1-out-of-2: post-quantum oblivious transfer protocols based on multivariate public key cryptography

Abstract

Oblivious transfer (OT) is a fundamental cryptographic primitive. It is developed for the efficient and feasible implementation of most advanced cryptographic tasks. Today, most of the existing OT protocols’ security is based on number-theoretic assumptions. However, many number-theoretical problems are solvable by a quantum computer in polynomial time. Therefore, OT protocols with post-quantum cryptography approach are required. Multivariate cryptographic constructions are one of the potential candidates for post-quantum cryptography as they are speedy and require only modest computational resources. This paper presents constructions of OT protocols utilizing multivariate public key cryptography (MPKC). Security of our schemes is achieved under the hardness of multivariate quadratic (MQ) problem. To the best of our knowledge, our designs are the first MPKC-based post-quantum OT protocols.

Appendix I. Security model

In order to design a cryptographic scheme, it is essential to prove its security. Informally, security is an attack game played between a challenger (simulator) and an attacker (adversary). Any multi-party protocol should satisfy the following basic security requirements:

• Correctness: It ensures that an honest party receives the correct output at the end of the protocol.

• Privacy: It indicates that on completion of the protocol, each party learns whatever is prescribed in the protocol, not beyond that.

• Fairness: It ensures that a dishonest party learns its output only when the honest party learns its output.

Security model in semi-honest environment [35] A two-party protocol (\(\Omega \)) is nothing but random process executing a function \(\psi =(\psi _1,\psi _2):(\chi ,\zeta )\rightarrow (\psi _1(\chi ,\zeta ),\psi _2(\chi ,\zeta ))\). We say that the protocol \(\Omega \) is secure in semi-honest environment if whatever can be evaluated by a party after involving in the protocol, which can be obtained using its input and output. In other words the parties follow the protocol honestly, while the adversaries try to extract additional information. It is formalized with the help of a simulation paradigm. During an execution of \(\Omega \) on the input \((\chi ,\zeta )\), the view of a party \(P_i\) is denoted by \(\mathsf{View}_i^{\Omega }(\chi ,\zeta )\) and defined as \(\mathsf{View}_i^{\Omega }(\chi ,\zeta )=(\xi , r^{(i)},\eta ^{(i)}_1,...,\eta ^{(i)}_t)\), where \(\xi \in \{\chi ,\zeta \}\) represents \(P_i\)’s input, \(r^{(i)}\) denotes the outcome of \(P_i\)’s internal coin tosses and \(\eta ^{(i)}_l\) \((l=1,2,...,t)\) stands for the l-th message obtained by \(P_i\) during the computation of \(\Omega \).

Definition Appendix I..1 Security in semi-honest Model:

Let the function \(\psi =(\psi _1,\psi _2):\{0,1\}^*\times \{0,1\}^*\rightarrow \{0,1\}^*\times \{0,1\}^*\) be deterministic. Then we say that the protocol \(\Omega \) computing \(\psi \) is secure in semi-honest environment if for PPT adversaries \(\mathcal {SIM}_1\) (controlling \(P_1\)) and \(\mathcal {SIM}_2\) (controlling \(P_2\)),

$$\begin{aligned} \{\mathcal {SIM}_1(\chi , \psi _1(\chi ,\zeta ))\}_{\chi ,\zeta \in \{0,1\}^*}{\mathop {\equiv }\limits ^{c}}{\mathsf{View}_1^{\Omega }(\chi ,\zeta )}_{\chi ,\zeta \in \{0,1\}^*},\\ \{\mathcal {SIM}_2(\zeta , \psi _2(\chi , \zeta ))\}_{\chi ,\zeta \in \{0,1\}^*}{\mathop {\equiv }\limits ^{c}}{\mathsf{View}_2^{\Omega }(\chi ,\zeta )}_{\chi ,\zeta \in \{0,1\}^*}, \end{aligned}$$

where \(\{\mathcal {SIM}_1(\chi ,\psi _1(\chi ,\zeta ))\}_{\chi ,\zeta \in \{0,1\}^*}\) and \(\{\mathcal {SIM}_2(\zeta , \psi _2(\chi ,\zeta ))\}_{\chi ,\zeta \in \{0,1\}^*}\), respectively, denote the simulated views of \(P_1\) and \(P_2\), which contain input of the corresponding party, simulated random coins and simulated protocol messages obtained by the corresponding party.

Security model in malicious environment [35]: In malicious model, adversaries can behave arbitrarily and can deviate at will from the prescribed protocol. In this case, security is formalized by an ideal process. An incorruptible trusted third party (TTP) involves in the ideal process. TTP gets the inputs from the participants, evaluates the functionality on those inputs and sends outputs back to them. We say that a protocol achieves its security in malicious model if a real world adversary can be simulated by an ideal world adversary. We discuss here the security framework of a two-party protocol in the presence of malicious adversary:

The real world: A protocol \(\Omega \) is executed in the real world, where an honest party follows the instructions of \(\Omega \), while the adversary \({\mathcal {A}}_i\) (controlling \(P_i\)) can behave arbitrarily. Let \(P_1\), \(P_2\) have the private inputs \(\chi \), \(\zeta \) and \({\mathcal {A}}_i\) have auxiliary input \(\vartheta \). On completion of the protocol \(\Omega \), an honest party outputs whatever is prescribed in \(\Omega \), a corrupted party outputs nothing and an adversary outputs the available transcripts as its view. In the real world, we denote the joint output as \(\mathsf{REAL}_{\Omega ,{\mathcal {A}}_i(\vartheta )}(\chi , \zeta )\).

The ideal process: Let the ideal process adversary \(\mathcal {SIM}_i\) control \(P_i\), where \(i=1,2\). This process includes an incorruptible TTP.

• Input: Suppose \(P_1\), \(P_2\) have inputs of \(\chi \), \(\zeta \), respectively, \(\mathcal {SIM}_i\) has access to \(P_i\)’s input and auxiliary input \(\vartheta \).

• Sending inputs to TTP: An honest party always sends its real input to TTP, while a corrupted party may send arbitrary input or it can abort. Let TTP receive \(({\overline{\chi }}, {\overline{\zeta }})\), where \({\overline{\chi }},{\overline{\zeta }}\) may not be equal to \(\chi ,\zeta \) respectively. TTP sends \(\perp \) to both the parties provided one of \({\overline{\chi }},{\overline{\zeta }}\) is “abort”.

• TTP answers the adversary: TTP computes the functionality \(\psi :({\overline{\chi }}, {\overline{\zeta }})\rightarrow (\psi _1({\overline{\chi }}, {\overline{\zeta }}),\psi _2({\overline{\chi }}, {\overline{\zeta }}))\) and sends \(\psi _i({\overline{\chi }}, {\overline{\zeta }})\) to \(\mathcal {SIM}_i\), who in turn sends “abort” or “continue” to TTP.

• TTP answers the honest party: If TTP receives “continue” from \(\mathcal {SIM}_i\), then TTP sends \(\psi _j({\overline{\chi }}, {\overline{\zeta }})\) to the honest party (\(P_t,t\in \{1,2\}\setminus \{i\}\)). Otherwise, TTP sends \(\perp \) to \(P_t,t\in \{1,2\}\setminus \{i\}\).

• Output: The honest party \(P_t,t\in \{1,2\}\setminus \{i\}\) always outputs the value whatever it receives from TTP, while the corrupted party \(P_i\) outputs nothing and the adversary outputs its view. In the ideal process, we denote the joint output as \(\mathsf{IDEAL}_{\psi ,\mathcal {SIM}_i(\vartheta )}(\chi , \zeta )\).

Definition Appendix I..2 Simulatability: Suppose \(\Omega \) is a two-party protocol and \(\psi \) is the associated functionality. Then we say that \(\Omega \) is secure in malicious environment if for any PPT real world adversary \({\mathcal {A}}_i\), there is a PPT ideal process adversary \(\mathcal {SIM}_i\), such that \(\mathsf{IDEAL}_{\psi ,\mathcal {SIM}_i(Z)}(\chi , \zeta )\equiv ^c \mathsf{REAL}_{\Omega ,{\mathcal {A}}_i(\vartheta )}(\chi , \zeta )\) for each \(i=1,2\).