Efficient Traceable Oblivious Transfer Schemes with Aceess Control

Abstract

In light of the rapid advancement of information technology, data privacy and security have emerged as critical societal concerns. There is an urgent need for the effective implementation of data access control and traceability mechanisms regarding the management of sensitive information.To address this issue, this paper presents an efficient traceable Oblivious Transfer with Access Control (AC-TOT) scheme that integrates traceability and access control mechanisms, with its core design rooted in cryptographic symmetry principles—specifically leveraging the symmetric properties of bilinear pairings to achieve consistent bidirectional verification of security parameters between protocol participants. Our scheme could ensure that only authorized users can access services from the server in a privacy-preserving manner, with the server being aware solely of the number of accessible services while remaining oblivious to their specific content. Furthermore, the scheme permits recipients to access services without undergoing identity verification, thereby mitigating the risk of personal information disclosure. The security analysis demonstrates that the proposed scheme effectively prevents user abuse and enables the sender to trace improper behaviors.

1. Introduction

With the rapid development of information technology, data privacy and security have emerged as critical societal concerns. In particular, the effective implementation of access control and traceability mechanisms for sensitive information has become a pressing challenge. This issue is not only pivotal to safeguarding individual privacy rights but also has profound implications for organizational compliance and reputation management. As public expectations regarding information security continue to rise, there is a growing demand for robust mechanisms that can ensure sensitive data remains available exclusively to authorized entities [1,2], while also enabling effective tracking and accountability in data usage [3]. These challenges have stimulated extensive research in cryptography and information security to develop innovative and practical solutions.

First introduced in 1981 by Michael O. Rabin [4], oblivious transfer (OT) is a foundational cryptographic primitive enabling a sender to transmit multiple data items such that the receiver retrieves only one of them without revealing their choice to the sender or learning about the remaining items. This asymmetric privacy guarantee makes OT indispensable in various secure settings, including secure multi-party computation [5,6], electronic voting [7], and privacy-preserving auction systems [8].

Recently, embedding artificial intelligence (AI) into distributed computing environments—especially collaborative and federated learning frameworks—has heightened the need for privacy-preserving techniques. OT and its variants have gained prominence in this context due to their strong security properties. For instance, OT has been leveraged to enable secure, privacy-preserving aggregation within federated learning (FL) systems resilient to collusion [9], while functional OT has been employed to preserve input privacy in federated model selection [10]. Additionally, OT has been incorporated into lightweight cryptographic protocols to enable efficient and secure regression analysis in FL settings [11]. These advances highlight the growing relevance of OT-based primitives in enhancing the privacy and overall robustness of AI-centric data governance frameworks. Moreover, in practical application scenarios characterized by sparse interactions or low observability—such as secure auction systems, government data access platforms, and anonymous voting—minimal yet structured traceable information can still enable reliable misuse detection and source reconstruction, paralleling techniques from low infection rate source localization [12]. Similarly, Zhu et al. [13] investigated the co-evolution of node reputation and edge strategy in the prisoner’s dilemma game on complex networks, showing that dynamically updating reputation can significantly enhance overall cooperation, which offers an additional perspective for extending deterrence mechanisms in AC-TOT.

In the original OT framework, the sender transmits one of the two messages in their possession to the receiver. If the protocol is executed correctly, each message is equally likely (probability ${\displaystyle \frac{1}{2}}$ ) to be delivered to the receiver, who remains entirely ignorant of the other message. Subsequent to the receiver obtaining the message, the sender remains completely unaware of which message was selected. This foundational model has spurred considerable research, resulting in numerous enhancements across different dimensions [14,15,16,17,18].

Even et al. [16] introduced a novel 1-out-of-2 OT (${\mathrm{OT}}_2^1$) protocol based on public-key cryptography, offering both a formal definition and an implementation of OT axioms. Compared to Rabin’s original proposal, in which a participant has only a ${\displaystyle \frac{1}{2}}$ probability of obtaining the secret, Even et al. introduced significant improvements. In 1986, Brassard et al. [15] extended the OT protocol to a 1-out-of-n OT (${\mathrm{OT}}_n^1$) version, further enhancing its functionality. Brassard et al. realized ${\mathrm{OT}}_n^1$ by executing ${\mathrm{OT}}_2^1$n times. In 1995, Beaver [19] introduced Random OT, which involves two participants S and R. Here, R provides a choice bit $\mathrm{b}\leftarrow 0,1$ (which can also be generated randomly by the protocol), while S inputs a randomly selected pair of messages $(m_0,m_1)$. Consequently, this pair can be randomly generated by the protocol and subsequently returned to S. Upon successful execution of Random OT, R obtains the message $m_b$, while S remains unable to deduce R’s choice bit b, and R is unable to access any information regarding $m_{1-b}$.This protocol is commonly referred to as ROT. In 1990, Naor et al. [18] introduced a more efficient k-out-of-n OT (${\mathrm{OT}}_n^k$) scheme, which reduces the computational overhead compared to executing ${\mathrm{OT}}_n^1$k times. In 1999, Naor et al. [18] introduced a variant of ${\mathrm{OT}}_n^k$, termed adaptive OT. Unlike conventional ${\mathrm{OT}}_n^k$, in adaptive OT, R does not receive all k selection queries simultaneously; rather, R determines the i-th query based on the outcomes of the preceding $i-1$ queries.

The majority of existing OT schemes are founded on the finite-field discrete logarithm problem (FFDLP). Tzeng’s scheme [20] is widely cited but lacks access control and traceability mechanisms, enabling any user interacting with the message sender to retrieve the desired message upon protocol execution, thereby creating potential vulnerabilities for unauthorized access. Camenisch et al. [21] introduced an anonymous database access protocol that assigns distinct access control permissions to different records. These permissions are defined by attributes, roles, or rights that users must possess. This protocol offers strong security guarantees, ensuring that only authorized users can access records, while preventing the database provider from identifying the accessed records or the attributes and roles associated with users during access. These characteristics safeguard user privacy and enhance database security. However, in this design, the access policy remains publicly accessible. Ma et al. [22] developed an OT scheme that ensures traceable receiver privacy. By imposing a time limit that initially protects the receiver’s privacy, the sender can later retrieve the message chosen by the receiver, thereby enhancing information traceability while balancing privacy protection. Extensive research has been conducted to define OT security [23,24,25,26].

To address access control and traceability challenges, Han et al. [1] proposed a scheme combining Oblivious Signatures with Envelopes (OSBE) and OT. In this design, the receiver first authenticates to the issuer to obtain the necessary credentials for accessing protected services, while the sender—though informed of the total number of services requested—cannot determine which specific ones were chosen or learn any PII about the receiver. The protocol also streamlines performance by removing the need for zero-knowledge proofs and relying on non-transferable all-or-nothing credentials, all with minimal communication and computational overhead. Subsequently, Han et al. [2] introduced an accountable AC-OT (AAC-OT) scheme that enforces access control, ensuring that authorized users can access protected records while preserving anonymity. Users are required to obtain credentials from the issuer and adhere to the access count limitations defined in the access control list (ACL). This scheme tackles two critical challenges: timely credential revocation and the prevention of excessive record usage, making it the first AC-OT scheme to incorporate both features. Conversely, Liu et al. [3] introduced a traceable OT (TOT) scheme aimed at reconciling the conflict between privacy preservation and traceability in conventional OT. This scheme enables honest receivers to make a fixed number of selections while preserving full privacy. However, if a receiver attempts to exceed the predefined selection limit, the sender can trace all previous choices.

Notably, a key distinction emerges between these representative works and our proposal: HSM [2] integrates access control with Traceability¹ (permission revocation for over-access) but lacks Traceability² for auditing malicious behaviors, while LZM [3] supports Traceability² but does not incorporate access control mechanisms. Our AC-TOT scheme uniquely bridges this gap by combining dynamic access control with Traceability², enabling both authorized access enforcement and post hoc accountability for misuse—a dual functionality not achieved by either prior work.

Extensive research has been conducted on defining OT security [23,24,25,26]. OT schemes are classified based on their ability to ensure simulatability security for the sender and/or receiver. They fall into four categories: honest-but-curious models [26], semi-simulatable models [3,23], fully simulatable models [21,25], and universally composable (UC) models [2,24]. Cho and Döttling [26] introduced Laconic OT, which ensures sender privacy against semi-honest receivers. They developed a probabilistic polynomial-time simulator, ℓOTSim, that generates transcripts indistinguishable by any efficient adversary from those of the actual protocol, thereby validating sender privacy against semi-honest receivers. However, the assumption that all participants act honestly makes this model overly optimistic for real-world applications. Naor and Pinkas [23] proposed a semi-simulatable model accommodating malicious interceptors and receivers. Nonetheless, it treats sender and receiver security separately: sender privacy is guaranteed via simulation, while the receiver’s is protected through computational non-verifiability. To counter selective-failure attacks by deceptive senders, a fully simulatable model was developed [21,25], offering simulation-based security for both parties. In UC frameworks, security for each party is defined by comparing executions in the real and ideal worlds under the UC security definitions [2].

In

Table 1. Comparison of oblivious transfer schemes.

Function/Algorithm	NP [23]	CGS [25]	HSM [2]	LZM [3]	Ours
Adaptive	✓	✓	✓	✓	✓
Simulation	Semi	Full	UC	Semi	Semi
Standard Model	✓	✓	✓	×	✓
Dynamic Assumptions	×	✓	✓	✓	✓
Access Control	×	×	✓	✓	✓
Traceability1	×	×	✓	×	×
Traceability2	×	×	×	✓	✓

presents a comparative analysis of our proposed Traceable Oblivious Transfer with Access Control (AC-TOT) scheme in contrast to representative works in the field, highlighting its unique attributes. In the AC-TOT scheme, access control is enforced via a semi-simulatable model based on dynamic assumptions, ensuring traceability even when users engage in improper behavior.

In our scheme, traceability corresponds to Traceability², which enables the system to trace and disclose a dishonest receiver’s prior selections, acting as a deterrent against fraudulent activities. By contrast, Traceability¹ denotes the system’s capability to track user access patterns and revoke permissions upon exceeding predefined thresholds, thereby enforcing access limitations. These two dimensions of traceability illustrate the equilibrium between enforcing access control policies and ensuring accountability for user actions.

In Table 1, the symbol “✓” denotes the presence of a specific feature, whereas “×” signifies its absence. The term “adaptive” describes the receiver’s ability to sequentially select k records. “Simulation” encompasses multiple security models, such as honest-but-curious, semi/full-simulatable, and universally composable (UC) frameworks. The “dynamic” property refers to assumptions that evolve with parameter n, exemplified by the ℓ-Strong Diffie–Hellman (ℓ-SDH) Assumption [27].

1.1. Our Motivation

In real-world application scenarios, such as online transactions and e-commerce, OT protocols play a crucial role in safeguarding user privacy. However, conventional OT research has predominantly focused on developing schemes that ensure complete privacy protection for both receivers and senders. Although this guarantees the confidentiality of users’ choices, certain receivers may attempt to gain unauthorized access to additional information. In such cases, the sender must be able to monitor these behaviors [3] and implement appropriate countermeasures. Moreover, in scenarios such as online auction systems and government data access platforms, service providers must not only identify dishonest users but also trace their past selections to revoke unauthorized actions on sensitive data while maintaining anonymity and minimizing oversight.

To restrict access exclusively to authorized users, access control mechanisms have been implemented [1]. This requires users to authenticate and acquire the necessary credentials prior to accessing services. This mechanism effectively mitigates the risk of unauthorized users exploiting system resources.

Building on this context, this paper proposes a novel OT scheme integrating traceability and access control. Our objective is to develop a protocol that guarantees unconditional privacy for honest users while enabling the sender to trace all prior selections of misbehaving receivers when required. This approach aims to provide an innovative solution for secure and efficient data exchange while establishing a foundation for future research in related domains.

Specifically, the AC-TOT scheme demonstrates significant practical value through its wide applicability across various critical scenarios. In online auction systems, the scheme authenticates bidder identities via access control mechanisms, ensuring that only authorized users can participate in bidding, while preserving bid privacy and enabling traceability of malicious repeated bidding behavior. In government data access platforms, users must authenticate before accessing sensitive information, and the system can retrospectively analyze access records in the event of identity misuse or data abuse. In anonymous survey or voting systems, the scheme ensures voter privacy while preventing repeated submissions and enables the identification of dishonest users when data anomalies occur. In summary, the AC-TOT scheme not only addresses the limitations of traditional OT protocols in terms of controllable accountability but also provides technical support and theoretical foundations for building secure, trustworthy, and auditable data exchange environments.

1.2. Our Contribution

We present an efficient AC-TOT protocol, integrating the traceability framework of Liu et al. [3] with the access control mechanism of Han et al. [1]. The protocol is designed to ensure that only authorized users (i.e., receivers) can access services from the server while preserving privacy. The server knows only the number of services accessible to authorized users, without any knowledge of their specific content. Furthermore, receivers can access services without identity verification, significantly reducing the risk of personally identifiable information (PII) exposure. The protocol enables receivers to retrieve a fixed The protocol permits a receiver to privately select exactly k items $M_{{\sigma }_1},\dots ,M_{{\sigma }_k}$ from the sender’s catalogue $M_1,\dots ,M_n$ (with each ${\sigma }_i\in \{1,\dots ,n\}$). Under normal use, the sender learns nothing about which indices were chosen. However, if the receiver exceeds their quota of k messages, the sender is able to reconstruct all previously retrieved choices $M_{{\sigma }_1},\dots ,M_{{\sigma }_k}$. This strikes a balance between protecting honest users’ anonymity and deterring misuse by allowing the sender to take action when over-access occurs. This design effectively prevents misuse while ensuring the privacy of legitimate users and granting the sender the ability to take appropriate action when necessary.

Moreover, the protocol undergoes rigorous evaluation in a semi-simulation framework, demonstrating that integrating access control and traceability not only strengthens security and privacy guarantees but also delivers a practical, high-performance solution for real-world deployment.

1.3. Paper Organization

The structure of this paper is organized as follows. We present the formal definition of AC-TOT in Section 2 and the detailed introduction to the relevant background knowledge as well as the security model of the AC-TOT scheme is presented in Section 3. A concrete AC-TOT scheme is constructed in Section 4 and the corresponding security and efficiency analysis are presented in Section 5. The paper is concluded in Section 6.

2. Formal Definition

We formally define the AC-TOT framework, which consists of three core entities with distinct responsibilities, followed by a tuple of eight interactive probabilistic polynomial-time (PPT) algorithms that govern the framework’s operation.

2.1. Core Entities and Their Responsibilities

The AC-TOT system relies on three mutually cooperative entities, each with well-defined roles: Issuer (I): Responsible for authenticating the receiver (R) and issuing valid credentials to R (required for service requests). Sender (S): Responsible for encrypting service-related messages, responding to legitimate requests from R, and tracing R’s access history if R exceeds the service limit. Receiver (R): Obtains credentials from the issuer first, then requests up to k services from the sender using the credentials. If R exceeds this k-service limit, the sender can retroactively trace all of R’s prior service selections.

2.2. Algorithm Tuple of AC-TOT Scheme

An AC-TOT scheme is formally defined by eight interactive PPT algorithms, with clear input/output relationships and entity associations as follows:

• Setup: System initialization algorithm (run by the framework).
  Input: Unary security parameter $1^{\lambda }$ (defines the security level).
  Output: System public parameters $\mathit{params}$ (shared by all entities).

  $$\mathit{params}\leftarrow \mathsf{Setup}\left(1^{\lambda }\right)$$

  (1)
• KeyGen: Key generation algorithm (run by the framework or respective entities).
  Input: System public parameters $\mathit{params}$.
  Output: Key pairs for the three entities: sender’s $(p{k}_S,s{k}_S)$, issuer’s $(p{k}_I,s{k}_I)$, and Receiver’s $(p{k}_R,s{k}_R)$ (public keys for verification, private keys for signing/decryption).

  $$\left((p{k}_S,s{k}_S),(p{k}_I,s{k}_I),(p{k}_R,s{k}_R)\right)\leftarrow \mathsf{KeyGen}\left(\mathit{params}\right)$$

  (2)
• Issue: Credential issuance algorithm (run by the issuer I).
  Input: Issuer’s private key $s{k}_I$, sender’s unique identifier $s_{id}$, receiver’s unique identifier $r_{id}$, and system parameters $\mathit{params}$.
  Output: A valid credential $\sigma$ for the receiver (proves R’s eligibility to request services).

  $$\sigma \leftarrow \mathsf{Issue}(s{k}_I,s_{id},r_{id};\mathit{params})$$

  (3)
• Commitment: Message encryption algorithm (run by the sender S).
  Input: System parameters $\mathit{params}$, sender’s key pair $(p{k}_S,s{k}_S)$, issuer’s public key $p{k}_I$, and a set of service-related messages $M=(M_1,\dots ,M_n)$ (each $M_i$ corresponds to one service).
  Output: A set of ciphertexts $C=(C_1,\dots ,C_n)$ (each $C_i$ is the encrypted form of $M_i$, where $C_i=(C_{i,1},C_{i,2})$ for subsequent request/extraction).

  $$\mathbf{C}\leftarrow \mathsf{Commitment}\left(M,p{k}_I,p{k}_S,s{k}_S;\mathit{params}\right)$$

  (4)
• Request: Service request algorithm (run by the receiver R).
  Input: System parameters $\mathit{params}$, receiver’s private key $s{k}_R$, issuer-issued credential $\sigma$, and the first part of the target ciphertext $C_{i_j,1}$ (corresponding to the $i_j$-th service requested by R).
  Output: A commitment transcript $(B_i,Z_{i_j},B_{i_j},f\left(B_{i_j}\right))$ (proves R’s legitimate access right to the sender).

  $$(B_i,Z_{i_j},B_{i_j},f\left(B_{i_j}\right))\leftarrow \mathsf{Request}(s{k}_R,\sigma ,C_{i_j,1};\mathit{params})$$

  (5)
• Response: Service response algorithm (run by the sender S).
  Input: System parameters $\mathit{params}$, sender’s private key $s{k}_S$, and the receiver’s commitment transcript $(B_i,Z_{i_j},B_{i_j},f\left(B_{i_j}\right))$ (validated by S first).
  Output: A response $D_{i_j}$ (enables the receiver to extract the target message $M_{i_j}$).

  $$D_{i_j}\leftarrow \mathsf{Response}(s{k}_S,(B_i,Z_{i_j},B_{i_j},f\left(B_{i_j}\right));\mathit{params})$$

  (6)
• Extract: Message extraction algorithm (run by the receiver R).
  Input: System parameters $\mathit{params}$, receiver’s private key $s{k}_R$, sender’s response $D_{i_j}$, and the second part of the target ciphertext $C_{i_j,2}$.
  Output: The original target message $M_{i_j}$ (the service content requested by R).

  $$M_{i_j}\leftarrow \mathsf{Extract}(D_{i_j},C_{i_j,2},s{k}_R;\mathit{params})$$

  (7)
• Tracing: Access tracing algorithm (run by the sender S).
  Input: System parameters $\mathit{params}$, and $k+1$ commitment transcripts ${\left\{(B_i,Z_{i_j},B_{i_j},f\left(B_{i_j}\right))\right\}}_{j=1}^{k+1}$ (collected by S when R exceeds the k-service limit).
  Output: Access identifiers $z_{i_j}$ (corresponding to the $i_j$-th services accessed by R, enabling full tracing of R’s access history).

  $$z_{i_j}\leftarrow \mathsf{Tracing}\left({\left\{(B_i,Z_{i_j},B_{i_j},f\left(B_{i_j}\right))\right\}}_{j=1}^{k+1};\mathit{params}\right)$$

  (8)

Correctness Guarantee: If the sender and receiver strictly follow the protocol (i.e., use valid keys/credentials and execute algorithms honestly), the receiver will recover the intended message $M_{i_j}$ with probability 1.

3. Preliminaries

3.1. Security Model

We first establish a security model that captures the essential properties of AC-TOT schemes. Based on the semi-simulation framework by Naor and Pinkas [23], the model separately defines the guarantees for receiver and sender security.

Receiver security requires that transcripts produced during service access, $S_{\sigma }$ and $S_{{\sigma }^{\prime }}$, are indistinguishable from the sender’s point of view. Sender security follows a real/ideal world approach: the real setting reflects direct execution between the two parties, while in the ideal case, a trusted third party (TTP) mediates the interaction. For any PPT adversary $\mathcal{A}$ attacking the real protocol, there must exist a simulator ${\mathcal{A}}^{\prime }$ in the ideal world whose output is computationally indistinguishable from that of $\mathcal{A}$.

Besides protecting both sender and receiver privacy, an AC-TOT protocol must also enforce traceability and access control. Together, these requirements ensure that information remains secure and controllable throughout the transfer process.

• Receiver Privacy:
  Let $\mathcal{C}=\{{\sigma }_1,\dots ,{\sigma }_k\}$ and ${\mathcal{C}}^{\prime }=\{{\sigma }_1^{\prime },\dots ,{\sigma }_k^{\prime }\}$ be two distinct selection sets. The corresponding transcripts $\mathcal{A}=\{A_{{\sigma }_1},\dots ,A_{{\sigma }_k}\}$, ${\mathcal{A}}^{\prime }=\{A_{{\sigma }_1^{\prime }},\dots ,A_{{\sigma }_k^{\prime }}\}$, as well as message sets $\mathcal{M}=\{m_{{\sigma }_1},\dots ,m_{{\sigma }_k}\}$, ${\mathcal{M}}^{\prime }=\{m_{{\sigma }_1^{\prime }},\dots ,m_{{\sigma }_k^{\prime }}\}$, should be computationally indistinguishable from the sender’s view. In particular, if $\mathcal{M}$ and ${\mathcal{M}}^{\prime }$ follow the same distribution, the receiver’s choices remain unconditionally hidden.
• Sender Privacy:
  In the real world, the sender and receiver run the protocol directly. In the ideal world, a TTP mediates: the sender provides the full message set $\{M_1,\dots ,M_n\}$, while the receiver adaptively submits a subset $\{{\sigma }_1,\dots ,{\sigma }_t\}\subset \{1,\dots ,n\}$. The TTP returns the corresponding outputs $\{M_{{\sigma }_1},\dots ,M_{{\sigma }_t}\}$. Sender privacy holds if, for every PPT adversary against the real protocol, there exists a PPT simulator in the ideal setting whose output is indistinguishable from the adversary’s real-world view.
• Traceability:
  Although not part of conventional OT designs, traceability is a core feature of AC-TOT. When a malicious receiver exceeds the allowed k queries and makes $k+1$ distinct selections, the combined transcript $\mathcal{A}=\{A_{{\sigma }_1},\dots ,A_{{\sigma }_k},A_{{\sigma }_{k+1}}\}$ can be processed by a tracing algorithm to recover all accessed indices.
• Access Control Semantic Security:
  If a receiver lacks valid credentials issued by the authority, they gain no information about the protected content, preserving semantic security of access control.

3.2. Bilinear Map

In the field of cryptography, bilinear maps are a fundamental concept, particularly in pairing-based cryptography. A bilinear map is a map that takes two elements from two different groups and maps them to a third group while maintaining a linear relationship in each argument. Specifically, let $G_1$ and $G_2$ be two additive cyclic groups of prime order q, and let $G_{\tau }$ be a target group, also of prime order q, written multiplicatively. A bilinear map $e:G_1\times G_2\to G_{\tau }$ satisfies the following properties:

• Bilinearity: For any scalars $a,b\in {\mathbb{Z}}_q$ and points $P\in G_1,Q\in G_2$,

  $$e(aP,bQ)=e{(P,Q)}^{ab}.$$

  (9)
• Non-degeneracy: There exist $P\in G_1$ and $Q\in G_2$ with

  $$e(P,Q)\ne 1_{G_{\tau }},$$

  (10)

  ensuring the pairing is not degenerate.
• Computability: A polynomial-time algorithm must exist to evaluate $e(P,Q)$ for all $P\in G_1$, $Q\in G_2$.

3.3. Security Assumptions

Definition 1

(Diffie–Hellman (DH) Assumption [28]). Let $\mathbb{G}$ denote a cyclic group of prime order q, generated by g. For two elements $a,b\in {\mathbb{Z}}_q$, sampled uniformly at random, the computational DH problem is to derive $g^{ab}$ from the tuple $(g,g^a,g^b)$.

The DH assumption implies that for any probabilistic polynomial-time (PPT) adversary $\mathcal{A}$, the success probability of solving the DH problem is negligible:

$${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{DH}}\left(k\right)=\mathrm{Pr}\left[\mathcal{A}(g^b,g^a,g)\to g^{ab}\right]\le ϵ\left(k\right)$$

(11)

where $a,b\stackrel{R}{\leftarrow }{\mathbb{Z}}_q$.

Definition 2

(Decisional Diffie–Hellman (DDH) Assumption [29]). Let g generate a cyclic group $\mathbb{G}$ of prime order q. Choose $a,b,c\in {\mathbb{Z}}_q$ at random. The challenge is to determine whether $g^c=g^{ab}$ given the tuple $(g,g^a,g^b,g^c)$.

The DDH assumption holds if, for any PPT distinguisher $\mathcal{A}$, the ability to tell apart $(g,g^a,g^b,g^{ab})$ from $(g,g^a,g^b,g^c)$ is negligible:

$${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{DDH}}\left(k\right)=\left|\mathrm{Pr}[\mathcal{A}(g,g^a,g^b,g^{ab})=1]-\mathrm{Pr}[\mathcal{A}(g,g^a,g^b,g^c)=1]\right|\le ϵ\left(k\right)$$

(12)

All probabilities are taken over random $a,b,c\in {\mathbb{Z}}_q$ and the internal randomness of $\mathcal{A}$.

Definition 3

(ℓ-Strong Diffie–Hellman (ℓ-SDH) Assumption [27]). Consider a bilinear group setup $({\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_{\tau })\leftarrow \mathrm{gg}\left(1^k\right)$, with generators $g_1\in {\mathbb{G}}_1$ and $g_2\in {\mathbb{G}}_2$. Let $x\in {\mathbb{Z}}_p^{\ast }$ be sampled uniformly at random, and the adversary is given $(g_2,g_2^x,g_2^{x^2},\dots ,g_2^{x^{\mathsf{\ell }}})$.

The ℓ-SDH assumption claims that any PPT adversary $\mathcal{A}$ cannot find a pair $(\gamma ,g_1^{1/(x+\gamma )})$ with non-negligible advantage:

$${\mathrm{Adv}}_{\mathcal{A}}^{\mathsf{\ell }-\mathrm{SDH}}\left(k\right)=\mathrm{Pr}\left[\mathcal{A}(g_1,g_2,g_2^x,\dots ,g_2^{x^{\mathsf{\ell }}})\to (\gamma ,g_1^{1/(x+\gamma )})\right]\le ϵ\left(k\right)$$

(13)

with randomness over $x\in {\mathbb{Z}}_p^{\ast }$ and $\mathcal{A}$’s internal coin tosses.

Definition 4

(Extended Chosen-Target Computational Diffie–Hellman (XCT-CDH) Assumption [1]). Suppose $\mathbb{G}\leftarrow \mathcal{B}\left(1^k\right)$ is a cyclic group of prime order p, generated by g, and a hidden exponent $x\in {\mathbb{Z}}_p$ is selected randomly. An oracle $H_{\mathbb{G}}$ is available that outputs $g_j^x$ for any input $g_j\in \mathbb{G}$.

Given a set $\{g^{a_1},\dots ,g^{a_{\pi +1}}\}\subset \mathbb{G}$, the assumption posits that even with access to $H_{\mathbb{G}}$, a PPT adversary $\mathcal{A}$ cannot compute $g^{x{a}_{\pi +1}}$ with more than negligible probability:

$${\mathrm{Adv}}_{\mathcal{A}}^{\mathrm{XCT}-\mathrm{CDH}}\left(k\right)=\mathrm{Pr}\left[{\mathcal{A}}^{H_{\mathbb{G}}}\left(g^{a_{i_1}},\dots ,g^{a_{i_{\pi }}},g,g^x,p\right)\to g^{x{a}_{i_{\pi +1}}}\right]\le ϵ\left(k\right),$$

(14)

where each $a_{i_j}\in \{a_1,\dots ,a_{\pi +1}\}$, and all randomness is taken over the choice of x, the $a_i$, and the internal randomness of $\mathcal{A}$.

4. An Efficient Construction of Traceable Oblivious Transfer with Access Control

This section presents an efficient cryptographic construction that integrates the privacy-preserving property of oblivious transfer (OT), the authorization mechanism of access control, and traceability against malicious behavior. The core goal is to ensure that only authorized receivers can retrieve specific messages from the sender, while preventing unauthorized access and enabling the sender to trace the receiver’s interaction behavior (e.g., repeated access or abuse of privileges). The construction leverages bilinear pairings for secure computation, polynomial secret sharing for access control enforcement, and proofs of knowledge (PoK) for authenticity verification, achieving a balance between efficiency, security, and functionality. Below is the detailed implementation process, including system setup, key generation, and the complete access control-enabled OT workflow:

• Setup:
  Given a security parameter $\lambda$, run the bilinear group generation algorithm $\mathcal{G}\left(1^{\lambda }\right)$ to obtain a tuple $(e,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_{\tau })$, where each group has prime order q and $e:{\mathbb{G}}_1\times {\mathbb{G}}_2\to {\mathbb{G}}_{\tau }$ is a bilinear, non-degenerate pairing. Let $p=2q+1$ be a safe prime such that ${\mathbb{G}}_{\tau }\subseteq {\mathbb{Z}}_p^{\ast }$. Choose generators $g\in {\mathbb{G}}_1$ and $h\in {\mathbb{G}}_2$. The system publishes the public $params=(e,{\mathbb{G}}_1,{\mathbb{G}}_2,{\mathbb{G}}_{\tau },p,q,g,h)$ for use by all participants.
• KeyGen:

  (a)

  $Issuer$: Run $\mathcal{KG}\left(1^{\lambda }\right)$ to obtain a secret key $x\stackrel{R}{\leftarrow }{\mathbb{Z}}_q^{\ast }$ and set the corresponding public key $y=h^x$. Output $({\mathit{sk}}_I=x,{\mathit{pk}}_I=y)$.

  (b)

  $Receiver$: Choose $z\stackrel{R}{\leftarrow }{\mathbb{Z}}_q^{\ast }$ as the long-term secret and let

  $$(p{k}_R,s{k}_R)=(e{(g,h)}^z,z)$$

  (15)

  Additionally, sample auxiliary secrets $z_1,z_2,\dots ,z_k\stackrel{R}{\leftarrow }{\mathbb{Z}}_q^{\ast }$ and compute

  $$Z_i=e{(g,h)}^{z_i}\mathrm{for}i=1,\dots ,k.$$

  (16)

  (c)

  $Sender$: Pick $s\stackrel{R}{\leftarrow }{\mathbb{Z}}_q^{\ast }$ and define

  $$s{k}_S=s,p{k}_S=e{(g,h)}^s$$

  (17)

• Issue:
  To issue credentials, the issuer randomly selects $r\in {\mathbb{Z}}_q^{\ast }$ and computes the value

  $$\sigma =g^{1/(x+r)}$$

  (18)
  The resulting pair $(\sigma ,r)$ is securely transmitted to the receiver R, while the value r is also confidentially delivered to the sender S via a secure communication channel.
• Commitment:
  The sender generates the ciphertext as follows: First, the sender randomly selects $t_1,t_2,\dots ,t_n\stackrel{R}{\leftarrow }{\mathbb{Z}}_q^{\ast }$. It then computes an auxiliary value

  $$T=y{h}^r$$

  (19)

  and derives

  $$C_i=(C_{i,1},C_{i,2})=(T^{t_i},e{(g,h)}^{s{t}_i}·M_i),\mathrm{for}i=1,2,\dots ,n.$$

  (20)
  Finally, the sender sends the ciphertext set ${\left\{(C_1,\dots ,C_n)\right\}}_{i=1}^n$ to the receiver $R.$
• Request:
  The receiver first evaluates the pairing $A_{i_j}=e(\sigma ,C_{i_j,1})$, which by construction satisfies

  $$A_{i_j}=e{(g,h)}^{t_{i_j}}$$

  (21)
  It then randomly picks $r_i\in {\mathbb{Z}}_q^{\ast }$ and $z_{i_j}\in \{z_1,z_2,\dots ,z_k\}$, and computes

  $$B_i=e{(g,h)}^{r_i}$$

  (22)

  and

  $$B_{i_j}={\left(e{(g,h)}^{t_{i_j}}\right)}^{r_i·z_{i_j}}$$

  (23)

  where $i_j\in \{1,\dots ,n\}$ is the receiver’s choice. In addition, the receiver uses the private keys $z,z_1,\dots ,z_k$ to compute

  $$f\left(B_{i_j}\right)=z+z_1{B}_{i_j}+z_2{B}_{i_j}^2+\cdots +z_k{B}_{i_j}^k$$

  (24)
  The receiver sends $(B_i,Z_{i_j},B_{i_j},f\left(B_{i_j}\right))$ to the sender S, and simultaneously performs the following proof of knowledge:

  $$PoK\left\{(r_i,z_{i_j},r_i·z_{i_j}):B_i=e{(g,h)}^{r_i}\wedge Z_{i_j}=e{(g,h)}^{z_{i_j}}\wedge B_{i_j}=A_{i_j}^{r_i·z_{i_j}}\right\}$$

  (25)
• Response:
  Upon receiving $\left(B_i,Z_{i_j},B_{i_j},f\left(B_{i_j}\right)\right)$ from R, the sender checks if $Z_{i_j}$ and $B_{i_j}$ have appeared in previous sessions and verifies:

  $$e{(g,h)}^{f\left(B_{i_j}\right)}\stackrel{?}{=}p{k}_R·Z_1^{B_{i_j}}·Z_2^{B_{i_j}^2}\cdots Z_k^{B_{i_j}^k}$$

  (26)
  Then S verifies the proof of knowledge (same as Equation (11), no duplicate numbering):

  $$PoK\left\{(r_i,z_{i_j},r_i·z_{i_j}):B_i=e{(g,h)}^{r_i}\wedge Z_{i_j}=e{(g,h)}^{z_{i_j}}\wedge B_{i_j}=A_{i_j}^{r_i·z_{i_j}}\right\}$$

  (27)
  If the verification succeeds, S computes

  $$D_{i_j}={\left(B_{i_j}\right)}^s$$

  (28)

  and sends $D_{i_j}$ to the receiver as well as stores $(B_i,Z_{i_j},B_{i_j},f\left(B_{i_j}\right))$.
• Extract:
  The receiver computes

  $$E_{i_j}=D_{i_j}^{{(r_i·z_{i_j})}^{-1}}$$

  (29)

  and extracts the intended message by computing

  $$M_{i_j}={\displaystyle \frac{C_{i_j,2}}{E_{i_j}}}$$

  (30)
• Tracing:
  Once R and S have performed more than a predefined k interactions, the sender S can recover $z,z_1,z_2,\dots ,z_k$ from the secret-sharing technology. In each round, since the receiver’s choice is hidden in

  $$B_{i_j}={\left(e{(g,h)}^{t_{i_j}}\right)}^{r_i·z_{i_j}}$$

  (31)
  Once $z_{i_j}$ is decided, it is an easy task for the sender to determine the receiver’s choice by the transcripts $(B_i,Z_{i_j},B_{i_j},f\left(B_{i_j}\right))$.

5. Security Analysis

Theorem 1.

The proposed AC-TOT scheme satisfies correctness under the standard cryptographic assumptions.

Proof. 

The correctness proof comprises three components:

1. Correctness of PoK: If the receiver R is honest, then R indeed knows the secrets $r_i$, $z_{i_j}$, and their product $r_i·z_{i_j}$.

• R samples random nonces $v_r,v_z,v_{rz}\in {\mathbb{Z}}_q^{\ast }$ and computes

  $$\begin{array}{cc}\hfill T_1& =e{(g,h)}^{v_r},\hfill \\ \hfill T_2& =e{(g,h)}^{v_z},\hfill \\ \hfill T_3& =A_{i_j}^{v_{rz}}.\hfill \end{array}$$

  (32)
• Compute the Fiat–Shamir challenge

  $$c=H\left(B_i,Z_{i_j},B_{i_j},T_1,T_2,T_3\right)\in {\mathbb{Z}}_q^{\ast }$$

  (33)
• Compute the responses:

  $$\begin{array}{cc}\hfill s_r& =v_r-c·r_i\mathrm{mod}q,\hfill \\ \hfill s_z& =v_z-c·z_{i_j}\mathrm{mod}q,\hfill \\ \hfill s_{rz}& =v_{rz}-c·(r_i·z_{i_j})\mathrm{mod}q.\hfill \end{array}$$

  (34)
• R sends the proof transcript: $\pi =\left(c,T_1,T_2,T_3,s_r,s_z,s_{rz}\right)$ to the sender S.
• Upon receipt, S recomputes

  $$\begin{array}{cc}\hfill T_1^{\prime }& ={\left(e{(g,h)}^{r_i}\right)}^c·e{(g,h)}^{s_r}=e{(g,h)}^{c{r}_i+(v_r-c{r}_i)}=e{(g,h)}^{v_r}=T_1,\hfill \\ \hfill T_2^{\prime }& ={\left(e{(g,h)}^{z_{i_j}}\right)}^c·e{(g,h)}^{s_z}=e{(g,h)}^{c{z}_{i_j}+(v_z-c{z}_{i_j})}=e{(g,h)}^{v_z}=T_2,\hfill \\ \hfill T_3^{\prime }& ={\left(A_{i_j}^{r_i{z}_{i_j}}\right)}^c·A_{i_j}^{s_{rz}}=A_{i_j}^{c{r}_i{z}_{i_j}+(v_{rz}-c{r}_i{z}_{i_j})}=A_{i_j}^{v_{rz}}=T_3.\hfill \end{array}$$

  (35)
• Finally, S checks

  $$c^{\prime }=H\left(B_i,Z_{i_j},B_{i_j},T_1^{\prime },T_2^{\prime },T_3^{\prime }\right)$$

  (36)

  and verifies $c^{\prime }=c$.

2. Message Recovery: For any valid credential $(\sigma ,r)$ held by receiver R, the target message $M_{i_j}$ can be correctly recovered through the following computation:

$$\begin{array}{cc}\hfill A_{i_j}& =e(\sigma ,C_{i_j,1})=e\left(g^{{\displaystyle \frac{1}{x+r}}},{\left(y{h}^r\right)}^{t_{i_j}}\right)\hfill \\ \hfill & =e{\left(g^{{\displaystyle \frac{1}{x+r}}},h^{x+r}\right)}^{t_{i_j}}\hfill \\ \hfill & =e{(g,h)}^{t_{i_j}},\hfill \end{array}$$

(37)

$$\begin{array}{cc}\hfill {\displaystyle \frac{C_{i_j,2}}{E_{i_j}}}& ={\displaystyle \frac{e{(g,h)}^{s{t}_{i_j}}·M_{i_j}}{D_{i_j}^{{(r_i·z_{i_j})}^{-1}}}}\hfill \\ \hfill & ={\displaystyle \frac{e{(g,h)}^{s{t}_{i_j}}·M_{i_j}}{B_{i_j}^{s{(r_i·z_{i_j})}^{-1}}}}\hfill \\ \hfill & ={\displaystyle \frac{e{(g,h)}^{s{t}_{i_j}}·M_{i_j}}{A_{i_j}^s}}\hfill \\ \hfill & ={\displaystyle \frac{e{(g,h)}^{s{t}_{i_j}}·M_{i_j}}{e{(g,h)}^{s{t}_{i_j}}}}\hfill \\ \hfill & =M_{i_j}.\hfill \end{array}$$

(38)

3. Traceability Guarantee: After $k+1$ protocol executions between S and R, the private key components $(z,z_1,\dots ,z_k)$ are recovered via the following algebraic construction:

• The accumulated protocol transcripts generate $k+1$ linearly independent equations:

  $$f\left(B_{i_j}\right)=z+z_1{B}_{i_j}+z_2{B}_{i_j}^2+\cdots +z_k{B}_{i_j}^k,1\le i_j\le k+1$$

  (39)
• These equations form a linear system characterized by the Vandermonde matrix $\mathbf{V}$:

  $$\mathbf{V}=\left(\begin{array}{ccccc}1& B_1& B_1^2& \cdots & B_1^k\\ 1& B_2& B_2^2& \cdots & B_2^k\\ ⋮& ⋮& ⋮& \ddots & ⋮\\ 1& B_{k+1}& B_{k+1}^2& \cdots & B_{k+1}^k\end{array}\right),\mathbf{V}\left(\begin{array}{c}z\\ z_1\\ ⋮\\ z_k\end{array}\right)=\left(\begin{array}{c}f\left(B_1\right)\\ f\left(B_2\right)\\ ⋮\\ f\left(B_{k+1}\right)\end{array}\right)$$

  (40)
• The determinant of the Vandermonde matrix satisfies

  $$\det \left(\mathbf{V}\right)=\prod _{1\le i<j\le k+1}(B_j-B_i)\ne 0$$

  (41)
  This non-singularity ensures the existence of a unique solution $(z,z_1,\dots ,z_k)$, thereby enabling the precise reconstruction of R’s historical choices through the mapping.

□

Theorem 2.

The constructed AC-TOT protocol achieves semantic security and ensures the confidentiality of the sender’s data.

It is suggested to refer to [1] for the security analysis of the encryption scheme and the sender’s privacy.

Theorem 3.

The AC-TOT protocol preserves the receiver’s selection privacy under the defined security model.

Proof. 

Suppose an honest receiver engages in k rounds of the AC-TOT protocol with the sender. The scheme’s security hinges on the DDH assumption, which asserts that distinguishing authentic group elements from random ones in a DDH challenge is computationally intractable. In each round, receiver R computes a response tuple $(B_i,Z_{i_j},B_{i_j},f\left(B_{i_j}\right))$, where $B_i$, $Z_{i_j}$, and $B_{i_j}$ are group elements in ${\mathbb{G}}_{\tau }$ (original sentence incomplete, supplemented for coherence). From the sender’s perspective, given only $B_i$ and $Z_{i_j}$, deriving $B_{i_j}$ is computationally infeasible. In other words, the sender cannot determine which message the receiver has selected, thereby preserving the receiver’s privacy provided that the DDH assumption holds in ${\mathbb{G}}_{\tau }$. □

Complexity

Assuming that the pairing value $e(g,h)$ is pre-computable and the Setup overhead is negligible, we analyze the efficiency of each protocol phase as follows:

In the KeyGen, the issuer performs one exponentiation and transmits a single element from ${\mathbb{G}}_2$ to both the receiver and the sender. The receiver completes $k+1$ exponentiations and returns the same number of ${\mathbb{G}}_{\tau }$ elements to the sender. Meanwhile, the sender executes one exponentiation and replies with a single ${\mathbb{G}}_{\tau }$ element. In the Issue phase, the issuer conducts one exponentiation and sends two values to the receiver—one from ${\mathbb{G}}_1$ and another from ${\mathbb{Z}}_q$. The same ${\mathbb{Z}}_q$ value is also forwarded to the sender. In the Commitment phase, the sender evaluates $n+1$ exponentiations in ${\mathbb{G}}_2$ and n in ${\mathbb{G}}_{\tau }$, and then delivers n elements from each group to the receiver. In the Request phase, the receiver performs k pairing computations and $2k$ exponentiations, transmitting a total of $3k$ group elements in ${\mathbb{G}}_{\tau }$ and k scalars from ${\mathbb{Z}}_q$ to the sender. In the Response phase, the sender computes $k(k+5)$ exponentiations and responds with k elements from ${\mathbb{G}}_{\tau }$. In the Extract phase, the receiver recovers the messages via k exponentiations. In the Tracing phase, this step involves only linear operations over ${\mathbb{Z}}_q$, and its cost is considered negligible.

A full breakdown of computational and communication overheads is provided in

Table 2. Computation cost.

Phase	Party	Computation
Setup	Issuer	negligible
KeyGen	Issuer	1 e in ${\mathbb{G}}_2$
	Receiver	$(k+1)$ e in ${\mathbb{G}}_{\tau }$
	Sender	1 e in ${\mathbb{G}}_{\tau }$
Issue	Issuer	1 e in ${\mathbb{G}}_1$
Commitment	Sender	$(n+1)$ e in ${\mathbb{G}}_2$, n e in ${\mathbb{G}}_{\tau }$
Request (total k rounds)	Receiver	k p, $2k$ e in ${\mathbb{G}}_{\tau }$
Response (total k rounds)	Sender	$k·(k+5)$ e in ${\mathbb{G}}_{\tau }$
Extract	Receiver	k e in ${\mathbb{G}}_{\tau }$
Tracing	Sender	negligible (linear operations in ${\mathbb{Z}}_q$)

and

Table 3. Communication cost.

Phase	Communication
Setup	none
KeyGen	1 $E_2$ (Issuer → Receiver)
	1 $E_2$ (Issuer → Sender)
	$(k+1)$$E_{\tau }$ (Receiver → Sender)
	1 $E_{\tau }$ (Sender → Receiver)
Issue	1 $E_1$ + 1 $E_q$ (Issuer → Receiver)
	1 $E_q$ (Issuer → Sender)
Commitment	n $E_2$ + n $E_{\tau }$ (Sender → Receiver)
Request (total k rounds)	$3k$ $E_{\tau }$ + k $E_q$ (Receiver → Sender)
Response (total k rounds)	k $E_{\tau }$ (Sender → Receiver)
Extract	none
Tracing	none

, respectively (corrected “an” to “and”). We denote a single exponentiation and pairing operation as e and p, respectively. Element sizes are represented as $E_1$ (for ${\mathbb{G}}_1$), $E_2$ (for ${\mathbb{G}}_2$), $E_{\tau }$ (for ${\mathbb{G}}_{\tau }$), and $E_q$ (for ${\mathbb{Z}}_q$).

6. Conclusions

In this paper, we present a formal definition of the Traceable Oblivious Transfer with Access Control (AC-TOT) protocol and rigorously define the corresponding security model. We present the detail security analysis under the half-simulation model. In addition, we present the detail efficiency analysis of the proposed AC-TOT scheme. The proposed AC-TOT scheme introduces novel features that are absent in conventional OT protocols, including a credential issuance mechanism that requires users to authenticate solely with a trusted issuer, thereby eliminating the need for explicit authorization proofs to the sender. This design substantially minimizes the disclosure of sensitive information to senders while preserving the integrity of access control. Moreover, the AC-TOT protocol incorporates a traceability mechanism for receiver misconduct, thereby enabling accountability through cryptographic evidence of policy violations, and deters malicious behavior by facilitating the imposition of enforceable sanctions against non-compliant participants.

Despite these theoretical and functional advantages, potential limitations in practical deployment—such as key management overhead for the trusted issuer and latency in misconduct tracing under large-scale data scenarios—remain to be addressed, which also points out directions for future work. We plan to explore lightweight key management strategies for the issuer to reduce deployment costs and optimize the tracing algorithm to improve efficiency in large-scale environments, thereby further bridging the gap between theoretical design and real-world application.