Two provably secure k-out-of-n oblivious transfer schemes

https://doi.org/10.1016/j.amc.2004.10.059Get rights and content

Abstract

Oblivious transfer (OT) is a fundamental cryptographic tool. In a k-out-of-n oblivious transfer (OT) model, one party Alice (the sender) sends n bits to another party Bob (the receiver), Bob can get only k bits from n bits. However, Alice cannot know which k bits Bob received. In this paper, we propose two efficient k-out-of-n oblivious transfer schemes, which are proved security without using random oracle. At the same time, security of the two schemes is based on DDH assumption. As efficiency of computation and communication, the cost of communication and computation of the receiver is independent of number n of messages; a prominent advantage is that the sender only computes one exponentiation in the second oblivious transfer scheme. To the best of my knowledge, it is least computation in the oblivious transfer available.

Introduction

Oblivious transfer (OT) is a fundamental cryptographic tool and widely used as a building block of secure computation. In 1981, Rabin first introduced the concept of Oblivious transfer [1]. Subsequently, it was generalized to 1-out-of-2 oblivious transfer protocols (OT12) by Even et al. [2]. The sender knows two messages and would like to let the receiver choose any one of them in such a way that the receiver does not learn more than one, and the sender remains oblivious to the value the receiver chooses. Brassard et al. directly extended 1-out-of-2 to 1-out-of-n such that the sender has n secret strings and the receiver selects one of them without revealing his choice of index. However, there has been little study in k-out-of-n oblivious OTkn. Roughly speaking, in a k-out-of-n oblivious transfer, the receiver can receiver only k messages out of n messages sent by the sender. In general, one thinks that k-out-of-n oblivious transfer is extension of 1-out-of-n oblivious transfer. It is obvious that a trivial OTkn protocol can be obtained by performing OT1n protocol k times. But the efficiency of such extension scheme is very low.

Oblivious transfer protocols can be used as stand-alone protocol, e.g. for trading digital information [5], or as a building block for more complex protocol, e.g. secure two-party computation [6], privacy-preserving auction [7] and oblivious polynomial evaluation [8].

Mu [9] and Naor [10] presented classical k-out-of-n oblivious transfer based on discrete logarithm. In the k-out-of-n oblivious transfer (1  k  n). Alice sends n bits to Bob, Bob can get only k of them. Recently, Wakaha Ogata and Ryota Sasahara proposed an efficient k-out-of-n oblivious transfer based on OT1n of the scheme of Naor and Pinkas with less communication and computation cost. But these schemes are not efficient or not provably secure.

Our contribution: In this paper, we give two efficient k-out-of-n oblivious transfer schemes. Compared with Wakaha et al. scheme, the first proposed scheme is more efficient, and it has much less communication cost and computation complexity; and our second proposed scheme has a prominent advantage that the sender only computes one exponentiation, to the best of my knowledge, it is least computation for the sender in the oblivious transfer scheme available. Our schemes are provably secure under the Decisional Diffie–Hellman (DDH) assumption, and our schemes are very efficient in computation and achieve optimal efficiency in terms of the number of round and the total number of exchanged messages for the case that the receiver’s choice is unconditionally secure.

Section snippets

The definition of oblivious transfer

Oblivious transfer (OT) is a cryptographic protocol between two players, called receiver and a sender, In the k-out-of-n oblivious transfer scheme, the sender has n messages, and the receiver wants to get arbitrary k messages among n messages.

The OT scheme should satisfy the basic requirements:

Collectness: The protocol achieves its goal if the sender and the receiver behave properly. That is, the receiver only gets k messages that he wants to know.

The receiver’s privacy: After executing the

The first k-out-of-n OT scheme

In this section, we give the first k-out-of-n OT scheme based on DDH assumption without using random oracle model, and security proof of the scheme. Compared with Wakaha et al.’s scheme, our scheme has less communications cost and computations complexity.

In the following, we suppose g be a generator of a multiplicative group and the group 〈g〉 has prime order q. Let M1, M2,  , Mn  g〉 be the messages of the sender, and (δ1, δ2,  , δk) be the choice indices of the receiver.

  • Step 1:

    The receiver first sets a

Security analysis

Correctness: According to the above oblivious transfer scheme, we know for all i  {1,  , n}Zi=gc0+c1i++ck-1ik-1+ik,holds, and Ki and Ki satisfy the follow relation:Ki=Zis(B0B1i)ri=gsf(i)gri(b0+b1i)=gsf(i)g(sa+ri)(b0+b1i)=gsf(i)Ki.To any i  {δ1,  , δk}, f(i) = 0 holds, so we get Ki=Ki, then the receiver obtains message to be Mi, i  {δ1,  , δk}.

Theorem 1

In a k-out-of-n oblivious transfer scheme, it is negligible to guess the probability of which messages the receiver chooses for the sender.

Proof

In a k-out-of-n

Efficiency

In this section, we give a comparison of communication cost and computation complexity between Wakaha et al.’s scheme with our scheme (See the following Table 1 in detail).

In an oblivious transfer scheme, the performance criteria that interest us are sender’s computational effort, the receiver’s computational effort, and the communication between the sender and the receiver. The computation complexity is mainly determined by exponentiation operator in an oblivious transfer scheme. After the

The second k-out-of-n oblivious transfer scheme

In the following, we give the second k-out-of-n oblivious transfer scheme and discuss security of the scheme. Suppose that (δ1,  , δk)  (1,  , n) are indices of messages which the receiver wants to get. Let G be an Abelian group of order p, where p = 2q + 1 and p, q are two large primes. S denotes the sender, R be the receiver.

The operators of the second k-out-of-n oblivious transfer scheme are as follows:

  • 1.

    S randomly chooses two generators g and h of G, and which satisfy that the discrete logarithm of h

Analysis of security and efficiency

In this section, we will give analysis of security and efficiency to our proposed second oblivious transfer scheme. Suppose that the sender and the receiver are honest in the above protocol, we can obtainWi=βr0+r1i++rk-1ik-1+ikhc0+c1i++ck-1ik-1+ik=gtR(i)htf(i),for all i  {δ1,  , δk}, f(i) = 0 holds, therefore we get the following relationWi=gtR(i)htf(i)=gtR(i)=βR(i).Because only the receiver knows the polynomial R(x), and he knows β, thus the receiver can correctly obtain message Mi=Mi, i  {δ1,  , δk

Conclusion

In this paper, we have proposed two efficient k-out-of-n oblivious transfer schemes, which have been provably security without using random oracle model. Both the oblivious transfer schemes are based on DDH assumption, and cover all possible types of oblivious transfer. For example, they cover the Rabin’s original scheme, where the sender only one message to the receiver, while the sender does not know if or not the receiver obtains the message. Let k = 1 and n = 2, then they can converts into the

Acknowledgements

This research is supported by the doctoral starting fund of North China University of Technology.

References (8)

  • O. Rabin, Exchange secrets by oblivious transfer, Computer Science Lab, Harvard University, Cambridge, MA, TR-81,...
  • S. Even et al.

    A randomized protocol for signing contracts

    Commun. ACM

    (1985)
  • O. Goldreich, M. Micali, A. Widgerson, How to play any mental game, in: Proc. of the 19th ACM Symp. on Theory of...
  • M. Naor, B. Pinkas, Privacy preserving auctions and mechanism design, in: Proc. of the 1st ACM Conf. on Electronic...
There are more references available in the full text version of this article.

Cited by (0)

View full text