Results 1  10
of
48
Practical Quantum Oblivious Transfer
, 1992
"... We describe a protocol for quantum oblivious transfer , utilizing faint pulses of polarized light, by which one of two mutually distrustful parties ("Alice") transmits two onebit messages in such a way that the other party ("Bob") can choose which message he gets but cannot obtain information about ..."
Abstract

Cited by 73 (12 self)
 Add to MetaCart
We describe a protocol for quantum oblivious transfer , utilizing faint pulses of polarized light, by which one of two mutually distrustful parties ("Alice") transmits two onebit messages in such a way that the other party ("Bob") can choose which message he gets but cannot obtain information about both messages (he will learn his chosen bit's value with exponentially small error probability and may gain at most exponentially little information about the value of the other bit), and Alice will be entirely ignorant of which bit he received. Neither party can cheat (ie deviate from the protocol while appearing to follow it) in such a way as to obtain more information than what is given by the description of the protocol. Our protocol is easy to modify in order to implement the AllorNothing Disclosure of one out of two string messages, and it can be used to implement bit commitment and oblivious circuit evaluation without complexitytheoretic assumptions, in a way that remains secure e...
Efficient Cryptographic Protocols based on Noisy Channels
, 1996
"... The WireTap Channel of Wyner [20] shows that a Binary Symmetric Channel may be used as a basis for exchanging a secret key, in a cryptographic scenario of two honest people facing an eavesdropper. Later Cr'epeau and Kilian [9] showed how a BSC may be used to implement Oblivious Transfer in a crypto ..."
Abstract

Cited by 51 (0 self)
 Add to MetaCart
The WireTap Channel of Wyner [20] shows that a Binary Symmetric Channel may be used as a basis for exchanging a secret key, in a cryptographic scenario of two honest people facing an eavesdropper. Later Cr'epeau and Kilian [9] showed how a BSC may be used to implement Oblivious Transfer in a cryptographic scenario of two possibly dishonest people facing each other. Unfortunately this result is rather impractical as it requires\Omega\Gamma n 11 ) bits to be transmitted through the BSC to accomplish a single OT. The current paper provides efficient protocols to achieve the cryptographic primitives of Bit Commitment and Oblivious Transfer based on the existence of a Binary Symmetric Channel. Our protocols respectively require sending O(n) and O(n 3 ) bits through the BSC. These results are based on a technique known as Generalized Privacy Amplification [1] that allow two people to extract secret information from partially compromised data. 1 Introduction The cryptographic power of...
Committed Oblivious Transfer and Private MultiParty Computation
, 1995
"... . In this paper we present an efficient protocol for "Committed Oblivious Transfer" to perform oblivious transfer on committed bits: suppose Alice is committed to bits a0 and a1 and Bob is committed to b, they both want Bob to learn and commit to a b without Alice learning b nor Bob learning a¯ b ..."
Abstract

Cited by 50 (10 self)
 Add to MetaCart
. In this paper we present an efficient protocol for "Committed Oblivious Transfer" to perform oblivious transfer on committed bits: suppose Alice is committed to bits a0 and a1 and Bob is committed to b, they both want Bob to learn and commit to a b without Alice learning b nor Bob learning a¯ b . Our protocol, based on the properties of error correcting codes, uses Bit Commitment (bc) and oneoutoftwo Oblivious Transfer (ot) as black boxes. Consequently the protocol may be implemented with or without a computational assumption, depending on the kind of bc and ot used by the participants. Assuming a Broadcast Channel is also available, we exploit this result to obtain a protocol for Private MultiParty Computation, without making assumptions about a specific number or fraction of participants being honest. We analyze the protocol's efficiency in terms of bcs and ots performed. Our approach connects Zero Knowledge proofs on bcs, Oblivious Circuit Evaluation and Private MultiParty ...
Oblivious Transfers and Intersecting Codes
, 1996
"... Assume A owns t secret kbit strings. She is willing to disclose one of them to B, at his choosing, provided he does not learn anything about the other strings. Conversely, B does not want A to learn which secret he chose to learn. A protocol for the above task is said to implement Oneoutoft St ..."
Abstract

Cited by 39 (4 self)
 Add to MetaCart
Assume A owns t secret kbit strings. She is willing to disclose one of them to B, at his choosing, provided he does not learn anything about the other strings. Conversely, B does not want A to learn which secret he chose to learn. A protocol for the above task is said to implement Oneoutoft String Oblivious Transfer, denoted ( t 1 )OT k 2 . This primitive is particularly useful in a variety of cryptographic settings. An apparently simpler task corresponds to the case k = 1 and t = 2 of two onebit secrets: this is known as Oneoutoftwo Bit Oblivious Transfer, denoted ( 2 1 )OT 2 . We address the question of implementing ( t 1 )OT k 2 assuming the existence of a ( 2 1 )OT 2 . In particular, we prove that unconditionally secure ( 2 1 )OT k 2 can be implemented from \Theta(k) calls to ( 2 1 )OT 2 . This is optimal up to a small multiplicative constant. Our solution is based on the notion of selfintersecting codes. Of independent interest, we give several...
Oblivious Transfers and Privacy Amplification
, 1997
"... Assume A owns two secret kbit strings. She is willing to disclose one of them to B, at his choosing, provided he does not learn anything about the other string. Conversely, B does not want A to learn which secret he chose to learn. A protocol for the above task is said to implement Oneoutoftwo ..."
Abstract

Cited by 33 (8 self)
 Add to MetaCart
Assume A owns two secret kbit strings. She is willing to disclose one of them to B, at his choosing, provided he does not learn anything about the other string. Conversely, B does not want A to learn which secret he chose to learn. A protocol for the above task is said to implement Oneoutoftwo String Oblivious Transfer, denoted ( 2 1 )OT k . This primitive is particularly useful in a variety of cryptographic settings. An apparently simpler task corresponds to the case k = 1 of two onebit secrets: this is known as Oneoutoftwo Bit Oblivious Transfer, denoted ( 2 1 )OT. We address the question of reducing ( 2 1 )OT k to ( 2 1 )OT. This question is not new: it was introduced in 1986. However, most solutions until now have implicitly or explicitly depended on the notion of selfintersecting codes. It can be proved that this restriction makes it asymptotically impossible to implement ( 2 1 )OT k with fewer than about 3:5277 k instances of ( 2 1 )OT. The cur...
ConstantRound Oblivious Transfer in the Bounded Storage Model
, 2004
"... We present a constant round protocol for Oblivious Transfer in Maurer's bounded storage model. In this model, a long random string R is initially transmitted and each of the parties interacts based on a small portion of R. Even though the portions stored by the honest parties are small, security ..."
Abstract

Cited by 31 (5 self)
 Add to MetaCart
We present a constant round protocol for Oblivious Transfer in Maurer's bounded storage model. In this model, a long random string R is initially transmitted and each of the parties interacts based on a small portion of R. Even though the portions stored by the honest parties are small, security is guaranteed against any malicious party that remembers almost all of the string R.
Smooth Projective Hashing and TwoMessage Oblivious Transfer
 In EUROCRYPT 2005, SpringerVerlag (LNCS 3494
, 2005
"... Abstract. We present a general framework for constructing twomessage oblivious transfer protocols using a modification of Cramer and Shoup’s notion of smooth projective hashing (2002). Our framework is actually an abstraction of the twomessage oblivious transfer protocols of Naor and Pinkas (2001) ..."
Abstract

Cited by 30 (1 self)
 Add to MetaCart
Abstract. We present a general framework for constructing twomessage oblivious transfer protocols using a modification of Cramer and Shoup’s notion of smooth projective hashing (2002). Our framework is actually an abstraction of the twomessage oblivious transfer protocols of Naor and Pinkas (2001) and Aiello et. al. (2001), whose security is based on the Decisional Diffie Hellman Assumption. In particular, this framework gives rise to two new oblivious transfer protocols. The security of one is based on the N’thResiduosity Assumption, and the security of the other is based on both the Quadratic Residuosity Assumption and the Extended Riemann Hypothesis. When using smooth projective hashing in this context, we must deal with maliciously chosen smooth projective hash families. This raises new technical difficulties that did not arise in previous applications, and in particular it is here that the Extended Riemann Hypothesis comes into play. Similar to the previous twomessage protocols for oblivious transfer, our constructions give a security guarantee which is weaker than the traditional, simulation based, definition of security. Nevertheless, the security notion that we consider is nontrivial and seems to be meaningful for some applications in which oblivious transfer is used in the presence of malicious adversaries. 1
On robust combiners for oblivious transfer and other primitives
 In Proc. Eurocrypt ’05
, 2005
"... At the mouth of two witnesses... shall the matter be establishedDeuteronomy Chapter 19. ..."
Abstract

Cited by 29 (1 self)
 Add to MetaCart
At the mouth of two witnesses... shall the matter be establishedDeuteronomy Chapter 19.
Efficient unconditional oblivious transfer from almost any noisy channel
 Proceedings of Fourth Conference on Security in Communication Networks (SCN) ’04, LNCS
, 2004
"... Abstract. Oblivious transfer (OT) is a cryptographic primitive of central importance, in particular in two and multiparty computation. There exist various protocols for different variants of OT, but any such realization from scratch can be broken in principle by at least one of the two involved pa ..."
Abstract

Cited by 25 (6 self)
 Add to MetaCart
Abstract. Oblivious transfer (OT) is a cryptographic primitive of central importance, in particular in two and multiparty computation. There exist various protocols for different variants of OT, but any such realization from scratch can be broken in principle by at least one of the two involved parties if she has sufficient computing power—and the same even holds when the parties are connected by a quantum channel. We show that, on the other hand, if noise—which is inherently present in any physical communication channel—is taken into account, then OT can be realized in an unconditionally secure way for both parties, i.e., even against dishonest players with unlimited computing power. We give the exact condition under which a general noisy channel allows for realizing OT and show that only “trivial ” channels, for which OT is obviously impossible to achieve, have to be excluded. Moreover, our realization of OT is efficient: For a security parameter α> 0—an upper bound on the probability that the protocol fails in any way—the required number of uses of the noisy channel is of order O(log(1/α) 2+ε) for any ε> 0. 1
On the foundations of oblivious transfer
, 1998
"... cachinlacm.org Abstract. We show that oblivious transfer can be based on a very general notion of asymmetric information difference. We investigate a Universal Oblivious Ransfer, denoted UOT(X, Y), that gives Bob the freedom to access Alice’s input X in an arbitrary way as long as he does not obtai ..."
Abstract

Cited by 22 (0 self)
 Add to MetaCart
cachinlacm.org Abstract. We show that oblivious transfer can be based on a very general notion of asymmetric information difference. We investigate a Universal Oblivious Ransfer, denoted UOT(X, Y), that gives Bob the freedom to access Alice’s input X in an arbitrary way as long as he does not obtain full information about X. Alice does not learn which information Bob has chosen. We show that oblivious transfer can be reduced to a single execution of UOT(X, Y) with Bob’s knowledge Y restricted in terms of RCnyi entropy of order a> 1. For independently repeated UOT the reduction works even if only Bob’s Shannon information is restricted, i.e. if H(XIY)> 0 in every UOT(X, Y). Our protocol requires that honest Bob obtains at least half of Alice’s information X without error.