1. Oblivious Transfer

2. Outline
Preliminary
Requirements
protocols

3. Assumptions Semi-honest party assumption Malicious party assumption
Parties honestly follow the security protocol
Parties might be curious about the transferred data
Malicious party assumption
The malicious party can do anything
Transfer false data
Turn down the protocol
Collusion
Often, we can handle
semi-honest + integrity verification

4. Public-key encryption
Let (G,E,D) be a public-key encryption scheme
G is a key-generation algorithm (pk,sk)  G
Pk: public key
Sk: secret key
Terms
Plaintext: the original text, denoted as m
Ciphertext: the encrypted text, denoted as c
Encryption: c = Epk(m)
Decryption: m = Dsk(c)
Concept of one-way function: knowing c, pk, and the function Epk, it is still computationally intractable to find m.
*Check literature for different implementations

5. Example: the RSA algorithm
Based on the idea that factorization of integers into their prime factors is hard.​
★ n=p．q, where p and q are distinct primes​
Proposed by Rivest, Shamir, and Adleman​ in 1977 and a paper was published in The Communications of ACM in 1978​

6. RSA Key generation Alice encrypts M as C≡Me (mod n)​
Bob chooses two primes p,q and compute n=pq​
Bob chooses e with gcd(e,(p-1)(q-1))=​ gcd(e, ψ(n))=1​
ψ(n) Euler's totient function counting the positive integers up to a given integer n that are relatively prime to n
Bob solves de≡1 (mod ψ(n))​
Bob makes (n, e) public and (p,q,d) secret​
Alice encrypts M as C≡Me (mod n)​
Bob decrypts by computing M≡Cd (mod n)

7. Correctness Euler’s theorem RSA correctness proof:
If a and n are co-prime, i.e., gcd(a, n)=1,
Then:
aψ(n) = 1 mod n
RSA correctness proof:
Cd ≡ (Me)d ≡ Med ≡ M1+kψ(n)  ≡M  (mod n)

8. security Finding d -> finding ψ(n) -> finding p and q from n
the fastest factorization algorithm for b-bit number

9. 1-out-of-2 Oblivious Transfer (OT)
Setting
Sender has two messages m0 and m1
Receiver has a single bit {0,1} and wants to learn m , but does not want the sender know which bit is selected.
Outputs
Sender knows nothing about 
Receiver obtain m and learns nothing of m1-

10. A simple protocol
Assume that a public-key can be sampled without knowledge of its secret key (knowing pk only):
The protocol is simplified with this assumption
Knowing pk but not knowing sk – tricky to do that
Both parties are honest

11. A simple Protocol for Oblivious Transfer
Receiver (with input ):
Receiver chooses one key-pair (pk,sk) and one public-key pk’ (oblivious key generation), but does not know sk’ (pk’ cannot be released by sender; sender should not know which is the pk’)
Receiver sets pk = pk, pk1- = pk’
Receiver sends pk0,pk1 to sender
Sender (with input m0,m1):
Sends c0=Epk0(m0), c1=Epk1(m1)
Receiver:
Decrypts c using sk and obtains m.
Note: receiver can decrypt for pk but not for pk1-

12. Cost Receiver: Sender:
Computation: two key generation operations; one decryption
Communication: 2 PKs
Sender:
Computation: two encryption ops
Communication: 2 ciphertext

13. A more practical 1 out of 2 OT Protocol
m0 and m1  Alice’s messages
Generate a RSA key-pair: Public Key or PK (N, e)
Secret Key or SK (d)
2. Generate random messages:
x0 and x1
3. Decrypt the two possible ks as Alice does not know b hence xb used in computing v by Bob:
k0 = (v – x0)^d mod N
k1 = (v – x1)^d mod N
4. Hide messages m0 and m1 as
m0’=m0+k0
m1’=m1+k1
b 𝜖 {0,1}  Bob’s input bit
Generate a random message: k
Encrypt k as:
E(k) = ke
3. Compute:
v = xb + ke mod N
4. Retrieve:
mb = mb’ - k
PK, x0, and x1
Alice
(sender) v
Bob
(receiver)
m0’ and m1’

14. security Assume Bob wants to know m0 security: Bob cannot know k1
Needs to know d
Alice cannot distinguish k0, k1

15. Costs Bob Alice Computation: 1 rand msg + 1 encryption + 2 mod add
Communication: v
Alice
Computation: 1 key generation, 2 rand msgs + 2 decryption + 2 mod add
Communication: pk + 2 rand msgs + 2 decrypted msgs

16. Reducing costs
There are more efficient 1-out-of-2 protocols developed recently

17. Generalization Similarly, we can define 1-out-of-k oblivious transfer
Protocol remains the same:
Choose k-1 public keys for which the secret key is unknown
Choose 1 public-key and secret-key pair