Symmetric Blind Decryption with Perfect Secrecy
Juha Partala

arXiv:1510.06231v1 [cs.CR] 21 Oct 2015

Abstract—A blind decryption scheme enables a user to query decryptions from a decryption server without revealing information about the plaintext message. Such schemes are useful, for example, for the implementation of privacy preserving encrypted file storages and payment systems. In terms of functionality, blind decryption is close to oblivious transfer. For noiseless channels, information-theoretically secure oblivious transfer is impossible. However, in this paper we show that this is not the case for blind decryption. We formulate a definition of perfect secrecy of symmetric blind decryption for the following setting: at most one of the scheme participants is a malicious observer. We also devise a symmetric blind decryption scheme based on modular arithmetic on a ring $\mathbb{Z}_{p^2}$, where $p$ is a prime, and show that it satisfies our notion of perfect secrecy.

Index Terms—Communication system security, Information security

[Figure 1: the Encryptor sends ciphertexts $c_1, c_2, \ldots, c_L$ to Alice; Alice chooses $c_i$ and interacts with the Decryptor, who holds the shared key $k$, to obtain $m_i$.]
Figure 1. Blind decryption. Alice has obtained $L$ ciphertexts from an encryptor and is entitled to choose exactly one of those for decryption. Alice interacts with a decryptor that shares a key $k$ with the encryptor to transform the message $c_i$ into a plaintext message $m_i$. Neither the encryptor nor the decryptor learn the plaintext message chosen by Alice.

I. INTRODUCTION

Over the past 15 years, data has moved from local storage to centralized data warehouses in the cloud. The accessibility of large amounts of personal data through a public network has given rise to many security and privacy issues [1]. Fortunately, such issues have generally been taken seriously. For example, ethical and legal requirements have been imposed on guaranteeing the confidentiality of medical records [2], [3]. However, the implementation of privacy technologies is non-trivial, especially if the data storage has been outsourced to a cloud operator. Sensitive information can often be inferred from simple access patterns either by outsiders or by the operator of the storage. For example, being able to observe a medical doctor accessing the medical record of a patient can leak sensitive information. Therefore, such access patterns should be kept hidden both from outsiders and from the party that is administering the records.

Oblivious databases [4] and privacy-preserving encrypted filesystems [5] are examples of technologies that can be used to hide the access information from the administrator. For such systems, the decryption of data is typically handled by a central decryption server. Such systems can be conveniently implemented using blind decryption schemes [6]. Blind decryption is a versatile primitive. It can be used as a building block for many privacy critical applications, such as privacy-preserving payment systems [7], key escrow systems, oblivious transfer protocols [8], privacy-preserving systems for digital rights management [9], [10] and private information retrieval [11].

A blind decryption scheme consists of an encryption scheme together with a blind decryption protocol intended to decrypt messages in a privacy-preserving fashion. The meaning of "blind decryption" can be easily described based on the following scenario depicted in Figure 1. Suppose that Alice has obtained several encrypted messages from an encryptor. Alice is entitled to choose and decrypt exactly one of those messages. Suppose that the decryption key $k$ is stored on a decryption server and Alice wishes to have the server decrypt the message for her in such a way that neither the encryptor nor the decryptor learn the message chosen by Alice.

There are suggestions for practical blind decryption based on public key cryptography [5], [6], [12]–[14]. It is also possible to implement the blind decryption functionality with other protocols such as secure multi party computation [15]. However, the resulting schemes would be computationally demanding. For many applications symmetric primitives are sufficient and computationally more efficient. In addition, they can provide secrecy that is not based on computational assumptions. Oblivious transfer schemes [16], [17] deliver the same functionality directly between the sender and the receiver without the decryption server. However, for noiseless channels, information-theoretically secure oblivious transfer is impossible [18]. In addition, there do not seem to exist blind decryption schemes such that the privacy of the user is based on information-theoretic security. Our work aims to fill this shortage. In this paper, we give a meaningful definition of perfect secrecy for the blind decryption scenario. In particular, we formulate perfect secrecy of symmetric blind decryption in a setting where at most one of the participants is maliciously observing but adhering to the protocol. We also propose a symmetric key blind decryption scheme SymmetricBlind that satisfies our definition. The scheme is based on modular arithmetic on a ring $\mathbb{Z}_{p^2}$, where $p$ is a prime.

The paper is organized as follows. In Section II, we describe work that is related to ours. Section III discusses the fundamental definitions and the preliminaries for the rest of the paper. In Section IV, we formulate three perfect secrecy properties that the blind decryption scheme needs to satisfy. In Section V, we give a description of a symmetric blind decryption scheme SymmetricBlind. In Section VI, we show that the devised scheme satisfies our definition of perfect secrecy. Finally, Section VII considers future work and Section VIII provides the conclusion.

J. Partala is with the Department of Computer Science and Engineering, University of Oulu, Finland (e-mail: [email protected].fi).

II. RELATED WORK

Chaum was the first to consider blindness in the context of digital signatures and privacy preserving payment systems [7]. He described the first public key blind signature scheme [19] by utilizing the properties of RSA encryption [20]. The scheme can be also used for encryption and can be therefore considered as the first blind decryption scheme. In the early articles, blind decryption is referred to as "blind decoding". Discrete logarithm based blind signature schemes were suggested in [21]–[24]. Sakurai and Yamane were the first to consider public key blind decryption based on the discrete logarithm problem [6]. Their method was based on the ElGamal cryptosystem [25] and related to the blind signature of Camenisch, Piveteau and Stadler [24]. The method was later applied for the implementation of a key escrow system [12]. Mambo, Sakurai and Okamoto were the first to consider blind decryption that is secure against chosen plaintext attacks by signing the ciphertext messages [26]. The resulting scheme is not capable of public key encryption since a secret signing key is required. Green described the first public key blind decryption scheme [5] that is secure against adaptive chosen ciphertext attacks (IND-CCA2) using bilinear groups. The security of these constructions has been considered computationally either in the random oracle model [11] or using computational indistinguishability and infeasibility assumptions [5].

Oblivious transfer protocols are symmetric primitives that offer functionality similar to blind decryption. For oblivious transfer, there are two participants: a sender and a receiver. For the original definition of oblivious transfer, the sender transmits a message which the receiver gets with probability $1/2$. The sender remains oblivious whether the receiver actually got the message. This form of oblivious transfer was introduced by Rabin [16]. The concept was later extended by Even, Goldreich and Lempel [17]. For $\binom{2}{1}$-oblivious transfer, the receiver can choose one from two messages without the sender knowing which of the messages was chosen. A related concept that can be considered as a further generalization is all-or-nothing disclosure of secrets [27] for which Alice is willing to disclose at most one secret from a set to Bob without Bob learning information about the rest of the secrets. Alice must not learn which secret Bob chose. Adaptive queries were considered by Naor and Pinkas [28]. They also considered active adversaries and provided security definitions relating to the simulatability of the receivers. Camenisch, Neven and Shelat extended the work of Naor and Pinkas by defining simulatable oblivious transfer [29] and providing practical constructions for such a scheme. There are other suggestions for oblivious transfer based on problems in bilinear groups [30], groups of composite order [31] and the Diffie-Hellman problem [32]–[37]. These schemes are based on computational assumptions. It is impossible to achieve information-theoretic security for both of the parties using noiseless channels [18]. However, it is possible using noisy channels such as discrete memoryless channels [38] or a trusted initializer [39].

General multiparty computation protocols can be also applied to implement blind decryption capabilities. Secure multiparty computation was originally introduced by Yao [40] for the two party case. The general case for $n \geq 2$ is due to Goldreich, Micali and Wigderson [41]. However, secure multiparty computation protocols are computationally intensive in comparison to pure blind decryption and oblivious transfer.

III. PRELIMINARIES

A. Notation

For the set of integers modulo $n$, we denote $\mathbb{Z}_n = \{[0], [1], \ldots, [n-1]\}$ and equate a congruence class with its least non-negative representative. That is, we consider $\mathbb{Z}_n = \{0, 1, \ldots, n-1\}$. By the notation $x \bmod n$ we mean the unique $i \in \{0, 1, \ldots, n-1\}$ such that $i \equiv x \pmod n$. We denote the uniform distribution on a set $X$ by $U(X)$. If a random variable $Z$ is uniformly distributed on a set $X$, we denote it by $Z \sim U(X)$. When an element $x$ is sampled from $U(X)$, we denote it by $x \leftarrow U(X)$.

B. Symmetric encryption

A symmetric encryption scheme $\mathrm{SE} = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ with keyspace $\mathcal{K}$, plaintext space $\mathcal{M}$ and ciphertext space $\mathcal{C}$ consists of three algorithms:
1) The key generation algorithm $\mathrm{Gen}(s)$: On input a security parameter $s$, Gen outputs a key $k \in \mathcal{K}$.
2) The encryption algorithm $\mathrm{Enc}(k, m)$: On input a key $k \in \mathcal{K}$ and a message $m \in \mathcal{M}$, Enc outputs a ciphertext $c \in \mathcal{C}$.
3) The decryption algorithm $\mathrm{Dec}(k, c)$: On input a key $k \in \mathcal{K}$ and a ciphertext $c \in \mathcal{C}$, Dec outputs a message $m \in \mathcal{M}$ such that $m = \mathrm{Dec}(k, \mathrm{Enc}(k, m))$.

C. Blind decryption

Blind decryption has been considered in the literature for the asymmetric case. However, in this paper we are interested in the symmetric case which is easily adapted from the asymmetric one [5]. A symmetric blind decryption scheme BlindDecryption consists of a symmetric encryption scheme $\mathrm{SE} = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ and a two-party protocol BlindDec. The protocol BlindDec is conducted between an honest user Alice and the decryption server which we shall call the Decryptor. The protocol enables Alice, who is in possession of a ciphertext $c$, to finish the protocol with the correct decryption of $c$. As a result of running BlindDec, Alice on input a ciphertext $c = \mathrm{Enc}(k, m) \in \mathcal{C}$ outputs either the message $m \in \mathcal{M}$ or an error message $\bot$. The Decryptor, on input the key $k \in \mathcal{K}$, outputs nothing or an error message $\bot$.

To be secure, the exchanged messages must not leak information to malicious users (the leak-freeness property [8]). The property can be formalized based on computational indistinguishability. For every adversary, there has to be a simulator so that the following two games are well defined. For the first game, a probabilistic polynomial time (PPT) adversary $A$ can choose any number $L$ of ciphertexts $c_i$ for $i \in \{1, 2, \ldots, L\}$. It is then given the correct decryptions by executing BlindDec with the Decryptor. Finally, $A$ outputs the plaintext message, ciphertext pairs $(m_i, c_i)$ for $i \in \{1, 2, \ldots, L\}$. For the second game, a simulator $S$ chooses any number $L$ of ciphertexts $c_i$ for $i \in \{1, 2, \ldots, L\}$. In this game, the plaintext messages are obtained by querying a trusted party. BlindDecryption is leak-free if for every PPT adversary $A$ there is a simulator $S$ such that for every PPT distinguisher $D$ the probability of distinguishing between these two games is negligible [5].

Another important property for secure blind decryption is the blindness property. It formalizes the idea that the Decryptor must not learn anything about the actual plaintext message. This can be formalized by giving a PPT algorithm $D$ the possibility to choose two ciphertexts $c_1, c_2$ and giving it oracle access to two instances of BlindDec based on these choices. If the probability of distinguishing these two instances is negligible for every PPT algorithm $D$, then BlindDecryption satisfies ciphertext blindness. For a formal and rigorous definition, see for example [5].

D. Perfect secrecy

The notion of perfect secrecy is due to Shannon [42]. Let $\mathrm{SE} = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ be an encryption scheme with keyspace $\mathcal{K}$, plaintext space $\mathcal{M}$ and ciphertext space $\mathcal{C}$. Let $K$ denote a random variable on the keyspace induced by Gen. SE satisfies perfect secrecy if for every random variable $M$ on the plaintext space, every plaintext $m \in \mathcal{M}$ and every ciphertext $c \in \mathcal{C}$,
$$\Pr[M = m \mid c = \mathrm{Enc}(K, M)] = \Pr[M = m].$$
Equivalently, SE satisfies perfect secrecy if and only if for every random variable $M$ on the plaintext space, every pair of plaintext messages $m_1, m_2 \in \mathcal{M}$ and every ciphertext $c \in \mathcal{C}$,
$$\Pr[c = \mathrm{Enc}(K, M) \mid M = m_1] = \Pr[c = \mathrm{Enc}(K, M) \mid M = m_2].$$

IV. PERFECT SECRECY FOR SYMMETRIC BLIND DECRYPTION

Instead of computational indistinguishability, we shall now consider secrecy of symmetric blind decryption based on the information observed by the parties. In the following, let $\mathrm{SE} = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Dec})$ together with BlindDec be a symmetric blind decryption scheme with keyspace $\mathcal{K}$, plaintext space $\mathcal{M}$ and ciphertext space $\mathcal{C}$.

A. The scenario

For the sake of clarity, we do not consider active adversaries. We assume that the parties adhere to the blind decryption protocol and only observe the flow of messages (and possibly deduce information from those messages). Active adversaries could, for example, induce errors to the protocol messages. Such adversarial scenarios are left for future work. In addition, we do not consider the case that the Decryptor is colluding with either Alice or the Encryptor against the other. Such a case is equivalent to the oblivious transfer scenario and information-theoretic security is impossible for noiseless channels [18]. However, we note that such collusion scenarios are important for certain applications and need to be investigated in the future. We do consider the case that the adversary is impersonating one of the parties, which is a paramount requirement for many applications.

For clarity, we also restrict to the case that Alice decrypts a single message $m \in \mathcal{M}$. Similar to the one-time pad, we assume that a new key is derived after every decryption. However, in our case there could be several ciphertexts $c_1, c_2, \ldots, c_L$ encrypted under the same key. Nevertheless, once Alice has decrypted one of the messages we consider that particular key used, and a new key and a new set of ciphertexts is generated.

The scenario is the following. The Encryptor chooses a set of $L$ plaintext messages $m_i$ for $i \in \{1, 2, \ldots, L\}$. He encrypts those messages under a key $k$ to obtain ciphertext messages $c_j = \mathrm{Enc}(k, m_j)$ for $j \in \{1, 2, \ldots, L\}$ that he transmits to Alice. Alice chooses one of those messages $c_i$. To hide the actual ciphertext $c_i$, we assume that there is a ciphertext transformation space $\mathcal{C}' \subseteq \mathcal{C}$ so that Alice can derive a related ciphertext message $c'_i \in \mathcal{C}'$ that she transmits to the Decryptor. The Decryptor responds with its decryption $m'_i \in \mathcal{M}$ which Alice transforms to the correct plaintext message $m_i$. The general scenario has been depicted in Figure 2. The used variables have been collected into Table I for easier reference.

[Figure 2: the Encryptor computes $c_j = \mathrm{Enc}(k, m_j)$ for all $j$ and sends $c_1, c_2, \ldots, c_L$ to Alice; Alice picks $i \in \{1, 2, \ldots, L\}$, derives $c'_i$ from $c_i$ and sends $c'_i$ to the Decryptor; the Decryptor returns $m'_i = \mathrm{Dec}(k, c'_i)$; Alice derives $m_i$ from $m'_i$.]
Figure 2. The general blind decryption scenario. Alice chooses a ciphertext $c_i$ and derives a related ciphertext $c'_i$ that she transmits to the decryptor. The decryptor responds with the corresponding plaintext message $m'_i$ from which Alice can recover $m_i$.

B. Security requirements

As described in Section III-C, the scheme has to satisfy the following property.

Table I. Variables

Symbol | Description
$\mathcal{K}$ | key space
$\mathcal{M}$ | plaintext space
$\mathcal{C}$ | ciphertext space
$\mathcal{C}'$ | ciphertext transformation space
$k$ | blind encryption / decryption key
$L$ | the number of messages encrypted under a single blind decryption key
$m_1, m_2, \ldots, m_L$ | plaintext messages chosen by the Encryptor
$c_1, c_2, \ldots, c_L$ | ciphertext messages obtained by encrypting with the blind encryption key
$c$ or $c_i$ | ciphertext message chosen by Alice
$c'$ or $c'_i$ | transformed ciphertext message chosen by Alice
$m'$ or $m'_i$ | decryption of $c'$ under the blind decryption key
$m$ or $m_i$ | the plaintext message Alice obtains at the end of the scheme

Figure 3. Malicious Encryptor. The adversary attempts to learn which message was chosen by Alice.
Figure 4. Malicious Alice. The adversary attempts to decrypt additional messages.
Figure 5. Malicious Decryptor. The adversary attempts to learn the plaintext message that Alice obtains.

1) Leak-freeness. Malicious observers must not learn information about the plaintext messages by observing the exchanges.

The easiest way to provide leak-freeness against malicious observers that are not participants of the scheme is to protect each exchange with an encryption scheme that satisfies perfect secrecy. However, leakage needs to be also addressed considering maliciousness of the protocol participants. Considering each individual party, we can divide leak-freeness as follows.

1.1) Leak-freeness against the Encryptor. A malicious encryptor must not learn information about the plaintext message obtained by Alice at the end of the protocol by observing the blind decryption messages. The situation is depicted in Figure 3.

1.2) Leak-freeness against Alice. This property ensures that, after obtaining $m_i$, Alice does not learn information about the remaining $L-1$ plaintexts $m_j$ for $j \neq i$. The situation is depicted in Figure 4.

In contrast to computational security, we cannot define leak-freeness as a distinguishing problem. Instead, we shall consider the probability distributions regarding the exchanged elements.

We also want to prevent the Decryptor from deducing information about the plaintext message $m_i$.

2) Blindness against the Decryptor. This property ensures that a malicious decryption server does not learn the message Alice wants to decrypt. The situation is depicted in Figure 5.

In the computational security setting, there can be multiple applications of the blind decryption protocol for a fixed key. In our case, we want a fresh key for every decryption to achieve perfect secrecy. Therefore, we formulate leak-freeness and blindness for a single decryption. However, as was described before, we want to be able to encrypt multiple messages with the same key. For example, in privacy-preserving payment systems blind decryption is used to enable Alice to choose one, but only one, item from a selection of items. This results in a scenario in which there are $L$ plaintext, ciphertext pairs $(m_j, c_j)$ for $j \in \{1, 2, \ldots, L\}$ but there is only a single application of BlindDec.

In the following section, we formulate these conditions based on information. Note that these conditions also provide secrecy against malicious observers that are not participants of the scheme since the information possessed by such observers is a proper subset of that of any of the participants. The following notation is used. Let $K$ denote the random variable of blind decryption keys on the key space $\mathcal{K}$ induced by Gen. Let $M_j$ for $j \in \{1, 2, \ldots, L\}$ denote the random variables corresponding to the choice of $m_j$ for $j \in \{1, 2, \ldots, L\}$ by the
Encryptor and let $M$ denote the random variable corresponding to the plaintext $m$ Alice obtains at the end of the scheme. Following the standard practice [43], we assume that $K$ is independent of $M$ and $M_j$ for every $j \in \{1, 2, \ldots, L\}$. Let $C'$ denote the random variable on the ciphertext transformation space $\mathcal{C}'$ for the ciphertext message $c'$ that Alice discloses to the Decryptor. Finally, let $M'$ denote the random variable corresponding to the message $m'$ that the Decryptor responds with. These variables have been collected into Table II.

Table II. Random variables

Random variable | Description
$K$ | random variable on $\mathcal{K}$ induced by Gen
$M_1, M_2, \ldots, M_L$ | random variables corresponding to the choice of $m_1, m_2, \ldots, m_L$ by the encryptor
$C'$ | random variable on $\mathcal{C}'$ induced by Alice using BlindDec
$M'$ | random variable on $\mathcal{M}$ induced by decryption of $C'$ by the decryptor
$M$ | random variable corresponding to the plaintext message $m$ Alice obtains at the end of the scheme

C. Perfect leak-freeness against the encryptor

We shall first formulate leak-freeness against the Encryptor. The blind decryption protocol messages $c'$ and $m'$ should not disclose any information about $m$ to the Encryptor. Equivalently, the messages should not leak information about the $i$ that was chosen by Alice even if the Encryptor knows the key $k$ and the right plaintext messages $m_j$ for $j \in \{1, 2, \ldots, L\}$.

Definition 4.1 (Perfect leak-freeness against encryptor): A symmetric blind decryption scheme is perfectly leak-free against the encryptor for a single decryption of a maximum of $L$ messages if for every random variable $M, M_j$ for $j \in \{1, 2, \ldots, L\}$ on the plaintext space and every $m, m', m_j \in \mathcal{M}$ for $j \in \{1, 2, \ldots, L\}$ and every $c' \in \mathcal{C}'$,
$$\Pr\Big[M = m \,\Big|\, C' = c' \cap M' = m' \cap \bigcap_{j=1}^{L} M_j = m_j\Big] = \Pr\Big[M = m \,\Big|\, \bigcap_{j=1}^{L} M_j = m_j\Big].$$

Our definition states that a malicious Encryptor can equally easily guess the plaintext message Alice wanted to be decrypted with or without the information provided by the blind decryption protocol messages $c'$ and $m'$. Note that, in the normal scenario, $M = M_i$ for some $i \in \{1, 2, \ldots, L\}$. However, we do not want to restrict the definition to such a case. For example, there could be homomorphic blind decryption schemes for which certain operations could be permitted on the ciphertexts. Note also that the Encryptor inherently possesses more information about $m$ than an outsider since $m$ is dependent on $m_1, m_2, \ldots, m_L$.

D. Perfect leak-freeness against Alice

In order to be practical, the scheme needs to ensure that Alice is not able to decrypt messages. Therefore, we need to ensure that Alice obtains neither the decryption key nor any information about the decryptions of $c_1, c_2, \ldots, c_L$ without interacting with the Decryptor. In addition, after a single application of BlindDec, Alice must not have any information about the remaining $L-1$ messages. To make the requirement precise, we require that the observation of a single plaintext, ciphertext pair $(m_1, c_1)$ does not leak any information about the decryption of another ciphertext $c_2$. The property is, in fact, a property of the encryption scheme.

Definition 4.2 (Perfect leak-freeness against Alice): A symmetric encryption scheme SE satisfies perfect leak-freeness against Alice for a single decryption if for every random variable $M_1, M_2$ on the plaintext space, every $m_1, m_2, m \in \mathcal{M}$ and every $c_1, c_2 \in \mathcal{C}$ such that $c_1 \neq c_2$,
$$\Pr[c_1 = \mathrm{Enc}(K, M_1) \cap c_2 = \mathrm{Enc}(K, M_2) \mid M_1 = m_1 \cap M_2 = m_2] = \Pr[c_1 = \mathrm{Enc}(K, M_1) \cap c_2 = \mathrm{Enc}(K, M_2) \mid M_1 = m_1 \cap M_2 = m].$$

The condition states that the probability of obtaining the ciphertext pair $(c_1, c_2)$ is the same whether we encrypt $(m_1, m_2)$ or $(m_1, m)$. That is, observation of the ciphertexts $c_1, c_2$ does not yield information about the decryption of $c_2$ even if we know the decryption of $c_1$.

E. Perfect blindness against the decryptor

We still need to consider privacy against a malicious Decryptor. It is reasonable to assume that $c_1, c_2, \ldots, c_L$ have been delivered to Alice using a private channel. If the Decryptor can observe $c_j$ for $j \in \{1, 2, \ldots, L\}$, it means that he knows the corresponding plaintext messages since he is in possession of the blind decryption key. Therefore, it is natural to require that the ciphertexts are protected by a separate … between Alice and the Encryptor. For the blindness property we want the server to learn nothing of the actual message $m$ that Alice derives at the end of the blind decryption scheme. In this case, the Decryptor knows the correct key $k$ as well as the messages $c'$ and $m'$ exchanged with Alice.

Definition 4.3 (Perfect ciphertext blindness against the decryptor): A symmetric blind decryption scheme satisfies perfect ciphertext blindness against the decryptor if for every random variable $M$ on the plaintext space and every $m, m' \in \mathcal{M}$ and every $c' \in \mathcal{C}'$
$$\Pr[M = m \mid C' = c' \cap M' = m'] = \Pr[M = m].$$

The condition states that it is equally easy to guess the correct plaintext message with and without the information possessed by the decryptor. Note that we have assumed that $c_1, c_2, \ldots, c_L$ have been delivered to Alice in perfect secrecy.

F. Perfect secrecy for symmetric blind decryption

Finally, we can state our definition of perfect secrecy based on the properties defined above.

Definition 4.4 (Perfect secrecy of blind decryption): A symmetric blind decryption scheme consisting of a symmetric encryption scheme SE and a blind decryption protocol BlindDec satisfies perfect secrecy for symmetric blind decryption for
a single decryption of a maximum of $L$ messages against a single malicious party if the scheme is perfectly leak-free against the encryptor for a maximum of $L$ messages, SE is leak-free against Alice and the scheme satisfies perfect ciphertext blindness against the decryptor.

[Figure 6: between Alice and the Encryptor, the inner tier maps $m_i \mapsto c_i$ (2PAD) and the outer tier SE carries $c_i$ to Alice as $u_i$; between Alice and the Decryptor, Alice maps $c_i \mapsto c'_i$ (2PAD Map), the outer tier SE carries $c'_i$ and $m'_i$ as $w$ and $w'$, the Decryptor maps $c'_i \mapsto m'_i$ (2PAD), and Alice maps $m'_i \mapsto m_i$ (2PAD Map).]
Figure 6. General overview of SymmetricBlind. Two tiers of encryption are applied. The outer tier (SE) satisfies ordinary perfect secrecy. The inner tier (2PAD) provides perfect leak-freeness against Alice and has a transformation property enabling perfect blindness against the decryptor.

V. A CONCRETE BLIND DECRYPTION SCHEME

We shall now devise a blind decryption scheme SymmetricBlind that satisfies Def. 4.4. We shall implement our scheme using two tiers of symmetric encryption. For the outer tier we apply a scheme that satisfies ordinary perfect secrecy. Let that scheme be denoted by SE. The outer encryption scheme will hide information about $c_1, c_2, \ldots, c_L$ from the Decryptor and also provide secrecy for $c'$ and $m'$ against the Encryptor. To achieve perfect blindness and leak-freeness against Alice, we design an inner tier encryption scheme called 2PAD that satisfies a useful transformation property. The property enables us to construct a blind decryption protocol BlindDec. To sum it up, our final construction will consist of two tiers of encryption and a protocol for Alice to query a single decryption from the Decryptor. The general overview of the scheme is depicted in Figure 6.

It would be possible to implement some of the required privacy properties with multiple applications of the one time pad. For example, if $c_i = m_i \oplus k_i$, Alice could hide the plaintext message from the Decryptor by querying for the decryption of $c'_i = c_i \oplus k'$, where $k'$ is only known to Alice. The correct plaintext message would be obtained from $m'_i = c'_i \oplus k_i = c_i \oplus k' \oplus k_i$ by computing $m'_i \oplus k' = c_i \oplus k_i = m_i$. However, such a protocol would leak $i$ to the Decryptor since $i$ would be needed for decryption. In addition, for a single decryption, the Decryptor would have to maintain a set of $L$ keys which would quickly grow to an unmanageable size as $L$ grows. In contrast, the optimal key size for a single decryption would be $2|m_i|$, where $|m_i|$ is the bit length of $m_i$, assuming that each plaintext message is of the same bit length. Therefore, simply applying the one time pad is not sufficient.

In the following, we first describe our inner encryption scheme 2PAD that will provide perfect leak-freeness against Alice, as well as the required message transformation property. Then, we proceed to the description of a blind decryption protocol utilizing this scheme. Finally, we combine the inner encryption scheme with an outer encryption scheme that satisfies ordinary perfect secrecy and describe the complete blind decryption scheme.

A. The inner encryption scheme

We shall first construct an inner encryption scheme called 2PAD with some useful properties. Our inner scheme is based on modular arithmetic on the ring $\mathbb{Z}_{p^2}$, where $p \geq 5$ is a prime. Our plaintext space is $\mathbb{Z}_p$ and every $m \in \mathbb{Z}_p$ is mapped to $\mathbb{Z}_{p^2}$ which is the ciphertext space. To satisfy Def. 4.2, we want to add an amount of randomness that is at least twice the binary length of $m$ in the encryption operation. Therefore, the keys of 2PAD will consist of a pair $(x_k, y_k) \in \mathbb{Z}_p \times \mathbb{Z}_p$. Let $z \in \mathbb{Z}_{p^2}$. Then,
$$z \equiv p z' + z'' \pmod{p^2}$$
where $z', z'' \in \mathbb{Z}_p$. Therefore, we can essentially represent $z$ with two elements of $\mathbb{Z}_p$. Using such a representation, we encrypt a single message $m \in \mathbb{Z}_p$ by first sampling a random element $z \leftarrow U(\mathbb{Z}_p \setminus \{0\})$ and setting $b := (pm + z) \bmod p^2$. Then, we add the key $(x_k, y_k)$ by computing
$$c := (p x_k b^2 + p y_k b + b) \bmod p^2 = p x_k z^2 + p y_k z + pm + z$$
which is the ciphertext message. Such an encryption operation entails a useful transformation property. For every $x_k, y_k \in \mathbb{Z}_p$ and $b, b' \in \mathbb{Z}_{p^2}$ such that $b \equiv b' \pmod p$,
$$p x_k b'^2 + p y_k b' + b \equiv p x_k b^2 + p y_k b + b \pmod{p^2}.$$
Namely, if we know a plaintext $m_1$ and its encryption $c_1 = p x_k z^2 + p y_k z + p m_1 + z$, we know the decryption $m_2$ of $c_2$ for every $c_2 \equiv c_1 \pmod p$ since it can be computed by the following algorithm.

1: procedure Map($c_1, m_1, c_2$)
2:   If $c_1 \not\equiv c_2 \pmod p$ output $\bot$
3:   $m_2 := (c_2 - c_1 + p m_1)/p$
4:   output $m_2$
5: end procedure

Let $z \equiv c_1 \equiv c_2 \pmod p$. The algorithm works because
$$(c_2 - c_1 + p m_1)/p = (p x_k z^2 + p y_k z + p m_2 + z - p x_k z^2 - p y_k z - p m_1 - z + p m_1)/p = (p m_2)/p = m_2.$$
The Map algorithm can transform the decryption $m_1$ of a ciphertext $c_1$ to the decryption $m_2$ of $c_2$ whenever $c_2 \equiv c_1 \pmod p$.

Decryption is straightforward knowing the key $(x_k, y_k)$. Its operation, as well as the complete encryption scheme, is described below.

Definition 5.1 (2PAD): The symmetric encryption scheme $\mathrm{2PAD} = (\mathrm{Gen}_{\mathrm{2PAD}}, \mathrm{Enc}_{\mathrm{2PAD}}, \mathrm{Dec}_{\mathrm{2PAD}})$ consists of the following three algorithms.

procedure Gen_2PAD(s)    ▷ s determines the size of the plaintext space
    Choose a public prime p such that p ≥ 5 and p ≥ 2^s
    x_k ← U(Z_p)
    y_k ← U(Z_p)
    output (x_k, y_k)
end procedure

procedure Enc_2PAD(x_k, y_k, m)    ▷ Input consists of a key (x_k, y_k) and a message m ∈ Z_p
    z ← U(Z_p ∖ {0})
    b := (pm + z) mod p^2
    c := (p x_k b^2 + p y_k b + b) mod p^2
    output c
end procedure

procedure Dec_2PAD(x_k, y_k, c)    ▷ Input consists of a key (x_k, y_k) and a ciphertext c ∈ Z_{p^2}
    z := c mod p
    t := (p(−x_k) z^2 + p(−y_k) z + c) mod p^2
    m := (t − z)/p
    output m
end procedure

The plaintext and ciphertext spaces of 2PAD depend on the chosen prime $p$. In particular, the plaintext space is $\mathbb{Z}_p$ while the ciphertext space is $\mathbb{Z}_{p^2}$. Let us show the correctness of the scheme. That is,
$$\mathrm{Dec}_{\mathrm{2PAD}}(x_k, y_k, \mathrm{Enc}_{\mathrm{2PAD}}(x_k, y_k, m)) = m$$
for every key $(x_k, y_k)$ and plaintext $m$. Let $c = \mathrm{Enc}_{\mathrm{2PAD}}(x_k, y_k, m)$. Then we have
$$c = p x_k b^2 + p y_k b + b \equiv p x_k z^2 + p y_k z + p m + z \pmod{p^2}$$
and $c \bmod p = z$, where $z \in \mathbb{Z}_p$. Now,
$$\mathrm{Dec}_{\mathrm{2PAD}}(x_k, y_k, c) = (t - z)/p = (p(-x_k) z^2 + p(-y_k) z + p x_k z^2 + p y_k z + p m + z - z)/p = (p m + z - z)/p = m.$$

We shall later show that given a single plaintext, ciphertext pair $(m_1, c_1)$ and a ciphertext $c_2$ such that $c_2 \not\equiv c_1 \pmod p$ we still have information theoretic security for $c_2$. That is, 2PAD satisfies perfect leak-freeness against Alice whenever $c_i \not\equiv c_j \pmod p$ for $i \neq j$. However, suppose that we have two plaintext, ciphertext pairs $(m_1, c_1), (m_2, c_2)$ such that $c_1 \not\equiv c_2 \pmod p$. We can show that the key $x_k, y_k$ can be completely determined from such two pairs.

Proposition 5.1: For every plaintext, ciphertext pair $(m_1, c_1), (m_2, c_2)$ such that $c_1 \not\equiv c_2 \pmod p$ there is a unique key $(x_k, y_k)$ such that
$$c_1 = \mathrm{Enc}_{\mathrm{2PAD}}(x_k, y_k, m_1), \quad c_2 = \mathrm{Enc}_{\mathrm{2PAD}}(x_k, y_k, m_2).$$

Proof: Let $z_1, z_2 \in \mathbb{Z}_p$ such that $z_1 \equiv c_1 \pmod p$ and $z_2 \equiv c_2 \pmod p$. Let also $v_1 = (c_1 - p m_1 - z_1)/p$ and $v_2 = (c_2 - p m_2 - z_2)/p$. Then, we have a system of two equations
$$v_1 = x_k z_1^2 + y_k z_1, \qquad v_2 = x_k z_2^2 + y_k z_2,$$
where $v_1, v_2, z_1, z_2$ are known. Let now
$$Z = \begin{pmatrix} z_1^2 & z_2^2 \\ z_1 & z_2 \end{pmatrix}.$$
Note that since $z_1, z_2 \not\equiv 0 \pmod p$ and $z_1 \not\equiv z_2 \pmod p$ we have $z_1^2 z_2 - z_1 z_2^2 \not\equiv 0 \pmod p$ and $Z$ is invertible modulo $p$. Therefore, the equation pair has a unique solution
$$\begin{pmatrix} v_1 & v_2 \end{pmatrix} \cdot Z^{-1} = \begin{pmatrix} x_k z_1^2 + y_k z_1 & x_k z_2^2 + y_k z_2 \end{pmatrix} \cdot Z^{-1} = \begin{pmatrix} x_k & y_k \end{pmatrix} \begin{pmatrix} z_1^2 & z_2^2 \\ z_1 & z_2 \end{pmatrix} \cdot Z^{-1} = \begin{pmatrix} x_k & y_k \end{pmatrix}.$$

Due to Map, we require that if Bob sends $L$ ciphertext messages $c_1, c_2, \ldots, c_L$ to Alice we have $c_i \not\equiv c_j \pmod p$ for every $i \neq j$. Therefore, the maximum number of ciphertext messages under the same key is determined by $L \leq p - 1$.

B. Blind decryption protocol

Next, we give a description of a blind decryption protocol based on the transformation algorithm Map.

Definition 5.2 (BlindDec): Suppose that the Encryptor and the Decryptor share a key $(x_k, y_k) = \mathrm{Gen}_{\mathrm{2PAD}}(s)$ intended for a single decryption by Alice. Furthermore, let Alice have an encrypted message $c = \mathrm{Enc}_{\mathrm{2PAD}}(x_k, y_k, m)$ that is not known to the Decryptor. Finally, suppose that the prime $p$ is public knowledge. Let the protocol BlindDec be defined by the following exchange between Alice and the Decryptor:

1) Alice: Compute $c' := c \bmod p$ and transmit it to the Decryptor.
2) Decryptor: Reply with $m' = \mathrm{Dec}_{\mathrm{2PAD}}(x_k, y_k, c')$.
3) Alice: Compute the plaintext message $m = \mathrm{Map}(c', m', c)$.

Let us quickly check the correctness of BlindDec. Let $z \equiv c' \equiv c \pmod p$. Then, $c = p x_k z^2 + p y_k z + p m + z$, where $m$ is the plaintext message. The Decryptor replies with
$$m' = (p(-x_k) z^2 + p(-y_k) z + z - z)/p = (-x_k) z^2 + (-y_k) z.$$
But now Alice can compute
$$\mathrm{Map}(c', m', c) = (c - z + p m')/p = (p x_k z^2 + p y_k z + p m + z - z + p m')/p = (p x_k z^2 + p y_k z + p m - p x_k z^2 - p y_k z)/p = (p m)/p = m$$
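The scheme and protocol above as an added worked example in Python (this is not the paper's code: the function names gen_2pad, enc_2pad, dec_2pad, map_2pad, blind_dec, recover_key and index_from_residue are this example's own, and the toy parameters p = 11, key (3, 7) are constructed). It also carries out the Proposition 5.1 key recovery from two pairs in different residue classes and shows why an unprotected c' reveals Alice's index, the point made in Sections VI-A and VII.

```python
import secrets


def gen_2pad(p):
    """Gen_2PAD: draw the key (x_k, y_k) uniformly from Z_p x Z_p (p >= 5 prime)."""
    return secrets.randbelow(p), secrets.randbelow(p)


def enc_2pad(p, key, m, z=None):
    """Enc_2PAD over Z_{p^2}.  z is the per-message randomness from Z_p \\ {0};
    the caller may fix it only to make a worked example reproducible."""
    xk, yk = key
    if not 0 <= m < p:
        raise ValueError("plaintext must lie in Z_p")
    if z is None:
        z = 1 + secrets.randbelow(p - 1)
    p2 = p * p
    b = (p * m + z) % p2
    return (p * xk * b * b + p * yk * b + b) % p2


def dec_2pad(p, key, c):
    """Dec_2PAD: remove the key-dependent terms, then read m off pm + z."""
    xk, yk = key
    p2 = p * p
    z = c % p
    t = (p * (-xk) * z * z + p * (-yk) * z + c) % p2
    return (t - z) // p


def map_2pad(p, c1, m1, c2):
    """Map: turn the decryption m1 of c1 into the decryption of c2.  This works
    exactly when c1 and c2 share the residue z modulo p (Section V)."""
    if c1 % p != c2 % p:
        raise ValueError("Map requires c1 == c2 (mod p)")
    return ((c2 - c1 + p * m1) % (p * p)) // p


def blind_dec(p, key, c):
    """BlindDec between Alice and the Decryptor.  The outer SE_n layer that
    hides c' and m' from the Encryptor is omitted here.  Returns (m, c', m')."""
    c_prime = c % p                       # 1) Alice transmits only the residue
    m_prime = dec_2pad(p, key, c_prime)   # 2) Decryptor's reply depends on the key and c' alone
    m = map_2pad(p, c_prime, m_prime, c)  # 3) Alice lifts the reply to her own ciphertext
    return m, c_prime, m_prime


def recover_key(p, pair1, pair2):
    """Proposition 5.1: two (m, c) pairs whose ciphertexts lie in different
    nonzero residue classes mod p determine (x_k, y_k) by solving a 2x2 system
    mod p.  This is why one key must serve at most one decryption."""
    (m1, c1), (m2, c2) = pair1, pair2
    z1, z2 = c1 % p, c2 % p
    if z1 == z2 or 0 in (z1, z2):
        raise ValueError("need c1 != c2 (mod p) with nonzero residues")
    v1 = ((c1 - p * m1 - z1) // p) % p    # v1 = x_k z1^2 + y_k z1 (mod p)
    v2 = ((c2 - p * m2 - z2) // p) % p    # v2 = x_k z2^2 + y_k z2 (mod p)
    det_inv = pow(z1 * z2 * (z1 - z2) % p, -1, p)   # det Z = z1^2 z2 - z1 z2^2
    xk = (v1 * z2 - v2 * z1) * det_inv % p
    yk = (v2 * z1 * z1 - v1 * z2 * z2) * det_inv % p
    return xk, yk


def index_from_residue(p, c_prime, ciphertexts):
    """Section VI-A caveat: without the outer encryption the residue c' = c_i mod p
    identifies Alice's choice i, because the L ciphertexts must lie in distinct
    residue classes mod p for Map to apply."""
    return next(j for j, c in enumerate(ciphertexts) if c % p == c_prime)


if __name__ == "__main__":
    p, key = 11, (3, 7)                   # constructed toy parameters, not from the paper
    msgs = [4, 9, 2]
    cts = [enc_2pad(p, key, m, z=z) for m, z in zip(msgs, (1, 2, 3))]
    m, c_prime, m_prime = blind_dec(p, key, cts[1])
    print("Alice recovers", m, "from reply", m_prime, "to c' =", c_prime)
    print("key from two pairs:", recover_key(p, (msgs[0], cts[0]), (msgs[1], cts[1])))
    print("unprotected c' reveals index", index_from_residue(p, c_prime, cts))
```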

which is the correct plaintext message.

C. The complete blind decryption scheme

As was mentioned earlier, the communication between Alice and the Encryptor has to be protected in order to prevent the Decryptor from obtaining the plaintext messages corresponding to $c_1, c_2, \ldots, c_L$. If the Decryptor can observe these ciphertext messages, it can freely decrypt all of them since it knows the correct key. Therefore, we need to apply an outer encryption scheme that hides the ciphertext messages. The same solution is the easiest way to provide perfect leak-freeness against the Encryptor since it enables us to simplify the secrecy conditions. In our case, we want to protect both of these exchanges with an outer tier of encryption that provides perfect secrecy. Let $\mathrm{SE}_n = (\mathrm{Gen}_n, \mathrm{Enc}_n, \mathrm{Dec}_n)$ be any symmetric encryption scheme such that the plaintext and ciphertext space is $\mathbb{Z}_n$. Let it also satisfy (ordinary) perfect secrecy. We apply 2PAD together with $\mathrm{SE}_n$ to provide the required leak-freeness and blindness properties.

The outer tier is composed in the following way. Alice and the Encryptor share a set of keys $k_1, k_2, \ldots, k_L$. The Encryptor protects each ciphertext message by computing $u_j = \mathrm{Enc}_{p^2}(k_j, c_j)$ for $j \in \{1, 2, \ldots, L\}$. It sends $u_1, u_2, \ldots, u_L$ to Alice. Similarly, Alice and the Decryptor share a pair of keys $k_C, k_P$ that are used to protect $c_i'$ and $m_i'$. Alice sends $w = \mathrm{Enc}_p(k_C, z)$ to the Decryptor, who responds with $w' = \mathrm{Enc}_p(k_P, m')$. The resulting scheme SymmetricBlind is defined as follows.

Definition 5.3 (SymmetricBlind): Let $\mathrm{SE}_n = (\mathrm{Gen}_n, \mathrm{Enc}_n, \mathrm{Dec}_n)$ be a symmetric encryption scheme such that the plaintext and ciphertext space is $\mathbb{Z}_n$ and let $\mathrm{SE}_n$ satisfy perfect secrecy. Let Alice and the Encryptor share a set of keys $k_1, k_2, \ldots, k_L$. Let Alice and the Decryptor share a pair of keys $k_C, k_P$ intended for a single blind decryption by Alice. Let also the Encryptor and the Decryptor share a blind decryption key $(x_k, y_k) = \mathrm{Gen}_{\mathrm{2PAD}}(s)$, where $2^s \geq L + 1$, that is intended for a single blind decryption by Alice. SymmetricBlind is determined by the following protocol.

Encryptor: Choose $m_1, m_2, \ldots, m_L$. For all $j$, compute $c_j = \mathrm{Enc}_{\mathrm{2PAD}}(x_k, y_k, m_j)$ such that $c_j \not\equiv c_{j'} \pmod p$ for all $j \neq j'$. For all $j$, compute $u_j = \mathrm{Enc}_{p^2}(k_j, c_j)$.
Encryptor $\to$ Alice: $u_1, u_2, \ldots, u_L$.
Alice: For all $j$, compute $c_j = \mathrm{Dec}_{p^2}(k_j, u_j)$. Pick $i$. Compute $c' = c_i \bmod p$ and $w = \mathrm{Enc}_p(k_C, c')$.
Alice $\to$ Decryptor: $w$.
Decryptor: Compute $c' = \mathrm{Dec}_p(k_C, w)$, $m' = \mathrm{Dec}_{\mathrm{2PAD}}(x_k, y_k, c')$ and $w' = \mathrm{Enc}_p(k_P, m')$.
Decryptor $\to$ Alice: $w'$.
Alice: Compute $m' = \mathrm{Dec}_p(k_P, w')$ and $m_i = \mathrm{Map}(c', m', c_i)$.

VI. SECURITY OF SYMMETRICBLIND

We shall now consider the security of SymmetricBlind. We proceed to show that the devised scheme satisfies the three conditions formulated in Section IV: perfect leak-freeness against the encryptor and Alice, and perfect blindness against the decryptor.

A. Perfect leak-freeness against the encryptor

Proposition 6.1: SymmetricBlind satisfies perfect leak-freeness against the encryptor for a single decryption of a maximum of $L \leq p - 1$ messages, where $p$ is determined by $\mathrm{Gen}_{\mathrm{2PAD}}(s)$.

Proof: The claim follows directly from the observation that the Encryptor sees only $w$ and $w'$. By the description of SymmetricBlind, $c'$ and $m'$ are protected by encryption satisfying perfect secrecy and thus do not leak information to the Encryptor.

It is easy to see that the outer tier of encryption is necessary. Suppose that the outer encryption scheme was not applied. Then $c'$ would leak $c_i \bmod p$, which would betray $i$ to the Encryptor.

B. Perfect blindness against the decryptor

We shall now prove that the Decryptor does not get information about the plaintext message.

Proposition 6.2: SymmetricBlind satisfies perfect blindness against the decryptor for a single blind decryption.

Proof: Since $c_1, c_2, \ldots, c_L$ are protected with perfect secrecy, we only need to show that
$$\Pr[M = m \mid C' = c' \cap M' = m'] = \Pr[M = m],$$
where $C'$ and $M'$ are the random variables associated to the messages $c'$ and $m'$, respectively. Let $X, Y$ denote the random variables corresponding to the key elements $(x_k, y_k) \leftarrow \mathrm{Gen}(s)$, respectively. The reply $m'$ from the Decryptor is completely determined by the key $(x_k, y_k)$ and the element $c' = c_i \bmod p$ since $m' = (-x_k) c'^2 + (-y_k) c'$. Therefore,
$$\Pr[M = m \mid C' = c' \cap M' = m'] = \Pr[M = m \mid X = x_k \cap Y = y_k \cap C' = c'].$$
Let us consider $C'$. By the description of the scheme, we have $C' = C_i \bmod p$, where $i$ is the index chosen by Alice. But for every $i$ we have, by the description of $\mathrm{Enc}_{\mathrm{2PAD}}$, that $C_i \bmod p \sim U(\mathbb{Z}_p \setminus \{0\})$. Therefore, $C'$ is independent of $X$ and $Y$ and
$$\Pr[M = m \mid X = x_k \cap Y = y_k \cap C' = z] = \Pr[M = m \mid X = x_k \cap Y = y_k \cap C' = z']$$
for every $z, z' \in \mathbb{Z}_p \setminus \{0\}$ and
$$\Pr[M = m \mid X = x_k \cap Y = y_k] = \sum_{z \in \mathbb{Z}_p \setminus \{0\}} \Pr[M = m \mid X = x_k \cap Y = y_k \cap C' = z] \cdot \Pr[C' = z \mid X = x_k \cap Y = y_k] = \frac{1}{p-1} \cdot \sum_{z \in \mathbb{Z}_p \setminus \{0\}} \Pr[M = m \mid X = x_k \cap Y = y_k \cap C' = z] = \Pr[M = m \mid X = x_k \cap Y = y_k \cap C' = z]$$

for any $z \in \mathbb{Z}_p$. By our assumption, $M$ is independent of $X$ and $Y$ and therefore we have
$$\Pr[M = m \mid X = x_k \cap Y = y_k] = \Pr[M = m],$$
which shows our claim.

The proof shows that the Decryptor (with the knowledge of the key $(x_k, y_k)$ and $c'$ and $m'$) does not gain any information about the plaintext message $m$ assuming that $c_j$ for $j \in \{1, 2, \ldots, L\}$ have been delivered to Alice in perfect secrecy. Considering the secrecy against the Decryptor, it would suffice to send $c'$ without the additional level of encryption. However, the additional level is necessary to achieve leak-freeness against the Encryptor.

C. Perfect leak-freeness against Alice

We shall now consider a malicious Alice and show that the observation of a single plaintext, ciphertext pair $(m_1, c_1)$ does not yield information about the decryption of $c_2$ for $c_2 \not\equiv c_1 \pmod p$.

Proposition 6.3: SymmetricBlind satisfies perfect leak-freeness against Alice for a single decryption of a maximum of $L \leq p - 1$ ciphertexts.

Proof: By the description of SymmetricBlind, the ciphertext messages $c_1, c_2, \ldots, c_L$ are of different congruence classes modulo $p$. Let $M_1, M_2$ be random variables over the plaintext space $\mathbb{Z}_p$. Let $X, Y$ denote the random variables corresponding to the key elements $(x_k, y_k) = \mathrm{Gen}_{\mathrm{2PAD}}(s)$. We have to show that
$$\Pr[c_1 = \mathrm{Enc}_{\mathrm{2PAD}}(X, Y, M_1) \cap c_2 = \mathrm{Enc}_{\mathrm{2PAD}}(X, Y, M_2) \mid M_1 = m_1 \cap M_2 = m_2 \cap c_1 \not\equiv c_2 \pmod p]$$
$$= \Pr[c_1 = \mathrm{Enc}_{\mathrm{2PAD}}(X, Y, M_1) \cap c_2 = \mathrm{Enc}_{\mathrm{2PAD}}(X, Y, M_2) \mid M_1 = m_1 \cap M_2 = m \cap c_1 \not\equiv c_2 \pmod p]$$
for every $m_1, m_2, m \in \{0, 1, 2, \ldots, p-1\}$ and $c_1, c_2 \in \mathbb{Z}_{p^2}$ such that $c_1 \not\equiv c_2 \pmod p$.

Given a valid assignment for $m_1, c_1$ and $c_2$, it suffices to show that
$$\Pr[c_1 = \mathrm{Enc}_{\mathrm{2PAD}}(X, Y, M_1) \cap c_2 = \mathrm{Enc}_{\mathrm{2PAD}}(X, Y, M_2) \mid M_1 = m_1 \cap M_2 = m \cap c_1 \not\equiv c_2 \pmod p] = 1/p^2$$
for every $m \in \mathbb{Z}_p$. By Proposition 5.1, for every plaintext, ciphertext pair $(m_1, c_1), (m, c_2)$ such that $c_1 \not\equiv c_2 \pmod p$ there is a unique key $(x_k, y_k)$. Therefore,
$$\Pr[c_1 = \mathrm{Enc}_{\mathrm{2PAD}}(X, Y, M_1) \cap c_2 = \mathrm{Enc}_{\mathrm{2PAD}}(X, Y, M_2) \mid M_1 = m_1 \cap M_2 = m \cap c_1 \not\equiv c_2 \pmod p] = \Pr[X = x_k \cap Y = y_k].$$
By the definition of $\mathrm{Gen}_{\mathrm{2PAD}}$, $X$ and $Y$ are independent and we have
$$\Pr[X = x_k \cap Y = y_k] = \Pr[X = x_k] \cdot \Pr[Y = y_k] = 1/p^2.$$
We have now established the perfect secrecy of SymmetricBlind according to Def. 4.4.

Table III
PARAMETER EXAMPLES FOR SYMMETRICBLIND

p            Decryptor key length [bits]   plaintext length [bits]   ciphertext length [bits]
5            12                            3                         5
7            12                            3                         6
11           16                            4                         7
23           20                            5                         10
101          28                            7                         14
1009         40                            10                        20
5003         52                            13                        25
20011        60                            15                        29
2^31 − 1     124                           31                        62
2^61 − 1     244                           61                        122
2^127 − 1    508                           127                       254

D. The parameters

An optimal encryption scheme, with plaintext space $\mathcal{M}$, that satisfies perfect leak-freeness against Alice for a single decryption needs $2 \log_2 |\mathcal{M}|$ bits of randomness for a key. 2PAD achieves exactly this bound since the plaintext space is $\mathbb{Z}_p$ and a single key $(x_k, y_k)$ contains $2 \log_2 p$ bits of randomness. Assuming that messages and keys are represented by binary strings, we need $2 \lceil \log_2 p \rceil$ bits of key to encrypt messages of length $\lfloor \log_2 p \rfloor$. For a single decryption with SymmetricBlind, the Decryptor needs to store the key elements $x_k, y_k \in \mathbb{Z}_p$, as well as the keys $k_C, k_P$. The keys $k_C, k_P$ are used to encrypt messages of $\mathbb{Z}_p$. Therefore, $\lceil \log_2 p \rceil$ bits for each of these keys suffice for perfect secrecy. In total, the Decryptor needs to store key material of $4 \lceil \log_2 p \rceil$ bits for a single decryption of a message of bit length $\lfloor \log_2 p \rfloor$. Since the ciphertext space is $\mathbb{Z}_{p^2}$, the ciphertext length in bits is approximately twice the plaintext length. Depending on the length of the plaintext messages and the needed maximum number $L \leq p - 1$ of messages, we should therefore choose the smallest possible $p$, since its bit size has no effect on the security of the scheme. Table III lists some possible choices for $p$ and the resulting key, plaintext and ciphertext lengths in bits. Note that for long plaintext messages the maximum number of messages $L$ is practically unlimited.

VII. FUTURE WORK

There are two main drawbacks of the construction presented in this paper. First, we have not considered active adversaries. Similar to the one time pad, we have only considered such adversaries that observe the flow of messages. For practical scenarios, we need to consider adversaries that actively induce errors into the protocol flow. However, such considerations are most naturally conducted in the computational infeasibility model, which has been used, for instance, in [5]. In the active adversaries setting, it would also be natural to consider the security of the devised scheme in the framework of computational indistinguishability such that the truly random keys are exchanged with pseudorandom bit strings. In particular, the computationally hard version of our scheme yields efficient practical implementations.

The second drawback is that we have only considered the case of a single malicious party. While it does not make sense to consider a scenario where Alice is colluding with

the Encryptor against the Decryptor, the scenario where the Encryptor and the Decryptor are colluding is an important one. For many scenarios Alice cannot be certain whether the Encryptor and the Decryptor are in fact separate entities. However, if they are a single entity, the scenario is identical to oblivious transfer. We cannot achieve information-theoretic security in such a case [18]. For example, it is easy to see that our construction fails for a colluding Encryptor and Decryptor. If that is the case, we effectively remove the outer layer of encryption, which means that $c' = c_i \bmod p$ leaks $i$ to the adversary. To provide security against a colluding Encryptor and Decryptor, we would need to detect such collusion or to turn to computational assumptions. We leave the question as an open problem for future research.

Another interesting question for future work is to consider the case where we do not apply the outer layer of encryption from the Encryptor to Alice. Thus far, we have defined perfect blindness so that the Decryptor has absolutely no information about the plaintext message. However, we could relax the requirement so that – similar to leak-freeness against the encryptor – the information is conditioned on the plaintexts $m_1, m_2, \ldots, m_L$. In other words, we could relax the requirement so that the Decryptor may observe the selection (and the corresponding plaintext messages) given to Alice. Such a relaxation is natural in the oblivious transfer case where the Encryptor and the Decryptor are the same entity. We could then define blindness as a property requiring only that the selection $i$ is hidden. It is again easy to see that our scheme without the outer layer of encryption fails such a property. If $c_1, c_2, \ldots, c_L$ are not protected, then $c' = c_i \bmod p$ leaks the selection $i$. We leave this consideration also for future work.

VIII. CONCLUSION

In this paper, we give a definition of perfect secrecy for symmetric blind decryption in the setting where one of the parties may be malicious but adheres to the protocol of the scheme. We neither consider active adversaries nor the setting where two of the participants are colluding against the third. We construct a symmetric blind decryption scheme SymmetricBlind and show that it satisfies our definition of perfect secrecy. The scheme is based on two layers of encryption, where the inner layer utilizes a novel encryption scheme 2PAD given in this paper. 2PAD is based on modular arithmetic with $\mathbb{Z}_{p^2}$ as the ciphertext space, $\mathbb{Z}_p$ as the plaintext space and $\mathbb{Z}_p \times \mathbb{Z}_p$ as the key space, where $p \geq 5$ is a prime. The security of SymmetricBlind is shown information theoretically and does not depend on the size of $p$. For a fixed blind decryption key, SymmetricBlind supports a single blind decryption from a selection of $L \leq p - 1$ messages. For a single decryption of a message of bit length $\lfloor \log_2 p \rfloor$, the decryption server needs to store key material of $4 \lceil \log_2 p \rceil$ bits.

REFERENCES

[1] B. Thuraisingham, "Big data security and privacy," in Proceedings of the 5th ACM Conference on Data and Application Security and Privacy, ser. CODASPY '15. New York, NY, USA: ACM, 2015, pp. 279–280. [Online]. Available: http://doi.acm.org/10.1145/2699026.2699136
[2] Office for Civil Rights, United States Department of Health and Human Services, "Medical privacy. National standards to protect the privacy of personal health information," http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html (retrieved 29 April 2013).
[3] European Parliament, "Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data," http://eur-lex.europa.eu/ (retrieved 21.9.2012), 1995.
[4] S. Coull, M. Green, and S. Hohenberger, "Controlling access to an oblivious database using stateful anonymous credentials," in Public Key Cryptography – PKC 2009, ser. Lecture Notes in Computer Science, S. Jarecki and G. Tsudik, Eds. Springer Berlin Heidelberg, 2009, vol. 5443, pp. 501–520. [Online]. Available: http://dx.doi.org/10.1007/978-3-642-00468-1_28
[5] M. Green, "Secure blind decryption," in Public Key Cryptography – PKC 2011, ser. Lecture Notes in Computer Science, D. Catalano, N. Fazio, R. Gennaro, and A. Nicolosi, Eds. Springer Berlin / Heidelberg, 2011, vol. 6571, pp. 265–282, 10.1007/978-3-642-19379-8_16. [Online]. Available: http://dx.doi.org/10.1007/978-3-642-19379-8_16
[6] K. Sakurai and Y. Yamane, "Blind decoding, blind undeniable signatures, and their applications to privacy protection," in Information Hiding, ser. Lecture Notes in Computer Science, R. Anderson, Ed. Springer Berlin Heidelberg, 1996, vol. 1174, pp. 257–264. [Online]. Available: http://dx.doi.org/10.1007/3-540-61996-8_45
[7] D. Chaum, "Blind signatures for untraceable payments," in Advances in Cryptology, D. Chaum, R. Rivest, and A. Sherman, Eds. Springer US, 1983, pp. 199–203. [Online]. Available: http://dx.doi.org/10.1007/978-1-4757-0602-4_18
[8] M. Green and S. Hohenberger, "Blind identity-based encryption and simulatable oblivious transfer," in Advances in Cryptology – ASIACRYPT 2007, ser. Lecture Notes in Computer Science, K. Kurosawa, Ed. Springer Berlin Heidelberg, 2007, vol. 4833, pp. 265–282. [Online]. Available: http://dx.doi.org/10.1007/978-3-540-76900-2_16
[9] R. Perlman, C. Kaufman, and R. Perlner, "Privacy-preserving DRM," in Proceedings of the 9th Symposium on Identity and Trust on the Internet, ser. IDTRUST '10. New York, NY, USA: ACM, 2010, pp. 69–83. [Online]. Available: http://doi.acm.org/10.1145/1750389.1750399
[10] L. L. Win, T. Thomas, and S. Emmanuel, "Privacy enabled digital rights management without trusted third party assumption," IEEE Transactions on Multimedia, vol. 14, no. 3, pp. 546–554, June 2012.
[11] C. P. Schnorr and M. Jakobsson, "Security of signed ElGamal encryption," in Advances in Cryptology – ASIACRYPT 2000, ser. Lecture Notes in Computer Science. Berlin: Springer, 2000, vol. 1976, pp. 73–89.
[12] K. Sakurai, Y. Yamane, S. Miyazaki, and T. Inoue, "A key escrow system with protecting user's privacy by blind decoding," in Information Security, ser. Lecture Notes in Computer Science, E. Okamoto, G. Davida, and M. Mambo, Eds. Springer Berlin Heidelberg, 1998, vol. 1396, pp. 147–157. [Online]. Available: http://dx.doi.org/10.1007/BFb0030417
[13] Y. Sameshima, "A key escrow system of the RSA cryptosystem," in Information Security, ser. Lecture Notes in Computer Science, E. Okamoto, G. Davida, and M. Mambo, Eds. Springer Berlin Heidelberg, 1998, vol. 1396, pp. 135–146. [Online]. Available: http://dx.doi.org/10.1007/BFb0030416
[14] W. Ogata et al., "New identity-based blind signature and blind decryption scheme in the standard model," IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. 92, no. 8, pp. 1822–1835, 2009.
[15] A. C.-C. Yao, "How to generate and exchange secrets," in 27th Annual Symposium on Foundations of Computer Science, Oct 1986, pp. 162–167.
[16] M. O. Rabin, "How to exchange secrets with oblivious transfer," Technical Report TR-81, Aiken Computation Lab, Harvard University, 1981.
[17] S. Even, O. Goldreich, and A. Lempel, "A randomized protocol for signing contracts," Commun. ACM, vol. 28, no. 6, pp. 637–647, Jun. 1985. [Online]. Available: http://doi.acm.org/10.1145/3812.3818
[18] I. Damgård, J. Kilian, and L. Salvail, "On the (im)possibility of basing oblivious transfer and bit commitment on weakened security assumptions," in Proceedings of the 17th International Conference on Theory and Application of Cryptographic Techniques, ser. EUROCRYPT'99. Berlin, Heidelberg: Springer-Verlag, 1999, pp. 56–73. [Online]. Available: http://dl.acm.org/citation.cfm?id=1756123.1756131

[19] D. Chaum, "Security without identification: Transaction systems to make big brother obsolete," Commun. ACM, vol. 28, no. 10, pp. 1030–1044, Oct. 1985. [Online]. Available: http://doi.acm.org/10.1145/4372.4373
[20] R. L. Rivest, A. Shamir, and L. Adleman, "A method for obtaining digital signatures and public-key cryptosystems," Commun. ACM, vol. 21, no. 2, pp. 120–126, 1978.
[21] D. Chaum and T. Pedersen, "Wallet databases with observers," in Advances in Cryptology – CRYPTO'92, ser. Lecture Notes in Computer Science, E. Brickell, Ed. Springer Berlin Heidelberg, 1993, vol. 740, pp. 89–105. [Online]. Available: http://dx.doi.org/10.1007/3-540-48071-4_7
[22] T. Okamoto, "Provably secure and practical identification schemes and corresponding signature schemes," in Advances in Cryptology – CRYPTO'92, ser. Lecture Notes in Computer Science, E. Brickell, Ed. Springer Berlin Heidelberg, 1993, vol. 740, pp. 31–53. [Online]. Available: http://dx.doi.org/10.1007/3-540-48071-4_3
[23] P. Horster, M. Michels, and H. Petersen, "Meta-message recovery and meta-blind signature schemes based on the discrete logarithm problem and their applications," in Advances in Cryptology – ASIACRYPT'94, ser. Lecture Notes in Computer Science, J. Pieprzyk and R. Safavi-Naini, Eds. Springer Berlin Heidelberg, 1995, vol. 917, pp. 224–237. [Online]. Available: http://dx.doi.org/10.1007/BFb0000437
[24] J. Camenisch, J.-M. Piveteau, and M. Stadler, "Blind signatures based on the discrete logarithm problem," in Advances in Cryptology – EUROCRYPT'94, ser. Lecture Notes in Computer Science, A. De Santis, Ed. Springer Berlin Heidelberg, 1995, vol. 950, pp. 428–432. [Online]. Available: http://dx.doi.org/10.1007/BFb0053458
[25] T. ElGamal, "A public key cryptosystem and a signature scheme based on discrete logarithms," IEEE Trans. Inform. Theory, vol. 31, no. 4, pp. 469–472, 1985.
[26] M. Mambo, K. Sakurai, and E. Okamoto, "How to utilize the transformability of digital signatures for solving the oracle problem," in Advances in Cryptology – ASIACRYPT '96, ser. Lecture Notes in Computer Science, K. Kim and T. Matsumoto, Eds. Springer Berlin Heidelberg, 1996, vol. 1163, pp. 322–333. [Online]. Available: http://dx.doi.org/10.1007/BFb0034858
[27] G. Brassard, C. Crépeau, and J.-M. Robert, "All-or-nothing disclosure of secrets," in Proceedings on Advances in Cryptology – CRYPTO '86. London, UK: Springer-Verlag, 1987, pp. 234–238. [Online]. Available: http://dl.acm.org/citation.cfm?id=36664.36681
[28] M. Naor and B. Pinkas, "Oblivious transfer with adaptive queries," in Advances in Cryptology – CRYPTO '99, ser. Lecture Notes in Computer Science, M. Wiener, Ed. Springer Berlin Heidelberg, 1999, vol. 1666, pp. 573–590. [Online]. Available: http://dx.doi.org/10.1007/3-540-48405-1_36
[29] J. Camenisch, G. Neven, and a. shelat, "Simulatable adaptive oblivious transfer," in Advances in Cryptology – EUROCRYPT 2007, ser. Lecture Notes in Computer Science, M. Naor, Ed. Springer Berlin Heidelberg, 2007, vol. 4515, pp. 573–590. [Online]. Available: http://dx.doi.org/10.1007/978-3-540-72540-4_33
[30] M. Green and S. Hohenberger, "Universally composable adaptive oblivious transfer," in Advances in Cryptology – ASIACRYPT 2008, ser. Lecture Notes in Computer Science, J. Pieprzyk, Ed. Springer Berlin Heidelberg, 2008, vol. 5350, pp. 179–197. [Online]. Available: http://dx.doi.org/10.1007/978-3-540-89255-7_12
[31] S. Jarecki and X. Liu, "Efficient oblivious pseudorandom function with applications to adaptive OT and secure computation of set intersection," in Theory of Cryptography, ser. Lecture Notes in Computer Science, O. Reingold, Ed. Springer Berlin Heidelberg, 2009, vol. 5444, pp. 577–594. [Online]. Available: http://dx.doi.org/10.1007/978-3-642-00457-5_34
[32] K. Kurosawa and R. Nojima, "Simple adaptive oblivious transfer without random oracle," in Advances in Cryptology – ASIACRYPT 2009, ser. Lecture Notes in Computer Science, M. Matsui, Ed. Springer Berlin Heidelberg, 2009, vol. 5912, pp. 334–346. [Online]. Available: http://dx.doi.org/10.1007/978-3-642-10366-7_20
[33] K. Kurosawa, R. Nojima, and L. T. Phong, "Efficiency-improved fully simulatable adaptive OT under the DDH assumption," in Proceedings of the 7th International Conference on Security and Cryptography for Networks, ser. SCN'10. Berlin, Heidelberg: Springer-Verlag, 2010, pp. 172–181. [Online]. Available: http://dl.acm.org/citation.cfm?id=1885535.1885554
[34] M. Green and S. Hohenberger, "Practical adaptive oblivious transfer from simple assumptions," in Theory of Cryptography, ser. Lecture Notes in Computer Science, Y. Ishai, Ed. Springer Berlin Heidelberg, 2011, vol. 6597, pp. 347–363. [Online]. Available: http://dx.doi.org/10.1007/978-3-642-19571-6_21
[35] K. Kurosawa, R. Nojima, and L. Phong, "Generic fully simulatable adaptive oblivious transfer," in Applied Cryptography and Network Security, ser. Lecture Notes in Computer Science, J. Lopez and G. Tsudik, Eds. Springer Berlin Heidelberg, 2011, vol. 6715, pp. 274–291. [Online]. Available: http://dx.doi.org/10.1007/978-3-642-21554-4_16
[36] B. Zhang, H. Lipmaa, C. Wang, and K. Ren, "Practical fully simulatable oblivious transfer with sublinear communication," in Financial Cryptography and Data Security, ser. Lecture Notes in Computer Science, A.-R. Sadeghi, Ed. Springer Berlin Heidelberg, 2013, vol. 7859, pp. 78–95. [Online]. Available: http://dx.doi.org/10.1007/978-3-642-39884-1_8
[37] V. Guleria and R. Dutta, "Efficient adaptive oblivious transfer without q-type assumptions in UC framework," in Information and Communications Security, ser. Lecture Notes in Computer Science, L. C. K. Hui, S. H. Qing, E. Shi, and S. M. Yiu, Eds. Springer International Publishing, 2015, vol. 8958, pp. 105–119. [Online]. Available: http://dx.doi.org/10.1007/978-3-319-21966-0_8
[38] C. Crépeau, K. Morozov, and S. Wolf, "Efficient unconditional oblivious transfer from almost any noisy channel," in Security in Communication Networks, ser. Lecture Notes in Computer Science, C. Blundo and S. Cimato, Eds. Springer Berlin Heidelberg, 2005, vol. 3352, pp. 47–59. [Online]. Available: http://dx.doi.org/10.1007/978-3-540-30598-9_4
[39] R. Rivest, "Unconditionally secure commitment and oblivious transfer schemes using private channels and a trusted initializer," Unpublished manuscript, 1999.
[40] A. C. Yao, "Protocols for secure computations," in 23rd Annual Symposium on Foundations of Computer Science, ser. SFCS '82, Nov 1982, pp. 160–164.
[41] O. Goldreich, S. Micali, and A. Wigderson, "How to play any mental game," in Proceedings of the Nineteenth Annual ACM Symposium on Theory of Computing, ser. STOC '87. New York, NY, USA: ACM, 1987, pp. 218–229. [Online]. Available: http://doi.acm.org/10.1145/28395.28420
[42] C. E. Shannon, "Communication theory of secrecy systems," Bell System Technical Journal, vol. 28, no. 4, pp. 656–715, 1949. [Online]. Available: http://dx.doi.org/10.1002/j.1538-7305.1949.tb00928.x
[43] J. Katz and Y. Lindell, Introduction to Modern Cryptography. Chapman & Hall/CRC, 2007.