Adaptive Oblivious Transfer with Access Control from Lattice Assumptions

Adaptive oblivious transfer (OT) is a protocol where a sender initially commits to a database {Mi}i=1. Then, a receiver can query the sender up to k times with private indexes ρ1, . . . , ρk so as to obtain Mρ1 , . . . ,Mρk and nothing else. Moreover, for each i ∈ [k], the receiver’s choice ρi may depend on previously obtained messages {Mρj}j<i. Oblivious transfer with access control (OT-AC) is a flavor of adaptive OT where database records are protected by distinct access control policies that specify which credentials a receiver should obtain in order to access each Mi. So far, all known OT-AC protocols only support access policies made of conjunctions or rely on ad hoc assumptions in pairing-friendly groups (or both). In this paper, we provide an OT-AC protocol where access policies may consist of any branching program of polynomial length, which is sufficient to realize any access policy in NC1. The security of our protocol is proved under the Learning-with-Errors (LWE) and ShortInteger-Solution (SIS) assumptions. As a result of independent interest, we provide protocols for proving the correct evaluation of a committed branching program on a committed input.