Dual-Mode Encryption for UC-Secure String OT from Learning with Errors



Introduction
The two-party computation primitive oblivious transfer (OT) was first introduced by Rabin [1] and acts as a fundamental cryptographic building block widely used in secure multiparty computation [2,3]. In this scenario, the sender S takes two messages $(\mu_0, \mu_1) \in \{0,1\}^\ell$ (where $\ell \geq 1$) as input and the receiver R takes a bit $b \in \{0,1\}$ as its message choice; it is required that R obtains only the output $\mu_b$ in the end and remains oblivious to $\mu_{1-b}$, while S is totally unaware of R's choice $b$.
Essentially, OT can be realized in two rounds. R first generates and sends to S a public key embedding the message choice $b$. S uses this public key to compute the other public key, encrypts $\mu_0$ and $\mu_1$ under the respective keys, and sends both encryptions back to R, where only $\mu_b$ can be recovered with the secret decryption key.
Regarding security, universal composability (UC) [4] is a powerful notion among the simulation-based security flavors: it offers strong security guarantees and efficiency benefits whenever the protocol is executed concurrently or composed arbitrarily within more advanced protocols, especially in multiparty computation or the complex Internet environment.
At CRYPTO'08, a dual-mode encryption framework for UC-secure OT was introduced by Peikert et al. [5]. To the best of our knowledge, this is the optimal OT framework to date: it not only satisfies the succinct two-round paradigm with high efficiency but also achieves UC security in the common reference string (CRS) model against static corruptions (i.e., which parties are corrupted is determined before the protocol execution and does not change during it). They claim that this generic construction provides statistical security for one specific party in each mode when instantiated under the decisional Diffie-Hellman assumption or the quadratic residuosity assumption. Under the learning with errors (LWE) assumption, however, the receiver only achieves computational security in either mode, and each CRS can be reused in a limited number of sessions.
To solve this problem, an upgraded dual-mode encryption from LWE was proposed by Quach at SCN'20 [6], which raises the receiver's security to a statistical level and makes the reusability of each CRS unbounded. In a nutshell, they utilize the noise flooding technique, requiring a superpolynomial LWE modulus $q$, to promote the security of the receiver and the reusability of each CRS. However, such a superpolynomial modulus directly contradicts the polynomial-time $O(q)$ simulator used to argue the sender's security in [5]. To address this issue, the work of [6] adopts a randomized rounding function $\mathcal{R}$ (with one-bit output) introduced by Benhamouda et al. [7] to make public key messiness efficiently testable (applying lattice trapdoor techniques) and independent of the LWE modulus size.
However, since only the single-bit output of $\mathcal{R}$ is taken as an almost-uniform symmetric key to hide messages in the dual-mode encryption of [6], the derived UC-secure OT is limited to transmitting single bits rather than multibit strings. In addition, as mentioned in [7], extending $\mathcal{R}$ to a multibit-output version is still an open question.
One may wonder whether, without costly trivial repetitions of this single-bit OT [6], there exists a variant of dual-mode encryption over lattices for deriving UC-secure string OT, with full-fledged dual-mode properties and unbounded reusability of the CRS.
Fortunately, our dual-mode encryption cryptosystem (see Section 3.2) provides an affirmative answer to this question.
1.1. Our Result. Based on the framework of [5], we propose a dual-mode encryption scheme improving on [6], from which a UC-secure OT (see Figure 1) for transmitting strings can be directly derived, as stated in Theorem 1.
Theorem 1 (informal). Relying on the hardness of LWE with a subpolynomial modulus, a two-round UC-secure OT against static corruptions in the common reference string (CRS) model exists and satisfies the following properties:
(1) Each CRS can be instantiated in either messy or decryption mode, where the two modes are computationally indistinguishable.
(2) In messy mode, it provides the sender statistical security and the receiver only computational security. In decryption mode, it instead provides the sender only computational security and the receiver statistical security.
(3) Each CRS can be reused an unbounded number of times for amortization between a fixed pair of participants.
(4) This UC-secure OT can transmit multibit strings while avoiding costly trivial repetitions of single-bit OT.
1.2. Technical Overview. Our work can be viewed as an improvement of [6], and both works rely on the framework of [5]. For clarity, we first review the main technique adopted by Quach [6].
1.2.1. Technical Review of [6]. The work of [6] utilizes the noise flooding technique (requiring a superpolynomial LWE modulus) to upgrade the receiver's security to a statistical level in decryption mode. However, it results in an inefficient simulator for arguing the sender's statistical security in messy mode. In particular, such a simulator for the sender's security would have to run in time $O(q)$, which directly conflicts with the use of a superpolynomial LWE modulus in the noise flooding technique. Therefore, a polynomial-time simulator for arguing the receiver's statistical security fails.

IET Information Security
To address this issue, they follow the pattern of [8] and take the hash value output by an approximate smooth projective hash (ASPH) scheme [7] as a symmetric session key to encrypt the message. In a nutshell, an ASPH scheme operates on a set $X$ and an NP-language $L \subseteq X$ by assuming the existence of a hard subset membership problem, i.e., it is hard to distinguish whether a random element is chosen from $L$ or from $X \setminus L$. For any $x \in L$, there exists a witness $w$ such that the pair $(x, w)$ satisfies a certain NP-relation. In addition, an ASPH scheme also involves a hashing key $hk$ and a projection key $hp$. The projection property demands that the hash value $H(hk, x)$ is determined by computing the projected hash value $pH(hp, w)$ if $x \in L$. The smoothness property requires that for any $x \in X \setminus L$, $H(hk, x)$ is uniformly distributed even given $hp$ and $x$.
In particular, the work of [6] utilizes a bit-ASPH [7], whose hash value is the single-bit output of a randomized rounding function $\mathcal{R}: \mathbb{Z}_q \to \{0,1\}$ (see Section 2.3). Its OT execution mainly works as follows. Bob (the receiver) first generates and sends to Alice (the sender) his public key $(\mathbf{A}, \mathbf{c} = \mathbf{A}\mathbf{s} + \mathbf{e} + \mathbf{f})$, where $\mathbf{A} \in \mathbb{Z}_q^{m \times n}$, $\mathbf{s} \leftarrow_\$ \mathbb{Z}_q^n$, $\mathbf{e} \leftarrow \chi^m$, $\mathbf{f} \leftarrow_\$ [-B', B']^m$. For all $i \in [N]$, Alice generates a hashing key $hk_i = \mathbf{r}_i \leftarrow D^m_{\mathbb{Z},\tau}$ and a projection key $hp_i = \mathbf{p}_i^T = \mathbf{r}_i^T \mathbf{A}$, and then computes the hash value $H_i = \mathcal{R}(\mathbf{r}_i^T \cdot \mathbf{c})$ to encrypt a one-bit message $\mu \in \{0,1\}$ as $\beta_i = \mathcal{R}(\mathbf{r}_i^T \cdot \mathbf{c}) \oplus \mu$. Alice sends $(hp_i, \beta_i)$ to Bob. Then Bob computes the projected hash value $pH_i = \mathcal{R}(\mathbf{p}_i^T \cdot \mathbf{s})$ and $\mathcal{R}(\mathbf{p}_i^T \cdot \mathbf{s}) \oplus \beta_i$ for decryption. If $\mathbf{c}$ is close to $\Lambda(\mathbf{A})$ (i.e., the $q$-ary lattice generated by $\mathbf{A}$), by the approximate correctness of $\mathcal{R}$ we have $H_i = \mathcal{R}(\mathbf{r}_i^T \cdot \mathbf{c}) = \mathcal{R}(\mathbf{p}_i^T \cdot \mathbf{s}) = pH_i$ with high probability. Therefore, $\mu = \mathcal{R}(\mathbf{p}_i^T \cdot \mathbf{s}) \oplus \beta_i$ holds for the majority of $i \in [N]$. Otherwise, by the statistical smoothness of $\mathcal{R}$, the public key $(\mathbf{A}, \mathbf{c})$ is messy (see Section 3.1), and the distribution of $\beta_i$ is statistically close to uniform. The approximate correctness of $\mathcal{R}$ guarantees that Bob can recover $\mu_b$ on the decryptable branch $b \in \{0,1\}$, while the statistical smoothness of $\mathcal{R}$ provides the message-lossy property for $\mu_{1-b}$, i.e., Bob is oblivious to $\mu_{1-b}$.
In addition, this rounding function $\mathcal{R}$ offers a crucial property for arguing the simulation-based security of the sender: given an appropriate trapdoor, public key messiness can be tested efficiently and independently of the modulus $q$. This helps to complete the UC security proof for the derived OT in [6] and to achieve all the properties of the well-defined dual-mode encryption notion (see Section 2.1) over lattices, instead of the weaker instantiation proposed by Peikert et al. [5].
However, the work of [6] can only encrypt single-bit messages through the rounding function $\mathcal{R}$, and a version of $\mathcal{R}$ with $\Theta(n)$-bit output remains unresolved. In this work, we adopt a key reconciliation scheme introduced by Jiang et al. [9] to extend the single-bit symmetric key output by the bit-ASPH scheme [7] to a UC-secure string OT.

1.2.2. Extension of Symmetric Key.
In essence, the work of [6] utilizes a KV09-type [10] ASPH scheme [7] to generate the symmetric keys $H_i = \mathcal{R}(\mathbf{r}_i^T \cdot \mathbf{c})$ and $pH_i = \mathcal{R}(\mathbf{p}_i^T \cdot \mathbf{s})$ for hiding and recovering messages, respectively. Recently, the work of [9] proposed two types (i.e., type-A and type-B) of ASPH over lattices (both KV09-type) for building a password-based authenticated key exchange (PAKE) framework. They introduce a novel key reconciliation scheme that is run after the execution of the type-B ASPH in the PAKE framework so that the two participants agree on a shared secret key, i.e., it extracts a random multibit shared key from two close hash value outputs of the type-B ASPH. For clarity, we denote this key reconciliation scheme as $\pounds = (\pounds_{alice}, \pounds_{bob})$, which consists of two algorithms (i.e., $\pounds_{alice}(d) \to (\sigma, \xi_{alice})$ and $\pounds_{bob}(\sigma, d') \to \xi_{bob}$) and is executed between Alice and Bob as a one-message key reconciliation protocol (i.e., from Alice to Bob). Assume that $d \leftarrow \mathbb{Z}_q$ (Alice's secret) and $d' \leftarrow \mathbb{Z}_q$ (Bob's secret) satisfy the condition $|(d - d')_q| \leq \delta$ (where $(x)_q$ represents the residue of $x \in \mathbb{Z}_q$ over $[-q/2, q/2)$) for some integer $\delta \leq q/32$. After the execution of this protocol, both participants agree on a common secret $\xi$, i.e., $\xi = \xi_{alice} = \xi_{bob}$, which serves as the subsequent symmetric session key for encryption. The two hash values output by the type-B ASPH are actually $d = \mathbf{r}_i^T \cdot \mathbf{c}$ and $d' = \mathbf{p}_i^T \cdot \mathbf{s}$, which are taken as input into $\pounds$ sequentially. By observation, both $d$ and $d'$ are exactly the inputs of the rounding function $\mathcal{R}$ as well [7]. Therefore, we can utilize this key reconciliation mechanism $\pounds = (\pounds_{alice}, \pounds_{bob})$ to extend the single-bit symmetric key output by $\mathcal{R}$ and encrypt a multibit message $\mu = (\mu_{\mathcal{R}}, \mu_{\pounds}) \in \{0,1\}^\ell$ as follows, where $\mu_{\mathcal{R}}$ is the first bit of $\mu$ and $\mu_{\pounds}$ consists of the residual bits of $\mu$.
The correctness of decryption is guaranteed by $H_i = \mathcal{R}(\mathbf{r}_i^T \cdot \mathbf{c}) = \mathcal{R}(\mathbf{p}_i^T \cdot \mathbf{s}) = pH_i$ with very large probability and by $\xi_{alice} = \xi_{bob}$ whenever $|(d - d')_q| \leq \delta$ for $\delta \leq q/32$.

The approach proposed above not only guarantees an efficient simulator for arguing the sender's statistical security in the UC model, by retaining the use of $\mathcal{R}$, but also solves the open problem of obliviously transferring multibit strings left in [6]. Moreover, the adoption of $\pounds = (\pounds_{alice}, \pounds_{bob})$ remains compatible with the public key messiness properties (see Lemma 9) when $\mathbf{c}$ is far away from $\Lambda(\mathbf{A})$. Therefore, our dual-mode encryption cryptosystem is a full-fledged instantiation over lattices, which exactly realizes the well-defined primitive notion (see Definition 1).
1.3. Performance Analysis. We compare the security of our dual-mode encryption cryptosystem with two related works (i.e., [5,6]) in Table 1 to show that this work fully achieves the dual-mode properties required by Definition 1.
Note that a multisession UC-secure OT (see Figure 1) can be derived from our proposed dual-mode cryptosystem, where $crs$ can be reused an unbounded number of times and multibit strings can be transmitted in each session. In the work of [5], however, $crs$ can only be reused in a limited number of sessions, and in the work of [6], only single-bit messages can be transmitted in each session instead of multibit strings.
For a clear efficiency comparison of these three works, we fix some notation in Table 2. We let $\ell$ denote the bit-length of an encrypted message in each session and $\ell'$ denote the number of sessions permitted for a common $crs$. Then we mainly inspect the cost of vector sampling and the amortization performance during a multisession string OT execution (i.e., $\ell \geq 1$ and $\ell' \geq 1$). In particular, we analyze the cost of generating $crs$, $pk$ and $ct$ in each mode, respectively. The cost of generating $crs$ is due to producing $\mathbf{A}$ and $\mathbf{v}$, the cost of generating $pk$ is due to producing $sk$ and the error vector, and the cost of generating $ct$ is due to randomness sampling.
Here, we let $a \cdot \hat{g}$ denote the cost of running $a$ Gaussian samplings from $\mathbb{Z}^m$, and $b \cdot \hat{u}$ denote the cost of running $b$ uniform samplings from $\mathbb{Z}_q^m$. For convenience, we treat the cost of sampling an $n$-dimensional vector as the same as that of sampling an $m$-dimensional vector from a given distribution. Since the public matrix $\mathbf{A}$ in messy mode is produced by $\mathrm{TrapGen}(1^n, 1^m, q) \to (\mathbf{A}, \mathbf{T})$ (see Lemma 4), we denote the cost of generating such a matrix $\mathbf{A}$ by $\widehat{\mathrm{trap}}_{\mathbf{A}}$. In addition, [6] and our work both use a heuristic randomized rounding function $\mathcal{R}$ (see Lemma 6), and we denote by $\hat{R}$ the cost of sampling the randomness required by each execution of $\mathcal{R}$. Moreover, our scheme utilizes the key reconciliation mechanism $\pounds$ (see Section 2.4); we denote the cost of sampling a binary-form integer $f = a_{t-1} \cdots a_{g+1} a_g \cdots a_1 a_0$ by $\hat{f}$. The comparison result can be read off from Table 3.
For transmitting strings by a multisession UC-secure OT between two fixed participants (e.g., Alice and Bob), the work of [5] can only reuse a common $\mathbf{A}$ across a bounded number $\ell'$ of OT sessions (i.e., requiring $\ell'$ times the cost of generating an independent $\mathbf{v}$), and each session can obliviously transfer multibit messages (i.e., $\ell \geq 1$). Although the work of [6] can reuse a common $crs$ across an unbounded number $\ell'$ of OT sessions, due to the use of $\mathcal{R}$ each session can only obliviously transfer a single-bit message (i.e., $\ell = 1$) and needs $N = O(n)$ independent randomness samplings for decryption correctness. Our work can also reuse a common $crs$ across an unbounded number $\ell'$ of OT sessions, and each session can obliviously transfer multibit strings (i.e., $\ell \geq 1$) at the additional price of sampling the binary integer $f$. Therefore, the total costs of randomness sampling for encrypting $\{(\mu_0, \mu_1)_j \in \{0,1\}^\ell\}_{j \leq \ell'}$ in the above three works are $\ell' \cdot (2\hat{u})$, $\ell' \cdot (2N(\hat{u} + \hat{R}))$, and the cost of our work given in Table 3, respectively. Moreover, the communication cost of one OT execution is mainly that of transmitting $(pk, \{ct_0, ct_1\})$. Since the main difference in communication cost lies in the ciphertext size, we list the bit-length of a single ciphertext (i.e., size) of these three works in Table 3. We observe that the work of [5] only needs to transmit $(n + \ell)\log q$ bits for the encryption of an $\ell$-bit message, which is more efficient than our work for transferring strings. However, our work achieves higher security and allows string OT, whereas [6] needs $N(n \log q + 1)$ bits for encrypting a single bit.
To sum up, if higher efficiency is required and lower security is acceptable, the work of [5] would be recommended, since its costs in randomness sampling and ciphertext size are both lower than those of the other two works. If multibit messages (i.e., $\ell > 1$) must be transferred with full-fledged dual-mode security, we only need to run one session of our string OT, while the work of [6] has to run $\ell' = \ell$ single-bit OT sessions with huge overhead.
1.4. Other Related Work. The work of [11] builds a two-message OT protocol from LWE, which achieves statistical sender security and computational receiver security against malicious adversaries. For obliviously transferring multibit strings, although ours is less efficient (due to a superpolynomial modulus $q$) than their work, our scheme obtains stronger UC security at the expense of relying upon a trusted CRS.
In addition, the work of [12] proposes a generic construction to upgrade a two-round elementary OT to a UC-secure version in the malicious setting, where the CRS is reusable an unbounded number of times. By taking [5] or [11] as the elementary OT, we can obtain an LWE-based instantiation with a polynomial-size modulus. However, their work only offers both participants computational security, and our proposal is more efficient by avoiding any non-black-box techniques.
Recently, the works of [13,14] first introduced an LWE-based dual-mode non-interactive zero-knowledge proof (NIZK). We can plug [5], as a semi-maliciously secure dual-mode OT, into the framework of [13,14] to derive a dual-mode OT with fully malicious security. Since [5] only achieves computational receiver security from LWE, if we fix this flaw with the noise flooding technique, the resulting issue would be the same as the problem in our scheme caused by the subexponential LWE modulus. Since the reductions for the soundness of [13,14] are black-box, this inherently implies the non-adaptively sound NIZKs of [13,14] in statistical zero-knowledge mode. This can be patched by complexity leveraging, but it would then rely on subexponential LWE hardness. Moreover, compiling the OT of [5] into the generic NIZK framework of [13,14] would result in practically inefficient proofs.

Preliminaries
2.1. Notations. Here, we take $n$ as an implicit security parameter. We let $\mathrm{poly}(n)$ denote any function $f(n) = O(n^c)$ for some constant $c$, and $\mathrm{negl}(n)$ denote an unspecified function $f(n)$ such that $f(n) = n^{-\omega(1)}$. If a probability is $1 - \mathrm{negl}(n)$, we call it overwhelming.
We denote column vectors by bold lower-case letters and matrices by bold upper-case letters, e.g., $\mathbf{a}$ and $\mathbf{A}$. Their transposes are denoted by $\mathbf{a}^T$ and $\mathbf{A}^T$. We let $x \bmod q$ represent the residue of $x \in \mathbb{Z}_q$ over $[0, q)$, and $(x)_q$ represent the residue of $x \in \mathbb{Z}_q$ over $[-q/2, q/2)$. The largest integer smaller than $x$ and the smallest integer greater than $x$ are written $\lfloor x \rfloor$ and $\lceil x \rceil$, respectively. We let $x \oplus y$ represent the XOR of two bit strings $x, y \in \{0,1\}^k$. All distances $d(\cdot, \cdot)$ and norms $\|\cdot\|$ are in the $\ell_2$ norm unless otherwise specified; $\|\cdot\|_\infty$ denotes the infinity norm. For any positive integer $N \geq 1$, we let $[N]$ denote the set of integers $\{1, \ldots, N\}$. We let $U(E)$ represent the uniform distribution over a set $E$ and $x \leftarrow_\$ E$ represent uniform sampling $x \leftarrow U(E)$. We say a distribution $\psi$ is $B$-bounded if, with overwhelming probability, a sample from $\psi$ has norm at most $B \in \mathbb{R}$. The statistical distance between two distributions $D_1$ and $D_2$ is defined in the standard way.
2.2. Dual-Mode Encryption. We first recall the notion of dual-mode encryption [5,6]. For clarity, we adopt their notation for illustration.
Definition 1 (dual-mode encryption). A dual-mode encryption scheme with message space $\{0,1\}^\ell$ consists of a tuple of probabilistic polynomial-time algorithms $(\mathrm{SetupMessy}, \mathrm{SetupDec}, \mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{FindMessy}, \mathrm{TrapKeyGen})$ defined as follows:
(1) $\mathrm{SetupMessy}(1^n) \to (crs, td_M)$: Given as input the security parameter $n$, the setup algorithm outputs a common reference string $crs$ along with a trapdoor $td_M$ in messy mode.
[...] and a ciphertext $ct$, the decryption algorithm outputs a message $\mu \in \{0,1\}^\ell$.
(6) $\mathrm{FindMessy}(crs, td_M, pk) \to b$: Given as input a common reference string $crs$, a trapdoor $td_M$ in messy mode and a (possibly malformed) public key $pk$, the algorithm outputs a branch $b \in \{0,1\}$ corresponding to a messy branch of $pk$.
(7) $\mathrm{TrapKeyGen}(crs, td_D) \to (pk, sk_0, sk_1)$: Given as input a common reference string $crs$ and a trapdoor $td_D$ in decryption mode, the algorithm outputs keys $(pk, sk_0, sk_1)$, where $pk$ is a public encryption key and $sk_0$ and $sk_1$ are the corresponding secret decryption keys for branches 0 and 1, respectively.
The work of [5] showed that once a dual-mode encryption scheme satisfying the above notion is constructed, a UC-secure OT can be directly obtained. Here, we assume readers are familiar with the UC security model and omit its background; we refer to [5] for more details.
Theorem 2 (UC-secure OT from dual-mode encryption [5,6]). If a dual-mode encryption scheme $(\mathrm{SetupMessy}, \mathrm{SetupDec}, \mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{FindMessy}, \mathrm{TrapKeyGen})$ is well-defined as above, we obtain a protocol that UC-realizes the multisession OT functionality $\hat{\mathcal{F}}_{OT}$ in the $\mathcal{F}_{CRS}$-hybrid model under static corruptions.
We can execute this UC-secure OT protocol in either of two modes.Each time, it is run over a distinct functionality F CRS that produces crs according to the corresponding setup algorithm.The messy mode only provides statistical security for the sender.The decryption mode only provides statistical security for the receiver.The other party in each mode can only achieve computational security.
2.3. Lattices. Let $\mathbf{B} = \{\mathbf{b}_1, \ldots, \mathbf{b}_n\}$ consist of $n$ linearly independent $m$-dimensional column vectors $\mathbf{b}_i \in \mathbb{R}^m$ for all $i \in [n]$. The $m$-dimensional lattice $\Lambda$ generated by $\mathbf{B}$ is defined as $\Lambda(\mathbf{B}) = \{\mathbf{B}\mathbf{c} = \sum_{i \in [n]} c_i \cdot \mathbf{b}_i : \mathbf{c} \in \mathbb{Z}^n\}$. The dual lattice of $\Lambda$ is defined as $\Lambda^* = \{\mathbf{y} \in \mathrm{Span}_{\mathbb{R}}(\Lambda) \mid \forall \mathbf{x} \in \Lambda, \langle \mathbf{x}, \mathbf{y} \rangle \in \mathbb{Z}\}$. Let $\lambda_1^\infty(\Lambda) = \min_{\mathbf{x} \in \Lambda \setminus \{\mathbf{0}\}} \|\mathbf{x}\|_\infty$ define the minimum distance of a lattice in the infinity norm. If the column vectors of a matrix $\mathbf{A} \in \mathbb{Z}_q^{m \times n}$ are linearly independent, we say that $\mathbf{A}$ is full-rank. Now we introduce two $q$-ary lattices, $\Lambda(\mathbf{A})$ and $\Lambda^\perp(\mathbf{A})$, defined by $\mathbf{A} \in \mathbb{Z}_q^{m \times n}$. These two lattices are dual to each other up to a scaling factor $q$, such that $\Lambda(\mathbf{A}) = q \cdot \Lambda^\perp(\mathbf{A})^*$ and $\Lambda^\perp(\mathbf{A}) = q \cdot \Lambda(\mathbf{A})^*$. We define the Gaussian weight function on $\mathbb{R}^m$ with parameter $\tau > 0$, and the discrete Gaussian distribution over $\mathbb{Z}$ with parameter $\tau > 0$, in the standard way. Moreover, we recall an important lattice parameter, i.e., the smoothing parameter [15]. For an $m$-dimensional lattice $\Lambda$ and a positive real $\epsilon > 0$, the smoothing parameter $\eta_\epsilon(\Lambda)$ is defined as the smallest $\tau > 0$ such that $\rho_{1/\tau}(\Lambda^* \setminus \{\mathbf{0}\}) \leq \epsilon$. Now we introduce some useful lemmas regarding the above $q$-ary lattices defined by $\mathbf{A}$ and the corresponding lattice quantity $\eta_\epsilon$.
Lemma 1 (see [16], Lemma 5.2). Suppose a matrix $\mathbf{A} \in \mathbb{Z}_q^{m \times n}$ whose row vectors generate $\mathbb{Z}_q^n$ (i.e., $\mathbf{A}$ is full-rank), $\epsilon \in (0, 1/2)$, and $\tau \geq \eta_\epsilon(\Lambda^\perp(\mathbf{A}))$. For any $\mathbf{e} \leftarrow D^m_{\mathbb{Z},\tau}$, the distribution of $\mathbf{u} = \mathbf{e}^T \mathbf{A} \bmod q$ is within statistical distance $2\epsilon$ of the uniform distribution over $\mathbb{Z}_q^n$.
Lemma 2 (see [16], Lemmas 5.1 and 5.3). Let $n$, $m$, and $q$ be positive integers with $q$ prime and $m \geq 2n \log q$. For all but an at most $q^{-n}$ fraction of $\mathbf{A} \in \mathbb{Z}_q^{m \times n}$, the rows of $\mathbf{A}$ generate $\mathbb{Z}_q^n$. For all but an at most $q^{-n}$ fraction of $\mathbf{A} \in \mathbb{Z}_q^{m \times n}$, we have a large minimum distance $\lambda_1^\infty(\Lambda(\mathbf{A})) \geq q/4$. That is
Lemma 3 (see [15-17]). For any $m$-dimensional lattice $\Lambda$ and positive real $\epsilon > 0$, we have the following: Let $n$, $m$, and $q$ be positive integers with $q$ prime and $m \geq 2n \log q$. For any function $\omega(\sqrt{\log m})$, there is a negligible function $\epsilon(m)$ such that the stated bound holds with overwhelming probability over the choice of $\mathbf{A} \leftarrow_\$ \mathbb{Z}_q^{m \times n}$.
$\mathrm{LWE}_{q,\chi,n}$ hardness [18]. For all $B \geq \Omega(\sqrt{n})$, a $B$-bounded distribution $\chi = \chi(n)$ exists such that, within approximation factor $\gamma = \tilde{O}(\sqrt{n} \cdot q/B)$, breaking the average-case problem $\mathrm{LWE}_{q,\chi,n}$ is at least as hard as solving the worst-case problems $\mathrm{GapSVP}_\gamma$ and $\mathrm{SIVP}_\gamma$ using a quantum algorithm.

2.3.3. Trapdoors. Now, we introduce a lemma regarding the lattice trapdoor technique, which is used to identify messy public keys for arguing the sender's statistical security in messy mode.
Lemma 4 (see [19], Theorem 5.1). Given integers $n \geq 1$, $q \geq 2$, and $m \geq \Omega(n \log q)$ as input, there exists an efficient randomized algorithm $\mathrm{TrapGen}(1^n, 1^m, q)$ which outputs $\mathbf{A} \in \mathbb{Z}_q^{m \times n}$ along with a trapdoor $\mathbf{T}$ such that: (1) The distribution of $\mathbf{A}$ is statistically close to $U(\mathbb{Z}_q^{m \times n})$. (2) For any $\mathbf{s} \in \mathbb{Z}_q^n$ and $\mathbf{e} \in \mathbb{Z}_q^m$ such that $\|\mathbf{e}\| < q/(6\sqrt{m})$, given $\mathbf{c} = \mathbf{A}\mathbf{s} + \mathbf{e}$ and the above $(\mathbf{A}, \mathbf{T})$ as input, there exists an efficient deterministic trapdoor inversion algorithm that outputs $(\mathbf{s}, \mathbf{e})$, i.e., $\mathrm{Invert}(\mathbf{T}, \mathbf{A}, \mathbf{c}) \to (\mathbf{s}, \mathbf{e})$.
2.3.4. Noise Flooding. The following lemma is used for arguing the receiver's statistical security in decryption mode.
Lemma 5 (see [9,20]). Suppose $B = B(n)$ and $B' = B'(n) \in \mathbb{Z}$ are two positive integers. Let $e_1 \in [-B, B]$ be a fixed integer and $e_2 \leftarrow_\$ [-B', B']$. The distribution of $e_2$ is statistically close to the distribution of $e_2 + e_1$ as long as $B/B' = \mathrm{negl}(n)$.
2.4. Statistically Smooth Rounding Function over Lattices. We still employ the statistically smooth rounding function of [7] in our dual-mode encryption construction. It provides a crucial property: identifying a messy public key amounts to running the trapdoor inversion algorithm once (independent of the superpolynomial LWE modulus $q$), which further helps to build an efficient simulator for arguing the sender's statistical security in the UC model.
Lemma 6 (see [6,7]). Let $\mathcal{R}: \mathbb{Z}_q \to \{0,1\}$ be the randomized rounding function of [7]. Let $\mathbf{A} \in \mathbb{Z}_q^{m \times n}$ with $m = \Theta(n \log q)$, $\mathbf{p} \in \mathbb{Z}_q^n$, and $\tau \geq \eta_\epsilon(\Lambda^\perp(\mathbf{A}))$ for some $\epsilon = \mathrm{negl}(n)$. Then the randomized rounding function $\mathcal{R}$ satisfies the following properties: (1) Statistical smoothness: if $\mathbf{A}$ is full-rank, then for all $\mathbf{c} \in \mathbb{Z}_q^m$ with $d(\mathbf{c}, \Lambda(\mathbf{A})) \geq q\sqrt{m}/\tau$, the output $\mathcal{R}(\mathbf{r}^T \mathbf{c})$ is statistically close to uniform, where the probability is taken over $\mathbf{r} \leftarrow D^m_{\mathbb{Z},\tau}$ and the randomness of $\mathcal{R}$.
(2) Approximate correctness: for all $\mathbf{c} = \mathbf{A}\mathbf{s} + \mathbf{e} \in \mathbb{Z}_q^m$, where $\mathbf{s} \in \mathbb{Z}_q^n$ and $\mathbf{e} \in \mathbb{Z}_q^m$ are such that $d(\mathbf{c}, \Lambda(\mathbf{A})) \leq B$ (i.e., $\|\mathbf{e}\| \leq B$) and $B \cdot \tau \cdot \sqrt{m} = o(q)$, and for all large enough $n$, we have $\mathcal{R}(\mathbf{r}^T \mathbf{c}) = \mathcal{R}(\mathbf{p}^T \mathbf{s})$ with high probability, where $\mathbf{p}^T = \mathbf{r}^T \mathbf{A}$.
2.5. Key Reconciliation over Lattices. Now, we recall the key reconciliation scheme introduced in [9], which extracts a random multibit shared key from two close secrets over $\mathbb{Z}_q$. We denote this scheme as $\pounds = (\pounds_{alice}, \pounds_{bob})$; it consists of two algorithms and can be viewed as a one-message key reconciliation protocol executed from Alice to Bob. Assume $d \leftarrow \mathbb{Z}_q$ (Alice's secret) and $d' \leftarrow \mathbb{Z}_q$ (Bob's secret) with $|(d - d')_q| \leq \delta$ for some integer $\delta \leq q/32$. At the end of the execution, Alice and Bob reach a consensus on a common secret $\xi$, i.e., $\xi = \xi_{alice} = \xi_{bob}$. Let $t = \lfloor \log q \rfloor$ and $g = \lceil \log \delta \rceil$. The scheme $\pounds$ works as follows.
Alice's execution (i.e., $\pounds_{alice}(d) \to (\sigma, \xi_{alice})$):
(1) Alice sets an integer $f = a_{t-1} \cdots a_{g+1} a_g \cdots a_1 a_0$ in binary form, where she defines $a_g = 1$ and $a_{g+1} = 0$, and takes $a_j \leftarrow \{0,1\}$ for $0 \leq j \leq t-1$ with $j \neq g, g+1$.
Lemma 7. Assume $d, d' \in \mathbb{Z}_q$ with $|(d - d')_q| \leq \delta$. Then Alice and Bob agree on a common secret (i.e., $\xi = \xi_{alice} = \xi_{bob}$) after the execution of $\pounds = (\pounds_{alice}, \pounds_{bob})$. Furthermore, if $d \leftarrow_\$ \mathbb{Z}_q$, the common key $\xi$ is confidential (even given $\sigma$) and uniformly distributed over $\{0,1\}^{t-g-2}$. The entropy $H(\xi) = H(\xi \mid \sigma)$ is at least $\log \frac{q}{16\sigma}$.
Remark 1. Note that $f$ is independent of $d$, and $d$ is the one-time pad for $f$ via $\sigma = f + d \bmod q$. Hence, $f$ is independent of $\sigma$. Furthermore, $\xi$ is determined by the first $t - g - 2$ randomly chosen bits of $f$, so $\xi$ is independent of $\sigma$ and uniformly random. Therefore, we can use $\xi$ as the one-time pad key to encrypt multiple bits in our dual-mode encryption scheme.
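As an added illustration (not code from this paper or from [9]), the following Python script runs $\pounds_{alice}$ and $\pounds_{bob}$ on a constructed toy LWE-style instance in which Alice's secret is $d = \mathbf{r}^T \mathbf{c}$ and Bob's is $d' = \mathbf{p}^T \mathbf{s}$, as in Sections 1.2.2 and 2.5, and then uses $\xi$ as the one-time pad for $\mu_{\pounds}$. Bob's algorithm $\pounds_{bob}$ is not spelled out in the extract above; the reconstruction used here (subtract $d'$ and read the bits above position $g+1$) is an assumption, as are the toy parameter sizes $q = 65521$, $n = 4$, $m = 16$, $\delta = 32$ and the use of small uniform vectors in place of Gaussian sampling.

```python
import random

# Constructed toy parameters (assumption: chosen for illustration only,
# not the paper's Table 4 setting).  2^15 <= Q < 2^16, so t = 15.
Q = 65521            # prime modulus
N, M = 4, 16         # LWE dimension n and number of samples m
E_BOUND = 2          # error coordinates in [-E_BOUND, E_BOUND]
R_BOUND = 1          # Alice's r in {-1, 0, 1}^m (stands in for D^m_{Z,tau})
DELTA = M * E_BOUND * R_BOUND   # |r^T e| <= DELTA = 32 <= Q/32


def centered(x, q):
    """(x)_q: the residue of x in [-q/2, q/2)."""
    x %= q
    return x - q if x >= (q + 1) // 2 else x


def params(q, delta):
    """t = floor(log2 q), g = ceil(log2 delta), k = t - g - 2 key bits."""
    t = q.bit_length() - 1
    g = (delta - 1).bit_length()
    k = t - g - 2
    assert k >= 1 and delta <= q // 32, "need delta <= q/32"
    return t, g, k


def reconcile_alice(d, q, delta, rng):
    """£_alice(d) -> (sigma, xi_alice), Alice's side as in Section 2.5.

    f = a_{t-1} ... a_{g+2} 0 1 a_{g-1} ... a_0 in binary: a_{g+1} = 0,
    a_g = 1, every other bit uniformly random.  sigma = f + d mod q, and
    xi_alice is the top t-g-2 bits a_{t-1} ... a_{g+2}.
    """
    t, g, k = params(q, delta)
    high = rng.getrandbits(k)                  # a_{t-1} ... a_{g+2}
    low = rng.getrandbits(g) if g > 0 else 0   # a_{g-1} ... a_0
    f = (high << (g + 2)) | (1 << g) | low
    sigma = (f + d) % q                        # d is a one-time pad for f
    return sigma, high


def reconcile_bob(sigma, d_prime, q, delta):
    """£_bob(sigma, d') -> xi_bob (assumed reconstruction, see lead-in).

    sigma - d' = f + (d - d')_q mod q.  Write f = F*2^(g+2) + r with
    r in [2^g, 2^(g+1)) because of the fixed bits a_{g+1} = 0, a_g = 1.
    Since |(d - d')_q| <= delta <= 2^g, r + (d - d')_q stays in
    [0, 2^(g+2)): no carry or borrow reaches bit g+2, the sum stays below
    2^t <= q (no modular wrap), and bits t-1..g+2 equal F = xi_alice.
    """
    t, g, _ = params(q, delta)
    x = (sigma - d_prime) % q
    return x >> (g + 2)


def toy_lwe_secrets(rng):
    """Constructed LWE-style instance giving the two close secrets of
    Section 1.2.2: Alice's d = r^T c and Bob's d' = p^T s with p^T = r^T A,
    so (d - d')_q = r^T e is small.  Toy sizes, no Gaussian sampling."""
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    s = [rng.randrange(Q) for _ in range(N)]
    e = [rng.randint(-E_BOUND, E_BOUND) for _ in range(M)]
    c = [(sum(A[i][j] * s[j] for j in range(N)) + e[i]) % Q for i in range(M)]
    r = [rng.randint(-R_BOUND, R_BOUND) for _ in range(M)]
    p = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    d = sum(r[i] * c[i] for i in range(M)) % Q        # Alice: r^T c
    d_prime = sum(p[j] * s[j] for j in range(N)) % Q  # Bob:   p^T s
    return d, d_prime


def reconcile_roundtrip(d, d_prime, seed=0):
    """Run £ on given secrets; returns (keys_agree, xi_alice)."""
    sigma, xi_alice = reconcile_alice(d, Q, DELTA, random.Random(seed))
    return reconcile_bob(sigma, d_prime, Q, DELTA) == xi_alice, xi_alice


def string_branch_demo(mu_rest, seed=7):
    """Hide mu_£ (an integer of t-g-2 bits) with xi_alice as a one-time pad
    and let Bob strip it off with xi_bob.  Returns (keys_agree, recovered)."""
    rng = random.Random(seed)
    d, d_prime = toy_lwe_secrets(rng)
    assert abs(centered(d - d_prime, Q)) <= DELTA
    sigma, xi_alice = reconcile_alice(d, Q, DELTA, rng)
    xi_bob = reconcile_bob(sigma, d_prime, Q, DELTA)
    beta = mu_rest ^ xi_alice      # beta_£ = mu_£ XOR xi_alice
    return xi_alice == xi_bob, beta ^ xi_bob


if __name__ == "__main__":
    _, _, k = params(Q, DELTA)
    print(f"shared key has {k} bits")          # 8 bits with these parameters
    print(string_branch_demo(0b10110010))      # (True, 178)
```

The checks in `reconcile_roundtrip` cover the two boundary errors $(d - d')_q = \pm\delta$ and a difference that crosses the modulus, which is where the fixed bits $a_{g+1} = 0$, $a_g = 1$ do their work.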

LWE-Based Dual-Mode Encryption for UC-Secure String OT
In this section, an LWE-based dual-mode encryption (see Section 3.2) is proposed for deriving a UC-secure string OT (as shown in Figure 1), which is more efficient than running multiple costly independent executions of single-bit OT [6] (see Table 3) for transmitting multibit messages. We first introduce its underlying LWE-based messy public-key encryption in Section 3.1, i.e., an extension of the corresponding scheme of [6].

3.1. Extended Messy Public-Key Encryption. For a lattice-based dual-mode encryption cryptosystem over multibit messages, we need an LWE-based messy public-key encryption as the underlying encryption algorithm, which is obtained by extending the messy public-key encryption of [6] to a multibit version. In particular, we use the single-bit output of the statistically smooth rounding function $\mathcal{R}$ (see Lemma 6) to encrypt the first bit of the message, retaining the property that a messy public key can be tested efficiently and independently of the LWE modulus size. Moreover, we add the key reconciliation scheme $\pounds$ (see Section 2.4) to the framework. By taking one of $\mathcal{R}$'s inputs during its multiple executions (under the same public key) as the input of $\pounds$, we obtain multiple random bits to hide the remaining bits of the message. Since $\mathcal{R}$ and $\pounds$ both use the same (possibly malformed) public key, the messy public key property is naturally inherited by our extended LWE-based encryption.
3.1.1. Parameters Setting. Consider the randomized rounding function $\mathcal{R}$ (see Lemma 6) and the key reconciliation scheme $\pounds$ (see Section 2.4) used together in the scheme. All parameters are set as in Table 4 to satisfy the correctness and security of the following LWE-based messy encryption scheme.

Similar to [6], the term $\mathbf{f}$ added into $\mathbf{c}$ (i.e., noise flooding) is used for arguing the receiver's statistical security in decryption mode. Note that none of the following properties would be affected if this term were removed from $\mathbf{c}$. Now, we show the correctness of this extended LWE-based encryption scheme.
Lemma 8. [...] and $\delta \leq q/32$; then the above extended public-key encryption scheme is correct.
Proof. If we set $\|\mathbf{e}\| \leq B$ and $\|\mathbf{f}\| \leq B'$, then by the approximate correctness of $\mathcal{R}$ (see Lemma 6), for all $i \in [N]$ we have $\mathcal{R}(\mathbf{r}_i^T \mathbf{c}) = \mathcal{R}(\mathbf{p}_i^T \mathbf{s})$ with high probability over the internal randomness of $\mathcal{R}$ and $\mathbf{r}_i \leftarrow D^m_{\mathbb{Z},\tau}$. By the Cauchy-Schwarz inequality, $|\mathbf{r}_i^T(\mathbf{e} + \mathbf{f})| \leq \|\mathbf{r}_i\| \cdot \|\mathbf{e} + \mathbf{f}\|$. We can observe from the above that $d = \mathbf{r}_i^T \mathbf{c}$ and $d' = \mathbf{p}_i^T \mathbf{s}$ satisfy $|(d - d')_q| = |\mathbf{r}_i^T(\mathbf{e} + \mathbf{f})| \leq \delta$ for some integer $\delta \leq q/32 = o(q)$; hence, by the correctness of $\pounds$ (see Lemma 7), the two participants agree on a common secret $\xi$, i.e., $\xi = \xi_{alice} = \xi_{bob}$.
Therefore, using only a Chernoff bound for the approximate correctness of $\mathcal{R}$, we obtain correct decryption with overwhelming probability in our extended public-key encryption scheme. □
3.1.3. Messy Public Keys. To construct a dual-mode encryption cryptosystem from LWE, we have to build upon an LWE-based encryption admitting messy (short for message-lossy) public keys. We say that a public key $pk$ is messy if a ciphertext output by $\mathrm{LWEEnc}(pk, \cdot)$ carries (statistically) no information about the encrypted message, i.e., for all $\mu_0, \mu_1 \in \{0,1\}^\ell$, $\mathrm{LWEEnc}(pk, \mu_0) \approx_s \mathrm{LWEEnc}(pk, \mu_1)$. Moreover, given an appropriate lattice trapdoor in the dual-mode cryptosystem below, such messy keys can be efficiently identified. More precisely, the ciphertext produced by $\mathrm{LWEEnc}$ is $ct = (\{\mathbf{p}_i, \beta_i\}_{i \leq N}, \{k, \sigma_k, \beta_{\pounds}\})$. Therefore, for any fixed public key $pk = (\mathbf{A}, \mathbf{c})$, we have to consider the statistical distance $\delta(pk)$ between $U(\mathbb{Z}_q^n \times \mathbb{Z}_2 \times \mathbb{Z}_q)$ and the distribution of $(\mathbf{r}_i^T \mathbf{A}, \mathcal{R}(\mathbf{r}_i^T \mathbf{c}), \mathbf{r}_i^T \mathbf{c})$, where $\mathbf{r}_i \leftarrow D^m_{\mathbb{Z},\tau}$. For any $\mu_0, \mu_1 \in \mathbb{Z}_2^\ell$, both $\mathrm{LWEEnc}(pk, \mu_0)$ and $\mathrm{LWEEnc}(pk, \mu_1)$ are close to uniform within $\delta(pk)$, so by the triangle inequality they are within statistical distance $2\delta(pk)$ of each other. If $\delta(pk)$ is negligibly small, then $pk$ is a messy public key. The correctness of $\mathrm{LWEDec}$ implies that if $pk$ is generated by $\mathrm{LWEKeyGen}$, it has a large $\delta(pk)$. As shown in prior lattice-based cryptosystems [5,16,18], messy public keys occupy an important position in security proofs. In particular, [5] requires that the simulator in the UC model can efficiently identify messy keys with trapdoor information, which demands an explicit condition to identify those keys. Since our dual-mode encryption cryptosystem follows the framework of [5], we also present a sufficient condition for messy public keys as follows.
Lemma 9 (sufficient condition for messy public key). Let $\mathbf{A} \leftarrow_\$ \mathbb{Z}_q^{m \times n}$ and $\mathbf{c} \in \mathbb{Z}_q^m$. Suppose that the rows of $pk = (\mathbf{A}, \mathbf{c})$ generate $\mathbb{Z}_q^{n+1}$. Then for any $\epsilon \in (0, 1/2)$ and any Gaussian parameter $\tau \geq \eta_\epsilon(\Lambda^\perp(pk))$ used by $\mathrm{LWEEnc}$, we have $\delta(pk) \leq 2\epsilon$.
In particular, if dðc; Proof.First, we can write δðpkÞ: as follows: IET Information Security where δ R denotes the statistical distance between the distribution of Rðr T i cÞ: and UðZ 2 Þ: , and δ £ denotes the statistical distance between the distribution of ðr T i A; r T i cÞ: and UðZ n q × Z q Þ: .Note that in the second part of ct ¼ ðfp i ; β i g i≤N ; fk; σ k ; β £ gÞ: (encrypted by £), we only consider whether the distribution of ðr T i A; r T i cÞ: is nearly-uniform.This is due to the fact that the security of β £ comes down to whether the distribution of σ k ¼ f þ ðr T k ⋅ cÞ: mod q is close to uniform.Given A, c, p T i ¼ r T i A such that dðc; ΛðAÞÞ: ≥ q ffiffiffiffi m p =τ, by the statistical smoothness of R (see Lemma 6), the distribution of Rðr T i cÞ: is statistically close to uniform over the randomness of R and r i ← D m Z; τ , i.e., δ R ¼ neglðnÞ: .That is, fβ i g i≤N are statistically close to uniform bits.Therefore, we only consider whether δ £ is negligibly small.
We claim $\delta_{£}\le 2\epsilon$ by Lemma 1 (for dimension $n+1$ instead of $n$). This directly implies that $(r_i^TA, r_i^Tc)$ is within statistical distance $2\epsilon$ of the uniform distribution over $\mathbb{Z}_q^{n+1}$ for $r_i\leftarrow D^m_{\mathbb{Z},\tau}$. Hence $\delta_{£}=\mathrm{negl}(n)$ for the nearly uniform distribution of $(r_i^TA, r_i^Tc)$, which follows directly from Lemma 3 (a consequence of Lemma 2.6 in [16] and the duality between $\Lambda^\perp(pk)$ and $\Lambda(pk)$) together with the statistically hiding property of £ (see Lemma 7).
More precisely, the first part of the message (i.e., $\mu_R$) is information-theoretically hidden by $R(r_i^Tc)$; it remains to show that the second part of the message (i.e., $\mu_{£}$) is statistically hidden by $\xi_{alice}$ (the output of $£_{alice}$). Here $\xi_{alice}$ consists of the first $t-g-2$ bits of $f$ (chosen uniformly from $\{0,1\}^{t-g-2}$), so $f$ acts as a one-time pad hiding $\mu_{£}$. As part of the ciphertext $ct$, $\sigma_k=f+(r_k^Tc)\bmod q$ can be regarded as a one-time pad encryption of $f$ under the pad $r_k^Tc$. By Lemma 7, $f$ is independent of $\sigma_k$, and therefore so is $\xi_{alice}$. That $\mu_{£}$ is statistically hidden by $\xi_{alice}$ then follows from the messiness of $pk$, i.e., $f$ is statistically hidden by $r_k^Tc$. This proves the claim. □

We now state two lemmas: the first says that most public keys are messy for appropriate parameters, and the second that our extended messy public-key encryption scheme is secure under the LWE assumption.

Lemma 10 (most public keys are messy). Let …, and $pk=(A,c)\leftarrow\$\,\mathbb{Z}_q^{m\times n}\times\mathbb{Z}_q^m$. Then $d(c,\Lambda(A))\ge q/4$ with overwhelming probability; in particular, $(A,c)$ is messy.

Proof. Let $pk\in\mathbb{Z}_q^{m\times(n+1)}$ be composed of $A$ and $c$ as above. By Lemma 2 (a consequence of Lemmas 5.1 and 5.3 in [16]), the rows of $pk$ generate $\mathbb{Z}_q^{n+1}$ for all but an at most $q^{-(n+1)}<q^{-n}$ fraction of all $pk$ (Lemma 5.1 of [16]), and $\lambda_1^\infty(\Lambda(pk))\ge q/4$ for all but an at most $q^{-n}$ fraction of all $pk$ (Lemma 5.3 of [16]). Furthermore, since the set of points within distance $q/4$ of $\Lambda(A)$ (in the $\ell_\infty$ norm) has size at most $q^n(q/2)^m$, we have $d_\infty(c,\Lambda(A))\ge q/4$ with overwhelming probability over the choice of $c$ for any fixed $A\in\mathbb{Z}_q^{m\times n}$: as $m\ge 2n\log q$, the probability that $c\leftarrow\$\,\mathbb{Z}_q^m$ lands in this set is at most $q^n(q/2)^m/q^m=q^n2^{-m}\le q^{-n}=\mathrm{negl}(n)$. Therefore, for any fixed $A$, with overwhelming probability over $c\leftarrow\$\,\mathbb{Z}_q^m$ we have $d(c,\Lambda(A))\ge d_\infty(c,\Lambda(A))\ge q/4\ge q\sqrt{m}/\tau$. By Lemma 9, such a $pk=(A,c)$ is a messy public key. □
Proof. Under the $\mathrm{LWE}_{q,\chi,n}$ assumption, the public key $(A,c)$ generated by LWEKeyGen is computationally indistinguishable from $U(\mathbb{Z}_q^{m\times n}\times\mathbb{Z}_q^m)$. If $(A,c)\leftarrow\$\,\mathbb{Z}_q^{m\times n}\times\mathbb{Z}_q^m$, then by Lemma 10 $(A,c)$ is messy with overwhelming probability, and security follows.
□ Next, we show that, given an appropriate trapdoor, messy public keys can be identified efficiently (the following lemma); this is used later to argue the sender's statistical security in the messy-mode execution of our dual-mode encryption.
We take the above extended LWE-based messy public-key encryption (see Section 3.1) as the underlying encryption to build a dual-mode encryption over lattices. Here we slightly change the Gaussian parameter to $\tau\ge 6m$, since testing for messy keys requires it (see Lemma 12).
3.2.1. Construction.

We now follow the framework of [6] to present our LWE-based dual-mode cryptosystem for obliviously transferring multibit strings, where the preceding scheme $(\mathrm{LWEKeyGen},\mathrm{LWEEnc},\mathrm{LWEDec})$ serves as the underlying encryption.
Proof. Since the scheme $(\mathrm{LWEKeyGen},\mathrm{LWEEnc},\mathrm{LWEDec})$ is the underlying encryption of the above cryptosystem, the correctness of our dual-mode encryption (i.e., on the decryptable branch $b\in\{0,1\}$) follows directly from Lemma 8. □

Lemma 14 (indistinguishability of modes). Under the hardness of $\mathrm{LWE}_{q,\chi,n}$, the above dual-mode encryption satisfies indistinguishability of modes.
Proof. The difference between the two modes lies in the distribution of $crs$ produced by the two setup algorithms, $\mathrm{SetupMessy}(1^n)$ and $\mathrm{SetupDec}(1^n)$. By Lemma 4, $crs_M=(A,v)\leftarrow\mathrm{SetupMessy}(1^n)$ is statistically close to $U(\mathbb{Z}_q^{m\times n}\times\mathbb{Z}_q^m)$. By the $\mathrm{LWE}_{q,\chi,n}$ assumption, $crs_D=(A,\,v=As^*+e^*)\leftarrow\mathrm{SetupDec}(1^n)$ is computationally indistinguishable from $(A,v)\leftarrow\$\,\mathbb{Z}_q^{m\times n}\times\mathbb{Z}_q^m$. Therefore, computational indistinguishability of the two modes follows. □

We want Alice (the sender) to achieve statistical security in the messy-mode execution of the derived OT, which follows from security in messy mode as defined in Definition 1. Security in messy mode (Lemma 16 below) is obtained directly as a consequence of Lemmas 9 and 10 on messy public keys, which guarantee that at least one of the two branches $(ct_0,ct_1)$ is message-lossy under the (possibly malformed) public key $(A,c)$ supplied by Bob (the receiver).
As another flavor for clarity, we show in Lemma 15 that the ciphertext $ct_b$ of message … (statement truncated in the source). Since the encryption of $\mu_b^R$ (i.e., the former part of $\mu_b$) is encrypted under the messy public key $(A,$ … (truncated in the source).

Proof. In messy mode on branch $b$, we have [displayed equations missing in the source]. On Alice's side, $\mu_b^{£}$ is encrypted by $\xi_b^{alice}$ (i.e., the first $t-g-2$ bits of $f_b$ used for encrypting $\mu_b$). Therefore, by the mechanism of £, $\xi_b^{alice}$ could be recovered on Bob's side only by computing … (truncated in the source), and it suffices to show $\Pr[(r_{b,k}^Tv)\bmod q=0]=\tfrac1q+\mathrm{negl}(n)$. More precisely, we show that the syndrome $(r_{b,k}^Tv)\bmod q$ is nearly uniform over $\mathbb{Z}_q$, as follows.
Let $v\leftarrow\$\,\mathbb{Z}_q^m$ and $r_{b,k}\leftarrow D^m_{\mathbb{Z},\tau}$, and write $(r_{b,k}^Tv)\bmod q=\sum_{j=1}^m r_{b,k,j}\cdot v_j\bmod q$. Since every $v_j\leftarrow\$\,\mathbb{Z}_q$ is uniform and independent, as long as some $j\in[m]$ has $r_{b,k,j}\ne 0$ (more precisely, $r_{b,k,j}$ a unit in $\mathbb{Z}_q$, which every nonzero residue is when $q$ is prime), the term $r_{b,k,j}v_j$ is uniform over $\mathbb{Z}_q$ and hence so is $(r_{b,k}^Tv)\bmod q$. Denote by $E_0$ the event $r_{b,k}=0$; then $\Pr[E_0]=D_{\mathbb{Z},\tau}(0)^m$. For clarity, let $X=(r_{b,k}^Tv)\bmod q$ and let $Y$ be uniformly distributed over $\mathbb{Z}_q$.
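Carrying this computation through (added here; the displayed steps are not in the extracted text, and the derivation assumes, as the paragraph does, that $X$ is uniform over $\mathbb{Z}_q$ conditioned on $r_{b,k}\ne 0$):

$$\Pr[X=x]=\Pr[E_0]\cdot[x=0]+\bigl(1-\Pr[E_0]\bigr)\cdot\frac1q,\qquad x\in\mathbb{Z}_q,$$

so that

$$\Pr[X=0]=\frac1q+\Pr[E_0]\Bigl(1-\frac1q\Bigr),\qquad
\Delta(X,Y)=\frac12\sum_{x\in\mathbb{Z}_q}\Bigl|\Pr[X=x]-\frac1q\Bigr|
=\frac12\Bigl(\Pr[E_0]\Bigl(1-\frac1q\Bigr)+(q-1)\frac{\Pr[E_0]}{q}\Bigr)
=\Pr[E_0]\Bigl(1-\frac1q\Bigr)\le D_{\mathbb{Z},\tau}(0)^m.$$

Since $D_{\mathbb{Z},\tau}(0)=1/\rho_\tau(\mathbb{Z})$ is a constant strictly below $1$ (about $1/\tau$ for large $\tau$) and $m=\Theta(n\log q)$, both $\Pr[X=0]-\tfrac1q$ and $\Delta(X,Y)$ are $\mathrm{negl}(n)$, which is the bound $\Pr[(r_{b,k}^Tv)\bmod q=0]=\tfrac1q+\mathrm{negl}(n)$ used above.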
Proof. First, for every $pk'$, at least one of the branch keys $pk_0=c_0$ and $pk_1=c_1$ satisfies $d(c_b,\Lambda(A))\ge q/(6\sqrt{m})$. Indeed, if $c_0$ and $c_1$ were both close to $\Lambda(A)$, then by the triangle inequality (the difference of two lattice vectors is again a lattice vector) $v=pk_1-pk_0=c_1-c_0$ would be close to $\Lambda(A)$ as well. In particular, if $d(c_b,\Lambda(A))\le q/(6\sqrt{m})$ for both $b\in\{0,1\}$, then $d(v,\Lambda(A))\le q/(3\sqrt{m})$, which happens with only negligible probability over the randomness of SetupMessy by Lemma 10. Therefore, for every $pk'$, at least one of $pk_0=c_0$ and $pk_1=c_1$ is messy by Lemma 9 (with $\tau\ge 6m$ the threshold there is $q\sqrt{m}/\tau\le q/(6\sqrt{m})$), with overwhelming probability over the choice of $A$ by Lemmas 2 and 3.
In addition, by Lemma 12 we can efficiently identify a messy branch: for every $pk'$, $\mathrm{FindMessy}(T,A,pk')\to b$ outputs the messy branch $b$, and it holds that [displayed equation missing in the source]. □

Lemma 17 (security in decryption mode). Assuming $B'/B=\mathrm{negl}(n)$, the above scheme satisfies security in decryption mode.
Proof. We prove that for all $(crs_D,td_D)\leftarrow\mathrm{SetupDec}(1^n)$, the distributions of $(pk_b,sk_b)$ generated by $\mathrm{KeyGen}(crs_D,b)$ and by $\mathrm{TrapKeyGen}(td_D)$ are statistically close for either $b\in\{0,1\}$. Let $crs_D=(A,\,v=As^*+e^*)$ and $td_D=s^*$, and let $(pk',sk_0,sk_1)\leftarrow\mathrm{TrapKeyGen}(td_D)$. We set the following: [displayed equation missing in the source]. By Lemma 5 (i.e., $e$ is statistically close to $e+e^*$), the above $(pk_1,sk_1)$ is statistically close to the following: [displayed equation missing in the source]. We denote the regular key pair on decryptable branch $b$ generated by $\mathrm{KeyGen}(crs_D,b)$ as follows: [displayed equation missing in the source], where $s\leftarrow\$\,\mathbb{Z}_q^n$, $e\leftarrow\chi^m$, $f\leftarrow\$\,[-B',B']^m$, and $\widehat{pk}_1-\widehat{pk}_0=v$. Therefore, for all $b\in\{0,1\}$, the joint distribution of $(crs_D,pk_b,sk_b)$ is statistically close to that of $(crs_D,\widehat{pk}_b,\widehat{sk}_b)$ by the noise flooding technique (see Lemma 5). □

Corollary 1. Assuming the hardness of $\mathrm{LWE}_{q,\chi,n}$ with the parameters defined for the above dual-mode encryption cryptosystem, a UC-secure string OT as shown in Figure 1, with the specifications of Theorem 2, can be achieved.
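The key structure that Lemma 17 rests on, as an added toy example (illustrative code written for this page, not the paper's scheme or its implementation): in decryption mode the branch keys satisfy $c_1=c_0+v$ with $v=As^*+e^*$, so the trapdoor holder obtains $sk_1=s+s^*$ with error $e+e^*+f$ on branch 1, while an honest KeyGen holds a secret key for one branch only; the script also evaluates the per-coordinate statistical distance behind the flooding step. Every parameter and distribution below is an assumption chosen for illustration (tiny, insecure values; uniform bounded noise in place of $\chi$ and the Gaussian), and only the lattice part is modelled: the hash R and the key mechanism £ are omitted.

```python
"""Toy model of the decryption-mode key structure behind Lemma 17.

Added example, not code from the paper. Parameters and distributions are
assumptions for illustration (far too small to be secure): e is uniform on
[-B, B] and plays the flooding role of chi, e* and f are uniform on
[-B', B'] with B' << B. The hash R and key mechanism £ are not modelled.
"""
import random
from fractions import Fraction

N, M, Q = 4, 12, 2003      # assumed toy LWE dimension, sample count, prime modulus
B = 200                    # assumed bound of the wide error e (flooding noise)
B_PRIME = 2                # assumed bound of the narrow errors e* and f
rng = random.Random(2024)  # fixed seed so the script is reproducible


def centered(x):
    """Representative of x mod Q in [-(Q-1)/2, (Q-1)/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def mat_vec(A, s):
    """A * s mod Q for an M x N matrix A and a length-N vector s."""
    return [sum(a * x for a, x in zip(row, s)) % Q for row in A]


def vec_add(u, w):
    return [(a + b) % Q for a, b in zip(u, w)]


def sample_bounded(m, bound):
    return [rng.randint(-bound, bound) for _ in range(m)]


def setup_dec():
    """SetupDec: crs_D = (A, v = A s* + e*) and trapdoor td_D = s*."""
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    s_star = [rng.randrange(Q) for _ in range(N)]
    v = vec_add(mat_vec(A, s_star), sample_bounded(M, B_PRIME))
    return (A, v), s_star


def keygen(crs, b):
    """Honest KeyGen(crs, b): c_b = A s + e + f, and c_{1-b} is fixed by
    c_1 - c_0 = v.  Only branch b is decryptable, with sk_b = s."""
    A, v = crs
    s = [rng.randrange(Q) for _ in range(N)]
    c_b = vec_add(vec_add(mat_vec(A, s), sample_bounded(M, B)),
                  sample_bounded(M, B_PRIME))
    neg_v = [(-x) % Q for x in v]
    pk = (c_b, vec_add(c_b, v)) if b == 0 else (vec_add(c_b, neg_v), c_b)
    return pk, s


def trap_keygen(crs, td):
    """TrapKeyGen(td_D): same c_0, and c_1 = c_0 + v = A(s + s*) + (e + e* + f),
    so sk_0 = s and sk_1 = s + s* both decrypt."""
    A, v = crs
    s = [rng.randrange(Q) for _ in range(N)]
    c_0 = vec_add(vec_add(mat_vec(A, s), sample_bounded(M, B)),
                  sample_bounded(M, B_PRIME))
    sk_1 = [(a + b) % Q for a, b in zip(s, td)]
    return (c_0, vec_add(c_0, v)), s, sk_1


def residual_noise(A, c, sk):
    """max_j |c_j - (A sk)_j| (centered): a branch is decryptable iff this is small."""
    return max(abs(centered(ci - ai)) for ci, ai in zip(c, mat_vec(A, sk)))


def flooding_distance(shift, bound):
    """Exact statistical distance between U[-bound, bound] and the same
    distribution shifted by `shift` (|shift| <= 2*bound + 1): |shift|/(2*bound+1)."""
    return Fraction(abs(shift), 2 * bound + 1)


def flooding_bound(m):
    """Union bound over m coordinates with |e*_j| <= B': SD(e, e + e*) <= m B'/(2B+1),
    the quantity the flooding step (Lemma 5) needs to be negligible."""
    return m * Fraction(B_PRIME, 2 * B + 1)


def demo():
    """Residual noise on each branch for trapdoor keys and for an honest b = 1 key."""
    crs, td = setup_dec()
    A, _ = crs
    trap_pk, sk0, sk1 = trap_keygen(crs, td)
    hon_pk, hon_sk = keygen(crs, 1)
    return {
        "trap_branch0": residual_noise(A, trap_pk[0], sk0),
        "trap_branch1": residual_noise(A, trap_pk[1], sk1),
        "honest_branch1": residual_noise(A, hon_pk[1], hon_sk),
        "honest_branch0": residual_noise(A, hon_pk[0], hon_sk),
    }


if __name__ == "__main__":
    for name, noise in demo().items():
        print(f"{name}: residual noise {noise} (decryptable if <= {B + 2 * B_PRIME})")
    print("flooding bound over M coordinates:", flooding_bound(M))
```

The two trapdoor branches and the honest key's own branch show residual noise at most $B+2B'$, whereas the honest key's other branch is off by the essentially uniform term $As^*$, which is exactly why a receiver without $s^*$ learns only one message. The flooding bound $mB'/(2B+1)$ is the toy analogue of the condition $B'/B=\mathrm{negl}(n)$ in Lemma 17.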
Proof. Once a full-fledged dual-mode encryption scheme relying on the hardness of $\mathrm{LWE}_{q,\chi,n}$ is available, Theorem 2 directly yields a UC-secure OT for transmitting multibit strings over lattices (as shown in Figure 1). Specifically, Alice acts as the sender and Bob as the receiver. Both execute the setup phase to obtain $crs$ by selecting messy or decryption mode. In an OT session, Bob first runs $\mathrm{KeyGen}(crs,b)$ and sends $pk'$; Alice then uses $pk'$ to encrypt each message $\mu_{b'}$ by running $\mathrm{Enc}(crs,pk',b',\mu_{b'})$. After Bob receives the two encryptions $(ct_0,ct_1)$, he obtains his chosen message $\mu_b$ by running $\mathrm{Dec}(sk_b,ct_b)$. The UC security proof of this string OT is very similar to that of [5]; the following remark gives a proof sketch in the UC model. □

Remark 2 (illustration of the simulation). Our dual-mode encryption over multibit messages mainly follows the framework of [6], whose simulation-based security proof is similar to that of [5], except that in messy mode the trapdoor inversion algorithm is run only once thanks to the crucial property of R. Since our scheme retains this advantage of R in the trapdoor inversion part, our simulation-based proof also follows [5,6]. For clarity, we sketch the simulation for our string OT protocol as follows.

Simulator for the case when only the receiver R is corrupted: Regardless of which mode the protocol runs in the real world, the simulator Sim for a corrupted receiver R in the ideal world works as follows: run SetupMessy to generate $(crs,td_M)$ and follow the simulation steps specified in [5]. Only one run of the trapdoor inversion is needed to identify a messy key, by the crucial property of R. This gives an efficient simulator when only R is corrupted.
Simulator for the case when only the sender S is corrupted: Regardless of which mode the protocol runs in the real world, the simulator Sim for a corrupted sender S in the ideal world works as follows: run SetupDec to generate $(crs,td_D)$ and follow the simulation steps specified in [5]. Only one modification is needed, in the handling of the adversary's reply. After Sim sends $pk'$ to the corrupted S, the external adversary (or the corrupted S) replies with $(ct_0,ct_1)$. Since Sim holds the trapdoor $td_D$ and hence secret keys for both branches, both messages can be recovered correctly.
Together with all the dual-mode properties established above, we therefore obtain a two-round UC-secure string OT from LWE in the CRS model, as stated in Theorem 1.

Conclusions
Aiming at a UC-secure OT for transmitting multibit strings, we follow up on the work of [5,6] and propose an improved LWE-based dual-mode encryption cryptosystem.

IET Information Security
Our scheme not only satisfies the well-defined dual-mode encryption notion but also avoids the costly vector sampling incurred by simply repeating single-bit OT executions in string OT applications. By a comprehensive analysis of both security and efficiency, we show that our scheme performs better than the two most closely related works ([5,6]).
In addition, a natural question is whether an OT construction with the properties of Theorem 1 is compatible with a polynomial LWE modulus. We believe this is nontrivial because of the noise flooding technique. Another interesting question is to extend this work to the ring setting (or even to module lattices) for practical efficiency. Extending R, with its one-bit hash output, to the ring setting seems easy; however, some building blocks (e.g., the key mechanism scheme and the lattice trapdoor techniques) must also be adapted to the ring setting properly.

Table 2: Notations for efficiency analysis.

Parameter    Description
n            security parameter, n ≥ 1
m            lattice dimension, m ≥ 2(n + 1) log q (implicit)
ℓ            bit-length of an encrypted message μ in each session
ℓ′           number of permitted sessions for a common crs
b_g          cost of one Gaussian sampling from Z^m
b_u          cost of one uniform sampling from Z_q^m
d_trap^A     cost of generating a matrix A by TrapGen(1^n, 1^m, q) → (A, T)
b_R          cost of sampling the randomness required in each execution of R
b_f          (description truncated in the source)

(2) $\mathrm{SetupDec}(1^n)\to(crs,td_D)$: given the security parameter $n$, the setup algorithm outputs a common reference string $crs$ along with a trapdoor $td_D$ in decryption mode.
(3) $\mathrm{KeyGen}(crs,b)\to(pk,sk_b)$: given a common reference string $crs$ and a branch $b\in\{0,1\}$, the key generation algorithm outputs a public encryption key $pk$ and a secret decryption key $sk_b$ for messages encrypted on branch $b$.
(4) $\mathrm{Enc}(crs,pk,b',\mu)\to ct$: given a common reference string $crs$, a public key $pk$, a branch $b'\in\{0,1\}$ and a message $\mu\in\{0,1\}^\ell$, the encryption algorithm outputs a ciphertext $ct$ on branch $b'$.
(5) $\mathrm{Dec}(sk_b,ct)\to\mu$: given a secret key $sk_b$ … (truncated in the source)
(This paragraph continues the proof of Lemma 15.) We analyze how Bob could recover a correct encryption key $\xi_b^{alice}$. First, Bob obtains $(\sigma_{b,k},p_{b,k})$ from the ciphertext $ct_b$ on $\mu_b$. Since $\sigma_{b,k}=f_b+(r_{b,k}^T\cdot c)$, $f_b$ can be viewed as encrypted under the pad $r_{b,k}^Tc$; as $c=As+e+f+v$ is a messy key (cf. Lemma 16), $f_b$ is message-lossy under the key $r_{b,k}^Tc$, and therefore $\xi_b^{alice}$ is statistically hidden. Second, from the above computation of $\xi_b^{bob}$ we observe that $\xi_b^{bob}\ne\xi_b^{alice}$ because of the syndrome $r_{b,k}^Tv$, except when the syndrome vanishes, i.e., $(r_{b,k}^Tv)\bmod q=0$ (trivially so when $v=0$). Therefore, proving $\Pr[\xi_b^{bob}=\xi_b^{alice}]=\tfrac{1}{2^{t-g-2}}+\mathrm{negl}(n)$ reduces to proving $\Pr[(r_{b,k}^T$ … (truncated in the source; the bound $\Pr[(r_{b,k}^Tv)\bmod q=0]=\tfrac1q+\mathrm{negl}(n)$ is established in the proof of Lemma 15 above).

Table 1: Analysis on security.

Table 3: Analysis on efficiency.

Output "not sure" if the output is $(s,e)$ with $\|e\|$ … (truncated in the source)