Keywords

1 Introduction

Secure multi-party computation enables a set parties to mutually run a protocol that computes some function f on their private inputs, while preserving a number of security properties. Two of the most important properties are privacy and correctness. The former implies data confidentiality, namely, nothing leaks by the protocol execution but the computed output. The later requirement implies that no corrupted party or parties can cause the output to deviate from the specified function. It is by now well known how to securely compute any efficient functionality [2, 4, 24, 45, 50] in various models and under the stringent simulation-based definitions (following the ideal/real paradigm). Security is typically proven with respect to two adversarial models: the semi-honest model (where the adversary follows the instructions of the protocol but tries to learn more than it should from the protocol transcript), and the malicious model (where the adversary follows an arbitrary polynomial-time strategy), and feasibility results are known in the presence of both types of attacks. The initial model considered for secure computation was of a static adversary where the adversary controls a subset of the parties (who are called corrupted) before the protocol begins, and this subset cannot change. In a stronger corruption model the adversary is allowed to choose which parties to corrupt throughout the protocol execution, and as a function of its view; such an adversary is called adaptive.

These feasibility results rely in most cases on stand-alone security, where a single set of parties run a single execution of the protocol. Moreover, the security of most cryptographic protocols proven in the stand-alone setting does not remain intact if many instances of the protocol are executed concurrently [40]. The strongest (but also the most realistic) setting for concurrent security is known by Universally Composable (UC) security [4]. This setting considers the execution of an unbounded number of concurrent protocols in an arbitrary and adversarially controlled network environment. Unfortunately, stand-alone secure protocols typically fail to remain secure in the UC setting. In fact, without assuming some trusted help, UC security is impossible to achieve for most tasks [7, 8, 40]. Consequently, UC secure protocols have been constructed under various trusted setup assumptions in a long series of works; see [1, 5, 10, 14, 34, 38] for few examples.

In this work, we are interested in understanding the intrinsic complexity of UC secure computation. Identifying the general assumptions required for a particular cryptographic task provides an abstraction of the functionality and the specific hardness that is exploited to obtain a secure realization of the task. The expressive nature of general assumptions allows the use of a large number of concrete assumptions of our choice, even one that may not have been considered at the time of designing the protocols. Constructions that are based on general assumptions are proven in two flavors:

  • Black-box Usage: A construction is black-box if it refers only to the input/output behavior of the underlying primitives.

  • Non-black-box Usage: A construction is non-black box if it uses the code computing the functionality of the underlying primitives.

Typically, non-black-box constructions have been employed to demonstrate feasibility and derive the minimal assumptions required to achieve cryptographic tasks. An important theoretical question is whether or not non-black-box usage of the underlying primitive is necessary in a construction. Besides its theoretical importance, obtaining black-box constructions is related to efficiency as an undesirable effect of non-black-box constructions is that they are typically inefficient and unlikely to be implemented in practice. Fortunately, a recent line of works [25, 26, 32, 47] has narrowed the gap between what is achievable via non-black-box and black-box constructions under minimal assumptions.

More relevant to our context, the work of Ishai, Prabhakaran and Sahai [33] provided the first black-box constructions of UC secure protocols assuming only one-way functions in a model where all parties have access to an ideal oblivious transfer (OT) functionality. Orthogonally, Choi et al. [12] provided a compiler that transforms any semi-honest OT to a protocol that is secure against malicious static adversaries in the stand-alone (i.e. not UC) while assuming that all parties have access to the ideal commitment functionality. In the adaptive setting, the work of Choi et al. provides a transformation from adaptively secure semi-honest oblivious transfer to one that is secure in the stronger UC setting against malicious adaptive adversaries while assuming that all parties have access to the ideal commitment functionality. In essence, these works provide black-box constructions, however, they fall short of identifying the necessary minimal general computational assumptions in the UC setting.

Loosely speaking, a UC commitment scheme [7] is a fundamental building block in secure computation which is defined in two phases: in the commit phase a committer commits to a value while keeping it hidden, whereas in the decommit phase the committer reveals the value that it previously committed to. In addition to the standard binding and hiding security properties that any commitment must adhere, commitment schemes that are secure in the UC framework must allow straight-line extraction (where a simulator should be able to extract the content of any valid commitment generated by the adversary) and straight-line equivocation (where a simulator should be able to produce many commitments for which it can later decommit to both 0 and 1). We stress that even security in the static setting requires some notion of equivocation. Due to these rigorous requirements, it has been a real challenge to design black-box constructions of UC secure commitment schemes.

In the context of realizing the UC commitments in the CRS model, Damgård and Nielsen introduced the notion of mixed-commitments in [16]. This construction requires a CRS that is linear in the number of parties and can be instantiated under the N-residuosity and p-subgroup hardness assumptions. In the global CRS model (where a single CRS is introduced for any number of executions), the only known constructions are by Damgård and Groth [15] based on the Strong RSA assumption and Lindell [42] based on the DDH assumption, where the former construction guarantees security in the adaptive setting whereas the later construction provides static security.

Another fundamental building block in secure computation which has been widely studied is oblivious transfer [21, 49]. Semi-honest two-round oblivious transfer can be constructed based enhanced trapdoor permutations [21] and smooth projective hashing [28], and concretely under Discrete Diffie-Hellman (DDH) [46]. Two-round protocols with malicious UC security are presented in the influential paper by Peikert et al. [48] that presents a black-box framework in the common reference string (CRS) model for oblivious transfer, based on dual-mode public-key encryption (PKE) schemes, which can be concretely instantiated under the DDH, quadratic residuosity and Learning with Errors (LWE) hardness assumptions. In a followup work [13], the authors present UC oblivious transfer constructions in the global CRS model assuming DDH, N-residuosity and the Decision Linear Assumption (DLIN). As pointed out in [13], the [48] constructions require a distinct CRS per party. In the context of adaptive UC oblivious transfer protocols, the works of [12] and [22] give constructions in the UC commitment hybrid model where they additionally rely on an assumption that implies adaptive semi-honest oblivious transfer.

It is worth noting that while the works of [48] and [13] provide abstractions of their assumptions, the assumptions themselves are not general enough to help understand the minimal assumptions required to achieve static UC security. In particular, when restricting attention to black-box constructions based on general assumptions, the state-of-the-art literature seems to indicate that achieving UC security in most trusted setup models reduces to constructing two apparently incomparable primitives: semi-honest oblivious transfer and UC commitment schemes. This leaves the following important question open:

What are the minimal (general) assumptions required to construct UC secure protocols, given only black-box access to the underlying primitives?

We note that this question is already well understood in the static setting when relaxing the black-box requirement. Namely, in [18] Damgård, Nielsen and Orlandi showed how to construct UC commitments assuming only semi-honest oblivious transfer in the global CRS model, while additionally assuming a pre-processing phase where the parties participate in a round-robin mannerFootnote 1. More recently, Lin, Pass and Venkitasubramaniam [39] improved this result by removing any restricted pre-processing phase. In the same work the authors showed how to achieve UC security in the global CRS model assuming only the existence of semi-honest oblivious transfer. In particular, this construction shows that static UC security can be achieved without assuming UC commitments when relying on non-black-box techniques.

In the stand-alone (i.e. not UC) setting, assuming only the existence of semi-honest oblivious transfer [26, 27, 32] show how to construct secure multiparty computation protocols while relying on the underlying primitives in a black-box manner. More recently, [12] provided black-box constructions that are secure against static adversaries, again, in the stand-alone setting, where all parties have access to an ideal commitment functionality (cf. Proposition 1 in [12]). The latter construction achieves a stronger notion of straight-line simulation, however falls short of achieving static UC security (see more details in Sect. 3).

In the adaptive setting, the only work that considers a single general assumption that implies adaptive UC security using non-black-box techniques is the result due to Dachman-Soled et al. [14], that shows how to obtain adaptive UC commitments assuming simulatable PKE. Moreover, the best known general assumptions required to achieve black-box UC security are adaptive semi-honest oblivious transfer and UC commitments [12, 17]. Known minimal general assumptions that are required to construct these primitives are (trapdoor) simulatable PKE for adaptive semi-honest oblivious transfer [11] and mixed commitments for UC commitments [17].

1.1 Our Results

In this paper we present a thorough study of black-box UC secure computation in the CRS model; details follow.

Static UC Secure Computation. Our first result is given in the static setting, where we demonstrate the feasibility of UC secure computation based on semi-honest oblivious transfer and extractable commitments. More concretely, we prove how to transform any statically semi-honest secure oblivious transfer into one that is secure in the presence of malicious adversaries, giving only black-box access to the underlying semi-honest oblivious transfer protocol. Our approach is inspired by the protocols from [27] and [37], where we observe that it is not required to use the full power of static UC commitments. Instead, we employ a weaker primitive that only requires straight-line input extractability. Interestingly, we prove that this weaker notion of security, denoted by extractable commitments [44], can be realized based on any CPA secure PKE. More precisely, we prove the following theorem.

Theorem 11

(Informally). Assuming the existence of PKE and semi-honest oblivious transfer, then any functionality can be realized in the CRS model with static UC security, where the underlying primitives are accessed in a black-box manner.

We remark here that this theorem makes a significant progress towards reducing the general assumptions required to construct UC secure protocols. Previously, the only general assumptions based on which we knew how to construct UC secure protocols were mixed-commitments [16] and dual-mode PKE [48] both of which were tailor-made for the particular application. Towards understanding the required minimal assumptions, we recall the work Damgård and Groth in [15] who showed that the existence of UC commitments in the CRS model implies a stand-alone key agreement protocol. Moreover, under black-box constructions, the seminal work of Impagliazzo and Rudich [31] implies that key agreement cannot be based on one-way functions. Thus, there is reasonable evidence to believe that some public-key primitive is required for UC commitments. In that sense, our assumption regarding PKE is close to being optimal. Nevertheless, it is unknown whether the semi-honest oblivious transfer assumption is required.

Our result is shown in two phases. At first we compile the semi-honest oblivious transfer protocol into a new protocol with intermediate security properties in the presence of malicious adversaries. This transformation is an extension of the [27] transformation that is only proven for bit oblivious transfer, whereas our proof works for string oblivious transfer. Next, we use the transformed oblivious transfer protocol in order to construct a maliciously fully secure oblivious transfer. By combining our oblivious transfer with the [33] protocol we obtain a statically generic UC secure computation.

An important corollary is deduced from the work by Gertner et al. [23], who provided a black-box construction of PKE based on any two-round semi-honest oblivious transfer protocol. Specifically, the combination of their result with ours implies the following corollary, which demonstrates that two-round semi-honest oblivious transfer is sufficient in the CRS model to achieve black-box constructions of UC secure protocols.

Corollary 12

(Informally). Assuming the existence of two-round semi-honest oblivious transfer, then any functionality can be UC realized in the CRS model, where the oblivious transfer is accessed in a black-box manner.

Implications. In what follows, we make a sequence of interesting observations that are implied by our result in the static UC setting.

  • The important result by Canetti, Lindell, Ostrovsky and Sahai [9] presents the first non-black-box constructions of static UC secure protocols assuming enhanced trapdoor permutations. In fact, their result can be extended assuming only PKE with oblivious ciphertext generation (which is PKE with the special property that a ciphertext can be obliviously sampled without the knowledge of the plaintext, and can be further realized using enhanced trapdoor permutation). In that sense, our result, assuming PKE with oblivious ciphertext generation, can be viewed as an improvement of [9] when relying on this primitive in a black-box manner.

  • The pair of works by Damgard, Nielsen and Orlandi [18] and Lin, Pass and Venkitasubramaniam [39] demonstrate that non-black-box constructions of UC commitments, and more generally static UC secure computation, can be achieved in the CRS model assuming only semi-honest oblivious transfer. In comparison, our result shows that two-round semi-honest oblivious transfer protocols are sufficient for obtaining black-box UC secure computation in the CRS model. Note that most semi-honest oblivious transfer protocols anyway require only two-round of communication, e.g., [21].

  • In [38, 39], Lin, Pass and Venkitasubramaniam provided a unified framework for constructing UC secure protocols in any “trusted-setup” model. Their result is achieved by capturing the minimal requirement that implies UC computations in the setup model. More precisely, they introduced the notion of a UC puzzle and showed that any setup model that admits a UC puzzle can be used to securely realize any functionality in the UC setting, while additionally assuming the existence of semi-honest oblivious transfer. Moreover, they showed how to easily construct such puzzles in most models. We remark that our approach can be viewed as providing a framework to construct black-box UC secure protocols in other UC models. More precisely, we show that any setup model that admits the extractable commitment functionality can be used to securely realize any functionality assuming the existence of semi-honest oblivious transfer. In fact, our result easily extends to the chosen key registration authority (KRA) model [1], where it is assumed the existence of a trusted authority that samples public key, secret key pairs for each party, and broadcasts the public key to all parties. We leave it for future work to instantiate our framework in other setup models.

  • The fact that our construction only requires PKE and semi-honest oblivious transfer allows an easy translation of static UC security to various efficient implementations under a wide range of concrete assumptions. Specifically, both PKE and (two-round) semi-honest oblivious transfer can be realized under RSA, factoring Blum integers, LWE, DDH, N-residuosity, p-subgroup and coding assumptions. This is compared to prior results that could be based on the later five assumptions [13, 19, 20, 48].

  • Recently, Maji, Prabhakaran, and Rosulek [44] initiated the study of the cryptographic complexity of secure computation tasks, while characterizing the relative complexity of a task in the UC setting. Specifically, they established a zero-one law that states that any task is either trivial (i.e., it can be reduced to any other task), or complete (i.e., to which any task can be reduced to), where a functionality \(\mathcal{F}\) is said to reduce to another functionality \(\mathcal{G}\), if there is a UC secure protocol for \(\mathcal{F}\) using ideal access to \(\mathcal{G}\). More precisely, they showed that assuming the existence of semi-honest oblivious transfer, every finite two-party functionality is either trivial or complete. While their main theorem relies on the minimal assumption of semi-honest oblivious transfer, their use of the assumption is non-black-box and they leave it as an open problem to achieve the same while relying on oblivious transfer in a black-box manner. Our result makes progress towards establishing this.

    In more details, their high-level approach is to identify complete functionalities using four categories, namely, (1) \(\mathcal{F}_{\scriptscriptstyle \mathrm {XOR}}\) that abstracts a XOR-type functionality, (2) \(\mathcal{F}_{\scriptscriptstyle \mathrm {CC}}\) that abstracts a simple cut-and-choose functionality, (3) \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\) the oblivious transfer functionality, and (4) \(\mathcal{F}_{\scriptscriptstyle \mathrm {COM}}\) the commitment functionality. They then show that each category can be used to securely realize any computational taskFootnote 2. Among these reductions, functionalities \(\mathcal{F}_{\scriptscriptstyle \mathrm {XOR}}\) and \(\mathcal{F}_{\scriptscriptstyle \mathrm {CC}}\) rely on oblivious transfer in a non-black-box way. In this work we improve the reduction of functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {CC}}\). That is, we obtain this improvement by showing that the extractable commitment functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\) and semi-honest oblivious transfer can be used in a black-box way to realize functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\), and combine this with a reduction presented in [44] that reduces \(\mathcal{F}_{\scriptscriptstyle \mathrm {CC}}\) to the \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\) functionality in a black-box way.

One-Sided UC Secure Computation. In this stronger two-party setting, where at most one of the parties is adaptively corrupted [29, 35], we prove that one-sided adaptive UC security is implied by PKE with oblivious ciphertext generation. Here we combine two observations, one where our malicious static oblivious transfer from the previous result requires using the parties’ inputs in only one phase, together with the fact that one-sided non-committing encryption (NCE) can be designed based on PKE with oblivious ciphertext generation [6, 16]. In particular, NCE allow secure communication in the presence of adaptive attacks, which implies that the communication can be equivocated once the real message is handed to the simulator. Then, by encrypting part of our statically secure protocol using NCE, we obtain a generic protocol for any two-party functionality under the assumption specified aboveFootnote 3. Namely,

Theorem 13

(Informally). Assuming the existence of PKE with oblivious ciphertext generation, then any two-party functionality can be realized in the CRS model with one-sided adaptive UC security and black-box access to the PKE.

Adaptive UC Secure Computation. Our last result is in the strongest corruption setting, where any number of parties can be adaptively corrupted. Here we design a new adaptively secure UC commitment scheme under the assumption of PKE with oblivious ciphertext generation, which is the first construction that achieves the stronger notion of adaptive security based on this hardness assumption. Our construction makes a novel usage of such a PKE together with Reed-Solomon codes, where the polynomial shares are encrypted using the PKE with oblivious ciphertext generation. Plugging-in our UC commitment protocol into the transformation of [12] that generates adaptive malicious oblivious transfer given adaptive semi-honest oblivious transfer and UC commitments, implies an adaptively UC secure oblivious transfer protocol with malicious security based on semi-honest adaptive oblivious transfer and PKE with oblivious ciphertext generation, using only black-box access to the semi-honest oblivious transfer and the PKE. That is,

Theorem 14

(Informally). Assuming the existence of PKE with oblivious ciphertext generation and adaptive semi-honest oblivious transfer, then any functionality can be realized in the CRS model with adaptive UC security, where the underlying primitives are accessed in a black-box manner.

We further recall the work of Choi et al. [11] that shows that the weakest general known assumption that is required to construct adaptively secure semi-honest oblivious transfer is trapdoor simulatable PKE. Now, since such an encryption scheme admits PKE with oblivious ciphertext generation, we obtain the following corollary that unifies the two assumptions required to achieve adaptive UC security.

Corollary 15

Assuming the existence of (trapdoor) simulatable PKE, then any functionality can be realized in the CRS model with adaptive UC security and black-box access to the PKE.

An additional interesting observation that is implied by our work is that our UC commitment scheme implies a construction that is secure in the adaptive setting when erasures are allowed, and under the weaker assumption of PKE. Specifically, instead of obliviously sampling ciphertexts in the commitment phase, the committer encrypts arbitrary plaintexts and then erases the plaintexts and randomness used for these computations. Our proof follows easily for this case as well. Combining our UC commitment scheme together with the semi-honest with erasures OT from [41] and the transformation of [12], we obtain the following result

Theorem 16

(Informally). Assuming the existence of PKE and semi-honest oblivious transfer secure against an adaptive adversary assuming erasures, then any functionality can be realized in the CRS model with adaptive UC security assuming erasures, where the underlying primitives are accessed in a black-box manner.

Noting that OT secure against adaptive adversaries assuming erasures can be realized under assumptions sufficient for achieving the same with respect to the weaker static adversaries, this theorem shows that achieving UC security against adaptive adversaries in the presence of erasures does not require any additional assumption beyond what is required to secure against static adversaries.

Implications. Next, we specify a sequence of interesting observations that are implied by our result in the adaptive UC setting.

  • Previously, Dachman-Soled et al. [14], showed that adaptive UC secure protocols can be constructed in the CRS model assuming the existence of simulatable PKE. Our result improves this result in terms of complexity assumptions by showing that trapdoor simulatable PKE is sufficient, and provides new constructions based on concrete assumptions that were not known before. Nevertheless, we should point out that while the work of Dachman-Soled et al. is constructed in the global CRS model using a non-black-box construction, our result provides a black-box construction in a CRS model where the length of the reference string is linear in the number of parties.

  • Analogous to our result on static UC security, it is possible to extend this result to the chosen key-registration authority (KRA) model, where we assume the existence of a trusted-party that samples public keys and secret keys for each party, and broadcasts the public key to all parties.

  • Importantly, this result provides the first evidence that adaptively secure UC commitment is theoretically easier to construct than stand-alone adaptively secure semi-honest oblivious transfer. This is due to a separation from [43] (regarding static vs. adaptive oblivious transfer), that proves that adaptive oblivious transfer requires a stronger hardness assumption than enhanced trapdoor permutation.

  • Regarding concrete assumptions, previously, adaptive UC commitments without erasures were constructed based on N-residuosity and p-subgroup hardness assumptions [17] and Strong RSA [15]. On the other hand, our result demonstrates the feasibility of this primitive under DDH, LWE, factoring Blum integers and RSA assumptions. When considering adaptive corruption with erasures, the work of Blazy, et al. [3], extending the work of Lindell [42], shows how to construct highly efficient UC commitments based on the DDH assumption. On the other hand, assuming erasures, we are able to construct an adaptive UC commitment scheme based on any CPA-secure PKE.

2 Preliminaries

We denote the security parameter by n. We use the abbreviation PPT to denote probabilistic polynomial-time. We further denote by \(a\leftarrow A\) the random sampling of a from a distribution A, and by [n] the set of elements \(\{1,\ldots ,n\}\).

Definition 21

(PKE with Oblivious Ciphertext Generation [16]). A PKE \(\varPi \) with oblivious sampling generation is defined by the tuple \((\mathsf {Gen},\mathsf {Enc},\mathsf {Dec},\widetilde{\mathsf {Enc}}, \widetilde{\mathsf {Enc}}^{-1})\) and has the following additional property,

  • Indistinguishability of Oblivious and Real Ciphertexts. For any message m in the appropriate domain, consider the experiment \((\textsc {PK},\textsc {SK}) \leftarrow \mathsf {Gen}(1^n)\), \(c_1 \leftarrow \widetilde{\mathsf {Enc}}_{\textsc {PK}}(r_1)\), \(c_2 \leftarrow \mathsf {Enc}_{\textsc {PK}}(m;r_2)\), \(r'_1 \leftarrow \widetilde{\mathsf {Enc}}^{-1}_\textsc {PK}(c_2)\).

    Then, \((\textsc {PK},r'_1,c_1,m) \mathop {\approx }\limits ^\mathrm{c}(\textsc {PK},r_2,c_2,m)\).

To this end, we only employ PKE with perfect decryption. This merely simplifies the analysis and can be relaxed by using PKE with a negligible decryption error instead.

2.1 Oblivious Transfer

1-out-of-2 oblivious transfer (OT) is an important functionality in the context of secure computation that is engaged between a sender \(\mathrm{Sen}\) and a receiver \(\mathrm{Rec}\); see Fig. 1 for the description of functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\). In this paper we are interested in reducing the hardness assumptions for general UC secure computation when using only black-box access to the underlying cryptographic primitives, such as the semi-honest OT. We use semi-honest OT as a building block for designing UC secure protocols in both static and adaptive settings. In the static setting, we refer to the two-round protocol of [21] that is based on PKE with oblivious ciphertext generation (or enhanced trapdoor permutation). In the adaptive setting, we refer to the two-round protocol of [9] that is based on augmented non-committing encryption scheme.

We next recall that any two-round semi-honest OT implies PKE. We demonstrate that in two phases, starting with the claim that semi-honest OT implies a key agreement (KA) protocol, where two parties agree on a secret key over a public channel. This statement has already been proven in [23] in the static setting, and holds for any number of rounds. The idea is simple, the parties execute an OT protocol where the party that plays the sender picks two random inputs \(s_0,s_1\), whereas the party that plays the receiver enters 0. Finally, the parties output \(s_0\) and security follows from the correctness and privacy of the OT. A simple observation shows that this reduction also holds in the adaptive setting. Namely, starting with an adaptive semi-honest OT, the same reduction implies an adaptively secure KA (where the protocol communication must be consistent with respect to any key). Note that this reduction preserves the number of rounds, thus if the starting point is a two-round OT then the reduction implies a two-round KA. Next, a well established fact shows that in the static setting a two-round key agreement implies PKE (in fact, these primitives are equivalent). Formally,

Theorem 22

Assume the existence of two-round key agreement protocol with static security, then there exists IND-CPA PKE.

Fig. 1.
figure 1

The oblivious transfer functionality.

Full size image

Sender Private Oblivious Transfer. Sender privacy is a weaker notion than malicious security and only requires that the receiver’s input be hidden even against a malicious sender. It is weaker than malicious security in that it does not require a simulation of the malicious sender that extracts the sender’s inputs. In particular, we will only require that a malicious sender cannot distinguish the cases where the receiver’s input is 0 or 1. Formally stated,

Definition 23

(Sender Private OT). Let \(\pi \) be a two-party protocol that is engaged between a sender \(\mathrm{Sen}\) and a receiver \(\mathrm{Rec}\). We say that \(\pi \) is a sender private oblivious transfer protocol, if for every PPT adversary \(\mathcal{A}\) that corrupts \(\mathrm{Sen}\), the following ensembles are computationally indistinguishable:

  • \(\{\mathbf{View}_{\mathcal{A},\pi }[\mathcal{A}(1^n), \mathrm{Rec}(1^n,0)]\}_{n \in \mathbb {N}}\)

  • \(\{\mathbf{View}_{\mathcal{A},\pi }[\mathcal{A}(1^n), \mathrm{Rec}(1^n,1)]\}_{n \in \mathbb {N}}\)

where \(\mathbf{View}_{\mathcal{A},\pi }[\mathcal{A}(1^n), \mathrm{Rec}(1^n,b)]\) denotes \(\mathcal{A}\)’s view within \(\pi \) whenever the receiver \(\mathrm{Rec}\) inputs the bit b.

We point out that sender privacy protects the receiver against a malicious sender and should be read as privacy against a malicious sender.

Defensibly Private Oblivious Transfer. The notion of defensible privacy was introduced by Haitner in [26, 27]. A defense in a two-party protocol \(\pi = (P_1,P_2)\) execution is an input and random tape provided by the adversary after the execution concludes. A defense for a party controlled by the adversary is said to be good, if this party participated honestly in the protocol using this very input and random tape, then it would have resulted in the exact same messages that were sent by the adversary. In essence, this defense serves as a proof of honest behavior. It could very well be the case that an adversary deviates from the protocol in the execution but later provides a good defense. The notion of defensible privacy says that a protocol is private in the presence of defensible adversaries if the adversary learns nothing more than its prescribed output when it provides a good defense.

We informally describe the notion of good defense for a protocol \(\pi \); we refer to [27] for the formal definition. Let \({\mathsf {trans}}=(q_1,a_1,\ldots ,q_\ell ,a_\ell )\) be the transcript of an execution of a protocol \(\pi \) that is engaged between \(P_1\) and \(P_2\) and let \(\mathcal{A}\) denote an adversary that controls \(P_1\), where \(q_i\) is the ith message from \(P_1\) and \(a_i\) is the ith message from \(P_2\) (that is, \(a_i\) is the response for \(q_i\)). Then we say that (xr) constitutes a good defense of \(\mathcal{A}\) relative to \({\mathsf {trans}}\) if the transcript generated by running the honest algorithm for \(P_1\) with input x and random tape r against \(P_2\)’s messages \(a_1,\ldots ,a_\ell \) results \({\mathsf {trans}}\).

The notion of defensible privacy can be defined for any secure computation protocol. Nevertheless, since we are only interested in oblivious transfer protocols, we present a definition below that is restricted to oblivious transfer protocols. The more general definition can be found in [27]. At a high-level, an OT protocol is defensibly private with respect to a corrupted sender if no adversary interacting with an honest receiver with input b should be able to learn b, if at the end of the execution the adversary produces any good defense. Similarly, an OT protocol that is defensibly private with respect to malicious receivers requires that any adversary interacting with an honest sender with input \((s_0,s_1)\) should not be able to learn \(s_{1-b}\), if at the end of the execution the adversary produces a good defense with input b. Below we present a variant of the definition presented in [27]. We stress that while the [27] definition only considers bit OT (i.e. sender’s inputs are bits) we consider string OT.

Definition 24

(Defensible-Private String OT). Let \(\pi \) be a two-party protocol that is engaged between a sender \(\mathrm{Sen}\) and a receiver \(\mathrm{Rec}\). We say that \(\pi \) is a defensibly-private string oblivious transfer protocol, if for every PPT adversary \(\mathcal{A}\) the following holds,

  1. 1.

    \(\{\varGamma (\mathbf{View}_{\mathcal{A}}[\mathcal{A}(1^n),\mathrm{Rec}(1^n,U)],U)\}\ \ \ \mathop {\approx }\limits ^\mathrm{c}\ \ \ \{\varGamma (\mathbf{View}_{\mathcal{A}}[\mathcal{A}(1^n),\mathrm{Rec}(1^n,U)],U')\}\), where \(\varGamma (v,*)\) is set to \((v,*)\) if following the execution \(\mathcal{A}\) outputs a good defense for \(\pi \), and \(\bot \) otherwise, and U and \(U'\) are independent random variables uniformly distributed over \(\{0,1\}\). This property is referred to as defensibly private with respect to a corrupted sender.

  2. 2.

    \(\{\varGamma (\mathbf{View}_{\mathcal{A}}[\mathrm{Sen}(1^n,(U^n_0,U^n_1)),\mathcal{A}(1^n)],U^n_{1-b})\} \mathop {\approx }\limits ^\mathrm{c}\{\varGamma (\mathbf{View}_{\mathcal{A}}[\mathrm{Sen}(1^n,(U^n_0,U^n_1)),\mathcal{A}(1^n)],\bar{U}^n)\}\) where \(\varGamma (v,*)\) is set to \((v,*)\) if following the execution \(\mathcal{A}\) outputs a good defense for \(\pi \), and \(\bot \) otherwise, b is the \(\mathrm{Rec}\)’s input in this defense and \(U^n_0,U^n_1,\bar{U}^n\) are independent random variables uniformly distributed over \(\{0,1\}^n\). This property is referred to as defensibly private with respect to a corrupted receiver.

In our construction from Sect. 3, we will rely on an OT protocol that is sender private and defensibly private with respect to a corrupted receiver. In [27], Haitner et al. showed how to transform any semi-honest bit-OT to one that is defensibly private with respect to a corrupted receiver and malicious secure with respect to a corrupted sender. More formally, the following Lemma is implicit in the work of [27].

Lemma 21

(Implicit in Theorem 4.1 and Corollary 5.3 [27]). Assume the existence of a semi-honest oblivious transfer protocol \(\pi \). Then there exists an oblivious transfer protocol \(\hat{\pi }\) that is defensible-private with respect to the receiver and sender private that relies on the underlying primitive in a black-box manner.

Now, since sender privacy is implied by malicious security with respect to a corrupted sender, this transformation yields a bit OT protocol with the required security guarantees. Nevertheless, our protocol crucially relies on the fact that the underlying OT is a string OT protocol. We therefore show in the full version [30] how to transform any bit OT to a string OT protocol while preserving both defensible private with respect to a maliciously corrupted receiver and sender privacy.

At a high-level, in order to convert any protocol from semi-honest security to defensible privacy, Haitner et al. include a coin-tossing stage at the beginning of the protocol that determines the parties’ random tapes. In fact, they let the coin-tossing also determine the parties inputs as they only require OT secure with respect to random inputs for both the sender and receiver. Now, if the receiver has to provide a good defense, then it must reveal the input and randomness used for the semi-honest OT protocol and prove consistency relative to the values generated in the coin-tossing stage. Due to the fact that the commitment schemes that are used in the coin-tossing stage are statistically-binding, the probability that a malicious receiver can deviate from the protocol and provide a good defense is negligible. Using this fact, Haitner et al. argued that the probability that a malicious receiver outputs a good defense and guesses the other sender’s input is negligible. Next, to obtain sender private oblivious transfer they first transformed an OT protocol that is defensible-private against malicious receivers to one that is maliciously secure, and then exploited the symmetry of OT in order to obtain a protocol that is sender-private. The first transformation relies on the cut-and-choose approach to ensure that the receiver provides a valid defense, and then using the fact that defensible privacy hides the sender’s other input they argued that it is receiver-private.

2.2 UC Commitment Schemes

The notion of UC commitments was introduced by Canetti and Fischlin in [7]. The formal description of functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {COM}}\) is depicted in Fig. 2.

Fig. 2.
figure 2

The string commitment functionality.

Full size image

2.3 Extractable Commitments

Our result in the static setting requires the notion of (static) extractable UC commitments, which is a weaker security property than UC commitments in the sense that it does not require equivocality. In what follows, we introduce the definition for the ideal functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\) from [44]. Towards introducing this definition, Maji et al. introduced some notions first. More concretely,

Definition 25

A protocol is a syntactic commitment protocol if:

  • It is a two phase protocol between a sender and a receiver (using only plain communication channels).

  • At the end of the first phase (commitment phase), the sender and the receiver output a transcript \({\mathsf {trans}}\). Furthermore, the sender receives an output (which will be used for opening the commitment).

  • In the decommitment phase the sender sends a message \(\gamma \) to the receiver, who extracts an output value \(\mathsf{opening}({\mathsf {trans}},\gamma )\in \{0,1\}^n\cup \{\bot \}\).

Definition 26

Two syntactic commitment protocols \((\omega _L,\omega _R)\) form a pair of complementary statistically binding commitment protocols if the following hold:

  • \(\omega _R\) is a statistically binding commitment scheme (with stand-alone security).

  • In \(\omega _L\), at the end of the commitment phase the receiver outputs a string \(z\in \{0,1\}^n\). If the receiver is honest, it is only with negligible probability that there exists \(\gamma \) such that \(\mathsf{opening}({\mathsf {trans}},\gamma )\ne \bot \) and \(\mathsf{opening}({\mathsf {trans}},\gamma )\ne z\).

As noted in [44], \(\omega _L\) by itself is not an interesting cryptographic goal, as the sender can simply send the committed string in the clear during the commitment phase. Nevertheless, in defining \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\) below, there exists a single protocol that satisfies both the security guarantees. We are now ready to introduce the notion of extractable commitments in Fig. 3 that is parameterized by \((\omega _L,\omega _R)\). We also include a function \({\mathsf {pp}}\) that will be used as an initialization phase to set up the public-parameters for \(\omega _L\) and \(\omega _R\).

Fig. 3.
figure 3

Extractable commitment functionality.

Full size image

Implementing \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\) in the CRS Model. We briefly sketch how to implement the extractable commitment functionality in the \(\mathcal{F}_{\scriptscriptstyle \mathrm {CRS}}\)-hybrid based on the CPA-security of any PKE. Namely, the CRS will be set to a public-key generated using the key-generation function of the PKE scheme. To commit, a sender simply encrypts the message using the public-key in the CRS and sends the ciphertext to the receiver. We can achieve extraction by setting the CRS to a public-key for which the secret-key is available to the extractor (in this case, the extractor is the \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\) functionality). Hiding follows from the CPA-security of the encryption scheme. A formal description and proof of this construction can be found in the full version of this paper [30].

3 Static UC Secure Computation

In this section we prove the feasibility of UC secure computation based on semi-honest OT and extractable commitments, where the latter can be constructed based on two-round semi-honest OT (see Sects. 2.1 and 2.3 for more details). More concretely, we prove how to transform any statically semi-honest secure OT into one that is secure in the presence of malicious adversaries, giving only black-box access to the underlying semi-honest OT protocol. Our protocol is a variant of the protocol by Lin and Pass from [37] (which in turn is a variant of the protocol of [27]). In particular, in [37], the authors rely on a strong variant of a commitment scheme known as a CCA-secure commitment in order to achieve extraction. We observe that it is not required to use the full power of such commitments, or for that matter UC commitments. Specifically, using a weaker primitive that only implies straight-line input extractability enables to solely rely on semi-honest OT. An important weakening in our commitment scheme compared to CCA-secure commitments from [37] is that we allow invalid commitments to be made by the adversary. We remark here that the work of [37] rely on string OT that are secure against malicious senders and state that the work of [26] provides a black-box construction of such a protocol starting from a semi-honest bit OT. However, the work of [26] only shows how to construct a bit OT secure against malicious senders where the proof crucially relies on the sender’s input being only bits. We provide a transformation and complete analysis from bit OT to a string OT for the weaker notion of defensible privacy as this is sufficient for our work. Finally, combining our UC OT protocol with the [33] protocol, we obtain a statically UC secure protocol for any well-formed functionality (see definition in [9]). Namely,

Theorem 31

Assume the existence of static semi-honest oblivious transfer. Then for any multi-party well-formed functionality \(\mathcal{F}\), there exists a protocol that UC realizes \(\mathcal{F}\) in the presence of static, malicious adversaries in the \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\)-hybrid model using black-box access to the oblivious transfer protocol.

We remark here that the work of [12] shows how starting from a semi-honest oblivious transfer it is possible to obtain a black-box construction of an OT protocol that is secure against stand-alone static adversaries in the \(\mathcal{F}_{{\scriptscriptstyle \mathrm {COM}}}\)-hybrid model. It is noted in [12] that the (high-level) analysis provided in the work might be extendable to the UC-setting (cf. Footnote 10 in [12]). Furthermore, in the static setting, it is conceivable that \(\mathcal{F}_{{\scriptscriptstyle \mathrm {COM}}}\) can be directly realized in the \(\mathcal{F}_{{\scriptscriptstyle \mathrm {EXTCOM}}}\)-hybrid using the notion of extractable trapdoor commitments [47]. We do not pursue this approach and instead directly realize OT in the \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\)-hybrid. While the previous works of [12] and [27] require a three step transformation, our transformation is one shot and therefore more direct.

It seems possible to generalize our theorem to multi-session functionalities. Analogous to [7], this will allows us to extend our corollaries to the Global CRS model by additionally assuming CCA encryption scheme and leave it as future work.

3.1 Static UC Oblivious Transfer

In the following, we discuss a secure implementation of the oblivious transfer functionality (see Fig. 1) with static, malicious security in the \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\)-hybrid model (where \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\) is stated formally in Fig. 3). Our goal in this section is to show that the security of malicious UC OT can be based on UC semi-honest OT, denoted by \(\pi ^{\scriptscriptstyle \mathrm {SH}}_{\scriptscriptstyle \mathrm {OT}}\), and extractable commitments. Our result is shown in two phases. At first we compile the semi-honest OT protocol \(\pi _{\scriptscriptstyle \mathrm {OT}}^{\scriptscriptstyle \mathrm {SH}}\) into a new protocol with the security properties that are specified in Sect. 2.1, extending the [27] transformation into string OT; denote the compiled OT protocol by \(\widehat{\pi }_{\scriptscriptstyle \mathrm {OT}}\). Next, we use \(\widehat{\pi }_{\scriptscriptstyle \mathrm {OT}}\) in order to construct a new protocol \(\pi _{\scriptscriptstyle \mathrm {OT}}^{\scriptscriptstyle \mathrm {ML}}\) that is secure in the presence of malicious adversaries. Details follow,

Protocol 1 (Protocol \(\pi _{\scriptscriptstyle \mathrm {OT}}^{\scriptscriptstyle \mathrm {ML}}\) with Static Security) 

Input: The sender \(\mathrm{Sen}\) has input \((v_0,v_1)\) where \(v_0,v_1\in \{0,1\}^n\) and the receiver \(\mathrm{Rec}\) has input \(u\in \{0,1\}\).

The protocol:

  1. 1.

    Coin Tossing:

    • Receiver’s random tape generation: The parties use a coin tossing protocol in order to generate the inputs and random tapes for the receiver.

      • The receiver commits to 20n strings of appropriate length, denoted by \(a^1_\mathrm{Rec},\ldots ,a^{20n}_\mathrm{Rec}\), by sending \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\) the message \((\mathsf{commit}, sid, \widetilde{ssid_i}, a^i_\mathrm{Rec})\) for all \(i\in [n]\).

      • The sender responds with 20n random strings of appropriate length \(b^1_\mathrm{Rec},\ldots , b^{20n}_\mathrm{Rec}\).

      • The receiver computes \(r^i_\mathrm{Rec}= a^i_\mathrm{Rec}\oplus b^i_\mathrm{Rec}\) and then interprets \(r^i_\mathrm{Rec}= c_i || \tau ^i_\mathrm{Rec}\) where \(c_i\) determines the receiver’s input for the \(i^{th}\) OT protocol, whereas \(\tau ^i_\mathrm{Rec}\) determines the receiver’s random tape used for this execution.

    • Sender’s random tape generation: The parties use a coin tossing protocol in order to generate the inputs and random tapes for the sender.

      • The sender commits to 20n strings of appropriate length, denoted by \(a^1_\mathrm{Sen},\ldots ,a^{20n}_\mathrm{Sen}\), by sending \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\) the message \((\mathsf{commit}, sid, \widetilde{ssid'_i}, a^i_\mathrm{Sen})\) for all \(i\in [n]\).

      • The receiver responds with 20n random strings of appropriate length \(b^1_\mathrm{Sen},\ldots , b^{20n}_\mathrm{Sen}\).

      • The sender computes \(r^i_\mathrm{Sen}= a^i_\mathrm{Sen}\oplus b^i_\mathrm{Sen}\) and then interprets \(r^i_\mathrm{Sen}= s^0_i || s^1_i || \tau ^i_\mathrm{Sen}\) where \((s_i^0,s_i^1)\) determine the sender’s input for the \(i^{th}\) OT protocol, whereas \(\tau ^i_\mathrm{Sen}\) determines the sender’s random tape used for this execution.

  2. 2.

    Oblivious Transfer:

    • The parties participate in 20n executions of the OT protocol \(\widehat{\pi }_{\scriptscriptstyle \mathrm {OT}}\) with the corresponding inputs and random tapes obtained from Stage 2. Let the output of the receiver in the \(i^{th}\) execution be \(\tilde{s_i}\).

  3. 3.

    Cut-and-choose:

    • \(\mathrm{Sen}\) chooses a random subset \(q_\mathrm{Sen}= (q^1_\mathrm{Sen},\ldots ,q^n_\mathrm{Sen}) \in \{1,\ldots ,20\}^n\) and sends it to \(\mathrm{Rec}\). The string \(q_\mathrm{Sen}\) is used to define a set of indices \(\varGamma _\mathrm{Sen}\subset \{1,\ldots ,20n\}\) of size n in the following way: \(\varGamma _\mathrm{Sen}= \{20i-q^i_\mathrm{Sen}\}_{i\in [n]}\). The receiver then opens the commitments from Stage 1 that correspond to the indices within \(\varGamma _\mathrm{Sen}\), namely, the receiver decommits \(a^i_\mathrm{Rec}\) for all \(i \in \varGamma _\mathrm{Sen}\). \(\mathrm{Sen}\) checks that the decommitted values are consistent with the inputs and randomness used for the OTs in Stage 2 by the receiver, and aborts in case of a mismatch.

    • \(\mathrm{Rec}\) chooses a random subset \(q_\mathrm{Rec}= (q^1_\mathrm{Rec},\ldots ,q^n_\mathrm{Rec}) \in \{1,\ldots ,20\}^n\) and sends it to \(\mathrm{Sen}\). The string \(q_\mathrm{Rec}\) is used to define a set of indices \(\varGamma _\mathrm{Rec}\subset \{1,\ldots ,20n\}\) of size n in the following way: \(\varGamma _\mathrm{Rec}= \{20i-q^i_\mathrm{Rec}\}_{i\in [n]}\). The sender then opens the commitments from Stage 1 that correspond to the indices within \(\varGamma _\mathrm{Rec}\), namely, the sender decommits \(a^i_\mathrm{Sen}\) for all \(i \in \varGamma _\mathrm{Rec}\). \(\mathrm{Rec}\) checks that the decommitted values are consistent with the inputs and randomness used for the OTs in Stage 2 by the sender, and aborts in case of a mismatch.

    • \(\mathrm{Rec}\) commits to another subset \(\varGamma \subset [20n]\) denoted by \((\varGamma ^1,\ldots ,\varGamma ^n)\), by sending \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\) the message \((\mathsf{commit}, sid, ssid'_i, \varGamma ^i)\) for all \(i\in [n]\). (The sender will reveal its inputs and randomness that are used in Stage 2 that correspond to the indices in \(\varGamma \) later in Stage 5.)

  4. 4.

    Combiner:

    • Let \(\varDelta = [20n] - \varGamma _\mathrm{Rec}- \varGamma _\mathrm{Sen}\). Then for every \(i \in \varDelta \), the receiver computes \(\alpha _i = u \oplus c_i\) and sends it to the sender.

    • The sender computes a 10n-out-of-18n secret sharing of \(v_0\), denote the shares by \(\{\rho _i^0\}_{i \in \varDelta }\). Analogously, it computes a 10n-out-of-18n secret sharing of \(v_1\), denote the shares by \(\{\rho _i^1\}_{i \in \varDelta }\). The sender computes \(\beta _i^b = \rho _i^b \oplus s_i^{b\oplus \alpha _i}\) for all \(b \in \{0,1\}\) and \(i \in \varDelta \), and sends the outcome to the receiver.

    • The receiver computes \(\tilde{\rho _i} = \beta _i^u\oplus \tilde{s_i}\) for all \(i\in \varDelta \). Denote by \(\rho \) these concatenated bits.

  5. 5.

    Final cut-and-choose:

    • The receiver decommits \(\varGamma \) and the sender sends the inputs and randomness it used in Stage 2 for the coordinates that correspond to \(\varDelta \cap \varGamma \). (Note that the sender need only reveal the indices that were not decommitted in Stage 3). \(\mathrm{Rec}\) checks that the sender’s values are consistent with the inputs and randomness used for the OTs in Stage 2 by the sender, and aborts in case of a mismatch.

    • The receiver checks whether \((\tilde{\rho }_i)_{i\in \varDelta }\) agrees with some codeword \(w \in \mathcal{W}_{18n,10n}\) on 17n locations (where the code \(\mathcal{W}_{18n,10n}\) is induced by the secret sharing construction that we use in Stage 4). Recall that the minimum distance of the code \(\mathcal{W}_{18n,10n}\) is at least \(18n-10n > 8n\), which implies that there will be at most one such codeword w. Furthermore, since we can correct up to \(\frac{18n-10n}{2} = 4n\) errors, any code that is 17n close to a codeword can be efficiently recovered using the Berlekamp-Welch algorithm. The receiver outputs that w as its output in the OT protocol. If no such w exists, the receiver returns a default value.

Theorem 32

Assume that \(\pi ^{\scriptscriptstyle \mathrm {SH}}_{\scriptscriptstyle \mathrm {OT}}\) is static semi-honest secure and that the compiled \(\widehat{\pi }_{\scriptscriptstyle \mathrm {OT}}\) is secure according to Lemma 21. Then Protocol 1 UC realizes \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\) in the presence of static malicious adversaries in the \(\mathcal{F}_{\scriptscriptstyle \mathrm {EXTCOM}}\)-hybrid model using black-box access to the oblivious transfer protocol.

Recalling that our protocol relies on the existence of semi-honest OT and extractable commitments, and that the later can be constructed based on any two-round semi-honest OT, e.g., [21], which implies PKE (see Sects. 2.1 and 2.3 for more details), an immediate corollary from Theorem 32 implies that,

Corollary 33

Assume the existence of two-round static semi-honest oblivious transfer. Then there exists a protocol that securely realizes \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\) in the presence of static malicious adversaries in the CRS model using black-box access to the oblivious transfer protocol.

A High Level Proof. We first provide an overview of the security proof; the complete proof is found in [30]. Loosely speaking, in case the receiver is corrupted the simulator plays the role of the honest sender in Stages 1–4. Next in Stage 5, the simulator extracts the receiver’s input u. Specifically, the simulator extracts all the committed values of the receiver within Stage 1 (relying on the fact that the commitment scheme is extractable), and then uses these values in order to obtain the inputs for the OT executions in Stage 2. Upon completing Stage 2, the simulator records the coordinates for which the receiver deviates from the prescribed input and random tape chosen in the coin tossing phase. Denoting these set of coordinates by \(\varPhi \), we recall that a malicious receiver may obtain both of the sender’s inputs with respect to the OT executions that correspond to the coordinates within \(\varPhi \) and \(\varGamma \). On the other hand, it obtains only one of the two inputs with respect to the rest of the OT executions that correspond to the coordinates within \(\varDelta - \varPhi - \varGamma \). Consequently, the simulator checks how many shares of \(v_0\) and \(v_1\) are obtained by the receiver and proceeds accordingly. In more details,

  • If the receiver obtains more than 10n shares of both inputs then the simulator halts and outputs \({\mathsf {fail}}\) (we prove in Section [30] that this event only occurs with negligible probability).

  • If the receiver obtains less than 10n shares of both inputs then the simulator picks two random values for \(v_0\) and \(v_1\) of the appropriate length and completes the interaction, playing the role of the honest sender on these values. Note that in this case the simulator does not need to call the ideal functionality.

  • Finally, if the receiver obtains more than 10n shares for only one input \(u\in \{0,1\}\), then the simulator sends u to the ideal functionality \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\) and obtains \(v_u\). The simulator then sets \(v_{1-u}\) as a random string of the appropriate length and completes the interaction by playing the role of the honest sender on these values.

Recall that the only difference between the simulation and the real execution is in the way the messages in Stage 4 are generated. Specifically, in the simulation a value u is extracted from the malicious receiver and then fed to the \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\) functionality. The simulation is then completed based on the output returned from the functionality. Intuitively, the cut-and-choose mechanism ensures that the receiver cannot deviate from the honest strategy in Stage 2 in more than n OT sessions without getting caught with overwhelming probability. Moreover, the defensible privacy of the OT protocol implies that the receiver can learn at most one of the two inputs of the sender relative to the OT executions in Stage 2 for which the receiver proceeded honestly.

In case the sender is corrupted, the simulator’s strategy is to play the role of the honest receiver until Stage 5 where the simulator extracts the sender’s inputs. More specifically, the simulator first extracts the sender’s input for the OT executions in Stage 1 (relying on the fact that the commitment scheme is extractable). Next, the simulator extracts the shares \(\{\rho ^0_i\}_{i\in \varDelta }\) and \(\{\rho ^1_i\}_{i\in \varDelta }\) that correspond to inputs \(v_0\) and \(v_1\). To obtain the actual values the simulator checks if these shares agree with some codeword relative to 16n locations. That is,

  • Let \(w_0\) and \(w_1\) denote the corresponding codewords (if there are no such codewords that agree with with \(v_0\) and \(v_1\) on 16n locations then the simulator uses a default codeword instead). Next, the simulator checks \(w_0\) and \(w_1\) against the final cut-and-choose. If any of the shares from \(w_b\) are inconsistent with the opened shares that are opened by the sender in the final cut-and-choose, then \(v_b\) is set to a default value, otherwise \(v_b\) is the value corresponding to the shared secret.

Finally, the simulator sends \((v_0,v_1)\) to the ideal functionality for \(\mathcal{F}_{\scriptscriptstyle \mathrm {OT}}\). Security in this case is reduced to the privacy of the receiver. In addition, the difference between the simulation’s strategy and the honest receiver’s strategy is that the simulator extracts the sender’s both inputs in all \(i \in \varDelta -\varPhi \) and then finds codewords that are 16n-close to the extracted values, whereas the honest receiver finds a codeword that is 17n-close based on the inputs it received in the Stages 2 and 5, and returns it. We thus prove that the value u extracted by the simulator is identical the to the reconstructed output of the honest receiver relying on the properties of the secret sharing scheme.

4 One-Sided Adaptive UC Secure Computation

In the two-party one-sided adaptive setting, at most one of the parties is adaptively corrupted [29, 35]. In this section we provide a simple transformation of our static UC secure protocol from Sect. 3 to a two-party UC-secure protocol that is secure against one-sided adaptive corruption. Our first observation is that in Protocol 1 the parties use their real inputs to the OT protocol only in Phase 4. Therefore simulation of the first three phases can be easily carried out by simply following the honest strategy. On the other hand, simulating messages in Phase 4 requires some form of equivocation since if corruption takes place after this phase is concluded then the simulator needs to explain this message with respect to the real input of the corrupted party. On a high-level we will transform the protocol so that if no party is corrupted until end of Phase 4, the simulator can equivocate the message in Phase 4. We explain how to achieve equivocation later. First, we describe our simulator: In case either party is statically corrupted the simulation for Protocol 1 follows the strategy of the honest party until Phase 4, where the simulator extracts the corrupted party’s input relying on the fact that it knows the adversary’s committed input in Phase 1. Therefore, the same proof follows in case the adversary adaptively corrupts one of the parties at any point before Phase 4, as the simulator can pretend that corruption took place statically. On the other hand, if corruption takes place after Phase 4, then the simulator equivocates the communication. It is important to note that while in the plain model any statically secure protocol can be compiled into one-sided secure protocol by encrypting its entire communication, it is not clear that this is the case in the UC setting due to the additional setup, e.g., a CRS that may depend on the identity of the corrupted party. Nevertheless, in Phase 4 the parties only run a combiner for which the computation does not involve any usage of the CRS (which is induced by the extractable commitment). Therefore, the proof follows.

A common approach to achieve equivocation is to rely on non-committing encryption schemes (NCE) [6, 11, 16], that allow secure communication in the presence of adaptive attacks. This powerful tool has been constructed while relying on (a variant of) simulatable PKE schemes, which, roughly speaking, allows for both the public-key and the ciphertexts to be generated obliviously without the knowledge of the plaintext or the secret key [11, 16]. Notably, these constructions achieve a stronger notion of security where both parties may be adaptively corrupted (also referred to as fully adaptive). Our second observation is that it is sufficient to rely on a weaker variant of NCE, namely, one that is secure against only one-sided adaptive corruption.

In particular, we take advantage of a construction presented in [6] and later refined in [16], that achieves receiver equivocation under the assumption of semi-honest OT. We will briefly describe it now. Recall that in the fully adaptive case, the high-level idea is for the sender and receiver to mutually agree on a random bit, which is then used by the sender to determine which of two random strings to mask its message. The process of agreeing on a bit requires the ability to both obliviously sample a public-key without the knowledge of the secret key, as well as the ability to obliviously sample a ciphertext without the knowledge of the corresponding plaintext. In the simpler one-sided scenario, Canetti et al. observed that an oblivious transfer protocol can replace the oblivious generation of the public-key. Specifically, the NCE receiver sends two public keys to the sender, and then the parties invoke an OT protocol where the NCE receiver plays the role of the OT sender and enters the corresponding secret keys. To allow equivocation for the NCE sender, the OT must enable equivocation with respect to the OT receiver. The [21] OT protocol is an example for such a protocol. Here the OT receiver can pick the two ciphertexts so that it knows both plaintexts. Then equivocation is carried out by declaring that the corresponding ciphertext is obliviously sampled.

The advantage of this approach is that it removes the requirement of generating the public key obliviously, as now the randomness for its generation is split between the parties, where anyway only one of them is corrupted. This implies that the simulator can equivocate the outcome of the protocol execution without letting the adversary the ability to verify it. To conclude, it is possible to strengthen the security of Protocol 1 into the one-sided setting by simply encrypting the communication within the combiner phase using one-sided NCE which in turn can be constructed based on PKE with oblivious ciphertext generation. This implies the following theorem which further implies black-box one-sided UC secure computation from enhanced trapdoor permutation.

Theorem 41

Assume the existence of PKE with oblivious ciphertext generation. Then for any two-party well-formed functionality \(\mathcal{F}\), there exists a protocol that UC realizes \(\mathcal{F}\) in the presence of one-sided adaptive, malicious adversaries in the CRS model using black-box access to the PKE.

5 Adaptive UC Secure Computation

In this section we demonstrate the feasibility of UC secure commitment schemes based on PKE with oblivious ciphertext generation (namely, where it is possible to obliviously sample the ciphertext without knowing the plaintext). Our construction is secure even in the presence of adaptive corruptions and is the first to achieve the stronger notion of adaptive security based on this hardness assumption. Plugging-in our UC commitment protocol into the transformation of [12] that generates adaptive malicious OT given adaptive semi-honest OT and UC commitments, implies an adaptively UC secure oblivious transfer protocol with malicious security based on semi-honest adaptive OT and PKE with oblivious ciphertext generation using only black-box access to the semi-honest OT and the PKE. Stating formally,

Theorem 51

Assume the existence of adaptive semi-honest oblivious transfer and PKE with oblivious ciphertext generation. Then for any multi-party well-formed functionality \(\mathcal{F}\), there exists a protocol that UC realizes \(\mathcal{F}\) in the presence of adaptive, malicious adversaries in the CRS model using black-box access to the oblivious transfer protocol and the PKE.

Noting that simulatable PKE implies both semi-honest adaptive OT [9, 11] and PKE with oblivious ciphertext generation, we derive the following corollary (where simulatable PKE implies oblivious sampling of both public keys and ciphertexts),

Corollary 52

Assume the existence of simulatable PKE. Then for any multi-party well-formed functionality \(\mathcal{F}\), there exists a protocol that UC realizes \(\mathcal{F}\) in the presence of adaptive, malicious adversaries in the CRS model using black-box access to the simulatable PKE.

This in particular improves the result from [14] that relies on simulatable PKE in a non-black-box manner. Note also that our UC commitment can be constructed using a weaker notion than simulatable PKE where the inverting algorithms can require a trapdoor. This notion is denoted by trapdoor simulatable PKE [11] and can be additionally realized based on the hardness assumption of factoring Blum integers. This assumption, however, requires that we modify our commitment scheme so that the CRS includes \(3n+1\) public keys of the underlying PKE instead of just one, as otherwise the reduction to the security of the PKE does not follow for multiple ciphertexts. Specifically, at the cost of linear blowup (in the security parameter) of the CRS, we obtain adaptively secure UC commitments under a weaker assumption. Now, since trapdoor simulatable PKE implies adaptive semi-honest OT [11] it holds,

Corollary 53

Assume the existence of trapdoor simulatable PKE. Then for any multi-party well-formed functionality \(\mathcal{F}\), there exists a protocol that UC realizes \(\mathcal{F}\) in the presence of adaptive, malicious adversaries in the CRS model using black-box access to the trapdoor simulatable PKE.

Note that, since the best known general assumptions for realizing adaptive semi-honest OT is trapdoor simulatable PKE, this corollary gives evidence that the assumptions for adaptive semi-honest OT are sufficient for adaptive UC security and makes a step towards identifying the minimal assumptions for achieving UC security in the adaptive setting. To conclude, we note that enhanced trapdoor permutations, which imply PKE with oblivious ciphertext generation, imply the following corollary,

Theorem 54

Assume the existence of enhanced trapdoor permutation. Then \(\mathcal{F}_{\scriptscriptstyle \mathrm {COM}}\) (cf. Fig. 2) can be UC realized in the CRS model in the presence of adaptive malicious adversaries.

5.1 UC Commitments from PKE with Oblivious Ciphertext Generation

In this section we demonstrate the feasibility of adaptively secure UC commitments for the message space \(m\in \{0,1\}\) from any public-key encryption scheme \(\varPi =(\mathsf {Gen},\mathsf {Enc},\mathsf {Dec},\widetilde{\mathsf {Enc}}, \widetilde{\mathsf {Enc}}^{-1})\) with oblivious ciphertext generation (cf. Definition 21) in the common reference string (CRS) model. In this model [7] the parties have access to a CRS chosen from a specified trusted distribution \(\mathcal{D}\). This is captured via the ideal functionality \(\mathcal {F}_{\scriptscriptstyle \mathrm {CRS}}^{\mathcal{D}}\) (see [30] for the definition). We note that we use \(\varPi \) in two places in our protocol. First, in the encoding phase (where the commitments are computed by the sender) and then in the coin-tossing phase (where the commitments are computed by the receiver). Our complete construction can be found in Fig. 4. Next, we prove

Fig. 4.
figure 4

UC adaptively secure commitment scheme.

Full size image

Theorem 55

Assume that \(\varPi =(\mathsf {Gen},\mathsf {Enc},\mathsf {Dec},\widetilde{\mathsf {Enc}}, \widetilde{\mathsf {Enc}}^{-1})\) is a PKE with oblivious ciphertext generation. Then protocol \(\pi _{\scriptscriptstyle \mathrm {COM}}\) (cf. Fig. 4) UC realizes \(\mathcal{F}_{\scriptscriptstyle \mathrm {COM}}\) in the CRS model in the presence of adaptive malicious adversaries.

A High Level Proof. Intuitively, security requires proving both hiding and binding in the presence of static and adaptive corruptions. The hiding property follows from the IND-CPA security of the encryption scheme combined with the fact that the receiver only sees n shares in a n-out-of-\(3n+1\) secret-sharing of the message in the commit phase. On the other hand, proving binding is much more challenging and reduces to the facts that a corrupted sender cannot successfully predict exactly the n indices from \(\{1,\ldots ,3n+1\}\) that will be chosen in the coin-tossing protocol. In fact, if it can identify these n indices, then it would be possible for the adversary to break binding. An important information-theoretic argument that we prove here is that for a fixed encoding phase, no adversary can equivocate on two continuations from the encoding phase with different outcomes of the coin-tossing phase. Saying differently, for any given encoding phase there is exactly one outcome for the coin-tossing phase that will allow equivocation. Given this claim, binding now follows from the IND-CPA security of the encryption scheme used in the coin-tossing phase. In addition, recall that in the UC setting the scheme must also support a simulation that allows straight-line extraction and equivocation. At a high-level, the simulator sets the CRS to public-keys for which it knows the corresponding secret-keys. This will allow the simulator to extract all the values encrypted by the adversary. We observe that the simulator can fix the outcome of the coin-tossing phase to any n-indices of its choice by extracting the random string \(\sigma _0\) encrypted by the receiver and choosing a random string \(\sigma _1\) so that \(\sigma _0 \oplus \sigma _1\) is a particular string. Next, the simulator generates secret-sharing for both 0 and 1 so that they overlap in the particular n shares. To commit, the simulator encrypts the n common shares within the n indices to be revealed (which it knows in advance), and for the rest of the indices it encrypts two shares, one that corresponds to the sharing of 0 and the other that corresponds to the sharing of 1. Finally, in the decommit phase, the simulator reveals that shares that correspond to the real message m, and exploits the invertible sampling algorithm to prove that the other ciphertexts were obliviously generated.