Main motivation that blew my mind when started learning about OT was that it could be used by multiple parties to compute arbitrary functions. It’s one of the most basic primitive in mpc that allows building gc, pir,

Oblivious transfer: Alice and Bob are two parties allowed to participate. Alice has access to message: , and Bob wants to know , where of its choice. Alice wants to ensure that remains hidden in the process.

flowchart LR
subgraph S
b
end
S-->ROT["Rabin OT"]
ROT--1/2-->R1["b"]
ROT--1/2-->R2["#"]
subgraph R
R1
R2
end

Originally introduced by Rab81, where sender can send the message with probability 1/2, and thus, it’s name as .1

  • run such that and are prime.
  • receiver choose x\xleftarrow{\}{ 1,\dots,N-1 }\gcd(x,N)=1t=x^2 \mod{N}$.
  • Sender knowing, computes , and send to R.
    • Note: there are four values possible for , i.e. . Sender chooses 1 out of 4 randomly.
  • Receiver factors , if as OR .
  • .

implies : Proven in Cre87.

OT variations

Simple 1-2 OT: sender has two messages, and receiver receives 1 out of 2 messages. Mainly used for secure evaluation of GC.

Oblivious Key Generation: 1

Apart from the 3 PKE method: , introduce a new . For to be secure, it needs to have 3 properties:

  • No efficient adversary such that , where .
  • A preimage sampling algorithm such that , then , and is uniformly distributed.
  • CPA security of .

These can be used to prove 2 properties:

  • no efficient exists such that , where .
  • No efficient such that is noticeable, i.e. no PPT distinguisher that can distinguish between .

Let’s consider a simple 1-2 OT using elgamal-pke (Ideally, any CPA secure PKE, with Oblivious Key Generation (OKE) can be used):

  • Two parties involved are Alice, Bob. Alice has two messages , and Bob wants to know one of both.
  • Bob generates two keys: Run ElGamal KeyGen to generate a public, private key pair: , and choose another public key uniformly: pk_{1-b}\xleftarrow{\}\textsf{OGen}(r)pk_{0},pk_{1}$ to Alice.
  • Alice encrypts both messages: . Send to Bob.
  • Bob decrypts .

Prove receiver's security for unbounded sender.

Here, is a oblivious samplable public key, and both is identically distributed, it means Sender’s view is identical with respect to a simulator that samples a public private key pair for .

Prove sender's security for computationally bounded semi-honest receiver.

Since CPA secure PKE is used to encrypt both messages, a receiver on getting is able to know both with probability , where is the security parameter. To prove this, run a reduction proof with adversary that is able to break CPA security of ElGamal PKE, by running adversary as a subroutine and simulating honest OT sender. Note that if receiver is malicious than it could generate such that it knows the secret key, and then, can decrypt .

Above construction is secure in the Ideal-world model, if no malicious adversary exists. So, let’s consider a protocol secure in real-world model.

  • RSA
  • Bellare-Micali OT
  • Naor-Pinkas OT

1-N OT: sender has N messages, , and receiver receives 1 out of N message of its choice. Mainly used in PIR.

k-N OT: sender has N messages , and receiver wants to receive k out of N message of its choice. Mainly used in PSI.

OT Extensions

Generally, OT is performed in batches with multiple OTs for bit strings represented as . Extension protocols were developed analogous to Hybrid protocols in PK cryptography. So, less OTs have to be performed and keys shared are extended using symmetric cryptographic primitives.

  • random OT (ROT): functionality samples two strings for sender: , with receiver bit as . after the protocol, sender receives while receiver gets .
    • With ROT, by sending to receiver
    • Same can be done, if receiver chooses another bit for message.
  • correlated OT (COT): Let’s say the difference between both messages is .
    • while
    • .
    • Using this, , i.e. output of COT can be extended to bit strings using random oracle.

Practical Protocols

Let’s review CO15 protocol that uses 1-N using extension:

  • Work in set , and group
  • Use a hash function: to derive a k bit key from group element.
  • want to implement m for bit messages.
  • Receiver has indices , i.e. vector of length with each value in
  • Sender has n-length vector of l-bit messages .
  • At the end, receives m-length vector of l-bit strings such that .
  • first they use Random OT to share keys between sender and receiver.
    • Setup: , calculate , send to .
    • Choose: Receiver samples , compute , and send to .
    • Key Derivation:
      • computes
      • computes
    • at the end of the protocol, , i.e. both has same keys for required indices, and it’s impossible for any to guess .
  • ROT -> SOT: add a transfer phase to the protocol. sends encryption of messages to receiver
  • Transfer: compute encryption for all messages: and sends to
  • Retrieve: decrypts chosen messages:

Questions:

  • how to realise H?
  • how to realise symmetric encryption E?

Let’s review Naor-Pinkas OT:

  • introduced 1-out-of-N protocol using Pseudorandom functions and 1-2 OT. Provides security against semi-honest receiver.

IKNP03:

cot

SFE

Let’s look at how to evaluate functions securely using OT. Since, OT is a complete protocol, it can be used to do secure 2PC for any function.

XOR

our aim is to evaluate .

  • any participating party will know about the contents of the other party, thus, it’s possible to just share the bits between the two to compute xor.
flowchart LR
Alice-..->Sim["Simulator"]-..->Alice-.(x0).->Sim-.F(x0,x1).->Alice
Sim-.x0.->F--F(x0,x1)-->Sim
B-.x1.->F--F(x0,x1)-->B
  • To prove that protocol is secure, then there should exists simulator for both parties that simulates real world for semi-honest adversary in ideal-world model .

is used to denote semi-honest adversary, and is an honest adversary.

  • So, the simulator will do bogus communication with adversary to satisfy the transcript, then it’ll extract bit from the transcript, and send to functionality, which computes and sends to simulator.
  • Simulator forwards this to adversary.
  • The protocol is secure, if view of adversary is indistinguishable from real world protocol.
  • To prove that computation of XOR is secure, consider real world protocol, where A sends to B, and B sends to A.
  • Now, in real world, let’s consider a simulator for , that extracts from transcript, sends to , gets back , computes , sends to .
  • Observe that view of with is indistinguishable from , and .

AND:

  • For AND, it’s not possible to just share the bits, as the other party can’t compute from .
  • Let’s first create the ideal world functionality:
    • gets from , and from B.
    • compute , sends to .
  • Real world functionality:
    • Alice calculates , sends to ideal-world .
    • gets from , sends to .
    • B sends to A.
  • Let’s consider a simulator for A in ideal world.
    • can extract from in the transcript.
    • sends to , gets .
    • sends back to . ’s simulator acts similarly.
  • from ‘s perspective, and .

Composability: Use of 1-2 ideal world OT in previous protocol for real-world protocol is called Composability, where an already 2PC secure protocol can be substituted.

Arbitrary Computation

For doing any arbitrary computation on boolean circuits, 2-2 secret sharing is used to split the shares of boolean bit, so that no intermediate value of a gate can be used to infer input values.2

  • To split a bit , choose a random , send to , to B.

Suppose has , and has

  • XOR: compute
    • take individual shares and compute xor, i..e ,
    • share the results with other party.
  • AND: compute ,
    • distribute
    • perform on

References

Footnotes

  1. https://www.cs.jhu.edu/~susan/600.641/scribes/lecture13.pdf

  2. https://web.cs.ucla.edu/~rafail/Lecture10.pdf