arXiv:1005.0043v3 [cs.CR] 1 Apr 2011 eevrholds receiver edrholds sender A rnfr( transfer ae nascr biiu rnfrpooo.I this In OT, protocol. of transfer variant a oblivious concern [56] secure we be [34], paper, can a [31], computation on [27], multi-party based secure remarkable, any Most that it. proves from built can multi-party be protocols secure cryptographic of filed Considerable the cryptography computation. in in problem primitive concrete fundamental a a and is [18], by [16] O transfer Oblivious 1.1 ne Terms Index algorithms. quantum against secure is snttu.Wa’ oe yuigti atc-ae ahan hash for lattice-based protocol concrete this a using gain we by scheme, commitment more, based What’s lattic technica true. the is under not it framework is that hash folklore projective the the that instantiate shows indeed resid This quadratic tion. decisional the assumption, residuosity th supin h eiinlDfeHlmnasmto,the assumption, Diffie-Hellman decisional the assumption, it of pro understanding intuitive smooth and new simple a our allows and This hash. commitment hiding perfectly mitment, hnfn s swt h olg fCmue cec n Tec and Science Computer City, of Wuhan (e-mail:[email protected]). Technology, College China and Science the of Tech with University Huazhong and is Science Hsu Computer Chingfang of City, Wuhan (e-mail:[email protected]). Technology, College China and Science the of with University Huazhong is Xueming 430 Tang Hubei City, Wuhan Technology, Technolmail:[email protected]). and and Science Science Computer of of College University the with is Bing Zeng Abstract biiu rnfr( transfer oblivious h otefiin n,n atrse rmcmuiainrou communication from seen matter insta overhead. no computational fra common the one, the efficient available), trusted of st most assumption oracle under no the Diffie-Hellman random decisional secure is the no be on there is based to there (where proven (where mode and model plain available) string the obliv reference fully-simulatable in for works protocols that known the with pared most rounds communication at six costs framework The adversaries. I 1 rmwr o Fully-Simulatable For Framework A eisataetenwsot rjciehs ne h latt the under hash projective smooth new the instantiate We bi perfectly i.e., tools, abstract three uses framework Our NTRODUCTION ae endi nte a iheuvln effect equivalent with way another in defined later BLIVIOUS 40 W rsn rmwr o fully-simulatable for framework a present —We n OT olvostase O)protocols. (OT) transfer —oblivious ulckyoeain ncmuainloeha.Com- overhead. computational in operations public-key h n ). OT rnfr(T,fis nrdcdb 4]and [49] by introduced first (OT), transfer h OT n h n rvt oiieintegers positive private ihscrt gis o-dpiemalicious non-adaptive against security with ) h rvt messages private n el ihtefloigscenario. following the with deals egBn,Tn umn,adCigagHsu Chingfang and Xueming, Tang Bing, Zeng h biiu Transfer Oblivious -out-of- m 1 m , 2 oiyassump- uosity i m , . . . , n 1 g,Huazhong ogy, assumption e decisional security. s ue 430074 Hubei 430074 Hubei i , 7 hn (e- China 074 l ifiutto difficult lly ostransfer ious oblivious OT dn com- nding 2 eokis mework h n costs and i , . . . , lattice- d -out-of- h n hnology, ntiation andard nology, d or nds jective which n A . N ice h n - , ✦ 3]asrcsadgnrlzsteieso 1,[4 to [44] [1], of hashing, ideas for projective the framework smooth generalizes a and tool abstracts the [32] using these and from Starting works assumption. (DDH) Diffie-Hellman oe hnta fteielwrd neial,ahalf- be a to Undesirably, not world. ideal guaranteed the is of than protocol that than the harm the lower Therefore more of does. do level adversary not security ideal can corresponding world. adversary the ideal real corre- the the a in exists Thus, him there simulating world, real adversary the sponding real/ideal in adversary the that any requires under for paradigm security The paradigm. its simulation proven model strictly protocol the be that can means a we saying fully-simulatable, By is protocol fully-simulatable. not half-simulatable only [32]. assumption quadratic (DQR) decisional residuosity and assumption (DNR) residuosity nra niomn,apooo for protocol a environment, real in ere ytercie rmteritrcini tmost at is OT interaction their from h receiver knowledge the new all by expects learned sender The holds. he integers rmwr a eisatae ne h decisional the under instantiated be can framework nomto bu i rvt nu,ie,the i.e., input, private his about information where e h messages the get y[4 n 1 hc epcieypeet two- a presents respectively which for [1] protocol efficient and round [44] by feasible. assumptions constructing more intractability specific seems directly on invocations Thus, based many protocol NP. so the for with zero-knowledge embedded is practical of the it for However, because expensive version. prohibitive use, is latter version protocol former corresponding resulting the gain the can we Goldre- from Using [27], he). [24], to compiler known be ich’s side, to supposed one information not extra on is deduce does which to protocol; sees honestly he prescribed messages side, the a records by one adversaries told on than semi-honest everything adversary, desirable against semi-honest more security (a with is one much possible) as the as learn to adversary information way malicious malicious extra arbitrary any (a in act adversaries may malicious against esgs biul,teO otltrtr ee ois to refer literature most OT the Obviously, messages. notntl,teepooos(rfaeok)are frameworks) (or protocols these Unfortunately, osdrn ait fatc ehv oconfront to have we attack of variety a Considering h rtse nti ieto sidpnetymade independently is direction this in step first The 1 2 n a evee saseilcs of case special a as viewed be can and i 1 i < 2 i < . . . < m OT i 1 1 m , 2 eie D supin the assumption, DDH Besides . i h 2 m , . . . , 6 OT h n 1 h eevrepcsto expects receiver The . -Out-Of- 2 ae ntedecisional the on based i h ihu ekn any leaking without OT h n ihsecurity with OT h h positive n . n N -th 1 2
2 simulatable protocol for OT1 only provides a simulator corrupts the parties preset before the running of the in the case the receiver is corrupted such as [1], [44] or protocol. in the case the sender is corrupted such as [32]. Though constructing protocols for fully-simulatable 2 Considering security, requiring a protocol to be fully- OT1 with security against malicious adversaries has n simulatable is necessary. Specifically, a fully-simulatable been studied well, constructing protocols for such OTh protocol provides security against all kinds of attacks, hasn’t. We note that there are some works aiming to ex- n especially the future unknown attacks taken by any tend known cryptographic protocols to OTh . [42] shows n adversary whose computational resource is fixed when how to implementation OTh using log n invocation of 2 constructing the protocol (generally, it is assumed that OT1 under half-simulation. A similar implementation n the adversaries run arbitrary probabilistic polynomial- for adaptive OTh can be seen in [43]. What’s more, the time) [7], [24], while a not fully-simulatable protocol same authors of [42], [43] propose a way to transform a doesn’t. For example, the protocols proposed by [1], singe-server private-information retrieval scheme (PIR) [32], [44] suffer the selective-failure attacks, in which a into an oblivious transfer scheme under half-simulation malicious sender can induce transfer failures that are too [45]. With the help of a random oracle, [30] shows dependent on the messages that the receiver requests how to extend k oblivious transfers (for some security [45]. parameter k) into many more, without much additional Constructing fully-simulatable protocols for OT with effort. However, the Random Oracle Model is risky. security against malicious adversaries naturally becomes First, [10] shows that a scheme is secure in the Random the focus of the research community. [6] first presents Oracle Model does not necessarily imply that a particular such a fully-simulatable protocol. In detail, the OT is an implementation of it (in the real world) is secure, or even n adaptive h-out-n oblivious transfer (denoted by OTh 1 that this scheme does not have any ”structural flaws”. in related literature) and based on q-Power Decisional× Second, [10] shows efficient implementing the random Diffie-Hellman and q-Strong Diffie-Hellman assump- oracle is impossible. Later, [35] finds that the random- tions. Unfortunately, these two assumptions are not stan- oracle instantiations proposed by Bellare and Rogaway dard assumptions used in cryptography and seem signif- from 1993 and 1996, and the ones implicit in IEEE icantly stronger than DDH, DQR and so on. Motivated P1363 and PKCS standards are weaker than a random by basing OT on weaker complexity assumption, [28] oracle. What is worse, [35] shows that how the hash n presents a protocol for OTh using a blind identity-based function defects deadly damages the securities of the encryption which is based on decisional bilinear Diffie- cryptographic schemes presented in [4], [5]. Therefore, in Hellman (DBDH) assumption. Using cut-choose tech- this paper, we only consider the schemes which are fully- nique, [36] later presents two efficient protocols for fully- simulatable and without turning to a random oracle. 2 simulatable OT1 respectively based on DDH assumption To our best knowledge, only [6] and [28] respectively n and DNR assumption, where the DDH-based protocol present such fully-simulatable protocols for OTh . How- is the most efficient one among these fully-simulatable ever, the assumptions the former uses are not standard works. and the latter uses is too expensive. Therefore, a well- The protocols mentioned above are proved their se- motivated problem is to find a protocol or framework curities in the plain stand-alone model which not nec- for efficient, fully-simulatable, secure against malicious n essarily allows concurrent composition with other arbi- adversaries OTh under weaker complexity assumptions. trary malicious protocols. [48] overcomes this weakness and further the research by presenting a framework 1.2 Our Contribution under common reference string (CRS) model for fully- 2 In this paper, we present a framework for efficient, simulatable, universally composable OT1 and instan- tiating the framework respectively under DDH, DQR fully-simulatable, secure against non-adaptive malicious n and worst-case lattice assumption. It is notable that adversaries OTh whose security is proven under stand conditioning on a trusted CRS is available, the DDH- model (i.e., without turning to a random oracle). To our n based instantiation of the framework is the most efficient best knowledge, this is the first framework for such OTh . 2 The framework have the following features, protocol for OT1 no matter seen from the number of communication rounds or the computational overhead. 1) Fully-simulatable and secure against malicious ad- Recently, [20], using a novel compiler and somewhat versaries without using a CRS. [32]’s framework for 2 non-committing encryption they present, convert [48]’s OT1 is half-simulatable. Thought [48]’s framework 2 instantiations based on DDH, DQR to the corresponding for OT1 is fully-simulatable, it doesn’t work with- protocols with higher security level. In more detail, the out a CRS. What is more, how to provide a trusted 2 resulting protocols for OT1 are secure against adaptive CRS before the protocol run still is a unsolved malicious adversaries, which corrupts the parties dy- problem. The existing possible solutions, such as namically based on his knowledge gathered so far. Note natural process suggested by [48], are only con- 2 that, the fully-simulatable protocols for OT1 mentioned jectures without formal proofs. The same problem so far except the one presented by [6] are only secure remains in its adaptive version presented by [20]. against non-adaptive malicious adversaries, which only What is worse, [9], [11] show that even given a 3
authenticated communication channel, implement- 1.3 Our Approach ing a universal composable protocol providing useful trusted CRS in the presence of malicious We note that the smooth projective hash is a good adversaries is impossible. Therefore, considering abstract tool. Using this tool, [32] in fact presents a frame- OT 2 practical use, our framework are better. work for half-simulatable 1 , [21] present a framework 2) Efficient. Compared with the existing protocols for for password-based authenticated key exchange proto- fully-simulatable OT that without resorting to a cols. We also note that the cut-and-choose is a good CRS or a random oracle, i.e., the protocols pre- technique to make protocol fully-simulatable. Using this sented by [6], [28], [36], the DDH-based instantia- tool, [36] present several fully-simulatable protocol for OT 2 tion of our framework costs the minimum number 1 , [37] presents a general fully-simulatable protocol of communication rounds and costs the minimum for two-party computation. Indeed, we are inspired by computational overhead. Please see Section 4.4 and such works. Our basic ideal is to use cut-and-choose Section 4.5 for the detailed comparisons. technique and smooth projective hash to get a fully- We admit that, in the context of a trusted CRS is simulatable framework. available and only OT 2 is needed, the DDH-based Loosely speaking, a smooth projective hash (SPH) is a 1 ˙ ¨ instantiation of [48] is the most efficient one. set of operations defined over two languages L and L, where L˙ L¨ = . For any projective instance x˙ L˙ , 3) Abstract and modular. The framework is described ∩ ∅ ∈ using just three high-level cryptographic tools, i.e., there are two ways to obtain its hash value, i.e., the perfectly binding commitment (PBC), perfectly hid- way using its hash key or the way using its projective key and its witness w˙ . For any smooth instance x¨ L¨, ing commitment (PHC) and our new smooth pro- ∈ there is only one way to obtain its hash value, i.e., the jective hash (denoted by SPHDHCt,h for simplic- ity). This allows a simple and intuitive understand- way using its hash key. The version of SPH presented ing of its security. by [32] (denoted by VSPHH for simplicity) holds a 4) Generally realizable. The high-level cryptographic property called verifiable smoothness that can judge whether at least one of arbitrary two instances is smooth. tools PBC, PHC and SPHDHCt,h are realizable from a variety of known specific assumptions, Another property VSPHH holds, called hard subset even future assumptions maybe. This makes our membership, makes sure x¨ and x˙ are computationally framework generally realizable. In particular, we indistinguishable. instantiate SPHDHCt,h from the DDH assump- We observe that the VSPHH indeed is easy to be n tion, the DNR assumption, the DQR assumption extended to deal with OT1 , but seems difficult to be n and the lattice assumption. Instantiating PBC or extended to deal with the general OTh . The reason PHC under specific assumptions is beyond the is that, to hold verifiable smoothness, x˙s and x¨s have scope of this paper. Please see [23], [26] for such to be generated in a dependent way. This makes the examples. Generally realizability is vital to make verifiable smoothness for multiple x˙s and multiple x¨s (i.e., judge whether at least n h of arbitrary n instances the framework live long, considering the future − progress in breaking a specific intractable prob- are smooth) difficult to hold without leaking information lem. If this case happen, replacing the instantiation which is conductive to distinguish such x˙s and x¨s. We based on the broken problem with that based on a also observe that, there is no way to construct a fully- unbroken problem suffices. simulatable framework using VSPHH, because there is no way to extract the real input of the adversary in the case that the receiver is corrupted. What is more, we fix a folklore [36] that it appears We define a new smooth projective hash called t- technically difficult to instantiate the projective hash smooth h-projective hash family that holds proper- under lattice assumption by presenting a lattice-based ties distinguishability, hard subset membership, feasible SPHDHC instantiation. It is notable that we gain t,h cheating (denoted by SPHDHC for simplicity). The an OT n instantiation which is secure against quan- t,h h key solution in SPHDHC to the mentioned problems tum algorithms, using this lattice-based SPHDHC t,h t,h is that requiring each x¨ to hold a witness too. This solu- instantiation and appropriate lattice-based commitment tion enables us to generate x˙s and x¨s in a independent schemes. Considering that factoring integers and finding way. Correspondingly, the verifiable smoothness is not discrete logarithms are efficiently feasible for quantum needed any more and replaced by a property called algorithms [52]–[54], this is an example showing the ben- distinguishability, which provides a way to distinguish efits from the generally realizability of the framework. x˙s and x¨s if their witnesses are given. As an independent contribution, we present several Since the receiver encodes his input as a permutation propositions/lemmas related to the indistinguishability of x˙s and x¨s, a simulator can the extract the real input of of probability ensembles defined by sampling polyno- the adversary in the case that the receiver is corrupted if mial instances. Such propositions/lemmas simplify our their witnesses are available. Combining the application security proof very much. We believe that they are as of the technique cut-and-choose, a simulator can see such useful in security proof somewhere else as in this paper. witnesses by rewinding the adversary. To extract the 4 real input of the adversary in the case that the sender commitment scheme. In Section 3, we define our new is corrupted, the property feasible cheating provides hash system, i.e., SPHDHCt,h. In Section 4, we con- way to cheat out of the real input of the adversary. struct our framework. In Section 5, we prove the security Naturally, all the properties and the correlated algorithm of the framework. In Section 6, we reduce constructing in SPHDHCt,h are extended to deal with n instances SPHDHCt,h to constructing considerably simpler hash rather than only 2 instances. Please see Section 3.2 for a systems. In Section 7, we instantiate SPHDHCt,h under detailed comparison this new hash with previous hash the lattice, DDH, DNR, DQR assumptions, respectively. systems. We show that constructing SPHDHCt,h can be re- 2 PRELIMINARIES duced to constructing considerably simpler hash sys- Most notations and concepts mentioned in this section tems. Our lattice-based SPHDHCt,h instantiation is builded on the lattice-based cryptosystem presented by originate from [7], [23], [24] which are basic literature [36]. It is noticeable that it appears difficult to get lattice- in the filed of secure multi-party computation (SMPC). n based instantiation for SPH [36]. Our solution is to let We tailor them to the need of dealing with OTh . the instance x (x L˙ L¨) be available to the algorithm ∈ ∪ that is responsible for generating pair of the hash key 2.1 Basic Notations and the projective key. The other three intractability- We denote an unspecified positive polynomial by poly(.). assumption-based SPHDHC instantiations can be ul- t,h We denote the set consists of all natural numbers by N. timately built from known SPH schemes such as that def For any i N, [i] = 1, 2,...,i . We denote the set presented by [32] with necessary modifications. ∈ { } consists of all prime numbers by P. Using SPHDHCt,h we construct the framework de- scribed with high-level as follows . We denote security parameter used to measure secu- rity and complexity by k. A function µ(.) is negligible 1) The receiver generates hash parameters and appro- in k, if there exists a positive constant integer n , for priate many instance vectors, then sends them to 0 any poly(.) and any k which is greater than n (for the sender after disordering each vector. 0 simplicity, we later call such k sufficiently large k), it 2) The receiver and the sender cooperate to toss coin holds that µ(k) < 1/poly(k). A probability ensemble to decide which vector to be opened. def k X = X(1 ,a) k N,a 0,1 ∗ is an infinite sequence of 3) The receiver opens the chosen instances, encodes { } ∈ ∈{ } his private input by reordering each unchosen vec- random variables indexed by (k,a), where a represents tor and sends the resulting code, which in fact is a various types of inputs used to sample the instances sequence of permutations, to the sender. according to the distribution of the random variable k 4) The sender checks that the chosen vectors are X(1 ,a). Probability ensemble X is polynomial-time generated in the legal way which guarantees that constructible, if there exists a probabilistic polynomial- the receiver learns at most h message. If the check time (PPT) sample algorithm SX (.) such that for any a, k k pass, the sender encrypts his private input (i.e., any k, the random variables SX (1 ,a) and X(1 ,a) are the n messages he holds) using the hash values identically distributed. We denote sampling an instance k k of the instances of the unchosen vectors in the way according to X(1 ,a) by α SX (1 ,a). def k ← def indicated by the code of receiver’s private input, Let X = X(1 ,a) k N,a 0,1 ∗ and Y = k { } ∈ ∈{ } and sends the ciphertexts together with some auxil- Y (1 ,a) k N,a 0,1 ∗ be two probability ensembles. { } ∈ ∈{ } iary information (i.e., the projective hash keys) that They are computationally indistinguishable, denoted c is conductive to decrypt some ciphertexts to the X = Y , if for any non-uniform PPT algorithm D with receiver. an infinite auxiliary information sequence z = (zk)k N ∈ 5) The receiver decrypts the ciphertexts with the help (where each z 0, 1 ∗), there exists a negligible k ∈ { } of the auxiliary information and gains the messages function µ(.) such that for any sufficiently large k, any he expects. a, it holds that Intuitively speaking, the receiver’s security is im- P r(D(1k,X(1k,a),a,z )=1) plied by the property hard subset membership of | k − SPHDHC . This property guarantees that the receiver P r(D(1k, Y (1k,a),a,z )=1) 6 µ(k) t,h k | can securely encode his private input by reordering each X = Y unchosen instance vector. The sender’s security is im- They are same, denoted , if for any sufficiently k a X(1k,a) Y (1k,a) plied by the cut-and-choose technique, which guarantees large , any , and are defined in the that the probability that the adversaries controlling a cor- same way. They are equal, denoted X Y , if for any k a ≡ X(1k,a) rupted receiver learns extra new knowledge is negligible. sufficiently large , any , the distributions of and Y (1k,a) are identical. Obviously, if X = Y then X c ≡ Y ; If X Y then X = Y . ≡ 1.4 Organization Let ~x be a vector (note that arbitrary binary string can In Section 2, we describe the notations used in this be viewed as a vector). We denote its i-th element by paper, the security definition of OT n, the definition of ~x i , denote its dimensionality by #~x, denote its length h h i 5 in bits by ~x . For any positive integers set I, any vector deviates from prescribed protocol. In fact, after A finishes def| | A ~x, ~x I = (~x i )i I,i #~x. corrupting, and all corrupted parties have formed a h i h i ∈ ≤ Let M be a probabilistic (interactive) Turing machine. coalition led by A to learn as much extra knowledge, By Mr(.) we denote M’s output generated at the end of e.g. the honest parties’ private inputs, as possible. From an execution using randomness r. then on, they share knowledge with each other and def coordinate their behavior. Without loss of generality, Let f : D R. Let D′ 0, 1 ∗. Then f(D′) = → ⊆def { } we can view this coalition as follows. All corrupted f(x) x D′ D , Range(f) = f(D). { | ∈ ∩ } parties are dummy. A receives messages addressed to the Let x Y denotes sampling an instance x from do- ∈χ members of the coalition and sends messages on behalf main Y according to the distribution law (or probability of the members. density function ) χ. Specifically, let x U Y denotes n ∈ Loosely speaking, we say OTh is secure, if and only if, uniformly sampling an instance x from domain Y . for any malicious adversary A, the knowledge A learns in the real world is not more than that he learns in the n 2.2 Security Definition Of A Protocol For OTh ideal world. In other words, if and only if, for any mali- n cious adversary A, what harm A can do in real world is 2.2.1 Functionality Of OTh n not more than what harm he can do in the ideal world. OTh involves two parties, party P1 (i.e., the sender) n In the ideal world, there is an incorruptible trusted third and party P2 (i.e., the receiver). OTh ’s functionality is party (TTP). All parties hand their private inputs to TTP. formally defined as follows TTP computes f and sends back f(.) i to P . In the real h i i world, there is no TTP, and the computation of f(.) is f : N 0, 1 ∗ 0, 1 ∗ 0, 1 ∗ 0, 1 ∗ ×{ } ×{ } → { } ×{ } finished by A and all parties’ interactions. f(1k, ~m, H) = (λ, ~m H ) h i where n 2.2.3 OTh In The Ideal World k is the public security parameter. • n n In the ideal world, an execution of OTh proceeds as ~m ( 0, 1 ∗) is P ’s private input, and each ~m i • ∈ { } 1 | h i| follows. is the same. def Initial Inputs. All entities know the public security H Ψ = B B [n], #B = h is P2’s private n • ∈ { | ⊆ } parameter k. P holds a private input ~m ( 0, 1 ∗) . input. 1 ∈ { } Party P holds a private input H Ψ. Adversary A λ denotes a empty string and is supposed to be got 2 ∈ • holds a name list I [2], a randomness rA 0, 1 ∗ and by P1. That is, P1 is supposed to get nothing. ⊆ ∈{ } an infinite auxiliary input sequence z = (zk)k N, where ~m H is supposed to be got by P2. ∈ • h i zk 0, 1 ∗. Before proceeds to next stage, A corrupts Note that, the length of all parties’ private input have ∈ { } def parties listed in I and learns ~x I , where ~x = (~m, H). to be identical in SMPC (please see [24] for the reason h i and related discussion). This means that ~m = H is Submitting inputs to TTP. Each honest party Pi always | | | | submits its private input ~x i unchanged to TTP. A required. Without loss of generality, in this paper, we h i assume ~m = H always holds, because padding can be submits arbitrary string based on his knowledge to TTP | | | | easily used to meet such requirement. for the corrupted parties. The string TTP receives is a Intuitively speaking, the security of OT n requires that two-dimensional vector ~y which is formally described h as follows. P1 can’t learn any new knowledge — typically, P2’s private input, from the interaction at all, and P can’t ~x i if i / I, 2 ~y i = h i ∈ learn more than h messages held by P1. To capture the h i (α if i I security in a formal way, the concepts such as adver- ∈ ~x i sary, trusted third party, ideal world, real world were where α ~x i 0, 1 | h i| abort and α ∈ { h i} ∪ { } ∪ { i} ← introduced. Note that the security target in this paper is A(1k,I,r ,z , ~x I ). Obviously, there is a probability A k h i to be secure against non-adaptive malicious adversaries, that ~x = ~y. 6 so only concepts related to this case is referred to in the TTP computing f. TTP checks that ~y is a valid input to following. f, i.e., no entry of ~y is of the form aborti. If ~y passes the check, then TTP computes f and sets ~w to be f(1k, ~y). 2.2.2 Non-Adaptive Malicious Adversary Otherwise, TTP sets ~w to be (aborti, aborti). Finally, for n Before running OT , the adversary A has to corrupt all each i [n] TTP hands ~w i to each Pi respectively and h ∈ h i parties listed in I [2]. In the case that U P , P halts. ⊆ ∈ { 1 2} is not corrupted, U will strictly follow the prescribed Outputs. Each honest party Pi always outputs the protocol as an honest party. In the case that party U is message ~w i it obtains from the TTP. Each corrupted h i corrupted, U will be fully controlled by A as a corrupted party Pi outputs nothing (i.e., λ). The adversary outputs party. In this case, U will have to pass all his knowledge something generated by executing arbitrary function of to A before the protocol runs and follows A’s instructions the information he gathers so far. Without loss of gener- from then on — so there is a probability that U arbitrarily ality, this can be assumed to be (1k,I,r ,z , ~x I , ~w I ). A k h i h i 6
n The output of the whole execution in the ideal world, protocol for OTh . We say π securely computes f, if and only if k denoted by Idealf,I,A(zk)(1 , ~m, H), is defined by the out- for any non-uniform probabilistic polynomial-time adversary puts of all parties and that of the adversary as follows. A with an infinite sequence z = (zk)k N in the real world, ∈ there exists a non-uniform probabilistic expected polynomial- Ideal (1k, ~x, r ) i f,A(z),I A h i time adversary A′ with the same sequence in the ideal world A’s output, i.e., (1k,I,r , such that, for any I [2], it holds that A i = 0; ⊆ def zk, ~x I , ~w I ), = h i h i Pi’s output, i.e., λ, i I; c ∈ k ∗ n Realπ,I,A(zk)(1 , ~m, H) k N, ~m ( 0,1 ) = Pi’s output, i.e., ~w i , i [n] I. { } ∈ ∈ { } ∗ h i ∈ − H Ψ,zk 0,1 ∈ ∈{ } k k ′ ∗ n Obviously, Ideal f,A(z),I (1 , ~x) is a random variable Idealf,I,A (zk)(1 , ~m, H) k N, ~m ( 0,1 ) (1) ∈ ∈ { } ∗ { } H Ψ,zk 0,1 whose randomness is rA. ∈ ∈{ }
2.2.4 OT n In The Real World where the parameters input to the two probability ensembles h are same and each ~m i is of the same length. The adversary n h i In the real world, there is no TTP. A execution of OTh A’ in the ideal world is called a simulator of the adversary A proceeds as follows. in the real world. Initial Inputs. Initial input each entity holds in the real world is the same as in the ideal world but there are The concept, non-uniform probabilistic expected some difference as follows. A randomness ri is held by polynomial-time, mentioned in Definition 1 is formu- each party Pi. After finishes corrupting, in addition to lated in distinct way in distinct literature such as [8], the knowledge A learns in ideal world, the corrupted [23]. We prefer to the following definition [33], because def parties’ randomness ~r I is also learn by A, where ~r = it is clearer in formulation and more closely related to h i our issue. (r1, r2). Computing f. In the real world, computing f is Definition 2 (M1 runs in expected polynomial– finished by all entities’ interaction. Each honest party time with respect to M2). Let M1,M2 be two in- strictly follows the prescribed protocol (i.e., the concrete teractive Turing machines running a protocol. By < n protocol, usually denoted π , for OT ). The corrupted k h M1(x1, r1,z1),M2(x2, r2,z2) > (1 ), we denote a running parties have to follow A’s instructions and may arbitrar- which starts with Mi holding a private input xi, a randomness ily deviate from prescribed protocol. ri, an auxiliary input zi, the public security parameter k. By Outputs. Each honest party Pi always outputs what k IDNM1 (
2.3 Commitment Scheme 3 ANEW SMOOTH PROJECTIVE HASH - SPHDHC In this section, we briefly introduce the cryptographic t,h tool commitment scheme which will be used in our 3.1 The Definition Of SPHDHCt,h framework. For the strict definition and the details, In this section, we define a new smooth projective hash please see [23] or [26]. — t-smooth h-projective hash family that holds proper- ties distinguishability, hard subset membership, feasible Definition 3 (commitment scheme, non-strict descrip- cheating, denoted SPHDHCt,h for simplicity, which will tion, [23], [26]). A commitment scheme is a two-party be used to construct our framework for OT n. In section protocol involving two phases. h 7, we instantiate SPHDHCt,h respectively under four Initial Inputs. At the beginning, all parties know the pub- distinct intractability assumptions. • lic security parameter k. The unbounded sender P1 holds Let us recall some related works before defining poly(k) a randomness r 0, 1 ∗, a value m 0, 1 to SPHDHCt,h. [12], [55] present the classic notation 1 ∈{ } ∈{ } be committed to, where the polynomial poly(.) is public. of ”universal hashing”. Based on ”universal hashing”, The PPT receiver P holds a randomness r 0, 1 ∗. [15] first introduces the concept of universal projective 2 2 ∈{ } Commit Phase. P computes a commitment, denoted α, hashing, smooth projective hashing and hard subset • 1 based on his knowledge, i.e., α P (1k,m,r ), then P membership problem in terms of languages and sets. ← 1 1 1 send α to P2. In order to construct a framework for password-based authenticated key exchange, [21] modifies such defini- – The security for P1 is implied by the property compu- tion to some extent. That is, smoothness is defined over tationally hiding, which prevents P2 from knowledge every instance of a language rather than a randomly of the value committed by P1. That is, for any PPT poly(k) chosen instance. [32] refines the modified version in P2, any m1,m2 0, 1 , it holds that ∈{ } terms of the procedures used to implement it. What is more, a new requirement called verifiable smoothness is k V iewCP2 (< P1(m), P2 > (1 )) k N { } ∈ added to the hashing so as to construct a framework for c k 2 = V iewCP2 (< P1(m′), P2 > (1 )) k N, OT1 . The resulting hashing is called verifiablely-smooth { } ∈ projective hash family that has hard subset membership
where V iewCP2 (.) denotes P2’s view in commit property (denoted by VSPHH for simplicity). Note phase. that, the framework presented by [32] is not fully- simulatable. The difference between SPHDHC and Reveal Phase. P computes and sends a de-commitment, t,h • 1 the works mentioned above will be under a detailed which typically consists of m, r , to P to let P know 1 2 2 discussion after we define SPHDHC . m. Receiving de-commitment, P checks its validity. t,h 2 For clarity in presentation, we assume n = h + t Typically P checks that α = P (1k,m,r ) holds. If de- 2 1 1 always holds and introduce additional notations. Let commitment pass the check, P2 knows and accepts m. def R = (x, w) x, w 0, 1 ∗ be a relation, then LR = – The security for P2 is implied by the property { | ∈ { } } def x x 0, 1 ∗, w((x, w) R) , R(x) = w (x, w) R . perfectly binding, which guarantees that for any { def| ∈{ } ∃ ∈ } { | ∈ } unbounded P , any m ,m 0, 1 poly(k) such Π = π π :[n] [n], π is a permutation . Let π Π (to 1 1 2 ∈ { } { | → } ∈ that m = m , the probability that P accepts comply with other literature, we also use π somewhere 1 6 2 2 m2 while P1 commits to m1 is zero, where the to denote a protocol without bringing any confusion). probability is taken only over the randomness used Let ~x be an arbitrary vector. By π(~x), we denote a vector by P2. resulted from applying π to ~x. That is, ~y = π(~x), if and only if i(i [d] ~x i = ~y π(i) ) i(i / [d] ~x i = The above definition defines perfectly binding com- ∀ ∈ → defh i h i ∧ ∀ ∈ → h i ~y i ) holds, where d = min(#~x, n). mitment schemes (denoted by PBC). Relaxing the prop- h i erty binding to allow the probability of successful cheat Definition 4 (t-smooth h-projective hash family of unbounded P1 to be negligible, then the above def- that holds properties distinguishability, hard inition defines statically binding commitment schemes. subset membership and feasible cheating). Correspondingly, in the setting that P is PPT and P = (PG,IS,DI,KG,Hash,pHash,Cheat) is an 1 2 H is unbounded, there exists perfectly hiding commit- t-smooth h-projective hash family that holds properties ment schemes (denoted by PHC) and statically hid- distinguishability, hard subset membership and feasible ing commitment schemes, which provide perfectly hid- cheating (SPHDHCt,h), if and only if is specified as H ing and statically hiding to P1 respectively, and only follows computationally binding to P . If a property is secure The parameter-generator P G is a PPT algorithm that 2 • against unbounded adversaries, we say this property is takes a security parameter k as input and outputs a information-theoretically secure. We remark that there family parameter Λ, i.e., Λ P G(1k). Λ will be used ← is no commitment scheme holding both information- as a parameter to define three relations RΛ, R˙ Λ and R¨Λ, theoretically binding and information-theoretically hid- where R = R˙ R¨ . Moreover, R˙ R¨ = are Λ Λ ∪ Λ Λ ∩ Λ ∅ ing. supposed to hold. 8
The instance-sampler IS is a PPT algorithm that takes a SmGen (1k): Λ P G(1k), ~a IS(1k, Λ), ~x ~x~a, • 1 ← ← ← security parameter k, a family parameter Λ as input and for each j [n] operates as follows: (hk , pk ) ∈ j j ← outputs a vector ~a, i.e., ~a IS(1k, Λ). KG(1k, Λ, ~x j ), y Hash(1k, Λ, ~x j , hk ), ← h i j ← h i j Let ~a = ((x ˙ 1, w˙ 1),..., (x ˙ h, w˙ h), (¨xh+1, w¨h+1),..., −−−→xpky j (~x j , pkj ,yj ). Finally outputs (Λ, −−−→xpky). T h i ←k h i k (¨xn, w¨n)) be a vector generated by IS. We call each x˙ i SmGen2(1 ): compared with SmGen1(1 ), the only or x¨i an instance of LRΛ . For each pair (x ˙ i, w˙ i) (resp., difference is that for each j [n] [h], yj U k ∈ − ∈ (¨xi, w¨i)), w˙ i (resp., w¨i) is called a witness of x˙ i L ˙ Λ Range(Hash(1 , Λ, ~x j ,.)). ∈ R h i (resp., x¨i LR¨Λ ). Note that, by this way we indeed k k ] ∈ ˙ ¨ Smi(1 ): (Λ, −−−→xpky) SmGeni(1 ), −−−→xpky have defined the relationship RΛ, RΛ and RΛ here. The ← ] ← properties smoothness and projection we will mention π(−−−→xpky), finally outputs (Λ, −−−→xpky). later make sure R˙ R¨ = holds. 3) Distinguishability. Intuitively speaking, it requires that Λ ∩ Λ ∅ For simplicity in formulation later, we introduce the DI can distinguish the projective instances and some additional notations here. For ~a mentioned smooth instances with the help of their witnesses. That ~a def T above, ~x = (x ˙ 1,..., x˙ h, x¨h+1,..., x¨n) , is, it requires that the DI correctly computes the follow- ~a def T ing function. ~w = (w ˙ 1,..., w˙ h, w¨h+1,..., w¨n) . What is more, we abuse notation to some extent. We write N 3 ∈ ζ : ( 0, 1 ∗) 0, 1 ~x Range(IS(1k, Λ)) if and only if there exists a × { } →{ } ∈ ~a ~a k 0 if (x, w) R˙ , vector ~x such that ~x = ~x and ~a Range(IS(1 , Λ)). ∈ Λ k ∈ k ¨ We write x Range(IS(1 , Λ)) if and only if there ζ(1 , Λ, x, w)= 1 if (x, w) RΛ, ∈ ∈ exists a vector ~x such that ~x Range(IS(1k, Λ)) and undefined otherwise . ∈ x is an entry of ~x. The distinguisher DI is a PPT algorithm that takes a 4) Hard Subset Membership. Intuitively speaking, it re- • quires that for any ~x Range(IS(1k, Λ)), ~x can security parameter k, a family parameter Λ and a pair ∈ strings (x, w) as input and outputs an indicator bit b, be disordered without being detected. That is, for any def i.e., b DI(1k, Λ, x, w). π Π, the two probability ensembles HSM = ← ∈ 1 The key generator KG is a PPT algorithm that takes k def k • HSM1(1 ) k N and HSM2 = HSM2(1 ) k N, { } ∈ { } ∈ a security parameter k, a family parameter Λ and an specified as follows, are computationally indistinguish- instance x as input and outputs a hash key and a c able, i.e., HSM1 = HSM2. projection key, i.e., (hk,pk) KG(1k, Λ, x). k k k ← HSM1(1 ): Λ P G(1 ), ~a IS(1 , Λ), finally The hash Hash is a PPT algorithm that takes a security ~a ← ← • outputs (Λ, ~x ). parameter k, a family parameter Λ, an instance x and a k k HSM2(1 ): Operates as same as HSM1(1 ) with an hash key hk as input and outputs a value y, i.e., y exception that finally outputs (Λ, π(~x~a)). k ← Hash(1 , Λ, x, hk). 5) Feasible Cheating. Intuitively speaking, it requires that The projection pHash is a PPT algorithm that takes a • there is a way to cheat to generate a ~x which is supposed security parameter k, a family parameter Λ, an instance to fall into Lh Lt but actually falls into Ln R˙ Λ × R¨Λ R˙ Λ x, a witness w of x and a projection key pk as input and without being caught. That is, for any π Π, for outputs a value y, i.e., y pHash(1k, Λ,x,pk,w). ∈ ← any π′ Π, the two probability ensembles HSM2 The cheat Cheat is a PPT algorithm that takes a se- ∈ def k • and HSM3 = HSM3(1 ) k N are computationally curity parameter k, a family parameter Λ as input and { } c∈ indistinguishable, i.e., HSM2 = HSM3, where HSM2 outputs n elements of R˙ Λ, i.e., ((x ˙ 1, w˙ 1),... (x ˙ n, w˙ n)) k ← is defined above and HSM3 is defined as follows. Cheat(1 , Λ). k k k HSM3(1 ):Λ P G(1 ), ~a Cheat(1 ), finally and has the following properties ←~a ← H outputs (Λ, π′(~x )). 1) Projection. Intuitively speaking, it requires that for any instance x˙ L ˙ , the hash value of x˙ is obtainable with Remark 5 (The Witnesses Of The Instances). The main ∈ RΛ the help of its witness w˙ . That is, for any sufficiently use of the witnesses of an instance x˙ L ˙ Λ is to project ∈ R large k, any Λ Range(P G(1k)), any (x, ˙ w˙ ) generated and gain the hash value of x. In contrast, with respect to an k ∈ k by IS(1 , Λ), any (hk,pk) Range(KG(1 , Λ, x˙)), it instance x¨ L ¨Λ , it services as a proof of x¨ L ¨Λ . The ∈ ∈ R ∈ R holds that property distinguishability guarantees that given the needed k k witness, the projective instances and the smooth instances are Hash(1 , Λ, x,˙ hk)= pHash(1 , Λ, x,˙ pk, w˙ ) n distinguishable. For OTh , this means that a receiver can use 2) Smoothness. Intuitively speaking, it requires that for any the witnesses of x¨ to persuade a sender to believe that the instance vector ~x¨ Lt , the hash values of ~x¨ are ran- receiver is unable to gain the hash value of x¨. ∈ R¨Λ dom and unobtainable unless their hash keys are known. Remark 6 (Hard Subset Membership). The property That is, for any π Π, the two probability ensembles ∈ hard subset membership guarantees that for any ~x def k def k k ∈ Sm1 = Sm1(1 ) k N and Sm2 = Sm2(1 ) k N, Range(IS(1 , Λ)), any π Π, any PPT adversary A, the { } ∈ { } ∈ ∈ defined as follows, are computationally indistinguish- advantage of A identifying an entry of π(~x) falling into L ˙ c RΛ able, i.e., Sm1 = Sm2. (resp., LR¨Λ ) with probability over prior knowledge h/n (resp., 9 t/n) is negligible. That is, seen from A, every entry of π(~x) DI algorithm which is conducive to apply the seems the same. technique cut-and-choose. n With respect to OTh , this means that the receiver can 4) SPHDHCt,h requires a additional property feasi- encode his private input into a permutation of a vector ble cheating and the necessary algorithm Cheat. ~x Ln without leaking any information. For example, if This property provides a simulator with a way to ∈ RΛ the receiver expects to gain ~m H , then he may generates extract the real inputs of the adversary in the case h i a ~x and randomly chooses a permutation π Π such that that the sender is corrupted. ∈ π(~x) i L ˙ for each i H. Any PPT adversary knows 5) SPHDHC extends KG algorithm such that the h i ∈ RΛ ∈ t,h no new knowledge about H if only given π(~x). information of the instance is available to it. This However, if the witnesses of the instances of ~x are available makes constructing hash system easier. In indeed, (the simulator can gain the witnesses by rewinding the adver- this makes lattice-based hash system come true sary), then the receiver’s input is known. Therefore, there is which is thought difficult by [36]. way for the simulator to extract the real input of the adversary We observe that the VSPHH indeed is easy to be controlling the corrupted receiver. n extended to deal with OT1 , but seems difficult to be n extended to deal with the general OT n. The reason is Remark 7 (Feasible Cheating). In our framework for OTh , h the sender uses the hash values of the instances generated by that, to hold verifiable smoothness, x˙s and x¨s have to the receiver to encrypt its private inputs. The property feasible be generated in a dependent way. This makes designing cheating makes cheating out of the sender’s all private inputs IT dealing with n instances without leaking informa- feasible. Note that, this is a key for the simulator to extract the tion which is conductive to distinguish such x˙s and x¨s real inputs of the adversary controlling the corrupted sender. difficult. Therefore, even constructing a framework for n Therefore, it is conductive to construct a fully-simulatable OTh that is half-simulatable as [32] seems impossible. n We also observe that, there is no way to construct a fully- protocol for OTh . simulatable framework using VSPHH, because there is no way to extract the real input of the adversary in the 3.2 The Difference Between SPHDHCt,h And Re- lated Hash Systems case that the receiver is corrupted. The difficulties mentioned above can be overcame by Now we discuss the difference between our requiring each x¨ to hold a witness too. Since the receiver SPHDHC t,h and related hash systems previous encodes his input as a permutation of x˙s and x¨s, a works present or use. For simplicity, we only compare simulator can the extract the real input of the adversary our SPHDHC with the hash system VSPHH which t,h in the case that the receiver is corrupted if their witnesses is presented by [32]. We argue that this is justified, are available. Combining the application of the technique on the one hand, the version of [32] is the version cut-and-choose, a simulator can see such witnesses by holding most properties among previous works. On rewinding the adversary. What is more, the implemen- the other hand, the aim of [32] is the closest to ours. tation of DI is easier than that of its predecessor IT . They aim to construct a framework for OT 2 which 1 Because the operated object essentially is a pair of the actually is half-simulatable, while we aim to establish a form (x, w) which is simpler than (x ,...,x ) which is OT n 1 n fully-simulatable framework for h . the general form of the objects operated by IT . Loosely speaking, our SPHDHCt,h can be viewed as a generalized version of VSPHH. Indeed, VSPHH resembles SPHDHC1,1 very much and can be converted 4 CONSTRUCTING A FRAMEWORK FOR into SPHDHC1,1 though some modification is needed. FULLY-SIMULATABLE OT n The essential differences are listed as follows. h n 1) The key difference is that, besides each projective In this section, we construct a framework for OTh . In instance x˙ holding a witness w˙ , SPHDHCt,h also the framework, we will use a PPT algorithm, denoted Γ x¨ , that receiving B1,B2 Ψ, outputs a uniformly chosen requires each smooth instance to hold a witness ∈ w¨ permutation π U Π such that π(B1) = B2, i.e., π . ∈ ← n Γ(B ,B ). We give an example implementation of Γ as 2) To deal with OTh , SPHDHCt,h extends the IS 1 2 algorithm to generate h x˙s and t x¨s in a invoca- follows. tion. As a natural result, SPHDHC extends the Γ(B1,B2): First, E , C [n] B1. Second, for each t,h ←∅ ← − property smoothness to hold with respect to t x¨s, j B2, then i U B1, B1 B1 i , E E j ⇋ i . ∈ ∈ ← −{ } ← ∪{ } and extends the property hard subset membership Third, D [n] B2, for each j D, then i U C, C ← − ∈ ∈ ← to hold with respect to h x˙s and t x¨s. C i , E E j ⇋ i . Fourth, define π as π(i)= j if −{ } ← ∪{ } 3) In VSPHH there exists a instance test IT algo- and only if j ⇋ i E. Finally, outputs π. ∈ rithm that takes two instances as input and outputs a bit indicating whether at least one of the two in- 4.1 The Framework For n stances is smooth, i.e., b IT (x , x ). SPHDHC OTh ← 1 2 t,h discards this verifiability of smoothness and the Common inputs: All entities know the public se- • correlated IT , and instead provides a distinguisher curity parameter k, an positive polynomial polys(.), 10
def ˜ a SPHDHCt,h (where n = h + t) hash sys- Let Gi = j ~xi j LR˙ Λ ,i CS . For each { | h 2i ∈ ∈ } 2 tem , a information-theoretically hiding commit- i CS, P2 does πi Γ(Gi,H), sends (πi )i CS H ∈ ← ∈ ment scheme (denoted by IHC), a information- to P1. That is, P2 encode his private input into 2 ˜ theoretically binding commitment scheme (denoted sequences such as πi (~xi) where i CS. by IBC). ˜ ∈ Note that P2 can send ((i, j, ~wi j ))i CS,j Ji and Private Inputs: Party P1 (i.e., the sender) holds a (π2) h i ∈ ∈ • n i i CS in one step. private input ~m ( 0, 1 ∗) and a randomness Sender’s∈ step (S3): P checks the chosen instances, ∈ { } • 1 r1 0, 1 ∗. Party P2 ( i.e., the receiver) holds a ∈ { } encrypts and sends his private input to P2. private input H Ψ and a randomness r 0, 1 ∗. ∈ 2 ∈{ } 1) P verifies that each chosen instance vectors is The adversary A holds a name list I [2] and a 1 ⊆ legal, i.e., the number of the entries belonging randomness rA 0, 1 ∗. ∈{ } to L ˙ is not more than h. Auxiliary Inputs: The adversary A holds an infinite RΛ • P1 checks that, for each i CS, #Ji n h, auxiliary input sequence z = (zk)k N,zk 0, 1 ∗. ∈ ≥ − ∈ ∈{ } and for each j J , V F (1k, Λ, ~x˜ j , ~w˜ j ) is 1. ∈ i ih i ih i The protocol works as follow. For clarity, we omit If the check fails, P1 halts and outputs abort2, some trivial error-handlings such as P1 refusing to send otherwise P1 proceeds to next step. P2 something which is supposed to be sent. Handling 2) P1 reorders the entries of each unchosen in- such errors is easy. P2 halting and outputting abort1 stance vector in the way told by P2. suffices. ˜ 2 ˜ For each i CS, P1 does ~xi πi (~xi). Receiver’s step (R1): P generates hash parameters ∈ ← • 2 3) P1 encrypts and sends his private input to P2 and samples instances. together with some auxiliary messages. 1) P samples poly (k) instance vectors. Let For each i CS, j [n], P1 does: (hkij , pkij ) 2 s ∈ ∈ ← def k ˜ k ˜ K = poly (k). P does: Λ P G(1k); KG(1 , Λ, ~xi j ), βij Hash(1 , Λ, ~xi j , hkij ), s 2 h i ← h i ←k ~ def T ~ for each i [K], ~ai IS(1 , Λ). With- βi = (βi1,βi2,...,βin) ,~c ~m ( i CSβi), ∈ ← ← ⊕ ⊕ ∈ out loss of generality, we assume ~ai = def T −→pki = (pki1, pki2,...,pkin) , sends ~c and ((x ˙ 1, w˙ 1),..., (x ˙ h, w˙ h), (¨xh+1, w¨h+1),..., T (−→pki)i CS to P2. (¨xn, w¨n)) . ∈ Receiver’s step (R5): P2 decrypts the ciphertext ~c 2) P2 disorders each instance vector. • and gains the message he want. For each i [K], P2 uniformly chooses a ∈1 ˜ 1 For each i CS, j H, P2 operates: βij′ permutation πi U Π, then ~ai πi (~ai). ∈ ∈ ← ∈ ← k ˜ ˜ 3) P2 sends the instances and the corresponding pHash(1 , Λ, ~xi j , −→pki j , ~wi j ), mj′ ~c j ˜ ˜ ˜ h i h i h i ← h i ⊕ hash parameters, i.e., (Λ, ~x1, ~x2,..., ~xK ), to P1, ( i CSβij′ ). Finally, P2 gains the messages (mj′ )j H . def def ⊕ ∈ ∈ ~a˜i ~a˜i where ~x˜i = ~x (correspondingly, ~w˜i = ~w ). Receiver’s step (R2-R3)/Sender’s step (S1-S2): P • 1 4.2 The Correctness Of The Framework and P cooperate to toss coin to choose instance 2 Now let us check the correctness of the framework, i.e., vectors to open. the framework works in the case that P and P are K 1 2 1) P1: s U 0, 1 , sends IHC(s) to P2. honest. For each i CS, j H, we know ∈ { } K 2) P2: s′ U 0, 1 , sends IBC(s′) to P1. ∈ ∈ ∈ { } ~ 3) P1 and P2 respectively sends each other the de- ~c j = ~m j ( i CSβi j ) h i h i⊕ ⊕ ∈ h i commitments to IHC(s) or IBC(s′), and re- mj′ = ~c j ( i CSβij′ ) spectively checks the received de-commitments h i⊕ ⊕ ∈ are valid. If the check fails, P1 (P2 respectively) Because of the projection of , we know H halts and outputs abort2 (abort1 respectively). β~ j = β′ If no check fails, then they proceed to next step. ih i ij 4) P and P share a common randomness r = 1 2 So we have s s′. The instance vectors whose index fall into ⊕ def ~m j = m′ CS = i r i = 1,i [K] (correspondingly, h i j def { | h i ∈ } CS = [K] CS) are chosen to open. This means what P gets is ~m H that indeed is P − 2 h i 2 Receiver’s step (R4): P opens the chosen instances wants. • 2 to P1, encodes and sends his private input to P1. 1) P2 opens the chosen instances to prove that the 4.3 The Security Of The Framework instances he generates are legal. ˜ With respect to the security of the framework, we have P2 sends ((i, j, ~wi j ))i CS,j Ji to P1, where def h i ∈ ∈ the following theorem. J = j ~x˜ j L ¨ , j [n] . i { | ih i ∈ RΛ ∈ } 2) P2 encodes his private input and sends the Theorem 8 (The protocol is secure against the malicious resulting code to P . adversaries). Assume that is an t-smooth h-projective 1 H 11 hash family that holds properties distinguishability, hard sub- upper-bound of this probability deviates 1/2polys(k) at set membership and feasible cheating, IHC is a information- most negligible distance. theoretically hiding commitment, IBC is a information- For the security of P2, the framework first should theoretically binding commitment. Then, the protocol securely prevent P1 from learning P2’s private input. There is computes the oblivious transfer functionality in the presence a potential risk in Step R4 where P2 encodes his pri- of non-adaptive malicious adversaries. vate input. From Remark 6, we know that hard subset membership guarantees that for any PPT malicious P , We defer the strick proof of Theorem 8 to section 5 and 1 without being given π1, the probability that P learns first give an intuitive analysis here as a warm-up. For the i 1 any new knowledge is negligible. Thus P ’s encod- security of P , the framework should prevent P from 2 1 2 ing is safe. Besides cheating P of private input, it gaining more than h messages. Using cut and choose 2 seems there is another obvious attack that malicious P technique, P makes sure with some probability that 1 1 sends invalid messages, e.g. pk which (hk , pk ) / each instance vector contains no more than h projective ij ij ij ∈ Range(KG(1k, Λ, x )), to P . This attack in fact doesn’t instance, which leads to P learning extra messages is ij 2 2 matter. Its effect is equal to that of P ’s altering his real difficult. The following theorem guarantees that this 1 input, which is allowed in the ideal world too. probability is overwhelming. Theorem 9. Assume that the commitment schemes employed 4.4 The Communication Rounds in the framework are a perfectly hiding commitment and a perfectly binding commitment. Then, in case that P1 is honest Step R1 and Step R2 can be taken in one round. Step R5 and P2 is corrupted, the probability that P2 cheats to obtain is taken without communication. Each of other steps is more than h messages is at most 1/2polys(k). taken in one round. Therefore, the total number of the communication rounds is six. Proof: According to the framework, there are two Compared with existing fully-simulatable protocols necessary conditions for P ’s success in the cheating. 2 for oblivious transfer that without resorting to a random 1) P2 has to generate at least one illegal ~xi which oracle or a trusted common reference string (CRS), our contains more than h entries belonging to LR˙ Λ . If protocol is the most efficient one. On counting the total not, P2 cann’t correctly decrypt more than h entries communication rounds of a protocol, we count that of ~c, because of the smoothness of . Without loss H of the modified version. In the modified version, the of generality, we assume the illegal instance vectors consecutive communications of the same direction are are ~xl1 , ~xl2 ,...,~xl . n d combined into one round. The protocol for OTh 1 of 2) All illegal instance vectors are lucky not to be [6] costs one, two zero-knowledge proofs of knowledge× chosen and all the instance vectors unchosen respectively in initialization and in transfer a message, just are the illegal instance vectors, i.e., CS = where each zero-knowledge proofs of knowledge is per- l ,l ,...,l . We prove this claim in two case. { 1 2 d} formed in four rounds. The whole protocol costs at least a) In the case that CS = l ,l ,...,l and CS ten rounds. The protocol for OT n of [28] costs one zero- 6 { 1 2 d} − h l ,l ,...,l = , there exists j(j [d] l knowledge proof of knowledge in initialization which { 1 2 d} ∅ ∈ ∧ j ∈ CS). So P1 can detect P2’s cheating and P2 is performed in three rounds at least, one protocol to will gain nothing. extract a secret key corresponding to the identity of a b) In the case that CS = l ,l ,...,l and message which is performed in four rounds, one zero- 6 { 1 2 d} CS l ,l ,...,l = , there exists j(j knowledge proof of knowledge in transfer a message − { 1 2 d} 6 ∅ ∈ CS ~x is legal). Because of the smoothness which is performed in three rounds at least. We point out ∧ j of , P cannot correctly decrypt more than h that the interactive proof of knowledge of a discrete log- H 2 entries of ~c. arithm modulo a prime, presented by [51] and taken as a Now, let us estimate the probability that the second zero-knowledge proof of knowledge protocol in [28], to necessary condition is met. Note that, IHC(s) is a per- our best knowledge, is not known to be zero-knowledge. fectly hiding commitment, IBC(s′) is a perfectly binding However, turning to the techniques of Σ-protocol, [14] commitment, and P1 is honest, so the shared randomness make it zero-knowledge at cost of increment of three r is uniformly distributed. We have rounds in communication, which in turn induces the increment in communication rounds of the protocol of d polys(k) d P r(CS = l1,l2,...,ld )=(1/2) (1/2) − [28]. Taking all into consideration, this protocol costs at { } 2 =1/2polys(k) least ten rounds. The protocol for OT1 of [36] costs six rounds. This means that the probability that P2 cheats to obtain more than h messages is at most 1/2polys(k). 4.5 The Computational Overhead From the proof of Theorem 9, it is easy to see that if the commitment schemes employed are the ones with We measure the computational overhead of the frame- statically properties, the probability that P2 cheats to work in terms of the number of public key operations obtain more than h messages is negligible too, since the (i.e., operations based on trapdoor functions, or similar 12
2 operations) , because the overhead of public key op- is available and only OT1 is needed, [48]’s DDH-based erations, which depends on the length of their inputs, instantiation, which is two-round efficient and of two is greater than that of symmetric key operations (i.e., public key encryption operations and one public key operations based on one-way functions) by orders of decryption operation, is the most efficient one, no matter magnitude. Please see [38] to know which cryptographic seen from the number of communication rounds or the operation is public key operation or private key opera- computational overhead. tion. As to the framework, the public key operations are 5 A SECURITY PROOF OF THE FRAMEWORK Hash(.) and pHash(.), and the symmetric key operations are IHC(.) and IBC(.). In Step S3, P takes n #CS We prove Theorem 8 holds in this section. For nota- 1 · invocations of Hash(.) to encrypt his private input. In tional clarity, we denote the entities, the parties and the Step R5, P takes h #CS invocations of pHash(.) to adversary in the real world by P1, P2, A, and denote 2 · decrypt the messages he want. The value of #CS is the corresponding entities in the ideal world by P1′, P2′, A′. In the light of the parties being corrupted, there are polys(k), polys(k)/2, respectively, in the worst case and in the average case. Thus, fixing the problem we tackle four cases to be considered and we prove Theorem 8 (i.e., fixing the values of n and h), the efficiency only holds in each case. For simplicity, we assume that the commitment schemes employed are a perfectly binding depends on the value of polys(k). In Section 5 where we strictly prove the security of the framework, we’ll see commitment scheme and a perfectly hiding commitment scheme. If the statically ones are employed, the proof can that in the case that only P2 is corrupted, our simulator doesn’t consider a situation in the real world that arises be done in the same way with a slight modification. with probability at most 1/2polys(k). Therefore, setting We don’t know how to construct a strictly polynomial- time simulator for the adversary in the real world, in the polys(k)=40 is secure enough to use our framework in practice. In the worst case the computational overhead case that only P1 or P2 is corrupted. Instead, expected mainly consists of 40n invocations of Hash() taken by polynomial-time simulators are constructed (see section 2.2 for the justification), which results in a failure of P1 and 40h invocations of pHash() taken by P2; in the average case the computational overhead mainly standard black-box reduction technique. Fortunately, the problem and its derived problems can be solved using consists of 20n invocations of Hash() taken by P1 and the technique given by [26]. 20h invocations of pHash() taken by P2. We point out that, our simulator also may fail (with negligible probability) in the case that P1 is corrupted, 5.1 In the case that P1 Is Corrupted but the probability of this event arising depends on the In the case that P1 is corrupted, A takes the full control computational hiding of IBC and on the computational of P1 in the real world. Correspondingly, A’s simulator, binding of IHC rather than the value of polys(k) and has A′, takes the full control of P ′ in the ideal world, where no influence on computational overhead. So we don’t 1 A′ is constructed as follow. need to take this case into consideration here. def Initial input: A′ holds the same k, I = 1 , z = Compared with existing fully-simulatable protocols • { } (zk)k N, as A. What is more, A′ holds a uniform for oblivious transfer that without resorting to a random ∈ r ′ 0, 1 P oracle or a trusted CRS, our DDH-based instantiation distributed randomness A ∗. The parties 1′ P A A ∈{ } that will be presented in Section 7.1 is the most efficient and 1, whom ′ and respectively is to corrupt, ~m one in computational overhead. The operations of the hold the same . A′ works as follows. protocol in [6] are based on the non-standard assump- • tions, i.e., q-Power Decisional Diffie-Hellman and q- – Step Sm1: A′ corrupts P1′ and learns P1′’s private ¯ ¯ Strong Diffie-Hellman (q-SDH) assumptions, which both input ~m. Let A be a copy of A, i.e., A = A. A′ ¯ are associated with bilinear groups. [13] indicates that q- use A as a subroutine. A′ fixes the initial inputs ¯ SDH-based operations are more expensive that standard- of A to be identical to his except that fixes the ¯ assumption-based operations. The operations of the pro- randomness of A to be a uniformly distributed ¯ ¯ tocol in [28] are based on Decisional Bilinear Diffie- value. A′ activates A, and supplies A with ~m ¯ n Hellman (DBDH) assumption. Since bilinear curves are before A engages in the protocol for OTh . considerably more expensive than regular Elliptic curves In the following steps, A′ builds an environment ¯ [19] and DDH is obtainable from Elliptic curves, the for A which simulates the real world. That is, A′ operations in [6], [28] are considerably more expensive disguises himself as P1 and P2 at the same time ¯ than that DDH-based operations. Therefore, our DDH- to interact with A. based instantiation are more efficient than the protocols – Step Sm2: A′ uniformly chooses a randomness def presented by [6], [28]. The DDH-based protocol for OT 2 r 0, 1 K (K = poly (k)) as the shared 1 ∈U { } s presented by [36] also are very efficient. However, it can randomness. Let CS and CS be the sets decided be viewed as a specific case of our framework, thought by r. For each i CS, A′ honestly generates ∈ some modification of the protocol is needed. the hash parameters and instance vectors. For k We have to admit that, in the context of a trusted CRS each i CS, A′ calls Cheat(1 ) to generate such ∈ 13
parameters and vectors. A′ sends these hash ours. parameters and instance vectors to A¯. Using the idea of [26], we can overcome such problem Remark 10. From the remark 6, we know that each too. Specifically, an expected polynomial-time simula- entry of the instance vector generated by Cheat(1k) tor can be obtained by replacing Step Sim4 with Step is projective. If such instance vectors are not chosen Sim4.1, Sim4.2 given as follow. to be open, then the probability of A¯ detecting this Step Sim4.1: A′ estimates the value of q(α). A′ • fact is negligible, and A′ can extract the real input repeats the following procedure, denoted Φ, until of A¯, which is we want. the number of the time of A¯ correctly revealing his
– Step Sm3: A′ plays the role of P2 and executes commitment is up to poly(k), where poly(.) is a big Step R2-R3 of the framework to cooperate with enough polynomial. ¯ A¯ to toss coin. When tossing coin is completed Φ: A′ rewinds A to the end of Step S1 of the successfully, A′ learns and records the value s framework and A′ honestly executes Step R2 and A¯ commits to. R3 of the framework to interact with it. Remark 11. The aim of doing this tossing coin is Denote the number of times that Φ is repeated by def to know the randomness s A¯ choses. What A′ will d, then q(α) is estimated as q˜(α) = poly(k)/d. do next is to take IBC(r s) as his commitment to Step Sim4.2: A′ repeats the procedure Υ. In case A¯ ⊕ • redo tossing coin. correctly reveals the recorded value s, A′ proceeds ¯ – Step Sm4: A′ repeats the following proce- to the next step. In case A correctly reveals a value dure, denoted Υ, until A¯ correctly reveals the which is different from s, A′ outputs ambiguity1 and recorded value s. halts. In case the number of the time of repeating Υ: A′ rewinds A¯ to the end of Step S1 of the Υ exceeds the value of poly(k)/q˜(α), A′ outputs framework. Then, taking IBC (r s) as his timeout and halts. γ ⊕ commitment, A′ executes Step R2 and R3 of Proposition 12. The simulator A′ is expected polynomial- the framework, where γ is a fresh randomness time. uniformly chosen. – Step Sm5: Now A′ and A¯ shares the common Proof: Conditioning on Step Sim4.1 is executed, the randomness r. A′ executes Step R4 of the frame- expected value of d is poly(k)/q(α). Choosing a big work as the honest P2 do. On receiving ~c and enough poly(.), q˜(α) is within a constant factor of q(α) with probability 1 2poly(k). Therefore, the expected (−→pki)i CS, A′ correctly decrypts all entries of ~c − ∈ running time of A′, and gains A¯’s full real private input ~m. Then A′ sends ~m to the T T P . ExpTime ′ Time + Time + Time A ≤ Sim1 Sim2 Sim3 – Step Sim6: When A¯ halts, A′ halts with out- + q(α) (TimeΦ poly(k)/q(α)+ putting what A¯ outputs. · · TimeΥ poly(k)/q˜(α)) Without considering Step Sim4, A′ is polynomial-time. · However, taking Step Sim4 into consideration, this is + TimeSim5 + TimeSim6 not true any more. Let q(α), p(α) respectively denotes , is bounded by a polynomial. ¯ the probability that A correctly reveals his commit- What is more, we have def ment in Step Sim3 and in Procedure Υ, where α = 1) The probability that A′ outputs timeout is negligi- k (1 ,zk, I, ~m, rA¯). Then, the expected times of repeating ble. ¯ Υ in Step Sim4 is q(α)/p(α). Since the view A holds 2) The probability that A′ outputs ambiguity1 is neg- before revealing his commitment in Step Sim3 is different ligible. from that in procedure Υ, q(α), p(α) are distinct. What 3) The output of A′ in the ideal world and the output the computational secrecy of IBC guarantees and only of A in the real world are computationally indis- guarantees is q(α) p(α) = µ(.). However, there is a tinguishable, i.e., | − | risk that q(α)/p(α) is not bound by a polynomial. For c k 2k ′ k ∗ n example, q(α) = 1/2 ,p(α) = 1/2 , which result in Idealf, 1 ,A (zk)(1 , ~m, H) 1 k N, ~m ( 0,1 ) = { } ∈ ∈ { } ∗ k { h i} H Ψ,zk 0,1 q(α)/p(α) =2 . This is a big problem and gives rise ∈ ∈{ } k ∗ n to many other difficulties we will encounter later. Realπ, 1 ,A(zk)(1 , ~m, H) 1 k N, ~m ( 0,1 ) (2) { } ∈ ∈ { } ∗ { h i} H Ψ,zk 0,1 Fortunately, [26] encounters and solves the same prob- ∈ ∈{ } lem and its derived problem as ours. In a little more Since the propositions above can be proven in the details, [26] presents a protocol, in which P1, P2 re- same way as [26], we don’t iterate such details here. spectively sends a perfectly hiding commitment, a per- Proposition 13. In the case that P was corrupted, i.e., I = fectly binding commitment, and the corresponding de- 1 1 , the equation (1) required by Definition 1 holds. commitments to each other as the situation of tossing { } coin of our framework. To prove the security in the case Proof: First let us focus on the real world. A’s real that P is corrupted, [26] constructs a simulator in the input can be formulated as γ A(1k, ~m, z , r , r ). Note 1 ← k A 1 same way as ours and encounters the same problem as that in this case, P2’s output is a determinate function of 14
A’s real input. Since A’s real input is in its view, with- which he sends to A¯. Then A′ proceeds to next out loss of generality, we assume A’s output, denoted step. Otherwise, A′ sends abort2 to TTP, outputs α, constains its real input. Therefore, P2’s output is a what A¯ outputs and halts. determinate function of A’s output, where the function – Step Sim3: A′ repeats the following procedure, is denoted Ξ, until the hash parameters and the instance vectors A¯ sends in Step R1 passes the abort1 if γ = abort1, g(α)= check. A′ records the shared randomness r˜, the γ H otherwise. ¯ ( h i messages A sends to open the chosen instance def vectors. Let h(α) = (α, λ, g(α)). Then we have Ξ: A′ rewinds A¯ to the beginning of Step R2, and k honestly follows sender’s steps until reaches Realπ, 1 ,A(zk)(1 , ~m, H) { } ≡ Step S3.3 to interact with A¯. k h(Realπ, 1 ,A(zk)(1 , ~m, H) 0 ) Note that, in each repeating Ξ, the value A com- { } h i ′ Similarly, in the ideal world, we have mits to and the randomness used to generate the commitment in Step S1 are fresh and uniformly c ′ k chosen. Idealf, 1 ,A (zk)(1 , ~m, H) = { } – Step Sim4: ′ k h(Idealf, 1 ,A (zk)(1 , ~m, H) 0 ) { } h i 1) In case r =r ˜, A′ outputs failure and halts; c We use = not here because there is a negligible 2) In case r =r ˜ i(r i =r ˜ i r i = 1 ≡ 6 ∧ ∀ h i 6 h i → h i ∧ probability that A′ outputs timeout or ambiguity , which r˜ i = 0), A′ runs from scratch; 1 h i makes h(.) undefined. 3) Otherwise, i.e., in case r =r ˜ i(r i = 0 def 6 ∧ ∃ h i ∧ k r˜ i = 1), A′ records the first one, denoted e, Let X(1 , ~m, H, zk, 1 ) = h i k { }k def of these is and proceeds to next step. Realπ, 1 ,A(zk)(1 , ~m, H) 0 , Y (1 , ~m, H, zk, 1 ) = { } h i { } ′ k Remark 14. The aim of Step Sim3 and Sim4 is to Idealf, 1 ,A (zk)(1 , ~m, H) 0 . Following equation (2), c { } def h i prepare to extract the real input of A¯. If the third X = Y . Let F = (h)k N. What is more, assume ˜ ∈ case happens, then A′ knows each entry of ~xe he that A′ runs in a strictly polynomial-time. According sees in Step Sim2 belong to L ˙ or L ¨ . What to Proposition 20 we will present in Section 7, the RΛe RΛe ˜ proposition holds. is more, ~xe is indeed a legal instance vector. This is ˜ In fact, A′ doesn’t run in strictly polynomial-time, because ~xe passes the check executed by A′ in Step 2 which results in a failure of above standard reduction. Sim3. Combing πe received in Step Sim2, A′ knows ¯ Fortunately, this difficulty can be overcome by truncating the real input of A. ¯ the rare executions of A′ which are too long, then Note that, A’s initial input is fixed by A′ in Step ¯ applying standard reduction techniques. Since the details Sim1. So receiving the same messages, A responds ¯ is the same as [26], we don’t give them here and please in the same way. Therefore, rewinding A to the see [26] for them. beginning of Step R2, sending the message sent in Step Sim2, A′ can reproduce the same scenario as he meets in Step Sim2. 5.2 In the case that P2 Is Corrupted – Step Sim5: A rewinds A¯ to the beginning of In the case that P is corrupted, A takes the full control ′ 2 Step R2 of the framework, and sends msg pre- of P in the real world. Correspondingly, A takes the 2 ′ viously recorded to A¯ in order. According to the full control of P in the ideal world. We construct A as 2′ ′ analysis of Remark 14, A can extract A¯’s real follows. ′ def input H′. A′ does so and sends H′ to TTP and Initial input: A′ holds the same k, I = 2 , z = • { } receives message ~m H′ . (zk)k N as A, and holds a uniformly distributed h i ∈ – Step Sim6: A′ constructs ~m′ as follows. For each randomness r ′ 0, 1 ∗. The parties P ′ and P A ∈ { } 2 2 i H′, ~m′ i ~m i . For each i / H′, ~m′ i U hold the same private input H. ∈ h i ← h i ∈ h i ∈ 0, 1 ∗. Playing the role of P1 and taking ~m′ as A′ works as follows. { } • his real input, A′ follows Step S3.3 to complete – Step Sim1: A′ corrupts P2′ and learns P2′’s pri- the interaction with A¯. ¯ vate input H. A′ takes A’s copy A as a subrou- – Step Sim6: When A¯ halts, A′ halts with out- tine, fixes A¯’s initial input, activates A¯, supplies putting what A¯ outputs.. A¯ H A¯ with , builds an environment for in the Note that S doesn’t simulate a situation in the real same way as A′ does in the case that P1 is world that A cheats P1 of more than h message. For- corrupted. tunately, Theorem 9 guarantees that this situation arises – P A Step Sim2: Playing the role of 1, ′ honestly ex- with probability at most 1/2polys(k) and so can be ig- ecutes the sender’s steps until reaches Step S3.3. nored. If Step S3.3 is reached, A′ records the shared randomness r and the messages, denoted msg, Proposition 15. The simulator A′ is expected polynomial- 15 time. So Proof: First, let us focus on Step Sim3. In each q =P r(C) repetition of Ξ, because of the perfectly hiding of IHC(.), =P r(B)+ P r(B¯ R = R˜) and the uniform distribution of the value A commits to, ∩ ′ + P r(B¯ i(R i =0 R˜ i = 1)) (4) the chosen instance vectors are uniformly distributed. ∩ ∃ h i ∧ h i ¯ =P r(B)+ P r(B¯) (P r(R = R˜ B¯) This lead to the probability that A passes the check in · | each repetition is the same. Denote this probability by p. + P r( i(R i =0 R˜ i = 1) B¯)) The expected time of Step Sim3 is ∃ h i ∧ h i | def K 2 def Let S1 = (r, r˜) (r, r˜) ( 0, 1 ) , r =r ˜ , S2 = ExpTime = (1/p) Time { |K 2 ∈ { } } Sim3 · Ξ (r, r˜) (r, r˜) ( 0, 1 ) , r =r, ˜ i(r i =r ˜ i r i = { | ∈ { } def 6 ∀ h i 6 h i → h i Under the same analysis, the probability that A¯ passes 1 r˜ i = 0) , S = (r, r˜) (r, r˜) ( 0, 1 K)2, r = ∧ h i } 3 { | ∈ { } 6 the check in Step Sim2 is p too. Then, the expected time r,˜ i(i [K] r i =0 r˜ i = 1) . It is easy to see that ∃ ∈ ∧ h i ∧ h i } K 2 that A′ runs once from Step Sim1 to the beginning of S , S , S constitute a complete partition of ( 0, 1 ) 1 2 3 { } Step Sim4 is and #S =2K , #S = #S = (2K 2K 2K)/2. 1 2 3 · − Because of the perfectly hiding of IHC(.), and the OncExpTimeSim1 Sim4 TimeSim1 + TimeSim2 → ≤ uniform distribution of the value A′ commits to, R and + p ExpTimeSim3 ˜ · R are all uniformly distributed. We have = TimeSim1 + TimeSim2 K 2 K P r(R = R˜ B¯) = #S1/#( 0, 1 ) =1/2 (5) + TimeΞ | { } and Second, let us focus on Step Sim4, especially the case ˜ ¯ K 2 that A needs to run from scratch. Note that the initial P r( i(R i =0 R i = 1) B) = #S3/#( 0, 1 ) ′ ∃ h i ∧ h i | { } (6) inputs A′ holds is the same in each trial. Thus the =1/2 1/2K+1 probability that A′ runs from scratch in each trial is − the same. We denote this probability by 1 q. Then Combining equation (4), (5) and (6), we have − the expected time that A′ runs from Step Sim1 to the q = P r(B)+ P r(B¯)(1/2+1/2K+1) beginning of Step Sim5 is =1/2+1/2K+1 + (1/2 1/2K+1)P r(B) (7) − ExpTimeSim1 Sim5 (1+1/q) → ≤ > 1/2 (OncExpTimeSim1 Sim4 · → Combining equation (3) and (7), we have + TimeSim4) ExpTimeA′ < 3(TimeSim1 + TimeSim2 =(1+1/q) (TimeSim1+ · + TimeΞ + TimeSim4) TimeSim2 + TimeΞ + TimeSim4) + TimeSim5 + TimeSim6 The reason there is 1 here is that A′ has to run from scratch at least one time in any case. which means the expected running time of A′ is bound The expected running time of A′ in a whole execution by a polynomial. is Lemma 16. The probability that A′ outputs failure is less K 1 ExpTimeA′ ExpTimeSim1 Sim5 + TimeSim5 than 1/2 − . ≤ → + TimeSim6 Proof: Let X be a random variable defined as the =(1+1/q) (Time + Time (3) number of the trials in a whole execution. From the proof · Sim1 Sim2 P r(X = i)= + TimeΞ + TimeSim4) of Proposition 15, we know two facts. First, i 1 i 1 (1 q) − q < 1/2 − . Second, in each trial the event A′ + TimeSim5 + TimeSim6 − outputs failure is the combined event of B¯ and R = R˜, Third, let us estimate the value of q, which is the where the combined event happens with the following probability that A′ does not run from scratch in a trial. probability. We denote this event by C. It’s easy to see that event P r(B¯ R = R˜)= P r(B¯)P r(R = R˜ B¯) P r(R = R˜ B¯) C happens, if and only if one of the following events ∩ | ≤ | happens. Combining equation (5), this probability is not more than K 1) Event B happens, where B denotes the even that 1/2 . Therefore, the probability that A′ outputs failure A′ halts before reaching Step Sim3. in a whole execution is 2) Event B¯ happens and R = R˜, where R and R˜ ∞ K ∞ i 1 respectively denotes the random variable which is P r(X = i)P r(B¯ R = R˜) < (1/2 ) 1/2 − ∩ · defined as the shared randomness A′ gets in Step i=1 i=1 X K 1 X Sim2 and Step Sim3. =1/2 − 3) Event B¯ happens and there exists i such that R i = h i 0 R˜ i =1 . ∧ h i 16
Lemma 17. The output of the adversary A in the real 6 HOW TO CONSTRUCT SPHDHCt,h EASILY world and that of the simulator A′ in the ideal world are SPHDHCt,h holds so many properties that constructing computationally indistinguishable, i.e., it from scratch is not always easy. In this section, we c k ∗ n reduce constructing SPHDHCt,h to constructing seem- Realπ, 2 ,A(zk)(1 , ~m, H) 0 k N, ~m ( 0,1 ) = { } ∈ ∈ { } ∗ { h i} H Ψ,zk 0,1 ingly simpler hash systems. A idea naturally arising is ∈ ∈{ } ′ k ∗ n that generating the instances independently in essence Idealf, 2 ,A (zk)(1 , ~m, H) 0 k N, ~m ( 0,1 ) { } ∈ ∈ { } ∗ { h i} H Ψ,zk 0,1 to obtain the required properties. We keep this idea in ∈ ∈{ } mind to proceed to construct SPHDHCt,h. Proof: First, we claim that the outputs of A′ and A¯ are computationally indistinguishable. The only point that the output of A′ is different from that of A¯ is A′ 6.1 Smoothness may outputs failure. Since the probability that this point In this section, we describe how to obtain smoothness for arises is negligible, our claim holds. a hash family. First, we introduce a lemma from [24]. Second, we claim that the outputs of A and A¯ are def k computationally indistinguishable. The only point that Lemma 19 ( [24]). Let X = X(1 ,a) k N,a 0,1 ∗ { } ∈ ∈{ } the view of A¯ is different from that of A is that the def k and Y = Y (1 ,a) k N,a 0,1 ∗ be two polynomial-time ¯ { } ∈ ∈{ } c ciphertext A receives is generated by encrypting ~m′ constructible probability ensembles, and X = Y , then not ~m. Fortunately, SPHDHCt,h’s property smoothness c guarantees that the ciphertext generated in the two X~ = Y~ way are computationally indistinguishable. Therefore, def def where X~ = X~ (1k,a) N , X~ (1k,a) = k ∗ our claim holds. { }a ∈0,1 k ∈{k } k Combining the two claims, the proposition holds. (Xi(1 ,a))i [poly(k)], each Xi(1 ,a) = X(1 ,a), def ∈ def Y~ = Y~ (1k,a) N , Y~ (1k,a) = (Y (1k,a)) , Proposition 18. In the case that P2 was corrupted, i.e., I = k ∗ i i [poly(k)] { }a ∈0,1 ∈ 2 , the equation (1) required by Definition 1 holds. k ∈{ k} k k { } each Yi(1 ,a) = Y (1 ,a), and all Xi(1 ,a), Yi(1 ,a) are Proof: Note that the honest parties P1 and P1′ end independent. up with outputting nothing. Thus, the fact that the out- def k A A Proposition 20. Let X = X(1 ,a) k N,a 0,1 ∗ and puts of ′ and are computationally indistinguishable, { } ∈ ∈{ } def k which is supported by Lemma 17, directly prove this Y = Y (1 ,a) k N,a 0,1 ∗ be two polynomial-time con- proposition holds. { } ∈ ∈{ } c def structible probability ensembles, X = Y , F = (fk)k N, ∈ fk : 0, 1 ∗ 0, 1 ∗ is polynomial-time computable, then 5.3 Other Cases { } →{ } F (X) =c F (Y ) In the case that both P1 and P2 are corrupted, A takes the full control of the two corrupted parties. In the ideal def k def where F (X) = fk(X(1 ,a)) k N,a 0,1 ∗ ,F (Y ) = world, a similar situation also holds with respect to A′, k { } ∈ ∈{ } fk(Y (1 ,a)) k N,a 0,1 ∗ . P1′ and P2′. Liking in previous cases, A′ uses A’s copy, { } ∈ ∈{ } A¯, as a subroutine and builds a simulated environment Proof: Assume the proposition is false, then there ex- ¯ ¯ for A. A′ provids A with P1′ and P2′’s initial inputs ists a non-uniform PPT distinguisher D with an infinite before A¯ engages in the protocol. When A¯ halts, A′ halts sequence z = (zk)k N, a polynomial poly(.), an infinite ∈ with outputting what A¯ outputs. Obviously, A runs in positive integer set G N such that, for each k G, it ′ ⊆ ∈ strictly polynomial-time and the equation (1) required holds that by Definition 1 holds in this case. P r(D(1k,z ,a,f (X(1k,a))) = 1) In the case that none of P1 and P2 is corrupted. The | k k − k k simulator A′ is constructed as follows. A′ uses A¯, P¯1, P r(D(1 ,z ,a,f (Y (1 ,a))) = 1) 1/poly(k) k k |≥ P¯2 as subroutines, where A¯, P¯1, P¯2, respectively, is the We construct a distinguisher D′ with an infinite se- copy of A, P1 and P2. A′ fixes A¯’s initial inputs in the quence z = (zk)k N for the ensembles X and Y as same way as in previous cases. A′ chooses an arbitrary ∈ ¯ n follows. ~m ( 0, 1 ∗) and a uniformly distributed random- k ∈ { }¯ D′(1 ,zk,a,γ): δ fk(γ), finally outputs ness r¯1 as P1’s initial inputs. A′ chooses an arbitrary k ← ¯ D(1 ,zk,a,δ). H Ψ and a uniformly distributed randomness r¯2 k k ¯∈ Obviously, D′(1 ,zk,a,X(1 ,a)) = as P2’s initial inputs. A′ actives these subroutines and k k k k ¯ ¯ D(1 ,zk,a,fk(X(1 ,a)), D′(1 ,zk,a,Y (1 ,a)) = make the communication between P1 and P2 available k k D(1 ,zk,a,fk(Y (1 ,a)). So we have to A¯. Note that, in the case that none of P1 and P2 is corrupted, what adversaries can see in real life only is the k k P r(D′(1 ,z ,a,X(1 ,a)) = 1) communication between honest parties. When A¯ halts, | k − k k ¯ P r(D′(1 ,z ,a,Y (1 ,a)) = 1) 1/poly(k) A′ halts with outputting what A outputs. Obviously, A′ k |≥ runs in strictly polynomial-time and the equation (1) c This contradicts the fact X = Y . required by Definition 1 holds in this case. 17
def k k def Lemma 21. Let = (PG,IS,DI,KG,Hash,pHash,Cheat) −−→XY = −−→XY (1 ,a) N ∗ , −−→XY (1 ,a) = • k ,a 0,1 H def k { } ∈k ∈{ } k be a Hash Family. n = h + t. For each i [2] (X1(1 ,a),...,Xpoly1(k)(1 ,a), Ypoly1(k)+1(1 ,a),..., k k k j def j k ∈ def Ypoly(k)(1 ,a)), each Xi(1 ,a) = X(1 ,a), each and j [n], Sm = Sm (1 ) k N = ∈ i { i } ∈ Y (1k,a) = Y (1k,a), poly (.) poly(.), all X (1k,a) k k N i 1 i (SmGeni(1 ) 1 ,SmGeni(1 ) 2 j ) k , where k ≤ { k h i h ih i } ∈ and Yi(1 ,a) are independent; SmGeni(1 ) is defined in Definition 4. If meets the H −−→ def −−→ k following three conditions Φ(XY ) = Φk(XY (1 ,a)) k N,a 0,1 ∗ , • { } ∈ ∈{ } 1) All random variables SmGen (1k) 2 j are indepen- −−→ k k def i h ih i XY (1 ,a) = −−→XY (1 ,a), Φ = (Φk)k N, each dent, where i [2],j [n] [h]. g g ∈ Φk is a permutation over [poly(k)]. h+1 ∈ n∈ − h+1 n 2) Sm1 = ... = Sm1 , and Sm2 = ... = Sm2 . c g h+1 h+1 Proof: In case Φk([poly1(k)]) [poly1(k)], it ob- 3) Sm1 = Sm2 . ⊆ then has property smoothness. viously holds. We proceed to prove it also holds in H case Φk([poly1(k)]) * [poly1(k)]. Assume it does not Proof: Following Lemma 19, hold in this case, then there exists a non-uniform PPT distinguisher D with an infinite sequence z = (zk)k N,a h+1 k n k ∈ (Sm1 (1 ),...,Sm1 (1 )) k N N { } ∈ polynomial poly2(.), a infinite positive integer set G c h+1 k n k ⊆ = (Sm2 (1 ),...,Sm2 (1 )) k N such that, for each k G, { } ∈ ∈ ~ def 1 k n k k k holds. Let X = (Sm1(1 ),...,Sm1 (1 )) k N, and P r(D(1 ,zk, a, −−→XY (1 ,a)) = 1) { } ∈ | ~ def 1 k n k Y = (Sm2(1 ),...,Sm2 (1 )) k N. From the defini- k −−→ k { k } ∈ P r(D(1 ,zk, a, Φk(XY (1 ,a)) = 1) tion of SmGeni(1 ), we notice that, for each j [h] − | j k j k ∈ 1/poly2(k) (8) Sm1(1 )= Sm2(1 ). So it holds that g ≥ c def X~ = Y~ V = i i [poly1(k)], Φk(i) [poly(k)] [poly1(k)] . We { | ∈ V ∈ i <− ... < i ... <} i j k list the elements of in order as 1 j #V . Since each Sm (1 ) is polynomial-time constructible, def i Let V = i ,...,i . We define the following permuta- thus bothX~ and Y~ are polynomial-time constructible. Let j { 1 j} def tions over [poly(k)]. F = (π)k N, where π Π. Following Proposition 20, we ′ ~∈ c ~ ∈ Φ0 (i)= i i [poly(k)] have F (X) = F (Y ), i.e., k ∈ 1 k n k 0 i i V Φk(V ) π(Sm1(1 ),...,Sm1 (1 )) k N Φk(i)= ∈ ∪ { } ∈ Φ (i) i [poly(k)] V Φ (V ) c 1 k n k ( k k = π(Sm2(1 ),...,Sm2 (1 )) k N ∈ − − { } ∈ k k Notice that SmGen1(1 ) 1 = SmGen2(1 ) 1 , we h i h i For j [#V ], have ∈ k k j i i (V Vj ) Φk(V Vj ), (SmGen1(1 ) 1 , π(SmGen1(1 ) 2 )) k N Φ (i)= ∈ − ∪ − { h i h i } ∈ k Φ (i) i [poly(k)] (V V ) Φ (V V ). c k k ( k j k j = (SmGen2(1 ) 1 , π(SmGen2(1 ) 2 )) k N ∈ − − − − { h i h i } ∈ ′ −−→ k 0 −−→ k That is It is easy to see that XY (1 ,a) = Φk (XY (1 ,a)) c ≡ 0 −−→ k #V k Sm1 = Sm2 Φ (XY (1 ,a)), and Φk = Φ . Since −−→XY (1 ,a) = k g k g −−→ k k c 0 −−→ k , which meets the requirement of the smoothness. XY (1 ,a), then −−→XY (1 ,a) =Φk(XY (1 ,a)). So we have Loosely speaking, following Lemma 21, given a hash g k k family , if each x¨ was sampled in an independent way gP r(D(1 ,zk, a, −−→XY (1 ,a)) = 1)g H | − and its projective key is useless to obtain the value of k −−→ k Hash(1k, Λ, x,¨ .), then is smooth. P r(D(1 ,zk, a, Φk(XY (1 ,a))) = 1) H | k 0 −−→ k = P r(D(1 ,zk, a, Φkg(XY (1 ,a))) = 1) 6.2 Hard Subset Membership | − P r(D(1k,z , a, Φ#V (XY−−→(1k,a))) = 1) (9) In this section, we deal with how to obtain hard subset k kg | membership for a hash family. Following triangle inequality, we have g def k Proposition 22. Let X = X(1 ,a) k N,a 0,1 ∗ and k 0 −−→ k { } ∈ ∈{ } P r(D(1 ,zk, a, Φ (XY (1 ,a))) = 1) def k k Y = Y (1 ,a) k N,a 0,1 ∗ be two polynomial-time con- | − { } ∈ ∈{ } c P r(D(1k,z , a, Φ#V (XY−−→(1k,a))) = 1) structible probability ensembles, and X = Y . Then k gk |≤ #V c k j 1 k −−→XY = Φ(XY−−→) P r(D(1 ,z , a, Φ −g(XY−−→(1 ,a))) = 1) | k k − j=1 −−→ X where −−→XY and Φ(XY ) are two probabilityg ensembles defined g P r(D(1k,z , a, Φj (XY−−→(1k,a))) = 1) (10) as follows. k k | g g 18
Combining equation (8) (9) (10), we have or
#V P r(D(1k,z , a, −−−−→MXY (1k,a)) = 1) k j 1 −−→ k k P r(D(1 ,zk, a, Φk− (XY (1 ,a))) = 1) | − | − k j k j=1 P r(D(1 ,z , a, Φ (XY−−→(1 ,a))) = 1) X k k | g P r(D(1k,z , a, Φj (XY−−→(1k,a))) = 1) 1/poly (k) 1/(2#V poly2(k)) (14) k k |≥ 2 g≥ · So there exists j [#V ]gsuch that holds. Without loss of generality, we assume equation ∈ (13) holds (in case equation (14) holds, the proof can be done in similar way). We can construct a distinguisher D′ k j 1 k − −−→ P r(D(1 ,zk, a, Φk (XY (1 ,a))) = 1) with an infinite sequence z = (zk)k N for the probability | − ∈ ensembles X and Y as follows. P r(D(1k,z , a, Φj (XY−−→(1k,a))) = 1) k gk k j 1 k | D′(1 ,zk,a,γ): −→xy Φk− (i) SX (1 ,a) i 1/(#V poly2(k)) (11) j 1 h ik ← ∀ ∈ ≥ · [poly1(k)], xy Φ − (i) SY (1 ,a) i [poly(k)] g −→h k i ← ∀ ∈ − j 1 j [poly1(k)] Φk(ij ) , −→xy Φk(ij) γ, finally outputs According to the definition of Φ − , Φ , the k − { } h i ← k k D(1 ,zk, a, −→xy). differences between them are the values of points k Obviously, if γ is sampled from Y (1 ,a), then −→xy is ij , Φk(ij ). Similarly, the only differences between j 1 −−→ k j 1 −−→ k j −−→ k an instance of Φk− (XY (1 ,a)); if γ is sampled from Φ − (XY (1 ,a)) and Φ (XY (1 ,a)) are the ij-th k k X(1k,a), then xy is an instance of −−−−→MXY (1k,a). So we j 1 −−→ k −→ and Φk(ij )-th entries, i.e., Φk− (XY (1 ,a)) ij = have g g g h i k j 1 k k X(1 ,a), Φ − (−−→XY (1 ,a)) Φ (i ) = Y (1 ,a), k h k j i j j g k k Φ (XY−−→(1k,a)) i = Y (1k,a) Φ (XY−−→(1k,a)) Φ (i ) = P r(D′(1 ,zk,a,X(1 ,a)) = 1) k j , k k j | − k h ig h i k k X(1 ,a). P r(D′(1 ,zk,a,Y (1 ,a)) = 1) = def k | Let g−−−−→MXY = −−−−→MXY (1 ,a) gk N,a 0,1 ∗ , where k k { } ∈ ∈{ } P r(D(1 ,zk, a, −−−−→MXY (1 ,a)) = 1) −−−−→MXY (1k,a) is defined as follows. For each d [poly(k)], | − k j 1 k ∈ P r(D(1 ,z , a, Φ − (XY−−→(1 ,a))) = 1) (15) k k | j 1 k Φ − (XY−−→(1 ,a)) d d =Φ (i ) −−−−→MXY (1k,a) d = k k j g k h i 6 Combining (13) (15), we have h i (X(1 ,a) d =Φk(ij ) g k k k P r(D′(1 ,z ,a,X(1 ,a)) = 1) The difference between −−−−→MXY (1 ,a) and | k − k k j 1 −−→ k k k P r(D′(1 ,zk,a,Y (1 ,a)) = 1) 1/(2#V poly2(k)) Φ − (XY (1 ,a)) is that −−−−→MXY (1 ,a) Φk(ij ) = X(1 ,a), |≥ · k h i j 1 −−→ k k Φ − (XY (1 ,a)) Φk(ij ) = Y (1 ,a). The difference c k g h i This contradicts the fact X = Y . Therefore, the propo- k j −−→ k between −−−−→MXY (1 ,a) and Φ (XY (1 ,a)) is that sition also holds in case Φk([poly1(k)]) * [poly1(k)] too. g k k k j −−→ k −−−−→MXY (1 ,a) ij = X(1 ,a), Φk(XY (1 ,a)) ij = k h i g h i Y (1 ,a). Following triangle inequality, we have Lemma 23. Let = (PG,IS,DI,KG,Hash,pHash,Cheat) g H def be a hash family. Let n = h + t. For each i [n], ∈ k j 1 −−→ k i def i k i k def P r(D(1 ,zk, a, Φk− (XY (1 ,a))) = 1) HSM = HSM (1 ) k N, HSM (1 ) = | − k { k } ∈ k k k (HSM1(1 ) 1 ,HSM1(1 ) i + 1 ), where HSM1(1 ) P r(D(1 ,zk, a, −−−−→MXY (1 ,a)) = 1) + h i h i g | is defined in Definition 4. If meets the following three P r(D(1k,z , a, −−−−→MXY (1k,a)) = 1) H | k − conditions, P r(D(1k,z , a, Φj (XY−−→(1k,a))) = 1) 1) All variables HSM (1k) i +1 are independent, where k k 1 h i | i [n]. k j 1 k P r(D(1 ,z , a, Φ − (XY−−→(1 ,a))) = 1) ∈ 1 h h+1 n ≥ | k k g − 2) HSM = ... = HSM , HSM = ... = HSM . 1 c h+1 k j k 3) HSM = HSM . P r(D(1 ,z , a, Φ (XY−−→(1 ,a))) = 1) (12) k kg | then has property hard subset membership. H Combining (11) (12), we know thatg def def Proof: Let π Π, X = HSM 1, Y = HSM h+1, ∈ def def k j 1 k Φ = (π)k N, poly1(.) = h, poly(.) = n. Following P r(D(1 ,z , a, Φ − (XY−−→(1 ,a))) = 1) ∈ | k k − Proposition 22, we know k k P r(D(1 ,zk, a, −−−−→MXY (1 ,a)) = 1) g | 1/(2#V poly2(k)) (13) c −−→ ≥ · −−→XY = Φ(XY )
g 19
def k That is and Sm2 = Sm2(1 ) k N defined as follows, are { } ∈ c computationally indistinguishable, i.e., Sm1 = Sm2. k k k k k ((HSM1(1 ) 1 ,HSM1(1 ) 2 ),... Sm1(1 ): Λ P G(1 ), (¨x, w¨) IS(1 , Λ, 1), h i h i ← k ← k (HSM (1k) 1 ,HSM (1k) n +1 )) =c (hk,pk) KG(1 , Λ, x¨), y Hash(1 , Λ, x,¨ hk). 1 h i 1 h i ← ← k k Finally outputs (Λ, x,pk,y¨ ). (HSM2(1 ) 1 ,HSM2(1 ) 2 ),... k k h i h i Sm2(1 ): compared with Sm1(1 ), the only difference k k (HSM2(1 ) 1 ,HSM2(1 ) n +1 )) is that y Range(Hash(1k, Λ, x,¨ .)). h i h i ∈U 3) Hard Subset Membership. Intuitively speaking, it re- where HSM (1k), HSM (1k) are taken from Definition 1 2 quires that the instances of L and that of L 4. Note that HSM (1k) 1 = HSM (1k) 1 , so R˙ Λ R¨Λ 1 h i 2 h i are computationally indistinguishable. That is, the two c def k k k k probability ensembles Hm1 = Hm1(1 ) k N and (HSM1(1 ) 1 ,HSM1(1 ) 2 ,...,HSM1(1 ) n+1 ) = ∈ h i h i h i def k { } k k k Hm2 = Hm2(1 ) k N defined as follows, are com- (HSM2(1 ) 1 ,HSM2(1 ) 2 ,...,HSM2(1 ) n +1 ) { } ∈ c h i h i h i putationally indistinguishable, i.e., Hm1 = Hm2. k k k i.e., Hm1(1 ): Λ P G(1 ), (x, ˙ w˙ ) IS(1 , Λ, 0), finally c ← ← HSM1 = HSM2 outputs (Λ, x˙). Hm (1k): Λ P G(1k), (¨x, w¨) IS(1k, Λ, 1), finally 2 ← ← , which meets the requirement of the property hard outputs (Λ, x¨). subset membership. Loosely speaking, Lemma 23 shows that, It is easy to see that the projection and smoothness are given a hash family , if random variables two contradictory properties. That is, for any instance x, H ˙ ¨ IS(1k, Λ) 1 ,...,IS(1k, Λ) n are independent, it holds at most one of the two. Therefore, RΛ RΛ = . k h i k h i ∩ ∅ IS(1 , Λ) 1 ,...,IS(1 , Λ) h sample x˙ from L ˙ h i h i RΛ Theorem 25 (reduce constructing SPHDHCt,h to con- in the same way , IS(1k, Λ) h + 1 ,...,IS(1k, Λ) n h i h i structing SPHDH). Given a SPHDH , then we can effi- sample x¨ from L ¨ in the same way, L ˙ and L ¨ H RΛ RΛ RΛ ciently gain a SPHDHCt,h . are computationally indistinguishable, then has hard H H subset membership. Proof: Let = (PG,IS,DI,KG,Hash,pHash). H First, we construct a new hash system = H (P G, IS, DI, KG, Hash, pHash, Cheat) as follows. 6.3 Reducing To Constructing Considerably Simpler The procedures P G, DI, KG, Hash, pHash directly Hash • take the corresponding procedures from . H In this section, we reduce constructing SPHDHCt,h to IS(1k, Λ): For each i [h], ~a i IS(1k, Λ, 0); for • ∈ h i ← constructing considerably simpler hash. each i [n] [h], ~a i IS(1k, Λ, 1); finally outputs ∈ − h i ← Definition 24 (smooth projective hash family that holds ~a. Cheat(1k, Λ): For each i [n], ~a i IS(1k, Λ, 0); properties distinguishability and hard subset member- • ∈ h i ← ship). = (PG,IS,DI,KG,Hash,pHash) is a smooth finally outputs ~a. H projective hash family that holds properties distinguishability Second, we prove is a SPHDHC . From the H t,h and hard subset membership (SPHDH), if and only if is construction, we know that it remains to prove that H H specified as follows holds properties smoothness, hard subset membership The algorithms P G, DI, KG, Hash, and pHash are and feasible cheating. However, this fact directly follows • Lemma 21, Lemma 23 and Lemma ??. Therefore, is a specified as same as in SPHDHCt,h’s definition, i.e., H Definition 4. SPHDHCt,h. The instance-sampler IS is a PPT algorithm that takes a Sometimes it is not easy to gain smoothness for a hash • security parameter k, a family parameter Λ, a work mode family. In this case we have to construct a hash family, δ 0, 1 as input and outputs a instance along with defined as follows, as the first step to our goal. ∈ { } k its witness (x, w), i.e., (x, w) IS(1 , Λ,δ). Definition 26 ǫ ← ˙ ¨ ( -universal projective hash family that Correspondingly, we define relations RΛ, RΛ, RΛ as holds properties distinguishability and hard subset ˙ def k ¨ def follows. RΛ = k NRang(IS(1 , Λ, 0)), RΛ = membership). = (PG,IS,DI,KG,Hash,pHash) is ∈ k ∪ def H k NRang(IS(1 , Λ, 1)), RΛ = R˙ Λ R¨Λ. a ǫ-universal projective hash family that holds properties ∪ ∈ ∪ and has the following properties distinguishability and hard subset membership (ǫ-UPHDH), H if and only if is specified as follows. 1) The properties projection and distinguishability are spec- H All algorithms are specified as same as in SPHDH’s ified as same as in SPHDHCt,h’s definition, i.e., Def- • inition 4. definition, i.e., Definition 24. 2) Smoothness. Intuitively speaking, it requires that for and has the following properties H any instance x¨ L ¨ , the hash value of x¨ is un- ∈ RΛ 1) The properties projection, distinguishability and hard obtainable unless its hash key is known. That is, the subset membership are specified as same as in Definition def k two probability ensembles Sm1 = Sm1(1 ) k N 24. { } ∈ 20
2) ǫ-universality. Intuitively speaking, it requires the 7.1.2 Detailed Construction probability of guessing the hash value of x¨ is at We now present our DDH-based instantiation of SPHDH most ǫ. That is, for any sufficiently large k, any as follows. For simplicity, we assume the groups gener- k k Λ Range(P G(1 )), any x¨ Range(IS(1 , Λ, 1)), ated by Gen(1k) is of prime order. ∈ k∈ any pk Range(KG(1 , Λ, x¨) 2 ), any y P G(1k): Λ Gen(1k), finally outputs Λ. ∈ k h i ∈ • ← Range(Hash(1 , Λ, x,¨ .)), it holds that IS(1k, Λ,δ): (g, q, ) Λ, a Z , b Z , x˙ • U q U q k a b ab ∗ ← ∈ ∈ a b c← P r(Hash(1 , Λ, x,HK¨ )= y PK = pk) ǫ (g ,g ,g ), w˙ (a,b), c U Zq, x¨ (g ,g ,g ), ← ∈ ← | ≤ w¨ (a,b), finally outputs (x, ˙ w˙ ) if δ = 0, (¨x, w¨) if where (HK,PK) KG(1k, Λ, x¨), the probability is ← ← δ =1. taken over the randomness of KG. DI(1k, Λ, x, w): (g, q, ) Λ, (α,β,γ) x, (a,b) • a ∗b ←ab ← ← Compared with SPHDH, ǫ-UPHDH relaxes the upper w, if (α,β,γ) = (g ,g ,g ) holds, then outputs 0; if (α, β) = (ga,gb) and γ = gab holds, then outputs 1. bound of the probability of guessing the hash value of 6 KG(1k, Λ, x): (g, q, ) Λ, (α,β,γ) x, u Z , x¨ to a higher value. Assume ǫ< 1, as [15], [32], we can • ∗ ← ← ∈U q v Z , pk αugv, hk γuβv, finally outputs efficiently gain a SPHDH from a ǫ-UPHDH. ∈U q ← ← (hk,pk). Theorem 27. Given a ǫ-UPHDH , where ǫ < 1, then we Hash(1k, Λ, x, hk): y hk, outputs y. H • can efficiently gain a SPHDH . k ← b H pHash(1 , Λ,x,pk,w): (a,b) w, y pk , finally e • ← ← The way to prove this theorem is to construct a outputs y. required algorithm, which can be gained by a simply Lemma 29. The hash system holds the property projection. application of the Leftover Hash Lemma (please see [39] Proof: Let (x, ˙ w˙ ) Range(IS(1k, Λ, 0)). Let for this lemma). The detailed construction essentially is ∈ (hk,pk) Range(KG(1k, Λ, x˙)). Then, the same as [15]. Considering the space, we don’t iterate ∈ it here. Hash(1k, Λ, x,˙ hk)= Hash(1k, Λ, (ga,gb,gab), (gabugbv)) Combining Theorem 25 and Theorem 27, we have the abu bv following corollary. = g g k k a b ab Corollary 28 (reduce constructing SPHDHCt,h to con- pHash(1 , Λ, x,˙ hk, w˙ )= pHash(1 , Λ, (g ,g ,g ), structing ǫ-UPHDH). Given a ǫ-UPHDH , then we can (gaugv), (a,b)) H efficiently gain a SPHDHC . abu bv t,h H = g g e That is, 7 CONSTRUCTING SPHDHCt,h k k In this section, we construct SPHDHCt,h respectively Hash(1 , Λ, x,˙ hk)= pHash(1 , Λ, x,˙ pk, w˙ ) under the lattice assumption, the decisional Diffie- Hellman assumption, the decisional N-th residuosity assumption and the decisional quadratic residuosity as- Lemma 30. Assuming DDH is a hard problem, the hash sumption. Theorem 25 and Corollary 28 show that, to system holds the property smoothness. construct a SPHDHCt,h, what we need to do is to Proof: For this system, the probability ensembles construct a SPHDH or construct a ǫ-UPHDH (ǫ< 1). Sm1, Sm2 mentioned in the definition of SPHDH can be described as follows. 7.1 A Construction Under The Decisional Diffie- Sm (1k): Λ P G(1k), (g, q, ) Λ, a Z , b Hellman Assumption • 1 ← ∗ ← ∈U q ∈U Z , c Z , x¨ (ga,gb,gc), u Z , v Z , q ∈U q ← ∈U q ∈U q 7.1.1 Background pk gau+v, hk gcu+bv, y hk. Finally outputs k ← ← ← Let Gen(1 ) be an algorithm such that randomly chooses (Λ, x,pk,y¨ ). a cyclic group and outputs the group’s description G =< Sm (1k): Operates as same as Sm (1k) with an • 2 1 g, q, >, where g, q, respectively is the generator, the exception that y is generated as follows. d Z , ∗ ∗ ∈U q order, the operation of the group. y gd. ← The DDH problem is how to construct an algorithm Because b,c,u,v are chosen uniformly and q is prime, def to distinguish the two probability ensembles DDH1 = both cu and bv are uniformly distributed over Zq. Thus k def k DDH1(1 ) k N and DDH2 = DDH2(1 ) k N which cu + bv is uniformly distributed over Zq too. Therefore, { } ∈ { } ∈ Sm Sm . are formulate as follows. 1 ≡ 2 DDH (1k): < g, q, > Gen(1k), a Z , b Z , • 1 ∗ ← ∈U q ∈U q Lemma 31. The hash system holds the property distinguisha- c ab, finally outputs (< g, q, >,ga,gb,gc). ← ∗ bility. DDH (1k): Basically operates in the same way as • 2 DDH (1k) except that c Z . The proof of this lemma is trivial, so we omit it. 1 ∈U q At present, there is no efficient algorithm solving the Lemma 32. Assuming DDH is a hard problem, the hash c problem. Therefore, it is assumed that DDH1 = DDH2. system holds the property hard subset membership. 21
Proof: For this system, the probability ensembles Definition 34 (Learning With Errors). Learning with errors Hm1, Hm2 mentioned in the definition of SPHDH can problem (LW Eq,χ) is how to construct an efficient algorithm be described as follows. that receiving q, g, m, χ, (~ai,bi)i [m], outputs ~s with nonneg- ∈ k k Hm1(1 ): Λ P G(1 ), (g, q, ) Λ, a U Zq, b U ligible probability. The input and the output is specified in the • a ←b ab ∗ ← ∈ ∈ Zq, x˙ (g ,g ,g ). Finally outputs (Λ, x˙). following way. ←k k k k k k Hm2(1 ): Λ P G(1 ), (g, q, ) Λ, a U Zq, b U q q(1 ), g g(1 ), m poly(1 ), χ χ(1 ), ~s U • ← a b c ∗ ← ∈ ∈ ←k ← ← k ← ∈ Zq, c U Zq, x¨ (g ,g ,g ). Finally outputs (Λ, x¨). (Zq) . For each i [m], ~ai U (Zq) , ei χ Zq, bi T ∈ ∈ ∈ ← ∈ c ← ~s ~ai + ei mod q. Obviously, Hm1 = Hm2. · where q,g are positive integers, χ : Z R+ is a Combining all lemmas above, we have the following q → probability density function. theorem. With respect to the hardness of LW E, [50] proves Theorem 33. Assuming DDH is a hard problem, the hash that setting appropriate parameters, we can reduce two system is a SPHDH. worst-case standard lattice problems to LW E, which means LW E is a very hard problem. n 7.1.3 A Concrete Protocol For OTh Based On DDH Lemma 35 ( [50]). Setting security parameter k to be a value It’s known that the encryption scheme presented by such that q is a prime, β β(1k), β (0, 1), and β q > [17] can be used as a perfectly binding commitment ← ∈ · 2√k. Then the lattice problems SIVP and GapSV P can scheme. The encryption scheme is directly based on the be reduced to LW E ¯ . More specifically, if there exists an problem of discrete log. Since the task of solving the q,Ψβ efficient (possibly quantum) algorithm that solves LW E ¯ , problem DDH can be reduced to that of solving the q,Ψβ then there exists an efficient quantum algorithm solving the problem discrete log, the encryption scheme is based on following worst-case lattice problems in the l norm. DDH essentially. The DDH-based commitment scheme 2 SIVP: In any lattice Λ of dimension k, find a set of k presented by [47] is a perfectly hiding one. Therefore, • using those two commitment schemes and our DDH- linearly independent lattice vectors of length within at n most O˜(k/β) of optimal. based SPHDHCt,h, we gain a concrete protocol for OT h GapSVP: In any lattice Λ of dimension m, approximate based only on DDH. To reach the best efficiency, we • the length of a shortest nonzero lattice vector to within should use the DDH of the group which is on elliptic ˜ curves. See Section 4.5 for further discussion. a O(k/β) factor. We emphasize the fact that the reduction of Lemma 35 is quantum, which implies that any algorithm breaking 7.2 A Construction Under Lattice any cryptographic schemes which only based on LW E 7.2.1 Background is an algorithm solving at least one of the problems SIVP Learning with errors (LWE) is an average-case problem. and GapSVP. [50] shows that its hardness is implied by the worst- How to precisely set the parameters as values to gain a case hardness of standard lattice problem for quantum concrete LW E, which is as hard as required in Lemma 35 algorithms. is beyond the scope of this paper. To see such examples In lattice, the modulo operation is defined as x and more details, we recommend [50] and [48]. def def SPHDH mod y = x xx/yyy. Then we know x mod 1 = The instantiation of , which we will present − LW E x xxy. Let β be an arbitrary positive real number. Let soon, needs to use a -based public key cryptosys- − tem presented by [22], which is a slight variant of [50]’s Ψβ be a probability density function whose distribution is over [0, 1) and obtained by sampling from a normal cryptosystem. This cryptosystem is described as follow. √ Message space: 0, 1 . variable with mean 0 and standard deviation β/ 2π and • { } Setup(1k): q q(1k) q P q [k2, 2k2], m reducing the result modulo 1, more specifically • ← ∧ ∈ ∧ ∈ ← (1 + ε)(k + 1) log q ( where ε > 0 is an arbitrary + ¯ Ψβ : [0, 1) R constant), χ Ψα(k) α(k) = o(1/(√k log k)) (e.g., → 1← ∧ ∞ α(k) = 2 ). para (q,m,χ), finally outputs def 1 r k 2 √k(log k) ← Ψβ(r) = exp( π( − ) ) para. β − β k m k k k= KeyGen(1 ,para): A (Z ) × , ~s (Z ) , X−∞ • ∈U q ∈U q ~e (Z )m (which means each entry of ~e is indepen- Given an arbitrary integer q 2, an arbitrary proba- ∈χ q ≥ + dently drawn from Z according to χ), ~b A~s + ~e bility destiny function φ : [0, 1) R , the discretization q ← → mod q, pubk (A,~b), sk ~s, finally outputs a of φ over Zq is defined as ← ← public-private key pair (pubk, sk). + φ¯ : Zq R Enc(.), Dec(.): Since Enc(.), Dec(.) are immaterial → • (i+1/2)/q to understand this paper, we omit their detailed def φ¯(i) = φ(x)dx procedure here. (i 1/2)/q Z − [22] shows that if LW Eq,Ψ¯ α is hard, choosing appro- LW E can be formulated as follows. priate parameters, this cryptosystem holds the following 22 properties. pair. Then, we have 1) It provides security against chosen plaintext attack, k though we only need semantic security here. Hash(1 , Λ, x,˙ hk)= a, m k 2) For each A (Zq) × , we have ∈ k m k pHash(1 , Λ, x,˙ pk, w˙ )= Dec~s(α) P r(~b is messy ~b U (Zq) ) 1 2/q , | ∈ ≥ − = Dec~s(EncA,~b(a)) where~b is said to be messy if and only if, m ,m ∀ 0 1 ∈ = a, 0, 1 , the statistical distance between the distri- { } bution of EncA,~b(m0) and that of EncA,~b(m1) is This means that for any (x, ˙ w,˙ Λ) generated by the hash negligible. In other word, ~b is said to be messy system, it holds that
if and only if, EncA,~b(.) loses messages and so its ciphertext can’t be decrypted using any private key Hash(1k, Λ, x,˙ hk)= pHash(1k, Λ, x,˙ pk, w˙ ). k ~s (Zq) . ∈ m k 3) Given A (Z ) × and its trapdoor T , ∈ q then there exists an efficient decision algorithm Lemma 37. The hash system holds the property smoothness. IsMessy holds the following two property. First, ~ ~ m P r(IsMessy(A, T, b)=0 b U (Zq) ) is negligible. Proof: For this system, the probability ensembles ~ | ∈ ~ Second, b is indeed messy if IsMessy(A, T, b)=1. Sm1, Sm2 mentioned in the definition of SPHDH can be described as follows. 7.2.2 Detailed Construction k k m k Sm (1 ): Λ P G(1 ), (q,m,χ) Λ, A (Z ) × • 1 ← ← ∈U q We now present our LWE-based instantiation of SPHDH along with its trapdoor T , uniformly chooses ~b m ∈ as follows. (Zq) such that IsMessy(A, T,~b)=1, x¨ (A,~b), k k ← P G(1 ): Λ Setup(1 ), finally outputs Λ. w¨ (1,T ), a U 0, 1 , α EncA,~b(a), pk α, • k ← m k ← ∈ { } ← ← IS(1 , Λ,b): (q,m,χ) Λ, A (Z ) × along y a (Λ, x,pk,y¨ ) • U q , finally outputs . ← ∈ k m ← k k with its trapdoor T , ~s U (Zq) , ~e χ (Zq) , Sm (1 ): Operates as same as Sm (1 ) with an ∈ ∈ • 2 1 x˙ (A, A~s + ~e mod q), w˙ (0, ~s), uniformly exception that y U 0, 1 . ← m ← ∈ { } chooses ~b (Zq) such that IsMessy(A, T,~b)=1 k k ∈ Obviously, Sm1(1 ) Sm2(1 ). (recall that only negligible fraction of ~b are not ≡ messy, therefore such ~b can be efficiently chosen) , Lemma 38. Assuming LW E is a hard problem, the hash x¨ (A,~b), w¨ (1,T ), finally outputs (x, ˙ w˙ ) if b =0, system holds the property distinguishability. ← ← (¨x, w¨) if b =1. Proof: Recalling the property of IsMessy, we know if DI(1k, Λ, x, w): (q,m,χ) Λ, (A,~b) x, (i,̺) w, • ← ← ← (A,~b) isn’t messy, IsMessy(A, T,~b)=0;if(A,~b) is messy, if i =1 and IsMessy(A, ̺,~b)=1 holds, then outputs IsMessy(A, T,~b)=1 with a probability close to 1. Thus, 1; otherwise outputs 0. if (x, w) R¨Λ, DI outputs 1; if (x, w) R˙ Λ, DI outputs KG(1k, Λ, x): (q,m,χ) Λ, (A,~b) x, a 0, 1 , ∈ ∈ • ← ← ∈U { } 0. DI correctly computes ζ. α Enc (a), hk a, pk α, finally outputs ← A,~b ← ← (hk,pk). Lemma 39. Assuming LW E is a hard problem, the hash Hash(1k, Λ, x, hk): (q,m,χ) Λ, a hk, finally system holds the property hard subset membership. • ← ← outputs a. Proof: For this system, the probability ensembles pHash(1k, Λ,x,pk,w): (m,q,χ) Λ, α pk, • ← ← Hm1, Hm2 mentioned in the definition of SPHDH can (i,̺) w, a Dec (α), finally outputs a. ← ← ̺ be described as follows. In the above construction of SPHDH, each instance k k holds a matrix A, which seems expensive. However, Hm1(1 ): Λ P G(1 ), (q,m,χ) Λ, A U • m k ← ← ∈k (Zq) × along with its trapdoor T , ~s U (Zq) , in the corresponding construction of SPHDHCt,h, this ∈ ~e (Z )m, x˙ (A, A~s + ~e mod q), finally outputs overhead can be reduced by each instance vector sharing ∈χ q ← a matrix A. We point out that it’s not secure that all (Λ, x˙). Hm (1k): Λ P G(1k), (q,m,χ) Λ, A instance vectors share a matrix A. The reason is that in • 2 U m k ← ← ∈ this case, seeing matrix A’s trapdoor T in Step S2 of (Zq) × along with its trapdoor T , uniformly ~ m ~ the framework, P can distinguish smooth instances and chooses b (Zq) such that IsMessy(A, T, b)=1, 1 ~ ∈ projective instances of the unchosen instance vectors, x¨ (A, b), finally outputs (Λ, x¨). ← c which leads to P1 deducing P2’s private input. Obviously, Hm1 = Hm2. Lemma 36. Assuming LW E is a hard problem, the hash Combining Lemma 35 and above lemmas, we have the system holds the property projection. following theorem. Proof: Let x˙ = (A,~b) Range(IS(1k, Λ, 0)), w˙ = Theorem 40. If SIVP or GapSV P is a hard problem, the ∈ (0, ~s). Obviously, ((A,~b), ~s) is a correct public-private key hash system is a SPHDH. 23
n n 7.2.3 A Concrete Protocol For OTh With Security for OTh is secure against quantum algorithms. Against Quantum Algorithms The security proof of the framework guarantees that, 7.3 A Construction Under The Decisional N-th any adversary breaking the framework is an algorithm Residuosity Assumption breaking at least one of cryptographic tools used in 7.3.1 Verifiable-ǫ-universal Projective Hash Family the framework. Moreover, it’s generally believed that In this section, we will build a instantiation of ǫ- lattice-based cryptography resists quantum attacks [41]. UPHDH (ǫ < 1) from a instantiation of a hash system Therefore, to gain an instantiation of our framework with called verifiable-ǫ-universal projective hash family by security against quantum algorithms, it suffices to adopt [32]. Therefore, it is necessary to introduce the definition lattice-based instantiations of the cryptographic tools. of this hash system. Thus, it remains to find a IHC and a IBC with such security level. Though there exists general methods to Definition 43 (verifiable-ǫ-universal projective hash fam- construct perfectly binding commitments and perfectly ily, [32]). = (PG,IS,IT,KG,Hash,pHash) is a ǫ- H hiding commitments from one-way functions (or one- universal projective hash family (ǫ-VUPH), if and only if H way permutations) (see [23] Chapter 4), the resulting is specified as follows. lattice-based commitments seem too expensive. Thus, The algorithms P G, IS, KG, Hash, pHash are speci- • other approach is needed. fied as same as in ǫ-UPHDH’s definition, i.e., Definition First, based on the result of [22], we can get a relatively 26. efficient statically binding commitment. IS is a PPT algorithm that takes a security parameter k, • Lemma 41 ( [22]). There exists an efficient algorithm for a family parameter Λ as input and outputs a tuple, i.e., (w, ˙ x,˙ x¨) IS(1k, Λ). the lattice-based cryptosystem mentioned early such that, for ← IT is a PPT algorithm that takes a security parameter k, all but at most negligible fraction of public key generated by • a family parameter Λ, two instances as input and outputs KeyGen, given a trapdoor for the matrix A, and a public key k T a bit , i.e., b IT (1 , Λ, x , x ). (A, A ~s + ~e), it can efficiently extract the unique secret key ← 1 2 and has the following properties ~s. H 1) The properties projection, ǫ-universality are specified as The lattice-based cryptosystem can be used as a stat- same as that in ǫ-UPHDH’s definition, i.e., Definition ically binding commitment in the following way. In ~ 26. commit phase, P1 sends a public key (A, b) along with 2) Verifiability. First, for any sufficiently large k, any Λ E (m) P ∈ A,~b to 2. The computationally hiding directly fol- Range(P G(1k)), any (w, ˙ x,˙ x¨) Range(IS(1k, Λ)), ∈ lows the security level of the cryptosystem. In reveal it holds that IT (1k, Λ, x,˙ x¨) = IT (1k, Λ, x,¨ x˙)= 1. phase, P1 sends the trapdoor of A, the value m, and Second, for any sufficiently large k, any (Λ, x1, x2) such the randomness used in commit phase to P2. Following k that IT (1 , Λ, x1, x2)=1, at least one of x1, x2 is ǫ- Lemma 41, almost all legitimate public keys, respectively, universal. correspond to a unique private key. This guarantees that an encryption relative to legitimate public keys have a It is easy to see that verifiability guarantees any in- unique decryption. Therefore, it holds statically binding. stance x holds at most one of the properties projec- Second, combining the works of [2], [25], [29], [40], tion and universality. Therefore, we have the following we can get a relatively efficient statically hiding com- lemma. mitment. [29] presents a efficient way to construct stati- Lemma 44. Let = (PG,IS,IT,KG,Hash,pHash) be a H cally hiding commitments from any collision-free hash. ǫ-universal projective hash family, then Assuming one of the lattice problems SIVP and SV P is hard, [25] shows that [2]’s lattice-based hash of suitably L˙ L¨ = ∩ ∅ chosen parameters is collision-free. Under the assump- ˙ def k k 2 where L = x˙ Λ P G(1 ), (w, ˙ x,˙ x¨) IS(1 , Λ) and tion that GapSV P ˜ is hard in the worst case, [40] later def { | ← ← } O(n) L¨ = x¨ Λ P G(1k), (w, ˙ x,˙ x¨) IS(1k, Λ) . also shows that the lattice-based hash is collision-free. { | ← ← } Therefore, applying [29]’s method to [2]’s hash, we get 7.3.2 Background a lattice-based statically hiding commitment. n Let Gen(1k) be an algorithm that operates as follows. Now we can gain a concrete protocol for OTh with k P P security against quantum algorithms, this is summarized Gen(1 ): (p, q) U (p, q) (p, q) ( , ),p,q > • ∈ { | ∈ by the following theorem. 2, p = q = k, gcd(pq, (p 1)(q 1)) = 1 , N pq, | | | | − − } ← finally outputs N. Theorem 42. Assuming that one of the lattice problems The problem decisional N-th residuosity (DNR), first SIVP and GapSV P is hard for quantum algorithms, n presented by [46], is how to construct an algorithm instantiating the OTh framework with the lattice-based def DNR = SPHDHCt,h, and the lattice-based commitment schemes (no to distinguish two probability ensembles 1 k def k matter the ones that are got by applying the general method DNR1(1 ) k N and DNR2 = DNR2(1 ) k N which { } ∈ { } ∈ or the ones we suggests above), the resulting concrete protocol are formulate as follows. 24
k k N DNR (1 ): N Gen(1 ), a Z∗ 2 , b a For this system, the probability ensembles Hm , Hm • 1 ← ∈U N ← 1 2 mod N 2, finally outputs (N,b). mentioned in the definition of ǫ-UPHDH can be de- k k DNR (1 ): N Gen(1 ), b Z∗ 2 , finally outputs scribed as follows. • 2 ← ∈U N (N,b). k k Hm (1 ): Λ P G(1 ), (N,g) Λ, r Z∗ , x˙ • 1 ← ← ∈U N ← The DNR assumption is that there is no efficient gr mod N 2. Finally outputs (Λ, x˙). k k algorithm solving the problem. In other words, it is Hm (1 ): Λ P G(1 ), (N,g) Λ, r, v Z∗ , c • 2 ← ← ∈U N assumed that DNR1 = DNR2. x¨ gr(1 + vN) mod N 2. Finally outputs (Λ, x¨). Our instantiation of ǫ-UPHDH is build from a DNR- ← c It is clear that Hm = Hm . Therefore, the hash system based instantiation of ε-VUPH (ε< 1) presented by [32]. 1 2 holds the property hard subset membership. The instantiation of ε-VUPH is stated as follows. k k p2 log Nq P G(1 ): N Gen(1 ), a U ZN∗ 2 , T N , • N T ← 2 ∈ ← g a · mod N , Λ (N,g), finally outputs Λ. 7.4 A Construction Under The Decisional Quadratic ← k ← r IS(1 , Λ): (N,g) Λ, r, v Z∗ , w r, x˙ g • ← ∈U N ← ← Residuosity Assumption mod N 2, x¨ x˙(1 + vN) mod N 2, finally outputs ← k (w, x,˙ x¨). We reuse Gen(1 ) defined in section 7.3.2. Let JN be k 2k IT (1 , Λ, x,˙ x¨): (N,g) Λ. Checks that N > 2 , the subgroup of Z∗ of elements with Jacobi symbol 1. • N ← 2 g, x˙ Z∗ 2 . d x/¨ x˙ mod N and checks N (d 1). The problem decisional quadratic residuosity (DQR) is ∈ N ← | − v (d 1)/N and checks gcd(v,N)=1. Outputs 1 how to construct an algorithm to distinguish the two ← − def k if all the test pass and 0 otherwise. probability ensembles DQR1 = DQR1(1 ) k N and k hk { } ∈ KG(1 , Λ): (N,g) Λ, hk U ZN 2 , pk g def k • ← ∈ ← DQR2 = DQR2(1 ) k N which are formulated as 2 { } ∈ mod N , finally outputs (hk,pk). follows. Hash(1k, Λ, x, hk): (N,g) Λ, y xhk mod N 2, • ← ← DQR (1k): N Gen(1k), x J , finally outputs finally outputs y. • 1 ← ∈U N pHash(1k, Λ,x,pk,w): (N,g) Λ, y pkw (N, x). • k k 2 2 ← ← DQR (1 ): N Gen(1 ), r Z∗ , x r mod N, mod N , finally outputs y. • 2 ← ∈U N ← finally outputs (N, x). 7.3.3 Detailed Construction The DQR assumption is that there is no efficient We now present our DNR-based instantiation of ǫ- algorithm solving the problem. That is, it is assumed c UPHDH (ǫ< 1) as follows. that DQR1 = DQR2. k k p2 log Nq P G(1 ): N Gen(1 ), a Z∗ 2 , T N , As in section 7.3, the hash system we aim to achieve • U N N T ← 2 ∈ ← g a · mod N , Λ (N,g), finally outputs Λ. is an instantiation of ǫ-UPHDH. We will build it on ← k ← r 2 IS(1 , Λ,δ): (N,g) Λ, r Z∗ , x˙ g mod N , an instantiation of ε-VUPH presented by [32] which is • U N ← ∈ r ← 2 w˙ (r, 0), v Z∗ , x¨ g (1 + vN) mod N , constructed under DQR assumption. Considering the ← ∈U N ← w¨ (r, v), finally outputs (x, ˙ w˙ ) if δ = 0, (¨x, w¨) if space, we do not iterate the instantiation of ε-VUPH ← δ =1. here, and directly present our instantiation of ǫ-UPHDH DI(1k, Λ, x, w): (N,g) Λ, (r, v) w, as follows. • ← ← 1) if v = 0 mod N, operates as follows: checks P G(1k): (p, q) (P, P), where p = q = k, p < • U 2k r ∈ | | | | plog Nq that N > 2 , g, x ZN∗ 2 , r ZN∗ , x = g q< 2p 1, p = q =3 mod4, a U ZN∗ , T 2 , 2 ∈ ∈ 2−T ∈ ← mod N . Outputs 0 if all the test pass. g a · mod N, Λ (N,g), finally outputs Λ. ← k ← r 2) if v = 0 mod N, operates as follows: checks IS(1 , Λ,δ): (N,g) Λ, r U ZN , x˙ g mod N, 6 2k r • r ← ∈ ← that N > 2 , g, x Z∗ 2 , r Z∗ , x = g (1+vn) x¨ N g mod N, w¨ r , finally outputs (x, ˙ w˙ ) ∈ N ∈ N ← − ← mod N 2. Outputs 1 if all the test pass. if δ =0, (¨x, w¨) if δ =1. k k 2 hk DI(1 , Λ, x, w): (N,g) Λ, r w; checks that N > KG(1 , Λ, x): (N,g) Λ, hk U ZN , pk g • • 2 ← ∈ ← 2k ← ← r mod N , finally outputs (hk,pk). 2 , g, x ZN∗ . Outputs 0, if x = g mod N and all ∈ r Hash(1k, Λ, x, hk): (N,g) Λ, y xhk mod N 2, the test pass. Outputs 1, if x = N g mod N and • ← ← − finally outputs y. all the test pass. k hk pHash(1k, Λ,x,pk,w): (N,g) Λ, y pkw KG(1 , Λ, x): (N,g) Λ, hk U ZN , pk g • ← ← • ← ∈ ← mod N 2, finally outputs y. mod N, finally outputs (hk,pk). Hash(1k, Λ, x, hk): (N,g) Λ, y xhk mod N, • ← ← Theorem 45. Assuming DNR is a hard problem, the hash finally outputs y. system is a ǫ-UPHDH (ǫ< 1). pHash(1k, Λ,x,pk,w): (N,g) Λ, y pkw • ← ← Proof: It is easy to see that the hash system directly mod N, finally outputs y. ε inherits properties -universality and projection from the Theorem 46. Assuming DQR is a hard problem, the hash ǫ instantiation of -VUPH. Following Lemma 44, the hash system is a ǫ-UPHDH, where ǫ< 1. system holds property distinguishability. It remains to prove that the hash system holds the property hard This theorem can be proven in a similar way in which subset membership. Theorem 45 is proven. 25
REFERENCES [27] O. Goldreich, S. Micali, and A. Wigderson. How to play any men- tal game. In Proceedings of the nineteenth annual ACM symposium [1] B. Aiello, Y. Ishai, and O. Reingold. Priced oblivious transfer: How on Theory of computing, pages 218–229. ACM, 1987. to sell digital goods. In Advances in Cryptology-Eurocrypt’2001, [28] M. Green and S. Hohenberger. Blind identity-based encryption pages 119–135. Springer, 2001. and simulatable oblivious transfer. In K. Kurosawa, editor, [2] M. Ajtai. Generating hard instances of lattice problems (extended Advances in Cryptology-Asiacrypt’2007, pages 265–282, Kuching, abstract). In Proceedings of the twenty-eighth annual ACM symposium MALAYSIA, 2007. Springer-Verlag Berlin. on Theory of computing, pages 99–108. ACM, 1996. [29] Shai Halevi and Silvio Micali. Practical and provably-secure [3] B. Barak and Y. Lindell. Strict Polynomial-time in Simulation and commitment schemes from collision-free hashing. In Neal Koblitz, Extraction. SIAM Journal on Computing, 33(4):783–818, 2004. editor, Advances in Cryptology ł CRYPTO 96, volume 1109 of [4] D. Bernstein. Proving tight security for Rabin-Williams signatures. Lecture Notes in Computer Science, pages 201–215. Springer Berlin pages 70–87. Springer, 2008. / Heidelberg, 1996. [5] D. Boneh, C. Gentry, and M. Hamburg. Space-efficient identity [30] Y. Ishai, J. Kilian, K. Nissim, and E. Petrank. Extending oblivious based encryptionwithout pairings. In Foundations of Computer transfers efficiently. In Advances in Cryptology-Crypto’03, pages Science, 2007. FOCS’07. 48th Annual IEEE Symposium on, pages 145–161. Springer. 647–657. IEEE, 2007. [6] J. Camenisch, G. Neven, and A. Shelat. Simulatable adaptive [31] Y. Ishai, M. Prabhakaran, and A. Sahai. Founding cryptography Advances in oblivious transfer. In Advances in Cryptology-Eurocrypt’2007, page on oblivious transfer - efficiently. In D. Wagner, editor, Cryptology-Crypto’2008 590. Springer-Verlag, 2007. , pages 572–591, Santa Barbara, CA, 2008. [7] R. Canetti. Security and composition of multiparty cryptographic Springer-Verlag Berlin. protocols. Journal of Cryptology, 13(1):143–202, 2000. [32] Yael Tauman Kalai. Smooth projective hashing and two-message [8] R. Canetti, I. Damgard, S. Dziembowski, Y. Ishai, and T. Malkin. oblivious transfer. In Advances in Cryptology C EUROCRYPT 2005, Adaptive versus non-adaptive security of multi-party protocols. volume 3494, pages 78–95. Springer, 2005. . Journal of Cryptology, 17(3):153–207, 2004. [33] J. Katz and Y. Lindell. Handling expected polynomial-time strate- [9] R. Canetti and M. Fischlin. Universally composable commitments. gies in simulation-based security proofs. Journal of Cryptology, In Advances in CryptologyłCRYPTO 2001, pages 19–40. Springer, 21(3):303–349, 2008. 2001. [34] J Kilian. Founding crytpography on oblivious transfer. In [10] R Canetti, O Goldreich, and S Halevi. The random oracle Proceedings of the twentieth annual ACM symposium on Theory of methodology, revisited. Journal of the ACM (JACM), 51(4):557–594, computing, pages 20–31, Inc, One Astor Plaza, 1515 Broadway, 2004. New York, NY,10036-5701, USA, 1988. ACM New York, NY, USA. [11] R. Canetti, E. Kushilevitz, and Y. Lindell. On the limitations of STOC. universally composable two-party computation without set-up [35] Gatan Leurent and Phong Nguyen. How risky is the random- assumptions. Journal of Cryptology, 19(2):135–167, 2006. oracle model? In Shai Halevi, editor, Advances in Cryptology - [12] J.L. Carter and M.N. Wegman. Universal classes of hash functions. Crypto 2009, volume 5677 of Lecture Notes in Computer Science, Journal of computer and system sciences, 18(2):143–154, 1979. pages 445–464. Springer Berlin / Heidelberg, 2009. [13] J. Cheon. Security analysis of the strong Diffie-Hellman problem. [36] A.Y. Lindell. Efficient Fully-Simulatable Oblivious Transfer. In Advances in Cryptology-EUROCRYPT 2006, pages 1–11, 2006. Topics in cryptology: CT-RSA 2008: the cryptographers’ track at the [14] R. Cramer, I. Damg˚ard, and P. MacKenzie. Efficient zero- RSA conference 2008, San Francisco, CA, USA, April 8-11, 2008: knowledge proofs of knowledge without intractability assump- proceedings, page 52. Springer-Verlag New York Inc, 2008. tions. In Public Key Cryptography, pages 354–373. Springer, 2000. [37] Y. Lindell and B. Pinkas. An Efficient Protocol for Secure Two- [15] R. Cramer and V. Shoup. Universal hash proofs and a paradigm Party Computation in the Presence of Malicious Adversaries. for adaptive chosen ciphertext secure public-key encryption. In Advances in Cryptology-Eurocrypt’2007, pages 52–78. Springer- In L. Knudsen, editor, Advances in Cryptology - Eurocrypt’2002, Verlag, 2007. pages 45–64, Amsterdam, NETHERLANDS, 2002. Springer-Verlag [38] Chi-Jen Lu. On the security loss in cryptographic reductions. In Berlin. Advances in Cryptology-Eurocrypt’2009, volume 5479, pages 72–87. [16] C. Cr´epeau. Equivalence Between Two Flavours of Oblivious Springer, 2009. Transfers. In Advances in Cryptology-Crypto’87, page 354. Springer- [39] M.G. Luby and M. Luby. Pseudorandomness and cryptographic Verlag, 1987. applications. Princeton University Press, 1996. [17] T. ElGamal. A public key cryptosystem and a signature scheme [40] D. Micciancio and O. Regev. Worst-case to average-case reduc- based on discrete logarithms. IEEE Transactions On Information tions based on Gaussian measures. SIAM Journal on Computing, Theory, 31(4):469–472, 1985. 37(1):267–302, 2008. [18] S. Even, O. Goldreich, and A. Lempel. A randomized protocol [41] Daniele Micciancio and Oded Regev. Lattice-based Cryptography, for signing contracts. Communications of the ACM, 28(6):647, 1985. pages 147–191. Springer Berlin Heidelberg, 2009. [19] S.D. Galbraith, K.G. Paterson, and N.P. Smart. Pairings for [42] M. Naor and B. Pinkas. Oblivious transfer and polynomial cryptographers. Discrete Applied Mathematics, 156(16):3113–3121, evaluation. In Proceedings of the thirty-first annual ACM symposium 2008. on Theory of computing, pages 245–254. ACM New York, NY, USA, [20] J.A. Garay, D. Wichs, and H.S. Zhou. Somewhat non-committing 1999. encryption and efficient adaptively secure oblivious transfer. In Advances in Cryptology-Crypto’2009, page 523. Springer, 2009. [43] M. Naor and B. Pinkas. Oblivious transfer with adaptive queries. [21] R. Gennaro and Y. Lindell. A framework for password-based In Advances in Cryptology-Crypto’99, pages 573–590. Springer, 1999. authenticated key exchange. ACM Transactions on Information and [44] M. Naor and B. Pinkas. Efficient oblivious transfer protocols. System Security (TISSEC), 9(2):234, 2006. In Proceedings of the twelfth annual ACM-SIAM symposium on [22] C. Gentry, C. Peikert, and V. Vaikuntanathan. Trapdoors for Discrete algorithms, page 457. Society for Industrial and Applied hard lattices and new cryptographic constructions. In Stoc’08: Mathematics, 2001. Proceedings of the 2008 Acm International Symposium on The- [45] M. Naor and B. Pinkas. Computationally secure oblivious transfer. ory of Computing, pages 197–206 798. full paper available on Journal of Cryptology, 18(1):1–35, 2005. http://eprint.iacr.org/2007/432. [46] P. Paillier. Public-key cryptosystems based on composite degree [23] O. Goldreich. Foundations of cryptography,volume 1. Cambridge residuosity classes. In J. Stern, editor, Advances in Cryptology- university press, 2001. Eurocrypt’99, volume 1592 of Lecture Notes in Computer Science, [24] O. Goldreich. Foundations of cryptography, volume 2. Cambridge pages 223–238. university press, 2004. [47] T.P. Pedersen. Non-interactive and information-theoretic secure [25] O. Goldreich, S. Goldwasser, and S. Halevi. Collision-free hashing verifiable secret sharing. In Advances in Cryptology-Crypto’1991, from lattice problems. In Electronic Colloquium on Computational volume 91, pages 129–140. Springer, 1991. Complexity (ECCC), volume 3, 1996. [48] C. Peikert, V. Vaikuntanathan, and B. Waters. A framework [26] O. Goldreich and A. Kahan. How to construct constant-round for efficient and composable oblivious transfer. In D. Wagner, zero-knowledge proof systems for NP. Journal of Cryptology, editor, Advances in Cryptology-CRYPTO’2008, pages 554–571, Santa 9(3):167–189, 1996. Barbara, CA, 2008. Springer-Verlag Berlin. 26
[49] M. Rabin. How to exchange secrets by oblivious transfer. Techni- cal report, Technical Report TR-81, Harvard Aiken Computation Laboratory, 1981, 1981. [50] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM (JACM), 56(6):34, 2009. [51] CP Schnorr. Efficient signature generation by smart cards. Journal of Cryptology, 4(3):161–174, 1991. [52] P. W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM Journal on Computing, 26(5):1484–1509, 1997. [53] P.W. Shor. Algorithms for quantum computation: Discrete log- arithms and factoring. In Annual Symposium On Foundations Of Computer Science, volume 35, pages 124–124. Citeseer, 1994. [54] P.W. Shor. Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer. SIAM review, 41(2):303–332, 1999. [55] M.N. Wegman and L. Carter. New hash functions and their use in authentication and set equality. Journal of computer and system sciences, 22(3):265–279, 1981. [56] A.C.C. Yao. How to generate and exchange secrets. In Foundations of Computer Science, 1985., 27th Annual Symposium on, pages 162– 167, 1986.