Efficient and Round-Optimal Oblivious Transfer and Commitment with Adaptive Security

Abstract

We construct the most efficient two-round adaptively secure bit-OT in the Common Random String (\(\text {CRS} \)) model. The scheme is UC secure under the Decisional Diffie-Hellman (DDH) assumption. It incurs \(\mathcal {O}(1)\) exponentiations and sends \(\mathcal {O}(1)\) group elements, whereas the state of the art requires \(\mathcal {O}(\kappa ^2)\) exponentiations and communicates \(\text {poly}(\kappa )\) bits, where \(\kappa \) is the computational security parameter. Along the way, we obtain several other efficient UC-secure OT protocols under DDH:

• The most efficient yet two-round adaptive string-OT protocol assuming global programmable random oracle. Furthermore, the protocol can be made non-interactive in the simultaneous message setting, assuming random inputs for the sender.

• The first two-round string-OT with amortized constant exponentiations and communication overhead which is secure in the global observable random oracle model.

• The first two-round receiver equivocal string-OT in the \(\text {CRS} \) model that incurs constant computation and communication overhead.

We also obtain the first non-interactive adaptive string UC-commitment in the CRS model which incurs a sublinear communication overhead in the security parameter. Specifically, we commit to \(\text {polylog}(\kappa )\) bits while communicating \(\mathcal {O}(\kappa )\) bits. Moreover, it is additively homomorphic.

We can also extend our results to the single \(\text {CRS} \) model where multiple sessions share the same \(\text {CRS} \). As a corollary, we obtain a two-round adaptively secure MPC protocol in this model.

This work was supported by the IARPA ACHILLES project, the NSF MACS project and NSF grant CNS-1422965. The first author is a member of the Check Point Institute for Information Security.

1 Introduction

Oblivious Transfer (OT), introduced in [23, 41], is one of the main pillars of secure distributed computation. Indeed, OT is a crucial building block for many MPC protocols, e.g. [4, 5, 27, 28, 33, 42]. As a result, significant amount of research has been dedicated to constructing OT protocols that are efficient enough and secure enough to be of practical use.

Table 1. Comparing our actively-secure UC-OT protocols with state-of-the-art DDH-based 2-round actively-secure UC-OT protocols.

Designing good OT protocols is a multi-dimensional challenge: One obvious dimension is the complexity, in terms of computational and communication overhead, as well as the number of rounds. Another dimension is the level of security guaranteed. Here the standard measure is Universally Composable (UC) security [8], in order to enable seamless modular composition into larger MPC protocols. Yet another dimension is the setup used. Commonplace models include the common random string model (\(\text {CRS} \)), the common reference string (CReS) model and the random oracle (RO) model. (Recall that UC-secure OT does not exist in the plain model  [9], thus it is essential to use some sort of setup.) Yet another dimension is the computational hardness assumptions used.

A final dimension, which is the focus of this work, is whether security is guaranteed for adaptive corruption of one or both of the participants, or alternatively only for the static case where one of the parties is corrupted, and the corruption takes place before the computation starts. Indeed, most of the recent works towards efficient OT concentrates on the static case, e.g. [10, 22, 36, 40].

We concentrate on the case of two-round, adaptively UC-secure OT. We only consider the case of malicious adversaries. It is easy to see that two rounds is the minimum possible, even for static OT. Furthermore, two-round OT enables two-round MPC [3,4,5, 27] which is again round-optimal. More importantly, the efficiency of the two-round MPC protocol crucially depends on the efficiency of the underlying two-round UC-OT protocol. Still, there is a dearth of efficient two-round adaptively UC-secure OT protocols which can tolerate malicious corruptions.

1.1 Our Contributions

We present a number of two-round UC-secure OT protocols. Our protocols are all based on the plain DDH assumption and work with any group where DDH is hard. While the protocols are quite different and in particular work in very different settings, they all use the same underlying methodology, which we sketch in Sect. 1.2. But first we summarize our results and compare it with the relevant state-of-the-art protocols. We organize the presentation and comparison based on the setup assumptions - the global random oracle (GRO) model, and the common reference and random string models. A stronger notion of RO is the GRO model where the same instance of RO is shared globally among different sessions. We have results in the global observable random oracle (GORO) model and the global programmable random oracle (GPRO) model. Our results are further subdivided into cases based on static and adaptive corruptions. A detailed comparison can be found in Table 1. We assume that the number of bits required to represent a group element (for which DDH holds) is \(\mathcal {O}(\kappa )\). For example, the DDH assumption holds in the elliptic curve groups and a group element can be represented with \(\mathcal {O}(\kappa )\) bits.

Global Random Oracle Model. Our protocols are proven to be secure in the well established GRO [7, 10] model. Our results in the GRO model are as follows:

• Efficient Adaptive OT in Programmable GRO Model. The work of “Simplest OT” [18] presented a 3-round OT in the programmable RO (PRO) model, which was later shown as not UC-statically secure [6, 34]. Inspired by their protocol, we design a 2-round adaptively secure OT \(\pi _{\textsf {aOT-GPRO}}\) in the GPRO model. Our protocol requires roughly 5 exponentiations and communicates 2 group elements and \(2\kappa \) bits when the sender’s input messages are \(\kappa \) bits long and the computational security parameter is \(\kappa \).

  State-of-the-Art. The work of [6] presents an adaptively secure OT assuming DDH. They require 11 exponentiations and 5\(\kappa \) bits of communication. The work of [36] obtains a two-round OT based on DDH using 6 exponentiations. They obtained static security assuming PRO. We observe that it can be proven to be adaptively secure under the same assumptions. They also provide an optimized variant requiring 4 exponentiations under the non-standard assumption of Interactive DDH, which is not known to be reducible to standard DDH. The work of [29] presented a 8 round adaptive OT protocol from semi-honest UC adaptive-OT and observable GRO (i.e. GORO) model in the tamper-proof hardware model. We do not compare with them due to difference in the underlying setup assumptions. A detailed comparison with other protocols is shown as Setting 1 in Table 1.

• One-Round Random OT in the GPRO + Short Single CRS Model. Our GPRO-based protocol can be further improved to obtain a one-round random OT (where the sender’s messages are randomly chosen) \(\pi _{\textsf {aROT-GPRO}}\) in the simultaneous message (where the parties can send messages in parallel) setting assuming a single short \(\text {CRS} \) of two group elements. By single \(\text {CRS} \), we refer to the setting of [11] where the same \(\text {CRS} \) is shared among all sessions and the simulator knows the trapdoor of the \(\text {CRS} \). In our protocols, each random OT requires communicating 2 group elements and computing roughly 5 exponentiations. This is particularly useful to compute the base OT in OT extension [32, 39] non-interactively during the offline phase.

  State-of-the-Art. In comparison, the work of [36] can obtain a one-round random OT in the simultaneous message setting from non-interactive Key Agreement protocols. Assuming DDH, they can instantiate their protocol using 6 exponentiations.¹ The work of [14] presented an OT with selective failure from CDH assumption and proven its security for \(\mathcal {O}(\kappa )\) OTs together. The work by Doerner et al. [21] presented an OT with selective failure based on observable RO (ORO) and used it to obtain OT extension while computing roughly 3 exponentiations per base-OT and 1 NIZKpok. However, their OT requires 5 rounds of interaction and communication of 4 group elements and 3\(\kappa \) bit strings, yielding a 6 round OT extension. On the other hand, our protocol would give a 3 round OT extension with communication of 2 group elements per base-OT and it should outperform theirs in the WAN setting where interaction dominates the computation time.

• Static OT in the Observable GRO Model. We replace the GPRO by a non-programmable GORO, with an extra one-time cost of 2 NIZKPoKs for Discrete Log and 5 exponentiations, which can be reused across multiple executions. One-time cost is a cost that is incurred only once per session/subsession even if multiple OT protocols are run in that session/subsession between the pair of parties. The remaining per-OT cost of this protocol is 5 exponentiations, except that now the protocol is only statically secure.

  State-of-the-Art. In comparison, the only two-round OT protocol from GORO is known from [10]. The authors generate a statically-secure one-sided simulatable OT under DDH assumption. It is used to obtain a UC-secure 2PC protocol using garbled circuits [3]. The 2PC can be instantiated as an UC-secure OT protocol. Each such OT would cost \(\mathcal {O}(\kappa )\) exponentiations, which cannot be amortized for large number of OTs. A detailed comparison can be found in Setting 2 of Table 1.

Common Random String Model. Next we present our results in the \(\text {CRS} \) model. We would like to note that the state-of-the-art protocols are in a stronger model, i.e. the common reference string model and yet we work in the common random string model and still outperform them. Our results and detailed comparison follows:

• Static OT in the CRS Model. We replace the GRO with a non programmable CRS. This gives us an efficient two-round static OT \(\pi _{\textsf {sOT-CRS}}\) which requires 8 exponentiations and communication of 5 group elements.

  State-of-the-Art. In contrast, The state-of-the-art is obtained by [40] in the common reference string model from DDH, Quadratic Residuosity (QR) and Learning with Errors (LWE). Their DDH based instantiation required 11 exponentiations and communicated 6 group elements, while other instantiations required more. Following this, [17] presented constructions in the single common reference string model (of [11]), which is a weaker setup assumption. They have a 2 round construction from Decision Linear Assumption which requires 20 exponentiations and they have a 4 round construction from DDH and Decisional Composite Residuosity Assumption. The recent work of [22] presents a theoretical construction based on CDH and Learning with Parity. Detailed comparison can be found in Setting 3 of Table 1.

• Receiver Equivocal OT in the CRS Model. Next, we add security against adaptive corruption of receiver at the cost of one extra exponentiation. This yields a receiver equivocal OT \(\pi _{\textsf {reOT-CRS}}\) which requires 9 exponentiations and communication of 5 group elements. Such an OT can find useful applications in efficient adaptively-secure zero knowledge [24] schemes.

  State-of-the-Art. Previous receiver equivocal OT protocol of [25] required somewhere equivocal encryption leading to a practically infeasible solution. On the other hand, [5] required \(\mathcal {O}(\kappa )\) instances of static string-OTs and non-blackbox usage of non-interactive equivocal commitment to construct a receiver equivocal OT. A detailed comparison can be found in Setting 4 of Table 1.

• Adaptive OT in the CRS Model. Finally, we add sender equivocation in our receiver equivocal OT to obtain a semi-adaptive OT (which is secure against static corruption of one party and adaptive corruption of another party) \(\pi _{\textsf {saOT-CRS}}\) in two rounds. Then, we apply the transformation of [5] to obtain our adaptively-secure bit OT \(\pi _{\textsf {aOT-CRS}}\) in two rounds. Their transformation upgrades a semi-adaptively secure OT to an adaptively secure OT in the augmented \(\textsf {NCE}\) model. Our final protocol \(\pi _{\textsf {aOT-CRS}}\) computes 11 exponentiations and communicates 7 group elements. In addition, it encrypts 2 bits using augmented \(\textsf {NCE}\). Upon instantiating the \(\textsf {NCE}\) scheme using the DDH-based protocol of [16], we obtain the first two round adaptively secure bit-OT which has constant communication and computation overhead.

  Table 2. Comparing our protocol with state-of-the-art adaptively secure (without erasures) UC commitment schemes where the commitment size is \(\mathcal {O}(\kappa )\) bits

  State-of-the-Art. In this setting, few works [12, 26, 26] achieve adaptive security based on general two-round MPC protocol using indistinguishability obfuscation. The only round optimal adaptively-secure protocol under standard computational assumption is due to [5] from DDH, LWE, and QR. They obtain a semi-adaptive bit-OT by garbling a non-interactive equivocal commitment scheme using equivocal garbling techniques of [13]. The construction also requires \(\mathcal {O}(\kappa ^2)\) invocations to a static string OT with oblivious sampleability property. Then, they provide a generic transformation to obtain an adaptively secure bit OT from a semi-adaptively secure bit-OT in the augmented \(\textsf {NCE}\) model. On efficiency measures, the work of [5] constructs the equivocal garbled circuit by communicating \(\text {poly}(\kappa )\) bits and their semi-adaptive bit OT requires \(\mathcal {O}(\kappa ^2)\) exponentiations, thus yielding a feasibility result. In contrast, our protocol is concretely efficient. We have compared with their protocol in Setting 5 of Table 1.

• Non-interactive Adaptive Commitment. As an independent result, we demonstrate that the first message of any two-round receiver equivocal OT behaves as an adaptively-secure commitment. By applying this result to our receiver equivocal OT \(\pi _{\textsf {reOT-CRS}}\), we obtain the first non-interactive adaptive string commitment scheme with sublinear communication in \(\kappa \). More specifically, we commit \(\text {polylog}(\kappa )\) bits using 4 exponentiations and communicating 2 group elements. Interestingly, our scheme is additively homomorphic.

  State-of-the-Art. On the other hand, the previous non-interactive adaptively-secure commitment schemes [1, 2, 9, 11] in the common reference string model were bit commitments requiring \(\mathcal {O}(1)\) exponentiations and \(\mathcal {O}(\kappa )\) bits communication to commit a bit. There are string commitments [19, 20] but they require 3 rounds of interaction for commitment. The work of [30] presented a theoretical construction from the minimal assumption of public key encryption with oblivious ciphertext generation. It has an interactive commitment phase and communicates \(\mathcal {O}(\kappa ^2)\) bits to commit to a single bit. Table 2 provides a qualitative comparison of our protocol with other schemes.

Single Common Random String Model. Currently, our results in this subsection are in the local \(\text {CRS} \) model. We can extend it to the single common random string, i.e. \(\text {sCRS} \) model of [11], where all parties share the same \(\text {sCRS} \) for their subsessions. A subsession is computed between a pair of parties with unique roles (party A is the sender of an OT subsession and Party B is the receiver). The local \(\text {CRS} \) is generated from \(\text {sCRS} \) by the parties during the protocol. There can be multiple instances of the same protocol within a subsession with the same local \(\text {CRS} \) between same parties with their roles preserved, i.e. A will be the sender and B will be the receiver. The simulator knows the hidden trapdoors for \(\text {sCRS} \). This benefit comes at a cost of keeping the \(\text {sCRS} \) length to \(4\kappa +2\) group elements. The length is independent of the number of parties or the number of instances of the protocol being run. However, we assume that the subsession ids are chosen statically by the environment \(\mathcal {Z}\) before seeing \(\text {sCRS} \). Using our adaptive OT and commitment protocol in the \(\text {sCRS} \) model, we obtain a two-round adaptively secure MPC protocol in the \(\text {sCRS} \) model. Similar result was observed in the work of [5].

1.2 Key Insights

Our OT protocols are in the dual-mode [35, 40] paradigm. In this paradigm, the protocol can be either in extractable mode or equivocal mode based on the mode of the setup assumption. In the extractable mode, the input of a corrupt receiver can be extracted by a simulator(playing the role of sender) using a trapdoor; whereas in the equivocal mode the simulator(playing the role of honest receiver) can use the trapdoor to compute randomness that would equivocate the receiver’s message to both bit values \(b \in \{0,1\}\). This would enable the simulator to extract a corrupt sender’s input messages corresponding to both bit values. Previous protocols ensured that the real world protocol was always in the extractable mode by programming the setup distribution [35, 40]. However, this required programming the setup based on which party is statically corrupt and this was incompatible with adaptive security.

The novelty of our paper lies in programming the mode of the protocol, during the protocol execution, without explicitly programming the setup. We achieve this by relying on the Computational Diffie-Hellman(CDH) and DDH assumption. The protocols either start off with a common random string - \((g, h, T_1)\) or generate one by invoking the GRO on a random string. The receiver is required to generate \(T_2\) and execute the OT protocol using \((g, h, T_1, T_2)\) as the setup tuple. The protocol ensures that if the tuple is non-DDH then the protocol is in extractable mode, else it is in equivocal mode. The CDH assumption guarantees that the tuple is a non-DDH tuple and hence the real world protocol is in extractable mode. Meanwhile, the simulator can compute \(T_2 = h^\textsf {td} \) s.t. the tuple is in equivocal mode by using the trapdoor \(\textsf {td} = \log _gT_1\). The simulated tuple is indistinguishable from real tuple due to DDH assumption. This trick follows by carefully tweaking the DDH based instantiation of the PWV framework such that it satisfies an additional property, i.e. the \(\text {CRS} \) for the protocol will be in extractable mode (a.k.a messy mode according to PVW) and it can be set to equivocal mode (a.k.a decryption mode according to PVW) by the simulator, given a trapdoor. This enables simulation in the adaptive setting as the simulator can conveniently program the \(\text {CRS} \) based on which party gets corrupted. Extending our techniques to hold under additional assumptions is an intriguing open question, especially LWE and QR since PVW can be instantiated from them. See Sect. 3 for a more detailed overview.

Paper Organization. In the next section, we introduce some notations and important concepts used in this paper. In Sect. 3, we present the key intuitions behind our protocols. This is followed by our results in the global random oracle model in Sect. 4. Then, we replace the random oracle assumption with a \(\text {CRS} \) setup to obtain a receiver equivocal OT in Sec. 5. Our optimized static-OT is present in the same section. In Sect. 6 we add sender equivocation in our receiver equivocal OT to obtain adaptively-secure OT in the CRS model. We present our independent result on adaptively-secure commitment scheme in Sect. 7. Finally, we conclude by replacing our local \(\text {CRS} \) with a single \(\text {CRS} \) in Sect. 8. In the same section we provide our two round adaptive MPC protocol in the single \(\text {CRS} \) model.

2 Preliminaries

Notations. We denote by \(a \leftarrow D\) a uniform sampling of an element a from a distribution D. The set of elements \(\{1,\ldots ,n\}\) is represented by [n]. We denote \(\text {polylog}(a)\) and \(\text {poly}(b)\) as polynomials in \(\log a\) and b respectively. We denote a probabilistic polynomial time algorithm as PPT. We denote the computational security parameter by \(\kappa \). Let \(\mathbb {Z}_q\) denote the field of order q, where \(q=\frac{p-1}{2}\) and p are primes. Let \(\mathbb {G}\) be the multiplicative group corresponding to \(\mathbb {Z}_p^*\) with generator g, where DDH assumption holds. We denote the set of natural numbers as \(\textsf {N}\). When a party \(\textsf {S} \) gets corrupted we denote it by \(\textsf {S} ^*\). Our protocols have the following naming convention \(\pi _{\langle \textsf {sec}\rangle \langle \textsf {prot}\rangle \textsf {-}\langle \textsf {setup}\rangle } \) where \({\langle \textsf {sec}\rangle }\) refers to the security model and it can be either \(\textsf {s}\) (static), \(\textsf {re}\) (receiver equivocal) or \(\textsf {a}\) (adaptive). \(\langle \textsf {prot}\rangle \) refers to the protocol which is either OT or ROT or COM based on OT or random OT or commitment protocol respectively. Similarly, \({\langle \textsf {setup}\rangle }\) refers to the setup assumption where it can be either \(\textsf {PRO}\) (PRO model) or \(\textsf {ORO}\) (ORO model) or \(\textsf {CRS}\) (CRS). Our security proofs are in the Universal Composability (UC) framework of [8]. We refer to the original paper for details.

Global Random Oracle Model. We present the global random oracle functionality from [7] in Fig. 1. It allows a simulator to observe illegitimate queries that are made by the adversary from outside the session by invoking the Observe command. It also enables the simulator to program (using the Program command) the random oracle on unqueried input points. Meanwhile, an adversary can also program (using the Program command) the random oracle on a point but an honest party can check whether that point has been programmed or not by invoking the IsProgrammed command. In the ideal world, a simulator can successfully program the RO since it can always return the result of IsProgrammed command as 0 when the adversary invokes it to verify whether a point has been programmed or not. More details can be found in Sect. 8 of [7]. In our OT protocols we require multiple instances of the GRO due different distributions on the domain and range of the GRO. We denote them as \(\mathcal {F}_\textsf {GRO1}\), \(\mathcal {F}_\textsf {GRO2}\) and so on. We assume \({\mathcal {F}_\textsf {GRO}}_i\) is indexed by a parameter \(i \in \textsf {N}\), in addition to \(\mathsf {sid}\). We avoid writing i as part of the parameters to avoid notation overloading.

Fig. 1.

The ideal functionality \(\mathcal {F}_{\textsf {GRO}}\) for global random oracle

Common Random String Model. In this assumption, the parties of a session \(\mathsf {sid}\) have access to a string randomly sampled from a distribution. A \(\text {CRS} \) is local to the session \(\mathsf {sid}\) and should not be used for protocols outside the session. In the security proof, the simulator would have access to the trapdoors of the \(\text {CRS} \) which would enable him to simulate the ideal world adversary. In the MPC literature, the acronym CRS can also refer to common reference string which is a stronger assumption than common random string. In this paper, we always use CRS for common random string unless explicitly mentioned. We also use the single \(\text {CRS} \) model [11] where a single \(\text {CRS} \) - \(\text {sCRS} \) is shared among all sessions and the simulator knows the trapdoor of the \(\text {sCRS} \).

Fig. 2.

The ideal functionality \(\mathcal {F}_{\textsf {OT}}\) for oblivious transfer

Fig. 3.

The ideal functionality \(\mathcal {F}_\textsf {COM}\) for commitment scheme

Oblivious Transfer. In a 1-out-of-2 OT, we have a sender (S) holding two inputs \(a_0,a_1 \in \{0,1\}^n\) and a receiver (\(\textsf {R}\)) holding a choice bit b. The correctness of OT means that \(\textsf {R}\) will obtain \(a_b\) as the outcome of the protocol. At the same time, S should learn nothing about b, and \(\textsf {R} \) should learn nothing about the other input of S, namely \(a_{\bar{b}}\). The ideal OT functionality \(\mathcal {F}_{\textsf {OT}}\) is shown in Fig. 2. We also consider the multi-session variant \(\mathcal {F}_{\textsf {mOT}}\) (Fig. 13) where multiple parties can run pairwise OT protocols, while sharing the same setup resources. This captures our OT protocols in the single \(\text {CRS} \) model.

Adversarial Model. We initially consider security against static corruptions by a malicious adversary. Later, we need different levels of adaptive security and we enlist them as follows:

• Static Corruption: The adversary corrupts the parties at the beginning of the protocol.

• Receiver Equivocal Corruption: The adversary corrupts sender statically and he corrupts the receiver adaptively.

• Sender Equivocal Corruption: The adversary corrupts receiver statically and he corrupts the sender adaptively.

• Semi-adaptive Corruption: The adversary corrupts one party statically and the other party adaptively.

• Adaptive Corruption: The adversary corrupts both parties adaptively. This scenario covers the previous corruption cases.

Commitment. A commitment scheme allows a committing party \(\textsf {C} \) to compute a commitment c to a message m, using randomness r, towards a party \(\textsf {V} \) in the \(\textsc {Commit}\) phase. Later in the \(\textsc {Decommit}\) phase, \(\textsf {C} \) can open c to m by sending the decommitment to \(\textsf {V} \). The commitment should hide m from a corrupt \(\textsf {V} ^*\). Binding ensures that a corrupt \(\textsf {C} ^*\) cannot open c to a different message \(m'\ne m\). In addition, UC-secure commitments require a simulator (for honest \(\textsf {V} \)) to extract the message committed by \(\textsf {C} ^*\). Also, it enables a simulator (for honest \(\textsf {C} \)) to commit to 0 and later open it to any valid message by using the trapdoor. The ideal commitment functionality \(\mathcal {F}_\textsf {COM}\) is shown in Fig. 3. We also consider the multi-session [11] variant \(\mathcal {F}_\textsf {mCOM}\) (Fig. 14) where multiple parties can run pairwise commitment schemes protocols, while sharing the same setup resources. This captures our commitment scheme in the single \(\text {CRS} \) model.

Non-committing Encryption. A non-committing encryption consists of three algorithms \(\textsf {NCE}= (\textsf {Gen}; \textsf {Enc}; \textsf {Dec})\). It is a public key encryption scheme which allows a simulator to encrypt a plaintext in the presence of an adaptive adversary. Given a trapdoor, the simulator (on behalf of the honest party) can produce some dummy ciphertext c without the knowledge of any plaintext m. Later when the honest party gets corrupted and the simulator produces matching randomness (or decryption key) s.t. c decrypts to m. More formally, it is defined as follows.

Definition 1

(Non-committing Encryption). A non-committing (bit) encryption scheme (NCE) consists of a tuple \((\textsf {NCE}.\textsf {Gen}, \textsf {NCE}.\textsf {Enc}, \textsf {NCE}.\textsf {Dec}, \textsf {NCE}.\mathcal {S})\) where \((\textsf {NCE}.\textsf {Gen}, \textsf {NCE}.\textsf {Enc}, \textsf {NCE}.\textsf {Dec})\) is an IND-CPA public key encryption scheme and \(\textsf {NCE}.\mathcal {S}\) is the simulation satisfying the following property: for \(b \in \{0,1\}\) the following distributions are computationally indistinguishable:

$$\{ (\textsf {pk}, c, r_G, r_E) : (\textsf {pk}, \textsf {sk}) \leftarrow \textsf {NCE}.\textsf {Gen}(1^\kappa ; r_G), c = \textsf {NCE}.\textsf {Enc}(\textsf {pk}, b; r_E)\}_{\kappa ,b} \approx $$

$$\{ (\textsf {pk}, c, r^b_G, r^b_E) : (\textsf {pk}, c, r^0_G, r^0_E, r^1_G, r^1_E) \leftarrow \textsf {NCE}.\mathcal {S}(1^\kappa )\}_{\kappa ,b}.$$

Definition 2

(Augmented Non-committing Encryption). An augmented \(\textsf {NCE}\) scheme consists of a tuple of algorithms \((\textsf {NCE}.\textsf {Gen}, \textsf {NCE}.\textsf {Enc}, \textsf {NCE}.\textsf {Dec}, \textsf {NCE}.\mathcal {S}\), \(\textsf {NCE}.\textsf {Gen}_\textsf {Obl}, \textsf {NCE}.\textsf {Gen}_\textsf {Inv})\) where \((\textsf {NCE}.\textsf {Gen}, \textsf {NCE}.\textsf {Enc}, \textsf {NCE}.\textsf {Dec}, \textsf {NCE}.\mathcal {S})\) is an \(\textsf {NCE}\) and:

• Oblivious Sampling: \(\textsf {NCE}.\textsf {Gen}_\textsf {Obl}(1^\kappa )\) obliviously generates a public key \(\textsf {pk}\) (without knowing the associated secret key \(\textsf {sk}\).

• Inverse Key Sampling: \(\textsf {NCE}.\textsf {Gen}_\textsf {Inv}(\textsf {pk})\) explains the randomness for the key \(\textsf {pk}\) satisfying the following property. Obliviousness: The following distributions are indistinguishable:

  $$\left\{ (\textsf {pk}, r): \textsf {pk}\leftarrow \textsf {NCE}.\textsf {Gen}_\textsf {Obl}(1^\kappa ; r)\right\} _{\kappa } \approx $$
  $$ \left\{ (\textsf {pk}, r'): (\textsf {pk}, \textsf {sk}) \leftarrow \textsf {NCE}.\textsf {Gen}(1^\kappa );r' \leftarrow \textsf {NCE}.\textsf {Gen}_\textsf {Inv}(\textsf {pk})\right\} _\kappa .$$

Definition 3

(Computational Diffie-Hellman Assumption). We say that the CDH assumption holds in a group \(\mathbb {G}\) if for any PPT adversary \(\mathcal {A}\),

$$\Pr [\mathcal {A}(g, h, T) = Z] = \textsf {neg}(\kappa ).$$

holds, where \(h, T \leftarrow \mathbb {G}\), and \(T = g^t\), \(Z = h^t\).

Definition 4

(Decisional Diffie-Hellman Assumption). We say that the DDH assumption holds in a group \(\mathbb {G}\) if for any PPT adversary \(\mathcal {A}\),

$$|\Pr [\mathcal {A}(g, h, T, Y) = 1] - \Pr [\mathcal {A}(g, h, T, Z) = 1]| = \textsf {neg}(\kappa ).$$

holds, where \(h, T, Y \leftarrow \mathbb {G}\) and \(T = g^t\), \(Z = h^t\).

3 Technical Overview

In this section, we will provide a high-level overview of our main constructions. Full technical details can be found in later sections.

3.1 Adaptively Secure OT in the Global Programmable RO Model

The “Simplest OT protocol” [18] is a three-round OT protocol in the programmable RO model. \(\textsf {S} \) sends the first message as \(T=g^r\), using some secret randomness \(r \leftarrow \mathbb {Z}_q\). \(\textsf {R} \) uses the sender’s message to compute the second message as \(B=g^\alpha T^b\) based on his input bit b using some secret receiver randomness \(\alpha \leftarrow \mathbb {Z}_q\). Upon receiving B, the sender reuses the secret randomness r to compute the OT third message as follows:

$$\begin{aligned} \begin{aligned} c_0&= \mathcal {F}_\textsf {GRO}\left( B^r\right) \oplus m_0\\ c_1&= \mathcal {F}_\textsf {GRO}\left( \left( \frac{B}{T}\right) ^r\right) \oplus m_1 \end{aligned} \end{aligned}$$

(1)

The receiver decrypts \(m_b = c_b \oplus \mathcal {F}_\textsf {GRO}(\mathsf {sid}, T^\alpha )\). A corrupt \(\textsf {R} ^*\) cannot obtain both messages as it requires computing \(T^r\) (as it involves querying \(B^r\) and \((\frac{B}{T})^r\)) to the RO. Such a computation is hard by CDH assumption as \(T=g^r\) is randomly sampled by \(\textsf {S} \) and kept secret from \(\textsf {R} \). On the other hand, a corrupted \(\textsf {S} ^*\) cannot guess b as b is perfectly hidden in B (since \(\alpha \) and \(\alpha -r\) are valid receiver randomness for bits 0 and 1). This also disrupts a corrupt receiver’s input extraction by the simulator as b is not binded to B. The only way to extract the input of \(\textsf {R} ^*\) is when he invokes \(\mathcal {F}_\textsf {GRO}\) on \(B^\alpha \) to decrypt \(m_b\). However, such a weak extraction process is insufficient for UC-secure protocols (GC-based protocols) where this OT protocol might be used and it has been pointed out by the work of [6, 34]. To tackle this issue, the protocol should bind the receiver’s input bit b to the receiver’s message. Here our goals are: 1) fix this protocol to be fully UC-secure; 2) reduce the round complexity of the protocol to two rounds.

Our Solution. We reduce the round complexity by generating T as an OT parameter using a GRO. The receiver generates T by invoking the GRO on a randomly sampled \(\textsf {seed}\). He constructs \(B=g^\alpha T^b\) based on bit b. The sender samples a random r from \(\mathbb {Z}_q\) and encrypt his message as in Eq. 1. The sender also sends \(z=g^r\) so that the receiver can decrypt \(m_b = c_b \oplus \mathcal {F}_\textsf {GRO}(\mathsf {sid}, z^\alpha )\). Security follows from the the security of Simplest OT. And sender’s messages are hidden due to CDH assumption. However, the receiver’s bit cannot be extracted from the receiver’s message as it is perfectly hidden.

Now we will add a mechanism such that the receiver’s bit can be extracted from the receiver’s message. Intuitively, the protocol is modified in such a way that the receiver runs two instances (using two different OT parameters) of the modified Simplest OT using the same randomness \(\alpha \). The sender encrypts his message by combining these two instances. Finally, the receiver uses \(\alpha \) to decrypt \(m_b\). Security ensures that a corrupt receiver cannot decrypt \(m_0\) or \(m_1\) if the two instances are not computed using \(\alpha \). And a simulator can extract the corrupt receiver’s input bit from the two instances if they are correctly constructed. This ensures input extraction of a corrupt receiver, thus giving us a round optimal UC-secure OT with high concrete efficiency.

More formally, the receiver \(\textsf {R} \) generates \((h, T_1,T_2)\) as receiver OT parameters using the GRO. He constructs two instances as \(B=g^\alpha T_1^b\) and \(H=h^\alpha T_2^b\) using the same randomness \(\alpha \). He sends \(\textsf {seed}\) and (B, H) to the sender \(\textsf {S} \). Next, \(\textsf {S} \) samples r, s from \(\mathbb {Z}_q\) and computes the sender OT parameter \(z=g^rh^s\). The sender combines the two OT instance by computing the ciphertexts:

$$c_0 = \mathcal {F}_\textsf {GRO}\left( \mathsf {sid}, B^rH^s\right) \oplus m_0, \text { and } c_1 = \mathcal {F}_\textsf {GRO}\left( \mathsf {sid}, \left( \frac{B}{T_1}\right) ^r\cdot \left( \frac{H}{T_2}\right) ^s\right) \oplus m_1. $$

The receiver computes \(m_b = c_b \oplus \mathcal {F}_\textsf {GRO}(\mathsf {sid}, z^\alpha )\). This new scheme supports extraction of a corrupt receiver’s input bit if the simulator knows x s.t. \(h=g^x\). The simulator extracts \(b=0\) if \(H=B^x\), else if \(\frac{H}{T_2}=(\frac{B}{T_1})^x\) then he sets \(b=1\). Otherwise, the receiver message is malformed and b is set as \(\bot \). Extraction always succeeds unless \((g, h, T_1, T_2)\) forms a DDH tuple. In such a case \((g, h, T_1, T_2) = (g, g^x, g^t, g^{xt})\) and both extraction cases will satisfy. However, such an event occurs with negligible probability since \((h, T_1, T_2)\) is generated using a random oracle. Sender’s messages are hidden from a corrupt receiver due to CDH assumption. Simulation against a corrupt sender proceeds by programming the GRO s.t \((g, h, T_1, T_2)\) is a DDH tuple. The simulator (playing the role of honest \(\textsf {R} \)) sets \(B=g^\alpha \) and \(H=h^\alpha \) as receiver message. Upon obtaining the second OT message from the corrupt sender, the simulator extracts \(m_0\) and \(m_1\) by using randomness \(\alpha \) and \(\alpha -t\) respectively. The corrupt sender cannot distinguish between the real and ideal world OT parameters due to DDH assumption. Also, B and H perfectly hides b in the ideal world.

Our protocol is more efficient than the state-of-the-art two-round UC-secure OT [36, 40]. Furthermore, if we are interested in random OTs, then \(\textsf {S} \) needs to communicate only the OT parameter z for all the OTs. This would yield a non-interactive random OT at the cost of 5 exponentiations and 2 group elements (i.e. \(\textsf {R} \) communicates (B, H) for each random OT). The same protocol is adaptively secure in the programmable random oracle model, and can be modified to use an global observable RO but only provide static security. See Sect. 4 for full details.

3.2 Receiver Equivocal Oblivious Transfer in the CRS Model

Our next goal is to obtain efficient UC-secure OT with only a common random string setup. We replace the GRO by partially setting the receiver OT parameters as the \(\text {CRS} \), consisting of three random group elements \((g, h, T_1)\). The receiver is required to generate \(T_2\) as part of the protocol and use it to compute B and H following the previous protocol (Sect. 3.1). \(T_2\) will be reused for multiple OT instances in the same session. It is guaranteed that a corrupt receiver will compute \(T_2\) s.t. the tuple is non-DDH due to the CDH assumption. In such a case, the simulator for a corrupt receiver can extract b from B and H given x, where \(h=g^x\). On the other hand, the simulator (playing role of honest receiver) for a corrupt sender can compute \(T_2\) s.t. \((g, h, T_1, T_2)\) is a DDH tuple, given the trapdoor t s.t. \(T_1=g^t\). It would allow him to extract corrupt sender’s input messages from \((c_0, c_1)\) and equivocate \((B, H) = (g^\alpha , h^\alpha )\) to open to bit b by opening the receiver’s randomness as \(\alpha -bt\). This provides security against adaptive corruption of receiver. The sender’s algorithm is similar to the one in Sect. 3.1 where the ciphertexts are formed as follows:

$$c_0 = B^rH^s \cdot m_0, \text { and } c_1 = \left( \frac{B}{T_1}\right) ^r\cdot \left( \frac{H}{T_2}\right) ^s \cdot m_1$$

However, the sender’s randomness (r, s) has to be unique for each OT instance, else the sender’s OT messages - \((c_0, c_1)\), will leak about the sender’s input messages - \((m_0, m_1)\). Thus, we obtain a two-round OT protocol which is secure against static corruption of the sender and adaptive corruption of the receiver in the common random string model. Our protocol requires 9 exponentiations and communication of 6 group elements, where one group element (i.e. \(T_2\)) can be reused; reducing the communication overhead to 5 group elements. We can further optimize our computation cost to 8 exponentiations if we sacrifice receiver equivocal property and instead settle for static security. In contrast, the only other two-round protocol [40] in this model requires 11 exponentiations and communication of 6 group elements in the common reference string model. Note that the protocol here is receiver-equivocal, which will be made fully adaptive in the following subsection.

3.3 Adaptively Secure Oblivious Transfer in the CRS Model

Finally, we would like to add sender equivocation to the above protocol. It requires a simulator to simulate the OT second message without the knowledge of sender’s input. Upon post-execution corruption of sender, the simulator should provide the randomness s.t. the OT second message corresponds to sender’s original input \((m_0, m_1)\). In our current protocol, the second OT message is computed based on B and H using the randomness r and s. The simulator (playing the role of an honest sender) sets \(c_{\bar{b}}\) randomly and opening it to \(m_{\bar{b}}\) requires the knowledge of receiver’s randomness - \(\alpha \). Also, such an equivocation would be possible only if the tuple - \(\text {CRS} \) and \(T_2\), is a non-DDH tuple as z and \(p_{\bar{b}}=\frac{c_{\bar{b}}}{m_{\bar{b}}}\) are two separate equations in r and s. When the tuple is a DDH one (which is required for receiver equivocation when the receiver is corrupted post-execution) then we can write \(p_{\bar{b}} = z^{\alpha +(-1)^{b}t}\). It is not possible to provide r and s s.t. a random \(c_{\bar{b}}\) opens to \(p_{\bar{b}} \cdot m_{\bar{b}}\), where \(p_{\bar{b}}\) gets fixed by \(\alpha \) and z, and \(m_{\bar{b}}\) is chosen by the adaptive adversary in post-execution corruption. Thus, it seems receiver and sender equivocation will not be possible simultaneously if we follow this approach.

We address this challenge by modifying the sender protocol. We construct a semi-adaptive OT protocol by slightly tweaking our receiver equivocal OT protocol. Then we apply the transformation of [5] which uplifts a semi-adaptive OT into to an adaptively secure OT using augmented \(\textsf {NCE}\). A semi-adaptive OT is one which is secure against static corruption of one party and adaptive corruption of another party. Our semi-adaptive OT construction is described as follows. The sender encrypts only bit messages \(m_i \in \{0, 1\}\) in ciphertext \((z_i, c_i)\), for \(i \in \{0, 1\}\), using independent randomness \((r_i, s_i)\). If \(m_i=1\) then sender encrypts it using the sender protocol as follows:

$$\begin{aligned} z_i&=g^{r_i}h^{s_i}\\ c_i&= \left( \frac{B}{T_i^i}\right) ^{r_i}\left( \frac{H}{T_2^i}\right) ^{s_i} \cdot m_i = \left( \frac{B}{T_i^i}\right) ^{r_i}\left( \frac{H}{T_2^i}\right) ^{s_i} \cdot 1 = \left( \frac{B}{T_i^i}\right) ^{r_i}\left( \frac{H}{T_2^i}\right) ^{s_i} \end{aligned}$$

If \(m_i=0\), then sender samples \(z_i\) and \(c_i\) as random group elements. Upon receiving \((z_0, c_0, z_1, c_1)\), the receiver computes \(y=c_b\cdot z_b^{-\alpha }\). If \(y=1\), then receiver outputs \(m_b=1\), else he outputs \(m_b=0\). In this new construction, \(m_{\bar{b}}\) remains hidden in \(c_{\bar{b}}\) from the corrupt receiver due to DDH assumption. Moreover, it solves our previous problem of equivocating sender’s OT message - \(c_{\bar{b}}\). Here, the simulator (playing the role of honest sender) can always compute \((z_{\bar{b}}, c_{\bar{b}})\) s.t. they encrypt \(m_{\bar{b}}=1\) using randomness \((r_{\bar{b}}, s_{\bar{b}})\). Later, when sender gets corrupted post-execution, the simulator can claim \((z_{\bar{b}}, c_{\bar{b}})\) was randomly sampled if \(m_{\bar{b}}=0\), else provide the randomness as \((r_{\bar{b}}, s_{\bar{b}})\) if \(m_{\bar{b}}=1\). Adversary cannot decrypt \(m_{\bar{b}}\) from \(c_{\bar{b}}\) since \(T_1^{r_{\bar{b}}}\) makes \(c_{\bar{b}} \) pseudorandom due to DDH assumption.

Thus, our new protocol is secure against semi-adaptive corruptions of parties. Next, we use the transformation of [5] to make it adaptively secure using augmented \(\textsf {NCE}\). The receiver generates an \(\textsf {NCE}\) key pair \((\textsf {pk}_b, \textsf {sk})\) corresponding to his input bit b. He samples another \(\textsf {NCE}\) public key \(\textsf {pk}_{\bar{b}}\) obliviously for bit \(\bar{b}\). He sends these two public keys to the sender. The sender additively secret shares his inputs:

$$m_0 = x_0 \oplus y_0, m_1 = x_1 \oplus y_1.$$

He runs the semi-adaptive OT protocol with inputs \((x_0, x_1)\) and encrypts \(y_0\) and \(y_1\) using \(\textsf {pk}_0\) and \(\textsf {pk}_1\) respectively.

$$e_0 = \textsf {NCE}.\textsf {Enc}(\textsf {pk}_0, y_0), e_1 = \textsf {NCE}.\textsf {Enc}(\textsf {pk}_1, y_1).$$

The sender sends the semi-adaptive OT messages and \((e_0, e_1)\) to the receiver. The honest receiver obtains \(x_b\) from the OT and \(y_b\). A corrupt receiver can obtain \(y_{\bar{b}}\) in addition, if he sampled \((\textsf {pk}_{\bar{b}}, \textsf {sk}_{\bar{b}})\) using the \(\textsf {NCE}.\textsf {Gen}\) algorithm. Our final protocol is secure against adaptive corruption of both parties. Consider the setting where both parties are honest initially and the simulator has to construct their view. The adaptive simulator runs the semi-adaptive simulator for the underlying semi-adaptive OT with static corruption of sender and adaptive corruption of receiver. The honest sender algorithm is run with inputs \((x_0, x_1)\), sampled as random bits. Suppose the sender gets corrupted first in post-execution then \(e_0\) and \(e_1\) can be equivocated s.t. \(y_0 = x_0 \oplus m_0\) and \(y_1 = x_1 \oplus m_1\). Indistinguishability proceeds due to the \(\textsf {NCE}\) property. Next, when the receiver gets corrupted the simulator obtains b. He uses the adaptive simulator for receiver in the semi-adaptive OT. The simulator also uses the inverse samplability property of the \(\textsf {NCE}\) to claim that \(\textsf {pk}_b\) was generated honestly and \(\textsf {pk}_{\bar{b}}\) obliviously. If the receiver gets corrupted first, then the receiver’s simulation doesn’t change. For the sender side, the simulator sets \(y_b = x_b \oplus m_b\). Later, when sender gets corrupted and simulator obtains \(m_{\bar{b}}\) the simulator equivocates \(e_{\bar{b}}\) s.t. \(y_{\bar{b}}= x_{\bar{b}} \oplus n_{\bar{b}}\). Indistinguishability proceeds since the adversary does not posses the secret key \(\textsf {sk}_{\bar{b}}\) as \(\textsf {pk}_{\bar{b}}\) was supposed to be obliviously sampled. As a result, the simulator successfully equivocates \(e_{\bar{b}}\). More details of our protocol can be found in Sect. 6.

3.4 Non-interactive Commitment with Adaptive Security

As an independent result, we prove that the first (i.e. receiver’s) message of any two-round 1-out-of-\(\mathcal {M}\) receiver equivocal OT can be considered as an UC-secure non-interactive commitment to receiver’s input. It can also withstand adaptive corruption of the parties involved in the commitment scheme. The committer \(\textsf {C} \) commits to his message \(b \in \mathcal {M}\) (where \(\mathcal {M}\) is the message space for the commitment) as c by invoking the receiver algorithm on choice b with randomness \(\alpha \). Decommitment follows by providing the randomness \(\alpha \) for the receiver’s OT message.

We can show that the commitment scheme satisfies the properties of an UC commitment- binding, hiding, extractable and equivocal, by relying on the security of the underlying receiver equivocal OT protocol. Binding of the commitment follows from sender security as a corrupt receiver cannot produce different randomness \(\alpha '\) s.t. c can be used to decrypt \(m_{\bar{b}}\) (where \(m_i\) is \(\textsf {S} \)’s ith message for \(i \in \mathcal {M}\)) where \(\bar{b} \in \mathcal {M}\) and \(\bar{b}\ne b\). Hiding of b is ensured from the OT security guarantees for an honest receiver against a corrupt sender. A corrupter committer’s input b is extracted by running the extraction algorithm of the OT simulator for a corrupt receiver. Finally, the commitment can be opened correctly by running the simulator (who is playing the role of honest OT receiver) and its equivocation algorithm (when receiver gets corrupted adaptively in post-execution). The commitment scheme is also secure against adaptive corruption as the simulator (for the honest committer in the commitment scheme) can always produce randomness \(\alpha '\), which is consistent with message b, by running the adaptive simulator for the OT.

When we compile our \(\pi _{\textsf {reOT-CRS}}\) protocol with this result, we obtain a non-interactive commitment \(c=(B, H)= (g^\alpha T_1^m, h^\alpha T_2^m)\) for \(\text {polylog}(\kappa )\) bit messages using four exponentiations and communication of two group elements. We can only commit to \(\text {polylog}(\kappa )\)-bit messages or messages from \(\text {poly}(\kappa )\)-sized message space \(\mathcal {M}\) since our PPT simulator runs in \(\mathcal {O}(|\mathcal {M}|)\) time to extract a corrupt receiver’s input by matching the following condition for each \(i \in \mathcal {M}\):

$$\text {if } \frac{H}{T_2^i} {\mathop {=}\limits ^{?}} \left( \frac{B}{T_1^i}\right) ^x \text { output } i.$$

Our detailed transformation from a receiver equivocal OT to an adaptive commitment can be found in Sect. 7.

Fig. 4.

Adaptively secure oblivious transfer in the global programmable random oracle model

4 Oblivious Transfer in the Global Random Oracle Model

In Sect. 4.1, we first show an efficient 2-round OT in the Global programmable RO model secure against adaptive adversaries. Then, we present a set of optimizations that can bring the efficiency at par with the Simplest OT by Chou and Orlandi [18] while requiring only one simultaneous round. In Sect. 4.2, we will show how to adapt our protocol to work in the global observable RO model but with only static security.

4.1 Adaptively Secure OT in the Global Programmable RO Model

As we have discussed in details the main intuition behind our protocol in Sect. 3.1, we will proceed to the full description. Our protocol \(\pi _{\textsf {aOT-GPRO}}\) in the PRO model is presented in Fig. 4. Security of our protocol has been summarized in Theorem 1 and the full proof can be found in [15].

Theorem 1

Assuming the Decisional Diffie-Hellman holds in group \(\mathbb {G}\), then \(\pi _{\textsf {aOT-GPRO}}\) UC-securely implements \(\mathcal {F}_{\textsf {OT}}\) functionality in presence of adaptive adversaries in the global programmable random oracle model.

Fig. 5.

Fully optimized random oblivious transfer with one simultaneous round

Practical Optimizations. The above OT protocol requires computing 9 exponentiations and communication of 3 group elements and 3 strings of length \(\kappa \) for one OT. However, the sender can reuse r, s for multiple instances of the OT protocol. Let \(B_i\) and \(H_i\) be the receiver’s message for the i-th OT instance. The sender will compute his OT message by reusing \(T_1^r, T_2^s\) and z. He can compute \(c_{i, 0} = \mathcal {F}_\textsf {GRO2}\left( \mathsf {sid}, i, B^rH^s\right) \oplus m_{i, 0}\) and \(c_{i, 1} = \mathcal {F}_\textsf {GRO2}\left( \mathsf {sid}, i, \left( \frac{B}{T_1}\right) ^r \left( \frac{H}{T_2}\right) ^s\right) \oplus m_{i, 1}\).

This reduces the overhead to 5 exponentiations and communication of 2 group elements and 2\(\kappa \) bit strings in the amortized setting. Our second observation is that many practical use of OT depends on OT extension [31] which in turn needs a base OT protocol on random messages, namely random OT. In the random OT variant of our OT protocol, the sender’s messages will be random pads \((p_0, p_1)\) where \(p_0 = \mathcal {F}_\textsf {GRO2}\left( \mathsf {sid}, B^rH^s\right) \) and \(p_1 = \mathcal {F}_\textsf {GRO2}\left( \mathsf {sid}, \left( \frac{B}{T_1}\right) ^r \left( \frac{H}{T_2}\right) ^s\right) \).

Fig. 6.

Statically secure oblivious transfer in the observable random oracle model

The receiver obtains \(p_b = \mathcal {F}_\textsf {GRO2}(\mathsf {sid}, z^\alpha )\) as output. In such a case, the receiver needs to send (B, H) for each OT and the sender only needs to send \(z=g^rh^s\), which can be reused for multiple OT instances. One can observe that the sender’s and receiver’s messages are independent of each other and depends only on (g, h). Thus, we can consider a setup consisting of a global \(\text {CRS} = (g, h)\) and a global programmable RO. The receiver computes (B, H) and sends it to the sender. Simultaneously, the sender can compute z and send it over to the receiver; thus resulting in a non-interactive random OT which requires 5 exponentiations and communication of 2 group elements per OT. This protocol is also secure against mauling attacks by a rushing adversary, who can either corrupt the sender or the receiver. A corrupt receiver can break security only if \((g, h, T_1, T_2)\) is a DDH tuple where \((g, h, T_1)\) is the \(\text {CRS} \); which occurs with negligible probability due to CDH assumption. Security against a corrupt sender is ensured by programming the GRO s.t. the tuple is a DDH tuple. In such a case \(\textsf {R} \)’s message, i.e. (B, H), perfectly hides \(\textsf {R} \)’s input. Indistinguishability of the tuple follows from DDH.

Our protocol \(\pi _{\textsf {aROT-GPRO}}\) is presented in Fig. 5. To compute n OTs, we only need \(4+5n\) exponentiations and communication of \(2n+1\) group elements and one \(\kappa \)-bit string. In contrast, the state-of-the-art OT extension protocol (from PRO based OT) of [36] requires 6n exponentiations and requires sending 4n group elements. The protocol of [21] requires lesser computation but they need 5 rounds of interaction for their OT. Thus, our protocol will outperform them in WAN setting where interaction is expensive.

4.2 Statically Secure OT in the Global Observable RO Model

The work of [37] has shown a separation between programmable RO and non-programmable RO. Therefore, we show how to change our protocol to work with an observable GRO. Our protocol is statically secure and has the same computation and communication overhead as the GPRO-based protocol, except now the parties need to compute one NIZKPoK each. We present the GORO-based OT protocol \(\pi _{\textsf {sOT-GORO}}\) in Fig. 6.

The only difference from the PRO-based scheme lies in the generation of the \(\text {CRS} \) and the OT parameters. The \((T_1, T_2)\) is generated by invoking \(\mathcal {F}_\textsf {GRO1}\) on \(\textsf {seed}\). The other group element h is generated by \(\textsf {R} \) and he also produces an NIZKPoK of x s.t. \(h=g^x\). We perform this because the simulator for a corrupt receiver needs the knowledge of x to extract the receiver’s input, which would not be possible if all three elements were generated using the ORO. However, this limits the possibility of extracting a corrupt sender’s input by programming the RO to return a DDH tuple. So, the sender is required to produce an NIZKPoK of r and s. This allows the simulator for a corrupt sender to extract r and s; thus extracting the input messages of the corrupt sender. The rest of the proof follows from the static security proof of our PRO-based scheme Security is summarized in Theorem 2 and the full proof can be found in [15].

Theorem 2

Assuming the Decisional Diffie-Hellman holds in group \(\mathbb {G}\), then \(\pi _{\textsf {sOT-GORO}}\) UC-securely implements \(\mathcal {F}_{\textsf {OT}}\) functionality in presence of static adversaries in the observable random oracle model.

We would like to point out that NIZK is known to be impossible in the ORO model [38]. However, we only need a relaxed NIZK and allow programming the RO in the security reduction while the simulator is restricted only to the observability feature. Such a relaxation is also utilized to circumvent the impossibility of NIZKs in ORO domain in prior related work [21].

Our protocol needs 5 exponentiations and communication of 2 group elements and two \(\kappa \)-bit strings. In addition, we require a one-time computation of 2 NIZKPoKs and 5 exponentiations and one-time communication of 2 group elements and \(\kappa \) bits. The only other 2 round GORO-based OT protocol is a feasibility result by [10].

Fig. 7.

Oblivious transfer secure against adaptive receiver corruption

5 Receiver Adaptively Secure OT in the \(\text {CRS} \) Model

In this section, we replace our use of GRO in \(\pi _{\textsf {aOT-GPRO}}\) by a common random string (CRS). Such a relaxation in the setup assumption results in degradation of the security and efficiency of the protocol. We lose security against adaptive corruption of sender, resulting in a receiver-equivocal OT which is secure against adaptive corruption of receiver. The computation overhead also increases to 9 exponentiations and 5 group elements as the sender’s randomness cannot be reused for multiple instances of the OT protocol as it will leak the individual sender messages from the OT messages. The intuition of our protocol has been discussed in Sect. 3.2 and Fig. 7 gives a detailed description of our protocol. The \(\text {CRS} \) consists of 3 group elements \(\text {CRS} =(g, h, T_1)\) and it requires to satisfy two properties for the security to hold.

Properties of CRS. The \(\text {CRS} \) for the subprotocols should satisfy the following two properties:

• Property 1: Given \((g, h, T_1)\) it should be computationally infeasible to obtain a \(T_2\) s.t. \((g, h, T_1, T_2)\) is a DDH tuple. This is ensured in our protocol since an adversary computing such a \(T_2\) (i.e. the tuple is DDH) can be used to break the CDH assumption in a blackbox manner by invoking it in a OT session. The CDH adversary will set the \(\text {CRS} \) s.t. \((h, T_1)\) is the CDH challenge and it will return \(T_2\) as the CDH response.

• Property 2: Given a simulated tuple \((g, h, T_1, T_2)\), where \(T_2=h^t\) and \(T_1=g^t\), it should be indistinguishable from a random tuple. An adversary who can distinguish the tuples can be used to break the DDH assumption. The DDH adversary forwards the DDH challenge tuple as the tuple to this adversary and forwards the answer of this adversary as the DDH answer. In addition, or simulation purposes we provide the simulator with the trapdoors- (x, t) for the \(\text {CRS} =(g, h, T_1)\) s.t. \(h=g^x\) and \(T_1=g^t\).

We require the first property for arguing security against a statically corrupt receiver. Given the \(\text {CRS} \) the corrupt receiver should not be able to set it in the equivocal mode. It will be in the extractable mode to ensure extraction of receiver’s input. On the other hand, if the receiver is honest, then the simulated receiver can set the \(\text {CRS} \) in the equivocal by using Property 2. This allows extracting both messages of the sender and simulate the honest receiver’s view during post-execution corruption. Security of our protocol is summarized in Theorem 3 and the full proof can be found in [15].

Theorem 3

Assuming the Decisional Diffie-Hellman holds in group \(\mathbb {G}\), then \(\pi _{\textsf {reOT-CRS}}\) UC-securely implements \(\mathcal {F}_{\textsf {OT}}\) functionality in presence of a statically corrupted sender and an adaptively corrupted receiver in the common random string model.

5.1 Efficient Static OT

We can further optimize our protocol \(\pi _{\textsf {reOT-CRS}}\) for static corruption by removing \(T_2\) from the protocol and henceforth renaming \(T_1\) to T. In \(\pi _{\textsf {reOT-CRS}}\), the element \(T_2\) was required solely for the purpose of equivocating receiver’s view. Our modified protocol \(\pi _{\textsf {sOT-CRS}}\) is presented in Fig. 8. This gives us a two-round static OT in the common random string model which computes 8 exponentiations and communicates 5 group elements. This outperforms the state-of-the-art [40] protocol which requires 11 exponentiations and communication of 6 group elements to obtain a two-round static OT in the common reference string model.

Fig. 8.

Static oblivious transfer in the CRS model

Fig. 9.

Semi-adaptively secure oblivious transfer

Fig. 10.

Adaptively secure oblivious transfer from semi-adaptively secure OT protocol using augmented \(\textsf {NCE}\) by [5]

6 Adaptively Secure Oblivious Transfer in the \(\text {CRS} \) Model

Our protocol \(\pi _{\textsf {reOT-CRS}}\) presented in the previous section is only secure against adaptive corruption of receiver. In this section, we make it secure against full adaptive corruption. In the overview section we constructed a semi-adaptive protocol first and then applied the [5] transformation using an augmented \(\textsf {NCE}\) to obtain our final protocol. See Sect. 3.3 for a high-level introduction. We first present our semi-adaptive OT protocol in Fig. 9 and then we present our complete protocol in Fig. 10.

6.1 Semi-adaptively Secure OT

We first present our semi-adaptive OT \(\pi _{\textsf {saOT-CRS}}\) protocol in Fig. 9. Security of our protocol is summarized in Theorem 4 and the full proof can be found in [15].

Theorem 4

Assuming the Decisional Diffie-Hellman holds in group \(\mathbb {G}\), then \(\pi _{\textsf {saOT-CRS}}\) UC-securely implements \(\mathcal {F}_{\textsf {OT}}\) functionality in presence of semi-adaptively corrupted malicious parties in the common random string model.

Fig. 11.

Adaptively secure non-interactive commitment from \(\pi _{\textsf {reOT-CRS}}= (\textsf {OT} _1, \textsf {OT} _2)\)

6.2 Obtaining Full Adaptive Security

Next, we apply the transformation of [5] to obtain our adaptively secure OT protocol \(\pi _{\textsf {aOT-CRS}}\) from our semi-adaptively secure OT protocol \(\pi _{\textsf {saOT-CRS}}\) in the augmented \(\textsf {NCE}\) model. For completeness we have presented the [5] transformation in Fig. 10 and it is summarized in Theorem 5.

Theorem 5

[5] Assuming \(\pi _{\textsf {saOT-CRS}}\) is a two-round semi-adaptively secure OT protocol and \(\textsf {NCE}\) is an augmented non-committing encryption scheme then protocol \(\pi _{\textsf {aOT-CRS}}\) UC-securely implements \(\mathcal {F}_{\textsf {OT}}\) functionality in presence of adaptively corrupted malicious parties in the common random string model.

Assuming DDH, \(\pi _{\textsf {saOT-CRS}}\) (Fig. 9) is a semi-adaptively secure OT from 4. Upon instantiating the \(\textsf {NCE}\) by the DDH-based augmented \(\textsf {NCE}\) scheme of [16] we obtain an adaptively secure bit-OT scheme from DDH. Thus, we can solely construct our adaptively secure OT from DDH.

Theorem 6

Assuming DDH assumption holds, our protocol \(\pi _{\textsf {aOT-CRS}}\) (Fig. 10) UC-securely implements \(\mathcal {F}_{\textsf {OT}}\) functionality in presence of adaptively corrupted malicious parties in the common random string model.

Efficiency. Our final protocol requires 11 exponentiations and communication of 7 group elements. One of the group element, i.e. \(T_2\) can be reused. In addition, it requires communicating 2 augmented \(\textsf {NCE}\) public keys and computing augmented \(\textsf {NCE}\) encryptions of 2 bits. We can instantiate our \(\textsf {NCE}\) scheme using the DDH-based protocol of [16] which computes \(\mathcal {O}(1)\) exponentiations and communicates \(\mathcal {O}(\kappa )\) bits for encrypting each bit. This yields the first two round adaptively secure bit-OT which has constant communication and computation overhead.

In contrast, the only other two round adaptive OT protocol of [5] uses communication-intensive tools like equivocal garbled circuits communicating \(\text {poly}(\kappa )\) bits. They also incur a computation overhead of \(\mathcal {O}(\kappa ^2)\) exponentiations.

Fig. 12.

Adaptively secure non-interactive commitment in the CRS model

7 Adaptively Secure Non-Interactive Commitment in the \(\text {CRS} \) Model

In this section, we present a transformation from any two-round receiver equivocal OT to a non-interactive adaptive commitment scheme. The high-level description can be found in Sect. 3.4. Let \(\pi _{\textsf {reOT-CRS}}= (\textsf {OT} _1, \textsf {OT} _2)\) denote a two-round receiver equivocal OT, where both \(\textsf {OT} _1\) and \(\textsf {OT} _2\) are PPT algorithms: \(\textsf {OT} _1\) outputs the receiver’s OT message c and internal state \(\textsf {st} \). Then our commitment to message \(b \in \mathcal {M}\) with randomness \(\alpha \) will be c where \(\{c, \textsf {st} \} = \textsf {OT} _1(b; \alpha ).\) The decommitment for c will be \((b, \alpha )\). The verifier \(\textsf {V} \) runs \(\textsf {OT} _1\) algorithm on \((b, \alpha )\) to check the validity of the decommitment. Our protocol is presented in Fig. 11 and the security is summarized in Theorem 7. The proof of the theorem can be found in [15].

Theorem 7

Assuming that \(\pi _{\textsf {reOT-CRS}}= (\textsf {OT} _1, \textsf {OT} _2)\) is a secure receiver equivocal OT, in the CRS model, then our protocol \(\pi _{\textsf {aCOM-CRS}}\) (Fig. 11) UC-securely implements \(\mathcal {F}_\textsf {COM}\) functionality against adaptive adversaries in the CRS model.

7.1 Concrete Instantiation and Efficiency

We apply our DDH-based receiver equivocal OT in Fig. 7 to the above compiler and get a concretely efficient adaptive commitment as shown in Fig. 12. It requires four exponentiations and communicating two group elements for committing to a \(\text {polylog}(\kappa )\) bit message in the common random string model. Decommitment incurs similar computation overhead and communicating the message and a field element. This gives us the first adaptive string commitment with a constant number of exponentiations and \(\mathcal {O}(\kappa )\) communication. The current state of the art non-interactive protocols with adaptive security [1, 2, 9, 11] are all bit commitments. Moreover, our protocol also supports additive homomorphism which can be verified as \(\textsc {Commit}(m_1; \alpha _1) + \textsc {Commit}(m_2; \alpha _2) = \textsc {Commit}(m_1 + m_2 ; \alpha _1 + \alpha _2)\).

8 Results in the Single \(\text {CRS} \) Model

In this section, we replace the per-session local \(\text {CRS} \) with a single “master” random string \(\text {sCRS} \) that can be reused by multiple pairs of parties for multiple sessions. Specifically, the parties will use the master random string \(\text {sCRS} \) to generate a per-session \(\text {CRS}- (g, h, T_1)\) and will then use the protocol from the previous section with that \(\text {CRS} \). We present our multi-session OT and multi-session commitment functionalities \(\mathcal {F}_{\textsf {mOT}}\) and \(\mathcal {F}_\textsf {COM}\) in Figs. 13 and 14 respectively. For simplicity, we will describe \(\mathcal {F}_{\textsf {mOT}}\) and the same holds true for \(\mathcal {F}_\textsf {mCOM}\). The parties participate in one session, with id \(\mathsf {sid}\), which implements \(\mathcal {F}_{\textsf {mOT}}\). One of the parties intializes the session by invoking Initialization with the list \(\textsf {L}\) of all the subsession ids. Then each subsession consists of multiple instances of \(\mathcal {F}_{\textsf {OT}}\) between a specific pair of parties with unique roles. This is ensured by considering a counter j alongwith subsession id \(\mathsf {ssid}\) in the functionality.

While implementing the functionalities, each subsession is associated with a unique \(\ell \)-bit identifier, which we call the sub-session id \(\mathsf {ssid}\). The \(\mathsf {ssid}\) may contain the identities of the two parties, as well as additional information that makes the session unique. Each participant will locally compute the session-specific reference string from the master reference string and the \(\mathsf {ssid}\). We assume that the \(\mathsf {ssid}\) strings are generated by the environment \(\mathcal {Z}\) before seeing the \(\text {sCRS} \) by invoking the Initialization phase with a list \(\textsf {L}\) of subsession ids through a party. The master random string \(\text {sCRS} \) will contain (g, h) and \(2\ell \) random group elements- \((u_{i, 0}, u_{i, 1})\) for \(i \in [\ell ]\):

$$\text {sCRS} = \Bigg [ (g, h), \{u_{i, 0}, u_{i, 1}\}_{i \in [\ell ]}\Bigg ]$$

Fig. 13.

The ideal functionality \(\mathcal {F}_{\textsf {mOT}}\) for multi-session oblivious transfer

Fig. 14.

The ideal functionality \(\mathcal {F}_\textsf {COM}\) for multi-session commitment scheme

The random string \(\text {CRS} _\mathsf {ssid}\) for some \(\mathsf {ssid}\) will consist of \((g, h, T_1)\), where \(\mathsf {ssid}_i\) denotes the ith bit of \(\mathsf {ssid}\) and \(T_1\) is constructed as follows:

$$T_1 = \varPi _{i \in [\ell ]}u_{i, \mathsf {ssid}_{i}}.$$

Once the \(\text {CRS} _\mathsf {ssid}\) for the session is computed, the parties run protocol \(\pi _{\textsf {aOT-CRS}}\) from Sect. 6 (for OT), or protocol \(\pi _{\textsf {COM-DDH}}\) from Sect. 7 (for Commitment), using \(\text {CRS} _\mathsf {ssid}\) as the reference string for the session. For security reasons, we need \(\ell = 2\kappa \) as the security degrades by a factor \(\frac{|\textsf {L}|^2}{2^\ell } \). In [15] we demonstrate that \(\text {CRS} _\mathsf {ssid}\) satisfies the two properties (Sect. 5) that are required for arguing security of each OT/commitment in the subsessions.

On Statically Chosen List \(\textsf {L}\) of \(\mathsf {ssid}\)s. We require that the subsession ids be chosen by the environment \(\mathcal {Z}\) before seeing \(\text {sCRS} \). This has been ensured since \(\mathcal {Z}\) has to invoke the Initialization phase (in Figs. 13 and 14) with a list \(\textsf {L}\) of subsession ids through a party. This allows us to construct an adversary for CDH (or DDH) from an adversary who breaks the security of property 1 (or 2) of \(\text {CRS} _\mathsf {ssid}\). The reduction works by modifying the \(\text {sCRS} \) and planting an instance of CDH/DDH in one of the subsessions based on the coresponding \(\mathsf {ssid}\). Instead, if we allowed \(\mathcal {Z}\) to adaptively choose the subsession ids after accessing \(\text {sCRS} \), then the reduction fails. It would require guessing the subsession id since the adversary chooses the subsession id adaptively. There are \(2^\ell \) possible subsession ids, where \(|\mathsf {ssid}|=\ell = \mathcal {O}(\kappa )\). Thus, the reduction succeeds only with negligible probability. We leave it as an interesting open question to obtain such protocols where we allow the environment to adaptively choose the subsession ids after seeing \(\text {sCRS} \).

8.1 Adaptively Secure OT in the sCRS Model

We obtain a two round adaptively secure OT protocol in \(\text {sCRS} \) model where in each subsession \(\mathsf {ssid}\) the parties run \(\pi _{\textsf {aOT-CRS}}\) using \(\text {CRS} _\mathsf {ssid}\). Our OT protocol and its security proof can be found in [15].

Theorem 8

Assuming that \(\pi _{\textsf {aOT-CRS}}\) implements \(\mathcal {F}_{\textsf {OT}}\) in the local \(\text {CRS} \) model, then there exists an OT protocol that UC-securely implements \(\mathcal {F}_{\textsf {mOT}}\) functionality (Fig. 13) against adaptive adversaries in the \(\text {sCRS} \) model.

8.2 Adaptively Secure Non-interactive Commitment in the sCRS Model

We obtain a non-interactive adaptively secure commitment scheme in \(\text {sCRS} \) model. In each subsession \(\mathsf {ssid}\) the parties run \(\pi _{\textsf {COM-DDH}}\) with \(\text {CRS} _\mathsf {ssid}\). The commitment scheme and its security proof can be found in [15].

Theorem 9

Assuming \(\pi _{\textsf {COM-DDH}}\) implements \(\mathcal {F}_\textsf {COM}\) in local \(\text {CRS} \) model, then there exists a non-interactive commitment protocol that UC-securely implements \(\mathcal {F}_\textsf {mCOM}\) functionality (Fig. 14) against adaptive adversaries in \(\text {sCRS} \) model.

8.3 Adaptively Secure MPC in the sCRS Model

We discuss our two round adaptively-secure MPC protocol \(\pi \) in the \(\text {sCRS} \) model.

Theorem 10

Let \(\pi '\) be a two round adaptively secure MPC protocol in the \((\mathcal {F}_{\textsf {OT}}, \mathcal {F}_\textsf {COM})\) model. Then \(\pi \) is a two round adaptively secure MPC protocol in the \(\text {sCRS} \) model.

Proof

By applying Theorem 8 and Theorem 9 we obtain an OT and commitment protocol that implements \(\mathcal {F}_{\textsf {mOT}}\) and \(\mathcal {F}_\textsf {mCOM}\) functionality in \(\text {sCRS} \) model. Multiple sessions of \(\mathcal {F}_{\textsf {OT}}\) is simulated given access to a session of \(\mathcal {F}_{\textsf {mOT}}\). Each session of \(\mathcal {F}_{\textsf {OT}}\) with session id s is simulated as a subsession with id s in \(\mathcal {F}_{\textsf {mOT}}\). Similarly, each session of \(\mathcal {F}_\textsf {COM}\) with session id \(s'\) is simulated as a subsession with id \(s'\) in \(\mathcal {F}_\textsf {mCOM}\).

Two round adaptively secure MPC protocol \(\pi '\) in the \((\mathcal {F}_{\textsf {OT}}, \mathcal {F}_\textsf {COM})\) model can be obtained from [5]. They compiled a N-party malicious constant-round adaptively secure MPC protocol \(\pi ''\) into a 2 round N-party malicious constant-round adaptively secure MPC protocol \(\pi '\), in the presence of \(\mathcal {F}_{\textsf {OT}}\). The work of [13] obtained \(\pi ''\) in the \(\mathcal {F}_\textsf {COM}\) and \(\mathcal {F}_{\textsf {ZK}}\) by applying the adaptive malicious transformation of [11] on the semi-honest constant round MPC protocol obtained from equivocal garbled circuits. Finally, \(\mathcal {F}_{\textsf {ZK}}\) is implemented by [9] in the presence of adaptive corruptions in the \(\mathcal {F}_\textsf {COM}\)-model.