We propose an elliptic curve-version of oblivious transfer (ECOT) protocol which transfers points on an elliptic curve, instead of binary strings.
Oblivious transfer (OT) is an important cryptographic primitive used in many cryptographic protocols as a building block. In the oblivious transfer protocols, the sender has messages m0 and m1 and the receiver wishes to retrieve one of the two messages without showing the sender which message was actually retrieved. OTs usually transfer binary strings, but in our protocol points on an elliptic curve are transfered.
For more details, please refer to Wikipedia article.
Let G be the basepoint of the elliptic curve. Let M0 and M1 be messages the sender wishes to send. Let b be the index that receiver wishes to fetch (in the final step of or protocol, receiver will get Mb without disclosing the index b to the sender).
- Sender (S)
- Pick random numbers x0 and x1. Send X0 := x0G and X1 := x1G to the receiver.
- Receirver (R)
- Pick a random number k and send K := kXb to the sender.
- Sender (S)
- Send the following two points to the receiver.
- M0' := M0 + x0-1 K
- M1' := M1 + x1-1 K
- Send the following two points to the receiver.
- Receiver (R)
- Compute Mb' - kG to get Mb.
Mb' - kG = Mb + xb-1・kxbG = Mb
The only variable the sender receives from the receiver is K, which is uniformly random because it is multiplied by a random k.
M1-b' = M1-b + kxbx1-b-1G
Since xbx1-b-1G is not known to the reciever, it is impossible to extract M1-b (within a probabilistic polynomial time).
We only use a group addition, it is an easy exercise to convert the protocol to work with (Z/pZ)☓. We note that the element inversion (x → x-1) should be computed in Z/φ(p-1)Z, which requires the factorization of p-1.
Yes. To do so, the sender should send {xiG}i at the first step and {Mi + xi-1 K}i at the third step. The communication cost is thus linear in the number of messages, which is comparably inefficient to the context of private information retrieval (PIR).
Any point on an elliptic curve can be serialized to a binary string (the most straightforward way is to concatenate the binary expression of x- and y-coordinates), which can be transfered by binary OTs.
On the other hand, a binary string can be converted into a point on an elliptic curve by identifying the binary string to the x-coordinate of the point on an elliptic curve. In this case, the final binary message can be extracted from the x-coordinate of the EC-point message. There are two possible candidates of y for a single x because if (x, y) is on a curve, (x, -y) is also on a curve. You can choose either points arbitrary since y-coordinate will be discarded at the final step of this protocol.