Oblivious Transfer (OT)
Alice (sender) has n secrets
Alice wants to give k secrets to Bob
Bob wants the secrets but does not
want Alice to know which secrets he
has
Oblivious Transfer
2 to 1
OT basics
OT design
Use of Modular Arithmetic
Direct Extension of PKE
OT application
Secure Function Evaluation
Secure Auction
OT – Coin Toss (The basics)
Alice generates 2 primes and computes their product,
p, which is sent to Bob
Bob Performs primality tests to ensure Alice is playing
fair.
Bob guesses a number 0 < n < p as a factor of p
Chances are he guesses wrong but Bob computes m
= n^2 mod p and sends this to Alice.
Alice knows the original number, p, and she looks for
all numbers less than p that generate a remainder of
m. This can be done fairly easily using the Chinese
Remainder Theorem
OT – Coin Toss Cont
Alice will find at least 1 pair of such numbers, she will
then send 1 of the pairs, p , to Bob.
O = n + p. He will then calculate the gcd(O,p)
This will yield either a trivial result or a factor of p
which Bob will send to Alice.
There is a 50% chance that Alice sends the nontrivial
p to Bob.
Bob has a slight advantage in that he picks the
original n, but there is a negligible chance that Bob
randomly pick an n that factors p. [Peterson]
Original OT
The transfer is somewhat like a simple game played
with a locked box requiring two different keys. A
sender transfers the locked box to a recipient, who
finds one key that partially unlocks the box. The
sender has both keys and, without seeing what the
recipient has done, must now pass on one of the two
keys. Depending on which key is sent, the recipient
will either succeed or fail in opening the box.
Although the sender's choice controls the outcome,
the sender never knows which choice to make to
guarantee a certain result.
The Heart of OT
Sender remains unsure of outcome
We want more
Want to share secrets not just have a fair
(50% chance) to come out with a prime
factor of a number.
OT - PKE
Alice generates two public-key/private-key key pairs.
Bob chooses a key in a symmetric encryption
algorithm (3DES, for example). He chooses one of
Alice’s public keys and encrypts his DES key with it.
He sends the encrypted key to Alice without telling
her which of her public keys he used.
Alice decrypts Bob’s key twice, once with each of her
private keys. In one of the cases, she uses the
correct key and successfully decrypts Bob’s DES key.
In the other case, she uses the wrong key and only
manages to generate a meaningless heap of bits that
nonetheless look like a random DES key.
OT – PKE cont
Alice encrypts both of her messages, each
with a different one of the DES keys she
generated in the previous step (one real and
one meaningless) and sends both of them to
Bob.
Bob gets one of Alice’s messages encrypted
with the proper DES key and the other one
encrypted with the gibberish DES key. When
Bob decrypts each of them with his DES key,
he can read one of them; the other just looks
like gibberish to him.
Conclusion of PKE – OT
Success:
Bob now knows one of Alice’s secrets
although doesn’t know which.
Disadvantage:
Bob does not know if he has Alice’s first or
second secret and has no way of finding
out.
Secure Function Evaluation
Application of OT
What is Secure Function
Evaluation (SFE)?
Our goal is to compute f(x1, …, xn), the
output, while at the same time limiting the
information that each party gains about the
other parties values (ideally, at the end, each
party knows their input, and the output of the
function, and no other information about their
opponent that isn’t inherent in the function
definition)
Some Uses for SFE
The Millionaires problem… two millionaires
wish to determine who has the most money
with out revealing their exact net worth
Voting f(x1, …, xn) returns 0 if candidate one
gets more votes, 1 if candidate two, etc
Auctions f(x1, …, xn) = (i, n) for maximum bid
Database computations
Database queries
Important Considerations in
Defining a SFE system
What type of adversary? (Passive v.
Active, Adaptive v. Non-Adaptive)
What type of network are the parties
connected to? (Pairwise Secure,
Broadcast, Authenticated)
What guarantees do you hope to
achieve? (Correctness, Privacy)
Known Results for SFE
If Trapdoor Permutations exist:
Any function evaluation can be computed securely
against a passive (honest-but-curious) adversary
Any function evaluation can be computed securely
against an active adversary controlling at most
one half of the parties
SFE over insecure networks:
any f can be computed securely against an active
adversary if parties used pairwise channels and
there are two-thirds majority of honest parties
[BGW, CCD]
any f can be computed securely using a broadcast
channel against an active adversary who has
corrupted less than half of the parties
Computing a Function
Bob and Alice share a Boolean circuit they wish to
compute
Alice’s input is a1 b1; Bob’s input is a2 b2
Define a = a1 a2; b = b1 b2
We want a c1, c2 for Alice, Bob, resp., subject to
c1 + c2 = (a1 + a2)(b1 + b2)
Alice chooses c1 in {0,1} at random and prepares n
possible c2 outputs for bob (based on the n possible
secrets Bob might have)
Alice and Bob perform OT and now they have c1 and
c2 values subject to the above constraints
Bob and Alice are now able to evaluate any Boolean
circuit
Two-Party Secure Function
Evaluation
A assigns each wire i two random values (Wi0, Wi1)
corresponding to 0 and 1
Used as pseudo-random keys (e.g. 80 bits)
Wire values denoted as ai (0 or 1)
A assigns a “garble” function to each wire: pi: ai ->
ci
(Wibi,ci) denotes the garbled value of wire i
Gate function denoted as ak=g(ai,aj)
A creates a table Tg which enables computation of
garbled output of g: (Wkbk,ck) from garbled inputs
(Wibi,ci) and (Wjbj,cj)
Two-Party Secure Function
Evaluation
The table does not disclose any information about the output of
g for other inputs
Does not reveal input or output values
Assume |FK(x)| = |Wkbk|+1
The table contains n entries:
For B to use the table
bi
bj
B knows (Wi ,ci), (Wj ,cj)
Finds (ci,cj) in the table
Performs XOR with entry in the table to compute garbled
output (Wkg(bi,bj),ck)
Recall that A xor B xor C xor B xor C = A
Garbled output from garbled inputs and table
Two-Party Secure Function
Evaluation
For each input wire, B and A engage in
oblivious transfer
A is the sender, B is the chooser
A sends the gate tables to B
A sends a translation table from the garbled
values of the output wires to output bits
By the end of the oblivious transfer stages, B
has enough information to compute f(x)
Two-Party Secure Function
Evaluation
Security of gates
Every masking value (FW(ci)) is used only once
Without knowledge of the correct key, masking values look
random
Overhead
Communication is performed in one back and forth round
A can prepare the circuit in advance (one table for each of m
gates)
Computation: one oblivious transfer for each input bit (n)
A and B must perform n exponentiations
B must evaluate f
Negligible compared to oblivious transfer
SFE - Fairplay
Fairplay consists of two parts:
a language SFDL (Secure Function
Definition Language) that describes the
SFE paradigm
a compiler that creates a one-pass
Boolean circuit in a language called SHDL
(Secure Hardware Definition Language)
Bob and Alice then are able to securely
evaluate the circuit
Compiling SFDL
SFDL is compiled into a Boolean circuit
using an SFDL – SHDL compiler.
The SHDL circuit must have
“obliviousness” built in to it:
No registers, loops, gotos
Every gate used exactly once
For array indexing a multiplexer is built
with all values of i hardwired in
And Finally…
There are Alice and
Bob programs who
take as input a
SHDL circuit and
carry out the secure
computation
protocol
SFDL Program Structure
First one must declare global constants and
types, followed by a sequence of functions.
Functions must precede any functions that
call it.
Recursion and global variables are forbidden.
The last function must be the output function.
Variable assignments are as one would
expect, operators include addition,
subtraction, Boolean operators, and standard
comparison operators.
If-then and if-then-else are supported
All loops must have a definite number of
iterations that are known in advance.
SFDL Compiler
Reads in SFDL program, transforms it,
outputs program in SHDL format.
Compiler performs the following steps:
Parsing
Function inlining and loop unfolding
Transformation into single-bit operations
Array access handling
Single variable assignments
Optimization (in terms of circuit size)
And Then…
An oblivious transfer is needed for every
input wire of the circuit.
Bob sends m “garbled” circuits to Alice,
Alice randomly chooses one circuit to be
evaluated, and Bob reveals remaining
m-1 circuits. Bob can be caught
cheating with probability 1-1/m.
The two implemented OT methods are
based on the Diffie-Hellman problem.
Results
Authors performed tests
on four functions:
AND – bitwise and on
Alice and Bob’s inputs
Billionaires – 32 bit input
for Bob and Alice, which
it compares
Keyed Database Search –
Bob has a keyed
database, Alice retrieves
items by specifying its
key
Median – finds median of
two sorted arrays
What’s the Point?
Secure Auction System
GOAL:
Keep bids secret from auctioneer
Auctioneer only needs to know
identification of highest bidder
clearing price
Need a third entity
“Auction issuer”
Create protocol where neither auctioneer nor auction issuer
have full information about bidders and bids
Assumption: auctioneer and auction issuer do not collude
Auctions
Auction consists of three types of entities
Bidders, auctioneer, auction issuer
Protocol
Auctioneer advertises details of auction
Rules, times, AI
AI creates an encryption scheme for each bidder to use
Bidders submit encrypted bids to the auctioneer, using the
AI’s encryption scheme
AI generates a program to compute the outcome of the
auction based upon the encrypted bids, then sends circuit
and output translation table to auctioneer
Auctioneer uses inputs and program to compute outcome of
auction
Secure Function Evaluation for
Auctions
Auctioneer must compute f(x1,…,xn) = result of auction = <i,p>
i = winner
p = clearing price
AI constructs circuit to compute auction result and garbles it
Auctioneer advertises auction and AI’s public key (P. OT)
Each bidder engages in a 1-of-2 proxy oblivious transfer (for
each bit)
AI is sender (garbled input bit value-pairs)
Bidder is the chooser
Auctioneer is proxy
Note that the auction issuer doesn’t receive any inputs
Auctioneer computes outcome of auction
AI provides output translation table
Future Work
Improve performance
Security against malicious parties
Fair termination
Reactive secure computation
Integrating other SFE primitives
Multi-party computation
Acknowledgments
By Dahlia Malkhi, Noam Nisan, Benny
Pinkas, and Yaron Sella (SFE)
Ivars Peterson (OT – Coin Toss)
© Copyright 2026 Paperzz