 Oblivious transfer

In cryptography, an oblivious transfer protocol (often abbreviated OT) is a type of protocol in which a sender transfers one of potentially many pieces of information to a receiver, but remains oblivious as to what piece (if any) has been transferred.
The first form of oblivious transfer was introduced in 1981 by Michael O. Rabin^{1}. In this form, the sender sends a message to the receiver with probability 1/2, while the sender remains oblivious as to whether or not the receiver received the message. Rabin's oblivious transfer scheme is based on the RSA cryptosystem. A more useful form of oblivious transfer, called 1–2 oblivious transfer or "1 out of 2 oblivious transfer", was developed later by Shimon Even, Oded Goldreich, and Abraham Lempel^{2}, in order to build protocols for secure multiparty computation. It is generalized to "1 out of n oblivious transfer", where the user gets exactly one database element without the server learning which element was queried, and without the user learning anything about the other elements that were not retrieved. The latter notion of oblivious transfer is a strengthening of private information retrieval, where one does not care about the database's privacy.
Claude Crépeau showed that Rabin's oblivious transfer is equivalent to 1–2 oblivious transfer.^{3}
Further work has revealed oblivious transfer to be a fundamental and important problem in cryptography. It is considered one of the critical problems in the field, because of the importance of the applications that can be built on it. In particular, it is complete for secure multiparty computation: that is, given an implementation of oblivious transfer it is possible to securely evaluate any polynomial-time computable function without any additional primitive.^{4}
Rabin's oblivious transfer protocol
In Rabin's oblivious transfer protocol, the sender generates an RSA public modulus N=pq where p and q are large prime numbers, and an exponent e relatively prime to (p−1)(q−1). The sender encrypts the message m as m^{e} mod N.
 The sender sends N, e, and m^{e} mod N to the receiver.
 The receiver picks a random x modulo N and sends x^{2} mod N to the sender. Note that gcd(x,N)=1 with overwhelming probability, which ensures that there are 4 square roots of x^{2} mod N.
 The sender finds a square root y of x^{2} mod N and sends y to the receiver.
If the receiver finds that y is neither x nor −x modulo N, the receiver will be able to factor N (from gcd(x−y, N)) and therefore decrypt m^{e} to recover m (see Rabin encryption for more details). However, if y is x or −x mod N, the receiver will have no information about m beyond the encryption of it. Since every quadratic residue modulo N has four square roots, the probability that the receiver learns m is 1/2.
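As an added illustration (not part of the original article), a toy Python run of Rabin's protocol: the constructed primes are chosen ≡ 3 (mod 4) so the sender can take square roots by CRT, and the receiver's factoring step is the gcd(x − y, N) test described above. The parameters are far too small to be secure.

```python
from math import gcd
import random

# Constructed toy parameters (insecure): both primes are ≡ 3 (mod 4) so that
# c^((p+1)/4) mod p is a square root of a quadratic residue c mod p.
P, Q = 1019, 1103
N = P * Q
E = 17                       # public exponent, coprime to (P-1)(Q-1)

def sender_encrypt(m):
    """Sender publishes N, e and the RSA encryption of m."""
    return pow(m, E, N)

def sender_sqrt(c, signs=None):
    """Sender (who knows p, q) returns one of the four square roots of c mod N.
    'signs' selects which root; the protocol chooses it uniformly at random."""
    rp = pow(c, (P + 1) // 4, P)          # root mod p
    rq = pow(c, (Q + 1) // 4, Q)          # root mod q
    sp, sq = signs if signs else (random.choice((1, -1)), random.choice((1, -1)))
    rp, rq = (sp * rp) % P, (sq * rq) % Q
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N   # CRT combine

def receiver_step(x, y, ciphertext):
    """Receiver learns m only if y is neither x nor -x mod N: then
    gcd(x - y, N) is a non-trivial factor, which yields the private key."""
    if y in (x % N, (-x) % N):
        return None                        # trivial root: no information about m
    p = gcd(x - y, N)
    q = N // p
    d = pow(E, -1, (p - 1) * (q - 1))
    return pow(ciphertext, d, N)

def run_rabin_ot(m, x):
    """One protocol run; returns m with probability 1/2, else None."""
    assert gcd(x, N) == 1, "x must be coprime to N so x^2 has four roots"
    c = sender_encrypt(m)
    y = sender_sqrt((x * x) % N)
    return receiver_step(x, y, c)
```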
1–2 oblivious transfer
In a 1–2 oblivious transfer protocol, the sender has two messages m_{0} and m_{1}, and the receiver has a bit b; the receiver wishes to receive m_{b} without the sender learning b, while the sender wants to ensure that the receiver receives only one of the two messages. The protocol of Even, Goldreich, and Lempel (which the authors attribute partially to Silvio Micali) is general, but can be instantiated using RSA encryption as follows.
Alice | Bob
m_{0}, m_{1} (secret): messages to be sent |
d (secret), N, e (public): generate RSA key pair and send public portion to Bob | N, e (public): receive public key
x_{0}, x_{1} (public): generate two random messages | x_{0}, x_{1} (public): receive random messages
 | k, b, x_{b} (secret): choose b and generate random k
 | v (public): compute the encryption of k, blind with x_{b} and send to Alice
k_{0}, k_{1} (secret): one of these will equal k, but Alice does not know which |
m'_{0}, m'_{1} (public): send both messages to Bob | m'_{0}, m'_{1} (public): receive both messages
 | m_{b} = m'_{b} − k (secret): Bob decrypts m'_{b} since he knows which x_{b} he selected earlier
 Alice has two messages, m_{0}, m_{1}, and wants to send exactly one of them to Bob, but does not want to know which one Bob receives.
 Alice generates an RSA key pair, comprising the modulus N, the public exponent e and the private exponent d.
 She also generates two random values, x_{0}, x_{1}, and sends them to Bob along with her public modulus and exponent.
 Bob picks b to be either 0 or 1, and selects either the first or the second value, x_{b}.
 He generates a random value k and blinds x_{b} by computing the blinded value v, which he sends to Alice.
 Alice doesn't know which of x_{0} and x_{1} Bob chose, so she attempts to unblind v with both of her random messages and comes up with two possible values for k: k_{0} and k_{1}. One of these will be equal to k, since it will correctly decrypt, while the other will be another random value that does not reveal any information about k.
 She blinds the two secret messages with each of the possible keys, m'_{0} = m_{0} + k_{0} and m'_{1} = m_{1} + k_{1}, and sends them both to Bob.
 Bob knows which of the two messages can be unblinded with k, so he is able to compute exactly one of the messages: m_{b} = m'_{b} − k.
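A toy Python implementation of the RSA instantiation above, added here and not part of the original article. The blinding v = x_{b} + k^{e} mod N and unblinding k_{i} = (v − x_{i})^{d} mod N are the standard Even–Goldreich–Lempel formulas (assumed here, as the page does not spell them out); the primes are constructed and insecure, and the additive blinding is reduced mod N.

```python
import random

# Constructed toy RSA parameters (insecure; a real deployment uses ~2048-bit N).
P, Q = 1009, 1013
N = P * Q
E = 17                                  # public exponent, coprime to (P-1)(Q-1)
D = pow(E, -1, (P - 1) * (Q - 1))       # Alice's private exponent

def alice_setup(rng):
    """Alice publishes (N, e) and two random values x0, x1; d stays secret."""
    return (N, E), (rng.randrange(1, N), rng.randrange(1, N))

def bob_choose(pub, xs, b, rng):
    """Bob picks bit b and random k and sends v = x_b + k^e mod N.
    v is uniformly distributed whichever x_b was used, so it hides b."""
    n, e = pub
    k = rng.randrange(1, n)
    v = (xs[b] + pow(k, e, n)) % n
    return k, v

def alice_respond(xs, v, m0, m1):
    """Alice unblinds v with both x0 and x1: k_i = (v - x_i)^d mod N.
    Exactly one k_i equals Bob's k, but Alice cannot tell which."""
    k0 = pow((v - xs[0]) % N, D, N)
    k1 = pow((v - xs[1]) % N, D, N)
    return ((m0 + k0) % N, (m1 + k1) % N)   # m'_0, m'_1

def bob_recover(mprimes, b, k):
    """Bob unblinds m'_b with his k; m'_{1-b} is masked by a k he cannot compute."""
    return (mprimes[b] - k) % N

def run_ot(m0, m1, b, seed=0):
    """Full exchange; returns what Bob learns, which should equal m_b."""
    rng = random.Random(seed)
    pub, xs = alice_setup(rng)
    k, v = bob_choose(pub, xs, b, rng)
    mprimes = alice_respond(xs, v, m0, m1)
    return bob_recover(mprimes, b, k)

def other_unblinding(m0, m1, b, seed=0):
    """What Bob gets by applying his k to the other message: a random value."""
    rng = random.Random(seed)
    pub, xs = alice_setup(rng)
    k, v = bob_choose(pub, xs, b, rng)
    mprimes = alice_respond(xs, v, m0, m1)
    return (mprimes[1 - b] - k) % N
```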
1-out-of-n oblivious transfer and k-out-of-n oblivious transfer
A 1-out-of-n oblivious transfer protocol can be defined as a natural generalization of a 1-out-of-2 oblivious transfer protocol. Specifically, a sender has n messages, and the receiver has an index i; the receiver wishes to receive the i-th of the sender's messages without the sender learning i, while the sender wants to ensure that the receiver receives only one of the n messages.
1-out-of-n oblivious transfer is incomparable to private information retrieval (PIR). On the one hand, 1-out-of-n oblivious transfer imposes an additional privacy requirement for the database: namely, that the receiver learns at most one of the database entries. On the other hand, PIR requires communication sublinear in n, whereas 1-out-of-n oblivious transfer has no such requirement.
1–n oblivious transfer protocols were proposed, e.g., by Moni Naor and Benny Pinkas [1], William Aiello, Yuval Ishai and Omer Reingold [2], and Sven Laur and Helger Lipmaa [3].
Brassard, Crépeau and Robert further generalized this notion to k–n oblivious transfer^{5}, wherein the receiver obtains a set of k messages from the n-message collection. The set of k messages may be received simultaneously ("non-adaptively"), or they may be requested consecutively, with each request based on previous messages received^{6}.
Generalized oblivious transfer
k–n oblivious transfer is a special case of generalized oblivious transfer, which was presented by Ishai and Kushilevitz^{7}. In that setting, the sender has a set U of n messages, and the transfer constraints are specified by a collection A of permissible subsets of U. The receiver may obtain any subset of the messages in U that appears in the collection A. The sender should remain oblivious of the selection made by the receiver, while the receiver cannot learn the value of the messages outside the subset that he chose to obtain. The collection A is monotone decreasing, in the sense that it is closed under containment (i.e., if a given subset B is in the collection A, so are all of the subsets of B). The solution proposed by Ishai and Kushilevitz uses parallel invocations of 1–2 oblivious transfer while making use of a special model of private protocols. Later on, other solutions based on secret sharing were published: one by Bhavani Shankar, Kannan Srinathan, and C. Pandu Rangan^{8}, and another by Tamir Tassa^{9}.
Origins
In the early seventies Stephen Wiesner introduced a primitive called multiplexing in his seminal paper "Conjugate Coding", which was the starting point of quantum cryptography^{0}. Unfortunately it took more than ten years to be published. Even though this primitive was equivalent to what was later called 1–2 oblivious transfer, Wiesner did not see its application to cryptography.
See also
 Secure multiparty computation
 Zero knowledge proof
References
 ^0. Stephen Wiesner, "Conjugate coding", SIGACT News, vol. 15, no. 1, 1983, pp. 78–88; original manuscript written circa 1970.
 ^1. Michael O. Rabin. "How to exchange secrets by oblivious transfer." Technical Report TR-81, Aiken Computation Laboratory, Harvard University, 1981. Scanned handwriting on eprint.iacr.org archive. Typed version available on Dousti's homepage (alternate link on Google Docs).
 ^2. S. Even, O. Goldreich, and A. Lempel, "A Randomized Protocol for Signing Contracts", Communications of the ACM, Volume 28, Issue 6, pp. 637–647, 1985. Paper at Catuscia Palamidessi's page.
 ^3. Claude Crépeau. "Equivalence between two flavours of oblivious transfer". In Advances in Cryptology: CRYPTO '87, volume 293 of Lecture Notes in Computer Science, pages 350–354. Springer, 1988.
 ^4. Joe Kilian. "Founding Cryptography on Oblivious Transfer", Proceedings, 20th Annual ACM Symposium on the Theory of Computation (STOC), 1988. Paper at ACM portal (subscription required).
 ^5. Gilles Brassard, Claude Crépeau and Jean-Marc Robert. "All-or-nothing disclosure of secrets." In Advances in Cryptology: CRYPTO '86, volume 263 of LNCS, pages 234–238. Springer, 1986.
 ^6. Moni Naor and Benny Pinkas. "Oblivious transfer with adaptive queries." In Advances in Cryptology: CRYPTO '99, volume 1666 of LNCS, pages 573–590. Springer, 1999.
 ^7. Yuval Ishai and Eyal Kushilevitz. "Private simultaneous messages protocols with applications." In Proc. of ISTCS '97, IEEE Computer Society, pages 174–184, 1997.
 ^8. Bhavani Shankar, Kannan Srinathan and C. Pandu Rangan. "Alternative protocols for generalized oblivious transfer". In Proc. of ICDCN '08, LNCS 4904, pages 304–309, 2008.
 ^9. Tamir Tassa. "Generalized oblivious transfer by secret sharing". Designs, Codes and Cryptography, Volume 58:1, pages 11–21, January 2011. Paper at openu.ac.il.
Wikimedia Foundation. 2010.