We introduce an analogous idea to strong asymmetric security (Jarecki, Krawczyk, Xu 2019) for secure two-party computation which we refer to as input obfuscated two party computation (io2PC). In io2PC, compromising the server's long-term storage doesn't immediate leak their input, but rather an oracle to a residual function. This means that the adversary must perform an amount of computation (observable to the simulator) to find the server's underlying input proportional to an online attack. In doing so, we provide a compiler from virtual black box obfuscations in the random oracle model and generic group model to io2PC protocol realizing the same functions. To achieve this, we construct a generic group analog to an oblivious psuedorandom function where the server mediates interaction with a generic group family indexed by the server's private input.
Many known libraries and papers on oblivious transfer either mistreat or ignore the issue of message reuse in multi-instance protocols. We provide a treatment of how to properly batch recent 2-round oblivious transfer protocols which are of import for multiparty computation which often relies on oblivious transfer extension built upon batch OT. We also abstract the recent endemic OT protocol of Masny and Rindal and show that it is, in fact, an instance of the OT protocol described by McQuoid, Rosulek, and Roy in their CCS2020 paper. We further provide optimizations for such POPF protocols and extend the list of known POPF constructions including a very simple OT protocol that may have pedagogical interest.
We present a generalization of the seminal EKE protocol to achieve a minimal (in communication flows and exponentiations) sPAKE in the UC model using a primitive we call programmable-once public function (POPF). Intuitively, a POPF is a function whose output can be programmed by one party on exactly one point. All other outputs of the function are outside of any party's control. We also use this primitive to achieve a UC-secure 1-out-of-$N$ oblivious tranfer protocol.
We give a characterization implying that collision-resistance and second-preimage resistance are equivalent, in an asymptotic sense, for a class of Linicrypt programs. Furthermore, there is a polynomial-time procedure for determining whether such a Linicrypt program is collision/second-preimage resistant.