2008 | OriginalPaper | Buchkapitel
A Framework for Efficient and Composable Oblivious Transfer
verfasst von : Chris Peikert, Vinod Vaikuntanathan, Brent Waters
Erschienen in: Advances in Cryptology – CRYPTO 2008
Verlag: Springer Berlin Heidelberg
Aktivieren Sie unsere intelligente Suche, um passende Fachinhalte oder Patente zu finden.
Wählen Sie Textabschnitte aus um mit Künstlicher Intelligenz passenden Patente zu finden. powered by
Markieren Sie Textabschnitte, um KI-gestützt weitere passende Inhalte zu finden. powered by
We propose a simple and general framework for constructing oblivious transfer (OT) protocols that are
efficient
,
universally composable
, and
generally realizable
under any one of a variety of standard number-theoretic assumptions, including the decisional Diffie-Hellman assumption, the quadratic residuosity and decisional composite residuosity assumptions, and
worst-case
lattice assumptions.
Our OT protocols are round-optimal (one message each way), quite efficient in computation and communication, and can use a single common string for an unbounded number of executions between the same sender and receiver. Furthermore, the protocols can provide
statistical
security to either the sender or the receiver, simply by changing the distribution of the common string. For certain instantiations of the protocol, even a common
uniformly random
string suffices.
Our key technical contribution is a simple abstraction that we call a
dual-mode
cryptosystem. We implement dual-mode cryptosystems by taking a unified view of several cryptosystems that have what we call “messy” public keys, whose defining property is that a ciphertext encrypted under such a key carries
no information
(statistically) about the encrypted message.
As a contribution of independent interest, we also provide a multi-bit
amortized
version of Regev’s lattice-based cryptosystem (STOC 2005) whose time and space complexity are improved by a linear factor in the security parameter
n
. The resulting amortized encryption and decryption times are only
$\tilde{O}(n)$
bit operations per message bit, and the ciphertext expansion can be made as small as a constant; the public key size and underlying lattice assumption remain essentially the same.