Paper 2009/508

On the Efficiency of Classical and Quantum Oblivious Transfer Reductions

Severin Winkler and Juerg Wullschleger


Due to its universality oblivious transfer (OT) is a primitive of great importance in secure multi-party computation. OT is impossible to implement from scratch in an unconditionally secure way, but there are many reductions of OT to other variants of OT, as well as other primitives such as noisy channels. It is important to know how efficient such unconditionally secure reductions can be in principle, i.e., how many instances of a given primitive are at least needed to implement OT. For perfect (error-free) implementations good lower bounds are known, e.g. the bounds by Beaver (STOC '96) or by Dodis and Micali (EUROCRYPT '99). However, in practice one is usually willing to tolerate a small probability of error and it is known that these statistical reductions can in general be much more efficient. Thus, the known bounds have only limited application. In the first part of this work we provide bounds on the efficiency of secure (one-sided) two-party computation of arbitrary finite functions from distributed randomness in the statistical case. From these results we derive bounds on the efficiency of protocols that use (different variants of) OT as a black-box. When applied to implementations of OT, our bounds generalize known results to the statistical case. Our results hold in particular for transformations between a finite number of primitives and for any error. Furthermore, we provide bounds on the efficiency of protocols implementing Rabin OT. In the second part we study the efficiency of quantum protocols implementing OT. Recently, Salvail, Schaffner and Sotakova (ASIACRYPT '09) showed that most classical lower bounds for perfectly secure reductions of OT to distributed randomness still hold in a quantum setting. We present a statistically secure protocol that violates these bounds by an arbitrarily large factor. We then present a weaker lower bound that does hold in the statistical quantum setting. We use this bound to show that even quantum protocols cannot extend OT. Finally, we present two lower bounds for reductions of OT to commitments and a protocol based on string commitments that is optimal with respect to both of these bounds.

Note: Adapted the proof of Corollary 11 to the corrected version of Theorem 4 from arXiv:0907.4246. Some minor changes.

Available format(s)
Publication info
Published elsewhere. Unknown where it was published
Unconditional SecurityOblivious TransferLower BoundsQuantum CryptographyTwo-Party Computation
Contact author(s)
swinkler @ ethz ch
2010-08-12: last of 4 revisions
2009-10-26: received
See all versions
Short URL
Creative Commons Attribution


      author = {Severin Winkler and Juerg Wullschleger},
      title = {On the Efficiency of Classical and Quantum Oblivious Transfer Reductions},
      howpublished = {Cryptology ePrint Archive, Paper 2009/508},
      year = {2009},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.