How to Lift One-shot Security to Reusability

[Diagram: sender S (input $y$) and receiver R (input $x$). In the $i$-th rOLE call S inputs $(a_i, b_i)$, R inputs $\tilde{x}_i$ and receives $a_i \tilde{x}_i + b_i$; R outputs $f(x, y)$.]

◮ UC-security: $\exists$ an efficient simulator $\mathcal{S}$ with $\mathcal{S}(a_1, b_1, a_2, b_2, \dots) \to y^*$; the output is $f(x, y^*)$
◮ No Abort (optional): when abnormal behavior is detected, output $f(x, 0)$
◮ Difficulty: distribution $y^*$ $\Longrightarrow$ $f(x, y^*)$ has entropy in the ideal world $\Longrightarrow$ leaks information about the receiver's randomness in the real world
◮ "Strong" UC-security $\Longrightarrow$ Reusability. The simulator is deterministic.

Overview: rNISC in rOLE-hybrid model

[Diagram: sender S with input $y \in \mathbb{F}^n$ and receiver R with input $x \in \mathbb{F}^n$. S inputs $(A, b)$ and R inputs $x$ to certified rOLE; R receives $Ax + b$ or $\bot$ and outputs $f(x, y)$.]

◮ Assume $f$ is an arithmetic NC$^1$ circuit or an arithmetic branching program over $\mathbb{F}$
◮ [IK'02, AIK'14] encode $y \mapsto (A, b)$ s.t. $Ax + b$ reveals $f(x, y)$ and nothing else
◮ Against malicious sender: detect if $(A, b)$ is honestly generated, i.e. satisfies some simple arithmetic constraints

Certified rOLE $\to \begin{cases} Ax + b, & \text{if } (A, b) \text{ satisfies constraints} \\ \bot, & \text{otherwise} \end{cases}$

Certified rOLE

[Diagram: a sequence of rOLE instances between S and R, grouped as "Certified rOLE". In instance $k = 1, 2, 3, \dots$ S inputs $(a_k, b_k)$, R inputs $x_k$ and receives $a_k x_k + b_k$.]

◮ Sender can prove $(a_1, b_1, a_2, b_2, \dots)$ satisfies arithmetic constraints: $a_i = a_j$ for some $(i, j)$; for general constraints → see eprint
◮ Side product: reusable DV-NIZK in rOLE-hybrid model.

Certified rOLE

[Diagram: the rOLE calls between S and R that make up certified rOLE.]

S samples $r, r' \leftarrow \mathbb{F}$; R samples $w, \hat{x}_i \leftarrow \mathbb{F}$ and sets $\hat{\hat{x}}_i = x_i - w\hat{x}_i$.

rOLE: S inputs $(a, r)$, R inputs $w$; R receives $aw + r$.
rOLE: S inputs $(r, r')$, R inputs $\hat{x}_i$; R receives $r\hat{x}_i + r'$.
rOLE: S inputs $(a, b + r')$, R inputs $\hat{\hat{x}}_i$; R receives $a\hat{\hat{x}}_i + b + r'$.

$$a x_i + b = (aw + r)\cdot\hat{x}_i - (r\hat{x}_i + r') + (a\hat{\hat{x}}_i + b + r')$$

Target: $a x_i + b$. Commitment($a$): $aw + r$. rOLE outputs: $r\hat{x}_i + r'$ and $a\hat{\hat{x}}_i + b + r'$.

◮ Correctness: Above equation.
◮ UC-secure against Receiver: $x_i := w\hat{x}_i + \hat{\hat{x}}_i$.
◮ "Strong" UC-secure against Sender: Deviate $\Longrightarrow$ random output (not yet)

Our Results

NEW primitive: Oblivious linear function evaluation (OLE)

[Diagram: sender S inputs $a, b \in \mathbb{F}$; receiver R inputs $x \in \mathbb{F}$ and gets $ax + b \in \mathbb{F}$.]

Theorem 2: An information-theoretical UC-secure reusable NISC protocol in rOLE-hybrid model.

Theorem 3: A UC-secure 2-msg reusable OLE protocol in the CRS setting, under Paillier assumption.

rOLE from Paillier

Dual-mode (similar to OT from [PVW'08]). $D_1$ is indistinguishable from $D_2$.

Mode I: crs $\leftarrow D_1$; S holds $a, b$; R holds $x$.
R sends $\mathrm{Enc}(x)$; S sends $\mathrm{Enc}(a - r)$, $\mathrm{Enc}(b + rx)$.
Efficient simulator against unbounded malicious receiver.

Mode II: crs $\leftarrow D_2$; S holds $a, b$; R holds $x$.
R sends $\mathrm{Enc}(0)$; S sends $\mathrm{Enc}(a)$, $\mathrm{Enc}(b)$.
Efficient simulator against unbounded malicious sender.

Paillier Encryption Scheme

KeyGen → public key, trapdoor
Encrypt: $x$, randomness $r$ → $\mathrm{Enc}_r(x)$
Decrypt: $\mathrm{Enc}_r(x)$, trapdoor → $x$
Decrypt: $\mathrm{Enc}_0(x)$ → $x$
$\mathrm{Enc}_r(x)\cdot\mathrm{Enc}_s(y) = \mathrm{Enc}_{r+s}(x+y)$

rOLE from Paillier

CRS (Mode I): $h = \mathrm{Enc}_0(1)$, $w = \mathrm{Enc}_\alpha(0)$, $W_0 = \mathrm{Enc}_\beta(1)$

S holds $a, b$; R holds $x$.

R: sample $sk$;
$W_1 = w^{sk} W_0^{x} = \mathrm{Enc}_{x\beta + \alpha\cdot sk}(x)$

S: sample $r$;
$v = w^{r} = \mathrm{Enc}_{r\alpha}(0)$
$V_0 = h^{a} W_0^{-r} = \mathrm{Enc}_{-r\beta}(a - r)$
$V_1 = h^{b} W_1^{r} = \mathrm{Enc}_{rx\beta + r\alpha\cdot sk}(b + rx)$