Cryptology ePrint Archive: Report 2010/199

A Framework For Fully-Simulatable $h$-Out-Of-$n$ Oblivious Transfer

Zeng Bing and Tang Xueming and Chingfang Hsu

Abstract: We present a framework for fully-simulatable $h$-out-of-$n$ oblivious transfer ($OT^{n}_{h}$) with security against non-adaptive malicious adversaries. The framework costs six communication rounds and costs at most $40n$ public-key operations in computational overhead. Compared with the known protocols for fully-simulatable oblivious transfer that works in the plain mode (where there is no trusted common reference string available) and proven to be secure under standard model (where there is no random oracle available), the instantiation based on the decisional Diffie-Hellman assumption of the framework is the most efficient one, no matter seen from communication rounds or computational overhead.

Our framework uses three abstract tools, i.e., information-theoretically binding commitment, information-theoretically hiding commitment and our new smooth projective hash. This allows a simple and intuitive understanding of its security.

We instantiate the new smooth projective hash under the lattice assumption, the decisional Diffie-Hellman assumption, the decisional $N$-th residuosity assumption, the decisional quadratic residuosity assumption. This indeed shows that the folklore that it is technically difficult to instantiate the projective hash framework under the lattice assumption is not true. What's more, by using this lattice-based hash and lattice-based commitment scheme, we gain a concrete protocol for $OT^{n}_{h}$ which is secure against quantum algorithms.

Category / Keywords: cryptographic protocols / oblivious transfer,public-key cryptography, quantum cryptography,lattice techniques

Date: received 9 Apr 2010, last revised 10 Jul 2011

Contact author: zeng bing zb at gmail com;

Available format(s): PDF | BibTeX Citation

Note: Submitted for Publication.

Version: 20110711:011342 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]