[Back] Oblivious transfer allows a sender to not know the information that a receiver has read. If c is a '0', we will be able to read Message 0, if it is a '1' we will be able to read Message 1:

## Oblivious transfer |

## Method

The method used is:

So, we are Bob the Investigator and investigating a serious crime, and we suspect that Eve is the person who is involved in the crime.

We now need to approach her employer (Alice) and ask for some information on her. So how do we do this without Alice knowing that we suspect Eve? Well oblivious transfer (OT) performs this.

Let's say that HackerZForU employ Eve and Trent, and we are only interested in getting information on Eve. Alice runs the company.

Now the method we will use is based on the Diffie-Hellman key exchange method, but is modified so that we generated two keys for Alice to pass the data. One will work and the other will be useless. Alice will have no idea which of the keys will work, and the information that we can look at. In this case we'll ask for data from both Eve and Trent, and Alice will not know which of them is the suspect.

First Alice and Bob generate random numbers (a and b). Alice then takes a value of g and raises it to the power of a:

\(A = g^a \)

She passes this to Bob. If Bob is interested in the first record he calculates g to the power b, else if it is the second record, he calculates the value passed from Alice (A), and multiplies this value with g to the power of b. Bob then sends one of these back:

\( if (c==0): B = g^b\)

\( if (c==1): B = A \times g^b\)

Alice receives the value from Bob (B). She then calculates two keys: the hash of B to the power of a, and the hash of B/A to the power of a.

\( K_0 = Hash(B^a)\)

\( K_1 = Hash((B/A)^a)\)

She then encrypts the two messages (M0 and M1) with each of the keys, and returns the ciphers to Bob.

\( e_0 = E_{K_0}(M_0)\)

\( e_1 = E_{K_1}(M_1)\)

Bob calculates the decryption key (which will only work for one of the them) as the hash of A to the power of b:

\( K_{bob} = Hash(A^b)\)

Bob will then try to decrypt the two ciphers with \( K_{bob}\) and only one will work.

## Presentation

## Code

An outline of the code is here:

from Crypto.Cipher import AES import hashlib import random import sys g=9 n=1001 a=random.randint(5, 10) b=random.randint(10,15) Alice=(g**a) % n c=1 if (len(sys.argv)>1): c=int(sys.argv[1]) print 'g: ',g,' n: ',n print 'Alice value: ',Alice print 'a (Alice random): ',a print 'b (Bob random): ',b # === Bob calculates === if (c==0): Bob=(g**b) % n else: Bob=Alice*((g**b) % n) # === Alice calculates === key0 = hashlib.sha256(str((Bob**a) %n)).digest() key1 = hashlib.sha256(str(((Bob/Alice)**a) %n)).digest() cipher1 = AES.new(key0, AES.MODE_ECB) cipher2 = AES.new(key1, AES.MODE_ECB) print '\nAlice calculates these keys' print 'Key 0: ',key0 print 'Key 1: ',key1 en0=cipher1.encrypt('Bob did it ') en1=cipher2.encrypt('Alice did it ') ## === Bob decrypts print '\nBob calculates this key:' Bob_key = hashlib.sha256(str((Alice**b) %n)).digest() print 'Bob key: ',Bob_key cipher1 = AES.new(Bob_key, AES.MODE_ECB) message_0=cipher1.decrypt(en0) message_1=cipher1.decrypt(en1) print '\nBob decrypts the messages:' print 'Message 0: ',message_0 print 'Message 1: ',message_1