ebooksgratis.com

See also ebooksgratis.com: no banners, no cookies, totally FREE.

CLASSICISTRANIERI HOME PAGE - YOUTUBE CHANNEL
Privacy Policy Cookie Policy Terms and Conditions
Oblivious transfer - Wikipedia, the free encyclopedia

Oblivious transfer

From Wikipedia, the free encyclopedia

In cryptography, an oblivious transfer protocol (often abbreviated OT) is a protocol by which a sender sends some information to the receiver, but remains oblivious as to what is received.

In the early seventies Stephen Wiesner introduced a primitive called multiplexing in his seminal paper "Conjugate Coding", which was the starting point of quantum cryptography[1]. Unfortunately it took more than ten years to be published. Even though this primitive was equivalent to what was later called 1-2 oblivious transfer, Wiesner did not see its application to cryptography.

The first form of oblivious transfer was introduced in 1981 by Michael O. Rabin[2]. In this form, the sender sends a message to the receiver with probability 1/2, while the sender remains oblivious as to whether or not the receiver received the message. Rabin's oblivious transfer scheme is based on the RSA cryptosystem. A more useful form of oblivious transfer called 1-2 oblivious transfer or "1 out of 2 oblivious transfer," was developed later by Shimon Even, Oded Goldreich, and Abraham Lempel[3], in order to build protocols for secure multiparty computation. It is generalized to "1 out of n oblivious transfer" where the user gets exactly one database element without the server getting to know which element was queried. The latter notion of oblivious transfer is a strengthening of private information retrieval where one does not care about database's privacy.

Claude Crépeau showed that Rabin's oblivious transfer is equivalent to 1-2 oblivious transfer.[4]

Further work has revealed oblivious transfer to be a fundamental and important problem in cryptography. It is considered one of the critical problems in the field, because of the importance of the applications that can be built based on it. In particular, it is a `complete' for secure multiparty computation: that is given an implementation of oblivious transfer it is possible to securely evaluate any polynomial time computable function without any additional primitive.[5]

Contents

[edit] Rabin's oblivious transfer protocol

In Rabin's oblivious transfer protocol, the sender generates an RSA public modulus N=pq where p and q are large prime numbers, and an exponent e relatively prime to (p-1)(q-1). The sender encrypts the message m as me mod N.

  1. The sender sends N,e, and me mod N to the receiver.
  2. The receiver picks a random x modulo N and sends x2 mod N to the sender. Note that gcd(x,N)=1 with overwhelming probability, which ensures that there are 4 square roots of x2 mod N.
  3. The sender finds a square root y of x2 mod N and sends y to the receiver.

If the y the sender finds is neither x nor -x modulo N, the receiver will be able to factor N and therefore decrypt me to recover m (see Rabin encryption for more details). However, if y is x or -x mod N, the receiver will have no information about m beyond the encryption of it. Since every quadratic residue modulo N has four square roots, the probability that the receiver learns m is 1/2.

[edit] 1-2 oblivious transfer

In a 1-2 oblivious transfer protocol, the sender has two messages m0 and m1, and the receiver has a bit b, and the receiver wishes to receive mb, without the sender learning b, while the sender wants to ensure that the receiver receive only one of the two messages. The protocol of Even, Goldreich, and Lempel (which the authors attribute partially to Silvio Micali), is general, but can be instantiated using RSA encryption as follows.

  1. The sender generates RSA keys, including the modulus N, the public exponent e, and the private exponent d, and picks two random messages x0 and x1, and sends N, e, x0, and x1 to the receiver.
  2. The receiver picks a random message k, encrypts k, and adds xb to the encryption of k, modulo N, and sends the result q to the sender.
  3. The sender computes k0 to be the decryption of q-x0 and similarly k1 to be the decryption of q-x1, and sends m0 + k0 and m1 + k1 to the receiver.
  4. The receiver knows kb and subtracts this from the corresponding part of the sender's message to obtain mb.

[edit] 1-n oblivious transfer

A 1-n oblivious transfer protocol can be defined as a natural generalization of a 1-2 oblivious transfer protocol. Specifically, a sender has n messages, and the receiver has an index i, and the receiver wishes to receive the i-th among the sender's messages, without the sender learning i, while the sender wants to ensure that the receiver receive only one of the n messages. Intuitively, it can also be considered as the effect of adding an additional database's privacy requirement to some existing private information retrieval protocol.

The existence of 1-n oblivious transfer protocols from any private information retrieval protocol was first established by Giovanni Di Crescenzo, Tal Malkin and Rafail Ostrovsky in [6]. Additional constructions of 1-n oblivious transfer protocols also related to private information retrieval, were proposed, e.g., by Moni Naor and Benny Pinkas [7], William Aiello, Yuval Ishai and Omer Reingold [8], Sven Laur and Helger Lipmaa [9].

[edit] See also

[edit] References

  • ^  Stephen Wiesner, "Conjugate coding", Sigact News, vol. 15, no. 1, 1983, pp. 78 - 88; original manuscript written circa 1970.
  • ^  Michael O. Rabin. "How to exchange secrets by oblivious transfer." Technical Report TR-81, Aiken Computation Laboratory, Harvard University, 1981. Paper on eprint.iacr.org archive
  • ^  S. Even, O. Goldreich, and A. Lempel, "A Randomized Protocol for Signing Contracts", Communications of the ACM, Volume 28, Issue 6, pg. 637-647, 1985. Paper at ACM portal (subscription required)
  • ^  Claude Crépeau. "Equivalence between two flavours of oblivious transfer". In Advances in Cryptology: CRYPTO '87, volume 293 of Lecture Notes in Computer Science, pages 350--354. Springer, 1988
  • ^  Joe Kilian. "Founding Cryptography on Oblivious Transfer", Proceedings, 20th Annual ACM Symposium on the Theory of Computation (STOC), 1988. Paper on Joe Kilian's home page

[edit] External links

Languages


aa - ab - af - ak - als - am - an - ang - ar - arc - as - ast - av - ay - az - ba - bar - bat_smg - bcl - be - be_x_old - bg - bh - bi - bm - bn - bo - bpy - br - bs - bug - bxr - ca - cbk_zam - cdo - ce - ceb - ch - cho - chr - chy - co - cr - crh - cs - csb - cu - cv - cy - da - de - diq - dsb - dv - dz - ee - el - eml - en - eo - es - et - eu - ext - fa - ff - fi - fiu_vro - fj - fo - fr - frp - fur - fy - ga - gan - gd - gl - glk - gn - got - gu - gv - ha - hak - haw - he - hi - hif - ho - hr - hsb - ht - hu - hy - hz - ia - id - ie - ig - ii - ik - ilo - io - is - it - iu - ja - jbo - jv - ka - kaa - kab - kg - ki - kj - kk - kl - km - kn - ko - kr - ks - ksh - ku - kv - kw - ky - la - lad - lb - lbe - lg - li - lij - lmo - ln - lo - lt - lv - map_bms - mdf - mg - mh - mi - mk - ml - mn - mo - mr - mt - mus - my - myv - mzn - na - nah - nap - nds - nds_nl - ne - new - ng - nl - nn - no - nov - nrm - nv - ny - oc - om - or - os - pa - pag - pam - pap - pdc - pi - pih - pl - pms - ps - pt - qu - quality - rm - rmy - rn - ro - roa_rup - roa_tara - ru - rw - sa - sah - sc - scn - sco - sd - se - sg - sh - si - simple - sk - sl - sm - sn - so - sr - srn - ss - st - stq - su - sv - sw - szl - ta - te - tet - tg - th - ti - tk - tl - tlh - tn - to - tpi - tr - ts - tt - tum - tw - ty - udm - ug - uk - ur - uz - ve - vec - vi - vls - vo - wa - war - wo - wuu - xal - xh - yi - yo - za - zea - zh - zh_classical - zh_min_nan - zh_yue - zu -