Cryptology ePrint Archive: Report 2015/061

More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries

Gilad Asharov and Yehuda Lindell and Thomas Schneider and Michael Zohner

Abstract: Oblivious transfer (OT) is one of the most fundamental primitives in cryptography and is widely used in protocols for secure two-party and multi-party computation. As secure computation becomes more practical, the need for practical large scale oblivious transfer protocols is becoming more evident. Oblivious transfer extensions are protocols that enable a relatively small number of “base-OTs” to be utilized to compute a very large number of OTs at low cost. In the semi-honest setting, Ishai et al. (CRYPTO 2003) presented an OT extension protocol for which the cost of each OT (beyond the base-OTs) is just a few hash function operations. In the malicious setting, Nielsen et al. (CRYPTO 2012) presented an efficient OT extension protocol for the setting of active adversaries, that is secure in the random oracle model. In this work, we present an OT extension protocol for the setting of malicious adversaries that is more efficient and uses less communication than previous works. In addition, our protocol can be proven secure in both the random oracle model, and in the standard model with a type of correlation robustness. Given the importance of OT in many secure computation protocols, increasing the efficiency of OT extensions is another important step forward to making secure computation practical.

Category / Keywords: cryptographic protocols / oblivious transfer extensions, concrete efficiency

Original Publication (with major differences): IACR-EUROCRYPT-2015

Date: received 26 Jan 2015, last revised 21 Nov 2017

Contact author: michael zohner at ec-spride de

Available format(s): PDF | BibTeX Citation

Note: This version includes an important fix of the protocol for the case of a corrupted sender.

Version: 20171121:125742 (All versions of this report)

Short URL:

Discussion forum: Show discussion | Start new discussion

[ Cryptology ePrint archive ]