Fast Cut-and-Choose-Based Protocols for Malicious and Covert Adversaries

Lindell, Yehuda

doi:10.1007/s00145-015-9198-0

Fast Cut-and-Choose-Based Protocols for Malicious and Covert Adversaries

Published: 28 February 2015

Volume 29, pages 456–490, (2016)
Cite this article

Download PDF

Journal of Cryptology Aims and scope Submit manuscript

Fast Cut-and-Choose-Based Protocols for Malicious and Covert Adversaries

Download PDF

Yehuda Lindell¹

1770 Accesses
38 Citations
1 Altmetric
Explore all metrics

Abstract

In the setting of secure two-party computation, two parties wish to securely compute a joint function of their private inputs, while revealing only the output. One of the primary techniques for achieving efficient secure two-party computation is that of Yao’s garbled circuits (FOCS 1986). In the semi-honest model, where just one garbled circuit is constructed and evaluated, Yao’s protocol has proven itself to be very efficient. However, a malicious adversary who constructs the garbled circuit may construct a garbling of a different circuit computing a different function, and this cannot be detected (due to the garbling). In order to solve this problem, many circuits are sent and some of them are opened to check that they are correct while the others are evaluated. This methodology, called cut-and-choose, introduces significant overhead, both in computation and in communication, and is mainly due to the number of circuits that must be used in order to prevent cheating. In this paper, we present a cut-and-choose protocol for secure computation based on garbled circuits, with security in the presence of malicious adversaries, that vastly improves on all previous protocols of this type. Concretely, for a cheating probability of at most $2^{-40}$, the best previous works send between 125 and 128 circuits. In contrast, in our protocol 40 circuits alone suffice (with some additional overhead). Asymptotically, we achieve a cheating probability of $2^{-s}$ where $s$ is the number of garbled circuits, in contrast to the previous best of $2^{-0.32s}$. We achieve this by introducing a new cut-and-choose methodology with the property that in order to cheat, all of the evaluated circuits must be incorrect, and not just the majority as in previous works. The security of our protocol relies on the decisional Diffie–Hellman assumption.

On the Size of Pairing-Based Non-interactive Arguments

Efficient Redactable Signature and Application to Anonymous Credentials

EasyCrypt: A Tutorial

1 Introduction

Background

Protocols for secure two-party computation enable a pair of parties $P_1$ and $P_2$ with private inputs $x$ and $y$, respectively, to compute a function $f$ of their inputs while preserving a number of security properties. The most central of these properties are privacy (meaning that the parties learn the output $f(x,y)$ but nothing else), correctness (meaning that the output received is indeed $f(x,y)$ and not something else) and independence of inputs (meaning that neither party can choose its input as a function of the other party’s input). The standard way of formalizing these security properties is to compare the output of a real protocol execution to an “ideal execution” in which the parties send their inputs to an incorruptible trusted party who computes the output for the parties. Informally speaking, a protocol is then secure if no real adversary attacking the real protocol can do more harm than an ideal adversary (or simulator) who interacts in the ideal model [2, 4, 11–13, 26]. An important parameter when considering this problem relates to the power of the adversary. Three important models are the semi-honest model (where the adversary follows the protocol specification exactly but tries to learn more than it should by inspecting the protocol transcript), the malicious model (where the adversary can follow any arbitrary polynomial-time strategy) and the covert model (where the adversary may behave maliciously but is guaranteed to be caught with probability $\epsilon $ if it does [1]).

Efficient Secure Computation and Yao’s Garbled Circuits

The problem of efficient secure computation has recently gained much interest. There are now a wide variety of protocols, achieving great efficiency in a variety of settings. These include protocols that require exponentiations for every gate in the circuit [19, 30] (these can be reasonable for small circuits but not large ones with tens or hundreds of thousands of gates), protocols that use the “cut-and-choose” technique on garbled circuits [23, 24, 27, 31], and more [3, 6, 7, 17, 18, 21, 28, 29]. The recent protocols of [7, 28] have very fast online running time. However, for the case of Boolean circuits and when counting the entire running time (and not just the online time), the method of cut-and-choose on garbled circuits is still the most efficient way of achieving security in the presence of covert and malicious adversaries.

Protocols for cut-and-choose on garbled circuits [23, 24, 27, 31] all work in the following way. Party $P_1$ constructs a large number of garbled circuits and sends them to party $P_2$. Party $P_2$ then chooses a subset of the circuits which are opened and checked. If all of these circuits are correct, then the remaining circuits are evaluated as in Yao’s protocol [32] (see [22] for details), and $P_2$ takes the majority output value as the output. The cut-and-choose approach forces $P_1$ to garble the correct circuit, since otherwise it will be caught cheating. However, it is important to note that even if all of the opened circuits are correct, it is not guaranteed that all of the unopened circuits are correct. This is due to the fact that if there are only a small number of incorrect circuits, then with reasonable probability these may not be chosen to be opened. For this reason, it is critical that $P_2$ outputs the majority output, since the probability that a majority of unopened circuits are incorrect when all opened circuits are correct is exponentially small in the number of circuits. We stress that it is not possible for $P_2$ to abort in case it receives different outputs in different circuits, even though in such a case it knows that $P_1$ cheated, because this opens the door to the following attack. A malicious $P_1$ can construct a single incorrect circuit that computes the following function: If the first bit of $P_2$’s input equals 0, then output random garbage, else compute the correct function. Now, if this circuit is not opened (which happens with probability $1/2$) and if the first bit of $P_2$’s input equals 0, then $P_2$ will receive a different output in this circuit and in the others. In contrast, if the first bit of $P_2$’s input equals 1, then it always receives the same output in all circuits. Thus, if the protocol instructs $P_2$ to abort if it receives different outputs, then $P_1$ will learn the first bit of $P_2$’s input (based on whether or not $P_2$ aborts). By having $P_2$ taken the majority value as output, $P_1$ can only cheat if the majority of the unopened circuits are incorrect, while all the opened ones are correct. In [24], it was shown that when $s$ circuits are sent and half of them are opened, the probability that $P_1$ can cheat is at most $2^{-0.311s}$. Thus, concretely, in order to obtain an error probability of $2^{-40}$, it is necessary to set $s=128$ and so use 128 circuits, which means that the approximate cost of achieving security in the presence of malicious adversaries is 128 times the cost of achieving security in the presence of semi-honest adversaries. In [31], it was shown that by opening and checking 60 % of the circuits instead of 50 %, the error becomes $2^{-0.32s}$ which means that it suffices to send 125 circuits in order to obtain a concrete error of $2^{-40}$. When the circuits are large, this means a little less bandwidth. However, as we describe in “Appendix 3,” this also results in more work and so is not necessarily better and may depend on the exact system setup. In [31], it was shown that checking 60 % of the circuits is optimal for the cut-and-choose method as used until that time (i.e., checking a percentage of the circuits and taking the majority result from the rest). In this paper, we present an alternative cut-and-choose method that achieves far better parameters.

Our Results

In this paper, we present a novel twist on the cut-and-choose strategy used in [23, 24, 27, 31] that enables us to achieve an error of just $2^{-s}$ with $s$ circuits (and some small additional overhead). Concretely, this means that just 40 circuits are needed for error $2^{-40}$. Our protocol is therefore much more efficient than previous protocols (there is some small additional overhead, but this is greatly outweighed by the savings in the garbled circuits themselves unless the circuit being computed is small). We stress that the bottleneck in protocols of this type is the computation and communication of the $s$ garbled circuits. This has been demonstrated in implementations. In [10], the cost of the circuit communication and computation for secure AES computation is approximately 80 % of the work. Likewise in [20, Table 7] regarding secure AES computation, the bandwidth due to the circuits was 83 % of all bandwidth, and the time was over 50 % of the time. On large circuits, as in the edit distance, this is even more significant with the circuit generation and evaluation taking 99.999 % of the time [20, Table 9]. Thus, the reduction of this portion of the computation to a third of the cost is of great significance.

We present a high-level outline of our new technique in Sect. 2. For now, we remark that the cut-and-choose technique on Yao’s garbled circuits introduces a number of challenges. For example, since the parties evaluate numerous circuits, it is necessary to enforce that the parties use the same input in all circuit computations. In addition, a selective input attack whereby $P_1$ provides correct garbled inputs only for a subset of the possible inputs of $P_2$ must be prevented (since otherwise $P_2$ will abort if its input is not in the subset because it cannot compute any circuit in this case, and thus, $P_1$ will learn something about $P_2$’s input based on whether or not it aborts). There are a number of different solutions to these problems that have been presented in [10, 23, 24, 27, 31]. The full protocol that we present here is based on the protocol of [24]. However, these solutions are rather “modular” (although this is meant in an informal sense) and can also be applied to our new technique; this is discussed at the end of Sect. 2. Understanding which technique is best will require implementation since they introduce tradeoffs that are not easily comparable. We leave this for future work and focus on the main point of this work which is that it is possible to achieve error $2^{-s}$ with just $s$ circuits. In Sect. 3.1, we present an exact efficiency count of our protocol and compare it to [24].

Covert Adversaries

Although not always explicitly proven, the known protocols for cut-and-choose on garbled circuits achieve covert security where the deterrent probability $\epsilon $ that the adversary is caught cheating equals 1 minus the statistical error of the protocol. That is, the protocol of [24] yields covert security of $\epsilon =1-2^{-0.311s}$ (actually, a little better), and the protocol of [31] yields covert security with $\epsilon =1-2^{-0.32s}$. Our protocol achieves covert security with deterrent $\epsilon =1-2^{-s+1}$ (i.e., the error is $2^{-s+1}$), which is far more efficient than all previous work. Specifically, in order to obtain $\epsilon =0.99$, the number of circuits needed in [24] is 24. In contrast, with our protocol, it suffices to use 8 circuits. Furthermore, with just 11 circuits, we achieve $\epsilon =0.999$, which is a very good deterrent. We note that $s$ circuits do not suffice for obtaining $\epsilon =1-2^{-s}$ deterrent, since the case that no circuits are computed (i.e., all are chosen to be checked) needs to be taken into account for small $s$.

Concurrent Work

In independent, concurrent work, Huang et al. [15] presented a different method for reducing the number of garbled circuits. In their protocol, both parties generate $s$ circuits and send them to each other. Thus, the overall number of circuits sent in their protocol is double that of ours. However, in a single-execution setting, the latency is likely to be similar.

2 The New Technique and Protocol Outline

The idea behind our new cut-and-choose strategy is to design a protocol with the property that the party who constructs the circuits ($P_1$) can cheat if and only if all of the opened circuits are correct and all of the evaluated circuits are incorrect. Recall that in previous protocols, if the circuit evaluator ($P_2$) aborts if the evaluated circuits do not all give the same output, then this can reveal information about $P_2$’s input to $P_1$. This results in an absurd situation: $P_2$ knows that $P_1$ is cheating but cannot do anything about it. In our protocol, we run an additional small secure computation after the cut-and-choose phase so that if $P_2$ catches $P_1$ cheating (namely, if $P_2$ receives inconsistent outputs), then in the second secure computation it learns $P_1$’s full input $x$. This enables $P_2$ to locally compute the correct output $f(x,y)$ once again. Thus, it is no longer necessary for $P_2$ to take the majority output. Details follow.

Phase 1—first cut-and-choose:

Parties $P_1$ (with input $x$) and $P_2$ (with input $y$) essentially run a protocol based on cut-and-choose of garbled circuits that is secure for malicious adversaries (like [24] or [31]). $P_1$ constructs just $s$ circuits (for error $2^{-s}$), and the strategy for choosing check or evaluation circuits is such that each circuit is independently chosen as a check or evaluation circuit with probability $1/2$ (unlike all previous protocols where a fixed number of circuits are checked).
If all of the circuits successfully evaluated by $P_2$ give the same output $z$, then $P_2$ locally stores $z$. Otherwise, $P_2$ stores a “proof” that it received two inconsistent output values in two different circuits. Such a proof could be having a garbled value associated with 0 on an output wire in one circuit, and a garbled value associated with 1 on the same output wire in a different circuit. (This is a proof since if $P_2$ obtains a single consistent output then the garbled values it receives on an output wire in different circuits are all associated with the same bit.)

Phase 2—secure evaluation of cheating: $P_1$ and $P_2$ run a protocol that is secure for malicious adversaries with error $2^{-s}$ (e.g., they use the protocol of [24, 31] with approximately $3s$ circuits), in order to compute the following:

$P_1$ inputs the same input $x$ as in the computation of phase 1 (and proves this).
$P_2$ inputs random values if it received a single output $z$ in phase 1, and inputs the proof of inconsistent output values otherwise.
If $P_2$’s input is a valid proof of inconsistent output values, then $P_2$ receives $P_1$’s input $x$; otherwise, it receives nothing.

If this secure computation terminates with abort, then the parties abort.

Output Determination If $P_2$ received a single output $z$ in phase 1, then it outputs $z$ and halts. Otherwise, if it received inconsistent outputs, then it received $x$ in phase 2. $P_2$ locally computes $z=f(x,y)$ and outputs it. We stress that $P_2$ does not provide any indication as to whether $z$ was received from phase 1 or locally computed.

Security

The argument for the security of the protocol is as follows. Consider first the case that $P_1$ is corrupted and so may not construct the garbled circuits correctly. If all of the check circuits are correct and all of the evaluation circuits are incorrect, then $P_2$ may receive the same incorrect output in phase 1 and will therefore output it. However, this can only happen if each incorrect circuit is an evaluation circuit and each correct circuit is a check circuit. Since each circuit is an evaluation or check circuit with probability exactly $1/2$, this happens with probability exactly $2^{-s}$. Next, if all of the evaluation circuits (that yield valid output) are correct, then the correct output will be obtained by $P_2$. This leaves the case that there are two different evaluation circuits that give two different outputs. However, in such a case, $P_2$ will obtain the required “proof of cheating” and so will learn $x$ in the 2nd phase, thereby enabling it to still output the correct value. Since $P_1$ cannot determine which case yielded output for $P_2$, this can be easily simulated.

Next consider the case that $P_2$ is corrupted. In this case, the only way that $P_2$ can cheat is if it can provide output in the second phase that enables it to receive $x$. However, since $P_1$ constructs the circuits correctly, $P_2$ will not obtain inconsistent outputs and so will not be able to provide such a “proof”. (We remark that the number of circuits $s$ sent is used for the case that $P_1$ is corrupted; for the case that $P_2$ is corrupted, a single circuit would actually suffice. Thus, there is no need to justify the use of fewer circuits than in previous protocols for this corruption case.)

Implementing Phase 2

The main challenge in designing the protocol is phase 2. As we have hinted, we will use the knowledge of two different garbled values for a single output wire as a “proof” that $P_2$ received inconsistent outputs. However, it is also necessary to make sure that $P_1$ uses the same input in phase 1 and in phase 2; otherwise, it could use $x$ or $x'$, respectively, and then learn whether $P_2$ received output via phase 1 or 2. The important observation is that all known protocols already have a mechanism for ensuring that $P_1$ uses the same input in all computed circuits. This same mechanism can be used for the circuits in phase 1 and 2, since it does not depend on the circuits being computed being the same.

Another issue that arises is the efficiency of the computation in phase 2. In order to make the circuit for phase 2 small, it is necessary to construct all of the output wires in all the circuits of phase 1, so that they have the same garbled values on the output wires. This in turn makes it necessary to open and check the circuits only after phase 2 (since opening a circuit to check, it reveals both garbled values on an output wire which means that this knowledge can no longer be a proof that $P_1$ cheated). Thus, the structure of the actual protocol is more complex than previous protocols; however, this relates only to its description and not efficiency.

We remark that we use the method of [24] in order to prove the consistency of $P_1$’s input in the different circuits and between phase 1 and phase 2. However, we believe that the methods used in [27, 31], for example, would also work, but have not proven this.

3 The Protocol

Preliminaries: Modified Batch Single-Choice Cut-and-Choose OT

The cut-and-choose OT primitive was introduced in [24]. Intuitively, a cut-and-choose OT is a series of 1-out-of-2 oblivious transfers with the special property that in some of the transfers, the receiver obtains a single value (as in regular oblivious transfer), while in the others the receiver obtains both values. In the context of cut-and-choose on Yao’s garbled circuits, the functionality is used for the receiver to obtain all garbled input values in the circuits that it wishes to open and check, and to obtain only the garbled input values associated with its input on the circuits to be evaluated.

In [24], the functionality defined is such that the receiver obtains both values in exactly half of the transfers; this is because in [24] exactly half of the circuits are opened. In this work, we modify the functionality so that the receiver can choose at its own will in which transfers it receives just one value and in which it receives both. We do this since we want $P_2$ to check each circuit with probability exactly $1/2$, independently of all other circuits. This yields an error of $2^{-s}$ instead of $\left( \begin{array}{c} s\\ s/2 \end{array}\right) ^{-1}$, which is smaller (this is especially significant in the setting of covert adversaries; see Sect. 5).

This modification introduces a problem since at a later stage in the protocol the receiver needs to prove to the sender for which transfers it received both values and for which it received only one. If it is known that the receiver obtains both values in exactly half of the transfers, or for any other known number, then the receiver can just send both values in these transfers (assuming that they are otherwise unknown, as is the case in the Yao circuit use of the functionality), and the sender knows that the receiver did not obtain both values in all others; this is what is done in [24]. However, here the receiver can obtain both values in an unknown number of transfers, as it desires. We therefore need to introduce a mechanism enabling the receiver to prove to the sender in which transfers it did not receive both values, in a way that it cannot cheat. We solve this by having the sender input $s$ random “check” values and having the receiver obtain such a value in every transfer for which it receives a single value only. Thus, at a later time, the receiver can send the appropriate check values, and this constitutes a proof that it did not receive both values in these transfers. See Functionality 3.1, and Sect. 6 for the construction and details.

Encoded Translation Tables

We modify the output translation tables typically used in Yao’s garbled circuits as follows. Let $k_i^0,k_i^1$ be the garbled values on wire $i$, which is an output wire, and let $H$ be a collision-resistant hash function. Then, the encoded output translation table for this wire is simply $\left[ H(k_i^0),H(k_i^1)\right] $. We require that $k_i^0\ne k_i^1$ and if this does not hold (which will be evident since then $H(k_i^0) = H(k_i^1)$), $P_2$ will automatically abort.

Observe that given a garbled value $k$, it is possible to determine whether $k$ is the 0 or 1 key (or possibly neither) by just computing $H(k)$ and seeing whether it equals the first or second value in the pair, or neither. However, given the encoded translation table, it is not feasible to find the actual garbled values, since this is equivalent to inverting the one-way function. This is needed in our protocol, as we will see below. We remark that both $k_i^0,k_i^1$ are revealed by the end of the protocol, and only need to remain secret until Step 7 has concluded (see the protocol below). Thus, they can be relatively short values (in practice, 80 bits should be well long enough).

We require that $H$ be collision resistant, since otherwise $P_1$ who constructs the circuit is not bounded by the values there. This can cause an issue since there may now be multiple values that are consistent with the encoded translation tables, and different values may be used in the actual garbled circuits constructed in phase 1, and in the circuits used to prevent cheating in phase 2 (this would cause a situation where $P_2$ will not learn $P_1$’s input $x$ even if it obtained inconsistent output values in phase 1).

^{Footnote 1}

The Circuit for Step 7

A naive circuit for computing the function in Step 7 can be quite large. Specifically, to compare two $n$ bit strings require $2n$ XORs followed by $2n$ ORs; if the output is 0, then the strings are equal. This has to be repeated $m$ times, once for every $i$, and then, the results have to be ORed. The result of all of the ORs is then ORed with $x$. Thus, there are $2mn+m+1$ non-XOR gates. Assuming $n$ is of size 80 (e.g., which suffices for the output values) and $m$ is of size 128, this requires $20,481$ non-XOR gates, which is very large. An alternative is therefore to compute the following garbled circuit:

1.
For every $i=1,\ldots ,m$,
1. (a)
  Compare $b_0\Vert b_1$ to $b_i^0\Vert b_i^1$ (where ‘$\Vert $’ denotes concatenation) by XORing bit-by-bit and take the NOT of each bit. This is done as in a regular garbled circuit; by combining the NOT together with the XOR, this has the same cost as a single XOR gate.
2. (b)
  Compute the $2n$-wise AND of the bits from above. Instead of using $2n-1$ Boolean AND gates, this can be achieved by encrypting the 1-key on the output wire under all $n$ keys (together with redundancy so that the circuit evaluator can know if it received the correct value).
2.
Compute the OR of the $m$ bits resulting from the above loop. Instead of using $m-1$ Boolean OR gates, this can be achieved by simply setting the 1-key on all of the output wires from the $n$-wise ANDs above to be the 1-key on the output wire of the OR. This ensures that as soon as the 1-key is received from an $n$-wise AND, the 1-key is received from the OR, as required. (This reveals for which $i$ the result of the $n$-wise AND was 1. However, this is fine in this specific case since $P_2$ knows exactly where equality should be obtained.)
3.
Compute the AND of the output from the previous step with all of the input bits of $P_1$. This requires $\ell $ Boolean AND gates.
4.
The output wires include the output of the OR (so that $P_2$ can know if it received $x$ or nothing), together with the output of all of the ANDs with the input bits of $P_1$.

Observe that although the above circuit is very small, $P_2$’s input size is $2n$ and this is quite large. Since the input size has a significant effect on the cost of the protocol (especially when using cut-and-choose oblivious transfer), it would be desirable to reduce this. This can be achieved by first having $P_2$ input $b_0\oplus b_1$ instead of $b_0\Vert b_1$, reducing the input length to $n$ (this is sound since if $P_2$ does not have both keys on any output wire then it cannot know their XOR). Furthermore, in order to obtain a cheating probability of $2^{-40}$ it suffices for the circuit to check only the first 40 bits of $b_0\oplus b_1$. (Note that $b_0^i$ and $b_1^i$ have to be longer since $H(b_i^0),H(b_i^1)$ are published; nevertheless, only 40 bits need to be included in the circuit. When using this optimization, the length of $b_0^i,b_1^i$ can be 128 bits and not 80, which is preferable.) Finally, by choosing all of the $b_i^0,b_i^1$ values so that they have the same fixed XOR (i.e., for some $\Delta $, it holds that for all $i$, $b_i^0\oplus b_i^1 = \Delta $, as in the free XOR technique), the size of the circuit is further reduced. In this case, an additional check has to be introduced, which is to check that there exists a single $\Delta $ such that $b_i^0 \oplus b_i^1 = \Delta $ for all $i=1,\ldots ,m$ (in the check phase, the output translation tables are already checked, so the additional step here is to just check that the XOR is all fine). This optimization requires that we assume that the hash function is correlation robust [16] with such correlated inputs (i.e., these look random); clearly, this holds in the random oracle model. This significantly reduces the bandwidth.

The Final Optimization

The actual secure computation of the above optimized circuit can be carried out simply and efficiently, as follows. Let $k_0,k_1$ be random garbled values. Then, assuming $\Delta $ is of length $s$, choose $s$ random values $k_1^1,\ldots ,k_1^s$ under the constraint that $\oplus _{i=1}^s k_1^i = k_1$. Next, in the cut-and-choose oblivious transfer for $P_2$’s inputs, $P_1$ defines the $i$th input pair to be $(x^i_0,x^i_1)$ where $x_{\Delta _i}^i = k_1^i$ and $x_{1-\Delta _i}$ is random (we denote $\Delta =\Delta _1,\ldots ,\Delta _s$). In addition, to the above, $k_0$ is sent in the clear. Observe that if $P_2$ knows $\Delta $ and inputs $\Delta _1,\ldots ,\Delta _s$ to the oblivious transfer, then it will receive for output $k_1^1,\ldots ,k_1^s$ and can compute $k_1=\oplus _{i=1}^s k_1^i$. However, if even one bit input to $P_2$ is not correct, then $k_1$ will be completely hidden. (Observe that this is actually a secure comparison to see whether both $P_1$ and $P_2$ know $\Delta $ [9].) This replaces steps (1) and (2) above, and the AND with $P_1$’s input bits is carried out with a single wire that has 0-value $k_0$ and 1-value $k_1$. Thus, if $P_2$ obtained $k_1$, it will be able to learn $P_1$’s input $x$; otherwise, it will learn nothing.^{Footnote 2}

See “Appendix 1” for graphic depictions of the above circuits and computations.

Cost

In the final optimized computation, the number of garbled gates is just $\ell $ binary AND gates, and the number of oblivious transfers is just $s$. Assuming $\ell =128$ (e.g., as in the secure AES example), we have that there are only $128$ non-XOR gates. When using 128 circuits as in our instantiation of Step 7 via [24], this comes to 16,384 garbled gates overall, which is significant but not too large. We stress that the size of this circuit is independent of the size of the circuit for the function $f$ to be computed. Thus, this becomes less significant as the circuit becomes larger. On the other hand, for very small circuits or when the input size is large relative to the overall circuit size, our approach will not be competitive. To be exact, assume a garbled circuit approach that requires $3s$ circuits. If $3s|C| < s|C|+3s\cdot \ell $, then our protocol will be slower (since the cost of our protocol is $s|C|$ for the main computation plus $3s\ell $ for the circuit of Step 7, in contrast to $3s|C|$ for the other protocol). This implies that our protocol will be faster as long as $|C|>\frac{3\ell }{2}$. Concretely, if $\ell =128$ and $s=40$, it follows that our protocol will be faster as long as $|C|>192$. Thus, our protocol is much faster, except for the case of very small circuits.

3.1 A Detailed Efficiency Count and Comparison

In this section, we provide an exact efficiency count of our protocol. This will enable an exact comparison of our protocol to previous and future works, as long as they also provide an exact efficiency count. We stress that implementations and empirical comparisons are also necessary to obtain a full picture, due to additional factors such as memory, parallelism and so on.

We count exponentiations, symmetric encryptions and bandwidth. We let $n$ denote the length of a symmetric encryption, and an arbitrary string of length of the security parameter (e.g., $\chi _j$). The cost of Step 2 (cut-and-choose oblivious transfer) is taken from the exact count provided in Sect. 6.4. The counts in Table 1 are for the overall number of operations for both parties $P_1$ and $P_2$.

Table 1 A Detailed Efficiency Count of Protocol 3.1

Full size table

The number of symmetric encryptions is counted as follows: Each circuit requires $8|C|$ symmetric encryptions to construct (counting $|C|$ as the number of non-XOR gates when using free XOR), $48|$ symmetric encryption to check and $2|C|$ encryptions to evaluate (using standard double encryption, each entry in a garbled gate requires 2 encryptions). Since approximately half of the circuits are checked and half are evaluated, the garbling, checking and evaluation of the main garbled circuit account for approximately $s\cdot 8|C|+\frac{s}{2}\cdot 8|C|+\frac{s}{2}\cdot 2|C|= 13s|C|$ symmetric encryptions. The garbled circuit used in Step 7 has $\ell $ non-XOR gates, and so, the same analysis applies on this size. However, the number of circuits sent in this step is $3s$, and thus, we obtain an additional $3 \times 13\cdot s\cdot \ell =39s\ell $.

The bandwidth count for Step 7 is computed based on the counts provided in [24], using $3s$ circuits. The cost of the exponentiations is based on the fact that in [24], if $P_1$ has input of length $\ell _1$ and $P_2$ has input of length $\ell _2$, and $s'$ circuits are used, then there are $3.5s'\ell _1+10.5s'\ell _2$ fixed-base exponentiations and $s'\ell _2$ regular exponentiations. However, $0.5s'\ell _1$ of the fixed-base exponentiations are for the proof of consistency and these are counted in Step 9 instead. Now, in Step 7, $P_1$’s input length is $\ell $ (it is the same $x$ as for the entire protocol) and $P_2$’s input is comprised of two garbled values for the output wires. Since these must remain secret for only a short amount of time, it is possible to take 80-bit values only and so $P_2$’s input length is 160 bits (this is irrespective of $P_2$’s input length to the function $f$). Taking $s'=3s$ and plugging these lengths into the above, we obtain the count appearing in the table.

The proof of consistency of $P_1$’s input is carried out $\ell $ times (once for each bit of $P_1$’s input) and over $s+3s=4s$ circuits (since there are $s$ circuits for the main computation of $C$, plus another $3s$ circuits for the computation in Step 7). By the count in [24], this proof therefore costs $\frac{4s\ell }{2} + 18\ell $ exponentiations, and bandwidth of 10 group elements and another $8s\ell $ short strings (this can therefore be counted as $2s\ell n$).

A Comparison to [24] In order to get a concrete understanding of the efficiency improvement, we will compare the cost to [24] for the AES circuit of size 6,800 gates [33], and input and output sizes of 128; see Table 2. Now, as we have mentioned, the overall cost of the protocol of [24] is $3.5s'\ell _1+10.5s\ell _2$ fixed-base exponentiations, $s'\ell _2$ regular exponentiations and $13s'|C|$ symmetric encryptions. In this case, $\ell _1=\ell _2=128$, $s'=125$ ($s'=125$ was shown to suffice for $2^{-40}$ security in [20]), and so we have that the cost is 224,000 fixed-base exponentiations, 32,000 regular exponentiations and $1625|C|=11{,}050{,}000$ symmetric encryptions. In contrast, taking $\ell =128$ and $s=40$, we obtain here 309,120 fixed-base exponentiations, $37{,}120$ regular exponentiations and 3,749,600 symmetric encryptions. In addition, the bandwidth of [24] is approximately $112{,}000$ group elements and 3,400,000 symmetric ciphertexts. At the minimal cost of 220 bits per group element (e.g., using point compression) and 128 bits per ciphertext, we have that this would come to approximately 449,640,000 bits, or close to half a gigabyte (in practice, it would be significantly larger due to communication overheads). In contrast, the bandwidth of our protocol for this circuit would be 133,120 group elements and 1,159,680 ciphertexts. With the same parameters as above, this would be approximately 177,725,440 bits, which is under 40 % of the cost of [24]. This is very significant since bandwidth is turning out to be the bottleneck in many cases. We stress that in larger circuits, the difference would be even more striking.

Table 2 Comparison of protocols for secure computation of AES

Full size table

4 Proof of Security

We prove security via the standard definition of secure two-party computation following the real/ideal paradigm, and using modular sequential composition, see [4, 12, 14] for details.

Theorem 4.1

Assume that the Decisional Diffie–Hellman assumption holds in $({\mathbb {G}},g,q)$ that $H$ is a collision-resistant function and that the garbling of the circuit is secure as in [24]. Then, Protocol 3.1 securely computes $f$ in the presence of malicious adversaries (with error $2^{-s}+\mu (n)$ where $\mu (\cdot )$ is some negligible function).^{Footnote 3}

Proof

We prove Theorem 4.1 in a hybrid model where a trusted party is used to compute the modified batch single-choice cut-and-choose oblivious transfer functionality and the zero-knowledge proof of knowledge of Step 9 (the fact that any zero-knowledge proof of knowledge fulfills the zero-knowledge proof of knowledge functionality was shown in [14]). We separately prove the case that $P_1$ is corrupted and the case that $P_2$ is corrupted.

${P}_\mathbf{1}$ is corrupted Intuitively, $P_1$ can only cheat by constructing some of the circuits in an incorrect way. However, in order for this to work, all of the check circuits must be valid, and all of the evaluation circuits that give output must give the same output. Otherwise, $P_2$ will abort (if there is an invalid check circuit) or will obtain $x$ and output the correct value $f(x,y)$ (if two different outputs are obtained). Now, once $P_1$ sends the circuits, and the cut-and-choose oblivious transfer has been completed, the question of whether a circuit is valid or not, or can be computed or not, is fully determined. (It is true that $P_1$ can send incorrect values for its input wires, but this will be detected in the zero-knowledge phase and so will cause an abort except with negligible probability.) Now, if there exists even just one valid circuit that is an evaluation circuit, then $P_2$ will always output the correct value, either because all evaluation circuits that can be computed are valid or because it will obtain two different outputs and so will learn $x$ in Step 7. Thus, in order to cheat, every valid circuit must be a check circuit and every invalid circuit must be an evaluation circuit. Since every circuit is chosen to be a check or evaluation circuit with probability exactly $1/2$, it follows that this probability of cheating is exactly $2^{-s}$. We now proceed to the formal proof.

Let $\mathcal{A}$ be an adversary controlling $P_1$ in an execution of Protocol 3.1 where a trusted party is used to compute the modified batch single-choice cut-and-choose OT functionality $\mathcal{F}_{\scriptstyle \mathrm {ccot}}$ and the zero-knowledge proof of knowledge of Step 9. We construct a simulator $\mathcal{S}$ who runs in the ideal model with a trusted party computing $f$. $\mathcal{S}$ runs $\mathcal{A}$ internally and simulates the honest $P_2$ for $\mathcal{A}$ as well as the trusted party computing the oblivious transfer and zero-knowledge proof of knowledge functionalities. In addition, $\mathcal{S}$ interacts externally with the trusted party computing $f$. $\mathcal{S}$ works as follows:

1.
$\mathcal{S}$ interacts with $\mathcal{A}$ and plays the honest $P_2$ for the entire protocol execution with input $y=0^\ell $ (in the $\mathcal{F}_{\scriptstyle \mathrm {ccot}}$ and zero-knowledge hybrid models).
2.
Let $x=\sigma _1,\ldots ,\sigma _\ell $ be the witness used by $P_1$ in the zero-knowledge proof of knowledge of Step 9 (i.e., $x$ is the concatenation of the $\sigma _1,\ldots ,\sigma _\ell $ values where $\sigma _i$ is the appropriate part of the witness used in the $i$th proof). $\mathcal{S}$ obtains this witness directly from $\mathcal{A}$ in the zero-knowledge proof of knowledge hybrid model (since $\mathcal{A}$ hands it to the trusted party computing the functionality). If the witness is not valid, then $P_2$ would abort and this is dealt with in the next step.
3.
If $P_2$ would abort in the execution, then $\mathcal{S}$ sends $\bot $ to the ideal functionality computing $f$. Otherwise, it sends $x$.

First, observe that $P_2$ uses its input only in $\mathcal{F}_{\scriptstyle \mathrm {ccot}}$. Therefore, the view of $\mathcal{A}$ in the simulation is identical to its view in a real execution, and so, $\mathcal{S}$’s output distribution in an ideal execution is identical to $\mathcal{A}$’s output distribution in a real execution of Protocol 3.1. However, in order to prove security, we need to prove that the joint distribution consisting of $\mathcal{A}$ and $P_2$’s output after a real protocol execution is indistinguishable from the joint distribution of $\mathcal{S}$ and $P_2$’s output after an ideal execution. Now, if $P_2$ were to abort in a real execution, then $\mathcal{S}$ sends $\bot $ to the trusted party and thus the joint distributions will be the same. However, the probability that $\mathcal{S}$ sends $\bot $ to the trusted party may not be the same as the probability that $P_2$ aborts in a real execution since this may actually depend on $P_2$’s input (recall that $\mathcal{S}$ uses input $0^\ell $ and not the same $y$ that $P_2$ uses). In addition to this difference, we must also show that when $P_2$ does not abort in a real execution, then its output is $f(x,y)$, relative to the same $x$ as sent by $\mathcal{S}$, except with probability that equals $2^{-s}+\mu (n)$, where $\mu (\cdot )$ is some negligible function.

We begin by defining the notion of a $\mathsf{bad}$ and $\mathsf{good}$ circuit. For a garbled circuit $GC_j$, we define the circuit input keys as follows:

1.
Circuit input keys associated with $P_1$’s input: Let $(i,0,g^{a_i^0}),(i,1,g^{a_i^1}),(j,g^{r_j})$ be the values sent by $P_1$ to $P_2$ in Step 3 of the protocol. Then, the circuit input keys associated with $P_1$’s input in $GC_j$ are the keys $H(g^{a_1^0\cdot r_j}),H(g^{a_1^1\cdot r_j}),\ldots ,H(g^{a_\ell ^0\cdot r_j}),H(g^{a_\ell ^1\cdot r_j})$.
2.
Circuit input keys associated with $P_2$’s input: Let $(z_0^{1,j},z_1^{1,j}),\ldots ,(z_0^{\ell ,j},z_1^{\ell ,j})$ be the set of symmetric keys associated with the $j$th circuit that were input by $P_1$ to the cut-and-choose oblivious transfer of Step 2. (These keys are the $j$th pair in each vector $z_1,\ldots ,z_\ell $.) These values are called the circuit input keys associated with $P_2$’s input in $GC_j$.

Then, a garbled circuit is $\mathsf{bad}$ if the circuit keys associated with both $P_1$’s and $P_2$’s input do not open it to the correct circuit $C$. We stress that after Step 3 of the protocol, each circuit is either “bad” or “not bad,” and this is fully determined. (The simulator cannot know at this point if a circuit is bad or not, but it is nevertheless fully determined.) This holds because $P_1$ has already sent the $\{g^{a_i^0},g^{a_i^1},g^{r_j}\}$ values, the garbled circuits and the seed to the randomness extractor in this step; note that once the seed to the randomness extractor is fixed, the symmetric keys derived from the Diffie–Hellman values are fully determined. In addition, the keys associated with $P_2$’s input are already fixed since these are fully determined in Step 2. A garbled circuit is $\mathsf{good}$ if it is not $\mathsf{bad}$.

Clearly, if a check circuit is $\mathsf{bad}$, then $P_2$ aborts. In addition, we claim that if a single evaluation circuit is $\mathsf{good}$ and $P_2$ does not abort, then the distribution over $P_2$’s output is the same in a real and simulated execution (except with probability $2^{-s}+\mu (n)$). In order to see this, observe that if there exists an evaluation circuit that is $\mathsf{good}$, then $P_2$ obtains $f(x,y)$ when evaluating that circuit. Any $\mathsf{bad}$ evaluation circuit that does not give correct output (with respect to the encoded output tables) is ignored. In addition, if there exists another $\mathsf{bad}$ evaluation circuit that yields a different output to $f(x,y)$, then $P_2$ receives $x$ in the computation in Step 7. This holds because if $P_2$ receives two different outputs then there exists a wire for which it receives both outputs; equivalently, there exists an encoded output pair for which $P_2$ receives both preimages. Since the computation in Step 7 is a secure protocol (as proven in [24]), it follows that $P_2$ either aborts or receives the correct output $x$ (except with probability $2^{-s}+\mu (n)$). Note that the change in the computation with respect to the zero-knowledge proof of consistency of $P_1$’s input is inconsequential with respect to the proof of security of [24]. Thus, the security obtained is except with probability $2^{-s}+\mu (n)$; the fact that $2^{-s}$ is achieved is by using $3s$ circuits (to be exact, one would need to the exact computation based on the error given in [24], but this is a very close approximation). In this case where $P_2$ learns $x$ in this step, it also outputs the correct $f(x,y)$. Thus, we conclude that if there exists a single evaluation circuit that is $\mathsf{good}$ and $P_2$ does not abort, then $P_2$ outputs $f(x,y)$. The last remaining case is the case where there exists an output wire for which $P_2$ did not receive a valid value in any evaluation circuit. In this case, $P_2$ aborts. However, this case means that all evaluation circuits are $\mathsf{bad}$. Now, if an additional check circuit is also $\mathsf{bad}$, then $P_2$ aborts due to a circuit check failing. In contrast, if all of the check circuits are $\mathsf{good}$, then $P_2$ will not abort due to the check failing but rather only due to not receiving a valid value on the output wire. This may be different from the simulation, since the question of $P_2$ aborting or not in this case may depend on the input.^{Footnote 4}

This implies that the simulation can deviate from the real output distribution if and only if every check circuit is $\mathsf{good}$ and every evaluation circuit is bad. Since the association of a circuit as being $\mathsf{bad}$ or $\mathsf{good}$ is fixed before $\mathcal{J}$ is revealed (and it is information theoretically hidden from $\mathcal{A}$ in the $\mathcal{F}_{\scriptstyle \mathrm {ccot}}$-hybrid model), it follows that a $\mathsf{bad}$ circuit is an evaluation circuit with probability exactly $1/2$ and a $\mathsf{good}$ circuit is a check circuit with probability exactly $1/2$ (and these probabilities between circuits are independent). There are $s$ circuits and so the probability that the above holds is exactly $2^{-s}$, as required.

We observe that when $P_1$ is corrupted, $\mathcal{A}$ has zero probability of cheating in the oblivious transfers and zero probability of cheating in the proof of consistency (this holds in the hybrid models; in the real model, there is a negligible probability of cheating). Thus, it can only cheat if the circuits are in the bad case described above, or in the secure computation of Step 7. This completes the proof of this corruption case.

We remark that it is implicit in the above analysis that $\mathcal{A}$ cannot detect whether $P_2$ outputs $f(x,y)$ due to all evaluation circuits giving the same output or due to it obtaining $x$ in Step 7. This is because the simulator does not need to be able to distinguish between these cases, and indeed, this can depend on the real input used by $P_2$. Likewise, $\mathcal{A}$ cannot detect whether $P_2$ aborts due to all evaluation circuits not giving a valid output, or whether it aborts due to the fact that it detected a bad circuit in the “correctness of check circuits” step.

${P}_\mathbf{2}$ is corrupted The intuition behind the security in this corruption case is simple and is identical to [24] and other cut-and-choose protocols based on garbled circuits. Specifically, every circuit is either an evaluation circuit, in which case $P_2$ can only learn the output, or a check circuit in which case $P_2$ learns nothing. The security here relies on the DDH assumption and the fact that the garbled values sent by $P_1$ and $P_2$ for the input wires reveal nothing about $P_1$’s input. In addition, it relies on the fact that $P_2$ cannot learn two different outputs by evaluating the evaluation circuits, or in general cannot learn two different values on an output wire (which would be a “proof that $P_1$ cheated” even though it is honest). This is needed since otherwise it could input these into the secure computation of Step 7 and learn $P_1$’s input $x$. Nevertheless, this follows directly from the security of [24] which in the case of a corrupted $P_2$ holds for any number of circuits, from the security of the computation in Step 7, and from the fact that it is hard to invert the one-way function $H$ used to compute the encoded output tables.

Formally, the simulator $\mathcal{S}$ works as follows:

1.
$\mathcal{S}$ obtains $P_2$’s input to the oblivious transfers (where $\mathcal{A}$ controls $P_2$) and uses this to define the set $\mathcal{J}$ and the input $y$.
2.
$\mathcal{S}$ sends $y$ to the trusted party computing $f$ and receives back $z=f(x,y)$.
3.
For every $j\in \mathcal{J}$, $\mathcal{S}$ constructs a proper garbled circuit. For every $j\notin \mathcal{J}$, $\mathcal{S}$ constructs a garbled circuit with exactly the same structure as the correct one, but that outputs the fixed string $z$ received from the trusted party, irrespective of the input. As in the protocol, all the circuits have the same garbled values on the output wires, and they have the same structure for $P_1$’s inputs.
4.
$\mathcal{S}$ continues to run the protocol with $\mathcal{A}$, playing the honest $P_1$ but using the circuits constructed in the previous step.
5.
At the conclusion of the protocol execution with $\mathcal{A}$, simulator $\mathcal{S}$ outputs whatever $\mathcal{A}$ outputs and halts.

This completes the simulation. The formal proof that the simulation is indistinguishable from a real execution follows from the indistinguishability of “fake” garbled circuits from real ones. The formal reduction is almost identical to [24] and so is omitted in this abstract. We remark only that the output distributions between the simulated and real executions is negligible in $n$, and independent of $s$, see [24] for details. This completes the proof.$\square $

5 Variants: Universal Composability and Covert Adversaries

Universal Composability [5] As in [24], by instantiating the cut-and-choose oblivious transfer and the zero-knowledge proofs with variants that are universally composable, the result is that Protocol 3.1 is universally composable.

Covert Adversaries [1] (see “Appendix 2”) Observe that in the case that $P_2$ is corrupted, the protocol is fully secure irrespective of the value of $s$ used. In contrast, when $P_1$ is corrupted, then the cheating probability is $2^{-s}+\mu (n)$. However, this cheating probability is independent of the input used by the $P_2$ (as shown in the proof of Theorem 4.1). Thus, Protocol 3.1 is suitable for the model of security in the presence of covert adversaries. Intuitively, since the adversary can cheat with probability only $2^{-s}$ and otherwise it is caught cheating, the protocol achieves covert security with deterrent $\epsilon =1-2^{-s}$. However, on closer inspection, this is incorrect. Specifically, as we have discussed above, if $P_2$ catches $P_1$ cheating due to the fact that two different circuits yield two different outputs, then it is not allowed to reveal this fact to $P_1$. Thus, $P_2$ cannot declare that $P_1$ is a cheat in this case, as is required in the model of covert adversaries. However, if $P_2$ detects even a single bad circuit in the check phase, then it can declare that $P_1$ is cheating, and this happens with probability at least $1/2$ (even if only a single circuit is bad). We can use this to show that for every $s$, Protocol 3.1 securely computes $f$ in the presence of covert adversaries with deterrent $\epsilon =\mathbf{1}-\mathbf{2}^{-\varvec{s}+\mathbf{1}}$. In actuality, we need to make a slight change to Protocol 3.1, as follows:

The additional zero-knowledge proof of knowledge enables the simulator $\mathcal{S}$ to completely open all circuits by the end of Step 3 of the protocol (by obtaining all of the values on $P_2$’s input wires via the oblivious transfers and all of the values on $P_1$’s inputs wires using $r_j$ values). We remark also this zero-knowledge proof of knowledge requires only a small constant number of exponentiations for every $j$ (note that only a small number of circuits are used here also since this is the setting of covert adversaries).

In addition, we stress that the honest $P_2$ only declares the $P_1$ is corrupted (and attempted cheating) if one of the check circuits is found to be invalid. In particular, $P_2$ does not declare that $P_1$ is corrupted if all checked circuits are correct, but two different evaluated circuits yield different outputs. In this latter case, like in the setting of malicious adversaries, $P_2$ obtains $P_1$’s input $x$ and uses it to locally compute the correct output without revealing to $P_1$ that anything happened.

We now proceed to security. We refer the reader to the definition of security for covert adversaries in “Appendix 2” and [1]; we use the strong explicit definition here. The simulator $\mathcal{S}$ for the case that $P_1$ is corrupted works as follows:

1.
$\mathcal{S}$ works like the simulator in the case of malicious adversaries and determines the set $\mathcal{G}$ of good (or valid) circuits and the set $\mathcal{B}$ of bad (or invalid) circuits. It determines this by using all of $P_1$’s inputs to the oblivious transfers and $r_j$ values extracted from the zero-knowledge proof of knowledge described above. If none of circuits are bad, then $\mathcal{S}$ simulates exactly as in the case of the malicious setting when no circuits are invalid. Otherwise, there is at least one bad circuit and $\mathcal{S}$ proceeds to the next step.
2.
With probability $\frac{1}{2}$, the simulator $\mathcal{S}$ sends $\mathsf{cheat}_1$ to the trusted party.
- If $\mathcal{S}$ receives back undetected, then it receives the input $y$ of the honest party $P_2$ and can determine its output as it wishes. Thus, it proceeds in the simulation by choosing the set of circuits to opened and checked to be exactly the set of good circuits $\mathcal{G}$. Otherwise, it runs the code of the honest $P_2$ with input $y$ with $\mathcal{A}$ and then sets the output of the honest $P_2$ in the ideal execution to be whatever the simulated $P_2$ receives (including the possibility that $P_2$ outputs $\mathsf{corrupted}_1$).
- If $\mathcal{S}$ receives back $\mathsf{corrupted}_1$, then $\mathcal{S}$ chooses the set of circuits to be opened and checked in the simulation of the protocol at random under the constraint that at least one circuit from $\mathcal{B}$ is opened and checked.
3.
Else (i.e., in the case that $\mathcal{S}$ does not send $\mathsf{cheat}_1$ to the trusted party):
- With probability $1-2^{-|\mathcal{B}|+1} + 2^{-s+1}$, $\mathcal{S}$ chooses the set of circuits to be opened and checked in the simulation of the protocol at random under the constraint that at least one circuit from $\mathcal{B}$ is opened and checked. In addition, $\mathcal{S}$ sends $\mathsf{corrupted}_1$ as $P_1$’s input to the trusted party. (This “strange” probability is explained below.)
- Otherwise, $\mathcal{S}$ chooses the set of circuits to be opened and checked in the simulation of the protocol at random under the constraint that no circuits from $\mathcal{B}$ are opened and checked.
4.
Apart from the above, $\mathcal{S}$ behaves exactly as in the case of simulation of malicious adversaries.

We now analyze the above. In order to understand the probability distribution, observe that if $\mathcal{B}$ circuits are invalid then in a real protocol execution the following occurs:

With probability $2^{-s}$, the adversary $\mathcal{A}$ succeeds in cheating (this is the case that the set of evaluated circuits is exactly $\mathcal{B}$).
With probability $1-2^{-|B|}$, party $P_2$ catches $\mathcal{A}$ cheating and outputs $\mathsf{corrupted}_1$ (this holds since $P_2$ catches $\mathcal{A}$ cheating unless every circuit in $\mathcal{B}$ is not opened, which happens with probability $2^{-|\mathcal{B}|}$).
Otherwise, with probability $2^{-|\mathcal{B}|} - 2^{-s}$, party $P_2$ outputs the correct result as if no cheating took place.

Now, in the simulation, we have the following probabilities:

With probability $\frac{1}{2}$, $\mathcal{S}$ sends $\mathsf{cheat}_1$ to the trusted party who returns $\mathsf{undetected}$ with probability $2^{-s+1}$. Thus, successful cheating occurs with probability $\frac{1}{2} \cdot 2^{-s+1} = 2^{-s}$, exactly as in a real execution.
With probability $1-2^{-s+1}$, the trusted party returns $\mathsf{corrupted}_1$ after $\mathcal{S}$ sends $\mathsf{cheat}_1$. Thus, $P_2$ outputs $\mathsf{corrupted}_1$ due to this case with probability $\frac{1}{2}\cdot (1-2^{-s+1}) = \frac{1}{2} - 2^{-s}$. However, in addition, $P_2$ outputs $\mathsf{corrupted}_1$ with probability $1-2^{-|\mathcal{B}|+1} + 2^{-s+1}$ in the case that $\mathcal{S}$ does not send $\mathsf{cheat}_1$. Since this case occurs with probability $\frac{1}{2}$ as well, this contributes probability $\frac{1}{2}\cdot (1-2^{-|\mathcal{B}|+1} + 2^{-s+1}) = \frac{1}{2} -2^{-|\mathcal{B}|} + 2^{-s}$. Summing these together, we have that $P_2$ outputs $\mathsf{corrupted}_1$ in the simulation with probability $\frac{1}{2} - 2^{-s} + \frac{1}{2} -2^{-|\mathcal{B}|} + 2^{-s} = 1-2^{-|B|}$, exactly as in a real execution.
Finally, in all other cases (with probability $2^{-|\mathcal{B}|} - 2^{-s}$), $P_2$ outputs the correct output as if no cheating took place, exactly as in a real execution.

As discussed in the introduction, this yields a huge efficiency improvement over previous results, especially for small values of $s$. For example, 100 circuits are needed to obtain $\epsilon =0.99$ in [1], 24 circuits are needed to obtain $\epsilon =0.99$ in [24], and here 8 circuits alone suffice to obtain $\epsilon =0.99$. Observe that when covert security is desired, the number of circuits sent in Step 7 needs to match the level of covert security. For example, in order to obtain $\epsilon =0.99$, 8 circuits are used in our main protocol and 24 circuits are used in Step 7.

We remark that our protocol would be a little simpler if $P_2$ always asked to open exactly half the circuits (especially in the cut-and-choose oblivious transfer). In this case, the error would be $\left( \begin{array}{c} s\\ s/2 \end{array}\right) ^{-1}$ instead of $2^{-s}$. In order to achieve an error of $2^{-40}$, this would require 44 circuits which is a 10 % increase in complexity, and reason enough to use our strategy of opening each circuit independently with probability $1/2$. However, when considering covert security, the difference is huge. For example, with $s=8$ we have that $\left( \begin{array}{c} 8\\ 4 \end{array}\right) ^{-1} = 1/70$ whereas $2^{-8}= 1/256$. This is a very big difference.

6 Constructing Modified Cut-and-Choose Oblivious Transfer

6.1 Preliminaries: The $\textit{RAND}$ Function

Let $({\mathbb {G}},g,q)$ be such that ${\mathbb {G}}$ is a group of order $q$, with generator $g$. We define the function $\textit{RAND}(w,x,y,z) = (u,v)$, where $u=(w)^t \cdot (y)^{t'}$ and $v=(x)^t \cdot (z)^{t'}$, and the values $t,t'\leftarrow {\mathbb {Z}}_q$ are random. $\textit{RAND}$ has the following properties:

Claim 6.1

Let $({\mathbb {G}},g,q)$ be as above and let $w,x,y,z\in {\mathbb {G}}$. Furthermore, let $(w,x,y,z)$ be a Diffie–Hellman tuple, and let $a\in {\mathbb {Z}}_q$ be such that $x=w^a$ and $z=y^a$. Then, for $(u,v)\leftarrow \textit{RAND}(w,x,y,z)$, it holds that $u^a=v$.

Proof

By the definition of $\textit{RAND}$, $u=w^t \cdot y^{t'}$ and $v=x^t \cdot z^{t'}$. Since $x=w^a$ and $z=y^a$, we can write that

$$\begin{aligned} v=x^t \cdot z^{t'}=(w^a)^t \cdot (y^a)^{t'} = (w^t \cdot y^{t'})^a = u^a, \end{aligned}$$

as required.$\square $

Claim 6.2

Let $({\mathbb {G}},g,q)$ be as above and let $w,x,y,z\in {\mathbb {G}}$. If $(w,x,y,z)$ is not a Diffie–Hellman tuple, then the distributions $(w,x,y,z,\textit{RAND}(w,x,y,z))$ and $(w,x,y,z,g^\alpha ,g^\beta )$, where $\alpha ,\beta \leftarrow {\mathbb {Z}}_q$ are random, are equivalent.

Proof

Let $a,b\in {\mathbb {Z}}_q$ such that $x=w^a$ and $z=y^b$ and $a\ne b$ (such a pair $a,b$ exists since $(w,x,y,z)$ is not a Diffie–Hellman tuple). Let $\alpha ,\beta \in {\mathbb {Z}}_q$; we show that $\mathrm{Pr}[\textit{RAND}(w,x,y,z)=(g^\alpha ,g^\beta )] = \frac{1}{q^2}$, where the probability is taken over $t,t'$ used to compute $\textit{RAND}$. Let $\gamma \in {\mathbb {Z}}_q$ be such that $y=w^\gamma $. Then, we have that $(w,x,y,z)=(w,w^a,w^\gamma ,w^{\gamma \cdot b})$, and so $u=w^t\cdot w^{\gamma \cdot t'}$ and $v=w^{a\cdot t}\cdot w^{\gamma \cdot b\cdot t'}$. Thus, $(u,v)=(g^\alpha ,g^\beta )$ if and only if $t+\gamma \cdot t'=\alpha $ and $a\cdot t + \gamma \cdot b\cdot t'=\beta $. These equations have a single solution if and only if the matrix

$$\begin{aligned} \left( \begin{array}{cc} 1 &{}\quad \gamma \\ a &{}\quad \gamma \cdot b\end{array}\right) \end{aligned}$$

is invertible, which holds here since the determinant is $\gamma \cdot \beta -\gamma \cdot a=\gamma \cdot (b-a)\ne 0$, where the inequality holds since $a\ne b$. Thus, there is a single pair $t,t'$ such that $(u,v)=(g^\alpha ,g^\beta )$ implying that the probability is $\frac{1}{q^2}$, as required.$\square $

6.2 The Protocol for Modified Cut-and-Choose OT

Our protocol is based on the batch single-choice cut-and-choose OT in [24], with appropriate changes. The most significant difference here is that unlike [24] the number of transfers in which the receiver obtains both strings is not fixed a priori, but is rather determined singlehandedly by the receiver. Thus, there is no proof that half of the pairs $(h_0^i,h_1^i)$ are such that $(g_0,g_1,h_0^i,h_1^i)$ are Diffie–Hellman tuples (i.e., a Diffie–Hellman tuple is of the form $(g_0,g_1,h_0,h_1)$ where there exists a value $w$ such that $h_0=(g_0)^w$ and $h_1=(g_1)^w$). In addition, there are additional steps used for $R$ to receive strings $\chi _j$ for every $j\notin \mathcal{J}$. This uses a similar mechanism to the transfer of the other strings. Specifically, $R$ is able to obtain $\chi _j$ for any $j$ for which the tuple $(g_0,g_1,h_0^j,h_1^j/g_1)$ is a Diffie–Hellman tuple, which is exactly for all $j\notin \mathcal{J}$. We remark that in Step 3, $R$ first “rerandomizes” the values $h_0^j$ and $h_1^j/g_1$, obtaining $\tilde{h}_0^j,\tilde{h}_1^j$. This seems to be unnecessary, since the protocol works when the sender computes $\textit{RAND}$ on the initial values $h_0^j$ and $h_1^j/g_1$. However, in the proof of security, the simulator needs to be able to cheat and obtain all values $\chi _j$. This is a problem since the simulator also needs to obtain all pairs from a cheating sender and so must choose $h_0^j,h_1^j$ such that all $(g_0,g_1,h_0^j,h_1^j)$ are Diffie–Hellman tuples. Since the simulator cannot make all of these tuples be Diffie–Hellman tuples at the same time as making all $(g_0,g_1,h_0^j,h_1^j/g_1)$ Diffie–Hellman tuples, the rerandomization is introduced in order to enable the simulator to cheat. Specifically, the simulator will choose all $h_0^j,h_1^j$ such that $(g_0,g_1,h_0^j,h_1^j)$ is a Diffie–Hellman tuple, and will then choose all $\tilde{h}_0^j,\tilde{h}_1^j$ so that all $(g_0,g_1,\tilde{h}_0^j,\tilde{h}_1^j)$ are also Diffie–Hellman tuples. This enables it to obtain all values. (Of course, the simulator will have to cheat in the zero-knowledge proof that $(h_0^j,h_1^j/g_1,\tilde{h}_0^j,\tilde{h}_1^j)$ since will this not be the case in the aforementioned way that the simulator chooses the values. Nevertheless, this is indistinguishable by the decisional Diffie–Hellman assumption.

The protocol appears below.

Correctness

Since it is not immediate from the protocol description, before proceeding to prove security we show that the output of the protocol is correct. First, we show that $R$ receives the values $\chi _j$ for every $j\notin \mathcal{J}$. For every $j$, the receiver obtains $(u_j,w_j)$ where $w_j=H(v_j)\oplus \chi _j$ and $(u_j,v_j)=\textit{RAND}(h_0^j,h_1^j,\tilde{h}_0^j,\tilde{h}_1^j)$. For every $j\notin \mathcal{J}$, we have that $\tilde{h}_0^j=(h_0^j)^{\rho _j}$ and $\tilde{h}_1^j=(h_1^j/g_1)^{\rho _j}$. Thus, $(h_0^j,h_1^j/g_1,\tilde{h}_0^j,\tilde{h}_1^j)$ is a Diffie–Hellman tuple. By Claim 6.1, this implies that $v_j=(u_j)^{\rho _j}$, for every $j\notin \mathcal{J}$. Thus, $w_j\oplus H((u_j)^{\rho _j}) = \chi _j$, as required. Observe also that all $(g_0,g_1,\tilde{h}_0^j,\tilde{h}_1^j)$ are Diffie–Hellman tuples, because if $j\in \mathcal{J}$ then $\tilde{h}_0^j=(h_0^j)^{\rho _j}=(g_0)^{\alpha _j\cdot \rho _j}$ and $\tilde{h}_1^j=(h_1^j)^{\rho _j}=(g_1)^{\alpha _j\cdot \rho _j}$, and if $j\in \mathcal{J}$ then $\tilde{h}_0^j=(h_0^j)^{\rho _j}=(g_0)^{\alpha _j\cdot \rho _j}$ and $\tilde{h}_1^j=(h_1^j/g_1)^{\rho _j}=(g_1)^{\alpha _j\cdot \rho _j}$. Thus, the zero-knowledge proof of Step 3b is accepted.

Likewise, for every $i=1,\ldots ,\ell $ and every $j=1,\ldots ,s$, by the way $R$ chooses its values we have that $(g_\sigma ,\tilde{g}_i,h_\sigma ^j,\tilde{h}_{i,j})$ is a Diffie–Hellman tuple, where $\tilde{g}_i=(g_\sigma )^{r_i}$, and thus, by Claim 6.1 it holds that $(u_{\sigma _i}^{i,j})^{r_i} = v_{\sigma _i}$.

Finally, for every $j\in \mathcal{J}$, the values are chosen by $P_2$ so that $h_0^j\!=\!(g_0)^{\alpha _j}$ and $h_1^j\!=\!(g_1)^{\alpha _j}$. Recall also that $g_1\!=\!(g_0)^y$, and thus $h_1^j\!=\!(g_1)^{\alpha _j} \!=\! (g_0)^{y\cdot \alpha _j}\!=\!(h_0^j)^y$. We now show that for all $j\!\in \!\mathcal{J}$, both $(g_0,\tilde{g}_i,h_0^j,\tilde{h}_{i,j})$ and $(g_1,\tilde{g}_i,h_1^j,\tilde{h}_{i,j})$ are Diffie–Hellman tuples:

1.
If $\sigma _i=0$ then $(g_0,\tilde{g}_i,h_0^j,\tilde{h}_{i,j})$ is a Diffie–Hellman tuple as shown above. Regarding $(g_1,\tilde{g}_i,h_1^j,\tilde{h}_{i,j})$, observe that $\tilde{g}_i = (g_0)^{r_i}$ and $\tilde{h}_{i,j} = (h_0^j)^{r_i}$. Since $g_1=(g_0)^y$ and $h_1^j = (h_0^j)^y$, we have that $\tilde{g}_i = (g_1)^{r_i/y}$ and $\tilde{h}_{i,j} = (h_0^j)^{r_i} = (h_1^j)^{r_i/y}$. By Claim 6.1, it follows that $v_1^{i,j} = (u_1^{i,j})^{r_i/y}$.
2.
If $\sigma _i=1$, then $(g_1,\tilde{g}_i,h_1^j,\tilde{h}_{i,j})$ is a Diffie–Hellman tuple as shown above. Regarding $(g_0,\tilde{g}_i,h_0^j,\tilde{h}_{i,j})$, observe that $\tilde{g}_i = (g_1)^{r_i}$ and $\tilde{h}_{i,j} = (h_1^j)^{r_i}$. Since $g_1=(g_0)^y$ and $h_1^j = (h_0^j)^y$, we have that $\tilde{g}_i = (g_0)^{y\cdot r_i}$ and $\tilde{h}_{i,j} = (h_1^j)^{r_i} = (h_0^j)^{y\cdot r_i}$. By Claim 6.1, it follows that $v_1^{i,j} = (u_1^{i,j})^{y\cdot r_i}$.

6.3 The Proof of Security of Protocol 6.3

Theorem 6.4

If the Decisional Diffie–Hellman problem is hard in $({\mathbb {G}},g,q)$, then Protocol 6.3 securely computes the $\mathcal{F}_{\scriptstyle \mathrm {ccot}}$ functionality. If the zero-knowledge proofs of Step 1b of the setup phase and Step 2b of the transfer phase are universally composable, then Protocol 6.3 UC-computes the $\mathcal{F}_{\scriptstyle \mathrm {ccot}}$ functionality.

Proof

We prove security in a hybrid model where the zero-knowledge proofs and proofs of knowledge (ZKPOK) are computed by ideal functionalities (where the prover sends $(x,w)$ and the functionality sends 1 to the verifier if and only if $(x,w)$ is in the relation); the fact that any zero-knowledge proof of knowledge securely computes this functionality has been formally proven in [14, Section 6.5.3].

Case 1: Corrupted Receiver

Let $\mathcal{A}$ be an adversary that controls the receiver $R$. We construct a simulator $\mathcal{S}$ that invokes $\mathcal{A}$ on its input and works as follows:

1.
$\mathcal{S}$ receives $g_1$ and receives the input $((g_0,g_1),y)$ that $\mathcal{A}$ sends to the ideal ZKPOK functionality. If $g_1 \ne (g_0)^y$, then $\mathcal{S}$ simulates $S$ aborting, and outputs whatever $\mathcal{A}$ outputs. Else, $\mathcal{S}$ proceeds to the next step.
2.
$\mathcal{S}$ receives $(h_0^1,h_1^1,\ldots ,h_0^s,h_1^s)$ from $\mathcal{A}$. For every $j=1,\ldots ,s$, $\mathcal{S}$ checks if $h_1^j = (h_0^j)^y$ then it sets $j\in \mathcal{J}$ and otherwise it sets $j\notin \mathcal{J}$.
3.
For every $i=1,\ldots ,\ell $, $\mathcal{S}$ receives $(\tilde{g}_i,\tilde{h}_{i,1},\ldots ,\tilde{h}_{i,s})$ from $\mathcal{A}$.
4.
For every $i=1,\ldots ,\ell $, $\mathcal{S}$ receives the witness $r_i$ that $\mathcal{A}$ sends to ZKPOK $(\tilde{g}_i,\tilde{h}_{i,1},\ldots ,\tilde{h}_{i,s})$. If it does not hold that [$\tilde{g}_i=(g_0)^{r_i}$ and every $\tilde{h}_{i,j}=(h_0^j)^{r_i}$] or [$\tilde{g}_i=(g_1)^{r_i}$ and every $\tilde{h}_{i,j}=(h_1^j)^{r_i}$], then $\mathcal{S}$ simulates $S$ aborting, and outputs whatever $\mathcal{A}$ outputs. Otherwise, for every $i$, let $\sigma _i$ be the bit for which it holds.
5.
$\mathcal{S}$ sends $\mathcal{J}$ and $\sigma _1,\ldots ,\sigma _s$ to the trusted party:
1. (a)
  For every $i=1,\ldots ,\ell $ and every $j\in \mathcal{J}$, $\mathcal{S}$ receives back a pair $(x_0^{i,j},x_1^{i,j})$.
2. (b)
  For every $i=1,\ldots ,\ell $, $\mathcal{S}$ receives back the vector ${x}_i = \langle x_{\sigma _i}^{i,1},\ldots , x_{\sigma _i}^{i,s}\rangle $.
3. (c)
  For every $k\notin \mathcal{J}$, $\mathcal{S}$ receives back $\chi _k$.
6.
$\mathcal{S}$ simulates the transfer phase by handing the following messages to $\mathcal{A}$:
1. (a)
  For every $i=1,\ldots ,\ell $ and every $j\in \mathcal{J}$, $\mathcal{S}$ computes $(u_0^{i,j},w_0^{i,j})$ and $(u_1^{i,j},w_1^{i,j})$ exactly like the honest sender (it can do this because it knows both $x_0^{i,j}$ and $x_1^{i,j}$).
2. (b)
  For every $i=1,\ldots ,\ell $ and every $k\notin \mathcal{J}$, $\mathcal{S}$ computes $(u_{\sigma _i}^{i,k},w_{\sigma _i}^{i,k})$ like the honest sender using $x_{\sigma _i}^{i,k}$, and sets $(u_{1-\sigma _i}^{i,k},w_{1-\sigma _i}^{i,k})$ to be a pair of a random element of ${\mathbb {G}}$ and a random string of length $n$.
7.
$\mathcal{S}$ simulates the transfer of $\chi _j$ values, as follows:
1. (a)
  $\mathcal{S}$ receives the $\tilde{h}_0^j,\tilde{h}_1^j$ values from $\mathcal{A}$ and the witness it sends to ZKPOK functionality. If the witness is not correct, it simulates $S$ aborting, and outputs whatever $\mathcal{A}$ outputs. Otherwise, it proceeds to the next step.
2. (b)
  For every $j\notin \mathcal{J}$, $\mathcal{S}$ computes $(u_j,w_j)$ as the honest sender does (it can do this since it knows $\chi _k$).
3. (c)
  For every $j\in \mathcal{J}$, $\mathcal{S}$ sets $(u_j,w_j)$ to be a pair of a random element of ${\mathbb {G}}$ and a random string of length $n$.
8.
$\mathcal{S}$ outputs whatever $\mathcal{A}$ outputs.

We claim that the output of the ideal execution with $\mathcal{S}$ is identical to the output of a real execution with $\mathcal{A}$ and an honest sender. This is due to the fact that the only difference is with respect to the way the tuples $(u_{1-\sigma _i}^{i,k},w_{1-\sigma _i}^{i,k})$ for $k\notin \mathcal{J}$ are formed, and the way that the tuples $(u_j,w_j)$ $j\in \mathcal{J}$ are formed (namely, these are generated as random elements by the simulator).

Beginning first with the $(u_j,w_j)$ tuples for $j\!\in \!\mathcal{J}$, observe that by the way that $\mathcal{S}$ defines $\mathcal{J}$, it holds that $h_1^j\!=\!(h_0^j)^y$ for all $j\!\in \!\mathcal{J}$. This implies that $(g_0,g_1,h_0^j,h_1^j)$ is a Diffie–Hellman tuple, and $(g_0,g_1,h_0^j,(h_1^j/g_1)$ is not a Diffie–Hellman tuple. Now, in the real protocol, $S$ generates $(u_j,w_j)$ by first computing $\textit{RAND}(g_0,g_1,h_0^j,(h_1^j/g_1))$. Thus, by Claim 6.2, the values $(u_j,v_j)$ are random in ${\mathbb {G}}$ and so $(u_j,w_j)$ are distributed identically to the way they are generated by $\mathcal{S}$ (i.e., $u_j$ is uniform in ${\mathbb {G}}$ and $w_j$ is uniform in $\{0,1\}^n$).

Regarding the tuples $(u_{1-\sigma _i}^{i,k},w_{1-\sigma _i}^{i,k})$ for $k\notin \mathcal{J}$, the same argument holds. Specifically, for $k\notin \mathcal{J}$, we know that $h_1^k \ne (h_0^k)^y$. Thus, for a given tuple $(\tilde{g}_i,\tilde{h}_{i,1},\ldots ,\tilde{h}_{i,s})$ it cannot hold that both [$\tilde{g}_i=(g_0)^{r_i}$ and every $\tilde{h}_{i,j}=(h_0^j)^{r_i}$] and [$\tilde{g}_i=(g_1)^{r_i}$ and every $\tilde{h}_{i,j}=(h_1^j)^{r_i}$]. Since the simulator set $\sigma _i$ to be such that [$\tilde{g}_i=(g_{\sigma _i})^{r_i}$ and every $\tilde{h}_{i,j}=(h_{\sigma _i}^j)^{r_i}$] holds, we have that [$\tilde{g}_i=(g_{1-\sigma _i})^{r_i}$ and every $\tilde{h}_{i,j}=(h_{1-\sigma _i}^j)^{r_i}$] does not hold. This in turn applies that $(g_{1-\sigma _i},\tilde{g}_i,h_{1-\sigma _i},\tilde{h}_{i,j})$ is not a Diffie–Hellman tuple, and so, the distribution generated by $\mathcal{S}$ by choosing the values $(u_{1-\sigma _i}^{i,k},w_{1-\sigma _i}^{i,k})$ uniformly is identical, as above.

Case 2: Corrupted Sender

We now proceed to the case that $\mathcal{A}$ controls the sender $S$. We construct a simulator $\mathcal{S}$ as follows:

1.
$\mathcal{S}$ computes $g_1=(g_0)^y$ for a random $y\leftarrow {\mathbb {Z}}_q$ and hands $g_1$ internally to $\mathcal{A}$.
2.
$\mathcal{S}$ simulates the ideal zero-knowledge proof of knowledge from $R$ to $S$ by handing 1 (“success”) to $\mathcal{A}$ as if it came from the ZKPOK ideal functionality.
3.
$\mathcal{S}$ plays the same strategy as an honest $R$ with $\mathcal{J}=[s]$ and $\sigma _1=\sigma _2=\cdots =\sigma _\ell =0$. That is:
1. (a)
  For every $j=1,\ldots ,s$, $\mathcal{S}$ chooses a random $\alpha _j\leftarrow {\mathbb {Z}}_q$ and sets $h_0^j=(g_0)^{\alpha _j}$ and $h_1^j=(g_1)^{\alpha _j}$ (i.e., setting $\mathcal{J}=[s]$). $\mathcal{S}$ hands $(h_0^1,h_1^1,\ldots ,h_0^s,h_1^s)$ to $\mathcal{A}$.
2. (b)
  For every $i=1,\ldots ,\ell $, $\mathcal{S}$ computes $\tilde{g}_i=(g_0)^{r_i}$ and $\tilde{h}_{i,1}=(h_0^1)^{r_i},\ldots ,\tilde{h}_{i,s}=(h_0^s)^{r_i}$ and sends the vector $(\tilde{g}_i,\tilde{h}_{i,1},\ldots ,\tilde{h}_{i,s})$ to $\mathcal{A}$.
4.
Upon receiving back pairs $(u_0^{i,j},w_0^{i,j})$ and $(u_1^{i,j},w_1^{i,j})$ for every $i=1,\ldots ,\ell $ and every $j=1,\ldots ,s$, simulator $\mathcal{S}$ computes $x_0^{i,j}=w_0^{i,j}\oplus H((u_0^{i,j})^{r_i}$ and $x_1^{i,j}= w_1^{i,j}\oplus H((u_1^{i,j})^{r_i/y}$, just like an honest $R$ (for when $j\in \mathcal{J}$).
5.
In the simulation of the transfer of $\chi _j$ values, $\mathcal{S}$ behaves differently, as follows:
1. (a)
  For every $j=1,\ldots ,s$ it computes $\tilde{h}_0^j=(h_0^j)^{\rho _j}$ and $\tilde{h}_1^j=(h_1^j/g_1)^{\rho _j}$ (as if $j\notin \mathcal{J}$, even though in actuality $j\in \mathcal{J}$ for all $j$).
2. (b)
  $\mathcal{S}$ simulates the zero-knowledge proof that all the tuples $\{(g_0,g_1,\tilde{h}_0^j,\tilde{h}_1^j)\}_{j=1}^s$ are Diffie–Hellman tuples (even though none of them are) by handing 1 (“success”) to $\mathcal{A}$ as if it came from the ZKPOK ideal functionality.
3. (c)
  Upon receiving all the pairs $\{(u_j,w_j)\}_{j=1}^s$ from $\mathcal{A}$, simulator $\mathcal{S}$ computes $\chi _j=w_j\oplus H((u_j)^{\rho _j}$.
6.
$\mathcal{S}$ sends all of the vectors pairs $x_i=\langle (x_0^{i,1},x_1^{i,1}),\ldots ,(x_0^{i,s},x_1^{i,s})\rangle $ for $i=1,\ldots ,\ell $ to the trusted party, as well as all of the values $\chi _1,\ldots ,\chi _s$.
7.
$\mathcal{S}$ outputs whatever $\mathcal{A}$ outputs, and halts.

There are two main observations regarding the simulation. First, by the way the simulator chooses $g_0$ and $g_1$, all of the $(g_0,\tilde{g}_i,h_0^j,\tilde{h}_{i,j})$ and $(g_1,\tilde{g}_i,h_1^j,\tilde{h}_{i,j})$ tuples are Diffie–Hellman tuples. Thus, $\mathcal{S}$ learns all of the pairs $(x_0^{i,j},x_1^{i,j})$, and these are consistent with the values that the honest receiver would receive in a real execution. Likewise, $\mathcal{S}$ learns all of the values $\chi _1,\ldots ,\chi _s$, and these are consistent with the $\chi _j$ values that $R$ would receive in a real execution for values of $j\notin \mathcal{J}$. Second, by the decisional Diffie–Hellman assumption, the output of a simulated execution with $\mathcal{S}$ in the ideal model is indistinguishable from the output of a real execution between $\mathcal{A}$ and an honest receiver. This is due to the fact that the only differences between the real and ideal executions are:

1.
The simulator chooses the values $(h_0^1,h_1^1,\ldots ,h_0^s,h_1^s)$ as if $\mathcal{J}=[s]$ (and the honest receiver uses the subset $\mathcal{J}$ in its input)
2.
The simulator generates the vectors $(\tilde{g}_i,\tilde{h}_{i,1},\ldots ,\tilde{h}_{i,s})$ as if all the receiver inputs are $\sigma _1=\cdots =\sigma _\ell =0$ (whereas the honest receiver uses its real input $\sigma _1,\ldots ,\sigma _\ell $, and
3.
The simulator cheats when it generates the pair $(\tilde{h}_0^j,\tilde{h}_1^j)$ making it so that all tuples $(h_0^j,h_1^j/g_1,\tilde{h}_0^j,\tilde{h}_1^j)$ are Diffie–Hellman tuples even though none of the tuples $(g_0,g_1,\tilde{h}_0^j,\tilde{h}_1^j)$ are.

Nevertheless, these differences are all indistinguishable by the DDH assumption. This is demonstrated formally as in [24].$\square $

6.4 Concrete Efficiency: Cut-and-Choose OT

We count the number of exponentiations and the bandwidth. We also distinguish between fixed-base exponentiations and regular exponentiations (in most groups, the cost of a fixed-base exponentiation is about a third of a full exponentiation [25, Sec. 14.6.3]). The cost of the zero-knowledge proof of knowledge of discrete log is 9 exponentiations and the exchange of 4 group elements [14], and the cost of the zero-knowledge proof in Step 2b of the transfer phase is $s+16$ exponentiations overall and the exchange of 10 group elements, see [24]. Finally, the cost of the $s$ zero-knowledge proofs of knowledge of Step 3b is $12s$ exponentiations and the exchange of $5s$ group elements.

In the setup phase, not counting the zero-knowledge proof of knowledge, $R$ carries out $2s+1$ fixed-base exponentiations and sends $2s+1$ group elements. In the transfer phase (excluding the zero-knowledge), $R$ computes $(s+1)\cdot \ell $ fixed-base exponentiations in Step 2a (these bases are used $\ell $ times and so for not very small values of $\ell $ the fixed-base optimization will be significant), and $S$ computes $\textit{RAND}$ $2s\ell $ times at the cost of $8s\ell $ fixed-base exponentiations. In addition, $R$ sends $(s+1)\ell $ group elements and $S$ sends $4s\ell $ group elements. In the transfer of $\chi _j$ values phase (excluding the zero-knowledge), $R$ computes $2s$ regular exponentiations, and $S$ computes $\textit{RAND}$ $s$ times at the cost of $4s$ regular exponentiations. In addition, $R$ sends $2s$ group elements and $S$ sends $2s$ group elements. Finally, in the output phase, $R$ computes $(s+|\mathcal{J}|)\ell + s-|\mathcal{J}|\approx \frac{3s}{2}\cdot \ell -\frac{s}{2}$ regular exponentiations. Overall, we have:

Operation	Exact cost	Approximate cost
Regular exponentiations	$1.5s\ell +18.5s+25$	$1.5s\ell $
Fixed-base exponentiations	$9s\ell +\ell +2s+1$	$9s\ell $
Bandwidth (group elements)	$5s\ell +\ell +11s+15$	$5s\ell $

Notes

This can be efficiently proven by combining all the ANDs into two tuples and then proving that either the first is a Diffie–Hellman tuple, or the second is a Diffie–Hellman tuple. A description of how such batching can be carried out is described in [24].
Note that $P_2$ must be able to check the correctness of the “garbled circuit.” However, here the first parts of the circuit are implicit only. However, recall that in the check circuits, $P_2$ receives both inputs to each oblivious transfer. Thus, given $\Delta $ (which is sent in the clear after the cut-and-choose OT terminates), $P_2$ can compute $k_1=\oplus _{i=1}^s x_{\Delta _i}^i$. It can then use $k_0$ sent in the clear, together with this computed $k_1$ as input to the procedure that checks whether the (standard) garbled circuit with the AND gates is correct.
The error is actually $\frac{1}{2^s-1}$ since $J$ must be chosen to not equal all of $[s]$. Thus, there are “only” $2^s-1$ possible cuts. We ignore this minor detail.
Specifically, $P_1$ may construct all of the circuits correctly, but may use one incorrect key—say, the 1-key—for one of the input wires associated with $P_2$’s input in a subset of the circuits in the oblivious transfer. In this case, if $P_2$’s associated input is 1 and all of the evaluation circuits are in the subset, then $P_2$ will abort. In contrast, the simulator uses input $y=0^\ell $ and so will not abort due to this error.

References

Y. Aumann, Y. Lindell, Security against covert adversaries: efficient protocols for realistic adversaries. J. Cryptol. 23(2), 281–343 (2010).
Article MathSciNet MATH Google Scholar
D. Beaver, Foundations of secure interactive computing, in CRYPTO’91. LNCS 576 (Springer, 1991), pp. 377–391.
R. Bendlin, I. Damgård, C. Orlandi, S. Zakarias, Semi-homomorphic encryption and multiparty computation, in EUROCRYPT 2011. LNCS 6632 (Springer, 2011), pp. 169–188.
R. Canetti, Security and composition of multiparty cryptographic protocols. J. Cryptol. 13(1), 143–202 (2000).
Article MathSciNet MATH Google Scholar
R. Canetti, Universally composable security: a new paradigm for cryptographic protocols, in $42$ nd FOCS (2001), pp. 136–145. Full version available at http://eprint.iacr.org/2000/067
I. Damgård, C. Orlandi, Multiparty computation for dishonest majority: from passive to active security at low cost, in CRYPTO 2010. LNCS 6223 (Springer, 2010), pp. 558–576.
I. Damgård, V. Pastro, N.P. Smart, S. Zakarias, Multiparty computation from somewhat homomorphic encryption, in CRYPTO 2012. Springer (LNCS 7417, 2012), pp. 643–662.
Y. Dodis, R. Gennaro, J. Hastad, H. Krawczyk, T. Rabin, Randomness extraction and key derivation using the CBC, cascade and HMAC modes, in CRYPTO 2004. LNCS 3152 (Springer, 2004), pp. 494–510.
R. Fagin, M. Naor, P. Winkler, Comparing information without leaking it. Commun. ACM 39(5), 77–85 (1996).
Article Google Scholar
T.K. Frederiksen, J.B. Nielsen, Fast and maliciously secure two-party computation using the GPU. Cryptology ePrint Archive: Report 2013/046 (2013).
S. Goldwasser, L. Levin, Fair computation of general functions in presence of immoral majority, in CRYPTO’90. LNCS 537 (Springer, 1990), pp. 77–93.
O. Goldreich, Foundations of Cryptography: Vol. 2: Basic Applications (Cambridge University Press, Cambridge, 2004).
O. Goldreich, S. Micali, A. Wigderson, How to play any mental game–a completeness theorem for protocols with honest majority, in $19$ th STOC (1987), pp. 218–229.
C. Hazay, Y. Lindell, Efficient Secure Two-Party Protocols: Techniques and Constructions (Springer, Berlin, 2010).
Book Google Scholar
Y. Huang, J. Katz, D. Evans, Efficient secure two-party computation using symmetric cut-and-choose, in CRYPTO 2013. LNCS 8043, vol. 2 (Springer, 2013), pp. 1–17.
Y. Ishai, J. Kilian, K. Nissim, E. Petrank, Extending oblivious transfer efficiently, in CRYPTO 2003. LNCS 2729 (Springer, 2003), pp. 145–161.
Y. Ishai, M. Prabhakaran, A. Sahai, Founding cryptography on oblivious transfer–efficiently, in CRYPTO 2008. LNCS 5157 (Springer, 2008), pp. 572–591.
Y. Ishai, M. Prabhakaran, A. Sahai, Secure Arithmetic computation with no honest majority, in TCC 2009. LNCS 5444 (Springer, 2009), pp. 294–314.
S. Jarecki, V. Shmatikov. Efficient two-party secure computation on committed inputs, in EUROCRYPT 2007. LNCS 4515 (Springer, 2007), pp. 97–114.
B. Kreuter, A. Shelat, C. Shen, Billion-gate secure computation with malicious adversaries, in The $21$ st USENIX Security Symposium (2012).
Y. Lindell, E. Oxman, B. Pinkas. The IPS compiler: optimizations, variants and concrete efficiency, in CRYPTO 2011. LNCS 6841 (Springer, 2011), pp. 259–276.
Y. Lindell, B. Pinkas, A proof of Yao’s protocol for secure two-party computation. J. Cryptol. 22(2), 161–188 (2009).
Article MathSciNet MATH Google Scholar
Y. Lindell, B. Pinkas, An efficient protocol for secure two-party computation in the presence of malicious adversaries. J. Cryptol. (to appear). Extended abstract appeared in EUROCRYPT 2007. LNCS 4515 (Springer, 2007), pp. 52–78.
Y. Lindell, B. Pinkas, Secure two-party computation via cut-and-choose oblivious transfer, in TCC 2011. J. Cryptol. 25(4),LNCS 6597 (Springer, 2011), pp. 329–346
A.J. Menezes, P.C. van Oorschot, S.A. Vanstone, Handbook of Applied Cryptography (CRC Press, Boca Raton, 2001).
Google Scholar
S. Micali, P. Rogaway, Secure computation. Unpublished manuscript (1992). Preliminary version in CRYPTO’91. LNCS 576 (Springer, 1991), pp. 392–404.
P. Mohassel, B. Riva, Garbled circuits checking garbled circuits: more efficient and secure two-party computation, in CRYPTO 2013. LNCS 8043 (Springer, 2013), pp. 36–53.
J.B. Nielsen, P.S. Nordholt, C. Orlandi, S. Sheshank Burra, A new approach to practical active-secure two-party computation, in CRYPTO 2012. LNCS 7417 (Springer, 2012), pp. 681–700.
J.B. Nielsen, C. Orlandi, LEGO for two-party secure computation, in TCC 2009. LNCS 5444 (Springer, 2009), pp. 368–386.
B. Schoenmakers, P. Tuyls, Practical two-party computation based on the conditional gate, in ASIACRYPT 2004. LNCS 3329 (Springer, 2004), pp. 119–136.
A. Shelat, C.H. Shen, Two-output secure computation with malicious adversaries, in EUROCRYPT 2011. LNCS 6632 (Springer, 2011), pp. 386–405.
A. Yao, How to generate and exchange secrets, in $27$ th FOCS (1986), pp. 162–167.
Bristol Cryptography Group. Circuits of basic functions suitable for MPC and FHE. http://www.cs.bris.ac.uk/Research/CryptographySecurity/MPC/

Download references

Acknowledgments

We thank Benny Pinkas and Ben Riva for many helpful discussions. We also thank Ranjit Kumaresan, Alex Malozemoff and Chuan Zhao for pointing out minor errors.

Author information

Authors and Affiliations

Department of Computer Science, Bar-Ilan University, Ramat Gan, Israel
Yehuda Lindell

Authors

Yehuda Lindell
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Yehuda Lindell.

Additional information

Communicated by Jonathan Katz.

An extended abstract of this work appeared at CRYPTO 2013. This work was funded by the European Research Council under the European Union’s Seventh Framework Programme (FP/2007-2013)/ERC Grant Agreement No. 239868.

Appendices

Appendix 1: The Circuit for Step 7 of Protocol 3.1

1.1 The Original Circuit

1.2 The First Optimization

1.3 The Final Optimization

Appendix 2: Definition of Security for Covert Adversaries

For the sake of completeness, and since it is less well known, we provide the definition of security for covert adversaries here.

The High-Level Idea Behind the Definition

The definition of security for covert adversaries is based on the standard ideal/real simulation paradigm for malicious adversaries and provides the guarantee that if the adversary cheats, then it will be caught by the honest parties (with some probability). In order to understand what we mean by this, we have to explain what we mean by “cheating.” Loosely speaking, we say that an adversary successfully cheats if it manages to do something that is impossible in the ideal model. Stated differently, successful cheating is behavior that cannot be simulated in the ideal model. Thus, for example, an adversary who learns more about the honest parties’ inputs than what is revealed by the output has cheated. In contrast, an adversary who uses pseudorandom coins instead of random coins (where random coins are what are specified in the protocol) has not cheated.

We begin by informally describing the guarantee provided by this notion. Let $0<\epsilon \le 1$ be a value (called the deterrence factor). Then, any attempt to cheat by a real adversary $\mathcal{A}$ is detected by the honest parties with probability at least $\epsilon $. Thus, provided that $\epsilon $ is sufficiently large, an adversary that wishes not to be caught cheating will refrain from attempting to cheat, lest it be caught doing so. Clearly, the higher the value of $\epsilon $, the greater the probability adversarial behavior is caught and thus the greater the deterrentto cheat. This notion is therefore called security in the presence of covert adversaries with $\epsilon $-deterrent. Note that the security guarantee does not preclude successful cheating. Indeed, if the adversary decides to cheat, it may gain access to the other parties’ private information or bias the result of the computation. The only guarantee is that if it attempts to cheat, then there is a fair chance that it will be caught doing so. This is in contrast to standard definitions, where absolute privacy and security are guaranteed for the given type of adversary. We remark that by setting $\epsilon =1$, the definition can be used to capture a requirement that cheating parties are always caught.

The Actual Definition

We begin by presenting the modified ideal model. In this model, we add new instructions that the adversary can send to the trusted party. Recall that in the standard ideal model, the adversary can send a special $\mathsf{abort}_i$ message to the trusted party, in which case the honest party receives $\mathsf{abort}_i$ as output. In the ideal model for covert adversaries, the adversary can send the following additional special instructions:

Special input $\mathsf{corrupted}_i$: If the ideal-model adversary sends $\mathsf{corrupted}_i$ instead of an input, the trusted party sends $\mathsf{corrupted}_i$ to the honest party and halts. This enables the simulation of behavior by a real adversary that always results in detected cheating. (It is not essential to have this special input, but it sometimes makes proving security easier.)
Special input $\mathsf{cheat}_i$: If the ideal-model adversary sends $\mathsf{cheat}_i$ instead of an input, the trusted party tosses coins and with probability $\epsilon $ determines that this “cheat strategy” by $P_i$ was detected, and with probability $1-\epsilon $ determines that it was not detected. If it was detected, the trusted party sends $\mathsf{corrupted}_i$ to the honest party. If it was not detected, the trusted party hands the adversary the honest party’s input and gives the ideal-model adversary the ability to set the output of the honest party to whatever value it wishes. Thus, a $\mathsf{cheat}_i$ input is used to model a protocol execution in which the real-model adversary decides to cheat. However, as required, this cheating is guaranteed to be detected with probability at least $\epsilon $. Note that if the cheat attempt is not detected, then the adversary is given “full cheat capability,” including the ability to determine the honest party’s output.

The idea behind the new ideal model is that given the above instructions, the adversary in the ideal model can choose to cheat, with the caveat that its cheating is guaranteed to be detected with probability at least $\epsilon $. We stress that since the capability to cheat is given through an “input” that is provided to the trusted party, the adversary’s decision to cheat must be made before the adversary learns anything (and thus independently of the honest party’s input and the output).

We are now ready to present the modified ideal model. Let $\epsilon :{\mathbb {N}}\rightarrow [0,1]$ be a function. Then, the ideal execution for a function $f:\{0,1\}^*\times \{0,1\}^*\rightarrow \{0,1\}^*\times \{0,1\}^*$ with parameter $\epsilon $ proceeds as follows:

Inputs: :: Let $x$ denote the input of party $P_1$, and let $y$ denote the input of party $P_2$. The adversary $\mathcal{A}$ also has an auxiliary input $z$.
Send inputs to trusted party: :: The honest party $P_j$ sends its received input to the trusted party. The corrupted party $P_i$, controlled by $\mathcal{A}$, may send a special input signaling abort or attempted cheating (by replacing the input with a special $\mathsf{abort}_i$, $\mathsf{corrupted}_i$ or $\mathsf{cheat}_i$ message), send its received input, or send some other input of the same length to the trusted party. This decision is made by $\mathcal{A}$ and may depend on the input value of $P_i$ and the auxiliary input $z$. Denote the pair of inputs sent to the trusted party by $(x',y')$.
Abort options: :: If a corrupted party sends $\mathsf{abort}_i$ to the trusted party as its input, then the trusted party sends $\mathsf{abort}_i$ to the honest party and halts. If a corrupted party sends $\mathsf{corrupted}_i$ to the trusted party as its input, then the trusted party sends $\mathsf{corrupted}_i$ to the honest party and halts.
Attempted cheat option: :: If a corrupted party sends $\mathsf{cheat}_i$ to the trusted party as its input, then the trusted party works as follows:

1.
With probability $\epsilon $, the trusted party sends $\mathsf{corrupted}_i$ to the adversary and the honest party.
2.
With probability $1-\epsilon $, the trusted party sends undetected to the adversary along with the honest party’s input. Following this, the adversary sends the trusted party an output value $\tau $ of its choice for the honest party. The trusted party then sends $\tau $ to $P_j$ as its output (where $P_j$ is the honest party).

If the adversary sent $\mathsf{cheat}_i$, then the ideal execution ends at this point. Otherwise, the ideal execution continues below.

Trusted party sends output to adversary: :: At this point, the trusted party computes $f_1(x',y')$ and $f_2(x',y')$ and sends $f_i(x',y')$ to $P_i$ (i.e., it sends the corrupted party its output).
Adversary instructs trusted party to continue or halt: :: After receiving its output, the adversary sends either $\mathsf continue$ or $\mathsf{abort}_i$ to the trusted party. If the trusted party receives continue, then it sends $f_j(x',y')$ to the honest party $P_j$. Otherwise, if it receives $\mathsf{abort}_i$, it sends $\mathsf{abort}_i$ to the honest party $P_j$.
Outputs: :: The honest party always outputs the output value it obtained from the trusted party. The corrupted party outputs nothing. The adversary $\mathcal{A}$ outputs any arbitrary (probabilistic polynomial-time computable) function of the initial inputs of the corrupted party, the auxiliary input $z$, and the value $f_i(x',y')$ obtained from the trusted party.

The output of the honest party and the adversary in an execution of the above ideal model is denoted by ${\textsc {ideal}}^\epsilon _{f,\mathcal{S}(z),i}(x,y,n)$.

Notice that there are two types of “cheating” here. The first is the classic $\mathsf{abort}$ and is used to model “early aborting” due to the impossibility of achieving fairness in general when there is no honest majority. The other type of cheating in this ideal model is more serious for two reasons: first, the ramifications of the cheating are greater (the adversary may learn the honest party’s input and may be able to determine its output), and second, the cheating is only guaranteed to be detected with probability $\epsilon $. Nevertheless, if $\epsilon $ is high enough, this may serve as a deterrent. We stress that in the ideal model, the adversary must decide whether to cheat obliviously of the honest party’s input and before it receives any output (and so it cannot use the output to help it decide whether or not it is “worthwhile” cheating). We have the following definition.

Definition 8.1

(security—strong explicit cheat formulation [1]) Let $f$ be a two-party functionality, let $\pi $ be a protocol, and let $\epsilon :{\mathbb {N}}\rightarrow [0,1]$ be a function. Protocol $\pi $ is said to securely compute $f$ in the presence of covert adversaries with $\epsilon $-deterrent if for every nonuniform probabilistic polynomial-time adversary $\mathcal{A}$ for the real model, there exists a nonuniform probabilistic polynomial-time adversary $\mathcal{S}$ for the ideal model such that for every $i\in \{1,2\}$:

$$\begin{aligned} \left\{ {\textsc {ideal}}^\epsilon _{f,\mathcal{S}(z),i}(x,y,n)\right\} _{x,y,z,n} \mathop {\equiv }\limits ^\mathrm{c}\left\{ {\textsc {real}}_{\pi ,\mathcal{A}(z),i}(x,y,n)\right\} _{x,y,z,n} \end{aligned}$$

where $x,y,z\in \{0,1\}^*$ under the constraint that $|x|=|y|$, and $n\in {\mathbb {N}}$.

Appendix 3: A Discussion on the Cut-and-Choose Parameters of [31]

In [31], it was shown that opening and checking 60 % of the circuits is preferable to opening and checking 50 % of the circuits, since it provides a lower error of $2^{-0.32s}$ instead of $2^{-0.311s}$. Although this difference may be small, it can still be significant: already for an error rate of $2^{-40}$, this enables the use of 125 circuits instead of 128 and so constitutes a saving. As we will show now, although this results in a saving in bandwidth, it also increases the work.

In order to see this, note that in every circuit that is checked, $P_2$ computes 4 symmetric encryptions per gate, in contrast to a single symmetric encryption in circuits that are computed ($P_1$ pays 4 symmetric encryptions for all circuits in any case). Thus, if half of the $s$ circuits are checked, the overall number of symmetric encryptions by the parties is $4|C|\cdot s+4|C|\cdot \frac{s}{2} + |C|\cdot \frac{s}{2}=6.5|C|s$. In contrast, if 60 % of the circuits are checked, then the overall number of symmetric encryptions is $4|C|\cdot s+4|C|\cdot \frac{3}{5}\cdot s + |C|\cdot \frac{2}{5}\cdot s=6.8|C|s$. To make this comparison concrete, for an error level of $2^{-40}$ one can either open half and use 128 circuits requiring 832 symmetric encryptions per gate, or one can open 60 % and use 125 circuits requiring 850 symmetric encryptions per gate.

Thus, although opening 60 % means saving on bandwidth, it also involves about a 2 % increase in work in the form of symmetric encryptions. The preferred method may depend on the actual network setup and machines being used for the computation. In most cases, the bandwidth seems to be more significant; however, there may be settings where computation is the bottleneck.

Rights and permissions

Reprints and permissions

About this article

Cite this article

Lindell, Y. Fast Cut-and-Choose-Based Protocols for Malicious and Covert Adversaries. J Cryptol 29, 456–490 (2016). https://doi.org/10.1007/s00145-015-9198-0

Download citation

Received: 23 December 2013
Published: 28 February 2015
Issue Date: April 2016
DOI: https://doi.org/10.1007/s00145-015-9198-0

Keywords

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

Fast Cut-and-Choose-Based Protocols for Malicious and Covert Adversaries

Abstract

Similar content being viewed by others

On the Size of Pairing-Based Non-interactive Arguments

Efficient Redactable Signature and Application to Anonymous Credentials

EasyCrypt: A Tutorial

1 Introduction

2 The New Technique and Protocol Outline

3 The Protocol

3.1 A Detailed Efficiency Count and Comparison

4 Proof of Security

Theorem 4.1

Proof

5 Variants: Universal Composability and Covert Adversaries

6 Constructing Modified Cut-and-Choose Oblivious Transfer

6.1 Preliminaries: The \(\textit{RAND}\) Function

Claim 6.1

Proof

Claim 6.2

Proof

6.2 The Protocol for Modified Cut-and-Choose OT

6.3 The Proof of Security of Protocol 6.3

Theorem 6.4

Proof

6.4 Concrete Efficiency: Cut-and-Choose OT

Notes

References

Acknowledgments

Author information

Authors and Affiliations

Corresponding author

Additional information

Appendices

Appendix 1: The Circuit for Step 7 of Protocol 3.1

1.1 The Original Circuit

1.2 The First Optimization

1.3 The Final Optimization

Appendix 2: Definition of Security for Covert Adversaries

Definition 8.1

Appendix 3: A Discussion on the Cut-and-Choose Parameters of [31]

Rights and permissions

About this article

Cite this article

Share this article

Keywords

Search

Navigation