Cryptography Reference
In-Depth Information
Blundo et al.'s security model because this model covers other unconditionally
secure DOT security models [8,9].
Note that allowing communication amongst the servers is a silent condition
in existing DOT protocols. Indeed, the impossibility result of [3,4], in achiev-
ing condition
C
4, indicates that, given the transcript of the interaction with
k
servers, a coalition of the receiver and
only
one dishonest server is sucient for
the receiver to learn all secrets. Therefore, in their protocol there must be a
mechanism for ensuring that the receiver does not contact more than
k
servers
(see [8]). This kind of mechanism could be implemented with communication
amongst the servers.
The organization of the paper is as follows. In Sect. 2 we review the works
related to ours. After providing definitions and notations in Sect. 3, we briefly
describe our model in Sect. 4, and we list the components involved in our system
in Sect. 5. Section 6 is devoted to the detailed description of the model. In Sect. 7,
we evaluate our proposed scheme and demonstrate that it guarantees conditions
C
1
,...,C
4.
2 Related Works
There have been few publications related to unconditionally secure polynomial-
based DOT protocols and the basic principles underlying these protocols are
conceptually similar. In the original DOT protocol [8] introduced by Naor and
Pinkas, as well as in its generalization [3,4] presented by Blundo et al., a sender
distributes some information amongst
m
servers so that, by contacting
k
servers,
a receiver is able to learn only one of the secrets held by the sender. A simplified
overview of the (
k
,
m
)-DOT-
1
presented in [4] may be described as follows
(operations are executed in a finite field IK = IF
p
,where
p
is a prime number):
1. The sender, who has
n
secrets
ω
0
,...,ω
n−
1
generates a sparse
n
-variate
polynomial function
Q
defined by
k−
1
n−
1
a
i
x
i
+
ω
0
+
Q
(
x, y
1
,...,y
n−
1
)=
(
ω
i
−
ω
0
)
×
y
i
,
i
=1
i
=1
where the coecients
a
i
1) are numbers randomly selected
in IK. We note that
ω
0
=
Q
(0
,...,
0) and, for
(1
≤
i
≤
k
−
∈{
1
,...,n
−
1
}
,
ω
=
Q
(0
,...,
0
,
1
,
0
,...,
0), where the number 1 is in position
+1.
2. Then, to each server
S
j
(1
≤
j
≤
m
), the sender transmits the (
n
−
1)-variate
polynomial function
F
j
defined by
F
j
(
y
1
,...,y
n−
1
)=
Q
(
j, y
1
,...,y
n−
1
)
.
3. In the oblivious transfer phase, the receiver chooses the identifier
of one
secret and generates univariate polynomial functions
Z
i
(1
≤
i
≤
n
−
1) of
degree at most
k
−
1 such that (
Z
1
(0)
,...,Z
n−
1
(0)) is an (
n
−
1)-tuple of
zeros if the receiver is interested in
ω
0
(i.e.,
= 0), or an (
n
1)-tuple of
zeros and a single one in position
if the receiver is interested in
ω
(where
−
∈{
1
,...,n
−
1
}
).
Search WWH ::
Custom Search