Equational Security of a Lattice-based Oblivious Transfer Protocol

Transcription

1 Journal of Network Intelligence c 2016 ISSN (Online) Taiwan Ubiquitous Inforation Volue 2, Nuber 3, August 2017 Equational Security of a Lattice-based Oblivious Transfer Protocol Mo-Meng Liu State Key Laboratory of Integrated Service Networks Xidian University No.2 South Taibai Road, Xian, Shaanxi, , China liuoeng@gail.co Yu-Pu Hu State Key Laboratory of Integrated Service Networks Xidian University No.2 South Taibai Road, Xian, Shaanxi, , China yphu@ail.pxidian.edu.cn Received March 2017; Revised April Abstract. In this paper, we apply a novel fraework, called equational security fraework, to an efficient lattice-based oblivious transfer (OT) protocol which is built upon the hardness of the learning with errors (LWE) proble that is believed quantu resistant, and provable secure in the standard universally coposability (UC) odel. This novel fraework can provide a concrete atheatical odel of counication, and a concise syntax to describe protocol in ters of a set of atheatical equations. This distinguishing feature akes it ore easily to analyze the security of protocols when they are deployed in soe coplex environents (e.g., when coposed with other protocols). Our initial otivation intends to prove the equational security of this lattice-based OT protocol to clai its usability in a fully asynchronous environent. However, we found a tiing bug during the security proof of this lattice-based OT protocol in the equational security fraework. Thus, we accordingly ake twice odifications on its traditional OT functionality. Unfortunately, we still cannot obtain the equational security of this lattice-based OT protocol. We reark that our negative result does not ean that we find soe specific faults in the original security proof of this OT protocol, but it iplies that this protocol is not suitable to be used in the fully asynchronous execution environents. Keywords: Oblivious transfer, Lattice-based cryptography, Equational security fraework, Universally coposability 1. Introduction. As a fundaental cryptographic priitive, oblivious transfer (OT) was firstly introduced by Rabin [1] to depict a cryptographic scenario between two parties, where one party (called the sender) sends a essage to the other party (called the receiver) with requiring that the receiver can only obtain this essage with probability 1 and 2 the sender reains oblivious as to whether the essage has been received or not. In addition, an OT protocol based on RSA cryptosyste was proposed to ipleent this tricky conception. Afterwards, a ore useful for called 1-out-of-2 OT [2] was developed to build protocols for secure ultiparty coputation. 1-out-of-2 OT is also an execution of a two-party coputation, where the sender takes as input a essage pair and the receiver chooses one bit as his input. After the interaction between two parties, the receiver can 231

2 232 M.M Liu and Y.P. Hu retrieve his chosen essage without knowing any knowledge of the other essage and the sender is unaware of the receiver s essage choice. Moreover, 1-out-of-2 OT can be trivially transfored into 1-out-of-N OT, where the sender runs a database consisting of N essage entries and the receiver can retrieve one out of N essages by his choice. In the rest of paper, unless otherwise noted, we abbreviate 1-out-of-2 OT as OT for clarity. Due to the above siple functionality of OT, it can be utilized to securely and efficiently ipleent soe atheatical operations (e.g., secure two-party ultiplication [3]) aong several parties. Therefore, OT is usually taken as the basic building block to construct ore coplex cryptographic protocols in countless cryptographic literatures. In [4] and [5], efficient OT protocols are built upon the decisional Diffie-Hellan (DDH) assuption. However, their security is shown in half-siulation paradig, where an ideal siulator can only be constructed for a cheating receiver. Therefore, this type of OT protocols cannot be sufficiently secure when integrated into a larger protocol. With this concern, any works attept to achieve fully-siulation security, i.e., the ideal siulators can be built for both parties. There are several results (e.g., [6]) which ai to construct fully-siulation secure OT protocol, however, ost of the are secure in the stand-alone odel (cf. [7]), which guarantees that the protocol is secure under sequential coposition instead of parallel or concurrent coposition. However, concurrent coposability can bring great advantages on efficiency when protocols are executed in a coplex environent, such as the Internet, where it can help to save counication rounds by running protocols parallelly. This kind of security requireent is captured by a well-known fraework, called universally coposability (UC) odel [8]. That is, the protocol which is provable secure in the UC odel can aintain its security when running concurrently with arbitrary other secure and insecure protocols. However, one ain feature of the UC fraework is that any cryptographic task can be expressed as an ideal functionality (e.g., OT functionality) and alost any network environent (e.g., fully asynchronous execution environents) is possible in this UC odel. This highly generality akes it hard to use this UC foralization when specifying and analyzing concrete protocols in practice. This liitation otivates researchers to explore several variants for siplifying and specializing of the general UC odel [9, 10, 11, 12]. For the sae prospective, a novel fraework called equational security fraework [13] is proposed to provide a concrete atheatical odel and a concise syntax to describe secure coputation protocols, i.e., specifying cryptographic protocols by a syste of atheatical equations. The fraework akes the study of secure coputation protocols in a concise, rigorous, notation-wise lightweight anner. Motivation. In this paper, by applying the equational security fraework, we revisit the security of an efficient lattice-based OT protocol [14] which is built upon the hardness of the learning with errors (LWE) proble and provable secure in the standard UC fraework. Actually, our work is initially inspired by [15], which analyzes two concrete OT protocols in the equational security fraework for their equational security. In [15], they first show the equational security of OT extension protocol [16], however, they cannot prove the equational security of an efficient UC secure OT [17] even after soe odifications. Therefore, this otivates us to explore whether this lattice-based OT protocol [14] can achieve its equational security or not. Moreover, to the best of our knowledge, the lattice-based OT protocol proposed in [14] is the ost efficient OT protocol which is believed quantu resistant (relying on the LWE hardness) and secure in the UC fraework (offering the guarantee for arbitrary coposition). Thus, if we achieve the equational security of this lattice-based OT protocol, it will ake the protocol easily understandable

3 Equational Security of a Lattice-based Oblivious Transfer Protocol 233 and proisingly utilized in a coplex environent (ight be quantu adversarial and fully asynchronous). Our Results. Here we briefly present our ain findings in this paper. First, it is clear to see that the UC-security proof of this lattice-based OT protocol [14] is ade by using the traditional OT functionality (see later in Section 4 Figure 2). When we apply this traditional OT functionality to the equational security proof of this lattice-based OT protocol, we find a tiing bug in the case that when the sender is corrupted, so that there always exists an environent which can distinguish the real world fro the ideal world with overwheling probability. Therefore, we accordingly odified the OT ideal functionality twice to fix this bug, however, the result is still negative, i.e., this latticebased OT protocol [14] cannot obtain its security in the equational security fraework. Roadap. We introduce soe basic notions and backgrounds in Section 2, and recall the lattice-based OT protocol [14] we entioned in Section 3. Our work is ainly presented in Section 4 to explore the equational security of this lattice-based OT protocol. Moreover, we give the conclusion of this paper in Section Preliinaries. In this section, soe relevant backgrounds are introduced in two parts, where we briefly introduce the equational security fraework in Section 2.1, and latticebased cryptography and UC fraework which are related to the lattice-based OT protocol [14] in Section 2.2. For clarity, ost notations and concepts we recall respect their definitions shown in [8, 13, 14, 15]. In addition, we assue that the readers are failiar with the siulation-based security [7] Equational security fraework. To study protocols in a concise, rigorous, notationwise lightweight anner, equational security fraework [13] is proposed to provide a concrete atheatical odel and a concise syntax to describe cryptographic protocols by a syste of atheatical equations. Its underlying atheatical foundation relies on doain theory [18, 19, 20]. Since to explain how doain theory can be applied to the equational security fraework is not essential to the readers, we skip this illustration and refer to [13, 15] for a detailed treatent. Here, we only introduce soe necessary backgrounds and notions of the equational security fraework. In a nutshell, the equational security fraework can be viewed as a network with nodes representing coputation units and edges odeling counication channels. Each channel is associated with a partially ordered set (i.e., poset) which represents all possible essages or sequences of essages that ay be transitted on the channel over tie, where the teporal evolution is described by the partial order relation. For exaple, if a channel is allowed to transit an arbitrary nuber of essages fro a basic set X, then it can be odeled by a poset (X, ), where X = {(x 1,..., x k ) : k 0, i, x i x} represents a set of finite essages in X, and the partial ordering relation (reflexive, transitive and antisyetric) is used to describe a sequence of transission observations at different points in tie, denoted by a chain x 1 x 2... x k. Here x i+1 is a possible extension or future of x i if for any two histories x i x i+1. Another coon exaple of poset, denoted by X = X { }, consisting of all essages in X, and a botto eleent representing the case that no essage has been transitted yet, where its flat partial order satisfies that x y if and only if x = or x = y. This kind of poset X odels a counication channel which is capable of transitting only a single essage fro X. In the equational security fraework, each node can be viewed as a unit with one input and one output, where the input (resp. the output) is the Cartesian product of incoing channels (resp. outgoing channels). Each coputational unit at each node can be odeled

4 234 M.M Liu and Y.P. Hu as a function f : C 1 C 2 fro the incoing channels to the outgoing channels such that f(h 1 ) f(h 2 ) in C 2 if for any h 1 h 2 in C 1. This natural onotonicity iplies that once a essage has been transitted, the sender cannot take it back in tie. Now we give a ore detailed introduction of equational security fraework [13] in ters of its application in this paper. All considered posets in this paper are coplete partial orders (CPOs), i.e., for any chain x 1 x 2... in poset (X, ), it has a least upper bound sup i x i. In addition, all CPOs have a inial eleent = sup, i.e., for all x X, it satisfies the relation x. These posets are naturally endowed with the Scott topology, where a subset A X is closed if for all x A, y x iplies y A, and any chain in A has a least upper bound in A. Open sets are defined as the copleents of closed sets. Note that all CPOs considered in this paper are flat CPOs. That is, for any finite set X, it is extended with to for a flat CPO X, where the partial order in this flat CPO consists of x for all x X. In addition, for any set X, x X represents selecting an eleent x uniforly at rando fro X. Then the functions f : X Y between sets can be lifted into the functions f : X Y between the corresponding flat CPOs by setting f( ) =. Moreover, the equational fraework also specifies the probabilistic behaviors of protocols, represented by the probabilistic functions between sets of distributions with proper ordering relation. A probability distribution on a CPO X is a function p : X [0, 1] such that p(a) + p(b) = p(a B) for all disjoint A, B X and p(x) = 1. We let n be a security paraeter. If for all x X, p(x) < n c for any constant c > 1, we say such a probability p is negligible. Then p is overwheling if 1 p is negligible. Note that the set of probability distributions over a CPO X, denoted by D(X), is also a CPO. For any two distributions p and q over D(X), we have q q (in D(X)) if and only if p(a) q(a) for any open subset A X. Now we recall soe notations defined in [15] for the application of equational security fraework in our work. A flat CPO is denoted by X with a botto eleent X, where its partial order satisfies that x 1 x 2 if and only if x 1 = or x 1 = x 2. This flat CPO X odels a siple counication channel which can transit a single essage fro X/{ }, where represents the state that no essage has been transitted yet. We use X 2 = {(x, y) : x, y X, x ; y } to represent the set of strict pairs over X. For any pair z X 2, z consists of two eleents, i.e., z[0] and z[1] such that z[i] = when z = or i =. Now we let x, y denote the operation of cobining two eleents into a strict pair, thus z can be written as the for of z[0], z[1]. Note that x, =, y =, and therefore x, [0] =, y [1] = even when x, y. In addition, for any pairs x 0, x 1, y 0, y 1, strict function f and strict binary operation, it is easily to verify that f( x 0, x 1 [i]) = f(x 0 ), f(x 1 ) [i] and x 0, x 1 [i] y 0, y 1 [i] = x 0 y 0, x 1 y 1 [i]. For clarity, in the rest of the paper we let the CPO S = { } represent signals, i.e., the essages without inforation content, the CPO B = {0, 1} represent single bit essage (used for selecting an eleent fro a pair), and the CPO M l = {0, 1} l describe bit-strings of length l. Moreover, we utilize x!y = x, y [1] to represent the operation of guarding y by x such that x!y = y except for the case x =. This expression can be used for delaying the transission of y until after x is received. In addition, the expression x! = x! can be used for testing x >. Advantages of equational security fraework. The ost outstanding feature of the equational fraework is that it can provide a atheatically clean syntax to specify the processes of coputation nodes by a set of atheatical equations. This akes it easy to represent coposition by cobining equations together. Since coposition is independent of the coposition order, the behavior of a network can be described by

5 Equational Security of a Lattice-based Oblivious Transfer Protocol 235 the equations of each node with the edges connecting the nodes. with using equations in this way, it can also provide a concise ethod to deduce transforations as well. For instance, equivalent coponents can be replaced by each other if they have equivalent equations. When considering probabilistic behaviors, if a coponent is indistinguishable fro another coponent, then they can be interchangeably used with negligible ipact on the behavior of the entire syste Soe backgrounds related to the lattice-based OT protocol. In this section, we introduce soe necessary backgrounds related to the lattice-based OT protocol [14] we later introduce in Section 3, including lattice-based cryptography and UC fraework. We first recall soe notations defined in [8, 14] Notations. We use bold lowercase letters to denote vectors, e.g., v, and bold capital letters to denote atrices, e.g, M. The notation v T represents the transpose of vector v. For any x, y R with y > 0, x od y = x x/y y and x = x + 1/2. For an integer q 1, Z q denotes the quotient ring Z/qZ. We let T = R/Z denote the group of reals [0, 1) with odulo 1 addition. For any α R +, Ψ α denotes the distribution on T obtained by sapling fro a noral variable with ean 0 and standard deviation α/ 2π, reduced odulo 1. Moreover, its discretization Ψ α : Z q R + defines the discrete distribution over Z q of the rando variable q X Ψα od q, where X Ψα has distribution Ψ α. If D is a probability distribution over Z q, then x D denotes sapling x Z q according to D. If D( ) is a probabilistic algorith, y D(x) denotes running D on input x and assigning the output to y. Throughout this paper, n N denotes a security paraeter which is taken as an iplicit input to all cryptographic algoriths. We classify the growth of functions by using standard asyptotic notation. Let f(n) and g(n) be two positive functions. We say f(n) = O(g(n)) if there exist two fixed positive constants c and n 0 such that f(n) cg(n) for all n n 0, and f(n) = o(g(n)) if for any arbitrarily positive constant c, there exists a positive constant n 0 such that f(n) cg(n) for all n n 0. We say that f(n) = Õ(g(n)) if f(n) = O(g(n) log c n) for soe fixed constant c. Let poly(n) denote an unspecified function f(n) = O(n c ) for soe constant c. We say that soe unspecified function f(n) is negligible in n if f(n) = o(n c ) for any constant c. Let negl(n) denote such a function f(n) which is negligible in n. We say that a probability is overwheling if it is 1 negl(n). Let X = {X(n, x)} n N,x {0,1} denote a binary distribution enseble (i.e., an infinite set of probability distributions over {0, 1}), where a distribution X(n, x) is associated with each security paraeter n N and input x {0, 1}. Now we have two such ensebles X = {X(n, x)} n N,x {0,1} and Y = {Y (n, x)} n N,x {0,1}. If Pr(X(n, x) = 1) Pr(Y (n, x) = 1) negl(n), we say that X and Y are indistinguishable, denoted by X Y Lattice-based cryptography. Lattice-based cryptography [21, 22] is a proising postquantu cryptography candidate [23] since it has strong provable security guarantees and good asyptotic efficiency. As a versatile priitive for lattice-based cryptographic constructions, the learning with errors (LWE) proble introduced by Regev [24] is widely utilized and regarded quantu resistant due to its provable property that solving the average-case LWE proble is at least as hard as solving soe standard worst-case lattice proble that cannot be efficiently solved by quantu algoriths. Referring to [24], the LWE proble is described as follows: Definition 2.1 (LWE). Let n 1, q 2 be positive integers, X be an error distribution over Z q, and s be a secret vector following the unifor distribution over Z n q. Let A s,x denote the probability distribution over Z n q Z q obtained by choosing a Z n q uniforly at

6 236 M.M Liu and Y.P. Hu rando, choosing e Z q according to X, and returning the saple (a, c) = (a, a, s +e) Z n q Z q. The LWE proble has two versions, the search-version and the decision-version. Search-LWE is to find s given access to arbitrarily any independent saples (a, c) = (a, a, s + e) fro A s,x. Decision-LWE is to distinguish an oracle that returns independent saples fro A s,x fro an oracle that returns independent saples fro the unifor distribution on Z n q Z q. In [24], Regev gave a quantu reduction fro worst-case lattice probles to the search- LWE proble. Moreover, he also established the equivalences of the search-lwe proble by using eleentary reductions, including a reduction fro the (average-case) decisionversion to the search-version. Note that in the rest of this paper we denote this decision- LWE proble as the LWE proble. Here we state the result [24] with regarding to the average-case decision-lwe proble, which is denoted by LWE q,x and used in the following cryptographic application (see Section 3) as underlying hardness. That is, for certain choices of q and X : Proposition 2.1 (see [24] Theore 1.1 and Lea 4.2). Let n, q be integers and α = α(n) (0, 1) be such that αq > 2 n. If there exists an efficient algorith that can solve LWE q,x, then there exists an efficient quantu algorith for solving the shortest vector proble (GapSVP) and the shortest independent vectors proble (SIVP) to within Õ(n/α) in the worst case UC fraework. Since the lattice-based OT protocol proposed in [14] achieves its security in the standard universally coposability (UC) fraework [8], we begin by a brief overview of this odel which can provide a strong guarantee that ensuring the protocol reains secure when run concurrently with arbitrary other secure and insecure protocols. The security defined in this odel is ade by coparison: given a certain task, we assue that there exists a specific achine called the ideal functionality, denoted by F, which can securely ipleent this task. This ideal functionality obtains the inputs of the coputation participants and provides the with the desired outputs, where all counication between F and the involved coputation parties are done over secure channels and the whole interaction process can be regarded as an ideal protocol/process (denoted by ρ F ) to securely realize this given task. However, in the real world, we cannot obtain this ideal protocol ρ F. We need a real protocol π to ipleent F and intuitively expect that π is no less secure than F. It iplies that if there exists an adversary that can do anything during the execution of π, then the adversary can also do the sae thing during an execution of ρ F. Due to the required security of F, this adversary cannot attack successfully π either. This is captured by requiring that for any real adversary Adv, there exists an ideal adversary, called the siulator Si (constructed fro Adv), such that an execution of π with Adv (called the real world) is indistinguishable fro an execution of F with Si (called the ideal world). Moreover, in the UC fraework there is a new algorithic entity called environent Env, which odels the external environent of the current honest parties. The distinguishing feature of the UC fraework is that Env can freely interact with both worlds through the whole execution process. If no achine Env can distinguish its interaction with the real world fro the one with the ideal world, then we say this real protocol π can securely UCeulate the ideal functionality F or the ideal process ρ F, i.e., π can achieve UC-security. Referring to [8], we let F be an ideal functionality. EXEC π,adv,env (n, x) denotes the rando variable describing the single bit output of Env when interacting with Adv and running π on an input x {0, 1}, where n represents the security paraeter. Likewise, the rando variable describing the single bit output of Env when interacting with F

7 Equational Security of a Lattice-based Oblivious Transfer Protocol 237 and Si on the sae input x is denoted by IDEAL F,Si,Env (n, x). Let EXEC π,adv,env (resp. IDEAL F,Si,Env ) denote the enseble {EXEC π,adv,env (n, x)} (resp. {IDEAL F,Si,Env (n, x)}) of distributions over {0, 1}, where n N, x {0, 1}. Then the general notion that π can securely UC-eulate F is forally defined as follows. Definition 2.2 (UC-Security). Let F be an ideal functionality. A protocol π is said to UC-eulate F if for any adversary Adv, there exists a siulator Si such that for all environents Env it holds that where denotes indistinguishability. IDEAL F,Si,Env EXEC π,adv,env, 3. Lattice-based OT Protocol. In this section, we will introduce an efficient latticebased OT protocol [14] which is provable secure in the UC fraework. This lattice-based OT is extracted fro a dual-ode cryptosyste constructed by using soe technical tools proposed in [25]. Once such a dual-ode cryptosyste under soe certain standard assuption is built well, an efficient and UC-secure OT protocol based on the sae hardness assuption can be directly derived. In Section 3.1, we first present the dual-ode cryptosyste instantiated with the L- WE proble. Then we introduce the derived OT protocol in Section 3.2. In addition, for a clear application of equational fraework to this lattice-based OT protocol, we briefly recall the siulator constructions for the UC-security proof of this OT protocol in Section Dual-ode cryptosyste based on LWE hardness. Dual-ode cryptosyste behaves like a noral encryption schee which can correctly decrypt a essage encrypted with a given public key by the corresponding secret key. However, the distinguishing feature of this particular encryption schee is that it can operate in two odes, i.e., essy ode and decryption ode, where the ode that the schee will run in is decided by the trusted setup phase of the dual-ode cryptosyste. In the trusted setup phase, a coon reference string (denoted by ) and the corresponding trapdoor inforation τ 1 are created, where ay be chosen either uniforly rando or fro a specified distribution. Note that the distribution of decides the ode that the dual-ode cryptosyste will run in and also specifies the type of public key used in the encryption. The instantiation of the dual-ode cryptosyste with the LWE proble relies on soe techniques developed in [25], including an LWE-based encryption (a variant of Regev s CPA-secure LWE-based cryptosyste [24]) and an efficient algorith called IsMessy (which is used to build the siulator in UC-security proof). In [25], it shows that how to securely ebed a trapdoor into the public atrix A used in this LWE-based encryption cryptosyste, so that when the corresponding trapdoor inforation is given, the algorith IsMessy can efficiently identify the essy public key, which has the property that a ciphertext produced by the essy public key carries no inforation (statistically) about the encrypted essage. Here we first introduce this LWE-based encryption, where the essage space is Z 2 = {0, 1}. Let the odulus q = poly(n) be a large prie. For every essage µ Z 2, the center of µ is defined as t(µ) = µ q/2 Z q. Let X denote an error distribution over Z q and D Z,r denote a Gaussian-like distribution over Z with standard deviation 1 Note that the trapdoor τ in different odes is different, it will be illustrated later in the description of the dual-ode construction.

8 238 M.M Liu and Y.P. Hu approxiately r 2. All operations are perfored over Z q. LWE-Based Encryption LWEKeyGen(1 n ): choose a secret key s Zq n 1 uniforly at rando. To generate the public key, choose a atrix A Zq n uniforly at rando and an error vector x Z 1 q according to the error distribution X = Ψ α for soe paraeter α = α(n) (0, 1) (here each x i is chosen independently for all i []). Then copute (A, p = s T A + x), where each entry (a i, p i ) is a saple fro A s,x and denotes the nuber of saples. LWEEnc( = (A, p), µ): to encrypt a essage µ Z 2, choose a vector e Z fro D Z,r and output the ciphertext (u, c) = (Ae, pe + t(µ)) = (Ae, pe + µ q/2 ) Z n q Z q. LWEDec(sk = s, (u, c)): to recover the essage µ fro the ciphertext, copute d = c s T u Z q. Output 0 if d is closer to 0 than to q/2 odulo q, otherwise output 1. Reark 3.1. The above LWE-based encryption schee can also be applied when the essage is a vector µ Z l 2, where l = poly(n) 1. The ain advantage that the atrix A can be reused over l different bits enables to fulfill a ulti-session OT protocol, where it can ipleent l individual OT executions by using the sae A and obliviously transfer one bit to the receiver in each subsession. Now we introduce the LWE-based dual-ode cryptosyste constructed by the above LWE-based encryption and the essy key identifying algorith IsMessy. For siplicity, we only present this LWE-based dual-odel construction for l = 1. LWE-Based Dual-Mode Cryptosyste SetupMessy(1 n ): choose a atrix A Z n q uniforly at rando, together with the trapdoor inforation τ = (S, A) as shown in [25]. For each b {0, 1}, choose a vector v b Z 1 q uniforly at rando. Let = (A, v 0, v 1 ). Output (, τ). SetupDec(1 n ): choose a atrix A Z n q and a vector w Zq 1 uniforly at rando. For each b {0, 1}, choose a secret s b Z n q uniforly at rando and an error vector x b X 1, where all entries are chosen independently fro the error distribution X. Let v b = s T b A + x b w, = (A, v 0, v 1 ), and τ = (w, s 0, s 1 ). Output (, τ). KeyGen(, ): choose a secret s Z n q uniforly at rando and a vector x X 1. Let = s T A+x v, where {0, 1} denotes the decryptable branch 3. Let sk = s and output (, sk). Enc(, b, µ): output y LWEEnc((A, p = + v b ), µ), where b {0, 1} is chosen by the encrypter. Here y is the pair (u, c). Dec(sk, y): output µ LWEDec(sk = s, (u, c)). FindMessy(τ, ): parse τ as (S, A), run IsMessy(S, A, + v b ) for each b {0, 1}, and output b such that IsMessy can output essy on at least one branch correctly with overwheling probability. TrapdoorKeyGen(τ): parse τ as (w, s 0, s 1 ), and output (, sk 0, sk 1 )=(w, s 0, s 1 ). 2 Referring to [25], the particular value of the Gaussian paraeter r is a paraeter of the schee. When the trapdoor inforation is ebed in the schee, the value of r will be related to the length of the trapdoor for A. 3 The ciphertext of a essage can be produced in two branches b = 0 or b = 1. This ciphertext only on the branch = b can be correctly decrypted. We call the branch decryptable.

9 Equational Security of a Lattice-based Oblivious Transfer Protocol 239 Reark 3.2. SetupMessy generates a together with trapdoor τ = (S, A), where S is an ebedded trapdoor in A so that IsMessy can be used in FindMessy to reveal that whether + v b is a essy key for each b {0, 1} when the trapdoor τ is given. The dual-ode cryptosyste has three ain security properties: (1) in essy ode, for each base public key, at least one of the derived public keys + v b for b {0, 1} can statistically hide its encrypted essage; (2) in decryption ode, the honest receiver s chosen bit is statistically hidden by its choice of base key ; (3) given, no adversary can efficiently distinguish two odes (i.e., satisfying coputational indistinguishability). These security properties guarantee that a UC-secure OT protocol can be derived fro this dual-ode cryptosyste. However, the instantiation of the dual-ode cryptosyste with the LWE proble only satisfies a slightly relaxed version of the above security properties. Fortunately, a UC-secure OT protocol based on LWE hardness can still be derived, however, it leads to a slightly weaker security of the honest receiver when running in decryption ode, i.e., coputational security LWE-based OT protocol. Once this LWE-based dual-ode cryptosyste is built well, an LWE-based OT protocol denoted by d ode can be obtained directly (see Figure 1). This d ode can securely UC-eulate a ulti-session OT functionality F OT in the F CRS -hybrid odel (cf. [8]), where F OT serves as a shell around a bounded nuber (corresponding to l) of independent F OT executions. Here F OT denote the traditional OT ideal functionality, where the sender S and the receiver R just forward their inputs ( 0, 1 ) and {0, 1} to F OT and F OT will return to R without any output to S. Here F OT specifies its interaction with two parties in a single session by sid, and coordinates each subsession of the sae session by ssid. F CRS is an ideal functionality which generates a for both parties. Once is obtained, the execution of d ode ainly follows the procedure of the dual-ode cryptosyste. Note that d ode can also operate in two odes. Since F CRS can run two different setup algorith, we denote it by F D CRS. When D = SetupMessy, d ode runs in the essy ode; When D = SetupDec,d ode runs in the decryption ode. Note that the protocol d ode is a 1-out-of-2 OT, it can be extended as a 1-out-of-2 k OT protocol by choosing v b for each b {0, 1} k. Sender Receiver (sid, ssid, 0, 1) (sid, ssid, ) Setup: (sid, S, R) (sid, S, R) FGGGGGGGGGGGGGGG GGGGGGGGGGGGGGGB FCRS D EGGGGGGGGGGGGGGG GGGGGGGGGGGGGGGC (sid, ) (sid, ) Multi-session OT: y b Enc(, b, b ) for each b {0, 1} (sid, ssid, ) DGGGGGGGGGGGGGGGGGG (, sk) KeyGen(, ) (sid, ssid, y 0, y 1) GGGGGGGGGGGGGGGGGGGGGA outputs (sid, ssid, Dec(sk, y )) Figure 1. Lattice-based OT protocol d ode 3.3. UC-security proof sketch. As shown in [14], d ode is provable secure against static corruptions in the UC fraework, where static corruption eans that the adversary can only ake corruption decision before the execution of the protocol instead of during the course of the protocol execution. UC-security iplies that for any real-world adversary

10 240 M.M Liu and Y.P. Hu Adv, there exists an ideal-world adversary Si, called siulator, interacting with the ideal functionality F OT, such that no achine Env can distinguish its interaction with Adv in an execution of d ode fro an interaction with Si by using F OT. The ain ingredients of UC-security proof of d ode lie in the siulator constructions in the corruption cases that when only the receiver is corrupted and when only the sender is corrupted, respectively. In each corruption case, Si starts by running a copy of Adv. Every incoing value received by Si is written into Adv s input tape. Every outgoing value on Adv s output tape is copied to Si s output tape. Note that regardless of which ode the protocol d ode will run in, the construction of Si only depends on corruption case. When only R is corrupted: Si runs the essy ode setup algorith and generates (, τ) SetupMessy(1 n ). Naely, Si chooses a atrix A Zq n uniforly at rando, together with a trapdoor τ = (S, A). For each b {0, 1}, Si selects a vector v b Z 1 q uniforly at rando, sets = (A, v 0, v 1 ), and outputs (, τ). When the parties query FCRS D, Si returns (sid, ) to the and stores τ privately. At soe point, Adv produces a essage (sid, ssid, ) and sends it to Si, where = s T A+x v. Then Si runs FindMessy(, τ, ) to find b for specifying the essy branch, and queries the ideal functionality F OT with (sid, ssid, receiver, 1 b) in the nae of R. Then Si receives the output (sid, ssid, 1 b ) fro F OT and stores the value (b, 1 b ). When S is activated on soe subsession (sid, ssid), then Si ust play the role of the sender to interact with Adv like a real world execution. Si firstly looks up the corresponding (b, 1 b ), then coputes y 1 b Enc(, 1 b, 1 b ) and y b Enc(, b, 0 l ). Finally Si sends the essage (sid, ssid, y 0, y 1 ) to Adv as if it were fro S. When only S is corrupted: Si runs the decryption ode setup algorith and generates (, τ) SetupDec(1 n ), Naely, Si chooses a atrix A Z n q and a vector w Z 1 q uniforly at rando. For each b {0, 1}, Si chooses a secret vector s b Z n q uniforly at rando and an error vector x b X 1, and then sets v b = s T b A + x b w, = (A, v 0, v 1 ), and τ = (w, s 0, s 1 ). When the parties query the ideal functionality FCRS D, Si returns (sid, ) to the and stores τ privately. When R is activated on soe subsession (sid, ssid), Si runs TrapKeyGen(, τ) to generate (, sk 0, sk 1 ), where (, sk 0, sk 1 ) = (w, s 0, s 1 ), and sends (sid, ssid, ) to Adv as if it were fro R, and s- tores (sid, ssid,, sk 0, sk 1 ). When Adv replies with a tuple (sid, ssid, y 0, y 1 ), Si first looks up the corresponding (, sk 0, sk 1 ), then coputes b Dec(sk b, y b ) for each b {0, 1}. Since S has been activated, Si sends (sid, ssid, sender, 0, 1 ) to F OT as if it were fro S. 4. Equational Security of d ode. In this section, we analyze the equational security of d ode. As shown in Section 3, it is clear to see that in the UC-security proof of d ode they use the traditional OT functionality (see Figure 2). When we keep using this traditional OT functionality in equational security fraework, we found that there exists a tiing bug in the case that when the sender is corrupted. Then we soehow odify the OT functionality into a revised one that outputs the sender one acknowledge bit a, which illustrates whether the chosen bit of the receiver has been transitted yet or not without leaking any content of. However, we cannot achieve the security of the sender in this case. Regarding to this situation, we weaken this revised OT functionality by allowing to leak the bit a to the environent, but the result is still negative Equational description of d ode. In this section, we first give the description of d ode in the equational security fraework. Fro Section 3, we know that d ode

11 Equational Security of a Lattice-based Oblivious Transfer Protocol 241 can securely UC-eulate a ulti-session OT functionality F OT which can be regarded as a shell that wraps several traditional OT functionalities F OT. In each subsession ssid of a session sid, one bit can be securely and obliviously transferred to the receiver R. This feature of d ode coes fro the fact that the LWE-based encryption utilized for constructing the LWE-based dual-ode cryptosyste can encrypt an l-bit essage by reusing the public atrix A for l ties bit encryption. When l = 1, d ode is a 1-out-of- 2 OT protocol which UC-eulates a single-session OT functionality which securely and obliviously transfer one single bit, i.e., FOT = F OT. For siplicity, we only consider the case that when l = 1, that is, we only use sid and oit ssid in the equational description of d ode. In the equational security fraework, this traditional OT functionality F OT can be described as shown in Figure 2, where the sender S and the receiver R send their inputs 2 M 2 l = Z 2 2 and B = {0, 1} to F OT, respectively. Then F OT will output = 2 [] to R without any output to S. 2 F OT OT( 2, ) = 2 : Z 2 2 : B : Z 2 = 2 [] Figure 2. Traditional OT functionality F OT In addition, we know that d ode can operate in two odes. In each ode, two parties first query FCRS D with qs and qr (see Figure 3) for a. Here the distribution of is decided by setup algorith in each ode, i.e., when running in essy ode (i.e., D = SetupMessy(1 n )), FCRS D = F CRS es ; When running in decryption ode (i.e., D = SetupDec(1 n )), FCRS D = F dec CRS. qs F D CRS qr CRS D (qs, qr ) = (, ) qs = (sid, S, R) qr = (sid, S, R) SetupMessy(1 n )/SetupDec(1 n ) Figure 3. CRS functionality F D CRS As shown in Figure 4, d ode is described by the notion of nodes and channels, where S, R and FCRS D are represented by three nodes with several input and output channels. It is easy to show the correctness of the protocol. With cobining the equations of FCRS D, Sender and Receiver progras for a real syste Real( 2, ) = which is perfectly equivalent to the defining equation = 2 [] of the ideal functionality F OT, while F OT iplies an ideal syste Ideal( 2, ) = 2 [].

12 242 M.M Liu and Y.P. Hu 2 S qs F D CRS qr R Sender( 2,, ) = (qs, ) qs = (sid, S, R) y 0 LWEEnc((A, p = + v 0 ), 2 [0]) y 1 LWEEnc((A, p = + v 1 ), 2 [1]) = y 0, y 1 Receiver(,, ) = (qr,, ) qr = (sid, S, R) KeyGen(, ) = LWEDec(sk = s, []). Figure 4. Equational description of d ode 4.2. Equational security regarding to the traditional OT functionality F OT. Now we analyze the security of d ode in the equational fraework. The security of d ode in the UC fraework requires that for any adversary Adv, there always exists an efficient siulator progra Si such that for any Env, it cannot distinguish the real syste (the execution of d ode with Adv) fro the ideal syste (the execution of F OT with Si) with overwheling advantage. Here this environent Env connects to all input and output channels of the execution syste. In addition, we let Env produce one additional output t S. The distinguishing advantage of the environent Env is defined by ADV(Env) = Pr{Env[Real] = } Pr{Env[Ideal] = }. When the sender is corrupted. In this attack scenario, since the sender is corrupted by the adversary, the real syste is obtained by reoving the Sender progra fro Figure 4. As shown in Figure 5(a), the real syste is represented by RealS(qs,, ) = (,, ). The corresponding ideal syste IdealS(qs,, ) = (,, ) is described as shown in Figure 5(b). The security in this case requires that two execution systes are indistinguishable for any Env, where Env connects all input and output channels of these two systes, it is denoted by Env(,, ) = (qs,,, t). qs F D CRS qr R qs SiS 2 F OT (a) The real syste (b) The ideal syste Figure 5. When the sender is corrupted (with respect to F OT ) Now we define two distinguishing environents Env 0 and Env 1, and show that for any siulator SiS, at least one of these two environents can distinguish the real and ideal systes with non-negligible advantage.

13 Equational Security of a Lattice-based Oblivious Transfer Protocol 243 Env 0 (,, ) = (qs,,, t) sets qs =, =, and =, and outputs t = ( > ). Env 1 (,, ) = (qs,,, t) sets qs =, =, and {0, 1}, and outputs t = ( > ). The only difference between Env 0 and Env 1 is the value of. According to the receiver progra Receiver, we can see that > if and only if > in the real syste. Thus, we have Pr{Env 0 [RealS] = } = 0 and Pr{Env 1 [RealS] = } = 1. In the ideal syste, since the output value t is independent of when interacting with IdealS, we have Pr{Env 0 [IdealS] = } = Pr{Env 1 [IdealS] = }, which is denoted by p. Thus, these two environents have advantages ADV(Env 0 ) = p and ADV(Env 1 ) = 1 p, respectively. Therefore, either Env 0 or Env 1 has distinguishing advantage at least 1/ Equational security regarding to a revised OT functionality F OT. Based on the above analysis, we know that the protocol d ode is not secure when the sender is corrupted since the environent can distinguish by setting > and observing >. This is the only weakness, i.e., a tiing bug, in the current corruption. With this concern, we can odify the traditional OT functionality F OT into a revised OT functionality which will additionally output a signal bit a = ( > ) to the sender. The signal a S only leaks the inforation that whether has been transitted yet or not without revealing the content of. We denote this revised OT functionality as F OT, see Figure 6. 2 a F OT OT ( 2, ) = (a, ) = 2 [] a = ( > ) Figure 6. A revised OT functionality F OT When the sender is corrupted. Due to this revised OT functionality, we accordingly odify the OT protocol d ode. Therefore, when the sender is corrupted, the real and ideal execution systes are described as shown in Figure 7. qs F D CRS qr R qs SiS 2 a F OT (a) The real syste (b) The ideal syste Figure 7. When the sender is corrupted (with respect to F OT ) Here the security against corrupted sender with respect to F OT can be proved by the following siulator SiS, which takes the signal a = ( > ) as an additional input.

14 244 M.M Liu and Y.P. Hu SiS(qs,, a) = (,, 2 ) (, τ) SetupDec(1 n ) = (A, v 0, v 1 ) τ = (w, s 0, s 1 ) a!w qs = (sid, S, R) 2 [0] = LWEDec(sk = s 0, [0]) 2 [1] = LWEDec(sk = s 1, [1]) 2 = 2 [0], 2 [1] When the receiver is corrupted. Now we have to consider the security of d ode when the receiver is corrupted. However, in order to atch the case that F OT leaks a signal a to the sender, we need to odify the sender progra in the real syste. The only possible way for this goal is that we let the sender produce an additional output a = ( > ) since the sender only receives one essage which is the dependent of fro the receiver. Therefore, the current real and ideal systes are shown in Figure 8. 2 a S qs F D CRS qr 2 a F OT SiR qr (a) The real syste (b) The ideal syste Figure 8. When the receiver is corrupted (with respect to F OT ) Note that the sender progra is accordingly odified as Sender, which is represented by S in Figure 8 and described as the following equations: Sender ( 2,, ) = (a, qs, ) (qs, ) = Sender( 2,, ) a = ( > ). It is easy to verify the correctness of the revised OT protocol, where a real protocol execution (Sender F D CRS Receiver) : ( 2, ) (a, ) is equivalent to the ideal functionality F OT : ( 2, ) (a, ). Now we only need to show that the real and ideal systes described in Figure 8 are indistinguishable for any Env(a,, ) = ( 2, qr, ), i.e., the security against the corrupted receiver. However, the result is negative and shown by Proposition 4.1. Proposition 4.1. For any siulator SiR, there is an environent Env(a,, ) = (, qr,, t) such that the distinguishing advantage ADV[Env] = Pr{Env[RealR] = } Pr{Env[IdealR] = } is not negligible. Proof: We define two distinguishing environents Env 1 and Env 2, and show that for any siulator SiR, at least one of these two environents can distinguish the real syste fro ideal systes with non-negligible advantage. Env 1 (a,, ) = ( 2, qr,, t) sets qr =, 2 =, {0, 1}, and >, and outputs t = (a > ). Env 2 (a,, ) = ( 2, qr,, t) sets qr =, 2 Z 2 2, {0, 1}, and >, and outputs t = ( 2 [] = LWEDec(sk = s, [])).

15 Equational Security of a Lattice-based Oblivious Transfer Protocol 245 We let u i denote the input distribution of SiR (i.e., SiR(, qr, ) = (,, )) when interacting with Env i for i = 1, 2. For any input distribution u = (, qr, ), u denotes the distribution of. Siilarly, we have u qr, u. In addition, we denote the distribution of as SiR(u). When interacting with Env 1, the real syste sets a =. For atching the case that the ideal syste is indistinguishable with the real syste, SiR ust output {0, 1} with overwheling probability. Let p 1 = Pr(SiR(u 1 ) > ) and p 2 = Pr(SiR(u 2 ) > ). Then 1 p 1 is negligible. Note that u 1 = with probability 1 since 2 =. Env 1 and Env 2 both set based on the sae distribution, so u 1 u 2. Since SiR is onotone, we have p 1 p 2, and thus 1 p 2 is also negligible. For i = 1, 2, we let p 0 i = Pr(SiR(u i ) = 0) and p 1 i = Pr(SiR(u i ) = 1), where p 0 1 +p 1 1 = p 1 and p 0 2 +p 1 2 = p 2. Since both {0} and {1} are open sets in B, by onotonicity of SiR we have p 0 1 p 0 2 and p 1 1 p 1 2. Now we consider the distinguishing advantage of Env 2. It is easy to see that Pr{Env 2 [RealR] = } = 1. When interacting with the ideal syste, let denote SiR(u 2 ), then we have Pr(Env 2 [IdealR = ]) = Pr(t = = )Pr( = )+Pr(t = = )Pr( = )+Pr(t = = 1 )Pr( = 1 ) where t = ( 2 [] = LWEDec(s, [])). We can deduce that p 1 1 is close to 1/2. For this clai, we fix and consider the case when = 1. By definition of F OT, u 1 = 2 [ ], and SiR cannot learn 2 []. In addition, since 2 [] is randoly selected fro Z 2, SiR cannot do better than randoly guessing and outputting a ciphertext c 2 [d] of it. Therefore, we have Pr(t = = 1 ) 1/2. Since p 1 1 p 1 2 = p 2 p 2, we have p 2 p 2 p1 1. Therefore, we can deduce the following inequations: Pr(Env 2 [IdealR = ]) = Pr(t = = )Pr( = ) + Pr(t = = )Pr( = ) +Pr(t = = 1 )Pr( = 1 ) (1 p 2 ) + P r(t = = )P r( = ) + 1/2 (1 p 2 ) + p 2 + 1/2 = 1 (p 2 p 2) + 1/2 1 p /2 If we require Pr(Env 2 [RealR] = ) Pr(Env 2 [IdealR] = ) = 1 Pr(Env 2 [IdealR] = ) p 1 1 1/2 to be negligible, then p1 1 should be close to 1/2. This leads to a contradiction in Env 1, i.e., SiR cannot output = with overwheling probability. This fact contradicts the nature of FindMessy which can find correct essy branch 1 on the inforation of (, τ) with overwheling probability. Therefore, it iplies that such a SiR is insufficient in Env 2 such that Env 2 can only distinguish between the real and ideal systes with negligible advantage, or our assuption that Env 1 can distinguish IdealR fro RealR with negligible advantage is not the case Equational security regarding to a weaker OT functionality F OT. Fro the above analysis, we know that when using traditional OT functionality F OT the security under the corruption with the sender cannot be achieved. This is ainly due to the lack of inforation a. Then we revised F OT as F OT which leaks a to the sender. However, in this case, the security under the corruption with the receiver cannot be achieved. It iplies that we cannot build good siulators satisfying the security of d ode when using neither F OT nor F OT, ainly because that it is hard to eulate (either directly or indirectly) the

16 246 M.M Liu and Y.P. Hu signal bit a for siulator. Now we would like to see what if we odify F OT into a weaker functionality F OT (see Figure 9), where the acknowledge bit a = ( > ) is leaked to the environent Env instead of seen by the sender in F OT. 2 F OT a OT ( 2, ) = (a, ) = 2 [] a =! Figure 9. A weaker OT functionality F OT Here we say F OT is weaker than F OT since F OT can eulate F OT by coposing with an ideal agent which relays 2 to F OT but releases a to Env, while F OT is unable to eulate F OT (a is given to Env, so the sender wont get it). When the ideal functionality leaks soe inforation to Env, this usually eans that in the real world, the party responsible for outputting that inforation is controlled by an adversary, and in the ideal world that inforation is given to a siulator to eulate the adversary s behavior. For the concrete case of F OT, when the sender/receiver is corrupted, a is given to SiS/SiR, which ay want to utilize a to decide when or what other inforation would be released to F OT and the environent Env. However, it is not necessary for SiS/SiR to eulate the behaviour of a corrupted sender/receiver by taking advantage of this additional input. By the definition of F OT, we accordingly odify the protocol dode (see Figure.10). Here we add an additional functionality Net between Sender and Receiver, which is responsible outputting a to the environent. Now we analyse the security of d ode with respect to F OT. Note that the progra Net can be regarded as a part of the adversary, once one party is corrupted, we reove the corresponding corrupted progra together with Net functionality fro the real syste. When the sender is corrupted. When the sender is corrupted, we reove Sender progra and Net fro Figure 10, then the real syste is (FCRS D Receiver). We can see that in the real syste there is no interface of a any ore, while in the ideal world, a is given to SiS. It is clear to see that the current protocol description is the sae as the case shown in Figure 7, so the security can be achieved directly when the sender is corrupted. When the receiver is corrupted. When the receiver is corrupted, we reove Receiver progra and Net fro Figure 10, then the real syste is (Sender FCRS D ). The real and ideal systes are described as shown in Figure 11. Unfortunately, even though we already ake use of a weaker OT functionality F OT, the security under the corruption with the receiver still cannot be achieved. This is shown by the following Proposition 4.2. Proposition 4.2. For any siulator SiR, there is an environent Env(, ) = ( 2, qr,, t) such that the distinguishing advantage ADV[Env] = Pr{Env[RealR] = } Pr{Env[RealR] = } is not negligible.