Security analysis of polynomial interpolation-based distributed oblivious transfer protocols

Abstract

In an unconditionally secure Distributed Oblivious Transfer (DOT) protocol, a receiver contacts at least k servers to obtain one of the n secrets held by a sender. Once the protocol has been executed, the sender does not know which secret was chosen by the receiver and the receiver has not gained information on the secrets she did not choose. In practical applications, the probability distribution of the secrets may not be uniform, e.g., when DOT protocols are used in auctions, some bids may be more probable than others. In this kind of scenario, we show that the claim “a party cannot obtain more than a linear combination of secrets” is incorrect; depending on the probability distribution of the secrets, some existing polynomial interpolation-based DOT protocols allow a cheating receiver, or a curious server, who has obtained a linear combination of the secrets to determine all the secrets.