Multimedia Network Security Laboratory (多媒體網路安全實驗室)
A New Design for Efficient t-out-n Oblivious Transfer Scheme
Date: 2010.11.24
Reporter: Chien-Wen Huang
Authors: Hui-Feng Huang and Chin-Chen Chang
Source: 19th International Conference on Advanced Information Networking and Applications
Outline
1. Introduction
2. The Proposed Scheme
3. Discussions
4. Conclusions
Introduction
Rabin proposed the concept of the two-party oblivious transfer (OT) scheme.
Oblivious transfer has found many applications in cryptographic studies, e.g. fair electronic contract signing, oblivious secure computation, and private information retrieval (PIR).
The Proposed Scheme
A t-out-of-n OT should satisfy the following requirements:
1. Correctness: the receiver obtains t secrets after executing the protocol with the sender.
2. Receiving ambiguity: the sender does not learn which t secrets the receiver has received.
3. Sending privacy: the receiver gets no information about the other n-t messages.
Setup. The sender randomly chooses two large primes $p, q$, sets $N = pq$ and computes $\phi(N) = (p-1)(q-1)$. He then computes a private key $d$ such that $ed \equiv 1 \pmod{\phi(N)}$ with $e = 3$, and publishes $(N, e)$.
The protocol runs as follows.
1. The sender computes $c_i = m_i^e \bmod N$ $(i = 1, 2, \ldots, n)$ and sends $c_1, c_2, \ldots, c_n$ to the receiver.
2. The receiver chooses $t$ random secrets $s_1, s_2, \ldots, s_t \in \mathbb{Z}_N^*$, picks $c_{i_1}, c_{i_2}, \ldots, c_{i_t} \in \{c_1, c_2, \ldots, c_n\}$, computes
$y_{i_j} = s_j^e \, c_{i_j} \bmod N \quad (j = 1, 2, \ldots, t),$
and sends $y_{i_1}, y_{i_2}, \ldots, y_{i_t}$ to the sender.
多媒體網路安全實驗室
3. The sender, after receiving them, computes $z_{i_j} = y_{i_j}^d \bmod N$ $(j = 1, 2, \ldots, t)$ and sends $z_{i_1}, z_{i_2}, \ldots, z_{i_t}$ to the receiver.
4. The receiver obtains the messages $m_{i_j} = z_{i_j} \, s_j^{-1} \bmod N$, where $m_{i_j} \in \{m_1, m_2, \ldots, m_n\}$.
Security note for Step 1: with $e = 3$ every message must satisfy $m^e = m^3 > N$; otherwise $c_i = m_i^3$ holds over the integers and $m_i$ is recovered by an ordinary cube root.
To guarantee this, $m$ is padded with some important information such as date, time, sender's ID or receiver's ID before it is encrypted.
Discussions
Secrecy
1. $N$ should be large enough to make factorization difficult.
2. The low-exponent RSA attacks do not work on the scheme, since the padding in Step 1 enforces $m^3 > N$.
Receiver's Ambiguity
Only the sender can compute
$z_{i_j} = y_{i_j}^d = (m_{i_j} \, s_j)^{ed} = m_{i_j} \, s_j \bmod N.$
1. Without knowing $s_j$, the sender cannot tell which $m_{i_j}$ is blinded inside $y_{i_j}$: multiplying by a uniformly random unit $s_j^e$ makes $y_{i_j}$ uniformly distributed in $\mathbb{Z}_N^*$ regardless of the choice.
2. $s_j$ is chosen at random by the receiver.
Sender's Privacy
1. The receiver cannot derive the sender's secret key $d$.
2. The receiver receives only the $t$ secrets he has chosen and none of the other $(n-t)$ messages.
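The four protocol steps above, run end to end in Python, as an added example by the editor (not the paper's code): RSA setup with $e = 3$, the receiver's blinding, the sender's decryption, and the unblinding identity $z = y^d = s \cdot m$ from the Discussions. Assumptions, all labelled in the code: the primes are toy sized (about 80 bits) and found by a deterministic search so the run reproduces; the padding format (secret, date, party IDs) follows the slide's suggestion but the exact layout is made up here. The last function records a caveat that follows from the equations rather than from the paper: the sender has no way to check that a received $y$ has the form $s^e c_i$ for a single $i$, so a receiver who sends $y = s^e c_a c_b$ obtains $s\,m_a m_b$ and learns the product $m_a m_b$ from one query, which is information about two messages.

```python
import math
import secrets

E = 3  # the scheme fixes the public exponent at 3
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24 (about 2^81)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime_2_mod_3(start):
    """Smallest prime >= start with p = 2 (mod 3), so gcd(3, p - 1) = 1 and e = 3 is invertible."""
    n = start
    while not (n % 3 == 2 and is_probable_prime(n)):
        n += 1
    return n


def sender_keygen():
    """Setup: N = pq, phi(N) = (p-1)(q-1), d = e^-1 mod phi(N); (N, e) is published."""
    p = next_prime_2_mod_3(2**80)          # toy size and deterministic; real use needs far larger primes
    q = next_prime_2_mod_3(2**80 + 2**70)  # second prime from a different starting point
    N = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (N, E), d


def pad_message(secret, N):
    """Assumed padding layout following the slide: append date and party IDs, then check m^3 > N
    so that c = m^3 mod N is not simply m^3 over the integers (plain cube root would undo it)."""
    m = int.from_bytes(f"{secret}|2010-11-24|S->R".encode(), "big")
    assert m < N < m**E, "message must fit below N but its cube must exceed N"
    return m


def unpad_message(m):
    return m.to_bytes((m.bit_length() + 7) // 8, "big").decode().split("|")[0]


def step1_sender_publish(pk, ms):
    N, e = pk
    return [pow(m, e, N) for m in ms]                          # c_i = m_i^e mod N


def step2_receiver_blind(pk, cs, choices):
    N, e = pk
    ss = []
    for _ in choices:
        s = secrets.randbelow(N - 2) + 2                       # s_j must be a unit of Z_N
        while math.gcd(s, N) != 1:
            s = secrets.randbelow(N - 2) + 2
        ss.append(s)
    ys = [pow(s, e, N) * cs[i] % N for s, i in zip(ss, choices)]   # y_{i_j} = s_j^e c_{i_j} mod N
    return ss, ys


def step3_sender_decrypt(pk, d, ys):
    N, _ = pk
    return [pow(y, d, N) for y in ys]                          # z = y^d = (s m)^{ed} = s m mod N


def step4_receiver_unblind(pk, zs, ss):
    N, _ = pk
    return [z * pow(s, -1, N) % N for z, s in zip(zs, ss)]     # m_{i_j} = z_{i_j} s_j^{-1} mod N


def run_protocol(secret_strings, choices):
    """Full t-out-of-n run; `choices` are the receiver's t indices into the n messages."""
    pk, d = sender_keygen()
    ms = [pad_message(s, pk[0]) for s in secret_strings]
    cs = step1_sender_publish(pk, ms)
    ss, ys = step2_receiver_blind(pk, cs, choices)
    zs = step3_sender_decrypt(pk, d, ys)
    return [unpad_message(m) for m in step4_receiver_unblind(pk, zs, ss)]


def malicious_receiver_learns_product(secret_strings, a, b):
    """Caveat (editor's observation from the equations, not a claim of the paper): the sender
    cannot check that y has the form s^e c_i for one i. Sending y = s^e c_a c_b returns s m_a m_b,
    so one query leaks the product m_a m_b, i.e. information about two messages."""
    pk, d = sender_keygen()
    N, e = pk
    ms = [pad_message(s, N) for s in secret_strings]
    cs = step1_sender_publish(pk, ms)
    s = 2
    y = pow(s, e, N) * cs[a] * cs[b] % N
    z = step3_sender_decrypt(pk, d, [y])[0]
    return z * pow(s, -1, N) % N == ms[a] * ms[b] % N
```

`run_protocol(["m1", "m2", "m3", "m4"], [2, 0])` returns `["m3", "m1"]`: the receiver gets exactly the two messages it chose, and the sender only ever sees the blinded values $y_{i_j}$, which are uniform in $\mathbb{Z}_N^*$ because $s_j$ is a uniform unit. `malicious_receiver_learns_product` shows why requirement 3 (sending privacy) depends on the receiver following the protocol: Step 3 is a raw RSA decryption of whatever the receiver sends, and nothing binds $y$ to a single ciphertext.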
Performance
1. In total the sender sends $n+t$ elements to the receiver and the receiver sends $t$ elements to the sender.
2. Since the public key is $e = 3$, the sender's computational cost is $t$ modular exponentiations (the decryptions in Step 3) and $2n$ modular multiplications (the $n$ cubings in Step 1, two multiplications each).
Conclusions
The proposed protocol requires three rounds of communication.
The computation and communication loads are greatly reduced for both the sender and the receiver.
Only $4t$ modular multiplications are required for a receiver to obtain $t$ secrets: per secret, two for $s_j^3$, one for $s_j^3 c_{i_j}$, and one for $z_{i_j} s_j^{-1}$ (the inversion of $s_j$ is not counted).
It is very suitable for mobile clients.