*Bounty: 50*

I have the following protocol specification of a k-out-of-n oblivious transfer (as part of some E-Voting protocol), and it’s bugging me that I fail to understand it with my basic knowledge of cryptography.

This particular implementation looks totally different from the usual 1-out-of-n “the receiver generates multiple public keys but only one is valid” examples I can find on the Internet.

1) Is this OT somehow based on the ElGamal encryption scheme? Especially the exponentiation within a prime order group reminds me of it, but I don’t see what the PK and SK are?

2) In order for it to be working, and according to the final equation $m_{sj} = c_{sj} \oplus k_j$, I’m expecting to get $m_j$ from simplifying $c_{sj} \oplus k_j$.

$m_j = k \oplus c$

$m_j = H(b \cdot g^{-sr}) \oplus c$

$m_j = H((\Gamma(s_j) \cdot g^{r})^s \cdot g^{-sr}) \oplus c$

$m_j = H(\Gamma(s_j)^s \cdot g^{sr} \cdot g^{-sr}) \oplus c$

$m_j = H(\Gamma(s_j)^s) \oplus c$

$m_j = H(\Gamma(s_j)^s) \oplus (m \oplus k)$

$m_j = H(\Gamma(s_j)^s) \oplus (m \oplus H(\Gamma(i)^s))$

so, $H(\Gamma(s_j)^s)$ must be equal to $H(\Gamma(i)^s)$

How can that be? How can some counter $i$ be equal to the sender’s query $s_j$? Is the selection $s$ basically the index of $m$ that he wants to receive?
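The relation asked about above, as an added example that is not part of the original post or of the protocol specification it refers to: a toy run of the exchange implied by the derivation, showing that the key recovered from $b \cdot g^{-sr}$ matches $H(\Gamma(i)^s)$ only for the ciphertext whose index $i$ equals the selection $s_j$. Assumptions: the party holding $s$ also transmits $d = g^s$ so that $g^{-sr}$ can be computed as $d^{-r}$, and the group parameters, the `gamma` encoding and the message strings are constructed for illustration.

```python
import hashlib
import secrets

# Toy parameters (constructed, far too small for real use): p = 2q + 1,
# and g = 4 generates the order-q subgroup of squares mod p.
P, Q, G = 2039, 1019, 4

def gamma(i):
    # Hypothetical encoding of index i as a group element (a small square).
    # A real scheme needs encodings with no known discrete-log relation to g.
    return pow(i + 3, 2, P)

def H(x):
    return hashlib.sha256(x.to_bytes(2, "big")).digest()

def xor(data, key):
    return bytes(a ^ b for a, b in zip(data, key))

def receiver_query(sel):
    # a = Gamma(s_j) * g^r hides the selected index behind the random r.
    r = secrets.randbelow(Q - 1) + 1
    return (gamma(sel) * pow(G, r, P)) % P, r

def sender_reply(a, messages):
    s = secrets.randbelow(Q - 1) + 1
    b = pow(a, s, P)   # b = a^s = Gamma(s_j)^s * g^{rs}
    d = pow(G, s, P)   # d = g^s (assumed to be sent alongside b)
    # Every message i is masked with its own key k_i = H(Gamma(i)^s).
    cts = [xor(m, H(pow(gamma(i), s, P))) for i, m in enumerate(messages)]
    return b, d, cts

def receiver_open(b, d, r, c):
    # b * d^{-r} = Gamma(s_j)^s; d has order q, so d^{-r} = d^{q-r}.
    k = H((b * pow(d, Q - r, P)) % P)
    return xor(c, k)

def run(sel, messages):
    # Try the single recovered key against every ciphertext.
    a, r = receiver_query(sel)
    b, d, cts = sender_reply(a, messages)
    return [receiver_open(b, d, r, c) for c in cts]
```

Calling `run(2, msgs)` returns a list in which only position 2 equals the original message; the other positions decrypt to unrelated bytes because their keys $H(\Gamma(i)^s)$ differ from the one recovered key.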