Abstract
Adaptive security is a strong security notion that captures additional security threats that are not addressed by static corruptions. For instance, it captures realworld scenarios where “hackers” actively break into computers, possibly while they are executing secure protocols. Studying this setting is interesting from both theoretical and practical points of view. A primary building block in designing adaptively secure protocols is a noncommitting encryption (NCE) that implements secure communication channels in the presence of adaptive corruptions. Current constructions require a number of public key operations that grow linearly with the length of the message. Furthermore, general twoparty protocols require a number of NCE calls that dependent both on the circuit size and on the security parameter. In this paper, we study the twoparty setting in which at most one of the parties is adaptively corrupted, and demonstrate the feasibility of (1) NCE with constant number of public key operations for large message spaces, (2) oblivious transfer with constant number of public key operations for large sender’s input spaces, and (3) constant round secure computation protocols with an overall number of public key operations that is linear in the circuit size. Our study demonstrates that such primitives indeed exist in the presence of single corruptions without erasures, while this is not known for fully adaptive security under standard assumptions (where both parties may get corrupted). Our results are shown in the UC setting with a CRS setup.
Introduction
Background
Secure TwoParty Computation
In the setting of secure twoparty computation, two parties with private inputs wish to jointly compute some function of their inputs while preserving certain security properties like privacy, correctness and more. In this setting, security is formalized by comparing a protocol execution to a protocol executed in an ideal setting where the parties send inputs to a trusted party that performs the computation and returns its result (also known by simulationbased security). Starting with the works of [27, 51], it is by now well known that any polynomialtime function can be compiled into a secure function evaluation protocol with practical complexity; see [1, 25, 42, 45] for a few recent works. The security proofs of these constructions assume that parties are statically corrupted. Meaning, corruptions take place at the outset of the protocol execution and the identities of the corrupted parties are fixed throughout the computation. A stronger notion is adaptive security where corruptions take place at any point during the course of the protocol execution. That is, upon corruption the adversary learns the internal state of the corrupted party which includes its input, randomness and the incoming messages. This notion is much stronger than static security since the adversary may choose at any point which party to corrupt, even after the protocol is completed! It therefore models realworld threats more accurately.
Typically, when dealing with adaptive corruptions we distinguish between corruptions with erasures and without erasures. In the former case, honest parties are trusted to erase data if they are instructed to do so by the protocol, whereas in the latter case no such assumption is made. This assumption is often problematic since it relies on the willingness of the honest parties to carry out this instruction, even though they know that no other party will be able to verify whether they have carried out the instruction or not. In settings where the parties are distrustful it may not be a good idea to base security on such an assumption. In addition, it is generally unrealistic to trust parties to fully erase data since this may depend on the operating system. Nevertheless, assuming that there are no erasures come with a price since the complexity of adaptively secure protocols without erasures is much higher than the analogue complexity of protocols that rely on erasures. In this paper, we do not rely on erasures.
Adaptive Security
It is known by now that security against adaptive attacks capture important realworld concerns that are not addressed by static corruptions. For instance, such attacks capture scenarios where “hackers” actively break into computers, possibly while they are running secure protocols, or when the adversary learns from the communication which parties are worth to corrupt more than others. This later issue can be demonstrated by the following example. Consider a protocol where some party (denoted by the dealer) shares a secret among a public set of \(\sqrt{n}\) parties, picked at random from a larger set of n parties. This scheme is insecure in the adaptive model if the adversary corrupts \(\sqrt{n}\) parties since it can always corrupt the particular set of parties that share the secret. On the other hand, in the static setting the adversary can only corrupt the exact same set of parties that share the secret with a negligible probability in n.
Further difficulties arise when proving security. For instance, consider the following protocol for transferring a message: A receiver picks a public key and sends it to a sender that uses it to encrypt its message. Then, security in the static model is simple and relies on the semantic security of the underlying encryption scheme. Nevertheless, this protocol is insecure in the adaptive model since standard semantically secure encryption binds the receiver to a single message (meaning, given the public key, a ciphertext can only be decrypted into a single plaintext). Thus, upon corrupting the receiver after simulating its communication, it would not be possible to “explain” the simulated ciphertext with respect to the real message. This implies that adaptive security is much harder to achieve.
In the twoparty setting, there may be scenarios where the system is comprised of only two parties that do not communicate with any external device. In this case, it makes more sense to study the system’s security in the presence of single corruptions (namely, when at most one party is under attack). This is because we have no security guarantee once both parties are under attack. In this paper, we study secure twoparty computation with single adaptive corruptions in the nonerasure model. To distinguish this notion from fully adaptive security, where both parties may get corrupted, we denote it by onesided adaptive security. Our goal in this work is to make progress in the study of the asymptotic efficiency of secure twoparty protocols with onesided security.
Our measure of efficiency is associated with the number of public key encryption (PKE) operations, where our underlying primitives are parameterized by a PKE scheme for which we count the number of key generation/encryption/decryption operations. These operations are captured by the number of exponentiations in several important groups, i.e. groups where the decisional Diffie–Hellman (DDH) assumption is hard, as well as compositeorder groups where the decisional composite residuosity (DCR) and quadratic residuosity (QR) hardness assumptions are believed to hold. Finally, our proofs are given with universal composable (UC) security proofs [6] in the common reference string (CRS) setting. We note that the reductions of our noncommitting encryption (NCE) and oblivious transfer (OT) with onesided security are tight, whereas the reductions of our general twoparty protocols are tighter than proofs in prior works; see more details below. All our theorems are not known to hold in the fully adaptive setting.
Our Results
New OneSided NCE Constructions
A noncommitting encryption (NCE) scheme [12] implements a secure channel between two parties in the presence of adaptive corruptions and is an important building block in designing adaptively secure protocols. Onesided NCE (resp. NCE) implies a secure channel where a single (resp. both) parties are adaptively corrupted. Theoretically speaking, onesided NCE was demonstrated in [22] under a strictly weaker hardness assumption than the assumption needed for NCE [9, 22], where the later assumption is simulatable PKE scheme. Nevertheless, all known schemes, in both security settings, require a number of PKE operations that grow linearly with the bit representation of the transmitted message. It was unknown whether this bound is tight for onesided NCE or whether the overhead can be made closer to the overhead of PKE.
We suggest a new approach for designing NCE with security against onesided adaptive attacks. Our protocols are built based on two public key building blocks that are noncommitting with respect to a single party. We denote these primitives by NCE for the sender and NCE for the receiver. Noncommitting for the receiver (NCER) implies that one can efficiently generate a secret key that decrypts a fake ciphertext into any plaintext, whereas noncommitting for the sender (NCES) implies that one can efficiently generate randomness for any plaintext for proving that a ciphertext, encrypted under a fake key, encrypts this plaintext. A core building block in our onesided construction is (a variant) of the following protocol, in which the receiver generates two sets of public/secret keys, one pair of keys for each public key system, and sends these public keys to the sender. Next, the sender partitions its message into two shares and encrypts the distinct shares under the distinct public keys. Finally, the receiver decrypts the ciphertexts and reconstructs the message. Our construction is slightly more technical since it must allow the simulator to decide whether to send fake keys/ciphertexts only after corruption takes place. To ensure that, we use an additional tool, denoted by \(\ell \)equivocal NCE, which is discussed in details below (informally, this primitive improves NCE constructions for small equivocation space) . We note that our protocol is secure as long as either the sender or the receiver are adaptively corrupted, but not both. Informally, we prove that
Theorem 1.1
Assume the existence of NCER, NCES and \(\ell \)equivocal NCE, and then there exists onesided NCE with a constant number of invocations of these primitives and \(\ell =2\).
Secure realizations of NCER and NCES exist under several concrete assumptions. Specifically, NCER implementations were shown in [14, 37] under the respective DDH and DCR hardness assumptions, whereas NCES was realized under the DDH assumption in [4]. In this paper, we further show how to realize NCES under the DCR assumption. Note that when viewing these primitives as tworound protocols, where the receiver forwards the sender its public key that is followed by a ciphertext sent by the sender, these primitives are equivalent in the sense that it is possible to convert one primitive to another at the expense of one additional round. Specifically, given a tworound NCER protocol, a threeround NCES can be constructed as follows: the sender creates a public key/secret key pair for the NCER and forwards the public key to the receiver. The receiver then encrypts a onetime pad masking under the public key. Finally, the sender uses this pad to mask its message in the third round. An NCER protocol can be constructed from an NCES protocol in a similar way.
Our theorem is also interesting in the sense that it implies onesided NCE with a number of PKE operations that is independent of the message length. Concretely, if the underlying NCER and NCES are implemented using a constant number of PKE operations, that is independent of the message length, then this also holds for our onesided NCE. In this paper, we consider implementations for NCER/NCES that are efficient in that sense which implies efficient DCRbased onesided NCE with a constant overhead. We further consider DDHbased constructions that achieve the same overhead, but for polynomialsize domains. We provide comparison with prior work in Table 1.
Witness Equivocal UC ZK PoK for Compound Statements
A basic tool in constructing maliciously secure protocols that we exploit in this paper is zeroknowledge (ZK) proofs. More specifically, in this work we focus on compound statements (where the statement is comprised of substatements for which the prover only knows a subset of the witnesses). We consider a new notion of witness equivocal UC ZK proofs of knowledge (PoK) where the simulator knows the witnesses for all substatements but not which subset is known to the real prover, and show how to build adaptively secure witness equivocal proofs for a large class of \(\Sigma \)protocols. In particular, the security proof for this notion implies that the simulator convinces the adaptive adversary that it knows the exact same subset of witnesses known also to the real prover. We demonstrate that even though this notion is weaker than onesided security (which requires simulation without any knowledge of witnesses), it is still meaningful in designing onesided secure protocols.
As a side result, we demonstrate a technique for efficiently generating statically secure UC ZK PoK for the same class of \(\Sigma \)protocols. Our protocols use a new approach where the prover commits to an additional transcript which enables to extract the witness in the CRS setting with a constant overhead where previously, \(\Sigma \)protocols were complied into the UC setting using UC commitments [11].
OneSided Oblivious Transfer
In the next step, we combine our onesided NCE and witness equivocal proofs in order to implement onesided 1outof2 OT. We build our protocol based on the generic framework of [48] with the following modifications. (1) First, we require that the sender sends its ciphertexts via a onesided noncommitting channel (based on our previous result, this only inflates the overhead by a constant). (2) We fix the common parameters in a single mode (whereas the [31] and [48] proofs need to alternate between the two modes). To ensure correctness with respect to the receiver’s message, we employ a witness equivocal ZK PoK. Informally, we prove that
Theorem 1.2
Assume the existence of onesided NCE, dualmode PKE (cf. Definition 4.1; see also [48]) and witness equivocal ZK PoK, and then there exists onesided OT with O(1) PKE operations.
Considering efficiency, our construction requires a number of PKE operations that is independent of the sender’s input space. This is significantly better than all prior work on fully adaptively UC secure OT that require O(1) such operations for implementing bit OT; see Table 2 for comparison with prior work.
We note that this protocol further serves as the basis for the cutandchoose OT protocol we design next. In addition, a semihonest variant of our OT protocol can be considered if the parties mutually generate the CRS using a coin tossing protocol that is UC secure. By pluggingin this onesided semihonest OT protocol into the [27] static semihonest protocol, we obtain a onesided semihonest adaptively secure protocol, with round complexity that depends on the computed circuit’s depth. This implies the following theorem,
Theorem 1.3
Assume the existence of onesided semihonest OT and statically secure UC commitment scheme, and then there exists a semihonest onesided adaptively secure twoparty protocol that requires (O(C)) public key operations.
Constant Round OneSided Secure Computation
Notably, in the plain model any statically secure protocol can be transformed into a protocol with onesided adaptive security by encrypting the communication of the static protocol using NCE. This approach, taken by [38], implies that the number of public key operations grows linearly with the communication complexity of the static protocol. Moreover, currently the overhead of generic protocols using this approach depends on the circuit’s size times the security parameter.^{Footnote 1}
In this work, we revisit the general compiler of [38] and design improved generic onesided constant round protocols tolerating semihonest and malicious behaviour. This improvement is based on the observation that it is sufficient to employ onesided NCE rather than NCE (that is fully secure) in order to secure the communication. Moreover, by pluggingin our onesided NCE we obtain a better transformation from static semihonest/malicious security into the corresponding attack model with onesided security. It is important to note that this transformation does not hold in the UC setting due to the additional setup. Specifically, the security proof may crucially rely on the fact that the CRS is chosen dependently on the identity of the corrupted party, as for instance in [48]. Nevertheless, since this identity is not known in advance in the adaptive setting, fixing the CRS in one particular mode breaks down the static security proof.
To conclude, in the semihonest setting (when no trusted setup is required) we prove that our transformation applies even in the UC setting. Informally, we first prove that
Theorem 1.4
Assume the existence of oneside NCE. Then: (1) statically secure semihonest secure computation implies onesided semihonest UC computation, and (2) statically secure malicious secure computation implies onesided malicious secure computation.
As a corollary, we obtain that constant round semihonest secure computation can be achieved based on the assumptions needed in [41] and onesided NCE. Informally stating,
Corollary 1.5
Under the assumptions of achieving security in [41] and onesided NCE, there exists a constant round onesided semihonest UC secure twoparty protocol that requires O(C)) public key operations, where C is the computed circuit.
We provide a detailed comparison with prior work for the semihonest setting in Table 3. Next, in order to obtain onesided UC security against malicious attacks we adapt the cutandchoosebased protocol from [42], which relies heavily on [48] DDHbased OT protocol. The idea of the cutandchoose technique is to ask one party to send s garbled circuits and later open half of them by the choice of the other party. This ensures that with very high probability the majority of the unopened circuits are valid. Proving security in the onesided setting requires dealing with new subtleties and designing a modified cutandchoose building blocks, since [42] defines the public parameters for these building blocks in a way that precludes equivocation of the parties’ inputs. Informally,
Theorem 1.6
Under the assumptions of achieving static malicious UC security in [42], onesided cutandchoose OT and simulatable PKE, there exists a constant round onesided malicious UC secure twoparty protocol that requires O(sC) public key operations where s is a statistical parameter that determines the cutandchoose soundness error.
We provide a details comparison with prior work for the malicious setting in Table 4.
To conclude, our results imply that onesided security is easier to achieve than fully adaptive security. We leave open the efficiency of constant round onesided secure protocols in the multiparty setting. Currently, it is not clear how to extend our techniques beyond the twoparty setting (such as for the [5] protocol). Another open problem is whether it is feasible to achieve secure constructions with a number of PKE operations that are strictly less than what we achieve here.
Prior Work
We describe prior work on NCE, adaptively secure OT and adaptively secure twoparty computation.
NonCommitting Encryption
(Onesided) NCE was introduced in [12] which demonstrated its feasibility under the RSA assumption. Next, NCE was studied in [9, 22]. More concretely, the construction of [22] requires constant rounds on the average and is based on simulatable PKE, whereas [9] presented an improved expected two rounds NCE based on a weaker primitive. [22] further presented onesided NCE based on a weakened simulatable PKE notion. The computational overhead of all these constructions depends on the message length. Following that, the relatively new \(\ell \)equivocal NCE notion was introduced in [31]. This primitive enables to send arbitrarily long messages at the cost of \(\log \ell \) PKE operations, where \(\ell \) is the equivocality parameter, and improves over NCE for sufficiently small \(\ell \)’s. In [44], Nielsen proved that NCE must have a decryption key that is at least as long as the transmitted message. Finally, Hemenway et al. [33] presented the first tworound NCE construction under the \(\Phi \)hiding hardness assumption where the communication complexity of the second message is \(O(m\log m + n)\) where m is the message length and n is the security parameter, which improves over all prior constructions.
Adaptively Secure Oblivious Transfer
In [2, 15], semihonest adaptively secure OT protocols were shown that were then compiled into the malicious setting using generic ZK proofs. More recently, in a weaker model that assumes erasures, Lindell [40] used the method of [50] to design an efficient transformation from static OT to semihonest composable adaptive OT. Another recent work by Garay et al. [31] presented a UC adaptively secure OT, building on the static OT of [48] and \(\ell \)equivocal NCE. This paper introduced an OT protocol with security under a weaker semiadaptive notion that is then compiled into an adaptive OT by encrypting the transcript of the protocol using \(\ell \)equivocal NCE.^{Footnote 2} Finally, [10] presented a compiler for UC adaptive OT in the malicious setting based on semihonest adaptive OT and UC commitment schemes.
Adaptively Secure TwoParty Computation
The work by Katz and Ostrovsky [38] was the first to study the round complexity of onesided secure protocols. Their round efficient protocol takes a naive approach of encrypting the entire communication using NCE. Next, the work of [35] provided allbutone adaptively secure protocols based on honest majority adaptively secure protocols (where their particular instantiation uses the constant rounds protocol from [18]). Finally, a recent work by Garg and Sahai [30] presents adaptively secure constant round protocols tolerating allbutone corrupted parties using a nonblack box simulation approach. Their approach uses the OT hybrid compiler of [35].
Adaptive secure computation has been extensively studied as well. In the nonerasure model, the work of [15] demonstrated the feasibility of adaptive UC security of any wellformed functionality. The followup work of [24] showed how to use a threshold encryption to achieve UC adaptive security but required honest majority. A generic compiler from static to adaptive security was shown in [7] (yet without considering postexecution corruptions). Assuming erasures, which significantly simplify the problem, one of the earliest works by Beaver and Haber [3] showed an efficient generic transformation from adaptively secure protocols with ideally secure communication channels, to adaptively secure protocols with standard (authenticated) communication channels. A more recent work by Lindell [40] presented an efficient semihonest constant round twoparty protocol with adaptive security.
A recent line of works [13, 21, 29] studies constant rounds adaptively secure computation using obfuscation techniques. This approach is different than all prior work on adaptive security since it obfuscates the circuit that computes the next message in the protocol and places the result in the CRS.
Preliminaries
We denote the security parameter by n. A function \(\mu (\cdot )\) is negligible if for every polynomial \(p(\cdot )\) there exists a value N such that for all \(n>N\) it holds that \(\mu (n)<\frac{1}{p(n)}\). We write PPT for probabilistic polynomialtime. We denote the message spaces of our NCE schemes and the message space of the sender in our OT protocols by \(\{0,1\}^{q}\) for \(q=n\).
We specify the definitions of computational indistinguishability and statistical distance.
Definition 2.1
(Computational indistinguishability by circuits) Let \(X=\left\{ X_n(a)\right\} _{n\in \mathbb {N},a\in \{0,1\}^*}\) and \(Y=\left\{ Y_n(a)\right\} _{n\in \mathbb {N},a\in \{0,1\}^*}\) be distribution ensembles. We say that X and Y are computationally indistinguishable, denoted \(X \approx _c Y\), if for every family \(\{\mathcal{C}_n\}_{n\in \mathbb {N}}\) of polynomialsize circuits, there exists a negligible function \(\mu (\cdot )\) such that for all \(a\in \{0,1\}^*\),
Definition 2.2
(Statistical distance) Let \(X_n\) and \(Y_n\) be random variables accepting values taken from a finite domain \(\Omega \subseteq \{0,1\}^n\). The statistical distance between \(X_n\) and \(Y_n\) is
We say that \(X_n\) and \(Y_n\) are \(\epsilon \)close if their statistical distance is at most \(\mathrm{SD}(X_n,Y_n) \le \epsilon (n)\). We say that \(X_n\) and \(Y_n\) are statistically close, denoted \(X_n\approx _s Y_n\), if \(\epsilon (n)\) is negligible in n.
Security Definitions
In the following, we formalize the notion of UC onesided adaptive security [6]. Formally, a twoparty computation protocol is cast by specifying the participating parties \(P_0\) and \(P_1\) and a function \(f: \{0,1\}^* \times \{0,1\}^* \rightarrow \{0,1\}^* \times \{0,1\}^*\), where \(f = (f_0,f_1)\) mapping pairs of inputs to pairs of outputs (one for each party). That is, for every pair of inputs \(x_0,x_1 \in \{0,1\}^n\) the output pair is a random variable \((f_0(x_0,x_1),f_1(x_0,x_1))\) ranging over pair of strings. The first party with input \(x_0\) wishes to receive \(f_0(x_0,x_1)\), while the second party with input \(x_1\) wishes to obtain \(f_1(x_0,x_1)\).
OneSided Adaptive Security
In the twoparty setting, a real execution of some protocol \(\Pi _f\) that implements f is run between two parties \(P_0\) and \(P_1\) in the presence of an adversary \(\textsc {Adv}\) and an environment \(\textsc {Env}\) (that is given an input z, a random tape \(r_\textsc {Env}\) and a security parameter n) and is modelled as a sequence of activations of the entities. \(\textsc {Env}\) is activated first and generates the inputs for the other entities. Then the protocol proceeds by having the parties communicate with each other and \(\textsc {Adv}\) exchange messages with \(\textsc {Env}\). Upon completing the real execution \(\textsc {Env}\) outputs a bit. In the ideal model, the computation involves an incorruptible trusted third party \(\mathcal{F}_f\) which receives the parties’ inputs, computes the function f on these inputs and returns to each party its respective output. The parties are replaced by dummy parties that do not communicate with each other, such that whenever a dummy party is activated it sends its input to the ideal functionality. Upon completing the ideal execution \(\textsc {Env}\) outputs a bit. We say that a protocol \(\Pi _f\) UC realizes functionality \(\mathcal{F}_f\) if for any realworld adversary \(\textsc {Adv}\) there is a idealworld adversary \(\textsc {Sim}\) such that no \(\textsc {Env}\) can tell with nonnegligible probability whether it is interacting with \(\textsc {Adv}\) and the parties running \(\Pi _f\) in a real execution or with \(\textsc {Sim}\) and the dummy parties in an ideal execution; details follow.
Execution in the real model. We now proceed with a realworld execution, where a real twoparty protocol is executed. Whenever \(\textsc {Env}\) is activated, it first fixes input \(x_i \in \{0,1\}^*\) for party \(P_i\). Each party \(P_i\) then starts the execution with an input \(x_i \in \{0,1\}^*\), a random tape \(r_i\) and a security parameter n. A onesided adversary \(\textsc {Adv}\) is a probabilistic polynomialtime interactive Turing machine that is given a random tape \(r_\textsc {Adv}\) and a security parameter n and is allowed to corrupt at most one party. At the outset of the protocol, \(\textsc {Adv}\) receives some initial information from \(\textsc {Env}\). Then the computation proceeds in rounds such that in each round \(\textsc {Adv}\) sees all the messages sent between the parties. At the beginning of each round, \(\textsc {Adv}\) may choose to corrupt \(P_{i^*}\) for \(i^* \in \{0,1\}\). Upon corrupting \(P_{i^*}\), \(\textsc {Adv}\) learns its input and the random tape, and notifies \(\textsc {Env}\), obtaining back some auxiliary information. In case \(\textsc {Adv}\) is malicious \(P_{i^*}\) follows \(\textsc {Adv}\)’s instructions from the time it is corrupted. At the end of the protocol execution, the honest parties locally compute their outputs and output the value specified by the protocol, whereas the corrupted party outputs a special symbol \(\perp \). The adversary \(\textsc {Adv}\) outputs an arbitrary function of its internal state that includes, \(r_\textsc {Adv}\), the messages received from \(\textsc {Env}\) and the corrupted party’s view. Next, a postexecution corruption process begins where \(\textsc {Env}\) first learns the outputs. Then, \(\textsc {Adv}\) and \(\textsc {Env}\) interact in at most one additional round. If none of the parties is corrupted yet, \(\textsc {Env}\) can ask \(\textsc {Adv}\) to corrupt \(P_{i^*}\) for \(i^* \in \{0,1\}\), receiving back the state of this party. At the end, \(\textsc {Env}\) outputs a bit.
Let f be as specified above and \(\Pi _f\) be a twoparty protocol that computes f. We denote by the variable \(\mathbf{OREAL}_{\Pi _f,\textsc {Adv},\textsc {Env}}(n,x_0,x_1,z,\mathbf {r})\) the output of \(\textsc {Env}\) on input z, random tape \(r_\textsc {Env}\) and a security parameter n upon interacting with \(\textsc {Adv}\) and parties \(P_0,P_1\) that engage in protocol \(\Pi _f\) on inputs \(r_\textsc {Adv}\) and \((x_0, r_0),(x_1,r_1)\), respectively, where \(\mathbf {r} = (r_\textsc {Env},r_\textsc {Adv},r_0,r_1)\). Let \(\mathbf{OREAL}_{\Pi _f,\textsc {Adv},\textsc {Env}}(n,x_0,x_1,z)\) denote a random variable describing \(\mathbf{OREAL}_{\Pi _f,\textsc {Adv},\textsc {Env}}(n,x_0,x_1,z,\mathbf {r})\) where the random tapes are chosen uniformly. Let \(\mathbf{OREAL}_{\Pi _f,\textsc {Adv},\textsc {Env}}\) denote the distribution ensemble:
Execution in the ideal model. A onesided idealworld adversary \(\textsc {Sim}\) is a probabilistic polynomialtime interactive Turing machine that is given a random tape \(r_\textsc {Sim}\) and a security parameter n and is allowed to corrupt at most one party. The ideal process is defined with respect to a trusted party that implements functionality \(\mathcal{F}_f\) as follows:
 First corruption phase: :

\(\textsc {Sim}\) receives some auxiliary information from \(\textsc {Env}\). Next, \(\textsc {Sim}\) may decide whether to corrupt party \(P_{i^*}\) for \(i^* \in \{0,1\}\). Upon corrupting party \(P_{i^*}\), \(\textsc {Sim}\) notifies to \(\textsc {Env}\) and learns its input \(x_{i^*}\). In addition, \(\textsc {Env}\) hands some auxiliary information to \(\textsc {Sim}\).
 Computation phase: :

In the semihonest setting, each party forwards its input to the trusted party. In the malicious settings, the corrupted party hands \(\mathcal{F}_f\) the values handed to it by \(\textsc {Sim}\). The trusted party computes \((y_0,y_1) = f(x_0,x_1)\) and hands each \(P_i\) the value \(y_i\). \(\textsc {Sim}\) receives the output of the corrupted party.
 Second corruption phase: :

\(\textsc {Sim}\) continues to another corruption phase, where it might choose to corrupt \(P_{i^*}\) for \(i^* \in \{0,1\}\) (in case it did not corrupt any party in the first corruption phase), where this choice is made based on \(\textsc {Sim}\)’s random tape and all the information gathered so far. Upon corrupting \(P_{i^*}\), \(\textsc {Sim}\) notifies to \(\textsc {Env}\) and learns the party’s input \(x_{i^*}\). \(\textsc {Env}\) hands \(\textsc {Sim}\) some auxiliary information.
 Output: :

The uncorrupted party \(P_{1i^*}\) outputs \(y_{1i^*}\) and the corrupted party outputs \(\bot \). \(\textsc {Sim}\) outputs an arbitrary efficient function of its view. \(\textsc {Env}\) learns all the outputs.
 Postexecution corruption phase: :

After the outputs are generated, \(\textsc {Sim}\) proceeds with \(\textsc {Env}\) in at most one round of interaction, where \(\textsc {Env}\) can instruct \(\textsc {Sim}\) to corrupt \(P_{i^*}\) for \(i^* \in \{0,1\}\) (if none of the parties are corrupted yet). \(\textsc {Sim}\) generates some arbitrary answer and might choose to corrupt \(P_{i^*}\). The interaction continues until \(\textsc {Env}\) halts with an output.
Then we define security as follows.
Definition 2.3
Let \(\mathcal{F}_f\) and \(\Pi _f\) be as defined above. Protocol \(\Pi _f\) UC realizes \(\mathcal{F}_f\) in the presence of onesided semihonest/malicious adversaries if for every nonuniform probabilistic polynomialtime onesided semihonest/malicious adversary \(\textsc {Adv}\), there exists a onesided nonuniform probabilistic polynomialtime ideal adversary \(\textsc {Sim}\) such that:
where \(x_0 = x_1\).
Composition. In order to simplify our security proofs we consider a hybrid setting where the parties implement some functionalities using ideals calls. We rely on the composition theorem introduced by Canetti [6] in the adaptive setting. (Note that we are only interested in cases where the same party is corrupted with respect to all composed protocols.)
Concrete Functionalities
We specify the definition of three important functionalities for this work.
Secure communication (SC). We define the functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) for securely communicating a message m from \({\textsc {SEN}}\) to \({\textsc {REC}}\), following the notations from [31]. To handle the appropriate leakage to the adversary in the ideal setting, the functionality is parameterized using a noninformation oracle \(\mathcal{{O}}\) which gets the values of the exchanged messages m and outputs some side information to the adversary. The security of this functionality depends on the security properties required for the oracle and thus can capture several notions such as NCE and \(\ell \)equivocal NCE (see Sect. 3.1). Specifically, for NCE the oracle only leaks the length of the message, whereas for \(\ell \)equivocal NCE with equivocality parameter \(\ell \) the oracle leaks an \(\ell \)length vector such that the ith element in the vector depends on m, for some \(i \in \{1,\ldots ,\ell \}\). In Fig. 1 we define the message transfer functionality with respect to oracle \(\mathcal{{O}}\). Next, we define the oracles for the cases of NCE and \(\ell \)equivocal NCE, starting with the former.
Definition 2.4
Let \(\mathcal{{O}}\) be an oracle, which on input \((\mathsf{send}, sid,{\textsc {SEN}},m)\), produces the output \((\mathsf{send}, sid,{\textsc {SEN}},m)\), and on any inputs corresponding to the \(\mathsf{ChSetup}\), \(\mathsf{Corrupt}\) commands produce no output. We call the functionality \(\mathcal{F}^{\mathcal{{O}}}_{\scriptscriptstyle \mathrm {SC}}\) or just \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) for brevity, an NCE ideal functionality. A realworld protocol which realizes \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) is called an NCE scheme.
In order to define \(\mathcal{{O}}\) for \(\ell \)equivocal NCE, we present the following definitions first.
Definition 2.5
An oracle \(\mathcal{I}\) is called messageignoring oracle if, on any input \((\mathsf{send}, sid,{\textsc {SEN}},m)\), it ignores the message value m and processes only the input \((\mathsf{send}, sid,{\textsc {SEN}},m)\). An oracle \(\mathcal{M}\) is called messageprocessing oracle if it has no such restrictions. We call a pair of oracles \((\mathcal{M},\mathcal{I})\) wellmatched if no PPT distinguisher \(\mathcal{D}\) (with oracle access to either \(\mathcal{M}\) or \(\mathcal{I}\)) can distinguish the messageprocessing oracle \(\mathcal{M}\) from the messageignoring oracle \(\mathcal{I}\).
Definition 2.6
Let \((\mathcal{M},\mathcal{I})\) be a wellmatched pair which consists of a messageprocessing and a messageignoring oracle, respectively. Let \(\mathcal{{O}}^\ell \) be a (stateful) oracle with the following structure.

Upon initialization, \(\mathcal{{O}}^\ell \) chooses a uniformly random index \(i \leftarrow \{1,\ldots ,\ell \}\). In addition it initializes a tuple of \(\ell \) independent oracles: \((\mathcal{{O}}_1,\ldots ,\mathcal{{O}}_\ell )\), where \(\mathcal{{O}}_i =\mathcal{M}\) and for \(j \not = i\), the oracles \(\mathcal{{O}}_j\) are independent copies of the messageignoring oracle \(\mathcal{I}\).

Whenever \(\mathcal{{O}}^\ell \) receives inputs of the form \((\mathsf{ChSetup}, sid, {\textsc {SEN}})\) or \((\mathsf{send}, sid,{\textsc {SEN}},m)\), it passes the input to each oracle \(\mathcal{{O}}_i\) receiving an output \(y_i\). It then outputs the vector \((y_1,\ldots ,y_\ell )\).
Upon receiving an input \((\mathsf{corrupt}, sid,P)\), the oracle reveals the internal state of the messageprocessing oracle \(\mathcal{{O}}_i\) only.
For any such oracle \(\mathcal{{O}}^\ell \), we call the functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^{\mathcal{{O}}^\ell }\) an \(\ell \)equivocal NCE. For brevity, we will also use the notation \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \) to denote \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^{\mathcal{{O}}^\ell }\) for some such oracle \(\mathcal{{O}}^\ell \). Lastly, a realworld protocol which realizes \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \) is called an \(\ell \)equivocal NCE scheme.
As before, no information about messages m is revealed during the “send” stage. However, the internal state of the messageprocessing oracle \(\mathcal{{O}}_i\), which is revealed upon corruption, might be “committing”. Nevertheless, a simulator can simulate the communication between two honest parties over a secure channel, as modelled by \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \), in a way that allows it to later explain this communication as any one of \(\ell \) possibilities.
Oblivious transfer (OT). The 1outof2 OT functionality \(\mathcal{F}_{{\scriptscriptstyle \mathrm {OT}}}\) is defined in Fig. 2.
OneSided Adaptively Secure NCE
In this section, we discuss our first result regarding onesided NCE, that is building on the cryptographic primitives NCE for the receiver (NCER), NCE for the sender (NCES) and \(\ell \)equivocal NCE. Before presenting our construction we review the security definitions of these primitives.
NCER, NCES and \(\ell \)Equivocal NCE
NCE for the Receiver
NCE for the receiver is a secure PKE with an additional property that enables generating a secret key that decrypts a fake ciphertext into any plaintext. Specifically, the scheme operates in two modes. The real mode enables to encrypt and decrypt as in the standard definition of PKE, whereas the fake mode enables to generate fake ciphertexts that are computationally indistinguishable from real ciphertexts, such that using a special trapdoor one can produce a secret key that decrypts a fake ciphertext into any plaintext. More formally, an NCE for the receiver encryption scheme with message space \(m\in \{0,1\}^n\) consists of a tuple of probabilistic algorithms \((\mathsf {Gen},\mathsf {Enc},\mathsf {Enc}^*,\mathsf {Dec},\mathsf {Equivocate})\) specified as follows:

\(\mathsf {Gen},\mathsf {Enc},\mathsf {Dec}\) are as specified in Definition 7.4.

\(\mathsf {Enc}^*\), given the public key \(\textsc {PK}\) output a ciphertext \(c^*\) and a trapdoor \(t_{c^*}\).

\(\mathsf {Equivocate}\), given the secret key \(\textsc {SK}\), trapdoor \(t_{c^*}\) and a plaintext \(m\in \{0,1\}^n\), output \(\textsc {SK}^*\) such that \(m=\mathsf {Dec}_{\textsc {SK}^*}(c^*)\).
Definition 3.1
]rm(NCER) NCE for the receiver is a tuple of algorithms defined above that satisfy the following properties:

1.
\(\mathsf {Gen},\mathsf {Enc},\mathsf {Dec}\) imply an INDCPA secure encryption scheme as in Definition 7.5.

2.
Ciphertext indistinguishability. For any \(m\in \{0,1\}^n\) the following distributions are computationally indistinguishable:
$$\begin{aligned}&\left\{ (\textsc {PK},\textsc {SK},c,m)~~(\textsc {PK},\textsc {SK})\leftarrow \mathsf {Gen}(1^n),c\leftarrow \mathsf {Enc}_{\textsc {PK}}(m)\right\} \hbox { and }\\&\left\{ (\textsc {PK},\textsc {SK}^*,c^*,m)~~(\textsc {PK},\textsc {SK})\leftarrow \mathsf {Gen}(1^n),(c^*,t_{c^*})\leftarrow \mathsf {Enc}^*(\textsc {PK}),\right. \\&\left. \textsc {SK}^* \leftarrow \mathsf {Equivocate}(\textsc {SK},c^*,t_{c^*},m)\right\} . \end{aligned}$$
NCER can be realized under the DDH assumption [14, 37] for polynomialsize message spaces and under the DCR assumption for exponentialsize message spaces [14].
NCE for the Sender
NCE for the sender is a secure PKE with an additional property that enables generating a fake public key, such that any ciphertext encrypted under this key can be viewed as the encryption of any message together with the matched randomness. Specifically, the scheme operates in two modes. The real mode enables to encrypt and decrypt as in standard definition of PKE, whereas the fake mode enables to generate fake public keys and an additional trapdoor, such that the two modes keys are computationally indistinguishable. In addition, given this trapdoor and a ciphertext generated using a fake public key, one can produce randomness that is consistent with any plaintext. More formally, an NCE for the sender encryption scheme with message space \(m\in \{0,1\}^n\) consists of a tuple of probabilistic algorithms \((\mathsf {Gen},\mathsf {Gen}^*,\mathsf {Enc},\mathsf {Dec},\mathsf {Equivocate})\) specified as follows:

\(\mathsf {Gen},\mathsf {Enc},\mathsf {Dec}\) are as specified in Definition 7.4.

\(\mathsf {Gen}^*\) generates public key \(\textsc {PK}^*\) and a trapdoor \(t_{\textsc {PK}^*}\).

\(\mathsf {Equivocate}\), given a ciphertext \(c^*\) computed using \(\textsc {PK}^*\), a trapdoor \(t_{\textsc {PK}^*}\) and a plaintext \(m\in \{0,1\}^n\), output r such that \(c^* =\mathsf {Enc}(m;r)\).
Definition 3.2
(NCES) An NCE for the sender is a tuple of algorithms defined above that satisfy the following properties:

1.
\(\mathsf {Gen},\mathsf {Enc},\mathsf {Dec}\) imply an INDCPA secure encryption scheme as in Definition 7.5.

2.
Public key indistinguishability. For any \(m\in \{0,1\}^n\) the following distributions are computationally indistinguishable:
$$\begin{aligned}&\{(\textsc {PK},r,m,c)~~(\textsc {PK},\textsc {SK})\leftarrow \mathsf {Gen}(1^n),c\leftarrow \mathsf {Enc}_{\textsc {PK}}(m;r)\} \hbox { and }\\&\{(\textsc {PK}^*,r^*,m, c^*)~~(\textsc {PK}^*, t_{\textsc {PK}^*})\leftarrow \mathsf {Gen}^*(1^n),c^* \leftarrow \mathsf {Enc}_{\textsc {PK}^*}(m';r'),r^*\\&\quad \leftarrow \mathsf {Equivocate}(c^*,t_{\textsc {PK}^*},m)\}. \end{aligned}$$
NCES can be realized under the DDH assumption [4] for polynomialsize message spaces and under the DCR assumption for exponentialsize message spaces. The later construction is presented in Section 3.1.4.
\(\ell \)Equivocal NCE [31].
The idea of \(\ell \)equivocal NCE is to exploit the fact that it is often unnecessary for the simulator to explain a fake ciphertext with respect to any potential plaintext. Instead, the simulator is given a set of \(\ell \) messages during the generation of the fake ciphertext and must later be able to plausibly explain the ciphertext as the encryption of any one of those \(\ell \) messages (where \(\ell \) might be as small as 2). Specifically, two parameters are considered here: a plaintext of bit length \(\ell '\) and an equivocality parameter \(\ell \) which denotes the potential number of plaintexts (namely, the noncommitted domain size). The parameter \(\ell \) further dominates the overhead of the \(\ell \)equivocal NCE construction from [31] and thus improves over NCE whenever \(\ell \) is very small, but the plaintext length is large. Specifically, the [31] construction requires \(O(\log \ell )\) PKE operations. In this paper, we use this primitive to encrypt plaintexts domains of length n with constant overhead. \(\ell \)equivocal NCE is realized in [31] under the same hardness assumptions that imply NCE.
NCES for ExponentialSize Message Spaces
In what follows, we introduce a new NCE for the sender based on the security of the DCR assumption. Our scheme is based on the PKE from [14], building on earlier work by Cramer and Shoup [16]. Let \(N=pq\) be an RSA modulus, then define \(\Pi _{\scriptscriptstyle \mathrm {NCES}}^{{\scriptscriptstyle \mathrm {DCR}}}=(\mathsf {Gen},\mathsf {Gen}^*,\mathsf {Enc},\mathsf {Dec},\mathsf {Equivocate})\) an NCES as follows.

\(\mathsf {Gen}\), given the security parameter n, generate an RSA modulus \(N=pq\) with \(p = 2p' +1\) and \(q = 2q'+1\) where \(p,q,p',q'\) are primes. Pick \(g'\leftarrow {\mathbb Z}_{N^2}^*\) and \(\alpha \leftarrow {\mathbb Z}_{N^2/4}\) and set \(g_0=g'^{2N}\hbox { mod }N^2\) and \(h_0=g_0^\alpha \hbox { mod }N^2\). Choose a random \(r\leftarrow {\mathbb Z}_{N/4}\) and compute \(g_1=g_0^{r}\hbox { mod }N^2, h_1=((1+N)\cdot h_0^{r})\hbox { mod }N^2\). Output \(\textsc {PK}= (N,g_0,h_0,g_1,h_1)\) and secret key \(\textsc {SK}= \alpha \).

\(\mathsf {Gen}^*\), given the security parameter n, generate \(N,g_0,h_0\) as in \(\mathsf {Gen}\). Choose a random \(r\leftarrow {\mathbb Z}_{N/4}\) and compute \(g_1=g_0^{r}\hbox { mod }N^2, h_1= h_0^{r}\hbox { mod }N^2\). Output \(\textsc {PK}^* = (N,g_0,h_0,g_1,h_1)\) and trapdoor \(t_{\textsc {PK}^*} = r\).

\(\mathsf {Enc}\), given the public key \(\textsc {PK}= (N,g_0,h_0,g_1,h_1)\) (or \(\textsc {PK}^*\)) and a message \(m\in {\mathbb Z}_N\), choose a random \(t \leftarrow {\mathbb Z}_{N/4}\) and output the ciphertext
$$\begin{aligned} c \leftarrow \mathsf {Enc}(m;t) = \left( (g_1^m g_0^{t})\hbox { mod }N^2, (h_1^m h_0^{t})\hbox { mod }N^{2}\right) . \end{aligned}$$ 
\(\mathsf {Dec}\), given the public key \(\textsc {PK}= (N,g_0,h_0,g_1,h_1)\), secret key \(\textsc {SK}= \alpha \) and ciphertext \(c = (g_c,h_c)\), compute \(\hat{m}\) as follows and output \(m\in {\mathbb Z}_N\) such that \(\hat{m} = 1+mN\).
$$\begin{aligned} \hat{m} = \left( h_c/g_c^{\alpha }\right) ^{N+1} = [(1+N)^{m}]^{N+1} = (1+N)^{m}. \end{aligned}$$ 
\(\mathsf {Equivocate}\), given \(\Phi (N)\), the fake key \(\textsc {PK}^* = (N,g_0,h_0,g_1,h_1)\), trapdoor \(t_{\textsc {PK}^*} = r\), a ciphertext \(c^* \leftarrow \mathsf {Enc}_{\textsc {PK}^*}(m;t) = (g_c,h_c)\) and a message \(m'\), output \(t' = (r m+trm')\hbox { mod }\Phi (N)/4\). It is easy to see that
$$\begin{aligned} \mathsf {Enc}_{\textsc {PK}^*}(m';t')= & {} \left( (g_1^{m'} g_0^{t'}), h_1^{m'} h_0^{t'})\right) \\= & {} \left( (g_0^{r m'} g_0^{(r m+tr m')}), (h_0^{r m'} h_0^{(r m+tr m')}) \right) = c. \end{aligned}$$
Next, we show that this scheme meets Definitions 3.2.
Proposition 6.1
Assume that the DCR assumption is hard in \({\mathbb Z}_{N^2}^*\), then \(\Pi _{\scriptscriptstyle \mathrm {NCES}}^{{\scriptscriptstyle \mathrm {DCR}}}\) is a NCES.
Proof
Given the public key \(\textsc {PK}= (N,g_0,h_0,g_1,h_1)\) and two messages \(m,m'\in {\mathbb Z}_N\), it holds that encryptions of any two messages m and \(m'\), namely the tuples (1) \(\left( (g_1^m g_0^{t})\hbox { mod }N^2, (h_1^m h_0^{t})\hbox { mod }N^{2}\right) \) and (2) \(\left( (g_1^{m'} g_0^{t})\hbox { mod }N^2, (h_1^{m'} h_0^{t})\hbox { mod }N^{2}\right) \), are computationally close. This follows immediately from the INDCPA security proof for the modified scheme in [19] (cf. Theorem 2 of [19]). The fact that fake and valid public keys are computationally indistinguishable follows from the INDCPA security of [14] and [16], as the former key is an encryption of zero, whereas the latter key is an encryption of one. \(\square \)
Our Construction
The idea of our protocol is to have the receiver create two public/secret key pairs where the first pair is for NCES and the second pair is for NCER. The receiver sends the public keys, and the sender encrypts two shares of its message m, each share with a different key. Upon receiving the ciphertexts, the receiver recovers the message by decrypting the ciphertexts. We stress that this idea only works if the simulator knows the identity of the corrupted party prior to the protocol execution, since the simulator must decide in advance whether the keys or the ciphertexts should be explained as valid upon corruption (as we cannot have both generated in a fake mode). Nevertheless, in the onesided setting we cannot tell which party will be adaptively corrupted prior to the execution. We thus resolve this issue using \(\ell \)equivocal NCE in order to commit to the choice of having fake/valid keys and ciphertexts (so the simulator can postpone its decision regarding having either fake keys or ciphertexts to the point where corruption occurs). The fact that this choice induces a binary equivocation space enables to design a protocol with a constant overhead. We are now ready to introduce our protocol in the \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \)hybrid model (for \(\ell =2\)). Formally, let \(\Pi _{\scriptscriptstyle \mathrm {NCES}}=(\mathsf {Gen},\mathsf {Gen}^*,\mathsf {Enc},\mathsf {Dec},\mathsf {Equivocate})\) and \(\Pi _{\scriptscriptstyle \mathrm {NCER}}=(\mathsf {Gen},\mathsf {Enc},\mathsf {Enc}^*,\mathsf {Dec},\mathsf {Equivocate})\), respectively, denote NCES and NCER for message space \(\{0,1\}^n\). Then, consider the following protocol that realizes \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) with onesided security.
Protocol 2
(Onesided NCE (\(\Pi _{\scriptscriptstyle \mathrm {OSC}}\)))

Inputs: Sender \({\textsc {SEN}}\) is given input message \(m\in \{0,1\}^n\). Both parties are given security parameter \(1^n\).

The Protocol:

1.
Message from the receiver. \({\textsc {REC}}\) invokes \(\mathsf {Gen}(1^n)\) of \(\Pi _{\scriptscriptstyle \mathrm {NCES}}\) and \(\Pi _{\scriptscriptstyle \mathrm {NCER}}\) and obtains two public/secret key pairs \((\textsc {PK}_S,\textsc {SK}_S)\) and \((\textsc {PK}_R,\textsc {SK}_R)\), respectively. \({\textsc {REC}}\) then forwards \((\mathsf{ChSetup}, sid, {\textsc {REC}})\) and \((\mathsf{send}, sid,{\textsc {REC}},\textsc {PK}_S)\) to \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \), and the message \(\textsc {PK}_R\) to \({\textsc {SEN}}\).

2.
Message from the sender. Upon receiving \((\mathsf{send}, sid,{\textsc {REC}},\textsc {PK}_S)\) from \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \) and \(\textsc {PK}_R\) from \({\textsc {REC}}\), \({\textsc {SEN}}\) creates two shares of m, \(m_S\) and \(m_R\), such that \(m = m_S \oplus m_R\). It then encrypts \(m_S\) (resp. \(m_R\)) using \(\textsc {PK}_S\) (resp. \(\textsc {PK}_R\)), creating ciphertext \(c_S\) (resp. \(c_R\)), and forwards \(\mathrm{(\mathsf{ChSetup}, sid', {\textsc {SEN}})}\), \(\mathrm{(\mathsf{send}, sid',{\textsc {SEN}},c_S)}\) and \(\mathrm{(\mathsf{ChSetup}, sid'', {\textsc {SEN}})}\), \((\mathsf{send}, sid'',{\textsc {SEN}},c_R)\) to \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \)

3.
Output. Upon receiving \(\mathrm{(\mathsf{send}, sid',{\textsc {SEN}},c_S)}\) and \(\mathrm{(\mathsf{send}, sid'',{\textsc {SEN}},c_R)}\) from \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \), \({\textsc {REC}}\) decrypts \(c_S\) (resp. \(c_R\)) using \(\textsc {SK}_S\) (resp. \(\textsc {SK}_R\)) and outputs the bitwise XOR of the decrypted plaintexts.

1.
Our protocol can be instantiated using DDHbased NCES and NCER for polynomialsize message spaces, and using DCRbased NCES and NCER for exponentialsize message spaces. Note that the message space of our onesided NCE is implied by the message spaces of the underlying NCES/NCER schemes. Therefore, when instantiated with the above concrete constructions, our protocol can transmit nbits messages using a constant number of PKE operations, as opposed to NCE that requires O(n) such operations. We conclude with the following theorem and the complete proof.
Theorem 3.4
Assume the existence of NCER and NCES. Then Protocol 1 UC realizes \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) in the \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \)hybrid model (for \(\ell =2\)) in the presence of onesided adaptive malicious adversaries.
Intuitively, security follows due to the fact that the simulator is not committed to either valid keys or valid ciphertexts as it plays the role of functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \). Thus, upon corrupting one of the parties it is able to explain that party’s internal state while equivocating the communication with respect to message m.
Proof
Let \(\textsc {Adv}\) be a malicious probabilistic polynomialtime adversary attacking Protocol 1 by adaptively corrupting one of the parties. We construct an adversary \(\textsc {Sim}\) for the ideal functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) such that no environment \(\textsc {Env}\) distinguishes with a nonnegligible probability whether it is interacting with \(\textsc {Adv}\) in the hybrid setting or with \(\textsc {Sim}\) in the ideal setting. We recall that \(\textsc {Sim}\) interacts with the ideal functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) and the environment \(\textsc {Env}\). We refer to the interaction of \(\textsc {Sim}\) with \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) and \(\textsc {Env}\) as the external interaction. The interaction of \(\textsc {Sim}\) with the simulated \(\textsc {Adv}\) is the internal interaction. We explain the strategy of the simulation for all corruption cases.
 Simulating the communication with Env.:

Every input value received by the simulator from \(\textsc {Env}\) is written on \(\textsc {Adv}\)’s input tape. Likewise, every output value written by \(\textsc {Adv}\) on its output tape is copied to the simulator’s output tape (to be read by the environment \(\textsc {Env}\)).
 SEN is corrupted at the outset of the protocol. :

\(\textsc {Sim}\) begins by activating \(\textsc {Adv}\) and sends the message \((\mathsf{corrupt}, sid, {\textsc {SEN}})\) to \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\), receiving back the message \((\mathsf{send}, sid,{\textsc {SEN}},m)\) and the sender’s input m. It then picks two public/secret key pairs \((\textsc {PK}_S,\textsc {SK}_S)\) and \((\textsc {PK}_R,\textsc {SK}_R)\). It then emulates functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \) and the honest receiver by forwarding \(\textsc {Adv}\) the message \((\mathsf{send}, sid, {\textsc {REC}}, \textsc {PK}_S)\) from \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \) and \(\textsc {PK}_R\) from \({\textsc {REC}}\). Upon receiving \((\mathsf{send}, sid',{\textsc {SEN}},c_S)\) and \((\mathsf{send}, sid'',{\textsc {SEN}},c_R)\) from \(\textsc {Adv}\), \(\textsc {Sim}\) extracts m (that may be different than the message received from \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\)) by computing \(m=\mathsf {Dec}_{\textsc {SK}_S}(c_S) \oplus \mathsf {Dec}_{\textsc {SK}_R}(c_R)\). In case decryption does not follow correctly, \(\textsc {Sim}\) fixes m to be a default value. It then externally forwards \((\mathsf{ChSetup}, sid, {\textsc {SEN}})\) and \((\mathsf{send}, sid,{\textsc {SEN}},m)\) to the ideal functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\). Note that corruption takes place at the outset of the protocol execution and thus the simulator is able to simulate the transcript exactly as in the hybrid setting.
 REC is corrupted at the outset of the protocol. :

\(\textsc {Sim}\) begins by activating \(\textsc {Adv}\) and sends the message \((\mathsf{corrupt}, sid, {\textsc {SEN}})\) to \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\), receiving back the message \((\mathsf{send}, sid,{\textsc {SEN}},m)\) and the receiver’s output m. \(\textsc {Sim}\) invokes \(\textsc {Adv}\) and receives \((\mathsf{send}, sid, {\textsc {SEN}}, \textsc {PK}_S)\) (which is the message sent to \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \)), and \(\textsc {PK}_R\). Next, \(\textsc {Sim}\) completes the execution playing the role of the honest sender on input m. Note that it does not make a difference whether \({\textsc {REC}}\) generates valid or invalid public keys since \(\textsc {Sim}\) knows m and thus perfectly emulates the receiver’s view.
 SEN is corrupted between Steps 1 and 2. :

Upon receiving the sender’s input m, \(\textsc {Sim}\) completes the simulation exactly as in the previous case when \({\textsc {SEN}}\) was corrupted at the outset of the protocol execution, as no message was sent yet on behalf of the sender.
 REC is corrupted between Steps 1 and 2. :

Upon receiving the receiver’s output message m, \(\textsc {Sim}\) explains the receiver’s internal state as follows. Specifically, it reveals the randomness for generating \(\textsc {PK}_S,\textsc {SK}_S\) and \(\textsc {PK}_R,\textsc {SK}_R\), and explains \(\textsc {PK}_S\) as the message that was sent to \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \). \(\textsc {Sim}\) then completes the simulation while playing the role of the honest sender with input message m.
Note that in the \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \)hybrid model the simulation and the hybrid executions are identically distributed since the transcript only includes \(\textsc {PK}_R\).
If none of the above corruption cases occur, \(\textsc {Sim}\) emulates the sender’s message as follows. It first chooses two random shares \(m'_S,m'_R\) and generates a pair of ciphertexts \((c'_S,c^*_S)\) for \(\Pi _{\scriptscriptstyle \mathrm {NCES}}\) where both encrypt \(m'_S\), respectively, using \(\textsc {PK}_S\) and \(\textsc {PK}^*_S\). It then generates a pair of ciphertexts \((c'_R,c^*_R)\) for \(\Pi _{\scriptscriptstyle \mathrm {NCER}}\) such that \(c'_R\) is a valid encryption of \(m'_R\) under public key \(\textsc {PK}_R\), and \(c^*_R\) is a fake ciphertext generated using \(\mathsf {Enc}^*\) and \(\textsc {PK}_R\). (Recall that the sender’s message is sent via \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \) thus it is not part of the transcript seen by the adversary).
 SEN is corrupted after Step 2 is concluded. :

Upon receiving the sender’s input m from \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\), the simulator explains the sender’s internal state as follows. It first explains \(\textsc {PK}_S^*\) for being the public key received from \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \). Furthermore, it explains \(c^*_S\) and \(c'_R\) as the ciphertexts sent to \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \). Finally, it computes \(r'' \leftarrow \mathsf {Equivocate}(c_S^*,t_{\textsc {PK}_S^*},m''_S)\) for \(m''_S\) such that \(m=m''_S\oplus m'_R\), and presents \(r''\) as the randomness used to generate \(c^*_S\) for encrypting \(m''_S\). The randomness used for generating \(c'_R\) is revealed honestly.
Consider the adversary’s view which is comprised from three invocations of \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \) (one played with the role of the receiver and two with the role of the sender) and a public key \(\textsc {PK}_R\) that was honestly generated. Note that the message received via the first \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \) invocation is a fake public key \(\textsc {PK}^*_S\). Moreover, the remaining two invocations are for sending the honestly generated ciphertexts relative to keys \(\textsc {PK}^*_S\) and \(\textsc {PK}_R\). Now, since the only different between the simulated and hybrid views is with respect to the key for NCES, we reduce the security of this case to the security of \(\Pi _{\scriptscriptstyle \mathrm {NCES}}\).
Specifically, here the difference boils down to the key indistinguishability property of \(\Pi _{\scriptscriptstyle \mathrm {NCES}}\). Given m and a tuple in one of these forms \((\textsc {PK}^*,r^*,\tilde{m}, c^*)\) or \((\textsc {PK},r,\tilde{m},c)\) for an arbitrary \(\tilde{m}\), as specified in Definition 3.2, a distinguisher \(\mathbf {Adv}_{\scriptscriptstyle \mathrm {NCES}}\) continues as follows. Say it was given \((\textsc {PK}',r',\tilde{m}, c')\), then \(\mathbf {Adv}_{\scriptscriptstyle \mathrm {NCES}}\) emulates the role of the honest receiver and forwards the key \(\textsc {PK}'\) to \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \) and a valid key \(\textsc {PK}_R\) to \({\textsc {SEN}}\). It then completes the simulation as the simulator would do while pluggingin \(c'\) as the ciphertext that encrypts \(\tilde{m}\) under \(\textsc {PK}'\). The distinguisher then explains the sender’s internal state as in the simulation. Clearly, any advantage in distinguishing the hybrid and simulated views can be reduced to breaking the indistinguishability of \(\Pi _{\scriptscriptstyle \mathrm {NCES}}\) since \(\mathbf {Adv}_{\scriptscriptstyle \mathrm {NCES}}\) generates a view that is distributed according to one of these executions.
 REC is corrupted after Step 2 is concluded. :

Upon receiving the receiver’s message m from \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\), the simulator explains the receiver’s internal state as follows. It explains \(\textsc {PK}_S\) for being the public key sent to \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \) and presents the randomness for generating \((\textsc {PK}_S,\textsc {SK}_S)\) and \((\textsc {PK}_R,\textsc {SK}^*_R)\) where \(\textsc {SK}^*_R\) is as defined below. It then explains \(c_S\) and \(c^*_R\) for being the ciphertexts received from \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \). Specifically, \(\textsc {SK}^*_R\) is defined such that \(m''_R \leftarrow \mathsf {Dec}_{\textsc {SK}^*_R}(c^{*}_R)\) and \(m''_R \oplus m'_S = m\).
Security is proven similarly to the case the sender is corrupted at the end. Namely, the receiver’s view is comprised from three invocations of \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}^\ell \) and ciphertexts \(c_S,c_R^*\). Security follows due to the security of \(\Pi _{\scriptscriptstyle \mathrm {NCER}}\), where a distinguisher \(\mathbf {Adv}_{\scriptscriptstyle \mathrm {NCER}}\) that wishes to distinguish between a fake and a real ciphertext receives either \((\textsc {PK},\textsc {SK}^*_R,c^*_R,m''_R)\) or \((\textsc {PK},\textsc {SK},c_R,m''_R)\). \(\square \)
OneSided Adaptively Secure OT
\(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\), formally defined in Figure 2, is one of the fundamental functionalities in secure computation. In this section we design onesided OT based on the [48] construction which is designed based on dualmode PKE. We recall this definition first.
DualMode PKE
Loosely speaking, a dualmode PKE is a PKE that is initialized with system parameters that can be defined in two modes. For each mode it is possible to generate public and secret keys that are associated with a branch \(\sigma \in \{0,1\}\). Similarly, the encryption algorithm generates ciphertexts with respect to a branch \(\beta \in \{0,1\}\). Moreover, if the key branch matches the ciphertext branch (that is, \(\sigma =\beta \)), then the ciphertext can be correctly decrypted. The security of dualmode PKE relies on the indistinguishability of the two system parameters modes, which are denoted by messy and decryption. In messy mode the system parameters are generated together with a messy trapdoor, which imply that any public key (even malformed keys) can be associated with any branch. Moreover, when the key branch does not match the ciphertext branch, the ciphertext becomes statistically independent of the plaintext. On the other hand, in decryption mode the system parameters allow to generate two secret keys that correctly decrypt the ciphertexts generated for either branch. Formally, a dualmode PKE \(\Pi _{\scriptscriptstyle \mathrm {DUAL}}\) with message space \(\{0,1\}^n\) consists of a tuple of probabilistic algorithms \((\mathsf {Setup},\mathsf {dGen},\mathsf {dEnc},\mathsf {dDec},\mathsf {FindBranch},\mathsf {TrapKeyGen})\) specified as follows:

\(\mathsf {Setup}(1^n,\mu )\), given security parameter n and mode \(\mu \in \{0,1\}\), outputs \((\textsc {CRS}, t)\). The CRS is a common string for the remaining algorithms, and t is a trapdoor value that is given to either \(\mathsf {FindBranch}\) or \(\mathsf {TrapKeyGen}\), depending on the mode.
The setup algorithms for messy and decryption modes are denoted by \(\mathsf {SetupMessy}\) and \(\mathsf {SetupDecryption}\), respectively; namely \(\mathsf {SetupMessy}(1^n) := \mathsf {Setup}(1^n,0)\) and \(\mathsf {SetupDecryption}(1^n) := \mathsf {Setup}(1^n,1)\).
All the remaining algorithms take \(\textsc {CRS}\) as their first input. For clarity, we usually omit it from their lists of arguments.

\(\mathsf {dGen}(\sigma )\), given a desired decryptable branch value \(\sigma \), outputs \((\textsc {PK},\textsc {SK})\) where \(\textsc {PK}\) is a public encryption key and \(\textsc {SK}\) is a corresponding secret decryption key for messages encrypted in branch \(\sigma \). For our purpose, the secret decryption key denotes the randomness used by \(\mathsf {dGen}\) which further induces the secret key.

\(\mathsf {dEnc}(\textsc {PK},\beta ,m)\), given a public key \(\textsc {PK}\), a branch value \(\beta \in \{0,1\}\) and a message \(m\in \{0,1\}^n\), outputs a ciphertext c encrypted on branch \(\beta \).

\(\mathsf {dDec}(\textsc {SK},c)\), given a secret key \(\textsc {SK}\) and a ciphertext c, outputs a message \(m\in \{0,1\}^n\).

\(\mathsf {FindBranch}(t,\textsc {PK})\), given a trapdoor t and some (possibly even malformed) public key \(\textsc {PK}\), outputs a branch value \(\beta \in \{0,1\}\) corresponding to a messy branch of \(\textsc {PK}\).

\(\mathsf {TrapKeyGen}(t)\), given a trapdoor t, outputs \((\textsc {PK},\textsc {SK}_0,\textsc {SK}_1)\), where \(\textsc {PK}\) is a public encryption key and \(\textsc {SK}_0,\textsc {SK}_1\) are corresponding secret decryption keys for branches 0 and 1, respectively.
Definition 4.1
(Dualmode PKE) A dualmode PKE is a tuple of algorithms described above that satisfy the following properties:

1.
Completeness for decryptable branch. For every \(\sigma \in \{0,1\}\), every \((\textsc {CRS}, t) \leftarrow \mathsf {Setup}(1^n, \sigma )\), every \((\textsc {PK},\textsc {SK}) \leftarrow \mathsf {dGen}(\sigma )\), and every \(m\in \{0,1\}^n\), decryption is correct on branch \(\sigma \), i.e. \(\mathsf {dDec}_{\textsc {SK}}(\mathsf {dEnc}_{\textsc {PK}}(m,\sigma )) = m\).

2.
Indistinguishability of modes. The CRS generated by \(\mathsf {SetupMessy}\) and \(\mathsf {SetupDecryption}\) is computationally indistinguishable, i.e. \(\mathsf {SetupMessy}(1^n) \approx _c \mathsf {SetupDecryption}(1^n)\).

3.
Trapdoor extraction of a messy branch (messy mode). For every \((\textsc {CRS}, t) \leftarrow \mathsf {SetupMessy}(1^n)\) and every (possibly malformed) \(\textsc {PK}\), \(\mathsf {FindBranch}(t,\textsc {PK})\) outputs a branch value \(\beta \in \{0,1\}\) such that \(\mathsf {dEnc}(\textsc {PK},\beta ,\cdot )\) is messy. Namely, for every \(m_0,m_1 \in \{0,1\}^n\), \(\mathsf {dEnc}_\textsc {PK}(m_0,\beta )\approx _s \mathsf {dEnc}_\textsc {PK}(m_1,\beta )\).

4.
Trapdoor generation of keys decryptable on both branches (decryption mode). For every \((\textsc {CRS}, t) \leftarrow \mathsf {SetupDecryption}(1^n)\), \(\mathsf {TrapKeyGen}(t)\) outputs \((\textsc {PK}, \textsc {SK}_0, \textsc {SK}_1)\) such that for every \(\sigma \in \{0,1\}\), \((\textsc {PK}, \textsc {SK}_\sigma )\approx _c \mathsf {dGen}(\sigma )\).
This notion was introduced by Peikert et al. in [48], which further showed how to instantiate it based on the DDH, QR and Learning with Errors hardness assumptions. We note that our definition is slightly different than the original [48] definition in the sense that algorithm \(\mathsf {dGen}\) returns the randomness it uses in order to generate the secret key and the public key. This is required for equivocating the internal state of the receiver upon being adaptively corrupted (and is not required in the static setting). We note that this modification does not effect the former two instantiations in [48] and further arises in [31].
Our Construction
We now concentrate on designing our onesided OT based on the [48] construction. Recall that in PVW protocol [48] the receiver first generates public and secret keys for branch \(\sigma \). In response, the sender returns the encryptions of \(x_0\) with respect to branch 0 and \(x_1\) with respect to branch 1. Finally, the receiver decrypts the ciphertext for branch \(\sigma \). Our onesided OT requires the following modifications with respect to [48]. First, we fix the system parameters of the dualmode PKE in decryption mode (where originally the system parameters are defined in either messy mode or decryption mode). Specifically, fixing the system parameters in decryption mode as we suggest here implies that in the security proof the simulator can extract the sender’s input and equivocate the receiver’s input. In addition, in order to be able to equivocate the sender’s input in the security proof we encrypt its message using our onesided NCE (see Section 3.1). Finally, in order to extract the receiver’s bit, we ask the receiver to prove its behaviour using a special ZK PoK type for compound statements. In particular, the receiver proves that it knows a secret key for either branch 0 or 1, where the extracted branch value implies the extraction of \(\sigma \). We design this proof so that it exploits the fact that the simulator knows the secret keys for both branches. Specifically, the proof allows the simulator to use both secret keys when emulating the receiver’s role and later convince the adversary that it only knows the \(\sigma \)th secret key. We denote these types of proofs by witness equivocal and explain them in more details in Section 6.2. More formally, the compound relation \({\mathcal{R}}_{\scriptscriptstyle \mathrm {LR}}\) we use in our OT protocol is combined of the following two relations:
where \(\textsc {CRS}\) are the system parameters and \(\mathsf {dGen}\) is the key generation algorithm for the underlying dualmode system. Similarly, we define \({\mathcal{R}}_{\scriptscriptstyle \mathrm {ONE}}\) for public keys generated with respect to branch 1. Then, the compound relation \({\mathcal{R}}_{{\scriptscriptstyle \mathrm {LR}}}\) is defined by
In Section 6.2 we consider two instantiations of \({\mathcal{R}}_{\scriptscriptstyle \mathrm {LR}}\) based on the DDH and QR assumptions.
We are now ready to describe our protocol in details. Formally, we denote the dualmode PKE of [48] by \(\Pi _{\scriptscriptstyle \mathrm {DUAL}}= (\mathsf {SetupMessy},\mathsf {SetupDecryption},\mathsf {dGen},\mathsf {dEnc},\mathsf {dDec},\mathsf {FindBranch},\mathsf {TrapKeyGen})\) and describe our construction in the \((\mathcal{F}_{\scriptscriptstyle \mathrm {SC}},\mathcal{F}_{{\scriptscriptstyle \mathrm {LR}}})\)hybrid model, where \(\mathcal{F}_{\scriptscriptstyle \mathrm {LR}}\) is the ideal functionality that verifies the relation \({\mathcal{R}}_{\scriptscriptstyle \mathrm {LR}}\) and returns \(\texttt {Accept}\) to the verifier only if the witness provided by the prover meets the definition of \({\mathcal{R}}_{\scriptscriptstyle \mathrm {LR}}\). More formally,
Protocol 3
(Onesided OT ( \(\Pi _{\scriptscriptstyle \mathrm {OT}}\)))

Inputs: Sender \({\textsc {SEN}}\) has \(x_0,x_1 \in \{0,1\}^n\) and receiver \({\textsc {REC}}\) has \(\sigma \in \{0,1\}\).

CRS: \(\textsc {CRS}\) such that \((\textsc {CRS},t) \leftarrow \mathsf {SetupDecryption}\).

The Protocol:

1.
\({\textsc {REC}}\) generates \((\textsc {PK},\textsc {SK}) \leftarrow \mathsf {dGen}(\textsc {CRS},\sigma )\) and sends \(\textsc {PK}\). \({\textsc {REC}}\) further calls \(\mathcal{F}_{\scriptscriptstyle \mathrm {LR}}\) with \((\textsc {PK},(\textsc {SK},\sigma ))\).

2.
Upon receiving \(\texttt {Accept}\) from \(\mathcal{F}_{\scriptscriptstyle \mathrm {LR}}\) and \(\textsc {PK}\) from \({\textsc {REC}}\), \({\textsc {SEN}}\) generates \(c_0 \leftarrow \mathsf {dEnc}_\textsc {PK}(x_0,0)\) and \(c_1 \leftarrow \mathsf {dEnc}_\textsc {PK}(x_1,1)\). \({\textsc {SEN}}\) sends \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) the messages \((\mathsf{send}, sid, {\textsc {SEN}}, c_0)\) and \((\mathsf{send}, sid', {\textsc {SEN}}, c_1)\).

3.
Upon receiving \((\mathsf{send}, sid, {\textsc {SEN}}, c_0)\) and \((\mathsf{send}, sid', {\textsc {SEN}}, c_1)\) from \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\), \({\textsc {REC}}\) outputs \(\mathsf {dDec}_\textsc {SK}(c_\sigma )\).

1.
Note that our protocol implies OT with constant number of PKE operations for sender’s input space \(\{0,1\}^n\) if the underlying onesided NCE requires a constant overhead for message space \(\{0,1\}^n\), as holds for our construction from Section 3.1.
Theorem 4.2
Assume the existence of onesided NCE and dualmode PKE. Then Protocol 2 UC realizes \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\) in the \((\mathcal{F}_{\scriptscriptstyle \mathrm {SC}},\mathcal{F}_{{\scriptscriptstyle \mathrm {LR}}})\)hybrid model in the presence of onesided adaptive malicious adversaries.
Proof
Let \(\textsc {Adv}\) be a probabilistic polynomialtime malicious adversary attacking Protocol 2 by adaptively corrupting one of the parties. We construct an adversary \(\textsc {Sim}\) for the ideal functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\) such that no environment \(\textsc {Env}\) distinguishes with a nonnegligible probability whether it is interacting with \(\textsc {Adv}\) in the hybrid setting or with \(\textsc {Sim}\) in the ideal setting. We recall that \(\textsc {Sim}\) interacts with the ideal functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\) and the environment \(\textsc {Env}\). We refer to the interaction of \(\textsc {Sim}\) with \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\) and \(\textsc {Env}\) as the external interaction. The interaction of \(\textsc {Sim}\) with the simulated \(\textsc {Adv}\) is the internal interaction. Upon computing \((\textsc {CRS},t) \leftarrow \mathsf {SetupDecryption}(1^n)\), \(\textsc {Sim}\) proceeds as follows:
 Simulating the communication with Env.:

Every input value received by the simulator from \(\textsc {Env}\) is written on \(\textsc {Adv}\)’s input tape. Likewise, every output value written by \(\textsc {Adv}\) on its output tape is copied to the simulator’s output tape (to be read by its environment \(\textsc {Env}\)).
 SEN is corrupted at the outset of the protocol. :

\(\textsc {Sim}\) begins by activating \(\textsc {Adv}\) and emulates the receiver by running \((\textsc {PK},\textsc {SK}_0,\textsc {SK}_1) \leftarrow \mathsf {TrapKeyGen}(t)\). It then sends \(\textsc {PK}\) to the adversary on behalf of the honest receiver and an \(\texttt {Accept}\) message on behalf of \(\mathcal{F}_{\scriptscriptstyle \mathrm {LR}}\). Next, upon receiving from \(\textsc {Adv}\) the messages \((\mathsf{send}, sid, {\textsc {SEN}}, c_1)\) and \((\mathsf{send}, sid', {\textsc {SEN}}, c_1)\), sent to \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\), \(\textsc {Sim}\) computes \(x_0=\mathsf {dDec}_{\textsc {SK}_0}(c_0)\) and \(x_1=\mathsf {dDec}_{\textsc {SK}_1}(c_1)\). It then forwards \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\) the message \((\mathsf{sender}, sid, x_0, x_1)\) and completes the execution playing the role of the receiver using an arbitrary \(\sigma \).
Note that, in contrast to the hybrid execution where the receiver uses its real input \(\sigma \) as input to \(\mathsf {dGen}\) in order to create public/secret keys pair, the simulator does not know \(\sigma \) and thus creates the keys using \(\mathsf {TrapKeyGen}\). Nevertheless, when the CRS is set in a decryption mode the left public key is statistically indistinguishable from the right public key. Furthermore, the keys \((\textsc {PK},\textsc {SK}_i)\) that are generated by \(\mathsf {TrapKeyGen}\) are statistically close to the keys generated by \(\mathsf {dGen}\) with input bit i. This implies that the hybrid and simulated executions are statistically close.
 REC is corrupted at the outset of the protocol. :

\(\textsc {Sim}\) begins by activating \(\textsc {Adv}\) and receives a public key \(\textsc {PK}\) and a witness \(\textsc {SK}_\sigma \) as the input to \(\mathcal{F}_{\scriptscriptstyle \mathrm {LR}}\). Given \(\textsc {SK}_\sigma \), \(\textsc {Sim}\) checks if \(\textsc {PK}\) is the left or the right key and uses it to extract the receiver’s input \(\sigma \). If the adversary’s message is invalid then \(\textsc {Sim}\) aborts, sending \(\bot \) to \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\). Otherwise, it forwards the message \((\mathsf{receiver},sid,\sigma )\), receiving back \(x_\sigma \). Finally, \(\textsc {Sim}\) computes the sender’s message using \(x_\sigma \) and an arbitrary \(x'_{1\sigma }\).
Note that unlike in the hybrid execution, the simulator uses an arbitrary \(x'_{1\sigma }\) instead of the real \(x_{1\sigma }\). However, a decryption mode implies computational privacy of \(x_{1\sigma }\). This follows from the same proof in [48]. Therefore, the hybrid view is also computationally indistinguishable from the simulated view as in the static setting.
If none of the above corruption cases occur, \(\textsc {Sim}\) invokes \((\textsc {PK},\textsc {SK}_0,\textsc {SK}_1) \leftarrow \mathsf {TrapKeyGen}(t)\) and emulates the message \(\textsc {PK}\) sent to the sender.
 SEN is corrupted between Steps 1 and 2. :

\(\textsc {Sim}\) trivially explains the sender’s internal state since \({\textsc {SEN}}\) did not compute any message so far. The simulator completes the simulation by playing the role of \({\textsc {REC}}\) using an arbitrary bit \(\sigma \) as in the case when the sender is corrupted at the outset of the execution.
Indistinguishability for this case follows similarly to the prior corruption case when \({\textsc {SEN}}\) is corrupted at the outset of the execution since the simulator uses the same simulation strategy as above. Namely, the adversary’s simulated view is identically distributed in both simulation cases. This is because this view only contains the public key which is statically independent of \(\sigma \) in a decryption mode.
 REC corrupted between Steps 1 and 2. :

Upon corrupting the receiver \(\textsc {Sim}\) obtains \((sid, \sigma , x_\sigma )\) from \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\) and explains the receiver’s internal state as follows. It first explains \(\textsc {SK}_\sigma \) as the witness given to \(\mathcal{F}_{\scriptscriptstyle \mathrm {LR}}\) and \(\textsc {PK}\) as the outcome of \(\mathsf {dGen}(\textsc {CRS},\sigma )\). The simulator then completes the simulation playing the role of the honest sender with \(x_\sigma \) and an arbitrary \(x'_{1\sigma }\).
Indistinguishability for this case follows similarly to the prior corruption case since the simulator did not emulate the sender’s message yet.
 SEN is corrupted after Step 2. :

Upon corrupting the sender, \(\textsc {Sim}\) obtains \((sid,x_0,x_1)\) from \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\). It then explains the sender’s internal state as follows. It first computes \(c_{0},c_1\) that, respectively, encrypt \(x_0\) and \(x_1\). It then explains \(c_{0}\) and \(c_{1}\) as being sent to the receiver using \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\).
Indistinguishability follows as in the prior corruption case of the sender since the onesided noncommitting channel enables the simulator to “rewind” the simulation back, assuming that the sender is corrupted before simulating its message. Therefore, the same simulation strategy as before, of emulating the sender’s incoming message using an arbitrary bit \(\sigma \), works here as well.
 REC is corrupted after Step 2. :

Upon corrupting the receiver, \(\textsc {Sim}\) obtains \({\textsc {REC}}\)’s input and output \((sid,\sigma ,x_\sigma )\) from \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\). It then explains the receiver’s internal state as follows. It first explains \(\textsc {SK}_\sigma \) as the witness given to \(\mathcal{F}_{\scriptscriptstyle \mathrm {LR}}\) and \(\textsc {PK}\) as the outcome of \(\mathsf {dGen}(\textsc {CRS},\sigma )\). Finally, it explains the output of \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) as \(c_0,c_1\), so that \(c_{\sigma }\) is a valid encryption of \(x_\sigma \) under \(\textsc {PK}\) and \(c_{1\sigma }\) is an encryption of an arbitrary input.
Indistinguishability follows similarly to a static corruption case of the receiver. \(\square \)
Concrete instantiations. A DDHbased instantiation implies that the CRS is a Diffie–Hellman tuple \((g_0,g_1,h_0,h_1)\) and the trapdoor is \(\log _{g_0} {g_1}\). Moreover, the witness equivocal ZK PoK is realized with the statement and witness relation \(\big (((g_0h_0, g_\sigma ^r h_\sigma ^r),(g_1h_1,g_\sigma ^rh_\sigma ^r)), r\big )\) such that \(\textsc {PK}= (g_\sigma ^r,h_\sigma ^r)\), \(\textsc {SK}= r\) and \(r\leftarrow {\mathbb Z}_p\). An additional QRbased instantiation implies that the CRS is a quadratic residue y from \({\mathbb Z}^*_N\), whereas the trapdoor is s such that \(y = s^2 \hbox { mod }N\), where N is an RSA composite. Finally, the ZK PoK is realized with the statement and witness \(\big ((y\cdot \textsc {PK}, \textsc {PK}), r\big )\) such that \(\textsc {PK}= r^2/y^\sigma \), \(\textsc {SK}= r\) and \(r \leftarrow {\mathbb Z}^*_N\).
OneSided Adaptively Secure Computation
In the following, we demonstrate the feasibility of onesided adaptively secure protocols in the plain model with overhead that grows linearly with the static communication complexity (Section 5.1) and in the presence of malicious adversaries in the UC setting (Section 5.2). Our generic compiler requires from the parties to communicate with each other using noncommitting secure channels that achieve onesided security (as formally modelled by \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) in Section 3.1). This transformation demonstrates the feasibility of semihonest (UC) security in the presence of onesided attacks with the specified overhead. Moreover, in the plain model our compiler implies onesided malicious security with the same overhead. We recall that it is not clear how to compile static maliciously secure protocols into the onesided setting while preserving UC security, which is due to the additional setup. We thus build a concrete maliciously onesided secure construction by modifying the [42] static Yao based protocol. Our construction is constant round UC secure which requires a number of PKE operations that depend linearly on the circuit’s size times a statistical parameter.
From Static to OneSided Security with no Setup
In this section, we present a simple compiler that achieves onesided adaptive security given a static protocol. Loosely speaking, given a protocol \(\Pi \) our compiler encrypts the communication of \(\Pi \) using onesided NCE. The intuition behind the security proof follows from the fact that onesided NCE allows to equivocate the communication until the point corruption takes place. Specifically, whenever corruption occurs the simulator can essentially “rewind” back to the outset of the execution and recompute the entire protocol transcript using the corrupted party’s input, while pretending that this party was statically corrupted and that it follows the protocol execution until the corruption point. It then presents the adversary the generated transcript. As explained in [31], a subtlety arises in the malicious setting where it must hold that the simulator submits to the ideal functionality the exact same input used by the corrupted party (whom we assume to follow the protocol). This is because the ideal functionality cannot accept a different input, as it already computed the outputs using the honest inputs. This property is denoted by input preserving; see [31] for more details. We are now ready to prove the following theorem, our proof follows similarly to the proof from [31] which demonstrates a compiler from semiadaptive security into fully adaptive.
Theorem 5.1
Let f be a deterministic sameoutput functionality and let \(\Pi \) be a statically secure protocol with input preserving simulation. Then protocol \(\Pi '\), in which the parties run \(\Pi \) but only communicate with each other using onesided NCE is onesided adaptively secure.
Proof
Let \(\textsc {Adv}\) be a malicious PPT adversary attacking Protocol \(\Pi \). We construct a simulator \(\textsc {Sim}'\) such that no PPT \(\textsc {Env}\) distinguishes the real and the simulated views, i.e. the following computational indistinguishability holds
Simulator \(\textsc {Sim}'\) internally invokes a copy of the real adversary \(\textsc {Adv}\) and externally interacts with the ideal functionality f and environment \(\textsc {Env}\). We neglect static corruptions (since these are covered by the statically secure protocol \(\Pi \)) and describe the strategy of \(\textsc {Sim}'\) for the following two corruption cases: (1) Simulation with no corruptions. (2) Simulation when the first adaptive corruption takes place. Our proof follows in the \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\)hybrid model. As in the [31] proof, we assume that \(\Pi \) is a wellstructured protocol. Namely, a protocol execution should have the same number of messages, message lengths and order of communication independent of the inputs or random tape of the participating parties. This technicality is needed for simulating the communication of \(\Pi \). As pointed out in [31], almost all known constructed protocols for cryptographic tasks are well structured and any protocol can be easily converted into a wellstructured protocol.
Simulation with no corruptions. In case both parties are honest, simulator \(\textsc {Sim}'\) initializes a copy of the static simulator \(\textsc {Sim}\) that completes the setup phase (if required). Next, relying on the fact that \(\Pi \) is well structured, \(\textsc {Sim}'\) simulates the communication between the parties by simply forwarding publicly known data. Specifically, for wash round i, the simulator forwards the message \((\mathsf{send}, sid,P_{b_i},k_i)\) to \(\textsc {Adv}\) on behalf of \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\), where \(b_i\) is the identity of the party that sends the message in round i and \(k_i\) is its length.
Simulation for the first adaptive corruption. Denote the identity of the first corrupted party by \(P_\mathbf{1}\) and the other identity by \(P_\mathbf{2}\). Then \(\textsc {Sim}'\) receives from f the corrupted party’s input \(x_\mathbf{1}\) and (possible) output \(y_\mathbf{1}\). Let \(\textsc {Adv}_\mathbf{1}\) denote a PPT adversary that corrupts party \(P_\mathbf{1}\) right after the setup phase, yet uses the real input of \(P_\mathbf{1}\) in the execution, and let \(\textsc {Sim}_\mathbf{1}\) denote the simulator for that adversary. Then \(\textsc {Sim}'\) invokes \(\textsc {Sim}_\mathbf{1}\) until party \(P_\mathbf{1}\) is corrupted while playing the role of functionality f. Note that by the input preserving property \(\textsc {Sim}_\mathbf{1}\) can only submits the input \(x_\mathbf{1}\). If it expects to receive an output, \(\textsc {Sim}'\) forwards \(\textsc {Sim}_\mathbf{1}\) the value \(y_\mathbf{1}\). Once the simulation reaches the point where \(P_\mathbf{1}\) is corrupted, \(\textsc {Sim}'\) takes the internal state of \(\textsc {Sim}_\mathbf{1}\) and sets it as the internal state of \(P_\mathbf{1}\).
Indistinguishability follows easily since in the hybrid \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\)model the adversary’s views are identical. \(\square \)
One implication of our compiler is that it implies the feasibility of constant rounds onesided security with O(C) symmetric key operations and O(C) public key operations by applying our compiler to the semihonest twoparty protocol from [41, 51]. More formally,
Theorem 5.2
(Onesided semihonest) Let f be a deterministic sameoutput functionality and assume the assumptions specified in [41] and onesided NCE. Then there exists a constant rounds protocol with semihonest onesided adaptive security that UC realizes f with O(C) public key operations.
In addition, since our compiler is applied to any protocol in the plain model, even with malicious security, by combining our result with [42] we obtain the following theorem,
Theorem 5.3
(Onesided malicious) Let f be a deterministic sameoutput functionality and assume the assumptions specified in [42] and onesided NCE. Then there exists a constant rounds protocol with malicious onesided adaptive security that realizes f with O(sC) public key operations.
In the following section, we present an alternative malicious twoparty construction with onesided security that is also based on [42] yet obtains UC security.
UC Security against Malicious Adversaries
As mentioned in the introduction, it is insufficient to simply encrypt the communication using onesided NCE as in the semihonest setting, due to the additional CRS setup which might be based on which party is corrupted. Instead, we take a different approach and directly compile the [42] protocol (which is based on the DDH hardness assumption) into a protocol that achieves onesided malicious security in the UC setting, proving the feasibility of UC constant round with malicious onesided security. The [42] protocol relies on a cutandchoose technique for which \(P_0\) sends s garbled circuits and later open half of them (aka, check circuits) by the choice of \(P_1\). This ensures that with very high probability the majority of the unopened circuits (aka, evaluation circuits) are valid. The cutandchoose OT primitive of [42] allows \(P_1\) to choose a secret random subset \(\mathcal{J}\) of size s / 2 for which it learns both keys for each input wire that corresponds to the check circuits, and the individual keys associated with its input with respect to the evaluation circuits.
In order to ensure that \(P_0\) hands \(P_1\) consistent input keys for all the circuits, the [42] protocol ensures that the keys associated with \(P_0\)’s input are obtained via a Diffie–Hellman pseudorandom synthesizer [46]. Namely, \(P_0\) chooses values \(g^{a^0_1},g^{a^1_1},\ldots ,g^{a^0_n},g^{a^1_n}\) and \(g^{c_1},\ldots ,g^{c_s}\), where n is the input/output length, s is the cutandchoose parameter and g is a generator of a primeorder group \({\mathbb G}\). So that the pair of keys associated with the ith input of \(P_0\) in the jth circuit is \((g^{a^0_ic_j},g^{a^1_ic_j})\).^{Footnote 3} Given values \(\{g^{a^0_i},g^{a^1_i},g^{c_j}\}\) and any subset of keys associated with \(P_0\)’s input, the remaining keys associated with its input are pseudorandom by the DDH assumption. Furthermore, when the keys are prepared this way \(P_0\) can efficiently prove that it used the same input for all circuits. \(P_1\) then evaluates the evaluation circuits and takes the majority value for the final output. In Section 5.2.1 we demonstrate how to adapt the cutandchoose OT protocol into the onesided setting using the building blocks introduced in this paper. This requires dealing with new subtleties regarding the system parameters and the ZK proofs.
Onesided Single Choice CutandChoose OT
We describe next the single choice cutandchoose OT functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {CCOT}}\) from [42] and present a protocol that implements this functionality with UC onesided malicious security. In Sect. 5.2.2, we briefly describe our batch single choice cutandchoose OT construction using a single choice cutandchoose OT, which is used as a building block in the twoparty protocol. Formally, \(\mathcal{F}_{\scriptscriptstyle \mathrm {CCOT}}\) is defined as follows,

1.
Inputs:

(a)
\({\textsc {SEN}}\) inputs a vector of pairs \(\{(x^j_0,x^j_1)\}_{j=1}^s\).

(b)
\({\textsc {REC}}\) inputs a bit \(\sigma \) and a set of indices \(\mathcal{J}\subset [s]\) of size exactly s / 2.

(a)

2.
Output: If \(\mathcal{J}\) is not of size s / 2, then \({\textsc {SEN}}\) and \({\textsc {REC}}\) receive \(\bot \) as output. Otherwise,

(a)
For all \(j \in \mathcal{J}\), \({\textsc {REC}}\) obtains the pair \((x^j_0,x^j_1)\).

(b)
For all \(j \not \in \mathcal{J}\), \({\textsc {REC}}\) obtains \(x^j_\sigma \).

(a)
This functionality is implemented in [42] using s instances of the DDHbased OT from [48], where the receiver generates the system parameters in a decryption mode for the s / 2 indices that correspond to \(\mathcal{J}\), whereas the remaining system parameters are generated in a messy mode. Specifically, the decryption mode trapdoor enables the receiver to learn both of the sender’s inputs for the instances within \(\mathcal{J}\). This idea is coupled with two proofs that ensure the correctness of the receiver’s computations. Our first step towards making the [42] construction onesided adaptively secure is to invoke s instances of our onesided OT where all system parameters are generated in a decryption mode.
Similarly to [42], our construction includes two phases: a setup phase and a transfer phase. In the setup phase, the receiver generates the system parameters in a decryption mode for the s / 2 instances that correspond to indices in \(\mathcal{J}\), while the remaining system parameters are generated in the same mode but in a way that does not allow \({\textsc {REC}}\) to learn the trapdoor. This is obtained by fixing two random generators \(g_0,g_1\) in the CRS, so that the CRS for all onesided OT instances \(j \not \in \mathcal{J}\) include \(g_0\) and a power of \(g_1\), whereas the CRS for OT instances \(j \in \mathcal{J}\) includes \(g_0\) and an element that is a power of \(g_0\). This ensures that \({\textsc {REC}}\) does not know \(\log _{g_0} g_1\) which is the decryption mode trapdoor for \(j \not \in \mathcal{J}\). To ensure correctness, \({\textsc {REC}}\) proves that it knows the discrete logarithm of the second element with respect to \(g_1\) of at least s / 2 pairs. We denote this relation by \({\mathcal{R}}_{{\scriptscriptstyle \mathrm {DL}},\scriptscriptstyle \mathrm {COMP}(s,s/2)}\) and present discuss more details in Section 6.
In the transfer phase, the receiver uses these system parameters to create a public/secret key pair for the OT instances not in \(\mathcal{J}\). For the rest of the OT executions, the receiver invokes the \(\mathsf {TrapKeyGen}\) algorithm of the dualmode PKE and obtains a public key together with a pair of secret keys that enable it to decrypt both of the sender’s inputs. The receiver then proves that it used the same input \(\sigma \) for all OT instances using a relation denoted by \({\mathcal{R}}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}(s)}\). Formally, let the DDHbased dualmode PKE of [48] be specified by the set of algorithms \(\Pi _{\scriptscriptstyle \mathrm {DUAL}}= (\mathsf {SetupMessy},\mathsf {SetupDecryption}, \mathsf {dGen},\mathsf {dEnc},\mathsf {dDec},\mathsf {FindBranch},\mathsf {TrapKeyGen})\). We denote our onesided OT by \(\Pi _{\scriptscriptstyle \mathrm {CCOT}}\) and present it in the \((\mathcal{F}_{\scriptscriptstyle \mathrm {SC}},\mathcal{F}_{{\scriptscriptstyle \mathrm {DL}},\scriptscriptstyle \mathrm {COMP}(s,s/2)},\mathcal{F}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}(s)})\)hybrid model (where \(\mathcal{F}_{{\scriptscriptstyle \mathrm {DL}},\scriptscriptstyle \mathrm {COMP}(s,s/2)},\mathcal{F}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}(s)}\) ideally implement the corresponding relations \({\mathcal{R}}_{{\scriptscriptstyle \mathrm {DL}},\scriptscriptstyle \mathrm {COMP}(s,s/2)},{\mathcal{R}}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}(s)}\)).
Protocol 4
(Onesided adaptive single choice cutandchoose OT ())

Inputs: \({\textsc {SEN}}\) inputs a vector of pairs \(\{(x^i_0,x^i_1)\}_{i=1}^s\) and \({\textsc {REC}}\) inputs a bit \(\sigma \) and a set of indices \(\mathcal{J}\subset [s]\) of size exactly s / 2.

Auxiliary Inputs: Both parties hold a security parameter \(1^n\) and \({\mathbb G}, p\), where \({\mathbb G}\) is an efficient representation of a group of order p and p is of length n.

CRS: The CRS consists of a pair of random group elements \(g_0,g_1\) from \({\mathbb G}\).

Setup phase:

1.
\({\textsc {REC}}\) chooses a random \(x_j\in {\mathbb Z}_p\) and sets \(g^j_1 = g_0^{x_j}\) for all \(j \in \mathcal{J}\) and \(g^j_1 = g_1^{x_j}\) otherwise.
For all j, \({\textsc {REC}}\) chooses a random \(y_j \in {\mathbb Z}_p\) and sets \(\textsc {CRS}_j = \big (g_0,g^j_1,h^j_0 = (g_0)^{y_j}, h^j_1 = (g^j_1)^{y_j}\big )\).
Finally, for all \(j\in \mathcal{J}\), \({\textsc {REC}}\) stores trapdoor \(t_j=x_j\). It then sends \(\{\textsc {CRS}_j\}_{j=1}^s\) to \({\textsc {SEN}}\).

2.
\({\textsc {REC}}\) calls \(\mathcal{F}_{{\scriptscriptstyle \mathrm {DL}},\scriptscriptstyle \mathrm {COMP}(s,s/2)}\) with \((\{g_1,g^j_1\}_{j=1}^{s}, \{x_j\}_{j \in \mathcal{J}})\) to prove the knowledge of the discrete logarithms of s / 2 values within the second element in \(\{\textsc {CRS}_j\}_j\) and with respect to \(g_1\).

1.

Transfer phase (repeated in parallel for all j):

1.
For all \(j \!\not \in \! \mathcal{J}\), \({\textsc {REC}}\) computes \((\textsc {PK}_j,\textsc {SK}_j) \!=\! ((g_j,h_j),r_j) \leftarrow \mathsf {dGen}(\textsc {CRS}_j,\sigma )\).
For all \(j \in \mathcal{J}\), \({\textsc {REC}}\) computes \((\textsc {PK}_j,\textsc {SK}^0_j,\textsc {SK}_j^1) = ((g_j,h_j),r_j,r_j/t_j) \leftarrow \mathsf {TrapKeyGen}(\textsc {CRS}_j,t_j)\).
Finally, \({\textsc {REC}}\) sends the set \(\{\textsc {PK}_j\}_{j=1}^s\) and stores the secret keys.

2.
\({\textsc {REC}}\) calls \(\mathcal{F}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}(s)}\) with input \(((\{(g_0,h^j_0, g_j,h_j)\}_{j =1 }^s,\{(g^j_1,h^j_1, g_j,h_j)\}_{j =1}^s), \{r_j\}_{j=1}^s)\) to prove that all the tuples in one of the sets \(\{(g_0,h^j_0, g_j,h_j)\}_{j =1 }^s\) or \(\{(g^j_1,h^j_1, g_j,h_j)\}_{j =1}^s\) are DH tuples.

3.
For all j, \({\textsc {SEN}}\) generates \(c^j_0 \leftarrow \mathsf {dEnc}_{\textsc {PK}_j}(x^j_0,0)\) and \(c^j_1 \leftarrow \mathsf {dEnc}_{\textsc {PK}_j}(x^j_1,1)\). Let \(c^j_0 = (c^j_{00},c^j_{01})\) and \(c^j_1 = (c^j_{10},c^j_{11})\). \({\textsc {SEN}}\) calls \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) with \((\mathsf{send}, sid, {\textsc {SEN}}, c^j_{01})\) and \((\mathsf{send}, sid, {\textsc {SEN}}, c^j_{11})\) and sends \(c^j_{00},c^j_{10}\) to \({\textsc {REC}}\).

1.

Output: Upon receiving \((\mathsf{send}, sid, {\textsc {SEN}}, c^j_{01})\) and \((\mathsf{send}, sid, {\textsc {SEN}}, c^j_{11})\) from \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\), and \(c^j_{00},c^j_{10}\), \({\textsc {REC}}\) defines ciphertexts \(c^j_0 = (c^j_{00},c^j_{01})\) and \(c^j_1 = (c^j_{10},c^j_{11})\) for all \(j\notin \mathcal{J}\).

1.
\({\textsc {REC}}\) outputs \(x_{\sigma }^j \leftarrow \mathsf {dDec}_{\textsc {SK}_j}(c^j_\sigma )\).

2.
\({\textsc {REC}}\) outputs \((x_0^j,x_1^j) \leftarrow (\mathsf {dDec}_{\textsc {SK}^0_j}(c^j_0), \mathsf {dDec}_{\textsc {SK}^1_j}(c^j_1))\).

1.
Theorem 5.4
Assume that the DDH assumption is hard in \({\mathbb G}\). Then Protocol 3 UC realizes \(\mathcal{F}_{\scriptscriptstyle \mathrm {CCOT}}\) in the \((\mathcal{F}_{\scriptscriptstyle \mathrm {SC}},\mathcal{F}_{{\scriptscriptstyle \mathrm {DL}},\scriptscriptstyle \mathrm {COMP}(s,s/2)},\mathcal{F}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}(s)})\)hybrid model in the presence of onesided malicious adversaries.
Proof
Let \(\textsc {Adv}\) be a probabilistic polynomialtime malicious adversary attacking Protocol 3 by adaptively corrupting one of the parties. We construct an adversary \(\textsc {Sim}\) for the ideal functionality of a single choice cutandchoose OT \(\mathcal{F}_{\scriptscriptstyle \mathrm {CCOT}}\) such that no environment \(\textsc {Env}\) distinguishes with a nonnegligible probability whether it is interacting with \(\textsc {Adv}\) in the hybrid setting or with \(\textsc {Sim}\) in the ideal setting. We recall that \(\textsc {Sim}\) interacts with the ideal functionality and the environment \(\textsc {Env}\). We refer to the interaction of \(\textsc {Sim}\) with the ideal functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {CCOT}}\) and \(\textsc {Env}\) as the external interaction. The interaction of \(\textsc {Sim}\) with the simulated \(\textsc {Adv}\) is the internal interaction. We describe the simulator’s strategy for all corruption cases. \(\textsc {Sim}\) begins by creating a CRS \((g_0,g_1)\) and storing \(x = \log _{g_0}g_1\). It then proceeds as follows:
 Simulating the communication with Env.:

Every input value received by the simulator from \(\textsc {Env}\) is written on \(\textsc {Adv}\)’s input tape. Likewise, every output value written by \(\textsc {Adv}\) on its output tape is copied to the simulator’s output tape (to be read by its environment \(\textsc {Env}\)).
 The sender is corrupted at the onset of the protocol. :

\(\textsc {Sim}\) begins by activating \(\textsc {Adv}\) and emulates the receiver as follows. In the setup phase, it picks s system parameters in a decryption mode in which it knows their trapdoors. Namely for each \(j\in [s]\), it creates \(\textsc {CRS}_j=(g_0,g^j_1,h^j_0,h^j_1)\) where \(g^j_1 = (g_0)^{x_j}\), \(h^j_0 = (g_0)^{y_j}\) and \(h^j_1 = (g^j_1)^{y_j} = (g_0^{x_j})^{y_j}\) for random \(x_j\)’s and \(y_j\)’s, and records the trapdoor \(t_j = x_j\). The simulator further computes \(x'_j=\log _{g_1}g^j_1\) for all j using the knowledge of \(x = \log _{g_0}g_1\). It then sends the adversary the system parameters, chooses an arbitrary set \(\mathcal{J}'\) of size s / 2 and sends \(\texttt {Accept}\) to \(\textsc {Adv}\) on behalf of \(\mathcal{F}_{{\scriptscriptstyle \mathrm {DL}},\scriptscriptstyle \mathrm {COMP}(s,s/2)}\) for the statement \(\{g_1,g^j_1\}_{j=1}^{s}\). Note that the simulator knows the discrete logarithms for each pair \((g_1,g^j_1)\) within the statement.
In the transfer phase, the simulator invokes \(\mathsf {TrapKeyGen}\) for all \(j\in [s]\) and computes \((\textsc {PK}_j,\textsc {SK}^0_j,\textsc {SK}_j^1) = ((g_j,h_j),r_j,r_j/t_j) \leftarrow \mathsf {TrapKeyGen}(\textsc {CRS}_j,t_j)\) for \(j \in [s]\), and sends the public keys to \({\textsc {SEN}}\). It further sends \(\texttt {Accept}\) to \(\textsc {Adv}\) on behalf of \(\mathcal{F}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}(s)}\). Upon receiving \(\textsc {Adv}\)’s message, \(\textsc {Sim}\) extracts the sender’s input \((x_0^j,x_1^j)\) using \(\textsc {SK}^0_j,\textsc {SK}_j^1\) for every \(j\in [s]\) and sends it to the ideal functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {CCOT}}\).
Note that the adversary’s views differ only with respect to the ZK statements, since in a decryption mode the receiver’s bit is perfectly hidden as well as the subset picked by the receiver. Now, since the proofs are run via ideal calls the simulated and hybrid views are statistically close.
 The receiver is corrupted at the onset of the protocol. :

\(\textsc {Sim}\) begins by activating \(\textsc {Adv}\) and emulates the honest sender as well as the ideal functionalities \(\mathcal{F}_{{\scriptscriptstyle \mathrm {DL}},\scriptscriptstyle \mathrm {COMP}(s,s/2)}\) and \(\mathcal{F}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}(s)}\). It extracts \(\mathcal{J}\) and \(\sigma \) from the inputs to these functionalities and sends them to \(\mathcal{F}_{\scriptscriptstyle \mathrm {CCOT}}\), receiving back \((x_0^j,x_1^j)\) for all \(j \in \mathcal{J}\) and \(x_\sigma ^j\) for all \(j \not \in \mathcal{J}\). \(\textsc {Sim}\) chooses an arbitrary \(x_{1\sigma }^j\) for all \(j\not \in \mathcal{J}\) and emulates the role of \({\textsc {SEN}}\) using inputs \((x_0^j,x_1^j)\) for all \(j\in [s]\).
Note that the difference between the simulated and hybrid views is with respect to inputs \(x_{1\sigma }^j\) for all \(j\not \in \mathcal{J}\) for which the simulator uses arbitrary values. Indistinguishability is implied by the privacy of the dualmode PKE when a left ciphertext is computed with a right key (or vice versa).
 The sender is corrupted between Steps 2 and 3. :

Upon corrupting \({\textsc {SEN}}\), \(\textsc {Sim}\) explains the internal state of the sender by honestly presenting the randomness used so far on the sender’s behalf. Finally, \(\textsc {Sim}\) completes the execution in the transfer phase by playing the role of the receiver using an arbitrarily chosen \(\sigma '\). Indistinguishability follows due to the same argument as in the previous corruption case since the simulator follows the same strategy relative to the sender.
 The receiver is corrupted between Steps 2 and 3. :

Upon corrupting \({\textsc {REC}}\), \(\textsc {Sim}\) receives \(\mathcal{J}\) and \(\sigma \) from \(\mathcal{F}_{\scriptscriptstyle \mathrm {CCOT}}\), as well as \((x_0^j,x_1^j)\) for all \(j \in \mathcal{J}\) and \(x_\sigma ^j\) for all \(j \not \in \mathcal{J}\). It then explains the internal state of \({\textsc {REC}}\) as follows. It first explains the witness for the ZK PoK functionality \(\mathcal{F}_{{\scriptscriptstyle \mathrm {DL}},\scriptscriptstyle \mathrm {COMP}(s,s/2)}\) as the discrete logarithms of \(\{g^j_1\}_{j \not \in \mathcal{J}}^s\) with respect to \(g_1\). It also explains the witness for \(\mathcal{F}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}(s)}\) as the witness for the \(\sigma \)th set. Finally, it plays the role of the sender as in the previous corruption case. Indistinguishability follows similarity to the previous corruption case due to the security of the dualmode PKE and the fact that the simulator follows the same strategy.
 The sender is corrupted after Step 3 is concluded. :

Upon corrupting \({\textsc {SEN}}\), \(\textsc {Sim}\) receives \((x^j_0,x^j_1)\) for all \(j\in [s]\) from \(\mathcal{F}_{\scriptscriptstyle \mathrm {CCOT}}\). It then explains the internal state of \({\textsc {SEN}}\) as in the previous corruption case and further explains the inputs to \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) as ciphertexts that encrypt the real inputs. Indistinguishability follows from the fact that the receiver’s input is statistically hidden given the public keys.
 The receiver is corrupted after Step 3 is concluded. :

Upon corrupting \({\textsc {REC}}\), \(\textsc {Sim}\) receives \(\mathcal{J},\sigma \), from \(\mathcal{F}_{\scriptscriptstyle \mathrm {CCOT}}\) as well as \((x_0^j,x_1^j)\) for all \(j \in \mathcal{J}\) and \(x_\sigma ^j\) for all \(j \not \in \mathcal{J}\). It then explains the internal state of \({\textsc {REC}}\) as in the previous corruption case and further explains the messages received from \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) as the encryptions of \(\{x^j_0,x^j_1\}_{j \in \mathcal{J}}\) and \(\{x^j_\sigma \}_{j \not \in \mathcal{J}}\). Indistinguishability follows as above. \(\square \)
Malicious OneSided Adaptively Secure TwoParty Computation
First, we remark that the single choice cutandchoose protocol from Section 5.2.1 is executed for every input bit of \(P_1\) in the main twoparty protocol, but with respect to the same set \(\mathcal{J}\). In order to ensure that the same \(\mathcal{J}\) is indeed used the parties engage in a batch single choice cutandchoose OT where a single setup phase is run first, followed by n parallel invocations of the transfer phase. Note that CRS and the set \(\mathcal{J}\) are fixed in the setup phase and remain the same for all n parallel invocations of the transfer phase. The same modifications can be carried out relative to our single choice onesided OT. We denote the batch functionality by \(\mathcal{F}^{\scriptscriptstyle \mathrm {BATCH}}_{\scriptscriptstyle \mathrm {CCOT}}\). Next, in order to achieve onesided malicious security we modify the [42] twoparty protocol by using our batch single choice cutandchoose OT with onesided security as a building block. In addition, we use our onesided NCE from Section 3.1 in order to encrypt the garbled circuits, as well as the input keys that depend on \(P_0\)’s inputs. We are now ready to formally describe our protocol \(\Pi _f^{\scriptscriptstyle \mathrm {MAL}}\).
Protocol 5
(Onesided adaptively secure malicious Yao (\(\Pi ^{\scriptscriptstyle \mathrm {MAL}}_f\)))

Inputs: \(P_0\) has \(x_0 \in \{0,1\}^n\) and \(P_1\) has \(x_1 \in \{0,1\}^n\). Let \(x_0 = x^1_0,\ldots ,x^n_0\) and \(x_1= x^1_1,\ldots ,x^n_1\).

Auxiliary Input: A boolean circuit C such that for every \(x_0,x_1 \in \{0,1\}^n\), \(C(x,y) = f(x,y)\) where \(f: \{0,1\}^n \times \{0,1\}^n \rightarrow \{0,1\}^n\). Furthermore, we assume that C is such that if a circuitoutput wire leaves some gate, then the gate has no other wires leading from it into other gates (i.e. no circuitoutput wire is also a gateoutput wire). Likewise, a circuitinput wire that is also a circuitoutput wire enters no gates.
Convention: Unless specified differently, \(i\in [n]\). We further assume that the gates of circuit C induce a topological sort.

The Protocol:

1.
Garbled circuit computation. \(P_0\) constructs s independent garbled circuits for C as follows:

(a)
\(P_0\) picks n pairs of random values \(((a^0_1, a_1^1),\ldots ,(a^0_n,a^1_n)) \in {\mathbb Z}_q\) and \(c_1,\ldots ,c_s \in _R {\mathbb Z}_q \).

(b)
Let \(w_1,\ldots ,w_n\) be the input wires corresponding to \(P_0\)’s input in C, and denote by \(w_{i,j}\) the instance of wire \(w_i\) in the jth garbled circuit. Further let \(k^b_{i,j}\) denote the key associated with bit b on wire \(w_{i,j}\). Then \(P_0\) sets the keys for its input wires to \((k_{i,j}^0=H(g^{a^0_ic_j}),k_{i,j}^1=H(g^{a^1_ic_j}))\), where H is a randomness extractor such as a universal hash function [17, 32, 36].

(c)
\(P_0\) constructs s independent garbled circuits for C, denoted as \(GC_1,\ldots , GC_s\), using random keys except for the wires \(w_1,\ldots ,w_n\) for which the keys are as above.

(a)

2.
Oblivious transfers. The parties call \(\mathcal{F}^{\scriptscriptstyle \mathrm {BATCH}}_{\scriptscriptstyle \mathrm {CCOT}}\) with their respective inputs and obtain outputs as follows:

(a)
\(P_0\) defines vectors \(\mathbf {z_1},\ldots ,\mathbf {z_n}\), where \(\mathbf {z_i}\) contains the s pairs of random symmetric keys associated with \(P_1\)’s ith input bit \(x_1^i\) in all garbled circuits \(GC_1,\ldots ,GC_s\).

(b)
\(P_1\) inputs a random subset \(\mathcal{J}\subset [s]\) of size s / 2 and the bits \(x^1_1,\ldots ,x^n_1\).

(c)
\(P_1\) receives from \(\mathcal{F}^{\scriptscriptstyle \mathrm {BATCH}}_{\scriptscriptstyle \mathrm {CCOT}}\) all the keys that are associated with its input wires for the circuits \(GC_i\) with \(i \in \mathcal{J}\) (denoted as the check circuits). In addition, it receives the keys that correspond to its input for the remaining circuits (denoted the evaluation circuits).

(a)

3.
Sending garbled circuits and commitments. \(P_0\) transfers \(P_1\) s encrypted copies of the garbled circuit using \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\), and the values \(((g^{a^0_1}, g^{a_1^1}),\ldots ,(g^{a^0_n},g^{a^1_n}),(g^{c_1},\ldots ,g^{c_s}))\) along with the “seed” of the hash function H which constitutes the commitments to the input keys on the wires associated with \(P_0\)’s input.^{Footnote 4}

4.
Revealing \(\mathcal{J}\). \(P_1\) reveals \(\mathcal{J}\) and proves that it used this subset in the cutandchoose OT protocol by sending the pair of keys associated with \(P_1\)’s first input bit in each check circuit, i.e. for every \(GC_i\) with \(i \in \mathcal{J}\). Note that \(P_1\) knows the key pair only for the check circuits. If the values received from \(P_1\) are wrong, then \(P_0\) aborts.

5.
Decommitting \(\mathbf {P_0}\) ’s input keys. In order to let \(P_1\) know the keys for the input wires of \(P_0\) within the check circuits, \(P_0\) sends \(c_j\) for all \(j\in \mathcal{J}\). \(P_1\) computes the key pair \((H(g^{a^0_ic_j}),H(g^{a^1_ic_j}))\).

6.
Verifying the check circuits. \(P_1\) verifies the validity of the check circuits using all the keys associated with their input wires. This ensures that the evaluation circuits are correct with high probability.

7.
Sending the garbled inputs for the evaluation circuits. In order to complete the evaluation, phase \(P_1\) is given the keys for the input wires of \(P_0\). \(P_0\) must be forced to give the keys that are associated with the same input for all circuits. Specifically, the following code is executed for all input bits of \(P_0\):

(a)
For every evaluation circuit \(GC_j\), \(P_0\) transfers \(\tau _{i,j}=g^{a_i^{x_0^i}c_j}\) using \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\), where \(x_0^i\) is the ith input bit of \(P_0\).

(b)
\(P_0\) then proves that \(a_i^{x_0^i}\) is in common for all keys associated with the ith input bit, which is reduced to showing that either the set \(\{(g,g^{a_i^{x_0^i}},g^{c_j},\tau _{i,j})\}_{j =1}^s\) or the set \(\{(g,g^{a_i^{1x_0^i}},g^{c_j},\tau _{i,j})\}_{j =1}^s\) is comprised of DH tuples. Notably, it is sufficient to use a single UC ZK proof for the simpler relation \({\mathcal{R}}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}}\) since the above statement can be compressed into a compound statement of two DH tuples as follows: \(P_0\) first chooses s random values \(\gamma _1,\ldots ,\gamma _s\in {\mathbb Z}_p\) and sends them to \(P_1\). Both parties compute \(\tilde{g} = \prod _{j=1}^{s}(g^{c_j})^{\gamma _j}\), \(\tilde{\tau }= \prod _{j=1}^{s}(\tau _{i,j})^{\gamma _j}\), of which \(P_0\) proves that either \((g,g^{a_i^{x_0^i}}, \tilde{g}, \tilde{\tau })\) or \((g,g^{a_i^{1x_0^i}}, \tilde{g}, \tilde{\tau })\) is a DH tuple. Thus, \(P_0\) invokes \(\mathcal{F}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}}\) with \(\sum _{j=1}^{s} c_j \gamma _j\) as the witness.

(a)

8.
Circuit evaluation. Upon receiving \(\texttt {Accept}\) from \(\mathcal{F}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}}\), \(P_1\) completes the evaluation of the circuits and sets the majority of these values as the output y.

9.
Output communication. \(P_1\) sends y using \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\).

1.
Informally, to ensure the onesided security of \(\Pi ^{\scriptscriptstyle \mathrm {MAL}}_f\) we realize the functionalities used in the protocol as follows: (1) \(\mathcal{F}^{\scriptscriptstyle \mathrm {BATCH}}_{\scriptscriptstyle \mathrm {CCOT}}\) is realized in Step 2 using our onesided batch single choice cutandchoose OT. This implies the equivocation of \(P_1\)’s input. (2) Moreover, recall that the statement for the relation \({\mathcal{R}}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}}\) is encrypted in Step 7(a) using onesided NCE. Thus, it is sufficient to employ a standard static proof to realize \({\mathcal{R}}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}}\) where the prover sends the third message of the proof using onesided NCE. This implies the equivocation of \(P_0\)’s input. Next, we prove
Theorem 5.5
(Onesided malicious) Let f be a deterministic sameoutput functionality and assume that the encryption scheme for garbling has indistinguishable encryptions under chosen plaintext attacks, an elusive and efficiently verifiable range, and that the DDH and DCR assumptions are hard in the respective groups. Then Protocol \(\Pi ^\textsc {mal}_f\) UC realizes \(\mathcal{F}_f\) in the presence of onesided malicious adversaries using only O(sC) private key operations and O(s(C)) public key operations where s is a statistical parameter that determines the cutandchoose soundness error.
We recall that the DDH and DCR hardness assumptions imply a cutandchoose OT with constant number of PKE operations for large sender’s input spaces (where DCR is required in order to implement the ideal functionalities \((\mathcal{F}_{\scriptscriptstyle \mathrm {SC}},\mathcal{F}_{{\scriptscriptstyle \mathrm {DL}},\scriptscriptstyle \mathrm {COMP}(s,s/2)},\mathcal{F}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}(s)})\)). In addition, we recall the [42] protocol is secure under the DDH assumption and INDCPA symmetric key encryption scheme with the above special properties.
Proof
Our proof is shown in the \((\mathcal{F}_{\scriptscriptstyle \mathrm {SC}},\mathcal{F}^{\scriptscriptstyle \mathrm {BATCH}}_{\scriptscriptstyle \mathrm {CCOT}},\mathcal{F}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}})\)hybrid model. Let \(\textsc {Adv}\) be a probabilistic polynomialtime malicious adversary attacking Protocol 4 by adaptively corrupting one of the parties. We construct an adversary \(\textsc {Sim}\) for the ideal functionality \(\mathcal{F}_f\) such that no environment \(\textsc {Env}\) distinguishes with a nonnegligible probability whether it is interacting with \(\textsc {Adv}\) in the real setting or with \(\textsc {Sim}\) in the ideal setting. We recall that \(\textsc {Sim}\) interacts with the ideal functionality \(\mathcal{F}_f\) and the environment \(\textsc {Env}\). We refer to the interaction of \(\textsc {Sim}\) with \(\mathcal{F}_f\) and \(\textsc {Env}\) as the external interaction. The interaction of \(\textsc {Sim}\) with the simulated \(\textsc {Adv}\) is the internal interaction.
We now explain the actions of the simulation for the following corruption cases: (1) no corruption takes place; (2) corruption takes place at the outset; (3) corruption takes place between Steps 2 and 3; (4) corruption takes place between Steps 3 and 7; (5) corruption takes place between Steps 7 and 9; (6) Corruption takes place at the end. We describe a simulator for all these cases considering the corruption of each party. These cases cover all potential cases of corruption.
No corruption. When no corruption takes place the simulator simulates both \(P_0\) and \(P_1\) as follows:

1.
Garbled circuit construction. No communication is carried out in this step. \(\textsc {Sim}\) internally picks n pairs of random values \((a^0_1, a_1^1),\ldots ,(a^0_n,a^1_n) \leftarrow {\mathbb Z}_q\times {\mathbb Z}_p\) and \(c_1,\ldots ,c_s \leftarrow {\mathbb Z}_q \) (which define the keys for \(P_0\)’s input). It further picks a pair of random keys that correspond to each input bit of \(P_1\).

2.
Oblivious transfers. No communication is carried out in this step due to the ideal call to \(\mathcal{F}^{\scriptscriptstyle \mathrm {BATCH}}_{\scriptscriptstyle \mathrm {CCOT}}\). \(\textsc {Sim}\) internally chooses a random subset \(\mathcal{J}\) on the behalf of \(P_1\).

3.
Sending garbled circuits and commitments. No communication is carried out with respect to the garbled circuit due to the ideal call to \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\). \(\textsc {Sim}\) emulates the honest \(P_0\) sending the values \(((g^{a^0_1},g^{a_1^1}),\ldots ,(g^{a^0_n},g^{a^1_n}),(g^{c_1},\ldots ,g^{c_s}))\).

4.
Revealing \(\mathbf {\mathcal{J}}\). \(\textsc {Sim}\) emulates the honest \(P_1\) and sends \(\mathcal{J}\) together with the pair of keys that are associated with \(P_1\)’s first input bit for each check circuit.

5.
Decommitting \(\mathbf {P_0}\) ’s input keys. \(\textsc {Sim}\) emulates the honest \(P_0\) and sends \(c_j\) for all \(j\in \mathcal{J}\).

6.
Verifying the check circuits. No communication is carried out in this step.

7.
Sending the garbled inputs for the evaluation circuits. No communication is carried out in this step as it involves calling the two ideal functionalities \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) and \(\mathcal{F}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}}\).

8.
Circuit evaluation. No communication is carried out in this step.

9.
Output communication. No communication is carried out in this step due to the ideal call to \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\).
Note that the simulated the hybrid executions are statistically close. Specifically, communication takes place only in Steps 3, 4, and 5 independently of the parties’ inputs and outputs. Therefore, indistinguishability follows trivially for this case.
Corruption at the outset of the protocol execution

\(P_0\) is corrupted. In Step 2, \(\textsc {Sim}\) emulates \(\mathcal{F}^{\scriptscriptstyle \mathrm {BATCH}}_{\scriptscriptstyle \mathrm {CCOT}}\), receiving the input of \(\textsc {Adv}\) for this functionality, namely the key pairs that correspond to all the input wires of the circuit. In Step 3, \(\textsc {Sim}\) receives s garbled circuits from \(\textsc {Adv}\) on the behalf of \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) and the commitments to the key pairs that correspond to \(\textsc {Adv}\)’s input. In Step 4, the simulator sends a random subset \(\mathcal{J}\) and the pairs of the input keys that are associated with \(P_1\)’s first input wire in each check circuit \(GC_i\) for which \(i \in \mathcal{J}\) (recall that \(\textsc {Sim}\) knows all the input keys in Step 2). In Step 5, the simulator receives \(c_j\) for all \(j \in \mathcal{J}\) from \(\textsc {Adv}\). In Step 6, the simulator verifies the check circuits just as the honest \(P_1\) would do, and aborts if a problem is detected. In Step 7, the simulator receives the keys \(\{\tau _{i,j}\}_{i\in \{1,\ldots ,n\},j \not \in \mathcal{J}}\) as well as the statement and its corresponding witness for the ideal call of \(\mathcal{F}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}}\). If the witness is verified correctly, then \(\textsc {Sim}\) extracts \(\textsc {Adv}\)’s input as follows. For some fixed \(j\notin \mathcal{J}\), \(\textsc {Sim}\) extracts the ith bit of \(\textsc {Adv}\)’s input \(x'_0\) by applying the hash function H on \(\tau _{i,j}\) and then checking whether the result matches either \(H(g^{a^0_ic_j})\) which implies that \(x'^i_0=0\), or \(H(g^{a^1_ic_j})\) which implies that \(x'^i_0=1\). \(\textsc {Sim}\) sends \(x'_0\) to \(\mathcal{F}_f\) and receives the output \(y'\). Next it sends \(y'\) to \(\textsc {Adv}\) on behalf of \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) in Step 9 and concludes the simulation.

\(P_1\) is corrupted. \(\textsc {Sim}\) mimics the [42] simulation that is designed for the static case, building fake circuits that always compute \(y'=f(x_0,x'_1)\) for \(x'_1\) the input of \(\textsc {Adv}\). Specifically, in Step 1 \(\textsc {Sim}\) emulates \(P_0\) as in the no corruption case, i.e. it picks key pairs that correspond to the input wires of both parties. In Step 2, \(\textsc {Sim}\) emulates \(\mathcal{F}^{\scriptscriptstyle \mathrm {BATCH}}_{\scriptscriptstyle \mathrm {CCOT}}\) and receives \(\textsc {Adv}\)’s input \(x'_1\) and the subset \(\mathcal{J}\) and returns the adversary’s output. It then sends \(x'_1\) to \(\mathcal{F}_f\) and receives back the output \(y'\). Then in Step 3, \(\textsc {Sim}\) constructs s / 2 correct circuits that correspond to indices from \(\mathcal{J}\) and additional s / 2 fake circuits that always output \(y'\) irrespective of the input. It then sends this set of correct and fake garbled circuits to \(\textsc {Adv}\) on behalf of \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\). It further sends the commitments to the correct key pairs that correspond to the inputs wires of \(P_0\). In Step 4, the simulator receives \(\mathcal{J}\) and the key pairs that correspond to the first input bit of \(\textsc {Adv}\) for all the circuits \(GC_i\) such that \(i \in \mathcal{J}\). If \(\textsc {Adv}\) sends invalid keys, or the set \(\mathcal{J}\) does not match the set \(\textsc {Sim}\) obtains in Step 2 during the simulation of the ideal cutandchoose OT, then \(\textsc {Sim}\) aborts. In Step 5, \(\textsc {Sim}\) correctly decommits \(c_j\) such that \(j \in \mathcal{J}\). In Step 7, \(\textsc {Sim}\) plays the role of the honest \(P_0\) with input \(0^n\). Following that, \(\textsc {Sim}\) emulates the ideal functionality for \(\mathcal{F}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}}\) and sends \(\texttt {Accept}\) to \(\textsc {Adv}\). In Step 9 the simulator receives output \(y''\) from \(\textsc {Adv}\) via \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\). If \(y''\) is not equal \(y'\) then \(\textsc {Sim}\) aborts.
We note that in the \((\mathcal{F}_{\scriptscriptstyle \mathrm {SC}},\mathcal{F}^{\scriptscriptstyle \mathrm {BATCH}}_{\scriptscriptstyle \mathrm {CCOT}},\mathcal{F}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}})\)hybrid execution, corruption at the onset of the protocol is proven similarly to the static proof provided in [42]. Specifically, the only difference between the proofs is that some parts of the communication of our protocol are transferred via \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) (where this communication is sent nonencrypted in [42]). Therefore, when corruption takes place later in the protocol, the simulator can pretend that the computation was carried out correctly and consistently with the corrupted party’s input. Specifically, the adaptive security reduces to static security.
Corruption between Steps 2 and 3

\(P_0\) is corrupted. \(\textsc {Sim}\) simulates \(P_0\) and \(P_1\) in Steps 1 and 2 as in the no corruption case. Then, whenever \(P_0\) is corrupted \(\textsc {Sim}\) constructs s garbled circuits correctly using the keys that were picked in Step 1. It then discloses the circuits and the input keys to the adversary. It further explains the internal state of \(P_0\) so that its input to the OT functionality \(\mathcal{F}^{\scriptscriptstyle \mathrm {BATCH}}_{\scriptscriptstyle \mathrm {CCOT}}\) is consistent with the above input keys. Finally, \(\textsc {Sim}\) emulates the honest \(P_1\) exactly as in the case when \(P_0\) is corrupted at the outset.
Note that the adversary’s views in case \(P_0\) is corrupted at the outset of the protocol execution and in case \(P_0\) is corrupted between Steps 2 and 3 is identical since \(P_0\) does not use its input yet at this point, and thus the simulation in both corruption cases is essentially the same.

\(P_1\) is corrupted. \(\textsc {Sim}\) simulates \(P_0\) and \(P_1\) in Steps 1 and 2 as in the no corruption case. Then, whenever \(P_1\) is corrupted \(\textsc {Sim}\) receives its input and output \((x_1,y)\). \(\textsc {Sim}\) explains the internal state of \(P_1\) such that the input of \(P_1\) to the \(\mathcal{F}^{\scriptscriptstyle \mathrm {BATCH}}_{\scriptscriptstyle \mathrm {CCOT}}\) functionality is \(x_1\) and a random subset \(\mathcal{J}\). It then discloses the keys that \(P_1\) should have received upon entering \(x_1\) and \(\mathcal{J}\) to \(\mathcal{F}^{\scriptscriptstyle \mathrm {BATCH}}_{\scriptscriptstyle \mathrm {CCOT}}\) in Step 2. \(\textsc {Sim}\) completes the simulation by simulating \(P_0\) exactly as in the case when \(P_1\) is corrupted at the outset.
Note that in the hybrid setting the adversary’s views in case \(P_1\) are corrupted at the outset of the protocol execution and in case \(P_1\) are corrupted between Steps 2 and 3, which is identical since the simulator can equivocate \(P_1\)’s input to \(\mathcal{F}^{\scriptscriptstyle \mathrm {BATCH}}_{\scriptscriptstyle \mathrm {CCOT}}\). This implies that the adversary’s internal state until corruption takes place is identically distributed to the real internal state of the honest \(P_1\). Moreover, the simulation proceeds exactly as in the static case.
Corruption between Steps 3 and 7

\(P_0\) is corrupted. \(\textsc {Sim}\) simulates \(P_0\) and \(P_1\) in Step 1–3 as in the no corruption case. Then, whenever \(P_0\) is corrupted, \(\textsc {Sim}\) constructs s garbled circuits correctly using the keys that were picked in Step 1. It then discloses the circuits and the input keys to the adversary. It further explains the internal state of \(P_0\) so that its inputs to \(\mathcal{F}^{\scriptscriptstyle \mathrm {BATCH}}_{\scriptscriptstyle \mathrm {CCOT}}\) in Step 2 and to \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) in Step 3 are consistent with garbled circuits constructed above. \(\textsc {Sim}\) completes the simulation by simulating \(P_1\) exactly as in the case when \(P_0\) is corrupted at the outset.
Note that in this corruption case \(P_0\) does not use its input yet and thus the indistinguishability argument is as in the prior corruption case.

\(P_1\) is corrupted. \(\textsc {Sim}\) simulates \(P_0\) and \(P_1\) in Steps 1–3 as in the no corruption case. Then, whenever \(P_1\) is corrupted, \(\textsc {Sim}\) receives its input and output \((x_1,y)\). \(\textsc {Sim}\) explains the internal state of \(P_1\) such that the input of \(P_1\) to the \(\mathcal{F}^{\scriptscriptstyle \mathrm {BATCH}}_{\scriptscriptstyle \mathrm {CCOT}}\) functionality is \(x_1\) and a random subset \(\mathcal{J}\). It further discloses the input keys that \(P_1\) should have received upon entering inputs \(x_1\) and \(\mathcal{J}\) to \(\mathcal{F}^{\scriptscriptstyle \mathrm {BATCH}}_{\scriptscriptstyle \mathrm {CCOT}}\) in Step 2. Next, \(\textsc {Sim}\) constructs s / 2 correct circuits that correspond to indices from \(\mathcal{J}\) and s / 2 additional fake circuits that always output y. It then explains the internal state of \(P_1\) such that \(P_1\) has received the garbled circuits constructed as above (so that the correct circuits are the check circuits). \(\textsc {Sim}\) concludes the simulation by simulating \(P_0\) exactly as in the case when \(P_1\) is corrupted at the outset.
The adversary’s view is distributed as in the static corruption case relying on security of \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) that transfers the garbled circuits. In the static corruption case, \(\textsc {Sim}\) sends a set of garbled circuits containing s / 2 fake circuits and s / 2 good circuits on behalf of \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\). No equivocation is required since \(\textsc {Sim}\) knows \(P_1\) is corrupted at the outset. In the current scenario, \(\textsc {Sim}\) equivocates and explains to \(\textsc {Adv}\) that such a set is delivered by \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\). In \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\)hybrid model, the security reduces to the security of static corruption case.
Corruption between Steps 7 and 9

\(P_0\) is corrupted. \(\textsc {Sim}\) simulates \(P_0\) and \(P_1\) in Steps 1–7 as in the no corruption case. Then, whenever \(P_0\) is corrupted \(\textsc {Sim}\) receives its input and output \((x_0,y)\) and explains the internal state of \(P_0\) until Step 7 as in the prior corruption case. Next, \(\textsc {Sim}\) explains the inputs of \(P_0\) to the ideal call of \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) in Step 7 so that they are consistent with the input \(x_0\). Namely, the ith input wire of \(P_0\) in the jth evaluation circuit is explained as \(g^{a_i^{x_0^i}c_j}\). It further explains the witness to \(\mathcal{F}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}}\) correctly as \(\sum _{j=1}^{s} c_j \gamma _j\) (recall that \(\gamma _1,\ldots ,\gamma _s\) are random elements that enable to combine s proofs into a single proof). The simulator concludes by simulating the honest \(P_1\) exactly as in the case when \(P_0\) is corrupted at the outset.
In the hybrid setting, indistinguishability follows easily as above since the privacy of \(P_1\) follows from the privacy of the OT protocol. Moreover, all the messages sent by \(P_0\) are emulated as being sent by the honest \(P_0\), and therefore security is reduced to the static corruption case.

\(P_1\) is corrupted. \(\textsc {Sim}\) simulates \(P_0\) and \(P_1\) in Steps 1–7 as in the no corruption case. Then, whenever \(P_1\) is corrupted \(\textsc {Sim}\) receives its input and output \((x_1,y)\) and explains the internal state of \(P_1\) until Step 7 as in the prior corruption case. Next, \(\textsc {Sim}\) explains the internal state of \(P_1\) in Step 7 using the garbled inputs keys of \(P_0\) that are consistent with \(0^n\) as the keys received from \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\). Namely, the ith input wire of \(P_0\) in the jth evaluation circuit is explained as \(g^{a_i^{0}c_j}\). Finally, the simulator explains the message \(\texttt {Accept}\) as being received from the ZK functionality and concludes the simulation as above.
The proof for this corruption case is identical to the prior case since \(P_1\) already used its input in the cutandchoose OT phase, and the additional simulated messages only correspond to the garbled inputs for the check circuits transferred from \(P_0\).
Postexecution corruption

\(P_0\) is corrupted. \(\textsc {Sim}\) simulates \(P_0\) and \(P_1\) during all the steps as in the no corruption case. The internal state of \(P_0\) is explained as above except that in Step 9 \(\textsc {Sim}\) explains y as the output received via the ideal call of \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\).

\(P_1\) is corrupted. \(\textsc {Sim}\) simulates \(P_0\) and \(P_1\) during all the steps as in the no corruption case. The internal state of \(P_0\) is explained as above except that in Step 9 \(\textsc {Sim}\) explains y as the input entered to the ideal call of \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\).
Security in the hybrid model is proven exactly as above since the messages that are sent via \(\mathcal{F}_{\scriptscriptstyle \mathrm {SC}}\) can be equivocated relative the correct output value. This concludes the proof. \(\square \)
Efficient Statically Secure and Witness Equivocal UC ZK PoKs
We present two results in this section. The first (side) result illustrates a technique for generating efficient statically secure UC ZK PoK for various \(\Sigma \)protocols. Our protocols take a new approach where the prover commits to an additional transcript which enables witness extraction without using rewinding, and enable to achieve UC ZK PoK constructions that incur constant overhead with a negligible soundness error. Prior to that, \(\Sigma \)protocols were complied into the UC setting using UC commitments [11].
Next, we define a new notion denoted by witness equivocal UC ZK PoK for compound statements [8] (where the statement is comprised of several substatements that are associated using an OR relation). The additional feature that witness equivocal UC ZK PoK offers over static security is that it allows the simulator to equivocate the simulated proof upon adaptively corrupting the prover. Specifically, this notion implies that the simulator knows the witnesses for all substatements, but not which subset is used by the real prover. Furthermore, the simulator is able to convince the corrupted prover that it indeed knows the correct subset of witnesses. Note that this notion is weaker than onesided UC ZK PoK where the simulator is required to simulate the proof obliviously of the witness and later prove consistency with respect to the real witness. In this work, we build efficient witness equivocal UC ZK PoKs for a class of fundamental compound \(\Sigma \)protocols. Our protocols are constant rounds and overhead, with a negligible soundness error.
Statically Secure UC ZK PoK with Constant Overhead
We briefly describe our technique for generating efficient UC ZK PoK for \(\Sigma \)protocols. Recall that in order to obtain a UC secure ZK PoK in the CRS model for a \(\Sigma \)protocol it suffices to build a straight line simulator and witness extractor. A straight line simulator can be obtained by using standard techniques of committing the challenge of the verifier at the onset of the proof using UC commitments [23]. In what follows, we will focus on designing straight line extractors. We begin with a generalization of our UC ZK PoKs for \(\Sigma \)protocols for relations of the form \({\mathcal{R}}_\Gamma = \left\{ ((\tilde{\mathbb G}, \tilde{\mathbb H},y), x) ~y = \Gamma (x)\right\} \) defined with respect to a oneway homomorphic mapping \(\Gamma : \tilde{\mathbb G}\rightarrow \tilde{\mathbb H}\) from a source group \((\tilde{\mathbb G},\oplus )\) to a target group \((\tilde{\mathbb H},\odot )\) (where \(\Gamma \) is homomorphic if \(\Gamma (x_0\oplus x_1) = \Gamma (x_0) \odot \Gamma (x_1)\)).^{Footnote 5} Loosely speaking, given a \(\Sigma \)protocol \(\Pi _\Gamma \) for \({\mathcal{R}}_\Gamma \) we define a new proof \(\Pi '_\Gamma \) by instructing the prover to send two responses \(z,z'\) to a pair of distinct challenges \(c,c'\) queried by the verifier. Specifically, the former response z is sent on clear and publicly verified as specified in \(\Pi _\Gamma \), whereas the latter response \(z'\) is encrypted using a homomorphic PKE with plaintext space \(\tilde{\mathbb G}\). Moreover, the validity of \(z'\) is carried out by a (\(\Sigma \)protocol) UC ZK proof \(\Pi _\Sigma \) for consistency. Observe that an extractor can be easily constructed for \(\Pi '_\Gamma \) by placing a public key for the homomorphic PKE in the CRS, of which the extractor knows the corresponding secret key. Clearly, the efficiency of our new proof depends heavily on the overhead of \(\Pi _\Sigma \). For simplicity, we describe our protocols for a honest verifier; standard techniques can be used to achieve full security. We discuss two concrete implementations below.
UC Secure ZK PoK for Discrete Logarithm
We illustrate our technique on the \(\Sigma \)protocol for proving the knowledge of a discrete logarithm (DL) in a primeorder group \({\mathbb G}\). We instantiate \((\tilde{\mathbb G},\oplus )\) with \(({\mathbb Z}_p,+)\) for operation \(+\) denoting addition in \({\mathbb Z}_p\), and \((\tilde{\mathbb H},\odot )\) with \(({\mathbb G},\cdot )\) for operation \(\cdot \) denoting multiplication in \({\mathbb G}\). Furthermore, the oneway group homomorphism is defined by \(\Gamma (x) = \mathrm {EXP}(x) =g^x\) where g is a generator of \({\mathbb G}\) and induces the relation,
We apply our technique on the \(\Sigma \)protocol due to [49] and instantiate the additively homomorphic PKE within \(\Pi _\Sigma \) with Paillier [47], that is defined by \(\mathsf {Enc}_{\textsc {PK}}(x;r) = (1+N)^x\cdot r^{N}\hbox { mod }N^2\) where N is an RSA composite and is INDCPA secure under the DCR hardness assumption. Formally,
Protocol 6
(UC ZK PoK of DL (\(\Pi _{\scriptscriptstyle \mathrm {DL}}\)))

CRS: A public key \(\textsc {PK}\) for Paillier PKE.

Joint statement: The description of a group \({\mathbb G}\) of prime order p and a generator g, and the public statement h.

Auxiliary input for the prover: \(x\in {\mathbb Z}_{p}\) such that \(h=g^x\).

The Protocol:

1.
Prover \({\textsc {P}}\) picks a random \(r\leftarrow {\mathbb Z}_{p}\) and sends the verifier \(a = g^r\).

2.
Verifier \({\textsc {V}}\) returns random challenges \(c,c'\leftarrow {\mathbb Z}_{p}\).

3.
\({\textsc {P}}\) sends \(z \leftarrow r+ cx \hbox { mod }p\) and encrypts \(z' \leftarrow r+c'x\hbox { mod }p\) using \(\textsc {PK}\), generating ciphertext e. \({\textsc {P}}\) sends z and e to \({\textsc {V}}\) and proves in UC ZK that the plaintext of e and the discrete log of \(ah^{c'}\) are the same.

4.
\({\textsc {V}}\) accepts if the ZK proof is verified correctly and \(g^z = ah^c\).

1.
The proof used in Step 3 is obtained from a \(\Sigma \)protocol for the following relation,
Namely, the goal is to prove consistency of discrete logarithms with respect to two different group orders with generators \((1+N)\) and g, respectively. This can be achieved by combining the proof of knowledge of discrete logarithms over the integers [20] and the proof of plaintext knowledge for Pailler (we note that [20] shows a proof for consistent exponents, i.e. for Diffie–Hellman tuples, but the same proof technique works here as well). Namely, the prover selects at random y and \(\beta \), computes \(e' = (1+N)^y\beta ^N \hbox { mod }N^2\) and \(h'= g^y\) and sends \(e',h'\) to the verifier, who returns a random challenge \(c \in {\mathbb Z}_p\). The prover then replies with \(z =y + cx\) (over integers) and \(\gamma = \alpha \beta ^c \hbox { mod }N\). However, to ensure the privacy of x within \(y+cx\), y must be chosen so that its length is at least \(c + x + \kappa \), where \(\kappa \) is a statistical parameter. The verifier then accepts if \((1+N)^z\gamma ^N \hbox { mod }N^2 = e'e^c \hbox { mod }N^2\) and \(g^z = h'h^c\). We further note that the above proof requires a special care since it must ensure that the exact same value x is encrypted under Paillier rather than \(x+ip\), for p the order of \({\mathbb G}\) and i some integer. Nevertheless, an extractor that decrypts and learns \(x+ip\) can still find x. Thus our extractor first learns \(z'\) by decrypting the Paillier ciphertext and then extracts x from z and \(z'\). Finally, the above \(\Sigma \)protocol and the PoK presented in Protocol 5 are proven in the UC framework using standard techniques of committing the verifier’s challenge at the beginning of the proof using UC commitment scheme [26].
Proposition 6.2
Assume that the DCR and DDH assumptions are hard in the respective groups. Then Protocol 5 UC realizes \({\mathcal{R}}_{{\scriptscriptstyle \mathrm {DL}}}\) with negligible soundness error and constant overhead.
Proof Sketch
Informally, the proof follows by having the extractor pick a pair of keys \((\textsc {PK},\textsc {SK})\) and place \(\textsc {PK}\) in the CRS. Then, whenever receiving ciphertext e from the prover, the extractor decrypts it using \(\textsc {SK}\) and extracts the witness from z and \(z'\). From the security of the ZK proof of discrete logarithms consistency, it holds that the prover must encrypt with overwhelming probability the correct value of \(z'\). This implies that the extractor can extracts the witness correctly. Furthermore, the ZK property is implied by the ZK of the original proof for \({\mathcal{R}}_{\scriptscriptstyle \mathrm {DL}}\) and the ZK proof of consistency. Specifically, a simulator for \(\Pi _{\scriptscriptstyle \mathrm {DL}}\) will compute the first message and z as in the original simulation of [49]. It then obliviously samples a ciphertext e rather than encrypting the real message \(z'\), and employs the simulator for the ZK proof of consistency \(\Pi _\Sigma \) (which is a proof for relation \({\mathcal{R}}_1\) in Protocol 5). Note that the simulator can also encrypt an arbitrary value instead of obliviously sampling the ciphertext. Nevertheless, we stick to the former description since it simplifies the description of our protocol for the adaptive setting. It is simple to verify that the simulated view is computationally indistinguishable from a real view since the only difference is relative to the ciphertext e and the simulated view of \(\Pi _\Sigma \). Finally, the overhead of the protocol is constant since the overhead of the internal ZK proof is constant. \(\square \)
Consistency of discrete logarithms. Next, we consider a UC PoK for the following relation,
Here \((\tilde{\mathbb G},\oplus )\) is instantiated with \(({\mathbb Z}_p,+)\) and \((\tilde{\mathbb H},\odot )\) with \(({\mathbb G}\times {\mathbb G},\cdot )\). We further define by \(\Gamma (x) = (g_0^x,g_1^x)\) where \(g_0,g_1\) are two generators in \({\mathbb G}\). As above, we use Paillier PKE to encrypt the second reply of the prover. The proof is an immediate extension of the Protocol 5 and the standard \(\Sigma \)protocol for \({\mathcal{R}}_{\scriptscriptstyle \mathrm {DH}}\). The underlying ZK proof for proving the correctness of the plaintext encrypted by the prover is an extension of the proof for the relation used in Protocol 5. Specifically, the relation for the underlying ZK proof is,
UC Secure PoK for Nth Root and Quadratic Residuosity
Finally, we demonstrate our technique for the proof of knowledge of an Nth root formally defined by,
We instantiate \((\tilde{\mathbb G},\oplus )\) with \(({\mathbb Z}^*_N,\cdot )\) and \((\tilde{\mathbb H},\odot )\) with \(({\mathbb Z}^*_{N^2},\cdot )\), where multiplication is computed in the respective group. Furthermore, \(\Gamma (x)=x^N\hbox { mod }N^2\). Note that in order to encrypt the message of the prover we need to use a multiplicative PKE, and we therefore consider a variant of El Gamal PKE that operates in \({\mathbb Z}^*_{N}\) for a message space \(\mathbb {QR}_N\) where \(N=pq\) is an RSA composite such that \((p1)/2\) and \((q1)/2\) are relatively primes. Specifically, encrypting a message \(m \in \mathbb {QR}_N\) is computed by \((e_1,e_2) = (g^r \hbox { mod }N,m\cdot h^r \hbox { mod }N)\) where g is a random element in \(\mathbb {QR}_N\), \(h = g^x\hbox { mod }N\) with a secret key \(x \in {\mathbb Z}_{\phi (N)/4}\) and randomness \(r \leftarrow {\mathbb Z}_{\phi (N)/4}\). The security of this scheme is based on the composite DDH assumption [19] in \({\mathbb Z}^*_N\) (defined below). In the proof below, the verifier is required to ensure that \(z'^N = a u^{2c'}\). This is achieved by raising the ciphertext \(e=(e_1,e_2)\) encrypting \(z'\) to the power of N componentwise modulo \(N^2\), and then have the prover prove that \(e_1^N, e_2^N/a u^{2c'}\) is a Diffie–Hellman tuple in \({\mathbb Z}^*_{N^2}\). Such a ZK proof is provided in [20]. Namely, we use \(2c'\) instead of \(c'\) to ensure that \(z'\) is in \(\mathbb {QR}_N\).
The Composite DDH Assumption. Let \(N = pq\) be an RSA modulus and g is an element of \(\mathbb {QR}_N\) the group of squares in \({\mathbb Z}_N^*\). Then values a and b are chosen uniformly at random in \({\mathbb Z}_{\phi (N)/4}\) and the value y is either random in \(\mathbb {QR}_N\) or satisfies \(y = g^{ab}\hbox { mod }N\). Finally, the assumption asserts that for any polynomialtime algorithm, the advantage in guessing which way y was sampled when given \((N, g, g^a \hbox { mod }N, g^b \hbox { mod }N, y)\) is negligibly close to 1 / 2.
Protocol 7
( UC ZK PoK for ())

Joint statement: \(u \in {\mathbb Z}^*_{N^2}\).

Auxiliary input for the prover: \(v\in {\mathbb Z}^*_N\) such that \(u=v^N\hbox { mod }N^2\).

CRS: A composite N and a public key \(\textsc {PK}= ({\mathbb G},h=g^x)\) for El Gamal PKE in \({\mathbb Z}_N^*\).

The Protocol:

1.
Prover \({\textsc {P}}\) picks a random \(r'\leftarrow {\mathbb Z}^*_N\) and sends verifier \({\textsc {V}}\) the value a where \(a = r^{N} \hbox { mod }N^2\) where \(r \leftarrow r'^2 \mod N\).

2.
\({\textsc {V}}\) returns random challenges \(c,c'\leftarrow {\mathbb Z}^*_N\).

3.
\({\textsc {P}}\) sets \(z \leftarrow rv^{c} \hbox { mod }N\) and \(z' \leftarrow rv^{2c'} \hbox { mod }N\), and encrypts \(z'\) using \(\textsc {PK}\) (note that \(z'\in \mathbb {QR}_N\)). Denote the generated ciphertext by \(e = (e_1,e_2)\). \({\textsc {P}}\) sends \({\textsc {V}}\) values z and e and proves in UC ZK that the decryption of \(e^N \hbox { mod }N^2\) corresponds to \(a u^{2c'} \hbox { mod }N^2\). That is, \({\textsc {P}}\) proves that \(({\mathbb Z}^*_{N^2},g,h,e^N_1,e^N_2/a u^{2c'})\) is a Diffie–Hellman tuple in \({\mathbb Z}^*_{N^2}\) using the proof from [20].

4.
\({\textsc {V}}\) accepts if it accepts the ZK proof and if \(z^N=a u^{c} \hbox { mod }N^2\).

1.
Proposition 6.3
Assume that the DCR and composite DDH assumptions are hard in the respective groups. Then Protocol 6 UC realizes \({\mathcal{R}}_{\scriptscriptstyle \mathrm {NR}}\) with negligible soundness error and constant overhead.
Finally, we consider a proof of knowledge for the square root relation that is formally defined by,
We instantiate \((\tilde{\mathbb G},\oplus )\) with \(({\mathbb Z}^*_N,\cdot )\) and \((\tilde{\mathbb H},\odot )\) with \((\mathbb {QR}_N,\cdot )\), where multiplication is computed in the respective groups. Furthermore, \(\Gamma (x)=x^2\hbox { mod }N\). Following a similar technique used for the ZK PoK of \({\mathcal{R}}_{\scriptscriptstyle \mathrm {NR}}\) we design a proof for \({\mathcal{R}}_{\scriptscriptstyle \mathrm {QR}}\) based on the QR and composite DDH assumptions. Formally,
Proposition 1.26 Assume that the QR and composite DDH assumptions are hard in the respective groups. Then there exists a protocol that UC realizes \({\mathcal{R}}_{\scriptscriptstyle \mathrm {QR}}\) with negligible soundness error and constant overhead.
Witness Equivocal UC ZK PoK for Compound Statements
The proof technique discussed above cannot be used in the adaptive setting since it does not allow witness equivocation when the prover is adaptively corrupted. Fortunately, in this work we only need to consider proofs of consistency for compound statements for which the simulator knows all witnesses but not which one is used by the real prover, since this choice depends on the prover’s input. Consider the simple case of compound two statements for \(\Sigma \)protocols, where the prover separates the verifier’s challenge c into two values; \(c_1\) and \(c_2\) such that \(c = c_1 \oplus c_2\). Assume w.l.o.g. that the prover does not have a witness for the first statement, and then it always chooses \(c_1\) in which it knows how to complete the proof (similarly to what the simulator does), and uses its witness for the other statement to complete the second proof on a given challenge \(c_2\). Note that the verifier cannot distinguish whether the prover knows the first or the second witness (or both); see [8] for more details. This type of compound statements generalizes to s substatements for which the prover proves the knowledge of witnesses of some subset t.
Our next step is to design proofs for compound statements that are secure in the presence of adaptive attacks. Specifically, we design a weaker primitive for which the simulator knows the witnesses for all substatements, but not the correct subset. Note first that by simply allowing the simulator to use all potential witnesses is insecure in the adaptive setting, since an adversary that corrupts the prover can detect a simulated execution by simply computing the multiple witnesses. In order to resolve this difficulty we instruct the prover to obliviously sample the ciphertexts for the statements and it does not know the witnesses, which are then used as the statements for the internal proof of consistency \(\Pi _\Sigma \). More concretely, assume a binary compound statement (the more general case follows easily). Then the prover encrypts a valid response with respect to the relation for which the witness is known, as discussed in Section 6.1. In addition, it obliviously picks the ciphertext for the statement it does not know the witness. Finally, the prover proves that one of these ciphertexts was computed correctly using an OR relation for \(\Pi _\Sigma \). We note that both homomorphic PKEs discussed in Section 6.1 support oblivious ciphertext sampling.
Formally, we describe our protocol for compound statements that are defined relative to relations \({\mathcal{R}}_0\) and \({\mathcal{R}}_1\) (following the ideas from [8]). We denote by \(\Pi _0\) and \(\Pi _1\) the respective UC ZK PoK \(\Sigma \)protocols for \({\mathcal{R}}_0\) and \({\mathcal{R}}_1\) and by \(\Pi _\Sigma \) the proof of consistency (we implicitly assume that \(\Pi _\Sigma \) is associated with a PKE).
Protocol 7 ( UC ZK PoK for \({\mathcal {R}}_\mathbf{0}\) and \({\mathcal {R}}_\mathbf{1}\) ())

Joint statement: \(x_0\in L_0\) and \(x_1\in L_1\).

Auxiliary input for the prover: \(\omega _i\) for \(i\in \{0,1\}\) such that \((x_i,\omega _i)\in {\mathcal{R}}_i\).

CRS: A CRS for \(\Pi _\Sigma \).

The Protocol:

1.
Prover \({\textsc {P}}\) computes the first message as follows.
It first invokes the simulator \(\textsc {Sim}_{1i}\) for \(\Pi _{1i}\) on \(x_{1i}\) and arbitrary challenge \(\tilde{c}\), and obtains message \(m_{1i}\).^{Footnote 6}
It then invokes the real prover \({\textsc {P}}_i\) for \(\Pi _i\) on \((x_i,\omega _i)\) and obtains message \(m_i\).
\({\textsc {P}}\) sends messages \((m_0,m_1)\) to the verifier.

2.
\({\textsc {V}}\) returns two random challenges \(c,c'\) from the appropriate space.

3.
\({\textsc {P}}\) computes its response as follows. It first invokes simulator \(\textsc {Sim}_{1i}\) on \(x_{1i}\) and arbitrary challenge \(\tilde{c}\), and receives a prover’s response \(z_{1i}\) for \(\Pi _{1i}\). \({\textsc {P}}\) then computes an obliviously sampled ciphertext \(e_{1i}\). Next, \({\textsc {P}}\) invokes \({\textsc {P}}_i\) on \((x_i,\omega _i),m_i,c\oplus \tilde{c}\) and receives a prover’s response \(z_i\) for \(\Pi _i\). \({\textsc {P}}\) then invokes \({\textsc {P}}_i\) on \((x_i,\omega _i),m_i,c'\) and receives a prover’s response \(z'_i\) for \(\Pi _i\). Let \(e_i\) denote a ciphertext that encrypts \(z'_i\) Finally, \({\textsc {P}}\) engages with \({\textsc {V}}\) in an execution of an OR relation for the proof \(\Pi _\Sigma \), proving that either \(e_i\) encrypts a valid response for \(\Pi _i\) or \(e_{i1}\) encrypts a valid response for \(\Pi _{i1}\) relative to challenge \(c'\notin \{\tilde{c},c\oplus \tilde{c}\}\).
\({\textsc {P}}\) further sends the verifier the messages \(z_0,z_1\).

4.
\({\textsc {V}}\) invokes the verifiers for \(\Pi _0\) and \(\Pi _1\) and accepts if they both accept the messages \(z_0,z_1\), if the two challenges received from the prover are valid shares of c and if the proof for the OR relation of \(\Pi _\Sigma \) is verified correctly.

1.
We conclude with the following theorem.
Theorem 6.4
Assume the existence of homomorphic PKE with respect to a group \({\mathbb H}\) and operation \(\odot \) that supports oblivious and invertible sampling of ciphertexts, and that \(\Gamma : \tilde{\mathbb G}\rightarrow \tilde{\mathbb H}\) is a oneway group homomorphism. Then, Protocol 7 is a witness equivocal UC ZK \(\Sigma \)protocol for relations \({\mathcal{R}}_0\) and \({\mathcal{R}}_1\) with negligible soundness error and constant overhead.
Proof Sketch
Proving PoK follows easily using the trapdoor from the CRS and the soundness of \(\Pi _\Sigma \), which allows the extractor to decrypt the ciphertext \(e_i\) and extract the witness. We next prove that the protocol is ZK. Note that standard simulation follows from the ZK property of each subprotocol and the [8] proof. We recall next that our protocols only consider simulators that know both witnesses \(\omega _0\) and \(\omega _1\), but do not know which one is used by the real prover. Simulation in this case is trivial since the simulator simply uses its two witnesses. By the INDCPA security of the homomorphic encryption scheme and the security of \(\Pi _{1i}\), the simulated view (when using two witnesses) and the real view (when using only one witness) are computationally indistinguishable. We now show that the protocol is witness equivocal. Recall that this property implies that the simulator must explain the internal state of the simulated prover with respect to the real prover’s witness. Say the real prover knows \(\omega _i\), then the view for \(\Pi _i\) can be easily explained as if the real prover generated it since the simulator used \(\omega _i\) in its simulation. In addition, the simulated proof for \(x_{1i}\) differs from the real view by (1) honestly encrypting message \(z'_{1i}\) rather than obliviously sampling the ciphertext and (2) running the real prover for \(\Pi _{1i}\) rather than the simulated one. Witness equivocal follows from the ciphertext simulatability of the PKE and the fact that the real view of \(\Pi _{1i}\) can be explained as a simulated view. Namely, the simulator for Protocol 7 can claim that the honestly generated ciphertext \(e_{1i}\) was obliviously sampled and that the real view generated for \(\Pi _\Sigma \) relative to statement \(e_{1i}\) is a simulated view (since \(\Pi _\Sigma \) is a \(\Sigma \)protocol with perfect simulation; see Definition 7.9). \(\square \)
Our constructions for the malicious setting make use of compound relations defined as follows. We denote by \({\mathcal{R}}_{\Gamma ,{\scriptscriptstyle \mathrm {OR}}}\) a compound OR relation of two substatements where both statements correspond to the same relation \({\mathcal{R}}_{\Gamma }\). We further denote by \({\mathcal{R}}_{\Gamma ,{\scriptscriptstyle \mathrm {OR}}(s)}\) a relation for which the statement is a combination of two substatements, each contains a tuple of s elements. Specifically, we consider a proof of knowledge for the relation \({\mathcal{R}}_{{\scriptscriptstyle \mathrm {DH}},{\scriptscriptstyle \mathrm {OR}}(s)}\) of which only one of the two sets is comprised from Diffie–Hellman tuples. Finally, we consider a relation \({\mathcal{R}}_{\Gamma ,\scriptscriptstyle \mathrm {COMP}(s,t)}\) where the statement consists s substatements for relation \({\mathcal{R}}_{\Gamma }\) for which the prover proves the knowledge of only t substatements out of s (for some \(t < s\)).
Notes
 1.
We note that this statement is valid regarding protocols that do not employ fully homomorphic encryptions (FHE). To this end, we only consider protocols that do not take the FHE approach. As a side note, it was recently observed in [39] that adaptive security is impossible for FHE satisfying compactness.
 2.
We stress that the semiadaptive notion is incomparable to the onesided notion since the former assumes that either one party is statically corrupted or none of the parties get corrupted.
 3.
The actual key pair used in the circuit garbling is derived from \((g^{a^0_i c_j},g^{a^1_i c_j})\) using an extractor. A universal hash function is used in [42] for this purpose, where the seeds for the function are picked by \(P_0\) before it knows \(\mathcal{J}\).
 4.
At this point \(P_0\) is committed to all the keys associated with the s circuits.
 5.
This notation covers many basic relations such as discrete logarithm and quadratic residuosity.
 6.
Note that the simulator returns the entire view for the proof from which we extract the first message.
References
 1.
R. Bendlin, I. Damgård, C. Orlandi, and S. Zakarias. Semihomomorphic encryption and multiparty computation, in EUROCRYPT (2011), pp. 169–188.
 2.
D. Beaver. Plug and play encryption, in CRYPTO (1997), pp. 75–89.
 3.
D. Beaver, and S. Haber. Cryptographic protocols provably secure against dynamic adversaries, in EUROCRYPT (1992), pp. 307–323.
 4.
M. Bellare, D. Hofheinz, and S. Yilek. Possibility and impossibility results for encryption and commitment secure under selective opening, in EUROCRYPT (2009), pp. 1–35.
 5.
D. Beaver, S. Micali, and P. Rogaway. The round complexity of secure protocols (extended abstract), in STOC (1990), pp. 503–513.
 6.
R. Canetti. Universally composable security: a new paradigm for cryptographic protocols, in FOCS (2001), pp. 136–145.
 7.
R. Canetti, I. Damgård, S. Dziembowski, Y. Ishai, and T. Malkin. Adaptive versus nonadaptive security of multiparty protocols. J. Cryptology, 17(3):153–207, 2004.
 8.
R. Cramer, I. Damgård, and B. Schoenmakers. Proofs of partial knowledge and simplified design of witness hiding protocols, in CRYPTO (1994), pp. 174–187.
 9.
S.G. Choi, D. DachmanSoled, T. Malkin, and H. Wee. Improved noncommitting encryption with applications to adaptively secure protocols, in ASIACRYPT (2009), pp. 287–302.
 10.
S.G. Choi, D. DachmanSoled, T. Malkin, and H. Wee. Simple, blackbox constructions of adaptively secure protocols, in TCC (2009), pp. 387–402.
 11.
R. Canetti, and M. Fischlin. Universally composable commitments, in Proceedings of Advances in Cryptology—CRYPTO 2001, 21st Annual International Cryptology Conference, Santa Barbara, California, USA (Aug. 19–23, 2001), pp. 19–40.
 12.
R. Canetti, U. Feige, O. Goldreich, and M. Naor. Adaptively secure multiparty computation, in STOC (1996), pp. 639–648.
 13.
R. Canetti, S. Goldwasser, and O. Poburinnaya. Adaptively secure twoparty computation from indistinguishability obfuscation, in TCC (2015), pp. 557–585.
 14.
R. Canetti, S. Halevi, and J. Katz. Adaptivelysecure, noninteractive publickey encryption, in TCC (2005), pp. 150–168.
 15.
R. Canetti, Y. Lindell, R. Ostrovsky, and A. Sahai. Universally composable twoparty and multiparty secure computation, in STOC (2002).
 16.
R. Cramer, and V. Shoup. Universal hash proofs and a paradigm for adaptive chosen ciphertext secure publickey encryption, in EUROCRYPT (2002), pp. 45–64.
 17.
Y. Dodis, R. Gennaro, J. Håstad, H. Krawczyk, and T. Rabin. Randomness extraction and key derivation using the CBC, cascade and HMAC modes, in CRYPTO (2004), pp. 494–510.
 18.
I. Damgård, and Y. Ishai. Constantround multiparty computation using a blackbox pseudorandom generator, in CRYPTO (2005), pp. 378–394.
 19.
I. Damgård, and M. Jurik. A lengthflexible threshold cryptosystem with applications, in ACISP (2003), pp. 350–364.
 20.
I. Damgård, M. Jurik, and J.B. Nielsen. A generalization of Paillier’s publickey system with applications to electronic voting. Int. J. Inf. Sec., 9(6):371–385, 2010.
 21.
D. DachmanSoled, J. Katz, and V. Rao. Adaptively secure, universally composable, multiparty computation in constant rounds, in TCC (2015), pp. 586–613.
 22.
I. Damgård, and J.B. Nielsen. Improved noncommitting encryption schemes based on a general complexity assumption, in CRYPTO (2000), pp. 432–450.
 23.
I. Damgård, and J.B. Nielsen. Perfect hiding and perfect binding universally composable commitment schemes with constant expansion factor, in CRYPTO (2002), pp. 581–596.
 24.
I. Damgård, and J.B. Nielsen. Universally composable efficient multiparty computation from threshold homomorphic encryption, in CRYPTO (2003), pp. 247–264.
 25.
I. Damgård, V. Pastro, N.P. Smart, and S. Zakarias. Multiparty computation from somewhat homomorphic encryption, in CRYPTO (2012), pp. 643–662.
 26.
O. Goldreich and A. Kahan. How to construct constantround zeroknowledge proof systems for np. J. Cryptology, 9(3):167–190, 1996.
 27.
O. Goldreich, S. Micali, and A. Wigderson. How to play any mental game or a completeness theorem for protocols with honest majority, in STOC (1987), pp. 218–229.
 28.
O. Goldreich. Foundations of Cryptography: Basic Tools. Cambridge University Press, 2001.
 29.
S. Garg, and A. Polychroniadou. Tworound adaptively secure MPC from indistinguishability obfuscation, in TCC (2015), pp. 614–637.
 30.
S. Garg, and A. Sahai. Adaptively secure multiparty computation with dishonest majority, in CRYPTO (2012), pp. 105–123.
 31.
J.A. Garay, D. Wichs, and H.S. Zhou. Somewhat noncommitting encryption and efficient adaptively secure oblivious transfer, in CRYPTO (2009), pp. 505–523.
 32.
J. Håstad, R. Impagliazzo, L.A. Levin, and M. Luby. A pseudorandom generator from any oneway function. SIAM J. Comput., 28(4):1364–1396, 1999.
 33.
B. Hemenway, R. Ostrovsky, and A. Rosen. Noncommitting encryption from \(\Phi \)hiding, in TCC (2015), pp. 591–608.
 34.
C. Hazay, and A. Patra. Onesided adaptively secure twoparty computation, in TCC (2014), pp. 368–393.
 35.
Y. Ishai, M. Prabhakaran, and A. Sahai. Founding cryptography on oblivious transfer—efficiently, in CRYPTO (2008), pp. 572–591.
 36.
S. Jarecki, and A. Lysyanskaya. Adaptively secure threshold cryptography: Introducing concurrency, removing erasures, in EUROCRYPT (2000), pp. 221–242.
 37.
J. Katz, and R. Ostrovsky. Roundoptimal secure twoparty computation, in CRYPTO (2004), pp. 335–354.
 38.
J. Katz, A. Thiruvengadam, and H.S. Zhou. Feasibility and infeasibility of adaptively secure fully homomorphic encryption, in Public Key Cryptography (2013), pp. 14–31.
 39.
Y. Lindell. Adaptively secure twoparty computation with erasures, in CTRSA (2009), pp. 117–132.
 40.
Y. Lindell and B. Pinkas. A proof of security of Yao’s protocol for twoparty computation. Journal of Cryptology, 22(2):161–188, 2009.
 41.
Y. Lindell and B. Pinkas. Secure twoparty computation via cutandchoose oblivious transfer. J. Cryptology, 25(4):680–722, 2012.
 42.
Y. Lindell and B. Pinkas. An efficient protocol for secure twoparty computation in the presence of malicious adversaries. J. Cryptology, 28(2):312–350, 2015.
 43.
J.B. Nielsen. Separating random oracle proofs from complexity theoretic proofs: the noncommitting encryption case, in CRYPTO (2002), pp. 111–126.
 44.
J.B. Nielsen, P.S. Nordholt, C. Orlandi, and S.S. Burra. A new approach to practical activesecure twoparty computation, in CRYPTO (2012), pp. 681–700.
 45.
M. Naor, and O. Reingold. Synthesizers and their application to the parallel construction of psuedorandom functions, in FOCS (1995), pp. 170–181.
 46.
P. Paillier. Publickey cryptosystems based on composite degree residuosity classes, in EUROCRYPT (1999), pp. 223–238.
 47.
C. Peikert, V. Vaikuntanathan, and B. Waters. A framework for efficient and composable oblivious transfer, in CRYPTO (2008), pp. 554–571.
 48.
C.P. Schnorr. Efficient identification and signatures for smart cards, in CRYPTO (1989), pp. 239–252.
 49.
M.N. Wegman J.L. Carter. Universal classes of hash functions. Journal of Computer and System Sciences, 18(2):143–154, 1979.
 50.
S. Wolf, and J. Wullschleger. Oblivious transfer is symmetric, in EUROCRYPT (2006), pp. 222–232.
 51.
A.C. Yao. Protocols for secure computations (extended abstract), in FOCS (1982), pp. 160–164.
Author information
Affiliations
Corresponding author
Additional information
A preliminary version of this paper appeared in [34]
Communicated by Jonathan Katz.
Appendices
Appendix 1: Standard Security Notions
Hardness Assumptions
Our constructions rely on the following hardness assumptions.
Definition 7.1
(DDH) We say that the decisional Diffie–Hellman (DDH) problem is hard relative to \(\mathcal{G}\) if for all polynomialsized circuits \(\mathcal{C}=\{\mathcal{C}_n\}\) there exists a negligible function \({\mathsf {negl}}\) such that
where \(({\mathbb G},q,g)\leftarrow \mathcal{G}(1^n)\) and the probabilities are taken over the choices of g and \(x,y,z\in {\mathbb Z}_q\).
We require the DDH assumption to hold for primeorder groups. In a few places we use a different version of the DDH assumption: for random generators \(g,h \in {\mathbb G}\) and for distinct but otherwise random \(a,b \in {\mathbb Z}_q\), the tuples \((g,h,g^a,h^a)\) and \((g,h,g^a,h^b)\) are computationally indistinguishable. This version of the DDH assumption is equivalent to the common form discussed above.
Definition 7.2
(DCR) We say that the decisional composite residuosity (DCR) problem is hard relative to \(\mathcal{G}\) if for all polynomialsized circuits \(\mathcal{C}=\{\mathcal{C}_n\}\) there exists a negligible function \({\mathsf {negl}}\) such that
where \(N\leftarrow \mathcal{G}(1^n)\), N is a random nbit RSA composite, r is chosen at random in \({\mathbb Z}_N\) and the probabilities are taken over the choices of N, y and r.
Definition 7.3
(QR) We say that the quadratic residuosity (QR) problem is hard relative to \(\mathcal{G}\) if for all polynomialsized circuits \(\mathcal{C}=\{\mathcal{C}_n\}\) there exists a negligible function \({\mathsf {negl}}\) such that
where \(N\leftarrow \mathcal{G}(1^n)\), N is a random nbit RSA composite, \(\mathbb {J}_N\) denote the group of Jacobi symbol (+1) elements of \({\mathbb Z}^*_N\), \(\mathbb {QR}_N= \{x^2\;:\; x \in {\mathbb Z}^*_N\}\) denote \(\mathbb {J}_N\)’s subgroup of quadratic residues and the probabilities are taken over the choices of N, z.
Public Key Encryption Scheme
We specify the definitions of public key encryption and INDCPA.
Definition 7.4
(PKE) We say that \(\Pi =(\mathsf {Gen}, \mathsf {Enc}, \mathsf {Dec})\) is a public key encryption scheme if \(\mathsf {Gen}, \mathsf {Enc}, \mathsf {Dec}\) are polynomialtime algorithms specified as follows:

\(\mathsf {Gen}\), given a security parameter n (in unary), outputs keys \((\textsc {PK},\textsc {SK})\), where \(\textsc {PK}\) is a public key and \(\textsc {SK}\) is a secret key. We denote this by \((\textsc {PK},\textsc {SK})\leftarrow \mathsf {Gen}(1^n)\).

\(\mathsf {Enc}\), given the public key \(\textsc {PK}\) and a plaintext message m, outputs a ciphertext c encrypting m. We denote this by \(c\leftarrow \mathsf {Enc}_{\textsc {PK}}(m)\); and when emphasizing the randomness r used for encryption, we denote this by \(c\leftarrow \mathsf {Enc}_{\textsc {PK}}(m;r)\).

\(\mathsf {Dec}\), given the public key \(\textsc {PK}\), secret key \(\textsc {SK}\) and a ciphertext c, outputs a plaintext message m s.t. there exists randomness r for which \(c = \mathsf {Enc}_{\textsc {PK}}(m;r)\) (or \(\bot \) if no such message exists). We denote this by \(m \leftarrow \mathsf {Dec}_{\textsc {PK},\textsc {SK}}(c)\).
For a public key encryption scheme \(\Pi =(\mathsf {Gen}, \mathsf {Enc}, \mathsf {Dec})\) and a nonuniform probabilistic adversary \(\textsc {Adv}=(\textsc {Adv}_1,\textsc {Adv}_2)\), we consider the following INDCPA game:
Denote by \(\mathbf {Adv}_{\Pi ,\textsc {Adv}}(n)\) the probability that \(\textsc {Adv}\) wins the INDCPA game.
Definition 7.5
IND(CPA) A public key encryption scheme \(\Pi =(\mathsf {Gen}, \mathsf {Enc}, \mathsf {Dec})\) has indistinguishable encryptions under chosen plaintext attacks (INDCPA), if for every nonuniform probabilistic adversary \(\textsc {Adv}=(\textsc {Adv}_1,\textsc {Adv}_2)\) there exists a negligible function \({\mathsf {negl}}\) such that \(\mathbf {Adv}_{\Pi ,\textsc {Adv}}(n) \le \frac{1}{2} + {\mathsf {negl}}(n).\)
We say that a protocol \(\pi \) realizes functionality \(\mathcal{F}\) with t PKE operations (relative to \(\Pi \)) if the number of calls \(\pi \) makes to either one of \((\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\) is at most t. Importantly, this definition is not robust in the sense that one might define an encryption algorithm \(\mathsf {Enc}'\) that consists of calling \(\mathsf {Enc}\), n times in parallel. In this work we do not abuse this definition and consider algorithms \((\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\) for a single basic operation, which are implemented by O(1) group exponentiations in various group descriptions.
Zeroknowledge Proofs and Proofs of Knowledge
Our protocols employ zeroknowledge proofs (of knowledge) for assuring correct behaviour. We formally define zeroknowledge and knowledge extraction as stated in [28]. We then conclude with a definition of a \(\Sigma \)protocol which constitutes a zeroknowledge proof of a special type.
Definition 7.6
(Interactive proof system) A pair of PPT interactive machines \(({\textsc {P}},{\textsc {V}})\) is called an interactive proof system for a language L if there exists a negligible function \({\mathsf {negl}}\) such that the following two conditions hold:

1.
Completeness: For every \(x\in L\),
$$\begin{aligned} \Pr [\langle {\textsc {P}},{\textsc {V}}\rangle (x)=1]\ge 1{\mathsf {negl}}(x). \end{aligned}$$ 
2.
Soundness: For every \(x\notin L\) and every interactive PPTmachine B,
$$\begin{aligned} \Pr [\langle B,{\textsc {V}}\rangle (x)=1]\le {\mathsf {negl}}(x). \end{aligned}$$
Definition 7.7
(Zeroknowledge) Let \(({\textsc {P}},{\textsc {V}})\) be an interactive proof system for some language L. We say that \(({\textsc {P}},{\textsc {V}})\) is computational zeroknowledge if for every PPT interactive machine \({\textsc {V}}^*\) there exists a PPT algorithm \(M^*\) such that
where the left term denotes the output of \({\textsc {V}}^*\) after it interacts with \({\textsc {P}}\) on common input x, whereas the right term denotes the output of \(M^*\) on x.
Definition 7.8
(Knowledge extraction) Let R be a binary relation and \(\kappa \rightarrow [0,1]\). We say that an interactive function \({\textsc {V}}\) is a knowledge verifier for the relation R with knowledge error \(\kappa \) if the following two conditions hold:

Nontriviality: There exists an interactive machine \({\textsc {P}}\) such that for every \((x,y)\in {\mathcal{R}}\) (implying that \(x\in L_{\mathcal{R}}\)), all possible interactions of \({\textsc {V}}\) with \({\textsc {P}}\) on common input x and auxiliary input y are accepting.

Validity (with error \(\kappa \)): There exists a polynomial \(q(\cdot )\) and a probabilistic oracle machine K such that for every interactive function \({\textsc {P}}\), every \(x\in L_{\mathcal{R}}\), and every machine K satisfies the following condition: Denote by p(x, y, r) the probability that the interactive machine \({\textsc {V}}\) accepts, on input x, when interacting with the prover specified by \({\textsc {P}}_{x,y,r}\) that uses randomness r (where the probability is taken over the coins of \({\textsc {V}}\)). If \(p(x,y,r)>\kappa (x)\), then, on input x and with access to oracle \({\textsc {P}}_{x,y,r}\), machine K outputs a solution \(s\in {\mathcal{R}}(x)\) within an expected number of steps bounded by
$$\begin{aligned} \frac{q(x)}{p(x,y,r)\kappa (x)} \end{aligned}$$The oracle machine K is called a universal knowledge extractor.
Definition 7.9
(\(\Sigma \)protocol) A protocol \(\pi \) is a \(\Sigma \)protocol for relation R if it is a 3round publiccoin protocol and the following requirements hold:

Completeness: If \({\textsc {P}}\) and \({\textsc {V}}\) follow the protocol on input x and private input w to \({\textsc {P}}\) where \((x,w)\in {\mathcal{R}}\), then \({\textsc {V}}\) always accepts.

Special soundness: There exists a polynomialtime algorithm A given any x and any pair of accepting transcripts \((a,e,z), (a,e',z')\) on input x, where \(e\ne e'\), outputs w such that \((x,w)\in {\mathcal{R}}\).

Special honestverifier zero knowledge: There exists a PPTalgorithm \(M^*\) such that
$$\begin{aligned} \left\{ \langle {\textsc {P}}(x,w),{\textsc {V}}(x,e)\rangle \right\} _{x\in L_{\mathcal{R}}} \approx _c\left\{ M(x,e) \right\} _{x\in L_{\mathcal{R}}} \end{aligned}$$where M(x, e) denotes the output of M upon input x and e, and \(\langle {\textsc {P}}(x,w),{\textsc {V}}(x,e)\rangle \) denotes the output transcript of an execution between \({\textsc {P}}\) and \({\textsc {V}}\), where \({\textsc {P}}\) has input (x, w), \({\textsc {V}}\) has input x, and \({\textsc {V}}\)’s random tape (determining its query) equals e.
Appendix 2: A HighLevel Overview of Yao’s Garbling Technique
We briefly describe the garbling technique of Yao as described by Lindell and Pinkas in [41]. In this construction, the desired function f is represented by a boolean circuit C that is computed gate by gate from the input wires to the output wires. In the following, we distinguish four different types of wires used in a given boolean circuit: (a) circuitinput wires; (b) circuitoutput wires; (c) gateinput wires (that enter some gate g); and (d) gateoutput wires (that leave some gate g). The underlying idea is to associate every wire w with two random values, say \(k^0_w,k^1_w\), such that \(k^0_w\) represents the bit 0 and \(k^1_w\) represents the bit 1. The garbled table for each gate maps random input values to random output values, with the property given two input values it is only possible to learn the output value that corresponds to the output bit. This is accomplished by viewing the four potential inputs to the gate \(k^0_1,k^1_1\) (values associated with the first input wire) and \(k^0_2,k^1_2\) (values associated with the second input wire), as encryption keys. So that the output key values \(k^0_3,k^1_3\) are encrypted under the appropriate input keys. For instance, let g be a NAND gate. Then, \(k_3^1\) (that corresponds to bit 1) is encrypted under the pair of keys associated with the values \((0,0),\;(0,1),\;(1,0)\), whereas \(k^0_3\) is encrypted under the pair of keys associated with (1, 1) which yields the following four ciphertexts
where \((\mathsf {Gen},\mathsf {Enc},\mathsf {Dec})\) is a private key encryption scheme that has chosen double encryption security and an elusive efficiently verifiable range; see [41] for the formal definitions. These ciphertexts are randomly permuted in order to obtain the garbled table for gate g. Then, given the input wire keys \(k^{\alpha }_1,k^{\beta }_2\) that correspond to the bits \(\alpha \) and \(\beta \) and the garbled table containing the four encryptions, it is possible to obtain the output wire key \(k^{g(\alpha ,\beta )}_3\). The description of the garbled circuit is concluded with the output decryption tables, mapping the random values on the circuitoutput wires back to their corresponding boolean values.
A useful lemma. Next, we state a useful lemma regarding garbled circuits taken verbatim from [43] and further stated in [40, 42]. The lemma states that it is possible to build a fake garbled circuit that outputs a fixed value \(y = f(x_0,x_1)\) which is indistinguishable relative to an adversary who has only a single set of keys that corresponds to the inputs \(x_0,x_1\). We rely on this lemma in our onesided security proofs when \(P_1\) is corrupted. Formally,
Lemma 8.1
Given a circuit C and an output value y (of same length as the output of C) it is possible to construct a garbled circuit \(\widetilde{GC}\) such that:

1.
The output of \(\widetilde{GC}\) is always y, regardless of the garbled values that are provided for the input wires of \(P_0\) and \(P_1\), and

2.
If \(y = f(x_0,x_1)\), then no nonuniform PPT adversary \(\textsc {Adv}\) can distinguish between the distribution ensemble of \(\widetilde{GC}\) and a single arbitrary garbled value for every input wire, and the distribution ensemble consisting of a real garbled version of C, together with garbled values that correspond to \(x_0\) for \(P_0\)’s input wires and to \(x_1\) for \(P_1\)’s input wires.
Rights and permissions
About this article
Cite this article
Hazay, C., Patra, A. Efficient OneSided Adaptively Secure Computation. J Cryptol 30, 321–371 (2017). https://doi.org/10.1007/s0014501592224
Received:
Revised:
Published:
Issue Date:
Keywords
 Secure twoparty computation
 Adaptive security
 Noncommitting encryption
 Oblivious transfer