Removing Erasures with Explainable Hash Proof Systems

Abstract

An important problem in secure multi-party computation is the design of protocols that can tolerate adversaries that are capable of corrupting parties dynamically and learning their internal states. In this paper, we make significant progress in this area in the context of password-authenticated key exchange (\(\textsf {PAKE}\)) and oblivious transfer (\(\textsf {OT}\)) protocols. More precisely, we first revisit the notion of projective hash proofs and introduce a new feature that allows us to explain any message sent by the simulator in case of corruption, hence the notion of Explainable Projective Hashing. Next, we demonstrate that this new tool generically leads to efficient \(\textsf {PAKE}\) and \(\textsf {OT}\) protocols that are secure against semi-adaptive adversaries without erasures in the Universal Composability (UC) framework. We then show how to make these protocols secure even against adaptive adversaries, using non-committing encryption, in a much more efficient way than generic conversions from semi-adaptive to adaptive security. Finally, we provide concrete instantiations of explainable projective hash functions that lead to the most efficient \(\textsf {PAKE}\) and \(\textsf {OT}\) protocols known so far, with UC-security against adaptive adversaries, without assuming reliable erasures, in the single global CRS setting.

As an important side contribution, we also propose a new commitment scheme based on \(\textsf {DDH}\), which leads to the construction of the first one-round \(\textsf {PAKE}\) adaptively secure under plain \(\textsf {DDH}\) without pairing, assuming reliable erasures, and also improves previous constructions of \(\textsf {OT}\) and two- or three-round \(\textsf {PAKE}\) schemes.

1 Introduction

1.1 Motivation

One of the most difficult problems in secure multi-party computation is the design of protocols that can tolerate adaptive adversaries. These are adversaries which can corrupt parties dynamically and learn their internal states. As stated in the seminal work of Canetti et al. [12], this problem is even more difficult when uncorrupted parties may deviate from the protocol by keeping record of past configurations, instead of erasing them, or just because erasures are not reliable. To deal with this problem, they introduced the concept of non-committing encryption (\(\textsf {NCE}\)) and showed how to use it to build general multi-party computation protocols that remained secure even in the presence of such adversaries. Unfortunately, the gain in security came at the cost of a significant loss in efficiency. Though these results were later improved (e.g., [6, 17, 21, 27]), \(\textsf {NCE}\) still requires a large amount of communication and achieving efficient constructions with adaptive security without assuming reliable erasures remains a difficult task.

To address the efficiency issue with previous solutions, Garay, Wichs, and Zhou [24] (GWZ) introduced two new notions. The first one was the notion of semi-adaptive security in which an adversary is not allowed to corrupt a party if all the parties are honest at the beginning of the protocol. The main advantage of the new notion is that it is only slightly more difficult to achieve than static security but significantly easier than fully-adaptive security. The second new notion was the concept somewhat non-committing encryption. Unlike standard \(\textsf {NCE}\) schemes, somewhat non-committing encryption only allows the sender of a ciphertext to open it in a limited number of ways, according to an equivocality parameter \(\ell \).

In addition to being able to build very efficient somewhat non-committing encryption schemes for small values of \(\ell \), Garay et al. [24] also showed how to build a generic compiler with the help of such schemes that converts any semi-adaptively secure cryptographic scheme into a fully-adaptively secure one. Since the equivocality parameter \(\ell \) needed by their compiler is proportional to the input and output domains of the functionality being achieved, they were able to obtain very efficient constructions for functionalities with small domains, such as 1-out-of-2 oblivious transfers (\(\textsf {OT}\)). In particular, their results do not require reliable erasures and hold in the universal composability (UC) framework [8, 9].

Building on the results of Garay et al. [24], Canetti et al. [10] showed how to use 1-out-of-2 \(\textsf {OT}\) protocols to build reasonably efficient password-based authenticated key exchange (\(\textsf {PAKE}\)) protocols in the UC framework against adaptive corruptions without erasures. The number of \(\textsf {OT}\) instances used in their protocol is proportional to the number of bits of the password.

Even though both works provide efficient constructions of UC-secure \(\textsf {OT}\) and \(\textsf {PAKE}\) schemes with adaptive security without erasures, the efficiency gap between these protocols and those which assume reliable erasures (e.g., [1, 18]) remains significant. In this work, we aim to reduce this gap.

1.2 Our Approach

In order to build more efficient \(\textsf {OT}\) and \(\textsf {PAKE}\) schemes with adaptive security without erasures, we start from the constructions of Abdalla et al. [1], which were the most efficient \(\textsf {OT}\) and \(\textsf {PAKE}\) constructions in the UC model with adaptive corruptions, with a single global common reference string (CRS)¹, and assuming reliable erasures. We then improve them to make them secure against semi-adaptive adversaries, without erasures. Finally, we show how to enhance these protocols with non-committing encryption (\(\textsf {NCE}\)) in order to achieve adaptive security without erasures and without impacting too much their efficiency. All our constructions assume the existence of a single global CRS (notice that even with static corruptions, \(\textsf {OT}\) and \(\textsf {PAKE}\) in the UC model do not exist in the plain model without CRS [14]).

Hash Proof Systems. At the heart of the \(\textsf {OT}\) and \(\textsf {PAKE}\) constructions in [1] is the following idea: one party commits to his index (for \(\textsf {OT}\)) or his password (for \(\textsf {PAKE}\)), and the other party derives from this commitment some hash value which the first party can compute if his commitment was valid and contained some given value (a valid password or a given index), or appears random otherwise. This hash value is then used to mask the values to be transferred in the \(\textsf {OT}\) case or is used to derive the session key in the \(\textsf {PAKE}\) case.

More precisely, this hash value is computed through a hash proof system or smooth projective hash functions (\(\textsf {SPHF}\)) [20]. An \(\textsf {SPHF}\) is defined for a language \(\mathcal {L}\subseteq \mathcal {X}\). In our case, this language is the language of valid commitments of some value. The first property of an \(\textsf {SPHF}\) is that, for a word C in \(\mathcal {L}\), the hash value can be computed using either a secret hashing key \(\mathsf {hk}\) (generated by the first party) or a public projected key \(\mathsf {hp}\) (derived from \(\mathsf {hk}\) and given to the second party) together with a witness w to the fact that C is indeed in \(\mathcal {L}\). However, for a word C not in \(\mathcal {L}\), the hash value computed with \(\mathsf {hk}\) is perfectly random, even knowing \(\mathsf {hp}\). The latter is known as the smoothness property.

Explainable Hash Proof Systems. To make the protocol secure against semi-adaptive adversaries, we face two main problems. The first is the fact the commitment scheme has at the very least to be UC-secure against semi-adaptive adversaries, without relying on erasures. While this is not the case for the original commitment scheme in [1], we show that it is true for a slight variant of it.

The second problem is the main challenge: in case of corruption of an honest player, after this player sent some projection key \(\mathsf {hp}\), we need to exhibit a hashing key \(\mathsf {hk}\) that is compatible with the view of the adversary. In particular, this view may contain a hash value of some commitment under \(\mathsf {hk}\). For that purpose, we introduce the notion of explainable hash proof systems (\(\textsf {EPHFs}\)) which basically are \(\textsf {SPHFs}\) with a trapdoor enabling to generate a projection key \(\mathsf {hp}\), and later exhibit a hashing key \(\mathsf {hk}\) for any hash value.

We propose two constructions of \(\textsf {EPHFs}\). The first one works with any \(\textsf {SPHF}\), as long as there exists a trapdoor which enables to generate, for any hashing key \(\mathsf {hk}\), a random hashing key \(\mathsf {hk}'\) associated to the same projection key as \(\mathsf {hp}\). This property is achieved by most known \(\textsf {SPHFs}\). Then to generate a hashing key \(\mathsf {hk}'\) corresponding to a given projection key \(\mathsf {hp}\) (associated to some known \(\mathsf {hk}\)) and a given hash value H, we can draw \(\mathsf {hk}'\) as above until it corresponds to the hash value H. Unfortunately, this can only be done if the set of possible hash values is small. One way to ensure this fact is to truncate the hash value to only \(\nu \) bits instead of keeping the entire hash value. In this case, the reduction requires \(O(2^\nu )\) drawing of \(\mathsf {hk}'\).

This reduction gap means that \(\nu \) has to be logarithmic in the security parameter. If we look carefully at current \(\textsf {SPHF}\) constructions over cyclic groups, we remark that hashing keys are usually vectors of scalars, while hash values are typically group elements. Therefore, intuitively, it does not seem possible to recover a hashing key from a hash value, without performing some kind of discrete logarithm computation on the hash value.² As a result, it appears that the best we can hope for in this case is to drop the cost from \(O(2^\nu )\) down to \(O(2^{\nu /2})\), through the use of a baby-step giant-step algorithm, or the Pollard’s kangaroo method [30]. A straightforward application of this idea to an \(\textsf {SPHF}\), however, would require computing the discrete logarithm of the hash value, which is impractical. Our second construction consists largely in making this idea work.

From Semi-adaptive to Adaptive Adversaries. Once we obtain \(\textsf {OT}\) and \(\textsf {PAKE}\) protocols secure against semi-adaptive adversaries using \(\textsf {EPHFs}\), we still need to transform them into protocols secure against adaptive adversaries.

First, for \(\textsf {PAKE}\), the GWZ transformation cannot directly be used because channels are not authenticated, and some ideas of Canetti et al. in [4] need to be combined to deal with this issue. Even then, the GWZ improvement of using somewhat \(\textsf {NCE}\) cannot be applied directly because \(\textsf {PAKE}\) outputs are session keys, and therefore there is an exponential number of them, which means the equivocality parameter and the communication complexity of the resulting protocol would be exponential in the security parameter. Hence, to transform a semi-adaptively secure \(\textsf {PAKE}\) protocol into an adaptively secure one, each bit of each flow of the original protocol needs to be sent through an \(\textsf {NCE}\) channel. While the resulting protocol would only be 3-round, its communication complexity would be impractical: even with the most efficient \(\textsf {NCE}\) schemes known so far [17], this would multiply the communication complexity of the original protocol by about 320.³ This is why we propose a new transformation from semi-adaptively secure to adaptively-secure \(\textsf {PAKE}\), in which only \(\mathfrak {K}+ 8 {\nu _m}\) bits are sent via \(\textsf {NCE}\) channels (where \(\mathfrak {K}\) is the security parameter and \({\nu _m}\) is the password length).

Second, for \(\textsf {OT}\), while the GWZ transformation is very practical for bit \(\textsf {OT}\) (i.e., \(\textsf {OT}\) for one-bit messages), it cannot be used for long messages nor for 1-out-of-k \(\textsf {OT}\) for large k (e.g., polynomial in the security parameter) for similar reasons as in the \(\textsf {PAKE}\) case. Garay et al. [24] proposed a solution for long messages consisting in running \({\nu _m}\)-bit string \(\textsf {OT}\) together with zero-knowledge proofs to make sure the same index is used in all protocols. Here, we show how to directly construct \({\nu _m}\)-bit string \(\textsf {OT}\) from our specific semi-adaptive protocol at a much lower cost, by avoiding zero-knowledge proofs and reducing the number of bits sent via \(\textsf {NCE}\) channels. Contrary to a solution obtained by the GWZ transformation, the communication complexity of this new protocol is polynomial in k (instead of being exponential in k).

Relying only on DDH. As an important side contribution, we propose a new \(\textsf {SPHF}\)-friendly commitment scheme based on the plain Decisional Diffie-Hellman assumption (\(\textsf {DDH}\)). In addition to being more efficient than the one of Abdalla et al. [1], the new commitment scheme also does not require pairings. As a result, the new scheme can be used to significantly improve previous \(\textsf {OT}\) and \(\textsf {PAKE}\) schemes in the UC model with adaptive adversaries, assuming reliable erasures. Moreover, it also yields to the first one-round PAKE scheme under plain DDH, using [1]. All the previously known one-round \(\textsf {PAKE}\) schemes (even only secure against statistical corruptions) use pairings, including the recent extremely efficient scheme of Jutla and Roy in [28], where each user only sends four group elements.

For our protocols to be secure, the underlying commitment scheme has to possess strong properties, which makes its design quite challenging. First, we need to be able to extract the inputs of the parties and, in particular, the commitments produced by the adversary. Second, we also need to be able to simulate a party without knowing its input and, in particular, his commitments; but we still need to be able to later open these commitments to the correct input, in case of corruption. In other words, the commitment has to be both equivocable and extractable. Third, to be compatible with \(\textsf {SPHF}\), an additional twist is required: the language \(\mathcal {L}\) of commitments of a given value need to be non-trivial. More precisely, it should not be possible for a (polynomial-time) adversary to generate a commitment which may be opened in multiple ways (even if a polynomial-time adversary may not be able to find it), or in other words, a commitment generated by a polynomial-time adversary has to be perfectly binding. This last property is called robustness. Roughly speaking, a commitment satisfying all these three properties is said to be \(\textsf {SPHF}\)-friendly.

Efficient constructions of equivocable and extractable commitments fall in two categories: the one following the ideas of Canetti and Fischlin [13] (including [1, 3]), and the ones using non-interactive zero-knowledge proofs as decommitment information as the Fischlin-Libert-Manulis schemes [23]. The latter ones are not robust and cannot be used for our purpose. The first basically consists, when the committed value is just one bit b, to commit in an equivocable way to b, and provide two ciphertexts \(C_0\) and \(C_1\), where \(C_b\) contains the decommitment information for b and \(C_{1-b}\) is random. Extracting such a commitment can be done by decrypting \(C_0\) and \(C_1\) and finding which of them contains a valid decommitment information, while simulating such a commitment just consists of encryptions of valid decommitment information in \(C_0\) and \(C_1\) (for 0 and 1, respectively).

The difficulty is to find an equivocable commitment and an encryption scheme compatible with an \(\textsf {SPHF}\), which essentially means that they have to be structure-preserving. In [3], the Pedersen [31] commitment scheme is used. But then the decommitment information has to be done bit by bit as it is a scalar, which is very inefficient⁴. To solve this issue, in [1], one of the Haralambiev structure-preserving commitment schemes [26] is used, at the expense of relying on \(\textsf {SXDH}\) and pairings. Unfortunately, there does not seem to exist structure-preserving commitment schemes under plain \(\textsf {DDH}\). This is why we developed a new way of constructing \(\textsf {SPHF}\)-friendly commitment schemes.

1.3 Organization of the Paper

Due to space restrictions, we focus on \(\textsf {OT}\) in the core of the paper. \(\textsf {PAKE}\) constructions are detailed in the full version [2].

After recalling some definitions in Sect. 2, we introduce our new notion of explainable hash proof systems (\(\textsf {EPHFs}\)) in Sect. 3 and present our two constructions. This is our first main contribution. Then, we show how to use \(\textsf {EPHFs}\) and \(\textsf {SPHF}\)-friendly commitments to construct \(\textsf {OT}\) UC-secure against semi-adaptive adversaries, in Sect. 4. Next, we introduce our new \(\textsf {SPHF}\)-friendly commitment scheme under plain \(\textsf {DDH}\), which is our second main contribution. Using the latter, we also provide substantial improvements for \(\textsf {OT}\) and \(\textsf {PAKE}\) schemes in the UC model, assuming reliable erasures. Finally, in Sect. 6, we show how to efficiently enhance our \(\textsf {OT}\) semi-adaptive protocols with non-committing encryption (\(\textsf {NCE}\)) in order to achieve adaptive security. In particular, we propose several adaptive versions of our semi-adaptive \(\textsf {OT}\) protocols, yielding different trade-offs in terms of communication complexity and number of rounds. In each case, at least one of our new protocols outperforms existing ones. A detailed related work coverage can be found in the full version [2].

To better focus on the core ideas, standard definitions and notations are recalled in the full version [2]. Additional details and proofs for \(\textsf {EPHFs}\), all the proofs of our semi-adaptively and adaptively secure protocols, and proofs and some technical parts of our new \(\textsf {SPHF}\)-friendly commitment are in the full version [2].

2 Definitions

Notations. As usual, all the players and algorithms will be possibly probabilistic and stateful. Namely, adversaries can keep a state \(\mathsf {st}\) during the different phases, and we denote \(\mathop {\leftarrow }\limits ^{{}_\$}\) the outcome of a probabilistic algorithm or the sampling from a uniform distribution. For example, \(\mathcal {A}(x;r)\) will denote the execution of \(\mathcal {A}\) with input x and random tape r. For the sake of clarity, sometimes, the latter random tape will be dropped, with the notation \(\mathcal {A}(x)\).

Smooth Projective Hash Functions. Projective hashing was first introduced by Cramer and Shoup [20]. Here we use the formalization of \(\textsf {SPHF}\) from [7].

Let \((\mathcal {X}_\mathsf {crs})_\mathsf {crs}\) be a family of domains for the hash functions indexed by \(\mathsf {crs}\), and let \((\mathcal {L}_{\mathsf {crs},\mathsf {par}})_{\mathsf {crs},\mathsf {par}}\) be a family of languages, i.e., \(\mathcal {L}_{\mathsf {crs},\mathsf {par}}\) is a subset of \(\mathcal {X}_\mathsf {crs}\). For the sake of simplicity, we write \(\mathsf {crs\text {-}par}= (\mathsf {crs},\mathsf {par})\). In this paper, we focus on languages of commitments, whose corresponding plaintexts satisfy some relations, and even more specifically here equal to some value \(\mathsf {par}\). The value \(\mathsf {crs}\) will be the common reference string for these commitments. The value \(\mathsf {par}\) is a parameter which is not necessarily public. In case of \(\textsf {PAKE}\) for example, it is the expected password.

A key property of an \(\textsf {SPHF}\) is that, for a word C in \(\mathcal {L}_\mathsf {crs\text {-}par}\), the hash value can be computed by using either a secret hashing key \(\mathsf {hk}\) or a public projection key \(\mathsf {hp}\) but with a witness w of the fact that C is indeed in \(\mathcal {L}\). More precisely, an \(\textsf {SPHF}\) is defined by four algorithms:

• \(\mathsf {HashKG}(\mathsf {crs})\) generates a hashing key \(\mathsf {hk}\) for \(\mathsf {crs}\);

• \(\mathsf {ProjKG}(\mathsf {hk},\mathsf {crs},C)\) derives the projection key \(\mathsf {hp}\);

• \(\mathsf {Hash}(\mathsf {hk},\mathsf {crs\text {-}par},C)\) outputs the hash value (in a set \(\varPi \), called the range of the \(\textsf {SPHF}\)) from the hashing key \(\mathsf {hk}\), for any word \(C\in \mathcal {X}\);

• \(\mathsf {ProjHash}(\mathsf {hp},\mathsf {crs\text {-}par},C,w)\) outputs the hash value from the projection key \(\mathsf {hp}\), and the witness w, for a word \(C \in \mathcal {L}\).

On the one hand, the correctness of the \(\textsf {SPHF}\) assures that if \(C \in \mathcal {L}_\mathsf {crs\text {-}par}\) with w a witness of this fact, then \(\mathsf {Hash}(\mathsf {hk},\mathsf {crs\text {-}par},C) = \mathsf {ProjHash}(\mathsf {hp},\mathsf {crs\text {-}par},C,w)\). On the other hand, the security is defined through the smoothness, which guarantees that, if \(C \not \in \mathcal {L}_\mathsf {crs\text {-}par}\), \(\mathsf {Hash}(\mathsf {hk},\mathsf {crs\text {-}par},C)\) is statistically indistinguishable from a random element, even knowing \(\mathsf {hp}\). More formally, an \(\textsf {SPHF}\) is smooth if, for any \(\mathsf {crs}\), any \(\mathsf {par}\), and any \(C \notin \mathcal {L}_\mathsf {crs\text {-}par}\), the following two distributions are statistically indistinguishable:

We chose to restrict \(\mathsf {HashKG}\) and \(\mathsf {ProjKG}\) not to use the parameter \(\mathsf {par}\), but just \(\mathsf {crs}\) (instead of \(\mathsf {crs\text {-}par}\)), as for some applications, such as \(\textsf {PAKE}\), \(\mathsf {hk}\) and \(\mathsf {hp}\) have to be independent of \(\mathsf {par}\), since \(\mathsf {par}\) is a secret (the password in case of \(\textsf {PAKE}\)). We know that this is a stronger restriction than required for our purpose, since one can use \(\mathsf {par}\) without leaking any information about it; and some of our applications such as \(\textsf {OT}\) do not require \(\mathsf {par}\) to be private at all. But, this is not an issue, since none of our \(\textsf {SPHFs}\) uses \(\mathsf {par}\).

If \(\mathsf {ProjKG}\) does not depend on C and satisfies a slightly stronger smoothness property (called adaptive smoothness, which holds even if C is chosen after \(\mathsf {hp}\)), we say the \(\textsf {SPHF}\) is a KV-SPHF, as such an SPHF was introduced by Katz and Vaikuntanathan in [29]. Otherwise, it is said to be a GL-SPHF, as such an SPHF was introduced by Gennaro and Lindell in [25]. More formally, a KV-SPHF is said to be smooth if for any \(\mathsf {crs}\), any \(\mathsf {par}\), and any function f from the set of projection keys to \(\mathcal {X}_\mathsf {crs\text {-}par}{\setminus }\mathcal {L}_\mathsf {crs\text {-}par}\), the following two distributions are statistically indistinguishable:

See [7] for details on GL-SPHF and KV-SPHF and language definitions.

We would like to remark that one can easily extend the range of an existing \(\textsf {SPHF}\) by concatenating several hash values with independent hashing keys on the same word. In this case, the global projection key would be the concatenation of the respective projection keys. It is straightforward to see that the smoothness property of the global \(\textsf {SPHF}\) follows directly from a classic hybrid argument over the smoothness property of the underlying \(\textsf {SPHF}\).

SPHF -Friendly Commitment Schemes. In this section, we briefly sketch the definition of \(\textsf {SPHF}\)-friendly commitment schemes we will use in this paper (more details are given in the full version [2]). This is a slightly stronger variant of the one in [1], since it requires an additional polynomial-time algorithm \(\mathsf {C.IsBinding} \). But the construction in [1] still satisfies it. This is a commitment scheme that is both equivocable and extractable. It is defined by the following algorithms: \(\mathsf {C.Setup} (1^\mathfrak {K})\) generates the global parameters, passed through the global CRS \(\mathsf {crs}\) to all other algorithms, while \(\mathsf {C.SetupT} (1^\mathfrak {K})\) is an alternative that additionally outputs a trapdoor \(\tau \); \(\mathsf {C.Com}\) \(^\ell (\varvec{M})\) outputs a pair \((C,\delta )\), where C is the commitment of the message \(\varvec{M}\) for the label \(\ell \), and \(\delta \) is the corresponding opening data, used by \(\mathsf {C.Ver} ^\ell (C,\varvec{M},\delta )\) to check the correct opening for C, \(\varvec{M}\) and \(\ell \). It always outputs 0 (false) on \(\varvec{M}=\bot \). The trapdoor \(\tau \) can be used by \(\mathsf {C.Sim} ^\ell (\tau )\) to output a pair \((C,\mathsf {eqk})\), where C is a commitment and \(\mathsf {eqk} \) an equivocation key that is later used by \(\mathsf {C.Open} ^\ell (\mathsf {eqk},C,\varvec{M})\) to open C on any message \(\varvec{M}\) with an appropriate opening data \(\delta \). The trapdoor \(\tau \) can also be used by \(\mathsf {C.Ext} ^\ell (\tau ,C)\) to output the committed message \(\varvec{M}\) in C, or \(\perp \) if the commitment is invalid. Eventually, the trapdoor \(\tau \) also allows \(\mathsf {C.IsBinding} ^\ell (\tau ,C,\varvec{M})\) to check whether the commitment C is binding to the message \(\varvec{M}\) or not: if there exists \(\varvec{M}' \ne \varvec{M}\) and \(\delta '\), such that \(\mathsf {C.Ver} ^\ell (C,\varvec{M}',\delta ') = 1\), then it outputs 0.

All these algorithms should satisfy some correctness properties: all honestly generated commitments open and verify correctly, can be extracted and are binding to the committed value, while the simulated commitments can be opened on any message.

Then, some security guarantees should be satisfied as well, when one denotes the generation of fake commitments \((C,\delta ) \mathop {\leftarrow }\limits ^{{}_\$}\mathsf {C.SCom} ^\ell (\tau ,\varvec{M})\), computed as \((C,\mathsf {eqk}) \mathop {\leftarrow }\limits ^{{}_\$}\mathsf {C.Sim} ^\ell (\tau )\) and then \(\delta \leftarrow \mathsf {C.Open} ^\ell (\mathsf {eqk},C,\varvec{M})\):

• Setup Indistinguishability: one cannot distinguish the CRS generated by \(\mathsf {C.Setup} \) from the one generated by \(\mathsf {C.SetupT} \);

• Strong Simulation Indistinguishability: one cannot distinguish a real commitment (which is generated by \(\mathsf {C.Com}\)) from a fake commitment (generated by \(\mathsf {C.SCom} \)), even with oracle access to the extraction oracle (\(\mathsf {C.Ext} \)), the binding test oracle (\(\mathsf {C.IsBinding} \)), and to fake commitments (using \(\mathsf {C.SCom} \));

• Robustness: one cannot produce a commitment and a label that extracts to \(\varvec{M}\) (possibly \(\varvec{M}=\bot \)) such that \(\mathsf {C.IsBinding} ^\ell (\tau ,C,\varvec{M}) = 0\), even with oracle access to the extraction oracle (\(\mathsf {C.Ext} \)), the binding test oracle (\(\mathsf {C.IsBinding} \)), and to fake commitments (using \(\mathsf {C.SCom} \)).

Note that, for excluding trivial attacks, on fake commitments, the extraction oracle outputs the \(\mathsf {C.SCom} \)-input message and the binding test oracle accepts for the \(\mathsf {C.SCom} \)-input message too. Finally, an \(\textsf {SPHF}\)-friendly commitment scheme has to admit an \(\textsf {SPHF}\) for the following language:

where \(\mathsf {crs\text {-}par}= (\mathsf {crs},\mathsf {par})\) and \(\varvec{M} = \mathsf {par}\).

Basically, compared to the original definition in [1], the main difference is that it is possible to check in polynomial time (using \(\mathsf {C.IsBinding} \)) whether a commitment is perfectly binding or not, i.e., does not belong to any \(\mathcal {L}_{(\mathsf {crs},\varvec{M}')}\) for \(\varvec{M}' \ne \varvec{M}\), where \(\varvec{M}\) is the value extracted from the commitment via \(\mathsf {C.Ext} \). In addition, in the games for the strong simulation indistinguishability and the robustness, the adversary has access to this oracle \(\mathsf {C.IsBinding} \).

Finally, for our \(\textsf {PAKE}\) protocols, as in [1], we need another property called strong pseudo-randomness. This property is a strong version of the pseudo-randomness property. However, while the latter is automatically satisfied by any \(\textsf {SPHF}\)-friendly commitment scheme, the former may not, because of an additional information provided to the adversary. But, it is satisfied by the \(\textsf {SPHF}\)-friendly commitment scheme in [1] and by our new commitment scheme introduced in Sect. 5, which is the most efficient known so far, based on the plain \(\textsf {DDH}\).

SPHF -Friendly Commitment Schemes without Erasures. We will say that an \(\textsf {SPHF}\)-friendly commitment scheme is without erasures if this is an \(\textsf {SPHF}\)-friendly commitment scheme where \(\delta \) (and thus the witness) just consists of the random coins used by the algorithm \(\mathsf {C.Com}\). Then, an \(\textsf {SPHF}\)-friendly commitment scheme without erasures yields directly a commitment scheme that achieves UC-security without erasures.

We remark that slight variants of the constructions in [1, 3] are actually without erasures, as long as it is possible to sample obliviously an element from a cyclic group. To make these schemes without erasures, it is indeed sufficient to change the commitment algorithm \(\mathsf {C.Com}\) to generate random ciphertexts (with elements obliviously sampled from the corresponding cyclic groups) instead of ciphertexts of 0, for the unused ciphertexts (i.e., the ciphertexts \(b_{i,\overline{M_i}}\), for [1], using the notations in that paper). This does not change anything else, since these ciphertexts are not used in the verification algorithm \(\mathsf {C.Ver} \).

In the sequel, all \(\textsf {SPHF}\)-friendly commitment schemes are assumed to be without erasures. Variants of [1, 3] are possible instantiations, but also our quite efficient constructions presented in Sect. 5 and the full version [2].

3 Explainable Projective Hashing

In this section, we define the notion of explainable projective hash function (\(\textsf {EPHF}\)) and then give two generic constructions of \(\textsf {EPHF}\) from \(\textsf {SPHF}\). Both constructions work with any \(\textsf {SPHF}\) built using the generic framework of [7], basically as long as there is a way to generate the CRS so that the discrete logarithms of all elements are known. This encompasses most \(\textsf {SPHFs}\) over cyclic groups. The second construction is more efficient, but only enable building GL-EPHF, while the first construction enables building both GL-EPHF and KV-EPHF and is slightly more generic (it may work with \(\textsf {SPHFs}\) which are not built using the generic framework).

3.1 Definition

Let us first suppose there exists an algorithm \(\mathsf {Setup}\) which takes as input the security parameter \(\mathfrak {K}\) and outputs a CRS \(\mathsf {crs}\) together with a trapdoor \(\tau \). In our case \(\mathsf {Setup}\) will be \(\mathsf {C.SetupT} \), and the trapdoor \(\tau \) will be the commitment trapdoor, which may need to be slightly modified, as we will see in our constructions. This modification generally roughly consists in adding the discrete logarithms of all used elements in the trapdoor \(\mathsf {C.SetupT} \) and is possible with most concrete commitment schemes.

An explainable projective hashing (\(\textsf {EPH}\)) is an \(\textsf {SPHF}\) with the following additional property: it is possible to generate a random-looking projection key \(\mathsf {hp}\), and then receive some hash value H, some value \(\mathsf {par}\) and some word \(C \notin \mathcal {L}_\mathsf {crs\text {-}par}\), and eventually generate a valid hashing key \(\mathsf {hk}\) which corresponds to \(\mathsf {hp}\) and H, as long as we know \(\tau \). In other words, it is possible to generate \(\mathsf {hp}\) and then “explain” any hash H for a word outside the language \(\mathcal {L}_\mathsf {crs\text {-}par}\), by giving the appropriate \(\mathsf {hk}\).

While dual projective hashing [33] implies a weak version of smoothness, our notion of \(\textsf {EPH}\) implies the usual notion of smoothness, and is thus stronger than \(\textsf {SPHF}\). Then, an \(\textsf {EPHF}\) can be either a GL-EPHF or a KV-EPHF, depending on whether the word C is known when \(\mathsf {hp}\) is generated.

GL-EPHF. Formally, a GL-EPHF is defined by the following algorithms:

• \(\mathsf {Setup}(1^\mathfrak {K})\) takes as input the security parameter \(\mathfrak {K}\) and outputs the global parameters, passed through the global CRS \(\mathsf {crs}\) or \(\mathsf {crs\text {-}par}\) to all the other algorithms, plus a trapdoor \(\tau \);

• \(\mathsf {HashKG}\), \(\mathsf {ProjKG}\), \(\mathsf {Hash}\), and \(\mathsf {ProjHash}\) behave as for a classical \(\textsf {SPHF}\);

• \(\mathsf {SimKG}(\mathsf {crs},\tau ,C)\) outputs a projection key \(\mathsf {hp}\) together with an explainability key \(\mathsf {expk}\) (C is not given as input for KV-EPHF);

• \(\mathsf {Explain}(\mathsf {hp},\mathsf {crs\text {-}par},C,H,\mathsf {expk})\) outputs an hashing key \(\mathsf {hk}\) corresponding to \(\mathsf {hp}\), \(\mathsf {crs\text {-}par}\), C, and H.

It must satisfy the same properties as an \(\textsf {SPHF}\) together with the following properties, for any \((\mathsf {crs},\tau ) \mathop {\leftarrow }\limits ^{{}_\$}\mathsf {Setup}(1^\mathfrak {K})\):

• Explainability Correctness. For any \(\mathsf {par}\), any \(C \notin \mathcal {L}_\mathsf {crs\text {-}par}\) and any hash value H, if \((\mathsf {hp},\mathsf {expk}) \mathop {\leftarrow }\limits ^{{}_\$}\mathsf {SimKG}(\mathsf {crs},\tau ,C)\) and \(\mathsf {hk}\mathop {\leftarrow }\limits ^{{}_\$}\mathsf {Explain}(\mathsf {hp},\mathsf {crs\text {-}par},C,H,\mathsf {expk})\), then \(\mathsf {hp}= \mathsf {ProjKG}(\mathsf {hk},\mathsf {crs},C)\) and \(H = \mathsf {Hash}(\mathsf {hk},\mathsf {crs\text {-}par},C)\), with overwhelming probability (over the random tape of \(\mathsf {Explain}\));

• Indistinguishability. As for smoothness, we consider two types of indistinguishability: a GL-EPHF is indistinguishable, if for any \(\mathsf {par}\) and any \(C\notin \mathcal {L}_\mathsf {crs\text {-}par}\), the two following distributions are statistically indistinguishable:

  

KV-EPHF. A KV-EPHF is a GL-EPHF, for which \(\mathsf {ProjKG}\) and \(\mathsf {SimKG}\) does not take as input the word C, and which satisfies the same smoothness as a KV-SPHF, and a stronger indistinguishability property. A KV-EPHF is \(\varepsilon \)-indistinguishable, if for any \(\mathsf {par}\) and any function f from the set of projection keys to \(\mathcal {X}{\setminus }\mathcal {L}_\mathsf {crs\text {-}par}\), the two following distributions are statistically indistinguishable:

3.2 First Construction

This first construction enables to transform any GL-SPHF (or KV-SPHF) satisfying some properties of re-randomization of the hashing key into a GL-EPHF (respectively, a KV-SPHF). These properties are satisfied by any GL-SPHF (or KV-SPHF) built from the generic framework [7], when \(\tau \) contains the discrete logarithms of all elements defining the language, as shown in the full version [2]. We first present the construction for GL-EPHF.

GL-EPHF. Here are the properties we require:

 

(a) :

For any hashing key \(\mathsf {hk}\) and associated projection key \(\mathsf {hp}\), it is possible to draw a random \(\mathsf {hk}'\) corresponding to \(\mathsf {hp}\), such that \(\mathsf {hk}'\) looks like a fresh hashing key (conditioned on the fact that its projection key is \(\mathsf {hp}\)). More precisely, we suppose there exists a randomized algorithm \(\mathsf {InvProjKG}\), which takes as input \(\tau \), a hashing key \(\mathsf {hk}\), \(\mathsf {crs\text {-}par}\), and a word \(C \notin \mathcal {L}_\mathsf {crs\text {-}par}\), and outputs a random hashing key \(\mathsf {hk}'\), satisfying \(\mathsf {ProjKG}(\mathsf {hk}',\mathsf {crs},C) = \mathsf {hp}\). For any \(\mathsf {crs\text {-}par}\), for any \(C \notin \mathcal {L}_\mathsf {crs\text {-}par}\), for any hashing key \(\mathsf {hk}\mathop {\leftarrow }\limits ^{{}_\$}\mathsf {HashKG}(\mathsf {crs})\), the two following distributions are supposed to be statistically indistinguishable:

For GL-SPHFs built from the generic framework [7], if we look at the discrete logarithms of all the group elements defining the language and all the ones in the projection key, hashing keys corresponding to a given projection key \(\mathsf {hp}\) essentially are the solutions of a linear system (the right-hand side of the system corresponds to \(\mathsf {hp}\), while coefficients of the system depend on the language). \(\mathsf {InvProjKG}\) can then output a uniform solution of this linear system.

(b) :

A stronger property than smoothness, called strong smoothness, is required. Informally, it ensures that smoothness holds even when the hashing key is conditioned on any projection key. Formally, a GL-SPHF is strongly smooth if for any \(\mathsf {crs\text {-}par}\), for any \(C \notin \mathcal {L}_\mathsf {crs\text {-}par}\), for any projection key \(\mathsf {hp}\) (generated by \(\mathsf {hk}\mathop {\leftarrow }\limits ^{{}_\$}\mathsf {HashKG}(\mathsf {crs})\) and \(\mathsf {hp}\leftarrow \mathsf {ProjKG}(\mathsf {hk},\mathsf {crs},C)\)), the two following distributions are statistically indistinguishable:

(c) :

There exists a parameter \(\nu \) linear in \(\log \mathfrak {K}\) and a randomness extractor \(\mathsf {Extract}\) with range \(\{0,1\}^\nu \), such that the two following distributions are statistically indistinguishable:

Details on the randomness extractor can be found in the full version [2]. But we can use either a deterministic extractor exists for \(\varPi \), which is possible for many cyclic groups [16], or a probabilistic extractor with an independent random string in the CRS.

 

Then, if the hash values H computed by \(\mathsf {Hash}\) or \(\mathsf {ProjHash}\) are replaced by \(\mathsf {Extract}(H)\), the resulting \(\textsf {SPHF}\) is a GL-EPHF. Indeed, if \(\mathsf {SimKG}(\mathsf {crs},\tau ,C)\) just generates \(\mathsf {hk}\mathop {\leftarrow }\limits ^{{}_\$}\mathsf {HashKG}(\mathsf {crs})\) and \(\mathsf {hp}\leftarrow \mathsf {ProjKG}(\mathsf {hk},\mathsf {crs},C)\), and outputs \(\mathsf {hp}\) and \(\mathsf {expk}= (\tau ,\mathsf {hk})\). Then, \(\mathsf {Explain}(\mathsf {hp},\mathsf {crs\text {-}par},C,H,\mathsf {expk})\) just runs \(\mathsf {hk}' \mathop {\leftarrow }\limits ^{{}_\$}\mathsf {InvProjKG}(\tau ,\mathsf {hk},\mathsf {crs},C)\) many times until it finds \(\mathsf {hk}'\) such that \(\mathsf {Hash}(\mathsf {hk}',\mathsf {crs\text {-}par},C) = H\). It aborts if does not find a valid \(\mathsf {hk}'\) after \(2^\nu \mathfrak {K}\) times. Thanks to the smoothness and the above properties, its abort probability is negligible in the security parameter \(\mathfrak {K}\).⁵ Since \(\nu \) is linear in \(\log \mathfrak {K}\), the resulting algorithm \(\mathsf {Explain}\) runs in polynomial time in \(\mathfrak {K}\). A formal proof can be found in the full version [2].

We observe that \(\nu \) impacts on the running time of \(\mathsf {SimKG}\) which will only be used in the proofs of our \(\textsf {PAKE}\) and \(\textsf {OT}\) protocols (and not in their constructions), so that \(\nu \) only impacts on the tightness of the proofs of the resulting protocols. In all comparisons in this article, we will use \(\nu = 1\), which hinders performances of our scheme; but our schemes are still very efficient. In practice, to gain constant factors, it would be advisable to use a greater \(\nu \), and thus larger blocks. Finally, the range of the \(\textsf {EPHF}\) can be easily extended just by using multiple copies of the \(\textsf {EPHF}\): for a range of \(\nu '\), \(\mathsf {hk}\) becomes a tuple of \(\lceil \nu '/\nu \rceil \) original hashing keys, the same for \(\mathsf {hp}\) and H.

KV-EPHF. In the first generic construction for GL-SPHF, we get a KV-EPHF, if Property (a) and Property (b) hold even if C can depend on \(\mathsf {hp}\). In other words, instead of quantifying on any \(C \notin \mathcal {L}_\mathsf {crs\text {-}par}\), we quantify on any function f from the set of projection keys to \(\mathcal {X}{\setminus }\mathcal {L}_\mathsf {crs\text {-}par}\), and replace C by \(f(\mathsf {hp})\) in the definition (similarly to what is done for the smoothness of KV-SPHF or the indistinguishability of KV-EPHF).

As for GL-EPHF, any KV-SPHF built using the generic framework satisfies these properties and so can be transformed into KV-EPHF, as long as discrete logarithms of all elements in the matrix \(\varGamma \) can be known from \(\tau \).

3.3 Second Construction

We show a more efficient construction for GL-EPHF from any GL-SPHF built using the generic framework in the full version [2]. The idea is to use the algebraic properties of this framework to replace the costly search for \(\mathsf {hk}'\) in \(\mathsf {Explain}\) (which requires \(O(2^\nu )\) guesses) by the computation of a small (less than \(2^\nu \)) discrete logarithm in \(\mathsf {ProjHash}\). This can be done in \(O(2^{\nu /2})\) group operations by \(\mathsf {ProjHash}\), using Pollard’s kangaroo method in [30]. The parameter \(\nu \) can therefore be twice larger in our second construction, which makes it approximately twice more efficient.

4 Semi-adaptive \(\textsf {OT}\) Without Erasures

In this section, we propose a new \(\textsf {OT}\) protocol that is UC-secure against semi-adaptive adversaries, without requiring reliable erasures. The new protocol is very similar to the UC-secure \(\textsf {OT}\) construction in [1], except that the underlying \(\textsf {SPHF}\)-friendly commitment scheme has to be without erasures and the underlying \(\textsf {SPHF}\) has to be explainable. The security proof, which can be found in the full version [2], is however more complex.

4.1 Semi Adaptivity

The semi-adaptive setting has been introduced in [24], for two-party protocols when channels are authenticated: the adversary is not allowed to corrupt any player if the two players were honest at the beginning of the protocol. When channels are not authenticated, as for \(\textsf {PAKE}\), we restrict the adversary not to corrupt a player \(P_i\) if an honest flow has been sent on its behalf, and it has been received by \(P_j\), without being altered.

In addition to those restrictions on the adversary, there are also some restrictions on the simulator and the protocol. First, the simulator has to be setup-preserving, which means, in our case, that it first has to generate the CRS, before simulating the protocol execution. Second, the simulator has to be input-preserving, which means that if the adversary corrupts some user and honestly runs the protocol for some input x, the simulator submits the same input to the functionality. Third, the protocol has to be well-formed, which means that the number of flows and the size of each flow is independent of the input and the random tapes of the users. All these restrictions are clearly satisfied by our simulators and protocols. Formal definitions can be found in [24].

4.2 Oblivious Transfer

The ideal functionality of an Oblivious Transfer (\(\textsf {OT}\)) protocol is depicted in Fig. 1. It is inspired from [18]. In Fig. 2, we describe a 2-round 1-out-of-k \(\textsf {OT}\) for \({\nu _m}\)-bit messages, that is UC-secure against semi-adaptive adversaries. It can be built from any \(\textsf {SPHF}\)-friendly commitment scheme, admitting a GL-EPHF, with range \(\varPi = \{0,1\}^{\nu _m}\), for the language: , where \(\mathsf {crs\text {-}par}= (\mathsf {crs},\mathsf {par})\) and \(\varvec{M} = \mathsf {par}\).

Fig. 1.

Ideal functionality for 1-out-of-k oblivious transfer

In case of corruption of the database (sender) after it has sent its flow, since we are in the semi-adaptive setting, the receiver was already corrupted and thus the index s was known to the simulator. The latter can thus generate “explainable” \(\mathsf {hp}_t\) for all \(t\not =s\), so that when the simulator later learns the messages \(m_t\), it can explain \(\mathsf {hp}_t\) with appropriate \(\mathsf {hk}_t\). Erasures are no longer required, contrarily to [1].

Fig. 2.

UC-secure 1-out-of-k \(\textsf {OT}\) from an \(\textsf {SPHF}\)-friendly commitment for semi-adaptive adversaries

The restriction that \(\varPi \) has to be of the form \(\{0,1\}^{\nu _m}\) is implicit in [1]. Any \(\textsf {SPHF}\) can be transformed to an \(\textsf {SPHF}\) with range \(\varPi \) of the form \(\{0,1\}^{\nu _m}\), using a randomness extractor, as long as the initial range is large enough. However, this is not necessarily the case for \(\textsf {EPHF}\), since the extractor might not be efficiently invertible. That is why we prefer to make this assumption on \(\varPi \) explicit.⁶

5 A New \(\textsf {SPHF}\)-Friendly Commitment Scheme

In this section, we present our new efficient \(\textsf {SPHF}\)-friendly commitment scheme under the plain \(\textsf {DDH} \). Due to lack of space, we only give an overview of the scheme and a comparison with previous \(\textsf {SPHF}\)-friendly commitment schemes. Details are left to the full version [2].

5.1 Scheme

High-Level Intuition. The basic idea of our scheme is a generalization of the schemes in [1, 3, 13, 15]. In these schemes, the commitment of a bit b consists of an equivocable commitment⁷ (also known as trapdoor commitment [22]) a of b together with two ciphertexts \(C_0\) and \(C_1\) (with an \(\textsf {IND-CCA}\) encryption scheme), such that \(C_b\) contains a valid opening \(d_b\) of the commitment a for b, while \(C_{1-b}\) is sampled obliviously.

To extract some commitment C, it is sufficient to know the decryption key of the underlying \(\textsf {IND-CCA}\) encryption scheme and check whether \(C_0\) or \(C_1\) contains a valid opening \(d_0\) or \(d_1\) of a for 0 or 1. To simulate a commitment C, it is sufficient to know a trapdoor enabling to construct a commitment a and two valid openings \(d_0\) and \(d_1\) for both 0 and 1.

The robustness property basically comes from the fact the adversary cannot generate a commitment a and two valid openings \(d_0\) and \(d_1\), without breaking the binding property of the commitment a. Therefore, any commitment C generated by a polynomial-time adversary is perfectly binding.

However, for the resulting commitment to be compatible with \(\textsf {SPHF}\), the underlying primitives (equivocable commitment and \(\textsf {IND-CCA}\) encryption scheme) have to be algebraic. In [3], Abdalla et al. propose to use the Pedersen commitment [31], as the equivocable commitment, together with the Cramer-Shoup [19] encryption scheme. Unfortunately, as the openings of the Pedersen commitments are scalars, they have to be encrypted bit-by-bit for the resulting commitment to be \(\textsf {SPHF}\)-friendly. This makes the commitment size of one bit to be quadratic in the security parameter (or the commitment to contain a linear number of group elements). This issue was solved in [1] by replacing the Pedersen commitment, by the Haralambiev commitment TC4 [26], for which the opening is a group element. However, this was at the expense on relying on bilinear groups (and \(\textsf {SXDH}\)) instead of plain \(\textsf {DDH}\).

More precisely, the Haralambiev commitment of a bit b consists in a group element \(a = g^{r_b} T^b\), with \(r_b\) a random scalar, and g, T two public generators of a cyclic group \(\mathbb {G}\) of prime order p. The opening of a is \(d_b = \hat{h}^{r_b}\) with \(\hat{h}\) another generator of \(\mathbb {G}\). This can be check using a pairing as follows: \(e(a/T^b, \hat{h}) \overset{{}_{?}}{=}e(g, d_b)\).

Pairings are only used to check the validity of an opening, and are only required in the security proof, as the committer needs to reveal \(r_b\) anyway (as it is part of his random tape), and \(r_b\) is sufficient to check the validity of the opening information \(d_b\) of a without pairing.

In our new scheme, we replace the need of a pairing by adding a 2-universal hash [20]. A 2-universal hash proof system can be seen as a designated-verifier one-time-simulation-sound zero-knowledge proof, which basically means that (i) it can only be checked by the simulator which generated the CRS, (ii) the simulator can generate fake or simulated proof for false statement, (ii) and the adversary cannot generate proof for false statement even if it sees one fake proof. Finally, the Cramer-Shoup (\(\textsf {IND-CCA}\)) encryption scheme can be replaced by the ElGamal encryption scheme, as the 2-universal hash provides a form of non-malleability which is sufficient for our purpose⁸. As the construction is no longer black-box, new ideas are required in the proof of security of the scheme.

Our New Scheme. Our new scheme is formally described and proven in the full version [2].

Basically, the setup \(\mathsf {C.SetupT} (1^\mathfrak {K})\) generates a cyclic group \(\mathbb {G}\) of order p, together with four generators g, \(h=g^{x}\), \(\hat{h}=g^{\hat{x}}\), \(T = g^t\), a tuple \((\alpha ,\beta ,\gamma ,\alpha ',\beta ',\gamma ')\leftarrow \mathbb {Z}_p^6\), and H is a random collision-resistant hash function from some family \(\mathcal {H}\). It then computes the tuple \((c = g^{\alpha } \hat{h}^{\gamma }, d = g^{\beta } h^{\gamma }, c' = g^{\alpha '} \hat{h}^{\gamma '}, d' = g^{\beta '} h^{\gamma '})\). The CRS \(\mathsf {crs}\) is set as \((g,h,\hat{h},H,c,d,c',d',T)\) and the trapdoor \(\tau \) is the tuple \((\alpha ,\alpha ',\beta ,\beta ',\gamma ,\gamma ')\) (a.k.a., extraction trapdoor) together with t (a.k.a., equivocation trapdoor) and \((x,\hat{x})\) (only used in the \(\textsf {EPHF}\)).

To commit a vector of bits \(\varvec{M}=(M_i)_i \in \{0,1\}^m\) under a label \(\ell \), for \(i=1,\ldots ,m\), we choose two random scalars \(r_{i,M_i},s_{i,M_i} \mathop {\leftarrow }\limits ^{{}_\$}\mathbb {Z}_p\) and set

$$\begin{aligned} u_{i,M_i}&= g^{s_{i,M_i}}&v_{i,M_i}&= h^{s_{i,M_i}} \hat{h}^{r_{i,M_i}}&w_{i,M_i}&= (c^{r_{i,M_i}} \cdot d^{s_{i,M_i}}) \cdot (c'^{r_{i,M_i}} d'^{s_{i,M_i}})^{\xi } \\ u_{i,\overline{M_i}}&\mathop {\leftarrow }\limits ^{{}_\$}\mathbb {G}&v_{i,\overline{M_i}}&\mathop {\leftarrow }\limits ^{{}_\$}\mathbb {G}&w_{i,\overline{M_i}}&\mathop {\leftarrow }\limits ^{{}_\$}\mathbb {G}, \end{aligned}$$

together with \(a_i \leftarrow g^{r_{i,M_i}} T^{M_i}\), where \(\xi = H(\ell ,(a_{i},(u_{i,b},v_{i,b})_b)_{i})\). The commitment is then \(C = (a_i,(u_{i,b},v_{i,b},w_{i,b})_{b})_i\in \mathbb {G}^{8m}\), while the opening information is the 2m-tuple \(\delta = (r_{i,M_i},s_{i,M_i})_{i}\in \mathbb {Z}_p^{2m}\).

The pair \((u_{i,M_i},v_{i,M_i})\) is the ElGamal encryption of the opening \(d_{i,M_i} = \hat{h}^{r_{i,M_i}}\) of the equivocable commitment \(a_i\), while \(w_{i,M_i}\) is the 2-universal hash proving that \(\log _g a_i/T^{M_i}\), the discrete logarithm in base g of \(a_i\) (i.e., \(r_{i,M_i}\) when generated honestly), is equal to the discrete logarithm in base \(\hat{h}\) of the plaintext \(d_{i,M_i}\).

The equivocation trapdoor t enables to open \(a_i\) to both 0 and 1, and so enables simulating commitments, while the equivocation trapdoor \((\alpha ,\alpha ',\beta ,\beta ',\gamma ,\gamma ')\) is the hashing key for the 2-universal hash proof system, i.e., enables to check the validity of the proof \(w_{i,M_i}\) as follows: \( w_{i,b} \overset{{}_{?}}{=}{(a_i/T^b)}^{\alpha + \xi \alpha '} \cdot u_{i,b}^{\beta + \xi \beta '} \cdot v_{i,b}^{\gamma + \xi \gamma '}. \)

5.2 Complexity and Comparison

Table 1 compares our new schemes with existing non-interactive UC-secure commitments with a single global CRS. Since in most cryptographic schemes relying on \(\textsf {SPHF}\)-friendly commitments, such as the \(\textsf {OT}\) and \(\textsf {PAKE}\) schemes in [1], the most important metrics tend to be the size of the commitments and the size of the projection keys, Table 1 focuses on these parameters. In this context, as Table 1 shows, our new construction is the most efficient \(\textsf {SPHF}\)-friendly commitment scheme (even for KV-SPHF, since group elements in \(\mathbb {G}_2\) are larger than elements in \(\mathbb {G}_1\)) resulting in the most efficient \(\textsf {OT}\) and \(\textsf {PAKE}\) schemes so far (adaptively secure, assuming reliable erasures, under any assumption, with a single global CRS). In addition, since the new commitment scheme is secure under plain \(\textsf {DDH}\), it allows for the construction of the first one-round \(\textsf {PAKE}\) (adaptively secure, assuming reliable erasures) under plain \(\textsf {DDH}\), since the scheme of Abdalla, Chevalier, and Pointcheval [3] does not support KV-SPHF (which is required for one-round \(\textsf {PAKE}\) construction [1]).

Table 1. Comparison with existing non-interactive UC-secure commitments with a single global CRS

6 Adaptive \(\textsf {OT}\) Without Erasures

As explained in [24], one can transform any semi-adaptive protocols into adaptive ones by sending all the flows through secure channels. Such secure channels can be constructed using non-committing encryption (\(\textsf {NCE}\)) [5, 12, 17, 21]. However, even the most efficient instantiation of NCE [17] requires \(8{\nu _\mathsf {NCE}}\mathfrak {K}\) group elements to send \({\nu _\mathsf {NCE}}\) bits securely, with ElGamal encryption scheme as (trapdoor) simulatable encryption scheme. If \({\nu _\mathsf {NCE}}\) is \(\varOmega (\mathfrak {K})\), this can be reduced to about \(320{\nu _\mathsf {NCE}}\) group elements.

In this section, we propose several adaptive versions of our semi-adaptive \(\textsf {OT}\) and \(\textsf {PAKE}\) protocols. Some are optimized for the number of rounds, while others are optimized for the communication complexity. In each case, at least one of our new protocols performs better than existing protocols. Only the high-level intuition is given in this section. Details are given in the full version [2].

First Scheme. A first efficient way to construct a bit (i.e., \({\nu _m}= 1\)) 1-out-of-2 \(\textsf {OT}\) secure against adaptive adversary consists in applying the generic transformation of Garay et al. [24] to our semi-adaptive \(\textsf {OT}\).

This transformation uses the notion of \(\ell \)-somewhat non-committing encryption scheme. This scheme enables to send securely long messages, but which restricts the non-committing property to the following: it is only possible to produce random coins corresponding to \(\ell \) different messages. Then, to get an adaptive \(\textsf {OT}\) from a semi-adaptive \(\textsf {OT}\), it is sufficient to execute the protocol in a 8-somewhat non-committing channel. Indeed, the simulator can send via this channel 8 versions of the transcript of the protocol: depending on which user gets corrupted first and on which were their inputs and outputs. There are two choices of inputs for the sender (the two index queries) and two outputs (the message \(m_s\)), hence four choices in total; and there are four choices of inputs for the receiver (the two messages \(m_0\) and \(m_1\)). Hence the need for 8 versions.

In [24], the authors also show how to extend their bit \(\textsf {OT}\) based on the \(\textsf {DDH}\) version of the static \(\textsf {OT}\) of Peikert et al. [32] to string \(\textsf {OT}\) by repeating the protocol in parallel and adding an equivocable commitment to the index and a zero-knowledge proof to ensure that the sender always uses the same index s. Actually, for both of our instantiations and for the one in [24], we can do better, just by using the same commitment C to s (in our case) or the same CRS (the one obtained by coin tossing) and the same public key of the dual encryption system (in their case). This enables us to get rid off the additional zero-knowledge proof and can also be applied to the QR instantiation in [24]. In addition, the commitment C to s (in our case) or the CRS and the public key (in their case) only needs to be sent in the first somewhat non-committing channel.

Furthermore, if the original semi-adaptive \(\textsf {OT}\) is a 1-out-of-k \(\textsf {OT}\) (with \(k = 2^{{\nu _k}}\)), then we just need to use a \(2^{k+1}\)-somewhat \(\textsf {NCE}\) instead of a 8-somewhat \(\textsf {NCE}\) encrypt (because there are \(2^k\) possible inputs for the sender, and k possible inputs and 2 possible outputs for the receiver, so \(2^k + 2k \le 2^{k+1}\) possible versions for the transcript).

Finally, the combination of all the above remarks yields a \({\nu _m}\)-bit string 1-out-of-k \(\textsf {OT}\) scheme requiring only \({\nu _m}\) \(2^{k+1}\)-somewhat \(\textsf {NCE}\) channels, and so only \({\nu _m}(k+1)\) bits sent through \(\textsf {NCE}\).

Second Scheme. Our second scheme can be significantly more efficient than our first one, for several parameter choices. Essentially, it consists in using \(\textsf {NCE}\) channels to send \(k {\nu _m}\) random bits to mask the messages (in case the sender is corrupted first) and \(2 {\nu _k}\) random bits to enable the simulator to make the commitment binding to the index s (in case the receiver gets corrupted first). Methods used for this second part are specific to our new \(\textsf {SPHF}\)-friendly commitment scheme, but can also be applied to the commitment scheme in [1].

The scheme is depicted in Fig. 3. Our 1-out-of-k \(\textsf {OT}\) protocol uses a \(\textsf {NCE}\) channel of \({\nu _\mathsf {NCE}}= 2{\nu _k}+ k {\nu _m}\) bits, where \(k = 2^{{\nu _k}}\), for \({\nu _m}\)-bit strings. This channel is used to send a random value \(R\). The last \(k {\nu _m}\) bits of \(R\) are k \({\nu _m}\)-bit values \(R_1,\dots ,R_k\). These values are used to mask the messages \(m_1,\dots ,m_k\) sent by the sender, to be able to reveal the correct messages, in case of corruption of the sender (when both the sender and the receiver were honest at the beginning, and so when \(m_1,\dots ,m_k\) were completely unknown to the simulator).

Fig. 3.

UC-secure 1-out-of-k \(\textsf {OT}\) from our \(\textsf {SPHF}\)-friendly commitment for adaptive adversaries

The first \(2{\nu _k}\) bits of \(R\) are used to make the commitment C (which is normally simulated when the receiver is honest) perfectly binding to the revealed index s, in case of corruption of the receiver (when both the sender and the receiver were honest at the beginning, and so when s was completely unknown to the simulator). More precisely, they are used to partially hide the last component of commitments: the \(w_{i,b}\); the bit \(R_{2i+b-1}\) indicates whether \(w_{i,b}\) has to be inverted or not before use. The full security proof is given in the full version [2].

Remark 1

Though the new protocol uses our new commitment scheme, it could alternatively use the commitment scheme in [1], by just replacing \(w_{i,b}\) by the last part of the Cramer-Shoup ciphertexts in these schemes. The proof would be very similar. This replacement may yield a more efficient scheme (under \(\textsf {SXDH}\) however) when \({\nu _m}\) is large, since the projection key in [1] is shorter than for our scheme and multiple projection keys need to be sent due to the generic transformation of \(\textsf {SPHF}\) to \(\textsf {EPH}\).

Comparison. In Table 2, we give a detailed comparison of our \(\textsf {OT}\) schemes with the \(\textsf {DDH}\)-based \(\textsf {OT}\) in [24]. The \(\textsf {QR}\)-based one in less efficient anyway. We see that, for every parameters \({\nu _m}\) and k, at least one of our two schemes (if not both) is the most efficient scheme regarding both the number of rounds and the communication complexity.

The exact communication complexity cost depends on the exact instantiation of \(\textsf {NCE}\). But in all cases, at least one of our schemes outperforms existing schemes both in terms of number of bits sent via a \(\textsf {NCE}\) channel, and in terms of auxiliary elements (elements which are not directly used by the \(\textsf {NCE}\) scheme). In addition, our second scheme always uses the smallest number of auxiliary elements; and it requires \(k {\nu _m}+ 2{\nu _k}\) bits to be sent via a \(\textsf {NCE}\) channel, which is not worse than the \((k+1){\nu _m}\) bits required by our first scheme, as long as \({\nu _m}\ge 2 {\nu _k}\).

Table 2. Comparison of 1-out-of-k \(\textsf {OT}\) UC-secure against adaptive adversaries, without erasures, with \(k=2^{{\nu _k}}\)

Here are some details on the comparison. We suppose we use the \(\textsf {NCE}\) scheme proposed in [17] (which is 2-round) and the ElGamal encryption as simulation encryption scheme for the \(\textsf {NCE}\) scheme and the somewhat \(\textsf {NCE}\) construction (which also requires a simulation encryption scheme). So all our schemes are secure under \(\textsf {DDH}\) (plus existence of collision resistant hash functions and symmetric key encryption, but only for efficiency, since \(\textsf {DDH}\) implies that also).

In the comparison, we extend the schemes in [24] to 1-out-of-k schemes using the method explained in Sect. 6 and the 1-out-of-k version of the schemes of Peikert et al. [32], which consists in doing \({\nu _k}\) schemes in parallel and secret sharing the messages (where \(k = 2^{{\nu _k}}\)).

To understand the costs in the table, recall that a \(2^l\)-somewhat non-committing encryption scheme works as follows: one player sends a l-bit value I using a full \(\textsf {NCE}\) scheme (2 rounds) together with \(2^l\) public keys all samples obviously except the \(I^{\text {th}}\) one, and then the other player sends \(2^l\) ciphertexts samples obliviously except the \(I^{\text {th}}\) one which contains a symmetric key K. Then to send any message through this \(2^l\)-somewhat \(\textsf {NCE}\) channel, a player just sends 8 messages all random except the \(I^{\text {th}}\) one which is an encryption of the actual message under K. This means that if the original semi-adaptive protocol is x-round, then the protocol resulting from the transformation of Garay et al., is \((x+2)\)-round; and this costs a total of \(3\cdot 2^l\) group elements, in addition of the group elements for the l-bit non-committing encryption.