Priced Oblivious Transfer: How to Sell Digital Goods

We consider the question of protecting the privacy of customers buying digital goods. More specifically, our goal is to allow a buyer to purchase digital goods from a vendor without letting the vendor learn what, and to the extent possible also when and how much, it is buying. We propose solutions which allow the buyer, after making an initial deposit, to engage in an unlimited number of priced oblivious-transfer protocols, satisfying the following requirements: As long as the buyer's balance contains sufficient funds, it will successfully retrieve the selected item and its balance will be debited by the item's price. However, the buyer should be unable to retrieve an item whose cost exceeds its remaining balance. The vendor should learn nothing except what must inevitably be learned, namely, the amount of interaction and the initial deposit amount (which imply upper bounds on the quantity and total price of all information obtained by the buyer). In particular, the vendor should be unable to learn what the buyer's current balance is or when it actually runs out of its funds. The technical tools we develop, in the process of solving this problem, seem to be of independent interest. In particular, we present the first one-round (two-pass) protocol for oblivious transfer that does not rely on the random oracle model (a very similar protocol was independently proposed by Naor and Pinkas [21]). This protocol is a special case of a more general "conditional disclosure" methodology, which extends a previous approach from [11] and adapts it to the 2-party setting.
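To make the "one-round (two-pass)" and "conditional disclosure" ideas concrete, here is an added example, not code from the paper or its authors: a toy 1-out-of-n oblivious transfer in which the vendor's reply for slot i decrypts to item i only if the buyer's encrypted query equals i. The ElGamal-style construction, the tiny group parameters and all function names are assumptions of this sketch; it does not model prices or the buyer's balance.

```python
import secrets

# Toy group, constructed for illustration and far too small for real use:
# safe prime P = 2Q + 1; G = 4 generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4

def inv(v):
    """Modular inverse in Z_P^* via Fermat's little theorem."""
    return pow(v, P - 2, P)

def receiver_query(choice):
    """Pass 1 (buyer): fresh ElGamal key and an encryption of G^choice."""
    x = secrets.randbelow(Q - 1) + 1            # secret key, kept by the buyer
    h = pow(G, x, P)
    r = secrets.randbelow(Q - 1) + 1
    c1 = pow(G, r, P)
    c2 = pow(h, r, P) * pow(G, choice, P) % P
    return x, (h, c1, c2)

def vendor_reply(items, query):
    """Pass 2 (vendor): item i is recoverable only if the query encrypts i."""
    h, c1, c2 = query
    reply = []
    for i, m in enumerate(items):
        s = secrets.randbelow(Q - 1) + 1        # nonzero: a wrong index never cancels
        t = secrets.randbelow(Q)                # re-randomises the ciphertext
        d = c2 * inv(pow(G, i, P)) % P          # now encrypts G^(choice - i)
        a = pow(c1, s, P) * pow(G, t, P) % P
        b = pow(d, s, P) * pow(h, t, P) * m % P
        reply.append((a, b))
    return reply

def receiver_open(x, pair):
    """Buyer decrypts one reply slot with the secret key."""
    a, b = pair
    return b * inv(pow(a, x, P)) % P

def run(items, choice):
    """One full exchange; returns what each reply slot decrypts to."""
    x, query = receiver_query(choice)
    return [receiver_open(x, pair) for pair in vendor_reply(items, query)]

# Constructed sample catalogue: items encoded as elements of the subgroup.
ITEMS = [pow(G, k, P) for k in (11, 22, 33, 44)]
```

The vendor sees only the three group elements of the query, and every slot other than the chosen one decrypts to the item multiplied by a random non-identity subgroup element.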

[1] Oded Goldreich, et al. A randomized protocol for signing contracts, 1985, CACM.

[2] Julien P. Stern. A new and efficient all-or-nothing disclosure of secrets protocol, 1998.

[3] Fabrice Boudot, et al. Efficient Proofs that a Committed Number Lies in an Interval, 2000, EUROCRYPT.

[4] Gilles Brassard, et al. All-or-Nothing Disclosure of Secrets, 1986, CRYPTO.

[5] David Chaum, et al. Security without identification: transaction systems to make big brother obsolete, 1985, CACM.

[6] Eyal Kushilevitz, et al. Private information retrieval, 1998, JACM.

[7] A. Yao, et al. Fair exchange with a semi-trusted third party (extended abstract), 1997, CCS '97.

[8] Jacques Stern, et al. A New Public-Key Cryptosystem, 1997, EUROCRYPT.

[9] Tatsuaki Okamoto, et al. A New Public-Key Cryptosystem as Secure as Factoring, 1998, EUROCRYPT.

[10] Yuval Ishai, et al. Protecting data privacy in private information retrieval schemes, 1998, STOC '98.

[11] Ran Canetti, et al. Security and Composition of Multiparty Cryptographic Protocols, 2000, Journal of Cryptology.

[12] David Naccache, et al. On blind signatures and perfect crimes, 1992, Comput. Secur.

[13] Amos Fiat, et al. Untraceable Electronic Cash, 1990, CRYPTO.

[14] Moni Naor, et al. Oblivious Transfer with Adaptive Queries, 1999, CRYPTO.

[15] Julien P. Stern. A New Efficient All-Or-Nothing Disclosure of Secrets Protocol, 1998, ASIACRYPT.

[16] Joe Kilian, et al. Founding cryptography on oblivious transfer, 1988, STOC '88.

[17] Moni Naor, et al. Distributed Oblivious Transfer, 2000, ASIACRYPT.

[18] Silvio Micali, et al. How to play ANY mental game, 1987, STOC.

[19] Silvio Micali, et al. Non-Interactive Oblivious Transfer and Applications, 1989, CRYPTO.

[20] Pascal Paillier, et al. Public-Key Cryptosystems Based on Composite Degree Residuosity Classes, 1999, EUROCRYPT.

[21] Silvio Micali, et al. Computationally Private Information Retrieval with Polylogarithmic Communication, 1999, EUROCRYPT.

[22] Rafail Ostrovsky, et al. Replication is not needed: single database, computationally-private information retrieval, 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[23] Hannes Federrath, et al. Anonymity and Unobservability in the Internet, 1999.

[24] Yuval Ishai, et al. Private simultaneous messages protocols with applications, 1997, Proceedings of the Fifth Israeli Symposium on Theory of Computing and Systems.

[25] Moni Naor, et al. Oblivious transfer and polynomial evaluation, 1999, STOC '99.

[26] Moni Naor, et al. Number-theoretic constructions of efficient pseudo-random functions, 1997, Proceedings 38th Annual Symposium on Foundations of Computer Science.

[27] Moni Naor, et al. Efficient oblivious transfer protocols, 2001, SODA '01.

[28] Elizabeth D Mann. Private access to distributed information, 1998.

[29] Hannes Federrath, et al. Project "anonymity and unobservability in the Internet", 2000, CFP '00.