Universally Composable Adaptive Oblivious Transfer

In an oblivious transfer <Emphasis FontCategory="SansSerif">(OT)</Emphasis> protocol, a Sender with messages <em>M</em> <Subscript>1</Subscript>,...,<em>M</em> <Subscript> <em>N</em> </Subscript> and a Receiver with indices <em>***</em> <Subscript>1</Subscript>,...,<em>***</em> <Subscript> <em>k</em> </Subscript> *** [1,<em>N</em> ] interact in such a way that at the end the Receiver obtains $M_{\sigma_1},\dots,M_{\sigma_k}$ without learning anything about the other messages and the Sender does not learn anything about <em>***</em> <Subscript>1</Subscript>,...,<em>***</em> <Subscript> <em>k</em> </Subscript> . In an <em>adaptive</em> protocol, the Receiver may obtain $M_{\sigma_{i-1}}$ before deciding on <em>***</em> <Subscript> <em>i</em> </Subscript> . Efficient adaptive <Emphasis FontCategory="SansSerif">OT</Emphasis> protocols are interesting as a building block for secure multiparty computation and for enabling oblivious searches on medical and patent databases.

Historically, adaptive <Emphasis FontCategory="SansSerif">OT</Emphasis> protocols were analyzed with respect to a "half-simulation" definition which Naor and Pinkas showed to be flawed. In 2007, Camenisch, Neven, and shelat, and subsequent other works, demonstrated efficient adaptive protocols in the full-simulation model. These protocols, however, all use standard rewinding techniques in their proofs of security and thus are not universally composable. Recently, Peikert, Vaikuntanathan and Waters presented universally composable (UC) <em>non-adaptive</em> <Emphasis FontCategory="SansSerif">OT</Emphasis> protocols for the 1-out-of-2 variant, in the static corruption model using certain trusted setup assumptions. However, it is not clear how to preserve UC security while extending these protocols to the adaptive <em>k</em> -out-of-<em>N</em> setting. Further, any such attempt would seem to require <em>O</em> (<em>N</em> ) computation per transfer for a database of size <em>N</em> . In this work, we present an efficient and UC-secure <em>adaptive</em> <em>k</em> -out-of-<em>N</em> <Emphasis FontCategory="SansSerif">OT</Emphasis> protocol in the same model as Peikert <em>et al.</em>, where after an initial commitment to the database, the cost of each transfer is <em>constant</em> . Our construction is secure under bilinear assumptions in the standard model.