Randomized Oblivious Transfer for Secure Multiparty Computation in the Quantum Setting

Abstract

Secure computation is a powerful cryptographic tool that encompasses the evaluation of any multivariate function with arbitrary inputs from mutually distrusting parties. The oblivious transfer primitive serves is a basic building block for the general task of secure multi-party computation. Therefore, analyzing the security in the universal composability framework becomes mandatory when dealing with multi-party computation protocols composed of oblivious transfer subroutines. Furthermore, since the required number of oblivious transfer instances scales with the size of the circuits, oblivious transfer remains as a bottleneck for large-scale multi-party computation implementations. Techniques that allow one to extend a small number of oblivious transfers into a larger one in an efficient way make use of the oblivious transfer variant called randomized oblivious transfer. In this work, we present randomized versions of two known oblivious transfer protocols, one quantum and another post-quantum with ring learning with an error assumption. We then prove their security in the quantum universal composability framework, in a common reference string model.

1. Introduction

Oblivious transfer (OT), first introduced by Rabin in 1981 [1], is an important primitive in modern cryptography. The OT primitive is known to be a basic building block for other cryptographic tasks, including secure Multi-Party Computation (MPC), Bit Commitment (BC), Coin-Tossing, and Zero-Knowledge Proofs [2,3,4,5,6,7].

A 1-out-of-2 OT protocol [8] consists of two parties, a sender with two input messages $(m_0,m_1)$ and a receiver with a choice bit $b\in \{0,1\}$. The goal of the protocol is to output only the message $m_b$ to the receiver, with no information about $m_{1-b}$, and the sender remains oblivious to the receiver’s input bit b. Note that, in the original work by Rabin, called all-or-nothing OT [1], the sender has a single input message, while the receiver has none. The protocol outputs the message to the receiver with probability $\frac{1}{2}$, such that the receiver has no information whether or not the receiver obtained the message. It was shown that one can construct 1-out-of-2 OT from all-or-nothing OT [9]. Another OT variant is that of Randomized Oblivious Transfer (ROT), where neither of the parties have any inputs. The ROT protocol, instead, outputs the messages $(m_0,m_1)$ to the sender and $(b,m_b)$ to the receiver, with $(m_0,m_1,b)$ chosen uniformly at random from their domains.

MPC [10,11], which is an extremely useful cryptographic tool to compute arbitrary functionalities, can be reduced to the OT primitive; i.e., having access to a secure OT is sufficient [2]. MPC implementations based on oblivious-circuit evaluation techniques require a large number of OT (one per input wire for Yao [10], and one per AND gate for GMW [11]). Since classical OT schemes (being based on asymmetric-key cryptography) are relatively slow, the development of large-scale MPC implementations has been severely hindered by the required OT rates. In order to deal with this issue of OT efficiency, the concept of OT extension was introduced by Ishai et al. in 2003 [12]. This technique refers to extending a small number of computationally expensive $base$ OTs into a larger number of OTs, using only cheap symmetric cryptography primitives. For proving the security of these OT extension techniques in the malicious-adversary setting [13], it turns out that one is required to use ROT instances as the base OTs. Additionally, ROT finds direct application in designing efficient Private Set Intersection (PSI) protocols [14], one of the most popular MPC techniques.

Moreover, even though the efficiency issue can be solved by the use of OT extensions for MPC applications, there is the underlying threat that asymmetric-key based schemes (e.g., integer-factorization or discrete-logarithm problems) will be faced with the arrival of quantum computers [15]. The research initiatives for developing quantum-resistant solutions have been following two paths. The first being on the development of more hard-to-break classical cryptography algorithms that will remain secure even against a quantum adversary. These solutions include the approximate Shortest Vector Problem (SVP) on ideal lattices [16], the Learning with Errors (LWE) problem [17] and its ring version, Ring Learning with Errors (RLWE) [16], constituting a new area of research, called post-quantum cryptography. The second approach is that of quantum cryptography, where solutions for Quantum Key Distribution (QKD), BC, and OT already exist [18]. While unconditional security for QKD has been proven [19], there are impossibility results to achieve for the case of BC and OT [20,21,22]. Nevertheless, practical solutions for BC and OT were proposed under the assumption of physical limitations on the devices, such as noisy storage and bounded quantum memories [23,24,25,26,27].

Our Contribution

In this work, we explore the construction of two ROT protocols in the quantum Universal Composability (UC) framework, in the Common Reference String (CRS) model:

• A quantum protocol based on the UC construction by Unruh [28] and augmented with an additional subroutine to enforce randomized outputs.
• A classical protocol based on a variant of the RLWE assumption that adapts the one presented in [29,30] but does not require a random oracle model and, instead, uses a composable commitment scheme and a composable non-interactive zero knowledge (NIZK) protocol.

In both cases, the basic idea is to build upon existing non-randomized OT protocols in such a way as to force the values of all of the protocol’s outputs to be influenced by both parties. This allows us to randomize both the messages $m_0,m_1$ and the choice bit b as long as at least one party is honest, leading to a ROT protocol. Furthermore, we prove that the resulting protocols are secure in the quantum UC framework.

This paper is organized in five sections. In Section 2, we briefly review some definitions and functionalities relevant for the description and analysis of the protocols. In Section 3, we present the generic construction of ROT from OT and afterwards present the commitment scheme and OT protocols that we will be using to achieve the quantum security we need. The security of the protocols are then shown in Section 4. Finally, in Section 5, we present the main results of this work.

2. Background

The problems regarding Ring Learning with Errors are conjectured to be hard on both classical and quantum computers. Before defining the RLWE distribution and its decision problem, we first present the notation used. Let $R_q={\mathbb{Z}}_q\left[X\right]/f\left(X\right)$ be a ring, where $q>2$ is a prime, and $f\left(X\right)$ is a cyclotomic polynomial of degree n. Let $\beta \in \mathbb{N}$ and $\chi$ be the error distribution that outputs elements of $R_q$ with a norm greater than $\beta$ with negligible probability.

Definition 1

(RLWE distribution). Let $q,R_q$ and χ be as above. The RLWE distribution $A_{s,\chi }$ is obtained by sampling $a\in R_q$ uniformly, choosing $e\leftarrow \$ \chi$ and outputting ($a,b=as+e \mathrm{mod} q$) for a secret $s\in R_q$.

Definition 2

(decision-RLWE). Let $q,R_q,\chi$ and $A_{s,\chi }$ be as above. For $s\leftarrow \$$ R_q, given many polynomial samples, the goal is to distinguish between $A_{s,\chi }$ and a uniform distribution over R_q × R_q.

By using the the RLWE variant of the LWE problem we are able to not only work with smaller keys but also increase the speed of the operations by using the Number Theoretic Transform (NTT). The protocol we will be analyzing uses a variant of the RLWE problem, the Hermite Normal Form of the RLWE problem (HNF-RLWE), in which the secret s is sampled from the error distribution χ instead of being chosen uniformly at random from the ring $R_q$. This version of the problem is assumed to be hard as well, since RLWE reduces to it [31].

Often times studying the standalone security of protocols is not enough, since they will be frequently used as subroutines in more complex tasks, as is the case of OT, as well as Coin Tossing, Commitment schemes, Zero-Knowledge proofs, etc. In order to ensure that protocols are secure in any computational environment, Canetti [32] introduced the Universal Composability (UC) framework, which we define next.

Let π be an n-party protocol and $\mathcal{F}$ be an ideal functionality. We denote as ${\mathrm{IDEAL}}_{\mathcal{F},\mathcal{S},\mathcal{Z}}$ the output of the environment $\mathcal{Z}$ at the end of the ideal-world execution of functionality $\mathcal{F}$ with adversary $\mathcal{S}$, and as ${\mathrm{EXEC}}_{\pi ,\mathcal{A},\mathcal{Z}}$ the output of the environment $\mathcal{Z}$ at the end of the real-world execution of π with adversary $\mathcal{A}$. The notion of a protocol securely emulating some ideal functionality is as follows:

Definition 3

(UC-secure). We say that π UC-emulates $\mathcal{F}$ if for any adversary $\mathcal{A}$ there exists a simulator $\mathcal{S}$, such that, for all environment $\mathcal{Z}$,

$$\begin{array}{c}\hfill {\mathrm{IDEAL}}_{\mathcal{F},\mathcal{S},\mathcal{Z}}\approx {\mathrm{EXEC}}_{\pi ,\mathcal{A},\mathcal{Z}}.\end{array}$$

When discussing UC security, we can consider either a bounded (computational) or unbounded (statistical) approach. In computational UC security, we restrict the adversary, simulator, and environment to polynomial-time machines, and this approach is used when showing security based on computational assumptions. On the other hand, in statistical UC security, we quantify over all adversaries, simulators, and environments; as such, we can model statistical security.

In this work, we consider malicious adversaries, that is, adversaries that can deviate in any way from the protocol. However, we assume that the corruption of a party happens before the start of the protocol, and both the sender or the receiver may be corrupted.

In Figure 1, Figure 2, Figure 3, Figure 4 and Figure 5 we present the functionalities that will be relevant in this work.

We stress that the definition of ${\mathcal{F}}_{ROT}$ presented here is stronger than the one presented in Unruh’s original paper [28], in which the outputs are only random if the parties are both honest. In the same paper, the UC framework is extended to the quantum setting by allowing the protocol π, the adversary $\mathcal{A}$, the simulator $\mathcal{S}$, and the environment $\mathcal{Z}$ to be quantum.

Unruh [28] also showed that, when π is a classical protocol and π statistically UC-emulates $\mathcal{F}$, then π statistically quantum-UC-emulates $\mathcal{F}$, providing a lift from statistical classical-UC to statistical quantum-UC. A similar result exists for the computational case [28], but it is required that the adversary in the classical case is given the same computational power as in the quantum setting; in other words, we need to guarantee that the classical machines present in the proof of UC security are as powerful as quantum-polynomial-time machines.

Consider protocols π and σ, we denote the protocol where σ invokes instances of π by ${\sigma }^{\pi }$. A usual situation would be ${\sigma }^{\mathcal{F}}$, being a protocol that uses some ideal functionality $\mathcal{F}$, and ${\sigma }^{\pi }$ would then be the protocol that results from implementing that functionality with some protocol π. Composition has been shown to be secure, both in the classical [32] and quantum settings [28].

Theorem 1

(Universal Composition Theorem [28]). Let $\mathcal{F},\mathcal{G}$ be ideal functionalities. Let π be an n-party protocol that UC-emulates $\mathcal{G}$ in the $\mathcal{F}$-hybrid model, and let η be an n-party protocol that UC-emulates $\mathcal{F}$. Protocol ${\pi }^{\eta }$ then UC-emulates $\mathcal{G}$.

3. Protocols

In this section, we start by presenting the generic construction of ROT from OT, using a commitment scheme, and afterwards describe the commitment scheme and the quantum OT protocol that will allow our ROT protocol to computationally quantum-UC-emulate ${\mathcal{F}}_{ROT}$. Finally, we describe a post-quantum approach, a ROT protocol based on the RLWE assumption, inspired by the recent work of [30], with a small tweak to avoid using random oracles, which misbehave against quantum adversaries.

3.1. Generating an UC-Secure Random OT

The protocol ${\pi }_{OT\to ROT}$ is presented in Figure 6. We consider the two parties: the sender $\mathsf{S}$ and the receiver $\mathsf{R}$. It begins with $\mathsf{R}$ sampling two strings $r_0,r_1\in {\{0,1\}}^{\ell }$ and committing them to $\mathsf{S}$. $\mathsf{R}$ then chooses a random bit c, and $\mathsf{S}$ chooses two random strings, $w_0,w_1\in {\{0,1\}}^{\ell }$. With these, the parties invoke the ${\mathcal{F}}_{OT}$ functionality. Following that, $\mathsf{S}$ chooses a random bit d and sends it over to $\mathsf{R}$. Finally, $\mathsf{R}$ opens his commitment, and $\mathsf{S}$ checks if it matches the initial commit. If it does not, it aborts; otherwise, it outputs $(M_0=w_d\oplus r_d,M_1=w_{d\oplus 1}\oplus r_{d\oplus 1})$. $\mathsf{R}$ outputs $(b=c\oplus d,M_b=w_c\oplus r_c)$.

3.2. UC-Secure Commitment Scheme

Canetti [33] showed that UC-secure commitment schemes are impossible in the plain model, and the same result was later proven for the quantum setting as well [22]. With that in mind, we will be working on the Common Reference String (CRS) model defined in Figure 4.

The protocol ${\pi }_{COM}$ in Figure 7 has been shown to be computationally UC-secure in the CRS model [33]. The key to this protocol’s composability is the use of a trapdoor pseudo-random generator (PRNG) $G_{pk}$, which is described by its public key $pk$. This generator $G_{pk}$ stretches n-bit inputs to 4n-bit outputs, and has a trapdoor $td$. Having access to both $pk$ and $td$, we can easily check if a given string $y\in {\{0,1\}}^{4n}$ is in the range of $G_{pk}$.

Note that the protocol ${\pi }_{COM}$ is a bit commitment protocol, and for string commitment, an instance of ${\pi }_{COM}$ is needed to run for each bit of the string.

3.3. UC-Secure Quantum OT Protocol

The protocol in Figure 8 was proposed by Yao and has been shown to be statistically quantum-UC-secure with ideal commitments [28].

We describe the logical qubit states $|0\rangle$ and $|1\rangle$ (representing the computational basis), and the states $|+\rangle =\left(\right|0\rangle +|1\rangle )/\sqrt{2}$, $|-\rangle =\left(\right|0\rangle -|1\rangle )/\sqrt{2}$ (representing the Hadamard basis). We use the following notation to define the states $\left|\right(s_i,a_i)\rangle$ for $s_i,a_i\in \{0,1\}$:

$$\begin{array}{c}\left|\right(0,0)\rangle =|0\rangle \left|\right(0,1)\rangle =|+\rangle ,\hfill \\ \left|\right(1,0)\rangle =|1\rangle \left|\right(1,1)\rangle =|-\rangle .\hfill \end{array}$$

The protocol begins with the sender $\mathsf{S}$ preparing qubit states and sending them to the receiver $\mathsf{R}$, which then samples a random string $\tilde{a}$. For every qubit received, $\mathsf{R}$ measures the i-th state on a computational basis if $\widetilde{a_i}=0$ or, on the Hadamard basis, if $\widetilde{a_i}=1$. Therefore, approximately half of $\mathsf{R}$’s measurement results will be correlated with the prepared states by $\mathsf{S}$, while the rest will be uncorrelated. To ensure security against a dishonest $\mathsf{R}$, it is required to commit information on all of his measurement bases and outcomes to $\mathsf{S}$, which then picks a random subset of them and tests for correlations. The passing of this test (statistically) ensures that $\mathsf{R}$ measured its qubits honestly. Next, $\mathsf{S}$ shares with $\mathsf{R}$ the bases it used for her state-preparation and, with this information, $\mathsf{R}$ knows which of its results are correlated with the sender’s. The receiver, then, creates two sets: $I_0$, with indices where it is measured on the same basis as $\mathsf{S}$, and $I_1$, where their measuring bases differ. Following that, $\mathsf{R}$ uses its choice bit b to select the order in which it sends the two sets to $\mathsf{S}$. The sender samples two hash functions $f_0,f_1$ at random, from a 2-universal family of hash functions $\mathbf{F}$, in order to generate uniform keys of appropriate size, as that of the messages $m_0,m_1$. $\mathsf{S}$ sends the encrypted messages $w_0,w_1$ to $\mathsf{R}$, which can only decrypt the message corresponding to the set $I_0$.

3.4. Post-Quantum UC-Secure ROT Protocol

The protocol in Figure 9 is based on the recently proposed protocol by [30] (which was based on [29]), which has been shown to be UC-secure under the RLWE assumption in the Random Oracle Model (ROM). However, UC security using ROM does not directly lift to UC security against quantum adversaries. Taking that into consideration, our idea is to replace the random oracle calls, which are used to either commit to a string or to generate a random string.

In order to understand the protocol ${\pi }_{ROT}$, we need to provide some preliminary definitions. A signal function $\mathsf{Sig}$ and an extraction function $\mathsf{Ext}$ are described as in the key exchange protocol using RLWE of [34], to be used by the involved parties to reconcile a shared key.

Let ${\sigma }_0,{\sigma }_1:{\mathbb{Z}}_q\to \{0,1\}$. We define ${\sigma }_0,{\sigma }_1$ as follows:

$${\sigma }_0\left(a\right)=\left\{\begin{array}{cc}0,\hfill & a\in [-\lfloor \frac{q}{4}\rfloor ,\lfloor \frac{q}{4}\rfloor ]\hfill \\ 1,\hfill & \mathrm{otherwise}\hfill \end{array}\right.\mathrm{and}{\sigma }_1\left(a\right)=\left\{\begin{array}{cc}0,\hfill & a\in [-\lfloor \frac{q}{4}+1\rfloor ,\lfloor \frac{q}{4}+1\rfloor ]\hfill \\ 1,\hfill & \mathrm{otherwise}\hfill \end{array}\right.$$

Next, we need to extend ${\sigma }_0,{\sigma }_1$ to the ring case. For any $a={\sum }_{i=0}^{n-1}{a}_i{X}^i\in R_q$, we define ${\sigma }_0,{\sigma }_1:R_q\to R_2$ as follows:

$${\sigma }_0\left(a\right)=\sum _{i=0}^{n-1}{\sigma }_0\left(a_i\right)X^i\mathrm{and}{\sigma }_1\left(a\right)=\sum _{i=0}^{n-1}{\sigma }_1\left(a_i\right)X^i$$

The signal function $\mathsf{Sig}:R_q\to R_2$ can now be defined as $\mathsf{Sig}\left(a\right)={\sigma }_b\left(a\right)$, where $b\leftarrow \$ \{0,1\}$, while the extraction function $\mathsf{Ext}:$ R_q × R₂ → R₂ is

$$\mathsf{Ext}(a,\sigma )=\left(a+\sigma \frac{q-1}{2}modq\right)mod2.$$

We can now describe the ROT protocol based on the RLWE assumption, Figure 9, which can be seen as a tweaked version of the protocol of [30], where we replace the random oracles by a commitment scheme and a NIZK protocol, modeled as functionalities.

Let χ and q be as in Definition 2 and ℓ be the security parameter. Let $(m,h)$ be the common string, where $m,h\in R_q$, and let $\mathsf{Ext}$ and $\mathsf{Sig}$ be the algorithms defined above.

The protocol starts with both parties generating an RLWE sample. The sender $\mathsf{S}$ generates $p_{\mathsf{S}}=m{s}_{\mathsf{S}}+2e_{\mathsf{S}}modq$, and the receiver $\mathsf{R}$ generates $p_{\mathsf{R}}^c=m{s}_{\mathsf{R}}+2e_{\mathsf{R}}modq$, where c is a bit randomly chosen by $\mathsf{R}$. If the sampled bit $c=1$, then $\mathsf{R}$ computes $p_{\mathsf{R}}^0=p_{\mathsf{R}}^1-hmodq$. The receiver then samples two strings $t_0,t_1\leftarrow \$ {\{0,1\}}^{\ell }$ commits both strings, and sends $p_{\mathsf{R}}^0$ to $\mathsf{S}$. The sender uses the common string h and $p_{\mathsf{R}}^0$ to compute $p_{\mathsf{R}}^1=p_{\mathsf{R}}^0+h$ mod q and uses both values $p_{\mathsf{R}}^0,p_{\mathsf{R}}^1$ to generate two RLWE samples. $k_{\mathsf{S}}^i=s_{\mathsf{S}}{p}_{\mathsf{R}}^i+2e_{\mathsf{S}}^{\prime }$ mod q for $i\in \{0,1\}$. $\mathsf{S}$ now computes ${\sigma }_i=\mathsf{Sig}\left(k_{\mathsf{S}}^i\right)$ and ${\mathsf{sk}}_{\mathsf{S}}^i=\mathsf{Ext}(k_{\mathsf{S}}^i,{\sigma }_i)$, for $i\in \{0,1\}$ and sends $p_{\mathsf{S}},{\sigma }_0,{\sigma }_1$ to $\mathsf{R}$. The receiver then generates an RLWE sample $k_{\mathsf{R}}=s_{\mathsf{R}}{p}_{\mathsf{S}}+2e_{\mathsf{R}}^{\prime }$ mod q from $p_{\mathsf{S}}$ and computes ${\mathsf{sk}}_{\mathsf{R}}=\mathsf{Ext}(k_{\mathsf{R}},{\sigma }_c)$. The key exchange protocol guarantees that ${\mathsf{sk}}_{\mathsf{S}}^c={\mathsf{sk}}_{\mathsf{R}}$ with overwhelming probability, so as to guarantee that $\mathsf{R}$ did not cheat (and indeed the computed ${\mathsf{sk}}_{\mathsf{R}}$). Both parties engage in a NIZK protocol. If the proof fails, $\mathsf{S}$ aborts; otherwise, he samples a bit a and two strings $r_0,r_1\leftarrow \$ {\{0,1\}}^{\ell }$ and sends a, r0, r1 to $\mathsf{R}$. The receiver opens his initial commitment to $\mathsf{S}$, and if the test passes, both parties output their messages: $\mathsf{S}$ outputs ($M_0={\mathsf{sk}}_{\mathsf{S}}^a\oplus r_a\oplus t_a,M_1={\mathsf{sk}}_{\mathsf{S}}^{a\oplus 1}\oplus r_{a\oplus 1}\oplus t_{a\oplus 1}$), and $\mathsf{R}$ outputs ($b=a\oplus c,M_b={\mathsf{sk}}_{\mathsf{R}}\oplus r_c\oplus t_c$).

To simplify the description of ${\pi }_{ROT}$ in Figure 9, we represent ${\mathcal{F}}_{NIZK}$ with a single input from the prover $\mathsf{R}$ (the witness w) and a single output to the verifier $\mathsf{S}$, where this output is 1 if w satisfies $\mathcal{R}$ or 0 otherwise. Let the binary relation $\mathcal{R}$ be such that

$$\mathcal{R}(x,w)=1\iff w={\mathsf{sk}}_{\mathsf{S}}^0\vee w={\mathsf{sk}}_{\mathsf{S}}^1,$$

where $x=\mathsf{Enc}({\mathsf{sk}}_{\mathsf{S}}^0,{\mathsf{sk}}_{\mathsf{S}}^1)$ for a given public key encryption scheme.

The ${\mathcal{F}}_{NIZK}$ functionality can, for instance, be instantiated using the protocol described in [35]. This protocol is shown to be quantum-composable in the CRS model, based on the LWE assumption.

4. Security

In this section, we establish the quantum-UC security of the proposed protocols in the CRS model. We begin by analyzing the quantum protocol first and proving that ${\pi }_{OT\to ROT}$ is quantum-UC-secure when instantiated with ${\pi }_{COM}$ and ${\pi }_{QOT}^{{\pi }_{COM}}$. We then prove the quantum-UC security of the ${\pi }_{ROT}$.

4.1. Quantum-UC Security of the Quantum ROT Protocol

Theorem 2.

Protocol ${\pi }_{OT\to ROT}$ quantum-UC-emulates ${\mathcal{F}}_{ROT}$ in the $\langle {\mathcal{F}}_{OT},{\mathcal{F}}_{COM}\rangle$-hybrid model.

Proof. 

We start by describing how the simulator $\mathcal{S}$ behaves in each of the possible cases for the execution of the protocol when an adversary $\mathcal{A}$ is present.

• Corrupted Sender. In this case, $\mathcal{S}$ simulates the view of the sender, effectively controlling the inputs to ${\mathcal{F}}_{COM}$ and the input bit to ${\mathcal{F}}_{OT}$. In order to do so, we start by replacing ${\mathcal{F}}_{COM}$ by a commitment functionality ${\mathcal{F}}_{FakeCOM}$, which allows the receiver to cheat. In the commit phase, ${\mathcal{F}}_{FakeCOM}$ expects a message commit instead of (commit, x); in the open phase, ${\mathcal{F}}_{FakeCOM}$ expects a message (open, x) instead of open, which is then sent to the sender. We now change the receiver’s implementation to match with the new functionality; that is, when committing to message m, the receiver stores that message and later gives it to ${\mathcal{F}}_{FakeCOM}$ when opening the commitment.

We can now describe how the simulator works. $\mathcal{S}$ starts by receiving $(M_0,M_1)$ from ${\mathcal{F}}_{ROT}$; afterwards, it sends commit to ${\mathcal{F}}_{FakeCOM}$, samples $c\leftarrow \$ \{0,1\}$, and sends c to ${\mathcal{F}}_{OT}$. Upon receiving d, the simulator extracts $w_0,w_1$ from observing the sender’s call to ${\mathcal{F}}_{OT}$ and computes $r_d=M_0\oplus w_d$ and $r_{d\oplus 1}=M_1\oplus w_{d\oplus 1}$. Finally, it sends (open, $(r_1,r_1)$) to ${\mathcal{F}}_{FakeCOM}$.

• Corrupted Receiver. Now, $\mathcal{S}$ simulates the view of the receiver, controlling the input messages to ${\mathcal{F}}_{OT}$. The simulator starts by receiving $(b,M)$ from ${\mathcal{F}}_{ROT}$. After receiving the commitment message, $\mathcal{S}$ extracts the strings $r_0,r_1$ and the bit c from observing the receiver’s call to ${\mathcal{F}}_{COM}$ and ${\mathcal{F}}_{OT}$, respectively. It then computes $w_c=r_c\oplus M$ and $d=b\oplus c$ and samples $w_{c\oplus 1}\leftarrow \$ {\{0,1\}}^{\ell }$; afterwards, send $(w_0,w_1)$ to ${\mathcal{F}}_{OT}$ and d to $\mathcal{A}$. When ${\mathcal{F}}_{COM}$ replies with open $(r_0,r_1)$, it checks if the values received match the original commitments and aborts if they do not.
• Both/None parties corrupted. When both parties are corrupted, $\mathcal{S}$ internally runs $\mathcal{A}$, which generates the messages for both parties.
   When the adversary does not corrupt any party, the simulator does not have an input from the ideal functionality ${\mathcal{F}}_{ROT}$. As such, $\mathcal{S}$ runs the honest receiver and the honest sender, executing the needed algorithms when a dummy party is called in the ideal execution. The simulator forwards the messages of the honestly simulated protocol to $\mathcal{A}$.

To finish the proof, it remains to show that the simulated executions of the protocol are indistinguishable from the real one.

Claim 1.

If the adversary $\mathcal{A}$ corrupts the sender, then the real execution of the protocol ${\pi }_{OT\to ROT}$ is indistinguishable from the simulated one.

Proof. 

The real world execution can be viewed as a game that proceeds as follows:

• Sample values $r_0,r_1\leftarrow \$ {\{0,1\}}^{\ell }$ and commit to values $r_0,r_1$.
• Sample bit $c\leftarrow \$ \{0,1\}$ and run the OT protocol with the choice bit c.
• Open the commitment to values $r_0,r_1$.

The ideal world execution can be viewed as a game that proceeds as follows:

• Send commit to ${\mathcal{F}}_{FakeCOM}$.
• Sample bit $c\leftarrow \$ \{0,1\}$ send c to ${\mathcal{F}}_{OT}$.
• Send (open, $(r_0,r_1)$) to ${\mathcal{F}}_{FakeCOM}$, where $r_d=M_0\oplus w_d$ and $r_{d\oplus 1}=M_1\oplus w_{d\oplus 1}$.

The differences between the two traces are the commitment functionality and how the values $r_0,r_1$ are generated. However, since the commitments are opened in the same way, replacing ${\mathcal{F}}_{COM}$ by ${\mathcal{F}}_{FakeCOM}$ leads to a perfectly indistinguishable network. Regarding $r_0,r_1$, since $M_0,M_1$ are uniform random values, which come from ${\mathcal{F}}_{ROT}$, the values $r_0,r_1$ are also statistically indistinguishable from uniform random values. Therefore, the two executions are statistically indistinguishable. □

Claim 2.

If the adversary $\mathcal{A}$ corrupts the receiver, then the real execution of the protocol ${\pi }_{OT\to ROT}$ is indistinguishable from the simulated one.

Proof. 

The real world execution can be viewed as a game that proceeds as follows:

• Sample strings $w_0,w_1\leftarrow \$ {\{0,1\}}^{\ell }$ and run the OT protocol with $w_0,w_1$.
• Sample bit d and send it to $\mathsf{R}$
• Check if the received values verify their commitment.

The ideal world execution can be viewed as a game that proceeds as follows:

• Sample string $w_{c\oplus 1}\leftarrow \$ {\{0,1\}}^{\ell }$ and compute $w_c=r_c\oplus M$; afterwards, send ($w_0,w_1$) to ${\mathcal{F}}_{ROT}$.
• Compute $d=b\oplus c$ and send it to $\mathsf{R}$.
• Check if the received values verify their commit.

In this case, the difference between both traces is in how $w_c$ and d are generated. Since M and b are uniform random values, which come from ${\mathcal{F}}_{ROT}$, both the string $w_c$ and the bit d are statistically indistinguishable from a uniform random string and a uniform random bit, respectively. Thus, the above two executions are statistically indistinguishable. □

Finally, it is trivial to conclude that, when both parties are corrupted and when neither parties are corrupted, the simulated executions of the protocol are indistinguishable from the real execution. This concludes the proof. □

We have shown that, with ${\pi }_{OT\to ROT}$, we can transform ${\pi }_{QOT}$ into a ROT. We now need to prove that ${\pi }_{COM}$ remains UC-secure when working in a quantum setting.

Theorem 3.

Let $G_{pk}$ be a quantum robust PRNG. ${\pi }_{COM}$ then (computationally) quantum UC-emulates ${\mathcal{F}}_{COM}$ in the CRS model.

Proof. 

We start by briefly describing the UC security proof of ${\pi }_{COM}$ by Canneti in [33].

The simulation starts with the simulator $\mathcal{S}$ by generating $p{k}_0,p{k}_1$, sampling random $r_0,r_1\in {\{0,1\}}^n$, and setting $\sigma =G_{p{k}_0}\left(r_0\right)\oplus G_{p{k}_1}\left(r_1\right)$. With this fake string, $\mathcal{S}$ tells the adversary $\mathcal{A}$ that the sender is committed to $y=G_{p{k}_0}\left(r_0\right)$. By later sending $r_0$ or $r_1$, the simulator is able to open the commitment to either $b=0$ or to $b=1$, respectively. If it were possible to distinguish the fake string from the real one, it would contradict the pseudo-randomness of the generator.

When working in a quantum setting, the indistinguishability of the fake string reduces to the pseudo-randomness of the generator; that is, the environment can only distinguish between the real world and ideal world executions if it is possible to distinguish the fake string σ from the real one. As such, if the generators are quantum robust, the environment will not be able to distinguish between both strings. Therefore, the arguments used in the classical UC security proof follow for quantum UC security as well. □

Finally, we analyze the security of the proposed composition of protocols. Let ${\pi }_{QROT}$ denote ${\pi }_{OT\to ROT}$ instantiated with ${\pi }_{COM}$ and ${\pi }_{QOT}^{{\pi }_{COM}}$.

Theorem 4.

Protocol ${\pi }_{QROT}$ quantum-UC-emulates ${\mathcal{F}}_{ROT}$.

Proof. 

First, we analyze the UC security of ${\pi }_{QOT}^{{\pi }_{COM}}$. Protocol ${\pi }_{QOT}$ with ideal commitments is known to be universally composable [28]; as such, since ${\pi }_{COM}$ is a composable commitment scheme, we have that ${\pi }_{QOT}^{{\pi }_{COM}}$ quantum-UC-emulates ${\mathcal{F}}_{OT}$.

Finally, as was shown in Theorem 2, ${\pi }_{OT\to ROT}$ with ideal commitments and an ideal OT is universally composable. Since both ${\pi }_{COM}$ and ${\pi }_{QOT}^{{\pi }_{COM}}$ are universally composable, the result follows directly. □

A downside of using ${\pi }_{COM}$ as the commitment scheme is that we require a call to ${\pi }_{COM}$ for each bit of the string we intend to commit, which will affect the protocol’s efficiency. However, since a composable commitment is required, this is our best suggestion in the CRS model.

4.2. Quantum-UC Security of the Post-Quantum ROT Protocol

We now analyze the security of ${\pi }_{ROT}$. The simulator will use its ability to program the CRS and extract the NIZK witness in order to obtain the desired UC security.

Theorem 5.

Protocol ${\pi }_{ROT}$ (computationally) quantum-UC-emulates $F_{ROT}$ in the CRS model, given that the HNF-RLWE assumption holds.

Proof. 

Once again, we describe the behavior of the simulator $\mathcal{S}$ in each of the possible cases for the execution of the protocol when an adversary $\mathcal{A}$ is present.

• Corrupted Sender. The simulator $\mathcal{S}$ simulates the view of the sender, meaning that it controls the communication with $\mathsf{R}$ as well as the inputs of ${\mathcal{F}}_{COM}$ and ${\mathcal{F}}_{NIZK}$. As in the proof of security for ${\pi }_{QROT}$, we will be replacing ${\mathcal{F}}_{COM}$ by the functionality ${\mathcal{F}}_{FakeCOM}$ and changing the receiver’s implementation to match ${\mathcal{F}}_{FakeCOM}$.

$\mathcal{S}$ starts by receiving $(M_0,M_1)$ from ${\mathcal{F}}_{ROT}$. It then samples $c\leftarrow \$ \{0,1\}$ and $t_0,t_1\leftarrow \$ {\{0,1\}}^{\ell }$, as an honest receiver would. Next, it computes two RLWE samples, $p_{\mathsf{R}}^0=m{s}_{\mathsf{R}}^0+2e_{\mathsf{R}}^0$ mod q and $p_{\mathsf{R}}^1=m{s}_{\mathsf{R}}^0+2e_{\mathsf{R}}^0$ mod q, sets $h=p_{\mathsf{R}}^1-p_{\mathsf{R}}^0$, and programs ${\mathcal{F}}_{CRS}$ to return ($m,h$) when queried. Following that, it sends $p_{\mathsf{R}}^0$ to $\mathcal{A}$ and sends commit to ${\mathcal{F}}_{FakeCOM}$.

After receiving $(p_{\mathsf{S}},{\sigma }_0,{\sigma }_1)$, $\mathcal{S}$ computes ${\mathsf{sk}}_{\mathsf{R}}^i=\mathsf{Ext}(s_{\mathsf{R}}^i{p}_{\mathsf{S}}+2{e_{\mathsf{R}}^{\prime }}^i,{\sigma }_i)$, for $i\in \{0,1\}$, and sends ${\mathsf{sk}}_{\mathsf{R}}^c$ to ${\mathcal{F}}_{NIZK}$. Finally, upon receiving $a,r_0,r_1$, $\mathsf{S}$ computes $t_a=M_0\oplus {\mathsf{sk}}_{\mathsf{S}}^a\oplus r_a$ and $t_{a\oplus 1}=M_1\oplus {\mathsf{sk}}_{\mathsf{S}}^{a\oplus 1}\oplus r_{a\oplus 1}$ and sends (open, $(t_0,t_1)$) to ${\mathcal{F}}_{FakeCOM}$.

• Corrupted Receiver. In this case, $\mathcal{S}$ simulates the view of the receiver, controlling the communication with $\mathsf{S}$. The simulator starts by receiving $(b,M)$ from ${\mathcal{F}}_{ROT}$. It computes $p_{\mathsf{S}}$ as an honest sender; after receiving $p_{\mathsf{R}}^0$ as well as the receipt of the commitment, it computes ${\mathsf{sk}}_{\mathsf{S}}^i,{\sigma }_i$ honestly, for $i\in \{0,1\}$, and sends $p_{\mathsf{S}},{\sigma }_0,{\sigma }_1$ to $\mathcal{A}$. After receiving the reply from ${\mathcal{F}}_{NIZK}$, if the test passed, $\mathcal{S}$ extracts c from observing the call made to ${\mathcal{F}}_{NIZK}$ and comparing ${\mathsf{sk}}_{\mathsf{R}}$ to ${\mathsf{sk}}_{\mathsf{S}}^0$ and ${\mathsf{sk}}_{\mathsf{S}}^1$. Finally, it computes $a=b\oplus c$ and $r_c=M\oplus {\mathsf{sk}}_{\mathsf{S}}^c\oplus t_c$, samples $r_{c\oplus 1}\leftarrow \$ \{0,1\}$ and sends $a,r_0,r_1$ to $\mathcal{A}$. At the end, it checks if $t_0,t_1$ match the initial commitment, aborting if they do not.
• Both/None parties corrupted. Here, both cases work as in the previous UC security proof. When both parties are corrupted, the adversary is ran internally by $\mathcal{S}$. When neither of the parties are corrupted, $\mathcal{S}$ runs the honest receiver and sender, sending all the messages between them to $\mathcal{A}$.

Again, we now need to show that the real execution of the protocol is indistinguishable from the simulated ones.

Claim 3.

If the adversary $\mathcal{A}$ corrupts the sender, then the real execution of the protocol ${\pi }_{ROT}$ is indistinguishable from the simulated one.

Proof. 

The real world execution can be viewed as a game that proceeds as follows:

• Sample bit $c\leftarrow \$ \{0,1\}$ and strings $t_0,t_1\leftarrow \$ {\{0,1\}}^{\ell }$.
  Generate RLWE sample $p_{\mathsf{R}}$ and, if $c=1$, compute $p_{\mathsf{R}}^0=p_{\mathsf{R}}^1-h$.
  Send $p_{\mathsf{R}}^0$ and commit to values $t_0,t_1$.
• Compute ${\mathsf{sk}}_{\mathsf{R}}=\mathsf{Ext}(s_{\mathsf{R}}{p}_{\mathsf{S}}+2e_{\mathsf{R}}^{\prime },{\sigma }_c)$ and run the NIZK protocol with ${\mathsf{sk}}_{\mathsf{R}}$.
• Open the commitment to values $t_0,t_1$.

The ideal world execution can be viewed as a game that proceeds as follows:

• Sample bit $c\leftarrow \$ \{0,1\}$.
  Generate RLWE samples $p_{\mathsf{R}}^0,p_{\mathsf{R}}^1$ and program ${\mathcal{F}}_{CRS}$ to return $(m,p_{\mathsf{R}}^1-p_{\mathsf{R}}^0)$.
  Send $p_{\mathsf{R}}^0$ to $\mathcal{A}$ and send commit to ${\mathcal{F}}_{FakeCOM}$.
• Compute ${\mathsf{sk}}_{\mathsf{R}}^i=\mathsf{Ext}(s_{\mathsf{R}}^i{p}_{\mathsf{S}}+2{e_{\mathsf{R}}^{\prime }}^i,{\sigma }_i)$, for $i\in \{0,1\}$, and send ${\mathsf{sk}}_{\mathsf{R}}^c$ to ${\mathcal{F}}_{NIZK}$.
• Send (open,$(t_0,t_1)$) to ${\mathcal{F}}_{FakeCOM}$, where $t_a=M_0\oplus {\mathsf{sk}}_{\mathsf{S}}^a\oplus r_a$ and $t_{a\oplus 1}=M_1\oplus {\mathsf{sk}}_{\mathsf{S}}^{a\oplus 1}\oplus r_{a\oplus 1}$.

The first difference between both games is in $p_{\mathsf{R}}^0$ and $p_{\mathsf{R}}^1$. In the real world game, only $p_{\mathsf{R}}^c$ is an RLWE sample ($p_{\mathsf{R}}^{c\oplus 1}$ is a uniform random sample), while in the ideal world game, both $p_{\mathsf{R}}^0$ and $p_{\mathsf{R}}^1$ are RLWE samples. Given that the RLWE assumption holds, both situations are indistinguishable.

Once again, replacing ${\mathcal{F}}_{COM}$ by ${\mathcal{F}}_{FakeCOM}$ leads to an indistinguishable network, since the commitments are opened in the same way. Finally, in the real world, $t_0,t_1$ are uniform random values, while in the ideal world, they are not. However, since $M_0,M_1$ are uniform random values that come from ${\mathcal{F}}_{ROT}$, the values in the ideal world are statistically indistinguishable from uniform random values.

Thus, the two executions are indistinguishable, assuming the RLWE assumption holds. □

Claim 4.

If the adversary $\mathcal{A}$ corrupts the receiver, then the real execution of the protocol ${\pi }_{ROT}$ is indistinguishable from the simulated one.

Proof. 

The real world execution can be viewed as a game that proceeds as follows:

• Generate RLWE sample $p_{\mathsf{S}}$.
• Compute $p_{\mathsf{R}}^1=p_{\mathsf{R}}^0+hmodq$. Compute ${\sigma }_i$ and ${\mathsf{sk}}_{\mathsf{S}}^i$, for $i\in \{0,1\}$.
  Send $(p_{\mathsf{S}},{\sigma }_0,{\sigma }_1)$.
• Run the NIZK protocol and check if the test passes; abort if it does not.
  Sample $a\leftarrow \$ \{0,1\}$ and $r_0,r_1\leftarrow \$ {\{0,1\}}^{\ell }$. Send ($a{r}_0,r_1$).
• Check if the received values verify their commitment; abort if they do not.

The ideal world execution can be viewed as a game that proceeds as follows:

• Generate RLWE sample $p_{\mathsf{S}}$.
• Compute $p_{\mathsf{R}}^1=p_{\mathsf{R}}^0+hmodq$. Compute ${\sigma }_i$ and ${\mathsf{sk}}_{\mathsf{S}}^i$, for $i\in \{0,1\}$.
  Send $(p_{\mathsf{S}},{\sigma }_0,{\sigma }_1)$.
• Check if the received answer from ${\mathcal{F}}_{NIZK}$ is 1; abort if it is not.
  Send $(a,r_0,r_1)$, where $a=b\oplus c$, $r_c=M\oplus {\mathsf{sk}}_{\mathsf{S}}^c\oplus t_c$, and $r_{1-c}\leftarrow \$ {\{0,1\}}^{\ell }$.
• Check if the received values verify their commitment; abort if they do not.

The games differ in how a and $r_c$ are generated; however, since b and M are uniform random values that come from ${\mathcal{F}}_{ROT}$, both $r_c$ and a are statistically indistinguishable from a uniform random string and a uniform random bit, respectively. Hence, the real world execution and the ideal world execution are indistinguishable, assuming that the RLWE assumption holds. □

It remains to be seen whether the simulated executions where both parties are corrupted and when no party is corrupted are also indistinguishable. As in the previous proof, both are trivial, which concludes the proof. □

5. Conclusions

In view of the usefulness of MPC and the steady evolution of both quantum technology and post-quantum cryptography techniques, as well as recognizing the potential threat quantum computers can present in the landscape of information security, we have proposed two potential solutions for quantum secure implementations of ROT.

Both of these protocols have in common that they use a commitment scheme based on quantum-secure pseudo-random generators, which is universally composable in the CRS model. The CRS assumption has the advantage of being weaker and better understood than the quantum random oracle, and it is independent of technological limitations as opposed to the noisy storage assumptions, which are two of the most common models in which the security of OT protocols is studied.

The first construction is based on a quantum OT protocol composed with a quantum secure bit commitment, which is then transformed into a ROT protocol. The usage of a PRNG, which is secure against any poly-time quantum distinguisher, is the key to the commitment scheme’s quantum composability. The second construction is based on a highly efficient UC-secure ROT protocol from the RLWE assumption, initially proposed in the ROM. Our protocol differs in that we remove the random oracle’s requirement, replacing it by a commitment scheme and non-interactive zero knowledge protocol, which allows us to make a quantum-secure UC protocol, but in the CRS model instead.

Potential future work directions include the following:

• Further optimization of the commitment scheme to reduce the number of CRS calls and PRNG computations per committed bit in the context of a string commitment scheme.
• The implementation of both protocols and a comparison of their performance, taking available (quantum) technologies into account. This poses a challenge, as the limitations of quantum technologies are much less known than traditional computational power and communication.