**Efficient k-out-of-n Oblivious Transfer Schemes with Adaptive and Non-Adaptive Queries**

*Cheng-Kang Chu and Wen-Guey Tzeng*

**Abstract:** In this paper we propose a very efficient two-round k-out-of-n oblivious transfer scheme, in which R sends O(k) messages to S, and S sends O(n) messages back to R. The computation cost of R and S is reasonable as R needs O(k) operations and S needs O(n) operations. The choices of R are unconditionally secure and the secrecy of unchosen messages is guaranteed as well if the decisional bilinear Diffie-Hellman problem is hard. When k=1, our scheme is as efficient as the most efficient 1-out-of-n oblivious transfer scheme up to now. Our scheme has the nice property of universal parameters.
That is, each pair of R and S need neither hold any secret key nor perform any prior setup. The system parameters can be used by all senders and receivers without any trapdoor specification. Our k-out-of-n oblivious transfer scheme is the most efficient one in terms of the communication cost, in both rounds and the number of messages.
Moreover, our scheme can be extended in a straightforward way to an adaptive k-out-of-n oblivious transfer scheme, which allows the receiver R to choose the secrets one by one adaptively. In our scheme, S sends O(n) messages to R in one round in the commitment phase. For each query of R, only O(1) messages are exchanged and O(1) operations (in elliptic curves) are performed. In fact, the number k of queries need not be pre-fixed or known beforehand. This makes our scheme highly flexible.

**Category / Keywords:** cryptographic protocols / Oblivious Transfer

**Publication Info:** PKC 2005

**Date:** received 14 Feb 2004, last revised 23 Nov 2004

**Contact author:** ckchu at cis nctu edu tw

**Note:** The scheme against semi-honest receivers has been improved.

**Version:** 20041124:032643

**Short URL:** ia.cr/2004/041
