Simulatable Adaptive Oblivious Transfer

We study an adaptive variant of oblivious transfer in which a sender has N messages, of which a receiver can adaptively choose to receive k one-after-the-other, in such a way that (a) the sender learns nothing about the receiver's selections, and (b) the receiver only learns about the k requested messages. We propose two practical protocols for this primitive that achieve a stronger security notion than previous schemes with comparable efficiency. In particular, by requiring full simulatability for both sender and receiver security, our notion prohibits a subtle selective-failure attack not addressed by the security notions achieved by previous practical schemes. Our first protocol is a very efficient generic construction from unique blind signatures in the random oracle model. The second construction does not assume random oracles, but achieves remarkable efficiency with only a constant number of group elements sent during each transfer. This second construction uses novel techniques for building efficient simulatable protocols.
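A toy instance of the first construction above (adaptive k-out-of-N OT from a unique blind signature in the random oracle model), added here as an illustration and not code from the paper: Chaum's RSA-FDH blind signature stands in for the unique blind signature, SHA-256 for the random oracles, and the sender publishes each message padded with a hash of its index's signature. Assumptions: tiny, insecure RSA parameters, messages of at most 32 bytes, and none of the zero-knowledge proofs or parameter sizes a real simulatable instantiation needs.

```python
import hashlib
import secrets
from math import gcd
# Constructed toy RSA key (tiny primes, insecure): illustration only.
P, Q = 1000003, 1000033
RSA_N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))

def h_index(i: int) -> int:  # random oracle H on an index, as a full-domain hash into Z_n
    return int.from_bytes(hashlib.sha256(b"idx|%d" % i).digest(), "big") % RSA_N

def key_for(i: int, sig: int) -> bytes:  # random oracle H'(i, S_i): one-time pad for message i
    return hashlib.sha256(b"key|%d|%d" % (i, sig)).digest()

def xor(a: bytes, b: bytes) -> bytes:  # messages are at most 32 bytes (one SHA-256 output)
    return bytes(x ^ y for x, y in zip(a, b))

def sender_init(msgs):
    """Initialization: publish C_i = M_i xor H'(i, S_i), S_i the unique RSA-FDH signature on i."""
    return [xor(m, key_for(i, pow(h_index(i), D, RSA_N))) for i, m in enumerate(msgs)]

def receiver_blind(sigma: int):
    """Transfer, receiver side: blind H(sigma) with a random r, so sigma is hidden from the sender."""
    r = secrets.randbelow(RSA_N - 2) + 2
    while gcd(r, RSA_N) != 1:
        r = secrets.randbelow(RSA_N - 2) + 2
    return (h_index(sigma) * pow(r, E, RSA_N)) % RSA_N, r

def sender_sign(blinded: int, budget: list) -> int:
    """Transfer, sender side: one RSA signature per transfer, at most k in total."""
    if budget[0] <= 0:
        raise PermissionError("all k transfers already used")
    budget[0] -= 1
    return pow(blinded, D, RSA_N)

def receiver_finish(sigma: int, blinded_sig: int, r: int, ctexts):
    """Unblind, verify the unique signature (a bad one aborts for every sigma alike), decrypt C_sigma."""
    sig = (blinded_sig * pow(r, -1, RSA_N)) % RSA_N
    if pow(sig, E, RSA_N) != h_index(sigma):
        raise ValueError("invalid signature: abort")
    return xor(ctexts[sigma], key_for(sigma, sig))

def adaptive_ot(msgs, choices, k):
    """Run the k adaptive transfers end to end; returns the messages the receiver recovers."""
    ctexts, budget, out = sender_init(msgs), [k], []
    for sigma in choices:
        blinded, r = receiver_blind(sigma)
        out.append(receiver_finish(sigma, sender_sign(blinded, budget), r, ctexts))
    return out
```

Because the signature on an index is unique, the pad H'(i, S_i) is fixed once the sender publishes its key, so the sender cannot make decryption fail for some indices and not others; the receiver's verification step turns any malformed signature into an abort that does not depend on sigma.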
