Survey of
OTExtension
Yuval Ishai, Joe Kilian, Kobbi Nissim, Erez Petrank
Oblivious Transfer Extension
Slides by Peter Rindal
2/26/2014
INTRODUCTION
Background information
OT
DEFINITION
β’ Oblivious Transfer is a ubiquitous cryptographic primitive designed to transfer
specific data based on the receivers choice.
Bob
Alice
ππ , ππ
π β {π, π}
ππ
β’ No other information can be learned by any party.
NOTATION
π
β’ Let
β’ ππππ
denote π oblivious transfers each of length π
k
β’ Let
β’ Bold lower case letters denote a vectors
β’ Capital letters denote a matrix.
i.e.
i.e.
π
π
π΄π
n
π΄π
β’ Let
β’ ππ
β’ ππ
denote the ππ‘β row of π
denote the π π‘β colum of π
π
MOTIVATION
β’ OT is used extensively in general protocols for secure computation.
β’ At least one OT per input bit
β’ OT is typically an efficiency bottleneck
β’ What if we could use a few traditional oblivious transfers and get many OTs
β’ Given π OTs
β’ Get ~2π OTs
ANALOGY
β’ Public key cryptography is expensive compared to private key
cryptography.
β’ Can we use private key cryptography to extend public key cryptography?
β’ YES!
β’ Use public key cryptography to share a short private key.
β’ Use private key cryptography as the work horse.
ππ’π. πππ¦
πππ. πππ¦
ππ’π. πππ¦
β
+
BANG FOR YOUR BUCK
β’ The algorithm will turn πΆπ»ππ β πΆπ»ππ
β’ Turn π iterations of π length OTs β π iterations of π length OTs.
β’ where π is the security parameter.
β’ How is this better
β’ π = 128, ππ 256
Some security parameterβ¦
β’ π = ππ’ππππ ππ ππππ’π‘π
β’ maybe 30,000?
πΆπ»ππ
β’ Instead of 30,000 OTs
β’ We do 128 OTs each of length 30,000 (much cheaper!!)
β
πΆπ»ππ
?
+
EXTENDING OT
Semi-honest
THE ALGORITHM: 1
Sender
Receiver
β’ INPUT: π β π pairs of π length
messages ( indexed by πi,{0,1} )
β’ INPUT: r β π selection bits
β’ Initializes a random vector π β {π, π}π
β’ Initializes a random π × π bit matrix π
π
k
k
Run OT backwards to share Information for the later OTs
β
πΆπ»ππ
+
n
π
THE ALGORITHM: 2
Run OT backwards to share Information for the later OTs
Sender
β’ π, π
Receiver
β’ r, π
β’ Run π OTs on each column of π
β’ π0 = ππ ,
π1 = πβ¨ππ
β’ Use π as the selection bits for the π
OTs
β’ Let π denote the result of these OTs
β
πΆπ»ππ
+
;1β€πβ€π
THE ALGORITHM: 3
Sender
Receiver
β’ π, π, π
β’ r, π
β’ For each row π of π:
β’ For each message pair
β’ Send π¦π,0 , π¦π,1
β’ π§π = π¦π,ππ β¨π»( π, ππ )
β’ π¦π,0 = Xj,0 β¨π»( π, ππ )
β’ π¦π,1 = Xj,1 β¨π»( π, ππ β¨π)
β’ Correctness: π§π β‘ ππ,ππ
β
πΆπ»ππ
+
Wait, What?
OBTAINING π
Receiver picks π β π
{0,1}πο΄π
Sender picks π β π
{0,1}π
Sender obtains π β {0,1}πο΄π
ri=0
1 1
0 0
1 1
ri=1
1 0
0 1
1 0
t1
t2
tk
t1
ο
r
s1
t2
ο
r
s2
...
tk
ο
r
sk
qi= ti
πΆπ»ππ
qi= tiο
s
t1
ο
r
t2
...
tk
ο
r
π = 1 0 β¦ 1
β
πΆπ»ππ
+
CORRECTNESS
Run OT backwards to share Information for the later OTs
Sender
β’ π, π, π
Columns of π
Rows of π
β’ π1 = π β
ππ β¨π 1
β’ Q1 = π1 β
π β¨π1
β’ π 2 = π β
π2 β¨π 2
β’ Q 2 = π2 β
π β¨π2
β¦
β’ π π = π β
ππ β¨π π
β¦
β’ Q n = ππ β
π β¨ππ
β
πΆπ»ππ
+
Receiver picks T οR {0,1}nο΄k
Sender picks s οR {0,1}k
Sender obtains Q ο {0,1}nο΄k
ri=0
1 1
0 0
1 1
qi= ti
ri=1
1 0
0 1
1 0
qi= tiο
s
t1
t2
tk
t1
ο
ο
t1
ο
r
s1
t2
ο
r
s2
...
tk
r
sk
r
t2
...
tk
ο
r
π = 1 0 β¦ 1
β
πΆπ»ππ
+
CORRECTNESS
Run OT backwards to share Information for the later OTs
Sender
β’ π, π, π
Rows of π
β’ π1 = π1 β
π β¨π1
β’ π2 = π2 β
π β¨π2
β¦
β’ ππ = ππ β
π β¨ππ
β’ If the Receiver's selection bit π1 = 0
β’ π1 = π1
β’ If the Receiver's selection bit π1 = 1
β’ π1 = πβ¨π1
β
πΆπ»ππ
+
Receiver picks T οR {0,1}nο΄k
Sender picks s οR {0,1}k
Sender obtains Q ο {0,1}nο΄k
ri=0
1 1
0 0
1 1
qi= ti
ri=1
1 0
0 1
1 0
qi= tiο
s
t1
t2
tk
t1
ο
ο
t1
ο
r
s1
t2
ο
r
s2
...
tk
r
sk
r
t2
...
tk
ο
r
π = 1 0 β¦ 1
β
πΆπ»ππ
+
CORRECTNESS
Sender
β’ π, π, π
β’
π¦π,0 = ππ,0 β¨π» π, ππ
β
πΆπ»ππ
+
CORRECTNESS
Sender
β’ π, π, π
β’
π¦π,0 = ππ,0 β¨π» π, ππ
= ππ,0 β¨π» π, ππ β
π β¨ππ
β
πΆπ»ππ
+
CORRECTNESS
Sender
β’ π, π, π
β’
ππ = 0
ππ = 1
π¦π,0 = ππ,0 β¨π» π, ππ
= ππ,0 β¨π» π, ππ β
π β¨ππ
β ππ,0 β¨π» π, ππ
β ππ,0 β¨π» π, πβ¨ππ
β
πΆπ»ππ
+
CORRECTNESS
Sender
β’ π, π, π
β’
ππ = 0
ππ = 1
π¦π,0 = ππ,0 β¨π» π, ππ
= ππ,0 β¨π» π, ππ β
π β¨ππ
β’ π¦π,1 = ππ,1 β¨π» π, ππ β¨π
β ππ,0 β¨π» π, ππ
β ππ,0 β¨π» π, πβ¨ππ
β
πΆπ»ππ
+
CORRECTNESS
Sender
β’ π, π, π
β’
ππ = 0
ππ = 1
π¦π,0 = ππ,0 β¨π» π, ππ
= ππ,0 β¨π» π, ππ β
π β¨ππ
β’ π¦π,1 = ππ,1 β¨π» π, ππ β¨π
= ππ,1 β¨π» π, ππ β
π β¨ππ β¨π
β ππ,0 β¨π» π, ππ
β ππ,0 β¨π» π, πβ¨ππ
β
πΆπ»ππ
+
CORRECTNESS
Sender
β’ π, π, π
β’
ππ = 0
ππ = 1
π¦π,0 = ππ,0 β¨π» π, ππ
= ππ,0 β¨π» π, ππ β
π β¨ππ
β’ π¦π,1 = ππ,1 β¨π» π, ππ β¨π
= ππ,1 β¨π» π, ππ β
π β¨ππ β¨π
β ππ,0 β¨π» π, ππ
β ππ,0 β¨π» π, πβ¨ππ
β ππ,1 β¨π» π, ππ β¨π
β ππ,1 β¨π» π, πβ¨ππ β¨π
β
πΆπ»ππ
+
CORRECTNESS
Sender
β’ π, π, π
β’
ππ = 0
ππ = 1
π¦π,0 = ππ,0 β¨π» π, ππ
= ππ,0 β¨π» π, ππ β
π β¨ππ
β’ π¦π,1 = ππ,1 β¨π» π, ππ β¨π
= ππ,1 β¨π» π, ππ β
π β¨ππ β¨π
β ππ,0 β¨π» π, ππ
β ππ,0 β¨π» π, πβ¨ππ
β ππ,1 β¨π» π, ππ β¨π
β ππ,1 β¨π» π, πβ¨ππ β¨π
= ππ,1 β¨π» π, ππ
β
πΆπ»ππ
+
CORRECTNESS
Sender
β’ π, π, π
β’
ππ = 0
ππ = 1
π¦π,0 = ππ,0 β¨π» π, ππ
= ππ,0 β¨π» π, ππ β
π β¨ππ
β’ π¦π,1 = ππ,1 β¨π» π, ππ β¨π
= ππ,1 β¨π» π, ππ β
π β¨ππ β¨π
β ππ,0 β¨π» π, ππ
β ππ,0 β¨π» π, πβ¨ππ
β ππ,1 β¨π» π, ππ β¨π
β ππ,1 β¨π» π, πβ¨ππ β¨π
= ππ,1 β¨π» π, ππ
β
πΆπ»ππ
+
CORRECTNESS
Sender
β’ π, π, π
β’
ππ = 0
ππ = 1
π¦π,0 = ππ,0 β¨π» π, ππ
= ππ,0 β¨π» π, ππ β
π β¨ππ
β’ π¦π,1 = ππ,1 β¨π» π, ππ β¨π
= ππ,1 β¨π» π, ππ β
π β¨ππ β¨π
β ππ,0 β¨π» π, ππ
β ππ,0 β¨π» π, πβ¨ππ
β ππ,1 β¨π» π, ππ β¨π
β ππ,1 β¨π» π, πβ¨ππ β¨π
= ππ,1 β¨π» π, ππ
β
πΆπ»ππ
+
CORRECTNESS
Receiver
β’ r, π
β’ ππ = 1
β’ ππ = 0
π¦π,0
π¦π,1
= ππ,0 β¨π» π, ππ
= ππ,1 β¨π» π, πβ¨ππ
ππ,0 β‘ π¦π,0 β¨π» π, ππ
ππ,1 β’ π¦π,1 β¨π» π, ππ
π¦π,0
π¦π,1
= ππ,0 β¨π» π, ππ β¨π
= ππ,1 β¨π» π, ππ
ππ,0 β’ π¦π,0 β¨π» π, ππ
ππ,1 β‘ π¦π,1 β¨π» π, ππ
β
πΆπ»ππ
+
BANG FOR YOUR BUCK
β’ The algorithm will turns πΆπ»ππ β πΆπ»ππ
β’ Turn π iterations of π length OTs β π iterations of π length OTs.
β’ where π is the security parameter.
β’ How is this better????
β’ π = 128, ππ 256
Some security parameterβ¦
β’ π = ππ’ππππ ππ ππππ’π‘π
β’ maybe 30,000?
β’ Instead of 30,000 OTs
β’ We do 128 OTs each of length 30,000 (much cheaper!!)
πΆπ»ππ
β
πΆπ»ππ
π»
+
SECURITY
β’ Easy to verify protocol is secure against malicious sender.
β’ π appears simply as uniform randomness since itβs the combination of ππ and
πβ¨ππ
β’ Both ππ and πβ¨ππ appear as uniform randomness.
β’ A simulator would
β’ Generate a random matrix π and send that is the input to the backwards ππππ .
β’ Sender would then output (π¦π,0 , π¦π,1 ) as it would normally do.
β’ The sender just cant learn the value π.
β’ They are allowed to send any π0 , π1 since this can happen in the idea world.
SECURITY
β’ Verifying the protocol is secure against Semi-honest receiver.
β’ There are only two ways for a semi-honest receiver to learn a message it shouldnβt.
1. π = {0}π
β’ β π, ππ β¨π = β( π, ππ )
β’ This happens with probability
2.
1
2π
It guesses correctly on a query β( π, ππ β¨π )
π‘
β’ If the receiver make π‘ queries, it has a probability of π
2
π‘+1
β’ Therefore, it is secure except with negligible probability π
2
CORRELATION ROBUSTNESS
Instantiating the Random Oracle
MOTIVATION
β’ In this protocol, the receiver knows many of these π1 , π2 , β¦ , ππ values but does
not the senders secret value π .
β’ If the receiver could learn π by knowing π1 , π2 , β¦ , ππ and querying β. The
receiver could break the protocol and learn all messages.
β’ EX: if
rj = 0
π¦π,0 = ππ,0 β¨π» π, ππ
π¦π,1 = ππ,1 β¨π» π, πβ¨ππ
DEFINITION
β’ Correlation Robustness
β’ A hash function that is secure against XOR-ing an unknown and many know
values together.
β’ Given
β π‘1 , π‘2 , β¦ π‘π
β(π β¨π‘1 ), β(π β¨π‘2 ), β¦ , β(π β¨π‘π )
The joint distribution looks pseudo-random.
β’ Even if given access to polynomial additional queries to β.
PROTOCOLS
β’ We believe this is a simple requirement enjoyed by many hash functions.
β’ SHA1
β’ RC5
β’ Any Evidence that they do not have this property would be considered an
attack on these protocols.
EXTENDING OT
Malicious Adversary
MALICIOUS ATTACK
ON SEMI-HONEST PROTOCOL
β’ Suppose the receiver somehow knows ππ,0 ; 1 β€ π β€ π
β’ Then, On the backwards ππππ they could
β’ set the π π‘β bit on ππ,0 to 0.
β’ Everywhere else, ππ,0 =ππ,1
β’ When the receiver gets π¦π,0 , π¦π,1 , they can extract π from the collection of all of the
π¦π,0 messages.
β’ Since the receiver knows that at the π π‘β bit
else.
ππ = ππ and known values everywhere
β’ Therefore π can be learned and then all of π can be learned.
MALICIOUS ATTACK
ON SEMI-HONEST PROTOCOL
β’ Essentially,
β’ The receiver changes their choice of messages it wants for each ππππ . It then
compares the differences it gets in ( π¦π,0 , π¦π,1 ).
β’ It then guesses at that bit either being 1 or 0.
β’ Queries β on both guesses and checks to see which one makes sense.
SOLUTION
β’ Cut-and-choose!!!!!
β’ Make sure that the receiver is sending consistent choices of messages it wants to
receive.
β’ Run π instances of the protocol in parallel with completely random inputs.
β’ Randomly βopenβ
π
2
of the instances.
β’ Have the receiver share the private values.
β’ Evaluate the remaining
π
2
instances.
π
β’ The receiver tells the sender whether or not each random π remaining inputs are right or
2
wrong.
β’ Sender sends the β of the desired message ππ,π with the remaining
π
2
random inputs.
πΆπππππ’π πππ
πβπ πΈππ
Thanks you,
-Peter Rindal
CITATIONS
β’ Yuval Ishai, et. al. [IKNP 03] , Extending Oblivious Transfers Efficiently
http://www.cs.bgu.ac.il/~kobbi/papers/OTextend_proc.pdf (paper),
http://dimacs.rutgers.edu/Workshops/Privacy/slides/ishai.ppt (slides)
β’ Vladimir Kolesnikov, et. al. [KK 13] , Improved OT Extension for Transferring
Short Secrets http://eprint.iacr.org/2013/491.pdf (paper),
http://www.youtube.com/watch?v=AgPZVecLuXs (video)
© Copyright 2026 Paperzz