Practical Adaptive Oblivious Transfer from Simple Assumptions
In an adaptive oblivious transfer (OT) protocol, a sender commits to a database of messages and then repeatedly interacts with a receiver in such a way that the receiver obtains one message per interaction of his choice (and nothing more) while the sender learns nothing about any of the choices. Recently, there has been significant effort to design practical adaptive OT schemes and to use these protocols as a building block for larger database applications. To be well suited for these applications, the underlying OT protocol should: (1) support an efficient initialization phase where one commitment can support an arbitrary number of receivers who are guaranteed of having the same view of the database, (2) execute transfers in time independent of the size of the database, and (3) satisfy a strong notion of security under a simple assumption in the standard model.
We present the first adaptive OT protocol simultaneously satisfying these requirements. The sole complexity assumption required is that given (g,ga,gb,gc,Q), where g generates a bilinear group of prime order p and a,b,c are selected randomly from ℤp, it is hard to decide if Q = gabc. All prior protocols in the standard model either do not meet our efficiency requirements or require dynamic “q-based” assumptions.
Our construction makes an important change to the established “assisted decryption” technique for designing adaptive OT. As in prior works, the sender commits to a database of n messages by publishing an encryption of each message and a signature on each encryption. Then, each transfer phase can be executed in time independent of n as the receiver blinds one of the encryptions and proves knowledge of the blinding factors and a signature on this encryption, after which the sender helps the receiver decrypt the chosen ciphertext. One of the main obstacles to designing an adaptive OT scheme from a simple assumption is realizing a suitable signature for this purpose (i.e., enabling signatures on group elements in a manner that later allows for efficient proofs.) We make the observation that a secure signature scheme is not necessary for this paradigm, provided that signatures can only be forged in certain ways. We then show how to efficiently integrate an insecure signature into a secure adaptive OT construction.
- 4.Boneh, D., Boyen, X., Shacham, H.: Short Group Signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)Google Scholar
- 8.Camenisch, J., Dubovitskaya, M., Neven, G.: Oblivious transfer with access controls. In: ACM CCS 2009, pp. 131–140 (2009)Google Scholar
- 9.Camenisch, J., Michels, M.: Proving in Zero-Knowledge that a Number n is the Product of Two Safe Primes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 107–122. Springer, Heidelberg (1999)Google Scholar
- 11.Camenisch, J., Stadler, M.: Efficient Group Signature Schemes for Large Groups. In: Kaliski Jr., B.S. (ed.) CRYPTO 1997. LNCS, vol. 1294, pp. 410–424. Springer, Heidelberg (1997)Google Scholar
- 12.R. Chaabouni, H. Lipmaa, A. Shelat. Additive combinatorics and discrete logarithm based range protocols (2009), Cryptology ePrint Archive: 2009/469 http://eprint.iacr.org/2009/469.pdf
- 14.Chen, Y., Chou, J.-S., Hou, X.-W.: A novel k-out-of-n oblivious transfer protocols based on bilinear pairings (2010), Cryptology ePrint Archive: Report 2010/027Google Scholar
- 16.Cramer, R., Damgård, I., Schoenmakers, B.: Proof of Partial Knowledge and Simplified Design of Witness Hiding Protocols. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 174–187. Springer, Heidelberg (1994)Google Scholar
- 19.Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: STOC 1987, pp. 218–229 (1987)Google Scholar
- 20.Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Computing 17(2) (1988)Google Scholar
- 23.Green, M., Hohenberger, S.: Practical adaptive oblivious transfer from simple assumptions (2010), The full version of this work appears in the Cryptology ePrint Archive: Report 2010/109 Google Scholar
- 28.Kilian, J.: Founding cryptography on oblivious transfer. In: STOC 1988, pp. 20–31 (1988)Google Scholar
- 33.Naor, M., Pinkas, B.: Oblivious Transfer with Adaptive Queries. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 573–590. Springer, Heidelberg (1999)Google Scholar
- 34.Peikert, C., Vaikuntanathan, V., Waters, B.: A Framework for Efficient and Composable Oblivious Transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008)Google Scholar
- 35.Rabin, M.: How to exchange secrets by oblivious transfer. Technical Report TR-81, Aiken Computation Laboratory, Harvard University (1981)Google Scholar
- 38.Sun, H.-M., Chen, Y., Chou, J.-S.: An efficient secure oblivious transfer (2009), Cryptology ePrint Archive: Report 2009/521 Google Scholar
- 40.Yao, A.: How to generate and exchange secrets. In: FOCS, pp. 162–167 (1986)Google Scholar