2018-06-15 16:04:10 +02:00
parent 0882fb5238
commit b25d1b0a71
10 changed files with 481 additions and 173 deletions

@ -1,9 +1,132 @@
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%\chapter{Lattice-Based Oblivious Transfer with Access Control}
%\addcontentsline{tof}{chapter}{\protect\numberline{\thechapter} Transfert inconscient adaptatif avec contrôle d'accès à base de réseaux euclidiens}
%\label{ch:ot-lwe}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\begin{comment}
\section{Introduction}
\end{comment}
Oblivious transfer ($\mathsf{OT}$) is a central cryptographic primitive coined by Rabin~\cite{Rab81} and extended by Even \textit{et al.} \cite{EGL85}.
It involves a
sender $\mathsf{S}$ with a database of messages $M_1, \ldots, M_N$ and a receiver $\mathsf{R}$ with an index $\rho \in \{1,\ldots,N\}$. The
protocol allows $\mathsf{R}$ to retrieve the $\rho$-th entry $M_{\rho}$ from $\mathsf{S}$ without letting $\mathsf{S}$ infer anything
on $\mathsf{R}$'s choice $\rho$. Moreover, $\mathsf{R}$ only obtains $M_{\rho}$ learns nothing about $\{M_i\}_{i \neq \rho}$.
In its adaptive flavor \cite{NP99}, $\mathsf{OT}$ allows the receiver to interact $k$ times with $\mathsf{S}$ to retrieve
$M_{\rho_1},\ldots,M_{\rho_k}$ in such a way that, for each index $i \in \{2,\ldots,k\}$, the $i$-th index $\rho_{i} $ may depend on the messages
$M_{\rho_1},\ldots,M_{\rho_{i-1}}$ previously obtained by $\mathsf{R}$.
$\mathsf{OT}$ is known to be a complete building block for cryptography (as for example, \cite{GMW87}) in that, if it can be realized, then
any secure multiparty computation can be. In its adaptive variant, $\mathsf{OT}$ is motivated by applications in privacy-preserving access
to sensitive databases (e.g., medical records or financial data) stored in encrypted form on remote servers, oblivious searches or location-based
services.
As far as efficiency goes, adaptive $\mathsf{OT}$ protocols should be designed in such a way that, after an inevitable initialization phase with
linear communication complexity in $N$ and the security parameter $\lambda$, the complexity of each transfer is at most poly-logarithmic in $N$. At the same time, this asymptotic efficiency should not come at the expense of sacrificing ideal security properties.
The most efficient adaptive $\mathsf{OT}$ protocols that satisfy the latter criterion stem from the work of Camenisch, Neven and shelat
\cite{CNS07} and its follow-ups \cite{GH07,GH08,GH11}.
In its basic form, (adaptive) $\mathsf{OT}$ does not restrict in any way the population of users who can obtain specific records. In many
sensitive databases (e.g., DNA databases or patients' medical history),
however, not all users should be able to download all records: it is vital access to certain entries be conditioned on the receiver holding suitable credentials delivered by authorities. At the same time, privacy protection mandates that authorized users be able to query database records while
leaking as little as possible about their interests or activities. In medical datasets, for example, the specific entries retrieved by a given doctor
could reveal which disease his patients are suffering from. In financial or patent datasets, the access pattern of a company could betray its investment
strategy or the invention it is developing.
In order to combine user-privacy and fine-grained database security, it is thus desirable to enrich adaptive $\mathsf{OT}$ protocols with refined access control mechanisms in many of their natural use cases.
This motivated Camenisch, Dubovitskaya and Neven \cite{CDN09} to introduce
a variant
named \textit{ oblivious transfer with access control} (OT-AC), where each database record is protected by a different access control policy $P : \{0,1\}^\ast
\rightarrow \{0,1\}$.
Based on their attributes, users can obtain credentials generated by pre-determined authorities, which entitle them to anonymously retrieve database records of which the access policy accepts their certified attributes: in other words, the user can only download the records for which he has a
valid credential $\mathsf{Cred}_x$ for an attribute string $x \in \{0,1\}^\ast$ such that
$P(x)=1$. During the transfer phase, the user demonstrates possession of a pair $(\mathsf{Cred}_x,x)$ and simultaneously
convinces the sender that he is querying some record $M_{\rho}$ associated with a policy $P$ such that $P(x)=1$. The only
information that the database holder eventually learns is that some user retrieved some record which he was authorized to obtain.
Camenisch \textit{et al.} formalized the OT-AC primitive and provided a construction in groups with a bilinear map \cite{CDN09}.
While efficient, their solution ``only'' supports access policies consisting of conjunctions: each policy $P$ is specified by a list
of attributes that a given user should obtain a credential for in order to complete the transfer. Several subsequent works
\cite{ZAW+10,CDNZ11,CDEN12}
considered more expressive access policies while even hiding the access policies in some cases \cite{CDNZ11,CDEN12}. Unfortunately,
all of them rely on non-standard assumptions (known as ``$q$-type assumptions'' as described in~\cref{ch:proofs}) in groups with a bilinear maps. For the sake of not putting
all one's eggs in the same basket, a primitive as powerful as OT-AC ought to have alternative realizations based on firmer foundations.
In this chapter, we propose a solution based on lattice assumptions where access policies consist of any branching program of width $5$,
which is known \cite{Bar86} to suffice for the realization of any access policy in $\mathsf{NC1}$. As a result of independent interest, we provide
protocols for proving the correct evaluation of a committed branching program. More precisely, we give zero-knowledge arguments for demonstrating possession of a secret input $\mathbf x \in \{0,1\}^\kappa$ and
a secret (and possibly certified) branching program $\BPR$ such that $\BPR(\mathbf x)=1$.
\index{Complexity classes!$\mathsf{NC}1$}
\paragraph{Related Work.}
Oblivious transfer with adaptive queries dates back to the work of Naor and Pinkas \cite{NP99}, which
requires $O( \log N)$ interaction rounds per transfer.
Naor and Pinkas \cite{NP05} also gave generic constructions of
(adaptive) $k$-out-of-$N$ OT from private information retrieval (PIR) \cite{CGKS95}. The constructions of~\cite{NP99,NP05}, however, are only secure in the half-simulation model, where simulation-based
security is only considered for one of the two parties (receiver security being formalized in terms of a game-based definition).
Moreover, the constructions of Adaptive OT from PIR \cite{NP05}
requires a complexity $O(N^{1/2})$ at each transfer where Adaptive OT allows for $O(\log N)$ cost.
Before 2007, many OT protocols (e.g., \cite{NP01,AIR01,tau05}) were analyzed in terms of half-simulation.
While several efficient fully simulatable protocols appeared the last 15 years (e.g., \cite{DN03,Lin08,PVW08} and references therein),
full simulatability
remained elusive in
the adaptive $k$-out-of-$N$ setting \cite{NP99} until the work~\cite{CNS07} of
Camenisch, Neven and shelat, who introduced the ``assisted decryption''
paradigm. The latter consists in having the sender obliviously decrypt a re-randomized version of one of the original ciphertexts contained in the database. This technique served as a blueprint for many subsequent protocols \cite{GH07,GH08,GH11,JL09}, including those with access control
\cite{CDN09,CDNZ11,CDEN12,ACDN13} and those presented in this chapter. In the adaptive $k$-out-of-$N$ setting (which we denote as \OTA),
the difficulty is to achieve full simulatability without having to transmit a $O(N)$ bits at each transfer. To our knowledge, except
the oblivious-PRF-based approach of Jarecki and Liu \cite{JL09},
all known fully simulatable \OTA protocols rely on bilinear maps\footnote{Several
pairing-free candidates were suggested in \cite{KPN10,KPN11} but, as pointed out in \cite{GH11},
they cannot achieve full simulatability in the sense of \cite{CNS07}. In particular, the sender can detect if the receiver fetches the same
record in two distinct transfers.
%The constructions of \cite{KN09} do achieve full simulatability but each transfer costs $\Theta(N)$ bits in terms
%of communication.
}. A recent work of D\"ottling \textit{et al.}~\cite{DFKS16} uses non-black-box techniques to realize $\LWE$-based $2$-round oblivious PRF (OPRF) protocols~\cite{FIPR05}. However, while fully simulatable OPRFs imply \cite{JL09}
fully simulatable adaptive OT, the OPRF construction of~\cite{DFKS16} does not satisfy the standard
notion of full simulation-based security against malicious adversaries (which is impossible to achieve in two rounds). It also relies on the full power of
homomorphic encryption, which we do not require.
A number of works introduced various forms of access control in OT. Priced OT \cite{AIR01}
assigns variable prices to all database records. In conditional OT \cite{DCOR99}, access to a record is made contingent on the user's secret
satisfying some predicate. Restricted OT \cite{Her11} explicitly protects each record with an independent access policy. Still, none of these
OT flavors aims at protecting the anonymity of users. The model of Coull, Green and Hohenberger \cite{CGH09} does consider user anonymity via stateful
credentials. For the applications of OT-AC, it would nevertheless require re-issuing user credentials at each transfer.
While efficient, the initial OT-AC protocol of Camenisch \textit{et al.} \cite{CDN09} relies on non-standard
assumptions in groups with a bilinear map and only realizes access policies made of conjunctions. Abe \textit{et al.} \cite{ACDN13}
gave a different protocol which they proved secure under more standard assumptions in the universal composability framework \cite{Can01}.
Their policies, however, remain limited to conjunctions. It was mentioned in \cite{CDN09,ACDN13}
that disjunctions and DNF formulas can be handled by duplicating database entries. Unfortunately, this approach rapidly
becomes prohibitively expensive in the case of $(t,n)$-threshold policies with $t \approx n/2$.
Moreover, securing the protocol against malicious senders
requires them to prove that
all duplicates encrypt the same message. More expressive policies were considered by Zhang \textit{et al.} \cite{ZAW+10} who
gave a construction based on attribute-based encryption \cite{SW05} that
extends to access policies expressed by any Boolean formulas (and thus $\mathsf{NC}1$ circuits).
Camenisch, Dubovitskaya, Neven and Zaverucha \cite{CDNZ11} generalized the OT-AC functionality so as
to hide the access policies. In \cite{CDEN12}, Camenisch \textit{et al.} gave a more efficient
construction with hidden policies based on the attribute-based
encryption scheme of \cite{NYO08}. At the expense of a proof in the generic group model, \cite{CDEN12} improves upon the expressiveness
of \cite{CDNZ11} in that its policies
extend into CNF formulas. While the solutions of \cite{CDNZ11,CDEN12} both hide the access policies to users (and the successful termination
of transfers to the database), their policies can only live in a proper subset of $\mathsf{NC1}$. As of now,
threshold policies can only be efficiently handled by the ABE-based construction of Zhang \textit{et al.} \cite{ZAW+10}, which requires
\textit{ad hoc} assumptions in groups with a bilinear map.
\bigskip
In the forthcoming sections, we first present the adaptive oblivious transfer scheme and its access control flavour, then we present the needed building blocks, in particular a simpler version of the signature scheme presented in~\cref{se:gs-lwe-sigep}.
We next present our constructions and the zero-knowledge protocol to guarantee the correct execution of a branching program.
Finally, we close this chapter with the description of a shift of our scheme from the standard model to the random oracle model to reduce the communication complexity cost, and a comparison table between the different existing solutions.
\section{Adaptive Oblivious Transfer}
\label{sec:def-OT}
In the syntax of \cite{CNs07}, an adaptive $k$-out-of-$N$ OT scheme $\OT_k^N$ is a tuple of stateful $\ppt$ algorithms $(\SI, \RI, \ST, \RT)$.
\index{Adaptive Oblivious Transfer}
In the syntax of \cite{CNS07}, an adaptive $k$-out-of-$N$ OT scheme $\OT_k^N$ is a tuple of stateful $\ppt$ algorithms $(\SI, \RI, \ST, \RT)$.
The sender $\mathsf{S}=(\SI,\ST)$ consists of two interactive algorithms $\SI$ and $\ST$ and the receiver has a similar representation as algorithms $\RI$ and $\RT$.
In the \textit{initialization phase}, the sender and the receiver run interactive algorithms $\SI$ and $\RI$, respectively, where $\SI$ takes as input messages $M_1, \ldots, M_N$ while $\RI$ has no input.
This phase ends with the two algorithms $\SI$ and $\RI$ outputting their state information $S_0$ and $R_0$ respectively.
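Review bot: the rewritten introduction still carries several grammar slips that will survive into the built PDF: `Moreover, $\mathsf{R}$ only obtains $M_{\rho}$ learns nothing about` needs `and` before `learns`; `it is vital access to certain entries be conditioned` needs `that` after `vital`; `in groups with a bilinear maps` should be `a bilinear map`; `the constructions of Adaptive OT from PIR \cite{NP05} requires` should be `require`; `transmit a $O(N)$ bits` should drop the `a`. The complexity class is also typeset in two ways (`$\mathsf{NC1}$` in the body, `$\mathsf{NC}1$` in the `\index` entry and later in the related-work paragraph); pick one macro, e.g. `$\mathsf{NC}^1$`, so the index entry and the body agree.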
@ -15,14 +138,14 @@ The sender starts runs $\ST(S_{i-1})$ to obtain its updated state information
We consider protocols that are secure (against static corruptions) in the sense of simulation-based definitions. The security
properties against a cheating sender and a cheating receiver are formalized via the ``real-world/ideal-world'' paradigm. The
security definitions of \cite{CNs07} are recalled in the following Section.
security definitions of \cite{CNS07} are recalled in the following Section.
\subsection{Security Definitions for Adaptive $k$-out-of-$N$ Oblivious Transfer} \label{def-AOT}
Security is defined via the ``real-world/ideal-world'' paradigm which was first introduced in the Universal Composability (UC) framework~\cite{Can01}. Like \cite{CNs07,CDN09}, however, we do not incorporate all the formalities of the UC framework.
Security is defined via the ``real-world/ideal-world'' paradigm which was first introduced in the Universal Composability (UC) framework~\cite{Can01}. Like \cite{CNS07,CDN09}, however, we do not incorporate all the formalities of the UC framework.
We define two experiments: the \textbf{Real} experiment, where the two parties run the actual protocol, and the \textbf{Ideal} experiment wherein a \textit{trusted third party} assumes the role of the functionality.
The model of \cite{CNs07} formalizes two security notions called \textit{sender security} and \textit{receiver security}.
The model of \cite{CNS07} formalizes two security notions called \textit{sender security} and \textit{receiver security}.
The former considers the security of honest senders against cheating senders whereas the latter considers the security of honest receivers interacting
with malicious senders.
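Review bot: the sentence `The former considers the security of honest senders against cheating senders` inverts the roles: sender security protects an honest sender against a cheating receiver, as Definition~\ref{def:sender-sec} below states, so it should read `against cheating receivers`. Minor: `the following Section` does not need the capital.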
@ -65,6 +188,7 @@ $\rho_i$, the definition prevents the cheating sender
$\hS'$ from deciding to cause a failure of the transfer for specific values of $\rho_i$.
\begin{definition}[Sender Security] \label{def:sender-sec}
\index{Adaptive Oblivious Transfer!Sender Security}
An $\OT_k^N$ protocol is \textit{sender-secure} if, for any PPT real-world cheating receiver $\hR$, there exists a PPT ideal-world receiver $\hR'$ such that, for any polynomial $N_m(\lambda)$, any $N \in [N_m(\lambda)]$, any $k \in [N]$, any messages $M_1, \ldots, M_N$, and any indices $\rho_1, \ldots, \rho_k \in [N]$, no PPT distinguisher can separate the two following distributions with noticeable advantage:
\[ \mathbf{Real}_{\mathsf{S},\hR}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k) \]
and
@ -72,6 +196,7 @@ $\hS'$ from deciding to cause a failure of the transfer for specific values of $
\end{definition}
\begin{definition}[Receiver Security] \label{def:receiver-sec}
\index{Adaptive Oblivious Transfer!Receiver Security}
An $\OT_k^N$ protocol is \textit{receiver-secure} if, for any PPT real-world cheating sender $\hS$, there exists a PPT ideal-world sender $\hS'$ such that, for any polynomial $N_m(\lambda)$, any $N \in [N_m(\lambda)]$, any $k \in [N]$, any messages $M_1, \ldots, M_N$, and any indices $\rho_1, \ldots, \rho_k \in [N]$, no PPT distinguisher can tell apart the two following distributions with non-negligible advantage:
\[ \mathbf{Real}_{\hS,\mathsf{R}}(N, k, M_1, \ldots, M_N, \rho_1, \ldots, \rho_k) \]
and
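Review bot: the two definitions use different words for the same quantity: sender security says `no PPT distinguisher can separate the two following distributions with noticeable advantage` while receiver security says `tell apart the two following distributions with non-negligible advantage`; use one phrasing in both, since the definitions are meant to be symmetric.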
@ -102,6 +227,7 @@ The distribution of outputs of the environment in the different settings is deno
\medskip
\begin{definition}
\index{Adaptive Oblivious Transfer!with Access Control}
An AC-OT protocol is said to securely implement the functionality if for any real-world adversary $\adv$ and any real world environment $\mathcal E$, there exists an ideal-world simulator $\mathcal A'$ controlling the same parties in the ideal-world as $\adv$ does in the real-world, such that
\[ | \mathbf{Real}_{\mathcal E, \adv}(\lambda) - \mathbf{Ideal}_{\mathcal{E}, \adv}(\lambda) | \leq \negl(\lambda). \]
\end{definition}
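Review bot: in the displayed inequality the ideal experiment is indexed by the real-world adversary, `\mathbf{Ideal}_{\mathcal{E}, \adv}(\lambda)`, although the sentence introduces the simulator `$\mathcal A'$` as the party controlling the corrupted parties in the ideal world; it should be `\mathbf{Ideal}_{\mathcal{E}, \mathcal{A}'}(\lambda)`. Also `any real world environment` should be hyphenated like `real-world adversary` in the same sentence.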
@ -175,8 +301,9 @@ We consider a stateful variant of the scheme in Section \ref{se:gs-lwe-sigep}
In the modified scheme hereunder, the string $\tau \in \{0,1\}^\ell$ is an $\ell$-bit counter maintained by the signer to keep track of the number of previously signed messages.
This simplified variant resembles
the $\mathsf{SIS}$-based signature scheme of B\"ohl \textit{et al.} \cite{BHJ+15}. \\
\indent In this version, the message space is $ \{0,1\}^{n \lceil \log q \rceil} $ so that vectors of $\Zq^n$ can be signed by first decomposing them using
the $\mathsf{SIS}$-based signature scheme of B\"ohl \textit{et al.} \cite{BHJ+15}.
In this version, the message space is $ \{0,1\}^{n \lceil \log q \rceil} $ so that vectors of $\Zq^n$ can be signed by first decomposing them using
$\mathsf{vdec}_{n,q-1}(.)$.
\begin{description}
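Review bot: `$\tau \in \{0,1\}^\ell$ is an $\ell$-bit counter maintained by the signer` implicitly bounds the number of signatures by $2^\ell$, and the security argument below (`bounded message secure`, $Q$ queries, Type II attacks recycling a tag) relies on tags never repeating; state the requirement $Q \le 2^\ell$, and that the signer must never reuse or roll back the counter, next to the definition rather than leaving it implicit. Cosmetic: `$\mathsf{vdec}_{n,q-1}(.)$` should use `\cdot` for the placeholder argument.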
@ -235,7 +362,6 @@ The scheme is bounded message secure under non-adaptive chosen-message attacks i
\item[Type II attacks,] where in the adversary's forgery $sig^\star = (\tau^\star, \mathbf v^\star)$, $\tau^\star$ has been recycled from an output $sig^{(i^\star)} = \bigl(\tau^{(i^\star)}, \mathbf v^{(i^\star)} \bigr)$ of the signing oracle for some query $i^\star \in \{ 1, \ldots, Q \}$.
\end{description}
\noindent
Lemma~\ref{le-type1-RMA} states that the signature scheme is secure against Type I forgery using the same technique as is~\cite{ABB10,Boy10,MP12}.
Lemma~\ref{le-type2-RMA} claims that the signature scheme resists Type II attacks, with a proof that is very similar to the one of Lemma~\ref{le-type1-RMA}. Both security proofs assume the computational hardness of the $\SIS$ problem.
\end{proof}
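Review bot: `using the same technique as is~\cite{ABB10,Boy10,MP12}` should read `as in`. The two lemmas are also named asymmetrically (`secure against Type I forgery` versus `resists Type II attacks`); the `\item[Type II attacks,]` label in the description list suggests `attacks` for both.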
@ -254,7 +380,7 @@ The scheme is bounded message secure under non-adaptive chosen-message attacks i
At first, $\bdv$ calls $\adv$ to obtain the messages to be queried: $\mathfrak m^{(1)}, \ldots, \mathfrak m^{(Q)}$.
For the sake of readability, let us define $\tau^{(i)} = i$, viewed as a bit-string, to be the tag corresponding to the $i$-th signature in our scheme. \medskip
\noindent \textbf{Setup.} As in~\cite{HW09}, the reduction guesses the shortest prefix such that the string $\tau^\star$ embedded in $\adv$'s forgery differs from all prefixes to $\{\tau^{(1)}, \dots, \tau^{(Q)}\}$.
\textbf{Setup.} As in~\cite{HW09}, the reduction guesses the shortest prefix such that the string $\tau^\star$ embedded in $\adv$'s forgery differs from all prefixes to $\{\tau^{(1)}, \dots, \tau^{(Q)}\}$.
To achieve this, $\bdv$ chooses at random $i^\dag \sample U(\{1, \ldots, Q\})$ and $t^\dag \sample U(\{1, \ldots, \ell\})$.
Then, with probability $1/(Q \cdot \ell)$, the longest common prefix between $\tau^\star$ and one of the tags $\{ \tau^{(i)} \}_{i = 1}^{Q}$ is the string $\tau^\star[1] \cdots \tau^\star[t^\dag - 1] \in \bit^{t^\dag - 1}$: the first $(t^\dag - 1)$-th bits of $\tau^\star$.
Let us define $\tau^\dag = \tau^\star_{\mid t^\dag}$, where $s_{|i}$ denotes the $i$-th prefix for a string~$s$.
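Review bot: `the first $(t^\dag - 1)$-th bits of $\tau^\star$` should be `the first $(t^\dag - 1)$ bits`, and `differs from all prefixes to` should be `prefixes of`. The prefix notation is also introduced with two different symbols in one sentence, `$\tau^\star_{\mid t^\dag}$` versus `$s_{|i}$`; use `\mid` (or `|`) in both.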
@ -283,17 +409,17 @@ The scheme is bounded message secure under non-adaptive chosen-message attacks i
To finish, $\bdv$ samples a short vector $\mathbf e_u \in D_{\ZZ^m, \sigma}$ and computes the vector $\mathbf u = \bar{\mathbf A} \cdot \mathbf e_u$. The following public key is finally given to \adv:
\[ PK := (\mathbf A, \{ \mathbf A_j \}_{j=0}^\ell, \mathbf D, \mathbf u). \]
\noindent \textbf{Signing queries.} To handle signature queries, the reduction $\bdv$ uses the trapdoor $\mathbf{T_C} \in \ZZ^{m \times m}$ to generate a signature.
\textbf{Signing queries.} To handle signature queries, the reduction $\bdv$ uses the trapdoor $\mathbf{T_C} \in \ZZ^{m \times m}$ to generate a signature.
To this end, $\bdv$ starts by computing the vector $\mathbf u_M = \mathbf u + \mathbf D \cdot \mathfrak m^{(i)}$.
Then $\bdv$ can use $\mathbf{T_C}$ with the algorithm \textsf{SampleRight} from Lemma~\ref{lem:sampler} to
compute a short vector $\mathbf v^{(i)}$ in $D_{\Lambda^\perp(\mathbf A_{\tau^{(i)}}), \sigma}^{\mathbf u_M}$, distributed like a
valid signature and satisfying the verification equation~\eqref{ver-eq-block}.
\medskip
\noindent \textbf{Output.} At some point, the attacker $\adv$ halts and outputs a \textit{valid} signature $sig^\star = (\tau^\star, \mathbf v^\star)$ for a message $\mathfrak m^\star \notin \{ \mathfrak{m}^{(1)}, \ldots, \mathfrak{m}^{(Q)}\}$.
\textbf{Output.} At some point, the attacker $\adv$ halts and outputs a \textit{valid} signature $sig^\star = (\tau^\star, \mathbf v^\star)$ for a message $\mathfrak m^\star \notin \{ \mathfrak{m}^{(1)}, \ldots, \mathfrak{m}^{(Q)}\}$.
Since the signature is valid, it satisfies $\| \mathbf v^\star \| \leq \sigma \sqrt{2m}$.
\noindent Parsing $\mathbf v^\star$ as $[ \mathbf{v}_1^\star \mid \mathbf{v}_2^\star]$ with $\mathbf v_1^\star, \mathbf v_2^\star \in \ZZ^m$ and injecting it in~\eqref{ver-eq-block} give:
Parsing $\mathbf v^\star$ as $[ \mathbf{v}_1^\star \mid \mathbf{v}_2^\star]$ with $\mathbf v_1^\star, \mathbf v_2^\star \in \ZZ^m$ and injecting it in~\eqref{ver-eq-block} give:
\begin{align*}
\Bigr[ \bar{\mathbf A} ~\Big|~ \bar{\mathbf A} \cdot \bigl(\mathbf Q_0 + \sum_{j=1}^\ell \tau^\star[j] \cdot \mathbf Q_j\bigr) \Bigl] \cdot \begin{bmatrix} \mathbf v_1^\star \\ \hline \mathbf v_2^\star \end{bmatrix}
& = \mathbf u + \mathbf D \cdot \mathfrak m^\star \mod q \\
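Review bot: the delimiter sizes in the `align*` block are swapped: `\Bigr[ \bar{\mathbf A} ~\Big|~ ... \Bigl]` opens with `\Bigr` and closes with `\Bigl`, which gives the wrong spacing around the bracket; it should be `\Bigl[ ... \Bigr]`. Also `injecting it in~\eqref{ver-eq-block} give:` should be `gives:`.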
@ -316,11 +442,11 @@ The scheme is bounded message secure under non-adaptive chosen-message attacks i
We will prove this result using techniques analogous to the previous proof. We show that given an adversary $\adv$ that comes out with a Type II signature in the \textsf{na-CMA} game with non negligible probability $\varepsilon$, we can construct a PPT $\bdv$ that breaks the $\SIS$ assumption with advantage $\varepsilon/Q$ using $\adv$.
\medskip
\noindent Firstly, the reduction $\bdv$ is given a matrix $\mathbf{A} \in \Zq^{n \times m_d}$ as input and has to output an integer vector $\mathbf v \in \ZZ^{m_d}$ in $\Lambda^\perp_q(\mathbf{A})$ such that $0 < \| \mathbf v \| \leq \beta''$.
Firstly, the reduction $\bdv$ is given a matrix $\mathbf{A} \in \Zq^{n \times m_d}$ as input and has to output an integer vector $\mathbf v \in \ZZ^{m_d}$ in $\Lambda^\perp_q(\mathbf{A})$ such that $0 < \| \mathbf v \| \leq \beta''$.
Next, $\bdv$ receives from $\adv$ the messages $\mathfrak{m}^{(1)}, \ldots, \mathfrak{m}^{(Q)}$ for which $\adv$ will further ask signature queries.
\medskip
\noindent To compute the public key, at the outset of the game, the reduction $\bdv$ starts by sampling $i^\dag \sample U(\{1, \ldots, Q\})$ corresponding to the guess that $\adv$'s forgery will recycle $\tau^{(i\dag)}$.
To compute the public key, at the outset of the game, the reduction $\bdv$ starts by sampling $i^\dag \sample U(\{1, \ldots, Q\})$ corresponding to the guess that $\adv$'s forgery will recycle $\tau^{(i\dag)}$.
This is independent of $\adv$'s view, and the guess will be correct with probability $1/Q$.
Using this guess to compute $PK$, the reduction $\bdv$ picks $h_0, \ldots, h_\ell \in \Zq$ subject to the constraints
\begin{equation} \label{eq:h-constraints}
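Review bot: `$\tau^{(i\dag)}$` in `the guess that $\adv$'s forgery will recycle $\tau^{(i\dag)}$` is missing the superscript caret and typesets as `i‡` instead of `i^\dag`; it should be `$\tau^{(i^\dag)}$` as in the later `$\mathbf A_{\tau^{(i^\dag)}}$`. Wording: `comes out with a Type II signature` reads better as `outputs a Type II forgery`, and `non negligible` should be hyphenated.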
@ -330,7 +456,7 @@ The scheme is bounded message secure under non-adaptive chosen-message attacks i
\end{cases}
\end{equation}
\noindent \bdv then runs $(\mathbf C, \mathbf{T_C}) \gets \TrapGen(1^n, 1^m, q)$.
\bdv then runs $(\mathbf C, \mathbf{T_C}) \gets \TrapGen(1^n, 1^m, q)$.
The resulting matrix $\mathbf C \in \Zq^{n \times m}$ is statistically random, and the trapdoor $\mathbf{T_C} \in \ZZ^{m \times m}$ is a short basis of $\Lambda^\perp_q(\mathbf C)$.
Next \bdv re-randomize $\mathbf{A}$ using short matrices $\mathbf S, \mathbf S_0, \mathbf S_1, \ldots, \mathbf S_\ell \in \ZZ^{m_d \times m}$ which are obtained by sampling their columns from the distribution $D_{\ZZ^{m_d}, \sigma}$.
The challenger $\bdv$ then uses these matrices to define:
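Review bot: `\bdv then runs` and `Next \bdv re-randomize` use the `\bdv` macro outside math mode while the rest of the proof writes `$\bdv$`; also `re-randomize` should be `re-randomizes`. `The challenger $\bdv$` is inconsistent with the rest of the proof, where $\bdv$ is the reduction and the challenger is the $\SIS$ challenger that supplies $\mathbf{A}$; call it `the reduction $\bdv$`.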
@ -345,7 +471,7 @@ The scheme is bounded message secure under non-adaptive chosen-message attacks i
\mathbf u = \mathbf A_{\tau^{(i^\dag)}} \cdot \begin{bmatrix} \mathbf v_1^{\dag} \\\hline \mathbf v_2^{\dag} \end{bmatrix} - \mathbf{A} \cdot \mathfrak m^{(i^\dag)} \mod q.
\end{equation}
\noindent Finally, $\bdv$ sends to $\adv$ the public key
Finally, $\bdv$ sends to $\adv$ the public key
\[ PK := \bigl( \mathbf A, \{\mathbf A_j \}_{j=0}^\ell, \mathbf D, \mathbf u \bigr) \]
which is distributed as the $PK$ of the real scheme.
\smallskip \smallskip
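Review bot: the displayed definition `\mathbf u = \mathbf A_{\tau^{(i^\dag)}} \cdot [\mathbf v_1^{\dag} \mid \mathbf v_2^{\dag}] - \mathbf{A} \cdot \mathfrak m^{(i^\dag)} \mod q` subtracts a term in the $\SIS$ input $\mathbf{A} \in \Zq^{n \times m_d}$, whereas the relation used when answering signing queries is `\mathbf u_M = \mathbf u + \mathbf D \cdot \mathfrak m^{(i)}`; for $sig^{(i^\dag)}$ to satisfy \eqref{ver-eq-block} the subtracted term should involve $\mathbf D$ (and $\mathbf{A}$'s column count $m_d$ is not the message length $n \lceil \log q \rceil$ unless stated). Either change it to `\mathbf D \cdot \mathfrak m^{(i^\dag)}` or state where $\mathbf D$ is derived from $\mathbf A$ in the elided lines. `\smallskip \smallskip` should be a single `\medskip`.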
@ -366,7 +492,7 @@ The scheme is bounded message secure under non-adaptive chosen-message attacks i
To answer this specific query, the challenger $\bdv$ returns $sig^{(i^\dag)} = (\tau^{(i^\dag)}, \mathbf v^{(i^\dag)})$ where $\mathbf v^{(i^\dag)} = ( \mathbf v_1^{\dag T} \mid \mathbf v_2^{\dag T})^T$ verifying~\eqref{eq:rel-uM}, which furthermore implies that $sig^{(i^\dag)}$ verifies~\eqref{ver-eq-block}.
\end{itemize}
\noindent Thus we claim that $\bdv$ can solve the $\SIS$ problem using the Type II forgery provided by $\adv$.
Thus we claim that $\bdv$ can solve the $\SIS$ problem using the Type II forgery provided by $\adv$.
At the end of the game, the adversary outputs a valid signature $sig^\star = (\tau^{(i^\star)}, \mathbf v^\star)$ on a message $\mathfrak m^\star$ with $\| \mathbf v^\star \| \leq \sigma \sqrt{2m}$.
In the event that $\tau^{(i^\star)} \neq \tau^{i^\dag}$, the reduction aborts. The latter event happens with probability $1-1/Q$.
If we parse $\mathbf v^\star$ as $(\mathbf v_1^{\star, T} \mid \mathbf v_2^{\star T})^T \in \ZZ^{2m}$, with $\mathbf v_1^{\star}, \mathbf v_2^\star \in \ZZ^m$, it holds that:
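Review bot: `$\tau^{(i^\star)} \neq \tau^{i^\dag}$` drops the parentheses on the second tag; it should be `$\tau^{(i^\dag)}$`. The transposed-vector notation also differs between the two parses, `$( \mathbf v_1^{\dag T} \mid \mathbf v_2^{\dag T})^T$` versus `$(\mathbf v_1^{\star, T} \mid \mathbf v_2^{\star T})^T$`; use one form throughout. `Thus we claim that $\bdv$ can solve the $\SIS$ problem` precedes the argument it summarises; `We now show that` fits the position better.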
@ -395,7 +521,7 @@ The scheme is bounded message secure under non-adaptive chosen-message attacks i
\section{A Fully Simulatable Adaptive OT Protocol} \label{OT-scheme}
Our basic \OTA protocol builds on the ``assisted decryption'' technique \cite{CNs07}. The databases holder encrypts all entries
Our basic \OTA protocol builds on the ``assisted decryption'' technique \cite{CNS07}. The databases holder encrypts all entries
using a multi-bit variant \cite{PVW08} of Regev's cryptosystem \cite{Reg05} and proves the well-formedness of its public key and all ciphertexts. In addition,
all ciphertexts are signed using a signature scheme. At each
transfer, the receiver statistically re-randomizes a blinded version of the desired ciphertext, where the blinding is done via the additive
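Review bot: `The databases holder encrypts all entries` should be `The database holder`.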
@ -405,7 +531,7 @@ a transformation of one of the original ciphertexts by arguing knowledge of a si
the sender obliviously decrypts the modified ciphertext and argues in zero-knowledge that the response is correct.
Adapting the technique of \cite{CNs07} to the lattice setting requires the following building blocks:
Adapting the technique of \cite{CNS07} to the lattice setting requires the following building blocks:
(i) A signature scheme allowing to sign ciphertexts while remaining compatible with ZK proofs; (ii) A ZK protocol allowing to prove knowledge of a signature on some hidden ciphertext which belongs to a public set and was transformed into a given ciphertext; (iii) A protocol for proving the correct decryption of a ciphertext; (iv) A method of statistically re-randomizing an $\LWE$-encrypted ciphertext in a way that enables oblivious decryption. The first three ingredients can be obtained from \cref{ch:gs-lwe}. Since component (i) only needs to be secure against random-message attacks as
long as the adversary obtains at most $N$ signatures, we use the simplified $\SIS$-based signature scheme
of Section \ref{RMA-sec}.
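Review bot: `A signature scheme allowing to sign ciphertexts` and `A ZK protocol allowing to prove knowledge` are not grammatical English; use `that allows signing ciphertexts` and `for proving knowledge`. The inline list (i)-(iv) would also read better as an `\begin{enumerate}` with `\item`s, matching the `description` lists used elsewhere in the chapter.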
@ -506,8 +632,7 @@ In the initialization phase, the sender has to repeat step 5 with each
%and $\mathbf{E} \in \ZZ^{m \times t}$.
Knowing a short basis of $\Lambda_q^{\perp}(\mathbf{F})$, the simulator can extract
the columns of $\mathbf{S}$ from the public key $\mathbf{P} \in \Zq^{n \times m}$. Details are given in Appendix~\ref{optimized}.
% \indent In
%Appendix \ref{ot-proofs}, we prove the security of the above \OTA protocol against static corruptions under the $\SIS$ and $\LWE$ assumptions.
\subsection{Security}
The security of the above \OTA protocol against static corruptions is stated by the following theorems.
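Review bot: the commented-out pointer to `Appendix \ref{ot-proofs}` is removed now that a `\subsection{Security}` holds the proofs, but the sentence just above it still says `Details are given in Appendix~\ref{optimized}`; check that the `optimized` label still exists after the appendix material was folded into the chapter, otherwise this renders as `Appendix ??`.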
@ -518,7 +643,9 @@ The $\OTA$ protocol provides receiver security under the $\SIS$ assumption.
\begin{proof}
We prove that any real-world cheating sender $\hat{\mathsf{S}}$ implies an ideal-world cheating sender $\hat{\mathsf{S}}'$ such that, under the $\SIS$ assumption,
the two distributions $\REAL_{\hat{\mathsf{S}},{\mathsf{R}}}$ and $\IDEAL_{\hat{\mathsf{S}}',{\mathsf{R}}'}$ with common inputs $(N,k,M_1,\ldots,M_N,\rho_1,\ldots,\rho_k)$ are indistinguishable
to any PPT distinguisher $\ddv$. \\ \indent To this end, we consider a sequence of hybrid experiments with binary outputs. In each experiment $\textsf{Exp}_i$, a distinguisher $\ddv$ takes
to any PPT distinguisher $\ddv$.
To this end, we consider a sequence of hybrid experiments with binary outputs. In each experiment $\textsf{Exp}_i$, a distinguisher $\ddv$ takes
as input the states $(S_k,R_k)$ produced by $\hat{\mathsf{S}}$ and $\mathsf{R}'$ at the end of the experiment and outputs a bit. We define $W_i$ as the event that the output of experiment $\textsf{Exp}_i$ is $1$. The first experiment outputs whatever the distinguisher $\ddv$ outputs and corresponds to the real interaction between the cheating sender $\hat{\mathsf{S}}$ and the
receiver $\mathsf{R}$. \smallskip
\begin{description}
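Review bot: the proof writes the experiments as `$\REAL_{\hat{\mathsf{S}},{\mathsf{R}}}$` and `$\IDEAL_{\hat{\mathsf{S}}',{\mathsf{R}}'}$`, whereas Definitions~\ref{def:sender-sec} and \ref{def:receiver-sec} spell them `$\mathbf{Real}$` and `$\mathbf{Ideal}$`; use the same macros in the definitions so the notation matches. Minor: `\smallskip` right before `\begin{description}` is redundant, since the environment adds its own vertical space.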
@ -578,8 +705,9 @@ extracted matrix $\mathbf{S} \in \ZZ^{n \times t}$, by applying the test
\eqref{test-deux}), it aborts the interaction as in $\textsf{Exp}_3$.
If the ZK
argument involves a true statement, $\hat{\mathsf{S}}'$ sends $1$ to the trusted party $\mathsf{T}$ so as to authorize the transfer in the ideal world. Otherwise, $\hat{\mathsf{S}}'$ sends $0$ to $\mathsf{T}$.
At the end of the $k$-th transfer phase, $\hat{\mathsf{S}}'$ outputs whatever $\hat{\mathsf{S}}$ outputs as its final state $S_k$. \\
\indent In $\textsf{Exp}_3$, it is easy to see that
At the end of the $k$-th transfer phase, $\hat{\mathsf{S}}'$ outputs whatever $\hat{\mathsf{S}}$ outputs as its final state $S_k$.
In $\textsf{Exp}_3$, it is easy to see that
$$ \Pr[W_3] = \Pr[ \ddv (X) =1 \mid X \leftarrow \IDEAL_{\hat{\mathsf{S}}',{\mathsf{R}}'} ] .$$
When putting the above altogether, we find that there exists a PPT $\SIS$ solver $\bdv$ such that
\begin{multline*}
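Review bot: the displayed probability `$$ \Pr[W_3] = ... $$` uses plain-TeX `$$` while the rest of the chapter uses `\[ ... \]`; `$$` bypasses LaTeX's display handling (spacing, `fleqn`), so switch to `\[ \]`. The same `$$` display appears for $\Pr[W_4]$ in the sender-security proof below.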
@ -690,8 +818,9 @@ Note that, by Lemma \ref{sig-rely}, such an index must exist unless $\hat{\maths
database entry, $\hat{\mathsf{R}}'$ sends $\rho_i$ to the trusted party $\mathsf{T}$ which returns the message $M_{\rho_i} \in \{0,1\}^t$. The latter is used together with the
extracted witness $\mu \in \{0,1\}^t$ to define the response $M'=M_{\rho_i} \oplus \mu \in \{0,1\}^t$ that $\hat{\mathsf{R}}'$ generates on behalf of the sender $\hat{\mathsf{S}}'$ at step 2 of the transfer. In addition,
the ideal-world dishonest receiver $\hat{\mathsf{R}}'$ appeals to the simulator of the zero-knowledge argument system to simulate an argument of knowledge
of $\{(\mathbf{s}_j,\mathbf{e}_j,\mathbf{y}[j])\}_{j=1}^t$ for the statement~\eqref{eq:protocol-2-original}.\\% (\ref{sender-proof-two}). \\
\indent It is easy to see that, when $\hat{\mathsf{R}}$ interacts with the simulator $\hat{\mathsf{R}}'$ that emulates the real-world sender $\mathsf{S}'$, its view is identical to that
of $\{(\mathbf{s}_j,\mathbf{e}_j,\mathbf{y}[j])\}_{j=1}^t$ for the statement~\eqref{eq:protocol-2-original}.
It is easy to see that, when $\hat{\mathsf{R}}$ interacts with the simulator $\hat{\mathsf{R}}'$ that emulates the real-world sender $\mathsf{S}'$, its view is identical to that
of $\textsf{Exp}_4$: we have
$$ \Pr[W_4] = \Pr[ \ddv (X) =1 \mid X \leftarrow \IDEAL_{{\mathsf{S}}',\hat{\mathsf{R}}'} ] .$$
When combining the above, we conclude that there exist PPT algorithms $\bdv$ and $\bdv'$ such that
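Review bot: party names are inconsistent across the lines touched here. On `extracted witness $\mu \in \{0,1\}^t$ to define the response $M'=M_{\rho_i} \oplus \mu \in \{0,1\}^t$ that $\hat{\mathsf{R}}'$ generates on behalf of the sender $\hat{\mathsf{S}}'$` the honest sender carries a hat, and on the rewritten line the simulator "emulates the real-world sender $\mathsf{S}'$", yet the ideal-world term two lines down is $\IDEAL_{{\mathsf{S}}',\hat{\mathsf{R}}'}$, where the prime marks the ideal-world honest sender. The party emulated by $\hat{\mathsf{R}}'$ towards $\hat{\mathsf{R}}$ is the real-world honest sender, so write $\mathsf{S}$ in both places and keep $\hat{\cdot}$ for corrupted parties only. Also the same paragraph-merge as in the $\textsf{Exp}_3$ hunk applies to the dropped `\\ \indent` here.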
@ -1300,8 +1429,9 @@ Next, we specify the set $\mathcal{S}$ and permutations of $D$ elements $\{\Gamm
\item For $\phi = (\phi_1, \phi_2) \in \mathcal{S}$ and for $\mathbf{t} = (\mathbf{t}_1^T \mid \mathbf{t}_2^T)^T \in \mathbb{Z}^D$, where $\mathbf{t}_1 \in \mathbb{Z}^{3(n+m+N)t\delta_{B_\chi}}$ and $\mathbf{t}_2 \in \mathbb{Z}^{2Nt}$, we define $\Gamma_\phi(\mathbf{t}) = (\phi_1(\mathbf{t}_1)^T \mid \phi_2(\mathbf{t}_2)^T )^T $.
\end{itemize}
By inspection, it can be seen that the desired properties in \eqref{eq:zk-equivalence} are satisfied. As a result, we can obtain the required \textsf{ZKAoK} by running the protocol from \cref{sse:stern-abstraction} with common input $(\mathbf{M}, \mathbf{v})$ and prover's input $\mathbf{w}$.
The protocol has communication cost $\mathcal{O}(D\log q)= \widetilde{\mathcal{O}}(\lambda)\cdot \mathcal{O}(Nt)$ bits. \\
\indent While this protocol has linear complexity in $N$, it is only used in the initialization phase, where $\Omega(N)$ bits inevitably have to be transmitted anyway.
The protocol has communication cost $\mathcal{O}(D\log q)= \widetilde{\mathcal{O}}(\lambda)\cdot \mathcal{O}(Nt)$ bits.
While this protocol has linear complexity in $N$, it is only used in the initialization phase, where $\Omega(N)$ bits inevitably have to be transmitted anyway.
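Review bot: with `\\ \indent` removed, `The protocol has communication cost ...` and `While this protocol has linear complexity in $N$ ...` now compile as one paragraph; add a blank line if the second sentence was meant to start a new paragraph, as the old markup suggests. Nothing else changes in this hunk.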
@ -1452,7 +1582,9 @@ These steps can be treated as explained below.
At each step $\theta \in [L]$, the prover demonstrates knowledge of a path consisting of $\delta_\kappa$ nodes $\mathbf{g}_{\theta,1}, \ldots, \mathbf{g}_{\theta, \delta_\kappa} \in \{0,1\}^{n\lceil \log q\rceil}$ determined by $d_{\theta, 1}, \ldots, d_{\theta, \delta_\kappa}$, as well as their sibling nodes $\mathbf{t}_{\theta, 1}, \ldots, \mathbf{t}_{\theta, \delta_\kappa} \in \{0,1\}^{n\lceil \log q\rceil}$.
Also, the prover argues knowledge of an opening $(y_\theta , \mathbf{r}_\theta) \in \{0,1\} \times \{0,1\}^m $ for the commitment of which $\mathbf{g}_{\theta, \delta_\kappa}$ is a binary decomposition.
As shown in~\cref{sse:stern}. (and recalled in Appendix~\ref{appendix:bit-commit+Merkle-tree}), it suffices to prove the following relations (mod $q$):
As shown in~\cref{sse:stern},
%(and recalled in Appendix~\ref{appendix:bit-commit+Merkle-tree}),
it suffices to prove the following relations (mod $q$):
\begin{eqnarray} \label{Merkle-layer}
\forall \theta\in [L] \begin{cases}
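Review bot: good that the stray period in `As shown in~\cref{sse:stern}. (and recalled in Appendix~...)` is gone. Prefer deleting the commented-out line `%(and recalled in Appendix~\ref{appendix:bit-commit+Merkle-tree}),` rather than keeping dead markup: a commented `\ref` to a label that no longer exists in the thesis is exactly the kind of line that gets uncommented later and silently renders as `??`. If the appendix is meant to come back, say so in the comment.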
@ -1851,7 +1983,7 @@ which has communication cost $\mathcal{O}(D \log q)= \mathcal{O}(L\cdot \log \ka
\section{Reducing the Communication Complexity in the Random Oracle Model} \label{optimized}
One limitation of our basic adaptive OT protocol is that it requires the sender to repeat the zero-knowledge proofs of the initialization phase
for each user. In total, the communication cost of the initialization phase thus amounts to $\Omega(\lambda N U)$, which is even more expensive
than the $O(\lambda (N+U))$ complexities of \cite{CNs07,GH07,CDN09,JL09}. As pointed out by Green and Hohenberger \cite{GH11}, decreasing the
than the $O(\lambda (N+U))$ complexities of \cite{CNS07,GH07,CDN09,JL09}. As pointed out by Green and Hohenberger \cite{GH11}, decreasing the
cost of the initialization phase to be independent of the number of users is highly
desirable: ideally, one would certainly prefer a non-interactive initialization phase where the Sender can publicize a $O(\lambda N)$-size
commitment to the database, which can subsequently be used by arbitrarily many receivers.
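Review bot: the key fix `CNs07` to `CNS07` matches the key used in the new comparison table (`CNS~\cite{CNS07}`), so the bibliography entry will resolve; grep the rest of the chapter and the `.bib` for the lowercase variant so no `[?]` remains. While here, the context line `desirable: ideally, one would certainly prefer a non-interactive initialization phase where the Sender can publicize` capitalises "Sender" although the section writes "sender"/"receiver" in lower case everywhere else.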
@ -1894,7 +2026,7 @@ $${PK}_{sig}:=\big( \mathbf{A},
\item[2.] Choose a matrix $\mathbf{S} \sample \chi^{n \times t}$ that will serve as a secret key for an $\LWE$-based encryption scheme.
Then, define the matrix $\mathbf{F} =H_{F}(\varepsilon) \in \Zq^{n \times m}$ and sample a matrix $\mathbf{E} \sample \chi^{m \times t }$ to compute
\begin{eqnarray} \label{PK-gen-app}
\mathbf{P} = \left[ \mathbf{p}_1 \mid \ldots \mid \mathbf{p}_t \right] = \mathbf{F}^\top \cdot \mathbf{S} + \mathbf{E} ~\in \Zq^{m \times t}
\mathbf{P} = \left[ \mathbf{p}_1 \mid \ldots \mid \mathbf{p}_t \right] = \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} ~\in \Zq^{m \times t}
\end{eqnarray}
so that $(\mathbf{F},\mathbf{P}) \in \Zq^{n \times m} \times \Zq^{m \times t }$ forms a public key for a $t$-bit variant of Regev's encryption scheme \cite{Reg05}
(or, equivalently,
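Review bot: the `^\top` to `^T` sweep starting here renders the transpose as an italic $T$, which is legal but sits next to scalar variables in the same formulas and to the trapdoor basis $\mathbf{T}_{\mathbf{F}}$ used in the receiver-security proof below. Since the change touches a dozen hunks, define one macro in the preamble (e.g. `\newcommand{\transp}{^{\mathsf{T}}}`) and use it everywhere, so the notation can be switched again in one line; also check that occurrences inside comments and inside macro definitions were caught by the same search.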
@ -1904,12 +2036,12 @@ $${PK}_{sig}:=\big( \mathbf{A},
U(\Zq^n)$ and $\mathbf{x}_1,\ldots,\mathbf{x}_{N} \sample \chi^{t}$ to
compute
\begin{eqnarray} \label{init-db-app}
(\mathbf{a}_i,\mathbf{b}_i)= \bigl( \mathbf{a}_i, ~ \mathbf{S}^\top \cdot \mathbf{a}_i + \mathbf{x}_i + M_i \cdot \lfloor q/2 \rfloor \bigr) \in \Zq^n \times \Zq^{t} \qquad \forall i \in [N]
(\mathbf{a}_i,\mathbf{b}_i)= \bigl( \mathbf{a}_i, ~ \mathbf{S}^T \cdot \mathbf{a}_i + \mathbf{x}_i + M_i \cdot \lfloor q/2 \rfloor \bigr) \in \Zq^n \times \Zq^{t} \qquad \forall i \in [N]
\qquad
\end{eqnarray}
\item[4.] For each $i=1$ to $N$, generate a signature $(\tau_i,\mathbf{v}_i ) \leftarrow \mathsf{Sign}(SK_{sig},\tau,\mathfrak{m}_i)$ on the message
$\mathfrak{m}_i=\mathsf{vdec}_{n+t,q-1}(\mathbf{a}_i|\mathbf{b}_i) \in \{0,1\}^{m_d}$ obtained by decomposing $(\mathbf{a}_i^\top | \mathbf{b}_i^\top)^\top \in \Zq^{n+t}$.
$\mathfrak{m}_i=\mathsf{vdec}_{n+t,q-1}(\mathbf{a}_i|\mathbf{b}_i) \in \{0,1\}^{m_d}$ obtained by decomposing $(\mathbf{a}_i^T | \mathbf{b}_i^T)^T \in \Zq^{n+t}$.
\item[5.] $\mathsf{S}_\mathsf{I}$ sends $\mathsf{R}_\mathsf{I}$ the initialization data
\begin{eqnarray} \label{init-data}
R_0= \bigl( PK_{sig} ,~(\mathbf{F},\mathbf{P}),~\{(\mathbf{a}_i,\mathbf{b}_i),(\tau_i,\mathbf{v}_i )\}_{i=1}^N , ~\pi_K \bigr),
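Review bot: on `$\mathfrak{m}_i=\mathsf{vdec}_{n+t,q-1}(\mathbf{a}_i|\mathbf{b}_i) \in \{0,1\}^{m_d}$ obtained by decomposing $(\mathbf{a}_i^T | \mathbf{b}_i^T)^T \in \Zq^{n+t}$` the argument of $\mathsf{vdec}$ is spelled two ways in one sentence, and the receiver's check in the next hunk uses a third form with an extra outer transpose. Fix one spelling of the signed message in step 4 and reuse it verbatim in step 5c: the receiver must verify the signature on exactly the message the sender signed, and the current wording leaves that to the reader.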
@ -1924,13 +2056,13 @@ that are consistent with \eqref{PK-gen-app}-\eqref{init-db-app}. The argument $\
$\mathbf{X}=[\mathbf{x}_1 | \ldots | \mathbf{x}_N] \in \chi^{ t \times N}$
and parse $\mathbf{S}$ and $\mathbf{E}$ as $\mathbf{S}=[\mathbf{s}_1 | \ldots | \mathbf{s}_t] \in \chi^{n \times t}$,
$\mathbf{E}=[\mathbf{e}_1 | \ldots | \mathbf{e}_t] \in \chi^{m \times t}$.
\item[b.] For each $j \in [t]$, define $\bar{M}_j \in \{0,1\}^N$ to be the $j$-th column of $\mathbf{M}^\top = [ \bar{M}_1 | \ldots | \bar{M}_t ]$. Likewise,
let $\bar{\mathbf{b}}_j \in \Zq^N$ (resp. $\bar{\mathbf{x}}_j \in \chi^N$) be the $j$-th column of $\mathbf{B}_{\textsf{DB}}^\top=[\bar{\mathbf{b}}_1 | \ldots | \bar{\mathbf{b}}_t ] \in \Zq^{N \times t} $
(resp. $\mathbf{X}^\top=[\bar{\mathbf{x}}_1 | \ldots | \bar{\mathbf{x}}_t ] $) and generate a signature of knowledge
\item[b.] For each $j \in [t]$, define $\bar{M}_j \in \{0,1\}^N$ to be the $j$-th column of $\mathbf{M}^T = [ \bar{M}_1 | \ldots | \bar{M}_t ]$. Likewise,
let $\bar{\mathbf{b}}_j \in \Zq^N$ (resp. $\bar{\mathbf{x}}_j \in \chi^N$) be the $j$-th column of $\mathbf{B}_{\textsf{DB}}^T=[\bar{\mathbf{b}}_1 | \ldots | \bar{\mathbf{b}}_t ] \in \Zq^{N \times t} $
(resp. $\mathbf{X}^T=[\bar{\mathbf{x}}_1 | \ldots | \bar{\mathbf{x}}_t ] $) and generate a signature of knowledge
of $\mathbf{s}_j \in \chi^n$, $\mathbf{e}_j \in \chi^m$, $\bar{\mathbf{x}}_j \in \chi^N$, $\bar{M}_j \in \{0,1\}^N$, for $j \in [t]$, such that
\begin{eqnarray} \label{sender-proof-app}
\left[ \begin{array}{c|c|c|c} ~ \mathbf{F}^\top ~ & ~ \mathbf{I}_m ~ & ~ & ~ ~\\ \hline
\rule{0pt}{2.5ex}~\mathbf{A}_{\textsf{DB}}^\top ~ & ~ ~ & ~ \mathbf{I}_N ~ & ~ \lfloor q/2 \rfloor \cdot \mathbf{I}_N ~
\left[ \begin{array}{c|c|c|c} ~ \mathbf{F}^T ~ & ~ \mathbf{I}_m ~ & ~ & ~ ~\\ \hline
\rule{0pt}{2.5ex}~\mathbf{A}_{\textsf{DB}}^T ~ & ~ ~ & ~ \mathbf{I}_N ~ & ~ \lfloor q/2 \rfloor \cdot \mathbf{I}_N ~
\end{array} \right]
\cdot \begin{bmatrix} \mathbf{s}_j \\ \hline \mathbf{e}_j \\ \hline \bar{\mathbf{x}}_j \\ \hline \rule{0pt}{2.5ex} \bar{{M}}_j \end{bmatrix} = \begin{bmatrix}
\mathbf{p}_j \\ \hline
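Review bot: the block matrix dimensions check out ($\mathbf{F}^T$ is $m \times n$, $\mathbf{A}_{\textsf{DB}}^T$ is $N \times n$, identity blocks of size $m$ and $N$), so the transpose rewrite is consistent here. One naming point on the rewritten line `define $\bar{M}_j \in \{0,1\}^N$ to be the $j$-th column of $\mathbf{M}^T = [ \bar{M}_1 | \ldots | \bar{M}_t ]$`: $\mathbf{M}$ is the message matrix here but the public matrix of the Stern relation `(\mathbf{M}, \mathbf{v})` in the earlier hunk; renaming the message matrix to something like `\mathbf{M}_{\textsf{DB}}`, in line with `\mathbf{A}_{\textsf{DB}}` and `\mathbf{B}_{\textsf{DB}}`, avoids the clash.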
@ -1943,7 +2075,7 @@ where $\mathsf{Chall}_K = H_{\mathsf{FS}}\big( (\mathbf{F},\mathbf{P}, \mathbf{A
\{ \mathsf{Comm}_{K,j}\}_{j=1}^\varsigma \big) \in \{1,2,3\}^\varsigma$.
\item[c.] If the proof of knowledge $\pi_K$ does not verify
or if there exists $i \in [N]$ such that $(\tau_i,\mathbf{v}_i)$ is an invalid signature on
$\mathsf{vdec}_{n+t,q-1}\big((\mathbf{a}_i^\top|\mathbf{b}_i^\top)^\top \big)^\top $, then $\mathsf{R}_\mathsf{I}$ aborts.
$\mathsf{vdec}_{n+t,q-1}\big((\mathbf{a}_i^T|\mathbf{b}_i^T)^T \big)^T $, then $\mathsf{R}_\mathsf{I}$ aborts.
\end{itemize}
\item[6.] Finally $\mathsf{S}_\mathsf{I}$ defines $S_0= \big( (\mathbf{S},\mathbf{E}) ,(\mathbf{F},\mathbf{P}),PK_{sig} \big)$, which it keeps to itself. \medskip \smallskip
\end{itemize}
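Review bot: on `$\mathsf{vdec}_{n+t,q-1}\big((\mathbf{a}_i^T|\mathbf{b}_i^T)^T \big)^T $, then $\mathsf{R}_\mathsf{I}$ aborts.` the trailing `^T` transposes the binary message vector, whereas step 4 signs it untransposed as $\mathfrak{m}_i=\mathsf{vdec}_{n+t,q-1}(\mathbf{a}_i|\mathbf{b}_i)$. Drop the outer transpose (or simply write "an invalid signature on $\mathfrak{m}_i$") so the verification condition matches the signed message literally.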
@ -1953,17 +2085,17 @@ an index $\rho_i \in [1,N]$. It interacts as follows with the sender $\mathsf{S}
\begin{itemize}
\item[1.] $\mathsf{R}_\mathsf{T}$ samples vectors $\mathbf{e} \sample U(\{-1,0,1\}^m)$, $\mu \sample U(\{0,1\}^t)$ and a random $\nu \sample U([-B,B]^t)$ to compute
\begin{eqnarray} \label{rand-CT-app}
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{\rho_i} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{\rho_i} + \mathbf{P}^\top \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t,
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{\rho_i} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{\rho_i} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t,
\qquad
\end{eqnarray}
which is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i} + \mu \cdot \lfloor q/2 \rfloor )$. The resulting ciphertext $(\mathbf{c}_0,\mathbf{c}_1)$ is sent to
$\mathsf{S}_\mathsf{T}$. In addition, $\mathsf{R}_\mathsf{T}$ provides an interactive WI argument that $(\mathbf{c}_0,\mathbf{c}_1)$ is indeed a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$ for some index $\rho_i \in [N]$.
To this end, $\mathsf{R}_\mathsf{T}$ argues knowledge of short vectors $\mathfrak{m} = \mathsf{vdec}_{n+1,q-1}(\mathbf{a}_i| \mathbf{b}_i) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{-1,0,1\}^t$, $\mu \in \{0,1\}^t$,
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $\mathbf{v} =(\mathbf{v}_1^\top | \mathbf{v}_2^\top)^\top \in \ZZ^{2m}$ such that
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $\mathbf{v} =(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m}$ such that
\begin{eqnarray} \label{statement-rand-un-app}
\left[ \begin{array}{cc|c|c|c}
\mathbf{H}_{n,q-1} ~ & ~ ~ & ~ \mathbf{F} ~& ~ &~ \\ \hline
& ~\mathbf{H}_{t,q-1}~ & \rule{0pt}{2.5ex} ~\mathbf{P}^{\top}~ & ~ \mathbf{I}_t \cdot \lfloor q/2 \rfloor ~ & ~\mathbf{I}_t~
& ~\mathbf{H}_{t,q-1}~ & \rule{0pt}{2.5ex} ~\mathbf{P}^{T}~ & ~ \mathbf{I}_t \cdot \lfloor q/2 \rfloor ~ & ~\mathbf{I}_t~
\end{array} \right] \cdot \begin{bmatrix} \mathfrak{m} \\ \hline \mathbf{e} \\ \hline \mu \\ \hline \nu \end{bmatrix} = \begin{bmatrix} \mathbf{c}_0 \\ \hline \mathbf{c}_1 \end{bmatrix}
\end{eqnarray}
and
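Review bot: the witness description on `To this end, $\mathsf{R}_\mathsf{T}$ argues knowledge of short vectors $\mathfrak{m} = \mathsf{vdec}_{n+1,q-1}(\mathbf{a}_i| \mathbf{b}_i) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{-1,0,1\}^t$, ...` disagrees with the sampling step and with the matrix equation just below: $\mathbf{e}$ is drawn from $U(\{-1,0,1\}^m)$ and multiplied by $\mathbf{F} \in \Zq^{n \times m}$, so it should be $\mathbf{e} \in \{-1,0,1\}^m$; the decomposition should be $\mathsf{vdec}_{n+t,q-1}$ as in step 4 of initialization (and as the simulator writes it later), not $\mathsf{vdec}_{n+1,q-1}$; and the decomposed pair should be the chosen entry $(\mathbf{a}_{\rho_i}|\mathbf{b}_{\rho_i})$, not $(\mathbf{a}_i|\mathbf{b}_i)$. Since this hunk already rewrites the adjacent transposes, fold these three fixes in.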
@ -1974,25 +2106,25 @@ and
\end{eqnarray}
\item[2.] If the WI argument of step 1 verifies, $\mathsf{S}_\mathsf{T}$ uses $\mathbf{S} \in \chi^{n \times t}$ to decrypt $(\mathbf{c}_0,\mathbf{c}_1) \in \Zq^n \times \Zq^t$ and
obtain $$M' = \lfloor (\mathbf{c}_1 - \mathbf{S}^\top \cdot \mathbf{c}_0) / ( q/2 ) \rceil \in \{0,1\}^t,$$
which is sent back to $\mathsf{R}_\mathsf{T}$. In addition, $\mathsf{S}_\mathsf{T}$ provides a NIZK argument $\pi_T$ of knowledge of $\mathbf{y}= \mathbf{c}_1 - \mathbf{S}^\top \cdot \mathbf{c}_0 - M' \cdot \lfloor q/2 \rfloor \in \ZZ^t$
obtain $$M' = \lfloor (\mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0) / ( q/2 ) \rceil \in \{0,1\}^t,$$
which is sent back to $\mathsf{R}_\mathsf{T}$. In addition, $\mathsf{S}_\mathsf{T}$ provides a NIZK argument $\pi_T$ of knowledge of $\mathbf{y}= \mathbf{c}_1 - \mathbf{S}^T \cdot \mathbf{c}_0 - M' \cdot \lfloor q/2 \rfloor \in \ZZ^t$
of norm $\| \mathbf{y} \|_{\infty} \leq q/5$ and $\mathbf{E}=[\mathbf{e}_1|\ldots | \mathbf{e}_t] \in \chi^{m \times t}$ satisfying (modulo $q$)
\begin{eqnarray} \label{test-fin-trans}
\mathbf{P} &=& \mathbf{F}^\top \cdot \mathbf{S} + \mathbf{E} ~ , \qquad \mathbf{c}_0^\top \cdot \mathbf{S} + \mathbf{y}^\top = \mathbf{c}_1^\top - {M'}^\top \cdot \lfloor q/2 \rfloor .
\mathbf{P} &=& \mathbf{F}^T \cdot \mathbf{S} + \mathbf{E} ~ , \qquad \mathbf{c}_0^T \cdot \mathbf{S} + \mathbf{y}^T = \mathbf{c}_1^T - {M'}^T \cdot \lfloor q/2 \rfloor .
\end{eqnarray}
Given $\mathbf{y}=(\mathbf{y}[1],\ldots,\mathbf{y}[t])^\top \in \ZZ^t$ and $\mathbf{S}=[\mathbf{s}_1| \ldots | \mathbf{s}_t]$, this amounts to proving, for each $j \in [t]$, knowledge
Given $\mathbf{y}=(\mathbf{y}[1],\ldots,\mathbf{y}[t])^T \in \ZZ^t$ and $\mathbf{S}=[\mathbf{s}_1| \ldots | \mathbf{s}_t]$, this amounts to proving, for each $j \in [t]$, knowledge
of $\mathbf{s}_j \in \chi^n$, $\mathbf{y}[j] \in \ZZ$ such that $|\mathbf{y}[j] | < q/4$ and $\mathbf{e}_j \in \chi^m$, such that
\begin{eqnarray} \label{sender-proof-two-app}
\left[ \begin{array}{c|c|c}
~ \mathbf{F}^\top ~ & ~ \mathbf{I}_m ~ & ~~ \\ \hline
\rule{0pt}{2.5ex} \mathbf{c}_0^\top ~ & & 1
~ \mathbf{F}^T ~ & ~ \mathbf{I}_m ~ & ~~ \\ \hline
\rule{0pt}{2.5ex} \mathbf{c}_0^T ~ & & 1
\end{array} \right]
\cdot \begin{pmatrix} \mathbf{s}_j \\ \hline \mathbf{e}_j \\ \hline \mathbf{y}[j] \end{pmatrix} = \begin{pmatrix}
\mathbf{p}_j \\ \hline
\rule{0pt}{2.5ex} \mathbf{c}_1[j] - M'[j] \cdot \lfloor q/2 \rfloor
\end{pmatrix} \qquad~ \forall j \in [t], \qquad
\end{eqnarray}
where $\mathbf{c}_1=(\mathbf{c}_1[1],\ldots,\mathbf{c}_1[t])^\top $ and $M' = (M'[1],\ldots,M'[t])^\top$. Let the NIZK argument be $\pi_T=(
where $\mathbf{c}_1=(\mathbf{c}_1[1],\ldots,\mathbf{c}_1[t])^T $ and $M' = (M'[1],\ldots,M'[t])^T$. Let the NIZK argument be $\pi_T=(
\{\mathsf{Comm}_{T,j}\}_{j=1}^\varsigma,\mathsf{Chall}_T,\{\mathsf{Resp}_{T,j}\}_{j=1}^\varsigma)$,
where $\mathsf{Chall}_T = H_{\mathsf{FS}}\big( (\mathbf{F},\mathbf{P}, \mathbf{c}_0, \mathbf{c}_{1}),
\{ \mathsf{Comm}_{T,j}\}_{j=1}^\varsigma \big) \in \{1,2,3\}^\varsigma$.
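Review bot: two different bounds are stated for the same noise vector: `of norm $\| \mathbf{y} \|_{\infty} \leq q/5$` for the NIZK argument, then `$|\mathbf{y}[j] | < q/4$` in the per-coordinate reformulation that the argument actually proves, and the simulator's test in a later hunk uses $q/5$ again. The relation proven with Stern's protocol has to be exactly the one the verifier checks, so use one bound in all three places; $q/5$ is the safe choice since rounding in $M' = \lfloor (\cdot) / (q/2) \rceil$ is correct whenever $|\mathbf{y}[j]| < q/4$, and $q/5$ is strictly inside that.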
@ -2035,7 +2167,7 @@ The above $\OTA$ protocol provides receiver security under the $\SIS$ assumption
\item[\textsf{Exp}$_2$:] is as $\textsf{Exp}_1$ but, at step 5 of the initialization phase, $\mathsf{R}'$ uses the short basis
$\mathbf{T}_{\mathbf{F}} \in \ZZ^{m \times m}$ of $\Lambda_q^{\perp}(\mathbf{F})$ (which satisfies $\mathbf{F} \cdot \mathbf{T}_{\mathbf{F}} = \mathbf{0}^n \bmod q$) to
extract witnesses $\mathbf{s}_j \in \chi^n$, $\mathbf{e}_j \in \chi^m$ from the columns $\mathbf{p}_j = \mathbf{F}^\top \cdot \mathbf{s}_j + \mathbf{e}_j \in \ZZ^m$ of the
extract witnesses $\mathbf{s}_j \in \chi^n$, $\mathbf{e}_j \in \chi^m$ from the columns $\mathbf{p}_j = \mathbf{F}^T \cdot \mathbf{s}_j + \mathbf{e}_j \in \ZZ^m$ of the
matrix $\mathbf{P}= \left[\mathbf{p}_1 \mid \ldots \mid \mathbf{p}_t\right] \in \Zq^{m \times t}$
%and
% $\bar{\mathbf{x}}_j \in \chi^N$, $\bar{M}_j \in \{0,1\}^N$,
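Review bot: minor inconsistency on the rewritten line `extract witnesses $\mathbf{s}_j \in \chi^n$, $\mathbf{e}_j \in \chi^m$ from the columns $\mathbf{p}_j = \mathbf{F}^T \cdot \mathbf{s}_j + \mathbf{e}_j \in \ZZ^m$`: the same equation in E.1 of the next hunk ends in `\in \Zq^m`, and the columns of $\mathbf{P} \in \Zq^{m \times t}$ do live in $\Zq^m$, so change $\ZZ^m$ to $\Zq^m$ here.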
@ -2044,11 +2176,11 @@ The above $\OTA$ protocol provides receiver security under the $\SIS$ assumption
$\mathsf{R}'$ aborts the interaction in the event that one of the following conditions holds: \smallskip
\begin{itemize}
\item[E.1:] The $\LWE$-inversion algorithm
fails to compute small-norm vectors $\mathbf{s}_j \in \chi^n$, $\mathbf{e}_j \in \chi^m$ such that $\mathbf{p}_j = \mathbf{F}^\top \cdot \mathbf{s}_j + \mathbf{e}_j \in \Zq^m$ for some $j \in [t]$. %(which happens if $\mathbf{T}_{\mathbf{F}}^\top \cdot \mathbf{p}_j $ is not small)
fails to compute small-norm vectors $\mathbf{s}_j \in \chi^n$, $\mathbf{e}_j \in \chi^m$ such that $\mathbf{p}_j = \mathbf{F}^T \cdot \mathbf{s}_j + \mathbf{e}_j \in \Zq^m$ for some $j \in [t]$. %(which happens if $\mathbf{T}_{\mathbf{F}}^T \cdot \mathbf{p}_j $ is not small)
\item[E.2:] The
columns of $\mathbf{S} = \left [\mathbf{s}_1 \mid \ldots \mid \mathbf{s}_t \right] \in \chi^{n \times t}$ are successfully extracted but there exists $i \in [N]$ such that one of the coordinates of
$\mathbf{b}_i - \mathbf{S}^\top \cdot \mathbf{a}_i \bmod q$ is neither close to $0$ nor $\lfloor q/2 \rfloor$ (i.e., the inequalities $ |\mathbf{b}_i - \mathbf{S}^\top \cdot \mathbf{a}_i \bmod q | > \alpha q$ and $ |(\mathbf{b}_i - \mathbf{S}^\top \cdot \mathbf{a}_i \bmod q) - \lfloor q/2 \rfloor | > \alpha q $ are both satisfied). \smallskip
$\mathbf{b}_i - \mathbf{S}^T \cdot \mathbf{a}_i \bmod q$ is neither close to $0$ nor $\lfloor q/2 \rfloor$ (i.e., the inequalities $ |\mathbf{b}_i - \mathbf{S}^T \cdot \mathbf{a}_i \bmod q | > \alpha q$ and $ |(\mathbf{b}_i - \mathbf{S}^T \cdot \mathbf{a}_i \bmod q) - \lfloor q/2 \rfloor | > \alpha q $ are both satisfied). \smallskip
\end{itemize}
In either of the above situations, $\mathsf{R}'$ infers that $\hat{\mathsf{S}}$ managed to create a convincing argument for a false statement and aborts the interaction. In such a situation, however, $\mathsf{R}'$ can be turned into an algorithm that breaks the binding property
of the commitment scheme used in the ZK argument (which contradicts the $\SIS$ assumption if the statistically hiding commitment of \cite{KTX08} is used) by replaying the adversary with the same random tape but a different random oracle $H_{\mathsf{FS}}$. According to the General Forking Lemma of \cite{BPVY00},
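Review bot: condition E.2 bounds "close to $0$ or $\lfloor q/2 \rfloor$" with `$> \alpha q$`, but $\alpha$ is not introduced anywhere in the section, while every other closeness condition (decryption, the $\mathbf{y}$ range proof, test \eqref{test-trois}) is stated with $q/5$ or $q/4$. Either define $\alpha$ where the parameters are fixed or restate E.2 with the bound used by the decryption test; as written the abort condition is not checkable. Also, the inequality is written on the whole vector $\mathbf{b}_i - \mathbf{S}^T \cdot \mathbf{a}_i \bmod q$ although the sentence speaks of "one of the coordinates"; index the coordinate as is done for $\mathbf{y}[j]$ elsewhere. Good that the commented-out `%(which happens if $\mathbf{T}_{\mathbf{F}}^T \cdot \mathbf{p}_j $ is not small)` was updated along with the live text.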
@ -2070,7 +2202,7 @@ The above $\OTA$ protocol provides receiver security under the $\SIS$ assumption
uses the previously extracted $\mathbf{S} \in \chi^{n \times t}$ to determine if there exists $\mathbf{y} \in \ZZ^t$ of norm $\| \mathbf{y} \|_{\infty}
\leq q/5$ such that
\begin{eqnarray} \label{test-trois}
\mathbf{c}_0^\top \cdot \mathbf{S} + \mathbf{y}^\top = \mathbf{c}_1^\top - {M'}^\top \cdot \lfloor q/2 \rfloor .
\mathbf{c}_0^T \cdot \mathbf{S} + \mathbf{y}^T = \mathbf{c}_1^T - {M'}^T \cdot \lfloor q/2 \rfloor .
\end{eqnarray}
If such vector $\mathbf{y}$ turns out not to exist, $\mathsf{R}'$ deduces $\mathsf{R}'$ that $\hat{\mathsf{S}}$ was able to fake a convincing argument for a false statement and aborts the interaction. However, $\mathsf{R}'$ can then be turned into a PPT adversary against the binding property
of the commitment scheme used in the ZK argument (and thus the $\SIS$ assumption if the commitment of \cite{KTX08} is used) by replaying the adversary according to the General Forking technique \cite{BPVY00}. The result of \cite{BPVY00} tells us that
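Review bot: typo on the context line right after the rewritten equation: `If such vector $\mathbf{y}$ turns out not to exist, $\mathsf{R}'$ deduces $\mathsf{R}'$ that $\hat{\mathsf{S}}$ was able to fake` repeats `$\mathsf{R}'$` and drops the article; it should read "If such a vector $\mathbf{y}$ turns out not to exist, $\mathsf{R}'$ deduces that ...". Worth fixing in the same commit since the line is already in the hunk.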
@ -2083,12 +2215,12 @@ The above $\OTA$ protocol provides receiver security under the $\SIS$ assumption
the first message of the encrypted database. In more details, at each transfer, $\mathsf{R}'$
samples vectors $\mathbf{e} \sample U(\{-1,0,1\}^m)$, $\mu \sample U(\{0,1\}^t)$ and $\nu \sample U([-B,B]^t)$ to compute and send
\begin{eqnarray*}
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{1} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{1} + \mathbf{P}^\top \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t,
(\mathbf{c}_0,\mathbf{c}_1) = \big( \mathbf{a}_{1} + \mathbf{F} \cdot \mathbf{e} , ~\mathbf{b}_{1} + \mathbf{P}^T \cdot \mathbf{e} + \mu \cdot \lfloor q/2 \rfloor + \nu \big) \in \Zq^n \times \Zq^t,
\end{eqnarray*}
which is a re-randomization of $(\mathbf{a}_{1},\mathbf{b}_{1} + \mu \cdot \lfloor q/2 \rfloor )$. Moreover, $\mathsf{R}_\mathsf{T}'$ uses the witness $\rho_i=1$ to faithfully generate an interactive WI argument that
$(\mathbf{c}_0,\mathbf{c}_1)$ is a re-randomization of $(\mathbf{a}_{\rho_i},\mathbf{b}_{\rho_i})$.
It thus generates a WI argument of knowledge of vectors $\mathfrak{m} = \mathsf{vdec}_{n+t,q-1}(\mathbf{a}_1| \mathbf{b}_1) \in \{0,1\}^{m_d}$, $\mathbf{e} \in \{-1,0,1\}^t$, $\mu \in \{0,1\}^t$,
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $(\mathbf{v}_1^\top | \mathbf{v}_2^\top)^\top \in \ZZ^{2m}$ satisfying relations~\eqref{eq:protocol-3-original}.
$\nu \in [-B,B]^t$, $\tau \in \{0,1\}^{\ell}$ and $(\mathbf{v}_1^T | \mathbf{v}_2^T)^T \in \ZZ^{2m}$ satisfying relations~\eqref{eq:protocol-3-original}.
%(\ref{statement-rand-un})-(\ref{statement-rand-deux}).
By the statistically WI of the interactive argument system, this modification has no noticeable impact on the output distribution of a cheating sender $\hat{\mathsf{S}}$ whatsoever.
We have $ | \Pr[W_4] -\Pr[W_3] | \in \mathsf{negl}(\lambda). $ \smallskip
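Review bot: the same dimension slip as in the transfer phase: `$\mathbf{e} \in \{-1,0,1\}^t$` on the line `It thus generates a WI argument of knowledge of vectors $\mathfrak{m} = \mathsf{vdec}_{n+t,q-1}(\mathbf{a}_1| \mathbf{b}_1) ...` should be `^m`, since $\mathbf{e}$ is sampled from $U(\{-1,0,1\}^m)$ two lines above. In the same experiment the simulator is written `$\mathsf{R}_\mathsf{T}'$` on one line and `$\mathsf{R}'$` on the others; and "By the statistically WI of the interactive argument system" should read "By the statistical WI of".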
@ -2131,4 +2263,60 @@ sender in a sequential manner. This restriction is important since
the simulator has to rewind the receiver's zero-knowledge arguments at step 1 of each transfer, which would not be possible in concurrent sessions.
\section{Comparison of Oblivious Transfer Schemes} \label{sec-comp}
\begin{table}[h]
\centering
\scriptsize
\begin{tabular}{|ccccc|}
\hline
Protocol & \begin{minipage}{\widthof{Initialization}}\vspace{3pt}\centering Initialization Cost \vspace{3pt}\end{minipage} & Transfer Cost & Assumptions & Security \\
\hline \hline
Folklore & $\cdot$ & $\bigO(\lambda N)$ & general & Full Sim \\ \hline
%KN~\cite{KN06} & $\bigO(\lambda(N+U))$ & $\bigO(\lambda N)$ & Decisional $n$-th residuosity + DDH & Full Sim \\ \hline
NP~\cite{NP99} & $\cdot$ & $\bigO(\lambda \cdot \log(N))$ & DDH + $\OT_1^2$ & Half Sim \\ \hline
KPN~\cite{KPN10} & $\bigO(\lambda (N \cdot U))$ & $\bigO(\lambda)$ & DDH & Full Sim \\ \hline
CNS~\cite{CNS07} & $\bigO(\lambda (N + U))$ & $\bigO(\lambda)$ & $q$-type & Full Sim \\
GH08~\cite{GH08} & $\bigO(\lambda (N + U))$ & $\bigO(\lambda)$ & DLIN + $q$-type & UC \\
JL~\cite{JL09} & $\bigO(\lambda (N + U))$ & $\bigO(\lambda)$ & Comp. Dec. Residuosity + $q$-type & Full Sim \\
%RKP~\cite{RKP09} & $\bigO(\lambda (N + U))$ & $\bigO(\lambda)$ & DLIN + $q$-Hidden SDH + $q$-TDH & UC \\
GH11~\cite{GH11} & $\bigO(\lambda (N+U))$ & $\bigO(\lambda)$ & Decision 3-Party DH & Full Sim \\ \hline
GH11~\cite{GH11} & $\bigO(\lambda N)$ & $\bigO(\lambda)$ & 3-Party DDH + DLIN & Full Sim \\ \hline \hline
Ours, §\ref{sec:def-OT} & $\bigO(\lambda (N \cdot U))$ & $\bigO(\lambda \cdot \log N)$ & LWE + SIS & Full Sim \\
Ours, App \ref{optimized} & $\bigO(\lambda N)$ & $\bigO(\lambda \cdot \log N)$ & LWE + SIS & Full Sim (ROM)\\ \hline
\end{tabular}
\medskip
\caption[Comparison of the different adaptive OT protocols secure in the standard model]{Overview of the different adaptive OT (without access control) protocols secure in the standard model (except for our scheme in Section~\ref{optimized} of this Supplementary Material). In this table, $\lambda$ denotes the security parameter, $N$ the size of the database and $U$ the number of receivers. The horizontal lines separate the different schemes into categories based of their efficiency. We note that, like those of \cite{KPN11}, the KPN~\cite{KPN10} scheme is secure in a strictly weaker model than ours. In particular, the sender detects if the same record is obtained twice, as pointed out in \cite{GH11}.
%We also note that, while the proceedings version of \cite{KPN11} claims a construction based on $\LWE$, this claim was removed from the revised
%ePrint version in August 2014.
}
\label{tab:comparison}
\end{table}
In this section, we present, in Tables~\ref{tab:comparison} and \ref{tab:AC-comparison}, comparisons between existing adaptive oblivious transfer protocols and ours. These results are to be taken carefully, as the existing schemes are mostly designed in the pairing-based cryptography setting.
The communication complexities thus take into account the number of underlying mathematical objects exchanged during each interactive protocols, which are group elements in the previous constructions, and vectors in our case.
Another remark is that the other schemes which support access control, shown in Table~\ref{tab:AC-comparison}, manage access policy in the fashion of Camenisch \textit{et al.}~\cite{CDN09}. In their work, they model the \textit{access policy} as access categories bounded to users (like their role, or their permission) which are delivered by the issuer. A given message in the database is made available for a \textit{conjunction} of access categories: meaning that to access a given file, a user has to be in \textit{all} the categories the message in linked to. To handle disjunctions, the file is duplicated. The number of messages in the database $N$ in these schemes is then dependent of the access policy, and a cost for duplications is to take into account, as the database has to prove that encryption of the same message with different access policy is indeed the encryption of the same message.
By handling access control through branching programs, we avoid the hidden cost of disjunctions, while enabling access control for attribute's language in $\mathsf{NC}1$.
\begin{table}[h]
\centering
\scriptsize
\begin{tabular}{|ccccccc|}
\hline
Protocol & \begin{minipage}{\widthof{Initialization}}\centering\vspace{3pt} Initialization Cost\vspace{3pt}\end{minipage} & Transfer Cost & Assumptions & Policies & \begin{minipage}{\widthof{Policies}}Private Policies\end{minipage} & Security \\
\hline \hline
CDN~\cite{CDN09} & $\bigO(\lambda \cdot N)$ & $\bigO(\lambda) \cdot \poly[\lambda]$ & $q$-type & Conj. & \nocross & Full Sim \\
%ZAWHMCY~\cite{ZA+10} & $\bigO(\lambda N)$ & $\bigO(\lambda)$ & ABE & Full Sim \\
CDNZ~\cite{CDNZ11} & $\bigO(\lambda \cdot N)$ & $\bigO(\lambda) \cdot \poly[\lambda]$ & $q$-type + XDDH & Conj. & \okcross & Full Sim \\
ACDN~\cite{ACDN13} & $\bigO(\lambda \cdot N)$ & $\bigO(\lambda) \cdot \poly[\lambda]$ & DLIN + SXDH& Conj. & \nocross & UC \\ \hline
ZAW+~\cite{ZAW+10} & $\bigO(\lambda \cdot N)$ & $\bigO(\lambda)$ & CP-ABE + $q$-type & $\mathsf{NC}1$ & \nocross & Full-Sim \\ \hline
CDEN~\cite{CDEN12} & $\bigO(\lambda \cdot N)$ & $\bigO(\lambda \log N) + \poly[\lambda]$ & CP-ABE + GGM & $\mbox{CNF}^{-}$ & \okcross & Full-Sim \\ \hline \hline
Ours, §\ref{OT-AC-scheme} & $\bigO(\lambda \cdot N) $ & $\widetilde{\bigO}(\lambda \log N) + \poly[\lambda]$ & LWE + SIS & $\mathsf{NC}1$ & \nocross & Full Sim \\ \hline
\end{tabular}
\medskip
\caption[Comparison of the different adaptive OT-AC schemes secure in the standard model]{Overview of the different adaptive OT-AC protocols secure in the standard model. Here $N$ denotes the size of the database. The polynomial $\poly[\lambda]$ in transfer costs captures the expense of access policies. In CDEN, GGM stands for generic group model, and $\mbox{CNF}^{-}$ means a restricted version of conjunctive normal form formulas, namely a user has to possess \textit{all} attributes in its access credentials, and to do so, it is able to provides a disjunction of its accesses. Finally ``Conj.'' means ``Conjunctions'', meaning that the user has to possess all the credential for a given message, and disjunctions can be achieved at the expense of duplications of database entries.}
\label{tab:AC-comparison}
\end{table}
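Review bot: in the first table two rows are labelled `GH11~\cite{GH11}` with different initialization costs and assumptions (`$\bigO(\lambda (N+U))$` / Decision 3-Party DH versus `$\bigO(\lambda N)$` / 3-Party DDH + DLIN); the reader cannot tell which construction of that paper each row refers to, so distinguish them in the Protocol column. Further points on the same section: (1) `Ours, App \ref{optimized}` and the caption's "Section~\ref{optimized} of this Supplementary Material" are paper-era leftovers, since `optimized` is a `\section` of this chapter in the hunk above; write "Ours, §\ref{optimized}" and drop the "Supplementary Material" clause, and check that `sec:def-OT` points at the construction rather than the definitions. (2) The `$\cdot$` entries in the Initialization column are unexplained; a dash plus a caption note ("no initialization phase") is clearer. (3) The CNS, GH08 and JL rows end without `\hline` while the caption says horizontal lines separate efficiency categories; confirm the grouping is intentional. (4) Both floats use `[h]` and the first table is placed before the paragraph that introduces it; move them after the opening paragraph and use `[ht]`. (5) Prose: "to be taken carefully" → "with care"; "each interactive protocols" → "protocol"; "based of their efficiency" → "based on"; "categories bounded to users" → "bound to"; "the message in linked to" → "is linked to"; "is then dependent of" → "on"; "the database has to prove" → "the sender has to prove"; "attribute's language in $\mathsf{NC}1$" and the `$\mathsf{NC}1$` cells → "$\mathsf{NC}^1$"; "it is able to provides" → "provide"; "all the credential" → "credentials"; "Full-Sim" vs "Full Sim" is inconsistent within the second table. (6) `\bigO`, `\poly`, `\okcross`, `\nocross` and `\widthof` (from `calc`) are used but not defined in this file; make sure the thesis preamble provides them.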