Paper 2015/546

Actively Secure OT Extension with Optimal Overhead

Marcel Keller, Emmanuela Orsini, and Peter Scholl


We describe an actively secure OT extension protocol in the random oracle model with efficiency very close to the passively secure IKNP protocol of Ishai et al. (Crypto 2003). For computational security parameter $\kappa$, our protocol requires $\kappa$ base OTs, and is the first practical, actively secure protocol to match the cost of the passive IKNP extension in this regard. The added communication cost is only additive in $O(\kappa)$, independent of the number of OTs being created, while the computation cost is essentially two finite field operations per extended OT. We present implementation results that show our protocol takes no more than 5% more time than the passively secure IKNP extension, in both LAN and WAN environments, and so is essentially optimal with respect to the passive protocol.

Available format(s)
Cryptographic protocols
Publication info
Published by the IACR in CRYPTO 2015
oblivious transfer extensions
Contact author(s)
peter scholl @ bristol ac uk
m keller @ bristol ac uk
emmanuela orsini @ bristol ac uk
2015-06-08: received
Short URL
Creative Commons Attribution


      author = {Marcel Keller and Emmanuela Orsini and Peter Scholl},
      title = {Actively Secure OT Extension with Optimal Overhead},
      howpublished = {Cryptology ePrint Archive, Paper 2015/546},
      year = {2015},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.