Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
References

SPHF-Friendly Non-interactive Commitments

Profile image of Olivier BlazyOlivier Blazy

2013, Lecture Notes in Computer Science

https://doi.org/10.1007/978-3-642-42033-7_12
visibility

description

21 pages

link

1 file

Abstract

In 2009, Abdalla et al. proposed a reasonably practical password-authenticated key exchange (PAKE) secure against adaptive adversaries in the universal composability (UC) framework. It exploited the Canetti-Fischlin methodology for commitments and the Cramer-Shoup smooth projective hash functions (SPHFs), following the Gennaro-Lindell approach for PAKE. In this paper, we revisit the notion of non-interactive commitments, with a new formalism that implies UC security. In addition, we provide a quite efficient instantiation. We then extend our formalism to SPHF-friendly commitments. We thereafter show that it allows a blackbox application to one-round PAKE and oblivious transfer (OT), still secure in the UC framework against adaptive adversaries, assuming reliable erasures and a single global common reference string, even for multiple sessions. Our instantiations are more efficient than the Abdalla et al. PAKE in Crypto 2009 and the recent OT protocol proposed by Choi et al. in PKC 2013. Furthermore, the new PAKE instantiation is the first one-round scheme achieving UC security against adaptive adversaries.

Related papers

Improved Non-committing Encryption with Applications to Adaptively Secure Protocols
Dana Dachman-soled

Lecture Notes in Computer Science, 2009

We present a new construction of non-committing encryption schemes. Unlike the previous constructions of Canetti et al. (STOC '96) and of Damgård and Nielsen (Crypto '00), our construction achieves all of the following properties:

View PDFchevron_right
Somewhat Non-committing Encryption and Efficient Adaptively Secure Oblivious Transfer
Hong-Sheng Zhou

Lecture Notes in Computer Science, 2009

Designing efficient cryptographic protocols tolerating adaptive adversaries, who are able to corrupt parties on the fly as the computation proceeds, has been an elusive task. Indeed, thus far no efficient protocols achieve adaptive security for general multi-party computation, or even for many specific two-party tasks such as oblivious transfer (OT). In fact, it is difficult and expensive to achieve adaptive security even for the task of secure communication, which is arguably the most basic task in cryptography.

View PDFchevron_right
Generic Construction of UC-Secure Oblivious Transfer
Olivier Blazy

Lecture Notes in Computer Science, 2015

We show how to construct a completely generic UC-secure oblivious transfer scheme from a collision-resistant chameleon hash scheme (CH) and a CCA encryption scheme accepting a smooth projective hash function (SPHF). Our work is based on the work of Abdalla et al. at Asiacrypt 2013, where the authors formalize the notion of SPHF-friendly commitments, i.e. accepting an SPHF on the language of valid commitments (to allow implicit decommitment), and show how to construct from them a UC-secure oblivious transfer in a generic way. But Abdalla et al. only gave a DDH-based construction of SPHF-friendly commitment schemes, furthermore highly relying on pairings. In this work, we show how to generically construct an SPHF-friendly commitment scheme from a collision-resistant CH scheme and an SPHF-friendly CCA encryption scheme. This allows us to propose an instanciation of our schemes based on the DDH, as efficient as that of Abdalla et al., but without requiring any pairing. Interestingly, our generic framework also allows us to propose an instantiation based on the learning with errors (LWE) assumption. For the record, we finally propose a last instanciation based on the decisional composite residuosity (DCR) assumption.

View PDFchevron_right
New Techniques for SPHFs and Efficient One-Round PAKE Protocols
Olivier Blazy

Advances in Cryptology – CRYPTO 2013, 2013

Password-authenticated key exchange (PAKE) protocols allow two players to agree on a shared high entropy secret key, that depends on their own passwords only. Following the Gennaro and Lindell's approach, with a new kind of smooth-projective hash functions (SPHFs), Katz and Vaikuntanathan recently came up with the first concrete one-round PAKE protocols, where the two players just have to send simultaneous flows to each other. The first one is secure in the Bellare-Pointcheval-Rogaway (BPR) model and the second one in the Canetti's UC framework, but at the cost of simulation-sound non-interactive zeroknowledge (SS-NIZK) proofs (one for the BPR-secure protocol and two for the UC-secure one), which make the overall constructions not really efficient. This paper follows their path with, first, a new efficient instantiation of SPHF on Cramer-Shoup ciphertexts, which allows to get rid of the SS-NIZK proof and leads to the design of the most efficient one-round PAKE known so far, in the BPR model, and in addition without pairings. In the UC framework, the security proof required the simulator to be able to extract the hashing key of the SPHF, hence the additional SS-NIZK proof. We improve the way the latter extractability is obtained by introducing the notion of trapdoor smooth projective hash functions (TSPHFs). Our concrete instantiation leads to the most efficient oneround PAKE UC-secure against static corruptions to date. We additionally show how these SPHFs and TSPHFs can be used for blind signatures and zero-knowledge proofs with straight-line extractability.

View PDFchevron_right
Trading Static for Adaptive Security in Universally Composable Zero-Knowledge
Hong-Sheng Zhou

Lecture Notes in Computer Science, 2007

Adaptive security, while more realistic as an adversarial model, is typically much harder to achieve compared to static security in cryptographic protocol design. Universal composition (UC) provides a very attractive framework for the modular design of cryptographic protocols that captures both static and adaptive security formulations. In the UC framework, one can design protocols in hybrid worlds that allow access to idealized functionalities and then apply the universal composition theorem to obtain more concrete protocol instances. The zero-knowledge (ZK) ideal functionality is one of the most useful sub-protocols in modular cryptographic design. Given an adaptively secure protocol in the ideal ZK-hybrid-world do we always need an adaptively secure realization of the ZK functionality in order to preserve adaptive security under composition? In this work, perhaps surprisingly, we find that this is not so and in fact there are useful protocol instances that we can "trade static security for adaptive security." We investigate the above setting, by introducing a weakened ZK ideal functionality, called the ideal leaking-zero-knowledge functionality (LZK) that leaks some information about the witness to the adversary in a certain prescribed way. We show that while LZK is interchangeable to ZK against static adversaries, ZK is more stringent when adaptive adversaries are considered. We then proceed to characterize a class of protocols in the hybrid-ZK-world that can be "transported" to the LZK-hybridworld without forfeiting their security against adaptive adversaries. Our results demonstrate that in such settings a static protocol realization of ZK is sufficient for ensuring adaptive security for the parent hybrid protocol something that enables simplified and substantially more efficient UC realizations of such protocols.

View PDFchevron_right
Constructing Non-malleable Commitments: A Black-Box Approach
Ivan Visconti

2012 IEEE 53rd Annual Symposium on Foundations of Computer Science, 2012

We propose the first black-box construction of non-malleable commitments according to the standard notion of non-malleability with respect to commitment. Our construction additionally only requires a constant number of rounds and is based only on (black-box use of) one-way functions. Prior to our work, no black-box construction of nonmalleable commitments was known (except for relaxed notions of security) in any (polynomial) number of rounds based on any cryptographic assumption. This closes the wide gap existent between black-box and non-black-box constructions for the problem of non-malleable commitments.

View PDFchevron_right
Interactive Locking, Zero-Knowledge PCPs, and Unconditional Cryptography
Vipul Goyal

2010

Motivated by the question of basing cryptographic protocols on stateless tamper-proof hardware tokens, we revisit the question of unconditional two-prover zero-knowledge proofs for NP. We show that such protocols exist in the interactive PCP model of Kalai and Raz (ICALP ’08), where one of the provers is replaced by a PCP oracle. This strengthens the feasibility result of Ben-Or, Goldwasser, Kilian, and Wigderson (STOC ’88) which requires two stateful provers. In contrast to previous zero-knowledge PCPs of Kilian, Petrank, and Tardos (STOC ’97), in our protocol both the prover and the PCP oracle are efficient given an NP witness. Our main technical tool is a new primitive that we call interactive locking, an efficient realization of an unconditionally secure commitment scheme in the interactive PCP model. We implement interactive locking by adapting previous constructions of interactive hashing protocols to our setting, and also provide a direct construction which uses a minimal amount of interaction and improves over our interactive hashing based constructions. Finally, we apply the above results towards showing the feasibility of basing unconditional cryptography on stateless tamper-proof hardware tokens, and obtain the following results. (1) We show that if tokens can be used to encapsulate other tokens, then there exist unconditional and statistically secure (in fact, UC secure) protocols for general secure computation. (2) Even if token encapsulation is not possible, there are unconditional and statistically secure commitment protocols and zero-knowledge proofs for NP. (3) Finally, if token encapsulation is not possible, then no protocol can realize statistically secure oblivious transfer.

View PDFchevron_right
Simple, Black-Box Constructions of Adaptively Secure Protocols
Dana Dachman-soled, Seung Choi

Lecture Notes in Computer Science, 2009

We present a compiler for transforming an oblivious transfer (OT) protocol secure against an adaptive semi-honest adversary into one that is secure against an adaptive malicious adversary. Our compiler achieves security in the universal composability framework, assuming access to an ideal commitment functionality, and improves over previous work achieving the same security guarantee in two ways: it uses black-box access to the underlying protocol and achieves a constant multiplicative overhead in the round complexity. As a corollary, we obtain the first constructions of adaptively secure protocols in the stand-alone model using black-box access to a low-level primitive.

View PDFchevron_right
Efficient and Universally Composable Committed Oblivious Transfer and Applications
Juan A. Garay

Lecture Notes in Computer Science, 2004

Committed Oblivious Transfer (COT) is a useful cryptographic primitive that combines the functionalities of bit commitment and oblivious transfer. In this paper, we introduce an extended version of COT (ECOT) which additionally allows proofs of relations among committed bits, and we construct an efficient protocol that securely realizes an ECOT functionality in the universalcomposability (UC) framework in the common reference string (CRS) model. Our construction is more efficient than previous (non-UC) constructions of COT, involving only a constant number of exponentiations and communication rounds. Using the ECOT functionality as a building block, we construct efficient UC protocols for general two-party and multi-party functionalities (in the CRS model), each gate requiring a constant number of ECOT's.

View PDFchevron_right
Strongly Leakage-Resilient Authenticated Key Exchange
Willy Susilo

Lecture Notes in Computer Science, 2016

Authenticated Key Exchange (AKE) protocols have been widely deployed in many real-world applications for securing communication channels. In this paper, we make the following contributions. First, we revisit the security modelling of leakage-resilient AKE protocols, and show that the existing models either impose some unnatural restrictions or do not sufficiently capture leakage attacks in reality. We then introduce a new strong yet meaningful security model, named challenge-dependent leakage-resilient eCK (CLR-eCK) model, to capture challenge-dependent leakage attacks on both long-term secret key and ephemeral secret key (i.e., randomness). Second, we propose a general framework for constructing one-round CLR-eCK-secure AKE protocols based on smooth projective hash functions (SPHFs). This framework ensures the session key is private and authentic even if the adversary learns a large fraction of both long-term secret key and ephemeral secret key, and hence provides stronger security guarantee than existing AKE protocols which become insecure if the adversary can perform leakage attacks during the execution of a session. Finally, we also present a practical instantiation of the general framework based on the Decisional Diffie-Hellman assumption without random oracle. Our result shows that the instantiation is efficient in terms of the communication and computation overhead and captures more general leakage attacks.

View PDFchevron_right

References (40)

  1. Abdalla, M., Benhamouda, F., Blazy, O., Chevalier, C., Pointcheval, D.: SPHF- friendly non-interactive commitments. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013
  2. Part I. LNCS, vol. 8269, pp. 214-234. Springer, Heidelberg (2013), Full version available on the Cryptology ePrint Archive as Report 2013/588
  3. Abdalla, M., Chevalier, C., Pointcheval, D.: Smooth projective hashing for con- ditionally extractable commitments. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 671-689. Springer, Heidelberg (2009)
  4. Barak, B., Canetti, R., Lindell, Y., Pass, R., Rabin, T.: Secure computation without authentication. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 361-377.
  5. Springer, Heidelberg (2005)
  6. Beaver, D.: Adaptive zero knowledge and computational equivocation (extended abstract). In: 28th ACM STOC, pp. 629-638. ACM Press (May 1996)
  7. Bellovin, S.M., Merritt, M.: Encrypted key exchange: Password-based protocols se- cure against dictionary attacks. In: 1992 IEEE Symposium on Security and Privacy, pp. 72-84. IEEE Computer Society Press (May 1992)
  8. Benhamouda, F., Blazy, O., Chevalier, C., Pointcheval, D., Vergnaud, D.: New techniques for SPHFs and efficient one-round PAKE protocols. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part I. LNCS, vol. 8042, pp. 449-475. Springer, Heidelberg (2013); full version available on the Cryptology ePrint Archive as re- ports 2013/034 and 2013/341
  9. Blazy, O., Pointcheval, D., Vergnaud, D.: Round-optimal privacy-preserving proto- cols with smooth projective hash functions. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 94-111. Springer, Heidelberg (2012)
  10. Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: 42nd FOCS, pp. 136-145. IEEE Computer Society Press (October 2001)
  11. Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. Cryptology ePrint Archive, Report 2000/067 (2005), http://eprint.iacr.org/
  12. Canetti, R., Fischlin, M.: Universally composable commitments. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 19-40. Springer, Heidelberg (2001)
  13. Canetti, R., Halevi, S., Katz, J., Lindell, Y., MacKenzie, P.: Universally composable password-based key exchange. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 404-421. Springer, Heidelberg (2005)
  14. Canetti, R., Krawczyk, H.: Universally composable notions of key exchange and secure channels. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 337-351. Springer, Heidelberg (2002)
  15. Canetti, R., Lindell, Y., Ostrovsky, R., Sahai, A.: Universally composable two- party and multi-party secure computation. In: 34th ACM STOC, pp. 494-503. ACM Press (May 2002)
  16. Canetti, R., Rabin, T.: Universal composition with joint state. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 265-281. Springer, Heidelberg (2003)
  17. Choi, S.G., Katz, J., Wee, H., Zhou, H.-S.: Efficient, adaptively secure, and com- posable oblivious transfer with a single, global CRS. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 73-88. Springer, Heidelberg (2013)
  18. Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13-25. Springer, Heidelberg (1998)
  19. Canetti, R., Krawczyk, H.: Universally composable notions of key exchange and secure channels. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 45-64. Springer, Heidelberg (2002)
  20. Dolev, D., Dwork, C., Naor, M.: Nonmalleable cryptography. SIAM Journal on Computing 30(2), 391-437 (2000)
  21. Fischlin, M., Libert, B., Manulis, M.: Non-interactive and re-usable universally composable string commitments with adaptive security. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 468-485. Springer, Heidelberg (2011)
  22. Gennaro, R., Lindell, Y.: A framework for password-based authenticated key ex- change. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 524-543.
  23. Springer, Heidelberg (2003), http://eprint.iacr.org/2003/032.ps.gz
  24. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game, or a completeness theorem for protocols with honest majority. In: Aho, A. (ed.) 19th ACM STOC, pp. 218-229. ACM Press (May 1987)
  25. Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their va- lidity or all languages in NP have zero-knowledge proof systems. Journal of the ACM 38(3), 691-729 (1991)
  26. Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415-432. Springer, Heidelberg (2008)
  27. Haralambiev, K.: Efficient Cryptographic Primitives for Non-Interactive Zero- Knowledge Proofs and Applications. Ph.D. thesis, New York University (2011)
  28. Hofheinz, D., Müller-Quade, J.: Universally composable commitments using ran- dom oracles. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 58-76. Springer, Heidelberg (2004)
  29. Horvitz, O., Katz, J.: Universally-composable two-party computation in two rounds. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 111-129.
  30. Springer, Heidelberg (2007)
  31. Kalai, Y.T.: Smooth projective hashing and two-message oblivious transfer. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 78-95. Springer, Hei- delberg (2005)
  32. Katz, J.: Universally composable multi-party computation using tamper-proof hardware. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 115-128.
  33. Springer, Heidelberg (2007)
  34. Katz, J., Ostrovsky, R., Yung, M.: Efficient password-authenticated key exchange using human-memorable passwords. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 475-494. Springer, Heidelberg (2001)
  35. Katz, J., Vaikuntanathan, V.: Round-optimal password-based authenticated key exchange. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 293-310. Springer, Heidelberg (2011)
  36. Naor, M., Pinkas, B.: Efficient oblivious transfer protocols. In: 12th SODA, pp. 448-457. ACM-SIAM (January 2001)
  37. Pedersen, T.P.: Non-interactive and information-theoretic secure verifiable secret sharing. In: Feigenbaum, J. (ed.) CRYPTO 1991. LNCS, vol. 576, pp. 129-140.
  38. Springer, Heidelberg (1992)
  39. Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and com- posable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554-571. Springer, Heidelberg (2008)
  40. Rabin, M.O.: How to exchange secrets with oblivious transfer. Technical Report TR81, Harvard University (1981)

Related papers

Analysis and Improvement of Lindell’s UC-Secure Commitment Schemes
Olivier Blazy

Lecture Notes in Computer Science, 2013

In 2011, Lindell proposed an efficient commitment scheme, with a non-interactive opening algorithm, in the Universal Composability (UC) framework. He recently acknowledged a bug in its security analysis for the adaptive case. We analyze the proof of the original paper and propose a simple patch of the scheme. More interestingly, we then modify it and present a more efficient commitment scheme secure in the UC framework, with the same level of security as Lindell's protocol: adaptive corruptions, with erasures. The security is proven in the standard model (with a Common Reference String) under the classical Decisional Diffie-Hellman assumption. Our proposal is the most efficient UC-secure commitment proposed to date (in terms of computational workload and communication complexity).

View PDFchevron_right
Fast and Universally-Composable Oblivious Transfer and Commitment Scheme with Adaptive Security
Megha Byali

2017

Adaptive security embodies one of the strongest notions of security that allows an adversary to corrupt parties at any point during protocol execution and gain access to its internal state. Since it models real-life situations such as “hacking”, efficient adaptively-secure multiparty computation (MPC) protocols are desirable. Such protocols demand primitives such as oblivious transfer (OT) and commitment schemes that are adaptively-secure as building blocks. Efficient realizations of these primitives have been found to be challenging, especially in the no erasure model. We make progress in this direction and provide efficient constructions that are Universally-Composable in the random oracle model. Oblivious Transfer. We present the first round optimal framework for building adaptively-secure OT in the programmable random oracle (PRO) model, relying upon the framework of Peikert et al. (Crypto 2008). When instantiated with Decisional Diffie Hellman assumption, it incurs a minimal co...

View PDFchevron_right
New Smooth Projective Hash Functions and One-Round Authenticated Key Exchange
Olivier Blazy

Abstract. Password-Authenticated Key Exchange (PAKE) has received deep attention in the last few years, with a recent strong improvement by Katz-Vaikuntanathan, and their one-round protocol: the two players just have to send simultaneous flows to each other, that depend on their own passwords only, to agree on a shared high entropy secret key.

View PDFchevron_right
Non-interactive and Re-usable Universally Composable String Commitments with Adaptive Security
Mark Manulis, Marc Fischlin

Lecture Notes in Computer Science, 2011

We present the first provably secure constructions of universally composable (UC) commitments (in pairing-friendly groups) that simultaneously combine the key properties of being non-interactive, supporting commitments to strings (instead of bits only), and offering reusability of the common reference string for multiple commitments. Our schemes are also adaptively secure assuming reliable erasures.

View PDFchevron_right
Efficient and Round-Optimal Oblivious Transfer and Commitment with Adaptive Security
Pratik Sarkar

Advances in Cryptology – ASIACRYPT 2020, 2020

We construct the most efficient two-round adaptively secure bit-OT in the Common Random String (CRS) model. The scheme is UC secure under the Decisional Diffie-Hellman (DDH) assumption. It incurs O(1) exponentiations and sends O(1) group elements, whereas the state of the art requires O(κ 2) exponentiations and communicates poly(κ) bits, where κ is the computational security parameter. Along the way, we obtain several other efficient UC-secure OT protocols under DDH :-The most efficient yet two-round adaptive string-OT protocol assuming global programmable random oracle. Furthermore, the protocol can be made non-interactive in the simultaneous message setting, assuming random inputs for the sender.-The first two-round string-OT with amortized constant exponentiations and communication overhead which is secure in the global observable random oracle model.-The first two-round receiver equivocal string-OT in the CRS model that incurs constant computation and communication overhead. We also obtain the first non-interactive adaptive string UC-commitment in the CRS model which incurs a sublinear communication overhead in the security parameter. Specifically, we commit to polylog(κ) bits while communicating O(κ) bits. Moreover, it is additively homomorphic. We can also extend our results to the single CRS model where multiple sessions share the same CRS. As a corollary, we obtain a two-round adaptively secure MPC protocol in this model.

View PDFchevron_right

Cited by

Efficient ID-based Designated Verifier Signature
Amandine Jambert

Proceedings of the 12th International Conference on Availability, Reliability and Security, 2017

View PDFchevron_right
One-Round Strong Oblivious Signature-Based Envelope
Willy Susilo

Lecture Notes in Computer Science, 2016

Oblivious Signature-Based Envelope (OSBE) has been widely employed for anonymity-orient and privacypreserving applications. The conventional OSBE execution relies on a secure communication channel to protect against eavesdroppers. In TCC 2012, Blazy, Pointcheval and Vergnaud proposed a framework of OSBE (BPV-OSBE) without requiring any secure channel by clarifying and enhancing the OSBE security notions. They showed how to generically build an OSBE scheme satisfying the new strong security in the standard model with a common-reference string. Their framework requires 2-round interactions and relies on the smooth projective hash function (SPHF) over special languages, i.e., languages from encryption of signatures. In this work, we investigate the study on the strong OSBE and make the following contributions. First, we propose a generic construction of one-round yet strong OSBE system. Compared to the 2-round BPV-OSBE, our one-round construction is more appealing, as its noninteractive setting accommodates more application scenarios in the real word. Moreover, our framework relies on the regular (identity-based) SPHF, which can be instantiated from extensive languages and hence is more general. Second, we also present an efficient instantiation, which is secure under the standard model from classical assumptions, DDH and DBDH, to illustrate the feasibility of our one-round framework. We remark that our construction is the first one-round OSBE with strong security

View PDFchevron_right
Efficient and Round-Optimal Oblivious Transfer and Commitment with Adaptive Security
Pratik Sarkar

Advances in Cryptology – ASIACRYPT 2020, 2020

We construct the most efficient two-round adaptively secure bit-OT in the Common Random String (CRS) model. The scheme is UC secure under the Decisional Diffie-Hellman (DDH) assumption. It incurs O(1) exponentiations and sends O(1) group elements, whereas the state of the art requires O(κ 2) exponentiations and communicates poly(κ) bits, where κ is the computational security parameter. Along the way, we obtain several other efficient UC-secure OT protocols under DDH :-The most efficient yet two-round adaptive string-OT protocol assuming global programmable random oracle. Furthermore, the protocol can be made non-interactive in the simultaneous message setting, assuming random inputs for the sender.-The first two-round string-OT with amortized constant exponentiations and communication overhead which is secure in the global observable random oracle model.-The first two-round receiver equivocal string-OT in the CRS model that incurs constant computation and communication overhead. We also obtain the first non-interactive adaptive string UC-commitment in the CRS model which incurs a sublinear communication overhead in the security parameter. Specifically, we commit to polylog(κ) bits while communicating O(κ) bits. Moreover, it is additively homomorphic. We can also extend our results to the single CRS model where multiple sessions share the same CRS. As a corollary, we obtain a two-round adaptively secure MPC protocol in this model.

View PDFchevron_right
Dual-System Simulation-Soundness with Applications to UC-PAKE and More
Charanjit Jutla

Advances in Cryptology -- ASIACRYPT 2015, 2015

We introduce a novel concept of dual-system simulationsound non-interactive zero-knowledge (NIZK) proofs. Dual-system NIZK proof system can be seen as a two-tier proof system. As opposed to the usual notion of zero-knowledge proofs, dual-system defines an intermediate partial-simulation world, where the proof simulator may have access to additional auxiliary information about the word, for example a membership bit, and simulation of proofs is only guaranteed if the membership bit is correct. Further, dual-system NIZK proofs allow a quasi-adaptive setting where the CRS can be generated based on language parameters. This allows for the further possibility that the partial-world CRS simulator may have access to additional trapdoors related to the language parameters. We show that for important hard languages like the Diffie-Hellman language, such dual-system proof systems can be given which allow unbounded partial simulation soundness, and which further allow transition between partial simulation world and single-theorem full simulation world even when proofs are sought on non-members. The construction is surprisingly simple, involving only two additional group elements for general linear-subspace languages in asymmetric bilinear pairing groups. As a direct application we give a short keyed-homomorphic CCAsecure encryption scheme. The ciphertext in this scheme consists of only six group elements (under the SXDH assumption) and the security reduction is tight. An earlier scheme of Libert et al. based on their efficient unbounded simulation-sound QA-NIZK proofs only provided a loose security reduction, and further had ciphertexts almost twice as long as ours. We also show a single-round universally-composable password authenticated key-exchange (UC-PAKE) protocol which is secure under adaptive corruption in the erasure model. The single message flow only requires four group elements under the SXDH assumption. This is the shortest known UC-PAKE even without considering adaptive corruption. The latest published scheme which considered adaptive corruption, by Abdalla et al [ABB+13], required non-constant (more than 10 times the bit-size of the password) number of group elements.

View PDFchevron_right
580 California St., Suite 400
San Francisco, CA, 94104
© 2025 Academia. All rights reserved