Two-Round Oblivious Transfer from CDH or LPN

Döttling, Nico; Garg, Sanjam; Hajiabadi, Mohammad; Masny, Daniel; Wichs, Daniel

doi:10.1007/978-3-030-45724-2_26

Nico Döttling¹⁰,
Sanjam Garg¹¹,
Mohammad Hajiabadi¹¹,
Daniel Masny¹² &
…
Daniel Wichs¹³

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 12106))

Included in the following conference series:

Annual International Conference on the Theory and Applications of Cryptographic Techniques

2554 Accesses
37 Citations
1 Altmetric

Abstract

We show a new general approach for constructing maliciously-secure two-round oblivious transfer (OT). Specifically, we provide a generic sequence of transformations to upgrade a very basic notion of two-round OT, which we call elementary OT, to UC-secure OT. We then give simple constructions of elementary OT under the Computational Diffie-Hellman (CDH) assumption or the Learning Parity with Noise (LPN) assumption, yielding the first constructions of malicious (UC-secure) two-round OT under these assumptions. Since two-round OT is complete for two-round 2-party and multi-party computation in the malicious setting, we also achieve the first constructions of the latter under these assumptions.

S. Garg—Supported in part from AFOSR Award FA9550-19-1-0200, AFOSR YIP Award, NSF CNS Award 1936826, DARPA and SPAWAR under contract N66001-15-C-4065, a Hellman Award and research grants by the Okawa Foundation, Visa Inc., and Center for Long-Term Cybersecurity (CLTC, UC Berkeley). The views expressed are those of the authors and do not reflect the official policy or position of the funding agencies.

D. Masny—Part of the research was done at UC Berkeley supported by the Center for Long-Term Cybersecurity (CLTC, UC Berkeley).

D. Wichs—Research supported by NSF grants CNS-1314722, CNS-1413964, CNS-1750795 and the Alfred P. Sloan Research Fellowship.

You have full access to this open access chapter, Download conference paper PDF

Universally Composable Oblivious Transfer Based on a Variant of LPN

Three-Round Secure Multiparty Computation from Black-Box Two-Round Oblivious Transfer

Unconditionally Secure Oblivious Polynomial Evaluation: A Survey and New Results

Article 31 March 2022

1 Introduction

Oblivious transfer (OT) [Rab05, EGL85], is a fundamental primitive in cryptography. An OT protocol consists of two parties: a sender and a receiver. The sender’s input is composed of two strings $(m_0, m_1)$ and the receiver’s input is a bit c. At the end of the execution of the OT protocol, the receiver should only learn the value $m_{c}$, but should not learn anything about the other value $m_{1-c}$. The sender should gain no information about the choice bit c. This very simple primitive is often used as the foundational building block for realizing secure computation protocols [Yao82, GMW87]. Thus, the efficiency characteristics of the OT protocol directly affect the efficiency of the resulting secure computation protocol. As such, several notions of OT, achieving varying security and efficiency properties, have been devised (see e.g., [Lin16]). Ideally, we want to achieve a simulation-based definition of OT, where we require that malicious behavior in the real world can be simulated in an ideal world with an ideal OT functionality, and even more desirably, we want to do so in the universal composability (UC) framework [Can01].

OT in Two-Rounds. As the name suggests, a two-round OT protocols allows the OT functionality to be implemented in just the minimal two-rounds of communication. Namely, the receiver sends the first-round message based on her input bit c. Next, using his input $(m_0,m_1)$ and the first message of the protocol, the sender generates and sends the second-round message of the protocol. Finally, the receiver uses the second-round protocol message to recover $m_c$.

OT protocols that require only two rounds of communication are often desirable. Most importantly, two-round OT protocols are complete (necessary and sufficient) for general two-round (i.e., round optima) two-party [Yao82] and multi-party secure computation (2PC, MPC) [GS18, BL18] in both the semi-honest and malicious settings. Unfortunately, constructing two-round OT is typically much harder than constructing OT protocols with a larger round complexity. In particular, by relying on ZK proofs, we can construct constant-round malicious OT assuming only constant-round semi-honest OT and the latter follows from essentially all known assumptions that imply public-cryptography. On the other hand, no such equivalence is known for 2-round protocols since zero-knowledge proofs add more round. Furthermore, we know that two-round simulation-secure malicious OT is impossible in the plain model, and therefore we consider security in the common reference string (CRS) model.

Assumptions. Over the years, tremendous progress has been made in constructing both semi-honest and maliciously secure two-round OT protocols [CCM98, NP01, AIR01, DHRS04, PVW08, HK12, BD18] from a wide variety of assumptions. However, there are still gaps in our understanding—namely, constructing two-round OT typically requires stronger assumptions than what known to be sufficient for just OT. This is especially true for the case of maliciously secure OT. In this work, we attempt to bridge this gap. More specifically, we ask:

Can maliciously secure two-round OT and be based on the Computational Diffie-Hellman (CDH) assumption or the Learning Parity with Noise (LPN) assumption?

Since two-round malicious (UC) OT is complete for two-round malicious (UC) 2PC and MPC, the above is equivalent to asking whether the latter can be instantiated under the CDH and LPN assumptions. While constructions of UC-secure two-round OT under the Decisional Diffie-Hellman (DDH) assumption and the Learning with Errors (LWE) assumption are known [PVW08], the question of constructing the same under CDH and LPN has so far remained open. Moreover, we do not even have two-round constructions under CDH or LPN that satisfy any alternate weaker notions of malicious OT security that have been previously proposed in the literature.

1.1 Why Is Two-Round Maliciously Secure OT Difficult?

One reason that (two-round) OT is difficult to construct is that this notion is even difficult to define. Simulation-based definitions of security are complex and impose requirements that often seem stronger than necessary and hard to achieve. Unlike (say) public-key encryption, where we have simple game-based definitions that imply simulation-based (semantic) security, we do not have any simpler definitions of malicious OT security that suffice for simulation. All prior attempts from the literature to weaken the definition of OT security are still complex and require some form of extraction/simulation. In particular, to meaningfully define that the malicious receiver only learns one of the two sender values $m_0,m_1$, all known definitions require that we can somehow extract the receiver’s choice bit c from the first OT message and then argue that the second message hides the value $m_{1-c}$.

To meet any such extraction-based definition, we need to start with an OT where the receiver’s choice bit is statistically committed in the first OT message. This seems like a significant restriction. For example there is a natural construction of OT from CDH due to Bellare and Micali [BM90], which achieves semi-honest security in the standard model or a weak form of malicious security in the random-oracle model. However, in this construction, the first message only commits the receiver computationally to the choice bit and hence there is no hope of extracting it. Therefore, it appears difficult to prove any meaningful notion of malicious security without resorting to the random oracle model.

Overall, we are aware of only two approaches towards achieving maliciously-secure OT. The first starts with semi-honest OT and then compiles it to malicious OT using zero-knowledge proofs. Unfortunately, if we want two-round OT we would need to use non-interactive zero-knowledge (NIZK) proofs and we do not have instantiations of such NIZKs under many natural assumptions such as CDH or LPN (or LWE). The other approach, used by Peikert, Vaikuntanathan and Waters [PVW08] (and to some extent also e.g., [NP01, AIR01, BD18]) takes advantage of a statistically “lossy” mode of DDH/LWE based encryption. Unfortunately, we do not have any such analogous “lossy” mode for CDH/LPN based encryption and therefore this approach too appears to be fundamentally stuck.

1.2 Our Results

In this work, we give a new general approach for constructing UC-secure two-round OT.^{Footnote 1} Specifically, we introduce an extremely weak and simple notion of two-round OT, which we call elementary OT. This notion is defined via a game-based definition and, in contrast to all prior notions of OT, does not rely on an extractor. We then provide a series of generic transformations that upgrade the security of elementary OT, eventually culminating in a UC-secure two-round OT. These transformations are the main technically challenging contributions of the paper. Lastly, we show simple constructions of two-round elementary OT under the Computational Diffie-Hellman (CDH) assumption or the Learning Parity with Noise (LPN) assumption, yielding the first constructions of UC-secure two-round OT under these assumptions. We rely on a variant of LPN with noise-rate $1/n^{\varepsilon }$ for some arbitrary constant $\varepsilon > \frac{1}{2}$.^{Footnote 2}

Applications to Two-Round MPC. As mentioned earlier, two-round OT is known to be complete for constructing two-round MPC [GS18, BL18]. Thus, our results also yield the first constructions of two-round malicious (UC-secure) MPC under the Computational Diffie-Hellman (CDH) assumption or the Learning Parity with Noise (LPN) assumption.

Open Problems. Interestingly, our generic transformations use garbled circuits that make a non-black-box use of the underlying cryptographic primitives. We leave it as an open problem to obtain a black-box construction or show the impossibility thereof.

Follow-Up Work. Subsequently to our work, techniques and results of our paper were used in some follow-up works. Lombardi et al. [LQR+19] used our main result to obtain the first construction of maliciously-secure designated-verifier NIZK (MDV-NIZK) from CDH. MDV-NIZK may be though of as a two-round ZK protocol in the CRS model with a reusable first-round message. Technically, [LQR+19] gives constructionist of MDV-NIZK from a combination of key-dependent-message (KDM) secure private-key encryption for projection functions and a receiver-extractable two-round OT protocol. (See Definition 15.) They used the main result of our paper in order to realize their OT component. (The KDM component is already known from CDH [BLSV18].) In another work, Döttling, Garg and Malavolta [DGM19] use and extend techniques form our work (especially those from Sect. 6) in order to build protocols for Malicious Laconic Function Evaluation (among others).

2 Technical Overview

Our results are obtained via a sequence of transformations between various notions of OT. We give an overview of this sequence in Fig. 1 and explain each of the steps below. All of the notions of OT that we consider are two-round and can rely on a common reference string (CRS), which is generated by a trusted third party and given to both the sender and the receiver. For simplicity, we often ignore the CRS in the discussion below.

Elementary OT. We begin by defining an extremely weak and simple notion of OT, called elementary OT. The receiver uses her choice bit c to generate a first round message $\mathsf {otr} $. The sender then uses $\mathsf {otr} $ to generate a second-round message $\mathsf {ots} $ together with two values $y_0,y_1$. The receiver gets $\mathsf {ots} $ and uses it to recover the value $y_c$. Note that, unlike in standard OT, the sender does not choose the two values $y_0,y_1$ himself, but instead generates them together with $\mathsf {ots} $. (One may think of this as analogous to the distinction between key-encapsulation and encryption.) The security of elementary OT is defined via the following two game-based requirements:

1.
Receiver Security: The receiver’s choice bit c is computationally hidden by the first-round OT message $\mathsf {otr} $.
2.
Sender Security: A malicious receiver who creates the first-round message $\mathsf {otr} $ maliciously and is then given an honestly generated second-round message $\mathsf {ots} $ cannot simultaneously output both of the values $y_0,y_1$ except with negligible probability.

Note that elementary OT provides a very weak notion of sender security. Firstly, it only provides unpredictability, rather than indistinguishability, based security – the malicious receiver cannot output both values $y_0,y_1$, but may learn some partial information about each of the two values. Second of all, it does not require that the there is a consistent bit w such that the value $y_{w}$ is hidden from the malicious receiver – it may be that, even after the receiver maliciously chooses $\mathsf {otr} $, for some choices of $\mathsf {ots} $ she learns $y_0$ and for other choices she learns $y_1$. We fix the second issue first.

From Elementary OT to Search OT. We define a strengthening of elementary OT, which we call search OT. The syntax and the receiver security remain the same. For sender security, we still keep an unpredictability (search) based security definition. But now we want to ensure that, for any choice of the malicious receiver’s message $\mathsf {otr} $, there is a consistent bit w such that $y_w$ is hidden. We want to capture this property without requiring the existence of an (even inefficient) extractor that can find such w. We do so as follows. For any choice of the malicious receiver’s first message $\mathsf {otr} $ (along with all her random coins and the CRS), we define two probabilities $\varepsilon _0,\varepsilon _1$ which denote the probability of the receiver outputting $y_0$ and $y_1$ respectively, taken only over the choice of $\mathsf {ots} $. We require that for any polynomial p, with overwhelming probability over the receiver’s choices, at least one of $\varepsilon _0$ or $\varepsilon _1$ is smaller than 1/p. In particular, this means that with overwhelming probability over the malicious receiver’s choice of $\mathsf {otr} $, there is a fixed and consistent bit w such that the receiver will be unable to recover $y_w$ from the sender’s message $\mathsf {ots} $. Note that the value w may not be extractable (even inefficiently) from $\mathsf {otr} $ alone since the way that w is defined is “adversary-dependent”.

To go from elementary OT to search OT, we rely on techniques from “hardness amplification”. The difficulty of using a search-OT adversary to break elementary-OT security is that a search-OT adversary can, for example, have $\varepsilon _0 = \varepsilon _1 = \frac{1}{2}$, but for half the value of $\mathsf {ots} $ it outputs the correct $y_0$ and for half it outputs the correct $y_1$, yet it never output both correct values simultaneously. However, if we could ensure that $\varepsilon _0,\varepsilon _1$ are both much larger than $\frac{1}{2}$, then this could not happen. We use hardness amplification to achieve this. In particular, we construct search OT scheme from elementary OT by having the sender generate $\lambda $ (security parameter) different second-round messages of the elementary OT and set the search OT values to be the concatenations $\mathsf {OTS} = (\mathsf {ots} ^{1},\ldots ,\mathsf {ots} ^{\lambda })$ and $Y_0 = (y_0^1,\ldots ,y_0^\lambda ), Y_1 = (y_1^1,\ldots ,y_1^\lambda )$. By hardness amplification, if for some choice of $\mathsf {otr} $ the malicious receiver can separately predict each of $Y_0, Y_1$ with probability better than some inverse polynomial 1/p, then that means it can separately predict each of the components $y_0, y_1$ with extremely high probability ${>}\frac{3}{4}$, and by the union bound, can therefore predict both components $y_0,y_1$ simultaneously with probability ${>}\frac{1}{4}$.

From Search OT to Indistinguishability OT. Next, we define a notion that we call indistinguishability OT. Here, just like in standard OT, the sender gets to choose his two values $m_0,m_1$ himself, rather than having the scheme generate values $y_0,y_1$ for him, as was the case in elementary and search OT. The receiver security remains the same as in elementary and search OT: the receiver’s choice bit c is hidden by her first-round message $\mathsf {otr} $. The sender security is defined in a similar manner to search OT, except that we now require indistinguishability rather than unpredictability. In particular, the malicious receiver chooses two values $m_0,m_1$ and a maliciously generated $\mathsf {otr} $. For any such choice, we define two probabilities $\varepsilon _0,\varepsilon _1$, where $\varepsilon _b$ denotes the receiver’s advantage, calculated only over the random coins of the sender, in distinguishing between $\mathsf {ots} $ generated with the messages $(m_0,m_1)$ versus $(m'_0, m'_1)$ where $m'_b$ is uniformly random and $m'_{1-b} = m_{1-b}$. We require that for any polynomial p, with overwhelming probability over the receiver’s choices, at least one of $\varepsilon _0$ or $\varepsilon _1$ is smaller than 1/p. In particular, this means that, with overwhelming probability, the malicious receiver’s choice of $\mathsf {otr} $ fixes a consistent bit w such that the receiver does not learn anything about $m_w$.

To go from search OT to indistinguishability OT with 1-bit values $m_0,m_1$, we rely on the Goldreich-Levin hardcore bit [GL89]. In particular, we use search OT to generate $\mathsf {ots} $ along with values $y_0,y_1$ and then use the Goldreich-Levin hardcore bits of $y_0,y_1$ to mask $m_0,m_1$ respectively. To then allow for multi-bit values $m_0,m_1$, we simply have the sender send each bit separately, by reusing the same receiver message $\mathsf {otr} $ for all bits.

From Indistinguishability OT to Weak SFE. Next, we generalize from OT and define a weak form of (two-round) secure function evaluation (weak-SFE). Here, there is a receiver with an input x and a sender with a circuit f. The receiver learns the output f(x) in the second round. We define a very simple (but weak) game-based notion of malicious security, without relying on a simulator or extractor:

Receiver Security: The receiver’s first-round message hides the input x from the sender.
Sender Security: A malicious receiver cannot distinguish between any two functionally equivalent circuits $f_0,f_1$ used by the sender.

We show how to compile indistinguishability OT to weak SFE. Indeed, the construction is the same as the standard construction of (standard) SFE from (standard) OT: the receiver sends first-round OT messages corresponding to the bits of the input x and the sender creates a garbled circuit for f and uses the two input labels as the values for the second-round OT messages.

The proof of sender security, however, is very different than that for the standard construction of SFE from OT, which relies on extracting the receiver’s OT choice bits. Instead, we rely on technical ideas that are similar to and inspired by those recently used in the context of distinguisher-dependent simulation [JKKR17] and have a sequence of hybrids that depends on the adversary. More concretely, indistinguishability OT guarantees that for each input wire, there is some bit w such that the adversary cannot tell if we replace the label for w by uniform. However, this bit w is defined in an adversary-dependent manner. This effectively allows us to extract the adversary’s OT choice bits. Therefore, we have a sequence of adversary-dependent hybrids where we switch the OT values used by the sender and replace the labels for the bits w by random values. We then rely on garbled circuit security to argue that garblings of $f_0$ and $f_1$ are indistinguishable, and conclude that the adversary’s advantage is negligible.

Formalizing the above high-level approach is the most technically involved component of the paper.

From Weak SFE to OT with UC Sender Security. We show how to go from weak SFE to an OT scheme that has UC-security for the sender. In particular, this means we can extract the choice bit c from the receiver’s first-round message $\mathsf {otr} $ and simulate the sender’s second-round message $\mathsf {ots} $ given only $m_c$, without knowing the “other” value $m_{1-c}$. For the receiver’s security, we maintain the same indistinguishability-based requirement as in elementary/search/indistinguishability OT, which guarantees that the choice bit c is hidden by the first-round OT message $\mathsf {otr} $. We refer to this as a “half-UC OT” for short. This is the first step where we introduce a simulation/extraction based notion of security.

Our compiler places a public-key $\mathsf {pk} $ of a public-key encryption (PKE) scheme to the CRS. The receiver encrypts her choice bit c under $\mathsf {pk} $ using randomness r and sends the resulting ciphertext $\mathsf {ct}= \mathsf {E}_{\mathsf {pk}}(c;r)$ as part of her first-round OT message. At the same time, the receiver and sender run an instance of weak SFE, where the receiver’s input is $x = (c,r)$ and the sender’s circuit is $f_{\mathsf {pk}, \mathsf {ct}, m_0,m_1}(c,r)$, which output $m_c$ if $\mathsf {ct}= \mathsf {E}_{\mathsf {pk}}(c;r)$ and $\bot $ otherwise. The indistinguishability-based security of the receiver directly follows from that of the SFE and the PKE, which together guarantees that c is hidden by the first-round message. To argue UC security of the sender, we now extract the receiver’s bit c by decrypting the ciphertext $\mathsf {ct}$. If $\mathsf {ct}$ is an encryption of c then $f_{\mathsf {pk}, \mathsf {ct}, m_0,m_1}$ is functionally equivalent to $f_{\mathsf {pk}, \mathsf {ct}, m'_0,m'_1}$ where $m'_c = m_c$ and $m'_{1-c}$ is replaced by an arbitrary value, say all 0s. Therefore, we can simulate the sender’s second-round OT message by using the circuit $f_{\mathsf {pk}, \mathsf {ct}, m'_0,m'_1}$, which only relies on knowledge of $m_c$ without knowing $m_{1-c}$, and weak SFE security guarantees that this is indistinguishable from the real world.

From UC Sender Security to Full UC OT. Finally, we show how to use an OT scheme with UC-security of the sender and indistinguishability-based security for the receiver (“half-UC OT”) to get a full UC-secure OT. In particular, this means that we need to simulate the receiver’s first-round message without knowing c and extract two values $m_0,m_1$ from a malicious sender such that, if the receiver’s bit was c, he would get $m_c$.

Before we give our actual construction, it is useful to examine a naive proposal and why it fails. In the naive proposal, the sender commits to both values $m_0,m_1$ using an extractable commitment (e.g., PKE where the public key is in the CRS); the parties use a half-UC OT where the sender puts the two decommitments as his OT values and also sends the commitments as part of the second-round OT message. We can extract two values $m_0,m_1$ from the commitment and are guaranteed that the receiver either outputs the value $m_c$ or $\bot $ (if the decommitment he receives via the underlying OT is incorrect). But we are unable to say which of the two cases will occur. This is insufficient for full security.

We solve the above problem via two steps:

We first give a solution using a two-round zero-knowledge (ZK) argument and an extractable commitment (both in the CRS model). The sender and receiver run the half-UC OT protocol where the receiver uses her choice bit c and the sender uses his two values $m_0,m_1$. In the first round, the receiver also sends the first-round verifier message of the ZK argument. In the second round, the sender also commits to his two messages $m_0,m_1$ using an extractable commitment and uses the ZK argument system to prove that he computed the second-round OT message correctly using the same values $m_0,m_1$ as in the commitment. This provides UC security for the receiver since, if the ZK argument verifies, we can extract the values $m_0,m_1$ from the commitment and know that the receiver would recover the correct value $m_c$. The transformation also preserves UC security for the sender since the ZK argument can be simulated.
We then show how to construct a two-round ZK argument using half-UC OT. We rely on a $\varSigma $-protocol for $\mathsf {NP} $ where the prover sends a value a, receives a 1-bit challenge $b \in \{0,1\}$, and sends a response z; the verifier checks that the transcript (a, b, z) is valid for the statement being proved and accepts or rejects accordingly. We can compile a $\varSigma $-protocol to a two-round ZK argument using OT. The verifier sends a first-round OT message for a random bit b. The prover chooses a and computes both responses $z_0,z_1$ corresponding to both possible values of the challenge b; he then sends a and uses $z_0,z_1$ as the values for the second-round OT message. The verifier recovers $z_b$ from the OT and checks that $(a,b,z_b)$ is a valid transcript of the $\varSigma $-protocol. We repeat this in parallel $\lambda $ (security parameter) times to get negligible soundness error. It turns out that we can prove ZK security by relying on the UC-security for the sender; we can extract the OT choice bits b in each execution and then simulate the $\varSigma $-protocol transcript after knowing the challenge bit b. It would also be easy to prove soundness using UC-security for the receiver, but we want to only rely on a “half-UC” OT where we only have indistinguishability security of the receiver. To solve this, we rely on a special type of “extractable” $\varSigma $-protocol [HL18] in the CRS model, where, for every choice of a there is a unique “bad challenge” b such that, if the statement is false, there exists a valid response z that results in a valid transcript (a, b, z). Furthermore, this unique bad challenge b should be efficiently extractable from a using a trapdoor to the CRS. Such “extractable” $\varSigma $-protocols can be constructed from only public-key encryption. If the $\varSigma $-protocol is extractable and the OT scheme has indistinguishability-based receiver security then the resulting two-round ZK is computationally sound. This is because, the only way that the prover can succeed is if in each of the $\lambda $ invocations he chooses a first message a such that the receiver’s OT choice bit b is the unique bad challenge for a, but this means that the prover can predict the receiver’s OT choice bits (the reduction uses the trapdoor for the $\varSigma $-protocol to extract the unique bad challenge from a).

Combined together, the above two steps give a general compiler from half-UC OT to fully secure UC OT.

Instantiation from CDH. We now give our simple instantiation of elementary OT under the CDH assumption. The construction is based on a scheme of Bellare and Micali [BM90], which achieves a weak form of malicious security in the random-oracle model. Our protocol is somewhat simplified and does not require a random oracle. Recall that the CDH assumption states that, given a generator g of some cyclic group $\mathbb {G}$ of order p, along with values $g^a,g^b$ for random $a,b \in \mathbb Z_p$, it is hard to compute $g^{ab}$.

The CRS of the OT scheme consists of $A = g^a$ for random $a \in \mathbb Z_p$. The receiver with a choice bit c computes two value $h_c = g^r$ and $h_{1-c}= A/h_c$ for a random $r \in \mathbb Z_p$ and sends $\mathsf {otr}:= h_0$ as the first-round OT message. The sender computes $h_1 = A/h_0$. It chooses a random $b \in \mathbb Z_p$, sets $\mathsf {ots}:= B= g^b$ as the second-round message, and generates the two values $y_0 = h_0^b, y_1 = h_1^b$. The receiver outputs $\hat{y}_c = B^r$.

This ensures correctness since $\hat{y}_c = B^r = g^{br} = h_c^b = y_c$. Also, $h_0$ is uniformly random over $\mathbb {G}$ no matter what the receiver bit c is, and therefore this provides (statistic) indistinguishability-based receiver security. Lastly, we argue that we get elementary OT security for the sender, meaning that a malicious receiver cannot simultaneously compute both $y_0,y_1$. Note that the only values seen by the malicious receiver during the game are $A = g^a, B =g^b$. If the receiver outputs $y_0 = h_0^b, y_1 = h_1^b = (A/h_0)^b$ then we can use these values to compute $y_0 \cdot y_1 = A^b = g^{ab}$, which breaks CDH.

Instantiation from LPN. We also give a simple instantiation of elementary OT under the LPN assumption. This construction closely mirrors the CDH one. We use a variant of the LPN problem with noise-rate $1/n^{\varepsilon }$ for an arbitrary constant $\varepsilon > \frac{1}{2}$. We also rely on a variant of the LPN problem where the secret is chosen from the error distribution, which is known to be equivalent to standard LPN where the secret is uniformly random [ACPS09]. In particular this variant of the LPN problem states that, for a Bernoulli distribution $\mathcal B_\rho $ which outputs 1 with probability $\rho = 1/n^\varepsilon $, and for $A \leftarrow \mathbb {Z}_2^{n \times n}$, $s,e \leftarrow \mathcal B_\rho ^n$, the values $(A, s A + e)$ are indistinguishable from uniformly random values.

The CRS of the OT scheme consists of a tuple (A, v) where $A \leftarrow \mathbb {Z}_2^{n \times n}$ and $v \leftarrow \mathbb {Z}_2^n$. The receiver chooses $x,e \leftarrow \mathcal B_\rho ^n$ and sets $h_c = Ax + e$ and $h_{1-c} = v- h_c$ and sends $\mathsf {otr} = h_0$ as the first-round OT message. The sender computes $h_1 = h_0 +v$, chooses $S, E \leftarrow \mathcal B_\rho ^{\lambda \times n}$ where $\lambda $ is the security parameter and sends $\mathsf {ots}:= B = SA + E$ as the second-round OT message. The sender computes the values $y_0 = Sh_0, y_1 = Sh_1$. The receiver outputs $\hat{y}_c = Bx$.

This ensures correctness with a small inverse-polynomial error probability. In particular, $y_c = Sh_c = S(Ax + e) = Bx + Se - Ex = \hat{y}_c + (Se - Ex)$ where $Ex + Se = 0$ except with a small error probability, which we can make an arbitrarily small inverse polynomial in $\lambda $ by setting n to be a sufficiently large polynomial in $\lambda $. The receiver’s (computational) indistinguishability-based security holds under LPN since $h_0$ is indistinguishable from uniform no matter what c is. We also get elementary OT security for the sender under the LPN assumption. A malicious receiver only sees the values A, v and $B = SA + E$ during the game. If the receiver outputs $y_0 = Sh_0,y_1= Sh_1$, then we can use it to compute $y_0 + y_1 = S(h_0 +h_1) = Sv$. But, since S is hard to compute given A, B, we can argue that Sv is indistinguishable form uniform under the LPN assumption, by thinking of the i’th of Sv as a Goldreich-Levin hardcore bit for the i’th row of S. Therefore, is should be hard to output Sv except with negligible probability.

The fact that we get a small (inverse polynomial) error probability does not affect the security of the generic transformations going from elementary OT to indistinguishability OT for 1-bit messages. Then, when we go from 1-bit messages to multi-bit messages we can also use an error-correcting code to amplify correctness and get a negligible correctness error.

3 Preliminaries

Notation. We use $\lambda $ for the security parameter. We use to denote computational indistinguishability between two distributions and use $\equiv $ to denote two distributions are identical. For a distribution D we use $x \xleftarrow {\$}D$ to mean x is sampled according to D and use $y \in D$ to mean y is in the support of D. For a set $\mathsf {S}$ we overload the notation to use $x \xleftarrow {\$}\mathsf {S}$ to indicate that x is chosen uniformly at random from $\mathsf {S}$.

3.1 Basic Inequalities

Lemma 1

(Markov Inequality for Advantages). Let A(Z) and B(Z) be two random variables depending on a random variable Z and potentially additional random choices. Assume that $|\Pr _Z[A(Z) = 1] - \Pr _Z[B(Z) = 1]| \ge \epsilon \ge 0$. Then

$$ \Pr _Z[|\Pr [A(Z) = 1] - \Pr [B(Z) = 1]| \ge \epsilon /2] \ge \epsilon /2. $$

Proof

Let $a := \Pr _Z[|\Pr [A(Z) = 1] - \Pr [B(Z) = 1]| \ge \epsilon /2]$. We have $\epsilon \le a \times 1 + (1-a) \times \epsilon /2 $. Since $0 \le 1-a \le 1$, we obtain $\epsilon \le a + \epsilon /2 $. The inequality now follows. $\square $

Theorem 2

(Hoeffding Inequality). Let $X_1,\dots ,X_N \in [0,1]$ be i.i.d. random variables with expectation $\mathsf {E}[X_1]$. Then it holds that

$$ \Pr \left[ \left| \frac{1}{N} \sum _i X_i - \mathsf {E}[X_1] \right| > \delta \right] \le 2 e^{-2N\delta ^2}. $$

3.2 Standard Primitives

Definition 3

(PKE). The notion of CPA security for a PKE scheme $\mathsf {PKE}= (\mathsf {KeyGen}, \mathsf {E}, \mathsf {Dec})$ is standard. We say that $\mathsf {PKE}$ is perfectly correct if $\Pr [\exists (\mathsf {m},\mathsf {r})$ s.t. $\mathsf {Dec}(\mathsf {sk}, \mathsf {E}(\mathsf {pk}, \mathsf {m}; \mathsf {r})) \ne \mathsf {m}] = \mathsf {negl}(\lambda )$, where $(\mathsf {pk}, \mathsf {sk}) \xleftarrow {\$}\mathsf {KeyGen} (1^\lambda )$.

Definition 4

(Garbled Circuits). A garbling scheme for a class of circuits $\mathcal {C}$ with n-bit inputs consists of $(\mathsf {Garble},\mathsf {Eval}, \mathsf {Sim})$ with the following correctness and security properties.

Correctness: for all $\mathsf {C}\in \mathcal {C}$, $\mathsf {x}\in \{0,1\}^n$, we have $\Pr [\mathsf {Eval}(\widehat{\mathsf {C}}, \mathsf {GarbleInput} (\vec {\mathsf {lb}}^0,\vec {\mathsf {lb}}^1,\mathsf {x})) = \mathsf {C}(\mathsf {x})] = 1$, where $(\widehat{\mathsf {C}},\vec {\mathsf {lb}}^0,\vec {\mathsf {lb}}^1) \xleftarrow {\$}\mathsf {Garble} (1^\lambda ,\mathsf {C})$, $\vec {\mathsf {lb}}^0 := (\mathsf {lb} ^0_1, \dots , \mathsf {lb} ^0_n)$, $\vec {\mathsf {lb}}^1 := (\mathsf {lb} ^1_1, \dots , \mathsf {lb} ^1_n)$ and we define $\mathsf {GarbleInput} (\vec {\mathsf {lb}}^0,\vec {\mathsf {lb}}^1,\mathsf {x}) := (\mathsf {lb} ^{\mathsf {x}_1}_1, \dots , \mathsf {lb} ^{\mathsf {x}_n}_n)$.
Security: For any $\mathsf {C}\in \mathcal {C}$ and $\mathsf {x}\in \{0,1\}^n$: , where $(\widehat{\mathsf {C}},\vec {\mathsf {lb}}^0,\vec {\mathsf {lb}}^1) \xleftarrow {\$}\mathsf {Garble} (1^\lambda ,\mathsf {C})$.

4 Definitions of Two-Round Oblivious Transfer

A two-round oblivious transfer (OT) protocol (we use the definition from [BGI+17]) is given by algorithms $(\mathsf {Setup},\mathsf {OT}_1,\mathsf {OT}_2,\mathsf {OT}_3)$, where the setup algorithm $\mathsf {Setup} $ generates a CRS value $\mathsf {crs} \xleftarrow {\$}\mathsf {Setup} (1^\lambda )$.^{Footnote 3} The receiver runs the algorithm $\mathsf {OT} _1$ which takes $\mathsf {crs} $ and a choice bit $c \in \{0,1\}$ as input and outputs $(\mathsf {otr}, \mathsf {st})$. The receiver then sends $\mathsf {otr} $ to the sender, who obtains $\mathsf {ots} $ by evaluating $\mathsf {OT} _2(1^\lambda ,\mathsf {otr}, \mathsf {m}_0, \mathsf {m}_1)$, where $\mathsf {m}_0$ and $\mathsf {m}_1$ (such that $\mathsf {m}_0, \mathsf {m}_1 \in \{0,1\}{\lambda }$) are its inputs. The sender then sends $\mathsf {ots} $ to the receiver who obtains $\mathsf {m}_c$ by evaluating $\mathsf {OT} _3(1^\lambda ,\mathsf {st}, \mathsf {ots})$.

4.1 Correctness

We say that a two-round OT scheme is perfectly correct, if with probability $1 - \mathsf {negl}(\lambda )$ over the choice of $\mathsf {crs} \xleftarrow {\$}\mathsf {Setup} (1^\lambda )$ the following holds: for every choice bit $c \in \{0,1\}$ of the receiver and input messages $\mathsf {m}_0$ and $\mathsf {m}_1$ of the sender, and for any $(\mathsf {otr},\mathsf {st}) \in \mathsf {OT} _1(\mathsf {crs},c)$ and $\mathsf {ots} \in \mathsf {OT} _2(\mathsf {crs}, \mathsf {otr}, \mathsf {m}_0, \mathsf {m}_1)$, we have $\mathsf {OT} _3(\mathsf {st}, \mathsf {ots}) = \mathsf {m}_c$. (Recall that $x \in \mathcal {D}$ for a distributions $\mathcal {D}$ means that x is in the support of $\mathcal {D}$.)

4.2 Receiver’s Security Notions

We consider two notions of receiver’s security—namely, notions that require security against a malicious sender. We describe them next.

Receiver’s indistinguishability security. For every non-uniform polynomial-time adversary $\mathcal {A}$: $|\Pr [\mathcal {A}(\mathsf {crs}, \mathsf {OT} _1(\mathsf {crs},0)) = 1] -\Pr [\mathcal {A}(\mathsf {crs}, \mathsf {OT} _1(\mathsf {crs},1)) = 1]| = \mathsf {negl}(\lambda )$, where $\mathsf {crs} \xleftarrow {\$}\mathsf {Setup} (1^\lambda )$.

Receiver’s UC-Security. We work in Canetti’s UC framework with static corruptions [Can01]. We assume familiarity with this model. We use $\mathcal {Z}$ for denoting the underlying environment. For a real protocol $\varPi $ and an adversary $\mathcal {A}$, we use $\mathsf {EXEC}_{\varPi , \mathcal {A}, \mathcal {Z}}$ to denote the real-world ensemble. Also, for an ideal functionality $\mathcal {F}$ and an adversary $\mathcal {S}$ we denote $\mathsf {IDEAL}_{\mathcal {F}, \mathcal {S}, \mathcal {Z}}$ to denote the ideal-world ensemble.

We say that an OT protocol $\mathsf {OT} $ is receiver-UC secure if for any adversary $\mathcal {A}$ corrupting the sender, there exists a simulator $\mathcal {S}$ such that for all environments $\mathcal {Z}$:

where the ideal functionality $\mathcal {F}_{\mathrm {OT}} $ is defined in Fig. 2. (We will follow the same style as in [CLOS02, PVW08].)

Since our OT protocols are in the CRS model, we also give the $\mathcal {F}_{\mathrm {CRS}} $ idea functionality below (Fig. 3).

4.3 Sender’s Security Notions

We consider several different notions of sender’s security that we define below. In the first two notions of security, namely elementary and search notions, we change the syntax of $\mathsf {OT}_2 $ a bit. More specifically, instead of taking $\mathsf {m}_0$ and $\mathsf {m}_1$ as input, $\mathsf {OT}_2 $ outputs two masks $\mathsf {y}_0$ and $\mathsf {y}_1$ where the receiver only gets $\mathsf {y}_c$, where c is the receiver’s choice bit.

Sender’s Elementary Security. The elementary sender security corresponds to the weakest security notion against a malicious receiver that is considered in this work. This notion requires that the receiver actually compute both the strings $\mathsf {y}_0$ and $\mathsf {y}_1$ used by the sender. Let $\mathcal {A}= (\mathcal {A}_1,\mathcal {A}_2)$ be an adversary. Consider the following experiment $\mathsf {Exp}^\lambda _{\mathsf {eOT}}(\mathcal {A})$:

1.
Run $\mathsf {crs} \xleftarrow {\$}\mathsf {Setup} (1^\lambda )$.
2.
Run ($\mathsf {otr},\mathsf {st}) \xleftarrow {\$}\mathcal {A}_1(1^\lambda ,\mathsf {crs})$
3.
Compute $(\mathsf {ots}, \mathsf {y}_0,\mathsf {y}_1) \xleftarrow {\$}\mathsf {OT}_2 (\mathsf {crs},\mathsf {otr})$
4.
Compute $(\mathsf {y}^*_0,\mathsf {y}^*_1) \xleftarrow {\$}\mathcal {A}_2(\mathsf {st},\mathsf {ots})$ and output 1 iff $(\mathsf {y}^*_0, \mathsf {y}^*_1) = (\mathsf {y}_0,\mathsf {y}_1)$

We say that a scheme satisfies $\mathsf {eOT}$ security if $\Pr [\mathsf {Exp}_{\mathsf {eOT}}^\lambda (\mathcal {A})=1] = \mathsf {negl}(\lambda )$.

Sender’s Search Security. Next, we consider the search security notion. In this stronger security notion, the adversary is expected to still compute both $\mathsf {y}_0$ and $\mathsf {y}_1$ but perhaps not necessarily at the same time. More formally, let $\mathcal {A}= (\mathcal {A}_1,\mathcal {A}_2)$ be an adversary where $\mathcal {A}_2$ outputs a message $\mathsf {y}^*$. Consider the following experiment $\mathsf {Exp}^{\mathsf {crs},\mathsf {r},w}_{\mathsf {sOT}}(\mathcal {A})$, indexed by a $\mathsf {crs} $, random coins $\mathsf {r}\in \{0,1\}^\lambda $ and a bit $w \in \{0,1\}$.

1.
Run ($\mathsf {otr},\mathsf {st}) \xleftarrow {\$}\mathcal {A}_1(1^\lambda ,\mathsf {crs};\mathsf {r})$
2.
Compute $(\mathsf {ots}, \mathsf {y}_0,\mathsf {y}_1) \xleftarrow {\$}\mathsf {OT}_2 (\mathsf {crs},\mathsf {otr})$
3.
Compute $\mathsf {y}^* \xleftarrow {\$}\mathcal {A}_2(\mathsf {st},\mathsf {ots},w)$ and output 1 iff $\mathsf {y}^* = \mathsf {y}_w$

We say a PPT adversary $\mathcal {A}$ breaks the sender search privacy if there exist a non-negligible function $\epsilon $ such that

$$ \Pr _{\mathsf {crs},\mathsf {r}}[\Pr [\mathsf {Exp}^{\mathsf {crs},\mathsf {r},0}_{\mathsf {sOT}}(\mathcal {A})=1]> \epsilon \text { and } \Pr [\mathsf {Exp}^{\mathsf {crs},\mathsf {r},1}_{\mathsf {sOT}}(\mathcal {A})=1 ]> \epsilon ] > \epsilon , $$

where $\mathsf {crs} \xleftarrow {\$}\mathsf {Setup} (1^\lambda )$ and $\mathsf {r}\xleftarrow {\$}\{0,1\}^\lambda $.

Sender’s Indistinguishability Security ($\mathsf {iOT} $). Moving on, we consider the sender’s indistinguishability security notion (or the iOT notion for short). In this notion, we require that the receiver does not learn any information about either $\mathsf {m}_0$ or $\mathsf {m}_1$. More formally, let $\mathcal {A}= (\mathcal {A}_1,\mathcal {A}_2)$ be an adversary where $\mathcal {A}_2$ outputs a bit s. Consider the following experiment $\mathsf {Exp}^{\mathsf {crs},\mathsf {r},w,b}_{\mathsf {iOT}}(\mathcal {A})$, indexed by a $\mathsf {crs} $, random coins $\mathsf {r}\in \{0,1\}^\lambda $, a bit $w \in \{0,1\}$ and a bit $b \in \{0,1\}$.

1.
Run $(\mathsf {m}_0,\mathsf {m}_1,\mathsf {otr},\mathsf {st}) \xleftarrow {\$}\mathcal {A}_1(1^\lambda ,\mathsf {crs};\mathsf {r})$
2.
If $b = 0$ compute $\mathsf {ots} \xleftarrow {\$}\mathsf {OT}_2 (\mathsf {crs},\mathsf {otr},\mathsf {m}_0,\mathsf {m}_{1})$
3.
Otherwise, if $b = 1$ compute $\mathsf {ots} \xleftarrow {\$}\mathsf {OT}_2 (\mathsf {crs},\mathsf {otr},\mathsf {m}'_0,\mathsf {m}'_1)$ where $\mathsf {m}'_w \xleftarrow {\$}\{0,1\}^n$ and $\mathsf {m}'_{1-w} =\mathsf {m}_{1-w}$.
4.
Compute and output $s \xleftarrow {\$}\mathcal {A}_2(\mathsf {st},\mathsf {ots})$

Define the advantage of $\mathcal {A}$ as $\mathsf {Adv}_{\mathsf {iOT}}^{\mathsf {crs},\mathsf {r},w}(\mathcal {A}) = |\Pr [\mathsf {Exp}^{\mathsf {crs},\mathsf {r},w,0}_{\mathsf {iOT}}(\mathcal {A}) = 1] - \Pr [\mathsf {Exp}^{\mathsf {crs},\mathsf {r},w,1}_{\mathsf {iOT}}(\mathcal {A}) = 1]|$. We say a PPT adversary $\mathcal {A}$ breaks the sender’s indistinguishability security if there exist a non-negligible function $\epsilon $ such that

$$ \Pr _{\mathsf {crs},\mathsf {r}}[\mathsf {Adv}^{\mathsf {crs},\mathsf {r},0}_{\mathsf {iOT}}(\mathcal {A})> \epsilon \text { and } \mathsf {Adv}^{\mathsf {crs},\mathsf {r},1}_{\mathsf {iOT}}(\mathcal {A})> \epsilon ] > \epsilon , $$

where $\mathsf {crs} \xleftarrow {\$}\mathsf {Setup} (1^\lambda )$ and $\mathsf {r}\xleftarrow {\$}\{0,1\}^\lambda $.

In the experiment above, if the two messages $\mathsf {m}_0$ and $\mathsf {m}_1$ are single-bits, then call the notion bit iOT. Otherwise, we call the notion string iOT.

Sender’s UC-Security. We say that an OT protocol $\mathsf {OT} $ is sender-UC secure if for any adversary $\mathcal {A}$ corrupting the receiver, there exists a simulator $\mathcal {S}$ such that for all environments $\mathcal {Z}$:

where the ideal functionality $\mathcal {F}_{\mathrm {OT}} $ is defined in Fig. 2.

Definition 5

For $\mathcal {X} \in \{\text {elementary, search, indistinguishability} \}$, we call a two-round OT scheme $\mathcal {X}$-secure if it has sender’s $\mathcal {X}$ security and receiver’s indistinguishability security. Moreover, we call a two-round OT scheme UC-secure if it has sender’s UC-security and receiver’s UC-security.

5 Transformations for Achieving Sender’s Indistinguishability

In this section, we give a sequence of transformations which leads us to sender’s indistinguishability security, starting with sender’s elementary security.

5.1 From Elementary OT to Search OT

We rely on a result of [CHS05] on hardness amplification of weakly verifiable puzzles. In such puzzles, a puzzle generator can efficiently verify solutions but others need not be able to; we rely on a restricted case where the solution is unique and the puzzle generator generates the puzzle with the solution. The result essentially says that solving many puzzles is much harder than solving a single puzzle. For simplicity, we state a simplified version of their result (restatement of Lemma 1 in [CHS05]) with a restricted range of parameters. It shows that, if there is a “weak solver” that has some inverse polynomial advantage in solving $\lambda $ puzzles simultaneously, then there is an “amplified solver” that has extremely high advantage (arbitrarily close to 1) in solving an individual puzzle.

Lemma 6

(Hardness Amplification [CHS05]). For every polynomial p and every constant $\delta >0$ there exists a PPT algorithm $\mathsf {Amp}$ such that the following holds for all sufficiently large $\lambda \in \mathbb {N}$. Let G be some distribution over pairs $(\mathsf {puzzle},\mathsf {solution}) \leftarrow G$. Let $\mathsf {WS}$ be a “weak solver” such that

$$\Pr [\mathsf {WS}(\mathsf {puzzle}_1,\ldots ,\mathsf {puzzle}_\lambda ) = (\mathsf {solution}_1,\ldots ,\mathsf {solution}_\lambda )] \ge 1/p(\lambda )$$

where $(\mathsf {puzzle}_i,\mathsf {solution}_i) \xleftarrow {\$}G$ for $i \in \{1,\ldots ,\lambda \}$. Then

$$\Pr [\mathsf {Amp}^{\mathsf {WS},G}(1^\lambda , \mathsf {puzzle}^*) = \mathsf {solution}^*] \ge \delta $$

where $(\mathsf {puzzle}^*,\mathsf {solution}^*) \xleftarrow {\$}G$.

Construction of Search OT. Let $\varPi = (\mathsf {Setup}, \mathsf {OT}_1, \mathsf {OT}_2,\mathsf {OT}_3)$ be an elementary OT. We construct a search OT scheme $\varPi ' = (\mathsf {Setup}, \mathsf {OT}_1, \mathsf {OT}_2 ',\mathsf {OT}_3 ')$ as follows:

$(\mathsf {ots} ', Y_0, Y_1) \xleftarrow {\$}\mathsf {OT}_2 '(\mathsf {otr} ')$: Sample $(\mathsf {ots} ^i,y^i_0,y^i_1) \xleftarrow {\$}\mathsf {OT}_2 (\mathsf {crs}, \mathsf {otr})$ for $i = 1,\ldots , \lambda $. Output $\mathsf {ots} ' = (\mathsf {ots} ^1,\ldots ,\mathsf {ots} ^\lambda )$ and $Y_0 = (\mathsf {y}_0^1,\ldots ,\mathsf {y}_0^\lambda )$, $Y_1 = (\mathsf {y}_1^1,\ldots ,\mathsf {y}_1^\lambda )$.
$Y \xleftarrow {\$}\mathsf {OT} '_3(\mathsf {ots} ', \mathsf {st})$: Parse $\mathsf {ots} ' = (\mathsf {ots} ^1,\ldots ,\mathsf {ots} ^\lambda )$. Let $\mathsf {y}_i \xleftarrow {\$}\mathsf {OT} _3(\mathsf {ots} ^i,\mathsf {st})$ for $i = 1,\ldots , \lambda $. Output $Y = (\mathsf {y}_1,\ldots ,\mathsf {y}_\lambda )$.

Theorem 7

If $\varPi $ is an elementary OT then $\varPi '$ described above is a search OT.

The proof can be found in the full version of the paper.

5.2 From Search OT to Bit $\mathsf {iOT}$

Let $\varPi = (\mathsf {Setup}, \mathsf {OT}_1, \mathsf {OT}_2,\mathsf {OT}_3)$ be a search OT with message length $n= n(\lambda )$. We construct an iOT scheme $\varPi ' = (\mathsf {Setup}, \mathsf {OT}_1 ', \mathsf {OT}_2 ',\mathsf {OT}_3 ')$ with 1-bit message as follows:

$(\mathsf {otr} ',\mathsf {st} ') \xleftarrow {\$}\mathsf {OT}_1 '(\mathsf {crs}, b)$: Let $(\mathsf {otr},\mathsf {st}) \xleftarrow {\$}\mathsf {OT}_1 (\mathsf {crs}, b)$. Output $\mathsf {otr} ' = \mathsf {otr}, \mathsf {st} ' = (\mathsf {st}, b)$.
$\mathsf {ots} ' \xleftarrow {\$}\mathsf {OT}_2 '(\mathsf {otr} ',\mathsf {m}_0,\mathsf {m}_1)$: Sample $(\mathsf {ots},\mathsf {y}_0,\mathsf {y}_1) \xleftarrow {\$}\mathsf {OT}_2 (\mathsf {crs}, \mathsf {otr})$. Choose $s_0,s_1 \xleftarrow {\$}\{0,1\}^n$. For $b \in \{0,1\}$, let $c_b = \langle \mathsf {y}_b, s_b \rangle \oplus \mathsf {m}_b$. Output $\mathsf {ots} ' = (\mathsf {ots}, s_0, s_1 , c_0, c_1)$.
$M \xleftarrow {\$}\mathsf {OT} '_3(\mathsf {st} ' , \mathsf {ots} ')$: Parse $\mathsf {ots} ' = (\mathsf {ots}, s_0, s_1, c_0, c_1)$, $\mathsf {st} ' = (\mathsf {st}, b)$. Let $\mathsf {y} \xleftarrow {\$}\mathsf {OT} _3(\mathsf {ots},\mathsf {st})$. Output $M = c_b \oplus \langle \mathsf {y}, s_b \rangle $.

Theorem 8

If $\varPi $ is a search OT then $\varPi '$ is an iOT with 1-bit messages.

The proof can be found in the full version of the paper.

5.3 From Bit $\mathsf {iOT}$ to String $\mathsf {iOT}$

Let $\varPi = (\mathsf {Setup}, \mathsf {OT}_1, \mathsf {OT}_2,\mathsf {OT}_3)$ be an iOT scheme with 1 bit messages. Then, we construct an iOT scheme $\varPi ' = (\mathsf {Setup}, \mathsf {OT}_1 ', \mathsf {OT}_2 ',\mathsf {OT}_3 ')$ with message length $n= n(\lambda )$ as follows:

$(\mathsf {otr} ',\mathsf {st} ') \xleftarrow {\$}\mathsf {OT}_1 '(\mathsf {crs}, b)$: Let $(\mathsf {otr},\mathsf {st}) \xleftarrow {\$}\mathsf {OT}_1 (\mathsf {crs}, b)$. Output $\mathsf {otr} ' = \mathsf {otr}, \mathsf {st} ' = \mathsf {st} $.
$\mathsf {ots} ' \xleftarrow {\$}\mathsf {OT}_2 '(\mathsf {otr} ',\mathsf {m}_0,\mathsf {m}_1)$: For each $i \in [n]$, sample $\mathsf {ots} ^{(i)} \xleftarrow {\$}\mathsf {OT}_2 (\mathsf {crs}, \mathsf {otr}, \mathsf {m}_0^{(i)}, \mathsf {m}_1^{(i)})$, where $\mathsf {m}_0^{(i)}$ and $\mathsf {m}_1^{(i)}$ are the $i^{th}$ bits of $\mathsf {m}_0$ and $\mathsf {m}_1$, respectively. Output $\mathsf {ots} ' = \{\mathsf {ots} ^{(i)}\}_{i \in [n]}$.
$M \xleftarrow {\$}\mathsf {OT} '_3(\mathsf {ots} ', \mathsf {st} ')$: Parse $\mathsf {ots} ' = \{\mathsf {ots} ^{(i)}\}$, $\mathsf {st} ' = (\mathsf {st}, b)$. Let $M^{(i)} \xleftarrow {\$}\mathsf {OT} _3(\mathsf {ots} ^{(i)},\mathsf {st})$ and output M.

Theorem 9

If $\varPi $ is iOT with 1-bit messages then $\varPi '$ is an iOT with messages of length n.

The proof can be found in the full version of the paper.

6 Weak Secure Function Evaluation

In this section, we will define our notion of weak secure function evaluation and provide instantiations of the new notion.

6.1 Definitions

Definition 10

A weak secure function evaluation scheme $\mathsf {wSFE}$ for a function class $\mathcal {F}$ consists of four PPT algorithms $(\mathsf {Setup},\mathsf {Receiver}_1,\mathsf {Sender},\mathsf {Receiver}_2)$ with the following syntax.

$\mathsf {Setup} (1^\lambda )$: Takes as input a security parameter and outputs a common reference string $\mathsf {crs} $
$\mathsf {Receiver}_1(\mathsf {crs},x)$: Takes as input a common reference string $\mathsf {crs} $ and an input x and outputs a message $\mathsf {z}_1$ and a state $\mathsf {st} $
$\mathsf {Sender}(\mathsf {crs},f,\mathsf {z}_1)$: Takes as input a common reference string $\mathsf {crs} $, a function $f \in \mathcal {F}$ and a receiver message $\mathsf {z}_1$ and outputs a sender message $\mathsf {z}_2$
$\mathsf {Receiver}_2(\mathsf {st},\mathsf {z}_2)$: Takes as input a state $\mathsf {st} $ and a sender message $\mathsf {z}_2$ and outputs a value y.

We require the following properties.

Correctness: It holds for any $\lambda $, any $f \in \mathcal {F}$ and any x in the domain of f that
$$ \mathsf {Receiver}_2(\mathsf {st},\mathsf {Sender}(\mathsf {crs},f,\mathsf {z}_1)) = f(x), $$
where $\mathsf {crs} \xleftarrow {\$}\mathsf {Setup} (1^\lambda )$ and $(\mathsf {z}_1,\mathsf {st}) \xleftarrow {\$}\mathsf {Receiver}_1(\mathsf {crs},x)$
Receiver Privacy: Let $\mathcal {A}= (\mathcal {A}_1,\mathcal {A}_2)$ be an adversary where $\mathcal {A}_2$ outputs a bit and let the experiment $\mathsf {Exp}_{RP}(\mathcal {A})$ be defined as follows:
- Compute $\mathsf {crs} \xleftarrow {\$}\mathsf {Setup} (1^\lambda )$
- Compute $(x_0,x_1) \xleftarrow {\$}\mathcal {A}_1(\mathsf {crs})$
- Choose $b \xleftarrow {\$}\{0,1\}$
- Compute $\mathsf {z}_1^*\xleftarrow {\$}\mathsf {Receiver}_1(\mathsf {crs},x_b)$
- Compute $b' \xleftarrow {\$}\mathcal {A}_2(\mathsf {crs},\mathsf {z}_1^*)$
- If $b' = b$ output 1, otherwise 0
Define $\mathsf {Adv}_{RP}(\mathcal {A}) = |\Pr [\mathsf {Exp}_{RP}(\mathcal {A}) = 1] - 1/2|$. We say that $\mathsf {wSFE}$ has computational receiver privacy, if it holds for all PPT adversaries $\mathcal {A}$ that $\mathsf {Adv}_{RP}(\mathcal {A}) < \mathsf {negl}(\lambda )$. Likewise, we say that $\mathsf {wSFE}$ has statistical receiver privacy, if it holds for all unbounded (non-uniform) adversaries $\mathcal {A}$ that $\mathsf {Adv}_{RP}(\mathcal {A}) < \mathsf {negl}(\lambda )$.
Sender Privacy: Let $\mathcal {A}= (\mathcal {A}_1,\mathcal {A}_2)$ be an adversary where $\mathcal {A}_2$ outputs a bit and let the experiment $\mathsf {Exp}_{SP}(\mathcal {A})$ be defined as follows:
- Compute $\mathsf {crs} \xleftarrow {\$}\mathsf {Setup} (1^\lambda )$
- Compute $(f_0,f_1,\mathsf {z}_1) \xleftarrow {\$}\mathcal {A}_1(\mathsf {crs})$
- Choose $b \xleftarrow {\$}\{0,1\}$
- Compute $\mathsf {z}_2^*\xleftarrow {\$}\mathsf {Sender}(\mathsf {crs},f_b,\mathsf {z}_1)$
- Compute $b' \xleftarrow {\$}\mathcal {A}_2(\mathsf {crs},\mathsf {z}_2^*)$
- If $b' = b$ output 1, otherwise 0
Define $\mathsf {Adv}_{SP}(\mathcal {A}) = |\Pr [\mathsf {Exp}_{SP}(\mathcal {A}) = 1] - 1/2|$. We say that $\mathsf {wSFE}$ has computational sender privacy, if it holds for all PPT adversaries $\mathcal {A}= (\mathcal {A}_1,\mathcal {A}_2)$ which output equivalent functions $f_0 \equiv f_1$ in the first stage that $\mathsf {Adv}_{SP}(\mathcal {A}) < \mathsf {negl}(\lambda )$. Likewise, we say that $\mathsf {wSFE}$ has statistical sender privacy, if it holds for all unbounded (non-uniform) adversaries $\mathcal {A}$ which output equivalent functions $f_0 \equiv f_1$ in the first stage that $\mathsf {Adv}_{SP}(\mathcal {A}) < \mathsf {negl}(\lambda )$.

6.2 wSFE for All Circuits from $\mathsf {iOT}$ and Garbled Circuits

Let $\mathsf {iOT} = (\mathsf {Setup},\mathsf {OT}_1,\mathsf {OT}_2,\mathsf {OT}_3)$ be an iOT protocol and let $(\mathsf {Garble},\mathsf {Eval})$ be a garbling scheme. Overloading notation, assume that if $\vec {x} = (x_1,\dots ,x_n) \in \{0,1\}^n$ is an input vector, then $\mathsf {OT}_1 (\mathsf {crs},\vec {x}) = (\mathsf {OT}_1 (\mathsf {crs},x_1),\dots ,\mathsf {OT}_1 (\mathsf {crs},x_n))$. Similarly, if $\vec {m}_0 = (m_{0,1},\dots ,m_{0,n})$ and $\vec {m}_1 = (m_{1,1},\dots ,m_{1,n})$ are two vectors of messages, then denote

$$\begin{aligned} \mathsf {OT}_2 (\mathsf {crs},\vec {\mathsf {otr}},\vec {m}_0,\vec {m}_1) = (\mathsf {OT}_2 (\mathsf {crs},\mathsf {otr} ^1,m_{0,1},m_{1,1}),\dots ,\mathsf {OT}_2 (\mathsf {crs},\mathsf {otr} ^n,m_{0,n},m_{1,n})) \end{aligned}$$

The scheme $\mathsf {wSFE}$ is given as follows.

$\mathsf {Setup} (1^\lambda )$: Compute and output $\mathsf {crs} \xleftarrow {\$}\mathsf {iOT}.\mathsf {Setup} (1^\lambda )$
$\mathsf {Receiver}_1(\mathsf {crs},\vec {x} \in \{0,1\}^n)$: Compute $(\vec {\mathsf {otr}},\vec {\mathsf {st}}') \xleftarrow {\$}\mathsf {iOT}.\mathsf {OT}_1 (\mathsf {crs},\vec {x})$. Output $\mathsf {z}_1 \xleftarrow {\$}\vec {\mathsf {otr}}$ and $\mathsf {st} \xleftarrow {\$}\vec {\mathsf {st}}'$.
$\mathsf {Sender}(\mathsf {crs},\mathsf {z}_1 = \vec {\mathsf {otr}},\mathsf {C})$:
- Compute $(\widehat{\mathsf {C}},\vec {\mathsf {lb}}^0,\vec {\mathsf {lb}}^1) \xleftarrow {\$}\mathsf {Garble} (1^\lambda ,\mathsf {C})$
- Compute $\vec {\mathsf {ots}} \xleftarrow {\$}\mathsf {iOT}.\mathsf {OT}_2 (\mathsf {crs},\vec {\mathsf {otr}},\vec {\mathsf {lb}}^0,\vec {\mathsf {lb}}^1)$.
- Output $\mathsf {z}_2 \xleftarrow {\$}(\vec {\mathsf {ots}},\widehat{\mathsf {C}})$.
$\mathsf {Receiver}_2(\mathsf {st} = \vec {\mathsf {st}}',\mathsf {z}_2)$:
- Parse $\mathsf {z}_2 = (\vec {\mathsf {ots}},\widehat{\mathsf {C}})$.
- Compute $\vec {\mathsf {lb}} \xleftarrow {\$}\mathsf {iOT}.\mathsf {OT}_3 (\vec {\mathsf {st}}',\vec {\mathsf {ots}})$
- Compute $\mathsf {m}\xleftarrow {\$}\mathsf {Eval}(\widehat{\mathsf {C}},\vec {\mathsf {lb}})$.
- Output $\mathsf {m}$

Correctness. We will briefly argue that the scheme is correct. Thus, let $\mathsf {crs} \xleftarrow {\$}\mathsf {iOT}.\mathsf {Setup} (1^\lambda )$ and $(\vec {\mathsf {otr}},\vec {\mathsf {st}}) \xleftarrow {\$}\mathsf {iOT}.\mathsf {OT}_1 (\mathsf {crs},\vec {x})$. Further let $(\widehat{\mathsf {C}},\vec {\mathsf {lb}}^0,\vec {\mathsf {lb}}^1) \xleftarrow {\$}\mathsf {Garble} (1^\lambda ,\mathsf {C})$ and $\vec {\mathsf {ots}} \xleftarrow {\$}\mathsf {iOT}.\mathsf {OT}_2 (\mathsf {crs},\vec {\mathsf {otr}},\vec {\mathsf {lb}}^0,\vec {\mathsf {lb}}^1)$. By the correctness of iOT it holds that

$$ \vec {\mathsf {lb}} = \mathsf {iOT}.\mathsf {OT}_3 (\vec {\mathsf {st}},\vec {\mathsf {ots}}) = \mathsf {GarbleInput} (\vec {\mathsf {lb}}^0,\vec {\mathsf {lb}}^1,\vec {x}). $$

Furthermore, by the correctness of the garbling scheme $(\mathsf {Garble},\mathsf {Eval})$ it holds that

$$ m = \mathsf {Eval}(\widehat{\mathsf {C}},\vec {\mathsf {lb}}) = \mathsf {Eval}(\widehat{\mathsf {C}},\mathsf {GarbleInput} (\vec {\mathsf {lb}}^0,\vec {\mathsf {lb}}^1,\vec {x})) = \mathsf {C}(\vec {x}), $$

and we get that $\mathsf {wSFE}$ is correct.

Receiver Privacy. We will first establish receiver privacy of $\mathsf {wSFE}$.

Theorem 11

Assume that $\textsf {iOT}$ has receiver indistinguishability security. The $\mathsf {wSFE}$ has receiver privacy.

The proof can be found in the full version of the paper.

Sender Privacy. We will now proceed to show sender privacy of $\mathsf {wSFE}$ against malicious receivers.

Theorem 12

Assuming that $\textsf {iOT}$ has indistinguishability sender privacy and that $(\mathsf {Garble},\mathsf {Eval})$ is a simulation secure garbling scheme, it holds that $\mathsf {wSFE}$ has sender privacy.

The proof can be found in the full version of the paper.

7 Sender-UC OT from wSFE

In this section we will provide a two-round OT protocol with sender’s UC security and receiver’s indistinguishability security from any CPA-secure PKE and a two-round wSFE for a specific class of functions.

Let $\mathsf {PKE}:= (\mathsf {KeyGen}, \mathsf {E}, \mathsf {Dec})$ be a PKE scheme and let $\mathsf {wSFE}$ be a two-round wSFE, i.e. $\mathsf {wSFE}:= (\mathsf {Setup}, \mathsf {Receiver}_1, \mathsf {Sender},\mathsf {Receiver}_2)$, for a function class $\mathcal {F}$ defined as follows: any function in this class is of the form $\mathsf {C}[\mathsf {pk},\mathsf {ct},\mathsf {m}_0,\mathsf {m}_1] $, parameterized over a public key $\mathsf {pk} $, a ciphertext $\mathsf {ct}$ and two messages $\mathsf {m}_0$ and $\mathsf {m}_1$, and is defined as follows:

$\mathsf {C}[\mathsf {pk},\mathsf {ct},\mathsf {m}_0,\mathsf {m}_1](b,\mathsf {r})$: If $\mathsf {PKE}.\mathsf {E}(\mathsf {pk},b;\mathsf {r}) = \mathsf {ct}$, output $\mathsf {m}_b$; otherwise $\bot $.

Construction 13

(Sender-UC OT). The OT-protocol is based on the above two primitives $\mathsf {PKE}$ and $\mathsf {wSFE}$, and is described as follows.

$\mathsf {Setup} (1^\lambda )$: Compute $\mathsf {crs} ' \xleftarrow {\$}\mathsf {wSFE}.\mathsf {Setup} (1^\lambda )$ and $(\mathsf {pk},\mathsf {sk}) \xleftarrow {\$}\mathsf {PKE}.\mathsf {KeyGen} (1^\lambda )$. Output $\mathsf {crs}:= (\mathsf {crs} ',\mathsf {pk})$.
$\mathsf {OT}_1 (\mathsf {crs} = (\mathsf {crs} ',\mathsf {pk}),b)$: Choose $\mathsf {r}\xleftarrow {\$}\{0,1\}^\lambda $ and compute $\mathsf {ct}\xleftarrow {\$}\mathsf {PKE}.\mathsf {E}(\mathsf {pk},b;\mathsf {r})$. Set $\vec {x} := (b,r)$ and compute $(\mathsf {z}_1, \mathsf {st}) \xleftarrow {\$}\mathsf {wSFE}.\mathsf {Receiver}_1(\mathsf {crs} ',\vec {x})$. Output $\mathsf {otr}:= (\mathsf {ct},\mathsf {z}_1)$ as the OT message and $\mathsf {st} $ as the private state.
$\mathsf {OT}_2 (\mathsf {crs}, \mathsf {otr},\mathsf {m}_0,\mathsf {m}_1)$: Parse $\mathsf {crs} = (\mathsf {crs} ',\mathsf {pk})$, $\mathsf {otr} = (\mathsf {ct},\mathsf {z}_1)$ and compute $\mathsf {z}_2 \xleftarrow {\$}\mathsf {wSFE}.\mathsf {Sender}(\mathsf {crs} ',\mathsf {C}[\mathsf {pk},\mathsf {ct},\mathsf {m}_0,\mathsf {m}_1] , \mathsf {z}_1)$. Output $\mathsf {ots}:= \mathsf {z}_2$.
$\mathsf {OT}_3 (\mathsf {st},\mathsf {ots})$: Let $\mathsf {z}_2 := \mathsf {ots} $. Compute and output $\mathsf {Receiver}_2(\mathsf {st}, \mathsf {z}_2)$.

Theorem 14

Assuming $\mathsf {PKE}$ is CPA-secure and perfectly correct (Definition 3), and that $\mathsf {wSFE}$ satisfies correctness, receiver privacy and sender privacy (Definition 10), then the OT given in Construction 13 provides receiver’s indistinguishability security and sender’s UC security.

The proof can be found in the full version of the paper.

Finally, we mention that the OT protocol constructed in Construction 13 satisfies a receiver-extractability property, which was (implicitly) used in the proof of sender’s UC security. Since we will use this definition later, we formalize it below.

Definition 15

We say that an OT protocol $(\mathsf {Setup}, \mathsf {OT}_1, \mathsf {OT}_2, \mathsf {OT}_3)$ has receiver extractability if the setup algorithm $\mathsf {Setup} (1^\lambda )$ in addition to $\mathsf {crs} $ also outputs a trapdoor key $\sigma $ and if there is a PPT algorithm $\mathsf {Extract} $, for which the following holds: for any stateful PPT adversary $\mathcal {A} := (\mathcal {A}_1, \mathcal {A}_2)$, assuming $(\mathsf {m}_0, \mathsf {m}_1, \mathsf {otr}) \xleftarrow {\$}\mathcal {A}_1(\mathsf {crs})$ and $b = \mathsf {Extract} (\sigma , \mathsf {otr})$, then $\mathcal {A}_2$ cannot distinguish between the outputs of $\mathsf {OT}_2 (\mathsf {crs}, \mathsf {otr}, (\mathsf {m}_0, \mathsf {m}_1))$ and $\mathsf {OT}_2 (\mathsf {crs}, \mathsf {otr}, (\mathsf {m}_{b}, \mathsf {m}_{b}))$.

8 2-Round ZK from Sender-UC OT and $\varSigma $-Protocols

In this section we give a two-round (statement-independent) ZK protocol against malicious verifiers in the CRS model based on a special type of $\varSigma $-protocols and an OT with sender’s UC-security and receiver’s indistinguishability security.

We first start by defining the properties we require of our $\varSigma $-protocol, and will then define the notion of statement-independent ZK protocols that we would like to achieve. Our notion of $\varSigma $-protocols is what Holmgren and Lombardi [HL18] called extractable $\varSigma $-protocols, defined as follows.

Definition 16

(Extractable $\varSigma $-protocols [HL18]). A CRS-based $\varSigma $-protocol $(\mathsf {Setup}, \mathsf {P}, \mathsf {V}, \mathsf {Extract}, \mathsf {Sim})$ for a language $\mathsf {L} \in \mathsf {NP} $ is a three-round argument system between a prover $\mathsf {P}:= (\mathsf {P}_1, \mathsf {P}_2)$ and a verifier $\mathsf {V}$, where the prover is the initiator of the protocol and where the verifier’s only message is a random bit $b \in \{0,1\}$. The setup algorithm $(\mathsf {crs}, \sigma ) \xleftarrow {\$}\mathsf {Setup} (1^\lambda )$ returns a CRS value $\mathsf {crs} $ together with an associated trapdoor key $\sigma $. The trapdoor key $\sigma $ will only play a role in the extractability requirement. We require the following properties:

Completeness: For all $\lambda $, all $(\mathsf {x}, \mathsf {w}) \in \mathsf {R}$ (where $\mathsf {R}$ is the underlying relation), we have $\Pr [\mathsf {V}(\mathsf {crs}, \mathsf {x}, \mathsf {a}, b, \mathsf {z}) = 1] = 1$, where the probability is taken over $(\mathsf {crs}, \sigma ) \xleftarrow {\$}\mathsf {Setup} (1^\lambda )$, $(\mathsf {a}, \mathsf {st}) \xleftarrow {\$}\mathsf {P}_1(\mathsf {crs}, \mathsf {x}, \mathsf {w})$, $b \xleftarrow {\$}\{0,1\}$ and $\mathsf {z} \xleftarrow {\$}\mathsf {P}_2(\mathsf {st}, b)$.
Special soundness and extractability: For any value $\mathsf {crs} $ generated as $(\mathsf {crs}, \sigma ) \xleftarrow {\$}\mathsf {Setup} (1^\lambda )$, any $\mathsf {x}\notin \mathsf {L}$ and any (possibly malicious) first-round message $\mathsf {a}$, there exists at most one $b \in \{0,1\}$ for which there exists $\mathsf {z}$ such that $\mathsf {V}(\mathsf {crs}, \mathsf {x}, \mathsf {a}, b, \mathsf {z}) = 1$. Moreover, for such parameters, this unique value of b (if any) can be computed efficiently as $\mathsf {Extract} (\sigma , \mathsf {x}, \mathsf {a})$.
Honest-verifier zero knowledge: For any value $\mathsf {crs} $ generated as $(\mathsf {crs}, \sigma ) \xleftarrow {\$}\mathsf {Setup} (1^\lambda )$, any $b \in \{0,1\}$ and any $(\mathsf {x}, \mathsf {w}) \in \mathsf {R}$:
(1)
where $(\mathsf {a}, \mathsf {st}) \xleftarrow {\$}\mathsf {P}_1(\mathsf {crs}, \mathsf {x}, \mathsf {w})$, $\mathsf {z} \xleftarrow {\$}\mathsf {P}_2(\mathsf {st}, b)$ and $(\mathsf {a}', \mathsf {z}') \xleftarrow {\$}\mathsf {Sim}(\mathsf {crs}, \mathsf {x}, b)$.

We will now define out notion of CRS-based two-round statement-independent ZK. Informally, a two-round ZK protocol is statement-independent if the verifier’s message in the protocol is independent of the statement being proven.

Definition 17

(Two-round statement-independent zero knowledge). A two-round zero-knowledge argument system for a language $\mathsf {L} \in \mathsf {NP} $ with a corresponding relation $\mathsf {R}$ in the CRS model consists of four PPT algorithms $\mathsf {ZK} = (\mathsf {Setup}, \mathsf {P}, \mathsf {V}:= (\mathsf {V}_1, \mathsf {V}_2), \mathsf {Sim}:= (\mathsf {Sim}_1, \mathsf {Sim}_2))$, defined as follows. The setup algorithm $\mathsf {Setup} $ on input $1^\lambda $ outputs a value $\mathsf {crs} $. The verifier algorithm $\mathsf {V}_1(\mathsf {crs})$ on input $\mathsf {crs} $ returns a message $\mathsf {msgv} $ together with a private state $\mathsf {st} $. We stress that the verifier does not take as input any statement $\mathsf {x}$, hence the “statement-independent” name. The prover algorithm $\mathsf {P}(\mathsf {crs}, \mathsf {x}, \mathsf {w}, \mathsf {msgv})$ on input $\mathsf {crs} $, a statement $\mathsf {x}$ with a corresponding witness $\mathsf {w}$ and a verifier’s message $\mathsf {msgv} $, outputs a message $\mathsf {msgp} $. Finally, the algorithm $\mathsf {V}_2( \mathsf {st}, \mathsf {x}, \mathsf {msgp})$ outputs a bit b. We require the following properties.

Completeness: For all $(\mathsf {x}, \mathsf {w}) \in \mathsf {L}$ we have $\Pr [\mathsf {V}_2(\mathsf {st}, \mathsf {x}, \mathsf {msgp}) = 1] = 1$, where $\mathsf {crs} \xleftarrow {\$}\mathsf {Setup} (1^\lambda )$, $(\mathsf {msgv}, \mathsf {st}) \xleftarrow {\$}\mathsf {V}_1(\mathsf {crs})$ and $\mathsf {msgp} \xleftarrow {\$}\mathsf {P}(\mathsf {crs}, \mathsf {x}, \mathsf {w}, \mathsf {msgv})$.
Adaptive soundness: No PPT malicious prover can convince an honest verifier of a false statement, even if the statement is chosen adaptively after seeing $\mathsf {crs} $ and the verifier’s (statement-independent) message. Formally, for any PPT adversary $\mathsf {P}^* $ the following holds: $\Pr [\mathsf {V}_2(\mathsf {st}, \mathsf {x}, \mathsf {msgp}) = 1 \wedge \mathsf {x}\notin \mathsf {L}] = \mathsf {negl}(\lambda )$, where $\mathsf {crs} \xleftarrow {\$}\mathsf {Setup} (1^\lambda )$, $(\mathsf {msgv}, \mathsf {st}) \xleftarrow {\$}\mathsf {V}_1(\mathsf {crs})$, $(\mathsf {x}, \mathsf {msgp}) \xleftarrow {\$}\mathsf {P}^*(\mathsf {crs}, \mathsf {msgv})$.
Adaptive Malicious Zero-Knowledge (ZK): Let $\mathsf {V}^* = (\mathsf {V}^*_1,\mathsf {V}^*_2)$ be a stateful two-phase adversary where $\mathsf {V}^*_2$ outputs a bit. Let the experiment $\mathsf {Exp}_{\mathrm {ZK}}(\mathsf {V}^*)$ be defined as follows:
1. 1.
  Choose $b \xleftarrow {\$}\{0,1\}$
2. 2.
  If $b = 0$, sample $\mathsf {crs} \xleftarrow {\$}\mathsf {Setup} (1^\lambda )$. Else, sample $(\mathsf {crs}, \sigma ) \xleftarrow {\$}\mathsf {Sim}_1(1^\lambda )$.
3. 3.
  Let $(\mathsf {x}, \mathsf {w}, \mathsf {msgv}) \xleftarrow {\$}\mathsf {V}^*_1(\mathsf {crs})$. If $\mathsf {R}(\mathsf {x}, \mathsf {w}) = 0$, then halt.
4. 4.
  If $b = 0$, let $\mathsf {msgp} \xleftarrow {\$}\mathsf {P}(\mathsf {crs}, \mathsf {x}, \mathsf {w}, \mathsf {msgv})$. Else, let $\mathsf {msgp} \xleftarrow {\$}\mathsf {Sim}_2(\sigma , \mathsf {x}, \mathsf {msgv})$.
5. 5.
  Compute $b' \xleftarrow {\$}\mathsf {V}^*_2(\mathsf {msgp})$.
6. 6.
  If $b' = b$ output 1, otherwise 0.
Define $\mathsf {Adv}_{\mathrm {ZK}}(\mathsf {V}^*) = |\Pr [\mathsf {Exp}_{\mathrm {ZK}}(\mathsf {V}^*) = 1] - 1/2|$. We say that the scheme is zero-knowledge if for all PPT adversaries $\mathsf {V}^*$, $\mathsf {Adv}_{\mathrm {ZK}}(\mathsf {V}^*) = \mathsf {negl}(\lambda )$.

Construction 18

(Two-round ZK). Let $\mathsf {OT}:= (\mathsf {Setup},\mathsf {OT}_1,\mathsf {OT}_2,\mathsf {OT}_3)$ be an $\mathsf {OT}$ protocol and let $\mathsf {SIGM}:= (\mathsf {Setup}, \mathsf {P}, \mathsf {V}, \mathsf {Extract}, \mathsf {Sim})$ be an extractable $\varSigma $-protocol for a language $\mathsf {L} \in \mathsf {NP} $ (Definition 16). We give a two-round ZK protocol $\mathsf {ZK}:= (\mathsf {Setup}, \mathsf {P}, \mathsf {V}:= (\mathsf {V}_1, \mathsf {V}_2))$ for $\mathsf {L} $ as follows. The construction is parameterized over a polynomial $r := r(\lambda )$, which we will instantiate in the soundness proof.

$\mathsf {ZK}.\mathsf {Setup} (1^\lambda )$: Run $\mathsf {crs} _{\mathrm {ot}} \xleftarrow {\$}\mathsf {OT}.\mathsf {Setup} (1^\lambda )$ and $(\mathsf {crs} _{\mathrm {sig}}, \sigma ) \xleftarrow {\$}\mathsf {SIGM}.\mathsf {Setup} (1^\lambda ) $. Return $\mathsf {crs}:= (\mathsf {crs} _{\mathrm {ot}}, \mathsf {crs} _{\mathrm {sig}})$.
$\mathsf {ZK}.\mathsf {V}_1(\mathsf {crs}:= (\mathsf {crs} _{\mathrm {ot}}, \mathsf {crs} _{\mathrm {sig}}) )$: For each $i \in [r]$, sample $b_i \xleftarrow {\$}\{0,1\}$. Let $(\vec {\mathsf {otr}} , \vec {\mathsf {st}}_{\mathrm {ot}}) \xleftarrow {\$}\mathsf {OT} _1(\mathsf {crs} _{\mathrm {ot}} , \vec {b}) $, where $\vec {b} := (b_1, \dots , b_r)$. Return $(\mathsf {msgv}, \mathsf {st})$, where $\mathsf {msgv}:= \vec {\mathsf {otr}}$ is the message to the prover $\mathsf {P}$, and $\mathsf {st}:= (b_1, \dots , b_r, \vec {\mathsf {st}}_{\mathrm {ot}})$ is the private state.
$\mathsf {ZK}.\mathsf {P}(\mathsf {crs}:= (\mathsf {crs} _{\mathrm {ot}}, \mathsf {crs} _{\mathrm {sig}}) , \mathsf {x}, \mathsf {w}, \mathsf {msgv})$: For each $i \in [r]$ sample $(\mathsf {a}_i , \mathsf {sts}_i) \xleftarrow {\$}\mathsf {SIGM}.\mathsf {P}_1(\mathsf {crs} _{\mathrm {sig}},\mathsf {x}, \mathsf {w})$. For each $i \in [r]$ and $b \in \{0,1\}$, form $\mathsf {z}_{i, b} \xleftarrow {\$}\mathsf {SIGM}.\mathsf {P}_2(\mathsf {sts}_i , b) $, which is the prover’s last message in the $\varSigma $-protocol when his first message was $\mathsf {a}_i$ and when the verifier’s challenge bit is b. Return $\mathsf {msgp}:= (\vec {\mathsf {a}} , \mathsf {OT} _2(\mathsf {crs} _{\mathrm {ot}}, \vec {\mathsf {otr}} , \vec {\mathsf {z}_0} , \vec {\mathsf {z}_1} ))$, where $\vec {\mathsf {a}} := (\mathsf {a}_1, \dots , \mathsf {a}_r)$, $\vec {\mathsf {z}_0} := (\mathsf {z}_{1,0} , \dots , \mathsf {z}_{r,o})$ and $\vec {\mathsf {z}_1} := (\mathsf {z}_{1,1} , \dots , \mathsf {z}_{r,1})$.
$\mathsf {ZK}.\mathsf {V}_2(\mathsf {st}, \mathsf {x}, \mathsf {msgp})$: Parse $\mathsf {st}: = (b_1, \dots , b_r, \vec {\mathsf {st}}_{\mathrm {ot}})$, $\mathsf {msgp}:= (\vec {\mathsf {a}} , \vec {\mathsf {ots}}) $ and $\vec {\mathsf {a}} := (\mathsf {a}_1, \dots , \mathsf {a}_r) $. Let $(\mathsf {z}_1, \dots , \mathsf {z}_r) = \mathsf {OT} _3(\vec {\mathsf {st}}_{\mathrm {ot}} , \vec {\mathsf {ots}} )$. Return 1 if for all $i \in [r]$: $\mathsf {SIGM}.\mathsf {V}(\mathsf {crs} _{\mathrm {sig}}, \mathsf {x}, \mathsf {a}_i, b_i, \mathsf {z}_i) = 1$. Otherwise, return 0.

Theorem 19

Assuming that $\mathsf {SIGM}:= (\mathsf {Setup}, \mathsf {P}, \mathsf {V}, \mathsf {Extract}, \mathsf {Sim})$ is an extractable $\varSigma $-protocol for a language $\mathsf {L}$ (Definition 16) and $\mathsf {OT}:= (\mathsf {Setup},\mathsf {OT}_1,\mathsf {OT}_2,\mathsf {OT}_3)$ provides sender’s UC-security and receiver’s indistinguishability security, then the protocol $\mathsf {ZK} $ given in Construction 18 satisfies completeness, adaptive soundness and adaptive malicious zero knowledge for $\mathsf {L}$.

The proof can be found in the full version of the paper.

9 UC-Secure OT from Sender-UC OT and Zero Knowledge

We will now show how to build a UC-secure OT scheme (with both receiver’s and sender’s UC security) from the combination of a CPA-secure PKE scheme, a CRS-based two-round statement-independent ZK protocol, and a two-round OT scheme with sender’s UC-security and receiver’s indistinguishability security.

Let $\mathsf {PKE}:= (\mathsf {KeyGen}, \mathsf {E}, \mathsf {Dec})$ be the PKE scheme, $(\mathsf {Setup}, \mathsf {OT}_1, \mathsf {OT}_2, \mathsf {OT}_3)$ be the base two-round OT scheme and $\mathsf {ZK} = (\mathsf {Setup}, \mathsf {P}, \mathsf {V}:= (\mathsf {V}_1, \mathsf {V}_2), \mathsf {Sim}:= (\mathsf {Sim}_1, \mathsf {Sim}_2))$ be a two-round statement-independent ZK protocol for the language $\mathsf {L}_{\mathsf {pk}, \mathsf {crs} _{\mathrm {ot}}, \mathsf {otr}} \in \mathsf {NP} $, parameterized over a public key $\mathsf {pk} $ of the PKE scheme, a CRS value $\mathsf {crs} _{\mathrm {ot}}$ of the OT scheme and an OT-receiver’s message $\mathsf {otr} $, defined as follows:

$$\begin{aligned}&\mathsf {L}_{\mathsf {pk}, \mathsf {crs} _{\mathrm {ot}}, \mathsf {otr}} = \big \{(\mathsf {ct}_0, \mathsf {ct}_1, \mathsf {ots}) \mid \exists (\mathsf {m}_0, \mathsf {m}_1, \mathsf {r}_0, \mathsf {r}_1, \mathsf {r}) \text { s.t. } \nonumber \\&\quad \mathsf {ct}_0 = \mathsf {E}(\mathsf {pk}, \mathsf {m}_0 ; \mathsf {r}_0), \mathsf {ct}_1 = \mathsf {E}(\mathsf {pk}, \mathsf {m}_1 ; \mathsf {r}_1), \mathsf {ots} = \mathsf {OT}_2 (\mathsf {crs} _{\mathrm {ot}}, \mathsf {otr}, \mathsf {m}_0, \mathsf {m}_1 ; \mathsf {r}) \big \}. \end{aligned}$$

(2)

Construction 20

(UC-secure OT). We build $\mathsf {OT} ' := (\mathsf {Setup} ', \mathsf {OT}_1 ', \mathsf {OT}_2 ', \mathsf {OT}_3 ')$ from the above primitives as follows.

$\mathsf {Setup} '(1^\lambda )$: Sample $(\mathsf {pk}, \mathsf {sk}) \xleftarrow {\$}\mathsf {PKE}.\mathsf {Gen}(1^\lambda )$, $\mathsf {crs} _{\mathrm {ot}} \xleftarrow {\$}\mathsf {OT}.\mathsf {Setup} (1^\lambda )$ and $\mathsf {crs} _{\mathrm {zk}} \xleftarrow {\$}\mathsf {ZK}.\mathsf {Setup} (1^\lambda )$. Output $\mathsf {crs}:= (\mathsf {pk}, \mathsf {crs} _{\mathrm {ot}} , \mathsf {crs} _{\mathrm {zk}})$.
$\mathsf {OT}_1 '(\mathsf {crs}, b)$: Parse $\mathsf {crs}:= (\mathsf {pk}, \mathsf {crs} _{\mathrm {ot}} , \mathsf {crs} _{\mathrm {zk}})$. Sample $(\mathsf {otr}, \mathsf {st} _{\mathrm {ot}}) \xleftarrow {\$}\mathsf {OT}_1 (\mathsf {crs} _{\mathrm {ot}} , b)$ and $(\mathsf {msgv}, \mathsf {st} _{\mathrm {zk}}) \xleftarrow {\$}\mathsf {ZK}.\mathsf {V}_1(\mathsf {crs} _{\mathrm {zk}})$. Output $\mathsf {otr} ' := (\mathsf {otr}, \mathsf {msgv})$ as the message to the sender and output $\mathsf {st}:= (\mathsf {st} _{\mathrm {ot}}, \mathsf {st} _{\mathrm {zk}})$ as the private state.
$\mathsf {OT}_2 ' (\mathsf {crs}, \mathsf {otr} ' , \mathsf {m}_0, \mathsf {m}_1)$: Parse $\mathsf {crs}:= (\mathsf {pk}, \mathsf {crs} _{\mathrm {ot}} , \mathsf {crs} _{\mathrm {zk}})$ and $\mathsf {otr} ' := (\mathsf {otr}, \mathsf {msgv})$. Sample $\mathsf {r}, \mathsf {r}_0, \mathsf {r}_1 \xleftarrow {\$}\{0,1\}^*$. Let $\mathsf {ct}_0 := \mathsf {E}(\mathsf {pk}, \mathsf {m}_0 ; \mathsf {r}_0)$, $\mathsf {ct}_1 = \mathsf {E}(\mathsf {pk}, \mathsf {m}_1 ; \mathsf {r}_1)$, and $\mathsf {ots} = \mathsf {OT}_2 (\mathsf {crs} _{\mathrm {ot}}, \mathsf {otr}, \mathsf {m}_0, \mathsf {m}_1 ; \mathsf {r})$. Set $\mathsf {x}:= (\mathsf {ct}_0, \mathsf {ct}_1, \mathsf {ots}) $ and $\mathsf {w}:= (\mathsf {m}_0, \mathsf {m}_1, \mathsf {r}_0, \mathsf {r}_1, \mathsf {r})$. Output $\mathsf {ots} ' := (\mathsf {ct}_0, \mathsf {ct}_1 , \mathsf {ots}, \mathsf {msgp})$, where $\mathsf {msgp} \xleftarrow {\$}\mathsf {ZK}.\mathsf {P}(\mathsf {crs} _{\mathrm {zk}} , \mathsf {x}, \mathsf {w}, \mathsf {msgv})$.
$\mathsf {OT}_3 '(\mathsf {st}, \mathsf {ots} ')$: Parse $\mathsf {st}:= (\mathsf {st} _{\mathrm {ot}}, \mathsf {st} _{\mathrm {zk}})$, $\mathsf {ots} ' := (\mathsf {ct}_0, \mathsf {ct}_1, \mathsf {ots}, \mathsf {msgp})$ and let $\mathsf {x}:= (\mathsf {ct}_0, \mathsf {ct}_1, \mathsf {ots}) $. If $\mathsf {ZK}.\mathsf {V}_2(\mathsf {st} _{\mathrm {zk}} , \mathsf {x}, \mathsf {msgp}) \ne 1$, then return $\bot $. Otherwise, return $\mathsf {OT}_3 (\mathsf {st} _{\mathrm {ot}}, \mathsf {ots})$.

Theorem 21

Assuming that $\mathsf {OT} \!:=\! (\mathsf {Setup},\mathsf {OT}_1,\mathsf {OT}_2,\mathsf {OT}_3)$ provides sender’s UC-security and receiver’s indistinguishability security, that $\mathsf {PKE}\!:=\! (\mathsf {KeyGen}, \mathsf {E}, \mathsf {Dec})$ is a CPA-secure scheme, and that $\mathsf {ZK} $ is a two-round ZK protocol for the language $\mathsf {L}$ described in Eq. 2, then the OT protocol $\mathsf {OT} '$ given in Construction 20 satisfies completeness and UC security.

The proof can be found in the full version of the paper.

10 Instantiations from CDH and LPN

10.1 Instantiation from CDH

We first give a construction of elementary OT from CDH. In fact, we show that the construction also already directly satisfies the stronger notion of search OT security. The protocol is given in Fig. 4.

Definition 22

(Computational Diffie-Hellman (CDH) assumption). Let $\mathsf {G}$ be a group-generator scheme, which on input $1^\lambda $ outputs $(\mathbb {G}, p, g)$, where $\mathbb {G}$ is the description of a group, p is the order of the group which is always a prime number and g is a generator of the group. We say that $\mathsf {G}$ is CDH-hard if for any PPT adversary $\mathcal {A}$: $\Pr [\mathcal {A}(\mathbb {G}, p , g, g^{a_1}, g^{a_2}) = g^{a_1 a_2}] = \mathsf {negl}(\lambda ) $, where $(\mathbb {G}, p, g) \xleftarrow {\$}\mathsf {G}(1^\lambda )$ and $a_1, a_2 \xleftarrow {\$}\mathbb {Z}_p$.

Lemma 23

The protocol in Fig. 4 satisfies statistical receiver’s indistinguishability security.

Proof

The distribution of the receiver’s message $h_0=g^rX^{-c}$ is uniformly random over the group $\mathbb {G}$ no matter that the receiver’s bit c is. $\square $

Lemma 24

The protocol in Fig. 4 satisfies sender’s elementary security based on the CDH assumption.

Proof

Let there be a PPT adversary $\mathcal {A}$ that breaks the elementary security of the sender. Then we are able to construct a PPT adversary $\mathcal {B}$ that breaks the CDH assumption. Recall that $\mathcal {A}$ receives a CRS $X=g^x$, sends a group element $h_0$, receives $S=g^{s}$ for a uniform s, and succeeds if he outputs $y_0=h_0^{s}$, $y_1=h_1^{s} = (h_0X)^s$. Our adversary against the CDH assumption receives $\mathbb {G}$, p, g, $A_1:=g^{a_1}$, $A_2:=g^{a_2}$ from his challenger, gives CRS $X:=A_1$ to $\mathcal {A}$, receives $h_0$, gives $S:=A_2$ to $\mathcal {A}$, receives $y_0,y_1$ and outputs $y_1/y_0$. If $\mathcal {A}$ succeeds then $y_0=h_0^{s} = h_0^{a_2}$, $y_1=h_1^{s}=(h_0X)^{s}=h_0^{b}A_1^{a_2} = h_0^{a_2}g^{a_1a_2}$ and therefore $y_1/y_0 = g^{a_1a_2}$, meaning that $\mathcal {B}$ succeeds in solving CDH. $\square $

The above two lemmas already show that the scheme in Fig. 4 is a elementary OT scheme and we can then rely on our black-box transformations from the previous sections to then get UC secure OT under CDH assumption. Therefore, the following Theorem follows as a corollary.

Theorem 25

Under the CDH assumption there exists a 2-round UC OT.

Although the above lemmas already suffice to show the above corollary, we note that we can actually show something stronger about the scheme in Fig. 4. Not only does it satisfy sender’s elementary security, it already also satisfies the stronger notion of sender’s search security. To show this, we implicitly rely on the random self-reducibility of the CDH problem.

Lemma 26

The protocol in Fig. 4 satisfies sender’s search security based on the CDH assumption.

Proof

Let there be an adversary $\mathcal {A}=(\mathcal {A}_1,\mathcal {A}_2)$ with

$$ \Pr _{\mathsf {crs},\mathsf {r}}[\Pr [\mathsf {Exp}^{\mathsf {crs},\mathsf {r},0}_{\mathsf {sOT}\mathsf {iOT}}(\mathcal {A})=1]> \epsilon \text { and } \Pr [\mathsf {Exp}^{\mathsf {crs},\mathsf {r},1}_{\mathsf {sOT}\mathsf {iOT}}(\mathcal {A})=1 ]> \epsilon ] > \epsilon , $$

the we can construct an adversary $\mathcal {A}'$ that solves CDH at least with probability $\epsilon ^3$. $\mathcal {A}'$ receives a CDH challenge $\mathbb {G}, p , g,A_1,A_2$. It sets crs $X:=A_1$, chooses random coins r and invokes $\mathcal {A}_1$ which outputs a state $\mathsf {st} $ and OT message $\mathsf {otr} =h_0$. $\mathcal {A}'$ samples $d_1,d_2\leftarrow \mathbb Z_p$, defines $S_{0}:=A_2\cdot g^{d_1}$, $S_{1}:=A_2\cdot g^{d_2}$ and invokes for $i\in \{0,1\}$ $\mathcal {A}_2(\mathsf {st},S_{i},i)$ which outputs $y_i$. $\mathcal {A}'$ returns solution $(h_0^{d_1}\cdot y_1)/(h_0^{d_2}\cdot y_0\cdot A_1^{d_2})$ to the CDH challenger.

With probability $\epsilon $, crs X and random coins r are good, i.e. $\Pr [\mathsf {Exp}^{\mathsf {crs},\mathsf {r},0}_{\mathsf {sOT}\mathsf {iOT}}(\mathcal {A})=1]> \epsilon $ and $\Pr [\mathsf {Exp}^{\mathsf {crs},\mathsf {r},1}_{\mathsf {sOT}\mathsf {iOT}}(\mathcal {A})=1]> \epsilon $. We condition on that being the case. Since $S_{0}$ and $S_{1}$ are independent, it holds with probability $\epsilon ^2$ that $\mathcal {A}_2$ is successful for input $(\mathsf {st},S_{0},0)$ and input $(\mathsf {st},S_{1},1)$. Conditioned on that being the case, $y_0=h_0^{s_{0}}=h_0^{a_2+d_1}$ and $y_1=h_1^{s_{1}}=(h_0\cdot A_1)^{d_2+a_2}$. Therefore it holds that the submitted CDH solution is

$$ \frac{h_0^{d_1}\cdot y_1}{h_0^{d_2}\cdot y_0\cdot A_1^{d_1}}=\frac{h_0^{d_1}\cdot (h_0\cdot A_1)^{d_2+a_2}}{h_0^{d_2}\cdot h_0^{a_2+d_1}\cdot A_1^{d_2}}=A_1^{a_2}. $$

Hence, $\mathcal {A}'$ solves CDH with at least probability $\epsilon ^3$. $\square $

10.2 Instantiation from LPN

We now give an instantiation of an elementary OT under the learning parity with noise (LPN) assumption with noise rate $\rho = n^{-\varepsilon }$ for $\varepsilon > \frac{1}{2}$. This protocol only achieves imperfect correctness, with an inverse-polynomial failure probability, but we argue that this is sufficient to get UC OT with negligible error probability.

Definition 27

(Learning Parity with Noise). For a uniform $s\in \mathbb Z_2^n$, oracle $\mathcal O_{\mathsf {LPN}}$ outputs samples of the form a, $z=as+e$, where $a\xleftarrow {\$}\mathbb Z_2^n$ and Bernoulli distributed noise term $e\xleftarrow {\$}\mathcal B_\rho $ for parameter $\rho $. Oracle $\mathcal O_{\mathsf {uniform}}$ outputs uniform samples $a,z\in \mathbb Z^{n}_2\times \mathbb Z_2$. We say Learning with Parity (LPN) for dimension n and noise distribution $\mathcal B_\rho $ is hard iff for any ppt adversary $\mathcal {A}$,

$$ |\Pr [\mathcal {A}^{O_{\mathsf {LPN}}}(1^n)=1]-\Pr [\mathcal {A}^{O_{\mathsf {uniform}}}(1^n)=1]|\le \mathsf {negl}. $$

In the following, we will use a variant of LPN, where the secret is sampled from the noise distribution rather than the uniform distribution and the first sample is errorless. This variant is known to be as hard as standard LPN. The two following lemmata give a more precise relation between LPN and its above described variant.

Lemma 28

([BLP+13], Lemma 4.3). There is an efficient reduction from LPN with dimension n and noise distribution $\mathcal B_\rho $ to LPN where the first sample is errorless with dimension $n-1$ and noise distribution $\mathcal B_\rho $ that reduces the advantage by at most probability $2^{-n}$.

Lemma 29

([ACPS09] Adaptation of Lemma 2). LPN samples of the from $a, as+e$ with uniform $a,s\in \mathbb Z^n_2$ and $e\xleftarrow {\$}\mathcal B_\rho $ can be efficiently transformed into samples $a', a's'+e$, where $s'\xleftarrow {\$}\mathcal B_\rho ^n$ and uniform $a'\in \mathbb Z^n_2$. This also holds when $e=0$, i.e. first is errorless LPN. The same transformation maintains the uniformity of samples in $\mathbb Z^n_2\times \mathbb Z_2$.

Proof

(Proof Sketch). The transformation queries LPN samples $A,z_A=As+e_s$ until $A\in \mathbb Z^{n\times n}_2$ is invertible. Then, $A^{-1},A^{-1}z_{A}=s+A^{-1}e_s$ will allow mapping LPN samples $a,z=as+e$ to samples with secret $s'=e_s$ by computing the new sample $a'=aA^{-1}$, $z+aA^{-1}z_{A}=a's'+e$. In the case where $e=0$, i.e. an errorless LPN sample, the resulting sample will also be errorless. $\square $

Lemma 30

The protocol in Fig. 5 satisfies receiver’s indistinguishability security based on the LPN assumption with dimension n and noise distribution $\mathcal B_\rho $.

Proof

The receiver’s bit c is masked by an LPN sample $Ax+e$. Therefore, distinguishing the case $c=0$ versus $c=1$ is equivalent to breaking LPN. $\square $

Lemma 31

The protocol in Fig. 5 satisfies sender’s elementary OT security based on the LPN assumption with dimension $n-1$ and noise distribution $\mathcal B_\rho $.

Proof

We use a hybrid version of first is errorless LPN with a secret sampled from the noise distribution which is hard based on standard LPN with the same noise distribution and dimension $n-1$, see Lemma 28 and Lemma 29. Hybrid LPN is as hard as standard LPN losing a factor $\frac{1}{\lambda }$ in the advantage.

Let there be a malicious receiver that outputs $y_0,y_1$ with probability $\epsilon >\mathsf {negl}$ then there is a LPN distinguisher $\mathcal {A}$ that breaks hybrid first is errorless LPN with advantage $\epsilon $. $\mathcal {A}$ operates as follows. It receives a LPN challenge $v, A, z_v, Z$ and sets CRS to A, v. After receiving $h_0$, it sends Z to the malicious receiver and obtains $y_0,y_1$. If $y_0+y_1=z_v$ it outputs 1 otherwise 0.

Let $Z=SA+E$, $z_v=Sv$, then $\mathcal {A}$ faithfully simulates the actual protocol. With probability $\epsilon $, the malicious receiver will output $(y_0,y_1)=(Sh_0,Sh_1)$. In this case $y_0+y_1=Sv$ equals $z_v$ and $\mathcal {A}$ will output 1. In the uniform case, i.e. $Z_A$ and $z_v$ are uniform, hence the malicious receiver can output $y_0,y_1$ such that $y_0+y_1=z_v$ at most with probability $2^{-\lambda }$. Hence $\mathcal {A}$ breaks LPN with advantage $\frac{\epsilon }{\lambda }-2^{-\lambda }>\mathsf {negl}$. $\square $

Lemma 32

(Imperfect Correctness). Let a sender and a receiver interact in the protocol in Fig. 5 with parameter $\rho \le \frac{1}{n ^{\epsilon }}$, for constant $1>\epsilon >\frac{1}{2}$. Then with overwhelming probability $1 -\mathsf {negl}(\lambda )$ over the coins of the receiver (i.e., x, e) we have the following probability of correctness over the coins of the sender (i.e., S, E):

$$ \Pr _{S,E}[Sh_{c}=Zx]\ge 1-4\lambda n^{1-2\epsilon } , $$

where $4\lambda n^{1-2\epsilon }$ can be an arbitrary $\frac{1}{\mathsf {poly}(\lambda )}$ for a suitable choice of $n=\mathsf {poly}(\lambda )$.

Proof

The protocol is correct iff the receivers output Zx matches the senders output $Sh_{c}$. By construction, $Zx=SAx+Ex$, whereas $Sh_{c}=SAx+Se$. Hence correctness holds when $Ex-Se=0$.

By Chernoff,

$$ \Pr [|x|>2\rho n \vee |e|>2\rho n]\le 2e^{-\frac{\rho n}{3}}, $$

which is negligible for $\epsilon <1$. Given that $|x|\le 2 \rho n$, for all rows $e_i$ of E, $e_ix$ is distributed as the sum of at most $2\rho n$ Bernoulli variables with parameter $\rho $. Hence, by a union bound over the $2\rho n$ variables $\Pr _{e_i}[e_ix=1]\le 2\rho ^2 n$. Using another union bound over all $\lambda $ rows yields $\Pr _{E}[Ex\ne 0\in \mathbb {Z}_2^{\lambda }]\le 2\lambda \rho ^2 n$. Because of symmetry,

$$ \Pr _{E,S}[Ex-Se=0]\ge 1-4\lambda \rho ^2 n. $$

$\square $

Dealing with Imperfect Correctness. The above gives us an elementary OT scheme with imperfect correctness under LPN: with overwhelming probability over the coins of the receiver, we have a $1/p(\lambda )$ error-probability over the coins of the sender, where we can choose $p(\lambda )$ to be an arbitrary polynomial. For concreteness we set $p(\lambda ) = \lambda ^2$, so the error probability is $1/\lambda ^2$. We outline how to leverage the series of generic transformations from the previous sections to get UC OT with a negligible correctness error. This requires only minor modifications throughout.

Elementary OT $\rightarrow $ Search OT (Theorem 7): This transformation performs a $\lambda $-wise parallel repetition on the sender message and therefore, by the union bound, increases the correctness error from $1/\lambda ^2$ to $1/\lambda $. Security is unaffected.
Search OT $\rightarrow $ bit-iOT (Theorem 8): This transformation preserves the correctness error of $1/\lambda $. Security is unaffected.
bit-iOT $\rightarrow $ string iOT (Theorem 9): Here, we can modify the transformation slightly and first encode the strings using an error-correcting code and have the receiver apply error correction. Since each bit has an independent error probability of $1/\lambda $, we can set the parameters of the error-correcting code to get an exponentially small error probability, say $2^{-2\lambda }$. Security is unaffected by this modification.
Imperfect $\rightarrow $ Perfect Correctness: The above gives a scheme where, with overwhelming probability over the receiver’s coins, we have a $2^{-2\lambda }$ error probability over the sender’s coins. However, our definition of OT correctness in Sect. 4.1 requires a stronger notion of perfect correctness: with overwhelming over the receiver’s coins and the CRS, all choices of the sender coins yield the correct output. This is needed in two places: (1) In the construction of 2-round ZK arguments (Theorem 19), we rely on extractable commitments, which in turn require a PKE with perfect correctness (Definition 3). Constructing PKE from OT requires the same perfect correctness for the OT. (2) In the construction of UC OT from Sender-UC OT and ZK (Theorem 21) we also need the underlying Sender-UC OT to have perfect correctness. This is because we rely on the fact that if a malicious sender computes the second-round OT message correctly with some choice of random coins (which he proves via the ZK argument), then the receiver gets the correct value. We can generically achieve such perfect correctness, using an idea similar to the one behind Naor’s commitments [Nao90]. We add an additional random value $r^*$ to the CRS. The sender computes his second-round OT message by relying on a pseudorandom generator G and setting the random coins to be $G(s) \oplus r^*$ where s is small seed of length (e.g.,) $\lambda $. By a counting argument, with overwhelming probability over $r^*$ and the receiver’s random coins, there is no choice of the sender’s coins s that results in an error. Security is preserved by relying on the security of the PRG.

Combining the above, the following theorem follows as a corollary.

Theorem 33

Under the LPN assumption with noise rate $\rho = n^{-\varepsilon }$ for $\varepsilon > \frac{1}{2}$ there exists a 2-round UC OT.

Notes

1.
Although we achieve UC security, it does not appear that achieving stand-alone security would make our solutions significantly simpler.
2.
This is marginally stronger than the variant used in constructing public-key encryption due to Alekhnovich [Ale03], which relies on a noise-rate $1/\varTheta (n^{1/2})$.
3.
Some variants of two-round OT do not need a CRS. In this case, we will assume $\mathsf {Setup} $ as the identity function.

References

Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_35
Chapter Google Scholar
Aiello, B., Ishai, Y., Reingold, O.: Priced oblivious transfer: how to sell digital goods. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 119–135. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_8
Chapter Google Scholar
Alekhnovich, M.: More on average case vs approximation complexity. In: 44th FOCS, Cambridge, MA, USA, 11–14 October 2003, pp. 298–307. IEEE Computer Society Press (2003)
Google Scholar
Brakerski, Z., Döttling, N.: Two-message statistically sender-private OT from LWE. In: Beimel, A., Dziembowski, S. (eds.) TCC 2018, Part II. LNCS, vol. 11240, pp. 370–390. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03810-6_14
Chapter Google Scholar
Badrinarayanan, S., Garg, S., Ishai, Y., Sahai, A., Wadia, A.: Two-message witness indistinguishability and secure computation in the plain model from new assumptions. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017, Part III. LNCS, vol. 10626, pp. 275–303. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_10
Chapter MATH Google Scholar
Benhamouda, F., Lin, H.: k-round multiparty computation from k-round oblivious transfer via garbled interactive circuits. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part II. LNCS, vol. 10821, pp. 500–532. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_17
Chapter Google Scholar
Brakerski, Z., Langlois, A., Peikert, C., Regev, O., Stehlé, D.: Classical hardness of learning with errors. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, Palo Alto, CA, USA, 1–4 June 2013, pp. 575–584. ACM Press (2013)
Google Scholar
Brakerski, Z., Lombardi, A., Segev, G., Vaikuntanathan, V.: Anonymous IBE, leakage resilience and circular security from new assumptions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part I. LNCS, vol. 10820, pp. 535–564. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78381-9_20
Chapter Google Scholar
Bellare, M., Micali, S.: Non-interactive oblivious transfer and applications. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 547–557. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_48
Chapter Google Scholar
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd FOCS, Las Vegas, NV, USA, 14–17 October 2001, pp. 136–145. IEEE Computer Society Press (2001)
Google Scholar
Cachin, C., Crépeau, C., Marcil, J.: Oblivious transfer with a memory-bounded receiver. In: 39th FOCS, Palo Alto, CA, USA, 8–11 November 1998, pp. 493–502. IEEE Computer Society Press (1998)
Google Scholar
Canetti, R., Halevi, S., Steiner, M.: Hardness amplification of weakly verifiable puzzles. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 17–33. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_2
Chapter MATH Google Scholar
Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally composable two-party and multi-party secure computation. In: 34th ACM STOC, Montréal, Québec, Canada, 19–21 May 2002, pp. 494–503. ACM Press (2002)
Google Scholar
Canetti, R., Rabin, T.: Universal composition with joint state. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 265–281. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_16
Chapter Google Scholar
Döttling, N., Garg, S., Malavolta, G.: Laconic conditional disclosure of secrets and applications. In: 2019 IEEE 58th Annual Symposium on Foundations of Computer Science (FOCS). IEEE (2019)
Google Scholar
Ding, Y.Z., Harnik, D., Rosen, A., Shaltiel, R.: Constant-round oblivious transfer in the bounded storage model. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 446–472. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24638-1_25
Chapter Google Scholar
Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. Commun. ACM 28(6), 637–647 (1985)
Article MathSciNet Google Scholar
Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: 21st ACM STOC, Seattle, WA, USA, 15–17 May 1989, pp. 25–32. ACM Press (1989)
Google Scholar
Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: Aho, A. (ed.) 19th ACM STOC, New York City, NY, USA, 25–27 May 1987, pp. 218–229. ACM Press (1987)
Google Scholar
Garg, S., Srinivasan, A.: Two-round multiparty secure computation from minimal assumptions. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018, Part II. LNCS, vol. 10821, pp. 468–499. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8_16
Chapter Google Scholar
Halevi, S., Kalai, Y.T.: Smooth projective hashing and two-message oblivious transfer. J. Cryptol. 25(1), 158–193 (2012)
Article MathSciNet Google Scholar
Holmgren, J., Lombardi, A.: Cryptographic hashing from strong one-way functions (or: one-way product functions and their applications). In: 59th FOCS, pp. 850–858. IEEE Computer Society Press (2018)
Google Scholar
Jain, A., Kalai, Y.T., Khurana, D., Rothblum, R.: Distinguisher-dependent simulation in two rounds and its applications. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part II. LNCS, vol. 10402, pp. 158–189. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63715-0_6
Chapter MATH Google Scholar
Lindell, Y.: How to simulate it - a tutorial on the simulation proof technique. Cryptology ePrint Archive, Report 2016/046 (2016). http://eprint.iacr.org/2016/046
Lombardi, A., Quach, W., Rothblum, R.D., Wichs, D., Wu, D.J.: New constructions of reusable designated-verifier NIZKs. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 670–700. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_22
Chapter Google Scholar
Naor, M.: Bit commitment using pseudo-randomness. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 128–136. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_13
Chapter Google Scholar
Naor, M., Pinkas, B.: Efficient oblivious transfer protocols. In: Rao Kosaraju, S. (ed.) 12th SODA, Washington, DC, USA, 7–9 January 2001, pp. 448–457. ACM-SIAM (2001)
Google Scholar
Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_31
Chapter Google Scholar
Rabin, M.O.: How to exchange secrets with oblivious transfer. Cryptology ePrint Archive, Report 2005/187 (2005). http://eprint.iacr.org/2005/187
Yao, A.C.-C.: Protocols for secure computations (extended abstract). In: 23rd FOCS, Chicago, Illinois, 3–5 November 1982, pp. 160–164. IEEE Computer Society Press (1982)
Google Scholar

Download references

Author information

Authors and Affiliations

CISPA Helmholtz Center for Information Security, Saarbrücken, Germany
Nico Döttling
UC Berkeley, Berkeley, USA
Sanjam Garg & Mohammad Hajiabadi
VISA Research, Palo Alto, USA
Daniel Masny
Northeastern University, Boston, USA
Daniel Wichs

Authors

Nico Döttling
View author publications
You can also search for this author in PubMed Google Scholar
Sanjam Garg
View author publications
You can also search for this author in PubMed Google Scholar
Mohammad Hajiabadi
View author publications
You can also search for this author in PubMed Google Scholar
Daniel Masny
View author publications
You can also search for this author in PubMed Google Scholar
Daniel Wichs
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding authors

Correspondence to Nico Döttling or Sanjam Garg .

Editor information

Editors and Affiliations

Équipe-projet COSMIQ, Inria, Paris, France
Anne Canteaut
Computer Science Department, Technion, Haifa, Israel
Yuval Ishai

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Döttling, N., Garg, S., Hajiabadi, M., Masny, D., Wichs, D. (2020). Two-Round Oblivious Transfer from CDH or LPN. In: Canteaut, A., Ishai, Y. (eds) Advances in Cryptology – EUROCRYPT 2020. EUROCRYPT 2020. Lecture Notes in Computer Science(), vol 12106. Springer, Cham. https://doi.org/10.1007/978-3-030-45724-2_26

Download citation

DOI: https://doi.org/10.1007/978-3-030-45724-2_26
Published: 01 May 2020
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-45723-5
Online ISBN: 978-3-030-45724-2
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

International Association for Cryptologic Research (opens in a new tab)

Two-Round Oblivious Transfer from CDH or LPN

Abstract

Similar content being viewed by others

Universally Composable Oblivious Transfer Based on a Variant of LPN

Three-Round Secure Multiparty Computation from Black-Box Two-Round Oblivious Transfer

Unconditionally Secure Oblivious Polynomial Evaluation: A Survey and New Results

1 Introduction

1.1 Why Is Two-Round Maliciously Secure OT Difficult?

1.2 Our Results

2 Technical Overview

3 Preliminaries

3.1 Basic Inequalities

Lemma 1

Proof

Theorem 2

3.2 Standard Primitives

Definition 3

Definition 4

4 Definitions of Two-Round Oblivious Transfer

4.1 Correctness

4.2 Receiver’s Security Notions

4.3 Sender’s Security Notions

Definition 5

5 Transformations for Achieving Sender’s Indistinguishability

5.1 From Elementary OT to Search OT

Lemma 6

Theorem 7

5.2 From Search OT to Bit \(\mathsf {iOT}\)

Theorem 8

5.3 From Bit \(\mathsf {iOT}\) to String \(\mathsf {iOT}\)

Theorem 9

6 Weak Secure Function Evaluation

6.1 Definitions

Definition 10

6.2 wSFE for All Circuits from \(\mathsf {iOT}\) and Garbled Circuits

Theorem 11

Theorem 12

7 Sender-UC OT from wSFE

Construction 13

Theorem 14

Definition 15

8 2-Round ZK from Sender-UC OT and \(\varSigma \)-Protocols

Definition 16

Definition 17

Construction 18

Theorem 19

9 UC-Secure OT from Sender-UC OT and Zero Knowledge

Construction 20

Theorem 21

10 Instantiations from CDH and LPN

10.1 Instantiation from CDH

Definition 22

Lemma 23

Proof

Lemma 24

Proof

Theorem 25

Lemma 26

Proof

10.2 Instantiation from LPN

Definition 27

Lemma 28

Lemma 29

Proof

Lemma 30

Proof

Lemma 31

Proof

Lemma 32

Proof

Theorem 33

Notes

References

Author information

Authors and Affiliations

Corresponding authors

Editor information

Editors and Affiliations

Rights and permissions

Copyright information