Paper 2021/682

Batching Base Oblivious Transfers

Ian McQuoid, Mike Rosulek, and Lawrence Roy


Protocols that make use of oblivious transfer (OT) rarely require just one instance. Usually a batch of OTs is required --- notably, when generating base OTs for OT extension. There is a natural way to optimize 2-round OT protocols when generating a batch, by reusing certain protocol messages across all instances. In this work we show that this batch optimization is error-prone. We catalog many implementations and papers that have an incorrect treatment of this batch optimization, some of them leading to catastrophic leakage in OT extension protocols. We provide a full treatment of how to properly optimize recent 2-round OT protocols for the batch setting. Along the way we show several performance improvements to the OT protocol of McQuoid, Rosulek, and Roy (ACM CCS 2020). In particular, we show an extremely simple OT construction that may be of pedagogical interest.

Available format(s)
Cryptographic protocols
Publication info
Preprint. MINOR revision.
oblivious transfer
Contact author(s)
mcquoidi @ oregonstate edu
rosulekm @ oregonstate edu
ldr709 @ gmail com
2021-05-25: revised
2021-05-25: received
See all versions
Short URL
Creative Commons Attribution


      author = {Ian McQuoid and Mike Rosulek and Lawrence Roy},
      title = {Batching Base Oblivious Transfers},
      howpublished = {Cryptology ePrint Archive, Paper 2021/682},
      year = {2021},
      note = {\url{}},
      url = {}
Note: In order to protect the privacy of readers, does not use cookies or embedded third party content.