You are looking at a specific version 20170608:193547 of this paper.

Paper 2017/545

Resource-efficient OT combiners with active security

Ignacio Cascudo and Ivan Damgård and Oriol Farràs and Samuel Ranellucci

Abstract

An OT-combiner takes $n$ implementations of the oblivious transfer (OT) functionality, some of which may be faulty, and produces a secure instance of oblivious transfer as long as a large enough number of the candidates are secure. More specifically, an OT-combiner is a 2-party protocol between Alice and Bob which can make several black-box calls to each of the $n$ OT candidates. An adversary can corrupt one of the players and a certain number of OT candidates, obtaining their inputs and (in the active case) full control of their outputs, and we want the resulting protocol to be secure against such an adversary. In this work we consider perfectly (unconditionally, zero-error) secure OT-combiners and we focus on minimizing the number of calls to the candidate OTs. First, we extend a result from Ishai et al. (ISIT 2014), constructing a perfectly secure single-use (one call per OT candidate) OT-combiner which is secure against active adversaries corrupting one player and at most a tenth of the OT candidates. Ishai et al. obtained the same result for passive adversaries. Second, we consider a general asymmetric corruption model where an adversary can corrupt different sets of OT candidates depending on whether it is Alice or Bob who is corrupted. We give sufficient and necessary conditions for the existence of an OT combiner with a given number of calls to each server in terms of the existence of secret sharing schemes with certain access structures and share-lengths. This allows us, for example, to reduce the number of calls needed by known OT combiners, and in fact to determine the optimal number of calls, in some concrete situations even in the symmetric case, e.g. when there are three OT candidates and one of them is corrupted.

Note: Some of the techniques in this paper are based upon those developed by the same authors in report 2014/809; however, the statement of the problem is essentially different and most of the results are new.

Metadata
Available format(s)
PDF
Category
Cryptographic protocols
Publication info
Preprint. MINOR revision.
Keywords
oblivious transfer, combiners, secret sharing
Contact author(s)
ignacio @ math aau dk
History
2017-10-12: revised
2017-06-08: received
Short URL
https://ia.cr/2017/545
License
Creative Commons Attribution
CC BY