Oblivious transfer

From Free net encyclopedia

In cryptography, an oblivious transfer protocol (often abbreviated OT) is a protocol by which a sender sends some information to the receiver, but remains oblivious as to what is sent.

The first form of oblivious transfer was introduced in 1981 by Michael O. RabinTemplate:Ref. In this form, the sender sends a message to the receiver with probability 1/2, while the sender remains oblivious as to whether or not the receiver received the message. Rabin's oblivious transfer scheme is based on the RSA cryptosystem. A more useful form of oblivious transfer called 1-2 oblivious transfer or "1 out of 2 oblivious transfer," was developed later by Shimon Even, Oded Goldreich, and Abraham LempelTemplate:Ref, in order to build protocols for secure multiparty computation.

Further work has revealed oblivious transfer to be a fundamental and important problem in cryptography. It is considered one of the critical problems in the field, because of the importance of the applications that can be built based on it.Template:Ref

Contents 1 Rabin's oblivious transfer protocol 2 1-2 oblivious transfer 3 See also 4 References 5 External links

Rabin's oblivious transfer protocol

In Rabin's oblivious transfer protocol, the sender generates an RSA public modulus N=pq where p and q are large prime numbers, and an exponent e relatively prime to (p-1)(q-1). The sender encrypts the message m as m^e mod N.

1. The sender sends N,e, and m^e mod N to the receiver.
2. The receiver picks a random x modulo N and sends x² mod N to the sender.
3. The sender finds a square root y of x² mod N and sends y to the receiver.

If the y the sender finds is neither x nor -x modulo N, the receiver will be able to factor N and therefore decrypt m^e to recover m (see Rabin encryption for more details). However, if y is x or -x mod N, the receiver will have no information about m beyond the encryption of it. Since every quadratic residue modulo N has four square roots, the probability that the receiver learns m is 1/2.

1-2 oblivious transfer

In a 1-2 oblivious transfer protocol, the sender has two messages m₀ and m₁, and the receiver has a bit b, and the receiver wishes to receive m_b, without the sender learning b, while the sender wants to ensure that the receiver receive only one of the two messages. The protocol of Even, Goldreich, and Lempel (which the authors attribute partially to Silvio Micali), is general, but can be instantiated using RSA encryption as follows.

1. The sender generates RSA keys, including the modulus N, the public exponent e, and the private exponent d, and picks two random messages x₀ and x₁, and sends N, e, x₀, and x₁ to the receiver.
2. The receiver picks a random message k, encrypts k, and adds x_b to the encryption of k, modulo N, and sends the result c to the sender.
3. The sender computes k₀ to be the decryption of q-x₀ and similarly k₁ to be the decryption of q-x₁, and sends m₀ + k₀ and m₁ + k₁ to the receiver.
4. The receiver knows k_b and subtracts this from the corresponding part of the sender's message to obtain m_b.

See also

• Zero knowledge proof

References

• Template:Note Michael O. Rabin. "How to exchange secrets by oblivious transfer." Technical Report TR-81, Aiken Computation Laboratory, Harvard University, 1981. Paper on eprint.iacr.org archive
• Template:Note S. Even, O. Goldreich, and A. Lempel, "A Randomized Protocol for Signing Contracts", Communications of the ACM, Volume 28, Issue 6, pg. 637-647, 1985. Paper at ACM portal (subscription required)
• Template:Note Joe Kilian. "Founding Cryptography on Oblivious Transfer", Proceedings, 20th Annual ACM Symposium on the Theory of Computation (STOC), 1988. Paper on Joe Kilian's home page

External links

• Helger Lipmaa's collection of Web links on the topic