Efficient oblivious transfer with membership verification

In this article, we introduce a new concept, oblivious transfer with membership verification, that allows any legitimate group user to obtain services from a service provider in an oblivious manner. We present two oblivious transfer with membership verification schemes that differ in design. In the first scheme, a trusted group manager issues credentials to a pre-determined group of users, so that users holding a valid group credential can obtain services from the service provider while their choices remain oblivious to it. The second scheme avoids the trusted group manager and lets any user in the group act as group manager, which makes it more suitable for distributed systems. We prove that both schemes achieve receiver's privacy and sender's privacy under the half-simulation model.


Introduction
It is a well-known economic strategy that service providers are usually willing to sell their goods or services to a group of users at a discount to attract customers. The more people who make a batch buy, the better the price the service providers are willing to offer. In addition to a good price, the customer's privacy should be protected when buying goods or services from the service providers. With this motivation in mind, we aim to design oblivious transfer with membership verification (MV-OT) schemes, which ensure that (1) the user's privacy (e.g. the consumption transcript) is hidden from the service provider, (2) only legitimate group users can obtain services from the service provider, and (3) the proposed MV-OT schemes incur about the same computation and communication costs as conventional oblivious transfer with access control schemes.
To see whether MV-OT is useful in practice, consider a scenario where an issuer (group manager) forms a group of a certain number of users wanting to purchase digital goods or services from a service provider. After forming the group, the issuer first generates a group credential for each user. Next, the issuer registers the group with the service provider, who verifies that the real number of users in the group matches the claimed number. After a successful authentication with the service provider, a valid group user can acquire the digital goods or services obliviously.
We stress that designing MV-OT schemes is a nontrivial task. The straightforward way to achieve MV-OT is to combine a broadcast encryption or a membership encryption scheme with a conventional oblivious transfer with access control scheme.1,2 The group manager first encrypts the credential and broadcasts the ciphertext to every user in the group; only valid users in the group can recover the credential, with which they can acquire services from a sender. However, this straightforward combination has several drawbacks. First, the combined algorithm inherits the computation and storage costs of two independent algorithms. Second, every user in the group has to share the same credential, so if a dispute happens, even the group manager cannot decide which user should be accused. Third, a straightforward combination of two different algorithms may lead to new security issues.

Our contributions
We formulate the concept of MV-OT and present two concrete MV-OT schemes suited to different applications. In the first scheme, a central authority first forms a group of users willing to make a batch buy from a service provider (the sender). The central authority generates credentials for the group users and a group token, which is sent to the sender. The sender encrypts the digital contents with the group token to ensure that only group users with valid credentials can acquire the digital goods or services. Users outside the group gain no information from what is transmitted between the sender and the valid group users. In the second scheme, we remove the central authority, which makes it much more suitable for distributed applications: any member of the group, or even the sender, can play the role of the issuer and generate the group information.
It is worth noting that the proposed schemes achieve privacy as well as membership verification without much extra computation and communication cost. The efficiency analysis shows that our schemes involve only a few extra operations and messages compared with the oblivious transfer with access control schemes of Han et al.,1 which makes the proposed MV-OT schemes applicable in many distributed systems such as mobile ad hoc networks.

Related works
Oblivious transfer. Oblivious transfer has been applied widely in secure multiparty computation,3 digital content browsing,4 exchange of secrets5 and other privacy-preserving systems.1,2,6,7 Oblivious transfer has received much attention since it was first proposed by Rabin.5 In the early works,5,8 the sender transfers only one message $m_b$, $b \in \{0, 1\}$, obliviously; this was soon extended to the more general $k$-out-of-$n$ setting by Brassard et al.,9 where a receiver chooses $k$ messages obliviously from a sender. To ensure that only legitimate receivers obtain contents from a sender, Coull et al.10 proposed an oblivious transfer scheme with access control based on state graphs, where a receiver can only acquire contents from the sender if it still has unused states. Liu et al.11 proposed the concept of traceable oblivious transfer, in which the privacy of honest and dishonest users is treated separately: the privacy of honest receivers is well protected, while dishonest receivers can be traced by the sender.
Broadcast encryption. The concept of broadcast encryption was proposed by Fiat and Naor.12 Broadcast encryption enables one broadcaster to transmit messages to a dynamically chosen group of users $S \subseteq N$, where $N$ is the set of all users with access to the broadcast channel. Fiat and Naor12 presented the first symmetric-key broadcast encryption scheme and the corresponding security model, which was extended to the public key setting by Dodis and Fazio.13 Recently, Gritti et al.14 proposed a broadcast encryption with dealership scheme, which enables certain ''dealers'' in the broadcast system to first make a bulk buy from the broadcaster and then resell within their own groups. Broadcast encryption with dealership accommodates a new business model and has received much attention.15,16 Broadcast encryption can provide group membership verification; however, the ''dealer'' can trace the contents purchased by the users in its group, which violates the privacy requirement of the scenario above.

Membership proof and membership encryption. Membership proof17-20 is a useful cryptographic primitive with which a user can prove to a verifier, in a privacy-preserving manner, that an attribute $A$ belongs to a group $G$. Membership proof protocols can be divided into two categories according to the information available to the verifier. In the first category,19,20 the verifier knows a token $P(A)$ on a single attribute and all the attributes in $G$; the prover convinces the verifier that $A \in G$ without letting the verifier learn which attribute in the group it is. In the second category,17,18 the verifier has access to an attribute $A$ and a group token $P(G)$ containing information on a set of attributes; the prover convinces the verifier that $A \in P(G)$ without leaking information about the other attributes in the group. Membership encryption was proposed by Guo et al.21,22 as an alternative primitive to membership proof. It employs the privacy-preserving group token $P(G)$ of Au et al.17 such that, given $P(G)$, it is computationally hard to learn the attributes or identities in $P(G)$; however, successful decryption requires that the user holds a membership $A \in G$.
Secret handshake. Secret handshake23-25 is a useful primitive for privacy-preserving applications where group membership verification is indispensable. The concept was introduced by Balfanz et al.23 and enables entities in the same group to authenticate each other anonymously without leaking private information. Later, Xu and Yung24 proposed a secret handshake scheme achieving $k$-anonymity, meaning an adversary can only infer that a participant is one of $k$ users in the group. Recently, Tian et al.25 proposed a $k$-time secret handshake scheme that allows valid group users to authenticate each other up to $k$ times with one group credential; if a credential is used more often, the user's private information can be traced publicly. To achieve group membership verification, secret handshake schemes require the service provider to be in the same group as all the users, which is impractical in the scenario above.
Article organization. The rest of the article is organized as follows. We introduce the formal definition and the security model of MV-OT in section ''Security model.'' Some preliminaries are presented in section ''Preliminaries,'' and the concrete MV-OT schemes are presented in section ''Our proposed schemes.'' We prove their security and analyze their efficiency in section ''Security analysis,'' and the article is concluded in section ''Conclusion.''

Security model
In this section, we present the formal definition and the security model for MV-OT schemes.

Definition
There are three entities in an MV-OT system, namely a receiver, a sender, and an issuer who acts on behalf of a group manager. We assume there exists a public key infrastructure (PKI) that issues certificates on users' public keys. First, the issuer forms a group containing the users willing to obtain services from the sender. Then, the issuer generates the group token and sends it to the sender via a secure channel. The issuer also generates a credential for each user in the group, with which the user (i.e. the receiver) can obtain services or digital goods from the sender. The system consists of four algorithms as follows:

1. Setup. Taking as input a security parameter $k$, the Setup algorithm outputs the system public parameters: $\mathit{params} \leftarrow \mathrm{Setup}(1^k)$.
2. KeyGen. Taking as input the system parameters $\mathit{params}$, KeyGen generates the public/private key pairs for the senders, receivers, and issuer in the system, e.g. $(pk_I, sk_I) \leftarrow \mathrm{KeyGen}(\mathit{params})$ for the issuer.
3. GroupGen. Taking as input $\mathit{params}$, the pseudonyms $A_1, A_2, \ldots, A_l$ of the $l$ users, and the private key of the issuer, it returns the credentials for the receivers and the group token for the sender.
4. Transfer. The receiver runs $\mathrm{Transfer}_R(c_{i_j}, s_{i_j}; \mathit{params})$ and the sender runs $\mathrm{Transfer}_S(R_{i_j}; \mathit{params})$; the receiver then obtains the intended message.

Security model
The security model presented in this section follows the half-simulation model of Naor and Pinkas.26 We say that an MV-OT scheme is secure if the following conditions hold:

1. Receiver's privacy. The sender $S$ cannot obtain any information about the receiver's choices. To be specific, for any two different choice sets $\{i_1, \ldots, i_k\}$ and $\{i'_1, \ldots, i'_k\}$, the transcripts seen by the sender are computationally indistinguishable.
2. Sender's privacy. A valid receiver $R$ cannot obtain any information about the messages $m_i$, $i \notin \{i_1, i_2, \ldots, i_k\}$, other than the intended contents. The security of the sender is defined through the real-world/ideal-world paradigm. In the real world, the sender and the receiver execute the protocol as specified. In the ideal world, the protocol is executed with a trusted third party (TTP): the sender sends all the messages $m_1, m_2, \ldots, m_n$ to the TTP, and the receiver requests its choices $m_{i_1}, m_{i_2}, \ldots, m_{i_k}$ adaptively; if $\{i_1, i_2, \ldots, i_k\} \subseteq \{1, 2, \ldots, n\}$, the TTP sends $m_{i_1}, m_{i_2}, \ldots, m_{i_k}$ to the receiver. An MV-OT scheme provides sender's privacy if for any receiver $R$ in the real world there exists a probabilistic polynomial time (PPT) receiver $R'$ in the ideal world such that the outputs of $R$ and $R'$ are indistinguishable.
3. Semantic security. If a receiver $R$ does not hold a valid group credential $s_i$, $1 \le i \le l$, she cannot obtain any useful information about $m_i$, $1 \le i \le n$, from the sender $S$.

Bilinear pairing
Let $G_1$ and $G_2$ be multiplicative cyclic groups of prime order $q$, and let $g$ and $h$ be generators of $G_1$. A bilinear map $e : G_1 \times G_1 \to G_2$ satisfies the following conditions:

Bilinearity: $e(g^a, h^b) = e(g, h)^{ab}$ for all $g, h \in G_1$ and $a, b \in \mathbb{Z}_q$.
Non-degeneracy: $e(g, h) \neq 1$.
Computability: there is an efficient algorithm to compute $e(g, h)$ for all $g, h \in G_1$.

Complexity assumptions
Definition 1. Discrete logarithm (DL) assumption. Let $G$ be a cyclic group of prime order $q$ and $g$ a generator of $G$. Given a random element $X \in G$, compute $x \in \mathbb{Z}_q^*$ such that $X = g^x$. Let $\mathrm{Adv}^{\mathrm{DL}}_{A}(k)$ be the advantage of a PPT adversary $A$ in solving this problem. We say that the DL assumption holds in $G$ if $\mathrm{Adv}^{\mathrm{DL}}_{A}(k)$ is negligible for every PPT adversary $A$.

Definition 2. One-generator $l$-strong Diffie-Hellman ($l$-SDH) assumption.27 Let $(G_1, G_2)$ be a bilinear group. For a randomly chosen $x \in \mathbb{Z}_q^*$ and a random generator $g \in G_1$, the $l$-SDH problem is, given $(g, g^{x}, g^{x^2}, \ldots, g^{x^l}) \in G_1^{l+1}$, to compute a pair $(g^{1/(x + c)}, c)$ with $c \in \mathbb{Z}_q^*$. Define the advantage of a PPT adversary as $\mathrm{Adv}^{\mathrm{OG}\text{-}l\text{-}\mathrm{SDH}}_{A}(k) = \Pr[A(\mathit{params}, g, g^{x}, \ldots, g^{x^l}) = (g^{1/(x + c)}, c)]$; the $l$-SDH assumption holds if this advantage is negligible for every PPT algorithm $A$.

Definition 3. Extended chosen-target computational Diffie-Hellman (XCT-CDH) assumption.1 Let $G$ be a cyclic group of prime order $q$ and $x \in \mathbb{Z}_q^*$. There is a help oracle $H_G(\cdot)$ that takes $g_i$ as input and returns $g_i^{x}$. Given a $(k+1)$-tuple $\{g^{a_1}, g^{a_2}, \ldots, g^{a_{k+1}}\}$ with $a_i \in \mathbb{Z}_q^*$ for $i = 1, 2, \ldots, k+1$, define the advantage $\mathrm{Adv}^{\mathrm{XCT}\text{-}\mathrm{CDH}}_{A}(k)$ of a PPT adversary $A$ as the probability that $A^{H_G(\cdot)}(q, g, g^{x}, g^{a_{i_1}}, \ldots, g^{a_{i_k}})$, after at most $k$ queries to $H_G(\cdot)$, outputs $k+1$ values $g^{a_{i_j} x}$ with $a_{i_j} \in \{a_1, a_2, \ldots, a_{k+1}\}$ for $j = 1, 2, \ldots, k+1$. The XCT-CDH assumption holds in $G$ if this advantage is negligible for every PPT adversary $A$.
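As an added note (not part of the original article), the role of Definition 2 in the schemes of the next section can be written out directly in its own symbols: the public auxiliary parameters form an $l$-SDH instance with $x = a$, so a non-member who manages to produce the inverted-exponent value that decryption requires has, by that act, solved the instance with $c$ equal to its own pseudonym. The reduction is stated for the MV-OT-II credential $s_{A_k} = g^{1/(a + A_k)}$; for MV-OT-I the extra secret $b$ is also involved, and only the $g^{1/(a + A_k)}$ factor is covered here.

$$
\begin{aligned}
\text{public:}\quad & (g,\ g^{a},\ g^{a^{2}},\ \ldots,\ g^{a^{l}}) \;=\; (g,\ g^{x},\ g^{x^{2}},\ \ldots,\ g^{x^{l}})\ \text{with } x = a,\\
\text{forgery:}\quad & A_k \notin \{A_1, \ldots, A_l\}\ \text{outputs } s = g^{1/(a + A_k)},\\
\text{then:}\quad & (s,\ A_k) \;=\; \bigl(g^{1/(x + c)},\ c\bigr)\ \text{with } c = A_k \in \mathbb{Z}_q^*,\\
\text{so:}\quad & \mathrm{Adv}^{\mathrm{OG}\text{-}l\text{-}\mathrm{SDH}}_{B}(k) \;\ge\; \Pr[A_k \text{ outputs } s],
\end{aligned}
$$

where $B$ is the algorithm that forwards the $l$-SDH instance to $A_k$ as the system parameters and returns $(s, A_k)$. The bound needs $l$ to be at least the number of powers $g^{a^{i}}$ that are published, which is why the assumption is parametrised by the group size.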

Our proposed schemes
In this section, we present two MV-OT schemes. In the first scheme, an issuer generates credentials for the members of the group. Our construction builds on the accumulator scheme of Nguyen.18 In the first scheme, the system parameters contain two secret keys $(a, b)$ and the auxiliary parameters $g^{a}, g^{a^2}, \ldots, g^{a^l}, g^{b}, g^{ba}, g^{ba^2}, \ldots, g^{ba^l}$.

With the group token $P(G)$ (generated by the issuer in KeyGen below), the membership verification process works as follows:
1. If user $A_i$ is a valid group user holding the credential $s_{A_i}$, then it is computationally easy to recover the pairing value $B_{i_j} = e(c_{i_j,1}, s_{A_i})$ from the ciphertext, which is further used to extract the intended message.
2. Otherwise, if a dishonest user $A_k$ who does not belong to the group tries to interact with the sender, the value it would need contains the inversion exponent $g^{1/(a + A_k)}$, which is computationally infeasible to compute from the system parameters.

MV-OT$^{n}_{k \times 1}$-I. The proposed scheme consists of a tuple of PPT algorithms as follows:
1. Setup. Taking as input a security parameter $k$, this algorithm outputs a bilinear group $(e, G_1, G_2)$, where $e : G_1 \times G_1 \to G_2$ and $G_1, G_2$ are cyclic groups of prime order $q$. Let $g$ be a generator of $G_1$. The system parameters are $\mathit{params} = (e, G_1, G_2, q, g)$.
2. KeyGen. Suppose there are $l$ users with pseudonyms $A_1, A_2, \ldots, A_l$ in the group. The issuer (group manager) chooses $a, b \in \mathbb{Z}_q^*$, computes $g^{a}, g^{a^2}, \ldots, g^{a^l}, g^{b}, g^{ba}, g^{ba^2}, \ldots, g^{ba^l}$, and generates the group token $P(G)$, which involves a random $t \in \mathbb{Z}_q^*$ chosen by the issuer. For each user with pseudonym $A_i$, $1 \le i \le l$, the issuer computes $s_{A_i} = g^{1/((a + A_i)(b + A_i))}$ and returns it to that user. The issuer $I$ sends $(P(G), a)$ to the sender $S$.
3. Commitment. In response to the request from a user with pseudonym $A_i$, $S$ chooses $n$ distinct random elements $t_1, t_2, \ldots, t_n \in \mathbb{Z}_q^*$ and a one-time secret $z \in \mathbb{Z}_q^*$, and computes the ciphertext of $m_1, m_2, \ldots, m_n$ as $c_j = (c_{j,1}, c_{j,2})$, $j = 1, \ldots, n$.
4. Transfer. Upon receiving the ciphertexts from the sender, the receiver with pseudonym $A_i$ chooses $r_i \in \mathbb{Z}_q^*$ and computes $B_{i_j} = e(c_{i_j,1}, s_{A_i})$ and $E_{i_j} = B_{i_j}^{r_i}$, where $i_j \in \{1, 2, \ldots, n\}$ is the index of a chosen message; the receiver $A_i$ then sends $E_{i_j}$ to $S$. $S$ computes $D_{i_j} = (E_{i_j})^{z}$ and sends it to $R$. $R$ computes $K_{i_j} = D_{i_j}^{r_i^{-1}}$ and obtains the intended message $m_{i_j} = c_{i_j,2} / K_{i_j}$.

Correctness. Suppose the receiver with pseudonym $A_i$ is a valid group member with credential $s_{A_i}$. Then $K_{i_j} = D_{i_j}^{r_i^{-1}} = (B_{i_j}^{r_i z})^{r_i^{-1}} = B_{i_j}^{z}$ is exactly the mask the sender applied to $m_{i_j}$ in $c_{i_j,2}$, so $c_{i_j,2} / K_{i_j} = m_{i_j}$.

The MV-OT$^{n}_{k \times 1}$-I scheme relies on a central authority, the issuer, to form and maintain the group, which makes it impractical in distributed scenarios. Therefore, we propose a second scheme, MV-OT$^{n}_{k \times 1}$-II, without a central authority: anyone who wants to make a batch buy, or even the sender, can act as the group manager and initialize the system. The proposed MV-OT$^{n}_{k \times 1}$-II scheme consists of a tuple of PPT algorithms as follows:
1. Setup. Taking as input a security parameter $k$, this algorithm outputs a bilinear group $(e, G_1, G_2)$, where $e : G_1 \times G_1 \to G_2$ and $G_1, G_2$ are cyclic groups of prime order $q$. Let $g$ and $h$ be generators of $G_1$ and $G_2$, respectively. The system parameters are $\mathit{params} = (e, G_1, G_2, q, g, h)$.
2. KeyGen. Suppose there is an initial setup phase and there are $l$ users with pseudonyms $A_1, A_2, \ldots, A_l$ in the group. The sender chooses $a \in \mathbb{Z}_q^*$, computes $g^{a}, g^{a^2}, \ldots, g^{a^l}$, and generates the group token, which involves a random element of $\mathbb{Z}_q^*$ chosen by the sender. For each user with pseudonym $A_i$, $1 \le i \le l$, the sender computes and returns $s_{A_i} = g^{1/(a + A_i)}$.
3. Commitment. In response to the request from a user with pseudonym $A_i$, $S$ chooses $n$ distinct random elements $t_1, t_2, \ldots, t_n \in \mathbb{Z}_q^*$ and a one-time secret $z \in \mathbb{Z}_q^*$, and computes the ciphertext of $m_1, m_2, \ldots, m_n$ as $c_j = (c_{j,1}, c_{j,2})$, where $c_{j,2}$ masks $m_j$ with a power of $e(g, g)$.
4. Transfer. Upon receiving the ciphertexts from the sender, $A_i$ chooses $r_i \in \mathbb{Z}_q^*$ and computes $B_{i_j} = e(c_{i_j,1}, s_{A_i})$ and $E_{i_j} = B_{i_j}^{r_i}$, where $i_j \in \{1, 2, \ldots, n\}$ is the index of the message of the receiver's choice; the receiver $A_i$ then sends $E_{i_j}$ to $S$. $S$ computes $D_{i_j} = (E_{i_j})^{z}$ and sends it to $R$. $R$ computes $K_{i_j} = D_{i_j}^{r_i^{-1}}$ and obtains the intended message $m_{i_j} = c_{i_j,2} / K_{i_j}$.

Correctness. Suppose the receiver with pseudonym $A_i$ is a valid group member with credential $s_{A_i}$. As in the first scheme, $K_{i_j} = D_{i_j}^{r_i^{-1}} = B_{i_j}^{z}$, and $c_{i_j,2} / K_{i_j} = m_{i_j}$.
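The Transfer step is the same blinded exchange in both schemes: the receiver raises the pairing value $B_{i_j}$ to a fresh $r_i$, the sender raises whatever it receives to its one-time $z$, and the receiver strips $r_i$ to obtain $K_{i_j} = B_{i_j}^{z}$. The following Python program is an added illustration of that step and is not the authors' code. Plain Python has no bilinear pairing, so the value $B_{i_j} = e(c_{i_j,1}, s_{A_i})$ that only a credential holder can derive is replaced by a stand-in $g^{t_j}$ in a prime-order subgroup of $\mathbb{Z}_p^*$ that the sender ships directly; the program therefore exercises the commit/blind/respond/unblind algebra, the requirement that the $t_j$ be distinct, and the argument later used in the proof of Theorem 1 (one $E_{i_j}$ is consistent with every index), but not the membership check itself. The safe-prime group, the generator $g = 4$, the integer message encoding and the sample goods are all constructed for the example.

```python
"""Blinded transfer step of the MV-OT schemes in a plain prime-order
subgroup of Z_p^* (added illustration, not the paper's code).

The pairing value B_{i_j} = e(c_{i_j,1}, s_{A_i}) = e(g,g)^{t_j} that only
a credential holder can derive is replaced by a stand-in B_j = g^{t_j}
that the sender ships directly, so the membership check is NOT modelled;
only the commit / blind / respond / unblind algebra and its privacy
argument are."""
import secrets


def is_probable_prime(n, rounds=20):
    """Trial division by small primes, then Miller-Rabin with random bases."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime_group(bits=128):
    """Deterministic search for p = 2q + 1 with p, q prime (constructed
    toy group).  g = 4 = 2^2 is a quadratic residue != 1, so its order is q."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1, q, 4


P, Q, G = safe_prime_group()

# Constructed sample goods: short byte strings read as integers below P.
MESSAGES = [int.from_bytes(b"item-%03d" % i, "big") for i in range(5)]


def sender_commit(messages):
    """Commitment: one-time z and n *distinct* t_j (the paper requires the
    t_j to differ: if t_j == t_w, one answered D_{i_j} also unmasks m_w).
    Returns ciphertexts (B_j, m_j * K_j mod p), the secret z and the t_j."""
    z = 1 + secrets.randbelow(Q - 1)
    ts = set()
    while len(ts) < len(messages):
        ts.add(1 + secrets.randbelow(Q - 1))
    ts = sorted(ts)
    cts = []
    for m, tj in zip(messages, ts):
        assert 0 < m < P, "message must be a nonzero residue mod p"
        B = pow(G, tj, P)      # stand-in for e(c_{j,1}, s_{A_i}) = e(g,g)^{t_j}
        K = pow(B, z, P)       # e(g,g)^{t_j z}: the mask on m_j
        cts.append((B, m * K % P))
    return cts, z, ts


def receiver_blind(cts, choices):
    """Transfer, receiver side: E_{i_j} = B_{i_j}^r with one fresh r."""
    r = 1 + secrets.randbelow(Q - 1)
    return [pow(cts[i][0], r, P) for i in choices], r


def sender_respond(E, z):
    """Transfer, sender side: D_{i_j} = E_{i_j}^z; S sees only the E values."""
    return [pow(e, z, P) for e in E]


def receiver_unblind(cts, choices, D, r):
    """K_{i_j} = D_{i_j}^{1/r} = B_{i_j}^z, then m_{i_j} = c_{i_j,2} / K_{i_j}."""
    r_inv = pow(r, -1, Q)
    out = []
    for i, d in zip(choices, D):
        K = pow(d, r_inv, P)
        out.append(cts[i][1] * pow(K, -1, P) % P)
    return out


def run_transfer(messages, choices):
    """Full commit / blind / respond / unblind round for the chosen indices."""
    cts, z, _ = sender_commit(messages)
    E, r = receiver_blind(cts, choices)
    D = sender_respond(E, z)
    return receiver_unblind(cts, choices, D, r)


def choice_is_hidden(messages, chosen, other):
    """Theorem 1's argument: E = B_chosen^r equals B_other^{r'} for
    r' = t_chosen * r / t_other mod q, so the sender, who knows every t_j
    but not r, sees a value consistent with any index unless it can take
    discrete logarithms in the group."""
    cts, _, ts = sender_commit(messages)
    (E,), r = receiver_blind(cts, [chosen])
    r_alt = ts[chosen] * r * pow(ts[other], -1, Q) % Q
    return pow(cts[other][0], r_alt, P) == E
```

Multiplying a message that is not itself in the order-$q$ subgroup by the mask leaks one bit (its quadratic residuosity); a deployment would hash $K_{i_j}$ into a symmetric key instead of multiplying in the group, which the paper's $c_{i_j,2} = m_{i_j} \cdot K_{i_j}$ form does not do.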

Security analysis
The security of our MV-OT schemes is established by the following theorems.

Theorem 1. The proposed MV-OT$^{n}_{k \times 1}$-I scheme provides receiver's privacy for honest receivers.

Proof. Suppose an honest receiver with pseudonym $A_i$ requests contents from the sender, and let $\{E_{i_1}, E_{i_2}, \ldots, E_{i_k}\}$ be the set of transcripts on $A_i$'s choices. For any $E_{i_j}$, $j \in \{1, 2, \ldots, k\}$, $E_{i_j} = B_{i_j}^{r_i}$ is a power of $e(g, g)$. For any other index $i_w$ with $t_{i_w} \neq t_{i_j}$ and $t_{i_w} \in \{t_1, t_2, \ldots, t_n\}$, there is an exponent $r'$ such that $E_{i_j} = B_{i_w}^{r'}$, so the choice of the receiver is computationally indistinguishable to the sender as long as the DL problem is hard in $G_2$.

Theorem 2. The proposed MV-OT$^{n}_{k \times 1}$-I scheme provides sender's privacy.

Proof. Suppose a receiver runs the MV-OT protocol with the sender $S$ to obtain $k$ messages. For any PPT malicious receiver $R$ in the real world, we construct a PPT receiver $R^*$ in the ideal model such that the outputs of $R$ and $R^*$ are indistinguishable. $R^*$ simulates the honest sender $S$ of the real world and interacts with $R$ as follows:
1. $S$ sends the messages $m_1, m_2, \ldots, m_n$ to the TTP.
2. $R^*$ sends $R$ the simulated ciphertexts $c^*_j$, $j = 1, 2, \ldots, n$, where $c^*_1, c^*_2, \ldots, c^*_n$ are $n$ different pairs of random elements of $G_1$ and $G_2$ chosen by $R^*$.
3. $R^*$ monitors the outputs of $R$. If $R$ can compute $B_{i_1}, B_{i_2}, \ldots, B_{i_k}$ and $E_{i_1}, E_{i_2}, \ldots, E_{i_k}$, $R^*$ answers with random $D^*_{i_1}, D^*_{i_2}, \ldots, D^*_{i_k}$.
By Theorem 3, $\{B_{i_1}, B_{i_2}, \ldots, B_{i_k}\}$ and $\{E_{i_1}, E_{i_2}, \ldots, E_{i_k}\}$ are indistinguishable from random elements of $G_2$, and $\{c_1, c_2, \ldots, c_n\}$ are indistinguishable from random elements of $G_1 \times G_2$. In addition, the sets $\{D_{i_1}, D_{i_2}, \ldots, D_{i_k}\}$ and $\{D^*_{i_1}, D^*_{i_2}, \ldots, D^*_{i_k}\}$ are identically distributed. Therefore, no distinguisher can tell apart the outputs of $R$ and $R^*$ with non-negligible probability.
If, during the simulation, $R$ obtains $k + 1$ messages while $R^*$ is unaware of the indices of the corresponding messages, the simulation aborts. Otherwise, we show that $R$ can choose at most $k$ messages under the XCT-CDH assumption. If $R$ could get $k + 1$ messages, it could compute $E_{i_j}$ for $j = 1, 2, \ldots, k + 1$; that is, from $k$ answers of the form $D_{i_j} = E_{i_j}^{z}$ it would obtain $k + 1$ elements of $G_2$ raised to the sender's one-time secret $z$, which contradicts the XCT-CDH assumption. Therefore, $R$ can only obtain the requested messages and learns nothing about the messages it did not request.

We can see from Theorem

Theorem 3. The proposed MV-OT$^{n}_{k \times 1}$-I scheme is semantically secure.

Proof. The semantic security of MV-OT$^{n}_{k \times 1}$-I is analyzed from two aspects. First, if an adversary $A$ could forge $s_{A_i} = g^{1/((b + A_i)(a + A_i))}$, then $A$ could act as an authorized receiver towards the sender; in this case there exists a PPT algorithm $B$ that uses $A$ to break the $l$-SDH assumption. Second, if $A$ could compute the $G_2$ mask, a power of $e(g, g)$, from the ciphertext $c_i = (c_{i,1}, c_{i,2})$ alone, then $A$ could obtain messages from the sender without a credential; in this case there exists a PPT algorithm that uses $A$ to break the XCT-CDH assumption. Therefore, MV-OT$^{n}_{k \times 1}$-I is semantically secure.

Theorem 4. The proposed MV-OT$^{n}_{k \times 1}$-II scheme provides receiver's privacy for honest receivers.

Theorem 5. The proposed MV-OT$^{n}_{k \times 1}$-II scheme provides sender's privacy.

Theorem 6. The proposed MV-OT$^{n}_{k \times 1}$-II scheme is semantically secure.

The proofs of Theorems 4-6 for the MV-OT$^{n}_{k \times 1}$-II scheme are similar to those for MV-OT$^{n}_{k \times 1}$-I and are omitted.

Efficiency analysis
We present a complexity analysis in terms of computation and communication costs; the results are given in Tables 1 and 2, respectively. By $l$, $n$, and $k$ we denote the number of users in the group, the total number of messages, and the number of messages selected by a receiver. Let $E_{G_1}$ and $E_{G_2}$ denote exponentiations in $G_1$ and $G_2$, and $P$ one pairing operation.

Conclusion
In this article, we formulated the concept of MV-OT, in which only legitimate users with proper membership can obliviously acquire digital goods or services from a service provider. We proposed two MV-OT schemes with complete security analysis. The two schemes differ in design, and the one without a trusted group manager is preferable in distributed systems.

Declaration of conflicting interests
The author(s) declared no potential conflicts of interest with respect to the research, authorship, and/or publication of this article.

Table 1 .
Computational costs of the proposed schemes.

Table 2 .
Communication costs of the proposed schemes.