Theory of Cryptography Conference

TCC 2011: Theory of Cryptography pp 347-363

Practical Adaptive Oblivious Transfer from Simple Assumptions

  • Matthew Green
  • Susan Hohenberger
Conference paper

DOI: 10.1007/978-3-642-19571-6_21

Volume 6597 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Green M., Hohenberger S. (2011) Practical Adaptive Oblivious Transfer from Simple Assumptions. In: Ishai Y. (eds) Theory of Cryptography. TCC 2011. Lecture Notes in Computer Science, vol 6597. Springer, Berlin, Heidelberg


In an adaptive oblivious transfer (OT) protocol, a sender commits to a database of messages and then repeatedly interacts with a receiver in such a way that the receiver obtains one message per interaction of his choice (and nothing more) while the sender learns nothing about any of the choices. Recently, there has been significant effort to design practical adaptive OT schemes and to use these protocols as a building block for larger database applications. To be well suited for these applications, the underlying OT protocol should: (1) support an efficient initialization phase where one commitment can support an arbitrary number of receivers who are guaranteed of having the same view of the database, (2) execute transfers in time independent of the size of the database, and (3) satisfy a strong notion of security under a simple assumption in the standard model.

We present the first adaptive OT protocol simultaneously satisfying these requirements. The sole complexity assumption required is that given (g,ga,gb,gc,Q), where g generates a bilinear group of prime order p and a,b,c are selected randomly from ℤp, it is hard to decide if Q = gabc. All prior protocols in the standard model either do not meet our efficiency requirements or require dynamic “q-based” assumptions.

Our construction makes an important change to the established “assisted decryption” technique for designing adaptive OT. As in prior works, the sender commits to a database of n messages by publishing an encryption of each message and a signature on each encryption. Then, each transfer phase can be executed in time independent of n as the receiver blinds one of the encryptions and proves knowledge of the blinding factors and a signature on this encryption, after which the sender helps the receiver decrypt the chosen ciphertext. One of the main obstacles to designing an adaptive OT scheme from a simple assumption is realizing a suitable signature for this purpose (i.e., enabling signatures on group elements in a manner that later allows for efficient proofs.) We make the observation that a secure signature scheme is not necessary for this paradigm, provided that signatures can only be forged in certain ways. We then show how to efficiently integrate an insecure signature into a secure adaptive OT construction.

Download to read the full conference paper text

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Matthew Green
    • 1
  • Susan Hohenberger
    • 1
  1. 1.Johns Hopkins UniversityUSA