3 research outputs found

    Analysis Of The Simulatability Of An Oblivious Transfer

    In the Journal of Cryptology (25(1): 158-193, 2012), Shai Halevi and Yael Kalai proposed a general framework for constructing two-message oblivious transfer protocols using smooth projective hashing. The authors assert that this framework gives a simulation-based security guarantee when the sender is corrupted. This work has since been believed to be half-simulatable in the literature. In this paper, we show that the assertion is not true and present our ideas for constructing a fully-simulatable oblivious transfer framework.

    Adaptive Oblivious Transfer with Access Control from Lattice Assumptions

    Adaptive oblivious transfer (OT) is a protocol where a sender initially commits to a database $\{M_i\}_{i=1}^N$. Then, a receiver can query the sender up to $k$ times with private indexes $\rho_1,\ldots,\rho_k$ so as to obtain $M_{\rho_1},\ldots,M_{\rho_k}$ and nothing else. Moreover, for each $i \in [k]$, the receiver's choice $\rho_i$ may depend on previously obtained messages. Oblivious transfer with access control (OT-AC) is a flavor of adaptive OT where database records are protected by distinct access control policies that specify which credentials a receiver should obtain in order to access each $M_i$. So far, all known OT-AC protocols only support access policies made of conjunctions or rely on ad hoc assumptions in pairing-friendly groups (or both). In this paper, we provide an OT-AC protocol where access policies may consist of any branching program of polynomial length, which is sufficient to realize any access policy in NC1. The security of our protocol is proved under the Learning-with-Errors (LWE) and Short-Integer-Solution (SIS) assumptions. As a result of independent interest, we provide protocols for proving the correct evaluation of a committed branching program on a committed input.