Practical Adaptive Oblivious Transfer from a Simple Assumption

We present the first efficient, adaptive oblivious transfer protocol which is fully-simulatable under a simple assumption in the standard model. The sole complexity assumption required is that given (g, g, g, g, Q), where g generates a bilinear group of prime order p and a, b, c are selected randomly from Zp, it is hard to decide if Q = g. In an adaptive oblivious transfer protocol, a sender with a database of messages and a receiver repeatedly interact in such a way that the receiver obtains one message per interaction of his choice (and nothing more) while the sender learns nothing about any of the choices. All prior protocols in the standard model require dynamic “q-based” assumptions, where the number of group elements in the assumption input grows with the size of the sender’s database. Our construction makes an important change to the established “assisted decryption” technique for designing adaptive OT. As in prior works, the sender commits to a database of n messages by publishing an encryption of each message and a signature on each encryption. Then, each transfer phase can be executed in time independent of n as the receiver blinds one of the encryptions and proves knowledge of the blinding factors and a signature on this encryption, after which the sender helps the receiver decrypt the chosen ciphertext. One of the main obstacles to designing an adaptive OT scheme from a simple assumption is realizing a suitable signature for this purpose (i.e., enabling signatures on group elements in a manner that later allows for efficient proofs.) We make the observation that a secure signature scheme is not necessary for this paradigm, provided that signatures can only be forged in certain ways. We then show how to efficiently integrate an insecure signature into a secure adaptive OT construction. We believe this construction and its underlying techniques may be of interest in designing other privacy-preserving protocols from simple complexity assumptions.