The security of the free-XOR optimization was originally proven in the random oracle model. In the same paper, Kolesnikov and Schneider also addressed the question of replacing the random oracle with a standard cryptographic assumption and suggested to use a hash function which achieves some form of security under correlated inputs. This claim was revisited by Choi et al. (TCC 2012) who showed that a stronger form of security is required, and proved that the free-XOR optimization can be realized based on a new primitive called \emph{circular 2-correlation hash function}. Unfortunately, it is currently unknown how to implement this primitive based on standard assumptions, and so the feasibility of realizing the free-XOR optimization in the standard model remains an open question.
We resolve this question by showing that the free-XOR approach can be realized in the standard model under the \emph{learning parity with noise} (LPN) assumption. Our result is obtained in two steps: (1) We show that the hash function can be replaced with a symmetric encryption which remains secure under a combined form of related-key and key-dependent attacks; and (2) We show that such a symmetric encryption can be constructed based on the LPN assumption.
Category / Keywords: foundations / Garbled Circuit, Related Key Attacks, Key-Dependent Message Attacks Date: received 4 Sep 2012, last revised 24 Feb 2015 Contact author: bennyap at post tau ac il Available format(s): PDF | BibTeX Citation Version: 20150224:152115 (All versions of this report) Short URL: ia.cr/2012/516 Discussion forum: Show discussion | Start new discussion