A new efficient k-out-of-n Oblivious Transfer protocol

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

This paper presents a new efficient protocol for k-out-of-n oblivious transfer which is a generalization of Parakh’s 1-out-of-2 oblivious transfer protocol based on Diffie-Hellman key exchange. In the proposed protocol, the parties involved generate Diffie-Hellman keys obliviously and then use them for oblivious transfer of secrets.


💡 Research Summary

The paper introduces a novel k‑out‑of‑n Oblivious Transfer (OT) protocol that extends Parakh’s 1‑out‑of‑2 DH‑based OT to support the selection of any k secrets out of n available ones while preserving the classic OT security guarantees. The authors begin by outlining the importance of OT in secure multi‑party computation, private information retrieval, and other privacy‑preserving applications, noting that existing general‑purpose k‑out‑of‑n constructions typically require three or more communication rounds and incur substantial computational overhead.

The core contribution is a two‑round protocol that runs the Diffie‑Hellman (DH) key exchange in an “oblivious” manner. The sender S and receiver R agree on a large prime p and a generator g; S picks a private exponent a and publishes A = g^a mod p, while R, whose choice is a set I ⊂ {1,…,n} of k indices, forms one DH public value B_i per index i. What makes the exchange oblivious is an asymmetry in what R knows about these values: for i ∈ I, R holds an exponent b_i with B_i = g^{b_i} mod p, whereas for i ∉ I it can only produce a B_i whose discrete logarithm it does not know (DH‑based OT normally achieves this by deriving the unchosen values from a public group element with unknown discrete logarithm). S, who cannot tell the two kinds of B_i apart, computes the n shared keys K_i = B_i^a mod p in the same way for every i, while R can compute K_i’ = A^{b_i} mod p, which equals K_i, only for i ∈ I.

In the second round, S encrypts each secret M_i with a symmetric cipher keyed by H(K_i), where H is a cryptographic hash, and sends the ciphertexts C_i = Enc_{H(K_i)}(M_i) to R. For i ∈ I, R recomputes H(K_i’) = H(K_i) and decrypts C_i; for i ∉ I it holds no exponent for B_i, so K_i is a DH value it cannot compute and C_i stays opaque. The protocol therefore satisfies receiver privacy (S learns nothing about I, because the B_i it receives are distributed identically whether or not i ∈ I) and sender privacy (R learns nothing about the n‑k unchosen secrets).
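The two‑round exchange described above, written out as an added example with both parties’ messages. This is not the paper’s protocol or code: the summary does not pin down how the receiver forms its per‑index values, so the example uses a Chu–Tzeng‑style polynomial commitment (R commits, under a second generator H2 with unknown discrete logarithm, to the roots of a monic degree‑k polynomial) to get the same effect: S derives one DH key per index with identical work for every index, and R can reconstruct exactly the k keys at its chosen indices. The group (RFC 3526 group 14), the derivation of H2, the hash‑keystream‑plus‑HMAC cipher, and the sample secrets are all my choices and are labelled as such in the comments.

```python
import hashlib
import hmac
import secrets

# RFC 3526 group 14: 2048-bit safe prime P = 2Q + 1; G = 2 generates the
# order-Q subgroup, so all exponents are reduced mod Q.
P = int("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".replace(" ", "").replace("\n", ""), 16)
Q = (P - 1) // 2
G = 2

def nothing_up_my_sleeve(label: bytes) -> int:
    """Second generator H2 whose discrete log to base G nobody knows (assumed
    public parameter): hash the label into Z_P, square into the QR subgroup."""
    x = int.from_bytes(hashlib.shake_256(label).digest(256), "big") % P
    return pow(x, 2, P)

H2 = nothing_up_my_sleeve(b"k-out-of-n OT example: second generator")

def kdf(elem: int) -> bytes:
    return hashlib.sha256(elem.to_bytes(256, "big")).digest()

def seal(key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC with a hash keystream; a wrong key fails the tag."""
    pad = hashlib.shake_256(b"stream" + key).digest(len(msg))
    ct = bytes(m ^ p for m, p in zip(msg, pad))
    return ct + hmac.new(key, ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None
    pad = hashlib.shake_256(b"stream" + key).digest(len(ct))
    return bytes(c ^ p for c, p in zip(ct, pad))

class Receiver:
    """Round 1 (R -> S): Pedersen commitments T_j = G^{r_j} H2^{a_j} to the
    coefficients a_0..a_{k-1} of the monic f(x) = prod_{s in chosen} (x - s).
    The x^k term is added by the sender, so f has at most k roots: R cannot
    open more than k indices, and the T_j reveal nothing about which ones."""

    def __init__(self, chosen):
        self.chosen = sorted(set(chosen))
        coeffs = [1]                                   # the polynomial "1"
        for s in self.chosen:                          # multiply by (x - s) over Z_Q
            nxt = [0] * (len(coeffs) + 1)
            for j, c in enumerate(coeffs):
                nxt[j + 1] = (nxt[j + 1] + c) % Q
                nxt[j] = (nxt[j] - c * s) % Q
            coeffs = nxt
        k = len(self.chosen)
        self.r = [secrets.randbelow(Q) for _ in range(k)]
        self.round1 = [pow(G, rj, P) * pow(H2, aj, P) % P
                       for rj, aj in zip(self.r, coeffs[:k])]

    def exponent(self, i: int) -> int:
        """sum_j r_j i^j: log_G of the sender's A_i, but only where f(i) = 0."""
        return sum(rj * pow(i, j, Q) for j, rj in enumerate(self.r)) % Q

    def recover(self, round2) -> dict:
        """Decrypt exactly the chosen (1-based) indices from round 2."""
        return {i: unseal(kdf(pow(round2[i - 1][0], self.exponent(i), P)),
                          round2[i - 1][1]) for i in self.chosen}

def sender_round2(round1, messages):
    """Round 2 (S -> R): for each index i compute A_i = H2^{i^k} prod_j T_j^{i^j}
    = G^{sum_j r_j i^j} H2^{f(i)}, draw fresh x_i, send (G^{x_i}, Enc(A_i^{x_i}, m_i)).
    S does the same work for every i and never learns f."""
    k = len(round1)
    out = []
    for i, m in enumerate(messages, start=1):
        A = pow(H2, pow(i, k, Q), P)
        for j, T in enumerate(round1):
            A = A * pow(T, pow(i, j, Q), P) % P
        x = secrets.randbelow(Q)
        out.append((pow(G, x, P), seal(kdf(pow(A, x, P)), m)))
    return out

def demo():
    """Constructed sample run: n = 8 secrets, the receiver picks k = 3."""
    msgs = [f"secret #{i}".encode() for i in range(1, 9)]
    rcv = Receiver(chosen=[2, 5, 7])
    round2 = sender_round2(rcv.round1, msgs)
    got = rcv.recover(round2)
    # A curious R reusing its exponent on unchosen index 1 misses the
    # H2^{x f(1)} factor of the real key: the tag check fails, nothing leaks.
    X, blob = round2[0]
    leaked = unseal(kdf(pow(X, rcv.exponent(1), P)), blob)
    return got, leaked
```

Receiver privacy here rests on the T_j being perfectly hiding commitments, sender privacy on R not knowing log_G H2 (so A_i for an unchosen i has a factor whose exponent R cannot supply). Cost differs from the scheme summarised above: S does k+3 exponentiations per index, so O(nk) in total, while R does 2k for the commitments and k for decryption.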

The security analysis is conducted in the standard OT model under the Decisional Diffie‑Hellman (DDH) assumption. For receiver privacy, a simulator argument shows that a malicious sender learns nothing about I beyond random guessing: the only values it sees from R are the B_i, and their distribution does not depend on I. For sender privacy, a malicious receiver learns nothing about an unchosen secret M_i, i ∉ I, because the key K_i = B_i^a is, given A and B_i, indistinguishable from a random group element under DDH (recovering it outright would require solving the computational DH problem), so H(K_i) looks like a fresh random key from R’s point of view. The authors also discuss adaptive security: even if R learns some of the keys after the protocol, the remaining keys stay indistinguishable from random.

Performance evaluation is carried out in a 2048‑bit DH group on a standard server configuration. The protocol needs exactly two communication rounds, which cuts latency relative to three‑round alternatives. Computation splits asymmetrically: the receiver’s work scales with k, since it derives only the k keys for its chosen indices, while the sender’s scales with n, since it must produce all n keys and ciphertexts, each key costing a single modular exponentiation with a pre‑computed base. The reported figures for n = 1000 and k = 10 are a total execution time below 150 ms, with 30 % less transmitted data and 25 % lower CPU usage than the best existing DH‑based k‑out‑of‑n schemes.

The paper concludes by acknowledging that the protocol’s security rests on the hardness of the discrete logarithm and DH problems in classical groups, which Shor’s algorithm breaks on a sufficiently large quantum computer. Suggested future work is to replace DH with a lattice‑based key exchange to obtain post‑quantum security, and to explore extensions to multiple receivers or hierarchical selection patterns. Overall, the proposed protocol offers a practical, low‑latency and computationally efficient solution for general k‑out‑of‑n oblivious transfer, making it attractive for real‑world privacy‑preserving applications.

