Universally Composable Adaptive Oblivious Transfer

Authors

  • Matthew Green
  • Susan Hohenberger
Abstract

In an oblivious transfer (OT) protocol, a Sender with messages $M_1, \ldots, M_N$ and a Receiver with indices $\sigma_1, \ldots, \sigma_k \in [1, N]$ interact in such a way that at the end the Receiver obtains $M_{\sigma_1}, \ldots, M_{\sigma_k}$ without learning anything about the other messages and the Sender does not learn anything about $\sigma_1, \ldots, \sigma_k$. In an adaptive protocol, the Receiver may obtain $M_{\sigma_{i-1}}$ before deciding on $\sigma_i$. Efficient adaptive OT protocols are interesting both as a building block for secure multiparty computation and for enabling oblivious searches on medical and patent databases. Historically, adaptive OT protocols were analyzed with respect to a “half-simulation” definition which Naor and Pinkas showed to be flawed. In 2007, Camenisch, Neven, and shelat, and subsequent other works, demonstrated efficient adaptive protocols in the full-simulation model. These protocols, however, all use standard rewinding techniques in their proofs of security and thus are not universally composable. Recently, Peikert, Vaikuntanathan and Waters presented universally composable (UC) non-adaptive OT protocols (for the 1-out-of-2 variant). However, it is not clear how to preserve UC security while extending these protocols to the adaptive k-out-of-N setting. Further, any such attempt would seem to require $O(N)$ computation per transfer for a database of size $N$. In this work, we present an efficient and UC-secure adaptive k-out-of-N OT protocol, where after an initial commitment to the database, the cost of each transfer is constant. Our construction is secure under bilinear assumptions in the standard model.


Similar resources

On Black-Box Complexity of Universally Composable Security in the CRS Model

In this work, we study the intrinsic complexity of black-box Universally Composable (UC) secure computation based on general assumptions. We present a thorough study in various corruption modelings while focusing on achieving security in the common reference string (CRS) model. Our results involve the following: • Static UC secure computation. Designing the first static UC secure oblivious tran...


Universally Composable Oblivious Transfer in the Multi-party Setting

We construct efficient universally composable oblivious transfer protocols in the multi-party setting for honest majorities. Unlike previous proposals our protocols are designed in the plain model (i.e., without a common reference string), are secure against malicious adversaries from scratch (i.e., without requiring an expensive compiler), and are based on weaker cryptographic assumptions than...


Universally Composable Adaptive Priced Oblivious Transfer

An adaptive k-out-of-N Priced Oblivious Transfer (POT) scheme is a two-party protocol between a vendor and a buyer. The vendor sells a set of messages $m_1, \ldots, m_N$ with prices $p_1, \ldots, p_N$. In each transfer phase $i = 1, \ldots, k$, the buyer chooses a selection value $\sigma_i \in \{1, \ldots, N\}$ and interacts with the vendor to buy message $m_{\sigma_i}$ in such a way that the vendor does not learn $\sigma_i$ and the b...


Generic Fully Simulatable Adaptive Oblivious Transfer

We aim at constructing adaptive oblivious transfer protocols, enjoying fully simulatable security, from various well-known assumptions such as DDH, d-Linear, QR, DCR, and LWE. To this end, we present two generic constructions of adaptive OT, one of which utilizes verifiable shuffles together with threshold decryption schemes, while the other uses permutation networks together with what we call ...



Publication date: 2008