Paper 2008/220

Essentially Optimal Universally Composable Oblivious Transfer

Ivan Damgård, Jesper Buus Nielsen, and Claudio Orlandi


Oblivious transfer is one of the most important cryptographic primitives, both for theoretical and practical reasons and several protocols were proposed during the years. We provide the first oblivious transfer protocol which is simultaneously optimal on the following list of parameters: Security: it has universal composition. Trust in setup assumptions: only one of the parties needs to trust the setup and some setup is needed for UC security. Trust in computational assumptions: only one of the parties needs to trust a computational assumption. Round complexity: it uses only two rounds. Communication complexity: it communicates O(1) group elements to transfer one out of two group elements. The Big-O notation hides 32, meaning that the communication is probably not optimal, but is essentially optimal in that the overhead is at least constant. Our construction is based on pairings, and we assume the presence of a key registration authority.

Available format(s)
Cryptographic protocols
Publication info
Published elsewhere. Presented at ICISC 2008
Oblivious TransferUniversally Composable Security
Contact author(s)
orlandi @ daimi au dk
2008-12-17: revised
2008-05-25: received
See all versions
Short URL
Creative Commons Attribution


      author = {Ivan Damgård and Jesper Buus Nielsen and Claudio Orlandi},
      title = {Essentially Optimal Universally Composable Oblivious Transfer},
      howpublished = {Cryptology ePrint Archive, Paper 2008/220},
      year = {2008},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.