
3 Conditional Oblivious Cast

We provide COC schemes for three basic predicates: “equality”, “inequality”, and “greater than”.

3.1 COC for “Equality” Predicate

To determine if x = y, we compute x/y via the multiplicatively homomorphic encryption scheme. If x/y = 1, A and B get the message m; otherwise, they get nothing. The scheme EQ-COC is described in Figure 1.

Theorem 1. The EQ-COC scheme has the correctness property, unconditional sender’s security, and computational receiver’s security if the underlying homomorphic encryption scheme has semantic security.

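Proof. For correctness, if $x = y$, A and B compute $m$ by

$$
\begin{aligned}
D_{SK}(e) &= D_{SK}\big(E_{PK}(m) \otimes (E_{PK}(x) \otimes E_{PK}(y)^{-1})^{r}\big) \\
&= D_{SK}\big(E_{PK}(m) \otimes E_{PK}(1)^{r}\big) \\
&= D_{SK}(E_{PK}(m)) \\
&= m.
\end{aligned}
$$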

– System parameters: $(p, q, g)$.

– Message sender S has a message $m$ and a key pair $(PK_S, SK_S)$.

– Receiver A has a secret $x$, and receiver B has a secret $y$, where $x, y \in G_q$.

– Receivers A and B have a common key pair $(PK, SK)$.

1. A and B send $E_{PK_S}(E_{PK}(x))$ and $E_{PK_S}(E_{PK}(y))$ to S respectively.

2. S decrypts the received messages to get $E_{PK}(x)$ and $E_{PK}(y)$. S computes $e = E_{PK}(m) \otimes (E_{PK}(x) \otimes E_{PK}(y)^{-1})^{r}$ and sends it to A and B, where $r \in_R Z_q$.

3. A and B compute $\hat{m} = D_{SK}(e)$ and identify whether $\hat{m}$ is valid.

Fig. 1. COC scheme for “Equality” predicate: EQ-COC

For sender’s security, we show that if $x \neq y$, $m$ is unconditionally secure to A and B. Since $e = E_{PK}(m) \otimes (E_{PK}(x) \otimes E_{PK}(y)^{-1})^{r} = E_{PK}(m \cdot (x/y)^{r})$, $r \in_R Z_q$, for any possible $m'$, there is another $r' \in Z_q$ such that $e = E_{PK}(m' \cdot (x/y)^{r'})$. As long as $x \neq y$, $e$ can be decrypted to any possible message in $G_q$. This ensures unconditional security of S’s message $m$.

For receiver’s security, it is easy to see that S gets no information about $x$ and $y$ due to semantic security of the encryption scheme. Since A and B are symmetric, we only prove the security of B against A. We construct a simulator $S_A$ for A’s real view

$$V_A(PK, SK, PK_S, x) = (PK, SK, PK_S, x, E_{PK_S}(E_{PK}(x)), E_{PK_S}(E_{PK}(y)), e).$$

The simulator $S_A$ on input $(PK, SK, PK_S, x, \hat{m})$ is as follows, where $\hat{m}$ (may be a valid message or a random value) is the output of a real execution:

1. Choose a random value $y' \in G_q$.

2. Compute $e' = E_{PK}(\hat{m})$.

3. Output $(PK, SK, PK_S, x, E_{PK_S}(E_{PK}(x)), E_{PK_S}(E_{PK}(y')), e')$.

By semantic security of the encryption scheme, A cannot distinguish the ciphertexts $E_{PK_S}(E_{PK}(y))$ and $E_{PK_S}(E_{PK}(y'))$. Furthermore, since $e'$ is identically distributed as $e$, the output of $S_A$ is indistinguishable from $V_A$. Therefore, A gets no information about $y$ except what can be computed from $x$ and $\hat{m}$. □

In the scheme, we assume $x, y \in G_q$. If the length of $x$ (or $y$) is longer than $|p|$, A and B compare $h(x)$ and $h(y)$, where $h$ is a collision-resistant hash function.

This technique is applied to later schemes whenever necessary.
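The EQ-COC exchange of Figure 1, as an added example that is not code from the paper: it instantiates the multiplicatively homomorphic scheme with ElGamal over a constructed toy group, which is an assumption made here. The outer encryption under $PK_S$ is omitted, and all function names are hypothetical.

```python
import secrets

# Constructed toy group (far too small for real use): p = 2q + 1, g = 4 generates G_q.
P, Q, G = 2039, 1019, 4

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk

def enc(pk, m):
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), m * pow(pk, k, P) % P

def dec(sk, c):
    return c[1] * pow(c[0], -sk, P) % P

def mul(c1, c2):
    # Component-wise product: E(a) (x) E(b) = E(a * b)
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P

def power(c, r):
    # E(a)^r = E(a^r); r = -1 yields E(a)^{-1}
    return pow(c[0], r, P), pow(c[1], r, P)

def sender_eq_coc(pk, m, ex, ey):
    """S's step 2: e = E(m) (x) (E(x) (x) E(y)^{-1})^r."""
    # r is drawn nonzero, so (x/y)^r != 1 whenever x != y in the prime-order group
    r = secrets.randbelow(Q - 1) + 1
    return mul(enc(pk, m), power(mul(ex, power(ey, -1)), r))

def run_eq_coc(x, y, m):
    """A and B share (pk, sk); returns the value they decrypt from S's reply."""
    pk, sk = keygen()
    e = sender_eq_coc(pk, m, enc(pk, x), enc(pk, y))
    return dec(sk, e)

# Constructed sample values, all elements of G_q (powers of g).
X, Y, M = pow(G, 5, P), pow(G, 9, P), pow(G, 77, P)

if __name__ == "__main__":
    print("x = y  ->", run_eq_coc(X, X, M), "(m is", M, ")")
    print("x != y ->", run_eq_coc(X, Y, M), "(masked by (x/y)^r)")
```

When the secrets differ, the decrypted value is $m \cdot (x/y)^r$, which is why step 3 needs a way to recognise a valid message.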

3.2 COC for “Inequality” Predicate

COC for the “inequality” predicate is more complicated than that for the “equality” predicate. A and B need to send the ciphertexts of their secrets bit by bit.

We use additively homomorphic encryption schemes in this scheme, which is depicted in Figure 2.

– System parameters: $n$.

– Message sender S has a message $m$ and a key pair $(PK_S, SK_S)$.

– Receiver A has a secret $x$, and receiver B has a secret $y$, where $|x| = |y| = n$.

– Receivers A and B have a common key pair $(PK, SK)$, where $PK = (g, N)$.

1. A and B send $E_{PK_S}(E_{PK}(x_i))$ and $E_{PK_S}(E_{PK}(y_i))$ to S respectively, $1 \le i \le n$.

2. For each $i \in \{1, 2, \ldots, n\}$, S decrypts the received messages to get $E_{PK}(x_i)$ and $E_{PK}(y_i)$, and computes the following values via homomorphic encryption:

(a) $d_i = x_i - y_i$, $d'_i = x_i + y_i - 1$.

(b) $e_i = 2e_{i+1} + d_i$, where $e_{n+1} = 0$.

(c) $c_i = m + r_i(e_i - d_i + d'_i)$, where $r_i \in_R Z_N$.

3. S sends $E_{PK}(c)$ in a random order to A and B, where $c = c_1, c_2, \ldots, c_n$.

4. A and B decrypt the received messages and identify the correct message if existent.

Fig. 2. COC scheme for “Inequality” predicate: INE-COC

In the scheme, $d_i = x_i - y_i$ and $d'_i = x_i - \bar{y}_i$ are 0, 1 or −1. If $x_i = y_i$, $d_i = 0$; otherwise, $d'_i = 0$. Let $l$ be the leftmost different bit between $x$ and $y$, i.e. the largest $i$ such that $d_i \neq 0$. We have $e_i = 0$ if $i > l$, $e_i \neq 0$ if $i < l$, and $e_i = d_i$ if $i = l$.

If $x \neq y$, the message $m$ is embedded into the index $i$ at which $x_i$ and $y_i$ are distinct. However, we have to avoid leaking information about the number of distinct bits. So S masks $m$ with random values on all indices except the index $l$. This leaves only one copy of $m$ in the $c_i$’s:

– For $i = l$, since $e_l = d_l$ and $d'_l = x_l - \bar{y}_l = 0$, $(e_l - d_l + d'_l) = 0$. Therefore, $c_l = m$.

– For $1 \le i < l$, $c_i$ would be a random value because $e_i - d_i + d'_i = 2e_{i+1} + d'_i \neq 0$ and $r_i \in_R Z_N$.

– For $l < i \le n$, $c_i$ is also a random value because $e_i = d_i = 0$, $d'_i \neq 0$ and $r_i \in_R Z_N$.

Theorem 2. The INE-COC scheme has the correctness property, unconditional sender’s security, and computational receiver’s security if the underlying homomorphic encryption scheme has semantic security.

Proof. (sketch) Let $l$ be the index of the first different bit of $x$ and $y$ (from the most significant bit). We see that $d_l = e_l = x_l - y_l = 1$ or $-1$, and $d'_l = x_l - \bar{y}_l = 0$. Therefore, $c_l = m + r_l(e_l - d_l + d'_l) = m + r_l \cdot 0 = m$. Thus, A and B get $m$ from the permutation of the encryptions.

For sender’s security, we see that if $x = y$, all $d_i$’s and $e_i$’s are 0, and all $d'_i$’s are not 0 (in fact, $+1$ or $-1$). Thus, for each index $i$, $c_i = m + r_i(0 \pm 1) = m \pm r_i$. Since for any possible $\tilde{m}$, there exists an $\tilde{r}_i$ such that $c_i = \tilde{m} + \tilde{r}_i$, $m$ is unconditionally secure to A and B.

For receiver’s security, S gets no information about $x$ and $y$ by the semantic security of the encryption scheme. As in the proof of EQ-COC, for each of A and B, we can construct a simulator such that the adversary cannot distinguish the real view and the simulated view. Therefore the receiver’s security holds. □
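Steps 2 to 4 of Figure 2 carried out on real ciphertexts, as an added example that is not code from the paper: it instantiates the additively homomorphic scheme with Paillier using a constructed toy key and $g = N + 1$, which is an assumption made here. The outer encryption under $PK_S$ is omitted, and all function names are hypothetical.

```python
import math, secrets

# Constructed toy Paillier key with g = N + 1 (tiny primes, illustration only).
P1, P2 = 1009, 1013
N = P1 * P2
N2 = N * N
LAM = (P1 - 1) * (P2 - 1) // math.gcd(P1 - 1, P2 - 1)
MU = pow(LAM, -1, N)

def enc(m):
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return (1 + m * N) % N2 * pow(r, N, N2) % N2

def dec(c):
    return (pow(c, LAM, N2) - 1) // N * MU % N

def add(c1, c2):
    # E(a) * E(b) = E(a + b)
    return c1 * c2 % N2

def scal(c, k):
    # E(a)^k = E(k * a); a negative k is reduced mod N
    return pow(c, k % N, N2)

def sender_ine_coc(m, ex, ey):
    """S's steps 2-3 on encrypted bits; list index n-1 is the most significant bit."""
    e_next, out = enc(0), []
    for cx, cy in zip(reversed(ex), reversed(ey)):
        d = add(cx, scal(cy, -1))              # d_i  = x_i - y_i
        dp = add(add(cx, cy), enc(N - 1))      # d'_i = x_i + y_i - 1
        e = add(scal(e_next, 2), d)            # e_i  = 2*e_{i+1} + d_i
        t = add(add(e, scal(d, -1)), dp)       # e_i - d_i + d'_i
        r = secrets.randbelow(N - 1) + 1       # nonzero r_i in Z_N
        out.append(add(enc(m), scal(t, r)))    # c_i  = m + r_i * t
        e_next = e
    secrets.SystemRandom().shuffle(out)        # random order hides the index l
    return out

def run_ine_coc(x, y, m, n=4):
    """A and B encrypt their n-bit secrets bitwise, then decrypt S's reply."""
    ex = [enc((x >> i) & 1) for i in range(n)]
    ey = [enc((y >> i) & 1) for i in range(n)]
    return [dec(c) for c in sender_ine_coc(m, ex, ey)]
```

For unequal inputs exactly one decrypted value equals $m$ regardless of how many bits differ; for equal inputs every value is $m \pm r_i$.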

– System parameters: $(p, q, g)$.

– Message sender S has a message $m$ and a key pair $(PK_S, SK_S)$.

– Receiver A has a secret $x$, and receiver B has a secret $y$, where $x, y \in G_q$, $|x| = |y| = n$.

– Receivers A and B have a common key pair $(PK, SK)$.

1. A encodes $x$ as $S_x^1$, and sends $E_{PK_S}(E_{PK}(S_x^1[i]))$ to S, $1 \le i \le n$.

2. B encodes $y$ as $S_y^0$, and sends $E_{PK_S}(E_{PK}(S_y^0[i]))$ to S, $1 \le i \le n$.

3. S decrypts the received messages and computes $e_i = E_{PK}(m) \otimes (E_{PK}(S_x^1[i]) \otimes E_{PK}(S_y^0[i])^{-1})^{r_i}$, where $r_i \in_R G_q$, $1 \le i \le n$. S sends the $e_i$’s to A and B in a random order.

4. A and B search $\hat{m}_i = D_{SK}(e_i)$, $1 \le i \le n$, to identify the correct $m$ if existent.

Fig. 3. COC scheme for “Greater Than” predicate: GT-COC

3.3 COC for “Greater Than” Predicate

For the “greater than” predicate, we use the encoding methods mentioned in Section 2.4. A encodes $x$ via 1-encoding and B encodes $y$ via 0-encoding. The problem is then reduced to the “equality” problem immediately. When S receives encrypted $S_x^1$ and $S_y^0$, he checks equality for corresponding strings. The scheme is presented in Figure 3. The security argument is the same as the proof of the EQ-COC scheme. This method is more efficient than the GT-COC12 scheme (in the next section, by setting $m_0$ as a random number).
