A Weakness in Some Oblivious Transfer and Zero-Knowledge Protocols

  • Ventzislav Nikov
  • Svetla Nikova
  • Bart Preneel
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4284)


We consider oblivious transfer protocols, and their applications, that are built on a semantically secure homomorphic encryption scheme (e.g. Paillier's). We show that some oblivious transfer protocols and their derivatives, such as private matching, oblivious polynomial evaluation and private shared scalar product, could be subject to an attack. The same attack applies to some non-interactive zero-knowledge arguments that use homomorphic encryption schemes underneath. The roots of our attack lie in an additional property of some semantically secure encryption schemes, namely that decryption also reveals the random coin used for the encryption, and in the fact that the (sender's or prover's) inputs may belong to a space that is very small compared to the plaintext space. In this case it turns out that even a semi-honest chooser (verifier) can derive from the random coin bounds for all or some of the sender's (prover's) private inputs with non-negligible probability. We propose a fix which precludes the attacks.
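The two ingredients the abstract names, shown in working code as an added illustration that is not code from the paper: (1) a Paillier key holder who decrypts a ciphertext can also extract the random coin r, and (2) when a small private value of the other party enters that coin without fresh masking, the key holder can brute-force it even though the decrypted plaintext itself reveals nothing. The attack the paper mounts against the cited OT and NIZK protocols derives bounds on the sender's inputs inside those specific protocols and is not reproduced here; the sender step below (scalar-multiplying the chooser's ciphertext by a private byte, with and without re-randomization) is a constructed simplification, as are the toy key and the 256-element input space. The re-randomized variant is the standard way to make the coin uniform; the page does not say whether it coincides with the fix the paper proposes.

```python
"""Paillier: the key holder recovers the encryption coin; an unmasked small
sender input that enters the coin is then brute-forceable. Illustration only."""
from math import gcd
import secrets

# Constructed toy key: two well-known primes, small enough to run instantly.
# gcd(n, phi(n)) == 1 holds for them, which coin recovery needs.
P, Q = 1000000007, 998244353
N = P * Q
N2 = N * N
PHI = (P - 1) * (Q - 1)
assert gcd(N, PHI) == 1
PHI_INV = pow(PHI, -1, N)          # decryption constant for generator g = 1 + n
N_INV_MOD_PHI = pow(N, -1, PHI)    # exponent that takes n-th roots modulo n


def random_coin():
    """Uniform r in Z_n^*, the 'random coin' of a Paillier ciphertext."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if gcd(r, N) == 1:
            return r


def encrypt(m, r):
    """Paillier encryption with g = 1 + n: c = (1 + m*n) * r^n mod n^2."""
    return ((1 + m * N) * pow(r, N, N2)) % N2


def decrypt(c):
    """Standard decryption: L(c^phi mod n^2) * phi^-1 mod n, L(u) = (u-1)/n."""
    u = pow(c, PHI, N2)
    return ((u - 1) // N * PHI_INV) % N


def recover_coin(c):
    """The property the abstract relies on: decryption also reveals the coin.
    Reducing c mod n removes the (1+n)^m factor and leaves r^n mod n; because
    gcd(n, phi(n)) = 1, raising to n^-1 mod phi(n) is an n-th root mod n."""
    return pow(c % N, N_INV_MOD_PHI, N)


# --- constructed model of the sender's homomorphic step ----------------------
SMALL_SPACE = range(256)   # assumption: the sender's private value is one byte


def sender_unmasked(c, mu):
    """Scalar-multiplies the chooser's ciphertext by private mu with no fresh
    randomness: plaintext becomes mu*m, coin becomes r^mu (mu leaks)."""
    return pow(c, mu, N2)


def sender_masked(c, mu):
    """Same step re-randomized with a fresh coin t: coin becomes r^mu * t,
    uniform in Z_n^*, so the coin no longer carries information about mu."""
    return (pow(c, mu, N2) * encrypt(0, random_coin())) % N2


def chooser_brute_force(answer, r):
    """The chooser knows its own coin r; it tests every candidate mu in the
    small space against the recovered coin of the answer. Returns mu or None."""
    rho = recover_coin(answer)
    for cand in SMALL_SPACE:
        if pow(r, cand, N) == rho:
            return cand
    return None


def demo(mu, masked):
    """Chooser encrypts m = 0, so the answer decrypts to 0 whatever mu is:
    only the coin can leak. Returns (decrypted plaintext, recovered mu)."""
    r = random_coin()
    c = encrypt(0, r)
    answer = sender_masked(c, mu) if masked else sender_unmasked(c, mu)
    return decrypt(answer), chooser_brute_force(answer, r)


if __name__ == "__main__":
    print("unmasked:", demo(37, masked=False))   # plaintext 0, mu recovered
    print("masked:  ", demo(37, masked=True))    # plaintext 0, nothing recovered
```

`pow(x, -1, m)` needs Python 3.8 or later. The point to carry away is in `recover_coin`: anyone holding the Paillier secret key learns r, so a protocol that lets a private value shape r, rather than only the plaintext, hands that value to the key holder whenever the value's space is small enough to enumerate.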


Keywords: Oblivious Transfer, Homomorphic Semantically Secure Cryptosystems, Paillier's Public-Key Cryptosystem, Non-Interactive Zero-Knowledge Arguments


  1. Aiello, W., Ishai, Y., Reingold, O.: Priced Oblivious Transfer: How to Sell Digital Goods. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 119–135. Springer, Heidelberg (2001)
  2. Benaloh, J.: Verifiable Secret-Ballot Elections. Ph.D. Thesis, Yale University (1987)
  3. Blake, I.F., Kolesnikov, V.: Strong Conditional Oblivious Transfer and Computing on Intervals. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 515–529. Springer, Heidelberg (2004)
  4. Brassard, G., Crépeau, C., Robert, J.M.: All-or-nothing disclosure of secrets. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 234–238. Springer, Heidelberg (1987)
  5. Catalano, D., Gennaro, R., Howgrave-Graham, N., Nguyen, P.: Paillier's Cryptosystem Revisited. In: ACM Conf. on Computer and Communications Security, pp. 206–214 (2001)
  6. Chang, Y.-C.: Single Database Private Information Retrieval with Logarithmic Communication. In: Wang, H., Pieprzyk, J., Varadharajan, V. (eds.) ACISP 2004. LNCS, vol. 3108, pp. 50–61. Springer, Heidelberg (2004)
  7. Crépeau, C., van de Graaf, J., Tapp, A.: Committed Oblivious Transfer and Private Multi-party Computation. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 110–123. Springer, Heidelberg (1995)
  8. Di Crescenzo, G.: Private Selective Payment Protocols. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 72–89. Springer, Heidelberg (2001)
  9. Di Crescenzo, G., Ostrovsky, R., Rajagopalan, S.: Conditional Oblivious Transfer and Timed-Release Encryption. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 74–89. Springer, Heidelberg (1999)
  10. Cramer, R., Damgård, I.: Linear zero-knowledge - a note on efficient zero-knowledge proofs and arguments. In: ACM Symp. on Theory of Computing, pp. 436–445 (1997)
  11. Cramer, R., Damgård, I.B.: Secret-key zero-knowledge and non-interactive verifiable exponentiation. In: Naor, M. (ed.) TCC 2004. LNCS, vol. 2951, pp. 223–237. Springer, Heidelberg (2004)
  12. Damgård, I.B., Fazio, N., Nicolosi, A.: Non-interactive Zero-Knowledge from Homomorphic Encryption. In: Halevi, S., Rabin, T. (eds.) TCC 2006. LNCS, vol. 3876, pp. 41–59. Springer, Heidelberg (2006)
  13. Damgård, I., Jurik, M.: A Generalization, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System. In: Kim, K.-c. (ed.) PKC 2001. LNCS, vol. 1992, pp. 119–136. Springer, Heidelberg (2001)
  14. El Gamal, T.: A Public Key Cryptosystem and a Signature Scheme Based on Discrete Logarithms. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 10–18. Springer, Heidelberg (1985)
  15. Fiat, A., Shamir, A.: How to prove yourself: Practical solutions to Identification and Signature Problems. In: Odlyzko, A.M. (ed.) CRYPTO 1986. LNCS, vol. 263, pp. 186–194. Springer, Heidelberg (1987)
  16. Freedman, M., Nissim, K., Pinkas, B.: Efficient Private Matching and Set Intersection. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 1–19. Springer, Heidelberg (2004)
  17. Freedman, M.J., Ishai, Y., Pinkas, B., Reingold, O.: Keyword Search and Oblivious Pseudorandom Functions. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 303–324. Springer, Heidelberg (2005)
  18. Goldwasser, S., Micali, S.: Probabilistic encryption and how to play mental poker keeping secret all partial information. In: ACM Symp. on Theory of Computing, pp. 365–377 (1982)
  19. Goethals, B., Laur, S., Lipmaa, H., Mielikäinen, T.: On Private Scalar Product Computation for Privacy-Preserving Data Mining. In: Park, C.-s., Chee, S. (eds.) ICISC 2004. LNCS, vol. 3506, pp. 104–120. Springer, Heidelberg (2005)
  20. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game. In: ACM Symp. on Theory of Computing, pp. 218–229 (1987)
  21. Kilian, J.: Founding Cryptography on Oblivious Transfer. In: ACM Symp. on Theory of Computing, pp. 20–31 (1988)
  22. Lipmaa, H.: Verifiable Homomorphic Oblivious Transfer and Private Equality Test. In: Laih, C.-S. (ed.) ASIACRYPT 2003. LNCS, vol. 2894, pp. 416–433. Springer, Heidelberg (2003)
  23. Laur, S., Lipmaa, H.: Additive Conditional Disclosure of Secrets and Applications. Cryptology ePrint Archive, Report 2005/378 (2005)
  24. Laur, S., Lipmaa, H., Mielikäinen, T.: Private Itemset Support Counting. In: Qing, S., Mao, W., López, J., Wang, G. (eds.) ICICS 2005. LNCS, vol. 3783, pp. 97–111. Springer, Heidelberg (2005)
  25. Naccache, D., Stern, J.: A new public-key cryptosystem based on higher residues. In: ACM Conf. on Computer and Communications Security, pp. 59–66 (1998)
  26. Naor, M., Pinkas, B.: Oblivious Transfer and Polynomial Evaluation. In: ACM Symp. on Theory of Computing, pp. 245–254 (1999)
  27. Naor, M., Pinkas, B.: Efficient Oblivious Transfer Protocols. In: ACM-SIAM Symp. on Discrete Algorithms, pp. 448–457 (2001)
  28. Okamoto, T., Uchiyama, S.: A new public-key cryptosystem as secure as factoring. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 308–318. Springer, Heidelberg (1998)
  29. Paillier, P.: Public-Key Cryptosystems Based on Composite Degree Residuosity Classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999)
  30. Rabin, M.: How to exchange secrets by oblivious transfer. Technical Report TR-81, Harvard Aiken Computation Laboratory (1981)
  31. Stern, J.: A New and Efficient All-Or-Nothing Disclosure of Secrets Protocol. In: Ohta, K., Pei, D. (eds.) ASIACRYPT 1998. LNCS, vol. 1514, pp. 357–371. Springer, Heidelberg (1998)

Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Ventzislav Nikov (1)
  • Svetla Nikova (2)
  • Bart Preneel (2)
  1. Philips TASS
  2. Department of Electrical Engineering, ESAT/COSIC, Katholieke Universiteit Leuven, Heverlee-Leuven, Belgium
