Universally Composable Adaptive Priced Oblivious Transfer

  • Alfredo Rial
  • Markulf Kohlweiss
  • Bart Preneel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 5671)


An adaptive k-out-of-N Priced Oblivious Transfer (POT) scheme is a two-party protocol between a vendor and a buyer. The vendor sells a set of messages m 1, . . . ,m N with prices p 1, . . . , p N . In each transfer phase i = 1, . . . , k, the buyer chooses a selection value σ i  ∈ {1, . . . ,N} and interacts with the vendor to buy message m σ i in such a way that the vendor does not learn σ i and the buyer does not get any information about the other messages.

We present a POT scheme secure under pairing-related assumptions in the standard model. Our scheme is universally composable and thus, unlike previous results, preserves security when it is executed with multiple protocol instances that run concurrently in an adversarially controlled way. Furthermore, after an initialization phase of complexity O(N), each transfer phase is optimal in terms of rounds of communication and it has constant computational and communication cost. To achieve these properties, we design the first efficient non-interactive proof of knowledge that a value lies in a given interval we are aware of.


Universally composable security priced oblivious transfer bilinear maps non-interactive range proofs of knowledge 


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Koargonkar, P., Wolin, L.: A multivariate analysis of web usage. Journal of Advertising Research, 53–68 (March/April 1999)Google Scholar
  2. 2.
    Tsai, J., Egelman, S., Cranor, L., Acquisti, R.: The effect of online privacy information on purchasing behavior: An experimental study, working paper (June 2007)Google Scholar
  3. 3.
    Grimm, R., Aichroth, P.: Privacy protection for signed media files: a separation-of-duty approach to the lightweight drm (lwdrm) system. In: Dittmann, J., Fridrich, J.J. (eds.) MM&Sec, pp. 93–99. ACM, New York (2004)CrossRefGoogle Scholar
  4. 4.
    Lee, D.G., Oh, H.G., Lee, I.Y.: A study on contents distribution using electronic cash system. In: EEE 2004: Proceedings of the 2004 IEEE International Conference on e-Technology, e-Commerce and e-Service (EEE 2004), Washington, DC, USA, pp. 333–340. IEEE Computer Society, Los Alamitos (2004)Google Scholar
  5. 5.
    Chaum, D.: Blind signatures for untraceable payments. In: CRYPTO 1982, pp. 199–203. Plenum Press, New York (1999)Google Scholar
  6. 6.
    Camenisch, J., Hohenberger, S., Lysyanskaya, A.: Compact E-Cash. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 302–321. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  7. 7.
    Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: Compact e-cash and simulatable VRFs revisited. Cryptology ePrint Archive, Report 2009/107 (2009),
  8. 8.
    Berthold, O., Federrath, H., Köhntopp, M.: Project anonymity and unobservability in the internet. In: CFP 2000: Proceedings of the tenth conference on Computers, freedom and privacy, pp. 57–65. ACM, New York (2000)Google Scholar
  9. 9.
    Sun, H.-M., Wang, K.-H., Hung, C.-F.: Towards privacy preserving digital rights management using oblivious transferGoogle Scholar
  10. 10.
    Aiello, W., Ishai, Y., Reingold, O.: Priced oblivious transfer: How to sell digital goods. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 119–135. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  11. 11.
    Rabin, M.O.: How to exchange secrets by oblivious transfer (1981)Google Scholar
  12. 12.
    Naor, M., Pinkas, B.: Oblivious transfer with adaptive queries. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 573–590. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  13. 13.
    Kohlweiss, M., Faust, S., Fritsch, L., Gedrojc, B., Preneel, B.: Efficient oblivious augmented maps: Location-based services with a payment broker. In: Borisov, N., Golle, P. (eds.) PET 2007. LNCS, vol. 4776, pp. 77–94. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  14. 14.
    Canetti, R.: Universally composable security: A new paradigm for cryptographic protocols. In: FOCS 2001: Proceedings of the 42nd IEEE symposium on Foundations of Computer Science, Washington, DC, USA, p. 136. IEEE Computer Society, Los Alamitos (2001)Google Scholar
  15. 15.
    Camenisch, J., Neven, G., Shelat, A.: Simulatable adaptive oblivious transfer. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 573–590. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  16. 16.
    Green, M., Hohenberger, S.: Blind identity-based encryption and simulatable oblivious transfer. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 265–282. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  17. 17.
    Green, M., Hohenberger, S.: Universally composable adaptive oblivious transfer. Cryptology ePrint Archive, Report 2008/163 (2008),
  18. 18.
    Damgård, I., Nielsen, J.B., Orlandi, C.: Essentially optimal universally composable oblivious transfer. Cryptology ePrint Archive, Report 2008/220 (2008),
  19. 19.
    Wagner, D. (ed.): CRYPTO 2008. LNCS, vol. 5157. Springer, Heidelberg (2008)zbMATHGoogle Scholar
  20. 20.
    Tobias, C.: Practical oblivious transfer protocols. In: Petitcolas, F.A.P. (ed.) IH 2002. LNCS, vol. 2578, pp. 415–426. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  21. 21.
    Crescenzo, G.D., Ostrovsky, R., Rajagopalan, S.: Conditional oblivious transfer and timed-release encryption. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 74–89. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  22. 22.
    Blake, I.F., Kolesnikov, V.: Strong conditional oblivious transfer and computing on intervals. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 515–529. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  23. 23.
    Ishai, Y., Kushilevitz, E.: Private simultaneous messages protocols with applications. In: Proc. of 5th ISTCS, pp. 174–183 (1997)Google Scholar
  24. 24.
    Shankar, B., Srinathan, K., Rangan, C.P.: Alternative protocols for generalized oblivious transfer. In: Rao, S., Chatterjee, M., Jayanti, P., Murthy, C.S.R., Saha, S.K. (eds.) ICDCN 2008. LNCS, vol. 4904, pp. 304–309. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  25. 25.
    Herranz, J.: Restricted adaptive oblivious transfer. Cryptology ePrint Archive, Report 2008/182 (2008),
  26. 26.
    Coull, S., Green, M., Hohenberger, S.: Controlling access to an oblivious database using stateful anonymous credentials. Cryptology ePrint Archive, Report 2008/474 (2008),
  27. 27.
    Camenisch, J., Chaabouni, R., Shelat, A.: Efficient protocols for set membership and range proofs. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 234–252. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  28. 28.
    Groth, J., Sahai, A.: Efficient non-interactive proof systems for bilinear groups. In: Smart, N.P. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 415–432. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  29. 29.
    Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M.K. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  30. 30.
    Belenkiy, M., Chase, M., Kohlweiss, M., Lysyanskaya, A.: P-signatures and noninteractive anonymous credentials. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 356–374. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  31. 31.
    Boyen, X., Waters, B.: Full-domain subgroup hiding and constant-size group signatures. In: Okamoto, T., Wang, X. (eds.) PKC 2007. LNCS, vol. 4450, pp. 1–15. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  32. 32.
    Canetti, R.: Obtaining universally compoable security: Towards the bare bones of trust. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 88–112. Springer, Heidelberg (2007)CrossRefGoogle Scholar
  33. 33.
    Santis, A.D., Di Crescenzo, G., Persiano, G.: Necessary and sufficient assumptions for non-interactive zero-knowledge proofs of knowledge for all NP relations. In: Welzl, E., Montanari, U., Rolim, J.D.P. (eds.) ICALP 2000. LNCS, vol. 1853, pp. 451–462. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  34. 34.
    Goldwasser, S., Micali, S., Rackoff, C.: The knowledge complexity of interactive proof systems. SIAM J. Comput. 18(1), 186–208 (1989)MathSciNetCrossRefzbMATHGoogle Scholar
  35. 35.
    Goldreich, O.: Foundations of Cryptography: Basic Tools. Cambridge University Press, New York (2000)zbMATHGoogle Scholar
  36. 36.
    Blum, M., Feldman, P., Micali, S.: Non-interactive zero-knowledge and its applications. In: STOC 1988: Proceedings of the twentieth annual ACM symposium on Theory of computing, pp. 103–112. ACM Press, New York (1988)CrossRefGoogle Scholar
  37. 37.
    Feige, U., Lapidot, D., Shamir, A.: Multiple noninteractive zero knowledge proofs under general assumptions. SIAM Journal on Computing 29(1), 1–28 (1999)MathSciNetCrossRefzbMATHGoogle Scholar
  38. 38.
    Camenisch, J., Stadler, M.: Efficient group signature schemes for large groups. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997)CrossRefGoogle Scholar
  39. 39.
    Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. 17(2), 281–308 (1988)MathSciNetCrossRefzbMATHGoogle Scholar
  40. 40.
    Boneh, D., Boyen, X.: Short signatures without random oracles. In: Cachin, C., Camenisch, J. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 56–73. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  41. 41.
    Ateniese, G., Camenisch, J., de Medeiros, B.: Untraceable RFID tags via insubvertible encryption. In: CCS 2005: Proceedings of the 12th ACM conference on Computer and communications security, pp. 92–101. ACM, New York (2005)Google Scholar
  42. 42.
    Canetti, R., Rabin, T.: Universal composition with joint state. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 265–281. Springer, Heidelberg (2003)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2009

Authors and Affiliations

  • Alfredo Rial
    • 1
  • Markulf Kohlweiss
    • 1
  • Bart Preneel
    • 1
  1. 1.ESAT/SCD/COSIC and IBBTKatholieke Universiteit LeuvenBelgium

Personalised recommendations