Two Message Oblivious Evaluation of Cryptographic Functionalities


We study the problem of two-round oblivious evaluation of cryptographic functionalities. In this setting, one party $P_1$ holds a private key $\mathsf{sk}$ for a provably secure instance of a cryptographic functionality $\mathcal{F}$, and the second party $P_2$ wishes to evaluate $\mathcal{F}_\mathsf{sk}$ on a value $x$. Although it has been known for 22 years that general functionalities cannot be computed securely in the presence of malicious adversaries with only two rounds of communication, we show the existence of a round-optimal protocol that obliviously evaluates cryptographic functionalities. Our protocol is provably secure against malicious receivers under standard assumptions and does not rely on heuristic (setup) assumptions. Our main technical contribution is a novel non-black-box technique, which makes non-black-box use of the security reduction of $\mathcal{F}_\mathsf{sk}$. Specifically, our proof of malicious receiver security uses the code of the reduction, which reduces the security of $\mathcal{F}_\mathsf{sk}$ to some hard problem, in order to break that problem directly. Instantiating our framework, we obtain the first two-round oblivious pseudorandom function that is secure in the standard model. This question had been open since the invention of OPRFs in 1997.

36th International Cryptology Conference (CRYPTO 2016)