Postquantum Cut-and-Choose Oblivious Transfer Protocol Based on LWE

We propose a postquantum universally composable (UC) cut-and-choose oblivious transfer (CCOT) protocol under the malicious adversary model. In secure two-party computation, we construct s copies of garbled circuits, half of them check circuits and half evaluation circuits. The sender can transfer the keys to the receiver by the CCOT protocol. Compared to the PVW-OT [6] framework, we invoke the WQ-OT [35] framework, which offers reusability of the common random string (crs) and better security. Relying on the LWE assumption and the property of the rounding function, we construct a UC-CCOT protocol that can resist quantum attacks in secure two-party computation.


Introduction
Background. In secure two-party computation, sender P_1 and receiver P_2 jointly compute the value of a function f(x, y). P_1 inputs x and P_2 inputs y. Then, P_1 and P_2 obtain the value of f(x, y). Yao's garbled circuits, used in secure two-party computation, are only secure in the semihonest adversary model. In Yao's protocol, a single garbled circuit is constructed and evaluated. For better security, we apply s copies of garbled circuits in secure two-party computation. To construct a secure protocol under the malicious adversary model, the cut-and-choose methodology is used to prevent a malicious party from cheating by constructing incorrect garbled circuits. This methodology needs s copies of garbled circuits to be constructed.
A secure two-party computation protocol is implemented by a Garbled Circuit (GC). Sender P_1 and receiver P_2 jointly compute the value of f(x, y) by computing C(x, y) (f(x, y) = C(x, y)), which satisfies security, privacy, correctness, and input independence. In 1986, Yao [1] proposed a secure two-party computation protocol, which is mainly based on GC and Oblivious Transfer (OT).
Yao's protocol is only secure and efficient in the semihonest adversary model; it does not achieve security in the malicious adversary model. In 1987, Goldreich and Micali [2] proposed the GMW compiler, which compiles protocols secure under the semihonest adversary model into protocols secure under the malicious adversary model. Applying the GMW compiler needs a number of zero-knowledge proofs and commitment mechanisms, which results in high complexity and low efficiency. Constructing a Universally Composable (UC) protocol under the malicious adversary model therefore has great significance in secure two-party computation.

Related Work
Oblivious Transfer. The OT protocol, as a basic building primitive in cryptography, has great security significance in secure two-party and multiparty computation. For a better, intuitive understanding of the 1-out-of-2 OT (OT^1_2) protocol, we give a brief introduction to its ideal function F_OT in Figure 1.
Denote the ideal function F_OT : ({m_0, m_1}, σ) → (⊥, m_σ). For a better understanding of this process on the Internet, we include a session identity sid in our description. This function is implemented by the interaction between the sender S and the receiver R. To understand the ideal function F_OT, we introduce an OT^1_2 protocol illustrating OT's role in Figure 2. The sender has two messages m_0 and m_1.
The receiver wants to obtain message m_σ, σ ∈ {0, 1}. Then, the sender and the receiver run the OT^1_2 protocol, and the receiver obtains message m_σ. In this process, the sender learns no information about the receiver's selection bit σ, and the receiver learns no information about m_{1−σ}. The OT protocol can be constructed from a public key encryption (PKE) system or from a trapdoor permutation function. We consider constructing a PKE-based OT protocol. Next, we introduce this construction, given a series of PKE algorithms (KeyGen, Enc, Dec), as follows:

Cut-and-Choose Technique.
To better understand the importance of the cut-and-choose technique in secure two-party computation, we first give a brief description of basic Yao's protocol in Figure 3, which is the original secure two-party computation protocol.
Yao's protocol, used to compute the function, is only secure in the semihonest adversary model and is based on a single garbled circuit for evaluation. The circuit of this construction is not secure enough to obtain security against a malicious adversary: with a single garbled circuit, cheating in this protocol cannot be detected. This can be solved by applying the GMW compiler to obtain security against a malicious adversary, but that needs extra computation.
To correctly compute the value of the function f(x, y), it is better to construct many circuits. The circuit constructor constructs many garbled circuits and sends them to the circuit evaluator. Then, some circuits are used as check circuits, to check the correctness of the garbled circuits, and the others are used as evaluation circuits, to evaluate the value of the function. This technique is called the cut-and-choose methodology: some garbled circuits are cut in the first step, and then some circuits are chosen for checking in the second step.
The cut-and-choose methodology, as a tool used in secure two-party computation, can prevent the circuit constructor from cheating by constructing incorrect circuits. This technique can reduce the use of zero-knowledge proof techniques, which improves the efficiency of secure computation protocols. For a better understanding of this process, we give a brief description of the cut-and-choose process in Figure 4. Here, we mainly introduce the universal "cut-and-choose" methodology.
Firstly, P_1 constructs s copies of garbled circuits and sends these circuits to P_2. Secondly, P_2 chooses s/2 circuits for checking. Denote the set CGC as the check-circuit set, containing the s/2 check circuits. The remaining s/2 circuits are used as evaluation circuits; define EGC as the evaluation-circuit set. P_2 uses the check circuits to verify the correctness of half of the circuits and then evaluates f(x, y) in the remaining evaluation circuits. Some garbled circuits may be incorrectly constructed, so the evaluator P_2 takes the majority of the evaluation-circuit outputs as the value of f(x, y).
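As an added illustration (not part of the paper), the following Python computes the probability that a constructor who corrupts k of the s circuits both escapes the s/2-circuit check and wins the majority vote over the s/2 evaluation circuits described above; the tie-breaking rule (a tie counts as failure for P_1) is an assumption.

```python
# Added example (not from the paper): success probability of a malicious constructor P1
# in the cut-and-choose step where P2 checks s/2 of the s circuits uniformly at random
# and takes the majority of the s/2 evaluation circuits. P1 wins only if none of its k
# corrupted circuits lands in the check set AND the corrupted circuits form a strict
# majority of the evaluation set, i.e. k > s/4 (a tie is counted as failure: assumption).
from math import comb


def cheat_success_probability(s, k):
    """P[all k bad circuits escape the check set and outvote the good ones], s even."""
    if s % 2 or not 0 <= k <= s:
        raise ValueError("s must be even and 0 <= k <= s")
    half = s // 2
    if 2 * k <= half:          # k <= s/4: bad circuits cannot win the majority vote
        return 0.0
    if k > half:               # more bad circuits than evaluation slots: one gets checked
        return 0.0
    # The check set is a uniformly random s/2-subset; all k bad circuits avoid it
    # exactly when the check set is drawn entirely from the s-k good circuits.
    return comb(s - k, half) / comb(s, half)


def best_cheating_strategy(s):
    """Worst case over k: the number of corrupted circuits maximising P1's success."""
    best_k = max(range(s + 1), key=lambda k: cheat_success_probability(s, k))
    return best_k, cheat_success_probability(s, best_k)


if __name__ == "__main__":
    for s in (4, 8, 16, 40, 128):
        k, p = best_cheating_strategy(s)
        print(f"s={s:3d}: best k={k:3d}, success probability {p:.3e}")
```

The printed table shows how quickly the cheating probability falls as s grows, which is why the paper constructs s copies rather than a single circuit.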
When the cut-and-choose technique is applied to secure two-party computation, P_1 may carry out a selective-failure attack on P_2: P_1 may use different input values to obtain different ciphertexts and confuse the values associated with the index bit j in P_2's evaluation set. The main reason for this attack is the separation between the cut-and-choose methodology and the oblivious transfer process. So, it is crucial to combine the cut-and-choose methodology with the oblivious transfer protocol, giving the CCOT protocol.
OT is a basic protocol in secure two-party computation, where P_1 sends the garbled key value of every wire in the garbled circuit to P_2. If the cut-and-choose methodology is separated from the OT protocol, this separation may result in a selective-failure attack. It is crucial to combine the cut-and-choose methodology with the OT protocol, that is, the cut-and-choose oblivious transfer (CCOT) protocol. This has crucial significance for the security of secure two-party computation protocols.

Related Reference.
OT was first proposed by Rabin [3]. OT is a fundamental primitive in secure two-party and multiparty computation. In secure two-party computation, receiver P_2 obtains one or two values from sender P_1 through the OT protocol. As a result, receiver P_2 only obtains the corresponding values and learns nothing else. Sender P_1 is oblivious to P_2's selection bit. In 2007, Peikert and Waters [4] proposed the primitive 'lossy trapdoor functions' (lossy TDFs) and applied lossy TDFs to construct trapdoor functions. In 2008, Peikert and Vaikuntanathan [5] proposed a framework for efficient and composable OT constructed from a dual-mode PKE system, called the PVW-OT framework. Peikert's dual-mode encryption system includes a messy mode and a decryption mode (called Dec mode). However, the common random string (crs) can only be reused a bounded number of times. This scheme obtains the sender's computational security in messy mode and the receiver's computational security in Dec mode; however, it cannot provide each party's statistical security in both modes. Peikert also constructs corresponding schemes based on the DDH, QR, and LWE assumptions. The fully simulatable PVW-OT protocol's security is universally composable (UC), so it can be composed securely with other protocols in a complex Internet environment. UC security was proposed by Canetti [6]. It guarantees security when many protocols are executed in parallel in a malicious adversary's environment. Some lattice-based oblivious transfer protocols have been proposed for the postquantum era; most of these protocols are based on the LWE assumption under the semihonest, malicious, or covert adversary model [7][8][9].
In 2020, Quach [10] proposed a UC-secure OT protocol based on LWE's assumption and rounding function, which can be seen as a modified framework of PVW-OT, called WQ-OT. In WQ-OT protocol, the rounding function is applied on constructing UC-OT. Considering that the rounding function is a smooth projective hash function (SPHF), it can be applied on our scheme with the property of rounding function's hash key and projective key. In WQ-OT, crs can be reused many times without limitation, and statistical security of the sender and the receiver can be obtained in both messy mode and Dec mode.

Security and Communication Networks
SPHFs have a wide range of applications, such as key exchange and oblivious transfer [11,12]. In 2012, Halevi and Kalai [13] proposed a two-message OT based on a projective hash function. Cramer and Shoup [14] proposed universal hash proofs in the standard model, corresponding to adaptive-CCA secure public-key encryption. Kalai [13] proposed a two-message oblivious transfer based on a modification of Cramer and Shoup's SPHF. In 2018, Benhamouda and Blazy [15] proposed a hash proof system, or SPHF, for the language of standard LWE ciphertexts, based on the IND-CCA2 MP encryption [16]. Before this SPHF by Benhamouda, Katz and Vaikuntanathan [11,17] proposed a lattice-based SPHF in the standard model, whose language is not that of standard LWE ciphertexts. Zhang and Yu [18] proposed an SPHF based on the LWE assumption in the random oracle model. Brakerski [19] proposed a two-message OT based on the LWE assumption which guarantees the sender's statistical privacy in the malicious adversary model.
In 2007, Lindell and Pinkas [20] proposed the cut-and-choose technique for secure two-party computation under the malicious adversary model. Circuit constructor P_1 constructs s copies of the GC. Circuit evaluator P_2 chooses s/2 copies as check circuits and the remaining s/2 copies as evaluation circuits. P_2 checks the correctness of the key values on each wire of the check garbled circuits. P_1 and P_2 apply the remaining half of the garbled circuits to compute f(x, y).
In secure two-party computation, the cut-and-choose methodology can be applied to prevent a malicious adversary from cheating in this process. As an important technique in secure two-party computation, cut-and-choose is applied to normalize and constrain the parties to honestly execute protocols on garbled circuits. In the cut-and-choose methodology, constructor P_1 constructs s copies of garbled circuits. Evaluator P_2 chooses some garbled circuits for checking. When these check circuits are correctly constructed, the evaluator applies the remaining garbled circuits as evaluation circuits to evaluate the corresponding function.
In this process, the OT protocol is applied to transfer the corresponding key values through the wires of the garbled circuit, that is, to transfer sender P_1's keys to receiver P_2 through the garbled circuit's wires. If these two processes are done separately, the overall protocol may be vulnerable to selective-failure attacks, which are introduced in [20,21]. By combining cut-and-choose detection with oblivious transfer, we can transfer keys by wires between the sender (circuit constructor) and the receiver (circuit evaluator).
Traditional OT^1_2 protocols transfer keys or messages under number-theoretic assumptions, such as the DDH and QR assumptions. Classical number-theoretic assumptions cannot resist quantum attacks, so it is necessary to design postquantum cryptographic schemes. Considering the specific linear structure of lattices, lattice-based protocols can be applied to resist quantum attacks.
There exist some cryptographic protocols based on lattice assumptions, which can resist quantum attacks thanks to the specific construction of lattices. The worst-case to average-case reduction for lattices, trapdoor algorithms, and some lattice theory are mentioned in [29][30][31][32].
In secure two-party computation, the CCOT protocol can resist a malicious adversary's attack. Considering the postquantum era, designing a CCOT protocol based on a lattice assumption can resist quantum attacks. Combining with lattice theory, designing an LWE-based CCOT protocol is of great significance for resisting quantum attacks in secure two-party computation. Then, we can expand CCOT to a batch-CCOT protocol, which can be applied to secure multiparty computation.

Our Contribution
(i) We construct a CCOT protocol based on the LWE assumption and the rounding function. Applying the WQ-OT [10] encryption scheme based on the rounding function and combining it with PVW's dual-mode framework [5], we design a UC-secure cut-and-choose OT protocol under the malicious adversary model.
(ii) Our CCOT protocol has better security properties. For a better understanding of CCOT's security, we give a security analysis under the malicious adversary's corruption in the smooth projective hash proof system, which is mainly based on the simulation proof methodology.
(iii) In our scheme, the crs can be reused many times, and all parties achieve statistical security. The rounding function, as a smooth projective hash function (SPHF), gives better security in transferring P_1's garbled keys to P_2. Due to the special property of the hash key and the projection key, this rounding function can guarantee the CCOT protocol's correctness, privacy, and indistinguishability between the Messy mode and the Dec mode.
(iv) We apply the CCOT protocol to secure two-party computation, which is mainly based on garbled circuits.

Organization
(i) In Section 1, we give an overall introduction to the background and related work on the CCOT protocol. Finally, we give our contribution and the paper's organization.
(ii) In Section 2, we mainly introduce some preliminaries about lattice theory and some knowledge used in the scheme's construction.
(iii) In Section 3, we introduce some basic tools applied in our scheme. It includes OT-based dual-mode encryption, which originates from Regev's encryption and the rounding function. As an important methodology in secure two-party computation, the cut-and-choose technique is also introduced in this part. The security of this dual-mode encryption framework is mostly based on the LWE assumption, where the indistinguishability between the Messy Mode and the Dec Mode is based on the DLWE assumption.
(iv) In Section 4, the cut-and-choose oblivious transfer (CCOT) protocol, as an important protocol, is applied to secure two-party computation. We construct a CCOT protocol and embed it into secure two-party computation. Then, we expand CCOT to BCCOT by a batch operation and embed this BCCOT protocol into secure two-party computation.

Notation.
Denote n as the security parameter throughout this paper; it is also the dimension of the LWE assumption. We denote by negl(n) a negligible function, which is smaller than any inverse polynomial such as f = n^{−c}, where c is a positive constant that may be taken arbitrarily large. Similarly, we call a function 1 − negl(n) an overwhelming function. Bold lowercase letters denote vectors, e.g. v, and bold uppercase letters denote matrices, e.g. M. Denote a mod b = a − ⌊a/b⌋·b as the residue of a modulo b, for any integers a and b. Denote the quotient ring Z_q = Z/qZ as the residue class ring of the integers modulo the prime q (q ≥ 2). Denote T = R/Z as the group of reals [0, 1) under addition modulo 1. Define Ψ_α as the distribution on T with mean 0 and standard deviation α/√(2π).
Denote v^T and M^T as the transpose of vector v and matrix M. Given a probability distribution D, denote x ← D as sampling a variable x from the distribution D. Usually, x ← U(Z) denotes sampling from the uniform distribution on Z.

Lattice Theory.
Lattices, as linear algebraic structures, can resist quantum attacks. Some lattice schemes are constructed by reductions from the worst case to the average case, such as the reduction from SVP/CVP to LWE/SIS. Considering the size of keys and ciphertexts and the structure of lattices, the LWE assumption is more often used in key exchange (KE), oblivious transfer (OT), and public key encryption (PKE), while the SIS assumption is more often used in signature schemes. We apply the LWE assumption to design an OT protocol.
A lattice is a discrete additive subgroup; it is also a linear structure, generated by a lattice basis with integer coefficients.
The learning with errors (LWE) assumption can be regarded as the output of a randomized algorithm that outputs (a, 〈a, s〉 + e), where a, s ← U and e ← D for a small-error distribution D such as a Gaussian distribution or a centered binomial distribution. In this assumption, LWE pairs are indistinguishable from the uniform distribution. Usually, we classify the LWE assumption into SLWE and DLWE.
Definition 2 (search-LWE). Given some LWE pairs, the probability of finding s is negligible.
Definition 3 (decision-LWE). Given some LWE pairs and some uniform pairs, LWE pairs are indistinguishable from uniform pairs.
Definition 4 (Gaussian probability function). Gaussian distribution means that the variable x is sampled from R according to the Gaussian function. Usually, denote the function ρ_s(x) = exp(−π‖x‖²/s²), with mean 0 and variance s².
Definition 5 (ideal lattice). An ideal lattice can be regarded as an algebraic structure based on a cyclic basis, constructed in the quotient ring Z_q. It has some advantages, such as shortening the size of keys and ciphertexts.
Definition 6 (ring-LWE). Given a, s ∈ R_q, a certain distribution D, and output (a, b = 〈a, s〉 + e) ∈ R_q × R_q, denote by A_{s,D} the distribution of the RLWE pairs.
Definition 7 (search-RLWE). Given RLWE pairs (a, b = 〈a, s〉 + e) ∈ R_q × R_q, it is hard to find s.

Definition 8 (decision-RLWE). Let RLWE pairs be sampled from the distribution A_{s,D}. The DRLWE assumption means that A_{s,D} is indistinguishable from the uniform distribution.
Let λ_1(Λ) be the length ‖x‖ of the shortest nonzero vector x in the lattice Λ(A).

Dual-Mode PVW-PKE Encryption System.
We introduce the dual-mode encryption cryptosystem proposed by Peikert et al., called the PVW framework [5]. This cryptosystem is usually applied to construct OT protocols. It includes a messy-encryption mode (or Messy mode) and a decryption-encryption mode (or Dec mode).
We introduce the relevant probabilistic algorithms (Setup, KeyGen, Enc, Dec, FindMessy, TrapKeyGen). In these algorithms, the message space is {0, 1}^n and the string crs is common to all algorithms, so we often omit it. Next, we introduce these algorithms in Figure 5.
Firstly, this cryptosystem is initialized by a trusted setup phase, the Setup algorithm, which outputs a string crs and a trapdoor t. When crs is uniformly distributed (Setup = SetupMessy), the Messy branch is invoked for encryption; when crs is distributed according to a certain distribution (Setup = SetupDec), the decryption branch is invoked. Considering the generation of crs, the property of the dual-mode cryptosystem is that the distributions of crs in the SetupMessy and SetupDec branches are indistinguishable.
Secondly, we invoke the corresponding public key encryption (PKE) scheme, which includes the KeyGen, Enc, and Dec algorithms. In the key generation phase, input a branch parameter σ and output (pk, sk). The encrypter encrypts a message under a chosen branch b (b, σ ∈ {0, 1}). When b ≠ σ, we call this the messy mode: the sender encrypts the message under branch b, and the receiver decrypts the ciphertext under branch σ; apparently, the decrypter cannot obtain the corresponding message. Usually, we use a FindMessy algorithm to find the messy branch.
When b = σ, we call this the Dec mode: the sender encrypts the message under branch b, and the receiver can correctly decrypt the ciphertext under the corresponding branch σ (b = σ). In Dec mode, we apply a trapdoor generation algorithm TrapKeyGen in the security proof, where we should notice that a key pair from TrapKeyGen is indistinguishable from a key pair from KeyGen. The properties of the PVW framework are as follows:
(1) Completeness: for any branch b = σ ∈ {0, 1}, the receiver can correctly decrypt the ciphertext, meaning Dec(sk, Enc(pk, σ, m)) = m.
(2) Indistinguishability between the two modes: the Messy mode and the Dec mode are indistinguishable, which mainly means that crs_M and crs_D are indistinguishable.
(3) Property of the messy mode: given (crs_M, t_M) from SetupMessy and any public key pk (including a malformed pk) from the key generation phase under the corresponding mode, invoke the FindMessy(t_M, pk) algorithm to obtain the messy branch b′. In Messy mode, statistical security is obtained, hiding the ciphertext's content, meaning Enc(pk, b′, m_0) ≈_s Enc(pk, b′, m_1).

PVW-OT Framework.
Peikert proposed the dm_mode protocol in Figure 6, which applies either mode of the dual-mode encryption system under the F_CRS-hybrid UC model [6]. The dm_mode protocol realizes the ideal function F_OT in Figure 1. To achieve the messy and decryption modes, define F_CRS^mode to produce the common string, corresponding to the relevant setup algorithm.
Lemma 3 (see [5]). In the static corruption model, the protocol dm_mode securely emulates the ideal function F_OT in the universally composable F_CRS^mode-hybrid model.

Dual-Mode WQ-PKE and Related WQ-OT Protocol.
UC-OT based on PVW's framework [5] provides the sender's statistical security and the receiver's computational security in the Messy mode. In Dec mode, the sender's security is computational and the receiver's security is statistical. Thus this construction can only provide the receiver's computational security in Messy mode and the sender's computational security in Dec mode. In addition, it has a bounded limitation on the reusability of the crs. Considering these limitations, one can apply a superpolynomial LWE modulus and a single 'short' crs and thereby achieve statistical security in both modes and unbounded reusability of the crs.
We apply the WQ-OT scheme [10] for our CCOT construction. WQ-OT is a two-round UC-OT based on a Common Reference String (crs), and it relies on the LWE assumption with a subexponential modulus-to-noise ratio.
Since the noise flooding technique is applied to strengthen reusability and statistical security, we need a superpolynomial LWE modulus q. However, this has a negative impact on the security proof: the simulator of PVW-OT runs in time linear in q, which is no longer efficient when q is superpolynomial. To resolve this difficulty, a randomized rounding function is applied to the PKE-based OT framework. Benhamouda et al. [15] proposed a rounding function.

Regarding the security proof, we apply a hash proof system, mainly referring to lattice-based SPHFs. In the following, we introduce a rounding function, which is viewed as an approximate hash proof system. Given c = As + e ∈ Z_q^m, with A ∈ Z_q^{m×n}, s ∈ Z_q^n, e ∈ Z_q^m, so that the vector c is close to Λ(A), the prover knows s and e and needs to prove to the verifier that c is the corresponding ciphertext. The verifier samples a random vector r ← D^m_{Z,s}. Let r be the hash key, and compute p = A^T r as the projection key. The verifier sends the projection key p to the prover, and the prover computes the projected hash value pH = R(〈p, s〉) = R(p^T s) = R(r^T A s).
The verifier computes the hash value H = R(〈r, c〉) = R(r^T c). Then, the verifier sends H to the prover. The prover checks whether H = pH to ensure the verifier is honest; then, the verifier accepts the prover's proof. This process is zero-knowledge: the prover has not revealed the secret information s and e. The high probability of H = pH is the property of approximate correctness, which needs the vector c to be close to the lattice Λ(A), at distance less than B. For the approximate hash proof system to be useful, the smoothness property needs the point c to be far from Λ(A), at distance at least q√m/s.

Smooth Projective Hash Function Encryption System.
We apply this rounding function to our encryption system, which resembles Regev's encryption. We call this modified encryption system the smooth encryption system. For a better understanding of the smooth encryption system, we introduce the encryption process for a single-bit message u ∈ {0, 1} in Figure 7.
(i) Parameters: denote n as the security parameter of the whole scheme. Let the prime integer q ≥ 2 be the modulus. Let m ≥ 2(n + 1) log q and s ≥ 4√m; the value B is a security bound which guarantees the LWE assumption for the scheme. B′ is a negligible value compared to B, satisfying q ≤ ω((B′ + √n) m).
(ii) Correctness: given (B + B′)·s·√m = O(q) and s ≥ ω(√(log m)), the decryption algorithm Dec(sk, ct) decrypts correctly with nonnegligible probability.
(iii) Security: given m ≥ 2(n + 1) log q and s ≥ 4√m, the smooth encryption scheme based on the LWE assumption achieves the corresponding security.

WQ-OT Framework.
We give a brief introduction to dual-mode encryption based on the SPHF encryption system in Figure 8, which is built on the hash key and projection key of the SPHF rounding function.
(1) Completeness: given , the scheme can correctly decrypt in the Dec mode.
(2) Indistinguishability between Messy mode and Dec mode: given the string crs, no adversary can distinguish the Messy mode from the Dec mode, implying SetupMessy*(1^n) ≈_c SetupDec*(1^n). This indistinguishability follows from the indistinguishability between LWE vector pairs and uniform vector pairs.
Lemma 4 (see [10]

Cut-and-Choose Oblivious Transfer
The cut-and-choose oblivious transfer (CCOT) protocol can be applied to secure two-party computation, where it transfers the circuit constructor's garbled wire keys to the circuit evaluator. Firstly, we introduce the ideal function of CCOT in secure two-party computation.

Ideal Function of CCOT.
Lindell presented the concept of CCOT, which is an oblivious transfer protocol combined with a cut-and-choose index bit. We give a brief introduction to its ideal function F_CCOT. Circuit constructor P_1 constructs one garbled circuit; circuit evaluator P_2 decides whether to obtain both key values of each wire or one key value of each wire, based on the index bit j ∈ {0, 1}. When j = 0, P_2 wants to obtain both key values; when j = 1, P_2 wants to obtain one of the two key values. We give a brief introduction to the ideal function in Figure 9. Firstly, we give the construction of the CCOT protocol corresponding to a single garbled circuit in Figure 10.
Given the setup algorithms SetupMessy and SetupDec, σ is the selection bit from the receiver's input.
When j = 1, R sends (A, pk_0, pk_1) to S. S encrypts messages y_0 and y_1 under pk_0 and pk_1. S samples r_b ← D^m_{Z,r} and computes p_b^t = r_b^t · A; then, we ob-
(3) When j = 0, receiver R receives ct_i from sender S. R parses ct_i as (p_b, β_i). R invokes Dec*(sk_b, ct_i) to obtain y_i by computing y_i ← R(p_b^t · sk_b) ⊕ β_i. Finally, R obtains y_0 and y_1. When j = 1, R receives ct_i from S. R parses ct_i as (p_b, β_i). R invokes Dec*(sk_σ, ct_i) to obtain y_σ by computing y_i ← R(p_b^t · sk_σ) ⊕ β_i.
In the Dec mode, given the corresponding parameters and due to the rounding function's property, the receiver can correctly decrypt the two corresponding ciphertexts. In the Messy mode, when σ = 0, pk_0 = As + e + f, and the secret key sk_σ = sk_0 = s can be used to decrypt ciphertext ct_0. Meanwhile, pk_1 = As + e + f + v, and the secret key sk_σ = sk_0 = s cannot be used to decrypt the corresponding ciphertext ct_1. When σ = 1, pk_1 = As + e + f, and the secret key sk_σ = sk_1 = s can be used to decrypt ciphertext ct_1. However, pk_0 = As + e + f − v, and the secret key sk_σ = sk_1 = s cannot be used to decrypt the corresponding ciphertext ct_0. The correctness of this protocol is shown in Table 1, which is similar to the SmoothEnc system.
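The following Python is an added toy model (not the paper's code) of the mechanism described in the rounding-function hash proof and in the Dec/Messy-mode discussion above: pk_σ = As + e is close to Λ(A), pk_{1−σ} = pk_σ + v is far from it, and a ciphertext (p = A^T r, β = R(〈r, pk〉) ⊕ u) decrypts as R(〈p, s〉) ⊕ β. The dimensions, the deterministic stand-in for the rounding function R, the small-integer samplers in place of D_{Z,s}, and the omission of the shift f are assumptions chosen for a quick run, not the paper's secure parameters.

```python
# Added example (not from the paper): a toy Regev-style "smooth encryption" using the
# rounding function R as an approximate hash proof. It shows that H = R(<r, c>) agrees
# with pH = R(<p, s>) when c = As + e is close to the lattice, so decryption succeeds on
# the Dec branch pk_sigma, while on the messy branch pk_{1-sigma} = pk_sigma + v the
# hash is unrelated to pH and decryption returns a coin flip.
# Toy parameters chosen for speed; NOT the paper's secure parameter regime.
import random

N, M, Q = 8, 32, 1 << 16   # toy LWE dimension n, number of samples m, modulus q
E_BOUND = 2                 # |e_i| <= E_BOUND, stands in for the LWE error distribution
R_BOUND = 2                 # |r_i| <= R_BOUND, stands in for the hash-key sampler D_{Z,s}


def rounding(x):
    """Deterministic stand-in for the paper's (randomized) rounding function R: Z_q -> {0,1}.
    Returns 1 when x mod q lies in [q/4, 3q/4), i.e. x is closer to q/2 than to 0."""
    x %= Q
    return 1 if Q // 4 <= x < 3 * Q // 4 else 0


def inner(u, v):
    """Inner product modulo q (Python's % keeps the result in [0, q))."""
    return sum(a * b for a, b in zip(u, v)) % Q


def small_vec(rng, length, bound):
    return [rng.randint(-bound, bound) for _ in range(length)]


def setup_messy(rng):
    """Messy-mode crs: a uniform matrix A (m x n) and a uniform shift v, far from Λ(A)."""
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M)]
    v = [rng.randrange(Q) for _ in range(M)]
    return A, v


def keygen(rng, A, v, sigma):
    """Receiver: pk_sigma = A s + e is an LWE vector close to Λ(A); the other branch
    pk_{1-sigma} = pk_sigma + v is far from Λ(A). The secret key is s."""
    s = [rng.randrange(Q) for _ in range(N)]
    e = small_vec(rng, M, E_BOUND)
    pk_sigma = [(inner(A[i], s) + e[i]) % Q for i in range(M)]
    pk_other = [(pk_sigma[i] + v[i]) % Q for i in range(M)]
    pks = [pk_sigma, pk_other] if sigma == 0 else [pk_other, pk_sigma]
    return pks, s


def hash_key_and_projection(rng, A):
    """Sender (the verifier of the hash proof): hash key r, projection key p = A^T r."""
    r = small_vec(rng, M, R_BOUND)
    p = [sum(r[i] * A[i][j] for i in range(M)) % Q for j in range(N)]
    return r, p


def encrypt(rng, A, pk, bit):
    """Encrypt one bit under branch key pk: ct = (p, beta) with beta = H XOR bit,
    where H = R(<r, pk>) is the hash value computed with the hash key r."""
    r, p = hash_key_and_projection(rng, A)
    return p, rounding(inner(r, pk)) ^ bit


def decrypt(ct, s):
    """Receiver recomputes the projected hash pH = R(<p, s>) = R(r^T A s) and unmasks."""
    p, beta = ct
    return rounding(inner(p, s)) ^ beta


def agreement_rates(seed, trials):
    """Fraction of trials in which decryption recovers the bit on the Dec branch
    (pk_sigma) and on the messy branch (pk_{1-sigma}). Expect ~1.0 and ~0.5."""
    rng = random.Random(seed)
    A, v = setup_messy(rng)
    ok_dec = ok_messy = 0
    for _ in range(trials):
        sigma, bit = rng.randint(0, 1), rng.randint(0, 1)
        pks, s = keygen(rng, A, v, sigma)
        ok_dec += decrypt(encrypt(rng, A, pks[sigma], bit), s) == bit
        ok_messy += decrypt(encrypt(rng, A, pks[1 - sigma], bit), s) == bit
    return ok_dec / trials, ok_messy / trials


if __name__ == "__main__":
    print(agreement_rates(seed=1, trials=300))
```

The occasional Dec-branch failure corresponds to 〈r, e〉 pushing 〈p, s〉 across a rounding boundary, which is exactly the approximate-correctness caveat the paper attaches to the distance bound B.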

Security Proof
Theorem 1. Given s ≥ 6m and m ≥ 2(n + 1) log q, the above scheme is a UC-secure CCOT protocol against a static malicious adversary, assuming the hardness of learning with errors with the corresponding parameters.
We mainly consider two corruption cases: the sender is corrupted, and the receiver is corrupted.
Sender is corrupted: firstly, we consider an adversary A corrupting sender P_1, and we need to construct a simulator S, who can invoke adversary A's input copies and performs the following operations.
When j = 0, run Dec mode's setup algorithm SetupDec* and obtain (crs_0, t_0) ← SetupDec*(1^n), where crs_0 is known to all parties. The honest receiver P_2 runs the KeyGen* algorithm to obtain (pk_0, pk_1, sk_b) and then sends pk_0 and pk_1 to sender P_1. In this situation, simulator S invokes the TrapKeyGen*(crs_0, t_0) algorithm to obtain (pk, sk_0, sk_1) and then sends (sid, pk) to adversary A, which simulates an interactive scenario between receiver P_2 and adversary A. Then, simulator S stores (sk_0, sk_1). Adversary A invokes the Enc*(pk, y_0, y_1) algorithm to obtain ciphertexts (ct_0, ct_1) and sends (ct_0, ct_1) to receiver P_2. Simulator S simulates this process: S receives (ct_0, ct_1) from adversary A, looks up the corresponding secret keys sk_0 and sk_1, and invokes Dec*(sk_b, ct_b), b ∈ {0, 1}, to obtain y′_b, b ∈ {0, 1}. Simulator S sends (y′_0, y′_1) to the ideal function F_CCOT. Receiver P_2 obtains the corresponding message based on the mode index j and the selection bit σ.
Receiver is corrupted: adversary A corrupts receiver P_2, and we need to construct a simulator S, who simulates the process between adversary A and sender P_1.
When j = 1, run Messy mode's setup algorithm SetupMessy* to obtain (crs_1, t_1) ← SetupMessy*(1^n), where crs_1 is known to all parties. We should notice that crs_1 is uniformly sampled. The honest sender P_1 interacts with P_2, corrupted by adversary A. Adversary A chooses a selection bit σ and then invokes the KeyGen*(crs_1, σ) algorithm to obtain (sid, pk_σ, sk_σ), where pk_σ is public to sender P_1. Simulator S invokes FindMessy*(crs_1, t_1, pk_σ) to obtain the messy branch b. Then, simulator S sends (sid, receiver, 1 − b) to the ideal function F_OT and receives the corresponding message y_{1−b}. Simulator S simulates the process between P_1 and A as follows.
Firstly, S computes ct_b ← Enc*(pk_b, 0^n) and ct_{1−b} ← Enc*(pk_{1−b}, y_{1−b}). Secondly, S sends (ct_b, ct_{1−b}) to adversary A, as if from sender P_1. Finally, adversary A decrypts ct_b with the corresponding secret key sk_σ. Considering the LWE assumption and the Messy mode's property, adversary A cannot obtain the correct message.

Ideal Function of BCCOT.
In secure two-party computation, the garbled circuits' constructor P_1 constructs many copies of the circuit, which guards against P_1 constructing an incorrect circuit. Let s be the garbled-circuit parameter. P_1 constructs s copies of the circuit; half of these circuits are used for checking and the other half for evaluation. After all check circuits pass detection, the remaining half are used to evaluate f(x, y). Some garbled circuits may be incorrectly constructed by P_1, so we adopt the majority value of f(x, y). Considering the circuit parameter s, we introduce the ideal function F_BCCOT of 'batch cut-and-choose' oblivious transfer in Figure 11. In the special case σ_1 = σ_2 = ··· = σ_s = σ, j ∉ J, the receiver obtains y^j_σ, and this is the single-choice CCOT function.

Construction of BCCOT Protocol.
Considering that s copies of garbled circuits are used in secure two-party computation based on the CCOT protocol, BCCOT can be regarded as a series of oblivious transfer protocols implemented by a batch operation.
Data Availability
The performance test data used to support the findings of this study are included within the article.

Conflicts of Interest
The authors declare that they have no conflicts of interest.