Abstract

We propose a postquantum universally composable (UC) cut-and-choose oblivious transfer (CCOT) protocol under the malicious adversary model. In secure two-party computation, we construct copies of garbled circuits, half of which are check circuits and half evaluation circuits. The sender transfers the garbled keys to the receiver by the CCOT protocol. Compared to the PVW-OT [5] framework, we invoke the WQ-OT [10] framework, which has a reusable common reference string (crs) and better security. Relying on the LWE assumption and the property of the rounding function, we construct a UC-CCOT protocol, which can resist quantum attacks in secure two-party computation.

1. Introduction

1.1. Background

In secure two-party computation, a sender and a receiver jointly compute the value of a function . inputs and inputs . Then, and obtain the value of . Yao's garbled circuits, used in secure two-party computation, are only secure in the semihonest adversary model, since a single garbled circuit is constructed and evaluated. For security under the malicious adversary model, we use copies of the garbled circuit together with the cut-and-choose methodology, which prevents a malicious party from cheating by constructing incorrect garbled circuits. This methodology requires constructing copies of the garbled circuit.

A secure two-party computation protocol is implemented by garbled circuits (GC). Sender and receiver jointly compute the value of by evaluating (), and the protocol must satisfy security, privacy, correctness, and independence of inputs. In 1986, Yao [1] proposed a secure two-party computation protocol, which is mainly based on GC and oblivious transfer (OT).

Yao's protocol is secure and efficient only in the semihonest adversary model; it does not achieve security in the malicious adversary model. In 1987, Goldreich, Micali, and Wigderson [2] proposed the GMW compiler, which compiles protocols secure under the semihonest adversary model into protocols secure under the malicious adversary model. Applying the GMW compiler needs a number of zero-knowledge proofs and commitments, which results in high complexity and low efficiency. Constructing universally composable (UC) protocols under the malicious adversary model is therefore of great significance in secure two-party computation.

In Yao's protocol, the sender constructs a garbled circuit with wires. Each wire corresponds to a pair of garbled keys , where represents the value carried by the wire. Sender inputs , , on its copies of input wires, and receiver inputs , on the remaining input wires. sends and to . , as the circuit evaluator, needs the garbled keys that correspond to its own input values. To compute , inputs and needs the corresponding keys on the remaining wires, i.e., needs to obtain the corresponding from . can apply an OT protocol to obtain the corresponding garbled keys without revealing its input to .

1.2. Related Work
1.2.1. Oblivious Transfer

The OT protocol, as a basic building primitive in cryptography, is of great importance in secure two-party and multiparty computation. For a better intuitive understanding of the protocol, we give a brief introduction to its ideal functionality in Figure 1.

Denote the ideal functionality by . Since the protocol runs over the Internet, we include a session identifier in the description. The functionality is realized by the interaction between the sender and the receiver . To illustrate OT's role, we present an protocol in Figure 2. The sender has two messages and . The receiver wants to obtain message , . The sender and the receiver run the protocol, after which the receiver obtains message . In this process, the sender learns nothing about the receiver's selection bit , and the receiver learns nothing about .

The OT protocol can be constructed from a public key encryption (PKE) system or from a trapdoor permutation. We consider a PKE-based OT protocol, built from the following series of PKE algorithms:

1.2.2. Cut-and-Choose Technique

To understand the importance of the cut-and-choose technique in secure two-party computation, we first give a brief description of basic Yao's protocol in Figure 3, the original secure two-party computation protocol.

Yao's protocol, used to compute the function, is secure only in the semihonest adversary model, since it evaluates a single garbled circuit. A single garbled circuit is not enough for security against a malicious adversary: if the constructor cheats by building an incorrect circuit, the cheating cannot be detected. This can be solved by applying the GMW compiler to obtain malicious security, but at the cost of extra computation.

To compute the value of correctly, it is better to construct many circuits. The circuit constructor constructs many garbled circuits and sends them to the circuit evaluator. Some circuits are used as check circuits, to verify that the garbled circuits are correctly constructed; the others are used as evaluation circuits, to evaluate the function. This technique is called the cut-and-choose methodology: the set of garbled circuits is cut in the first step, and some of them are chosen for checking in the second step.

The cut-and-choose methodology, as a tool for secure two-party computation, prevents the circuit constructor from cheating by constructing incorrect circuits. It reduces the use of zero-knowledge proofs, which improves the efficiency of secure computation protocols.

For a better understanding of this process, we give a brief description of the cut-and-choose process in Figure 4. Here, we mainly introduce the common '' methodology.

First, constructs copies of the garbled circuit and sends them to . Second, chooses circuits for checking. Denote the check-circuit set by ; it contains copies. The remaining circuits are used as evaluation circuits; denote the evaluation-circuit set by . opens the check circuits to verify the correctness of half of the circuits and then evaluates on the remaining evaluation circuits. Since some garbled circuits may still be incorrectly constructed, the evaluator takes the majority of the evaluation-circuit outputs as the value of .

When the cut-and-choose technique is applied to secure two-party computation, may carry out a selective-failure attack on . For example, supplies a correct garbled key for one value of an input wire of and an invalid key for the other; whether aborts then reveals 's input bit on that wire. The root cause of this attack is the separation between the cut-and-choose methodology and the oblivious transfer process. So it is crucial to combine cut-and-choose with the oblivious transfer protocol, which yields the protocol.

OT is a basic protocol in secure two-party computation, by which sends the garbled key for every input wire of to . If the cut-and-choose methodology is separated from the OT protocol, this separation may enable a selective-failure attack. It is therefore crucial to combine the methodology with the OT protocol, giving the cut-and-choose oblivious transfer (CCOT) protocol, which is of crucial significance for the security of secure two-party computation protocols.

1.2.3. Related Reference

OT was first proposed by Rabin [3] and is a fundamental primitive in secure two-party and multiparty computation. In secure two-party computation, the receiver obtains one of two values from the sender through the OT protocol; the receiver learns only the selected value and nothing about the other, and the sender is oblivious to 's selection bit. In 2007, Peikert and Waters [4] proposed the primitive of lossy trapdoor functions (lossy TDFs) and applied it to construct trapdoor functions. In 2008, Peikert, Vaikuntanathan, and Waters [5] proposed a framework for efficient and composable OT constructed from a dual-mode PKE system, called the PVW-OT framework. The dual-mode encryption system has a messy mode and a decryption mode (called Dec mode). However, the common reference string (crs) can only be reused with a bounded limitation. This scheme obtains only the receiver's computational security in messy mode and the sender's computational security in Dec mode; it cannot provide each party's statistical security in both modes. Peikert et al. also constructed corresponding schemes based on the DDH, QR, and LWE assumptions. The fully simulatable PVW-OT protocol is universally composable (UC) secure, so it can be securely composed with other protocols on the complex Internet. UC security was proposed by Canetti [6]; it guarantees security when many protocols are executed in parallel in a malicious adversary's environment. Some lattice-based oblivious transfer protocols have been proposed for the postquantum era; most of them are based on the LWE assumption under the semihonest, malicious, or covert adversary model [7–9].

In 2020, Quach [10] proposed a UC-secure OT protocol based on the LWE assumption and a rounding function, which can be seen as a modified PVW-OT framework, called WQ-OT. In WQ-OT, the rounding function is used to construct the UC-OT. Since the rounding function is a smooth projective hash function (SPHF), it can be applied to our scheme through the properties of its hash key and projection key. In WQ-OT, the crs can be reused an unbounded number of times, and statistical security for both the sender and the receiver is obtained in both messy mode and Dec mode.

SPHFs have a wide range of applications, such as key exchange and oblivious transfer [11, 12]. Cramer and Shoup [14] proposed universal hash proof systems in the standard model, which yield adaptive-CCA-secure public-key encryption. In 2012, Halevi and Kalai [13] proposed a two-message OT based on a modification of Cramer and Shoup's SPHF. In 2018, Benhamouda et al. [15] proposed a hash proof system (SPHF) for the language of standard LWE ciphertexts, based on the IND-CCA2 encryption of Micciancio and Peikert [16]. Before this SPHF, Katz and Vaikuntanathan [11, 17] proposed a lattice-based SPHF in the standard model, whose language is not that of standard LWE ciphertexts. Zhang and Yu [18] proposed an LWE-based SPHF in the random oracle model. Brakerski and Döttling [19] proposed a two-message OT based on the LWE assumption which guarantees the sender's statistical privacy under the malicious adversary model.

In 2007, Lindell and Pinkas [20] proposed the cut-and-choose technique for secure two-party computation under the malicious adversary model. The circuit constructor constructs copies of the GC. The circuit evaluator chooses half of the copies as check circuits and the remaining half as evaluation circuits. checks the correctness of the keys on each wire of the check circuits, and and use the remaining half of the garbled circuits to compute .

In secure two-party computation, the cut-and-choose methodology prevents a malicious adversary from cheating. As an important technique, it constrains the parties to execute the garbled-circuit protocol honestly. The constructor constructs copies of the garbled circuit, and the evaluator chooses some of them for checking. When the check circuits are correctly constructed, the evaluator uses the remaining garbled circuits as evaluation circuits to evaluate the function.

In this process, the OT protocol transfers the keys of the garbled circuit's input wires from the sender to the receiver . If cut-and-choose and OT are done separately, the overall protocol may be vulnerable to selective-failure attacks, introduced in [20, 21]. Combining cut-and-choose detection with oblivious transfer, the keys on the wires can be transferred safely between the sender (circuit constructor) and the receiver (circuit evaluator).

Lindell [22] applied the cut-and-choose methodology [20] to construct fully simulatable OT protocols. Lindell [23] then proposed a new primitive for secure two-party computation, the CCOT protocol, which avoids selective-failure attacks. After the CCOT primitive was proposed, several modified CCOT protocols were constructed, such as batch CCOT and bilateral CCOT [24–28].

Traditional protocols transfer keys or messages under number-theoretic assumptions such as DDH and QR. Classical number-theoretic assumptions cannot resist quantum attacks, so it is necessary to design postquantum cryptographic schemes. Owing to the specific linear structure of lattices, lattice-based protocols are believed to resist quantum attacks.

There exist cryptographic protocols based on lattice assumptions that resist quantum attacks through the specific construction of lattices. Worst-case to average-case reductions for lattice problems, trapdoor algorithms, and further lattice theory are covered in [29–32].

In secure two-party computation, the CCOT protocol resists attacks by a malicious adversary. For the postquantum era, a CCOT protocol based on a lattice assumption can also resist quantum attacks, so designing an LWE-based CCOT protocol is of great significance for secure two-party computation. We then expand CCOT to a batch-CCOT protocol, which can be applied to secure multiparty computation.

1.3. Our Contribution

(i) We construct a CCOT protocol based on the LWE assumption and the rounding function. Applying the WQ-OT [10] encryption scheme based on the rounding function and combining it with PVW's dual-mode framework [5], we design a UC-secure cut-and-choose OT protocol under the malicious adversary model.
(ii) Our CCOT protocol has better security properties. For a better understanding of CCOT's security, we give a security analysis under the malicious adversary's corruption in the smooth projective hash proof system, which is mainly based on the simulation proof methodology.
(iii) In our scheme, the can be reused many times, and all parties achieve statistical security. The rounding function, as a smooth projective hash function (SPHF), gives better security when transferring 's garbled keys to . Owing to the special property of the hash key and the projection key, the rounding function guarantees the CCOT protocol's correctness, privacy, and indistinguishability between Messy mode and Dec mode.
(iv) We apply the CCOT protocol to secure two-party computation based on garbled circuits.

1.4. Organization

(i) In Section 1, we give an overall introduction to the background and related work on the CCOT protocol, followed by our contribution and the paper's organization.
(ii) In Section 2, we introduce preliminaries on lattice theory and other knowledge used in the scheme's construction.
(iii) In Section 3, we introduce the basic tools applied in our scheme: the OT-oriented dual-mode encryption, which builds on Regev's encryption and the rounding function, and the cut-and-choose technique, an important methodology in secure two-party computation. The security of this dual-mode encryption framework is mostly based on the LWE assumption, with the indistinguishability between Messy mode and Dec mode based on the DLWE assumption.
(iv) In Section 4, we construct the cut-and-choose oblivious transfer (CCOT) protocol, an important protocol for secure two-party computation, and embed it into secure two-party computation. Then, we expand CCOT to BCCOT by a batch operation and embed the BCCOT protocol into secure two-party computation.

2. Preliminary

2.1. Notation

Denote by the security parameter throughout this paper; it is also the dimension of the LWE assumption. We denote a negligible function by ; it is smaller than the inverse of any polynomial , e.g. , where is a positive constant close to . Similarly, we denote by an overwhelming function. Bold lowercase letters denote vectors, e.g. , and bold uppercase letters denote matrices, e.g. . Denote and . Denote by the residue class ring of the integers modulo , and by the quotient ring , where is a prime modulus . Denote by the group of reals [0, 1) under addition modulo 1. Define as the distribution on with mean 0 and standard deviation . and denote the transpose of the vector and the matrix . Given a probability distribution , denotes sampling the variable from . Usually, denotes sampling from the uniform distribution on .

2.2. Lattice Theory

Lattice problems are believed to resist quantum attacks. Some lattice schemes rest on worst-case to average-case reductions, such as the reductions from worst-case approximate SVP problems (GapSVP/SIVP) to LWE/SIS. Considering the size of keys and ciphertexts and the structure of lattices, the LWE assumption is mostly used in key exchange (KE), oblivious transfer (OT), and public key encryption (PKE), while the SIS assumption is mostly used in signature schemes. We apply the LWE assumption to design an OT protocol.

A lattice is a discrete additive subgroup of Euclidean space. It is also a linear structure, generated by integer linear combinations of a lattice basis.

Definition 1 (LWE). The learning with errors (LWE) assumption concerns pairs produced by a randomized algorithm that outputs and , where the error is sampled from a distribution such as a discrete Gaussian or a centered binomial distribution. Under this assumption, LWE pairs are indistinguishable from the uniform distribution. Usually, we classify the LWE assumption into search-LWE (SLWE) and decision-LWE (DLWE).

Definition 2 (search-LWE). Given some LWE pairs, the probability of finding is negligible.

Definition 3 (decision-LWE). Given either LWE pairs or uniform pairs, it is hard to distinguish the LWE pairs from the uniform pairs.

Definition 4 (Gaussian probability function). A Gaussian distribution means that the variable is sampled from according to the Gaussian function. Usually, denotes the Gaussian function with mean 0 and variance .

Definition 5 (ideal lattice). An ideal lattice corresponds to an ideal of the quotient ring and has a cyclic (structured) basis. It has some advantages, such as shortening the size of keys and ciphertexts.

Definition 6 (ring-LWE). Given , a certain distribution , and output , denote by the distribution of RLWE pairs.

Definition 7 (search-RLWE). Given RLWE pairs , it is difficult to find .

Definition 8 (decision-RLWE). Let RLWE pairs be sampled from the distribution . The assumption states that is indistinguishable from the uniform distribution.
Given a lattice basis , we also define the lattice as and , and the dual lattice as .
Let be the shortest nonzero vector of the lattice , whose length is denoted .

Definition 9 (smoothing parameter [29]). Given an -dimensional lattice , a positive real , and the Gaussian function , , the smoothing parameter is the smallest satisfying .

Definition 10 (noise flooding [33]). Given two integers and , assume that is negligible compared to , satisfying . Then the following two distributions, and , are statistically indistinguishable, meaning that , .

Lemma 1 (see [31]). Given any -dimensional lattice and , obtain . For any function , there exists negligible satisfying or .

Lemma 2 (see [31]). Given , for any from , define the event and obtain . Given , for any from , obtain . So, we can obtain .
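As an added worked example (not part of the paper), the flooding bound of Definition 10 can be made explicit in the simplest bounded case. Let $e$ be uniform on the integers $\{-B,\dots,B\}$ and let $x$ be a fixed integer shift with $0 \le x \le 2B+1$. The statistical distance between $e$ and $e+x$ is

$$
\Delta(e,\,e+x)=\frac12\sum_{z\in\mathbb{Z}}\bigl|\Pr[e=z]-\Pr[e+x=z]\bigr|
=\frac12\cdot 2x\cdot\frac{1}{2B+1}=\frac{x}{2B+1},
$$

because the supports $\{-B,\dots,B\}$ and $\{-B+x,\dots,B+x\}$ each contain exactly $x$ points that the other lacks, and every such point has probability $1/(2B+1)$. Hence $e$ and $e+x$ are statistically close exactly when $x/B$ is negligible; for instance $B \ge x\cdot 2^{\lambda}$ gives $\Delta \le 2^{-\lambda}$. This is why flooding an adversarially chosen shift $x$ forces the noise, and with it the modulus $q$, to be superpolynomially larger than $x$, which is the superpolynomial modulus-to-noise ratio that Section 3.2 mentions for WQ-OT.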

3. Basic Tools

3.1. Dual-Mode PVW-PKE and Related PVW-OT Protocol
3.1.1. Dual-Mode PVW-PKE Encryption System

We introduce the dual-mode encryption cryptosystem proposed by Peikert et al., called the PVW framework [5]. This cryptosystem is usually applied to construct the protocol. It has a messy-encryption mode (Messy mode) and a decryption-encryption mode (Dec mode).

We introduce the relevant probabilistic algorithms, . In these algorithms, the message space is , and the string is common to all algorithms, so we often omit it. Next, we introduce these algorithms in Figure 5.

First, this cryptosystem is initialized by a trusted setup phase, the algorithm, which outputs a string and a trapdoor . When is uniformly distributed (), the Messy branch is invoked for encryption (). When is distributed according to a certain distribution, the decryption branch is invoked. Regarding the generation of , the defining property of the dual-mode cryptosystem is that the distributions of in the and branches are indistinguishable.

Second, we invoke the corresponding public key encryption (PKE) scheme, consisting of the , , and algorithms. In the key generation phase, input a branch parameter and output . The encrypter encrypts a message under the chosen branch ().

When , we call this the Messy mode. In this mode, the sender encrypts the message under branch , and the receiver decrypts the ciphertext under branch ; clearly the decrypter cannot obtain the message. Usually, we use the algorithm to find the messy branch.

When , we call this the Dec mode. In this mode, the sender encrypts the message under branch , and the receiver can correctly decrypt the ciphertext under the corresponding branch . In Dec mode, we apply the trapdoor key generation algorithm in the security proof. We should notice that, in the security proof, the key pair from is indistinguishable from the key pair from .

The properties of the dual-mode cryptosystem are as follows:
(1) : for any branch , the receiver correctly decrypts the ciphertext, meaning .
(2) Indistinguishability between the two modes: Messy mode and Dec mode are indistinguishable, which mainly means that and are indistinguishable.
(3) Property of Messy mode: given from and any public key (including a malformed ) from the key generation phase in this mode, invoke the algorithm to obtain the messy branch . In Messy mode, statistical security is obtained, since the ciphertext on the messy branch hides the message, meaning .
(4) Property of Dec mode: key pairs generated by are indistinguishable from key pairs generated by , meaning .

3.1.2. PVW-OT Framework

Peikert et al. proposed the protocol in Figure 6, which uses either mode of the dual-mode encryption system in the -hybrid UC model [6]. The protocol realizes the ideal functionality of Figure 1.

To achieve the messy and decryption modes, define to produce the common string, corresponding to the relevant setup algorithm.

Lemma 3 (see [5]). In the static corruption model, the protocol securely emulates the ideal functionality in the universally composable -hybrid model.

3.2. Dual-Mode WQ-PKE and Related WQ-OT Protocol

UC-OT based on the PVW framework [5] provides the sender's statistical security and the receiver's computational security in Messy mode, and the sender's computational security and the receiver's statistical security in Dec mode. Thus it provides only computational security for the receiver in Messy mode and for the sender in Dec mode. In addition, the reusability of the is bounded.

To overcome these limitations, WQ-OT uses a superpolynomial LWE modulus and a single 'short' , thereby achieving statistical security in both modes and unbounded reusability of the .

We apply the WQ-OT scheme [10] to construct our . WQ-OT is a two-round UC-OT in the common reference string () model, based on the LWE assumption with a subexponential modulus-to-noise ratio.

Because the noise flooding technique is applied to strengthen reusability and statistical security, a superpolynomial LWE modulus is needed. However, this complicates the security proof: the simulator of PVW-OT must run in polynomial time, and a direct adaptation to a superpolynomial modulus would not. To resolve this difficulty, a randomized rounding function is applied to the PKE-based framework; such a rounding function was proposed by Benhamouda et al. [15].

For the security proof, we use a hash proof system, specifically lattice-based SPHFs. We now introduce the rounding function viewed as an approximate hash proof system. Given , , , , and a vector '' close to , the prover knows and and needs to prove to the verifier that '' is the corresponding ciphertext. The verifier samples a uniformly random vector as the hash key and computes the projection key . The verifier sends the projection key to the prover, who computes the projected hash value . The verifier computes the hash value . The verifier then sends to the prover, who checks whether the two values agree, ensuring that the verifier is honest; the verifier then accepts the prover's proof. This process is zero knowledge: the prover does not reveal the secret information and .

The high probability of gives the approximate correctness property, which requires the vector '' to be close to the lattice , at distance less than . For the smoothness property of the approximate hash proof system, the point '' must be far from , at distance at least .

3.2.1. Rounding Function

We describe a suitable q-periodic rounding function as follows. Given , define the rounding function by the following two properties:
(i) : given a full-rank matrix , , for all satisfying , achieve .
(ii) : given , for all satisfying , achieve .

3.2.2. Smooth Projective Hash Function Encryption System

We apply this rounding function to our encryption system, which resembles Regev's encryption, and call the modified system the smooth encryption system. For a better understanding of its process, we introduce the encryption of a single-bit message in Figure 7.
(i) : denote by the security parameter of the whole scheme. Let the prime integer be the modulus. Let and . The distribution is a -bounded distribution (). Usually, set ; the value of is a security bound that guarantees the LWE assumption for the scheme. is negligible compared to , satisfying .
(ii) : given and , the decryption algorithm decrypts correctly with overwhelming probability.
(iii) : given and , the smooth encryption scheme based on the LWE assumption achieves the corresponding security.

3.2.3. WQ-OT Framework

We give a brief introduction to the dual-mode encryption based on the SPHF encryption system in Figure 8, which relies on the hash key and projection key of the SPHF rounding function.
(1) : given and , the scheme decrypts correctly in Dec mode.
(2) Indistinguishability between Messy mode and Dec mode: given the string , an adversary cannot distinguish Messy mode from Dec mode, implying . This follows from the indistinguishability of LWE vector pairs from uniform vector pairs.
(3) Sufficient condition for a Messy key: given a public key of the smooth encryption system satisfying , and given a full-rank uniform matrix and , when and , the public key has the Messy key property.
(4) : given parameters , , and sampled from satisfying , we obtain a messy public key with nonnegligible probability.
(5) : given and generated by , which is a full-rank matrix, invoke the algorithm, which takes the vector as input and decides the distance between and the lattice . When , it outputs a Messy public key with overwhelming probability.
(6) : given and , the scheme achieves security in Messy mode, implying .
(7) Dec: given satisfying , the scheme achieves security in Dec mode, implying the indistinguishability between generated from and generated from in the security proof.

Lemma 4 (see [10]). Under the assumption with the corresponding parameters of WQ-OT's construction, there exists a dual-mode UC-secure oblivious transfer protocol under static corruption.

4. Cut-and-Choose Oblivious Transfer

The cut-and-choose oblivious transfer () protocol can be applied to secure two-party computation, where it transfers the circuit constructor's garbled wire keys to the circuit evaluator. First, we introduce the ideal functionality of in secure two-party computation.

4.1. Ideal Function of CCOT

Lindell presented the concept of , an oblivious transfer protocol combined with a cut-and-choose index bit. We give a brief introduction to its ideal functionality . The circuit constructor constructs one garbled circuit; based on the index bit , the circuit evaluator decides whether to obtain both keys of each wire (for a check circuit) or only one of the two keys (for an evaluation circuit). When , wants to obtain both keys; when , wants to obtain one of the two keys. We give a brief introduction to the ideal functionality in Figure 9.

4.2. Construction of CCOT Protocol

Cut-and-choose oblivious transfer (CCOT) is a new primitive for secure two-party computation. For a better understanding of the role of the protocol in secure two-party computation, we give a general introduction to its construction.

First, we give the construction of the protocol for a single garbled circuit in Figure 10.

Given the setup algorithms SetupMessy and SetupDec, let be the receiver's selection bit.
(1) The receiver R is initialized with the index bit . When , R invokes the algorithm to obtain , which consists of , , , and . When , R invokes the algorithm to obtain , which consists of , , , and .
(2) R sends the relevant public key to the sender S according to the index bit. When , R sends to S. S encrypts the messages and under and . S samples and computes ; then, we obtain . Finally, S sends to R. When , R sends to S. S encrypts the messages and under and . S samples and computes ; then, we obtain . Finally, S sends to R.
(3) When , the receiver R receives from the sender S. R parses as . R invokes to obtain by computing . Finally, R obtains and . When , R receives from S. R parses as . R invokes to obtain by computing .

Lemma 5 (correctness [10]). Given and , the scheme decrypts correctly in the Dec branch.

In Dec mode, given the corresponding parameters, the receiver can correctly decrypt both ciphertexts owing to the property of the rounding function. In Messy mode, when , and the secret key can decrypt the ciphertext , while and the secret key cannot decrypt the ciphertext . When , and the secret key can decrypt the ciphertext , while and the secret key cannot decrypt the ciphertext .

The correctness of this protocol, which is similar to that of the SmoothEnc system, is shown in Table 1.

4.2.1. Security Proof

Theorem 1. Given and , the above scheme is a UC-secure CCOT protocol under static malicious corruption, assuming the hardness of learning with errors with the corresponding parameters.

We mainly consider two corruption cases: the sender is corrupted, or the receiver is corrupted. Sender is corrupted: first, consider the adversary corrupting the sender . We need to construct a simulator , which invokes the adversary on its input copies and performs the following operations.

When , run the Dec mode's setup algorithm and obtain , which is known to all parties. The honest receiver runs the algorithm to obtain and then sends and to the sender . Correspondingly, the simulator invokes the algorithm to obtain and sends to the adversary , simulating the interaction between the receiver and the adversary . Then, the simulator stores . The adversary invokes the algorithm to obtain the ciphertext and sends to the receiver . The simulator simulates this process: receives from the adversary , checks the corresponding secret keys and , and invokes the algorithm to obtain , . The simulator sends to the ideal functionality . The receiver obtains the corresponding message based on the mode index and the selection bit .

Receiver is corrupted: the adversary corrupts the receiver , and we need to construct a simulator that simulates the interaction between the adversary and the sender .

When , run the Messy mode's setup algorithm to obtain , which is known to all parties; note that is uniformly distributed. The honest sender interacts with the corrupted by the adversary . The adversary chooses a selection bit and invokes the algorithm to obtain , which is sent to the sender . The simulator invokes to obtain the messy branch . Then, the simulator sends to the ideal functionality of and receives the corresponding message . The simulator then simulates the interaction between and .

First, computes and . Second, sends to the adversary as if it came from the sender . Finally, the adversary decrypts with the corresponding secret key . By the LWE assumption and the property of Messy mode, the adversary cannot obtain the message on the messy branch.

4.3. Ideal Function of BCCOT

In secure two-party computation, the garbled circuits' constructor constructs many copies of the circuit, which guards against the construction of an incorrect circuit. Let be the garbled-circuit parameter. constructs copies of the circuit; half of them are used for checking and the other half for evaluation. After all check circuits pass, the remaining half are used to evaluate . Since some garbled circuits may still be incorrectly constructed by , we adopt the majority value of . For the circuit parameter , we introduce the ideal functionality of 'batch cut-and-choose' oblivious transfer in Figure 11. In the special case , , the receiver obtains , which is the single-choice functionality.
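The half-check, half-evaluate, majority-output rule used here and in Section 1.2.2 is a statistical argument, and a practitioner sizing the circuit parameter wants the actual cheating probability. The following Python code is an added example (not from the paper) that computes it exactly: a constructor who corrupts k of the s circuits wins only if no corrupted circuit lands in the check set and the corrupted circuits form a majority of the evaluation set, so the probability is C(s-k, s/2)/C(s, s/2) for a majority-sized k. The Monte-Carlo function cross-checks the closed form, and circuits_needed searches for the smallest even s meeting a target error. Function names and the choice of exactly s/2 check circuits are assumptions of this example.

```python
"""Cut-and-choose cheating probability with half check / half evaluation and
majority output (added example, not the paper's code)."""
import random
from math import comb


def undetected_cheat_prob(s, k):
    """Exact probability that k corrupted circuits out of s (a) all escape the
    s//2 check circuits and (b) form a majority of the evaluation circuits,
    so that the majority output is the constructor's choice."""
    n_check = s // 2
    n_eval = s - n_check
    if 2 * k <= n_eval:   # not a majority of the evaluation set: majority vote survives
        return 0.0
    if k > n_eval:        # some corrupted circuit is necessarily opened and caught
        return 0.0
    # The check set must be drawn entirely from the s-k honest circuits.
    return comb(s - k, n_check) / comb(s, n_check)


def best_cheat_prob(s):
    """Constructor's best strategy: the smallest k that is still a majority of the evaluation set."""
    return max(undetected_cheat_prob(s, k) for k in range(1, s + 1))


def circuits_needed(sec_bits):
    """Smallest even s such that best_cheat_prob(s) <= 2^-sec_bits."""
    s = 2
    while best_cheat_prob(s) > 2.0 ** -sec_bits:
        s += 2
    return s


def simulate(s, k, trials, seed=0):
    """Monte-Carlo cross-check of undetected_cheat_prob (constructed random trials)."""
    rng = random.Random(seed)
    n_check = s // 2
    n_eval = s - n_check
    wins = 0
    for _ in range(trials):
        corrupted = set(rng.sample(range(s), k))
        check = set(rng.sample(range(s), n_check))
        if not (corrupted & check) and 2 * k > n_eval:
            wins += 1
    return wins / trials


if __name__ == "__main__":
    for s in (10, 20, 40, 80):
        print(f"s={s:3d}  best undetected cheating probability = {best_cheat_prob(s):.3e}")
    print("smallest even s for a 2^-40 error:", circuits_needed(40))
    print("simulation s=4, k=2:", simulate(4, 2, 20000), "exact:", undetected_cheat_prob(4, 2))
```

The closed form shows why the number of circuits must grow linearly with the desired statistical security: corrupting fewer than a majority of the evaluation circuits is harmless because of the majority vote, and corrupting a majority means every corrupted circuit must dodge the check set at once.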

4.4. Construction of BCCOT Protocol

Since copies of garbled circuits are used in secure two-party computation based on the protocol, can be regarded as a series of oblivious transfer protocols, which can be implemented by a batch operation.

First, we give the construction of the protocol for copies of garbled circuits in Figure 12. The sender constructs copies of the garbled circuit. Each circuit has input wires, half of them for 's input and the other half for 's input. When all selection bits and , the receiver obtains in every circuit.

Data Availability

The performance test data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work was funded by China Scholarship Council (no. 202006220176) and was supported in part by the National Natural Science Foundation of China, under Grant 61632020, Science and Technology Innovation Base Special Project of Provincial Software Engineering Key Laboratory, under Grant 11480004042015, and Development and Construction Funds Project of National Independent Innovation Demonstration Zone in Shandong Peninsula, under Grant S190101010001.