### Bounty: 50

I have the following protocol specification of a k-out-of-n oblivious transfer (as part of some E-Voting protocol) and it’s bugging me that I fail to understand it with my basic knowledge of cryptography.

This particular implementation looks totally different from the usual 1-out-of-n “the receiver generates multiple public keys but only one is valid” examples I can find on the Internet.

1) Is this OT somehow based on the ElGamal encryption scheme? Especially the exponentiation within a prime order group reminds me of it, but I don’t see what the PK and SK are.

2) In order for it to work, and according to the final equation $m_{sj} = c_{sj} \oplus k_j$, I’m expecting to get $m_j$ from simplifying $c_{sj} \oplus k_j$.

$m_j = k \oplus c$

$m_j = H(b \cdot g^{-sr}) \oplus c$

$m_j = H((\Gamma(s_j) \cdot g^{r})^s \cdot g^{-sr}) \oplus c$

$m_j = H(\Gamma(s_j)^s \cdot g^{sr} \cdot g^{-sr}) \oplus c$

$m_j = H(\Gamma(s_j)^s) \oplus c$

$m_j = H(\Gamma(s_j)^s) \oplus (m \oplus k)$

$m_j = H(\Gamma(s_j)^s) \oplus (m \oplus H(\Gamma(i)^s))$

so, $H(\Gamma(s_j)^s)$ must be equal to $H(\Gamma(i)^s)$

How can that be? How can some counter $i$ be equal to the sender’s query $s_j$? Is the selection $s$ basically the index of $m$ that he wants to receive?
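An added example, not part of the original post or of the protocol's specification: a toy Python run of the exchange the equations above describe, showing that the receiver's pad $H(\Gamma(s_j)^s)$ matches the sender's pad $H(\Gamma(i)^s)$ only for the ciphertext whose index $i$ equals the selected $s_j$. The group parameters, the encoding `gamma`, the hash, and the sender publishing `d = g^s` are assumptions, since the specification itself is not reproduced here.

```python
import hashlib
import secrets

# Toy parameters (constructed): safe prime P = 2Q + 1, G generates the
# order-Q subgroup of squares mod P. Far too small for real use.
P, Q, G = 2039, 1019, 4

def gamma(i):
    """Assumed encoding of index i as a group element (a square mod P)."""
    return pow(i + 2, 2, P)

def H(x, length):
    """Hash a group element to a pad of `length` bytes (assumed hash)."""
    return hashlib.shake_256(str(x).encode()).digest(length)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def query(selection):
    """Receiver: blind each chosen index s_j as a_j = Gamma(s_j) * g^r_j."""
    rs = [secrets.randbelow(Q - 1) + 1 for _ in selection]
    return [gamma(sj) * pow(G, r, P) % P for sj, r in zip(selection, rs)], rs

def respond(messages, a_list):
    """Sender: b_j = a_j^s, c_i = m_i xor H(Gamma(i)^s), d = g^s (assumed)."""
    s = secrets.randbelow(Q - 1) + 1
    b_list = [pow(a, s, P) for a in a_list]
    c_list = [xor(m, H(pow(gamma(i), s, P), len(m))) for i, m in enumerate(messages)]
    return b_list, c_list, pow(G, s, P)

def open_response(selection, rs, b_list, c_list, d):
    """Receiver: k_j = H(b_j * d^-r_j) = H(Gamma(s_j)^s), m = c_{s_j} xor k_j."""
    out = []
    for sj, r, b in zip(selection, rs, b_list):
        k = H(b * pow(d, Q - r, P) % P, len(c_list[sj]))  # d^(Q-r) = g^(-sr)
        out.append(xor(c_list[sj], k))
    return out
```

The sender computes one pad per index $i$ for all $n$ messages, while the receiver can only strip the blinding from $b_j$ to reach $\Gamma(s_j)^s$, which is the pad for $i = s_j$ and no other.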
