
Oblivious Transfer Based Protocol

5.3 Protocol Description

5.3.3 Oblivious Transfer Based Protocol

The purpose of this protocol is for the user to obtain one and only one record from the cell in the public grid P, shown in Figure 5.4. We achieve this by constructing a 2-dimensional oblivious transfer, based on the ElGamal oblivious transfer [5, 76], using adaptive oblivious transfer proposed by Naor et al. [75].

The public grid $P$, known by both parties, has $m$ columns and $n$ rows. Each cell in $P$ contains a symmetric key $k_{i,j}$ and a cell id in grid $Q$, i.e., $(ID_{Q_{i,j}}, k_{i,j})$, which can be represented by a stream of bits $X_{i,j}$. The user determines his/her $i, j$ coordinates in the public grid, which are used to acquire the data from the cell within the grid. The protocol is initialised by the server by generating $m \times n$ keys of the form $g^{R_i} \| g^{C_j}$.

This initialisation is presented in Algorithm 19.

Algorithm 19 Initialisation

Input: $X_{1,1}, \ldots, X_{m,n}$, where $X_{i,j} = ID_{Q_{i,j}} \| k_{i,j}$

Output: $Y_{1,1}, \ldots, Y_{m,n}$

1: $K_{i,j} \leftarrow g^{R_i} \| g^{C_j}$, for $1 \le i \le n$ and $1 \le j \le m$, where $R_i$ and $C_j$ are randomly chosen

2: $Y_{i,j} \leftarrow X_{i,j} \oplus H(K_{i,j})$, for $1 \le i \le n$ and $1 \le j \le m$, where $H$ is a fast secure hash function

3: return $Y_{1,1}, \ldots, Y_{m,n}$ {Encryptions of $X_{1,1}, \ldots, X_{m,n}$ using $K_{i,j}$}

Algorithm 19 is executed once and the output $Y_{1,1}, \ldots, Y_{m,n}$ is sent to the user. At this point, the user can query this information using the indices $i$ and $j$ as input. This protocol is presented in Algorithm 20.

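Algorithm 20 Transfer

Input: User: $i, j$

Output: User: $(ID_{Q_{i,j}}, k_{i,j})$

1: User

2: $y \leftarrow g^x$, where $y$ is the public key of the user and $x$ is chosen at random

3: $C_1 \leftarrow (A_1, B_1) = (g^{r_1}, g^{-i} y^{r_1})$

4: $C_2 \leftarrow (A_2, B_2) = (g^{r_2}, g^{-j} y^{r_2})$

5: Server $\Leftarrow C_1, C_2$

6: Server

7: $C'_{1,\alpha} \leftarrow (A_1^{r'_\alpha}, g^{R_\alpha}(g^{\alpha} B_1)^{r'_\alpha})$ for $1 \le \alpha \le n$

8: $C'_{2,\beta} \leftarrow (A_2^{r'_\beta}, g^{C_\beta}(g^{\beta} B_2)^{r'_\beta})$ for $1 \le \beta \le m$

9: User $\Leftarrow C'_{1,1}, \ldots, C'_{1,n}, C'_{2,1}, \ldots, C'_{2,m}$

10: User

11: Let $(U_{1,i}, V_{1,i}) = C'_{1,i}$ and $(U_{2,j}, V_{2,j}) = C'_{2,j}$

12: $W_1 \leftarrow V_{1,i}/(U_{1,i})^x$

13: $W_2 \leftarrow V_{2,j}/(U_{2,j})^x$

14: $K'_{i,j} \leftarrow W_1 \| W_2$

15: $X'_{i,j} \leftarrow Y_{i,j} \oplus H(K'_{i,j})$

16: Reconstruct $(ID_{Q_{i,j}}, k_{i,j})$ from $X'_{i,j}$

17: return $(ID_{Q_{i,j}}, k_{i,j})$ {Cell id of grid $Q$, with associated cell key}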

At the conclusion of the protocol presented by Algorithm 20, the user has the information to query the location server for the associated block.

Theorem 5. Assume that the user and server follow Algorithms 19 and 20 correctly, then $X'_{i,j} = Y_{i,j} \oplus H(K_{i,j})$.

Proof: We begin this proof by showing that $K_{i,j} = K'_{i,j}$. In the initialisation algorithm (Algorithm 19) $K_{i,j}$ is calculated as $K_{i,j} = g^{R_i} \| g^{C_j}$. At the end of the transfer protocol, the user computes $K'_{i,j}$ as $W_1 \| W_2$. We now need to prove that $W_1$ and $W_2$ equal $g^{R_i}$ and $g^{C_j}$ respectively. $W_1$ is computed as $V_{1,i}/(U_{1,i})^x$, where $U_{1,\alpha} = A_1^{r'_\alpha} = (g^{r_1})^{r'_\alpha} = g^{r_1 r'_\alpha}$ and $V_{1,\alpha} = g^{R_\alpha}(g^{\alpha} B_1)^{r'_\alpha} = g^{R_\alpha}(g^{\alpha} g^{-i} y^{r_1})^{r'_\alpha}$, for $1 \le \alpha \le n$. When $\alpha = i$ then $V_{1,i} = g^{R_i}(y^{r_1})^{r'_i} = g^{R_i} y^{r_1 r'_i}$. Raising $U_{1,i}$ to the power $x$ gives $(U_{1,i})^x = (g^{r_1 r'_i})^x = g^{x r_1 r'_i} = y^{r_1 r'_i}$. Therefore, $W_1 = V_{1,i}/(U_{1,i})^x = g^{R_i}$. By similar means we can prove that $W_2 = V_{2,j}/(U_{2,j})^x = g^{C_j}$. Since $W_1 \| W_2 = g^{R_i} \| g^{C_j}$, then $K_{i,j} = K'_{i,j}$. Since $\oplus$ is self inverse and given that $Y_{i,j} = X_{i,j} \oplus H(K_{i,j})$, it follows that $X_{i,j} = Y_{i,j} \oplus H(K_{i,j})$. Using knowledge of $K_{i,j}$, the user can compute $X_{i,j}$ as desired. This completes the proof.
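Algorithms 19 and 20 and the identity in Theorem 5, run end to end as an added Python example (not code from the original text). It assumes a toy 10-bit group (P = 1019, Q = 509, G = 4, picked here only so the exchange runs instantly), 0-based indices, and SHAKE-256 standing in for H; all function names, the `probe` parameter and the grid contents are constructed for this example.

```python
import hashlib
import secrets

# Toy group (assumption): safe prime P = 2Q + 1; G = 4 generates the order-Q subgroup.
P, Q, G = 1019, 509, 4

def rand_exp():
    return secrets.randbelow(Q - 1) + 1            # uniform in [1, Q-1]

def pad(K, n):                                     # H(K); K = (W1, W2) stands for W1 || W2
    return hashlib.shake_256(f"{K[0]}|{K[1]}".encode()).digest(n)
def xor(a, b):
    return bytes(s ^ t for s, t in zip(a, b))

def initialise(X):
    """Algorithm 19: Y[i][j] = X[i][j] xor H(g^R_i || g^C_j)."""
    R = [rand_exp() for _ in X]
    C = [rand_exp() for _ in X[0]]
    Y = [[xor(x, pad((pow(G, R[i], P), pow(G, C[j], P)), len(x)))
          for j, x in enumerate(row)] for i, row in enumerate(X)]
    return R, C, Y

def user_query(idx, x):
    """Steps 3-4: (A, B) = (g^r, g^-idx * y^r) with y = g^x."""
    r, y = rand_exp(), pow(G, x, P)
    return pow(G, r, P), pow(G, -idx, P) * pow(y, r, P) % P

def server_respond(query, secret_exps):
    """Steps 7-8: (A^r', g^s * (g^a * B)^r') for every row (or column) a."""
    A, B = query
    out = []
    for a, s in enumerate(secret_exps):
        rp = rand_exp()                            # fresh r' per ciphertext
        out.append((pow(A, rp, P), pow(G, s, P) * pow(pow(G, a, P) * B % P, rp, P) % P))
    return out

def user_open(ct, x):                              # steps 12-13: W = V / U^x
    return ct[1] * pow(ct[0], -x, P) % P

def transfer(i, j, R, C, Y, probe=None):
    """Algorithm 20 end to end; probe=(i2, j2) tries to open a cell that was not queried."""
    x = rand_exp()
    rows = server_respond(user_query(i, x), R)
    cols = server_respond(user_query(j, x), C)
    i2, j2 = probe or (i, j)
    K = (user_open(rows[i2], x), user_open(cols[j2], x))
    return xor(Y[i2][j2], pad(K, len(Y[i2][j2])))

GRID = [[f"ID{i}{j}|k{i}{j}".encode() for j in range(4)] for i in range(3)]  # constructed
```

Opening a ciphertext for any row or column other than the queried one leaves a factor $g^{(\alpha - i) r'_\alpha}$ on $g^{R_\alpha}$, so the derived pad does not decrypt that cell.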