Cryptology ePrint Archive: Report 2021/682

Batching Base Oblivious Transfers

Ian McQuoid and Mike Rosulek and Lawrence Roy

Abstract: Protocols that make use of oblivious transfer (OT) rarely require just one instance. Usually a batch of OTs is required --- notably, when generating base OTs for OT extension. There is a natural way to optimize 2-round OT protocols when generating a batch, by reusing certain protocol messages across all instances. In this work we show that this batch optimization is error-prone. We catalog many implementations and papers that have an incorrect treatment of this batch optimization, some of them leading to catastrophic leakage in OT extension protocols.

We provide a full treatment of how to properly optimize recent 2-round OT protocols for the batch setting. Along the way we show several performance improvements to the OT protocol of McQuoid, Rosulek, and Roy (ACM CCS 2020). In particular, we show an extremely simple OT construction that may be of pedagogical interest.

Category / Keywords: cryptographic protocols / oblivious transfer

Date: received 24 May 2021, last revised 25 May 2021

Contact author: mcquoidi at oregonstate edu, rosulekm@oregonstate edu, ldr709@gmail com

Available format(s): PDF | BibTeX Citation

Version: 20210525:203843 (All versions of this report)

Short URL: ia.cr/2021/682


[ Cryptology ePrint archive ]