Security analysis of three oblivious transfer protocols
An m out of n oblivious transfer (OT) protocol is a cryptographic protocol for a sender to transfer m out of n messages to a receiver such that the sender has no idea which m messages are obtained by the receiver (receiver security) and at the same time the receiver cannot obtain more than m message...
Saved in:
| Main Authors: | , , |
|---|---|
| Format: | text |
| Language: | English |
| Published: |
Institutional Knowledge at Singapore Management University
2004
|
| Subjects: | |
| Online Access: | https://ink.library.smu.edu.sg/sis_research/832 https://doi.org/10.1007/978-3-0348-7865-4_27 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| Institution: | Singapore Management University |
| Language: | English |
| Summary: | An m out of n oblivious transfer (OT) protocol is a cryptographic protocol for a sender to transfer m out of n messages to a receiver such that the sender has no idea which m messages are obtained by the receiver (receiver security) and at the same time the receiver cannot obtain more than m messages (sender security). Three such protocols are proposed in [1], which have the advantage that the communication overhead of the protocols is much smaller than that of mimplementations of a 1 out of n OT protocol. In this paper we give a security analysis of the three protocols. First we show that the first protocol cannot guarantee both the sender security and the receiver security simultaneously. Next, we point out an obvious security flaw in the second protocol which allows the receiver to obtain all the n messages. The third protocol is nicely designed to be non-interactive. However, we show that the security of the protocol is based on a sort of parallel discrete logarithm problem, instead of the discrete logarithm problem as claimed in the paper. Using the technique of “generalized birthday attack”, the former problem can be solved with a computation complexity much smaller than that required to solve the discrete logarithm problem. |
|---|