Symmetric Blind Decryption with Perfect Secrecy

A blind decryption scheme enables a user to query decryptions from a decryption server without revealing information about the plaintext message. Such schemes are useful, for example, for the implementation of privacy preserving encrypted file storages and payment systems. In terms of functionality, blind decryption is close to oblivious transfer. For noiseless channels, information-theoretically secure oblivious transfer is impossible. However, in this paper we show that this is not the case for blind decryption. We formulate a definition of perfect secrecy of symmetric blind decryption for the following setting: at most one of the scheme participants is a malicious observer. We also devise a symmetric blind decryption scheme based on modular arithmetic on a ring $\mathbb{Z}_{p^2}$, where $p$ is a prime, and show that it satisfies our notion of perfect secrecy.


I. INTRODUCTION
Over the past 15 years, data has moved from local storage to centralized data warehouses in the cloud. The accessibility of large amounts of personal data through a public network has given rise to many security and privacy issues [1]. Fortunately, such issues have generally been taken seriously. For example, ethical and legal requirements have been imposed on guaranteeing the confidentiality of medical records [2], [3]. However, the implementation of privacy technologies is nontrivial, especially if the data storage has been outsourced to a cloud operator. Sensitive information can often be inferred from simple access patterns, either by outsiders or by the operator of the storage. For example, observing a medical doctor accessing the medical record of a patient can leak sensitive information. Therefore, such access patterns should be kept hidden both from outsiders and from the party that is administering the records.
Oblivious databases [4] and privacy-preserving encrypted filesystems [5] are examples of technologies that can be used to hide the access information from the administrator. For such systems, the decryption of data is typically handled by a central decryption server. Such systems can be conveniently implemented using blind decryption schemes [6]. Blind decryption is a versatile primitive. It can be used as a building block for many privacy critical applications, such as privacy-preserving payment systems [7], key escrow systems, oblivious transfer protocols [8], privacy-preserving systems for digital rights management [9], [10] and private information retrieval [11].
A blind decryption scheme consists of an encryption scheme together with a blind decryption protocol intended to decrypt messages in a privacy-preserving fashion. The meaning of "blind decryption" can be easily described based on the following scenario depicted in Figure 1. Suppose that Alice has obtained several encrypted messages from an encryptor. Alice is entitled to choose and decrypt exactly one of those messages. Suppose that the decryption key $k$ is stored on a decryption server and Alice wishes to have the server decrypt the message for her in such a way that neither the encryptor nor the decryptor learns the message chosen by Alice.

J. Partala is with the Department of Computer Science and Engineering, University of Oulu, Finland (e-mail: juha.partala@ee.oulu.fi).

Figure 1. Blind decryption. Alice has obtained $L$ ciphertexts from an encryptor and is entitled to choose exactly one of those for decryption. Alice interacts with a decryptor that shares a key $k$ with the encryptor to transform the ciphertext message $c_i$ into a plaintext message $m_i$. Neither the encryptor nor the decryptor learns the plaintext message chosen by Alice.
There are suggestions for practical blind decryption based on public key cryptography [5], [6], [12]-[14]. It is also possible to implement the blind decryption functionality with other protocols such as secure multi-party computation [15]. However, the resulting schemes would be computationally demanding. For many applications symmetric primitives are sufficient and computationally more efficient. In addition, they can provide secrecy that is not based on computational assumptions. Oblivious transfer schemes [16], [17] deliver the same functionality directly between the sender and the receiver without the decryption server. However, for noiseless channels, information-theoretically secure oblivious transfer is impossible [18]. In addition, there do not seem to exist blind decryption schemes for which the privacy of the user is based on information-theoretic security. Our work aims to fill this gap. In this paper, we give a meaningful definition of perfect secrecy for the blind decryption scenario. In particular, we formulate perfect secrecy of symmetric blind decryption in a setting where at most one of the participants is maliciously observing but still adhering to the protocol. We also propose a symmetric key blind decryption scheme SymmetricBlind that satisfies our definition. The scheme is based on modular arithmetic on the ring $\mathbb{Z}_{p^2}$, where $p$ is a prime.
The paper is organized as follows. In Section II, we describe work that is related to ours. Section III discusses the fundamental definitions and the preliminaries for the rest of the paper. In Section IV, we formulate three perfect secrecy properties that the blind decryption scheme needs to satisfy. In Section V, we give a description of a symmetric blind decryption scheme SymmetricBlind. In Section VI, we show that the devised scheme satisfies our definition of perfect secrecy. Finally, Section VII considers future work and Section VIII provides the conclusion.

II. RELATED WORK
Chaum was the first to consider blindness in the context of digital signatures and privacy preserving payment systems [7]. He described the first public key blind signature scheme [19] by utilizing the properties of RSA encryption [20]. The scheme can also be used for encryption and can therefore be considered the first blind decryption scheme. In the early articles, blind decryption is referred to as "blind decoding". Discrete logarithm based blind signature schemes were suggested in [21]-[24]. Sakurai and Yamane were the first to consider public key blind decryption based on the discrete logarithm problem [6]. Their method was based on the ElGamal cryptosystem [25] and related to the blind signature of Camenisch, Piveteau and Stadler [24]. The method was later applied for the implementation of a key escrow system [12]. Mambo, Sakurai and Okamoto were the first to consider blind decryption that is secure against chosen plaintext attacks by signing the ciphertext messages [26]. The resulting scheme is not capable of public key encryption since a secret signing key is required. Green described the first public key blind decryption scheme [5] that is secure against adaptive chosen ciphertext attacks (IND-CCA2) using bilinear groups. The security of these constructions has been considered computationally, either in the random oracle model [11] or using computational indistinguishability and infeasibility assumptions [5].
Oblivious transfer protocols are symmetric primitives that offer functionality similar to blind decryption. For oblivious transfer, there are two participants: a sender and a receiver. For the original definition of oblivious transfer, the sender transmits a message which the receiver gets with probability $\tfrac{1}{2}$. The sender remains oblivious whether the receiver actually got the message. This form of oblivious transfer was introduced by Rabin [16]. The concept was later extended by Even, Goldreich and Lempel [17]. For $\binom{2}{1}$-oblivious transfer, the receiver can choose one of two messages without the sender knowing which of the messages was chosen. A related concept that can be considered a further generalization is all-or-nothing disclosure of secrets [27], for which Alice is willing to disclose at most one secret from a set to Bob without Bob learning information about the rest of the secrets. Alice must not learn which secret Bob chose.
Adaptive queries were considered by Naor and Pinkas [28]. They also considered active adversaries and provided security definitions relating to the simulatability of the receivers. Camenisch, Neven and Shelat extended the work of Naor and Pinkas by defining simulatable oblivious transfer [29] and providing practical constructions for such a scheme. There are other suggestions for oblivious transfer based on problems in bilinear groups [30], groups of composite order [31] and the Diffie-Hellman problem [32]- [37]. These schemes are based on computational assumptions. It is impossible to achieve information-theoretic security for both of the parties using noiseless channels [18]. However, it is possible using noisy channels such as discrete memoryless channels [38] or a trusted initializer [39].
General multiparty computation protocols can also be applied to implement blind decryption capabilities. Secure multiparty computation was originally introduced by Yao [40] for the two-party case. The general case for $n \geq 2$ parties is due to Goldreich, Micali and Wigderson [41]. However, secure multiparty computation protocols are computationally intensive in comparison to pure blind decryption and oblivious transfer.
III. PRELIMINARIES

A. Notation
We denote the uniform distribution on a set $X$ by $U(X)$. If a random variable $Z$ is uniformly distributed on a set $X$, we denote it by $Z \sim U(X)$. When an element $x$ is sampled from $U(X)$, we denote it by $x \leftarrow U(X)$.

B. Symmetric encryption
A symmetric encryption scheme SE = (Gen, Enc, Dec) with keyspace $\mathcal{K}$, plaintext space $\mathcal{M}$ and ciphertext space $\mathcal{C}$ consists of three algorithms:
1) The key generation algorithm Gen($s$): On input a security parameter $s$, Gen outputs a key $k \in \mathcal{K}$.
2) The encryption algorithm Enc($k, m$): On input a key $k \in \mathcal{K}$ and a message $m \in \mathcal{M}$, Enc outputs a ciphertext $c \in \mathcal{C}$.
3) The decryption algorithm Dec($k, c$): On input a key $k \in \mathcal{K}$ and a ciphertext $c \in \mathcal{C}$, Dec outputs a message $m \in \mathcal{M}$ such that $m = \mathrm{Dec}(k, \mathrm{Enc}(k, m))$.

C. Blind decryption
Blind decryption has been considered in the literature for the asymmetric case. However, in this paper we are interested in the symmetric case, which is easily adapted from the asymmetric one [5]. A symmetric blind decryption scheme BlindDecryption consists of a symmetric encryption scheme SE = (Gen, Enc, Dec) and a two-party protocol BlindDec. The protocol BlindDec is conducted between an honest user Alice and the decryption server, which we shall call the Decryptor. The protocol enables Alice, who is in possession of a ciphertext $c$, to finish the protocol with the correct decryption of $c$. As a result of running BlindDec, Alice on input a ciphertext $c = \mathrm{Enc}(k, m) \in \mathcal{C}$ outputs either the message $m \in \mathcal{M}$ or an error message $\bot$. The Decryptor, on input the key $k \in \mathcal{K}$, outputs nothing or an error message $\bot$.
To be secure, the exchanged messages must not leak information to malicious users (the leak-freeness property [8]). The property can be formalized based on computational indistinguishability: for every adversary there has to be a simulator such that the following two games cannot be told apart. In the first game, a probabilistic polynomial time (PPT) adversary $\mathcal{A}$ can choose any number $L$ of ciphertexts $c_i$ for $i \in \{1, 2, \ldots, L\}$. It is then given the correct decryptions by executing BlindDec with the Decryptor. Finally, $\mathcal{A}$ outputs the plaintext, ciphertext pairs $(m_i, c_i)$ for $i \in \{1, 2, \ldots, L\}$. In the second game, a simulator $\mathcal{S}$ chooses any number $L$ of ciphertexts $c_i$ for $i \in \{1, 2, \ldots, L\}$. In this game, the plaintext messages are obtained by querying a trusted party. BlindDecryption is leak-free if for every PPT adversary $\mathcal{A}$ there is a simulator $\mathcal{S}$ such that for every PPT distinguisher $\mathcal{D}$ the probability of distinguishing between these two games is negligible [5].
Another important property for secure blind decryption is the blindness property. It formalizes the idea that the Decryptor must not learn anything about the actual plaintext message. This can be formalized by giving a PPT algorithm D the possibility to choose two ciphertexts c 1 , c 2 and giving it oracle access to two instances of BlindDec based on these choices. If the probability of distinguishing these two instances is negligible for every PPT algorithm D, then BlindDecryption satisfies ciphertext blindness. For a formal and rigorous definition, see for example [5].

D. Perfect secrecy
The notion of perfect secrecy is due to Shannon [42]. Let SE = (Gen, Enc, Dec) be an encryption scheme with keyspace $\mathcal{K}$, plaintext space $\mathcal{M}$ and ciphertext space $\mathcal{C}$. Let $K$ denote a random variable on the keyspace induced by Gen. SE satisfies perfect secrecy if for every random variable $M$ on the plaintext space, every plaintext $m \in \mathcal{M}$ and every ciphertext $c \in \mathcal{C}$,
$$\Pr[M = m \mid C = c] = \Pr[M = m],$$
where $C = \mathrm{Enc}(K, M)$ denotes the ciphertext random variable. Equivalently, SE satisfies perfect secrecy if and only if for every random variable $M$ on the plaintext space, every pair of plaintext messages $m_1, m_2 \in \mathcal{M}$ and every ciphertext $c \in \mathcal{C}$,
$$\Pr[C = c \mid M = m_1] = \Pr[C = c \mid M = m_2].$$

IV. PERFECT SECRECY FOR SYMMETRIC BLIND DECRYPTION
Instead of computational indistinguishability, we shall now consider secrecy of symmetric blind decryption based on the information observed by the parties. In the following, let SE = (Gen, Enc, Dec) together with BlindDec be a symmetric blind decryption scheme with keyspace K, plaintext space M and ciphertext space C.

A. The scenario
For the sake of clarity, we do not consider active adversaries. We assume that the parties adhere to the blind decryption protocol and only observe the flow of messages (and possibly deduce information from those messages). Active adversaries could, for example, introduce errors into the protocol messages. Such adversarial scenarios are left for future work. In addition, we do not consider the case that the Decryptor is colluding with either Alice or the Encryptor against the other. Such a case is equivalent to the oblivious transfer scenario, for which information-theoretic security is impossible over noiseless channels [18]. However, we note that such collusion scenarios are important for certain applications and need to be investigated in the future. We do consider the case that the adversary is impersonating one of the parties, which is a paramount requirement for many applications.

Figure 2. The general blind decryption scenario. Alice chooses a ciphertext $c_i$ and derives a related ciphertext $c'_i$ that she transmits to the decryptor. The decryptor responds with the corresponding plaintext message $m'_i$ from which Alice can recover $m_i$.
For clarity, we also restrict to the case that Alice decrypts a single message m ∈ M. Similar to the one-time pad, we assume that a new key is derived after every decryption. However, in our case there could be several ciphertexts c 1 , c 2 , . . . , c L encrypted under the same key. Nevertheless, once Alice has decrypted one of the messages we consider that particular key used and a new key and a new set of ciphertexts is generated.
The scenario is the following. The Encryptor chooses a set of $L$ plaintext messages $m_j$ for $j \in \{1, 2, \ldots, L\}$. He encrypts those messages under a key $k$ to obtain ciphertext messages $c_j = \mathrm{Enc}(k, m_j)$ for $j \in \{1, 2, \ldots, L\}$ that he transmits to Alice. Alice chooses one of those ciphertexts, $c_i$. To hide the actual ciphertext $c_i$, we assume that there is a ciphertext transformation space $\mathcal{C}' \subseteq \mathcal{C}$ so that Alice can derive a related ciphertext message $c'_i \in \mathcal{C}'$ that she transmits to the Decryptor. The Decryptor responds with its decryption $m'_i \in \mathcal{M}$, which Alice transforms to the correct plaintext message $m_i$. The general scenario has been depicted in Figure 2. The variables used have been collected into Table I for easier reference.

B. Security requirements
As described in Section III-C, the scheme has to satisfy the following properties.
1) Leak-freeness. Malicious observers must not learn information about the plaintext messages by observing the exchanges. The easiest way to provide leak-freeness against malicious observers that are not participants of the scheme is to protect each exchange with an encryption scheme that satisfies perfect secrecy. However, leakage also needs to be addressed considering maliciousness of the protocol participants. Considering each individual party, we can divide leak-freeness as follows.
1.1) Leak-freeness against the Encryptor. A malicious Encryptor must not learn information about the plaintext message obtained by Alice at the end of the protocol by observing the blind decryption messages. The situation is depicted in Figure 3.
1.2) Leak-freeness against Alice. This property ensures that, after obtaining $m_i$, Alice does not learn information about the remaining $L - 1$ plaintexts $m_j$ for $j \neq i$. The situation is depicted in Figure 4.
In contrast to computational security, we cannot define leak-freeness as a distinguishing problem. Instead, we shall consider the probability distributions of the exchanged elements. We also want to prevent the Decryptor from deducing information about the plaintext message $m_i$.
2) Blindness against the Decryptor. This property ensures that a malicious decryption server does not learn the message Alice wants to decrypt. The situation is depicted in Figure 5.

Figure 3. Malicious Encryptor. The adversary attempts to learn which message was chosen by Alice.

Figure 4. Malicious Alice. The adversary attempts to decrypt additional messages.
In the computational security setting, there can be multiple applications of the blind decryption protocol for a fixed key. In our case, we want a fresh key for every decryption to achieve perfect secrecy. Therefore, we formulate leak-freeness and blindness for a single decryption. However, as was described before, we want to be able to encrypt multiple messages with the same key. For example, in privacy-preserving payment systems blind decryption is used to enable Alice to choose one -but only one -item from a selection of items. This results in a scenario in which there are L plaintext, ciphertext pairs (m j , c j ) for j ∈ {1, 2, . . . , L} but there is only a single application of BlindDec.
In the following subsections, we formulate these conditions based on information. Note that these conditions also provide secrecy against malicious observers that are not participants of the scheme, since the information possessed by such observers is a proper subset of that of any of the participants. The following notation is used. Let $K$ denote the random variable of blind decryption keys on the key space $\mathcal{K}$ induced by Gen. Let $M_j$ for $j \in \{1, 2, \ldots, L\}$ denote the random variables corresponding to the choice of $m_j$ for $j \in \{1, 2, \ldots, L\}$ by the

C. Perfect leak-freeness against the encryptor
We shall first formulate leak-freeness against the Encryptor. The blind decryption protocol messages $c'$ and $m'$ should not disclose any information about $m_i$ to the Encryptor. Equivalently, the messages should not leak information about the index $i$ that was chosen by Alice, even if the Encryptor knows the key $k$ and the plaintext messages $m_j$ for $j \in \{1, 2, \ldots, L\}$.
Our definition states that a malicious Encryptor can equally easily guess the plaintext message Alice wanted to be decrypted with or without the information provided by the blind decryption protocol messages $c'$ and $m'$. Note that, in the normal scenario, $M = M_i$ for some $i \in \{1, 2, \ldots, L\}$. However, we do not want to restrict the definition to such a case. For example, there could be homomorphic blind decryption schemes for which certain operations are permitted on the ciphertexts. Note also that the Encryptor inherently possesses more information about $m$ than an outsider, since $m$ is dependent on $m_1, m_2, \ldots, m_L$.

D. Perfect leak-freeness against Alice
In order to be practical, the scheme needs to ensure that Alice is not able to decrypt messages on her own. Therefore, we need to ensure that Alice obtains neither the decryption key nor any information about the decryptions of $c_1, c_2, \ldots, c_L$ without interacting with the Decryptor. In addition, after a single application of BlindDec, Alice must not have any information about the remaining $L - 1$ messages. To make the requirement precise, we require that the observation of a single plaintext, ciphertext pair $(m_1, c_1)$ does not leak any information about the decryption of another ciphertext $c_2$. The property is, in fact, a property of the encryption scheme.
Definition 4.2 (Perfect leak-freeness against Alice): A symmetric encryption scheme SE satisfies perfect leak-freeness against Alice for a single decryption if for every pair of random variables $M_1, M_2$ on the plaintext space, every $m_1, m_2, m \in \mathcal{M}$ and every $c_1, c_2 \in \mathcal{C}$ such that $c_1 \neq c_2$,
$$\Pr[C_1 = c_1, C_2 = c_2 \mid M_1 = m_1, M_2 = m_2] = \Pr[C_1 = c_1, C_2 = c_2 \mid M_1 = m_1, M_2 = m],$$
where $C_1 = \mathrm{Enc}(K, M_1)$ and $C_2 = \mathrm{Enc}(K, M_2)$ are the ciphertexts under the same key $K$. The condition states that the probability of obtaining the ciphertext pair $(c_1, c_2)$ is the same whether we encrypt $(m_1, m_2)$ or $(m_1, m)$. That is, observation of the ciphertexts $c_1, c_2$ does not yield information about the decryption of $c_2$ even if we know the decryption of $c_1$.

E. Perfect blindness against the decryptor
We still need to consider privacy against a malicious Decryptor. It is reasonable to assume that $c_1, c_2, \ldots, c_L$ have been delivered to Alice using a private channel. If the Decryptor can observe $c_j$ for $j \in \{1, 2, \ldots, L\}$, it knows the corresponding plaintext messages since it is in possession of the blind decryption key. Therefore, it is natural to require that the ciphertexts are protected by a separate secure channel between Alice and the Encryptor. For the blindness property we want the server to learn nothing of the actual message $m$ that Alice derives at the end of the blind decryption scheme. In this case, the Decryptor knows the correct key $k$ as well as the messages $c'$ and $m'$ exchanged with Alice. The condition states that it is equally easy to guess the correct plaintext message with and without the information possessed by the Decryptor. Note that we have assumed that $c_1, c_2, \ldots, c_L$ have been delivered to Alice in perfect secrecy.

F. Perfect secrecy for symmetric blind decryption
Finally, we can state our definition of perfect secrecy based on the properties defined above.

Definition 4.4 (Perfect secrecy): A symmetric blind decryption scheme consisting of SE and BlindDec satisfies perfect secrecy for a single decryption of a maximum of $L$ messages against a single malicious party if the scheme is perfectly leak-free against the encryptor for a maximum of $L$ messages, SE is perfectly leak-free against Alice and the scheme satisfies perfect ciphertext blindness against the decryptor.

Figure 6. General overview of SymmetricBlind. Two tiers of encryption are applied. The outer tier (SE) satisfies ordinary perfect secrecy. The inner tier (2PAD) provides perfect leak-freeness against Alice and has a transformation property enabling perfect blindness against the decryptor.

V. A CONCRETE BLIND DECRYPTION SCHEME
We shall now devise a blind decryption scheme SymmetricBlind that satisfies Def. 4.4. We shall implement our scheme using two tiers of symmetric encryption. For the outer tier we apply a scheme that satisfies ordinary perfect secrecy. Let that scheme be denoted by SE. The outer encryption scheme will hide information about c 1 , c 2 , . . . , c L from the Decryptor and also provide secrecy for c ′ and m ′ against the Encryptor. To achieve perfect blindness and leak-freeness against Alice, we design an inner tier encryption scheme called 2PAD that satisfies a useful transformation property. The property enables us to construct a blind decryption protocol BlindDec. To sum it up, our final construction will consist of two tiers of encryption and a protocol for Alice to query a single decryption from the Decryptor. The general overview of the scheme is depicted in Figure 6.
It would be possible to implement some of the required privacy properties with multiple applications of the one-time pad. For example, if $c_i = m_i \oplus k_i$, Alice could hide the plaintext message from the Decryptor by querying for the decryption of $c'_i = c_i \oplus k'$, where $k'$ is only known to Alice. The Decryptor would return $m'_i = c'_i \oplus k_i = m_i \oplus k'$, and the correct plaintext message would be obtained from
$$m_i = m'_i \oplus k'.$$
However, such a protocol would leak $i$ to the Decryptor since $i$ would be needed to select the key $k_i$ for decryption. In addition, for a single decryption, the Decryptor would have to maintain a set of $L$ keys, which would quickly grow to an unmanageable size as $L$ grows. In contrast, the optimal key size for a single decryption would be $2|m_i|$ bits, where $|m_i|$ is the bit length of $m_i$, assuming that each plaintext message is of the same bit length. Therefore, simply applying the one-time pad is not sufficient.
In the following, we first describe our inner encryption scheme 2PAD that will provide perfect leak-freeness against Alice, as well as the required message transformation property. Then, we proceed to the description of a blind decryption protocol utilizing this scheme. Finally, we combine the inner encryption scheme with an outer encryption scheme that satisfies ordinary perfect secrecy and describe the complete blind decryption scheme.

A. The inner encryption scheme
We shall first construct an inner encryption scheme called 2PAD with some useful properties. Our inner scheme is based on modular arithmetic on the ring $\mathbb{Z}_{p^2}$, where $p \geq 5$ is a prime. Our plaintext space is $\mathbb{Z}_p$ and every $m \in \mathbb{Z}_p$ is mapped to $\mathbb{Z}_{p^2}$, which is the ciphertext space. To satisfy Def. 4.2, we want to add an amount of randomness that is at least twice the binary length of $m$ in the encryption operation. Therefore, the keys of 2PAD will consist of a pair $(x_k, y_k) \in \mathbb{Z}_p \times \mathbb{Z}_p$.
Let $z \in \mathbb{Z}_{p^2}$. Then $z = p z' + z''$, where $z', z'' \in \mathbb{Z}_p$. Therefore, we can essentially represent $z$ with two elements of $\mathbb{Z}_p$. Using such a representation, we encrypt a single message $m \in \mathbb{Z}_p$ by first sampling a random element $z \leftarrow U(\mathbb{Z}_p \setminus \{0\})$ and setting $b := (pm + z) \bmod p^2$. Then, we add the key $(x_k, y_k)$ by computing
$$c := (p x_k b^2 + p y_k b + b) \bmod p^2 = (p x_k z^2 + p y_k z + pm + z) \bmod p^2,$$
which is the ciphertext message. The second equality holds because $b \equiv z \pmod p$ and $b^2 = p^2 m^2 + 2pmz + z^2 \equiv z^2 \pmod p$, so that $p b^2 \equiv p z^2$ and $p b \equiv p z \pmod{p^2}$. Such an encryption operation entails a useful transformation property. For every $x_k, y_k \in \mathbb{Z}_p$ and $b, b' \in \mathbb{Z}_{p^2}$ such that $b \equiv b' \pmod p$,
$$p x_k b^2 + p y_k b \equiv p x_k b'^2 + p y_k b' \pmod{p^2}.$$
Namely, if we know a plaintext $m_1$ and its encryption $c_1 = p x_k z^2 + p y_k z + p m_1 + z$, we know the decryption $m_2$ of $c_2$ for every $c_2 \equiv c_1 \pmod p$, since it can be computed by the following algorithm.
1: procedure Map($c_1$, $m_1$, $c_2$)
2: if $c_1 \not\equiv c_2 \pmod p$ then output $\bot$
3: $m_2 := (m_1 + (c_2 - c_1)/p) \bmod p$
4: output $m_2$
5: end procedure
Let $z \equiv c_1 \equiv c_2 \pmod p$. The algorithm works because
$$c_2 - c_1 \equiv (p x_k z^2 + p y_k z + p m_2 + z) - (p x_k z^2 + p y_k z + p m_1 + z) = p(m_2 - m_1) \pmod{p^2},$$
so that $(c_2 - c_1)/p \equiv m_2 - m_1 \pmod p$. The Map algorithm can transform the decryption $m_1$ of a ciphertext $c_1$ to the decryption $m_2$ of $c_2$ whenever $c_2 \equiv c_1 \pmod p$.
Decryption is straightforward knowing the key $(x_k, y_k)$. Its operation, as well as the complete encryption scheme, is described below.
Definition 5.1 (2PAD): The symmetric encryption scheme consists of the following three algorithms.
1: procedure Gen$_{2PAD}$($s$) ▷ $s$ determines the size of the plaintext space
2: Choose a public prime $p$ such that $p \geq 5$ and $p \geq 2^s$
3: $x_k \leftarrow U(\mathbb{Z}_p)$
4: $y_k \leftarrow U(\mathbb{Z}_p)$
5: output $(x_k, y_k)$
6: end procedure
1: procedure Enc$_{2PAD}$($x_k, y_k, m$) ▷ Input consists of a key $(x_k, y_k)$ and a message $m \in \mathbb{Z}_p$
2: $z \leftarrow U(\mathbb{Z}_p \setminus \{0\})$
3: $b := (pm + z) \bmod p^2$
4: $c := (p x_k b^2 + p y_k b + b) \bmod p^2$
5: output $c$
6: end procedure
1: procedure Dec$_{2PAD}$($x_k, y_k, c$) ▷ Input consists of a key $(x_k, y_k)$ and a ciphertext $c \in \mathbb{Z}_{p^2}$
2: $z := c \bmod p$
3: $v := (c - z)/p$
4: $m := (v - x_k z^2 - y_k z) \bmod p$
5: output $m$
6: end procedure
The plaintext and ciphertext spaces of 2PAD depend on the chosen prime $p$. In particular, the plaintext space is $\mathbb{Z}_p$ while the ciphertext space is $\mathbb{Z}_{p^2}$. Let us show the correctness of the scheme. That is, $\mathrm{Dec}_{2PAD}(x_k, y_k, \mathrm{Enc}_{2PAD}(x_k, y_k, m)) = m$ for every key $(x_k, y_k)$ and plaintext $m$. Let $c = \mathrm{Enc}_{2PAD}(x_k, y_k, m)$. Then we have
$$c = (p x_k z^2 + p y_k z + pm + z) \bmod p^2 = p\bigl((x_k z^2 + y_k z + m) \bmod p\bigr) + z$$
and $c \bmod p = z$, where $z \in \mathbb{Z}_p$. Now,
$$\mathrm{Dec}_{2PAD}(x_k, y_k, c) = \Bigl(\frac{c - z}{p} - x_k z^2 - y_k z\Bigr) \bmod p = (x_k z^2 + y_k z + m - x_k z^2 - y_k z) \bmod p = m.$$
We shall later show that given a single plaintext, ciphertext pair $(m_1, c_1)$ and a ciphertext $c_2$ such that $c_2 \not\equiv c_1 \pmod p$ we still have information-theoretic security for $c_2$. That is, 2PAD satisfies perfect leak-freeness against Alice whenever $c_i \not\equiv c_j \pmod p$ for $i \neq j$. However, suppose that we have two plaintext, ciphertext pairs $(m_1, c_1), (m_2, c_2)$ such that $c_1 \not\equiv c_2 \pmod p$. We can show that the key $(x_k, y_k)$ can be completely determined from such two pairs.
Proposition 5.1: For every two plaintext, ciphertext pairs $(m_1, c_1), (m_2, c_2)$ such that $c_1 \not\equiv c_2 \pmod p$ there is a unique key $(x_k, y_k)$ such that $c_1 = \mathrm{Enc}_{2PAD}(x_k, y_k, m_1)$ and $c_2 = \mathrm{Enc}_{2PAD}(x_k, y_k, m_2)$.
Proof: Let $z_1, z_2 \in \mathbb{Z}_p$ such that $z_1 \equiv c_1 \pmod p$ and $z_2 \equiv c_2 \pmod p$. Let also $v_1 = (c_1 - p m_1 - z_1)/p$ and $v_2 = (c_2 - p m_2 - z_2)/p$. Then, we have a system of two equations
$$x_k z_1^2 + y_k z_1 \equiv v_1 \pmod p, \qquad x_k z_2^2 + y_k z_2 \equiv v_2 \pmod p,$$
that is, $Z (x_k, y_k)^T \equiv (v_1, v_2)^T \pmod p$ with $Z = \begin{pmatrix} z_1^2 & z_1 \\ z_2^2 & z_2 \end{pmatrix}$. Note that since $z_1, z_2 \not\equiv 0 \pmod p$ and $z_1 \not\equiv z_2 \pmod p$ we have $\det Z = z_1^2 z_2 - z_1 z_2^2 = z_1 z_2 (z_1 - z_2) \not\equiv 0 \pmod p$ and $Z$ is invertible modulo $p$.
Therefore, the equation pair has a unique solution
$$(x_k, y_k)^T \equiv Z^{-1} (v_1, v_2)^T \pmod p.$$
Due to Map, we require that if the Encryptor sends $L$ ciphertext messages $c_1, c_2, \ldots, c_L$ to Alice we have $c_i \not\equiv c_j \pmod p$ for every $i \neq j$. Since the residues $c_j \bmod p$ are nonzero elements of $\mathbb{Z}_p$, the maximum number of ciphertext messages under the same key is determined by $L \leq p - 1$.

B. Blind decryption protocol
Next, we give a description of a blind decryption protocol based on the transformation algorithm Map.
Definition 5.2 (BlindDec): Suppose that the Encryptor and the Decryptor share a key $(x_k, y_k) = \mathrm{Gen}_{2PAD}(s)$ intended for a single decryption by Alice. Furthermore, let Alice have an encrypted message $c = \mathrm{Enc}_{2PAD}(x_k, y_k, m)$ that is not known to the Decryptor. Finally, suppose that the prime $p$ is public knowledge. Let the protocol BlindDec be defined by the following exchange between Alice and the Decryptor:
1) Alice: Compute $c' := c \bmod p$ and transmit it to the Decryptor.
2) Decryptor: Reply with $m' = \mathrm{Dec}_{2PAD}(x_k, y_k, c')$.
3) Alice: Compute the plaintext message $m = \mathrm{Map}(c', m', c)$.
Let us quickly check the correctness of BlindDec. Let $z \equiv c' \equiv c \pmod p$. Then, $c = p x_k z^2 + p y_k z + pm + z$, where $m$ is the plaintext message. Since $c' = z$ and hence $(c' - z)/p = 0$, the Decryptor replies with
$$m' = (-x_k z^2 - y_k z) \bmod p.$$
But now Alice can compute
$$\mathrm{Map}(c', m', c) = \Bigl(m' + \frac{c - c'}{p}\Bigr) \bmod p = (-x_k z^2 - y_k z + x_k z^2 + y_k z + m) \bmod p = m,$$
which is the correct plaintext message.

C. The complete blind decryption scheme
As was mentioned earlier, the communication between Alice and the Encryptor has to be protected in order to prevent the Decryptor from obtaining the plaintext messages corresponding to $c_1, c_2, \ldots, c_L$. If the Decryptor can observe these ciphertext messages, it can freely decrypt all of them since it knows the correct key. Therefore, we need to apply an outer encryption scheme that hides the ciphertext messages. The same solution is the easiest way to provide perfect leak-freeness against the Encryptor, since it enables us to simplify the secrecy conditions. In our case, we want to protect both of these exchanges with an outer tier of encryption that provides perfect secrecy. Let $\mathrm{SE}_n = (\mathrm{Gen}_n, \mathrm{Enc}_n, \mathrm{Dec}_n)$ be any symmetric encryption scheme such that the plaintext and ciphertext space is $\mathbb{Z}_n$. Let it also satisfy (ordinary) perfect secrecy. We apply 2PAD together with $\mathrm{SE}_n$ to provide the required leak-freeness and blindness properties.
The outer tier is composed in the following way. Alice and the Encryptor share a set of keys $k_1, k_2, \ldots, k_L$. The Encryptor protects each ciphertext message by computing $u_j = \mathrm{Enc}_{p^2}(k_j, c_j)$ for $j \in \{1, 2, \ldots, L\}$. It sends $u_1, u_2, \ldots, u_L$ to Alice. Similarly, Alice and the Decryptor share a pair of keys $k_C, k_P$ that are used to protect $c'_i$ and $m'_i$. Alice sends $w = \mathrm{Enc}_p(k_C, c'_i)$, where $c'_i = c_i \bmod p$, to the Decryptor, who responds with $w' = \mathrm{Enc}_p(k_P, m'_i)$. The resulting scheme SymmetricBlind is defined as follows.
Definition 5.3 (SymmetricBlind): Let $\mathrm{SE}_n = (\mathrm{Gen}_n, \mathrm{Enc}_n, \mathrm{Dec}_n)$ be a symmetric encryption scheme such that the plaintext and ciphertext space is $\mathbb{Z}_n$, and let $\mathrm{SE}_n$ satisfy perfect secrecy. Let Alice and the Encryptor share a set of keys $k_1, k_2, \ldots, k_L$. Let Alice and the Decryptor share a pair of keys $k_C, k_P$ intended for a single blind decryption by Alice. Let also the Encryptor and the Decryptor share a blind decryption key $(x_k, y_k) = \mathrm{Gen}_{2PAD}(s)$, where $2^s \geq L + 1$, that is intended for a single blind decryption by Alice. SymmetricBlind is determined by the following protocol.
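The following Python program is an added worked example and not code from the paper. It implements the three 2PAD algorithms of Definition 5.1 and the Map transformation of Section V-A, the BlindDec protocol of Definition 5.2 and the two-tier SymmetricBlind protocol of Definition 5.3, and it exercises the two security-relevant facts established above: the key recovery of Proposition 5.1 from two plaintext, ciphertext pairs with $c_1 \not\equiv c_2 \pmod p$ (the reason a 2PAD key must serve exactly one blind decryption), and the situation of Definition 4.2, where one known pair $(m_1, c_1)$ leaves every candidate decryption of a second ciphertext $c_2 \not\equiv c_1 \pmod p$ explained by exactly one key. The toy prime $p = 101$, the sample messages, the optional `z` parameter that lets a caller fix the encryption randomness, and the choice of a modular one-time pad (addition of a uniform key modulo $n$) as the perfectly secret outer scheme $\mathrm{SE}_n$ are assumptions made for illustration; the paper leaves $\mathrm{SE}_n$ abstract.

```python
import secrets

P = 101  # public prime p >= 5 (assumed toy value; Gen_2PAD requires p >= 2^s)


def gen_2pad(p=P):
    """Gen_2PAD: a key (x_k, y_k) drawn uniformly from Z_p x Z_p."""
    return secrets.randbelow(p), secrets.randbelow(p)


def enc_2pad(key, m, p=P, z=None):
    """Enc_2PAD: c = (p*x_k*b^2 + p*y_k*b + b) mod p^2 with b = p*m + z.
    z may be fixed by the caller to reproduce a specific ciphertext (assumed
    convenience, not part of the paper's algorithm)."""
    x_k, y_k = key
    if z is None:
        z = 1 + secrets.randbelow(p - 1)  # z uniform on Z_p \ {0}
    b = (p * m + z) % (p * p)
    return (p * x_k * b * b + p * y_k * b + b) % (p * p)


def dec_2pad(key, c, p=P):
    """Dec_2PAD: z = c mod p, then strip x_k z^2 + y_k z from (c - z)/p."""
    x_k, y_k = key
    z = c % p
    v = (c - z) // p  # equals x_k z^2 + y_k z + m (mod p)
    return (v - x_k * z * z - y_k * z) % p


def map_2pad(c1, m1, c2, p=P):
    """Map: carry the known decryption m1 of c1 over to c2 when c1 = c2 (mod p)."""
    if c1 % p != c2 % p:
        return None  # the paper's bottom symbol
    return (m1 + (c2 - c1) // p) % p  # c2 - c1 = p*(m2 - m1) (mod p^2)


def blind_dec(key, c, p=P):
    """BlindDec (Def. 5.2) with Alice and the Decryptor run in one process."""
    c_prime = c % p                      # Alice -> Decryptor
    m_prime = dec_2pad(key, c_prime, p)  # Decryptor -> Alice: -x_k z^2 - y_k z mod p
    return map_2pad(c_prime, m_prime, c, p)  # Alice, locally


def recover_key(m1, c1, m2, c2, p=P):
    """Prop. 5.1: two pairs with c1 != c2 (mod p) pin down (x_k, y_k).
    This is why one 2PAD key must serve exactly one blind decryption."""
    z1, z2 = c1 % p, c2 % p
    if z1 == z2 or 0 in (z1, z2):
        return None
    v1 = ((c1 - z1) // p - m1) % p  # = x_k z1^2 + y_k z1 (mod p)
    v2 = ((c2 - z2) // p - m2) % p  # = x_k z2^2 + y_k z2 (mod p)
    det = (z1 * z1 * z2 - z1 * z2 * z2) % p  # det of Z = [[z1^2, z1], [z2^2, z2]]
    inv = pow(det, -1, p)
    x_k = ((z2 * v1 - z1 * v2) * inv) % p
    y_k = ((z1 * z1 * v2 - z2 * z2 * v1) * inv) % p
    return x_k, y_k


def keys_explaining(m1, c1, c2, p=P):
    """Def. 4.2 from Alice's side: given (m1, c1) and c2 with c2 != c1 (mod p),
    every candidate m2 in Z_p is explained by exactly one key, so (m1, c1)
    says nothing about the decryption of c2."""
    return {m2: recover_key(m1, c1, m2, c2, p) for m2 in range(p)}


def otp_enc(k, x, n):
    """Enc_n: one-time pad on Z_n (x + k mod n with k uniform on Z_n); an
    assumed instantiation of the perfectly secret outer scheme SE_n."""
    return (x + k) % n


def otp_dec(k, y, n):
    return (y - k) % n


def symmetric_blind(messages, i, p=P):
    """SymmetricBlind (Def. 5.3): Encryptor, Alice and Decryptor in one process.
    Returns the plaintext Alice recovers for her chosen index i."""
    L = len(messages)
    if not 1 <= L <= p - 1:
        raise ValueError("at most p - 1 ciphertexts may share one 2PAD key")
    key = gen_2pad(p)  # shared by Encryptor and Decryptor, used once
    zs = secrets.SystemRandom().sample(range(1, p), L)  # distinct residues mod p
    cs = [enc_2pad(key, m, p, z) for m, z in zip(messages, zs)]
    ks = [secrets.randbelow(p * p) for _ in cs]  # Alice/Encryptor outer keys k_j
    us = [otp_enc(k, c, p * p) for k, c in zip(ks, cs)]  # Encryptor -> Alice
    k_C, k_P = secrets.randbelow(p), secrets.randbelow(p)  # Alice/Decryptor keys
    c_i = otp_dec(ks[i], us[i], p * p)  # Alice recovers her chosen c_i
    c_prime = c_i % p
    w = otp_enc(k_C, c_prime, p)  # Alice -> Decryptor
    m_prime = dec_2pad(key, otp_dec(k_C, w, p), p)  # Decryptor
    w_prime = otp_enc(k_P, m_prime, p)  # Decryptor -> Alice
    return map_2pad(c_prime, otp_dec(k_P, w_prime, p), c_i, p)  # Alice
```

`symmetric_blind(messages, i)` plays all three parties in one process with the wire messages marked in comments; in a deployment every key ($k_j$, $k_C$, $k_P$ and the 2PAD key) is fresh per decryption exactly as Section IV-A requires, and `recover_key` shows concretely what a second decryption under the same 2PAD key would hand to Alice.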

VI. SECURITY OF SYMMETRICBLIND
We shall now consider the security of SymmetricBlind. We proceed to show that the devised scheme satisfies the three conditions formulated in Section IV: perfect leak-freeness against the Encryptor, perfect leak-freeness against Alice, and perfect blindness against the Decryptor.
A. Perfect leak-freeness against the encryptor
Proposition 6.1: SymmetricBlind satisfies perfect leak-freeness against the encryptor for a single decryption of a maximum of $L \le p - 1$ messages, where $p$ is determined by $\mathrm{Gen}_{\mathrm{2PAD}}(s)$.
Proof: The claim follows directly from the observation that the Encryptor sees only $w$ and $w'$. By the description of SymmetricBlind, $c'$ and $m'$ are protected by encryption satisfying perfect secrecy and thus leak no information to the Encryptor.
It is easy to see that the outer tier of encryption is necessary: if the outer encryption scheme were not applied, $c'$ would leak $c_i \bmod p$, which would betray the index $i$ to the Encryptor.

B. Perfect blindness against decryptor
We shall now prove that the Decryptor does not obtain any information about the plaintext message.
Proposition 6.2: SymmetricBlind satisfies perfect blindness against the decryptor for a single blind decryption.
Proof: Since $c_1, c_2, \ldots, c_L$ are protected with perfect secrecy, we only need to show that where $C'$ and $M'$ are the random variables associated to the messages $c'$ and $m'$, respectively. Let $X, Y$ denote the random variables corresponding to the key elements $(x_k, y_k) \leftarrow \mathrm{Gen}(s)$, respectively. The reply $m'$ from the Decryptor is completely determined by the key $(x_k, y_k)$ and the element $c' = c_i \bmod p$, since $m' = (-x_k)c'^2 + (-y_k)c'$. Therefore, Let us consider $C'$. By the description of the scheme, we have $C' = C_i \bmod p$, where $i$ is the index chosen by Alice. But for every $i$ we have, by the description of $\mathrm{Enc}_{\mathrm{2PAD}}$, that $C_i \bmod p \sim U(\mathbb{Z}_p \setminus \{0\})$. Therefore, $C'$ is independent of $X$ and $Y$, and for every $z, z' \in \mathbb{Z}_p \setminus \{0\}$ and for any $z \in \mathbb{Z}_p$. By our assumption, $M$ is independent of $X$ and $Y$, and therefore we have which shows our claim.
The proof shows that the Decryptor (with the knowledge of the key $(x_k, y_k)$, $c'$ and $m'$) does not gain any information about the plaintext message $m$, assuming that the $c_j$ for $j \in \{1, 2, \ldots, L\}$ have been delivered to Alice with perfect secrecy. Considering the secrecy against the Decryptor alone, it would suffice to send $c'$ without the additional level of encryption. However, the additional level is necessary to achieve leak-freeness against the Encryptor.

C. Perfect leak-freeness against Alice
We shall now consider a malicious Alice and show that the observation of a single plaintext, ciphertext pair $(m_1, c_1)$ does not yield information about the decryption of $c_2$ for $c_2 \not\equiv c_1 \pmod p$.
Proposition 6.3: SymmetricBlind satisfies perfect leak-freeness against Alice for a single decryption of a maximum of $L \le p - 1$ ciphertexts.
Proof: By the description of SymmetricBlind, the ciphertext messages $c_1, c_2, \ldots, c_L$ belong to different congruence classes modulo $p$. Let $M_1, M_2$ be random variables over the plaintext space $\mathbb{Z}_p$. Let $X, Y$ denote the random variables corresponding to the key elements $(x_k, y_k) = \mathrm{Gen}_{\mathrm{2PAD}}(s)$. We have to show that for every $m_1, m_2, m \in \{0, 1, 2, \ldots, p-1\}$ and $c_1, c_2 \in \mathbb{Z}_{p^2}$ such that $c_1 \not\equiv c_2 \pmod p$.
Given a valid assignment for $m_1$, $c_1$ and $c_2$, it suffices to show that for every $m \in \mathbb{Z}_p$. By Proposition 5.1, for every pair of plaintext, ciphertext pairs $(m_1, c_1)$, $(m, c_2)$ such that $c_1 \not\equiv c_2 \pmod p$ there is a unique key $(x_k, y_k)$. Therefore, By the definition of $\mathrm{Gen}_{\mathrm{2PAD}}$, $X$ and $Y$ are independent and we have We have now established the perfect secrecy of SymmetricBlind according to Def. 4.4.
[Table III: possible choices of $p$ with the resulting key, plaintext and ciphertext lengths in bits]
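As an added illustration (not the paper's own code), the following Python models the inner 2PAD layer for a small prime $p$ and checks the two properties argued in the proofs of Propositions 6.2 and 6.3 by enumeration. Since $\mathrm{Enc}_{\mathrm{2PAD}}$ is not reproduced in this section, the way $m$ is placed in the high part of $c$ is an assumption chosen so that the Decryptor's reply $m' = -x_k c'^2 - y_k c'$ quoted above recovers $m$; the outer $\mathrm{SE}$ layer is omitted, and `leak_check` also shows why no two ciphertexts may share a residue class.

```python
import secrets

# Toy 2PAD for a small prime p (added example). ASSUMED encoding:
#   c = r + p * ((m + x*r^2 + y*r) mod p),  r = c mod p uniform in Z_p \ {0}
# so that the page's reply m' = -x*c'^2 - y*c' (mod p) unmasks m.
# Plaintexts m in Z_p, keys (x, y) in Z_p x Z_p, ciphertexts c in Z_{p^2}.

def gen_2pad(p):
    """Key (x_k, y_k) uniform over Z_p x Z_p."""
    return secrets.randbelow(p), secrets.randbelow(p)

def enc_2pad(key, m, r, p):
    """Assumed encoding: low part r, high part carries m masked by the key."""
    x, y = key
    return r + p * ((m + x * r * r + y * r) % p)

def blind_reply(key, c_prime, p):
    """Decryptor's answer to c' = c_i mod p (formula from the page)."""
    x, y = key
    return (-x * c_prime * c_prime - y * c_prime) % p

def alice_unblind(c, m_prime, p):
    """Alice combines her own c_i with the reply; c // p is the masked m."""
    return (c // p + m_prime) % p

def consistent_keys(pairs, p):
    """Brute force over Z_p x Z_p: keys that explain every observed (m, c)."""
    return [(x, y) for x in range(p) for y in range(p)
            if all(enc_2pad((x, y), m, c % p, p) == c for m, c in pairs)]

def blind_decrypt_demo(p, msgs, i):
    """One SymmetricBlind run (outer SE layer omitted): returns Alice's m_i."""
    if len(msgs) > p - 1:
        raise ValueError("at most p-1 ciphertexts per key (distinct residues)")
    key = gen_2pad(p)
    rs = list(range(1, p))
    secrets.SystemRandom().shuffle(rs)          # r_j uniform, pairwise distinct
    cts = [enc_2pad(key, m, r, p) for m, r in zip(msgs, rs)]
    c_prime = cts[i] % p                       # all the Decryptor learns of c_i
    return alice_unblind(cts[i], blind_reply(key, c_prime, p), p)

def leak_check(p, key, m1, r1, r2, m2):
    """Prop. 6.3 by enumeration: keys remaining after seeing (m1, c1), and the
    number of keys consistent with each candidate plaintext m of c2."""
    c1 = enc_2pad(key, m1, r1, p)
    c2 = enc_2pad(key, m2, r2, p)
    remaining = len(consistent_keys([(m1, c1)], p))
    per_m = [len(consistent_keys([(m1, c1), (m, c2)], p)) for m in range(p)]
    return remaining, per_m
```

With $r_1 \ne r_2$ every candidate $m$ is explained by exactly one key, so the observed pair tells Alice nothing about $m_2$; with $r_1 = r_2$ only the true $m_2$ has consistent keys, which is why the scheme caps a batch at $p-1$ ciphertexts in distinct residue classes.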

D. The parameters
An optimal encryption scheme with plaintext space $\mathcal{M}$ that satisfies perfect leak-freeness against Alice for a single decryption needs $2 \log_2 |\mathcal{M}|$ bits of randomness for a key. 2PAD achieves exactly this bound, since the plaintext space is $\mathbb{Z}_p$ and a single key $(x_k, y_k)$ contains $2 \log_2 p$ bits of randomness. Assuming that messages and keys are represented by binary strings, we need $2\lceil \log_2 p \rceil$ bits of key to encrypt messages of length $\lfloor \log_2 p \rfloor$. For a single decryption with SymmetricBlind, the Decryptor needs to store the key elements $x_k, y_k \in \mathbb{Z}_p$ as well as the keys $k_C, k_P$. The keys $k_C, k_P$ are used to encrypt messages of $\mathbb{Z}_p$; therefore $\lceil \log_2 p \rceil$ bits for each of these keys suffices for perfect secrecy. In total, the Decryptor needs to store key material of $4\lceil \log_2 p \rceil$ bits for a single decryption of a message of bit length $\lfloor \log_2 p \rfloor$.
Since the ciphertext space is $\mathbb{Z}_{p^2}$, the ciphertext length in bits is approximately twice the plaintext length. Depending on the length of the plaintext messages and the needed maximum number of encryptions $L \le p - 1$, we should therefore choose the smallest possible $p$, since its bit size has no effect on the security of the scheme. Table III lists some possible choices for $p$ and the resulting key, plaintext and ciphertext lengths in bits. Note that for long plaintext messages the maximum number of messages $L$ is practically unlimited.

VII. FUTURE WORK
There are two main drawbacks of the construction presented in this paper. First, we have not considered active adversaries. Similar to the one-time pad, we have only considered adversaries that observe the flow of messages. For practical scenarios, we need to consider adversaries that actively induce errors into the protocol flow. However, such considerations are most naturally conducted in the computational infeasibility model, which has been used, for instance, in [5]. In the active adversary setting, it would also be natural to consider the security of the devised scheme in the framework of computational indistinguishability, such that the truly random keys are replaced by pseudorandom bit strings. In particular, the computationally hard version of our scheme yields efficient practical implementations.
The second drawback is that we have only considered the case of a single malicious party. While it does not make sense to consider a scenario where Alice is colluding with the Encryptor against the Decryptor, the scenario where the Encryptor and the Decryptor are colluding is an important one. In many scenarios Alice cannot be certain whether the Encryptor and the Decryptor are in fact separate entities. However, if they are a single entity, the scenario is identical to oblivious transfer, and we cannot achieve information-theoretic security in such a case [18]. Indeed, it is easy to see that our construction fails for a colluding Encryptor and Decryptor: the collusion effectively removes the outer layer of encryption, which means that $c' = c_i \bmod p$ leaks $i$ to the adversary. To provide security against a colluding Encryptor and Decryptor, we would need to detect such collusion or to turn to computational assumptions. We leave the question as an open problem for future research.
Another interesting question for future work is to consider the case where we do not apply the outer layer of encryption from the Encryptor to Alice. Thus far, we have defined perfect blindness so that the Decryptor has absolutely no information about the plaintext message. However, we could relax the requirement so that, similar to leak-freeness against the encryptor, the information is conditioned on the plaintexts $m_1, m_2, \ldots, m_L$. In other words, we could relax the requirement so that the Decryptor may observe the selection (and the corresponding plaintext messages) given to Alice. Such a relaxation is natural in the oblivious transfer case, where the Encryptor and the Decryptor are the same entity. We could then define blindness as a property requiring only that the selection $i$ is hidden. It is again easy to see that our scheme without the outer layer of encryption fails such a property: if $c_1, c_2, \ldots, c_L$ are not protected, then $c' = c_i \bmod p$ leaks the selection $i$. We leave this consideration also for future work.

VIII. CONCLUSION
In this paper, we give a definition of perfect secrecy for symmetric blind decryption in the setting where one of the parties may be malicious but adheres to the protocol of the scheme. We consider neither active adversaries nor the setting where two of the participants are colluding against the third. We construct a symmetric blind decryption scheme SymmetricBlind and show that it satisfies our definition of perfect secrecy. The scheme is based on two layers of encryption, where the inner layer utilizes a novel encryption scheme 2PAD given in this paper. 2PAD is based on modular arithmetic with $\mathbb{Z}_{p^2}$ as the ciphertext space, $\mathbb{Z}_p$ as the plaintext space and $\mathbb{Z}_p \times \mathbb{Z}_p$ as the key space, where $p \ge 5$ is a prime. The security of SymmetricBlind is shown information-theoretically and does not depend on the size of $p$. For a fixed blind decryption key, SymmetricBlind supports a single blind decryption from a selection of $L \le p - 1$ messages. For a single decryption of a message of bit length $\lfloor \log_2 p \rfloor$, the decryption server needs to store key material of $4\lceil \log_2 p \rceil$ bits.