Cryptology ePrint Archive: Report 2016/602

More Efficient Oblivious Transfer Extensions

Gilad Asharov and Yehuda Lindell and Thomas Schneider and Michael Zohner

Abstract: Oblivious transfer (OT) is one of the most fundamental primitives in cryptography and is widely used in protocols for secure two-party and multi-party computation. As secure computation becomes more practical, the need for practical large scale oblivious transfer protocols is becoming more evident. Oblivious transfer extensions are protocols that enable a relatively small number of “base-OTs” to be utilized to compute a very large number of OTs at low cost. In the semi-honest setting, Ishai et al. (CRYPTO 2003) presented an OT extension protocol for which the cost of each OT (beyond the base-OTs) is just a few hash function operations. In the malicious setting, Nielsen et al. (CRYPTO 2012) presented an efficient OT extension protocol for the setting of malicious adversaries, that is secure in a random oracle model. In this work we improve OT extensions with respect to communication complexity, computation complexity, and scalability in the semi-honest, covert, and malicious model. Furthermore, we show how to modify our maliciously secure OT extension protocol to achieve security with respect to a version of correlation robustness instead of the random oracle. We also provide specific optimizations of OT extensions that are tailored to the use of OT in various secure computation protocols such as Yao’s garbled circuits and the protocol of Goldreich-Micali-Wigderson, which reduce the communication complexity even further. We experimentally verify the efficiency gains of our protocols and optimizations.

Category / Keywords: cryptographic protocols / oblivious transfer; implementation

Original Publication (in the same form): Journal of Cryptology

Date: received 7 Jun 2016, last revised 5 Dec 2017

Contact author: michael zohner at crisp-da de

Available format(s): PDF | BibTeX Citation

Note: This version includes an important fix of the maliciously-secure protocol for the case of a corrupted sender.

Version: 20171205:133448 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]