
Oblivious Transfer based on Key Exchange

Abhishek Parakh

Abstract: Key-exchange protocols have been overlooked as a possible means for implementing oblivious transfer (OT). In this paper we present a protocol for mutual exchange of secrets, 1-out-of-2 OT and coin-flipping similar to the Diffie-Hellman protocol, using the idea of obliviously exchanging encryption keys. Since the Diffie-Hellman scheme is widely used, our protocol may provide a useful alternative to the conventional methods for implementation of oblivious transfer and a useful primitive in building larger cryptographic schemes.

1 Introduction

Oblivious transfer (OT), discussed by Stephen Wiesner as conjugate coding [1], became popular when Rabin described a scheme for mutual exchange of secrets [2]. This, combined with 1-out-of-2 oblivious transfer, led to the development of numerous cryptographic tools.

An oblivious transfer protocol is a scheme in which Alice transfers to Bob a secret without
knowing if Bob received it, while Bob may or may not receive the secret, each happening with a
certain probability, usually one-half. Such a scheme using Elliptic Curve Cryptography has been
discussed in [3].

In this paper we construct a protocol for oblivious transfer using key exchange similar to Diffie-
Hellman (DH) protocol [4], which is a popular method for establishing a shared key between two
parties over an insecure channel. We modify the Diffie-Hellman protocol such that the two
communicating parties will succeed or fail in establishing a shared key each with a probability of
one-half. However, the party sending the secret will not know if the receiver has the same key as
he/she does.

There have been implementations [5,6] of 1-out-of-n OT based on the Decision Diffie-Hellman (DDH) problem [7]. However, our protocol differs from previous ones in two respects. Firstly, we describe a scheme for mutual exchange of secrets based on DH. Secondly, the previous 1-out-of-n OT implementations use the DDH for the transfer itself, i.e. they apply the Diffie-Hellman exponentiation directly to the encryption of the secrets. Here we apply the idea of oblivious key exchange: once the keys are exchanged (obliviously), the parties may use any mutually agreed encryption method for the actual transfer / exchange of secrets.

The security of our protocol arises from the fact that the problem of determining an exponent $e$, given $x$, $y$ and a prime $p$ such that $x^e \bmod p = y$, is equivalent to solving a Discrete Log Problem (DLP) efficiently.

The participants choose numbers $p$ and $x$, such that $p$ is a large prime on the order of at least 300 decimal digits (1024 bits), $p - 1$ has a large prime factor and $x$ is a generator of order $p - 1$ in the multiplicative group $\mathbb{Z}_p$ (a generator is a primitive root of $p$). This ensures the security of the protocols not only against eavesdroppers but also against the opposing party, which is to be considered as an adversary as well. Since we will be working only in $\mathbb{Z}_p$, we often do not state it explicitly.

The proof that the security of Rabin's cryptosystem is equivalent to a factorization problem led to the development of the zero-knowledge proof [8]. In such a proof a prover tries to convince a verifier that he possesses certain information without disclosing the information itself, only a proof that he possesses it. With every iteration of the algorithm, the probability of an imposter cheating a verifier decreases exponentially. We will discuss a scheme for zero-knowledge proof based on the discrete log problem.

2 Mutual exchange of secrets

Suppose Alice and Bob possess secrets $S_A$ and $S_B$ respectively, which they wish to exchange; however, they do not trust each other. We would like to complete the exchange without a trusted third party and without a procedure for simultaneous exchange of secrets, the latter being practically impossible to implement when the parties are geographically far apart. Both parties are assumed to have an appropriate mechanism to digitally sign every message they send.

Let the secrets $S_A$ and $S_B$ be passwords to files that Bob and Alice want to access, such that if a wrong password is used then the files will self-destruct. This prevents the parties from trying random passwords. The protocol is based on the oblivious exchange of encryption keys.

The Protocol: We exploit the fact that there exist $g_1, g_2 \in \mathbb{Z}_p$, $g_1 \neq g_2$, such that they map to a single cipher $c$, where $c = g_1^2 \bmod p = g_2^2 \bmod p$. Let $K_A$ denote the key that Alice uses to encrypt her secret, while Bob uses $K_B$ to encrypt his secret. With these assumptions, the protocol proceeds as follows:

1. Alice and Bob agree upon a prime $p$, a number $x \in \mathbb{Z}_p$ as the generator and $c$ such that $c = g_1^2 \bmod p = g_2^2 \bmod p$ (Alice and Bob both know $g_1$ and $g_2$).

2. Alice privately chooses $g_A = g_1$ or $g_A = g_2$ and two random numbers $N_{A1}$ and $N_{A2}$.

3. Bob secretly decides on $g_B$, such that $g_B = g_1$ or $g_B = g_2$, and a random number $N_B$.

4. Alice sends to Bob: $x^{g_A + N_{A1}} \bmod p$ and $x^{N_{A2}} \bmod p$.

5. Bob sends to Alice: $\left(\frac{x^{g_A + N_{A1}}}{x^{g_B}}\right)^{N_B} \bmod p$ and computes $K'_A = \left(x^{N_{A2}}\right)^{N_B} \bmod p$ for himself.

6. Alice computes: $K_A = \left[\left(\frac{x^{g_A + N_{A1}}}{x^{g_B}}\right)^{N_B}\right]^{N_{A2}/N_{A1}} \bmod p$.

7. Bob chooses a random message $M$ and sends $C = f(M, K'_A)$ to Alice.

8. Alice sends back $Y = f^{-1}(C, K_A)$ to Bob.

$c = f(m, k)$ is a function known to both Alice and Bob, where $m$ is the input, $k$ is the key and knowing $c$ does not reveal the key used. $f$ may be an encryption function using a secret key and $f^{-1}$ is the decryption function.

Mutual agreement:
1. prime $p$ such that $p - 1$ has a large prime factor.
2. a number $x \in \mathbb{Z}_p$ that is a primitive root of $p$.
3. a number $c$, where $c = g_1^2 \bmod p = g_2^2 \bmod p$.

Alice privately holds $g_A \in (g_1, g_2)$, $N_{A1}$ and $N_{A2}$; Bob privately holds $g_B \in (g_1, g_2)$, $N_B$ and $M$.

Bob computes $K'_A = \left(x^{N_{A2}}\right)^{N_B}$; Alice computes $K_A = \left[\left(x^{g_A - g_B + N_{A1}}\right)^{N_B}\right]^{N_{A2}/N_{A1}}$.

Bob compares with $M$ to determine if $K'_A = K_A$ or $K'_A \neq K_A$.

Illustration of proposed algorithm to achieve oblivious exchange of encryption key (all computations performed in $\mathbb{Z}_p$).

Two cases arise from the above sequence, namely $g_A = g_B$ and $g_A \neq g_B$. If $g_A = g_B$ then $K'_A = K_A$, else $K'_A \neq K_A$. Hence, Bob receives $K_A$ with probability one-half. Steps 7 and 8 help Bob check if he has $K_A$ by comparing $Y$ and $M$.

Similarly, exchange of key $K_B$ takes place from Bob to Alice.

Define states,

$$U_b = \begin{cases} K, & \text{if Bob received } K_A. \\ \bar{K}, & \text{if Bob did not receive } K_A. \end{cases}$$

where $K \in \mathbb{Z}_p$ and $\bar{K}$ is the bitwise complement of $K$. $U_a$ is similarly defined.

In order to prevent cheating by either party, Alice sends $U_a \oplus S_A$ to Bob and Bob sends $U_b \oplus S_B$ to Alice. Since neither party knows the other's state of knowledge of the secret key, this step does not provide either party with any knowledge of the other's secret.

Finally, Alice and Bob exchange their secrets, encrypting them using $K_A$ and $K_B$, respectively.

If at the last step, after Alice sends her encrypted secret to Bob, Bob were to cheat and not send his secret to Alice, then the fact that Bob cheated implies that Bob received $K_A$ and $U_b = K$, and that Bob had previously sent $U_b \oplus S_B = K \oplus S_B$. Alice can retrieve $S_B$ by computing $K \oplus S_B \oplus K = S_B$.

The probability, after the protocol is complete, that neither party knows the other's secret key is one-fourth.

Example: Alice and Bob wish to exchange secrets $S_A$ and $S_B$. They agree upon $p = 23$, $x = 5$ and $c = 9$. Therefore, the two square roots of $c$ modulo $p$ are $g_1 = 3$ and $g_2 = 20$. Two cases arise beginning from step 2 of the algorithm. Let us examine them:

Case I: $g_A = g_B$

2. Alice chooses: $g_A = g_1 = 3$ and two random numbers $N_{A1} = 5$ and $N_{A2} = 15$.

3. Bob chooses: $g_B = g_1 = 3$ and $N_B = 17$.

4. Alice sends to Bob: $x^{g_A + N_{A1}} \bmod p = 5^{3+5} \bmod 23 = 16$ and $x^{N_{A2}} \bmod p = 5^{15} \bmod 23 = 19$.

5. Bob sends to Alice:
$$\left(\frac{x^{g_A + N_{A1}}}{x^{g_B}}\right)^{N_B} \bmod p = \left(\frac{5^{3+5}}{5^3}\right)^{17} \bmod 23 = \left(\frac{16}{125}\right)^{17} \bmod 23 = \left(16 \times 125^{-1}\right)^{17} \bmod 23 = (16 \times 7)^{17} \bmod 23 = 7$$
and computes for himself: $K'_A = \left(x^{N_{A2}}\right)^{N_B} \bmod p = 19^{17} \bmod 23 = 21$.

6. Alice computes: $K_A = \left[\left(\frac{x^{g_A + N_{A1}}}{x^{g_B}}\right)^{N_B}\right]^{N_{A2}/N_{A1}} \bmod p = (7)^{15/5} \bmod 23 = 21$.

Bob may encrypt a random message with the key that he has generated and ask Alice to decrypt it using her key to determine if he has $K_A$. Since Alice and Bob have chosen $g_A = g_B = 3$, then $K'_A = K_A = 21$. ($g_A = g_B = 20$ gives similar results.)

Case II: $g_A \neq g_B$

2. Alice chooses: $g_A = g_1 = 3$ and two random numbers $N_{A1} = 5$ and $N_{A2} = 15$.

3. Bob chooses: $g_B = g_2 = 20$ and $N_B = 17$.

4. Alice sends to Bob: $x^{g_A + N_{A1}} \bmod p = 5^{3+5} \bmod 23 = 16$ and $x^{N_{A2}} \bmod p = 5^{15} \bmod 23 = 19$.

5. Bob sends to Alice:
$$\left(\frac{x^{g_A + N_{A1}}}{x^{g_B}}\right)^{N_B} \bmod p = \left(\frac{5^{3+5}}{5^{20}}\right)^{17} \bmod 23 = \left(\frac{16}{12}\right)^{17} \bmod 23 = \left(16 \times 12^{-1}\right)^{17} \bmod 23 = (16 \times 2)^{17} \bmod 23 = 9$$
and computes for himself: $K'_A = \left(x^{N_{A2}}\right)^{N_B} \bmod p = 19^{17} \bmod 23 = 21$.

6. Alice computes: $K_A = \left[\left(\frac{x^{g_A + N_{A1}}}{x^{g_B}}\right)^{N_B}\right]^{N_{A2}/N_{A1}} \bmod p = (9)^{15/5} \bmod 23 = 16$.

In this case, Alice and Bob have chosen $g_A \neq g_B$, hence $K'_A \neq K_A$. ($g_A = 20$ and $g_B = 3$ yields similar results.)

In neither case can Bob predict beforehand what choice Alice has made, so the protocol remains fair.
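The exchange of steps 1-8 as an added Python example (not the paper's code), run on the toy parameters above ($p = 23$, $x = 5$, $c = 9$); it instantiates $f$ as XOR with the key and assumes $\gcd(N_{A1}, p-1) = 1$ so that the exponent $N_{A2}/N_{A1}$ exists modulo $p - 1$. On the Case I values it reproduces 16, 19, 7, 21 and 21; on the Case II values it gives Bob's message as 3 and $K_A = 4$ rather than the 9 and 16 printed above, with $K'_A = 21$ and the conclusion $K'_A \neq K_A$ unchanged.

```python
# Added example, not from the paper: oblivious key exchange of Section 2, steps 1-8.
import math
from random import SystemRandom

_rng = SystemRandom()


def square_roots(c, p):
    """Step 1: the two g with g^2 = c (mod p). Brute force, so toy-sized p only."""
    roots = tuple(g for g in range(1, p) if g * g % p == c)
    assert len(roots) == 2, "c must be a quadratic residue modulo the odd prime p"
    return roots


def alice_send(x, p, g_a, n_a1, n_a2):
    """Step 4: Alice sends x^(g_A + N_A1) mod p and x^(N_A2) mod p."""
    return pow(x, g_a + n_a1, p), pow(x, n_a2, p)


def bob_send(x, p, g_b, n_b, m1, m2):
    """Step 5: Bob divides out x^(g_B) for his own choice g_B and raises to N_B;
    he also derives his key K'_A = (x^(N_A2))^(N_B) mod p from Alice's second value."""
    base = m1 * pow(pow(x, g_b, p), -1, p) % p
    return pow(base, n_b, p), pow(m2, n_b, p)


def alice_key(p, n_a1, n_a2, bob_msg):
    """Step 6: the exponent N_A2/N_A1 is N_A2 * N_A1^(-1) modulo p-1, the group order.
    Assumed here (the paper does not say so): gcd(N_A1, p-1) == 1, so the inverse exists."""
    exp = n_a2 * pow(n_a1, -1, p - 1) % (p - 1)
    return pow(bob_msg, exp, p)


def run(x, p, g_a, g_b, n_a1, n_a2, n_b):
    """One execution; returns Alice's two messages, Bob's message, K'_A and K_A."""
    m1, m2 = alice_send(x, p, g_a, n_a1, n_a2)
    bob_msg, k_a_prime = bob_send(x, p, g_b, n_b, m1, m2)
    return m1, m2, bob_msg, k_a_prime, alice_key(p, n_a1, n_a2, bob_msg)


def bob_learns_key(m, k_a_prime, k_a):
    """Steps 7-8 with f(M, K) = M XOR K as a toy cipher: Bob sends C = f(M, K'_A),
    Alice returns f^-1(C, K_A), and Bob compares with M to learn whether K'_A == K_A."""
    c = m ^ k_a_prime
    y = c ^ k_a
    return y == m


def agreement_iff_same_choice(x, p, c, trials):
    """Random executions: the keys agree exactly when g_A == g_B. Exponents are drawn from
    the units modulo p-1, which at toy size rules out degenerate exponents (N_A2 * N_B
    divisible by p-1); with a large prime factor in p-1 that event is negligible."""
    g1, g2 = square_roots(c, p)
    units = [n for n in range(1, p - 1) if math.gcd(n, p - 1) == 1]
    for _ in range(trials):
        g_a, g_b = _rng.choice((g1, g2)), _rng.choice((g1, g2))
        n_a1, n_a2, n_b = (_rng.choice(units) for _ in range(3))
        *_, k_a_prime, k_a = run(x, p, g_a, g_b, n_a1, n_a2, n_b)
        if (k_a_prime == k_a) != (g_a == g_b):
            return False
    return True


if __name__ == "__main__":
    print(run(5, 23, 3, 3, 5, 15, 17))   # Case I of the paper: (16, 19, 7, 21, 21)
    print(run(5, 23, 3, 20, 5, 15, 17))  # Case II parameters: (16, 19, 3, 21, 4)
```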

Security issues: The protocol breaks down if Bob is able to compute both $\left(x^{N_{A2}}\right)^{N_B} \bmod p$ and $\left[\left(x^{g_A - g_B + N_{A1}}\right)^{N_B}\right]^{N_{A2}/N_{A1}} \bmod p$. We see that Bob can deduce $x^{N_{A1}}$ and $x^{N_{A2}}$, using which he may compute $\frac{x^{N_{A2}}}{x^{N_{A1}}} = x^y \bmod p$. Given $y = N_{A2} - N_{A1}$, deducing $y$ is a DLP. If we assume that somehow Bob is able to deduce $y$, then in order for him to compute the ratio $\frac{N_{A2}}{N_{A1}}$, he still needs to know either $N_{A1}$ or $N_{A2}$, which is again equivalent to a DLP. Based on the assumption that a Discrete Log Problem is difficult to solve, the protocol remains secure.

3 One-out-of-two oblivious transfer

One of the most powerful primitives that have led to the invention of numerous cryptographic schemes is the one-out-of-two oblivious transfer. It may conceptually be described as a black box where Alice puts in two secrets, $S_1$ and $S_2$, such that Bob can only retrieve one of them while getting no information about the other. Bob is concerned that Alice should not know which secret he retrieved.

A situation may be such that a spy wishes to sell one out of two secrets that he possesses, while
the buyer does not wish the spy to know which information he wants. In such a situation the 1-
out-of-2 oblivious transfer can be employed. It is assumed that the party possessing the two
secrets is willing to disclose one and only one of these to the other.

The procedure of choosing the prime $p$, the generator $x$ and $c = g_1^2 \bmod p = g_2^2 \bmod p$ remains identical to that described before. However, this time Alice uses secret keys $K_1$ and $K_2$ to encrypt secrets $S_1$ and $S_2$, respectively. She announces to Bob that she is associating key $K_1$ with $g_1$ and key $K_2$ with $g_2$. With these initial conditions the protocol follows:

1. Alice secretly chooses $N_{A1}$ and sends to Bob: $x^{g_1 + N_{A1}} \bmod p$.

2. Bob chooses $g_B = g_1$ (if he wants secret $S_1$) or $g_B = g_2$ (if he wants secret $S_2$) and secret numbers $N_B$ and $N_{B1}$.

3. Bob sends to Alice: $\left(\frac{x^{g_1 + N_{A1}}}{x^{g_B}}\right)^{N_B N_{B1}} \bmod p$ and $x^{N_B} \bmod p$.

4. Alice chooses a number $N_{A2}$ and sends to Bob: $\left[\left(\frac{x^{g_1 + N_{A1}}}{x^{g_B}}\right)^{N_B N_{B1}}\right]^{N_{A2}} \bmod p$.

5. Bob computes: $K_B = \left[\left(\frac{x^{g_1 + N_{A1}}}{x^{g_B}}\right)^{N_B N_{B1} N_{A2}}\right]^{1/N_{B1}} \bmod p = \left(\frac{x^{g_1 + N_{A1}}}{x^{g_B}}\right)^{N_B N_{A2}} \bmod p$.

6. Alice computes: $K_1 = x^{N_B N_{A1} N_{A2}} \bmod p$ and $K_2 = \left(x^{N_B}\right)^{(g_1 - g_2 + N_{A1}) N_{A2}} \bmod p$.

7. Alice encrypts secret $S_1$ using $K_1$ and secret $S_2$ using $K_2$ and sends them to Bob.

From the above sequence we see that if Bob chooses $g_B = g_1$, then $K_B = K_1$, and if Bob chooses $g_B = g_2$, then $K_B = K_2$. Hence, Bob will only be able to retrieve one of the two secrets depending upon his choice, while Alice will not be able to determine which secret Bob has retrieved.
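The seven steps above as an added Python example (not the paper's code); the toy parameters $p = 23$, $x = 5$, $g_1 = 3$, $g_2 = 20$ are taken from the Section 2 example, and all random exponents are drawn from the units modulo $p - 1$ so that the inverse $1/N_{B1}$ in step 5 exists, an assumption the paper leaves implicit.

```python
# Added example, not from the paper: the 1-out-of-2 OT of Section 3, steps 1-7,
# on the toy parameters p = 23, x = 5, g1 = 3, g2 = 20 (3^2 = 20^2 = 9 mod 23).
import math
from random import SystemRandom

_rng = SystemRandom()


def step1_alice(x, p, g1, n_a1):
    """Alice associates K1 with g1 and K2 with g2, then sends x^(g1 + N_A1) mod p."""
    return pow(x, g1 + n_a1, p)


def step3_bob(x, p, g_b, n_b, n_b1, a1):
    """Bob divides out x^(g_B) for the secret he wants and blinds with N_B * N_B1;
    he also sends x^(N_B) mod p, from which Alice will later form both keys."""
    base = a1 * pow(pow(x, g_b, p), -1, p) % p
    return pow(base, n_b * n_b1, p), pow(x, n_b, p)


def step4_alice(p, n_a2, b1):
    """Alice raises Bob's blinded value to her fresh secret N_A2."""
    return pow(b1, n_a2, p)


def step5_bob(p, n_b1, a2):
    """Bob strips his blinding: the exponent 1/N_B1 is N_B1^(-1) modulo p-1, so
    gcd(N_B1, p-1) == 1 is assumed here (the paper leaves this implicit)."""
    return pow(a2, pow(n_b1, -1, p - 1), p)


def step6_alice(p, g1, g2, n_a1, n_a2, b2):
    """From x^(N_B) Alice derives K1 = x^(N_B N_A1 N_A2) and
    K2 = (x^N_B)^((g1 - g2 + N_A1) N_A2); she cannot tell which one Bob holds."""
    k1 = pow(b2, n_a1 * n_a2 % (p - 1), p)
    k2 = pow(b2, (g1 - g2 + n_a1) * n_a2 % (p - 1), p)
    return k1, k2


def run(x, p, g1, g2, g_b, n_a1, n_a2, n_b, n_b1):
    """Full exchange; returns (K_B, K1, K2). Step 7, encrypting S1 and S2, is omitted."""
    a1 = step1_alice(x, p, g1, n_a1)
    b1, b2 = step3_bob(x, p, g_b, n_b, n_b1, a1)
    a2 = step4_alice(p, n_a2, b1)
    k_b = step5_bob(p, n_b1, a2)
    k1, k2 = step6_alice(p, g1, g2, n_a1, n_a2, b2)
    return k_b, k1, k2


def bob_gets_exactly_chosen_key(x, p, g1, g2, trials):
    """Random runs: K_B == K1 iff Bob chose g1, K_B == K2 iff he chose g2, never both.
    Exponents are drawn from the units modulo p-1 so that K1 != K2 holds at toy size."""
    units = [n for n in range(1, p - 1) if math.gcd(n, p - 1) == 1]
    for _ in range(trials):
        g_b = _rng.choice((g1, g2))
        n_a1, n_a2, n_b, n_b1 = (_rng.choice(units) for _ in range(4))
        k_b, k1, k2 = run(x, p, g1, g2, g_b, n_a1, n_a2, n_b, n_b1)
        if k1 == k2 or k_b != (k1 if g_b == g1 else k2):
            return False
    return True


if __name__ == "__main__":
    print(run(5, 23, 3, 20, 3, 5, 15, 17, 7))   # Bob wants S1: K_B == K1 -> (14, 14, 12)
    print(run(5, 23, 3, 20, 20, 5, 15, 17, 7))  # Bob wants S2: K_B == K2 -> (12, 14, 12)
```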

Security issues: In order for Bob to cheat, he needs to compute both $K_1$ and $K_2$. His best option is to determine one of the keys honestly and, using that, try to deduce the other key. For instance, if Bob honestly computes $K_1$, then he will have access to $x^{N_{A1}}$ and $\frac{x^{N_{A1} N_{A2}}}{x^{N_{A1}}}$. But this does not provide him with any information about $N_{A1}$ and $N_{A2}$, which he needs to compute $K_2$. Similarly, he cannot calculate $K_1$ from $K_2$. The problem is again equivalent to efficiently solving a DLP.

4 Coin-Flipping Protocols

A couple may decide on which restaurant to go to or whether they should take a vacation or buy
a car for their next anniversary, by tossing a coin. In this case flipping a coin is a trivial matter
since both parties are present at the same place physically. However, problems arise when the
participants are geographically separated over large distances. How are they supposed to fairly
flip a coin when both of them cannot see the outcome simultaneously? Many business
transactions require such an arrangement or a simple game of gambling over the Web may need
a fair coin-toss. Numerous solutions exist for this purpose that employ cryptographic techniques
of bit commitment [9, 10].

It turns out that any oblivious transfer scheme may be suitably modified to flip a coin, so can be
the protocol for mutual exchange of secrets that we have presented. For instance, if Bob receives
the same key as Alice then Bob wins the toss else Alice wins. After Bob declares the key he has
computed, Alice replies if he won or lost and reveals all the variables that she had chosen which
Bob can use to verify Alice’s claim. Bob may not disclose any of the variables of his choice.

5 Zero-Knowledge Proofs

Introduced in 1985, zero-knowledge proofs are typically used to force malicious parties to behave according to a predetermined protocol. In addition to their direct applicability to cryptography, they serve as a good benchmark for the study of various problems regarding cryptographic protocols [11, 12, 13]. Here we discuss a protocol for a prover $P$ to convince a verifier $V$ that he possesses certain information without disclosing the actual information. We may formally describe the problem as the following: $P$ declares a $y$, such that $y = x^e \bmod p$, where $p$ is a prime and $x \in \mathbb{Z}_p$. $y$, $x$ and $p$ may be global information. However, only $P$ knows the exponent $e$. For everyone else, determining $e$ is a DLP. The problem is for $P$ to convince $V$ that he knows the value of $e$ without disclosing it. The protocol may proceed as follows:

1. $P$ chooses a random integer $n$ and sends $X = \left(x^e\right)^n \bmod p = x^{en} \bmod p$ to $V$.

2. $V$ chooses a random bit $b$. If $b = 0$, $M = 0$; else he chooses a random $m$ and sets $M = x^m \bmod p$, and sends $(b, M)$ to $P$.

3. If $b = 0$, $P$ sends $n$ to $V$; else $P$ sends $Y = M^e \bmod p = x^{me} \bmod p$ to $V$.

4. When $b = 0$, $V$ verifies that $X$ is equal to $y^n \bmod p = x^{en} \bmod p$. So he believes that $P$ knows the value of $n$. If $b = 1$, $V$ verifies if $Y$ is equal to $y^m \bmod p = x^{em} \bmod p$. So he is convinced that $P$ knows the value of $e$.

This is a single round of the protocol. Upon multiple rounds of the protocol, the probability of an
imposter cheating the verifier decreases exponentially.

We see that an imposter who does not know $e$ will succeed with a probability of one-half in each round. This is because if $V$ starts communicating with an imposter $P'$ from round one, then when $b = 0$, $P'$ successfully completes the protocol, but when $b = 1$, $P'$ will have to guess the value of $e$. Hence, after $t$ iterations, the probability of the verifier being cheated decreases to $2^{-t}$. The protocol is zero-knowledge because $P$ never sends $e$, but only uses it as an exponent. This makes recovering $e$ equivalent to the Discrete Log Problem.
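One round of the protocol above, together with an impostor who knows only the public $y$, as an added Python example (not from the paper); the parameters $p = 23$, $x = 5$, $e = 7$ are constructed here, and the impostor's only option on $b = 1$ is a random guess, so at this toy size his per-round success is slightly above one-half.

```python
# Added example, not from the paper: the Section 5 proof of knowledge of e, steps 1-4,
# with an honest prover P and an impostor P' who knows y = x^e mod p but not e.
from random import SystemRandom

_rng = SystemRandom()


def prover_commit(x, p, e, n):
    """Step 1: P sends X = (x^e)^n mod p."""
    return pow(pow(x, e, p), n, p)


def verifier_challenge(x, p, b, m):
    """Step 2: for b = 0 the challenge M is 0; for b = 1 it is M = x^m mod p."""
    return (b, 0) if b == 0 else (b, pow(x, m, p))


def prover_respond(p, e, n, challenge):
    """Step 3: reveal n for b = 0, or Y = M^e mod p for b = 1."""
    b, big_m = challenge
    return n if b == 0 else pow(big_m, e, p)


def verifier_check(p, y, big_x, b, m, response):
    """Step 4: for b = 0 check X == y^n mod p; for b = 1 check Y == y^m mod p."""
    if b == 0:
        return big_x == pow(y, response, p)
    return response == pow(y, m, p)


def honest_round(x, p, e, b):
    """One round with a prover who knows e; n and m are fresh random exponents."""
    y = pow(x, e, p)
    n, m = _rng.randrange(1, p - 1), _rng.randrange(1, p - 1)
    big_x = prover_commit(x, p, e, n)
    challenge = verifier_challenge(x, p, b, m)
    return verifier_check(p, y, big_x, b, m, prover_respond(p, e, n, challenge))


def impostor_round(x, p, y, b):
    """One round with P', who knows only y. For b = 0 he commits to X = y^n and reveals n,
    which passes. For b = 1 he would need M^e without knowing e, so he can only guess."""
    n, m = _rng.randrange(1, p - 1), _rng.randrange(1, p - 1)
    big_x = pow(y, n, p)
    if b == 0:
        return verifier_check(p, y, big_x, b, m, n)
    guess = _rng.randrange(1, p)  # constructed: a uniformly random element of Z_p*
    return verifier_check(p, y, big_x, b, m, guess)


def impostor_survival_rate(x, p, e, rounds, trials):
    """Fraction of trials in which P' passes all `rounds` rounds under random bits b.
    The paper's bound is 2^-rounds; at toy size it is a little higher because a guess
    on b = 1 hits with probability about 1/(p-1)."""
    y = pow(x, e, p)
    survived = 0
    for _ in range(trials):
        if all(impostor_round(x, p, y, _rng.randrange(2)) for _ in range(rounds)):
            survived += 1
    return survived / trials


if __name__ == "__main__":
    print(honest_round(5, 23, 7, 0), honest_round(5, 23, 7, 1))  # True True
    print(impostor_survival_rate(5, 23, 7, rounds=10, trials=400))
```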

A zero-knowledge proof can be used for identification if the verifier knows the value of e ,
which acts like a password. The prover has to convince the verifier that he knows the password,
without actually giving it out. This is because the verifier may be an imposter trying to determine
the password by cheating.

6 Conclusion

Our algorithm opens up the possibility of development of oblivious transfer schemes using key
exchange protocols. Academically, it appears that such algorithms should have preceded Rabin’s
protocol. It shows that there exist numerous variations on the implementation of OT protocols.
Also, most OT schemes can be extended to coin flipping with minor modifications, in which
case, only one sided transfer may take place and success or failure depends on the opposing party
being lucky enough to deduce the key.

Our protocol is different from Rabin’s protocol in the sense that the latter aims at obliviously
transmitting the decryption key from the transmitter to the receiver whereas we establish a shared
key between the transmitter and receiver with probability one-half. Higher exponents may be
employed to generate transfer probabilities other than one-half. It turns out that the Diffie-
Hellman protocol is a powerful primitive and can be used as a basis for implementing many
cryptographic protocols that have been implemented via the RSA type transformations. This
possibility had been overlooked.

Acknowledgement

I sincerely thank William Perkins and James Harold Thomas for discussions and useful
comments.

References
1. S. Wiesner. Conjugate Coding, manuscript written circa 1970, unpublished until it appeared in Sigact News, Vol. 15, no. 1, 1983, pp. 78-88.

2. M. O. Rabin. How to exchange secrets by oblivious transfer. Technical Report TR-81, Aiken Computation Laboratory, Harvard University, 1981.

3. A. Parakh. Oblivious Transfer using Elliptic Curves, Cryptologia, Volume 31, Issue 2, April 2007, pages 125-132.

4. W. Diffie and M. E. Hellman. New Directions in Cryptography, IEEE Transactions on Information Theory, vol. IT-22, Nov. 1976, pp. 644-654.

5. M. Bellare and S. Micali. Non-interactive oblivious transfer and applications. Crypto '89, pp. 547-557.

6. M. Naor and B. Pinkas. Efficient Oblivious Transfer Protocols, Proceedings of SODA 2001 (SIAM Symposium on Discrete Algorithms), January 7-9 2001, Washington DC.

7. D. Boneh. The Decision Diffie-Hellman Problem. Proceedings of the Third Algorithmic Number Theory Symposium. Springer-Verlag LNCS 1423, 1998, pp. 48-63.

8. S. Goldwasser, S. Micali, and C. Rackoff. The knowledge complexity of interactive proof systems. ACM Symposium on Theory of Computing, ACM Press, New York, USA, 1985, pp. 210-217.

9. M. Blum. Coin flipping by telephone. Advances in Cryptology: A Report on CRYPTO '81, pages 11-15, Santa Barbara, 1981. ECE Report No 82-04.

10. J. Reyneri and E. Karnin. Coin flipping by telephone (Corresp.). IEEE Transactions on Information Theory, Volume 30, Issue 5, Sep 1984, pages 775-776.

11. A. Fiat and A. Shamir. How to prove yourself: Practical solutions to identification and signature problems, Advances in Cryptology - Crypto '86, Springer-Verlag (1987), 186-194.

12. U. Feige, A. Fiat and A. Shamir. Zero Knowledge Proofs of Identity. Proceedings of the 19th ACM Symp. on Theory of Computing, May 1987, pages 210-217.

13. O. Goldreich, S. Micali and A. Wigderson, "Proofs That Yield Nothing But Their Validity and a Methodology of Cryptographic Protocol Design", Proceedings of FOCS 1986, pp. 174-187.
