Paper 2008/014

Simulatable Adaptive Oblivious Transfer

Jan Camenisch, Gregory Neven, and abhi shelat


We study an adaptive variant of oblivious transfer in which a sender has N messages, of which a receiver can adaptively choose to receive k one-after-the-other, in such a way that (a) the sender learns nothing about the receiver’s selections, and (b) the receiver only learns about the k requested messages. We propose two practical protocols for this primitive that achieve a stronger security notion than previous schemes with comparable efficiency. In particular, by requiring full simulatability for both sender and receiver security, our notion prohibits a subtle selective-failure attack not addressed by the security notions achieved by previous practical schemes. Our first protocol is a very efficient generic construction from unique blind signatures in the random oracle model. The second construction does not assume random oracles, but achieves remarkable efficiency with only a constant number of group elements sent during each transfer. This second construction uses novel techniques for building efficient simulatable protocols.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. An extended abstract of this paper appears in Moni Naor, editor, Advances in Cryptology – EUROCRYPT 2007, volume 4515 of Lecture Notes in Computer Science, pages 573–590, Springer-Verlag, 2007. This is the full version.
Contact author(s)
Gregory Neven @ esat kuleuven be
2008-01-14: received
Short URL
Creative Commons Attribution


      author = {Jan Camenisch and Gregory Neven and abhi shelat},
      title = {Simulatable Adaptive Oblivious Transfer},
      howpublished = {Cryptology ePrint Archive, Paper 2008/014},
      year = {2008},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.