Two provably secure k-out-of-n oblivious transfer schemes
Introduction
Oblivious transfer (OT) is a fundamental cryptographic tool and widely used as a building block of secure computation. In 1981, Rabin first introduced the concept of Oblivious transfer [1]. Subsequently, it was generalized to 1-out-of-2 oblivious transfer protocols by Even et al. [2]. The sender knows two messages and would like to let the receiver choose any one of them in such a way that the receiver does not learn more than one, and the sender remains oblivious to the value the receiver chooses. Brassard et al. directly extended 1-out-of-2 to 1-out-of-n such that the sender has n secret strings and the receiver selects one of them without revealing his choice of index. However, there has been little study in k-out-of-n oblivious . Roughly speaking, in a k-out-of-n oblivious transfer, the receiver can receiver only k messages out of n messages sent by the sender. In general, one thinks that k-out-of-n oblivious transfer is extension of 1-out-of-n oblivious transfer. It is obvious that a trivial protocol can be obtained by performing protocol k times. But the efficiency of such extension scheme is very low.
Oblivious transfer protocols can be used as stand-alone protocol, e.g. for trading digital information [5], or as a building block for more complex protocol, e.g. secure two-party computation [6], privacy-preserving auction [7] and oblivious polynomial evaluation [8].
Mu [9] and Naor [10] presented classical k-out-of-n oblivious transfer based on discrete logarithm. In the k-out-of-n oblivious transfer (1 ⩽ k ⩽ n). Alice sends n bits to Bob, Bob can get only k of them. Recently, Wakaha Ogata and Ryota Sasahara proposed an efficient k-out-of-n oblivious transfer based on of the scheme of Naor and Pinkas with less communication and computation cost. But these schemes are not efficient or not provably secure.
Our contribution: In this paper, we give two efficient k-out-of-n oblivious transfer schemes. Compared with Wakaha et al. scheme, the first proposed scheme is more efficient, and it has much less communication cost and computation complexity; and our second proposed scheme has a prominent advantage that the sender only computes one exponentiation, to the best of my knowledge, it is least computation for the sender in the oblivious transfer scheme available. Our schemes are provably secure under the Decisional Diffie–Hellman (DDH) assumption, and our schemes are very efficient in computation and achieve optimal efficiency in terms of the number of round and the total number of exchanged messages for the case that the receiver’s choice is unconditionally secure.
Section snippets
The definition of oblivious transfer
Oblivious transfer (OT) is a cryptographic protocol between two players, called receiver and a sender, In the k-out-of-n oblivious transfer scheme, the sender has n messages, and the receiver wants to get arbitrary k messages among n messages.
The OT scheme should satisfy the basic requirements:
Collectness: The protocol achieves its goal if the sender and the receiver behave properly. That is, the receiver only gets k messages that he wants to know.
The receiver’s privacy: After executing the
The first k-out-of-n OT scheme
In this section, we give the first k-out-of-n OT scheme based on DDH assumption without using random oracle model, and security proof of the scheme. Compared with Wakaha et al.’s scheme, our scheme has less communications cost and computations complexity.
In the following, we suppose g be a generator of a multiplicative group and the group 〈g〉 has prime order q. Let M1, M2, … , Mn ∈ 〈g〉 be the messages of the sender, and (δ1, δ2, … , δk) be the choice indices of the receiver.
- Step 1:
The receiver first sets a
Security analysis
Correctness: According to the above oblivious transfer scheme, we know for all i ∈ {1, … , n}holds, and Ki and satisfy the follow relation:To any i ∈ {δ1, … , δk}, f(i) = 0 holds, so we get , then the receiver obtains message to be Mi, i ∈ {δ1, … , δk}. Theorem 1 In a k-out-of-n oblivious transfer scheme, it is negligible to guess the probability of which messages the receiver chooses for the sender. Proof In a k-out-of-n
Efficiency
In this section, we give a comparison of communication cost and computation complexity between Wakaha et al.’s scheme with our scheme (See the following Table 1 in detail).
In an oblivious transfer scheme, the performance criteria that interest us are sender’s computational effort, the receiver’s computational effort, and the communication between the sender and the receiver. The computation complexity is mainly determined by exponentiation operator in an oblivious transfer scheme. After the
The second k-out-of-n oblivious transfer scheme
In the following, we give the second k-out-of-n oblivious transfer scheme and discuss security of the scheme. Suppose that (δ1, … , δk) ⊂ (1, … , n) are indices of messages which the receiver wants to get. Let G be an Abelian group of order p, where p = 2q + 1 and p, q are two large primes. S denotes the sender, R be the receiver.
The operators of the second k-out-of-n oblivious transfer scheme are as follows:
- 1.
S randomly chooses two generators g and h of G, and which satisfy that the discrete logarithm of h
Analysis of security and efficiency
In this section, we will give analysis of security and efficiency to our proposed second oblivious transfer scheme. Suppose that the sender and the receiver are honest in the above protocol, we can obtainfor all i ∈ {δ1, … , δk}, f(i) = 0 holds, therefore we get the following relationBecause only the receiver knows the polynomial R(x), and he knows β, thus the receiver can correctly obtain message , i ∈ {δ1, … , δk
Conclusion
In this paper, we have proposed two efficient k-out-of-n oblivious transfer schemes, which have been provably security without using random oracle model. Both the oblivious transfer schemes are based on DDH assumption, and cover all possible types of oblivious transfer. For example, they cover the Rabin’s original scheme, where the sender only one message to the receiver, while the sender does not know if or not the receiver obtains the message. Let k = 1 and n = 2, then they can converts into the
Acknowledgements
This research is supported by the doctoral starting fund of North China University of Technology.
References (8)
- O. Rabin, Exchange secrets by oblivious transfer, Computer Science Lab, Harvard University, Cambridge, MA, TR-81,...
- et al.
A randomized protocol for signing contracts
Commun. ACM
(1985) - O. Goldreich, M. Micali, A. Widgerson, How to play any mental game, in: Proc. of the 19th ACM Symp. on Theory of...
- M. Naor, B. Pinkas, Privacy preserving auctions and mechanism design, in: Proc. of the 1st ACM Conf. on Electronic...