Private Mutual Authentication and Conditional Oblivious Transfer

A bi-directional Private Authentication, or

Unlinkable Secret Handshake

, allows two parties to authenticate each other as certified by given certification authorities (i.e. affiliated with given groups), in a

mutually private way

, in the sense that the protocol leaks no information about either participant to a party which does not satisfy that participant’s authentication policy. In particular, the protocol hides what group this participant belongs to, and protocol instances involving the same participant are unlinkable. We construct the first realization of such private authentication using

O

(1) exponentiations and bilinear maps, secure under Strong Diffie-Hellman and Decisional Linear assumptions.

Our protocols rely on a novel technical tool, a family of efficient Private Conditional Oblivious Transfer (COT) protocols, secure under DDH, for languages defined by modular arithmetic constraints (e.g. equality, inequality, sums, products) on discrete-log representations of some group elements. (Recall that (

w

1

,...,

w

n

) is a representation of

C

in bases (

g

1

,...,

g

n

) if

$C=g_1^{w_1}...g_n^{w_n}$

.) A COT protocol for language L allows sender

S

to encrypt message

m

“under” statement

x

so that receiver

R

gets

m

only if

R

holds a witness for membership of

x

in

L

, while

S

learns nothing. A

private

COT for

L

hides not only message

m

but also statement

x

from any

R

that does not know a witness for

x

in

L

.