Results 1 
6 of
6
Oblivious Transfers and Intersecting Codes
, 1996
"... Assume A owns t secret kbit strings. She is willing to disclose one of them to B, at his choosing, provided he does not learn anything about the other strings. Conversely, B does not want A to learn which secret he chose to learn. A protocol for the above task is said to implement Oneoutoft St ..."
Abstract

Cited by 39 (4 self)
 Add to MetaCart
Assume A owns t secret kbit strings. She is willing to disclose one of them to B, at his choosing, provided he does not learn anything about the other strings. Conversely, B does not want A to learn which secret he chose to learn. A protocol for the above task is said to implement Oneoutoft String Oblivious Transfer, denoted ( t 1 )OT k 2 . This primitive is particularly useful in a variety of cryptographic settings. An apparently simpler task corresponds to the case k = 1 and t = 2 of two onebit secrets: this is known as Oneoutoftwo Bit Oblivious Transfer, denoted ( 2 1 )OT 2 . We address the question of implementing ( t 1 )OT k 2 assuming the existence of a ( 2 1 )OT 2 . In particular, we prove that unconditionally secure ( 2 1 )OT k 2 can be implemented from \Theta(k) calls to ( 2 1 )OT 2 . This is optimal up to a small multiplicative constant. Our solution is based on the notion of selfintersecting codes. Of independent interest, we give several...
Conditional oblivious transfer and timedrelease encryption
 Lecture Notes in Computer Science
, 1592
"... Abstract. We consider the problem of sending messages “into the future.” Previous constructions for this task were either based on heuristic assumptions or did not provide anonymity to the sender of the message. In the publickey setting, we present an efficient and secure timedrelease encryption s ..."
Abstract

Cited by 8 (1 self)
 Add to MetaCart
Abstract. We consider the problem of sending messages “into the future.” Previous constructions for this task were either based on heuristic assumptions or did not provide anonymity to the sender of the message. In the publickey setting, we present an efficient and secure timedrelease encryption scheme using a “time server ” which inputs the current time into the system. The server has to only interact with the receiver and never learns the sender’s identity. The scheme’s computational and communicational cost per request are only logarithmic in the time parameter. The construction of our scheme is based on a novel cryptographic primitive: a variant of oblivious transfer which we call conditional oblivious transfer. We define this primitive (which may be of independent interest) and show an efficient construction for an instance of this new primitive based on the quadratic residuosity assumption. 1
Concurrent/Resettable ZeroKnowledge with Concurrent Soundness in the Bare PublicKey Model and Its Applications
, 2003
"... In this paper, we present both practical and general 4round concurrent and resettable zeroknowledge arguments with concurrent soundness in the bare publickey (BPK) model. To our knowledge, our result is the first work that achieves concurrent soundness for ZK protocols in the BPK model and stan ..."
Abstract

Cited by 3 (0 self)
 Add to MetaCart
In this paper, we present both practical and general 4round concurrent and resettable zeroknowledge arguments with concurrent soundness in the bare publickey (BPK) model. To our knowledge, our result is the first work that achieves concurrent soundness for ZK protocols in the BPK model and stands for the current stateoftheart of concurrent zeroknowledge with setup assumptions.
On Unconditionally Secure Distributed Oblivious Transfer ∗
, 2006
"... This paper is about the Oblivious Transfer in the distributed model proposed by M. Naor and B. Pinkas. In this setting a Sender has n secrets and a Receiver is interested in one of them. During a set up phase, the Sender gives information about the secrets to m Servers. Afterwards, in a recovering p ..."
Abstract

Cited by 1 (0 self)
 Add to MetaCart
This paper is about the Oblivious Transfer in the distributed model proposed by M. Naor and B. Pinkas. In this setting a Sender has n secrets and a Receiver is interested in one of them. During a set up phase, the Sender gives information about the secrets to m Servers. Afterwards, in a recovering phase, the Receiver can compute the secret she wishes by interacting with any k of them. More precisely, from the answers received she computes the secret in which she is interested but she gets no information on the others and, at the same time, any coalition of k − 1 Servers can neither compute any secret nor figure out which one the Receiver has recovered. We present an analysis and new results holding for this model: lower bounds on the resources required to implement such a scheme (i.e., randomness, memory storage, communication complexity); some impossibility results for oneround distributed oblivious transfer protocols; two polynomialbased constructions implementing 1outofn distributed oblivious transfer, which generalize and strengthen the two constructions for 1outof2 given by Naor and Pinkas; as well as new oneround and tworound distributed oblivious transfer protocols, both for threshold and general access structures on the set of Servers, which are optimal with respect to some of the given bounds. Most of these constructions are basically combinatorial in nature. 1
Translucent Cryptography  An Alternative to Key Escrow, and its Implementation via Fractional Oblivious Transfer
, 1996
"... We presentan alternative to the controversial \key escrow " techniques for enabling lawenforcement and national security access to encrypted communications. Our proposal allows such access with probability p for each message, for a parameter p between0and1tobechosen (say, by Congress) to provide an ..."
Abstract
 Add to MetaCart
We presentan alternative to the controversial \key escrow " techniques for enabling lawenforcement and national security access to encrypted communications. Our proposal allows such access with probability p for each message, for a parameter p between0and1tobechosen (say, by Congress) to provide an appropriate balance between concerns for individual privacy, on the one hand, and the need for such accessbylawenforcement and national security, on the other. For example, with p =0:4,alawenforcement agency conducting an authorized wiretap which records 100 encrypted conversations would expect to be able to decrypt (approximately) 40 of these conversations � the agency would not be able to decrypt the remaining 60 conversations at all. Di erent values of p can be chosen for di erent situations, such as for export. Our proposal can be combined with other ideas, such as secretsharing, to provide additional exibility. Our scheme is remarkably simple to implement, as it requires no prior escrowing of keys. We provide an e cient implementation of translucent cryptography. It is based on noninteractive oblivious transfer, as pioneered by Bellare and Micali [2], who showed how to transfer
Translucent Cryptography—An Alternative to Key Escrow, and Its Implementation via Fractional Oblivious Transfer
, 1997
"... Abstract. We present an alternative to the controversial “keyescrow ” techniques for enabling law enforcement and national security access to encrypted communications. Our proposal allows such access with probability p for each message, for a parameter p between 0 and 1 to be chosen (say, by Congre ..."
Abstract
 Add to MetaCart
Abstract. We present an alternative to the controversial “keyescrow ” techniques for enabling law enforcement and national security access to encrypted communications. Our proposal allows such access with probability p for each message, for a parameter p between 0 and 1 to be chosen (say, by Congress) to provide an appropriate balance between concerns for individual privacy, on the one hand, and the need for such access by law enforcement and national security, on the other. (For example, with p = 0.4, a lawenforcement agency conducting an authorized wiretap which records 100 encrypted conversations would expect to be able to decrypt (approximately) 40 of these conversations; the agency would not be able to decrypt the remaining 60 conversations at all.) Our scheme is remarkably simple to implement, as it requires no prior escrowing of keys. We implement translucent cryptography based on noninteractive oblivious transfer. Extending the schemes of Bellare and Micali [2], who showed how to transfer a message with probability 1 2, we provide schemes for noninteractive fractional oblivious transfer, which allow a message to be transmitted with any given probability p. Our protocol is based on the Diffie–Hellman assumption and uses just one El Gamal encryption (two exponentiations), regardless of the value of the transfer probability p. This makes the implementation of translucent cryptography competitive, in efficiency of encryption, with current suggestions for software key escrow.