On Robust Combiners for Oblivious Transfer and Other Primitives

Abstract

A (1,2)-robust combiner for a cryptographic primitive \({\mathcal P}\) is a construction that takes two candidate schemes for \({\mathcal P}\) and combines them into one scheme that securely implements \({\mathcal P}\) even if one of the candidates fails. Robust combiners are a useful tool for ensuring better security in applied cryptography, and also a handy tool for constructing cryptographic protocols. For example, we discuss using robust combiners for obtaining universal schemes for cryptographic primitives (a universal scheme is an explicit construction that implements \({\mathcal P}\) under the sole assumption that \({\mathcal P}\) exists).

In this paper we study which primitives admit robust combiners. In addition to known and very simple combiners for one-way functions and equivalent primitives, we show robust combiners for protocols in the world of public-key cryptography, namely for Key Agreement (KA).

The main point we make is that things are not as nice for Oblivious Transfer (OT) and in general for secure computation. We prove that there are no "transparent black-box" robust combiners for OT, giving an indication of the difficulty of finding combiners for OT. On the positive side we show a black-box construction of a (2,3)-robust combiner for OT, as well as a generic construction of (1,n)-robust OT-combiners from any (1,2)-robust OT-combiner.