Cryptology ePrint Archive: Report 2016/933

Actively Secure 1-out-of-N OT Extension with Application to Private Set Intersection

Michele Orrù and Emmanuela Orsini and Peter Scholl

Abstract: This paper describes a 1-out-of-N oblivious transfer (OT) extension protocol with active security, which achieves very low overhead compared with the passively secure protocol of Kolesnikov and Kumaresan (Crypto 2011). Our protocol obtains active security using a consistency check which requires only simple computation and has a communication overhead that is independent of the total number of OTs to be produced. We prove its security in both the random oracle model and the standard model, assuming a variant of correlation robustness. We describe an implementation, which demonstrates our protocol only incurs an overhead of around 5–30% on top of the passively secure protocol. Random 1-out-of-N OT is a key building block in recent, very efficient, passively secure private set intersection (PSI) protocols. Our random OT extension protocol has the interesting feature that it even works when N is exponentially large in the security parameter, provided that the sender only needs to obtain polynomially many outputs. We show that this can be directly applied to improve the performance of PSI, allowing the core private equality test and private set inclusion subprotocols to be carried out using just a single OT each. This leads to a reduction in communication of up to 3 times for the main component of PSI.

Category / Keywords: cryptographic protocols / Oblivious transfer; private set intersection; multi-party computation

Original Publication (with major differences): CT-RSA 2017

Date: received 27 Sep 2016, last revised 21 Nov 2016

Contact author: Emmanuela Orsini at bristol ac uk, Peter Scholl@bristol ac uk, michele orru@studenti unitn it

Available format(s): PDF | BibTeX Citation

Note: Full version

Version: 20161121:145905 (All versions of this report)

Short URL: ia.cr/2016/933

Discussion forum: Show discussion | Start new discussion


[ Cryptology ePrint archive ]