On the Efficiency of Classical and Quantum Oblivious Transfer Reductions

  • Severin Winkler
  • Jürg Wullschleger
Conference paper

DOI: 10.1007/978-3-642-14623-7_38

Part of the Lecture Notes in Computer Science book series (LNCS, volume 6223)
Cite this paper as:
Winkler S., Wullschleger J. (2010) On the Efficiency of Classical and Quantum Oblivious Transfer Reductions. In: Rabin T. (eds) Advances in Cryptology – CRYPTO 2010. CRYPTO 2010. Lecture Notes in Computer Science, vol 6223. Springer, Berlin, Heidelberg


Due to its universality oblivious transfer (OT) is a primitive of great importance in secure multi-party computation. OT is impossible to implement from scratch in an unconditionally secure way, but there are many reductions of OT to other variants of OT, as well as other primitives such as noisy channels. It is important to know how efficient such unconditionally secure reductions can be in principle, i.e., how many instances of a given primitive are at least needed to implement OT. For perfect (error-free) implementations good lower bounds are known, e.g. the bounds by Beaver (STOC ’96) or by Dodis and Micali (EUROCRYPT ’99). However, in practice one is usually willing to tolerate a small probability of error and it is known that these statistical reductions can in general be much more efficient. Thus, the known bounds have only limited application. In the first part of this work we provide bounds on the efficiency of secure (one-sided) two-party computation of arbitrary finite functions from distributed randomness in the statistical case. From these results we derive bounds on the efficiency of protocols that use (different variants of) OT as a black-box. When applied to implementations of OT, our bounds generalize known results to the statistical case. Our results hold in particular for transformations between a finite number of primitives and for any error. Furthermore, we provide bounds on the efficiency of protocols implementing Rabin OT.

In the second part we study the efficiency of quantum protocols implementing OT. Recently, Salvail, Schaffner and Sotakova (ASIACRYPT ’09) showed that most classical lower bounds for perfectly secure reductions of OT to distributed randomness still hold in a quantum setting. We present a statistically secure protocol that violates these bounds by an arbitrarily large factor. We then present a weaker lower bound that does hold in the statistical quantum setting. We use this bound to show that even quantum protocols cannot extend OT. Finally, we present two lower bounds for reductions of OT to commitments and a protocol based on string commitments that is optimal with respect to both of these bounds.


Unconditional Security Oblivious Transfer Lower Bounds Quantum Cryptography Two-Party Computation 
Download to read the full conference paper text

Copyright information

© Springer-Verlag Berlin Heidelberg 2010

Authors and Affiliations

  • Severin Winkler
    • 1
  • Jürg Wullschleger
    • 2
  1. 1.ETH ZurichSwitzerland
  2. 2.University of BristolUnited Kingdom

Personalised recommendations