptography Conference, TCC 2007, Amsterdam, The Netherlands, February 21-24,
2007, Proceedings, pages 61–85, 2007.
CF01.
Ran Canetti and Marc Fischlin. Universally composable commitments. In Advances
in Cryptology - CRYPTO 2001, 21st Annual International Cryptology Conference,
Santa Barbara, California, USA, August 19-23, 2001, Proceedings, pages 19–40,
2001.
48
CJS14.
CKWZ13.
CLOS02.
CO15.
DDGN14.
DG03.
FLM11.
Fuj16.
GH08.
GIKW14.
GIR17.
GKPS18.
GMO16.
Ran Canetti, Abhishek Jain, and Alessandra Scafuro. Practical UC security with
a global random oracle. In Proceedings of the 2014 ACM SIGSAC Conference
on Computer and Communications Security, Scottsdale, AZ, USA, November 3-7,
2014, pages 597–608, 2014.
Seung Geol Choi, Jonathan Katz, Hoeteck Wee, and Hong-Sheng Zhou. Efficient,
adaptively secure, and composable oblivious transfer with a single, global CRS. In
Public-Key Cryptography - PKC 2013 - 16th International Conference on Practice and Theory in Public-Key Cryptography, Nara, Japan, February 26 - March 1,
2013. Proceedings, pages 73–88, 2013.
Ran Canetti, Yehuda Lindell, Rafail Ostrovsky, and Amit Sahai. Universally composable two-party and multi-party secure computation. In Proceedings on 34th
Annual ACM Symposium on Theory of Computing, May 19-21, 2002, Montréal,
Québec, Canada, pages 494–503, 2002.
Tung Chou and Claudio Orlandi. The simplest protocol for oblivious transfer. In
Progress in Cryptology - LATINCRYPT 2015 - 4th International Conference on
Cryptology and Information Security in Latin America, Guadalajara, Mexico, August 23-26, 2015, Proceedings, pages 40–58, 2015.
Ivan Damgård, Bernardo Machado David, Irene Giacomelli, and Jesper Buus
Nielsen. Compact VSS and efficient homomorphic UC commitments. In Advances in Cryptology - ASIACRYPT 2014 - 20th International Conference on the
Theory and Application of Cryptology and Information Security, Kaoshiung, Taiwan, R.O.C., December 7-11, 2014, Proceedings, Part II, pages 213–232, 2014.
Ivan Damgård and Jens Groth. Non-interactive and reusable non-malleable commitment schemes. In Proceedings of the 35th Annual ACM Symposium on Theory
of Computing, June 9-11, 2003, San Diego, CA, USA, pages 426–437, 2003.
Marc Fischlin, Benoı̂t Libert, and Mark Manulis. Non-interactive and re-usable
universally composable string commitments with adaptive security. In Advances in
Cryptology - ASIACRYPT 2011 - 17th International Conference on the Theory and
Application of Cryptology and Information Security, Seoul, South Korea, December
4-8, 2011. Proceedings, pages 468–485, 2011.
Eiichiro Fujisaki. Improving practical uc-secure commitments based on the DDH
assumption. In Security and Cryptography for Networks - 10th International Conference, SCN 2016, Amalfi, Italy, August 31 - September 2, 2016, Proceedings,
pages 257–272, 2016.
Matthew Green and Susan Hohenberger. Universally composable adaptive oblivious transfer. In Advances in Cryptology - ASIACRYPT 2008, 14th International
Conference on the Theory and Application of Cryptology and Information Security,
Melbourne, Australia, December 7-11, 2008. Proceedings, pages 179–197, 2008.
Juan A. Garay, Yuval Ishai, Ranjit Kumaresan, and Hoeteck Wee. On the complexity of UC commitments. In Advances in Cryptology - EUROCRYPT 2014 33rd Annual International Conference on the Theory and Applications of Cryptographic Techniques, Copenhagen, Denmark, May 11-15, 2014. Proceedings, pages
677–694, 2014.
Ziya Alper Genç, Vincenzo Iovino, and Alfredo Rial. ”the simplest protocol for
oblivious transfer” revisited. IACR Cryptology ePrint Archive, 2017:370, 2017.
Chaya Ganesh, Yashvanth Kondi, Arpita Patra, and Pratik Sarkar. Efficient adaptively secure zero-knowledge from garbled circuits. Cryptology ePrint Archive,
Report 2018/043, 2018. https://eprint.iacr.org/2018/043.
Irene Giacomelli, Jesper Madsen, and Claudio Orlandi. Zkboo: Faster zeroknowledge for boolean circuits. In 25th USENIX Security Symposium, USENIX
Security 16, Austin, TX, USA, August 10-12, 2016., pages 1069–1083, 2016.
49
GMW87.
GMY04.
GPV08.
GWZ09.
HK07.
HK12.
HKK+ 14.
HL17.
HM04.
HPV17.
HV15.
HV16.
IKNP03.
Oded Goldreich, Silvio Micali, and Avi Wigderson. How to play any mental game
or A completeness theorem for protocols with honest majority. In Proceedings of
the 19th Annual ACM Symposium on Theory of Computing, 1987, New York, New
York, USA, pages 218–229, 1987.
Juan A. Garay, Philip MacKenzie, and Ke Yang. Efficient and Universally Composable Committed Oblivious Transfer and Applications, pages 297–316. Springer
Berlin Heidelberg, Berlin, Heidelberg, 2004.
Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices
and new cryptographic constructions. In Proceedings of the 40th Annual ACM
Symposium on Theory of Computing, Victoria, British Columbia, Canada, May 1720, 2008, pages 197–206, 2008.
Juan A. Garay, Daniel Wichs, and Hong-Sheng Zhou. Somewhat non-committing
encryption and efficient adaptively secure oblivious transfer. In Advances in Cryptology - CRYPTO 2009, 29th Annual International Cryptology Conference, Santa
Barbara, CA, USA, August 16-20, 2009. Proceedings, pages 505–523, 2009.
Omer Horvitz and Jonathan Katz. Universally-composable two-party computation
in two rounds. In Advances in Cryptology - CRYPTO 2007, 27th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 19-23, 2007,
Proceedings, pages 111–129, 2007.
Shai Halevi and Yael Tauman Kalai. Smooth projective hashing and two-message
oblivious transfer. J. Cryptology, 25(1):158–193, 2012.
Yan Huang, Jonathan Katz, Vladimir Kolesnikov, Ranjit Kumaresan, and Alex J.
Malozemoff. Amortizing garbled circuits. In Advances in Cryptology - CRYPTO
2014 - 34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 1721, 2014, Proceedings, Part II, pages 458–475, 2014.
Eduard Hauck and Julian Loss. Efficient and universally composable protocols
for oblivious transfer from the cdh assumption. IACR Cryptology ePrint Archive,
2017:1011, 2017.
Dennis Hofheinz and Jörn Müller-Quade. Universally composable commitments
using random oracles. In Theory of Cryptography, First Theory of Cryptography
Conference, TCC 2004, Cambridge, MA, USA, February 19-21, 2004, Proceedings,
pages 58–76, 2004.
Carmit Hazay, Antigoni Polychroniadou, and Muthuramakrishnan Venkitasubramaniam. Constant round adaptively secure protocols in the tamper-proof hardware
model. In Public-Key Cryptography - PKC 2017 - 20th IACR International Conference on Practice and Theory in Public-Key Cryptography, Amsterdam, The Netherlands, March 28-31, 2017, Proceedings, Part II, pages 428sss–460, 2017.
Carmit Hazay and Muthuramakrishnan Venkitasubramaniam. On black-box complexity of universally composable security in the CRS model. In Advances in Cryptology - ASIACRYPT 2015 - 21st International Conference on the Theory and Application of Cryptology and Information Security, Auckland, New Zealand, November
29 - December 3, 2015, Proceedings, Part II, pages 183–209, 2015.
Carmit Hazay and Muthuramakrishnan Venkitasubramaniam. On the power of secure two-party computation. In Advances in Cryptology - CRYPTO 2016 - 36th
Annual International Cryptology Conference, Santa Barbara, CA, USA, August 1418, 2016, Proceedings, Part II, pages 397–429, 2016.
Yuval Ishai, Joe Kilian, Kobbi Nissim, and Erez Petrank. Extending oblivious transfers efficiently. In Advances in Cryptology - CRYPTO 2003, 23rd Annual International Cryptology Conference, Santa Barbara, California, USA, August 17-21,
2003, Proceedings, pages 145–161, 2003.
50
IPS08.
IR89.
JKO13.
JS07.
Kil88.
KK13.
KOS15.
Lin08.
Lin11.
Lin13.
LM16.
LR14.
LR15.
LZ11.
LZ13.
Yuval Ishai, Manoj Prabhakaran, and Amit Sahai. Founding cryptography on oblivious transfer - efficiently. In Advances in Cryptology - CRYPTO 2008, 28th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 17-21,
2008. Proceedings, pages 572–591, 2008.
Russell Impagliazzo and Steven Rudich. Limits on the provable consequences of
one-way permutations. In Proceedings of the 21st Annual ACM Symposium on
Theory of Computing, May 14-17, 1989, Seattle, Washigton, USA, pages 44–61,
1989.
Marek Jawurek, Florian Kerschbaum, and Claudio Orlandi. Zero-knowledge using
garbled circuits: how to prove non-algebraic statements efficiently. In 2013 ACM
SIGSAC Conference on Computer and Communications Security, CCS’13, Berlin,
Germany, November 4-8, 2013, pages 955–966, 2013.
Stanislaw Jarecki and Vitaly Shmatikov. Efficient two-party secure computation on
committed inputs. In Advances in Cryptology - EUROCRYPT 2007, 26th Annual
International Conference on the Theory and Applications of Cryptographic Techniques, Barcelona, Spain, May 20-24, 2007, Proceedings, pages 97–114, 2007.
Joe Kilian. Founding cryptography on oblivious transfer. In Proceedings of the
20th Annual ACM Symposium on Theory of Computing, May 2-4, 1988, Chicago,
Illinois, USA, pages 20–31, 1988.
Vladimir Kolesnikov and Ranjit Kumaresan. Improved OT extension for transferring short secrets. In Advances in Cryptology - CRYPTO 2013 - 33rd Annual
Cryptology Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part II, pages 54–70, 2013.
Marcel Keller, Emmanuela Orsini, and Peter Scholl. Actively secure OT extension
with optimal overhead. In Advances in Cryptology - CRYPTO 2015 - 35th Annual
Cryptology Conference, Santa Barbara, CA, USA, August 16-20, 2015, Proceedings, Part I, pages 724–741, 2015.
Yehuda Lindell. Efficient fully-simulatable oblivious transfer. Chicago J. Theor.
Comput. Sci., 2008, 2008.
Yehuda Lindell. Highly-efficient universally-composable commitments based on
the DDH assumption. In Advances in Cryptology - EUROCRYPT 2011 - 30th Annual International Conference on the Theory and Applications of Cryptographic
Techniques, Tallinn, Estonia, May 15-19, 2011. Proceedings, pages 446–466, 2011.
Yehuda Lindell. Fast cut-and-choose based protocols for malicious and covert adversaries. In Advances in Cryptology - CRYPTO 2013 - 33rd Annual Cryptology
Conference, Santa Barbara, CA, USA, August 18-22, 2013. Proceedings, Part II,
pages 1–17, 2013.
Baiyu Li and Daniele Micciancio. Equational security proofs of oblivious transfer
protocols. Cryptology ePrint Archive, Report 2016/624, 2016.
Yehuda Lindell and Ben Riva. Cut-and-choose yao-based secure computation in
the online/offline and batch settings. In Advances in Cryptology - CRYPTO 2014 34th Annual Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 2014,
Proceedings, Part II, pages 476–494, 2014.
Yehuda Lindell and Ben Riva. Blazing fast 2pc in the offline/online setting with
security for malicious adversaries. In Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security, Denver, CO, USA, October
12-6, 2015, pages 579–590, 2015.
Yehuda Lindell and Hila Zarosim. Adaptive zero-knowledge proofs and adaptively
secure oblivious transfer. J. Cryptology, 24(4):761–799, 2011.
Yehuda Lindell and Hila Zarosim. On the feasibility of extending oblivious transfer.
In TCC, pages 519–538, 2013.
51
MR17.
NFT09.
NP01.
NP05.
OOS17.
OTC.
Ped91.
PSS17.
PVW08.
Rab81.
RR16.
Yao82.
ZRE15.
Payman Mohassel and Mike Rosulek. Non-interactive secure 2pc in the offline/online and batch settings. In Advances in Cryptology - EUROCRYPT 2017
- 36th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Paris, France, April 30 - May 4, 2017, Proceedings, Part III,
pages 425–455, 2017.
Ryo Nishimaki, Eiichiro Fujisaki, and Keisuke Tanaka. Efficient non-interactive
universally composable string-commitment schemes. In Provable Security, Third
International Conference, ProvSec 2009, Guangzhou, China, November 11-13,
2009. Proceedings, pages 3–18, 2009.
Moni Naor and Benny Pinkas. Efficient oblivious transfer protocols. In Proceedings of the Twelfth Annual Symposium on Discrete Algorithms, January 7-9, 2001,
Washington, DC, USA., pages 448–457, 2001.
Moni Naor and Benny Pinkas. Computationally secure oblivious transfer. J. Cryptology, 18(1):1–35, 2005.
Michele Orrù, Emmanuela Orsini, and Peter Scholl. Actively secure 1-out-of-n OT
extension with application to private set intersection. In Topics in Cryptology - CTRSA 2017 - The Cryptographers’ Track at the RSA Conference 2017, San Francisco,
CA, USA, February 14-17, 2017, Proceedings, pages 381–396, 2017.
Encrypto
group
otextension
code.
https://github.com/
encryptogroup/OTExtension.
Torben P. Pedersen. Non-interactive and information-theoretic secure verifiable secret sharing. In Advances in Cryptology - CRYPTO ’91, 11th Annual International
Cryptology Conference, Santa Barbara, California, USA, August 11-15, 1991, Proceedings, pages 129–140, 1991.
Arpita Patra, Pratik Sarkar, and Ajith Suresh. Fast actively secure OT extension for
short secrets. In 24th Annual Network and Distributed System Security Symposium,
NDSS, 2017.
Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A framework for efficient
and composable oblivious transfer. In Advances in Cryptology - CRYPTO 2008,
28th Annual International Cryptology Conference, Santa Barbara, CA, USA, August 17-21, 2008. Proceedings, pages 554–571, 2008.
Michael O. Rabin. How to exchange secrets with oblivious transfer, 1981. Harvard
University Technical Report 81 talr@watson.ibm.com 12955 received 21 Jun 2005.
Peter Rindal and Mike Rosulek. Faster malicious 2-party secure computation with
online/offline dual execution. In 25th USENIX Security Symposium, USENIX Security 16, Austin, TX, USA, August 10-12, 2016., pages 297–314, 2016.
Andrew Chi-Chih Yao. Protocols for secure computations (extended abstract). In
23rd Annual Symposium on Foundations of Computer Science, Chicago, Illinois,
USA, 3-5 November 1982, pages 160–164, 1982.
Samee Zahur, Mike Rosulek, and David Evans. Two halves make a whole - reducing data transfer in garbled circuits using half gates. In Advances in Cryptology - EUROCRYPT 2015 - 34th Annual International Conference on the Theory
and Applications of Cryptographic Techniques, Sofia, Bulgaria, April 26-30, 2015,
Proceedings, Part II, pages 220–250, 2015.
A Universal Composability Model
We prove security of our protocol in the standard Universal Composability (UC) framework of Canetti [Can01], with static and adaptive corruptions. And we conclude this
52
section with the definition of F-hybrid model, which is instrumental for security proofs
in the UC model.
A.1
Static Security in the UC Model
In this model, the real world execution of protocol π is carried out between the honest
parties P1 and P2 and an adversary Adv, in the presence of an external entity called
the environment Z. All the parties are PPT Turing machines and Z has an auxiliary
information z. At the outset of the protocol the environment initiates the parties with
inputs and provides some initial information to Adv. Z is allowed to interact with Adv
throughout the protocol. At the outset of the protocol, Adv may or may not corrupt a
party. Upon corruption of a party, Adv gets access to the internal state and input of that
party. From now on the party will behave according to Adv’s instructions (since we are
in the malicious model). At the end of the protocol, the honest parties send their output
to Z while Adv outputs ⊥ on behalf of the corrupted parties and its internal state to Z.
We denote the view of Z as REALF ,Adv,Z (1κ , z).
In the ideal world we consider the honest parties P1 and P2 , a PPT adversary Sim,
Z and the functionality F. Sim has a random tape r and security parameter κ. He
simulates the role of Adv in the ideal world and whenever Adv corrupts a party in the
real world Sim corrupts that party in the ideal world and gets access to its internal state.
Sim invokes the algorithm of Adv, in his head, in another internal protocol execution
where Sim simulates the view of the honest parties to Adv. We will denote this internal
copy of Adv as AdvInt . Based on the reply of AdvInt in the internal execution, Sim
behaves accordingly in the ideal world execution. He extracts the inputs of the corrupted
parties in the internal execution and invokes F in the ideal world with those inputs to
obtain the output. In the internal execution he simulates the protocol in such a way
that AdvInt obtains that output. At the end of the protocol, AdvInt forwards his view to
Sim who forwards it to Z. We denote the view of Z as IDEALF ,Sim,Z (1κ , z). We say
that a protocol π UC-securely implements a functionality F in the presence of static
adversaries if the real world and ideal world views are indistinguishable.
Definition 1. Let π be a protocol for computing a functionality F. We say that π UCsecurely computes the two party protocol functionality F in the presence of static adversaries if for every PPT adaptive real-world adversary Adv and every environment
Z, there exists a PPT ideal-world adversary Sim, such that:
REAL F ,Adv,Z (1
A.2
κ
c
, z) ≈ IDEALF ,Sim,Z (1κ , z)
Adaptive Security in the UC Model
In the adaptive setting, Z can ask the real world adversary Adv to corrupt an honest
party during the real world execution of the protocol or after the execution completes.
During the execution, Adv can observe the public transcript of the protocol and based
on that he can adaptively corrupt an honest party. Once a party gets corrupted, Adv
gets access to the input and private randomness of the party, thus controlling the party
from thereon. In case of post execution corruption, Adv observes the output and the
53
transcript of the protocol, and then he corrupts the honest party to get access to the
input and private randomness of the party. After post execution corruption occurs, Adv
forwards its view to Z. Based on that, Z constructs its real world view, which we denote
as REALF ,Adv,Z (1κ , z).
Similarly, in the ideal world Z can ask the ideal world adversary Sim to corrupt
an honest party during the ideal world execution of the protocol or after the execution
completes. When Z instructs Sim to corrupt an honest party in the ideal world, Sim
obtains the input of the honest party, in the ideal world, and he instructs the internal
world adversary AdvInt to corrupt the corresponding honest party in the internal world.
Recall that Sim simulates the honest parties in the internal execution. When AdvInt
corrupts an honest party in the internal world, Sim has to produce a private randomness
for the simulated honest party such that it matches with the input of the honest party and
the simulated transcript produced by Sim, in the internal world, on behalf of the honest
party. Sim provides this matching randomness and the input of the simulated honest
party to AdvInt in the internal world. In case of post execution corruption of an honest
party, Sim obtains the honest party’s input in the ideal world and produces the matching
randomness (corresponding to the simulated transcript) in a similar fashion to AdvInt in
the internal world. After post execution corruption occurs, Adv forwards its view to
Sim, who forwards it to Z. Based on that, Z constructs its ideal world view, which we
denote as IDEALF ,Sim,Z (1κ , z). We say that a protocol π UC-securely implements a
functionality F in the presence of adaptive adversaries if the real world and ideal world
views are indistinguishable.
Definition 2. Let π be a protocol for computing a functionality F. We say that π UCsecurely computes the two party protocol functionality F in the presence of adaptive
adversaries if for every PPT adaptive real-world adversary Adv and every environment
Z, there exists a PPT ideal-world adversary Sim, such that:
REAL F ,Adv,Z (1
A.3
κ
c
, z) ≈ IDEALF ,Sim,Z (1κ , z)
The F -hybrid model.
In order to construct our protocols, we utilize other secure two-party protocols as subprotocols. The standard way of doing this is to work in a “hybrid model” where both
the parties interact with each other (as in the real model) in the outer protocol and use
ideal functionality calls (as in the ideal world) for the subprotocols. The UC composition theorem states that if a protocol ρ UC-securely implements a functionality F, then
any execution of ρ in a bigger protocol can be replaced with ideal calls to the functionality F. Specifically, while constructing a protocol π that uses ρ as subprotocol,
for securely computing some functionality F, the parties can run π and invoke F. The
execution of π that invokes F, for each execution of ρ, is called the F-hybrid execution of π and is denoted as π F . The hybrid ensemble HYBπF , A DV, Z (1κ , z) describes
Z’s output after interacting with Adv and the parties running protocol π F . Whereas,
the execution of π that considers execution of ρ is denoted as π ρ . The hybrid ensemble HYBπρ , A DV, Z (1κ , z) describes Z’s output after interacting with Adv and the parties running protocol π ρ . By UC security, the two hybrids HYBπF , A DV, Z (1κ , z) and
54
HYBπρ , A DV, Z (1κ , z) are indistinguishable. This permits replacing executions of ρ, in
π, with ideal calls to F functionality; thereby allowing π to execute in the F-hybrid
model. It simplifies the security proof of π F as it can be performed in the F-hybrid
model, instead of proving security of ρ within the proof of π ρ .
B Garbled Circuits
Bellare et al [BHR12] gave an abstraction of garbling schemes for circuits and formalized several notions of security. Using the language of [BHR12] for circuits; the
circuit itself is a directed acyclic graph, where each gate g is indexed by its outgoing wire, and its left and right incoming wires A(g) and B(g) are numbered such that
g > B(g) > A(g). Also, a circuit output wire can not be an input wire to any gate. We
denote the number of input wires, gates and output wires using n, q and m respectively
in a circuit C.
At a high-level, a garbling scheme consists of the following algorithms: Gb takes
a circuit as input and outputs a garbled circuit, encoding information, and decoding
information. En takes an input x and encoding information and outputs a garbled input
X. Ev takes a garbled circuit and garbled input X and outputs a garbled output Y. Finally,
De takes a garbled output Y and decoding information and outputs a plain circuit-output
(or an error, ⊥).
In [JKO13], there is an additional verification algorithm in the garbling scheme
which when accepts a given (GC, e) signifies that the GC is correct, and that the garbled output corresponding to any clear output can be extracted. Formally, a garbling
scheme is defined by a tuple of functions Garble = (Gb, En, Ev, De, Ve), described as
follows:
– Garble algorithm Gb (1κ , C): A randomized algorithm which takes as input the
security parameter and a circuit C : {0, 1}n → {0, 1}m and outputs a tuple of
strings (GC, e, d), where GC is the garbled circuit, e denotes the input-wire labels,
and d denotes the decoding information.
– Encode algorithm En (x, e): a deterministic algorithm that outputs the garbled input
X corresponding to input x.
– Evaluation algorithm Ev (GC, X): A deterministic algorithm which evaluates garbled circuit GC on garbled input X, and outputs a garbled output Y.
– Decode algorithm De (Y, d): A deterministic algorithm that outputs the plaintext
output corresponding to Y or ⊥ signifying an error if the garbled output Y is invalid.
– Verify algorithm Ve (C, GC, e): A deterministic algorithm which takes as input a
circuit C : {0, 1}n 7→ {0, 1}m , a garbled circuit (possibly malicious) GC, encoding
information e, and outputs d when GC is a valid garbling of C, and ⊥ otherwise.
A garbling scheme may satisfy several properties such as correctness, privacy,
obliviousness, authenticity and verifiability. We review some of these notions below.
The definitions for correctness and authenticity are standard: correctness enforces that
a correctly garbled circuit, when evaluated, outputs the correct output of the underlying circuit; authenticity enforces that the evaluator can only learn the output label that
corresponds to the value of the function. Verifiability [JKO13] allows one to check that
55
the garbling of a circuit indeed implements the specified plaintext circuit C. Given that
verification succeeds for a candidate (C, GC, e), the garbled output corresponding to a
given clear output can be extracted. We provide definitions of correctness, privacy and
verifiability as we need it for our πCRS protocol.
Definition 3. (Correctness) A garbling scheme Garble is correct if for all input lengths
n ≤ poly(κ), circuits C : {0, 1}n → {0, 1}m and inputs x ∈ {0, 1}n , the following
probability is negligible in κ:
Pr De(Ev(GC, En(e, x)), d) 6= C(x) : (GC, e, d) ← Gb(1κ , C) .
Definition 4. (Privacy) A garbling scheme Garble is private if for all input lengths
n ≤ poly(κ), circuits C : {0, 1}n → {0, 1}m , there exists a PPT simulator Sim such
that for all inputs x ∈ {0, 1}n , for all probabilistic polynomial-time adversaries Adv,
the following two distributions are computationally indistinguishable:
– REAL(C, x) : run (GC, e, d) ← Gb(1κ , C), and output (GC, En(x, e), d).
– IDEALSim (C, C(x)): output (GC′ , X, d′ ) ← Sim(1κ , C, C(x))
Definition 5. (Verifiability) A garbling scheme Garbleis verifiable if for all input lengths
n ≤ poly(κ), circuits C : {0, 1}n → {0, 1}m , inputs x ∈ {0, 1}n , and PPT adversaries
Adv, the following probability is negligible in κ:
(GC, e, d) ← Adv(1κ , C)
Pr De(Ev(GC, En(x, e)), d) 6= C(x) :
Ve (C, GC, e) = d 6= ⊥
We are interested in a class of garbling schemes referred to as projective in [BHR12].
When garbling a circuit C : {0, 1}n 7→ {0, 1}m , a projective garbling scheme produces
encoding information of the form e = K0i , K1i i∈[n] , and the encoded input X corresponding to x = (xi )i∈[n] can be interpreted as X = En(x, e) = (Kxi i )i∈[n] .
C Realization of OT Framework Based on DDH
In this section we present an instantiation of the DME (from [PVW08]) based on the
DDH assumption:
– (crs, t) ← SetupMessy(1κ ) : In messy mode, the crs is a non-DDH tuple and it
is generated as follows: Sample g0 , g1 ←R G, x, y ←R Zp and initialize h0 = g0x ,
h1 = g1y . Set crs = (g0 , g1 , h0 , h1 ) and the trapdoor t is set to (x, y).
– (crs, t) ← SetupDec(1κ ) : In decryption mode, the crs is a DDH tuple and it
is generated as follows: Sample g0 ←R G, x, y ←R Zp and initialize g1 = g0y ,
h0 = g0x , h1 = g1x . Set crs = (g0 , g1 , h0 , h1 ) and the trapdoor t is set to (x, y).
– (pk, sk) ← KeyGen(crs, σ) Given σ ∈ {0, 1} and crs = (g0 , g1 , h0 , h1 ), set
pk = (g, h) = (gσα , hα
σ ), where α ←R Zp . The secret key sk is set to α.
– y ← Enc(pk, b, m) : Given pk = (g, h), m and b ∈ {0, 1}, m is encrypted
as follows: Sample s, r ←R Zp and set u = gbs hrb , v = g s hr . The ciphertext is
y = (u, v.m) and the corresponding randomness is (s, r).
56
– m ← Dec(sk, y) : Given sk = α and ciphertext y = (c0 , c1 ), the corresponding
plaintext s obtained as m = c1 /cα
0.
– b ← FindMessy(pk, t) : Given pk = (g, h) and t = (x, y), if h = g x then output
that branch b = 0 is messy else output that branch b = 1 is messy.
– (pk, sk0 , sk1 ) ← DecKeyGen(t) : Given crs = (g0 , g1 , h0 , h1 ) in decryption
mode and t = (x, y) generate public and secret key pairs as follows: Sample r0 ←R
Zp and compute r1 = r0 /y. Set pk = (g, h) = (g0r0 , hr00 ), sk0 = r0 and sk1 = r1 .
The above DDH-based instantiation correctly implements a DME scheme and it
satisfies Properties 1-5 (Section 4). Proof of Property 1-4 follows from the paper of
[PVW08]. Next, we show that it also satisfies Property 5, i.e. the crs in the messy mode
can be sampled using a random oracle. The crs for the messy mode is required to be
a non-DDH tuple. A random oracle query result of size 4|G| bits returns a DDH tuple,
with probability :
1
|Zp |3
=
|Zp |4
|Zp |
With 1 − |Z1p | probability the tuple will be non-DDH and hence a valid crs for messy
mode will be generated, satisfying Property 5.
D Instantiation of DME based on LWE
In this section we provide an instantiation of our DME based on LWE. Before describing the DME instantiation we recall the definition of an LWE encryption scheme from
[GPV08], which will be instrumental in the instantiation. The encryption scheme is a
collection of following three algorithms:
– LWESetup: Choose a matrix A ← Zqm×κ uniformly at random.
– LWEKeyGen: Choose a secret decryption key s ← Zκq uniformly at random. The
public key is the vector p = AT s + x ∈ Zm
q , where x = (x1 , . . . , xm ) and each xi
is chosen independently from the error distribution χ for i ∈ [m].
– LWEEnc(p, b): To encrypt a bit b ∈ {0, 1}, choose a vector e ∈ Zm uniformly at
random and set the ciphertext as (u, c) = (Ae, pT e + b.⌈q/2⌉) ∈ Zκ+1
.
q
– LWEDec(s, (u, c)): Compute b′ = c − sT u ∈ Zq . Output 0 if b′ is closer to 0 than
to ⌈q/2⌉ mod q, otherwise output 1.
The above encryption scheme satisfies the notion of IND-CPA security if we assume
that the LWE problem is hard for parameters q = O(κ3 ), m = O(κ log κ) (Lemma. 1).
The proof appears in the work of [GPV08] and we refer to their paper for more details.
Lemma 1. The cryptosystem above is CPA-secure, assuming that LWE is hard for parameters q, m.
Next, we will use the encryption scheme in our DME instantiation. In our instantiation we need an additional algorithm, IsMessy, besides the usual algorithms of DME.
IsMessy(t, pk) answers whether pk is messy or not, when it is invoked with trapdoor t
on public key pk. Now we are ready to instantiate the algorithms for the DME scheme
based on the LWE assumption. The description of the algorithms has been borrowed
from the paper of [PVW08].
57
– (crs, t) ← SetupMessy(1κ ) : In the messy mode the crs is generated as follows: Sample a matrix A ← Zκ×m
uniformly at random, along with a trapq
door t = (S, A) (as described in Section 5.3.2 of [GPV08]). Sample an independent row vector vb ← Zl×m
uniformly at random for every b ∈ {0, 1}. Set
q
crs = (A, v0 , v1 ) and t = (S, A).
– (crs, t) ← SetupDec(1κ ) : In the decryption mode the crs is generated as follows: Sample a matrix A ← Zκ×m
uniformly at random. Choose a row vector
q
w ← Z1×m
uniformly at random. For every b ∈ {0, 1}, sample a secret sb ← Znq
q
uniformly at random and an error row vector xb ← χ1×m (i.e., the m entries
are chosen independently from error distribution χ ). Let vb = sT
b A + xb w. Set
crs = (A, v0 , v1 ) and t = (w, s0 , s1 ).
– (pk, sk) ← KeyGen(crs, σ) : Given crs and σ, sample a secret r ← Znq and a row
vector x ← χl×m . Set pk = rT A + xv and sk = r.
– y ← Enc(pk, b, m) : Given pk = A, m and b ∈ {0, 1}, m is encrypted as y =
LWEEnc((A, pk + vb ), m).
– m ← Dec(sk, y) : Given sk = r and ciphertext v, the underlying plaintext message is decrypted as m = LWEDec(sk, y).
– b ← FindMessy(pk, t) : Given pk and t = (S, A) in messy mode, invoking
IsMessy((S, A), pk + vb ) for each b ∈ {0, 1}, outputs the messy branch value for
b, and it is correct with overwhelming probability.
– (pk, sk0 , sk1 ) ← DecKeyGen(t) : Given the crs = (A, v0 , v1 ) in decryption
mode and the trapdoor t = (w, s0 , s1 ), the public and secret keys pair is formed as
follows: (pk, sk0 , sk1 ) = (w, s0 , s1 ).
The paper of [PVW08] has proven that the above instantiation satisfies correctness
and Properties 1-4 of DME. It has also shown in Lemma 7.4 that most of the keys are
messy, proving Property 5. In particular, if the crs in the messy mode is generated as
crs = (A, v0 , v1 ) ← FRO (sid||c), then FRO (sid||c) returns a messy key except with
negligible probability for a random value c, where FRO : {0, 1}2κ → Zκ×m
× Z2l×m
.
q
q
58