Symmetric Blind Decryption with Perfect Secrecy
A blind decryption scheme enables a user to query decryptions from a decryption server without revealing information about the plain-text message. Such schemes are useful, for example, for the implementation of privacy-preserving encrypted file storages and payment systems. In terms of functionality, blind decryption is close to oblivious transfer. For noiseless channels, information-theoretically secure oblivious transfer is impossible. However, in this paper, we show that this is not the case for blind decryption. We formulate a definition of perfect secrecy of symmetric blind decryption for the following setting: at most one of the scheme participants is a passive adversary (honest-but-curious). We also devise a symmetric blind decryption scheme based on modular arithmetic on a ring , where is a prime, and show that it satisfies our notion of perfect secrecy.
Over the past 15 years, data has moved from local storage to centralized data warehouses in the cloud. The accessibility of large amounts of personal data through a public network has given rise to many security and privacy issues . Fortunately, such issues have generally been taken seriously. For example, in many countries, ethical and legal requirements have been imposed on guaranteeing the confidentiality of medical records [2, 3]. However, the implementation of privacy technologies is nontrivial, especially if the data storage has been outsourced to a cloud operator. Sensitive information can often be inferred from simple access patterns either by outsiders or by the operator of the storage. For example, being able to observe a medical doctor to access the medical record of a patient can leak sensitive information. Therefore, such access patterns should be kept hidden both from outsiders and from the party that is administering the records. Oblivious databases  and privacy-preserving encrypted file systems  are examples of technologies that can be used to hide the access information from the administrator. For such systems, the decryption of data is typically handled by a central decryption server. Such systems can be conveniently implemented using blind decryption schemes . Blind decryption is a versatile primitive. It can be used as a building block for many privacy-critical applications, such as privacy-preserving payment systems , key escrow systems, oblivious transfer protocols , privacy-preserving systems for digital rights management [9, 10], and private information retrieval . A blind decryption scheme consists of an encryption scheme together with a blind decryption protocol intended to decrypt messages in a privacy-preserving fashion. The meaning of “blind decryption” can be easily described based on the following scenario depicted in Figure 1. Suppose that Alice has obtained several encrypted messages from an encryptor. Alice is entitled to choose and decrypt exactly one of those messages. Suppose that the decryption key is stored on a decryption server and Alice wishes to have the server decrypt the message for her in such a way that neither the encryptor nor the decryptor learns the message chosen by Alice.
There are suggestions for practical blind decryption based on public-key cryptography [5, 6, 12–14]. It is also possible to implement the blind decryption functionality with other protocols such as secure multiparty computation . However, the resulting schemes would be computationally demanding. For many applications, symmetric primitives are sufficient and computationally more efficient. In addition, they can provide secrecy that is not based on computational assumptions. Oblivious transfer schemes [16, 17] deliver the same functionality directly between the sender and the receiver without the decryption server. However, for noiseless channels, information-theoretically secure oblivious transfer is impossible . In addition, blind decryption schemes do not seem to exist, such that the privacy of the user is based on information-theoretic security. Our work aims to fill this shortage. In this paper, we give a meaningful definition of perfect secrecy for the blind decryption scenario. In particular, we formulate perfect secrecy of symmetric blind decryption in a setting in which at most one of the participants is an adversary but adhering to the protocol (at most one of the participants is honest-but-curious). We also propose a symmetric key blind decryption scheme which satisfies our definition. The scheme is based on modular arithmetic on a ring , where is a prime. Our main contribution is theoretical. Perfect secrecy requires the key to be changed for each decryption. Therefore, many existing applications of blind decryption which are built on the public-key case in the computational security model are not directly applicable. However, for the first time, we are able to give a meaningful definition of perfect secrecy of blind decryption and to show that blind decryption is possible in the information-theoretic security model. Additional research is needed to show which applications are possible in this model.
The paper is organized as follows. In Section 2, we describe work that is related to ours. Section 3 discusses the fundamental definitions and the preliminaries for the rest of the paper. In Section 4, we formulate three perfect secrecy properties that the blind decryption scheme needs to satisfy. In Section 5, we give a description of a symmetric blind decryption scheme . In Section 6, we show that the devised scheme satisfies our definition of perfect secrecy. Finally, Section 7 considers future work and Section 8 provides the conclusion.
2. Related Work
Chaum was the first to consider blindness in the context of digital signatures and privacy-preserving payment systems . He described the first public-key blind signature scheme  by utilizing the properties of RSA encryption . The scheme can be also used for encryption and can be therefore considered as the first blind decryption scheme. In the early articles, blind decryption is referred to as “blind decoding.” Discrete logarithm based blind signature schemes were suggested in [21–24]. Sakurai and Yamane were the first to consider public-key blind decryption based on the discrete logarithm problem . Their method was based on ElGamal Cryptosystem  and related to the blind signature of Camenisch et al. . The method was later applied for the implementation of a key escrow system . Mambo et al. were the first to consider blind decryption that is secure against chosen plain-text attacks by signing the ciphertext messages . The resulting scheme is not capable of public-key encryption, since a secret signing key is required. Green described the first public-key blind decryption scheme  that is secure against adaptive chosen ciphertext attacks (IND-CCA2) using bilinear groups. The security of these constructions has been considered computationally either in the random oracle model  or using computational indistinguishability and infeasibility assumptions .
Oblivious transfer protocols are symmetric primitives that offer functionality similar to blind decryption. For oblivious transfer, there are two participants: a sender and a receiver. For the original definition of oblivious transfer, the sender transmits a message which the receiver gets with probability . The sender remains oblivious as to whether the receiver actually got the message. This form of oblivious transfer was introduced by Rabin . The concept was later extended by Even et al. . For -oblivious transfer, the receiver can choose one from two messages without the sender knowing which of the messages was chosen. A related concept that can be considered as a further generalization is all-or-nothing disclosure of secrets  for which Alice is willing to disclose at most one secret from a set to Bob without Bob learning information about the rest of the secrets. Alice must not learn which secret Bob chose. Adaptive queries were considered by Naor and Pinkas . They also considered active adversaries and provided security definitions related to the simulatability of the receivers. Camenisch, Neven, and Shelat extended the work of Naor and Pinkas by defining simulatable oblivious transfer  and providing practical constructions for such a scheme. There are other suggestions for oblivious transfer based on problems in bilinear groups , groups of composite order , and the Diffie-Hellman problem [32–37]. These schemes are based on computational assumptions. It is impossible to achieve information-theoretic security for both of the parties using noiseless channels . However, it is possible using noisy channels such as discrete memoryless channels  or a trusted initializer (shown by Rivest in 1999; see “unconditionally secure commitment and oblivious transfer schemes using private channels and a trusted initializer”). For the computational security setting, the functionality of oblivious transfer can be also implemented with public-key blind decryption using the method of Dodis et al. .
General multiparty computation protocols can be also applied to implement blind decryption capabilities. Secure multiparty computation was originally introduced by Yao  for the two-party case. The general case for is due to Goldreich et al. . However, secure multiparty computation protocols are computationally intensive in comparison to blind decryption and oblivious transfer.
For the set of integers modulo , we denote and equate a congruence class with its least nonnegative representative. That is, we consider . By the notation we mean the unique such that . We denote the uniform distribution on a set by . If a random variable is uniformly distributed on a set , we denote it by . When an element is sampled from , we denote it by .
3.2. Symmetric Encryption
A symmetric encryption scheme with key space , plain-text space , and ciphertext space consists of three algorithms:(1)The key generation algorithm : on inputting a security parameter , outputs a key (2)The encryption algorithm : on inputting a key and a message , outputs a ciphertext (3)The decryption algorithm : on inputting a key and a ciphertext , outputs a message such that
3.3. Blind Decryption
Blind decryption has been considered in the literature for the asymmetric case. However, in this paper, we are interested in the symmetric case that is easily adapted from the asymmetric one . A symmetric blind decryption scheme consists of a symmetric encryption scheme and a two-party protocol . The protocol is conducted between an honest user Alice and the decryption server which we shall call the decryptor. The protocol enables Alice, who is in possession of a ciphertext , to finish the protocol with the correct decryption of . As a result of running , Alice on inputting a ciphertext outputs either the message or an error message . The decryptor, on inputting the key , outputs nothing or an error message . To be secure, the exchanged messages must not leak information to malicious users (the leak-freeness property ). The property can be formalized based on computational indistinguishability. For every adversary, there has to be a simulator so that the following two games are well defined. For the first game, a probabilistic polynomial time (PPT) adversary can choose any number of ciphertexts for . It is then given the correct decryptions by executing with the decryptor. Finally, outputs the plain-text message and ciphertext pairs for . For the second game, a simulator chooses any number of ciphertexts for . In this game, the plain-text messages are obtained by querying a trusted party. is leak-free if for every PPT adversary there is a simulator such that for every PPT distinguisher the probability of distinguishing between these two games is negligible .
Another important property for secure blind decryption is the blindness property. It formalizes the idea that the decryptor must not learn anything about the actual plain-text message. This can be formalized by giving a PPT algorithm the possibility to choose two ciphertexts and giving it oracle access to two instances of based on these choices. If the probability of distinguishing these two instances is negligible for every PPT algorithm , then satisfies ciphertext blindness. For a formal and rigorous definition, see, for example, .
3.4. Perfect Secrecy
The notion of perfect secrecy is due to Shannon . Let be an encryption scheme with key space , plain-text space , and ciphertext space . Let denote a random variable on the key space induced by . satisfies perfect secrecy if, for every random variable on the plain-text space, every plain-text , and every ciphertext ,Equivalently, satisfies perfect secrecy if and only if, for every random variable on the plain-text space, every plain-text messages , and every ciphertext ,
4. Perfect Secrecy for Symmetric Blind Decryption
In this section, we formulate a condition for the perfect secrecy of blind decryption. Instead of computational indistinguishability, we consider secrecy of symmetric blind decryption based on the information observed by the parties. In the following, let together with be a symmetric blind decryption scheme with key space , plain-text space , and ciphertext space .
4.1. The Scenario
For the sake of clarity, we do not consider active adversaries. We assume that the parties adhere to the blind decryption protocol and only observe the flow of messages (and possibly deduce information from those messages). Active adversaries could, for example, induce errors to the protocol messages. Such adversarial scenarios are left for future work. In addition, we do not consider the case where the decryptor is colluding with either Alice or the encryptor against the other. Such a case is equivalent to the oblivious transfer scenario and information-theoretic security is impossible for noiseless channels . However, we note that such collusion scenarios are important for certain applications and need to be investigated in the future. We do consider the case where the adversary is impersonating one of the parties, which is a paramount requirement for many applications. For clarity, we also restrict ourselves to the case where Alice decrypts a single message . Similar to the one-time pad, we assume that a new key is derived after every decryption. However, in our case, there could be several ciphertexts encrypted under the same key. Nevertheless, once Alice has decrypted one of the messages, we consider that particular key used and a new key, and a new set of ciphertexts is generated.
The scenario is the following. The encryptor chooses a set of plain-text messages for . He encrypts those messages under a key to obtain ciphertext messages for that he transmits to Alice. Alice chooses one of those messages . To hide the actual ciphertext , we assume that there is a ciphertext transformation space so that Alice can derive a related ciphertext message that she transmits to the decryptor. The decryptor responds with its decryption which Alice transforms to the correct plain-text message . The general scenario has been depicted in Figure 2. The used variables have been collected into Notations for easier reference.
4.2. Security Requirements
As described in Section 3.2, the scheme has to satisfy the following property.
Outsiders must not learn information about the plain-text messages by observing the exchanges.
The easiest way to provide leak-freeness against outsiders is to protect each exchange with an encryption scheme that satisfies perfect secrecy. However, leakage also needs to be addressed considering the protocol participants. Considering each individual party, we can divide leak-freeness as follows.
(1) Leak-Freeness against the Encryptor. Honest-but-curious encryptor must not learn information about the plain-text message obtained by Alice at the end of the protocol by observing the blind decryption messages. The situation is depicted in Figure 3.
(2) Leak-Freeness against Alice. This property ensures that, after obtaining , Alice does not learn information about the remaining plain texts for . The situation is depicted in Figure 4.
In contrast to computational security, we cannot define leak-freeness as a distinguishing problem. Instead, we shall consider the probability distributions regarding the exchanged elements. We also want to prevent decryptor from deducing information about the plain-text message .
4.2.2. Blindness against the Decryptor
This property ensures that an honest-but-curious decryption server does not learn the message Alice wants to decrypt. The situation is depicted in Figure 5.
In the computational security setting, there can be multiple applications of the blind decryption protocol for a fixed key. In our case, we want a fresh key for every decryption to achieve perfect secrecy. Therefore, we formulate leak-freeness and blindness for a single decryption. However, as was described before, we want to be able to encrypt multiple messages with the same key. For example, in privacy-preserving payment systems, blind decryption is used to enable Alice to choose one (only one) item from a selection of items. This results in a scenario in which there are plain-text and ciphertext pairs for but there is only a single application of .
In the following section, we formulate these conditions based on information. Note that these conditions also provide secrecy against observers that are not participants of the scheme, since the information possessed by such observers is a proper subset of that of any of the participants. The following notation is used. Let denote the random variable of blind decryption keys on the key space induced by . Let for denote the random variables corresponding to the choice of for by the encryptor and let denote the random variable corresponding to the plain-text Alice obtains at the end of the scheme. Following the standard practice , we assume that is independent of and for every . Let denote the random variable on the ciphertext transformation space for the ciphertext message that Alice discloses to the decryptor. Finally, let denote the random variable corresponding to the message that the decryptor responds with. These variables have been collected into Notations.
4.3. Perfect Leak-Freeness against the Encryptor
We shall first formulate leak-freeness against the encryptor. The blind decryption protocol messages and should not disclose any information about to the encryptor. Equivalently, the messages should not leak information about that was chosen by Alice even if the encryptor knows the key and the right plain-text messages for .
Definition 1 (perfect leak-freeness against encryptor). A symmetric blind decryption scheme is perfectly leak-free against the encryptor for a single decryption of a maximum of messages if, for every random variable for on the plain-text space and every for and every ,Our definition states that an honest-but-curious encryptor can equally easily guess the plain-text message Alice wanted to be decrypted with or without information provided by the blind decryption protocol messages and . Note that, in the normal scenario, for some . However, we do not want to restrict the definition to such a case. For example, there could be homomorphic blind decryption schemes for which certain operations could be permitted on the ciphertexts. Note also that the encryptor inherently possesses more information about than an outsider, since is dependent on .
4.4. Perfect Leak-Freeness against Alice
In order to be practical, the scheme needs to ensure that Alice is not able to decrypt messages. Therefore, we need to ensure that Alice obtains neither the decryption key nor any information about the decryptions of without interacting with the decryptor. In addition, after a single application of , Alice must not have any information about the remaining messages. To make the requirement precise, we require that the observation of a single plain-text and ciphertext pair does not leak any information about the decryption of another ciphertext . The property is, in fact, a property of the encryption scheme.
Definition 2 (perfect leak-freeness against Alice). A symmetric encryption scheme satisfies perfect leak-freeness against Alice for a single decryption if, for every random variable on the plain-text space, every , and every , such that ,The condition states that the probability of obtaining the ciphertext pair is the same whether we encrypt or . That is, observation of the ciphertexts does not yield information about the decryption of even if we know the decryption of .
4.5. Perfect Blindness against the Decryptor
We still need to consider privacy against an honest-but-curious decryptor. It is reasonable to assume that have been delivered to Alice using a private channel. If the decryptor can observe for , it means that he knows the corresponding plain-text messages, since he is in possession of the blind decryption key. Therefore, it is natural to require that the ciphertexts be protected by a separate secure channel between Alice and the encryptor. For the blindness property, we want the server to learn nothing of the actual message that Alice derives at the end of the blind decryption scheme. In this case, the decryptor knows the correct key as well as the messages and exchanged with Alice.
Definition 3 (perfect ciphertext blindness against the decryptor). A symmetric blind decryption scheme satisfies perfect ciphertext blindness against the decryptor if, for every random variable on the plain-text space, every , and every The condition states that it is equally easy to guess the correct plain-text message with and without the information possessed by the decryptor. Note that we have assumed that have been delivered to Alice in perfect secrecy.
4.6. Perfect Secrecy for Symmetric Blind Decryption
Finally, we can state our definition of perfect secrecy based on the properties defined above.
Definition 4 (perfect secrecy of blind decryption). A symmetric blind decryption scheme consisting of a symmetric encryption scheme and a blind decryption protocol satisfies perfect secrecy for symmetric blind decryption for a single decryption of a maximum of messages against a single honest-but-curious party if the scheme is perfectly leak-free against the encryptor for a maximum of messages, is leak-free against Alice, and the scheme satisfies perfect ciphertext blindness against the decryptor.
5. A Concrete Blind Decryption Scheme
We shall now devise a blind decryption scheme that satisfies Definition 4. We shall implement our scheme using two tiers of symmetric encryption. For the outer tier, we apply a scheme that satisfies ordinary perfect secrecy. Let that scheme be denoted by . The outer encryption scheme will hide information about from the decryptor and also provide secrecy for and against the encryptor. To achieve perfect blindness and leak-freeness against Alice, we design an inner tier encryption scheme called that satisfies a useful transformation property which enables us to construct a blind decryption protocol . To sum up, our final construction will consist of two tiers of encryption and a protocol for Alice to query a single decryption from the decryptor. The general overview of the scheme is depicted in Figure 6. It would be possible to implement some of the required privacy properties with multiple applications of the one-time pad. For example, if , Alice could hide the plain-text message from the decryptor by querying for the decryption of , where is only known to Alice. The correct plain-text message would be obtained from by computing . However, such a protocol would leak to the decryptor, since would be needed for decryption. In addition, for a single decryption, the decryptor would have to maintain a set of keys which would quickly grow to an unmanageable size as grows. In contrast, the optimal key size for single decryption would be , where is the bit length of , assuming that each plain-text message is of the same bit length. Therefore, simply applying the one-time pad is not sufficient.
In the following, we first describe our inner encryption scheme that will provide perfect leak-freeness against Alice, as well as the required message transformation property. Then, we proceed to the description of a blind decryption protocol utilizing this scheme. Finally, we combine the inner encryption scheme with an outer encryption scheme that satisfies ordinary perfect secrecy and describe the complete blind decryption scheme.
5.1. The Inner Encryption Scheme
We shall first construct an inner encryption scheme called with some useful properties. Our inner scheme is based on modular arithmetic on the ring , where is a prime. Our plain-text space is and every is mapped to the ciphertext space . To satisfy Definition 2, we want to add an amount of randomness that is at least twice the binary length of in the encryption operation. Therefore, the keys of will consist of pairs . Let . Then,where . Therefore, we can essentially represent with two elements of . Using such a representation, we encrypt a single message by first sampling a random element and setting . Then, we add the key by computingwhich is the ciphertext message. To enable blinding, Alice needs to be able to transform into another ciphertext . The encryption operation entails such a transformation property that follows from the congruencefor every and such that . Let be a plain text and let be its encryption with . Let now be any ciphertext under the same key such that and let be the corresponding plain text. Since , we have , where . Now, by (8),from whichwhich enables us to compute using without the key . Namely, if we know a plain text and its encryption , we know the decryption of for every . The plain text can be computed by the transformation algorithm in Algorithm 1.
Let . The algorithm works becauseIn order to query the decryptor, Alice can transform a ciphertext into any such that . The algorithm can transform the corresponding plain text to the decryption of .
Decryption is straightforward knowing the key . Its operation, as well as the complete encryption scheme, is described below.
The plain-text and ciphertext spaces of depend on the chosen prime ; the plain-text space is , while the ciphertext space is . Let us show the correctness of the scheme. That is,for every key and plain text . Let . Then one hasand , where . Now,We shall later show that, given a single plain-text and ciphertext pair and a ciphertext such that , we still have information-theoretic security for . That is, satisfies perfect leak-freeness against Alice whenever for . However, suppose that we have two plain-text and ciphertext pairs such that . We can show that the key can be completely determined from such two pairs.
Proposition 6. For every plain-text and ciphertext pair such that , there is a unique key such that
Proof. Let such that and . Let also and . Then, we have a system of two equations:where are known. Now, letNote that since and , we have and is invertible modulo . Therefore, the equation pair has a unique solution:
Due to the transformation algorithm , we require that if Bob sends ciphertext messages to Alice, we have for every . Otherwise, it would be trivial for Alice to derive the decryptions of all of the ciphertexts from a single plain-text and ciphertext pair. Therefore, the maximum number of ciphertext messages under the same key is determined by .
5.2. Blind Decryption Protocol
Next, we give a description of a blind decryption protocol based on the transformation algorithm .
Definition 7 (). Suppose that the encryptor and the decryptor share a key intended for a single decryption by Alice. Furthermore, let Alice have an encrypted message that is not known to the decryptor. Finally, suppose that the prime is public knowledge. Let the protocol be defined by the following exchange between Alice and the decryptor: (1)Alice: compute and transmit it to the decryptor(2)Decryptor: reply with (3)Alice: compute the plain-text message Let us quickly check the correctness of . Let . Then, , where is the plain-text message. The decryptor replies withBut now Alice can computewhich is the correct plain-text message.
5.3. The Complete Blind Decryption Scheme
As was mentioned earlier, the communication between Alice and the encryptor has to be protected in order to prevent the decryptor from obtaining the plain-text messages corresponding to . If the decryptor can observe these ciphertext messages, it can freely decrypt all of them, since it knows the correct key. Therefore, we need to apply an outer encryption scheme that hides the ciphertext messages. The same solution is the easiest way to provide perfect leak-freeness against the encryptor, since it enables us to simplify the secrecy conditions. In our case, we want to protect both of these exchanges with an outer tier of encryption which provides perfect secrecy. Let be any symmetric encryption scheme that satisfies perfect secrecy such that the plain-text and ciphertext space is . We will be applying with both and together with to provide the required leak-freeness and blindness properties. The outer tier is composed in the following way. Alice and the encryptor share a set of keys . The encryptor protects each ciphertext message by computing for . It sends to Alice. Similarly, Alice and the decryptor share a pair of keys that are used to protect and . Alice sends to the decryptor that responds with . The resulting scheme is defined as follows.
Definition 8 (). Let be a symmetric encryption scheme such that the plain-text and ciphertext space is and let satisfy perfect secrecy. Let Alice and the encryptor share a set of keys . Let Alice and the decryptor share a pair of keys intended for a single blind decryption by Alice. Also let the encryptor and the decryptor share a blind decryption key , where , which is intended for single blind decryption by Alice. is determined by Box 1.
Note that we require that the parameter determining the size of the plain-text space satisfy to ensure that the generated prime satisfies and the scheme supports at least the encryption of messages.
6. Security of
We shall now consider the security of . We proceed to show that the devised scheme satisfies the three conditions formulated in Section 4: perfect leak-freeness against the encryptor, perfect leak-freeness against Alice, and perfect blindness against the decryptor.
6.1. Perfect Leak-Freeness against the Encryptor
Proposition 9. satisfies perfect leak-freeness against the encryptor for a single decryption of a maximum of messages, where is determined by .
Proof. The claim follows directly from the observation that the encryptor sees only and . By the description of , and are protected by encryption satisfying perfect secrecy and thus do not leak information to the encryptor.
It is easy to see that the outer tier of encryption is necessary. Suppose that the outer encryption scheme was not applied. Then would leak which would betray to the encryptor.
6.2. Perfect Blindness against Decryptor
We shall now prove that the decryptor does not get information about the plain-text message.
Proposition 10. satisfies perfect blindness against the decryptor for a single blind decryption.
Proof. Since are protected with perfect secrecy, we only need to show thatwhere and are the random variables associated with the messages and , respectively. Let denote the random variables corresponding to the key elements , respectively. The reply from the decryptor is completely determined by the key and the element , since . Therefore,Let us consider . By the description of the scheme, we have , where is the chosen index of Alice. But, for every , we have, by the description of , that . Therefore, is independent of and andfor every andfor any . By our assumption, is independent of and and therefore we havewhich shows our claim.
The proof shows that the decryptor (with the knowledge of the key and and ) does not gain any information about the plain-text message assuming that for have been delivered to Alice in perfect secrecy. Considering the secrecy against the decryptor, it would suffice to send without the additional level of encryption. However, the additional level is necessary to achieve leak-freeness against the encryptor.
6.3. Perfect Leak-Freeness against Alice
We shall now consider an honest-but-curious Alice and show that the observation of a single plain-text and ciphertext pair does not yield information about the decryption of for .
Proposition 11. satisfies perfect leak-freeness against Alice for a single decryption of a maximum of ciphertexts.
Proof. By the description of , the ciphertext messages are of different congruence class modulo . Let be random variables over the plain-text space . Let denote the random variables corresponding to the key elements . We have to show thatfor every and such that . Given a valid assignment for and , it suffices to show thatfor every . By Proposition 6, for every plain-text and ciphertext pair such that , there is a unique key . Therefore,By the definition of , and are independent and we have
We have now established the perfect secrecy of according to Definition 4.
6.4. The Parameters
An optimal encryption scheme, with plain-text space , that satisfies perfect leak-freeness against Alice for a single decryption needs bits of randomness for a key. achieves exactly this bound, since the plain-text space is and a single key contains bits of randomness. Assuming that messages and keys are represented by binary strings, we need bits of key to encrypt messages of length . For a single decryption with , the decryptor needs to store the key elements , as well as the keys . The keys are used to encrypt messages of . Therefore, bits for each of these keys suffice for perfect secrecy. In total, the decryptor needs to store key material of bits for a single decryption of a message of bit length . Since the ciphertext space is , the ciphertext’s length in bits is approximately twice the plain text’s length. Depending on the length of the plain-text messages and the needed maximum number of encryptions , we should therefore choose the smallest possible , since its bit size has no effect on the security of the scheme. Table 1 lists some possible choices for and the resulting key, plain text, and ciphertext lengths in bits. Note that for long plain-text messages the maximum number of messages is practically unlimited.
7. Future Work
There are two main drawbacks of the construction presented in this paper. First, we have not considered active adversaries. Similar to the one-time pad, we have only considered such adversaries that observe the flow of messages. For practical scenarios, we need to consider adversaries that actively induce errors into the protocol flow. However, such considerations are most naturally conducted in the computational infeasibility model which has been used, for instance, in . In the active adversaries setting, it would also be natural to consider the security of the devised scheme in the framework of computational indistinguishability such that the truly random keys are exchanged with pseudorandom bit strings. In particular, the computationally hard version of our scheme yields efficient practical implementation. The computational security model is also more appealing considering applications due to the limitations induced by the information-theoretic model. For example, in the information-theoretic security model, private information retrieval requires an amount of communication that is at least the size of the database . Similarly, in , a fresh key is needed for each decryption resulting in limitations regarding existing applications. For example, applications that require adaptive queries cannot be instantiated with , since a fresh key would be required for each query. We leave it for future research to consider and its possible generalizations and applications in the computational security model.
The second drawback is that we have only considered the case of a single adversary. While it does not make sense to consider a scenario where Alice is colluding with the encryptor against the decryptor, the scenario where the encryptor and the decryptor are colluding is an important one. For many scenarios, Alice cannot be certain whether the encryptor and the decryptor are in fact separate entities. However, if they are a single entity, the scenario is identical to oblivious transfer. We cannot achieve information-theoretic security in such a case . For example, it is easy to see that our construction fails for colluding encryptor and decryptor. If that is the case, we effectively remove the outer layer of encryption, which means that leaks to the adversary. To provide security against colluding encryptor and decryptor, we would need to detect such collusion or to turn to computational assumptions. We leave the question as an open problem for future research. Another interesting question for future work is to consider the case where we do not apply the outer layer of encryption from the encryptor to Alice. Thus far, we have defined perfect blindness so that the decryptor has absolutely no information about the plain-text message. However, we could relax the requirement so that, similar to leak-freeness against the encryptor, the information is conditioned on the plain texts . In other words, we could relax the requirement so that the decryptor may observe the selection (and the corresponding plain-text messages) given to Alice. Such relaxation is natural in the oblivious transfer case where the encryptor and the decryptor are the same entity. We could then define blindness as a property requiring only that the selection be hidden. It is again easy to see that our scheme without the outer layer of encryption fails such a property. If are not protected, then leaks . Similarly, attempting to convert into an oblivious transfer scheme using the method of Dodis et al. is impossible, since requires that the parties be truly separate. The unification of encryptor and decryptor leaks even in the computational security model . We leave this consideration also for future work.
In this paper, we give a definition of perfect secrecy for symmetric blind decryption in the setting where one of the parties may be malicious but adhering to the protocol of the scheme. We consider neither active adversaries nor the setting where two of the participants are colluding against the third. We construct a symmetric blind decryption scheme and show that it satisfies our definition of perfect secrecy. The scheme is based on two layers of encryption, where the inner layer utilizes a novel encryption scheme given in this paper. is based on modular arithmetic with as the ciphertext space, as the plain-text space, and as the key space, where is a prime. The security of is shown information-theoretically and does not depend on the size of . For a fixed blind decryption key, supports a single blind decryption from a selection of messages. For a single decryption of a message of bit length , the decryption server needs to store key material of bits.
|:||Ciphertext transformation space|
|:||Blind encryption/decryption key|
|:||The number of messages encrypted under a single blind decryption key|
|Plain-text messages chosen by the encryptor|
|:||Ciphertext messages obtained by encrypting with the blind encryption key|
|or :||Ciphertext message chosen by Alice|
|or :||Transformed ciphertext message chosen by Alice|
|or :||Decryption of under the blind decryption key|
|or :||The plain-text message Alice obtains at the end of the scheme.|
|:||Random variable on induced by|
|:||Random variables corresponding to the choice of by the encryptor|
|:||Random variable on induced by Alice using|
|:||Random variable on induced by decryption of by the decryptor|
|:||Random variable corresponding to the plain-text message Alice obtains at the end of the scheme.|
A preprint of a preliminary version of this manuscript can be found in .
Conflicts of Interest
The author declares that there are no conflicts of interest regarding the publication of this article.
Financial support from Infotech Oulu Graduate School and the following foundations is gratefully acknowledged: Finnish Foundation for Technology Promotion, the Nokia Foundation, Tauno Tönning Foundation, Walter Ahsltröm Foundation, and the Finnish Foundation for Economic and Technology Sciences (KAUTE).
Office for Civil Rights, United State Department of Health and Human Services, Medical privacy. national standards of protect the privacy of personalhealth-information, 2013, http://www.hhs.gov/ocr/privacy/hipaa/administrative/privacyrule/index.html.
European Parliament, Directive 95/46/EC of the European Parliament and of the Council of 24 october 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, 1995, http://eur-lex.europa.eu/.
S. Coull, M. Green, and S. Hohenberger, “Controlling access to an oblivious database using stateful anonymous credentials,” in Public key cryptography—PKC 2009, S. Jarecki and G. Tsudik, Eds., vol. 5443 of Lecture Notes in Computer Science, pp. 501–520, Springer, Berlin, Germany, 2009.View at: Publisher Site | Google Scholar | MathSciNet
D. Chaum, “Blind signatures for untraceable payments,” in Advances in Cryptology, D. Chaum, R. Rivest, and A. Sherman, Eds., pp. 199–203, Springer, Boston, Mass, USA, 1983.View at: Google Scholar
M. Green and S. Hohenberger, “Blind identity-based encryption and simulatable oblivious transfer,” in Advances in cryptology—ASIACRYPT 2007, K. Kurosawa, Ed., vol. 4833 of Lecture Notes in Computer Science, pp. 265–282, Springer, Berlin, Germany, 2007.View at: Publisher Site | Google Scholar | MathSciNet
K. Sakuraii, Y. Yamane, S. Miyazaki, and T. Inoue, “A key escrow system with protecting user's privacy by blind decoding,” in Information Security, E. Okamoto, G. Davida, and M. Mambo, Eds., vol. 1396 of Lecture Notes in Computer Science, pp. 147–157, Springer, Berlin, Germany, 1998.View at: Publisher Site | Google Scholar
M. O. Rabin, “How to exchange secrets with oblivious transfer,” TR-81, Aiken Computation Lab, Harvard University, Cambridge, Mass, USA, 1981.View at: Google Scholar
I. Damgård, J. Kilian, and L. Salvail, “On the (im)possibility of basing oblivious transfer and bit commitment on weakened security assumptions,” in Proceedings of the 17th International Conference on Theory and Application of Cryptographic Techniques (EUROCRYPT ’99), vol. 1999, pp. 56–73, Springer, Berlin, Germany.View at: Google Scholar
P. Horster, M. Michels, and H. Petersen, “Meta-Message recovery and Meta-Blind signature schemes based on the discrete logarithm problem and their applications,” in Advances in Cryptology—ASIACRYPT'94, J. Pieprzyk and R. Safavi-Naini, Eds., vol. 917 of Lecture Notes in Computer Science, pp. 224–237, Springer, Berlin, Germany, 1995.View at: Publisher Site | Google Scholar
J. L. Camenisch, J.-M. Piveteau, and M. A. Stadler, “Blind signatures based on the discrete logarithm problem,” in Advances in Cryptology—EUROCRYPT '94, A. De Santis, Ed., vol. 950 of Lecture Notes in Computer Science, pp. 428–432, Springer, Berlin, Germany, 1995.View at: Publisher Site | Google Scholar
M. Mambo, K. Sakurai, and E. Okamoto, “How to utilize the transformability of digital signatures for solving the oracle problem,” in Advances in Cryptology—ASIACRYPT '96, K. Kim and T. Matsumoto, Eds., vol. 1163 of Lecture Notes in Computer Science, pp. 322–333, Springer, Berlin, Germany, 1996.View at: Publisher Site | Google Scholar
G. Brassard, C. Crépeau, and J.-M. Robert, “All-or-nothing disclosure of secrets,” in Proceedings of the Advances in Cryptology (CRYPTO ’86), vol. 263, pp. 234–238, Springer, Santa Barbara, Cali, USA, 1987.View at: Google Scholar
M. Naor and B. Pinkas, “Oblivious transfer with adaptive queries,” in Advances in Cryptology—CRYPTO 99, M. Wiener, Ed., vol. 1666 of Lecture Notes in Computer Science, pp. 573–590, Springer, Berlin, Germany, 1999.View at: Google Scholar
S. A. Jarecki and X. Liu, “Efficient oblivious pseudorandom function with applications to adaptive OT and secure computation of set intersection,” in Theory of Cryptography, O. Reingold, Ed., vol. 5444 of Lecture Notes in Computer Science, pp. 577–594, Springer, Berlin, Germany, 2009.View at: Publisher Site | Google Scholar | MathSciNet
K. Kurosawa, R. Nojima, and L. T. Phong, “Efficiency-improved fully simulatable adaptive OT under the DDH assumption,” in Proceedings of the 7th International Conference on Security and Cryptography for Networks (SCN ’10), vol. 6280, pp. 172–181, Springer, Amalfi, Italy, September 2010.View at: Google Scholar
K. Kurosawa, R. Nojima, and L. T. Phong, “Generic Fully Simulatable Adaptive Oblivious Transfer,” in Applied Cryptography and Network Security, J. Lopez and G. Tsudik, Eds., vol. 6715 of Lecture Notes in Computer Science, pp. 274–291, Springer, Berlin, Germany, 2011.View at: Publisher Site | Google Scholar
B. Zhang, H. Lipmaa, C. Wang, and K. Ren, “Practical fully simulatable oblivious transfer with sublinear communication,” in Financial Cryptography and Data Security, A.-R. Sadeghi, Ed., vol. 7859 of Lecture Notes in Computer Science, pp. 78–95, Springer, Berlin, Germany, 2013.View at: Publisher Site | Google Scholar
V. Guleria and R. Dutta, “Efficient adaptive oblivious transfer without -type assumptions in UC framework,” in Information and Communications Security, L. C. K. Hui, S. H. Qing, E. Shi, and S. M. Yiu, Eds., vol. 8958 of Lecture Notes in Computer Science, pp. 105–119, Springer International Publishing, New York, NY, USa, 2015.View at: Publisher Site | Google Scholar | MathSciNet
C. Crépeau, K. Morozov, and S. Wolf, “Efficient unconditional oblivious transfer from almost any noisy channel,” in Security in Communication Networks, C. Blundo and S. Cimato, Eds., vol. 3352 of Lecture Notes in Computer Science, pp. 47–59, Springer, Berlin, Germany, 2005.View at: Publisher Site | Google Scholar
Y. Dodis, S. Halevi, and T. Rabin, “A cryptographic solution to a game theoretic problem,” in Proceedings of the 20th Annual International Cryptology Conference (CRYPTO '00), M. Bellare, Ed., vol. 1880 of Lecture Notes in Computer Science, pp. 112–130, Springer, Santa Barbara, Calif, USA, August 2000.View at: Google Scholar
J. Katz and Y. Lindell, Introduction to Modern Cryptography, Chapman & Hall, Boca Raton, Fla, USA, 2007.View at: MathSciNet
J. Partala, Symmetric blind decryption with perfect secrecy, CoRR, 2015, http://arxiv.org/abs/1510.06231.