Journal of Cryptology

Volume 32, Issue 2, pp. 459–497

(Efficient) Universally Composable Oblivious Transfer Using a Minimal Number of Stateless Tokens

  • Seung Geol Choi
  • Jonathan Katz (corresponding author)
  • Dominique Schröder
  • Arkady Yerukhimovich
  • Hong-Sheng Zhou


We continue the line of work initiated by Katz (Eurocrypt 2007) on using tamper-proof hardware tokens for universally composable secure computation. As our main result, we show an oblivious-transfer (OT) protocol in which two parties each create and transfer a single, stateless token and can then run an unbounded number of OTs. We also show a more efficient protocol, based only on standard symmetric-key primitives (block ciphers and collision-resistant hash functions), that can be used if a bounded number of OTs suffice. Motivated by this result, we investigate the number of stateless tokens needed for universally composable OT. We prove that our protocol is optimal in this regard for constructions making black-box use of the tokens (in a sense we define). We also show that nonblack-box techniques can be used to obtain a construction using only a single stateless token.


Keywords: Secure computation; Oblivious transfer; Hardware tokens; Universal composability



We thank the anonymous reviewers for their careful and thorough reading of our paper and for their helpful comments.


  1. M. Abdalla, D. Catalano, D. Fiore, Verifiable random functions from identity-based key encapsulation, in Advances in Cryptology—Eurocrypt 2009, volume 5479 of LNCS (Springer, 2009), pp. 554–571
  2. Y. Aumann, Y. Lindell, Security against covert adversaries: efficient protocols for realistic adversaries. J. Cryptol. 23(2):281–343 (2010)
  3. B. Barak, How to go beyond the black-box simulation barrier, in 42nd Annual Symposium on Foundations of Computer Science (IEEE, 2001), pp. 106–115
  4. B. Barak, R. Canetti, J. B. Nielsen, R. Pass, Universally composable protocols with relaxed set-up assumptions, in 45th Annual Symposium on Foundations of Computer Science (IEEE, 2004), pp. 186–195
  5. M. Blum, Coin flipping by telephone, in Proceedings of IEEE COMPCOM (1982), pp. 133–137
  6. S. Brands, Untraceable off-line cash in wallets with observers, in Advances in Cryptology—Crypto ’93, volume 773 of LNCS (Springer, 1994), pp. 302–318
  7. R. Canetti, Universally composable security: a new paradigm for cryptographic protocols, in 42nd Annual Symposium on Foundations of Computer Science (IEEE, 2001), pp. 136–145. Full version at
  8. R. Canetti, Obtaining universally composable security: towards the bare bones of trust (invited talk), in Advances in Cryptology—Asiacrypt 2007, volume 4833 of LNCS (Springer, 2007), pp. 88–112
  9. R. Canetti, M. Fischlin, Universally composable commitments, in Advances in Cryptology—Crypto 2001, volume 2139 of LNCS (Springer, 2001), pp. 19–40
  10. R. Canetti, E. Kushilevitz, Y. Lindell, On the limitations of universally composable two-party computation without set-up assumptions. J. Cryptol. 19(2):135–167 (2006)
  11. R. Canetti, Y. Lindell, R. Ostrovsky, A. Sahai, Universally composable two-party and multi-party secure computation, in 34th Annual ACM Symposium on Theory of Computing (ACM Press, 2002), pp. 494–503
  12. R. Canetti, R. Pass, A. Shelat, Cryptography from sunspots: how to use an imperfect reference string, in 48th Annual Symposium on Foundations of Computer Science (IEEE, 2007), pp. 249–259
  13. N. Chandran, V. Goyal, A. Sahai, New constructions for UC secure computation using tamper-proof hardware, in Advances in Cryptology—Eurocrypt 2008, volume 4965 of LNCS (Springer, 2008), pp. 545–562
  14. D. Chaum, T. P. Pedersen, Wallet databases with observers, in Advances in Cryptology—Crypto ’92, volume 740 of LNCS (Springer, 1993), pp. 89–105
  15. R. Cramer, T. P. Pedersen, Improved privacy in wallets with observers, in Advances in Cryptology—Eurocrypt ’93, volume 765 of LNCS (Springer, 1993), pp. 329–343
  16. I. Damgård, J. B. Nielsen, D. Wichs, Universally composable multiparty computation with partially isolated parties, in 6th Theory of Cryptography Conference—TCC 2009, volume 5444 of LNCS (Springer, 2009), pp. 315–331
  17. I. Damgård, T. P. Pedersen, B. Pfitzmann, On the existence of statistically hiding bit commitment schemes and fail-stop signatures. J. Cryptol. 10(3):163–194 (1997)
  18. Y. Desmedt, J.-J. Quisquater, Public-key systems based on the difficulty of tampering (is there a difference between DES and RSA?), in Advances in Cryptology—Crypto ’86, volume 263 of LNCS (Springer, 1987), pp. 111–117
  19. Y. Dodis, A. Yampolskiy, A verifiable random function with short proofs and keys, in 8th Intl. Workshop on Theory and Practice in Public Key Cryptography (PKC), volume 3386 of LNCS (Springer, 2005), pp. 416–431
  20. N. Döttling, D. Kraschewski, J. Müller-Quade, Unconditional and composable security using a single stateful tamper-proof hardware token, in 8th Theory of Cryptography Conference—TCC 2011, volume 6597 of LNCS (Springer, 2011), pp. 164–181
  21. N. Döttling, T. Mie, J. Müller-Quade, T. Nilges, Implementing resettable UC-functionalities with untrusted tamper-proof hardware-tokens, in 10th Theory of Cryptography Conference—TCC 2013, volume 7785 of LNCS (Springer, 2013), pp. 642–661
  22. M. Dubovitskaya, A. Scafuro, I. Visconti, On efficient non-interactive oblivious transfer with tamper-proof hardware, 2010. Cryptology ePrint Archive, Report 2010/509
  23. M. Fischlin, B. Pinkas, A.-R. Sadeghi, T. Schneider, I. Visconti, Secure set intersection with untrusted hardware tokens, in Cryptographers’ Track—RSA 2011, volume 6558 of LNCS (Springer, 2011), pp. 1–16
  24. O. Goldreich, Foundations of Cryptography, vol. 2: Basic Applications (Cambridge University Press, Cambridge, 2004)
  25. O. Goldreich, L. A. Levin, A hard-core predicate for all one-way functions, in 21st Annual ACM Symposium on Theory of Computing (ACM Press, 1989), pp. 25–32
  26. S. Goldwasser, Y. T. Kalai, G. N. Rothblum, One-time programs, in Advances in Cryptology—Crypto 2008, volume 5157 of LNCS (Springer, 2008), pp. 39–56
  27. S. Goldwasser, R. Ostrovsky, Invariant signatures and non-interactive zero-knowledge proofs are equivalent, in Advances in Cryptology—Crypto ’92, volume 740 of LNCS (Springer, 1993), pp. 228–245
  28. V. Goyal, Y. Ishai, M. Mahmoody, A. Sahai, Interactive locking, zero-knowledge PCPs, and unconditional cryptography, in Advances in Cryptology—Crypto 2010, volume 6223 of LNCS (Springer, 2010), pp. 173–190
  29. V. Goyal, Y. Ishai, A. Sahai, R. Venkatesan, A. Wadia, Founding cryptography on tamper-proof hardware tokens, in 7th Theory of Cryptography Conference—TCC 2010, volume 5978 of LNCS (Springer, 2010), pp. 308–326
  30. S. Halevi, S. Micali, Practical and provably-secure commitment schemes from collision-free hashing, in Advances in Cryptology—Crypto ’96, volume 1109 of LNCS (Springer, 1996), pp. 201–215
  31. C. Hazay, Y. Lindell, Constructions of truly practical secure protocols using standard smartcards, in 15th ACM Conf. on Computer and Communications Security (ACM Press, 2008), pp. 491–500
  32. C. Hazay, A. Polychroniadou, M. Venkitasubramaniam, Composable security in the tamper-proof hardware model under minimal complexity, in 14th Theory of Cryptography Conference—TCC-B 2016, volume 9985 of LNCS (Springer, 2016), pp. 367–399. Prior versions available at
  33. D. Hofheinz, T. Jager, Verifiable random functions from standard assumptions, in 13th Theory of Cryptography Conference—TCC-A 2016, volume 9562 of LNCS (Springer, 2016), pp. 336–362
  34. D. Hofheinz, D. Unruh, J. Müller-Quade, Universally composable zero-knowledge arguments and commitments from signature cards, in 5th Central European Conference on Cryptology (MoraviaCrypt) (2005)
  35. S. Hohenberger, B. Waters, Constructing verifiable random functions with large input spaces, in Advances in Cryptology—Eurocrypt 2010, volume 6110 of LNCS (Springer, 2010), pp. 656–672
  36. Y. Ishai, J. Kilian, K. Nissim, E. Petrank, Extending oblivious transfers efficiently, in Advances in Cryptology—Crypto 2003, volume 2729 of LNCS (Springer, 2003), pp. 145–161
  37. Y. Ishai, M. Prabhakaran, A. Sahai, Founding cryptography on oblivious transfer—efficiently, in Advances in Cryptology—Crypto 2008, volume 5157 of LNCS (Springer, 2008), pp. 572–591
  38. K. Järvinen, V. Kolesnikov, A.-R. Sadeghi, T. Schneider, Embedded SFE: offloading server and network using hardware tokens, in Financial Cryptography and Data Security 2010, volume 6052 of LNCS (Springer, 2010), pp. 207–221
  39. J. Katz, Universally composable multi-party computation using tamper-proof hardware, in Advances in Cryptology—Eurocrypt 2007, volume 4515 of LNCS (Springer, 2007), pp. 115–128
  40. J. Katz, Y. Lindell, Introduction to Modern Cryptography, 2nd edition (Chapman and Hall/CRC Press, 2014)
  41. J. Kilian, Founding cryptography on oblivious transfer, in 20th Annual ACM Symposium on Theory of Computing (ACM Press, 1988), pp. 20–31
  42. V. Kolesnikov, Truly efficient string oblivious transfer using resettable tamper-proof tokens, in 7th Theory of Cryptography Conference—TCC 2010, volume 5978 of LNCS (Springer, 2010), pp. 327–342
  43. H. Lin, R. Pass, M. Venkitasubramaniam, A unified framework for concurrent security: universal composability from stand-alone non-malleability, in 41st Annual ACM Symposium on Theory of Computing (ACM Press, 2009), pp. 179–188
  44. Y. Lindell, General composition and universal composability in secure multi-party computation. J. Cryptol. 22(3):395–428 (2009)
  45. H. K. Maji, M. Prabhakaran, M. Rosulek, Complexity of multi-party computation problems: the case of 2-party symmetric secure function evaluation, in 6th Theory of Cryptography Conference—TCC 2009, volume 5444 of LNCS (Springer, 2009), pp. 256–273
  46. S. Micali, M. O. Rabin, S. P. Vadhan, Verifiable random functions, in 40th Annual Symposium on Foundations of Computer Science (IEEE, 1999), pp. 120–130
  47. T. Moran, G. Segev, David and Goliath commitments: UC computation for asymmetric parties using tamper-proof hardware, in Advances in Cryptology—Eurocrypt 2008, volume 4965 of LNCS (Springer, 2008), pp. 527–544
  48. M. Naor, Bit commitment using pseudorandomness. J. Cryptol. 4(2):151–158 (1991)

Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Seung Geol Choi (1)
  • Jonathan Katz (2, corresponding author)
  • Dominique Schröder (3)
  • Arkady Yerukhimovich (4)
  • Hong-Sheng Zhou (5)

  1. United States Naval Academy, Annapolis, USA
  2. University of Maryland, College Park, USA
  3. Friedrich-Alexander University Erlangen-Nürnberg, Erlangen, Germany
  4. MIT Lincoln Laboratory, Lexington, USA
  5. Virginia Commonwealth University, Richmond, USA
