
Security of CO15 ciphertext computation #74

Open
rozbb opened this issue Jun 9, 2022 · 7 comments

Comments

rozbb commented Jun 9, 2022

Currently, the CO15 OT sender output uses the encryption algorithm E(k, m) = k ⊕ m. But this is not the algorithm that CO15 use themselves!

CO15 use a quasi-authenticated cipher of the form E'(k, m) = (k₁ ⊕ m, k₂) where k₁ and k₂ are the two 128-bit halves of k. Importantly, they argue that E' is non-committing and robust as per definitions 1 and 2 (see screenshot; it's from page 5). On the other hand, E is NOT robust: V_{S,e} always equals S in the definition, since decryption never fails.

Is the choice of the encryption algorithm E secure here, then?

[Screenshot: Screen Shot 2022-06-09 at 15 11 16 (CO15 definitions 1 and 2, page 5)]

wangxiao1254 (Member) commented:

Note that B[i] is fed into a KDF (which you can model as a random oracle). Putting it in their language, it is more like $H(k) \oplus m$.
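To make the robustness point from the opening post and the KDF remark above concrete, here is an added Python sketch (not code from this repository or from the CO15 paper) that models the KDF H as SHA-256, implements both E(k, m) = k ⊕ m and E'(k, m) = (k₁ ⊕ m, k₂), and counts how many unrelated keys "successfully" decrypt a ciphertext. The 256-bit derived key, 128-bit messages and the tag-equality check in E' are my assumptions about how the definition would be exercised.

```python
import hashlib
import os

def H(key_material: bytes) -> bytes:
    """Stand-in for the KDF / random oracle: SHA-256 of the OT-derived
    key material, giving a 256-bit key k = k1 || k2 (assumption)."""
    return hashlib.sha256(key_material).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# E(k, m) = k xor m: the plain one-time pad discussed in the issue.
def enc_E(k: bytes, m: bytes) -> bytes:
    return xor(k[:16], m)

def dec_E(k: bytes, c: bytes) -> bytes:
    # Never fails: every ciphertext decrypts under every key, so the set of
    # valid keys V_{S,e} in the robustness definition is all of S.
    return xor(k[:16], c)

# E'(k, m) = (k1 xor m, k2): CO15's quasi-authenticated cipher.
def enc_Eprime(k: bytes, m: bytes) -> bytes:
    k1, k2 = k[:16], k[16:32]
    return xor(k1, m) + k2

def dec_Eprime(k: bytes, c: bytes):
    k1, k2 = k[:16], k[16:32]
    body, tag = c[:16], c[16:32]
    if tag != k2:
        return None  # decryption fails: c is not valid under this key
    return xor(k1, body)

def robustness_trial(n_keys: int = 1000):
    """Encrypt one constructed message under a fresh derived key, then try to
    decrypt the ciphertext under n_keys unrelated derived keys. Returns the
    number of non-failing decryptions for E and for E' respectively."""
    m = os.urandom(16)            # constructed sample message
    k = H(os.urandom(32))         # honest party's derived key
    c_E, c_Ep = enc_E(k, m), enc_Eprime(k, m)
    ok_E = ok_Ep = 0
    for _ in range(n_keys):
        k_other = H(os.urandom(32))   # a key the honest party did not use
        if dec_E(k_other, c_E) is not None:
            ok_E += 1
        if dec_Eprime(k_other, c_Ep) is not None:
            ok_Ep += 1
    return ok_E, ok_Ep

if __name__ == "__main__":
    print("non-failing decryptions under wrong keys (E, E'):", robustness_trial())
```

Under E every wrong key yields some plaintext, while under E' a wrong key is rejected unless its k₂ half collides, which is why E' is the one that satisfies the robustness definition.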

rozbb commented Jun 9, 2022

Yes, this is in keeping with CO15's definition of $k^i_j = H_{(S, R^i)}(whatever)$

wangxiao1254 (Member) commented:

Oh I see. I vaguely remember this is to make sure that the Adv (as malicious receiver) queries the RO so that the simulator can extract the choice bit. But the protocol ends up not being simulation-secure, so I'm not sure if that's really needed. Maybe we should provide a PVW OT.

rozbb commented Jun 10, 2022

Ah, interesting. What's PVW?

wangxiao1254 (Member) commented:

https://eprint.iacr.org/2007/348

rozbb commented Jun 10, 2022

Thanks. So to recap: is this simplified encryption function E safe to use? I ask because I'm implementing CO15 myself and it'd be nice if the ciphertext was 50% smaller

wangxiao1254 (Member) commented:

If safe means no attack, I think so.
If safe means simulation security, even the original version of CO15 is not. You need to do either PVW or a patched version of CO15. See e.g., https://eprint.iacr.org/2018/499
