Adaptive Oblivious Transfer Protocols

Posted on: 2016-11-15
Degree: Master
Type: Thesis
Country: China
Candidate: H Y Cao
Full Text: PDF
GTID: 2308330479495349
Subject: Basic mathematics
Abstract/Summary:
Secure multi-party computation (MPC) is a basic topic of cryptography. The oblivious transfer (OT) primitive is a fundamental component of an MPC protocol. There are two main OT models: $\mathrm{OT}^1_2$ and $\mathrm{OT}^k_n$. In $\mathrm{OT}^1_2$, the sender has two secrets $m_1$ and $m_2$ and would like to give the receiver one of them at the receiver's choice. Meanwhile, the receiver does not want the sender to know which secret he chooses. In $\mathrm{OT}^k_n$, the sender has n secrets $m_1, \ldots, m_n$ and would like to give the receiver k of them at the receiver's choice. The receiver does not want the sender to know which secrets he chooses.

The general $\mathrm{OT}^k_n$ model does not consider the adaptive attack, in which the adversary uses information obtained during the interaction between the sender S and the receiver R to strengthen its attack. To solve this problem, Naor and Pinkas put forth the model of adaptive oblivious transfer in 1999. In this model, R can send k queries to S one by one. Over the k interactions, R can recover only k messages of his choice. Beyond that, R learns nothing about the remaining messages. Moreover, S does not learn which messages R recovers.

The first contribution of this thesis is to simplify and improve the Camenisch-Neven-Shelat OT protocol. At Eurocrypt'07, Camenisch, Neven and Shelat proposed an adaptive OT protocol that adopted the technique of assisted decryption. The protocol has greatly influenced similar protocols. We find that the encryption used in the protocol is deterministic. As a result of this structure, S (the database manager) can serve only a single user R. Moreover, the protocol can be run only once, even in the presence of a single user. To overcome these two shortcomings, we improve the Camenisch-Neven-Shelat OT scheme by replacing the deterministic encryption with a probabilistic encryption. We also show that the improvement is adaptively secure.

The original protocol and similar protocols use zero-knowledge proofs to check the consistency of ciphertexts. We point out that this procedure is unnecessary. In the earlier literature, Rabin, Even, Goldreich and Lempel stressed that in most applications the message transferred in an OT protocol must be recognizable to the receiver R. We reaffirm this point because it helps to greatly simplify many OT protocols.

The second contribution is to simplify and improve the Green-Hohenberger OT protocol. At TCC'11, Green and Hohenberger proposed an adaptive OT protocol under...
Keywords/Search Tags: Oblivious transfer, Adaptive oblivious transfer, Camenisch-Neven-Shelat OT protocol, Green-Hohenberger OT protocol, Boneh-Boyen ID-based encryption scheme, Recognizable message