Abstract
A blind decryption scheme enables a user to query decryptions from a decryption server without revealing information about the plaintext message. Such schemes are useful, for example, for the implementation of privacy-preserving encrypted file storages and payment systems. In terms of functionality, blind decryption is close to oblivious transfer. For noiseless channels, information-theoretically secure oblivious transfer is impossible. However, in this paper, we show that this is not the case for blind decryption. We formulate a definition of perfect secrecy of symmetric blind decryption for the following setting: at most one of the scheme participants is a passive adversary (honest-but-curious). We also devise a symmetric blind decryption scheme based on modular arithmetic on a ring , where is a prime, and show that it satisfies our notion of perfect secrecy.
1. Introduction
Over the past 15 years, data has moved from local storage to centralized data warehouses in the cloud. The accessibility of large amounts of personal data through a public network has given rise to many security and privacy issues [1]. Fortunately, such issues have generally been taken seriously. For example, in many countries, ethical and legal requirements have been imposed on guaranteeing the confidentiality of medical records [2, 3]. However, the implementation of privacy technologies is nontrivial, especially if the data storage has been outsourced to a cloud operator. Sensitive information can often be inferred from simple access patterns either by outsiders or by the operator of the storage. For example, being able to observe a medical doctor to access the medical record of a patient can leak sensitive information. Therefore, such access patterns should be kept hidden both from outsiders and from the party that is administering the records. Oblivious databases [4] and privacy-preserving encrypted file systems [5] are examples of technologies that can be used to hide the access information from the administrator. For such systems, the decryption of data is typically handled by a central decryption server. Such systems can be conveniently implemented using blind decryption schemes [6]. Blind decryption is a versatile primitive. It can be used as a building block for many privacy-critical applications, such as privacy-preserving payment systems [7], key escrow systems, oblivious transfer protocols [8], privacy-preserving systems for digital rights management [9, 10], and private information retrieval [11]. A blind decryption scheme consists of an encryption scheme together with a blind decryption protocol intended to decrypt messages in a privacy-preserving fashion. The meaning of “blind decryption” can be easily described based on the following scenario depicted in Figure 1. Suppose that Alice has obtained several encrypted messages from an encryptor.
Alice is entitled to choose and decrypt exactly one of those messages. Suppose that the decryption key is stored on a decryption server and Alice wishes to have the server decrypt the message for her in such a way that neither the encryptor nor the decryptor learns the message chosen by Alice.
There are suggestions for practical blind decryption based on public-key cryptography [5, 6, 12–14]. It is also possible to implement the blind decryption functionality with other protocols such as secure multiparty computation [15]. However, the resulting schemes would be computationally demanding. For many applications, symmetric primitives are sufficient and computationally more efficient. In addition, they can provide secrecy that is not based on computational assumptions. Oblivious transfer schemes [16, 17] deliver the same functionality directly between the sender and the receiver without the decryption server. However, for noiseless channels, information-theoretically secure oblivious transfer is impossible [18]. In addition, blind decryption schemes do not seem to exist, such that the privacy of the user is based on information-theoretic security. Our work aims to fill this shortage. In this paper, we give a meaningful definition of perfect secrecy for the blind decryption scenario. In particular, we formulate perfect secrecy of symmetric blind decryption in a setting in which at most one of the participants is an adversary but adhering to the protocol (at most one of the participants is honest-but-curious). We also propose a symmetric key blind decryption scheme which satisfies our definition. The scheme is based on modular arithmetic on a ring , where is a prime. Our main contribution is theoretical. Perfect secrecy requires the key to be changed for each decryption. Therefore, many existing applications of blind decryption which are built on the public-key case in the computational security model are not directly applicable. However, for the first time, we are able to give a meaningful definition of perfect secrecy of blind decryption and to show that blind decryption is possible in the information-theoretic security model. Additional research is needed to show which applications are possible in this model.
The paper is organized as follows. In Section 2, we describe work that is related to ours. Section 3 discusses the fundamental definitions and the preliminaries for the rest of the paper. In Section 4, we formulate three perfect secrecy properties that the blind decryption scheme needs to satisfy. In Section 5, we give a description of a symmetric blind decryption scheme . In Section 6, we show that the devised scheme satisfies our definition of perfect secrecy. Finally, Section 7 considers future work and Section 8 provides the conclusion.
2. Related Work
Chaum was the first to consider blindness in the context of digital signatures and privacy-preserving payment systems [7]. He described the first public-key blind signature scheme [19] by utilizing the properties of RSA encryption [20]. The scheme can be also used for encryption and can be therefore considered as the first blind decryption scheme. In the early articles, blind decryption is referred to as “blind decoding.” Discrete logarithm based blind signature schemes were suggested in [21–24]. Sakurai and Yamane were the first to consider public-key blind decryption based on the discrete logarithm problem [6]. Their method was based on ElGamal Cryptosystem [25] and related to the blind signature of Camenisch et al. [24]. The method was later applied for the implementation of a key escrow system [12]. Mambo et al. were the first to consider blind decryption that is secure against chosen plaintext attacks by signing the ciphertext messages [26]. The resulting scheme is not capable of public-key encryption, since a secret signing key is required. Green described the first public-key blind decryption scheme [5] that is secure against adaptive chosen ciphertext attacks (IND-CCA2) using bilinear groups. The security of these constructions has been considered computationally either in the random oracle model [11] or using computational indistinguishability and infeasibility assumptions [5].
Oblivious transfer protocols are symmetric primitives that offer functionality similar to blind decryption. For oblivious transfer, there are two participants: a sender and a receiver. For the original definition of oblivious transfer, the sender transmits a message which the receiver gets with probability . The sender remains oblivious as to whether the receiver actually got the message. This form of oblivious transfer was introduced by Rabin [16]. The concept was later extended by Even et al. [17]. For oblivious transfer, the receiver can choose one from two messages without the sender knowing which of the messages was chosen. A related concept that can be considered as a further generalization is all-or-nothing disclosure of secrets [27] for which Alice is willing to disclose at most one secret from a set to Bob without Bob learning information about the rest of the secrets. Alice must not learn which secret Bob chose. Adaptive queries were considered by Naor and Pinkas [28]. They also considered active adversaries and provided security definitions related to the simulatability of the receivers. Camenisch, Neven, and Shelat extended the work of Naor and Pinkas by defining simulatable oblivious transfer [29] and providing practical constructions for such a scheme. There are other suggestions for oblivious transfer based on problems in bilinear groups [30], groups of composite order [31], and the Diffie-Hellman problem [32–37]. These schemes are based on computational assumptions. It is impossible to achieve information-theoretic security for both of the parties using noiseless channels [18]. However, it is possible using noisy channels such as discrete memoryless channels [38] or a trusted initializer (shown by Rivest in 1999; see “unconditionally secure commitment and oblivious transfer schemes using private channels and a trusted initializer”).
For the computational security setting, the functionality of oblivious transfer can be also implemented with public-key blind decryption using the method of Dodis et al. [39].
General multiparty computation protocols can be also applied to implement blind decryption capabilities. Secure multiparty computation was originally introduced by Yao [40] for the two-party case. The general case for is due to Goldreich et al. [41]. However, secure multiparty computation protocols are computationally intensive in comparison to blind decryption and oblivious transfer.
3. Preliminaries
3.1. Notation
For the set of integers modulo , we denote and equate a congruence class with its least nonnegative representative. That is, we consider . By the notation we mean the unique such that . We denote the uniform distribution on a set by . If a random variable is uniformly distributed on a set , we denote it by . When an element is sampled from , we denote it by .
3.2. Symmetric Encryption
A symmetric encryption scheme with key space , plaintext space , and ciphertext space consists of three algorithms:
(1) The key generation algorithm : on inputting a security parameter , outputs a key
(2) The encryption algorithm : on inputting a key and a message , outputs a ciphertext
(3) The decryption algorithm : on inputting a key and a ciphertext , outputs a message such that
3.3. Blind Decryption
Blind decryption has been considered in the literature for the asymmetric case. However, in this paper, we are interested in the symmetric case that is easily adapted from the asymmetric one [5]. A symmetric blind decryption scheme consists of a symmetric encryption scheme and a two-party protocol . The protocol is conducted between an honest user Alice and the decryption server which we shall call the decryptor. The protocol enables Alice, who is in possession of a ciphertext , to finish the protocol with the correct decryption of . As a result of running , Alice on inputting a ciphertext outputs either the message or an error message . The decryptor, on inputting the key , outputs nothing or an error message . To be secure, the exchanged messages must not leak information to malicious users (the leak-freeness property [8]). The property can be formalized based on computational indistinguishability. For every adversary, there has to be a simulator so that the following two games are well defined. For the first game, a probabilistic polynomial time (PPT) adversary can choose any number of ciphertexts for . It is then given the correct decryptions by executing with the decryptor. Finally, outputs the plaintext message and ciphertext pairs for . For the second game, a simulator chooses any number of ciphertexts for . In this game, the plaintext messages are obtained by querying a trusted party. is leak-free if for every PPT adversary there is a simulator such that for every PPT distinguisher the probability of distinguishing between these two games is negligible [5].
Another important property for secure blind decryption is the blindness property. It formalizes the idea that the decryptor must not learn anything about the actual plaintext message. This can be formalized by giving a PPT algorithm the possibility to choose two ciphertexts and giving it oracle access to two instances of based on these choices. If the probability of distinguishing these two instances is negligible for every PPT algorithm , then satisfies ciphertext blindness. For a formal and rigorous definition, see, for example, [5].
3.4. Perfect Secrecy
The notion of perfect secrecy is due to Shannon [42]. Let be an encryption scheme with key space , plaintext space , and ciphertext space . Let denote a random variable on the key space induced by . satisfies perfect secrecy if, for every random variable on the plaintext space, every plaintext , and every ciphertext ,Equivalently, satisfies perfect secrecy if and only if, for every random variable on the plaintext space, every plaintext messages , and every ciphertext ,
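As an added illustration that is not part of the paper, the following Python sketch checks Shannon's perfect secrecy exhaustively in both of its standard forms (the posterior of a message given a ciphertext equals its prior; the ciphertext distribution does not depend on the message) for a shift cipher on the integers modulo N. The modulus N = 9, the skewed prior and the restricted key set are constructed toy values, not parameters of the scheme described later.

```python
"""Exhaustive check of Shannon perfect secrecy for a toy cipher on Z_N.

Added illustration: N, PRIOR, FULL_KEYS and WEAK_KEYS are constructed
values chosen for this example, not parameters taken from the paper.
"""
from fractions import Fraction

N = 9                                # toy modulus (assumption)
FULL_KEYS = list(range(N))           # key uniform on all of Z_N
WEAK_KEYS = list(range(0, N, 2))     # key uniform on a proper subset
# Deliberately non-uniform prior on the plaintext space Z_N (sums to 1).
PRIOR = {m: Fraction(m + 1, 45) for m in range(N)}


def shift_enc(k, m):
    """Additive one-time pad on Z_N: c = m + k mod N."""
    return (m + k) % N


def ciphertext_dist(enc, keys, m):
    """Exact distribution of Enc(K, m) when K is uniform on `keys`."""
    weight = Fraction(1, len(keys))
    dist = {}
    for k in keys:
        c = enc(k, m)
        dist[c] = dist.get(c, Fraction(0)) + weight
    return dist


def indistinguishable(enc, keys, messages):
    """Pr[Enc(K, m) = c] = Pr[Enc(K, m') = c] for all m, m', c."""
    dists = [ciphertext_dist(enc, keys, m) for m in messages]
    return all(d == dists[0] for d in dists[1:])


def max_posterior_gain(enc, keys, prior):
    """Largest value of Pr[M = m | C = c] - Pr[M = m] over all m and c.

    The posteriors for a fixed c sum to 1, so the maximum is 0 exactly
    when every posterior equals its prior, i.e. under perfect secrecy.
    """
    joint, marginal = {}, {}
    for m, pm in prior.items():
        for c, pc in ciphertext_dist(enc, keys, m).items():
            joint[(m, c)] = pm * pc
            marginal[c] = marginal.get(c, Fraction(0)) + pm * pc
    gain = Fraction(0)
    for c, pc in marginal.items():
        if pc == 0:
            continue  # conditioning on an impossible ciphertext
        for m, pm in prior.items():
            posterior = joint.get((m, c), Fraction(0)) / pc
            gain = max(gain, posterior - pm)
    return gain


if __name__ == "__main__":
    for name, keys in (("full key space", FULL_KEYS),
                       ("restricted key space", WEAK_KEYS)):
        print(name,
              "| indistinguishable:",
              indistinguishable(shift_enc, keys, range(N)),
              "| max posterior gain:",
              max_posterior_gain(shift_enc, keys, PRIOR))
```

With the full key space both checks pass for the skewed prior; restricting the key to a subset makes some ciphertexts impossible for some messages, so an observer's posterior moves away from the prior.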
4. Perfect Secrecy for Symmetric Blind Decryption
In this section, we formulate a condition for the perfect secrecy of blind decryption. Instead of computational indistinguishability, we consider secrecy of symmetric blind decryption based on the information observed by the parties. In the following, let together with be a symmetric blind decryption scheme with key space , plaintext space , and ciphertext space .
4.1. The Scenario
For the sake of clarity, we do not consider active adversaries. We assume that the parties adhere to the blind decryption protocol and only observe the flow of messages (and possibly deduce information from those messages). Active adversaries could, for example, induce errors to the protocol messages. Such adversarial scenarios are left for future work. In addition, we do not consider the case where the decryptor is colluding with either Alice or the encryptor against the other. Such a case is equivalent to the oblivious transfer scenario and information-theoretic security is impossible for noiseless channels [18]. However, we note that such collusion scenarios are important for certain applications and need to be investigated in the future. We do consider the case where the adversary is impersonating one of the parties, which is a paramount requirement for many applications. For clarity, we also restrict ourselves to the case where Alice decrypts a single message . Similar to the one-time pad, we assume that a new key is derived after every decryption. However, in our case, there could be several ciphertexts encrypted under the same key. Nevertheless, once Alice has decrypted one of the messages, we consider that particular key used and a new key, and a new set of ciphertexts is generated.
The scenario is the following. The encryptor chooses a set of plaintext messages for . He encrypts those messages under a key to obtain ciphertext messages for that he transmits to Alice. Alice chooses one of those messages . To hide the actual ciphertext , we assume that there is a ciphertext transformation space so that Alice can derive a related ciphertext message that she transmits to the decryptor. The decryptor responds with its decryption which Alice transforms to the correct plaintext message . The general scenario has been depicted in Figure 2. The used variables have been collected into Notations for easier reference.
4.2. Security Requirements
As described in Section 3.2, the scheme has to satisfy the following property.
4.2.1. Leak-Freeness
Outsiders must not learn information about the plaintext messages by observing the exchanges.
The easiest way to provide leak-freeness against outsiders is to protect each exchange with an encryption scheme that satisfies perfect secrecy. However, leakage also needs to be addressed considering the protocol participants. Considering each individual party, we can divide leak-freeness as follows.
(1) Leak-Freeness against the Encryptor. An honest-but-curious encryptor must not learn information about the plaintext message obtained by Alice at the end of the protocol by observing the blind decryption messages. The situation is depicted in Figure 3.
(2) Leak-Freeness against Alice. This property ensures that, after obtaining , Alice does not learn information about the remaining plain texts for . The situation is depicted in Figure 4.
In contrast to computational security, we cannot define leak-freeness as a distinguishing problem. Instead, we shall consider the probability distributions regarding the exchanged elements. We also want to prevent the decryptor from deducing information about the plaintext message .
4.2.2. Blindness against the Decryptor
This property ensures that an honest-but-curious decryption server does not learn the message Alice wants to decrypt. The situation is depicted in Figure 5.
In the computational security setting, there can be multiple applications of the blind decryption protocol for a fixed key. In our case, we want a fresh key for every decryption to achieve perfect secrecy. Therefore, we formulate leak-freeness and blindness for a single decryption. However, as was described before, we want to be able to encrypt multiple messages with the same key. For example, in privacy-preserving payment systems, blind decryption is used to enable Alice to choose one (only one) item from a selection of items. This results in a scenario in which there are plaintext and ciphertext pairs for but there is only a single application of .
In the following section, we formulate these conditions based on information. Note that these conditions also provide secrecy against observers that are not participants of the scheme, since the information possessed by such observers is a proper subset of that of any of the participants. The following notation is used. Let denote the random variable of blind decryption keys on the key space induced by . Let for denote the random variables corresponding to the choice of for by the encryptor and let denote the random variable corresponding to the plaintext Alice obtains at the end of the scheme. Following the standard practice [43], we assume that is independent of and for every . Let denote the random variable on the ciphertext transformation space for the ciphertext message that Alice discloses to the decryptor. Finally, let denote the random variable corresponding to the message that the decryptor responds with. These variables have been collected into Notations.
4.3. Perfect Leak-Freeness against the Encryptor
We shall first formulate leak-freeness against the encryptor. The blind decryption protocol messages and should not disclose any information about to the encryptor. Equivalently, the messages should not leak information about that was chosen by Alice even if the encryptor knows the key and the right plaintext messages for .
Definition 1 (perfect leak-freeness against encryptor). A symmetric blind decryption scheme is perfectly leak-free against the encryptor for a single decryption of a maximum of messages if, for every random variable for on the plaintext space and every for and every ,Our definition states that an honest-but-curious encryptor can equally easily guess the plaintext message Alice wanted to be decrypted with or without information provided by the blind decryption protocol messages and . Note that, in the normal scenario, for some . However, we do not want to restrict the definition to such a case. For example, there could be homomorphic blind decryption schemes for which certain operations could be permitted on the ciphertexts. Note also that the encryptor inherently possesses more information about than an outsider, since is dependent on .
4.4. Perfect Leak-Freeness against Alice
In order to be practical, the scheme needs to ensure that Alice is not able to decrypt messages. Therefore, we need to ensure that Alice obtains neither the decryption key nor any information about the decryptions of without interacting with the decryptor. In addition, after a single application of , Alice must not have any information about the remaining messages. To make the requirement precise, we require that the observation of a single plaintext and ciphertext pair does not leak any information about the decryption of another ciphertext . The property is, in fact, a property of the encryption scheme.
Definition 2 (perfect leak-freeness against Alice). A symmetric encryption scheme satisfies perfect leak-freeness against Alice for a single decryption if, for every random variable on the plaintext space, every , and every , such that ,The condition states that the probability of obtaining the ciphertext pair is the same whether we encrypt or . That is, observation of the ciphertexts does not yield information about the decryption of even if we know the decryption of .
4.5. Perfect Blindness against the Decryptor
We still need to consider privacy against an honest-but-curious decryptor. It is reasonable to assume that have been delivered to Alice using a private channel. If the decryptor can observe for , it means that he knows the corresponding plaintext messages, since he is in possession of the blind decryption key. Therefore, it is natural to require that the ciphertexts be protected by a separate secure channel between Alice and the encryptor. For the blindness property, we want the server to learn nothing of the actual message that Alice derives at the end of the blind decryption scheme. In this case, the decryptor knows the correct key as well as the messages and exchanged with Alice.
Definition 3 (perfect ciphertext blindness against the decryptor). A symmetric blind decryption scheme satisfies perfect ciphertext blindness against the decryptor if, for every random variable on the plaintext space, every , and every The condition states that it is equally easy to guess the correct plaintext message with and without the information possessed by the decryptor. Note that we have assumed that have been delivered to Alice in perfect secrecy.
4.6. Perfect Secrecy for Symmetric Blind Decryption
Finally, we can state our definition of perfect secrecy based on the properties defined above.
Definition 4 (perfect secrecy of blind decryption). A symmetric blind decryption scheme consisting of a symmetric encryption scheme and a blind decryption protocol satisfies perfect secrecy for symmetric blind decryption for a single decryption of a maximum of messages against a single honest-but-curious party if the scheme is perfectly leak-free against the encryptor for a maximum of messages, is leak-free against Alice, and the scheme satisfies perfect ciphertext blindness against the decryptor.
5. A Concrete Blind Decryption Scheme
We shall now devise a blind decryption scheme that satisfies Definition 4. We shall implement our scheme using two tiers of symmetric encryption. For the outer tier, we apply a scheme that satisfies ordinary perfect secrecy. Let that scheme be denoted by . The outer encryption scheme will hide information about from the decryptor and also provide secrecy for and against the encryptor. To achieve perfect blindness and leak-freeness against Alice, we design an inner tier encryption scheme called that satisfies a useful transformation property which enables us to construct a blind decryption protocol . To sum up, our final construction will consist of two tiers of encryption and a protocol for Alice to query a single decryption from the decryptor. The general overview of the scheme is depicted in Figure 6. It would be possible to implement some of the required privacy properties with multiple applications of the one-time pad. For example, if , Alice could hide the plaintext message from the decryptor by querying for the decryption of , where is only known to Alice. The correct plaintext message would be obtained from by computing . However, such a protocol would leak to the decryptor, since would be needed for decryption. In addition, for a single decryption, the decryptor would have to maintain a set of keys which would quickly grow to an unmanageable size as grows. In contrast, the optimal key size for single decryption would be , where is the bit length of , assuming that each plaintext message is of the same bit length. Therefore, simply applying the one-time pad is not sufficient.
In the following, we first describe our inner encryption scheme that will provide perfect leak-freeness against Alice, as well as the required message transformation property. Then, we proceed to the description of a blind decryption protocol utilizing this scheme. Finally, we combine the inner encryption scheme with an outer encryption scheme that satisfies ordinary perfect secrecy and describe the complete blind decryption scheme.
5.1. The Inner Encryption Scheme
We shall first construct an inner encryption scheme called with some useful properties. Our inner scheme is based on modular arithmetic on the ring , where is a prime. Our plaintext space is and every is mapped to the ciphertext space . To satisfy Definition 2, we want to add an amount of randomness that is at least twice the binary length of in the encryption operation. Therefore, the keys of will consist of pairs . Let . Then,where . Therefore, we can essentially represent with two elements of . Using such a representation, we encrypt a single message by first sampling a random element and setting . Then, we add the key by computingwhich is the ciphertext message. To enable blinding, Alice needs to be able to transform into another ciphertext . The encryption operation entails such a transformation property that follows from the congruencefor every and such that . Let be a plain text and let be its encryption with . Let now be any ciphertext under the same key such that and let be the corresponding plain text. Since , we have , where . Now, by (8),from whichwhich enables us to compute using without the key . Namely, if we know a plain text and its encryption , we know the decryption of for every . The plain text can be computed by the transformation algorithm in Algorithm 1.

Let . The algorithm works becauseIn order to query the decryptor, Alice can transform a ciphertext into any such that . The algorithm can transform the corresponding plain text to the decryption of .
Decryption is straightforward knowing the key . Its operation, as well as the complete encryption scheme, is described below.
Definition 5 (). The symmetric encryption schemeconsists of Algorithms 2, 3, and 4.



The plaintext and ciphertext spaces of depend on the chosen prime ; the plaintext space is , while the ciphertext space is . Let us show the correctness of the scheme. That is,for every key and plain text . Let . Then one hasand , where . Now,We shall later show that, given a single plaintext and ciphertext pair and a ciphertext such that , we still have information-theoretic security for . That is, satisfies perfect leak-freeness against Alice whenever for . However, suppose that we have two plaintext and ciphertext pairs such that . We can show that the key can be completely determined from such two pairs.
Proposition 6. For every plaintext and ciphertext pair such that , there is a unique key such that
Proof. Let such that and . Let also and . Then, we have a system of two equations:where are known. Now, letNote that since and , we have and is invertible modulo . Therefore, the equation pair has a unique solution:
Due to the transformation algorithm , we require that if Bob sends ciphertext messages to Alice, we have for every . Otherwise, it would be trivial for Alice to derive the decryptions of all of the ciphertexts from a single plaintext and ciphertext pair. Therefore, the maximum number of ciphertext messages under the same key is determined by .
5.2. Blind Decryption Protocol
Next, we give a description of a blind decryption protocol based on the transformation algorithm .
Definition 7 (). Suppose that the encryptor and the decryptor share a key intended for a single decryption by Alice. Furthermore, let Alice have an encrypted message that is not known to the decryptor. Finally, suppose that the prime is public knowledge. Let the protocol be defined by the following exchange between Alice and the decryptor:
(1) Alice: compute and transmit it to the decryptor
(2) Decryptor: reply with
(3) Alice: compute the plaintext message
Let us quickly check the correctness of . Let . Then, , where is the plaintext message. The decryptor replies withBut now Alice can computewhich is the correct plaintext message.
5.3. The Complete Blind Decryption Scheme
As was mentioned earlier, the communication between Alice and the encryptor has to be protected in order to prevent the decryptor from obtaining the plaintext messages corresponding to . If the decryptor can observe these ciphertext messages, it can freely decrypt all of them, since it knows the correct key. Therefore, we need to apply an outer encryption scheme that hides the ciphertext messages. The same solution is the easiest way to provide perfect leak-freeness against the encryptor, since it enables us to simplify the secrecy conditions. In our case, we want to protect both of these exchanges with an outer tier of encryption which provides perfect secrecy. Let be any symmetric encryption scheme that satisfies perfect secrecy such that the plaintext and ciphertext space is . We will be applying with both and together with to provide the required leak-freeness and blindness properties. The outer tier is composed in the following way. Alice and the encryptor share a set of keys . The encryptor protects each ciphertext message by computing for . It sends to Alice. Similarly, Alice and the decryptor share a pair of keys that are used to protect and . Alice sends to the decryptor that responds with . The resulting scheme is defined as follows.
Definition 8 (). Let be a symmetric encryption scheme such that the plaintext and ciphertext space is and let satisfy perfect secrecy. Let Alice and the encryptor share a set of keys . Let Alice and the decryptor share a pair of keys intended for a single blind decryption by Alice. Also let the encryptor and the decryptor share a blind decryption key , where , which is intended for single blind decryption by Alice. is determined by Box 1.
Note that we require that the parameter determining the size of the plaintext space satisfy to ensure that the generated prime satisfies and the scheme supports at least the encryption of messages.
6. Security of
We shall now consider the security of . We proceed to show that the devised scheme satisfies the three conditions formulated in Section 4: perfect leak-freeness against the encryptor, perfect leak-freeness against Alice, and perfect blindness against the decryptor.
6.1. Perfect Leak-Freeness against the Encryptor
Proposition 9. satisfies perfect leak-freeness against the encryptor for a single decryption of a maximum of messages, where is determined by .
Proof. The claim follows directly from the observation that the encryptor sees only and . By the description of , and are protected by encryption satisfying perfect secrecy and thus do not leak information to the encryptor.
It is easy to see that the outer tier of encryption is necessary. Suppose that the outer encryption scheme was not applied. Then would leak which would betray to the encryptor.
6.2. Perfect Blindness against Decryptor
We shall now prove that the decryptor does not get information about the plaintext message.
Proposition 10. satisfies perfect blindness against the decryptor for a single blind decryption.
Proof. Since are protected with perfect secrecy, we only need to show thatwhere and are the random variables associated with the messages and , respectively. Let denote the random variables corresponding to the key elements , respectively. The reply from the decryptor is completely determined by the key and the element , since . Therefore,Let us consider . By the description of the scheme, we have , where is the chosen index of Alice. But, for every , we have, by the description of , that . Therefore, is independent of and andfor every andfor any . By our assumption, is independent of and and therefore we havewhich shows our claim.
The proof shows that the decryptor (with the knowledge of the key and and ) does not gain any information about the plaintext message assuming that for have been delivered to Alice in perfect secrecy. Considering the secrecy against the decryptor, it would suffice to send without the additional level of encryption. However, the additional level is necessary to achieve leak-freeness against the encryptor.
6.3. Perfect Leak-Freeness against Alice
We shall now consider an honest-but-curious Alice and show that the observation of a single plaintext and ciphertext pair does not yield information about the decryption of for .
Proposition 11. satisfies perfect leak-freeness against Alice for a single decryption of a maximum of ciphertexts.
Proof. By the description of , the ciphertext messages are of different congruence class modulo . Let be random variables over the plaintext space . Let denote the random variables corresponding to the key elements . We have to show thatfor every and such that . Given a valid assignment for and , it suffices to show thatfor every . By Proposition 6, for every plaintext and ciphertext pair such that , there is a unique key . Therefore,By the definition of , and are independent and we have
We have now established the perfect secrecy of according to Definition 4.
6.4. The Parameters
An optimal encryption scheme, with plaintext space , that satisfies perfect leak-freeness against Alice for a single decryption needs bits of randomness for a key. achieves exactly this bound, since the plaintext space is and a single key contains bits of randomness. Assuming that messages and keys are represented by binary strings, we need bits of key to encrypt messages of length . For a single decryption with , the decryptor needs to store the key elements , as well as the keys . The keys are used to encrypt messages of . Therefore, bits for each of these keys suffice for perfect secrecy. In total, the decryptor needs to store key material of bits for a single decryption of a message of bit length . Since the ciphertext space is , the ciphertext’s length in bits is approximately twice the plaintext’s length. Depending on the length of the plaintext messages and the needed maximum number of encryptions , we should therefore choose the smallest possible , since its bit size has no effect on the security of the scheme. Table 1 lists some possible choices for and the resulting key, plaintext, and ciphertext lengths in bits. Note that for long plaintext messages the maximum number of messages is practically unlimited.
7. Future Work
There are two main drawbacks of the construction presented in this paper. First, we have not considered active adversaries. Similar to the one-time pad, we have only considered such adversaries that observe the flow of messages. For practical scenarios, we need to consider adversaries that actively induce errors into the protocol flow. However, such considerations are most naturally conducted in the computational infeasibility model which has been used, for instance, in [5]. In the active adversaries setting, it would also be natural to consider the security of the devised scheme in the framework of computational indistinguishability such that the truly random keys are exchanged with pseudorandom bit strings. In particular, the computationally hard version of our scheme yields an efficient practical implementation. The computational security model is also more appealing considering applications due to the limitations induced by the information-theoretic model. For example, in the information-theoretic security model, private information retrieval requires an amount of communication that is at least the size of the database [44]. Similarly, in , a fresh key is needed for each decryption resulting in limitations regarding existing applications. For example, applications that require adaptive queries cannot be instantiated with , since a fresh key would be required for each query. We leave it for future research to consider and its possible generalizations and applications in the computational security model.
The second drawback is that we have only considered the case of a single adversary. While it does not make sense to consider a scenario where Alice is colluding with the encryptor against the decryptor, the scenario where the encryptor and the decryptor are colluding is an important one. For many scenarios, Alice cannot be certain whether the encryptor and the decryptor are in fact separate entities. However, if they are a single entity, the scenario is identical to oblivious transfer. We cannot achieve information-theoretic security in such a case [18]. For example, it is easy to see that our construction fails for colluding encryptor and decryptor. If that is the case, we effectively remove the outer layer of encryption, which means that leaks to the adversary. To provide security against colluding encryptor and decryptor, we would need to detect such collusion or to turn to computational assumptions. We leave the question as an open problem for future research. Another interesting question for future work is to consider the case where we do not apply the outer layer of encryption from the encryptor to Alice. Thus far, we have defined perfect blindness so that the decryptor has absolutely no information about the plaintext message. However, we could relax the requirement so that, similar to leak-freeness against the encryptor, the information is conditioned on the plaintexts . In other words, we could relax the requirement so that the decryptor may observe the selection (and the corresponding plaintext messages) given to Alice. Such relaxation is natural in the oblivious transfer case where the encryptor and the decryptor are the same entity. We could then define blindness as a property requiring only that the selection be hidden. It is again easy to see that our scheme without the outer layer of encryption fails such a property. If are not protected, then leaks . Similarly, attempting to convert into an oblivious transfer scheme using the method of Dodis et al. is impossible, since requires that the parties be truly separate. The unification of encryptor and decryptor leaks even in the computational security model [39]. We leave this consideration also for future work.
8. Conclusion
In this paper, we give a definition of perfect secrecy for symmetric blind decryption in the setting where one of the parties may be malicious but adhering to the protocol of the scheme. We consider neither active adversaries nor the setting where two of the participants are colluding against the third. We construct a symmetric blind decryption scheme and show that it satisfies our definition of perfect secrecy. The scheme is based on two layers of encryption, where the inner layer utilizes a novel encryption scheme given in this paper. is based on modular arithmetic with as the ciphertext space, as the plaintext space, and as the key space, where is a prime. The security of is shown information-theoretically and does not depend on the size of . For a fixed blind decryption key, supports a single blind decryption from a selection of messages. For a single decryption of a message of bit length , the decryption server needs to store key material of bits.
Notations
Variables:  Key space 
:  Plaintext space 
:  Ciphertext space 
:  Ciphertext transformation space 
:  Blind encryption/decryption key 
:  The number of messages encrypted under a single blind decryption key 
Plaintext messages chosen by the encryptor  
:  Ciphertext messages obtained by encrypting with the blind encryption key 
or :  Ciphertext message chosen by Alice 
or :  Transformed ciphertext message chosen by Alice 
or :  Decryption of under the blind decryption key 
or :  The plaintext message Alice obtains at the end of the scheme. 
:  Random variable on induced by 
:  Random variables corresponding to the choice of by the encryptor 
:  Random variable on induced by Alice using 
:  Random variable on induced by decryption of by the decryptor 
:  Random variable corresponding to the plaintext message Alice obtains at the end of the scheme. 
Disclosure
A preprint of a preliminary version of this manuscript can be found in [45].
Conflicts of Interest
The author declares that there are no conflicts of interest regarding the publication of this article.
Acknowledgments
Financial support from Infotech Oulu Graduate School and the following foundations is gratefully acknowledged: Finnish Foundation for Technology Promotion, the Nokia Foundation, Tauno Tönning Foundation, Walter Ahlström Foundation, and the Finnish Foundation for Economic and Technology Sciences (KAUTE).