A Black-Box Construction of Fully-Simulatable, Round-Optimal Oblivious Transfer from Strongly Uniform Key Agreement

Abstract

We show how to construct maliciously secure oblivious transfer (M-OT) from a strengthening of key agreement (KA) which we call strongly uniform KA (SU-KA), where the latter roughly means that the messages sent by one party are computationally close to uniform, even if the other party is malicious. Our transformation is black-box, almost round preserving (adding only a constant overhead of up to two rounds), and achieves standard simulation-based security in the plain model.

As we show, 2-round SU-KA can be realized from cryptographic assumptions such as low-noise LPN, high-noise LWE, Subset Sum, DDH, CDH and RSA—all with polynomial hardness—thus yielding a black-box construction of fully-simulatable, round-optimal, M-OT from the same set of assumptions (some of which were not known before).

D. Friolo and D. Venturi—Supported in part by the research projects “PRIvacy-preserving, Security, and MAchine-learning techniques for healthcare applications (PRISMA)” and “Protect yourself and your data when using social networks”, both funded by Sapienza University of Rome, and in part by the MIUR under grant “Dipartimenti di eccellenza 2018–2022” of the Computer Science Department of Sapienza University of Rome.

D. Masny—Part of the work was done at UC Berkeley, funded by the Center for Long-Term Cybersecurity (CLTC, UC Berkeley).

Keywords

1 Introduction

Oblivious transfer (OT) is a very simple functionality between two parties: a sender with input two strings \((s_0,s_1)\), and a receiver with input a choice bit b; the output for the receiver equals \(s_b\), while the sender learns nothing (i.e., the receiver’s choice bit remains hidden) [15, 51]. The standard security definition for OT compares an execution of the protocol in the real world—where either the sender or the receiver might act maliciously—with an execution in the ideal world where a trusted third party simply implements the above functionality. Following previous work, we call “fully simulatable” an OT protocol that meets this notion.

Surprisingly, OT turned out to be sufficient for constructing secure multi-party computation (MPC) for arbitrary functionalities [6, 20, 32, 33, 38, 53, 54]. For this reason, constructing OT has been an important objective and received much attention. Nevertheless, previous constructions of fully-simulatable OT suffer from diverse shortcomings (cf. also Sect. 1.4): (i) They require trusted setup, or are based on random oracles (as, e.g., in [34, 50]); (ii) They have high round complexity (as, e.g., in [27]), while the optimal number of rounds would be 4 [19, 32]; (iii) They are non-black-box, in that they are obtained by generically transforming semi-honestly secure OT (SH-OT)—which in turn can be constructed from special types of PKE [21]—to fully-simulatable OT via (possibly interactive) zero-knowledge proofs (á la GMW [22]); (iv) They are tailored to specific hardness assumptions (as, e.g., in [7, 41]).

One exception is the work of Ostrovsky, Richelson and Scafuro [49], that provide a black-box construction of 4-round, fully-simulatable OT in the plain model from certified trapdoor permutations (TDPs) [5, 10, 45], which in turn can be instantiated from the RSA assumption under some parameter regimes [10, 35]. This draws our focus to the question:

1.1 Our Contribution

We give a positive answer to the above question by leveraging a certain type of key agreement (KA) protocols, which intuitively allow two parties to establish a secure channel in the presence of an eavesdropper. The influential work by Impagliazzo and Rudich [31] showed a (black-box) separation between secret-key cryptography and public-key cryptography and KA. Ever since, it is common sense that public-key encryption (PKE) requires stronger assumptions than the existence of one-way functions, and thus secure KA is the weakest assumption from which public-key cryptography can be obtained. More recent research efforts have only provided further confidence in this conviction [18].

In more details, our main contribution is a construction of fully-simulatable OT (a.k.a. maliciously secure OT, or M-OT) from a strengthening of KA protocols, which we term strongly uniform (SU); our protocol is fully black-box and essentially round-preserving, adding only a constant overhead of at most two rounds. In particular, we show:

Theorem 1

For any odd , with \(t>1\), there is a black-box construction of a \((t+1)\)-round, fully-simulatable oblivious transfer protocol in the plain model, from any \(t\)-round strongly uniform key agreement protocol and a perfectly binding commitment scheme.¹

Since, as we show, 2-round and 3-round SU-KA can be instantiated from several assumptions, including low-noise (ring) LPN, high-noise (ring) LWE, Subset Sum, CDH, DDH, and RSA—all with polynomial hardness—a consequence of our result is that we obtain round-optimal M-OT in the plain model under the same set of assumptions (in a black-box way). In particular, this yields the first such protocols from LPN, LWE (with modulus noise ratio \(\sqrt{n}\)), CDH, and Subset Sum.² Note that our LWE parameter setting relates to an approximation factor of \(n^{1.5}\) for SIVP in lattices of dimension n [52], which is the weakest LWE assumption known to imply PKE.

In our construction, we use a special kind of “commit-and-open” protocols which were implicitly used in previous works [39, 49]. As a conceptual contribution, we formalize their security properties, which allows for a more modular presentation and security analysis.

1.2 Technical Overview

We proceed to a high level overview of the techniques behind our main result, starting with the notion of strong uniformity and the abstraction of commit-and-open protocols, and landing with the intuition behind our construction of M-OT (cf. Fig. 1).

Strong Uniformity. As an important stepping stone to our main result, in Sect. 3, we introduce the notion of strong uniformity. Recall that a KA protocol allows Alice and Bob to share a key over a public channel, in such a way that the shared key is indistinguishable from uniform to the eyes of a passive eavesdropper. Strong uniformity here demands that, even if Bob is malicious, the messages sent by Alice are computationally close to uniform over an efficiently sampleable group.³ This flavor of security straightforwardly translates to SH-OT and PKE, yielding so-called SUSH-OT and SU-PKE. In the case of SUSH-OT, it demands that all messages of the receiver have this property (even if the sender is malicious). For SU-PKE, we distinguish two types, which are a strengthening of the types defined by Gertner et al. [21].⁴

• Type-A PKE: The distribution of the public key is computationally indistinguishable from uniform. This type of PKE is known to exist under DDH [17] and CDH [24] over efficiently sampleable groups,⁵ LWE [52], low-noise LPN [2], and Subset Sum [46].

• Type-B PKE: The encryption of a uniformly random message w.r.t. a maliciously chosen public key is computationally close to the uniform distribution over the ciphertext space. This type of PKE is harder to obtain, and can be constructed from enhanced certified TDPs, and from CDH and DDH over efficiently sampleable groups. In case of a TDP f, a ciphertext has the form , where h is a hardcore predicate for f, and r is a random element from the domain of f. Under CDH or DDH, a ciphertext is defined as \(g^r\) and \(h(g^{xr})\cdot m\), \(g^{xr}\cdot m\) respectively, where \(g^r\) is a uniform group element, and \(g^x\) is the public key. Clearly, for a uniform message \(m\), these ciphertexts are uniform even under maliciously chosen public keys.

Fig. 1.

Overview over equivalence and implications of the notion of strong uniformity. The value denotes the round complexity. \(^\dag \) This holds over efficiently sampleable groups. \(^\ddag \) We need an enhanced certified TDP.

In Sect. 3, we show that SU Type-A and SU Type-B PKE imply, respectively, 2-round and 3-round SU-KA, whereas 2-round SU-KA implies SU Type-A PKE. Further, we prove that SU-KA is equivalent to SUSH-OT. The latter implies that strong uniformity is a sufficiently strong notion to bypass the black-box separation between OT and KA, in a similar way as Type-A and Type-B PKE bypass the impossibility of constructing OT from PKE [21].

Commit-and-Open Protocols. A 1-out-of-2 commit-and-open (\( \text {C} \& \text {O}\)) protocol is a 3-round protocol with the following structure: (1) In the first round, the prover, with inputs two messages \(m _0,m _1\) and a bit d, sends a string \({\gamma }\) (called “commitment”) generated with \(m _d\) but independent of \(m _{1-d}\) to the verifier; (2) In the second round, the verifier sends a value \({\beta }\) to the prover (called “challenge”); (3) In the third round, the prover sends a tuple \((\delta ,m _0,m _1)\) to the verifier (called “opening”). Security requires two properties. The first property, called existence of a committing branch, demands that a malicious prover must be committed to at least one message, i.e. \(m _d\), already after having sent \({\gamma }\). The second property, called committing branch indistinguishability, asks that a malicious verifier cannot learn the committing branch, i.e. d, of an honest prover.

A construction of \( \text {C} \& \text {O}\) protocols for single bits is implicit in Kilian [39]. This has been extended to strings by Ostrovsky et al. [49]. Both constructions make black-box use of a statistically binding commitment scheme, and allow a prover to equivocally open one of the messages.

M-OT from SUSH-OT: A Warm Up. In order to explain the main ideas behind our construction of M-OT, we describe below a simplified version of our protocol for the special case of \(t= 2\), i.e. when starting with a 2-round SUSH-OT \((\mathsf {S}',\mathsf {R}')\); here, we denote with \(\rho \) the message sent by the receiver, and with \(\sigma \) the message sent by the sender, and further observe that for the case of 2 rounds the notion of strong uniformity collapses to standard semi-honest security with the additional property that the distribution of \(\rho \) is (computationally close to) uniform to the eyes of an eavesdropper. We then construct a 4-round OT protocol \((\mathsf {S},\mathsf {R})\), as informally described below:

1. 1.

   (\(\mathsf {R}\rightarrow \mathsf {S}\)): The receiver picks a uniformly random value \(m _{1-b}\in \mathcal {M} \), where b is the choice bit, and runs the prover of the \( \text {C} \& \text {O}\) protocol upon input \(m _{1-b}\), obtaining a commitment \({\gamma }\) that is forwarded to the sender.

2. 2.

   (\(\mathsf {S}\rightarrow \mathsf {R}\)): The sender samples a challenge \({\beta }\) for the \( \text {C} \& \text {O}\) protocol, as well as uniformly random elements \(r_0,r_1\in \mathcal {M} \). Hence, it forwards \(({\beta },r_0,r_1)\) to the receiver.

3. 3.

   (\(\mathsf {R}\rightarrow \mathsf {S}\)): The receiver runs the receiver \(\mathsf {R}'\) of the underlying 2-round OT protocol with choice bit fixed to 0, obtaining a value \(\rho _{b}\) which is used to define the message \(m _b = \rho _{b} - r_b\) required to complete the execution of the \( \text {C} \& \text {O}\) protocol in the non-committing branch b. This results in a tuple \((\delta ,m _0,m _1)\) that is forwarded to the sender.

4. 4.

   (\(\mathsf {S}\rightarrow \mathsf {R}\)): The sender verifies that the transcript \(T = ({\gamma },{\beta },(\delta ,m _0,m _1))\) is accepting for the underlying \( \text {C} \& \text {O}\) protocol. If so, it samples \(u_0,u_1\in \mathcal {M} \) uniformly at random, and runs the sender \(\mathsf {S}'\) of the underlying 2-round OT protocol twice, with independent random tapes: The first run uses input strings \((s_0,u_0)\) and message \(m _0+r_0\) from the receiver, resulting in a message \(\sigma _{0}\), whereas the second run uses input strings \((s_1,u_1)\) and message \(m _1+r_1\) from the receiver, resulting in a message \(\sigma _{1}\). Hence, it sends \((\sigma _{0},\sigma _{1})\) to the receiver.

5. 5.

   Output: The receiver runs the receiver \(\mathsf {R}'\) of the underlying 2-round OT protocol, upon input message \(\sigma _{b}\) from the sender, thus obtaining \(s_b\).

Correctness is immediate. In order to prove simulation-based security we proceed in two steps. In the first step, we show the above protocol achieves a weaker security flavor called receiver-sided simulatability [48, 49] which consists of two properties: (1) The existence of a simulator which by interacting with the ideal OT functionality can fake the view of any efficient adversary corrupting the receiver in a real execution of the protocol (i.e., standard simulation-based security w.r.t. corrupted receivers); (2) Indistinguishability of the protocol transcripts with choice bit of the receiver equal to zero or one, for any efficient adversary corrupting the sender in a real execution of the protocol (i.e., game-based security w.r.t. corrupted senders). In the second step, we rely on a round-preserving black-box transformation given in [49], which allows to boost receiver-sided simulatability to fully-fledged malicious security. To show (1), we consider a series of hybrid experiments:

• In the first hybrid, we run the first 3 rounds of the protocol, yielding a partial transcript \({\gamma },({\beta },r_0,r_1),(\delta ,m _0,m _1)\). Hence, after verifying that \(T = ({\gamma },{\beta },(\delta ,m _0,m _1))\) is a valid transcript of the \( \text {C} \& \text {O}\) protocol, we rewind the adversary to the end of the first round and continue the execution of the protocol from there using a fresh challenge \(({\beta }',r_0',r_1')\), except that after the third round we artificially abort if there is no value such that \(m _{\hat{b}} = m '_{\hat{b}}\), where \((\delta ',m _0',m _1')\) is the third message sent by the adversary after the rewinding.

  Notice that an abort means that it is not possible to identify a committing branch for the \( \text {C} \& \text {O}\) protocol, which however can only happen with negligible probability; thus this hybrid is computationally close to the original experiment.

• In the second hybrid, we modify the distribution of the value \(r'_{1-b}\) (right after the rewinding) to \(r''_{1-b} = \rho _{1-b} - m _{1-b}\), where we set from the previous hybrid, and where \(\rho _{1-b}\) is obtained by running the receiver \(\mathsf {R}'\) of the underlying 2-round OT protocol with choice bit fixed to 1.

  To argue indistinguishability, we exploit the fact that the distribution of \(m _{1-b}\) is independent from that of \(r'_{1-b}\), and thus by strong uniformity we can switch \(r'_{1-b}+m _{1-b}\) with \(\rho _{1-b}\) from the receiver \(\mathsf {R}'\).

• In the third hybrid, we use the simulator of the underlying 2-round SH-OT protocol to compute the messages \(\sigma _{1-b}\) sent by the sender. Note that in both the third and the second hybrid the messages \((\rho _{1-b},\sigma _{1-b})\) are computed by the honest sender, and thus any efficient algorithm telling apart the third and the second hybrid violates semi-honest security of \((\mathsf {S}',\mathsf {R}')\).

In the last hybrid, a protocol transcript is independent of \(s_{1-b}\) but still yields a well distributed output for the malicious receiver, which immediately implies a simulator in the ideal world.

To show (2), we first use the strong uniformity property of \((\mathsf {S}',\mathsf {R}')\) to sample \(m _b\) uniformly at random at the beginning of the protocol. Notice the this implies that the receiver cannot recover the value \(s_b\) of the sender anymore. Finally, we use the committing branch indistinguishability of the \( \text {C} \& \text {O}\) protocol to argue that the transcripts with \(b = 0\) and \(b = 1\) are computationally indistinguishable.

M-OT from SUSH-OT: The General Case. There are several difficulties when trying to extend the above protocol to the general case where we start with a \(t\)-round SUSH-OT. In fact, if we would simply iterate sequentially the above construction, where one iteration counts for a message from \(\mathsf {R}'\) to \(\mathsf {S}'\) and back, the adversary could use different committing branches from one iteration to the other. This creates a problem in the proof, as the simulator would need to be consistent with both choices of possible committing branches from the adversary, which however requires knowing both inputs from the sender.

We resolve this issue by having the receiver sending all commitments \({\gamma }_i\) for the \( \text {C} \& \text {O}\) protocol in the first round, where each value \({\gamma }_i\) is generated including a random message \(m _{1-b}^i\) concatenated with the full history \(m _{1-b}^{i-1},\ldots ,m _{1-b}^{1}\). Hence, during each iteration, the receiver opens one commitment as before. As we show, this prevents the adversary from switching committing branch from one iteration to the next one. We refer the reader to Sect. 4 for a formal description of our protocol, and for a somewhat detailed proof intuition.

1.3 Application to Round-Efficient MPC

Since M-OT implies maliciously secure MPC [6, 20] and very recently, the work of Choudhuri et al. [11], a direct consequence of Theorem 1 is the following:

Corollary 1

For any odd , there is a non-black-box construction of a \((t+1)\)-round maliciously secure multi-party computation protocol in the plain model, from any \(t\)-round strongly uniform key agreement protocol.

Corollary 1 yields 4-round maliciously secure MPC from any of low-noise LPN, high-noise LWE, Subset Sum, CDH, DDH, and RSA, all with polynomial hardness. Previously to our work, it was known how to get maliciously secure MPC in the plain model, for arbitrary functionalities:

• Using 5 rounds, via interactive ZK proofs and SH-OT [6], assuming polynomially-hard LWE with super-polynomial noise ratio and adaptive commitments [8], polynomially-hard DDH [3], and enhanced certified trapdoor permutations (TDP) [6, 49];

• Using 4 rounds, assuming sub-exponentially-hard LWE with super-polynomial noise ratio and adaptive commitments [8], polynomially-hard LWE with a SIVP approximation factor of \(n^{3.5}\) [7], sub-exponentially-hard DDH and one-way permutations [3], polynomially-hard DDH/QR/DCR [4], and either polynomially-hard QR or QR together with any of LWE/DDH/DCR (all with polynomial hardness) [29].

1.4 Related Work

Maliciously Secure OT. Jarecki and Shamtikov [34], and Peikert, Vaikuntanathan, and Waters [50], show how to construct 2-round M-OT in the common reference string model.

A result by Haitner et al. [27, 28] gives a black-box construction of M-OT from SH-OT. While being based on weaker assumptions (i.e., plain SH-OT instead of SUSH-OT), assuming the starting OT protocol has round complexity \(t\), the final protocol requires 4 additional rounds for obtaining an intermediate security flavor known as “defensible privacy”, plus 4 rounds for cut and choose, plus 2 times the number of rounds required for running coin tossing, plus a final round to conclude the protocol. Assuming coin tossing can be done in 5 rounds [37], the total accounts to \(t+ 19\) rounds, and thus yields 21 rounds by setting \(t= 2\).

Lindell [41] gives constructions of M-OT with 7 rounds, under the DDH assumption, the Nth residuosity assumption, and the assumption that homomorphic PKE exists. Camenish, Neven, and shelat [9], and Green and Hohenberger [26], construct M-OT protocols, some of which even achieve adaptive security, using computational assumptions over bilinear groups.

There are also several efficient protocols for OT that guarantee only privacy (but not simulatability) in the presence of malicious adversaries, see, e.g. [1, 7, 36, 40, 47].

Round-Optimal MPC. Katz and Ostrovsky [37] proved that 5 rounds are necessary and sufficient for realizing general-purpose two-party protocols, without assuming a simultaneous broadcast channel (where the parties are allowed to send each other messages in the same round). Their result was later extended by Garg et al. [19] who showed that, assuming simultaneous broadcast, 4 rounds are optimal for general-purpose MPC. Together with a result by Ishai et al. [32]—yielding non-interactive maliciously secure two-party computation for arbitrary functionalities, in the OT-hybrid model—the latter implies that 4 rounds are optimal for constructing fully-simulatable M-OT in the plain model.

Ciampi et al. [13] construct a special type of 4-round M-OT assuming certified TDPs,⁶ and show how to apply it in order to obtain (fully black-box) 4-round two-party computation with simultaneous broadcast. In a companion paper [12], the same authors further give a 4-round MPC protocol for the specific case of multi-party coin-tossing.

2 Preliminaries

2.1 Standard Notation

We use to denote the security parameter, sans-serif letters (such as \(\mathsf {A} \), ) to denote algorithms, caligraphic letters (such as \(\mathcal {X}\), \(\mathcal {Y}\)) to denote sets, and bold-face letters (such as \(\mathbf {v}\), \(\mathbf {A}\)) to denote vectors and matrices; all vectors are by default row vectors, and \(\mathbf {v}^{\mathsf {T}}\) denotes a column vector. An algorithm is probabilistic polynomial-time (PPT) if it is randomized, and its running time can be bounded by a polynomial in its input length. By , we mean that the value y is assigned to the output of algorithm \(\mathsf {A} \) upon input x and fresh random coins. We implicitly assume that all algorithms are given the security parameter as input.

A function is negligible in the security parameter (or simply negligible) if it vanishes faster than the inverse of any polynomial in , i.e. for all positive polynomials . We often write to denote that is negligible.

For a random variable \( X \), we write for the probability that \( X \) takes on a particular value \(x\in \mathcal {X}\) (with \(\mathcal {X}\) being the set where \( X \) is defined). The statistical distance between two random variables \( X \) and \( X '\) defined over the same set \(\mathcal {X}\) is defined as \(\varDelta \left( X ; X '\right) = \tfrac{1}{2}\sum _{x\in \mathcal {X}}|\Pr [ X = x] - \Pr [ X ' = x]|\). Given two ensembles and , we write \( X \equiv Y \) to denote that they are identically distributed, \( X \approx _s Y \) to denote that they are statistically close (i.e., ), and \( X \approx _c Y \) to denote that they are computationally indistinguishable—i.e., for all PPT distinguishers there exists a negligible function such that .

We call a group efficiently sampleable if and only if there is a PPT sampling procedure \(\mathsf {Samp}\) for the uniform distribution over the group, and moreover there exists a PPT simulator \(\mathsf {SimSamp}\) that given an element of the group, outputs the randomness used by \(\mathsf {Samp}\). More precisely, where and .⁷ A group that is efficiently reverse sampleable (as in [23]) suffices.

2.2 Oblivious Transfer

An interactive protocol \(\varPi \) for the Oblivious Transfer (OT) functionality, features two interactive PPT Turing machines \(\mathsf {S}\), \(\mathsf {R}\) called, respectively, the sender and the receiver. The sender \(\mathsf {S}\) holds a pair of strings , whereas the receiver \(\mathsf {R}\) is given a choice bit . At the end of the protocol, which might take several rounds, the receiver learns \(s_b\) (and nothing more), whereas the sender learns nothing.

Typically, security of OT is defined using the real/ideal paradigm. Specifically, we compare a real execution of the protocol, where an adversary might corrupt either the sender or the receiver, with an ideal execution where the parties can interact with an ideal functionality. The ideal functionality, which we denote by \(\mathcal {F}_{\mathtt {OT}}\), features a trusted party that receives the inputs from both the sender and the receiver, and then sends to the receiver the sender’s input corresponding to the receiver’s choice bit. We refer the reader to Fig. 2 for a formal specification of the \(\mathcal {F}_{\mathtt {OT}}\) functionality.

In what follows, we denote by (resp., ) the distribution of the output of the malicious receiver (resp., sender) during a real execution of the protocol \(\varPi \) (with \(s_0,s_1\) as inputs of the sender, b as choice bit of the receiver, and z as auxiliary input for the adversary), and by (resp., ) the output of the malicious receiver (resp., sender) in an ideal execution where the parties (with analogous inputs) interact with \(\mathcal {F}_{\mathtt {OT}}\), and where the simulator is given black-box access to the adversary.

Fig. 2.

Oblivious transfer ideal functionality

Definition 1 (OT with full simulation)

Let \(\mathcal {F}_{\mathtt {OT}}\) be the functionality from Fig. 2. We say that a protocol \(\varPi = (\mathsf {S},\mathsf {R})\) securely computes \(\mathcal {F}_{\mathtt {OT}}\) with full simulation if the following holds:

1. (a)

   For every non-uniform PPT malicious receiver \(\mathsf {R}^*\), there exists a non-uniform PPT simulator such that

   

   where , , , and .

2. (b)

   For every non-uniform PPT malicious sender \(\mathsf {S}^*\), there exists a non-uniform PPT simulator \(\mathsf {Sim} \) such that

   

   where , , , and .

Game-Based Security. One can also consider weaker security definitions for OT, where simulation-based security only holds when either the receiver or the sender is corrupted, whereas when the other party is malicious only game-based security is guaranteed. Below, we give the definition for the case of a corrupted sender, which yields a security notion known as receiver-sided simulatability. Intuitively, the latter means that the adversary cannot distinguish whether the honest receiver is playing with choice bit 0 or 1.

Definition 2 (OT with receiver-sided simulation)

Let \(\mathcal {F}_{\mathtt {OT}}\) be the functionality from Fig. 2. We say that a protocol \(\varPi = (\mathsf {S},\mathsf {R})\) securely computes \(\mathcal {F}_{\mathtt {OT}}\) with receiver-sided simulation if the following holds:

1. (a)

   Same as property (a) in Definition 1.

2. (b)

   For every non-uniform PPT malicious sender \(\mathsf {S}^*\) it holds that

   

   where , , and , and where is the distribution of the view of \(\mathsf {S}^*\) (with input \(s_0,s_1\) and auxiliary input z) at the end of a real execution of protocol \(\varPi \) with the honest receiver \(\mathsf {R}\) given b as input.

Receiver-sided simulatability is a useful stepping stone towards achieving full simulatability. In fact, Ostrovsky et al. [49] show how to compile any 4-round OT protocol with receiver-sided simulatability to a 4-round OT protocol with full simulatability. This transformation can be easily extended to hold for any \(t\)-round protocol, with \(t\ge 3\); the main reason is that the transform only relies on an extractable commitment scheme, which requires at least 3 rounds.

Theorem 2

(Adapted from [49]). Assuming \(t\ge 3\), there is a black-box transformation from t-round OT with receiver-sided simulation to t-round OT with full simulation.⁸

2.3 Commit-and-Open Protocols

We envision a 3-round protocol between a prover and a verifier where the prover takes as input two messages \(m_0,m_1\in \mathcal {M} \) and a bit . The prover speaks first, and the protocol is public coin, in the sense that the message of the verifier consists of uniformly random bits. Intuitively, we want that whenever the prover manages to convince the verifier, he must be committed to at least one of \(m_0,m_1\) already after having sent the first message.

More formally, a 1-out-of-2 commit-and-open (\( \text {C} \& \text {O}\)) protocol is a tuple of efficient interactive Turing machines specified as follows. (i) The randomized algorithm takes \(m_d\) and returns a string and auxiliary state information ; (ii) The randomized algorithm returns a random string ; (iii) The randomized algorithm takes \((\alpha ,{\beta },{\gamma },m_{1-d})\) and returns a string ; (iv) The deterministic algorithm takes a transcript \(({\gamma },{\beta },(\delta ,m_0,m_1))\) and outputs a bit.

We write for a run of the protocol upon inputs \((m_0,m_1, d)\) to the prover, and we denote by the random variable corresponding to a transcript of the interaction. Note that the prover does not necessarily need to know \(m_{1-d}\) before computing the first message. We say that \( \varPi _{\mathtt {c{ \& }o}}\) satisfies completeness if honestly generated transcripts are always accepted by the verifier, i.e. for all \(m_0,m_1\in \mathcal {M} \) and , we have , where the probability is over the randomness of , and .

Security Properties. Roughly, a \( \text {C} \& \text {O}\) protocol must satisfy two security requirements. The first requirement is that at the end of the first round, a malicious prover is committed to at least one message. This can be formalized by looking at a mental experiment where we first run the protocol with a malicious prover, yielding a first transcript \(T = ({\gamma },{\beta },(\delta ,m_0,m_1))\); hence, we rewind the prover to the point it already sent the first message, and give it a fresh challenge \({\beta }'\) which yields a second transcript \(T' = ({\gamma },{\beta }',(\delta ',m_0',m_1'))\). The security property now states that, as long as the two transcripts T and \(T'\) are valid, it shall exist at least one “committing branch” for which \(m_{\hat{d}} = m'_{\hat{d}}\). The second requirement says that no malicious verifier can learn any information on the committing branch of the prover. See the full version [16] for formal definitions.

3 Strong Uniformity at a Glance

This section contains a brief overview over the notion of strongly uniform OT and KA. We refer to the full version [16] for detailed definitions and for the implications of these notions.

In KA, Alice and Bob interact with the goal of establishing a shared key which remains hidden to an eavesdropper. We strengthen this notion by asking that Alice’s messages are computationally close to uniform over an efficiently sampleable group, even when Bob is malicious. We call this security feature strong uniformity.

Strong uniformity straightforwardly translates to OT. We call an OT protocol strongly uniform if the receiver’s messages are computationally close to uniform over an efficiently sampleable group, even when the sender is malicious. An important consequence of strong uniformity is that strongly uniform secure KA and strongly uniform semi-honestly secure OT are equivalent.

Theorem 3

There is a black-box construction of strongly uniform semi-honestly secure OT from strongly uniform secure KA and vice versa, with the same round complexity.

Intuitively, one can construct a KA protocol from OT by using the first of the sender’s inputs as key, and setting the receiver’s choice bit to 0, such that the receiver learns this key. Gertner et al. [21] already described this protocol, and it turns out that it preserves strong uniformity.

To construct strongly uniform semi-honestly secure OT from strongly uniform secure KA, one can use strong uniformity to let the receiver sample uniform messages rather than follow the KA protocol. More precisely, the sender and receiver will run two instances of the KA protocol, and the sender will use the two shared keys as one-time pad masks for his inputs. The receiver, depending on his choice bit, will run one of the two KA instances according to the protocol description, whereas, for the other one, he will sample uniform messages. Hence, the receiver will learn only one of the shared keys and inputs of the sender.

4 From SUSH-OT to M-OT

Fig. 3.

\((2t'+2)\)-round OT protocol achieving receiver-sided simulatability from \((2t'+1)\)-round strongly uniform semi-honestly secure OT. Note that the initial state information \(\alpha ^0_{\mathsf {S},0},\alpha ^0_{\mathsf {S},1}\) and \(\alpha ^0_{\mathsf {R},b}\) is set to be equal, respectively to the inputs used by the sender and the receiver during the runs of the underlying OT protocol \((\mathsf {S}',\mathsf {R}')\). The values \({\beta }_{t'+1},r_{0,t'+1},r_{1,t'+1}\) are not needed and can be removed, but we avoided to do that in order to keep the protocol description more compact.

Let be a 1-out-of-2 \( \text {C} \& \text {O}\) protocol and \(\varPi '= (\mathsf {S}',\mathsf {R}')\) be a \((2t'+1)\)-round OT protocol, where the first message \(\sigma ^{1}\) might be the empty string. Our OT protocol \(\varPi = (\mathsf {S},\mathsf {R})\) is depicted in Fig. 3 on page 19. The protocol consists of rounds as informally described below.

1. 1.

   The receiver samples \(m _{1-b,i}\in \mathcal {M} \) for all \(i\in [t']\), where b is the choice bit. Then he runs the prover of the \( \text {C} \& \text {O}\) protocol upon input \((m _{1-b,j})_{j\in [i]}\) for all \(i\in [t']\), obtaining \(({\gamma }_i)_{i\in [t']}\) which are forwarded to the sender.

2. 2.

   The sender samples uniform values . Then, he runs the underlying \((2t'+1)\)-round OT twice with inputs \((s_0,u_0)\) and \((s_1,u_1)\) to generate the first messages \(\sigma ^{1}_0\) and \(\sigma ^{1}_1\). Further, the sender samples a challenge \({\beta }_1\) for the \( \text {C} \& \text {O}\) protocol, as well as two uniformly random group elements \(r_{0,1}\), \(r_{1,1}\) from \(\mathcal {M} \), and forwards \(({\beta }_1,r_{0,1},r_{1,1})\) to the receiver together with the first messages of the OTs (i.e. \(\sigma ^{1}_0\) and \(\sigma ^{1}_1\)).

3. 3.

   Repeat the following steps for each \(i\in [t']\):

   1. (a)

      (\(\mathsf {R}\rightarrow \mathsf {S}\)): The receiver runs the receiver \(\mathsf {R}'\) of the underlying \((2t'+1)\)-round OT protocol with choice bit fixed to 0, and upon input message \(\sigma ^{i}_b\) from the sender, obtaining a message \(\rho ^{i}_b\) which is used to define the message \(m _{b,i} = \rho ^{i}_b - r_{b,i}\) required to complete the execution of the \( \text {C} \& \text {O}\) protocol in the non-committing branch b. This results in a tuple \((\delta _i,m _{0,i},m _{1,i})\) that is forwarded to the sender.

   2. (b)

      (\(\mathsf {S}\rightarrow \mathsf {R}\)): The sender verifies that the transcript \(T_i = ({\gamma }_i,{\beta }_i,(\delta _i,\)\((m _{0,j})_{j\in [i]},(m _{1,j})_{j\in [i]}))\) is accepting for the underlying \( \text {C} \& \text {O}\) protocol. If so, he continues the two runs of the sender \(\mathsf {S}'\) for the underlying \((2t'+1)\)-round OT protocol. The first run uses state \(\alpha _{\mathsf {S},0}^{i}\) and message \(m _{0,i} + r_{0,i}\) from the receiver resulting in a message \(\sigma ^{i+1}_0\) and state \(\alpha _{\mathsf {S},0}^{i+1}\), whereas the second run uses state \(\alpha _{\mathsf {S},1}^{i}\) and message \(m _{1,i} + r_{1,i}\) from the receiver resulting in a message \(\sigma ^{i+1}_1\) and state \(\alpha _{\mathsf {S},1}^{i+1}\). Finally, the sender samples a challenge \({\beta }_{i+1}\) for the \( \text {C} \& \text {O}\) protocol, as well as another two uniformly random group elements \(r_{0,i+1}\), \(r_{1,i+1}\) from \(\mathcal {M} \), and forwards \((\sigma ^{i+1}_0,\sigma ^{i+1}_1)\) and \({\beta }_{i+1}\), \(r_{0,i+1}\), \(r_{1,i+1}\) to the receiver.

4. 4.

   Output: The receiver runs the receiver \(\mathsf {R}'\) of the underlying \((2t'+1)\)-round OT protocol, upon input the \((t'+1)\)-th message \(\sigma ^{t'+1}_b\) from the sender, thus obtaining an output \(\rho ^{t'+1}_b\).

Correctness follows by the fact that, when both the sender and the receiver are honest, by correctness of the \( \text {C} \& \text {O}\) protocol the transcripts \(T_i\) are always accepting, and moreover the messages produced by the sender \(\sigma ^{i}_b\) are computed using message \(m _{b,i} + r_{b,i} = \rho ^{i}_b\) from the receiver, so that each pair \((\rho ^{i}_b,\sigma ^{i}_b)\) corresponds to the i-th interaction of the underlying \((2t'+1)\)-round OT protocol with input strings \((s_b,u_b)\) for the sender and choice bit 0 for the receiver, and thus at the end the receiver outputs \(s_b\). As for security, we have:

Theorem 4

(Receiver-sided simulatability of \(\varPi \)). Assuming that \(\varPi '\) is a \((2t'+1)\)-round strongly uniform semi-honestly secure OT protocol, and that \( \varPi _{\mathtt {c{ \& }o}}\) is a secure 1-out-of-2 commit-and-open protocol, then the protocol \(\varPi \) from Fig. 3 securely realizes \(\mathcal {F}_{\mathtt {OT}}\) with receiver-sided simulation.

We give a detailed proof in the full version [16], and here provide some intuition. In order to show receiver-sided simulatability we need to prove two things: (1) The existence of a simulator \(\mathsf {Sim} \) which by interacting with the ideal functionality \(\mathcal {F}_{\mathtt {OT}}\) can fake the view of any efficient adversary corrupting the receiver in a real execution of the protocol; (2) Indistinguishability of the protocol transcripts with choice bit of the receiver equal to zero or one, for any efficient adversary corrupting the sender in a real execution of the protocol.

To show (1), we consider a series of hybrid experiments that naturally lead to the definition of a simulator in the ideal world. In order to facilitate the description of the hybrids, it will be useful to think of the protocol as a sequence of iterations, where each iteration consists of 2 rounds, as depicted in Fig. 3 on page 19.

• In the first hybrid, we run a malicious receiver twice after he has sent his commitments. The purpose of the first run is to learn a malicious receiver’s input bit, i.e. on which branch he is not committed. If he is committed on both branches, simulation will be easy since he will not be able to receive any of the sender’s inputs. We use the second run to learn the output of a malicious receiver. We describe the two runs now.

  1. 1.

     The first round of each iteration yields an opening \((\delta _i,m _{0,i},m _{1,i})\). Hence, after verifying that the opening is valid, we rewind the adversary to the end of the first round of the i-th iteration to receive another opening \((\delta _i',m _{0,i}',m _{1,i}')\).

     Now, let such that \(m _{b,i}\ne m _{b,i}'\). By the security of the \( \text {C} \& \text {O}\) protocol, there can be at most one such b. If there is no b we continue the first run. Otherwise, if there is such a b, we have learned the equivocal branch and start the second run.

  2. 2.

     We execute the second run according to the protocol with the difference that we now know the equivocal branch, i.e. b, from the very beginning, which will help us later to simulate correctly right from the start. Notice that by the security of the \( \text {C} \& \text {O}\) protocol, a malicious receiver cannot change the equivocal branch in the second run. Obviously, he cannot change it during the same iteration since then he would be equivocal on both branches and contradict the security of the \( \text {C} \& \text {O}\) protocol. He can also not change the equivocal branch of one of the later rounds \(j>i\), since in the j-th commitment \(\delta _j\) he cannot be committed to both \(m _{b,i}\) and \(m _{b,i}'\), so he needs to equivocally open \(\delta _j\) as well. Thus, he needs to be committed on the other branch, i.e. branch \(1-b\).

• The values \(m '_{k,i}\) (right after the rewinding) of each iteration of the first run for , and second run for \(k=1-b\), are identical to \(m _{k,i}\). Moreover, \(m '_{k,i}\ne m _{k,i}\) holds only for the second run for branch \(k=b\). Therefore, in the second hybrid, we can change the distribution of \(r'_{k,i}\) to \(r'_{k,i} = \rho ^{i}_{k} - m _{k,i}\) for , and both runs except branch \(k=b\) during the second run. The value \(\rho ^{i}_{k}\) is obtained by running the simulator for the receiver of the underlying strongly uniform semi-honest OT protocol with choice bit 1 and input \(u_k\). We can use the messages generated by this simulator on the sender’s side as well.

  We will use the strong uniformity of the OT to argue that a malicious receiver cannot distinguish \(r'_{k,i} = \rho ^{i}_{k} - m _{k,i}\) from uniform. By the semi-honest security, the messages generated by the simulator are indistinguishable from the actual semi-honest OT. At the same time this simulator is independent of the sender’s inputs \(s_0\) and \(s_1\). Note that in this hybrid, we only need to known \(s_b\) for the second run after having learned b.

In the last hybrid, a protocol transcript is independent of \(s_{1-b}\) but still yields a well distributed output for the malicious receiver, which directly yields a simulator in the ideal world.

To show (2), we first use the strong uniformity of the underlying OT protocol to sample \(m _{b,i}\) uniformly at random at the beginning of the protocol. Notice that this implies that the receiver cannot recover the value \(s_b\) of the sender anymore. Further, we need the strong uniformity property here, since the receiver is interacting with a malicious sender who could influence the distribution of \(m _{b,i}\) sent by the receiver. Once both messages, \(m _{0,i}\) and \(m _{1,i}\) for all iterations are known before the start of the protocol, we can challenge the choice bit indistinguishability of the \( \text {C} \& \text {O}\) protocol. As a consequence, we can argue that the transcripts with \(b = 0\) and \(b = 1\) are computationally indistinguishable, which implies game-based security against a malicious sender.

5 Conclusions

We have shown a construction of maliciously secure oblivious transfer (M-OT) protocol from a certain class of key agreement (KA) and semi-honestly secure OT (SH-OT) protocols that enjoy a property called strong uniformity (SU), which informally means that the distribution of the messages sent by one of the parties is computationally close to uniform, even in case the other party is malicious.

When starting with 2-round or 3-round SUSH-OT or SU-KA, we obtain 4-round M-OT, and thus, invoking [11], 4-round maliciously secure MPC from standard assumptions including low-noise LPN, LWE, Subset Sum, CDH, DDH, and RSA (all with polynomial hardness).

Also, it is a natural question to see whether SU-KA with \(t\ge 4\) rounds can be instantiated from concrete assumptions that do not imply PKE.