
A Framework for Universally Composable Oblivious Transfer from One-Round Key-Exchange

  • Conference paper
Cryptography and Coding (IMACC 2019)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 11929)

Abstract

Oblivious transfer is one of the main pillars of modern cryptography and plays a major role as a building block for other more complex cryptographic primitives. In this work, we present an efficient and versatile framework for oblivious transfer (OT) using one-round key-exchange (ORKE), a special class of key exchange (KE) where only one message is sent from each party to the other. Our contributions can be summarized as follows:

  • We carefully analyze ORKE schemes and introduce new security definitions. Namely, we introduce a new class of ORKE schemes, called Alice-Bob one-round key-exchange (A-B ORKE), and the notions of message indistinguishability and key indistinguishability.

  • We show that OT can be obtained from A-B ORKE schemes fulfilling message and key indistinguishability. We accomplish this by designing a new efficient, versatile and universally composable framework for OT in the Random Oracle Model (ROM). The efficiency of the framework presented depends almost exclusively on the efficiency of the A-B ORKE scheme used since all other operations are linear in the security parameter. Universally composable OT schemes in the ROM based on new hardness assumptions can be obtained from instantiating our framework.

Examples are presented using the classical Diffie-Hellman KE, RLWE-based KE and Supersingular Isogeny Diffie-Hellman KE.


Notes

  1. Note that a Key Encapsulation Mechanism (KEM) is an A-B ORKE; the converse is not known to hold. Key exchanges (KE) and KEMs are not comparable primitives in general, and some KE schemes are A-B ORKE.

  2. The full proof of the theorem is given in the full version [10].

References

  1. Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange—a new hope. In: 25th USENIX Security Symposium (USENIX Security 16), pp. 327–343. USENIX Association, Austin, TX (2016). https://www.usenix.org/conference/usenixsecurity16/technical-sessions/presentation/alkim

  2. Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_35


  3. Asharov, G., Lindell, Y., Schneider, T., Zohner, M.: More efficient oblivious transfer extensions. J. Cryptol. 30(3), 805–858 (2017)


  4. Barreto, P., Oliveira, G., Benits, W.: Supersingular isogeny oblivious transfer. Cryptology ePrint Archive, Report 2018/459 (2018). https://eprint.iacr.org/2018/459

  5. Barreto, P.S.L.M., David, B., Dowsley, R., Morozov, K., Nascimento, A.C.A.: A framework for efficient adaptively secure composable oblivious transfer in the ROM. Cryptology ePrint Archive, Report 2017/993 (2017). https://eprint.iacr.org/2017/993

  6. Bellare, M., Micali, S.: Non-interactive oblivious transfer and applications. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 547–557. Springer, New York (1990). https://doi.org/10.1007/0-387-34805-0_48


  7. Bergsma, F., Jager, T., Schwenk, J.: One-round key exchange with strong security: an efficient and generic construction in the standard model. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 477–494. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_21


  8. Blazy, O., Chevalier, C., Germouty, P.: Almost optimal oblivious transfer from QA-NIZK. In: Gollmann, D., Miyaji, A., Kikuchi, H. (eds.) ACNS 2017. LNCS, vol. 10355, pp. 579–598. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-61204-1_29


  9. Branco, P., Ding, J., Goulão, M., Mateus, P.: Universally composable oblivious transfer protocol based on the RLWE assumption. Cryptology ePrint Archive, Report 2018/1155 (2018). https://eprint.iacr.org/2018/1155

  10. Branco, P., Ding, J., Goulão, M., Mateus, P.: A framework for universally composable oblivious transfer from one-round key-exchange. Cryptology ePrint Archive, Report 2019/726 (2019). https://eprint.iacr.org/2019/726

  11. Byali, M., Patra, A., Ravi, D., Sarkar, P.: Fast and universally-composable oblivious transfer and commitment scheme with adaptive security. Cryptology ePrint Archive, Report 2017/1165 (2017). https://eprint.iacr.org/2017/1165

  12. Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: Proceedings of the 42nd IEEE Symposium on Foundations of Computer Science, FOCS 2001, p. 136. IEEE Computer Society, Washington, DC, USA (2001). http://dl.acm.org/citation.cfm?id=874063.875553

  13. Canetti, R., Fischlin, M.: Universally composable commitments. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 19–40. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44647-8_2


  14. Canetti, R., Krawczyk, H.: Analysis of key-exchange protocols and their use for building secure channels. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 453–474. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44987-6_28


  15. Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally composable two-party and multi-party secure computation. In: Proceedings of the Thirty-fourth Annual ACM Symposium on Theory of Computing, STOC 2002, pp. 494–503. ACM, New York, NY, USA (2002). http://doi.acm.org/10.1145/509907.509980

  16. Chou, T., Orlandi, C.: The simplest protocol for oblivious transfer. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 40–58. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22174-8_3


  17. David, B., Dowsley, R., Nascimento, A.C.A.: Universally composable oblivious transfer based on a variant of LPN. In: Gritzalis, D., Kiayias, A., Askoxylakis, I. (eds.) CANS 2014. LNCS, vol. 8813, pp. 143–158. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-12280-9_10


  18. David, B.M., Nascimento, A.C.A., Müller-Quade, J.: Universally composable oblivious transfer from lossy encryption and the McEliece assumptions. In: Smith, A. (ed.) ICITS 2012. LNCS, vol. 7412, pp. 80–99. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-32284-6_5


  19. Diffie, W., Hellman, M.: New directions in cryptography. IEEE Trans. Inf. Theory 22(6), 644–654 (1976)


  20. Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. Cryptology ePrint Archive, Report 2012/688 (2012). https://eprint.iacr.org/2012/688

  21. Doerner, J., Kondi, Y., Lee, E., Shelat, A.: Secure two-party threshold ECDSA from ECDSA assumptions. In: 2018 IEEE Symposium on Security and Privacy (SP), vol. 00, pp. 595–612 (2018). doi.ieeecomputersociety.org/10.1109/SP.2018.00036

  22. Freedman, M.J., Ishai, Y., Pinkas, B., Reingold, O.: Keyword search and oblivious pseudorandom functions. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 303–324. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_17


  23. Hauck, E., Loss, J.: Efficient and universally composable protocols for oblivious transfer from the CDH assumption. Cryptology ePrint Archive, Report 2017/1011 (2017). https://eprint.iacr.org/2017/1011

  24. Jao, D., De Feo, L.: Towards quantum-resistant cryptosystems from supersingular elliptic curve isogenies. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 19–34. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5_2


  25. Jeong, I.R., Katz, J., Lee, D.H.: One-round protocols for two-party authenticated key exchange. In: Jakobsson, M., Yung, M., Zhou, J. (eds.) ACNS 2004. LNCS, vol. 3089, pp. 220–232. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24852-1_16


  26. Kilian, J.: Founding cryptography on oblivious transfer. In: Proceedings of the Twentieth Annual ACM Symposium on Theory of Computing, STOC 1988, pp. 20–31. ACM, New York, NY, USA (1988). http://doi.acm.org/10.1145/62212.62215

  27. Kushilevitz, E., Ostrovsky, R.: Replication is not needed: single database, computationally-private information retrieval. In: Proceedings 38th Annual Symposium on Foundations of Computer Science, pp. 364–373, October 1997


  28. Liu, M.m., Krämer, J., Hu, Y.p., Buchmann, J.: Quantum security analysis of a lattice-based oblivious transfer protocol. Front. Inf. Technol. Electron. Eng. 18(9), 1348–1369 (2017). https://doi.org/10.1631/FITEE.1700039


  29. Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-13190-5_1


  30. Parakh, A.: Oblivious transfer based on key exchange. Cryptologia 32(1), 37–44 (2008). https://doi.org/10.1080/01611190701593228


  31. Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-11659-4_12


  32. Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_31


  33. Rabin, M.O.: How to exchange secrets with oblivious transfer (1981)


  34. Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: Proceedings of the Thirty-seventh Annual ACM Symposium on Theory of Computing, STOC 2005, pp. 84–93. ACM, New York, NY, USA (2005). http://doi.acm.org/10.1145/1060590.1060603

  35. Yao, A.C.C.: How to generate and exchange secrets. In: Proceedings of the 27th Annual Symposium on Foundations of Computer Science, SFCS 1986, pp. 162–167. IEEE Computer Society, Washington, DC, USA (1986). https://doi.org/10.1109/SFCS.1986.25


Acknowledgment

The first author thanks the support from DP-PMI and FCT (Portugal) through the grant PD/BD/135181/2017. This work was done while visiting the University of Cincinnati. The third author thanks the support from DP-PMI and FCT (Portugal) through the grant PD/BD/135182/2017. This work was funded by the project UID/EEA/50008/2019.

Author information

Correspondence to Pedro Branco.


Appendix

A UC-Security and Ideal Functionalities

The Universal Composability (UC) framework, first introduced by Canetti [12], allows us to analyze the security of protocols not only on their own, but also when composed with other protocols. Due to space constraints, only a brief introduction to the UC framework is presented here. For more details on this subject we refer the reader to [12].

In a nutshell, to prove the UC security of a protocol \(\pi \) (usually called the real-world execution) one compares it to an ideal version of the primitive, defined a priori (usually called the ideal-world execution). The entities involved in the ideal-world execution are dummy parties which interact via an ideal functionality \(\mathcal {F}\). These dummy parties may or may not be corrupted by an ideal adversary \(\mathsf {Sim}\), usually called the simulator. The functionality works as a trusted party: it receives inputs from all the entities involved and returns to each one an output that depends on the primitive being implemented. In this way, each party learns nothing but its own input and output. In the real-world execution, several parties interact with each other via some protocol \(\pi \), which implements the desired primitive. These parties may or may not be corrupted by some adversary \(\mathcal {A}\). An entity \(\mathcal {E}\), called the environment, oversees the executions in both the ideal and the real worlds. At the end of the executions, the environment is asked to distinguish them. The intuition behind the UC framework is that a protocol \(\pi \) is secure if the environment \(\mathcal {E}\) is unable to distinguish the real-world execution of \(\pi \) from the ideal-world execution of \(\mathcal {F}\). If this holds, a real-world adversary \(\mathcal {A}\) has no more power than an ideal-world adversary \(\mathsf {Sim}\): whatever strategy \(\mathcal {A}\) uses to cheat in the execution of \(\pi \) can also be used by \(\mathsf {Sim}\) in the ideal world. Since the ideal functionality is defined so that no adversary can attack it, we conclude that there is no strategy for the real-world adversary \(\mathcal {A}\) that lets it learn more than its own input and output.

Formally, let \(\pi \) be a protocol in which n parties and an adversary \(\mathcal {A}\) are involved. We denote the output of the environment \(\mathcal {E}\) at the end of the real-world execution of \(\pi \) with adversary \(\mathcal {A}\) by \(\mathsf {EXEC}_{\pi ,\mathcal {A},\mathcal {E}}\). The output of \(\mathcal {E}\) at the end of the ideal-world execution of a functionality \(\mathcal {F}\) with adversary \(\mathsf {Sim}\) is denoted by \(\mathsf {IDEAL}_{\mathcal {F},\mathsf {Sim},\mathcal {E}}\). The following definition introduces the notion of a protocol securely emulating some ideal functionality.

Definition 11

We say that a protocol \(\pi \) UC-realizes \(\mathcal {F}\) if for every PPT adversary \(\mathcal {A}\) there is a PPT simulator \(\mathsf {Sim}\) such that for all PPT environments \(\mathcal {E}\),

$$\mathsf {IDEAL}_{\mathcal {F},\mathsf {Sim},\mathcal {E}}\approx \mathsf {EXEC}_{\pi ,\mathcal {A},\mathcal {E}}$$

where \(\mathcal {F}\) is an ideal functionality.

Oblivious transfer (OT), first introduced by Rabin [33], is a crucial primitive in cryptography. We describe the \(\left( {\begin{array}{c}2\\ 1\end{array}}\right) \)-OT ideal functionality \(\mathcal {F}_\text {OT}\), as presented in [15]. Let \(\lambda \in \mathbb {N}\) be a fixed value known to both parties, \(M_0,M_1 \in \{0,1\}^\lambda \) and \(b\in \{0,1\}\). The value \(\mathsf {sid}\) represents the session ID together with the IDs of the parties involved in the protocol.

(Functionality box not reproduced in this extraction: the ideal functionality \(\mathcal {F}_\text {OT}\).)

Unfortunately, it is impossible to design universally composable OT protocols in the plain model, that is, without any setup assumption [13]. Hence, we use the random oracle model (ROM) to construct our UC-secure OT protocol. To this end, we work in the \(\mathcal {F}_{\text {RO}}\)-hybrid model, which is how random oracles are modeled in the UC framework. The random oracle ideal functionality \(\mathcal {F}_\text {RO}\) is presented below.

(Functionality box not reproduced in this extraction: the random oracle ideal functionality \(\mathcal {F}_\text {RO}\).)

The idea behind the \(\mathcal {F}_\text {RO}\)-hybrid model is that every party involved in the ideal-world execution of \(\mathcal {F}\) and in the real-world execution of the protocol \(\pi \) (including the adversary) has access to an ideal functionality \(\mathcal {F}_\text {RO}\), which behaves as a random oracle. The environment can access this ideal functionality through the adversary. We denote by \( \mathsf {EXEC}_{\pi ,\mathcal {A},\mathcal {E}}^{\mathcal {F}_\text {RO}}\) the output of the environment after the real-world execution of the protocol \(\pi \) with an adversary \(\mathcal {A}\), both having access to the ideal functionality \(\mathcal {F}_\text {RO}\). The notion of a protocol securely emulating an ideal functionality is adapted to this model as follows.

Definition 12

We say that a protocol \(\pi \) UC-realizes \(\mathcal {F}\) in the \(\mathcal {F}_\text {RO}\)-hybrid model if for every PPT adversary \(\mathcal {A}\) there is a PPT simulator \(\mathsf {Sim}\) such that for all PPT environments \(\mathcal {E}\),

$$\mathsf {IDEAL}_{\mathcal {F},\mathsf {Sim},\mathcal {E}}\approx \mathsf {EXEC}_{\pi ,\mathcal {A},\mathcal {E}}^{\mathcal {F}_\text {RO}}.$$

In this work, we consider static malicious adversaries. That is, a corrupted party may deviate arbitrarily from the protocol (malicious), but the set of corrupted parties is fixed by the adversary before the protocol starts and does not change until the protocol ends (static).

B Framework Instantiations

In this section we present relevant examples of ORKE schemes that can be used to instantiate our framework. More concretely, we show that the framework can be instantiated with Diffie-Hellman, Ding's KE and Supersingular Isogeny Diffie-Hellman.

B.1 DH-Based OT

Consider the Diffie-Hellman (DH) KE protocol [19]. Let p be a prime and consider the group \(\mathbb {Z}_p=\mathbb {Z}/p\mathbb {Z}\). Let \(g \in \mathbb {Z}_p\) be a generator of the multiplicative group \(\mathbb {Z}_p^*\). We assume g to be a public parameter of the system (e.g. a standard one), known by all parties. The DH KE is defined by three algorithms:

  • \(\mathsf {Gen}_{\mathrm {DH}}(1^\kappa )\) outputs a secret key \(\mathsf {sk}=x\in \mathbb {Z}_p^*\) and a public key \(\mathsf {pk}\leftarrow g\).

  • \(\mathsf {Msg}_{\mathrm {DH}}(r_i,\mathsf {sk}_i) [= \mathsf {Msg}_{\mathrm {DH}}^\mathsf {A}(r_i,\mathsf {sk}_i) = \mathsf {Msg}_{\mathrm {DH}}^\mathsf {B}(r_j,\mathsf {sk}_j,\cdot )]\) takes as input the secret key \(\mathsf {sk}_i=x_i\) and the generator g and outputs \(g^{x_i}\).

  • \(\mathsf {Key}_{\mathrm {DH}}(r_i,\mathsf {sk}_i, m_j)\) takes as input a message \(m_j = g^{x_j}\) and a secret key \(\mathsf {sk}_i=x_i\) and outputs \(m_j^{x_i}\).

Note that DH KE is a (vanilla) ORKE scheme: \(\mathsf {Msg}_{\mathrm {DH}}\) is the same for both parties and does not depend on the message sent by the other party.

Recall that the Decisional Diffie-Hellman (DDH) assumption assumes that \((g,g^{x},g^y,g^{xy})\) is computationally indistinguishable from \((g,g^{x},g^y,z)\) when .

Using the notation of Sect. 2.1, consider \(\mathcal {M}=\overline{\mathcal {M}}=\mathbb {M}=\mathbb {Z}_p^*\), the operation \(*\) to be multiplication modulo p, and \(\psi :\mathbb {Z}_p^*\times (\mathbb {Z}_p^*,*) \rightarrow \mathbb {Z}_p^*\) to be the group action defined as \(\psi (y,h)=y * h\mod p\).

The properties of \(\psi \)-message indistinguishability and \(\psi \)-key indistinguishability follow directly from the hardness of DDH with base g in the group \(\mathbb {Z}_p^*\). A caveat for implementers: DDH is easy in the full group \(\mathbb {Z}_p^*\), because the Legendre symbol of \(g^x\) reveals the parity of x; in practice g is taken to generate a prime-order subgroup (e.g. the quadratic residues modulo a safe prime, or a prime-order elliptic-curve group) and received elements are checked to lie in that subgroup. The argument below applies unchanged to such a subgroup. Consider the notation of Definition 5.

Lemma 13

The DH KE protocol is \(\psi \)-message indistinguishable.

Proof

Since g is a generator of \(\mathbb {Z}_p^*\), the message sent by Alice to Bob is a uniformly random element of \(\mathbb {Z}_p^*\), whether it is computed using \(\mathsf {Msg}_\varPi \) or using \(\psi \).    \(\square \)

Lemma 14

The DH KE protocol is \(\psi \)-key indistinguishable, given that the DDH assumption holds.

Proof

Any key obtained using the \(\mathsf {Key}_{\mathrm {DH}}\) algorithm is of the form \(g^{xy}\), where \(g^x\) is the output of the other party's \(\mathsf {Msg}_{\mathrm {DH}}\) and y is the secret key of the party running the algorithm. Under the DDH assumption, \(g^{xy}\) is computationally indistinguishable from a uniformly chosen element of \(\mathbb {Z}_p^*\), even given \(g^x\) and \(g^y\).    \(\square \)

Therefore, we conclude that the DH KE can be used to instantiate the framework presented in this paper.
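The following Python program is an added illustration, not code from the paper or its full version [10]. It reconstructs the exchange that the appendix describes when the framework is instantiated with Diffie-Hellman: the receiver sends its \(\mathsf {Msg}_{\mathrm {DH}}\) output either as is or moved by \(\psi \) with an element \(h\) derived from a nonce t through a random oracle, together with t (as in the description of the receiver's message in Sect. B.3); the sender recovers both candidate messages with the inverse action, derives one key per candidate with \(\mathsf {Key}_{\mathrm {DH}}\), and pads \(M_0,M_1\) under a second oracle applied to those keys; the receiver can only derive the key that matches its bit. The message layout, the SHAKE-based oracles H1 and H2, the one-time-pad encryption, and the prime-order subgroup of a freshly generated safe prime (toy 256-bit size, generated at start-up instead of a standard group) are assumptions of this example, not details fixed by the page. Hashing to the subgroup by squaring, and the subgroup membership check on every received element, are the practical measures that the caveat on DDH in \(\mathbb {Z}_p^*\) calls for.

```python
import hashlib
import secrets
from dataclasses import dataclass


def _probable_prime(n, rounds=24):
    """Miller-Rabin test, sufficient for generating demo parameters."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


@dataclass(frozen=True)
class Group:
    """Order-q subgroup <g> of Z_p^*, p = 2q + 1.  DDH is false in the full group
    (the Legendre symbol of g^x leaks the parity of x), so every element stays in <g>."""
    p: int
    q: int
    g: int

    def in_subgroup(self, y):
        return 1 < y < self.p and pow(y, self.q, self.p) == 1

    def nbytes(self):
        return (self.p.bit_length() + 7) // 8


def gen_group(bits=256):
    """Fresh safe-prime group for the demo (a deployment would use a standard group)."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if _probable_prime(q) and _probable_prime(2 * q + 1):
            return Group(2 * q + 1, q, 4)     # 4 = 2^2 is a residue, hence of order q


# The ORKE of Appendix B.1 (Msg_DH is the same for both parties) and the action psi.
def dh_gen(G): return secrets.randbelow(G.q - 1) + 1             # Gen_DH: x
def dh_msg(G, sk): return pow(G.g, sk, G.p)                       # Msg_DH: g^x
def dh_key(G, sk, m_other): return pow(m_other, sk, G.p)          # Key_DH: m^x
def psi(G, y, h): return y * h % G.p                              # psi(y, h) = y * h mod p
def psi_inv(G, y, h): return y * pow(h, -1, G.p) % G.p            # psi(y, h^-1)
def xor(a, b): return bytes(x ^ y for x, y in zip(a, b))


def ro_to_group(G, t):
    """H1: nonce -> element of <g> with unknown discrete log (square a hash mod p).
    Deriving h as g^H(t) instead would hand the receiver log_g(h) and break sender privacy."""
    x = int.from_bytes(hashlib.shake_256(b"H1|" + t).digest(2 * G.nbytes()), "big")
    return pow(x % (G.p - 2) + 2, 2, G.p)


def ro_pad(G, sid, i, k, n):
    """H2: per-session, per-index key derivation, used here as a one-time pad."""
    return hashlib.shake_256(b"H2|" + sid + bytes([i]) + k.to_bytes(G.nbytes(), "big")).digest(n)


def receiver_round1(G, b):
    """Receiver with bit b sends Msg_DH(sk), moved by psi with h = H1(t) iff b = 1, plus t.
    Both cases are uniform in <g>, so the sender learns nothing about b."""
    sk, t = dh_gen(G), secrets.token_bytes(32)
    m = dh_msg(G, sk)
    m_sent = m if b == 0 else psi(G, m, ro_to_group(G, t))
    return (sk, b), (m_sent, t)


def sender_round2(G, sid, msgs, r_msg):
    """Sender recovers both candidate receiver messages (cand[b] is the genuine one),
    derives one Key_DH per candidate and pads M_0, M_1 with H2 of the respective key."""
    m_sent, t = r_msg
    if not G.in_subgroup(m_sent):
        raise ValueError("receiver element outside the prime-order subgroup")
    cand = (m_sent, psi_inv(G, m_sent, ro_to_group(G, t)))
    sk = dh_gen(G)
    cts = tuple(xor(msgs[i], ro_pad(G, sid, i, dh_key(G, sk, cand[i]), len(msgs[i])))
                for i in range(2))
    return dh_msg(G, sk), cts


def receiver_round3(G, sid, state, s_msg):
    """Receiver derives k_b; k_{1-b} would need a CDH computation on (g^x_S, h)."""
    sk, b = state
    m_s, cts = s_msg
    if not G.in_subgroup(m_s):
        raise ValueError("sender element outside the prime-order subgroup")
    return xor(cts[b], ro_pad(G, sid, b, dh_key(G, sk, m_s), len(cts[b])))


def run_ot(G, sid, msgs, b):
    """One complete 1-out-of-2 OT; returns the message the receiver obtains."""
    state, r1 = receiver_round1(G, b)
    return receiver_round3(G, sid, state, sender_round2(G, sid, msgs, r1))
```

`run_ot(gen_group(), b"session-1", (M0, M1), b)` returns \(M_b\). Note that the sender-privacy argument depends on h lying in \(\langle g\rangle \): if H1 produced an element outside the subgroup, the sender could read b off the subgroup membership of the received element, which is exactly the Legendre-symbol leak mentioned above.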

B.2 RLWE-Based OT

The instantiation of this framework using Ding’s KE was presented previously in [9] and this framework can be viewed as a generalization of their work. Here, we present a more generic instantiation using any RLWE-based KE scheme, such as [1, 20, 31].

Let \(q > 2\) be a prime such that \(q\equiv 1\mod 2n\), where \(n\in \mathbb {N}\) is a power of 2, and let \(R_q = \mathbb {Z}_q[x]/\langle x^n+1\rangle \). Let \(\chi _\alpha \) be a discrete Gaussian distribution with parameter \(\alpha \).

Let . The RLWE assumption asks to distinguish \((a,as+e)\) where from (au) where  [29]. The HNF-RLWE assumption is similar to the RLWE assumption, but  [2].

Consider an RLWE-based KE scheme that is secure assuming the HNF-RLWE problem is hard. Let \((\mathsf {recMsg},\mathsf {recKey})\) be any reconciliation mechanism, such as those presented in [20, 31], where \(\mathsf {recMsg}\) takes as input a value \(x_1\in R_q\) and outputs the signal w of \(x_1\) and a key K, and \(\mathsf {recKey}\) takes as input a value \(x_2\in R_q\) and a signal w and outputs a key K. Recall that a reconciliation mechanism is parameterized by a bound \(\xi _\mathsf {rec}\) such that if \(x_1\) and \(x_2\) are close (meaning that \(|x_1-x_2|\le \xi _\mathsf {rec}\)), then

$$\Pr \left[ K_1=K_2: (w,K_1)\leftarrow \mathsf {recMsg}(x_1), K_2\leftarrow \mathsf {recKey}(x_2,w)\right] \ge 1-\mathsf {negl}(\kappa ).$$

It is also required that, if \(x_1\) is uniform, then \(K_1\) is indistinguishable from a uniform value, even when given w, where \((w,K_1)\leftarrow \mathsf {recMsg}(x_1)\).

Let be a public polynomial. The four algorithms that define an RLWE-based KE are the following:

  • \(\mathsf {Gen}_{RLWE}(1^\kappa )\) chooses and outputs a secret key and a public key \(\mathsf {pk}\leftarrow a s+2e \mod q\) where .

  • \(\mathsf {Msg}_{RLWE}^\mathsf {A}(r_\mathsf {A},\mathsf {sk}_\mathsf {A})\) outputs the message \(m_\mathsf {A}= \mathsf {pk}_\mathsf {A}\).

  • \(\mathsf {Msg}_{RLWE}^\mathsf {B}(r_\mathsf {B},\mathsf {sk}_\mathsf {B},m_\mathsf {A})\) computes \((w,K)\leftarrow \mathsf {recMsg}(m_A\mathsf {sk}_B+2e')\), where , and outputs \(m_\mathsf {B}=(\mathsf {pk}_\mathsf {B},w)\).

  • \(\mathsf {Key}_{RLWE}(r_i, \mathsf {sk}_i, m_j)\) computes \(k_i\leftarrow s_i \mathsf {pk}_j + 2e'_i\), where , and outputs the shared key \(K \leftarrow \mathsf {recKey}(k_i,w)\).

RLWE-based KE schemes [1, 20, 31] are A-B ORKE schemes, since Bob's message depends on Alice's message.
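The following Python program is an added illustration, not code from the paper or from any of [1, 20, 31]. It is a toy instance of the four algorithms above together with a reconciliation mechanism of the Ding type: \(\mathsf {recMsg}\) derives a signal w from the coefficients of \(x_1\) and extracts a key bit per coefficient by parity, and \(\mathsf {recKey}\) does the same on \(x_2\) using the received signal. The parameters (\(n=16\), \(q=7681\)), the centred-binomial noise used in place of \(\chi _\alpha \), and the schoolbook ring multiplication are assumptions of the example and are far too small to be secure. The function `reconciles` also shows why every noise term in the scheme is multiplied by 2: a small even offset between \(x_1\) and \(x_2\) always reconciles, whereas an odd offset flips the extracted bit.

```python
import secrets

N, Q = 16, 7681       # R_q = Z_q[x]/(x^N + 1); toy sizes, not a secure parameter set


def centered(v):
    """Representative of v mod Q in [-(Q-1)/2, (Q-1)/2]."""
    v %= Q
    return v - Q if v > Q // 2 else v


def poly_mul(a, b):
    """Schoolbook product in Z_Q[x]/(x^N + 1): x^N = -1 (negacyclic wrap)."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < N:
                out[i + j] = (out[i + j] + ai * bj) % Q
            else:
                out[i + j - N] = (out[i + j - N] - ai * bj) % Q
    return out


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def sample_noise(width=2):
    """Small centered noise in [-width, width]; a centered-binomial stand-in for chi_alpha."""
    return [sum(secrets.randbelow(2) - secrets.randbelow(2) for _ in range(width)) for _ in range(N)]


# Reconciliation (recMsg, recKey): Ding's signal function and Mod_2 extractor, coefficient-wise.
def signal(v):
    """Sig(v) = 0 if the centered v lies in [-floor(Q/4), floor(Q/4)], else 1."""
    return 0 if abs(centered(v)) <= Q // 4 else 1


def mod2(v, w):
    """Mod_2(v, w): parity of the centered representative of v + w * (Q-1)/2."""
    return centered(v + w * ((Q - 1) // 2)) % 2


def rec_msg(x1):
    """recMsg(x_1) -> (signal w, key K_1)."""
    w = [signal(c) for c in x1]
    return w, [mod2(c, wi) for c, wi in zip(x1, w)]


def rec_key(x2, w):
    """recKey(x_2, w) -> key K_2; equals K_1 whenever x_2 - x_1 is small and even."""
    return [mod2(c, wi) for c, wi in zip(x2, w)]


def reconciles(x1, delta):
    """Does recKey recover recMsg's key when x_2 = x_1 + delta (coefficient-wise)?
    A small even offset always reconciles; any odd offset flips the extracted bits."""
    w, k1 = rec_msg(x1)
    return rec_key([(c + d) % Q for c, d in zip(x1, delta)], w) == k1


# The A-B ORKE (Gen, Msg^A, Msg^B, Key): Bob's message depends on Alice's.
def gen(a):
    """Gen_RLWE: sk = s, pk = a*s + 2e."""
    s, e = sample_noise(), sample_noise()
    return s, poly_add(poly_mul(a, s), [2 * c % Q for c in e])


def msg_a(pk_a):
    """Msg^A: Alice's message is just her public key."""
    return pk_a


def msg_b(s_b, pk_b, m_a):
    """Msg^B: k_B = m_A*s_B + 2e', (w, K_B) <- recMsg(k_B); the message is (pk_B, w)."""
    k_b = poly_add(poly_mul(m_a, s_b), [2 * c % Q for c in sample_noise()])
    w, key_b = rec_msg(k_b)
    return (pk_b, w), key_b


def key_a(s_a, m_b):
    """Key_RLWE on Alice's side: k_A = s_A*pk_B + 2e', K_A <- recKey(k_A, w)."""
    pk_b, w = m_b
    return rec_key(poly_add(poly_mul(s_a, pk_b), [2 * c % Q for c in sample_noise()]), w)


def run_ke(a=None):
    """One exchange; returns (K_A, K_B).  k_A - k_B = 2(s_A e_B - e_A s_B + e'_A - e'_B)
    is even and, with these toy bounds, far below Q/4, so the two keys agree."""
    if a is None:
        a = [secrets.randbelow(Q) for _ in range(N)]      # the public polynomial a
    s_a, pk_a = gen(a)
    s_b, pk_b = gen(a)
    m_b, key_b = msg_b(s_b, pk_b, msg_a(pk_a))
    return key_a(s_a, m_b), key_b
```

`run_ke()` returns two equal lists of N key bits. The signal w is what makes the mechanism robust: coefficients near \(\pm q/2\) are shifted by \((q-1)/2\) before the parity is taken, so that two close values never straddle the wrap-around point where parity would otherwise disagree.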

Using the notation of Sect. 2.1, consider \(\mathcal {M}\) to be the set of RLWE samples, that is, and \(\overline{\mathcal {M}}=\mathbb {M}=R_q\), the operation \(*\) to be addition in \(R_q\), and \(\psi :R_q\times (R_q,+)\rightarrow R_q\) to be the group action defined as \(\psi (y,h)=y+h\).

Lemma 15

RLWE-based KE is \(\psi \)-message indistinguishable given that the HNF-RLWE assumption holds.

Proof

The message algorithm of Alice (\(\mathsf {Msg}_{RLWE}^\mathsf {A}\)) outputs HNF-RLWE samples, so breaking the \(\psi \)-message indistinguishability of an RLWE-based KE reduces directly to deciding the HNF-RLWE problem.    \(\square \)

For the \(\psi \)-key indistinguishability property, let \(K_A\) and \(K_B\) be the output of the algorithm \(\mathsf {Key}_{RLWE}\) when run by party \(\mathsf {A}\) and \(\mathsf {B}\) respectively.

Lemma 16

RLWE-based KE protocol is \(\psi \)-key indistinguishable, given that the HNF-RLWE assumption holds.

Proof

This follows directly from the security of the KE protocol. As proved in [20, Theorem 3], computationally distinguishing \(K_A\) or \(K_B\) from a uniformly random key reduces to the HNF-RLWE assumption. Thus, if the HNF-RLWE assumption holds, the protocol is \(\psi \)-key indistinguishable.    \(\square \)

We conclude that RLWE-based KE schemes [1, 20, 31] can be used to instantiate the framework of this article.

B.3 SIDH-Based OT

Following the work of [4], which presents an OT protocol based on the Supersingular Isogeny Diffie-Hellman (SIDH) of [24], we adapt the same techniques to achieve the first UC OT based on supersingular isogeny cryptography. Although we use the same techniques to instantiate our framework with this key exchange, we work in the ROM instead of using the secure coin flip of [4]. A caveat for practitioners: the SIDH key exchange of [24] was subsequently broken by polynomial-time key-recovery attacks (Castryck and Decru, 2022, and follow-up work) that exploit precisely the torsion-point images \(\phi _i(P_j),\phi _i(Q_j)\) sent in each message, so this instantiation is of historical and expository interest only.

As defined in [24], let \(p=\ell _A^{e_A} \ell _B^{e_B} \cdot f \pm 1\), where \(\ell _A,\ell _B\) are small primes and f is a cofactor such that p is prime. Let \(E_0\) be a supersingular curve defined over \(\mathbb {F}_{p^2}\), let \(\{P_A,Q_A\}\) be a basis of \(E_0[\ell _A^{e_A}]\) and \(\{P_B,Q_B\}\) a basis of \(E_0[\ell _B^{e_B}]\), where \(E[\ell ]\) denotes the \(\ell \)-torsion group of E, i.e. the set of all points \(P\in E(\overline{\mathbb {F}}_q)\) such that \([\ell ]P\) is the identity. As in [4], we consider \((P_A,Q_A),(P_B,Q_B)\) as public parameters of the cryptosystem.

Like the DH scheme, this is a vanilla ORKE scheme, since \(\mathsf {Msg}_{SIDH}\) is the same for both parties and does not depend on the message sent by the other party. The three algorithms that define the KE are:

  • \(\mathsf {Gen}_{SIDH}(1^\kappa ,r)\) picks \(m_i,n_i \in \mathbb {Z}/\ell _i^{e_i}\mathbb {Z}\), not both divisible by \(\ell _i\), and computes an isogeny \(\phi _i: E_0\rightarrow E_i\) with kernel \(K_i = \langle { [m_i]P_i + [n_i] Q_i }\rangle \). It sets \(\mathsf {sk}\leftarrow (m_i,n_i,\phi _i)\).

  • \(\mathsf {Msg}_{SIDH}(r_i,\mathsf {sk}_i) [= \mathsf {Msg}_{SIDH}^\mathsf {A}(r_A,\mathsf {sk}_A) = \mathsf {Msg}_{SIDH}^\mathsf {B}(r_B,\mathsf {sk}_B,\cdot )] \) computes the images

    $$\{ \phi _i(P_j), \phi _i(Q_j) \} \subset E_i$$

    and outputs the message \(m = (E_i,\phi _i(P_j), \phi _i(Q_j))\).

  • \(\mathsf {Key}_{SIDH}(r_i,\mathsf {sk}_i, m_j)\): since \(m_j = (E_j,\phi _j(P_i), \phi _j(Q_i))\), compute the isogeny \(\phi _i': E_j\rightarrow E_{ij}\) with kernel \(\langle { [m_i]\phi _j(P_i) + [n_i]\phi _j(Q_i) }\rangle \) and return the j-invariant of \(E_{ij}\).

Now, we show that there exists a group action \(\psi \) as required by Definition 5. Again, we base our group action on the assumptions of [4] and follow their notation. Consider \(\mathcal {M}= \overline{\mathcal {M}}\) to be the set of elements of the form \((E,G,H)\), where G and H are elements of the \(\ell \)-torsion group of E. In [4], it is assumed that \((E,G,H)\) is computationally indistinguishable from \((E, G+U, H+V)\) when U, V are randomly chosen in \(E[\ell ]\) such that the Weil pairings of (G, H) and \((G+U,H+V)\) coincide. Moreover, they also show that such U, V can be sampled in polynomial time among the elements of \(E[\ell ]\), namely \(U \leftarrow \alpha G_B + \beta H_B\), \(V \leftarrow -(\alpha /\beta ) U\), where \(G_B \leftarrow \phi _B(P_A)\), \(H_B\leftarrow \phi _B(Q_A)\), and \(\alpha ,\beta \in \mathbb {Z}/\ell \mathbb {Z}\).

We are now able to define the required group action \(\psi \). Let \(\mathbb {M}\) be the group of pairs \((U,V)\) with \(U,V\in E[\ell ]\), with group law \(*\) being the coordinate-wise sum of elliptic curve points. This group acts on \(\overline{\mathcal {M}}\), \(\psi :\overline{\mathcal {M}}\times (\mathbb {M},*)\rightarrow \overline{\mathcal {M}}\), by modifying G and H: \(\psi (y,h) = (E, G+U, H+V)\), where y is of the form \((E,G,H)\), h is of the form (U, V), G, H, U, V are all elements of \(E[\ell ]\), and U, V are sampled as in [4].

Lemma 17

The SIDH KE protocol is \(\psi \)-message indistinguishable under the security assumptions in [24, Section 5], provided the parameters are chosen so as to prevent the pairing-based distinguisher of [4].

Proof

To achieve \(\psi \)-message indistinguishability, we must prevent any distinguisher from telling whether the first message from the receiver is \((E,G,H)\) or \((E,G+U,H+V)\). As in [4], we choose the parameters so as to defeat the distinguisher based on the Weil pairing, and thereby prevent the sender from learning the secret bit of the receiver. If their conjecture that there is no other polynomial-time distinguisher for schemes of this form holds, then the scheme is \(\psi \)-message indistinguishable.    \(\square \)

Note that, differently from [4], in our proposal the receiver sends either \((E,G,H)\) or \((E,G+U,H+V)\), together with the nonce t such that \((U,V)\leftarrow \mathsf {H}(t)\). That is, [4] uses a secure coin-flipping procedure to generate U, V, whereas here U, V are obtained from the random oracle. This means that the receiver can make polynomially many queries to the RO in order to pick U, V, in contrast to the single draw of [4]. However, if the receiver could obtain a favourable pair U, V within polynomially many tries, then the secure coin flip of [4] would also produce such a pair with non-negligible probability. Therefore, the two approaches are equivalent with regard to the security of this procedure.

Lemma 18

The SIDH KE is \(\psi \)-key indistinguishable under the assumptions in [24, Section 5].

Proof

This follows from the security proof of the key exchange in [24]. The shared key is a j-invariant that is uniformly random in the set of j-invariants of supersingular curves, i.e. a random curve in the isogeny graph, which according to the assumptions in [24, Section 5] is hard to compute without knowledge of the private isogenies.    \(\square \)

Therefore, we conclude that the SIDH KE protocol of [24] can be used to instantiate the framework in this article.


Copyright information

© 2019 Springer Nature Switzerland AG

About this paper


Cite this paper

Branco, P., Ding, J., Goulão, M., Mateus, P. (2019). A Framework for Universally Composable Oblivious Transfer from One-Round Key-Exchange. In: Albrecht, M. (eds) Cryptography and Coding. IMACC 2019. Lecture Notes in Computer Science, vol 11929. Springer, Cham. https://doi.org/10.1007/978-3-030-35199-1_5


  • DOI: https://doi.org/10.1007/978-3-030-35199-1_5


  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-35198-4

  • Online ISBN: 978-3-030-35199-1
