Universally Composable Adaptive Oblivious Transfer

  • Matthew Green
  • Susan Hohenberger
Conference paper

DOI: 10.1007/978-3-540-89255-7_12

Part of the Lecture Notes in Computer Science book series (LNCS, volume 5350)
Cite this paper as:
Green M., Hohenberger S. (2008) Universally Composable Adaptive Oblivious Transfer. In: Pieprzyk J. (eds) Advances in Cryptology - ASIACRYPT 2008. ASIACRYPT 2008. Lecture Notes in Computer Science, vol 5350. Springer, Berlin, Heidelberg


In an oblivious transfer (OT) protocol, a Sender with messages \(M_1,\dots,M_N\) and a Receiver with indices \(\sigma_1,\dots,\sigma_k \in [1,N]\) interact in such a way that at the end the Receiver obtains \(M_{\sigma_1},\dots,M_{\sigma_k}\) without learning anything about the other messages and the Sender does not learn anything about \(\sigma_1,\dots,\sigma_k\). In an adaptive protocol, the Receiver may obtain \(M_{\sigma_{i-1}}\) before deciding on \(\sigma_i\). Efficient adaptive OT protocols are interesting as a building block for secure multiparty computation and for enabling oblivious searches on medical and patent databases.

Historically, adaptive OT protocols were analyzed with respect to a “half-simulation” definition which Naor and Pinkas showed to be flawed. In 2007, Camenisch, Neven, and shelat, and subsequent other works, demonstrated efficient adaptive protocols in the full-simulation model. These protocols, however, all use standard rewinding techniques in their proofs of security and thus are not universally composable. Recently, Peikert, Vaikuntanathan and Waters presented universally composable (UC) non-adaptive OT protocols for the 1-out-of-2 variant, in the static corruption model using certain trusted setup assumptions. However, it is not clear how to preserve UC security while extending these protocols to the adaptive k-out-of-N setting. Further, any such attempt would seem to require O(N) computation per transfer for a database of size N. In this work, we present an efficient and UC-secure adaptive k-out-of-N OT protocol in the same model as Peikert et al., where after an initial commitment to the database, the cost of each transfer is constant. Our construction is secure under bilinear assumptions in the standard model.


Copyright information

© Springer-Verlag Berlin Heidelberg 2008

Authors and Affiliations

  • Matthew Green (1)
  • Susan Hohenberger (1)
  1. Information Security Institute, The Johns Hopkins University, Baltimore, USA
