12 research outputs found
Generic Construction of UC-Secure Oblivious Transfer
International audienceWe show how to construct a completely generic UC-secure oblivious transfer scheme from a collision-resistant chameleon hash scheme (CH) and a CCA encryption scheme accepting a smooth projective hash function (SPHF). Our work is based on the work of Abdalla et al. at Asiacrypt 2013, where the authors formalize the notion of SPHF-friendly commitments, i.e. accepting an SPHF on the language of valid commitments (to allow implicit decommitment), and show how to construct from them a UC-secure oblivious transfer in a generic way. But Abdalla et al. only gave a DDH-based construction of SPHF-friendly commitment schemes, furthermore highly relying on pairings. In this work, we show how to generically construct an SPHF-friendly commitment scheme from a collision-resistant CH scheme and an SPHF-friendly CCA encryption scheme. This allows us to propose an instanciation of our schemes based on the DDH, as efficient as that of Abdalla et al., but without requiring any pairing. Interestingly, our generic framework also allows us to propose an instantiation based on the learning with errors (LWE) assumption. For the record, we finally propose a last instanciation based on the decisional composite residuosity (DCR) assumption
A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM
Oblivious Transfer (OT) is a fundamental cryptographic protocol that finds a
number of applications, in particular, as an essential building block for
two-party and multi-party computation. We construct a round-optimal (2 rounds)
universally composable (UC) protocol for oblivious transfer secure against
active adaptive adversaries from any OW-CPA secure public-key encryption scheme
with certain properties in the random oracle model (ROM). In terms of
computation, our protocol only requires the generation of a public/secret-key
pair, two encryption operations and one decryption operation, apart from a few
calls to the random oracle. In~terms of communication, our protocol only
requires the transfer of one public-key, two ciphertexts, and three binary
strings of roughly the same size as the message. Next, we show how to
instantiate our construction under the low noise LPN, McEliece, QC-MDPC, LWE,
and CDH assumptions. Our instantiations based on the low noise LPN, McEliece,
and QC-MDPC assumptions are the first UC-secure OT protocols based on coding
assumptions to achieve: 1) adaptive security, 2) optimal round complexity, 3)
low communication and computational complexities. Previous results in this
setting only achieved static security and used costly cut-and-choose
techniques.Our instantiation based on CDH achieves adaptive security at the
small cost of communicating only two more group elements as compared to the
gap-DH based Simplest OT protocol of Chou and Orlandi (Latincrypt 15), which
only achieves static security in the ROM
On the security of data markets: controlled Private Function Evaluation
The income of companies working on data markets steadily grows year by year. Private function evaluation (PFE) is a valuable tool in solving corresponding security problems. The task of Controlled Private Function Evaluation (CPFE) and its relaxed version (rCPFE) was proposed in [11]. We define an ideal functionality for the latter task and present a UC-secure realization of the functionality against static malicious parties. The core primitive is functional encryption (FE) and essentially this determines the conditions of realizability. Accordingly, in the case of non-adaptive FE-setting secure realization of the ideal functionality is achievable in the standard model, otherwise, accessibility of random oracle is required
On the Security of Data Markets and Private Function Evaluation
The income of companies working on data markets steadily grows year by year. Private function evaluation (PFE) is a valuable tool in solving corresponding security problems. The task of Controlled Private Function Evaluation and its relaxed version was introduced in [Horvath et.al., 2019]. In this article, we propose and examine several different approaches for such tasks with computational and information theoretical security against static corruption adversary. The latter level of security implies quantum-security. We also build known techniques and constructions into our solution where they fit into our tasks. The main cryptographic primitive, naturally related to the task is 1-out-of-n oblivious transfer. We use Secure Multiparty Computation techniques and in one of the constructions functional encryption primitive. The analysis of the computational complexity of the constructions shows that the considered tasks can efficiently be implemented, however it depends on the range of parameter values (e.g. size of database, size of the set of permitted function), the execution environment (e.g. concurrency) and of course on the level of security
Post-Quantum UC-Secure Oblivious Transfer in the Standard Model with Adaptive Corruptions
Since the seminal result of Kilian, Oblivious Transfer has proven to be a
fundamental primitive in cryptography. In such a scheme, a user is able
to gain access to an element owned by a server, without learning more than
this single element, and without the server learning which element the user
has accessed. This primitive has received a lot of study in the literature,
among which very few schemes are based on lattices.
The recent NIST call for post-quantum encryption and signature
schemes has revived the interest for cryptographic protocols based on
post-quantum assumptions and the need for a secure post-quantum
oblivious transfer scheme.
In this paper, we show how to construct an oblivious transfer
scheme based on lattices, from a collision-resistant chameleon hash
scheme (CH) and a CCA encryption scheme accepting a smooth projective
hash function (SPHF). Note that our scheme does not rely on random
oracles and provides UC security against adaptive corruptions assuming
reliable erasures
New Smooth Projective Hashing For Oblivious Transfer
Oblivious transfer is an important tool against malicious cloud server providers. Halevi-Kalai OT, which is based on smooth projective hash(SPH), is a famous and the most efficient framework for -out-of- oblivious transfer (\mbox{OT}^{2}_{1}) against malicious adversaries in plain model. A natural question however, which so far has not been answered, is whether its security level can be improved, i.e., whether it can be made fully-simulatable.
In this paper, we press a new SPH variant, which enables a positive answer to above question. In more details, it even makes fully-simulatable \mbox{OT}^{n}_{t} ( and ) possible. We instantiate this new SPH variant under not only the decisional Diffie-Hellman assumption, the decisional -th residuosity assumption and the decisional quadratic residuosity assumption as currently existing SPH constructions, but also the learning with errors (LWE) problem. Before this paper, there is a folklore that it is technically difficult to instantiate SPH under the lattice assumption (e.g., LWE). Considering quantum adversaries in the future, lattice-based SPH makes important sense
Efficient, Adaptively Secure, and Composable Oblivious Transfer with a Single, Global CRS
We present a general framework for efficient, universally composable oblivious transfer (OT) protocols in which a single, global, common reference string (CRS) can be used for multiple invocations of oblivious transfer by arbitrary pairs of parties. In addition: • Our framework is round-efficient. E.g., under the DLIN or SXDH assumptions we achieve round-optimal protocols with static security, or 3-round protocols with adaptive security (assuming erasure). • Our resulting protocols are more efficient than any known previously, and in particular yield protocols for string OT using O(1) exponentiations and communicating O(1) group elements. Our result improves on that of Peikert et al. (Crypto 2008), which uses a CRS whose length depends on the number of parties in the network and achieves only static security. Compared to Garay et al. (Crypto 2009), we achieve adaptive security with better round complexity and efficiency
Efficient, Adaptively Secure, and Composable Oblivious Transfer with a Single, Global CRS
We present a general framework for efficient, universally composable oblivious transfer (OT)
protocols in which a single, global, common reference string (CRS) can be used for multiple
invocations of oblivious transfer by arbitrary pairs of parties. In addition:
- Our framework is round-efficient. E.g., under the DLIN or SXDH assumptions we achieve
round-optimal protocols with static security, or 3-round protocols with adaptive security
(assuming erasure).
- Our resulting protocols are more efficient than any known previously, and in particular
yield protocols for string OT using O(1) exponentiations and communicating O(1) group
elements.
Our result improves on that of Peikert et al. (Crypto 2008), which uses a CRS whose length
depends on the number of parties in the network and achieves only static security. Compared
to Garay et al. (Crypto 2009), we achieve adaptive security with better round complexity and
efficiency
On the (Ir)Replaceability of Global Setups, or How (Not) to Use a Global Ledger
In universally composable (UC) security, a global setup is intended to capture the ideal behavior of a primitive which is accessible by multiple protocols, allowing them to share state. A representative example is the Bitcoin ledger. Indeed, since Bitcoin---and more generally blockchain ledgers---are known to be useful in various scenarios, it has become increasingly popular to capture such ledgers as global setup. Intuitively, one would expect UC to allow us to make security statements about protocols that use such a global setup, e.g., a global ledger, which can then be automatically translated into the setting where the setup is replaced by a protocol implementing it, such as Bitcoin.
We show that the above reasoning is flawed and such a generic security-preserving replacement can only work under very (often unrealistic) strong conditions on the global setup and the security statement.
For example, the UC security of Bitcoin for realizing a ledger proved by Badertscher et al. [CRYPTO\u2717] is not sufficient per se to allow us to replace the ledger by Bitcoin when used as a global setup. In particular, we cannot expect that all security statements in the global ledger-hybrid world would be preserved when using Bitcoin as a ledger.
On the positive side, we provide characterizations of security statements for protocols that make use of global setups, for which the replacement is sound. Our results can be seen as a first guide on how to navigate the very tricky question of what constitutes a ``good\u27\u27 global setup and how to use it in order to keep the modular protocol-design approach intact
On Black-Box Complexity of Universally Composable Security in the CRS model
In this work, we study the intrinsic complexity of black-box Universally Composable (UC) secure computation based on general assumptions. We present a thorough study in various corruption modelings while focusing on achieving security in the common reference string (CRS) model. Our results involve the following:
1. Static UC secure computation. Designing the first static UC oblivious transfer protocol based on public-key encryption and stand-alone semi-honest oblivious transfer. As a corollary we obtain the first black-box constructions of UC secure computation assuming only two-round semi-honest oblivious transfer.
2. One-sided UC secure computation. Designing adaptive UC two-party computation with single corruptions assuming public-key encryption with oblivious ciphertext generation.
3. Adaptive UC secure computation. Designing adaptively secure UC commitment scheme assuming only public-key encryption with oblivious ciphertext generation. As a corollary we obtain the first black-box constructions of adaptive UC secure computation assuming only (trapdoor) simulatable public-key encryption (as well as a variety of concrete assumptions).
We remark that such a result was not known even under non-black-box constructions