A framework for efficient and composable oblivious transfer.

*(English)*Zbl 1183.94046
Wagner, David (ed.), Advances in cryptology – CRYPTO 2008. 28th annual international cryptology conference, Santa Barbara, CA, USA, August 17–21, 2008. Proceedings. Berlin: Springer (ISBN 978-3-540-85173-8/pbk). Lecture Notes in Computer Science 5157, 554-571 (2008).

Summary: We propose a simple and general framework for constructing oblivious transfer (OT) protocols that are efficient, universally composable, and generally realizable under any one of a variety of standard number-theoretic assumptions, including the decisional Diffie-Hellman assumption, the quadratic residuosity and decisional composite residuosity assumptions, and worst-case lattice assumptions.

Our OT protocols are round-optimal (one message each way), quite efficient in computation and communication, and can use a single common string for an unbounded number of executions between the same sender and receiver. Furthermore, the protocols can provide statistical security to either the sender or the receiver, simply by changing the distribution of the common string. For certain instantiations of the protocol, even a common uniformly random string suffices.

Our key technical contribution is a simple abstraction that we call a dual-mode cryptosystem. We implement dual-mode cryptosystems by taking a unified view of several cryptosystems that have what we call “messy” public keys, whose defining property is that a ciphertext encrypted under such a key carries no information (statistically) about the encrypted message.

As a contribution of independent interest, we also provide a multi-bit amortized version of O. Regev’s lattice-based cryptosystem [“On lattices, learning with errors, random linear codes, and cryptography”, in: STOC’05, ACM, New York, 84–93 (2005)] whose time and space complexity are improved by a linear factor in the security parameter \(n\). The resulting amortized encryption and decryption times are only \(\tilde{O}(n)\) bit operations per message bit, and the ciphertext expansion can be made as small as a constant; the public key size and underlying lattice assumption remain essentially the same.

For the entire collection see [Zbl 1155.94010].

Our OT protocols are round-optimal (one message each way), quite efficient in computation and communication, and can use a single common string for an unbounded number of executions between the same sender and receiver. Furthermore, the protocols can provide statistical security to either the sender or the receiver, simply by changing the distribution of the common string. For certain instantiations of the protocol, even a common uniformly random string suffices.

Our key technical contribution is a simple abstraction that we call a dual-mode cryptosystem. We implement dual-mode cryptosystems by taking a unified view of several cryptosystems that have what we call “messy” public keys, whose defining property is that a ciphertext encrypted under such a key carries no information (statistically) about the encrypted message.

As a contribution of independent interest, we also provide a multi-bit amortized version of O. Regev’s lattice-based cryptosystem [“On lattices, learning with errors, random linear codes, and cryptography”, in: STOC’05, ACM, New York, 84–93 (2005)] whose time and space complexity are improved by a linear factor in the security parameter \(n\). The resulting amortized encryption and decryption times are only \(\tilde{O}(n)\) bit operations per message bit, and the ciphertext expansion can be made as small as a constant; the public key size and underlying lattice assumption remain essentially the same.

For the entire collection see [Zbl 1155.94010].