On BlackBox Complexity of Universally Composable Security in the CRS Model
 9 Citations
 1.4k Downloads
Abstract

Static UC Secure Computation. Designing the first static UC secure oblivious transfer protocol based on publickey encryption and standalone semihonest oblivious transfer. As a corollary we obtain the first blackbox constructions of UC secure computation assuming only tworound semihonest oblivious transfer.

Onesided UC Secure Computation. Designing adaptive UC secure twoparty computation with single corruptions assuming publickey encryption with oblivious ciphertext generation.

Adaptive UC Secure Computation. Designing adaptively secure UC commitment scheme assuming only publickey encryption with oblivious ciphertext generation. As a corollary we obtain the first blackbox constructions of adaptive UC secure computation assuming only (trapdoor) simulatable publickey encryption (as well as a variety of concrete assumptions).
We remark that such a result was not known even under nonblackbox constructions.
Keywords
UC secure computation Blackbox constructions Oblivious transfer UC commitments1 Introduction
Secure multiparty computation enables a set parties to mutually run a protocol that computes some function f on their private inputs, while preserving a number of security properties. Two of the most important properties are privacy and correctness. The former implies data confidentiality, namely, nothing leaks by the protocol execution but the computed output. The later requirement implies that no corrupted party or parties can cause the output to deviate from the specified function. It is by now well known how to securely compute any efficient functionality [2, 4, 24, 45, 50] in various models and under the stringent simulationbased definitions (following the ideal/real paradigm). Security is typically proven with respect to two adversarial models: the semihonest model (where the adversary follows the instructions of the protocol but tries to learn more than it should from the protocol transcript), and the malicious model (where the adversary follows an arbitrary polynomialtime strategy), and feasibility results are known in the presence of both types of attacks. The initial model considered for secure computation was of a static adversary where the adversary controls a subset of the parties (who are called corrupted) before the protocol begins, and this subset cannot change. In a stronger corruption model the adversary is allowed to choose which parties to corrupt throughout the protocol execution, and as a function of its view; such an adversary is called adaptive.
These feasibility results rely in most cases on standalone security, where a single set of parties run a single execution of the protocol. Moreover, the security of most cryptographic protocols proven in the standalone setting does not remain intact if many instances of the protocol are executed concurrently [40]. The strongest (but also the most realistic) setting for concurrent security is known by Universally Composable (UC) security [4]. This setting considers the execution of an unbounded number of concurrent protocols in an arbitrary and adversarially controlled network environment. Unfortunately, standalone secure protocols typically fail to remain secure in the UC setting. In fact, without assuming some trusted help, UC security is impossible to achieve for most tasks [7, 8, 40]. Consequently, UC secure protocols have been constructed under various trusted setup assumptions in a long series of works; see [1, 5, 10, 14, 34, 38] for few examples.

Blackbox Usage: A construction is blackbox if it refers only to the input/output behavior of the underlying primitives.

Nonblackbox Usage: A construction is nonblack box if it uses the code computing the functionality of the underlying primitives.
Typically, nonblackbox constructions have been employed to demonstrate feasibility and derive the minimal assumptions required to achieve cryptographic tasks. An important theoretical question is whether or not nonblackbox usage of the underlying primitive is necessary in a construction. Besides its theoretical importance, obtaining blackbox constructions is related to efficiency as an undesirable effect of nonblackbox constructions is that they are typically inefficient and unlikely to be implemented in practice. Fortunately, a recent line of works [25, 26, 32, 47] has narrowed the gap between what is achievable via nonblackbox and blackbox constructions under minimal assumptions.
More relevant to our context, the work of Ishai, Prabhakaran and Sahai [33] provided the first blackbox constructions of UC secure protocols assuming only oneway functions in a model where all parties have access to an ideal oblivious transfer (OT) functionality. Orthogonally, Choi et al. [12] provided a compiler that transforms any semihonest OT to a protocol that is secure against malicious static adversaries in the standalone (i.e. not UC) while assuming that all parties have access to the ideal commitment functionality. In the adaptive setting, the work of Choi et al. provides a transformation from adaptively secure semihonest oblivious transfer to one that is secure in the stronger UC setting against malicious adaptive adversaries while assuming that all parties have access to the ideal commitment functionality. In essence, these works provide blackbox constructions, however, they fall short of identifying the necessary minimal general computational assumptions in the UC setting.
Loosely speaking, a UC commitment scheme [7] is a fundamental building block in secure computation which is defined in two phases: in the commit phase a committer commits to a value while keeping it hidden, whereas in the decommit phase the committer reveals the value that it previously committed to. In addition to the standard binding and hiding security properties that any commitment must adhere, commitment schemes that are secure in the UC framework must allow straightline extraction (where a simulator should be able to extract the content of any valid commitment generated by the adversary) and straightline equivocation (where a simulator should be able to produce many commitments for which it can later decommit to both 0 and 1). We stress that even security in the static setting requires some notion of equivocation. Due to these rigorous requirements, it has been a real challenge to design blackbox constructions of UC secure commitment schemes.
In the context of realizing the UC commitments in the CRS model, Damgård and Nielsen introduced the notion of mixedcommitments in [16]. This construction requires a CRS that is linear in the number of parties and can be instantiated under the Nresiduosity and psubgroup hardness assumptions. In the global CRS model (where a single CRS is introduced for any number of executions), the only known constructions are by Damgård and Groth [15] based on the Strong RSA assumption and Lindell [42] based on the DDH assumption, where the former construction guarantees security in the adaptive setting whereas the later construction provides static security.
Another fundamental building block in secure computation which has been widely studied is oblivious transfer [21, 49]. Semihonest tworound oblivious transfer can be constructed based enhanced trapdoor permutations [21] and smooth projective hashing [28], and concretely under Discrete DiffieHellman (DDH) [46]. Tworound protocols with malicious UC security are presented in the influential paper by Peikert et al. [48] that presents a blackbox framework in the common reference string (CRS) model for oblivious transfer, based on dualmode publickey encryption (PKE) schemes, which can be concretely instantiated under the DDH, quadratic residuosity and Learning with Errors (LWE) hardness assumptions. In a followup work [13], the authors present UC oblivious transfer constructions in the global CRS model assuming DDH, Nresiduosity and the Decision Linear Assumption (DLIN). As pointed out in [13], the [48] constructions require a distinct CRS per party. In the context of adaptive UC oblivious transfer protocols, the works of [12] and [22] give constructions in the UC commitment hybrid model where they additionally rely on an assumption that implies adaptive semihonest oblivious transfer.
It is worth noting that while the works of [48] and [13] provide abstractions of their assumptions, the assumptions themselves are not general enough to help understand the minimal assumptions required to achieve static UC security. In particular, when restricting attention to blackbox constructions based on general assumptions, the stateoftheart literature seems to indicate that achieving UC security in most trusted setup models reduces to constructing two apparently incomparable primitives: semihonest oblivious transfer and UC commitment schemes. This leaves the following important question open:
What are the minimal (general) assumptions required to construct UC secure protocols, given only blackbox access to the underlying primitives?
We note that this question is already well understood in the static setting when relaxing the blackbox requirement. Namely, in [18] Damgård, Nielsen and Orlandi showed how to construct UC commitments assuming only semihonest oblivious transfer in the global CRS model, while additionally assuming a preprocessing phase where the parties participate in a roundrobin manner^{1}. More recently, Lin, Pass and Venkitasubramaniam [39] improved this result by removing any restricted preprocessing phase. In the same work the authors showed how to achieve UC security in the global CRS model assuming only the existence of semihonest oblivious transfer. In particular, this construction shows that static UC security can be achieved without assuming UC commitments when relying on nonblackbox techniques.
In the standalone (i.e. not UC) setting, assuming only the existence of semihonest oblivious transfer [26, 27, 32] show how to construct secure multiparty computation protocols while relying on the underlying primitives in a blackbox manner. More recently, [12] provided blackbox constructions that are secure against static adversaries, again, in the standalone setting, where all parties have access to an ideal commitment functionality (cf. Proposition 1 in [12]). The latter construction achieves a stronger notion of straightline simulation, however falls short of achieving static UC security (see more details in Sect. 3).
In the adaptive setting, the only work that considers a single general assumption that implies adaptive UC security using nonblackbox techniques is the result due to DachmanSoled et al. [14], that shows how to obtain adaptive UC commitments assuming simulatable PKE. Moreover, the best known general assumptions required to achieve blackbox UC security are adaptive semihonest oblivious transfer and UC commitments [12, 17]. Known minimal general assumptions that are required to construct these primitives are (trapdoor) simulatable PKE for adaptive semihonest oblivious transfer [11] and mixed commitments for UC commitments [17].
1.1 Our Results
In this paper we present a thorough study of blackbox UC secure computation in the CRS model; details follow.
Static UC Secure Computation. Our first result is given in the static setting, where we demonstrate the feasibility of UC secure computation based on semihonest oblivious transfer and extractable commitments. More concretely, we prove how to transform any statically semihonest secure oblivious transfer into one that is secure in the presence of malicious adversaries, giving only blackbox access to the underlying semihonest oblivious transfer protocol. Our approach is inspired by the protocols from [27] and [37], where we observe that it is not required to use the full power of static UC commitments. Instead, we employ a weaker primitive that only requires straightline input extractability. Interestingly, we prove that this weaker notion of security, denoted by extractable commitments [44], can be realized based on any CPA secure PKE. More precisely, we prove the following theorem.
Theorem 11
(Informally). Assuming the existence of PKE and semihonest oblivious transfer, then any functionality can be realized in the CRS model with static UC security, where the underlying primitives are accessed in a blackbox manner.
We remark here that this theorem makes a significant progress towards reducing the general assumptions required to construct UC secure protocols. Previously, the only general assumptions based on which we knew how to construct UC secure protocols were mixedcommitments [16] and dualmode PKE [48] both of which were tailormade for the particular application. Towards understanding the required minimal assumptions, we recall the work Damgård and Groth in [15] who showed that the existence of UC commitments in the CRS model implies a standalone key agreement protocol. Moreover, under blackbox constructions, the seminal work of Impagliazzo and Rudich [31] implies that key agreement cannot be based on oneway functions. Thus, there is reasonable evidence to believe that some publickey primitive is required for UC commitments. In that sense, our assumption regarding PKE is close to being optimal. Nevertheless, it is unknown whether the semihonest oblivious transfer assumption is required.
Our result is shown in two phases. At first we compile the semihonest oblivious transfer protocol into a new protocol with intermediate security properties in the presence of malicious adversaries. This transformation is an extension of the [27] transformation that is only proven for bit oblivious transfer, whereas our proof works for string oblivious transfer. Next, we use the transformed oblivious transfer protocol in order to construct a maliciously fully secure oblivious transfer. By combining our oblivious transfer with the [33] protocol we obtain a statically generic UC secure computation.
An important corollary is deduced from the work by Gertner et al. [23], who provided a blackbox construction of PKE based on any tworound semihonest oblivious transfer protocol. Specifically, the combination of their result with ours implies the following corollary, which demonstrates that tworound semihonest oblivious transfer is sufficient in the CRS model to achieve blackbox constructions of UC secure protocols.
Corollary 12
(Informally). Assuming the existence of tworound semihonest oblivious transfer, then any functionality can be UC realized in the CRS model, where the oblivious transfer is accessed in a blackbox manner.
Implications. In what follows, we make a sequence of interesting observations that are implied by our result in the static UC setting.

The important result by Canetti, Lindell, Ostrovsky and Sahai [9] presents the first nonblackbox constructions of static UC secure protocols assuming enhanced trapdoor permutations. In fact, their result can be extended assuming only PKE with oblivious ciphertext generation (which is PKE with the special property that a ciphertext can be obliviously sampled without the knowledge of the plaintext, and can be further realized using enhanced trapdoor permutation). In that sense, our result, assuming PKE with oblivious ciphertext generation, can be viewed as an improvement of [9] when relying on this primitive in a blackbox manner.

The pair of works by Damgard, Nielsen and Orlandi [18] and Lin, Pass and Venkitasubramaniam [39] demonstrate that nonblackbox constructions of UC commitments, and more generally static UC secure computation, can be achieved in the CRS model assuming only semihonest oblivious transfer. In comparison, our result shows that tworound semihonest oblivious transfer protocols are sufficient for obtaining blackbox UC secure computation in the CRS model. Note that most semihonest oblivious transfer protocols anyway require only tworound of communication, e.g., [21].

In [38, 39], Lin, Pass and Venkitasubramaniam provided a unified framework for constructing UC secure protocols in any “trustedsetup” model. Their result is achieved by capturing the minimal requirement that implies UC computations in the setup model. More precisely, they introduced the notion of a UC puzzle and showed that any setup model that admits a UC puzzle can be used to securely realize any functionality in the UC setting, while additionally assuming the existence of semihonest oblivious transfer. Moreover, they showed how to easily construct such puzzles in most models. We remark that our approach can be viewed as providing a framework to construct blackbox UC secure protocols in other UC models. More precisely, we show that any setup model that admits the extractable commitment functionality can be used to securely realize any functionality assuming the existence of semihonest oblivious transfer. In fact, our result easily extends to the chosen key registration authority (KRA) model [1], where it is assumed the existence of a trusted authority that samples public key, secret key pairs for each party, and broadcasts the public key to all parties. We leave it for future work to instantiate our framework in other setup models.

The fact that our construction only requires PKE and semihonest oblivious transfer allows an easy translation of static UC security to various efficient implementations under a wide range of concrete assumptions. Specifically, both PKE and (tworound) semihonest oblivious transfer can be realized under RSA, factoring Blum integers, LWE, DDH, Nresiduosity, psubgroup and coding assumptions. This is compared to prior results that could be based on the later five assumptions [13, 19, 20, 48].

Recently, Maji, Prabhakaran, and Rosulek [44] initiated the study of the cryptographic complexity of secure computation tasks, while characterizing the relative complexity of a task in the UC setting. Specifically, they established a zeroone law that states that any task is either trivial (i.e., it can be reduced to any other task), or complete (i.e., to which any task can be reduced to), where a functionality \(\mathcal{F}\) is said to reduce to another functionality \(\mathcal{G}\), if there is a UC secure protocol for \(\mathcal{F}\) using ideal access to \(\mathcal{G}\). More precisely, they showed that assuming the existence of semihonest oblivious transfer, every finite twoparty functionality is either trivial or complete. While their main theorem relies on the minimal assumption of semihonest oblivious transfer, their use of the assumption is nonblackbox and they leave it as an open problem to achieve the same while relying on oblivious transfer in a blackbox manner. Our result makes progress towards establishing this.
In more details, their highlevel approach is to identify complete functionalities using four categories, namely, (1) \(\mathcal{F}_{\scriptscriptstyle \mathrm {XOR}}\) that abstracts a XORtype functionality, (2) \(\mathcal{F}_{\scriptscriptstyle \mathrm {CC}}\) that abstracts a simple cutandchoose functionality, (3) \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\) the oblivious transfer functionality, and (4) \(\mathcal{F}_{\scriptscriptstyle \mathrm {COM}}\) the commitment functionality. They then show that each category can be used to securely realize any computational task^{2}. Among these reductions, functionalities \(\mathcal{F}_{\scriptscriptstyle \mathrm {XOR}}\) and \(\mathcal{F}_{\scriptscriptstyle \mathrm {CC}}\) rely on oblivious transfer in a nonblackbox way. In this work we improve the reduction of functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {CC}}\). That is, we obtain this improvement by showing that the extractable commitment functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\) and semihonest oblivious transfer can be used in a blackbox way to realize functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\), and combine this with a reduction presented in [44] that reduces \(\mathcal{F}_{\scriptscriptstyle \mathrm {CC}}\) to the \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\) functionality in a blackbox way.
Theorem 13
(Informally). Assuming the existence of PKE with oblivious ciphertext generation, then any twoparty functionality can be realized in the CRS model with onesided adaptive UC security and blackbox access to the PKE.
Adaptive UC Secure Computation. Our last result is in the strongest corruption setting, where any number of parties can be adaptively corrupted. Here we design a new adaptively secure UC commitment scheme under the assumption of PKE with oblivious ciphertext generation, which is the first construction that achieves the stronger notion of adaptive security based on this hardness assumption. Our construction makes a novel usage of such a PKE together with ReedSolomon codes, where the polynomial shares are encrypted using the PKE with oblivious ciphertext generation. Pluggingin our UC commitment protocol into the transformation of [12] that generates adaptive malicious oblivious transfer given adaptive semihonest oblivious transfer and UC commitments, implies an adaptively UC secure oblivious transfer protocol with malicious security based on semihonest adaptive oblivious transfer and PKE with oblivious ciphertext generation, using only blackbox access to the semihonest oblivious transfer and the PKE. That is,
Theorem 14
(Informally). Assuming the existence of PKE with oblivious ciphertext generation and adaptive semihonest oblivious transfer, then any functionality can be realized in the CRS model with adaptive UC security, where the underlying primitives are accessed in a blackbox manner.
We further recall the work of Choi et al. [11] that shows that the weakest general known assumption that is required to construct adaptively secure semihonest oblivious transfer is trapdoor simulatable PKE. Now, since such an encryption scheme admits PKE with oblivious ciphertext generation, we obtain the following corollary that unifies the two assumptions required to achieve adaptive UC security.
Corollary 15
Assuming the existence of (trapdoor) simulatable PKE, then any functionality can be realized in the CRS model with adaptive UC security and blackbox access to the PKE.
An additional interesting observation that is implied by our work is that our UC commitment scheme implies a construction that is secure in the adaptive setting when erasures are allowed, and under the weaker assumption of PKE. Specifically, instead of obliviously sampling ciphertexts in the commitment phase, the committer encrypts arbitrary plaintexts and then erases the plaintexts and randomness used for these computations. Our proof follows easily for this case as well. Combining our UC commitment scheme together with the semihonest with erasures OT from [41] and the transformation of [12], we obtain the following result
Theorem 16
(Informally). Assuming the existence of PKE and semihonest oblivious transfer secure against an adaptive adversary assuming erasures, then any functionality can be realized in the CRS model with adaptive UC security assuming erasures, where the underlying primitives are accessed in a blackbox manner.
Noting that OT secure against adaptive adversaries assuming erasures can be realized under assumptions sufficient for achieving the same with respect to the weaker static adversaries, this theorem shows that achieving UC security against adaptive adversaries in the presence of erasures does not require any additional assumption beyond what is required to secure against static adversaries.
Implications. Next, we specify a sequence of interesting observations that are implied by our result in the adaptive UC setting.

Previously, DachmanSoled et al. [14], showed that adaptive UC secure protocols can be constructed in the CRS model assuming the existence of simulatable PKE. Our result improves this result in terms of complexity assumptions by showing that trapdoor simulatable PKE is sufficient, and provides new constructions based on concrete assumptions that were not known before. Nevertheless, we should point out that while the work of DachmanSoled et al. is constructed in the global CRS model using a nonblackbox construction, our result provides a blackbox construction in a CRS model where the length of the reference string is linear in the number of parties.

Analogous to our result on static UC security, it is possible to extend this result to the chosen keyregistration authority (KRA) model, where we assume the existence of a trustedparty that samples public keys and secret keys for each party, and broadcasts the public key to all parties.

Importantly, this result provides the first evidence that adaptively secure UC commitment is theoretically easier to construct than standalone adaptively secure semihonest oblivious transfer. This is due to a separation from [43] (regarding static vs. adaptive oblivious transfer), that proves that adaptive oblivious transfer requires a stronger hardness assumption than enhanced trapdoor permutation.

Regarding concrete assumptions, previously, adaptive UC commitments without erasures were constructed based on Nresiduosity and psubgroup hardness assumptions [17] and Strong RSA [15]. On the other hand, our result demonstrates the feasibility of this primitive under DDH, LWE, factoring Blum integers and RSA assumptions. When considering adaptive corruption with erasures, the work of Blazy, et al. [3], extending the work of Lindell [42], shows how to construct highly efficient UC commitments based on the DDH assumption. On the other hand, assuming erasures, we are able to construct an adaptive UC commitment scheme based on any CPAsecure PKE.
2 Preliminaries
We denote the security parameter by n. We use the abbreviation PPT to denote probabilistic polynomialtime. We further denote by \(a\leftarrow A\) the random sampling of a from a distribution A, and by [n] the set of elements \(\{1,\ldots ,n\}\).
Definition 21

Indistinguishability of Oblivious and Real Ciphertexts. For any message m in the appropriate domain, consider the experiment \((\textsc {PK},\textsc {SK}) \leftarrow \mathsf {Gen}(1^n)\), \(c_1 \leftarrow \widetilde{\mathsf {Enc}}_{\textsc {PK}}(r_1)\), \(c_2 \leftarrow \mathsf {Enc}_{\textsc {PK}}(m;r_2)\), \(r'_1 \leftarrow \widetilde{\mathsf {Enc}}^{1}_\textsc {PK}(c_2)\).
Then, \((\textsc {PK},r'_1,c_1,m) \mathop {\approx }\limits ^\mathrm{c}(\textsc {PK},r_2,c_2,m)\).
To this end, we only employ PKE with perfect decryption. This merely simplifies the analysis and can be relaxed by using PKE with a negligible decryption error instead.
2.1 Oblivious Transfer
1outof2 oblivious transfer (OT) is an important functionality in the context of secure computation that is engaged between a sender \(\mathrm{Sen}\) and a receiver \(\mathrm{Rec}\); see Fig. 1 for the description of functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\). In this paper we are interested in reducing the hardness assumptions for general UC secure computation when using only blackbox access to the underlying cryptographic primitives, such as the semihonest OT. We use semihonest OT as a building block for designing UC secure protocols in both static and adaptive settings. In the static setting, we refer to the tworound protocol of [21] that is based on PKE with oblivious ciphertext generation (or enhanced trapdoor permutation). In the adaptive setting, we refer to the tworound protocol of [9] that is based on augmented noncommitting encryption scheme.
We next recall that any tworound semihonest OT implies PKE. We demonstrate that in two phases, starting with the claim that semihonest OT implies a key agreement (KA) protocol, where two parties agree on a secret key over a public channel. This statement has already been proven in [23] in the static setting, and holds for any number of rounds. The idea is simple, the parties execute an OT protocol where the party that plays the sender picks two random inputs \(s_0,s_1\), whereas the party that plays the receiver enters 0. Finally, the parties output \(s_0\) and security follows from the correctness and privacy of the OT. A simple observation shows that this reduction also holds in the adaptive setting. Namely, starting with an adaptive semihonest OT, the same reduction implies an adaptively secure KA (where the protocol communication must be consistent with respect to any key). Note that this reduction preserves the number of rounds, thus if the starting point is a tworound OT then the reduction implies a tworound KA. Next, a well established fact shows that in the static setting a tworound key agreement implies PKE (in fact, these primitives are equivalent). Formally,
Theorem 22
Assume the existence of tworound key agreement protocol with static security, then there exists INDCPA PKE.
Sender Private Oblivious Transfer. Sender privacy is a weaker notion than malicious security and only requires that the receiver’s input be hidden even against a malicious sender. It is weaker than malicious security in that it does not require a simulation of the malicious sender that extracts the sender’s inputs. In particular, we will only require that a malicious sender cannot distinguish the cases where the receiver’s input is 0 or 1. Formally stated,
Definition 23

\(\{\mathbf{View}_{\mathcal{A},\pi }[\mathcal{A}(1^n), \mathrm{Rec}(1^n,0)]\}_{n \in \mathbb {N}}\)

\(\{\mathbf{View}_{\mathcal{A},\pi }[\mathcal{A}(1^n), \mathrm{Rec}(1^n,1)]\}_{n \in \mathbb {N}}\)
We point out that sender privacy protects the receiver against a malicious sender and should be read as privacy against a malicious sender.
Defensibly Private Oblivious Transfer. The notion of defensible privacy was introduced by Haitner in [26, 27]. A defense in a twoparty protocol \(\pi = (P_1,P_2)\) execution is an input and random tape provided by the adversary after the execution concludes. A defense for a party controlled by the adversary is said to be good, if this party participated honestly in the protocol using this very input and random tape, then it would have resulted in the exact same messages that were sent by the adversary. In essence, this defense serves as a proof of honest behavior. It could very well be the case that an adversary deviates from the protocol in the execution but later provides a good defense. The notion of defensible privacy says that a protocol is private in the presence of defensible adversaries if the adversary learns nothing more than its prescribed output when it provides a good defense.
We informally describe the notion of good defense for a protocol \(\pi \); we refer to [27] for the formal definition. Let \({\mathsf {trans}}=(q_1,a_1,\ldots ,q_\ell ,a_\ell )\) be the transcript of an execution of a protocol \(\pi \) that is engaged between \(P_1\) and \(P_2\) and let \(\mathcal{A}\) denote an adversary that controls \(P_1\), where \(q_i\) is the ith message from \(P_1\) and \(a_i\) is the ith message from \(P_2\) (that is, \(a_i\) is the response for \(q_i\)). Then we say that (x, r) constitutes a good defense of \(\mathcal{A}\) relative to \({\mathsf {trans}}\) if the transcript generated by running the honest algorithm for \(P_1\) with input x and random tape r against \(P_2\)’s messages \(a_1,\ldots ,a_\ell \) results \({\mathsf {trans}}\).
The notion of defensible privacy can be defined for any secure computation protocol. Nevertheless, since we are only interested in oblivious transfer protocols, we present a definition below that is restricted to oblivious transfer protocols. The more general definition can be found in [27]. At a highlevel, an OT protocol is defensibly private with respect to a corrupted sender if no adversary interacting with an honest receiver with input b should be able to learn b, if at the end of the execution the adversary produces any good defense. Similarly, an OT protocol that is defensibly private with respect to malicious receivers requires that any adversary interacting with an honest sender with input \((s_0,s_1)\) should not be able to learn \(s_{1b}\), if at the end of the execution the adversary produces a good defense with input b. Below we present a variant of the definition presented in [27]. We stress that while the [27] definition only considers bit OT (i.e. sender’s inputs are bits) we consider string OT.
Definition 24
 1.
\(\{\varGamma (\mathbf{View}_{\mathcal{A}}[\mathcal{A}(1^n),\mathrm{Rec}(1^n,U)],U)\}\ \ \ \mathop {\approx }\limits ^\mathrm{c}\ \ \ \{\varGamma (\mathbf{View}_{\mathcal{A}}[\mathcal{A}(1^n),\mathrm{Rec}(1^n,U)],U')\}\), where \(\varGamma (v,*)\) is set to \((v,*)\) if following the execution \(\mathcal{A}\) outputs a good defense for \(\pi \), and \(\bot \) otherwise, and U and \(U'\) are independent random variables uniformly distributed over \(\{0,1\}\). This property is referred to as defensibly private with respect to a corrupted sender.
 2.
\(\{\varGamma (\mathbf{View}_{\mathcal{A}}[\mathrm{Sen}(1^n,(U^n_0,U^n_1)),\mathcal{A}(1^n)],U^n_{1b})\} \mathop {\approx }\limits ^\mathrm{c}\{\varGamma (\mathbf{View}_{\mathcal{A}}[\mathrm{Sen}(1^n,(U^n_0,U^n_1)),\mathcal{A}(1^n)],\bar{U}^n)\}\) where \(\varGamma (v,*)\) is set to \((v,*)\) if following the execution \(\mathcal{A}\) outputs a good defense for \(\pi \), and \(\bot \) otherwise, b is the \(\mathrm{Rec}\)’s input in this defense and \(U^n_0,U^n_1,\bar{U}^n\) are independent random variables uniformly distributed over \(\{0,1\}^n\). This property is referred to as defensibly private with respect to a corrupted receiver.
In our construction from Sect. 3, we will rely on an OT protocol that is sender private and defensibly private with respect to a corrupted receiver. In [27], Haitner et al. showed how to transform any semihonest bitOT to one that is defensibly private with respect to a corrupted receiver and malicious secure with respect to a corrupted sender. More formally, the following Lemma is implicit in the work of [27].
Lemma 21
(Implicit in Theorem 4.1 and Corollary 5.3 [27]). Assume the existence of a semihonest oblivious transfer protocol \(\pi \). Then there exists an oblivious transfer protocol \(\hat{\pi }\) that is defensibleprivate with respect to the receiver and sender private that relies on the underlying primitive in a blackbox manner.
Now, since sender privacy is implied by malicious security with respect to a corrupted sender, this transformation yields a bit OT protocol with the required security guarantees. Nevertheless, our protocol crucially relies on the fact that the underlying OT is a string OT protocol. We therefore show in the full version [30] how to transform any bit OT to a string OT protocol while preserving both defensible private with respect to a maliciously corrupted receiver and sender privacy.
At a highlevel, in order to convert any protocol from semihonest security to defensible privacy, Haitner et al. include a cointossing stage at the beginning of the protocol that determines the parties’ random tapes. In fact, they let the cointossing also determine the parties inputs as they only require OT secure with respect to random inputs for both the sender and receiver. Now, if the receiver has to provide a good defense, then it must reveal the input and randomness used for the semihonest OT protocol and prove consistency relative to the values generated in the cointossing stage. Due to the fact that the commitment schemes that are used in the cointossing stage are statisticallybinding, the probability that a malicious receiver can deviate from the protocol and provide a good defense is negligible. Using this fact, Haitner et al. argued that the probability that a malicious receiver outputs a good defense and guesses the other sender’s input is negligible. Next, to obtain sender private oblivious transfer they first transformed an OT protocol that is defensibleprivate against malicious receivers to one that is maliciously secure, and then exploited the symmetry of OT in order to obtain a protocol that is senderprivate. The first transformation relies on the cutandchoose approach to ensure that the receiver provides a valid defense, and then using the fact that defensible privacy hides the sender’s other input they argued that it is receiverprivate.
2.2 UC Commitment Schemes
2.3 Extractable Commitments
Our result in the static setting requires the notion of (static) extractable UC commitments, which is a weaker security property than UC commitments in the sense that it does not require equivocality. In what follows, we introduce the definition for the ideal functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\) from [44]. Towards introducing this definition, Maji et al. introduced some notions first. More concretely,
Definition 25

It is a two phase protocol between a sender and a receiver (using only plain communication channels).

At the end of the first phase (commitment phase), the sender and the receiver output a transcript \({\mathsf {trans}}\). Furthermore, the sender receives an output (which will be used for opening the commitment).

In the decommitment phase the sender sends a message \(\gamma \) to the receiver, who extracts an output value \(\mathsf{opening}({\mathsf {trans}},\gamma )\in \{0,1\}^n\cup \{\bot \}\).
Definition 26

\(\omega _R\) is a statistically binding commitment scheme (with standalone security).

In \(\omega _L\), at the end of the commitment phase the receiver outputs a string \(z\in \{0,1\}^n\). If the receiver is honest, it is only with negligible probability that there exists \(\gamma \) such that \(\mathsf{opening}({\mathsf {trans}},\gamma )\ne \bot \) and \(\mathsf{opening}({\mathsf {trans}},\gamma )\ne z\).
Implementing \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\) in the CRS Model. We briefly sketch how to implement the extractable commitment functionality in the \(\mathcal{F}_{\scriptscriptstyle \mathrm {CRS}}\)hybrid based on the CPAsecurity of any PKE. Namely, the CRS will be set to a publickey generated using the keygeneration function of the PKE scheme. To commit, a sender simply encrypts the message using the publickey in the CRS and sends the ciphertext to the receiver. We can achieve extraction by setting the CRS to a publickey for which the secretkey is available to the extractor (in this case, the extractor is the \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\) functionality). Hiding follows from the CPAsecurity of the encryption scheme. A formal description and proof of this construction can be found in the full version of this paper [30].
3 Static UC Secure Computation
In this section we prove the feasibility of UC secure computation based on semihonest OT and extractable commitments, where the latter can be constructed based on tworound semihonest OT (see Sects. 2.1 and 2.3 for more details). More concretely, we prove how to transform any statically semihonest secure OT into one that is secure in the presence of malicious adversaries, giving only blackbox access to the underlying semihonest OT protocol. Our protocol is a variant of the protocol by Lin and Pass from [37] (which in turn is a variant of the protocol of [27]). In particular, in [37], the authors rely on a strong variant of a commitment scheme known as a CCAsecure commitment in order to achieve extraction. We observe that it is not required to use the full power of such commitments, or for that matter UC commitments. Specifically, using a weaker primitive that only implies straightline input extractability enables to solely rely on semihonest OT. An important weakening in our commitment scheme compared to CCAsecure commitments from [37] is that we allow invalid commitments to be made by the adversary. We remark here that the work of [37] rely on string OT that are secure against malicious senders and state that the work of [26] provides a blackbox construction of such a protocol starting from a semihonest bit OT. However, the work of [26] only shows how to construct a bit OT secure against malicious senders where the proof crucially relies on the sender’s input being only bits. We provide a transformation and complete analysis from bit OT to a string OT for the weaker notion of defensible privacy as this is sufficient for our work. Finally, combining our UC OT protocol with the [33] protocol, we obtain a statically UC secure protocol for any wellformed functionality (see definition in [9]). Namely,
Theorem 31
Assume the existence of static semihonest oblivious transfer. Then for any multiparty wellformed functionality \(\mathcal{F}\), there exists a protocol that UC realizes \(\mathcal{F}\) in the presence of static, malicious adversaries in the \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\)hybrid model using blackbox access to the oblivious transfer protocol.
We remark here that the work of [12] shows how starting from a semihonest oblivious transfer it is possible to obtain a blackbox construction of an OT protocol that is secure against standalone static adversaries in the \(\mathcal{F}_{{\scriptscriptstyle \mathrm {COM}}}\)hybrid model. It is noted in [12] that the (highlevel) analysis provided in the work might be extendable to the UCsetting (cf. Footnote 10 in [12]). Furthermore, in the static setting, it is conceivable that \(\mathcal{F}_{{\scriptscriptstyle \mathrm {COM}}}\) can be directly realized in the \(\mathcal{F}_{{\scriptscriptstyle \mathrm {EXTCOM}}}\)hybrid using the notion of extractable trapdoor commitments [47]. We do not pursue this approach and instead directly realize OT in the \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\)hybrid. While the previous works of [12] and [27] require a three step transformation, our transformation is one shot and therefore more direct.
It seems possible to generalize our theorem to multisession functionalities. Analogous to [7], this will allows us to extend our corollaries to the Global CRS model by additionally assuming CCA encryption scheme and leave it as future work.
3.1 Static UC Oblivious Transfer
In the following, we discuss a secure implementation of the oblivious transfer functionality (see Fig. 1) with static, malicious security in the \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\)hybrid model (where \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\) is stated formally in Fig. 3). Our goal in this section is to show that the security of malicious UC OT can be based on UC semihonest OT, denoted by \(\pi ^{\scriptscriptstyle \mathrm {SH}}_{\scriptscriptstyle \mathrm {OT}}\), and extractable commitments. Our result is shown in two phases. At first we compile the semihonest OT protocol \(\pi _{\scriptscriptstyle \mathrm {OT}}^{\scriptscriptstyle \mathrm {SH}}\) into a new protocol with the security properties that are specified in Sect. 2.1, extending the [27] transformation into string OT; denote the compiled OT protocol by \(\widehat{\pi }_{\scriptscriptstyle \mathrm {OT}}\). Next, we use \(\widehat{\pi }_{\scriptscriptstyle \mathrm {OT}}\) in order to construct a new protocol \(\pi _{\scriptscriptstyle \mathrm {OT}}^{\scriptscriptstyle \mathrm {ML}}\) that is secure in the presence of malicious adversaries. Details follow,
Protocol 1 (Protocol \(\pi _{\scriptscriptstyle \mathrm {OT}}^{\scriptscriptstyle \mathrm {ML}}\) with Static Security)
Input: The sender \(\mathrm{Sen}\) has input \((v_0,v_1)\) where \(v_0,v_1\in \{0,1\}^n\) and the receiver \(\mathrm{Rec}\) has input \(u\in \{0,1\}\).
 1.Coin Tossing:

Receiver’s random tape generation: The parties use a coin tossing protocol in order to generate the inputs and random tapes for the receiver.

The receiver commits to 20n strings of appropriate length, denoted by \(a^1_\mathrm{Rec},\ldots ,a^{20n}_\mathrm{Rec}\), by sending \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\) the message \((\mathsf{commit}, sid, \widetilde{ssid_i}, a^i_\mathrm{Rec})\) for all \(i\in [n]\).

The sender responds with 20n random strings of appropriate length \(b^1_\mathrm{Rec},\ldots , b^{20n}_\mathrm{Rec}\).

The receiver computes \(r^i_\mathrm{Rec}= a^i_\mathrm{Rec}\oplus b^i_\mathrm{Rec}\) and then interprets \(r^i_\mathrm{Rec}= c_i  \tau ^i_\mathrm{Rec}\) where \(c_i\) determines the receiver’s input for the \(i^{th}\) OT protocol, whereas \(\tau ^i_\mathrm{Rec}\) determines the receiver’s random tape used for this execution.


Sender’s random tape generation: The parties use a coin tossing protocol in order to generate the inputs and random tapes for the sender.

The sender commits to 20n strings of appropriate length, denoted by \(a^1_\mathrm{Sen},\ldots ,a^{20n}_\mathrm{Sen}\), by sending \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\) the message \((\mathsf{commit}, sid, \widetilde{ssid'_i}, a^i_\mathrm{Sen})\) for all \(i\in [n]\).

The receiver responds with 20n random strings of appropriate length \(b^1_\mathrm{Sen},\ldots , b^{20n}_\mathrm{Sen}\).

The sender computes \(r^i_\mathrm{Sen}= a^i_\mathrm{Sen}\oplus b^i_\mathrm{Sen}\) and then interprets \(r^i_\mathrm{Sen}= s^0_i  s^1_i  \tau ^i_\mathrm{Sen}\) where \((s_i^0,s_i^1)\) determine the sender’s input for the \(i^{th}\) OT protocol, whereas \(\tau ^i_\mathrm{Sen}\) determines the sender’s random tape used for this execution.


 2.Oblivious Transfer:

The parties participate in 20n executions of the OT protocol \(\widehat{\pi }_{\scriptscriptstyle \mathrm {OT}}\) with the corresponding inputs and random tapes obtained from Stage 2. Let the output of the receiver in the \(i^{th}\) execution be \(\tilde{s_i}\).

 3.Cutandchoose:

\(\mathrm{Sen}\) chooses a random subset \(q_\mathrm{Sen}= (q^1_\mathrm{Sen},\ldots ,q^n_\mathrm{Sen}) \in \{1,\ldots ,20\}^n\) and sends it to \(\mathrm{Rec}\). The string \(q_\mathrm{Sen}\) is used to define a set of indices \(\varGamma _\mathrm{Sen}\subset \{1,\ldots ,20n\}\) of size n in the following way: \(\varGamma _\mathrm{Sen}= \{20iq^i_\mathrm{Sen}\}_{i\in [n]}\). The receiver then opens the commitments from Stage 1 that correspond to the indices within \(\varGamma _\mathrm{Sen}\), namely, the receiver decommits \(a^i_\mathrm{Rec}\) for all \(i \in \varGamma _\mathrm{Sen}\). \(\mathrm{Sen}\) checks that the decommitted values are consistent with the inputs and randomness used for the OTs in Stage 2 by the receiver, and aborts in case of a mismatch.

\(\mathrm{Rec}\) chooses a random subset \(q_\mathrm{Rec}= (q^1_\mathrm{Rec},\ldots ,q^n_\mathrm{Rec}) \in \{1,\ldots ,20\}^n\) and sends it to \(\mathrm{Sen}\). The string \(q_\mathrm{Rec}\) is used to define a set of indices \(\varGamma _\mathrm{Rec}\subset \{1,\ldots ,20n\}\) of size n in the following way: \(\varGamma _\mathrm{Rec}= \{20iq^i_\mathrm{Rec}\}_{i\in [n]}\). The sender then opens the commitments from Stage 1 that correspond to the indices within \(\varGamma _\mathrm{Rec}\), namely, the sender decommits \(a^i_\mathrm{Sen}\) for all \(i \in \varGamma _\mathrm{Rec}\). \(\mathrm{Rec}\) checks that the decommitted values are consistent with the inputs and randomness used for the OTs in Stage 2 by the sender, and aborts in case of a mismatch.

\(\mathrm{Rec}\) commits to another subset \(\varGamma \subset [20n]\) denoted by \((\varGamma ^1,\ldots ,\varGamma ^n)\), by sending \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\) the message \((\mathsf{commit}, sid, ssid'_i, \varGamma ^i)\) for all \(i\in [n]\). (The sender will reveal its inputs and randomness that are used in Stage 2 that correspond to the indices in \(\varGamma \) later in Stage 5.)

 4.Combiner:

Let \(\varDelta = [20n]  \varGamma _\mathrm{Rec} \varGamma _\mathrm{Sen}\). Then for every \(i \in \varDelta \), the receiver computes \(\alpha _i = u \oplus c_i\) and sends it to the sender.

The sender computes a 10noutof18n secret sharing of \(v_0\), denote the shares by \(\{\rho _i^0\}_{i \in \varDelta }\). Analogously, it computes a 10noutof18n secret sharing of \(v_1\), denote the shares by \(\{\rho _i^1\}_{i \in \varDelta }\). The sender computes \(\beta _i^b = \rho _i^b \oplus s_i^{b\oplus \alpha _i}\) for all \(b \in \{0,1\}\) and \(i \in \varDelta \), and sends the outcome to the receiver.

The receiver computes \(\tilde{\rho _i} = \beta _i^u\oplus \tilde{s_i}\) for all \(i\in \varDelta \). Denote by \(\rho \) these concatenated bits.

 5.Final cutandchoose:

The receiver decommits \(\varGamma \) and the sender sends the inputs and randomness it used in Stage 2 for the coordinates that correspond to \(\varDelta \cap \varGamma \). (Note that the sender need only reveal the indices that were not decommitted in Stage 3). \(\mathrm{Rec}\) checks that the sender’s values are consistent with the inputs and randomness used for the OTs in Stage 2 by the sender, and aborts in case of a mismatch.

The receiver checks whether \((\tilde{\rho }_i)_{i\in \varDelta }\) agrees with some codeword \(w \in \mathcal{W}_{18n,10n}\) on 17n locations (where the code \(\mathcal{W}_{18n,10n}\) is induced by the secret sharing construction that we use in Stage 4). Recall that the minimum distance of the code \(\mathcal{W}_{18n,10n}\) is at least \(18n10n > 8n\), which implies that there will be at most one such codeword w. Furthermore, since we can correct up to \(\frac{18n10n}{2} = 4n\) errors, any code that is 17n close to a codeword can be efficiently recovered using the BerlekampWelch algorithm. The receiver outputs that w as its output in the OT protocol. If no such w exists, the receiver returns a default value.

Theorem 32
Assume that \(\pi ^{\scriptscriptstyle \mathrm {SH}}_{\scriptscriptstyle \mathrm {OT}}\) is static semihonest secure and that the compiled \(\widehat{\pi }_{\scriptscriptstyle \mathrm {OT}}\) is secure according to Lemma 21. Then Protocol 1 UC realizes \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\) in the presence of static malicious adversaries in the \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\)hybrid model using blackbox access to the oblivious transfer protocol.
Recalling that our protocol relies on the existence of semihonest OT and extractable commitments, and that the later can be constructed based on any tworound semihonest OT, e.g., [21], which implies PKE (see Sects. 2.1 and 2.3 for more details), an immediate corollary from Theorem 32 implies that,
Corollary 33
Assume the existence of tworound static semihonest oblivious transfer. Then there exists a protocol that securely realizes \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\) in the presence of static malicious adversaries in the CRS model using blackbox access to the oblivious transfer protocol.

If the receiver obtains more than 10n shares of both inputs then the simulator halts and outputs \({\mathsf {fail}}\) (we prove in Section [30] that this event only occurs with negligible probability).

If the receiver obtains less than 10n shares of both inputs then the simulator picks two random values for \(v_0\) and \(v_1\) of the appropriate length and completes the interaction, playing the role of the honest sender on these values. Note that in this case the simulator does not need to call the ideal functionality.

Finally, if the receiver obtains more than 10n shares for only one input \(u\in \{0,1\}\), then the simulator sends u to the ideal functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\) and obtains \(v_u\). The simulator then sets \(v_{1u}\) as a random string of the appropriate length and completes the interaction by playing the role of the honest sender on these values.
Recall that the only difference between the simulation and the real execution is in the way the messages in Stage 4 are generated. Specifically, in the simulation a value u is extracted from the malicious receiver and then fed to the \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\) functionality. The simulation is then completed based on the output returned from the functionality. Intuitively, the cutandchoose mechanism ensures that the receiver cannot deviate from the honest strategy in Stage 2 in more than n OT sessions without getting caught with overwhelming probability. Moreover, the defensible privacy of the OT protocol implies that the receiver can learn at most one of the two inputs of the sender relative to the OT executions in Stage 2 for which the receiver proceeded honestly.

Let \(w_0\) and \(w_1\) denote the corresponding codewords (if there are no such codewords that agree with with \(v_0\) and \(v_1\) on 16n locations then the simulator uses a default codeword instead). Next, the simulator checks \(w_0\) and \(w_1\) against the final cutandchoose. If any of the shares from \(w_b\) are inconsistent with the opened shares that are opened by the sender in the final cutandchoose, then \(v_b\) is set to a default value, otherwise \(v_b\) is the value corresponding to the shared secret.
Finally, the simulator sends \((v_0,v_1)\) to the ideal functionality for \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\). Security in this case is reduced to the privacy of the receiver. In addition, the difference between the simulation’s strategy and the honest receiver’s strategy is that the simulator extracts the sender’s both inputs in all \(i \in \varDelta \varPhi \) and then finds codewords that are 16nclose to the extracted values, whereas the honest receiver finds a codeword that is 17nclose based on the inputs it received in the Stages 2 and 5, and returns it. We thus prove that the value u extracted by the simulator is identical the to the reconstructed output of the honest receiver relying on the properties of the secret sharing scheme.
4 OneSided Adaptive UC Secure Computation
In the twoparty onesided adaptive setting, at most one of the parties is adaptively corrupted [29, 35]. In this section we provide a simple transformation of our static UC secure protocol from Sect. 3 to a twoparty UCsecure protocol that is secure against onesided adaptive corruption. Our first observation is that in Protocol 1 the parties use their real inputs to the OT protocol only in Phase 4. Therefore simulation of the first three phases can be easily carried out by simply following the honest strategy. On the other hand, simulating messages in Phase 4 requires some form of equivocation since if corruption takes place after this phase is concluded then the simulator needs to explain this message with respect to the real input of the corrupted party. On a highlevel we will transform the protocol so that if no party is corrupted until end of Phase 4, the simulator can equivocate the message in Phase 4. We explain how to achieve equivocation later. First, we describe our simulator: In case either party is statically corrupted the simulation for Protocol 1 follows the strategy of the honest party until Phase 4, where the simulator extracts the corrupted party’s input relying on the fact that it knows the adversary’s committed input in Phase 1. Therefore, the same proof follows in case the adversary adaptively corrupts one of the parties at any point before Phase 4, as the simulator can pretend that corruption took place statically. On the other hand, if corruption takes place after Phase 4, then the simulator equivocates the communication. It is important to note that while in the plain model any statically secure protocol can be compiled into onesided secure protocol by encrypting its entire communication, it is not clear that this is the case in the UC setting due to the additional setup, e.g., a CRS that may depend on the identity of the corrupted party. Nevertheless, in Phase 4 the parties only run a combiner for which the computation does not involve any usage of the CRS (which is induced by the extractable commitment). Therefore, the proof follows.
A common approach to achieve equivocation is to rely on noncommitting encryption schemes (NCE) [6, 11, 16], that allow secure communication in the presence of adaptive attacks. This powerful tool has been constructed while relying on (a variant of) simulatable PKE schemes, which, roughly speaking, allows for both the publickey and the ciphertexts to be generated obliviously without the knowledge of the plaintext or the secret key [11, 16]. Notably, these constructions achieve a stronger notion of security where both parties may be adaptively corrupted (also referred to as fully adaptive). Our second observation is that it is sufficient to rely on a weaker variant of NCE, namely, one that is secure against only onesided adaptive corruption.
In particular, we take advantage of a construction presented in [6] and later refined in [16], that achieves receiver equivocation under the assumption of semihonest OT. We will briefly describe it now. Recall that in the fully adaptive case, the highlevel idea is for the sender and receiver to mutually agree on a random bit, which is then used by the sender to determine which of two random strings to mask its message. The process of agreeing on a bit requires the ability to both obliviously sample a publickey without the knowledge of the secret key, as well as the ability to obliviously sample a ciphertext without the knowledge of the corresponding plaintext. In the simpler onesided scenario, Canetti et al. observed that an oblivious transfer protocol can replace the oblivious generation of the publickey. Specifically, the NCE receiver sends two public keys to the sender, and then the parties invoke an OT protocol where the NCE receiver plays the role of the OT sender and enters the corresponding secret keys. To allow equivocation for the NCE sender, the OT must enable equivocation with respect to the OT receiver. The [21] OT protocol is an example for such a protocol. Here the OT receiver can pick the two ciphertexts so that it knows both plaintexts. Then equivocation is carried out by declaring that the corresponding ciphertext is obliviously sampled.
The advantage of this approach is that it removes the requirement of generating the public key obliviously, as now the randomness for its generation is split between the parties, where anyway only one of them is corrupted. This implies that the simulator can equivocate the outcome of the protocol execution without letting the adversary the ability to verify it. To conclude, it is possible to strengthen the security of Protocol 1 into the onesided setting by simply encrypting the communication within the combiner phase using onesided NCE which in turn can be constructed based on PKE with oblivious ciphertext generation. This implies the following theorem which further implies blackbox onesided UC secure computation from enhanced trapdoor permutation.
Theorem 41
Assume the existence of PKE with oblivious ciphertext generation. Then for any twoparty wellformed functionality \(\mathcal{F}\), there exists a protocol that UC realizes \(\mathcal{F}\) in the presence of onesided adaptive, malicious adversaries in the CRS model using blackbox access to the PKE.
5 Adaptive UC Secure Computation
In this section we demonstrate the feasibility of UC secure commitment schemes based on PKE with oblivious ciphertext generation (namely, where it is possible to obliviously sample the ciphertext without knowing the plaintext). Our construction is secure even in the presence of adaptive corruptions and is the first to achieve the stronger notion of adaptive security based on this hardness assumption. Pluggingin our UC commitment protocol into the transformation of [12] that generates adaptive malicious OT given adaptive semihonest OT and UC commitments, implies an adaptively UC secure oblivious transfer protocol with malicious security based on semihonest adaptive OT and PKE with oblivious ciphertext generation using only blackbox access to the semihonest OT and the PKE. Stating formally,
Theorem 51
Assume the existence of adaptive semihonest oblivious transfer and PKE with oblivious ciphertext generation. Then for any multiparty wellformed functionality \(\mathcal{F}\), there exists a protocol that UC realizes \(\mathcal{F}\) in the presence of adaptive, malicious adversaries in the CRS model using blackbox access to the oblivious transfer protocol and the PKE.
Noting that simulatable PKE implies both semihonest adaptive OT [9, 11] and PKE with oblivious ciphertext generation, we derive the following corollary (where simulatable PKE implies oblivious sampling of both public keys and ciphertexts),
Corollary 52
Assume the existence of simulatable PKE. Then for any multiparty wellformed functionality \(\mathcal{F}\), there exists a protocol that UC realizes \(\mathcal{F}\) in the presence of adaptive, malicious adversaries in the CRS model using blackbox access to the simulatable PKE.
This in particular improves the result from [14] that relies on simulatable PKE in a nonblackbox manner. Note also that our UC commitment can be constructed using a weaker notion than simulatable PKE where the inverting algorithms can require a trapdoor. This notion is denoted by trapdoor simulatable PKE [11] and can be additionally realized based on the hardness assumption of factoring Blum integers. This assumption, however, requires that we modify our commitment scheme so that the CRS includes \(3n+1\) public keys of the underlying PKE instead of just one, as otherwise the reduction to the security of the PKE does not follow for multiple ciphertexts. Specifically, at the cost of linear blowup (in the security parameter) of the CRS, we obtain adaptively secure UC commitments under a weaker assumption. Now, since trapdoor simulatable PKE implies adaptive semihonest OT [11] it holds,
Corollary 53
Assume the existence of trapdoor simulatable PKE. Then for any multiparty wellformed functionality \(\mathcal{F}\), there exists a protocol that UC realizes \(\mathcal{F}\) in the presence of adaptive, malicious adversaries in the CRS model using blackbox access to the trapdoor simulatable PKE.
Note that, since the best known general assumptions for realizing adaptive semihonest OT is trapdoor simulatable PKE, this corollary gives evidence that the assumptions for adaptive semihonest OT are sufficient for adaptive UC security and makes a step towards identifying the minimal assumptions for achieving UC security in the adaptive setting. To conclude, we note that enhanced trapdoor permutations, which imply PKE with oblivious ciphertext generation, imply the following corollary,
Theorem 54
Assume the existence of enhanced trapdoor permutation. Then \(\mathcal{F}_{\scriptscriptstyle \mathrm {COM}}\) (cf. Fig. 2) can be UC realized in the CRS model in the presence of adaptive malicious adversaries.
5.1 UC Commitments from PKE with Oblivious Ciphertext Generation
Theorem 55
Assume that \(\varPi =(\mathsf {Gen},\mathsf {Enc},\mathsf {Dec},\widetilde{\mathsf {Enc}}, \widetilde{\mathsf {Enc}}^{1})\) is a PKE with oblivious ciphertext generation. Then protocol \(\pi _{\scriptscriptstyle \mathrm {COM}}\) (cf. Fig. 4) UC realizes \(\mathcal{F}_{\scriptscriptstyle \mathrm {COM}}\) in the CRS model in the presence of adaptive malicious adversaries.
A High Level Proof. Intuitively, security requires proving both hiding and binding in the presence of static and adaptive corruptions. The hiding property follows from the INDCPA security of the encryption scheme combined with the fact that the receiver only sees n shares in a noutof\(3n+1\) secretsharing of the message in the commit phase. On the other hand, proving binding is much more challenging and reduces to the facts that a corrupted sender cannot successfully predict exactly the n indices from \(\{1,\ldots ,3n+1\}\) that will be chosen in the cointossing protocol. In fact, if it can identify these n indices, then it would be possible for the adversary to break binding. An important informationtheoretic argument that we prove here is that for a fixed encoding phase, no adversary can equivocate on two continuations from the encoding phase with different outcomes of the cointossing phase. Saying differently, for any given encoding phase there is exactly one outcome for the cointossing phase that will allow equivocation. Given this claim, binding now follows from the INDCPA security of the encryption scheme used in the cointossing phase. In addition, recall that in the UC setting the scheme must also support a simulation that allows straightline extraction and equivocation. At a highlevel, the simulator sets the CRS to publickeys for which it knows the corresponding secretkeys. This will allow the simulator to extract all the values encrypted by the adversary. We observe that the simulator can fix the outcome of the cointossing phase to any nindices of its choice by extracting the random string \(\sigma _0\) encrypted by the receiver and choosing a random string \(\sigma _1\) so that \(\sigma _0 \oplus \sigma _1\) is a particular string. Next, the simulator generates secretsharing for both 0 and 1 so that they overlap in the particular n shares. To commit, the simulator encrypts the n common shares within the n indices to be revealed (which it knows in advance), and for the rest of the indices it encrypts two shares, one that corresponds to the sharing of 0 and the other that corresponds to the sharing of 1. Finally, in the decommit phase, the simulator reveals that shares that correspond to the real message m, and exploits the invertible sampling algorithm to prove that the other ciphertexts were obliviously generated.
Footnotes
 1.
In such a preprocessing phase, it is assumed that at most one party is allowed to transmit messages in any round.
 2.
Where it suffices to realize the \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\) functionality as it is known to be complete [36].
 3.
We note that while in the plain model any statically secure protocol can be compiled into onesided secure protocol by encrypting its entire communication using onesided NCE, it is not the case in the UC setting due to the additional setup.
References
 1.Barak, B., Canetti, R., Nielsen, J.B., Pass, R.: Universally composable protocols with relaxed setup assumptions. In: FOCS, pp. 186–195 (2004)Google Scholar
 2.Beaver, D.: Foundations of secure interactive computing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 377–391. Springer, Heidelberg (1992) Google Scholar
 3.Blazy, O., Chevalier, C., Pointcheval, D., Vergnaud, D.: Analysis and improvement of Lindell’s UCsecure commitment schemes. In: Jacobson, M., Locasto, M., Mohassel, P., SafaviNaini, R. (eds.) ACNS 2013. LNCS, vol. 7954, pp. 534–551. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 4.Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: FOCS, pp. 136–145 (2001)Google Scholar
 5.Canetti, R., Dodis, Y., Pass, R., Walfish, S.: Universally composable security with global setup. IACR Cryptology ePrint Archive 2006, 432 (2006)Google Scholar
 6.Canetti, R., Feige, U., Goldreich, O., Naor, M.: Adaptively secure multiparty computation. In: STOC, pp. 639–648 (1996)Google Scholar
 7.Canetti, R., Fischlin, M.: Universally composable commitments. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 19–40. Springer, Heidelberg (2001) CrossRefGoogle Scholar
 8.Canetti, R., Kushilevitz, E., Lindell, Y.: On the limitations of universally composable twoparty computation without setup assumptions. J. Cryptol. 19(2), 135–167 (2006)zbMATHMathSciNetCrossRefGoogle Scholar
 9.Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.:Universally composable twoparty and multiparty secure computation. In: STOC, pp. 494–503 (2002)Google Scholar
 10.Canetti, R., Pass, R., Shelat, A.:Cryptography from sunspots: how to use an imperfect reference string. In: FOCS, pp. 249–259 (2007)Google Scholar
 11.Choi, S.G., DachmanSoled, D., Malkin, T., Wee, H.: Improved noncommitting encryption with applications to adaptively secure protocols. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 287–302. Springer, Heidelberg (2009) CrossRefGoogle Scholar
 12.Choi, S.G., DachmanSoled, D., Malkin, T., Wee, H.: Simple, blackbox constructions of adaptively secure protocols. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 387–402. Springer, Heidelberg (2009) CrossRefGoogle Scholar
 13.Choi, S.G., Katz, J., Wee, H., Zhou, H.S.: Efficient, adaptively secure, and composable oblivious transfer with a single, global CRS. In: PKC, pp. 73–88 (2013)Google Scholar
 14.DachmanSoled, D., Malkin, T., Raykova, M., Venkitasubramaniam, M.: Adaptive and concurrent secure computation from new adaptive, nonmalleable commitments. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 316–336. Springer, Heidelberg (2013) CrossRefGoogle Scholar
 15.Damgård, I., Groth, J.: Noninteractive and reusable nonmalleable commitment schemes. In: STOC, pp. 426–437 (2003)Google Scholar
 16.Damgård, I.B., Nielsen, J.B.: Improved noncommitting encryption schemes based on a general complexity assumption. In: Bellare, M. (ed.) CRYPTO 2000. LNCS, vol. 1880, pp. 432–450. Springer, Heidelberg (2000) CrossRefGoogle Scholar
 17.Damgård, I.B., Nielsen, J.B.: Perfect hiding and perfect binding universally composable commitment schemes with constant expansion factor. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 581–596. Springer, Heidelberg (2002) CrossRefGoogle Scholar
 18.Damgård, I., Nielsen, J.B., Orlandi, C.: On the necessary and sufficient assumptions for UC computation. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 109–127. Springer, Heidelberg (2010) CrossRefGoogle Scholar
 19.David, B., Dowsley, R., Nascimento, A.C.A.: Universally composable oblivious transfer based on a variant of LPN. In: Gritzalis, D., Kiayias, A., Askoxylakis, I. (eds.) CANS 2014. LNCS, vol. 8813, pp. 143–158. Springer, Heidelberg (2014) Google Scholar
 20.David, B.M., Nascimento, A.C.A., MüllerQuade, J.: Universally composable oblivious transfer from lossy encryption and the McEliece assumptions. In: Smith, A. (ed.) ICITS 2012. LNCS, vol. 7412, pp. 80–99. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 21.Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. Commun. ACM 28(6), 637–647 (1985)MathSciNetCrossRefGoogle Scholar
 22.Garay, J.A., Wichs, D., Zhou, H.S.: Somewhat noncommitting encryption and efficient adaptively secure oblivious transfer. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 505–523. Springer, Heidelberg (2009) CrossRefGoogle Scholar
 23.Gertner, Y., Kannan, S., Malkin, T., Reingold, O., Viswanathan, M.: The relationship between public key encryption and oblivious transfer. In: FOCS, pp. 325–335 (2000)Google Scholar
 24.Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or A completeness theorem for protocols with honest majority. In: STOC, pp. 218–229 (1987)Google Scholar
 25.Goyal, V., Lee, C.K., Ostrovsky, R., Visconti, I.: Constructing nonmalleable commitments: a blackbox approach. In: FOCS, pp. 51–60 (2012)Google Scholar
 26.Haitner, I.: Semihonest to malicious oblivious transfer—the blackbox way. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 412–426. Springer, Heidelberg (2008) CrossRefGoogle Scholar
 27.Haitner, I., Ishai, Y., Kushilevitz, E., Lindell, Y., Petrank, E.: Blackbox constructions of protocols for secure computation. SIAM J. Comput. 40(2), 225–266 (2011)Google Scholar
 28.J. Cryptol. Smooth projective hashing and twomessage oblivious transfer. 25(1), 158–193 (2012)Google Scholar
 29.Hazay, C., Patra, A.: Onesided adaptively secure twoparty computation. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 368–393. Springer, Heidelberg (2014) CrossRefGoogle Scholar
 30.Hazay, C., Venkitasubramaniam, M.: On blackbox complexity of universally composable security in the CRS model. IACR Cryptology ePrint Archive 2015, 488 (2015)Google Scholar
 31.Impagliazzo, R., Rudich, S.: Limits on the provable consequences of oneway permutations. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 8–26. Springer, Heidelberg (1990) CrossRefGoogle Scholar
 32.Ishai, Y., Kushilevitz, E., Lindell, Y., Petrank, E.: Blackbox constructions for secure computation. In: STOC, pp. 99–108 (2006)Google Scholar
 33.Ishai, Y., Prabhakaran, M., Sahai, A.: Founding cryptography on oblivious transfer – efficiently. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 572–591. Springer, Heidelberg (2008) CrossRefGoogle Scholar
 34.Kalai, Y.T., Lindell, Y., Prabhakaran, M.: Concurrent composition of secure protocols in the timing model. J. Cryptol. 20(4), 431–492 (2007)zbMATHMathSciNetCrossRefGoogle Scholar
 35.Katz, J., Ostrovsky, R.: Roundoptimal secure twoparty computation. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 335–354. Springer, Heidelberg (2004) CrossRefGoogle Scholar
 36.Kilian, J.: Founding cryptography on oblivious transfer. In: STOC, pp. 20–31 (1988)Google Scholar
 37.Lin, H., Pass, R.: Blackbox constructions of composable protocols without setup. In: SafaviNaini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 461–478. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 38.Lin, H., Pass, R., Venkitasubramaniam, M.: A unified framework for concurrent security: universal composability from standalone nonmalleability. In: STOC, pp. 179–188 (2009)Google Scholar
 39.Pass, R., Lin, H., Venkitasubramaniam, M.: A unified framework for UC from only OT. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 699–717. Springer, Heidelberg (2012) CrossRefGoogle Scholar
 40.Lindell, Y.: General composition and universal composability in secure multiparty computation. In: FOCS, pp. 394–403 (2003)Google Scholar
 41.Lindell, A.Y.: Adaptively secure twoparty computation with erasures. In: Fischlin, M. (ed.) CTRSA 2009. LNCS, vol. 5473, pp. 117–132. Springer, Heidelberg (2009) CrossRefGoogle Scholar
 42.Lindell, Y.: Highlyefficient universallycomposable commitments based on the DDH assumption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 446–466. Springer, Heidelberg (2011) CrossRefGoogle Scholar
 43.Lindell, Y., Zarosim, H.: Adaptive zeroknowledge proofs and adaptively secure oblivious transfer. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 183–201. Springer, Heidelberg (2009) CrossRefGoogle Scholar
 44.Maji, H.K., Prabhakaran, M., Rosulek, M.: A zeroone law for cryptographic complexity with respect to computational UC security. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 595–612. Springer, Heidelberg (2010) CrossRefGoogle Scholar
 45.Micali, S., Rogaway, P.: Secure computation. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 392–404. Springer, Heidelberg (1992) Google Scholar
 46.Naor, M., Pinkas, B.: Efficient oblivious transfer protocols. In: Proceedings of the Twelfth Annual Symposium on Discrete Algorithms, Washington, DC, USA, pp. 448–457, 7–9 Jan 2001Google Scholar
 47.Pass, R., Wee, H.: Blackbox constructions of twoparty protocols from oneway functions. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 403–418. Springer, Heidelberg (2009) CrossRefGoogle Scholar
 48.Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008) CrossRefGoogle Scholar
 49.Rabin, M.: How to exchange secrets by oblivious transfer. Technical memo TR81, Aiken Computation Laboratory, Harvard University (1981)Google Scholar
 50.Yao, A.C.C.: How to generate and exchange secrets (extended abstract). In: FCOS, pp. 162–167 (1986)Google Scholar