Paper 2008/035

Efficient Fully-Simulatable Oblivious Transfer

Yehuda Lindell


Oblivious transfer, first introduced by Rabin, is one of the basic building blocks of cryptographic protocols. In an oblivious transfer (or more exactly, in its 1-out-of-2 variant), one party known as the sender has a pair of messages and the other party known as the receiver obtains one of them. Somewhat paradoxically, the receiver obtains exactly one of the messages (and learns nothing of the other), and the sender does not know which of the messages the receiver obtained. Due to its importance as a building block for secure protocols, the efficiency of oblivious transfer protocols has been extensively studied. However, to date, there are almost no known oblivious transfer protocols that are secure in the presence of \emph{malicious adversaries} under the \emph{real/ideal model simulation paradigm} (without using general zero-knowledge proofs). Thus, \emph{efficient protocols} that reach this level of security are of great interest. In this paper we present efficient oblivious transfer protocols that are secure according to the ideal/real model simulation paradigm. We achieve constructions under the DDH, $N$th residuosity and quadratic residuosity assumptions, as well as under the assumption that homomorphic encryption exists.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Extended abstract appeared at CT-RSA 2008.
oblivious transfer
Contact author(s)
lindell @ cs biu ac il
2008-01-28: received
Short URL
Creative Commons Attribution


      author = {Yehuda Lindell},
      title = {Efficient Fully-Simulatable Oblivious Transfer},
      howpublished = {Cryptology ePrint Archive, Paper 2008/035},
      year = {2008},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.