Efficient Oblivious Transfer from Lossy Threshold Homomorphic Encryption (original) (raw)

2017, Lecture Notes in Computer Science

In this article, a new oblivious transfer (OT) protocol, secure in the presence of erasure-free one-sided active adaptive adversaries is presented. The new bit OT protocol achieves better communication complexity than the existing bit OT protocol in this setting. The new bit OT protocol requires fewer number of public key encryption operations than the existing bit OT protocol in this setting. As a building block, a new two-party lossy threshold homomorphic public key cryptosystem is designed. It is secure in the same adversary model. It is of independent interest. Definition 2. (Lossy Threshold PKE Scheme Secure against Erasure-Free One-Sided Active Adaptive Adversaries) A lossy threshold PKE scheme secure against erasure-free one-sided active adaptive adversaries for the set of parties P = {P 1 , P 2 }, and security parameter n, is a 4-tuple (K, KG, E, Π DEC) having the following properties. Key Space: The key space K is a family of finite sets (pk, sk 1 , sk 2). pk is the public key and sk i is the secret key share of P i. Let M pk denote the message space for public key pk. Key Generation: There exists a probabilistic polynomial-time key generation algorithm KG, which, on input (1 n , mode), generates public output pk and a list {vk, vk 1 , vk 2 } of verification keys, and secret output sk i for P i , where (pk, sk 1 , sk 2) ∈ K. By setting mode to zero and one, key in lossy mode and injective mode can be generated, respectively. vk is called the verification key, vk i is called the verification key of P i. Encryption: There exists a probabilistic polynomial-time encryption algorithm E, which, on input pk, m ∈ M pk , r $ ← coins(E), outputs an encryption c = E pk (m, r) of m. Decryption: There exists a two-party decryption protocol Π DEC secure against erasure-free one-sided active adaptive adversaries. On common public input (c, pk, vk, vk 1 , vk 2), and secret input sk i for each P i , i ∈ {1, 2}, where sk i is the secret key share of P i for the public key pk (as generated by KG), and c is an encrypted message, Π DEC returns a message m, or the symbol ⊥ denoting a decryption failure, as a common public output.