Abstract

Universal composability (UC) is a primary security flavor for designing oblivious transfer (OT) due to its advantage of arbitrary composition. However, the study of UC-secure OT over lattices is still far behind compared with constructions over prequantum assumptions. Relying on the learning with errors (LWE) assumption, Quach proposes a dual-mode encryption scheme (SCN’20) for deriving a two-round OT whose security is provably UC-secure in the common reference string (CRS) model. Due to its use of a randomized rounding function proposed by Benhamouda et al. (PKC’18), this OT can only be limited to transmitting single-bit messages. Therefore, conducting trivial repetitions of Quach’s OT when transmitting multibit strings would be very costly. In this work, we put forward a modified dual-mode encryption cryptosystem under the decisional LWE assumption, from which we can derive a UC-secure string OT with both full-fledged dual-mode security and better efficiency on transmitting strings. The key technique we adopt is a key reconciliation scheme proposed by Jiang et al. (PKC’20), which is utilized to extend the single-bit symmetric encryption key (produced by the aforementioned rounding function) to a multibit case. Through a comprehensive performance analysis, we demonstrate that our proposal can indeed strike a balance between security and efficiency.

1. Introduction

The two-party computation primitive oblivious transfer (OT) was first introduced by Rabin [1] and acts as a fundamental cryptographic building block widely used in secure multiparty computation [2, 3]. In this scenario, the sender takes two messages (where ) as input and the receiver takes a bit as his message choice, requiring that can only obtain the output in the end and remain oblivious to , while is totally unaware of ’s choice .

Essentially, OT can be realized in a two-round way. first generates and sends to a public key embedded with a message choice . will use this public key to compute the other public key for, respectively, encrypting and , and send back to these two encryptions, where only can be exactly recovered by secret decryption key.

Regarding security, universal composability (UC) [4] is a powerful notion among different simulation-based security flavors, which offers strong security guarantees and efficiency benefits whenever the protocol is executed concurrently or by arbitrary compositions within some advanced protocols, especially in multiparty computation or the complex Internet environment.

At CRYPTO’08, a dual-mode encryption framework for UC-secure OT was introduced by Peikert et al. [5]. To the best of our knowledge, this is the optimal OT framework up to now, which not merely satisfies the succinct two-round paradigm with high efficiency but also achieves UC security under the common reference string (CRS) model against static corruptions (i.e., the corruption case is determined before the protocol execution without any modification during the course of protocol execution). They claim that this generic construction can provide statistical security for one specific party in each mode when generally realized under the decisional Diffie–Hellman assumption and the quadratic residuosity assumption. When it comes to the learning with errors (LWE) assumption, the receiver can only achieve computational security in either mode, and each CRS can be reused in limited sessions.

To solve this problem, an upgraded dual-mode encryption from LWE is proposed by Quach at SCN’20 [6], which raises the receiver’s security to a statistical level and the reusability of each CRS to an unbounded case. In a nutshell, they utilize the noise flooding technique, requiring a superpolynomial LWE modulus to promote the security of the receiver and the reusability of each CRS. However, such a use of a superpolynomial modulus would directly contradict the polynomial-time simulator for arguing the sender’s security in [5]. To address this issue, the work of [6] adopts a randomized rounding function (with one-bit output) introduced by Benhamouda et al. [7] to make the public key messiness efficiently testable (applying lattice trapdoor techniques) and independent of the LWE modulus size.

However, since only one single-bit output from is taken as an almost-uniform symmetric key to hide messages in the dual-mode encryption of [6], this further limits the derived UC-secure OT to transmit multibit strings. In addition, as mentioned in [7], the extension of into a multibit output version is still an open question.

One may wonder whether, without costly trivial repetitions of this single-bit OT [6], there exists a variant of dual-mode encryption over lattices for deriving a UC-secure string OT, along with full-fledged dual-mode properties and unbounded reusability of the CRS.

Fortunately, our dual-mode encryption cryptosystem (see Section 3.2) provides an affirmative answer to this question.

1.1. Our Result

Based on the framework of [5], we propose an improved version of the dual-mode encryption scheme of [6], from which a UC-secure OT (see Figure 1) for transmitting strings can be directly derived, as shown in Theorem 1.

Theorem 1 (informal). Relying on the hardness of LWE with a subpolynomial modulus, a two-round UC-secure OT against static corruptions in the common reference string (CRS) model exists and satisfies the following properties:
(1) Each CRS can be instantiated in either messy or decryption mode, where the two modes are computationally indistinguishable.
(2) In messy mode, it can only provide the sender statistical security and the receiver computational security. In decryption mode, it can only provide the sender computational security and the receiver statistical security instead.
(3) Each CRS can be reused unbounded times for amortization between a fixed pair of participants.
(4) This UC-secure OT can transmit multibit strings while avoiding costly trivial repetitions of single-bit OT.

1.2. Technical Overview

Our work can be viewed as an improvement of [6], and both works rely on the framework of [5]. For clarity, we first review the main technique adopted by Quach [6].

1.2.1. Technical Review of [6]

The work of [6] utilizes the noise flooding technique (requiring a superpolynomial size of LWE modulus) to upgrade the receiver security to a statistical level in decryption mode. However, it results in an inefficient simulator for arguing the sender’s statistical security in messy mode. In particular, such a polynomial-time simulator for the sender security has to be completed in time , which directly conflicts with the use of a superpolynomial LWE modulus in noise flooding technique. Therefore, a failure happens in a polynomial-time simulator for arguing receiver’s statistical security.

To address this issue, they follow the pattern of [8] and take the hash value output of an approximate smooth projective hash (ASPH) scheme [7] as a symmetric session key to encrypt the message. In a nutshell, an ASPH scheme operates on a set and an NP-language by assuming the existence of a hard subset membership problem, i.e., it is hard to distinguish whether a random element is chosen from or . For any , there exists a witness such that the pair satisfies a certain NP-relation. In addition, an ASPH scheme also involves a hashing key  and a projection key . The projection property demands that the hash value, , is determined by computing the projected hash value, , if . The smoothness property requires that for any , is uniformly distributed even given and .

In particular, the work of [6] utilizes a bit-ASPH [7], whose hash value is one single-bit output from a randomized rounding function (see Section 2.3). Its OT execution mainly works as follows: Bob (the role of the receiver) first generates and sends to Alice (the role of the sender) his public key , where , , , . For all , Alice generates a hashing key  and a projection key , and then computes the hash value  to encrypt a one-bit message as . Alice sends (, ) to Bob. Then Bob computes the projected hash value  and for decryption. If is close to (i.e., the -ary lattice generated by ), by the approximate correctness of , we have with high probability. Therefore, we have with majority in all . Otherwise, by the statistical smoothness of , the public key is messy (see Section 3.1), and the distribution of is statistically close to uniform. The approximate correctness of guarantees that Bob can recover on the decryptable branch , while the statistical smoothness of provides the message-lossy property for , i.e., Bob is oblivious to .

In addition, this rounding function offers a crucial property for arguing the simulation-based security of the sender. That is, given an appropriate trapdoor, public key messiness can be testable efficiently and independently of modulus . It helps to complete the UC security proof for the derived OT in [6] and achieve all the properties of that well-defined dual-mode encryption (see Section 2.1) over lattices instead of a weaker instantiation proposed by Peikert et al. [5].

However, the work of [6] can only encrypt single-bit messages because of its use of the rounding function , and a version of with -bit output remains unresolved. In this work, we adopt a key reconciliation scheme introduced by Jiang et al. [9] to extend the single-bit symmetric key output by the bit-ASPH scheme [7] for a UC-secure string OT.

1.2.2. Extension of Symmetric Key

In essence, the work of [6] utilizes a KV09-type [10] ASPH scheme [7] to generate the symmetric keys and for hiding and recovering messages, respectively. Recently, the work of [9] proposed two types (i.e., type-A and type-B) of ASPH over lattices (both KV09-type) for building a password-based authenticated key exchange (PAKE) framework. They introduce a novel key reconciliation scheme that is run after the execution of the type-B ASPH in the PAKE framework so that the two participants agree on a shared secret key, i.e., it extracts a random multibit shared key from two close hash value outputs of the type-B ASPH. For clarity, we denote this key reconciliation scheme as , which consists of two algorithms (i.e., and ) and is executed between Alice and Bob as a one-message key reconciliation protocol (i.e., from Alice to Bob). Assume that (Alice’s secret) and (Bob’s secret) satisfy the condition (where represents the residue of over ) for some integer . After the execution of this protocol, both participants agree on a common secret , i.e., , which serves as the subsequent symmetric session key for encryption. The two hash values output by the type-B ASPH are actually and , and these are taken as input into £ sequentially. By observation, both and are exactly the inputs of the rounding function as well [7]. Therefore, we can utilize this key reconciliation mechanism to extend the single-bit symmetric key output by and encrypt a multibit message as follows:
where is the first bit of , and is the residual bits of . The correctness of decryption is guaranteed by with very large probability and with for .

The approach proposed above not only guarantees an efficient simulator for arguing the sender’s statistical security in the UC model by retaining the use of but also solves the open problem of obliviously transferring multibit strings left in [6]. Moreover, the adoption of is still compatible with the public key messiness properties (see Lemma 9) when is far away from . Therefore, our dual-mode encryption cryptosystem is a full-fledged instantiation over lattices, which exactly realizes the well-defined primitive notion (see Definition 1).

1.3. Performance Analysis

We compare the security of our dual-mode encryption cryptosystem with two other related works (i.e., [5, 6]) in Table 1 to show that this work fully achieves the dual-mode properties required by Definition 1.

Note that a multisession UC-secure OT (see Figure 1) can be derived from our proposed dual-mode cryptosystem, where can be reused unbounded times and multibit string transmission is available in each single session. However, in the work of [5], can only be reused in a bounded number of sessions. Moreover, in the work of [6], only single-bit message transmission is allowed in each single session instead of transferring multibit strings.

For a clear efficiency comparison on those three works, we illustrate some notations for clarity in Table 2. We let denote the bit-length of an encrypted message in each session and denote the number of permitted sessions for a common . Then we mainly inspect the cost on vector sampling and the amortization performance during a multisession string OT execution (i.e., and ). In particular, we analyze the cost on generating , and in each mode, respectively. The cost on generating is due to producing and , the cost on generating is due to producing and error vector, and the cost on generating is due to randomness sampling.

Here, we let denote the cost on running times Gaussian sampling from , and denote the cost on running times uniform sampling from . For convenience, we treat the cost on sampling an -dimensional vector as the same as that of sampling an -dimensional vector according to some certain distribution. Since public matrix in messy mode is produced by (see Lemma 4), we denote the cost on generating such a matrix as . In addition, [6] and our work both use a heuristic randomized rounding function (see Lemma 6), and we denote as the cost on sampling required randomness during each execution of . Moreover, our scheme utilizes the key reconciliation mechanism £ (see Section 2.4); we denote the cost on sampling a binary form integer as . Therefore, we can observe the comparison result from Table 3.

For transmitting strings by a multisession UC-secure OT between two fixed participants (e.g., Alice and Bob), the work of [5] can only reuse a common during different (bounded) -OT sessions (i.e., requiring multiples of the cost on generating independent ), and each session can obliviously transfer multibit messages (i.e., ). Although the work of [6] can reuse a common during different (unbounded) -OT sessions, due to the use of , each session can only obliviously transfer single-bit messages (i.e., ) and needs independent randomness samplings for decryption correctness. Our work can also reuse a common during different (unbounded) -OT sessions, but each session can obliviously transfer multibit strings (i.e., ) at the additional price of sampling a binary integer . Therefore, the total costs on randomness sampling for encrypting in the above three works are , , and , respectively.

Moreover, the communication cost in one OT execution is mainly on transmitting . Since the main difference in communication cost lies in the ciphertext size, we summarize the bit-length of one single ciphertext (i.e., ) of these three works in Table 3. We observe that the work of [5] only needs to transmit bits for the encryption of an -bit message, which is more efficient than our work for transferring strings. However, our work achieves higher security and allows string OT via transmitting bits, whereas the work of [6] needs bits for encrypting one single bit.

To sum up, if higher efficiency is required but lower security is acceptable, the work of [5] is recommended, since its costs on randomness sampling and ciphertext size are both lower than those of the other two works. If multibit messages (i.e., ) must be transferred with full-fledged dual-mode security, we only need to run one session of our string OT, while the work of [6] has to run single-bit OT sessions with huge overhead.

1.4. Other Related Work

The work of [11] builds a two-message OT protocol from LWE, which achieves statistical sender security and computational receiver security against malicious adversaries. For obliviously transferring multibit strings, although ours is less efficient (due to a superpolynomial modulus ) than their work, our scheme can obtain a stronger UC security at the expense of relying upon a trusted CRS.

In addition, the work of [12] proposes a generic construction to upgrade a two-round elementary OT to a UC-secure version in the malicious setting, where the CRS is reusable for unbounded times. By taking [5] or [11] as the elementary OT, we can obtain an LWE-based instantiation with a polynomial-size modulus. However, their work can only offer both participants computational security instead, and our proposal is more efficient by avoiding any non-black-box techniques.

Recently, the work of [13, 14] first introduced an LWE-based dual-mode non-interactive zero-knowledge proof (NIZK). We can take [5] as a semimalicious secure dual-mode OT into the framework of [13, 14] to derive a dual-mode OT with fully malicious security. Since [5] only achieves computational receiver security from LWE, if we fix this flaw with the noise flooding technique, the resulting issue would be the same as the problem in our scheme caused by the subexponential LWE modulus. Since the reductions for the soundness of [13, 14] are in a black-box way, it inherently implies the non-adaptively sound NIZKs of [13, 14] in statistical zero-knowledge mode. This can be patched up by complexity leveraging, but it would consequently lean upon the subexponential LWE hardness. Moreover, compiling the OT of [5] into the generic NIZKs framework of [13, 14] would result in practically inefficient proofs.

2. Preliminaries

2.1. Notations

Here, we take as an implicit security parameter. We let denote any function for some constant , and denote an unspecified function such that . If a probability is , we call it overwhelming.

We denote column vectors by bold lower cases and matrices by bold upper cases, e.g., and . Their transposition operations are denoted by and . We let represent the residue of over , and represent the residue of over . The largest integer smaller than and the smallest integer greater than are, respectively, written by and . We let represent the xor operation between two bit strings . All the distances and norms are in the norm unless otherwise specified. Let denote the infinity norm. For any positive integers , we let denote a set of integers .

We let represent the uniform distribution over a set and represent the uniform sampling . We say a distribution is -bounded if the probability of sampling from with the norm at most is overwhelming. The statistical distance between two distributions and is defined as , where is the probability mass function of . We say that and are statistically indistinguishable if , denoted by . If for any probabilistic polynomial time distinguisher such that , we say that and are computationally indistinguishable, denoted by .

2.2. Dual-Mode Encryption

We first recall the notion of dual-mode encryption [5, 6]. For clarity, we adopt their notations for illustration.

Definition 1 (dual-mode encryption). A dual-mode encryption scheme with message space consists of a bundle of probabilistic polynomial-time algorithms defined as follows:
(1) Given as input the security parameter , the setup algorithm outputs a common reference string along with a trapdoor in messy mode.
(2) Given as input the security parameter , the setup algorithm outputs a common reference string along with a trapdoor in decryption mode.
(3) Given as input a common reference string and a branch , the key generation algorithm outputs a public encryption key and a secret decryption key for message encrypted on branch .
(4) Given as input a common reference string , a public key , a branch and a message , the encryption algorithm outputs a ciphertext on branch .
(5) Given as input a secret key and a ciphertext , the decryption algorithm outputs a message .
(6) Given as input a common reference string , a trapdoor in messy mode and a (possibly malformed) public key , the algorithm outputs a branch corresponding to a messy branch of .
(7) Given as input a common reference string and a trapdoor in decryption mode , the algorithm outputs keys , where is a public encryption key, and and are corresponding secret decryption keys for branches 0 and 1, respectively.
The above dual-mode encryption is required to satisfy the following properties:
(1) Completeness on decryptable branch: For every and , whether or is executed in the setup phase, decryption is correct on branch with overwhelming probability over the randomness of the entire experiment, i.e.,
where .
(2) Indistinguishability of modes: For every and , the outputs of the two distinct setup algorithms are computationally indistinguishable, i.e.,
(3) Security in messy mode: For all and (possibly malformed) , implies that is message-lossy (i.e., messy). That is, for all messages ,
(4) Security in decryption mode: For all , it holds that for every ,
where for the left-hand side above.

The work of [5] showed that once a dual-mode encryption scheme satisfying the above notion is constructed, a UC-secure OT can be directly obtained. Here, we assume that readers are familiar with the UC security model and omit its background; we refer to [5] for more details.

Theorem 2 (UC-secure OT from dual-mode encryption [5, 6]). If a dual-mode encryption scheme is well-defined as above, we can obtain a protocol to UC-realize the multisession OT functionality in the -hybrid model under static corruptions.

We can execute this UC-secure OT protocol in either of two modes. Each time, it is run over a distinct functionality that produces according to the corresponding setup algorithm. The messy mode only provides statistical security for the sender. The decryption mode only provides statistical security for the receiver. The other party in each mode can only achieve computational security.

2.3. Lattices Background

2.3.1. Lattices and Gaussians

We first recall some basic knowledge regarding lattices.

Let consist of linearly independent -dimensional column vectors for all . The -dimensional lattice generated by is defined as . The dual lattice of is defined as . Let define the minimum distance of a lattice in infinity norm. If the column vectors of a matrix are linearly independent, we say that is full-rank. Now we introduce two -ary lattices defined by :
These two lattices are dual to each other up to a scaling factor such that and .

We define the Gaussian weight function on with parameter as follows:

The discrete Gaussian distribution over with parameter is defined as follows:

Moreover, we recall an important lattice parameter, i.e., the smoothing parameter [15]. For an -dimensional lattice and a positive real , the smoothing parameter is defined as the smallest such that .

Now we introduce some useful lemmas regarding the above -ary lattices defined by and the corresponding lattice quantity .

Lemma 1 (see [16] Lemma 5.2). Suppose a matrix whose row vectors can generate (a.k.a. is full-rank), and . For any , the distribution of is close to the uniform distribution over within statistical distance .

Lemma 2 (see [16] Lemmas 5.1 and 5.3). Let , , and be positive integers with prime and . For all but an at most fraction of , the rows of can generate . For all but an at most fraction of , we have a large minimum distance . That is

Lemma 3 (see [15–17]). For any -dimensional lattice and positive real , we have the following:
Let , , and be positive integers with prime and . For any function , there is a negligible function such that
with overwhelming probability over the choice of .

2.3.2. LWE

We introduce the definition of (decisional) LWE problem.

Definition 2 ((decisional) LWE [18]). Let and be positive integers, and denote an error distribution over . The (decisional) LWE problem states that for all and some secret vector , the distribution is computationally indistinguishable from the distribution of , i.e.,where , , and .

hardness [18]. For all , a -bounded distribution exists such that within approximation factor , breaking the average case problem is at least as hard as solving the worst case problems and using a quantum algorithm.

2.3.3. Lattices Trapdoors

Now, we introduce a lemma regarding the lattice trapdoor technique, which is used to identify messy public keys for arguing the sender’s statistical security in messy mode.

Lemma 4 (see [19] Theorem 5.1). Given some integers , , and as input, there exists an efficient randomized algorithm
which outputs along with a trapdoor such that
(1) The distribution of is statistically close to .
(2) For any and such that , given and the above as input, there exists an efficient deterministic trapdoor inversion algorithm which outputs , i.e., .

2.3.4. Noise Flooding

The following lemma is used for arguing the receiver’s statistical security in decryption mode.

Lemma 5 (see [9, 20]). Suppose and are two positive integers. Let be a fixed integer and . The distribution of is statistically close to the distribution of as long as , i.e.,

2.4. Statistically Smooth Rounding Function over Lattices

We still employ the statistically smooth rounding function [7] in our dual-mode encryption construction. It can provide a crucial property that identifying messy public key is simply running the trapdoor inversion algorithm once (independent of the superpolynomial LWE modulus ), which further helps to build an efficient simulator for arguing the sender’s statistical security in the UC model.

Lemma 6 (see [6, 7]). A randomized rounding function is well-defined such that
Let with , , and for some . Then, the above randomized rounding function satisfies the following properties:
(1) Statistical smoothness: If is full-rank and for all with , we have the following:
where the probability is taken over and the randomness of .
(2) Approximate correctness: For all , where and such that (i.e., ) and , then for all large enough , we have the following:

2.5. Key Reconciliation over Lattices

Now, we recall the key reconciliation scheme introduced in [9], which can extract a random multibit shared key from two close secrets over . We denote this scheme as , which consists of two algorithms and can be viewed as a one-message key reconciliation protocol sequentially executed from Alice to Bob. Assume (Alice’s secret) and (Bob’s secret) with for some integer . At the end of the execution, Alice and Bob could reach a consensus on a common secret , i.e., . Let and . The scheme £ works as follows:

Alice’s execution (a.k.a. ):
(1) Alice sets an integer in a binary form, where she defines and , and takes for but .
(2) Alice sets the common secret as and sends to Bob.

Bob’s execution (a.k.a. ):

After receiving , Bob takes as input and , and sets the common secret in its binary form.

Lemma 7 (see [9]). Assume with ; then Alice and Bob can agree on a common secret (i.e., ) after the execution of . Furthermore, if , the common key is confidential (even given ) and uniformly distributed over . The entropy is at least as large as .

Remark 1. Note that is independent of , then is the one-time pad for by . Hence, is independent of . Furthermore, is determined by the first randomly chosen bits of , then is independent of and uniformly random. Therefore, we can use as the one-time pad key to encrypt multiple bits in our dual-mode encryption scheme.
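The following Python is an added illustration of the one-message key reconciliation interface used in Section 1.2.2 and this section (Alice’s algorithm, Bob’s algorithm, and the one-time-pad use of the reconciled key on the residual message bits). It is neither code from this paper nor the scheme of Jiang et al. [9]: the block layout (a power-of-two modulus whose low t bits absorb the error, the hint centring Alice’s secret inside a block) and all parameters are assumptions chosen here so that the agreement condition, the uniform key, and the out-of-bound failure case can be run.

```python
"""
Illustrative one-message key reconciliation over Z_q (assumed construction,
not the scheme of [9]): Alice and Bob hold sigma_a, sigma_b in Z_q with
|sigma_a - sigma_b mod q| <= delta.  Alice sends one hint k; both derive the
same (log_q - t)-bit key, which then one-time-pads the residual message bits.
"""
import secrets
from typing import Callable, Tuple


class KeyReconciliation:
    """q = 2^log_q; the t lowest bits absorb an error of magnitude <= delta,
    the remaining log_q - t bits form the shared key."""

    def __init__(self, log_q: int, delta: int):
        self.q = 1 << log_q
        self.t = delta.bit_length() + 1   # 2^t > 2*delta: one block holds the error window
        if self.t >= log_q:
            raise ValueError("modulus too small for this error bound")
        self.m = 1 << self.t              # block size
        self.key_bits = log_q - self.t
        self.delta = delta

    def recon_a(self, sigma_a: int,
                rng: Callable[[int], int] = secrets.randbelow) -> Tuple[int, int]:
        """Alice's side: returns (key, hint k).  The high bits of k are uniformly
        random; the low t bits are chosen so that sigma_a + k lands at the centre
        m/2 of its block, leaving room delta on either side for Bob's error."""
        high = rng(1 << self.key_bits)
        low = (self.m // 2 - sigma_a) % self.m
        k = (high << self.t) | low
        v = (sigma_a + k) % self.q         # v mod m == m/2 by construction
        return v >> self.t, k

    def recon_b(self, sigma_b: int, k: int) -> int:
        """Bob's side: same block index, since |sigma_b - sigma_a| <= delta < m/2
        cannot move sigma_b + k out of the block centred on sigma_a + k."""
        return ((sigma_b + k) % self.q) >> self.t

    # One-time-pad use of the reconciled key for the residual message bits.
    # (The first message bit is hidden by the rounding function in the paper;
    # that function is not modelled here.)
    def encrypt_rest(self, sigma_a: int, msg: int) -> Tuple[int, int]:
        """Returns (ciphertext, hint).  msg must fit in key_bits bits."""
        if not 0 <= msg < (1 << self.key_bits):
            raise ValueError("message longer than the reconciled key")
        key, k = self.recon_a(sigma_a)
        return msg ^ key, k

    def decrypt_rest(self, sigma_b: int, ct: int, k: int) -> int:
        return ct ^ self.recon_b(sigma_b, k)


def agreement_rate(log_q: int, delta: int, trials: int = 2000) -> float:
    """Fraction of random (sigma_a, sigma_b) pairs with |sigma_a - sigma_b| <= delta
    on which recon_a and recon_b output the same key; should be exactly 1.0."""
    kr = KeyReconciliation(log_q, delta)
    ok = 0
    for _ in range(trials):
        sigma_a = secrets.randbelow(kr.q)
        err = secrets.randbelow(2 * delta + 1) - delta   # uniform in [-delta, delta]
        sigma_b = (sigma_a + err) % kr.q
        key_a, k = kr.recon_a(sigma_a)
        ok += key_a == kr.recon_b(sigma_b, k)
    return ok / trials


def out_of_bound_mismatch(log_q: int, delta: int) -> bool:
    """Edge case: an error of exactly m/2 (outside the tolerated window) always
    pushes Bob into the neighbouring block, so the keys differ."""
    kr = KeyReconciliation(log_q, delta)
    sigma_a = secrets.randbelow(kr.q)
    key_a, k = kr.recon_a(sigma_a)
    return key_a != kr.recon_b((sigma_a + kr.m // 2) % kr.q, k)


if __name__ == "__main__":
    print("agreement rate within bound:", agreement_rate(16, 20))
    kr = KeyReconciliation(16, 20)
    s = 12345                                  # constructed sample secret
    ct, k = kr.encrypt_rest(s, 0b1011)
    print("Bob decrypts residual bits to", bin(kr.decrypt_rest((s + 17) % kr.q, ct, k)))
```

Note that in this assumed construction the low t bits of the hint reveal the low bits of Alice’s secret; the independence statement of Remark 1 concerns the scheme of [9], not this illustration.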

3. LWE-Based Dual-Mode Encryption for UC-Secure String OT

In this section, an LWE-based dual-mode encryption (see Section 3.2) is proposed for deriving a UC-secure string OT (as shown in Figure 1), which is more efficient than costly running multiple independent executions of single-bit OT [6] (see Table 3) for transmitting multibit messages. We first introduce its underlying LWE-based messy public-key encryption in Section 3.1, i.e., an extension scheme of the counterpart of [6].

3.1. Extended Messy Public-Key Encryption

For a lattice-based dual-mode encryption cryptosystem over multibit messages, we need an LWE-based messy public-key encryption as its underlying encryption algorithm, which is obtained by extending the messy public-key encryption of [6] to a multibit encryption version. In particular, we use the single-bit output of the statistically smooth rounding function (see Lemma 6) to encrypt the first bit of the message, in order to retain the property that a messy public key can be tested efficiently and independently of the LWE modulus size. Moreover, we add the key reconciliation scheme £ (see Section 2.4) into the framework. By taking one of ’s inputs during its multiple executions (under the same public key) as the input of £, we can obtain multiple random bits to hide the residual bits of the message. Since and £ both utilize the same public key (possibly malformed), the messy public key property is naturally inherited by our extended LWE-based encryption.

3.1.1. Parameters Setting

Consider the randomized rounding function (see Lemma 6) and key reconciliation scheme £ (see Section 2.4) together used in the scheme. We show all the parameters set in Table 4 to satisfy the correctness and security of the following LWE-based messy encryption scheme.

3.1.2. Construction

Now we show our extended LWE-based encryption scheme , over message space .
(1) Sample , , , and set . Output:
(2) For , do the following:
1. Sample , and compute .
2. Compute , where is set as any vector chosen from and .
3. Split the message into two segments, i.e., , where is the first bit of , and is the residual bits of . Then compute:
4. Output the ciphertext :
(3) For all , do the following:
1. Compute , and set the majority bit of the ’s as .
2. Compute and set .
3. Output the message .

Similar to [6], the term added into (i.e., noise flooding) is used for arguing the receiver’s statistical security in decryption mode. Note that none of the following properties would be affected if this term were removed from . Now, we show the correctness of this extended LWE-based encryption scheme.

Lemma 8 (correctness). Let , , and , then the above extended public-key encryption scheme is correct.

Proof. By Lemma 3, can be set such that with overwhelming probability over the choice of .
If we set and , by the approximate correctness of (see Lemma 6), for all , we have
over the internal randomness of and . By the Cauchy–Schwarz inequality, we have .
We can observe from the above that and , therefore, . If we set for some integer , by the correctness of £ (see Lemma 7), two participants can agree on a common secret , i.e., .
Therefore, only using a Chernoff bound for the approximate correctness of , we can obtain the correct decryption with overwhelming probability in our extended public-key encryption scheme.

3.1.3. Messy Public Keys

To construct a dual-mode encryption cryptosystem from LWE, we have to build upon an LWE-based encryption that admits messy (short for message-lossy) public keys. We say that a public key is messy if a ciphertext output by carries no information (statistically) about the encrypted message, i.e., for all such that . Moreover, given an appropriate lattice trapdoor in the dual-mode cryptosystem described later, such messy keys can be efficiently identified. More precisely, the ciphertext produced by is . Therefore, for any fixed public key , we have to consider the statistical distance between and the distribution of , where . For any , both and are close to uniform within , so we have the following:

If is negligibly small, then is a messy public key. The correctness of implies that if is generated by , it has a large .

As shown in prior lattice-based cryptosystems [5, 16, 18], messy public keys play an important role in security proofs. In particular, [5] requires that the simulator in the UC model can efficiently identify messy keys with trapdoor information, which demands an explicit condition for identifying those keys. Since our dual-mode encryption cryptosystem follows the framework of [5], we also present a sufficient condition for messy public keys as follows:

Lemma 9 (sufficient condition for messy public key). Let , and . Suppose that the rows of generate . Then for any and any Gaussian parameter used by , we have .
In particular, if and , is messy under . That is, for all such that

Proof. First, we write as follows, where denotes the statistical distance between the distribution of and , and denotes the statistical distance between the distribution of and . Note that in the second part of (encrypted by £), we only consider whether the distribution of is nearly uniform. This is because the security of comes down to whether the distribution of is close to uniform.
Given , , such that , by the statistical smoothness of (see Lemma 6), the distribution of is statistically close to uniform over the randomness of and , i.e., . That is, are statistically close to uniform bits. Therefore, we only consider whether is negligibly small.
We can claim by Lemma 1 (for dimension instead of ). It directly implies that is close to the uniform distribution over for within statistical distance . Then we can claim that for the nearly uniform distribution of , which directly follows from Lemma 3 (i.e., a consequence of Lemma 2.6 in [16] and the duality between and ) with the statistically hiding property of £ (see Lemma 7).
More precisely, the first bit of the message (i.e., ) is information-theoretically hidden by , so it remains to show that the second part of the message (i.e., ) is statistically hidden by (output by ). Here, is the first bits of (randomly chosen from ), and thus works as a one-time pad for hiding . As a part of the ciphertext , can be regarded as a one-time pad encryption that hides by . By Lemma 7, is independent of , so is independent of . The claim that is statistically hidden by follows from the messiness of , i.e., is statistically hidden by . Therefore, the claim follows.

Now we state the following two lemmas: one claims that most public keys are messy for appropriate parameters, and the other argues that our extended messy public-key encryption scheme is secure under the LWE assumption.

Lemma 10 (most public keys are messy). Let , , and . Then with overwhelming probability we have ; in particular, is messy.

Proof. Let be comprised of and as above. By Lemma 2 (a consequence of Lemmas 5.1 and 5.3 in [16]), the rows of generate for all but an at most fraction of all (by Lemma 5.1 of [16]), and we have for all but an at most fraction of all (by Lemma 5.3 of [16]). Furthermore, since the set of points that are close to (within distance in the norm) has size at most , we have with overwhelming probability over the choice of for any fixed . As , the probability that belongs to those points is at most . Therefore, for any fixed , with overwhelming probability over the randomness of , we have . By Lemma 9, such a is a messy public key.

Lemma 11 (security). Suppose , . Then the above extended messy public-key encryption scheme is secure under the assumption.

Proof. With the assumption, the public key generated from is computationally indistinguishable from . If , then by Lemma 10, is messy with overwhelming probability and security follows.

Next, we show in the following lemma that, given an appropriate trapdoor, messy public keys can be efficiently identified; this is then used to argue the sender's statistical security in the messy-mode execution of our dual-mode encryption.

Lemma 12 (see [6] Lemma 3.5). Suppose is full-rank and . Let . Then there exists an efficient algorithm which, given a vector as input, decides whether (i.e., whether the public key is identified as messy). The algorithm works as follows:
(1) Run in Lemma 4.
(2) Output not sure if the output is with . Otherwise, output messy.
That is, if , then outputs messy by Lemma 4.

3.2. Dual-Mode Encryption over Multibit Messages

To achieve a UC-secure string OT (as shown in Figure 1), we take the above extended LWE-based messy public-key encryption (see Section 3.1) as the underlying encryption to build a dual-mode encryption over lattices. Here, we slightly change the Gaussian parameter to since testing for messy keys is required (see Lemma 12).

3.2.1. Construction

Now we follow the framework of [6] to show our LWE-based dual-mode cryptosystem for obliviously transferring multibit strings, where the preceding encryption scheme serves as its underlying encryption.
(1): Sample . Pick . Output:
(2): Sample . Pick and . Set and output:
(3): Pick , , . Output: It always satisfies that and .
(4): Compute . Output .
(5): Parse the ciphertext as . Output .
(6): Run (defined in Lemma 12). If it outputs messy, output 0. Otherwise, output 1.
(7): Pick , , . Output:

3.3. Dual-Mode Properties

According to Definition 1, we show the above-proposed cryptosystem satisfies the required dual-mode properties.

Lemma 13 (completeness on decryptable branch). Suppose , , and . Then, the above scheme is correct.

Proof. Since the scheme is the underlying encryption of the above cryptosystem, the correctness (i.e., on the decryptable branch ) of our dual-mode encryption follows directly from Lemma 8.

Lemma 14 (indistinguishability of modes). By the hardness of , the above dual-mode encryption satisfies indistinguishability of modes.

Proof. The difference between the two modes lies in the distribution of produced by the two setup algorithms (i.e., or ). By Lemma 4, is statistically close to . By the assumption, is computationally indistinguishable from . Therefore, computational indistinguishability between the two modes follows.

We require that Alice (the sender) achieve statistical security in the messy-mode execution of the derived OT, which follows from security in messy mode as stated in Definition 1. Security in messy mode (see Lemma 16 below) is obtained directly as a consequence of Lemmas 9 and 10 on messy public keys, which guarantee that at least one of the two branches of is message-lossy under the (possibly malformed) public key given by Bob (the receiver).

For additional clarity, we also show in Lemma 15 that the ciphertext of message on branch is message-lossy.

Since the encryption of (i.e., the former part of ), encrypted under the messy public key (where ), is message-lossy by the statistical smoothness of , we only need to prove that (i.e., the latter part of message ) is statistically hidden by . Moreover, by the correctness of £, Bob (the receiver) can decrypt (i.e., the latter part of the ciphertext on the decryptable branch ). That is, on branch , the key computed by Bob from the given (a.k.a. ) is equal to the key computed by Alice (a.k.a. ). Moreover, it is required that Bob cannot recover Alice's encryption key on the (messy) branch . In particular, the advantage with which Bob can correctly recover on branch is , i.e., . This guarantees that the encryption of is statistically hidden by . The following claim follows.

Lemma 15. For any , the encryption of message on branch is message-lossy.

Proof. In messy mode on branch , we have , where . Once () is obtained from Alice, Bob can compute as follows: At the side of Alice, is encrypted by (i.e., the first bits of used for the encryption of message ). Therefore, by the mechanism of £, can be recovered at the side of Bob by computing . Now we analyze how Bob can recover a correct encryption key . First, Bob could obtain from the ciphertext on . Since , can be viewed as encrypted by , where the messy key (referring to Lemma 16) is message-lossy under the key . Therefore, is statistically hidden. Second, we observe from the above computation of that is determined by the syndrome except for the case that . Therefore, proving reduces to proving . More precisely, we can show that the syndrome corresponds to a nearly uniform distribution over by the following argument.
Let and . Let . We have that for , , as long as , , then is uniformly distributed over . Denote this event by ; then . For clarity, we denote and is a random variable uniformly distributed over . As long as , we have .

Lemma 16 (security in messy mode). Suppose that , , and . Then, the above scheme satisfies security in messy mode.

Proof. First, for all , at least one of the public keys or satisfies . This is because if and are both close to , then by the triangle inequality is close to as well. In particular, if for both , then with negligible probability over the randomness of by Lemma 10. Therefore, for all , at least one of the public keys or is messy by Lemma 10, with overwhelming probability over the choice of by Lemmas 2 and 3.
In addition, by Lemma 12, we can efficiently identify a messy branch, i.e., for all , we use to identify the messy branch as , and it holds that:

Lemma 17 (security in decryption mode). Assuming , the above scheme satisfies security in decryption mode.

Proof. Now we prove that for all , the distributions generated by either or are statistically close to each other for any .
For any , where and , we let . We set the following: By Lemma 5 (i.e., is statistically close to ), the above is statistically close to the following: We denote the regular key pair on the decryptable branch generated by as follows, where , , , and .
Therefore, for all , the joint distribution of is statistically close to that of by the noise flooding technique (see Lemma 5).

Corollary 1. Assuming the hardness of with the parameters defined in the above dual-mode encryption cryptosystem, a UC-secure string OT as shown in Figure 1 with the specifications of Theorem 2 can be achieved.

Proof. Once a full-fledged dual-mode encryption scheme relying on the hardness of is achieved, by Theorem 2 we directly obtain a UC-secure OT for transmitting multibit strings over lattices (as shown in Figure 1). Specifically, Alice acts as the sender and Bob as the receiver. They both execute the setup phase to obtain by selecting messy or decryption mode. In the OT session, Bob first runs and sends ; then Alice uses to encrypt each message by running . After Bob receives the two encryptions , he obtains his chosen message by running .
The UC security proof of this string OT is highly similar to that of [5]. The following remark gives a proof sketch of our string OT in the UC model.

Remark 2 (illustration for simulation). Our dual-mode encryption over multibit messages mainly follows the framework of [6], whose simulation-based security proof is similar to that of [5], except that in the messy mode the trapdoor inversion algorithm is run only once, owing to the crucial property of . Since our scheme retains this advantage by using in the trapdoor inversion part, our simulation-based proof also follows [5, 6]. For clarity, we sketch the simulation-based proof for our string OT protocol as follows:
Simulator for the case when only the receiver is corrupted: Regardless of which mode the protocol runs in the real world, the simulator for a corrupted receiver in the ideal world works as follows: run the algorithm to generate and follow the simulation steps specified in [5]. We only need to run the trapdoor inversion once to identify a messy key, by the crucial property of . Thus we can build an efficient simulator when only is corrupted.
Simulator for the case when only the sender is corrupted: Regardless of which mode the protocol runs in the real world, the simulator for a corrupted sender in the ideal world works as follows: run the algorithm to generate and follow the simulation steps specified in [5]. Note that only one modification is needed, in the reply of the adversary. After sends to the corrupted , the external adversary (or the corrupted ) will reply to . Since the simulator has the trapdoors on both branches, both messages can be recovered correctly by .
Together with all the dual-mode properties shown above, we obtain a two-round UC-secure string OT from LWE in the CRS model, as shown in Theorem 1.

4. Conclusions

Aiming to design a UC-secure OT for transmitting multibit strings, we build on the work of [5, 6] and propose an improved LWE-based dual-mode encryption cryptosystem. Our scheme not only satisfies the well-defined dual-mode encryption notion but also avoids the costly vector sampling incurred by simple repetition of single-bit OT executions in string OT applications. By a comprehensive analysis of both security and efficiency, we show that our scheme performs better than the two most closely related works (i.e., [5, 6]).

In addition, a natural question is whether an OT construction with the properties shown in Theorem 1 is compatible with a polynomial LWE modulus. We believe this is nontrivial due to the use of the noise flooding technique. Another interesting question is to extend this work to the ring setting (or even to module lattices) for practical efficiency. It seems easy to extend with a one-bit hash output in the ring setting. However, some building blocks (e.g., the key reconciliation scheme and the lattice trapdoor techniques) should also be adapted properly to the ring setting.

Data Availability

No underlying data were collected or produced in this study.

Conflicts of Interest

The authors declare that they have no conflicts of interest.

Acknowledgments

This work is supported by the National Natural Science Foundation of China (grant nos. 61902303, 61972457, 62172266, 62002288, U19B2021), the Natural Science Basic Research Program of Shaanxi (program nos. 2024JC-YBMS-475, 2021JM-514), the Key Research and Development Program of Shaanxi (grant no. 2020ZDLGY08-04), the Scientific Research Program Funded by Shaanxi Provincial Education Department (program no. 23JP058), the Young Talent fund of University Association for Science and Technology in Shaanxi, China (program no. 20210116), the Shaanxi Key Laboratory of Blockchain and Secure Computing (no. N-KY-XZ-1101-202110-7349), the Fundamental Research Funds for the Central Universities (no. GK202103093), the Henan Key Laboratory of Network Cryptography Technology (no. LNCT2021-A03), the Innovation Scientists and Technicians Troop Construction Projects of Henan Province, the MOE Layout Foundation of Humanities and Social Sciences (no. 19YJA790007).