Advances in Multimedia

Volume 2012, Article ID 630610, 9 pages

http://dx.doi.org/10.1155/2012/630610

## A Novel *k*-out-of-*n* Oblivious Transfer Protocol from Bilinear Pairing

Department of Information Management, Nanhua University, No. 55, Section 1, Nanhua Road, Dalin Township, Chiayi County 62249, Taiwan

Received 30 November 2011; Revised 13 March 2012; Accepted 27 March 2012

Academic Editor: Mohamed Hamdi

Copyright © 2012 Jue-Sam Chou. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited.

#### Abstract

Oblivious transfer (OT) protocols mainly contain three categories: 1-out-of-2 OT, 1-out-of-*n* OT, and *k*-out-of-*n* OT. In most cases, they are treated as cryptographic primitives and are usually executed without consideration of possible attacks that might frequently occur in an open network, such as an impersonation, replaying, or man-in-the-middle attack. Therefore, when used in certain applications, such as mental poker games and fair contract signings, some extra mechanisms must be combined to ensure the security of the protocol. However, after a combination, we found that very few of the resulting schemes are efficient enough in terms of communicational cost, which is a significant concern for generic commercial transactions. Therefore, we propose a novel *k*-out-of-*n* oblivious transfer protocol based on bilinear pairing, which not only satisfies the requirements of a *k*-out-of-*n* OT protocol, but also provides mutual authentication to resist malicious attacks. Meanwhile, it is efficient in terms of communication cost.

#### 1. Introduction

An oblivious transfer (OT) is an important primitive for designing security services. It can be used in various applications like the signing of fair contracts, oblivious database searches, mental poker games, privacy-preserving auctions, secure multiparty computations [1], and so on. In 1981, Rabin [2] first proposed an interactive OT scheme in which the probability of the receiver’s capability to decrypt a message sent by the sender is 1/2. Rabin used the proposed OT to design a 3-pass secret exchange (EOS) protocol, hoping that two parties can exchange their secrets fairly. In 1985, Even et al. [3] presented a more generalized OT, called 1-out-of-2 OT (), in which a sender sends two encrypted messages to a chooser with only one of which the chooser can decrypt. They also presented a contract-signing protocol by evoking multiple times to prevent one party from obtaining the other party’s contract signature without first showing his own. In 1986, Brassard et al. [4] further extended into a 1-out-of-*n* OT (, also known as “all-or-nothing”), in which only one out of *n* sent messages can actually be obtained by the chooser. The authors pointed out that their scheme can be used to implement a multiparty mental poker game [5] against a player coalition. In contrast to the interactive versions described above, Bellare and Micali [6] first proposed a noninteractive scheme in 1989. In this scheme, a user obliviously transfers two messages to another party equipped with two public keys to decrypt one of the messages.

From 1999 to 2001, based on the above-mentioned interactive and noninteractive OT schemes, Naor and Pinkas proposed some related OT methods, such as an adaptive [7], proxy [8], distributed [9], efficient [10], and efficient [11]. Here, is the final form of the OT schemes. In this form, from the *n* encrypted messages sent, the chooser can obtain *k* chosen messages in plaintext form without the sender’s knowledge regarding which part of the messages are decrypted. In Naor and Pinkas’s distributed schemes [9], the sender distributes two messages among *n* servers, and the chooser contacts servers to receive one of them. The authors claimed that their schemes can protect the privacy of both parties. However, in 2007, Ghodosi [12] showed two possible attacks on these schemes. In the first attack, two collaborating servers can reveal the chooser’s choice of , while, in the second attack, the chooser can learn both *M _{0}* and

*M*by colluding with only a single server. In 2002, Mu et al. [13] proposed three schemes constructed using RSA encryption, a Nyberg-Rueppel signature, and an ElGamal encryption scheme, respectively. Two of these are interactive, while the other can be either interactive or noninteractive. The authors claimed that their schemes are complete, robust, and flexible and induce a significant improvement in communication cost. However, in 2006, Ghodosi and Zaare-Nahandi [14] showed that these schemes fail to satisfy the requirements of an oblivious transfer protocol. In 2004, Ogata and Kurosawa [15] proposed another scheme, based on an RSA blind signature, which can be employed in either an adaptive or a nonadaptive manner. The authors claimed that their scheme can be applied to oblivious key searching. In 2005, three schemes are proposed [16–18]. Among these, Chu and Tzeng's scheme [16] is the most efficient as it needs only 2 passes to send 1024 k bits from the chooser to the sender, and bits from the sender to the chooser, where Data is a message or ciphertext, and represents the bit length of Data. In 2006, Parakh [19] proposed an elliptic-curve-based algorithm allowing to obliviously transfer his secrecy, , to with a 50% probability of success. However, we found that can decide whether can obtain his secret (which is one-to-one mapped to

_{1}*Pn*) by first assuming that . Under this assumption, upon receiving from

_{A}*B*,

*A*can obtain

*B*’s one-time random variable by computing . Then, by computing = ,

*A*can obtain . Subsequently, by computing (,

*A*obtains , just as does in step 5(b). Therefore, if finds = , it confirms that can obtain after the protocol runs; otherwise, it knows cannot obtain the value of . This violates

*B*’s privacy. In the same year, for coping with all possible attacks encountered in an open network, Kim and Lee [20] proposed two protocols, which are modified from Bellare-Micali noninteractive scheme [6] by appending the sender’s signature to make the sender undeniable about what he sent and be authentic to the chooser. However, we found, other than the weaknesses pointed by Chang and Shiao [21], Kohnfelder’s protocol still has the reblocking problem [22]. Because when modulus , message cannot be recovered by Bob. This makes legal Alice unable to be authenticated by Bob.

In 2007, Halevi and Kalai [23] proposed another scheme by using smooth projective hashing and showed that the used RSA composite in their scheme need not be a product of safe primes. Also in 2007, Camenish et al. and Green and Hohenberger proposed two related OT schemes [24, 25], respectively. Both focus on the security of full simulatability for the sender and receiver to resist against selective-failure attack [7]. In 2009, Qin et al. [26] proposed two noninteractive schemes. However, in their protocols, a receiver has to interact with a third party to obtain the choice-related secret key each time it wants to select one of the sent message. This makes their scheme somewhat inconvenient and inconsistent with the meaning of noninteractive protocols as indicated in the title (this phenomenon can also be found in some proposed noninteractive OT schemes). In the same year, Chang and Lee [27] presented a robust scheme using both the RSA blind signature and Chinese Remainder Theorem. However, we found their scheme fails since the sender can decide which parts of the messages were chosen by the chooser. We will describe this weakness in Section 3.2. In addition, in 2011, Ma et al. [28] proposed an oblivious transfer using a privacy scheme for a timed-release receiver. Their scheme has a good timed-release property. However, it needs to call ZKP times to learn *k* of the *n* sent messages. This makes their protocol less efficient. Moreover, it does not have mutual authentication. Therefore, when the sender and receiver want to communicate, they need a secure channel. Otherwise, without identity authentication, malicious attackers can simultaneously launch many ZKPs. This will degrade the system performance and may cause the system to suffer from a denial-of-service (DOS) attack (according to the definition in [29]).

After surveying all of the above-mentioned OT schemes, we found that almost all of them lack the consideration of adding security features. Only [2, 20] do consider the protection against all possible attacks. However, study [20] fails which we have described earlier. Hence, if we wish all of the proposed OT protocols, other than scheme [2], to be able to resist against various attacks, we should run them through secure channels. This would incur extra communicational overhead. For this reason, in this paper, we propose a novel interactive scheme that needs only two passes but can get rid of using a secure channel to avoid adding extra communicational overhead. It not only is simple in concept but also encompasses some essential security features such as mutual authentication, the prevention of man-in-the-middle (MIMA) attack, and replay attack. Thus, when compared with other interactive OT schemes, our scheme promotes not only in the communicational efficiency but also in the aspect of security.

The rest of this paper is organized as follows. The introduction has been presented in Section 1, and some preliminaries are shown in Section 2. In Section 3, we review Chang et al.’s scheme and show its weakness. After that, we show our protocol in Section 4. Then, the security analyses and communicational cost comparisons among related works and our scheme are made in Section 5. Finally, a conclusion is given in Section 6.

#### 2. Preliminaries

In this section, we briefly introduce the security features of our scheme in Section 2.1, the principles of bilinear pairing in Section 2.2, and some intractable problems used in this paper in Section 2.3.

##### 2.1. Security Features of Our Scheme

Just as traditional OT schemes, our also has two parties, the sender and the chooser . In the scheme, *S* obliviously transfers messages to *C*, and can choose messages among them without *S’s *knowledge about which *k* messages were selected, where and . In addition, our scheme also possesses the following three security features which are needed in a traditional OT scheme.

*(1) Correctness*

After the protocol run, should be able to obtain the valid data chosen by him before.

*(2) Chooser’s Privacy*

In the protocol, each of the chooser’s choices should not be known to the sender or any third party. More precisely, each of the chooser’s encrypted choice can be any valid choice with equal probability, that is, for an encrypted choice and any valid choice *x*, . This property is known as *Shannon perfect secrecy*.

*(3) Sender’s Privacy*

At end of the protocol run, the chooser cannot get any knowledge about the other messages it did not choose. More formally, the ciphertexts sent by the sender are semantically secure [30]. The chooser can obtain a plaintext decrypted from its ciphertext only if it has the key offered by the sender.

Except for the above three properties, our interactive scheme also has the following three security features, (4) through (6), to guard against possible security threats.

*(4) Impersonation Attack Resistance*

Each party has to authenticate the counterpart. That is, it should be a mutual-authentication OT.

*(5) Replaying Attack Resistance*

An adversary could not obtain any messages by only replaying old messages sent by the sender.

*(6) Man-in-the-Middle Attack (MIMA) Resistance*

MIMA is an attack that an adversary eavesdropping on the communication line between two communicating parties uses as some means to make them believe that they each are talking to the intended party. But indeed, they are talking to the adversary.

##### 2.2. Bilinear Pairing

Let be an additive group composed of points on an elliptic curve with order *q*, and let be a multiplicative group with the same order. A bilinear mapping is defined as which must satisfy the following properties [31].(1)Bilinear: a mapping is bilinear if for all , and all .(2)Nondegenerate: the mapping does not map all pairs in to the identity in .(3)Computable: there is an efficient algorithm to compute for any .(4)If is a generator for then is a generator for .(5)Commutative: for all .(6)Distributive: for all .

##### 2.3. Some Diffie-Hellman Problems

Let , let *P* be a base point of a group on an Elliptic curve, and let , , and *be *three groups with each having a prime order . Using these definitions, we describe some well-known intractable Diffie-Hellman problems [32] that will be used in this paper.

*(1) The Computational Diffie-Hellman (CDH) Problem*

In *G*, given , finding the element mod *q*.

*(2) The Decisional Diffie-Hellman (DDH) Problem*

In *G*, given , deciding whether mod *q*.

*(3) The Bilinear Computational Diffie-Hellman (BCDH) Problem*

Given in , finding in .

According to Boneh and Franklin’s study [31], the BCDH problem is no harder than the CDH problem in *G* (or equivalently ).

*(4) Chosen-Target CDH (CTCDH) Problem*

Let be a hash function, let be a target oracle which returns a random element in *G*, and a helper oracle which returns when queried by , where is an unknown random integer in . Also, let be the number of queries to and the number of queries to . The CTCDH problem is finding pairs of , with each satisfying , for and . Without loss of generality, we can let and be and *l*, respectively. The CTCDH problem can then be rephrased as that after obtaining ) and via querying the oracle and the helper oracle correspondingly, trying to find the *l*th pair without the knowledge of *c*. The CTCDH problem is proposed and considered as a hard problem by Boldyreva in 2002 [33]. Its former version in RSA is proved by Bellare et al. in [34].

#### 3. Review of Chang et al.’s Protocol

In 2009, Chang et al. proposed a robust scheme based on CRT, hoping that their scheme can achieve the security requirements of a general scheme. However, we found their scheme cannot satisfy the chooser’s privacy. In the following, we first review the scheme in Section 3.1 then show the weakness found in Section 3.2.

##### 3.1. Review

We roughly describe the protocol by listing the relevant steps in the following (see [27] for more details).

*Step 1. *After receiving the request from Bob for all messages , Alice owning these messages selects relatively prime integers, , and computes *D *= . She then constructs the congruence system
Furthermore, Alice computes the following values: , , and , where be the product of two large primes and be Alice public/private key pair satisfying , by using her public key . Finally, she publishes and the pairs of , for to *n*, in the public board.

*Step 2. *If Bob wants to learn messages among them, he must select pairs of (), for to *k*, from the public board and first generate corresponding random numbers , for each pair of (). Then, he subsequently computes the following:
by using Alice’s public key and sends back to Alice.

*Step 3. *Upon receiving the messages sent by Bob, Alice employs her private key to compute , and then sends the results to Bob.

*Step 4. *After receiving the messages from Alice, Bob computes the following values: . Consequently, Bob learns the demanded messages successfully by computing

##### 3.2. Weaknesses

Although Chang et al. claimed that their scheme can satisfy the security requirements demanded by the scheme, we found that Bob’s privacy has been violated, since according to their protocol, Alice first sets values of ( to *n*), and Bob commits his choices to the values of to *k*). After computing the values of ( to *k*), Alice can use each of the ( to *n*) to compute = , for to and to . In addition, using each , Alice can compute the values of ^{(*)} = , for *i *= 1 to *n*, to compare with the committed values, . For example, suppose Bob chooses the first message, mod *N*, and Alice wants to guess which Bob chose, Alice starts to use to compute = mod . He will get mod = . That is, Alice will find a match, , and knows that Bob chose the first message. Conversely, if Alice uses , () to compute , he will get ^{(*)} = mod *N*, which is not equal to . In other words, Alice cannot know the correct message that Bob chose. That is, once a pair, (, ), for example, has been matched, Alice knows that Bob chose the th message. Hence, we can easily see that such explorations cost at most multiplications to obtain , and multiplications and exponentiations to yield all values of ^{(*)}. Therefore, with at most () multiplications and exponentiations, it is computationally feasible for Alice to decide which values Bob selected, which violates Bob’s privacy.

#### 4. Proposed Protocol

In this section, we present our ID-based protocol based on bilinear pairings, which were proved and applied to cryptography by Boneh and Franklin in 2001 [31]. Our scheme consists of two phases: (1) an initialization phase and (2) an oblivious transfer phase. In the following, we first describe these two phases. Then, to demonstrate the chooser’s privacy preservation, we use a misleading attack for an explanation. As the receiver’s privacy preservation can be reasoned in a similar fashion, we omit its description here.

*(1) Initialization Phase*

In this phase, we adopt the same system parameters as the ones used in [31]. In addition, there also exists a trusted key generation center (KGC) which is assumed to be key-escrow-attack free. Initially, KGC chooses an additive group of order *q*, a multiplicative group of the same order, where is a bilinear mapping, that is, , and three one-way hash functions: *H*: , , and which maps a string (a user’s ID) to an element in , that is, :. Moreover, it selects as its private master key and computes the corresponding system public key as. Then, KGC publishes the system parameter set . After that, when a user (sender/chooser) registers his identifier , KGC will compute a public/private key pair for him, where = and = .

*(2) Oblivious Transfer Phase*

In this phase, when a sender possessing messages (,, and ) wants to obliviously transfer messages of them (and ) to a chooser, they together will execute the following steps, where the public/private key pairs of the sender and chooser are / and /, respectively, and are the set of choices selected by the chooser in advance. We also depict them in Table 1.

*Step 1. *The chooser randomly chooses two integers* a*,* b * and computes , , where and are the random choices. After that, he generates a signature Sig on by computing and . Then, he sends together with Sig to the sender.

*Step 2. *After receiving and Sig from the chooser, the sender computes and verifies the chooser’s signature by checking whether the equation = holds. If it holds, he believes that the chooser is the intended party as claimed. Then, the sender randomly chooses an integer and computes and , where , and are the messages. He/She then sends to the chooser.

*Step 3. *After receiving the message , and from the sender, the chooser can obtain the *k* intended messages by at most computing the equation, times.

*(3) A Misleading Attack for Chooser’s Privacy Preservation*

To demonstrate the chooser’s privacy more clearly, we take the following as a counterexample. According to step 1 in our protocol, the chooser computes , where and *j *= 1 to . Since and are both the same for and , a misleading attack may be that . A malicious sender can pre-compute for each in the interval . After receiving from the chooser, he computes each for all in for a comparison with the precomputed values. Consequently, the sender may guess some or all of the chooser’s choices. Therefore, the protocol cannot achieve chooser privacy. However, the mistake here is that both and are points in the additive group . The division operation is invalid because is an additive group.

#### 5. Security Analysis

In this section, we use the following claims to show that our protocol not only is correct but also possesses the properties of mutual authentication, chooser’s privacy, and sender’s privacy and can resist against active attacks such as relay attack, man-in-the-middle attack, and denial of service attack.

*Claim 1. *The proposed protocol is correct.

*Proof. *After the protocol runs, the chooser can exactly obtain the messages which he/she selected by computing

*Claim 2. *The proposed protocol can achieve mutual authentication.

*Proof. *We show the holdness of this claim by using the following two reasons.

(1)Apparently, it can be easily seen that the sender can authenticate the chooser by verifying the chooser’s signature, Sig (as described in step 2 of the oblivious transfer phase).(2)For that the ciphertext contains the sender’s private key , the chooser can compute the meaningful message only via using the sender’s public key (also refer to the equation in claim 1). This means that only the true sender can produce the right and thus can be authenticated by the chooser using his public key.

*Claim 3. *The proposed protocol can achieve the chooser’s privacy.

*Proof. *Due to the fact that each of the chooser’s choices are first hashed and randomized by and respectively, and then signed as by chooser in step 1, where is a random number. We argue that nobody except for the chooser can know the choice . Because even an attacker might steal the chooser’s private key , he/she cannot obtain from owing to the hardness of ECDLP. That is, he cannot figure out , and therefore not to mention . More formally, let ; that is, consists of all the possible ordered pairs satisfying the equation . If we are given a value , then under fixed , there only exists a unique value satisfying the equation. And for a given , under the definition of a collision-free one-way hash function, once has been determined, the value of is determined as well. That is, the relationship between and is one-to-one. Having this observation in mind and the dimension of is *n*, we can see that there are pairs in . In other words, Pr [] = Pr [] = which means that, under seeing a specific , the choice of the chooser cannot be revealed other than guessing. This achieves the *Shannon perfect secrecy*. Therefore, the proposed protocol possesses chooser’s privacy.

*Claim 4. *The proposed scheme can achieve the sender’s privacy.

*Proof. *Assume that malicious chooser wants to obtain more than messages in the protocol. If he/she could succeed, then, the sender’s privacy is violated (see Section 2.1). However, we will prove that, other than his *k* chosen messages, it is computationally infeasible for to obtain the th message by using the following two arguments, (I) and (II). In argument (I), we show why must follow the protocol to form the values of and ; otherwise, he/she cannot obtain the chosen messages. In argument (II), we show that if intends to obtain the th message, he/she will face the intractable CTCDH problem under the assumption that is a random hash function.

*Argument (I)*

must follow the protocol to form the values of and , for to *k*; otherwise, he cannot obtain the chosen messages, .

In the following, we further divide this argument into three cases: (a) fakes but forms honestly, (b) fakes but forms honestly, and (c) fakes both the values of and . (For each case’s explanation, refer to Table 1.)

(a) fakes but forms honestly. Assume that is dishonest in forming but forms honestly as specified in the protocol. For example, without loss of generality, it replaces with a specific and computes . Then, the sender will compute , and send them back to . As a result, cannot decrypt ) to obtain the messages since is obviously not equal to (refer to claim 1). Perhaps, for obtaining the messages, may try another way by computing expected to be equal to . But this is computationally infeasible since does not know both the sender’s private key and the one-time secrecy . To extract from is an ECDLP.(b) fakes but forms honestly. Assume that is dishonest in forming but forms in the same manner as specified in the protocol. For example, without loss of generality, he replaces each with a specified and computes . Then, the sender will compute , for to *n*, and send them back to . As a result, cannot decrypt since is obviously not equal to . Perhaps, for obtaining the messages, may try another way by computing expected to be equal to . But again this is computationally infeasible since does not know both the sender’s private key and the one-time secrecy . Even he knows , extracting from is an ECDLP. Hence, cannot compute the value to decrypt for obtaining the messages, .(c) fakes both the values of and . Without loss of generality, we assume that replaces with and also fakes as *H*()*X*. Under this construction, the value of computed by the sender would be and the ciphertexts would be , for to *k*, or equivalently, . Although, knows the value of (since it just equals to received from the sender), it still cannot compute without the knowledge of . From above description, we know that when the setting of is and is , cannot obtain . Not to mention, might set as , where is a random chosen element in . In summary, cannot obtain the selected messages under the violation of setting both the values, and .

*Argument (II)*

If follows the protocol honestly to obtain messages, but intends to extract the th message then it will face the intractable CTCDH problem under the assumption that is a random hash function.

That wants to obtain message implies would have the knowledge of (in fact, according to argument (I), an honest chooser could know of the values, , for to , since = , for and to *k*). Let and . According to argument (I), for obtaining the chosen messages, cannot change the structures of and . Under this situation, only can be decomposed as since and . Moreover, under the assumption that is a random hash function and the fact that has the knowledge of , and , can be represented as , where equals to and is a random element in due to the assumption that is a random hash function. Consequently, the problem really faces is finding the th pair () with the knowledge of pairs of (, , and (, ), where , but without the knowledge of sender’s one-time secrecy *c* (since it is an ECDLP for extracting from . This is known as the intractable CTCDH problem introduced in Section 2.3 by letting . Therefore, the chooser cannot obtain the th message.

According to arguments I and II, we have proven claim 4 that our scheme has the sender’s privacy.

*Claim 5. *The proposed scheme can resist against replay attack.

*Proof. *Suppose that an adversary intercepts a chooser’s OT request (containing , and Sig) and replays it later. After receiving the sender’s new response , computed from the replayed and , the adversary cannot obtain the selected messages by computing since he/she does not know the value of embedded in the replayed message . It is computationally infeasible for the adversary to extract from , due to the hardness of ECDLP.

*Claim 6. *The proposed scheme can resist against man-in-the-middle attack (MIMA).

*Proof. *MIMA is an attack that an adversary intercepts the communication line between two communicating parties and uses some means to make them believe that they each are talking to the intended party as claimed. But indeed, they are talking to . Figure 1 illustrates the scenario of such a MIMA. We first argue that the adversary cannot succeed in this scenario since it cannot generate the valid message (2), (, Sig′) as shown in the figure. More clearly, without the knowledge of chooser’s private key , he/she cannot forge a valid signature Sig′ in message (2) to be successfully verified by the sender since Sig′ should be equal to . In addition, it is also hard for to forge valid message (4), (), to be accepted by the chooser. Since that for embedding a meaningful into , *E* must have the knowledge of . Although *E* can choose another random nonce such that , it still has to know the sender’s private key to form the valid . Therefore, without the knowledge of , *E* cannot launch such a MIMA attack.

*Claim 7. *The proposed scheme can resist a denial of service attack (DOS).

*Proof. *Our protocol has a built-in mutual authentication property; thus, it can prevent this kind of attack, as the sender needs only one hash and two bilinear pairing computations to authenticate the chooser in step (2). Once the sender finds that the authenticating equation does not hold, it aborts the procedure.

##### 5.1. Communicational Cost Comparisons

Generally, the communicational cost of a protocol run consists of three factors: (1) needed passes, (2) computational overhead, and (3) needed transmission data size (NTDS) or bandwidth consumption. It is well known that factor (1) is always dominant over factor (2). Hence, in this section, we focus only on factor (1) and (3) to demonstrate the communication cost comparisons among our nonadaptive protocol and the other same type protocols, such as Chu and Tzeng’s [16] (which is to our best knowledge, the most efficient scheme up to date), Mu et al.’s [13], Naor and Pinkas’s [7], and recent works [17, 18, 24, 27]. From factor (1), our scheme is the most efficient since it only requires two passes. As to factor (3), the data size transmitted in our scheme is also the minimal among such type of schemes. For demonstrating this in the following, we will first describe two underlying facts and used notations for making comparisons about factor (3).

Generally speaking, we have the following two facts for cryptosystems.

*Fact 1. *To the same security level, a RSA cryptosystem would require a key length of 1024 bits while an ECC-based cryptosystem only needs 160 bits.

*Fact 2. *The length of the ciphertexts for RSA, ElGamal, and ECC-based cryptosystems is 1024 bits, 1024 bits, and 160 bits, correspondingly.

*Notations*

We use to represent the bit length of a *string*, or the required bit length that an *action* performs.

After the description of used facts and notations, we now use them to estimate the needed transmission data size (NTDS) of our scheme and the above-mentioned protocols. In our scheme, each of the variables transmitted between the chooser and sender is an ECC point. Thus, the NTDS from the chooser to the sender is estimated as bits and from the sender to the chooser is bits. Naor and Pinkas’s scheme [7] constructs their scheme by evoking an primitive times. Thus, the needed number of passes is times the number of passes required in one of their ’s protocol run and likewise the NTDS is about times of the NTDS that an ’s work demands. Therefore, their scheme has the most expensive communicational cost. As for Camenisch et al.’s protocol [24], the communicational cost is expensive as well due to the complexity of the protocol. In their protocol, the sender first sends commitments to the chooser, and then the sender and the chooser together run a proof-of-knowledge (Pok) subprotocol for assuring the correctness of the commitments. If the proof is valid, the sender sends ciphertexts to the chooser, and the chooser then runs the BlindExtract subprotocol times with the help of the sender to extract the blind choices to decrypt the ciphertexts.

Consequently, the number of passes for executing protocol [24] is , where Pok represents the required passes for executing the proof-of-knowledge subprotocol. Besides, the NTDS from chooser to sender is estimated as and from sender to chooser is . Similarly, the passes and NTDS of other studies can be estimated in the same manner. We show the comparison results in Table 2.

From Table 2, we can see that our scheme not only possesses the mutual authentication function but also is the most efficient in both needed passes and NTDS among these related. Therefore, our scheme can be gracefully used when applied in commercial applications (e.g., Kerschbaum et al.’s method [1] used OT scheme as a building block in constructing RFID benchmarking protocols).

#### 6. Conclusion

An OT scheme which is secure and efficient in communicational cost is essential and eager for commercial applications. After reviewing most of the OT schemes, we found that, other than considering the protocol’s correctness and privacy of both communication parties, almost all of them lack the security services, such as mutual authentication, and the prevention of replay, DOS, and main-in-the-middle attacks. Hence, they should run under a secure channel when applied in commercial applications. This will increase execution overhead. Therefore, to get rid of using the secure channel (for improving the communicational efficiency in some applications, such as mental poker playing, oblivious key searching), we propose a novel *k*-out-of-*n* oblivious transfer protocol by combining an OT scheme with a security mechanism based on bilinear pairing. We have proved that our scheme not only is correct but also possesses the properties of mutual authentication, the sender’s privacy, and the chooser’s privacy and can resist against replay and MIMA attacks. Further, we have compared our scheme with other nonadaptive *k*-out-of-*n* OT schemes in the aspects of needed passes, NTDS, and the function of mutual authentication and shown the result in Table 2. From Table 2, we can see that our scheme is the most efficient in communicational cost (including needed passes and NTDS). In addition, to our knowledge, it is the only scheme that has successfully integrated the function of mutual authentication nowadays.

#### References

- F. Kerschbaum, N. Oertel, and L. W. F. Chaves, “Privacy-preserving computation of benchmarks on item-level data using RFID,” in
*Proceedings of the 3rd ACM Conference on Wireless Network Security (WiSec '10)*, pp. 105–110, March 2010. View at Publisher · View at Google Scholar · View at Scopus - M. O. Rabin, “How to exchange secrets with oblivious transfer,” Tech. Rep. TR-81, Aiken Computation Lab, Harvard University, Cambridge, Mass, USA, 1981. View at Google Scholar
- S. Even, O. Goldreich, and A. Lempel, “A randomized protocol for signing contracts,”
*Communications of the ACM*, vol. 28, no. 6, pp. 637–647, 1985. View at Publisher · View at Google Scholar · View at Scopus - G. Brassard, C. Crepeau, and J.-M. Robert, “All-or-nothing disclosure of secrets,” in
*Proceedings of the International Conference on Advances in Cryptology (CRYPTO '86)*, vol. 263 of*Lecture Notes in Computer Science*, pp. 234–238, 1986. - J. S. Chou and Y. S. Yeh, “Mental poker game based on a bit commitment scheme through network,”
*Computer Networks*, vol. 38, no. 2, pp. 247–255, 2002. View at Publisher · View at Google Scholar · View at Scopus - M. Bellare and S. Micali, “Non-interactive oblivious transfer and application,” in
*Proceedings of the International Conference on Advances in Cryptology (CRYPTO '89)*, vol. 435 of*Lecture Notes in Computer Science*, pp. 547–557, 1989. - M. Naor and B. Pinkas, “Oblivious transfer with adaptive queries,” in
*Proceedings of the International Conference on Advances in Cryptology (CRYPTO '99)*, Lecture Notes in Computer Science, pp. 573–590, 1999. - M. Naor, B. Pinkas, and R. Sumner, “Privacy preserving auctions and mechanism design,” in
*Proceedings of the 1st ACM Conference on Electronic Commerce*, 1999. - M. Naor and B. Pinkas, “Distributed oblivious transfer,” in
*Proceedings of the International Conference on Advances in Cryptology (CRYPTO '00)*, vol. 1976 of*Lecture Notes in Computer Science*, 2000. - M. Naor and B. Pinkast, “Oblivious transfer and polynomial evaluation,” in
*Proceedings of the 31st Annual ACM Symposium on Theory of Computing (FCRC '99)*, pp. 245–254, May 1999. View at Scopus - M. Naor and B. Pinkas, “Efficient oblivious transfer protocols,” in
*Proceedings of the 12th annual ACM-SIAM symposium on Discret Mathematics (SODA '01)*, pp. 448–457, 2001. View at Scopus - H. Ghodosi, “On insecurity of Naor-Pinkas' distributed oblivious transfer,”
*Information Processing Letters*, vol. 104, no. 5, pp. 179–182, 2007. View at Publisher · View at Google Scholar · View at Scopus - Y. Mu, J. Zhang, and V. Varadharajan, “m out of n oblivious transfer,” in
*Proceedings of the 7th Australasian Conference on Information Security and Privacy (ACISP '02)*, vol. 2384 of*Lecture Notes in Computer Science*, pp. 395–405, 2002. - H. Ghodosi and R. Zaare-Nahandi, “Comments on the ‘m out of n oblivious transfer’,”
*Information Processing Letters*, vol. 97, no. 4, pp. 153–155, 2006. View at Publisher · View at Google Scholar · View at Scopus - W. Ogata and K. Kurosawa, “Oblivious keyword search,”
*Journal of Complexity*, vol. 20, no. 2-3, pp. 356–371, 2004. View at Google Scholar · View at Scopus - C. K. Chu and W. G. Tzeng, “Efficient
*k*-out-of-*n*oblivious transfer schemes with adaptive and non-adaptive queries,” in*Proceedings of the 8th International Workshop on Theory and Practice in Public Key Cryptography (PKC '05)*, pp. 172–183, January 2005. View at Scopus - J. Zhang and Y. Wang, “Two provably secure
*k*-out-of-*n*oblivious transfer schemes,”*Applied Mathematics and Computation*, vol. 169, no. 2, pp. 1211–1220, 2005. View at Publisher · View at Google Scholar · View at Scopus - H. F. Huang and C. C. Chang, “A new design for efficient t-out-n oblivious transfer scheme,” in
*Proceedings of the 19th International Conference on Advanced Information Networking and Applications (AINA '05)*, pp. 28–30, March 2005. View at Publisher · View at Google Scholar · View at Scopus - A. Parakh, “Oblivious transfer using elliptic curves,” in
*Proceedings of the 15th International Conference on Computing (CIC '06)*, pp. 323–328, November 2006. View at Publisher · View at Google Scholar · View at Scopus - S. Kim and G. Lee, “Secure verifiable non-interactive oblivious transfer protocol using RSA and Bit commitment on distributed environment,”
*Future Generation Computer Systems*, vol. 25, no. 3, pp. 352–357, 2009. View at Publisher · View at Google Scholar · View at Scopus - Y. F. Chang and W. C. Shiao, “The essential design principles of verifiable non-interactive OT protocols,” in
*Proceedings of the 8th International Conference on Intelligent Systems Design and Applications (ISDA '08)*, pp. 241–245, November 2008. View at Publisher · View at Google Scholar · View at Scopus - L. M. Kohnfelder, “On the signature reblocking problem in public-key cryptography,”
*Communications of the ACM*, vol. 21, no. 2, p. 179, 1978. View at Google Scholar - S. Halevi and Y. T. Kalai, “Smooth projective hashing and two-message oblivious transfer,” Cryptology ePrint Archive 2007/118, 2007. View at Google Scholar
- J. Camenisch, G. Neven, and A. Shelat, “Simulatable adaptive oblivious transfer,” in
*Proceedings of the Annual International Conference on the Theory and Applications of Cryptographic Techniques*, vol. 4515 of*Lecture Notes in Computer Science*, pp. 573–590, 2007. View at Scopus - M. Green and S. Hohenberger, “Blind identity-based encryption and simulatable oblivious transfer,” Cryptology ePrint Archive 2007/235, 2007. View at Google Scholar
- J. Qin, H. W. Zhao, and M. Q. Wang, “Non-interactive oblivious transfer protocols,” in
*Proceedings of the International Forum on Information Technology and Applications (IFITA '09)*, pp. 120–124, May 2009. View at Publisher · View at Google Scholar · View at Scopus - C. C. Chang and J. S. Lee, “Robust
*t*-out-of-*n*oblivious transfer mechanism based on CRT,”*Journal of Network and Computer Applications*, vol. 32, no. 1, pp. 226–235, 2009. View at Publisher · View at Google Scholar · View at Scopus - X. Ma, L. Xu, and F. Zhang, “Oblivious transfer with timed-release receiver's privacy,”
*Journal of Systems and Software*, vol. 84, no. 3, pp. 460–464, 2011. View at Publisher · View at Google Scholar · View at Scopus - W. Stallings,
*Cryptography and Network Security—Principals and Practices*, Prentice Hall, Upper Saddle River, NJ, USA, 3rd edition, 2003. - S. Goldwasser and S. Micali, “Probabilistic encryption & how to play mental poker keeping secret all partial information,” in
*Proceedings of the 40th annual ACM symposium on Theory of Computing (STOC '82)*, pp. 365–377, 1982. - D. Boneh and M. K. Franklin, “Identity-based encryption from the Weil pairing,” in
*Proceedings of the International Conference on Advances in Cryptology (CRYPTO '01)*, vol. 2139 of*Lecture Notes in Computer Science*, pp. 213–229, 2001. - D. R. Stinson,
*Cryptography—Theory & Practice*, Chapman & Hall/CRC Taylor & Francis Group, 3rd edition, 2006. - A. Boldyreva, “Threshold signatures, multisignatures and blind signatures based on the Gap-Diffie-Hellman-group signature scheme,” in
*Proceedings of the 6th International Workshop on Theory and Practice in Public Key Cryptography*, vol. 2567 of*Lecture Notes in Computer Science*, pp. 31–46, 2003. - M. Bellare, C. Namprempre, D. Pointcheval, and M. Semanko, “The one-more-RSA-inversion problems and the security of chaum's blind signature scheme,” in
*Proceedings of Financial Cryptography (FC '01)*, vol. 2248 of*Lecture Notes in Computer Science*, pp. 319–338, 2003.