Batch Oblivious Transfer Clause Samples

Batch Oblivious Transfer. ‌ 1 Oblivious Transfer (OT) protocol, more specifically OT 2 protocol, allows two parties (sender and chooser) to solve the following problem. The sender has two strings m0 and m1 and transfers one of them to the chooser in accordance with the following conditions: – the chooser selects a particular mb which he wishes to obtain (b ∈ {0, 1}); – the chooser does learn nothing about m1−b; – the sender does not know which mb was transferred. We modify and extend construction of RSA-based OT 2 protocol from [11]. Most oblivious transfer protocols employ some kind of ElGamal encryption. This results in increased computational overhead as the chooser must perform at least one modular exponentiation. Using RSA-based oblivious transfer allows to reduce the chooser’s complexity, since the public exponent can be made small. Moreover, RSA decryption with distinct private exponents can be implemented efficiently, leading to Batch RSA [5]. We use this idea for further improvement of computational complexity of RSA-based oblivious transfer. We employ the following notation through the rest of the section. Let n = p q be an RSA public modulus (i.e. a product of two distinct primes p and q) and let e, d denote public and private exponents, respectively. Let Zn = {0, 1,...,n − 1} and let Zn∗ be the set of all numbers from Zn relatively prime to n. All computations in protocol descriptions are defined over Zn, the only exception is bitwise xor operation . We will omit stating explicitly that our operations in the paper are mod n whenever it is clear from the context. The hash function H is modelled as a truly random function (random oracle, see [2]) in the security analysis. For simplicity we write H(a1,..., al) for the hash function applied to the concatenation of l-tuple (a1,..., al). Random, uniform selection of x from the set A is denoted by x R A. We assume the sender (S in protocol description) generates the instance of RSA system and the chooser (C) already has a valid public key of the sender (i.e. a pair (n, e)). Moreover, we assume that the length of H output is not shorter than strings m0 and m1. Recall, b 0, 1 denotes the index of string, which the chooser wants to obtain.