
The idea of the Bellare-Micali Oblivious Transfer Constructions is the following:

[image: the Bellare-Micali OT construction from the lecture slides, not included]

Informally, the receiver is required to generate two public keys $y_b$, $y_{1-b}$ such that it knows only the secret key paired with $y_b$ (where $b$ is its choice bit), denoted by $k$. In order to prevent the receiver from cheating, the sender requires that the two generated public keys satisfy a certain constraint, i.e., $y_b \cdot y_{1-b} = c$. In this way, the receiver cannot know both private keys, or else it could compute the DLOG. At this point, the receiver sends the two public keys to the sender. Then, the sender encrypts $m_0$ with $y_0$ and $m_1$ with $y_1$ and sends both encryptions $c_0$, $c_1$ to the receiver. Finally, the receiver obtains $m_b$ by decrypting the ciphertext $c_b$ (corresponding to its choice bit) using the private key $k$ (note that $c_b$ is the only ciphertext it can decrypt).

While the general idea is clear to me, I do not get why ElGamal is not computed as $y_{0}^{r_{0}} \cdot m_{0}$ (and $y_{1}^{r_{1}} \cdot m_{1}$) but $H(y_{0}^{r_{0}}) \oplus m_{0}$ is used instead.

Lorenzo
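To make the protocol described in the question concrete, here is an added toy implementation (not from the question or the lectures) of one Bellare-Micali 1-out-of-2 OT. It uses a constructed, insecure 23-element group purely for illustration, `shake_256` as a stand-in for the random oracle $H$, and includes both the hash/XOR encryption the question asks about and the plain "multiply by $y^r$" variant, so the difference in what counts as a valid message is visible. Function names and the group parameters are my own choices.

```python
"""Toy Bellare-Micali OT: hash/XOR variant and group-multiplication variant."""
import hashlib
import secrets

# Constructed toy group: safe prime P = 2Q + 1 and G generating the order-Q subgroup.
# Far too small for any security; a real instance uses a standard large group.
P = 23
Q = 11
G = 4  # 2^2 mod 23 has order 11


def H(x: int, length: int) -> bytes:
    """Random-oracle stand-in: hash the group element and stretch to `length` bytes."""
    return hashlib.shake_256(x.to_bytes(2, "big")).digest(length)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rand_exp() -> int:
    return secrets.randbelow(Q - 1) + 1


def sender_setup() -> int:
    """Sender publishes a random group element c; the receiver does not learn its DLOG."""
    return pow(G, rand_exp(), P)


def receiver_choose(c: int, b: int):
    """Receiver knows k for y_b only; y_{1-b} is forced to c / y_b so the keys multiply to c."""
    k = rand_exp()
    y_b = pow(G, k, P)
    y_other = c * pow(y_b, -1, P) % P
    ys = [0, 0]
    ys[b], ys[1 - b] = y_b, y_other
    return k, (ys[0], ys[1])


def check_constraint(c: int, y0: int, y1: int) -> bool:
    """Sender-side check that the receiver's keys satisfy y0 * y1 = c."""
    return y0 * y1 % P == c


def sender_encrypt(c: int, y0: int, y1: int, m0: bytes, m1: bytes):
    """Hash variant: e_i = H(y_i^{r_i}) xor m_i, sent together with g^{r_i}."""
    if not check_constraint(c, y0, y1):
        raise ValueError("receiver's keys do not satisfy y0 * y1 = c")
    out = []
    for y, m in ((y0, m0), (y1, m1)):
        r = rand_exp()
        out.append((pow(G, r, P), xor(H(pow(y, r, P), len(m)), m)))
    return out


def receiver_decrypt(k: int, b: int, cts) -> bytes:
    """Receiver recovers y_b^{r_b} = (g^{r_b})^k with its single secret key and unmasks m_b."""
    g_r, e = cts[b]
    return xor(H(pow(g_r, k, P), len(e)), e)


def run_ot(m0: bytes, m1: bytes, b: int) -> bytes:
    """Full hash/XOR OT run: messages are arbitrary byte strings."""
    c = sender_setup()
    k, (y0, y1) = receiver_choose(c, b)
    return receiver_decrypt(k, b, sender_encrypt(c, y0, y1, m0, m1))


def run_ot_group(m0: int, m1: int, b: int) -> int:
    """Group variant (e_i = y_i^{r_i} * m_i): messages must themselves be group elements."""
    c = sender_setup()
    k, (y0, y1) = receiver_choose(c, b)
    if not check_constraint(c, y0, y1):
        raise ValueError("receiver's keys do not satisfy y0 * y1 = c")
    cts = []
    for y, m in ((y0, m0), (y1, m1)):
        r = rand_exp()
        cts.append((pow(G, r, P), pow(y, r, P) * m % P))
    g_r, e = cts[b]
    return e * pow(pow(g_r, k, P), -1, P) % P


def honest_receiver_passes_check(b: int) -> bool:
    c = sender_setup()
    _, (y0, y1) = receiver_choose(c, b)
    return check_constraint(c, y0, y1)


if __name__ == "__main__":
    print(run_ot(b"left", b"right", 1))      # b'right'
    print(run_ot_group(9, 13, 0))            # 9
```

`run_ot` accepts any byte strings of any (even different) lengths because the hash output is stretched to the message length; `run_ot_group` only works when `m0`, `m1` are encoded as elements of the subgroup, which is the practical reason the hash is convenient quite apart from the simulation argument in the answer. `check_constraint` is the only thing stopping a receiver from picking two keys it knows: a pair chosen independently of $c$ is rejected.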

1 Answer


The hash needs to be used in order to be able to simulate. In particular, consider the case that the receiver is corrupted. The simulator can't know the choice of $b$ so doesn't know if the receiver can decrypt the first or the second message. Therefore, in order to simulate, the simulator has no choice but to just choose random values to represent $H(y_0^{r_0})$ and $H(y_1^{r_1})$; denote these random values by $\rho_0$ and $\rho_1$. Then, the simulator can see which of the two queries $y_0^{r_0}$ or $y_1^{r_1}$ the receiver makes to the random oracle. (One can show via the CDH assumption that the receiver cannot make both queries.) Now, once the simulator receives the query $y_b^{r_b}$ to the random oracle, it can send $b$ to the trusted party and get back $m_b$. Then, it sets the response of the random oracle to be $\rho_b \oplus m_b$ (i.e., $H(y_b^{r_b})=\rho_b \oplus m_b$). You should be able to verify that this indeed gives the right distribution.

Next, in order to simulate the corrupted sender, the simulator has to be able to extract the values $m_0,m_1$. Since it doesn't know $r_0,r_1$ (since no ZKPOK are used), this is problematic without the hash. However... I'm actually stuck at this point; I'm not sure how you would do this without adding a proof of knowledge of the discrete log of $c$ in the beginning (maybe my brain is fried right now). Then once you have this ZKPOK, you wouldn't need the hash for this part of the proof anyway. Note that you only need to do the ZKPOK once for many OTs using the same $c$.

Note that the lectures refer to the semi-honest setting. In this case, I don't believe that the hash is actually necessary, and it suffices for $m_0,m_1$ to be in the group.

Yehuda Lindell