1 Introduction

1-out-of-2 bit oblivious transfer [EGL82] (OT) is a well-known cryptographic primitive between two parties, a sender Alice and a receiver Bob, in which the sender has as input two one-bit messages and the receiver chooses to learn one of them; in addition, two other guarantees hold, namely the sender does know which of her two messages was chosen by the receiver and the receiver obtains no information about the message that he did not choose to learn.

OT is a fundamental primitive for secure multiparty computation. In fact it is known that secure multiparty computation protocols can be entirely based on OT [Kil88, IPS08]. However, unconditionally secure two-party computation is not possible in the plain model, even if we only assume that one of the parties may be passively corrupted. Hence, OT is likewise impossible to be attained unless we assume the existence of some additional resource or some restriction on the capabilities of the parties. Examples of such situations include: physical assumptions such as the existence of a noisy channel between the sender and the receiver [CK88, IKO+11], hardware tokens [GIS+10], or the premise that one of the parties has bounded memory [CCM98]; and computational assumptions, where we assume that the parties are computationally bounded and we base the security of the OT protocol on the hardness of some problem, for example hardness of factoring [Rab81], the DDH assumption [BM89, AIR01], hardness of decoding [DvdGMN08], the quadratic residuosity assumption, and worst-case lattice assumptions [PVW08].

However, a particular assumption may at some point become compromised (e.g. computational assumptions may be broken, a hardware token may be corrupted, or a party may be in possession of a better-than-expect reception equipment in the case of a protocol based on noisy channels) and this would consequently jeopardize the security of an OT protocol based on such assumption. This motivates the notion of an OT combiner, a protocol between Alice and Bob that makes black-box calls to n candidate implementations of OT, and produces an instance of OT which is secure as long as a certain number of the candidates were secure to start with. In this way, we do not need to rely on a particular OT candidate being secure.

OT combiners can also be seen as a server-aided oblivious transfer protocol, where the resource that Alice and Bob have at their disposal is the existence of n servers, each of which is supposed to implement the OT functionality. Alice and Bob can call each of the servers several times, where for each execution a server receives two bits from Alice and one bit from Bob, and outputs the resulting bit to Bob. Therefore, in particular, there is no need of direct communication between servers; in fact, the servers do not even need to be aware of each other. We adopt this view of OT combiners in what follows.

OT combiners were introduced in [HKN+05] and further studied in several articles such as [HIKN08, PW08, IMSW14]. In this work we are interested in minimizing the number of calls to each of the servers, and we take as starting point [IMSW14], where the authors focus on single-use OT combiners, in which each OT server is used only once. In their work, they consider an adversary that may corrupt Alice and up to \(t_A\) servers or Bob and up to \(t_B\) servers, thereby obtaining all information seen during the protocol by the corrupted servers and party. We will call this adversary a \((t_A,t_B)\)-adversary. It is shown that for large enough n, there exists a single-use OT combiner which is perfectly secure against a passive \((t_A,t_B)\)-adversary where \(t_A=t_B=\Omega (n)\). More precisely this holds for \(t_A=t_B=0.11 n\). Furthermore, they show that the existence of single-use OT combiners implies the existence of a certain secret sharing scheme whose privacy and reconstruction thresholds are related to \(t_A\) and \(t_B\) and where the shares are of constant size. By applying certain bounds on secret sharing over small alphabets [CCX13], they conclude among other facts that unconditionally secure single-use OT-combiners cannot exist when \(t_A+t_B=n-O(1)\) (it is easy to show that perfectly secure OT combiners, single-use or not, cannot exist if \(t_A+t_B\ge n\)).

In this work, we first show a construction of single-use OT-combiners which are perfectly secure against an active adversary corrupting the same sets as in [IMSW14], namely:

Theorem 1

For any large enough n, there exists an n-server single-use OT-combiner which is perfectly secure against an active (0.11n, 0.11n)-adversary.

In fact, this theorem is a special case of a more general result, that represents a tight link between secret sharing schemes and OT combiners.

In order to explain this result, we first need to consider a slightly more general adversary that can corrupt either Alice and a set \(A\in \mathcal{A}\) of servers, or Bob and a set \(B\in \mathcal B\) of servers. Here \(\mathcal {A}\) and \(\mathcal {B}\) are two adversary structuresFootnote 1 on the set of servers \(\{1,\dots ,n\}\). We say that a pair \((\mathcal {A},\mathcal {B})\) of adversary structures is \(\mathcal {R}_{2}\) if for all \(A\in \mathcal {A}\) and \(B\in \mathcal {B}\) we have \(A\cup B\ne \{1,\dots ,n\}\). Our result is then as follows.

Theorem 2

Let \(\mathcal {A}\), \(\mathcal {B}\) be adversary structures on the set of servers \(\{1,\dots ,n\}\). Suppose that the following conditions are true:

  • \((\mathcal {A}, \mathcal {B})\) is an \(\mathcal {R}_{2}\) pair of structures.

  • There exists a secret sharing scheme \(\mathcal {S}\) for the set of participants \(\{1,\dots ,n\}\) with the following properties:

    1. 1.

      It is a linear secret sharing scheme.

    2. 2.

      The domain of secrets is \(\{0,1\}\) and for \(i=1,\dots ,n\) the domain of the i-th share is \(\{0,1\}^{\ell _i}\), for some \(\ell _i>0\).

    3. 3.

      Every set \(A\in \mathcal {A}\) is unqualified in \(\mathcal {S}\) and for every set \(B\in \mathcal {B}\), its complement \(\overline{B}\) is qualified in \(\mathcal {S}\).

Then there exists a OT-combiner which is perfectly secure against any active \((\mathcal {A},\mathcal {B})\)-adversary and uses the i-th server exactly \(\ell _i\) times.

Therefore we can see that a single-use OT combiner exists in the cases where an ideal (i.e. every share is one bit long) linear secret sharing scheme \(\mathcal {S}\) exists with a fitting access structure. Theorem 1 is obtained by plugging into Theorem 2 secret sharing schemes constructed from families of binary linear codes such that both them and their duals are on the Gilbert-Varshamov bound [CCG+07] (see Sect. 5.3 for more details).

An interesting fact about Theorem 2 is that it is close to give a tight characterization of unconditionally secure OT combiners in terms of secret sharing schemes, since one can extend the arguments in [IMSW13] to prove the following result.

Theorem 3

Let \(\mathcal {A}\), \(\mathcal {B}\) be adversary structures on the set of servers \(\{1,\dots ,n\}\). If there exists a perfectly secure OT-combiner which is secure against any active \((\mathcal {A},\mathcal {B})\)-adversary and uses server \(S_i\) exactly \(\ell _i\) times, then:

  • \((\mathcal {A}, \mathcal {B})\) is an \(\mathcal {R}_{2}\) pair of structures.

  • There exists a secret sharing scheme \(\mathcal {S}\) for the set of participants \(\{1,\dots ,n\}\) with the following properties:

    1. 1.

      The domain of secrets is \(\{0,1\}\) and for \(i=1,\dots ,n\) the domain of the i-th share is \(\{0,1\}^{\ell _i}\), for some \(\ell _i>0\).

    2. 2.

      Every set \(A\in \mathcal {A}\) is unqualified in \(\mathcal {S}\) and for every set \(B\in \mathcal {B}\), its complement \(\overline{B}\) is qualified in \(\mathcal {S}\).

If we compare both Theorems 2 and 3 we see there is just one gap regarding sufficient and necessary conditions, namely that our construction from Theorem 2 requires a linear secret sharing scheme, while we do not know if this is strictly necessary. Nevertheless, Theorems 2 and 3 can be used to determine the exact minimal number of calls that are sufficient and necessary for a perfectly secure OT combiner in some cases. For example, we can determine that if there are 3 servers and the adversary can be corrupt one party and one server, then the optimal number of OT calls is 5 (Sect. 8).

1.1 Details and Techniques

Our construction of an OT combiner showing Theorem 2 relies on the combination of two secret sharing schemes. The first one is the secret sharing scheme \(\mathcal {S}\) assumed by the theorem, which is used by Bob in order to secret share his input among the servers. The other secret sharing scheme is a multi-secret sharing scheme \(\Sigma \) with some unusual properties, whose construction may be of independent interest. This will be used by Alice in order to secret share her inputs among the servers.

Such secret sharing scheme takes a 2-bit secret \((m_0, m_1)\) and, in the simplified “single-use” case of our theorem where all \(\ell _i=1\) (which is enough to show Theorem 1), splits it into 2n shares, indexed by pairs (ij), where \(i=1,\dots ,n\), and \(j=0,1\). The secret sharing scheme is such that a set of participants of the form \(\{(1,v_1),(2,v_2),\dots ,(n,v_n)\}\) (where \(v_i\in \{0,1\}\)) can reconstruct the message \(m_0\) if and only if the bit-string \((v_1,\dots ,v_n)\) belongs to some given vector space V, while it can reconstruct \(m_1\) if and only if \((v_1,\dots ,v_n)\) belongs to some affine space \(\mathbf{t}+V\) for some given vector \(\mathbf{t}\). Further, these sets are the only minimally qualified sets for each of the messages.

If they were the only requirements, the existence of such a secret sharing scheme would be guaranteed by known general results in secret sharing (where each coordinate \(m_0\) and \(m_1\) would then be independently shared with a secret sharing scheme with potentially exponentially long shares). But what makes the problem interesting is that we have an additional requirement: every share is one bit long. This rules out the solution above and therefore the question of how the requirements on the access structures of \(m_0\) and \(m_1\) can be realized simultaneously is not trivial. Moreover, given that \(m_0\) and \(m_1\) cannot be shared independently, it is also necessary to exact some conditions preventing certain sets of shares from leaking correlations between \(m_0\) and \(m_1\) even if they give no information about either individual message. We show that we can achieve all these properties by a relatively simple construction.

With all these elements in hand, it is now easy to explain how our OT combiner works. Alice will use a secret sharing scheme as specified above where V is the set of all possible sharings of 0 in the scheme \(\mathcal {S}\) used by Bob, and \(\mathbf{t}\) is a sharing of 1 in \(\mathcal {S}\). In this situation \(\mathbf{t}+V\) is the set of all sharings of 1 in \(\mathcal {S}\) by linearity of \(\mathcal {S}\). She then sends the (i, 0) and (i, 1)-th shares to the i-th server. If Bob has used \(b_1,\ldots ,b_n\) as input for the servers, he will receive the shares of \((m_0,m_1)\) with indices \((1,b_1),\ldots ,(n,b_n)\). By the properties of the scheme \(\Sigma \) given that set of shares he can now reconstruct \(m_0\) if \((b_1,\dots ,b_n)\) was a sharing of 0 with \(\mathcal {S}\), and \(m_1\) if \((b_1,\dots ,b_n)\) was a sharing of 1 with \(\mathcal {S}\). Of course this only shows the correctness of the protocol when Alice and Bob are honest. We need to take into account that Bob can corrupt a set \(B\in \mathcal {B}\) of servers, obtaining both of Alice’s shares corresponding to those servers. Furthermore, in the active case, he can also submit values that do not correspond to a valid sharing of a bit with \(\mathcal {S}\). However, we show that even using both strategies simultaneously will not give him information about more than one of Alice’s messages.

1.2 Other Related Work

[HKN+05] introduced the notion of OT combiners. Several different flavours are introduced; the notion we are considering in this paper corresponds to the one they call third-party black-box combiners. They consider threshold security with \(t_A=t_B=t\), and show that passively unconditionally secure OT combiners cannot exist for \(n=2\), \(t=1\). On the other hand, they give a concrete construction of a secure OT combiner for \(n=3\), \(t=1\) making 2 calls to each OT-candidate (giving a total number of calls of 6, which as mentioned above can be brought down to 5 by our construction).

In [HIKN08], OT-combiners are constructed from secure multiparty computation protocols. Again, the threshold case with \(t_A=t_B=t\) is considered. They show how to construct OT combiners which are statistically secure against a (tt)-adversary with \(t=\Omega (n)\) which make O(1) calls to each server. Furthermore they achieve constant production rate, meaning that their construction allows to produce \(\Theta (n)\) instances of OT (in this work, we are only concerned about producing one instance). Furthermore, they show a variant of their protocol that is computationally secure against active adversaries. Subsequently [IPS08] shows, as one of the applications of their compiler, that the latter construction can be turned into a statistically secure OT-combiner, still achieving constant production rate and being secure against an active (tt)-adversary with \(t=\Omega (n)\).

In [PW08] an oblivious linear function evaluation (OLFE) combiner is constructed where each server executes a single instance of OLFE and the construction achieves perfect security whenever \(t_A+t_B<n\). OLFE is a functionality where Alice has as input two values ab in a finite field \(\mathbb {F}_q\) of q elements, Bob has as input \(x\in \mathbb {F}_q\) and receives \(ax+b\) as output. Even though OLFE is a generalization of OT (OT is equivalent to OLFE over \(\mathbb {F}_2\)), the construction in [PW08] requires \(q>n\), since it uses Shamir secret sharing in order to share the parties’ inputs among the servers.

Finally, it is interesting to point out that [BI01] and [VV15] consider, in different contexts, secret sharing schemes with access structures that are somewhat related to the ones we need. Given a language \(L\subseteq \{0,1\}^n\), their secret sharing schemes for 2n participants have as minimally qualified subsets all those of the form \(\{(1,v_1),(2,v_2),\dots ,(n,v_n)\}\) where \((v_1,v_2,\dots ,v_n)\in L\). However, both works also include the sets of the form \(\{(i,0),(i,1)\}\) as minimally qualified.

1.3 Extensions and Open Questions

We briefly consider some possible extensions of our result that we do not fully address in this paper. First, [IMSW14] also presents a single-use OT combiner that achieves statistical security against a passive adversary corrupting one of Alice and Bob and up to \(n/2-\omega (\log \kappa )\) servers, where \(\kappa \) is the security parameter. We sketch in Sect. 5.3 how we think our construction from Theorem 1 can be modified in order to achieve a similar result as [IMSW14] against a static active adversary.

Moreover, in this paper we have focused in minimizing the number of OT calls when we want to produce a single secure instance of OT. It is an interesting open question to understand whether our constructions can be extended to achieve constant production rate for perfect actively secure combiners. This raises the question whether our multi-secret sharing scheme can be modified so that it handles secrets of size O(n).

Finally, we only consider adversaries that corrupt one of the parties Alice and Bob together with a subset of servers. Our model does not consider corruption of only servers. It is easy to see that if an OT combiner is secure against a passive \((\mathcal {A},\mathcal {B})\)-adversary, then it is also secure against passive corruption of a server set C which lies in both \(\mathcal {A}\) and \(\mathcal {B}\). This is because such “external” adversary corrupting only C cannot obtain more information about Alice’s (resp. Bob’s) input than an adversary corrupting C and Bob (resp. Alice). However, when considering and active adversary we also need to guarantee the correctness of the combiner, i.e., that the external adversary is not able to make Bob output a value that is inconsistent with Alice’s inputs. We can in fact identify situations where the \(\mathcal {R}_{2}\) condition is not enough to achieve security against such adversaries. We discuss this in Sect. 9. It is an open question to determine in which conditions security is possible against corruption of servers only.

1.4 Overview

Section 2 contains preliminaries on secret sharing and adversary structures, although we also introduce the notion of \(\mathcal {R}_{2} \) pair. Section 3 describes our model. Section 4 gives a construction of a multi-secret sharing scheme with certain properties regarding its access structure; this will be the secret sharing scheme used by Alice in our construction. In Sect. 5 we show Theorem 2 in the case where \(\mathcal {S}\) can be taken to be an ideal secret sharing scheme (i.e. every share is a bit long). This is enough to show Theorem 1. In Sect. 6 we show Theorem 2 in the general case. In Sect. 7 we show Theorem 3. In Sect. 8 we apply our results to determine the minimal number of calls which are required for a 3-server OT combiner to be secure against an active (1,1)-adversary. Finally Sect. 9 contains our considerations on the case where an adversary corrupts only servers.

2 Preliminaries

2.1 Adversary Structures and \(\mathcal {R}_{2}\) Pairs of Structures

We denote by \(\mathcal {P}_n\) the set \(\{1,2,\dots ,n\}\). Furthermore, \(2^{\mathcal {P}_n}\) is the family of all subsets of \(\mathcal {P}_n\).

Definition 1

An adversary (or antimonotone) structure \(\mathcal {A}\subseteq 2^{\mathcal {P}_n}\) is a family of subsets of \(\mathcal {P}_n\) such that \(\emptyset \in \mathcal {A}\) and for every \(A\in \mathcal {A}\) and \(B\subseteq A\) we have \(B\in \mathcal {A}\).

Definition 2

We say that a pair \((\mathcal {A},\mathcal {B})\) of adversary structures is \(\mathcal {R}_{2}\) if for all \(A\in \mathcal {A}\), \(B\in \mathcal {B}\), we have \(A\cup B\ne \mathcal {P}_n\).

\(\mathcal {R}_{2}\) is a generalization of the well known notion of a \(\mathcal {Q}_{2}\) adversary structure (an adversary structure \(\mathcal {A}\) is \(\mathcal {Q}_{2}\) if for all \(A,B\in \mathcal {A}\), we have \(A\cup B\ne \mathcal {P}_n\)). More precisely, the pair of adversary structures \((\mathcal {A},\mathcal {A})\) is \(\mathcal {R}_{2} \) if and only if \(\mathcal {A}\) is \(\mathcal {Q}_{2}\). However, there exist adversary structures \(\mathcal {A},\mathcal {B}\) such that neither \(\mathcal {A}\) nor \(\mathcal {B}\) are \(\mathcal {Q}_{2}\), while the pair \((\mathcal {A},\mathcal {B})\) is \(\mathcal {R}_{2}\). For example: \(n=4\), and \(\mathcal {A}\) and \(\mathcal {B}\) are the adversary structures with maximal sets \(\{1,2\}, \{3,4\} \) in the case of \(\mathcal {A}\), and \(\{1,3\}, \{2,4\}\) in the case of \(\mathcal {B}\).

2.2 Secret Sharing

Our protocols rely heavily on secret sharing, a well-known cryptographic primitive introduced by Shamir [Sha79] and, independently, Blakley [Bla79]. We recall some terminology and results which will be needed later.

A secret sharing scheme for the set of participants \(\mathcal {P}_n\) is given by a probabilistic algorithm \(\texttt {Share}_{\mathcal {S}}\) that takes as input a secret s and outputs values \(a_1,a_2,\dots ,a_n\) known as shares. The vector \((a'_1,a'_2,\dots ,a'_n)\) is called a sharing of s if on input s \(\texttt {Share}_{\mathcal {S}}\) outputs the values \(a'_i\) as shares with non-zero probability.

We say that a set \(A\subseteq \mathcal {P}_n\) is unqualified if for any secret s and any sharing \((a_1,a_2,\dots ,a_n)\) for it, the vector \((a_i)_{i\in A}\) gives no information about the secret, i.e., the probability that the values \((a_i)_{i\in A}\) are outputted (as shares for A) by \(\texttt {Share}_{\mathcal {S}}\) on input s is the same as the probability of the same event when the input is \(s'\). Note that the family \(\mathcal {A}\subseteq 2^{\mathcal {P}_n}\) of all unqualified sets of \(\mathcal {S}\) is an adversary structure. We say that a set \(A\subseteq \mathcal {P}_n\) is qualified if for any secret s and any sharing \((a_1,a_2,\dots ,a_n)\) for it, the vector \((a_i)_{i\in A}\) uniquely determines the secret, i.e. there is a unique secret for which \(\texttt {Share}_{\mathcal {S}}\) can output those values as shares for A. The family of all qualified sets is called the access structure of \(\mathcal {S}\). We say that a secret sharing scheme is perfect if every set \(A\subseteq \mathcal {P}_n\) is either qualified or unqualified (there are no sets of shares which give partial information about the secret).

We also define \(\texttt {Reconstruct}_{\mathcal {S}}\), an algorithm that takes as input a set of pairs \(\{(i,a_i): i\in A\}\) where \(A\subseteq \mathcal {P}_n\) and outputs s if A is a qualified set for \(\mathcal {S}\) and the values \((a_i)_{i\in A}\) are part of a valid sharing of the secret s, and \(\bot \) otherwise.

Let \(\mathbb {F}\) be a finite field. A linear secret sharing scheme \(\mathcal {S}\) (over \(\mathbb {F}\)), LSSS for short, is a secret sharing scheme where the space of secrets is a vector space \(\mathbb {F}^{\ell _0}\), the space of the i-th shares is \(\mathbb {F}^{\ell _i}\) for \(i=1,\dots , n\), and there exists an integer e and a map \(M:\mathbb {F}^{\ell _0+e}\rightarrow \mathbb {F}^{\ell _1}\times \dots \times \mathbb {F}^{\ell _n}\) such that \(\texttt {Share}_{\mathcal {S}}\) consists in choosing a uniformly random vector \(\mathbf {u}\in \mathbb {F}^{e}\) and outputting \(M(s,\mathbf {u})\) as shares. We denote by \([s, \mathbf {u}]_{\mathcal {S}}\in \mathbb {F}^{\ell }\) this sharing, where \(\ell =\sum _{i=1}^n \ell _i\). Given a set \(A\subseteq \mathcal {P}_n\) we use \([s, \mathbf {u}]_{\mathcal {S}}^{(A)}\) to denote the vector consisting only of the shares corresponding to A. When we do not need to make the randomness explicit, then we write \([s]_{\mathcal {S}}\) and \([s]_{\mathcal {S}}^{(A)}\). Moreover, we say that \(\ell \) is the complexity of \(\mathcal {S}\). We note that \(\texttt {Share}_{\mathcal {S}}\) runs in polynomial time in \(\ell \). The set of possible sharings in a LSSS is a vector space and for all \(\lambda _1,\lambda _2\in \mathbb {F}\) we have \(\lambda _1[s_1, \mathbf {u_1}]_{\mathcal {S}}+\lambda _2[s_2, \mathbf {u_2}]_{\mathcal {S}}=[\lambda _1s_1+\lambda _2s_2, \lambda _1\mathbf {u_1}+\lambda _2 \mathbf {u_2}]_{\mathcal {S}}\), i.e. a linear combination of sharings is a sharing for the same linear combination applied to the secrets. An immediate implication is that \(\texttt {Reconstruct}_{\mathcal {S}}\), on input a qualified set A and a set of shares for it, acts by applying a linear function to these shares.

We need a few facts about when sets are qualified and unqualified in a linear secret sharing scheme. First, consider the case \(\ell _0=1\), where the secret is just an element in \(\mathbb {F}\). In that case a LSSS is perfect, and we have:

Lemma 1

Let \(\mathcal {S}\) be a LSSS with secrets in \(\mathbb {F}\). A set \(A\subseteq \mathcal {P}_n\) is unqualified if and only if there exists a vector \(\mathbf {u}\), such that \([1, \mathbf {u}]_{\mathcal {S}}^{(A)}=\mathbf {0}\), i.e., if we share the secret 1 using randomness \(\mathbf{u}\), the shares corresponding to A are all zero. Otherwise, it is qualified.

This can be easily derived by taking into account that, if the condition above is satisfied, then\([s, \mathbf {t}]_{\mathcal {S}}\) and \([s', \mathbf {t'}]_{\mathcal {S}}= [s, \mathbf {t}]_{\mathcal {S}}+(s'-s)[1,\mathbf{u}]_{\mathcal {S}}\) are sharings of s and \(s'\) such that all the shares in A coincide.

Now suppose that in addition \(\mathbb {F}=\mathbb {F}_2\), so we are dealing with binary LSSS; and that every share is one bit long, i.e., \(\ell _i=1\). Since given a qualified set A, the reconstruction algorithm in a LSSS consists of applying a linear function on the corresponding shares, under the conditions above the secret needs to equal the sum of the shares of a fixed subset \(A'\subseteq A\). Therefore we can characterize the minimally qualified sets (those qualified sets such that none of their subsets are qualified) as follows.

Lemma 2

Let \(\mathcal {S}\) be a LSSS with secrets in \(\mathbb {F}_2\) and shares in \(\mathbb {F}_2\). A set A is minimally qualified if and only if for any secret \(s\in \mathbb {F}_2\) and any sharing \((a_1,a_2,\dots ,a_n)=[s]_{\mathcal {S}}\), we have that \(s=\sum _{i\in A} a_i\).

In this work it will also be essential to understand LSSSs where \(\ell _0=2\) and \(\mathbb {F}\) is the binary field \(\mathbb {F}_2\). In general, if \(\ell _0>1\), the situation is more complicated than in the case \(\ell _0=1\) since there may be sets \(A\subseteq \mathcal {P}_n\) which can obtain partial information about the secret. The generalization of Lemma 1 is as follows. Let \(T_A\subseteq \mathbb {F}^{\ell _0}\) be the set of secrets s such that there exists \(\mathbf {u}\) with \([s, \mathbf {u}]_{\mathcal {S}}^{(A)}=\mathbf {0}\). Then for any secret m, when given \([m]_{\mathcal {S}}^{(A)}\), any element in \(m+T_A\) has the same probability of being the secret and any element not in \(m+T_A\) can be ruled out. Furthermore, \(T_A\) is always a vector space. In the case \(\ell _0=2\), \(\mathbb {F}=\mathbb {F}_2\), this means that a set A can be either qualified, unqualified or learn one bit of information about the secret \(m=(m_0,m_1)\), and this partial information can be of three types, corresponding to the three different subspaces of \(\mathbb {F}_2^2\) of dimension 1: either it learns one coordinate \(m_0\) and has no information about the other \(m_{1}\), or viceversa, or it learns \(m_0+m_1\) and nothing else. A LSSS \(\Sigma \) with secrets \((m_0,m_1)\) in \(\mathbb {F}_{2}^2\) induces a perfect LSSS \(\Sigma _0\) for the secret \(m_0\) (by considering \(m_1\) as randomness) and similarly, perfect LSSSs \(\Sigma _1\) and \(\Sigma _2\) for \(m_1\) and \(m_0+m_1\) respectively. Therefore we can talk about qualified sets and unqualified sets for \(m_0\) (resp. \(m_1\), \(m_0+m_1\)) and we will use Lemmas 1 and  2 for these individual secrets later on. We are therefore seeing \(\Sigma \) as a multi-secret sharing scheme (in a multi-secret sharing scheme [JMO93] several secret values are distributed among a set of users, and each secret may have different qualified subsets). Moreover, we can clearly define a reconstruction algorithm for the individual secrets \(m_0\) and \(m_1\), which we call \(\texttt {Reconstruct}_{\Sigma }^0\) and \(\texttt {Reconstruct}_{\Sigma }^1\) respectively.

As for the existence of LSSS, it is well known [ISN87] that every adversary structure is the adversary structure of a LSSS.

Theorem 4

For every finite field \(\mathbb {F}\) and integer \(\ell _0\ge 1\) and for every adversary structure \(\mathcal {A}\) there exists a perfect LSSS \(\mathcal {S}\) with secrets in \(\mathbb {F}^{\ell _0}\) and adversary structure \(\mathcal {A}\).

In general the complexity of the LSSS \(\mathcal {S}\) constructed with the methods used in [ISN87] is exponential in n. We say that a LSSS is ideal if \(\ell _0=1\) and \(\ell _i=1\) for all i. The complexity of an ideal LSSS is n, which is the smallest possible. Given a finite field \(\mathbb {F}\) most adversary structures \(\mathcal {A}\) do not admit ideal LSSSs over \(\mathbb {F}\).

3 OT-Combiners

We describe our model in more detail. Alice has a pair of inputs \(m_0, m_1\in \{0,1\}\) and Bob has an input a selection bit \(b\in \{0,1\}\). They execute a protocol \(\pi \) whose goal is to implement the functionality \(\mathcal {F}_{OT} \) securely (in the presence of an adversary which we specify below) on those inputs. The protocol \(\pi \) consists only of local computations by each of the parties and oracle calls to servers \(S_1,\dots ,S_n\) (in particular, we do not need a direct communication channel between Alice and Bob). If the server \(S_i\) is not corrupted, then it executes a copy of the functionality \(\mathcal {F}_{OT} \) and may be called several times. Each time a server is called, it receives a new pair of inputs \(x_0, x_1\in \{0,1\}\) from Alice and c from Bob, and executes the functionality \(\mathcal {F}_{OT}\) on these inputs, therefore outputting the message \(x_c\) towards Bob (Fig. 1).

Fig. 1.
figure 1

Functionality \(\mathcal {F}_{OT}\)

Full size image

We consider a static adversary \(\mathrm {Adv}\) characterized by a pair of adversary structures \((\mathcal {A},\mathcal {B})\) each contained in \(2^{\{S_1,\dots ,S_n\}}\), which we call an \((\mathcal {A},\mathcal {B})\)-adversary. Such adversary can corrupt, before the protocol starts, either Alice and a set of servers \(A\in \mathcal {A}\) or Bob and a set of servers \(B\in \mathcal {B}\). If the adversary is passive, then it obtains all information seen bys the corrupted party and servers during the protocol, but cannot make them deviate from the protocol. If the adversary is active, it can in addition make the corrupted party and servers deviate arbitrarily from the protocol.

In these conditions, we say that the protocol \(\pi \) is an n-server OT-combiner secure against \(\mathrm {Adv}\) if it securely implements the functionality \(\mathcal {F}_{OT} \) in the presence of this adversary. In this paper we will prove security using the Universal Composability framework [Can01], see [CDN15] for more information.

Let \(1\le t_A, t_B\le n\). If there exist \(\mathcal {A}\) and \(\mathcal {B}\) such that \(\mathcal {A}\) contains all subsets of size \(t_A\) of \(\{1,\dots ,n\}\) and \(\mathcal {B}\) contains all subsets of size \(t_B\) of \(\{1,\dots ,n\}\) and if \(\pi \) is an n-server OT-combiner secure against any \((\mathcal {A},\mathcal {B})\)-adversary, then we say that \(\pi \) is an n-server OT-combiner secure against a \((t_A,t_B)\)-adversary.

4 A Multi-secret Sharing Scheme

As we mentioned in Sect. 1.1, our OT combiners rely on the combination of two linear secret sharing schemes \(\mathcal {S}\) and \(\Sigma \). \(\mathcal {S}\) is given by the statement of Theorem 2 and is used by Bob. The secret sharing scheme \(\Sigma \), used by Alice, is a multi-secret sharing scheme satisfying a number of properties that we need in order to achieve security of our combiner.

In this section, we abstract the properties that we will need for \(\Sigma \), and we give a construction achieving these properties. How this will play a role in our OT-combiners will become apparent in the next sections.

Proposition 1

Let \(\ell \) be an integer, \(V\subsetneq \mathbb {F}_2^\ell \) be a vector subspace, \(\mathbf {t}\in \mathbb {F}_2^\ell \) be a vector such that \(\mathbf {t}\notin V\) and let W be the affine space \(W=\mathbf {t}+V\). Finally for \(I\subseteq \{1,\dots ,\ell \}\) let \(\mathbf {e}_I\in \mathbb {F}_2^{\ell }\) denote the vector with 1’s in the I-coordinates and 0’s in the rest.

Then the linear secret sharing scheme \(\Sigma \) for \(2\ell \) participants (indexed by pairs (ij)) with secrets in \(\{0,1\}^2\) and shares in \(\{0,1\}\), given in Fig. 2, is such that the following properties hold:

  1. 1.

    The minimally qualified sets for reconstructing the first coordinate \(m_0\) of the secret are exactly the sets of the form

    $$ \{(i,a_i): i=1,\dots ,n, (a_1,\dots ,a_n)\in V\}. $$
  2. 2.

    The minimally qualified sets for reconstructing the second coordinate \(m_1\) of the secret are exactly the sets of the form

    $$ \{(i,a_i): i=1,\dots ,n, (a_1,\dots ,a_n)\in W\}. $$
  3. 3.

    The minimally qualified sets for reconstructing the sum \(m_0+m_1\) are those of the form

    $$\{(i,c): i\in H, c=0,1\},$$

    where H is such that \(\mathbf {e}_H\in W\) and \(\mathbf {e}_{H'}\notin W\) for \(H'\subseteq H\).

Fig. 2.
figure 2

The multi-secret sharing scheme \(\Sigma \)

Full size image

Before starting with the proof, we need some definitions. Let U be the vector space spanned by the set \(V\cup \{\mathbf{t}\}\). Note \(U=V+W\). We define

$$Z_0=U^{\bot }=\{\mathbf{h}\in \mathbb {F}_2^{\ell }: \mathbf{h}\in V^{\bot }, {<}\mathbf{t},\mathbf{h}{>}=0\}$$

and

$$Z_1=\{\mathbf{h}\in \mathbb {F}_2^{\ell }: \mathbf{h}\in V^{\bot }, {<}\mathbf{t},\mathbf{h}{>}=1\}.$$

Note since \(\mathbf{b}\notin V\), then \(Z_1\) is non-empty and \(Z_1=Z_0+\mathbf{g}\) for some \(\mathbf{g}\) such that \({<}\mathbf{t},\mathbf{g}{>}=1\).

We also need the following lemma, which is a basic fact of linear algebra.

Lemma 3

For every \(\mathbf{u}\notin U\), the random variable \({<}\mathbf{u},\mathbf{h}{>}\), where \(\mathbf{h}\) is chosen uniformly at random in \(Z_0\) (resp. \(Z_1\)), is uniformly distributed in \(\mathbb {F}_2\).

Now we can proceed with the proof of Proposition 1

Proof of Proposition 1 . Clearly \(\Sigma \) is linear, since a fixed linear combination of the sharings is a sharing for the same linear combination applied to the secrets. Nevertheless we can also make the linearity of the construction more explicit by showing how the shares are constructed as a linear function of the secret \((m_0,m_1)\) and a uniform random vector in some space \(\mathbb {F}_2^e\), as follows. Note that \(V^{\bot }\) is a vector subspace. The set \(Z_0\) is also a vector subspace which will have a basis \(\{\mathbf{z}^{(1)},\mathbf{z}^{(2)},\dots ,\mathbf{z}^{(s)}\}\).

A uniformly random element in \(\{\mathbf{h}\in \mathbb {F}_2^{\ell }: \mathbf{h}\in V^{\bot }, {<}\mathbf{t},\mathbf{h}{>}=m_0+m_1\}\) can be then sampled by sampling independent uniform random elements \(d_1,\dots ,d_s\in \mathbb {F}_2\) and outputting \(d_1\mathbf{z}^{(1)} +\dots + d_s\mathbf{z}^{(s)}+(m_0+m_1)\mathbf{g}\). The elements \(h_i\) in our construction are simply the coordinates \(d_1z_i^{(1)} +\dots + d_sz_i^{(s)}+(m_0+m_1)g_i\). Therefore, the shares can be written as a linear combination of uniformly random elements \(r_1,\dots , r_{\ell -1}, d_1,\dots ,d_s\in \mathbb {F}_2\) and the values \(m_0\), \(m_1\).

Now we need to argue about the access structure of the secret sharing schemes for the different pieces of information \(m_0\), \(m_1\) and \(m_0+m_1\).

By Lemma 2, in the conditions of these scheme (linear, binary, every share is a bit) a set is minimally qualified for \(m_0\) (resp. \(m_1\), \(m_0+m_1\)) if and only if the corresponding shares always sum up to \(m_0\) (resp. \(m_1\), \(m_0+m_1\)) and there is no stricty smaller subset satisfying the same.

Fix \(A\subseteq \{1,2,\dots ,\ell \}\times \{0,1\}\) a set of indices. We define two sets \(I_1, I_2\subseteq \{1,2,\dots ,\ell \}\) as follows:

$$ I_1=\{i: \text {exactly one of } (i,0) \text { and } (i,1) \text { is in } A\} $$

and

$$ I_2=\{i: (i,1)\in A\}. $$

Then

$$ \sum _{(i,j)\in A} a_{(i,j)}=\sum _{i\in I_1} r_i+ \sum _{i\in I_2} h_i=\sum _{i\in I_1} r_i+ {<}\mathbf{e}_{I_2},\mathbf{h}{>} $$

where \(\mathbf{e}_{I_2}\) is the vector with 1’s in the positions of \(I_2\) and 0’s in the rest.

Note that if \(I_1\ne \emptyset , \{1,\dots ,\ell \}\), then \(\sum _{i\in I_1} r_i\) is uniformly distributed in \(\mathbb {F}_2\) over the choice of the \(r_i\)’s. Furthermore, \(\sum _{i\in I_1} r_i\) is clearly independent from \({<}\mathbf{e}_{I_2},\mathbf{h}{>}\). Hence the sum \(\sum _{(i,j)\in A} a_{(i,j)}\) is uniformly distributed in \(\mathbb {F}_2\).

Likewise if \(\mathbf{e}_{I_2}\notin U=V\cup W\) then \({<}\mathbf{e}_{I_2},\mathbf{h}{>}\) is uniformly distributed in \(\mathbb {F}_2\) by Lemma 3 (regardless of whether \(m_0+m_1=0\) or \(m_0+m_1=1\)). Therefore, the only cases where A can be minimally qualified for either \(m_0\), \(m_1\), \(m_0+m_1\) are the following:

  • \(I_1=\{1,\dots ,\ell \}\), \(\mathbf{e}_{I_2}\in V\). This case corresponds to

    $$A=\{(1,b_1),(2,b_2),\dots ,(n,b_n)\}$$

    where \((b_1,b_2,\dots ,b_n)=\mathbf{e}_{I_2}\in V\). Moreover \(\sum _{(i,j)\in A} a_{(i,j)}=m_0+{<}\mathbf{h},\mathbf{e}_{I_2}{>}=m_0\), so this set is minimally qualified for \(m_0\), since clearly there cannot be smaller subsets satisfying the same property.

  • \(I_1=\{1,\dots ,\ell \}\), \(\mathbf{e}_{I_2}\in W\). This case corresponds to

    $$A=\{(1,b_1),(2,b_2),\dots ,(n,b_n)\}$$

    where \((b_1,b_2,\dots ,b_n)=\mathbf{e}_{I_2}\in W\). Moreover \(\sum _{(i,j)\in A} a_{(i,j)}=m_0+{<}\mathbf{h},\mathbf{e}_{I_2}{>}=m_1\), so this set is minimally qualified for \(m_1\), since clearly there cannot be smaller subsets satisfying the same property.

  • \(I_1= \emptyset \), \(\mathbf{e}_{I_2}\in V\): in this case,

    $$A=\{(i,0): i\in I_2\}\cup \{(i,1): i\in I_2\}.$$

    However \(\sum _{(i,j)\in A} a_{(i,j)}={<}\mathbf{h},\mathbf{e}_{I_2}{>}=0\), so this set is not minimally qualified for any of the secrets.

  • \(I_1= \emptyset \), \(\mathbf{e}_{I_2}\in W\): in this case, again

    $$A=\{(i,0): i\in I_2\}\cup \{(i,1): i\in I_2\}.$$

    Now \(\sum _{(i,j)\in A} a_{(i,j)}={<}\mathbf{h},\mathbf{e}_{I_2}{>}=m_0+m_1\), so this set is minimally qualified for \(m_0+m_1\) unless there is a smaller subset \(I'_2\subseteq I_2\) such that \(e_{I'_2}\in W\). \(\square \)

5 Construction of OT-Combiners When \(\mathcal {S}\) is Ideal

In this section we will show Theorem 2, under the additional assumption that the secret sharing scheme \(\mathcal {S}\) is also ideal. That is, we show:

Theorem 2

case \(\mathcal {S}\) ideal. Let \(\mathcal {A}\), \(\mathcal {B}\subseteq 2^{\mathcal {P}_n}\) be adversary structures such that \((\mathcal {A}, \mathcal {B})\) is a \(\mathcal {R}_{2}\) pair. Suppose there exists a linear secret sharing scheme \(\mathcal {S}\) for n participants where the secret is in \(\{0,1\}\) and every share is in \(\{0,1\}\), and such that every set \(A\in \mathcal {A}\) is unqualified in \(\mathcal {S}\) and the complement \(\overline{B}\) of every set \(B\in \mathcal {B}\) is qualified in \(\mathcal {S}\).

Then there exists a single-use n-server OT combiner which is perfectly secure against any active \((\mathcal {A}, \mathcal {B})\)-adversary.

This result is enough to show Theorem 1, which is proven at the end of this section.

5.1 The Protocol

Our protocol \(\pi _{OT}\) described in Fig. 3 works as follows: Bob computes a secret sharing of his input b with the ideal linear secret sharing scheme \(\mathcal {S}\) promised above, therefore creating n shares \(b_i\), each of which is a bit since the scheme is ideal. On the other hand, Alice will secret share her input \((m_0,m_1)\) with a secret sharing scheme \(\Sigma \) that is defined as follows: \(\Sigma \) is the secret sharing scheme given by Proposition 1 where \(\ell =n\), V is the set of all possible sharings \([0,\mathbf {u}]_{\mathcal {S}}\) of 0 with \(\mathcal {S}\) (which is a vector space because \(\mathcal {S}\) is linear) and \(\mathbf {t}\) will be one sharing of 1 with \(\mathcal {S}\) (for example \(\mathbf {t}=[1,\mathbf {0}]_{\mathcal {S}}\)). By linearity, W is the set of all possible sharings of 1.

Now Alice an Bob call each OT server once, the inputs to the i-th server being \(a_{(i,0)}\) and \(a_{(i,1)}\), in this order, on Alice’s side, and \(b_i\) on Bob’s side. Assuming that there is no active corruption, Bob will receive \(a_{(i,b_i)}\) from the servers. By definition of \(\Sigma \) he has enough information to reconstruct \(m_b\) by running the corresponding reconstruction algorithm (if the reconstruction fails, because Alice’s shares were malformed, Bob outputs 0 by default).

Fig. 3.
figure 3

Protocol \(\pi _{OT}\) for ideal LSSSs.

Full size image

Proposition 2

If Alice and Bob follow the protocol semi-honestly, then \(\pi _{OT}\) (Fig. 3) implements OT with perfect correctness.

Proof

If Alice and Bob follow the protocol (semi-)honestly, at the end of the protocol Bob will have received all values \(m_b^{(i,b_i)},i=1,\dots ,n\), for some sharing \([b]_{\mathcal {S}}=(b_1,\dots ,b_n)\). By Proposition 1, \(\{(1,b_1),\dots ,(n,b_n)\}\) is qualified for reconstructing \(m_b\) (because \((b_1,\dots ,b_n)\in V\) if \(b=0\) and \((b_1,\dots ,b_n)\in W\) if \(b=1\)). \(\square \)

5.2 Security

In order to guarantee the privacy of Alice’s input, the first thing that we need to observe is that Bob does not learn \(m_b\) from \(a_{(i,b_i)}\) if \((b_1,\dots ,b_n)\) is not a valid sharing of b with \(\mathcal {S}\), since in that case \(\{(1,b_1),\dots ,(n,b_n)\}\) is not qualified for \(m_b\) by Proposition 1. However, this only guarantees privacy against a very weak semi-honest adversary corrupting Bob and no servers. Note that, first of all, the adversary can corrupt some set \(B\in \mathcal {B}\) of servers, thereby obtaining both \(a_{(i,0)}\) and \(a_{(i,1)}\) for all \(i\in B\). Moreover, if the adversary is malicious, it can also make Bob submit values \(b_i\) such that \((b_1,\dots ,b_n)\) is not a valid sharing \([b]_{\mathcal {S}}\). Finally, remember that in Sect. 2.2 we argued that given an ideal LSSS with secrets in \(\mathbb {F}_2\), like it is the case with \(\Sigma \), it may in principle happen that some sets of shares allow to reconstruct \(m_0+m_1\) even if they do not get any information about the individual \(m_0\) and \(m_1\). Therefore we also need to ensure that these cases will not happen in our problem.

We show how the properties we have guaranteed in Proposition 1 take care of all these and prevent the potentially malicious Bob from learning other information than he should.

Proposition 3

Suppose \((\mathcal {A},\mathcal {B})\) is an \(\mathcal {R}_{2} \) pair of adversary structures and \(\mathcal {S}\) and \(\Sigma \) are defined as above. Let \((m_0, m_1)\) be shared with \(\Sigma \). Fix \(B\in \mathcal {B}\) and \((b'_1,\dots ,b'_n)\in \mathbb {F}_2^n\), and define the set of indices

$$\mathcal {H}=\{(i,b'_i):i\in \overline{B}\}\cup \{(i,j): i\in B, j\in \{0,1\}\}.$$

Then:

  • If the set \(\{b'_i: i\in \overline{B}\}\) is not part of any sharing \([c]_\mathcal {S}\) for any \(c\in \{0,1\}\) then the values \(a_{(i,j)}, (i,j)\in I'\) give no information about the pair \((m_0, m_1)\).

  • If the set \(\{b'_i: i\in \overline{B}\}\) is a part of a sharing \([c]_\mathcal {S}\) of some \(c\in \{0,1\}\) then the values \(a_{(i,j)}, (i,j)\in I'\) give full information about \(m_c\) but no information about \(m_{1-c}\).

Proof

By the considerations in Sect. 2.2, we know that in principle a set of shares could either be unqualified (give no information about \((m_0,m_1)\)), qualified (give full information) or give partial information, which in turn can be of three types: either it gives information about one of the coordinates \(m_d\) and no information about \(m_{1-d}\) or it could give information about \(m_0+m_1\) and nothing else. On the other hand, Proposition 1 describes the minimally qualified sets for \(m_0\), \(m_1\) and \(m_0+m_1\).

We show first that the set \(\mathcal {H}\) is not qualified for \(m_0+m_1\) in any case. If that were the case, then there would exist a set \(I\subseteq \mathcal {P}_n\) such that \(\mathcal {H}\) would contain all indices of the form (i, 0), (i, 1) with \(i\in I\) and such that \(\mathbf {e}_I\in \mathbb {F}_2^n\) is a sharing of 1 with \(\mathcal {S}\). \(\mathcal {H}\) contains both (i, 0) and (i, 1) exactly for those \(i\in B\). But assume there existed an \(I\subseteq B\) such that \(\mathbf {e}_I\in \mathbb {F}_2^n\) were a sharing of 1. Now we get a contradiction as follows: from the assumptions, \(\overline{B}\) is qualified in \(\mathcal {S}\). Therefore by linearity of \(\mathcal {S}\) there cannot be a sharing of 1, \([1]_{\mathcal {S}}\), such that \([1]_{\mathcal {S}}^{\overline{B}}=\mathbf {0}\). But on the other hand \(\mathbf {e}_I\in \mathbb {F}_2^n\) is a sharing of 1 which satisfies that \([1]_{\mathcal {S}}^{\overline{I}}\) is zero, and since \(\overline{B}\subseteq \overline{I}\) both statements are contradictory.

Now note that the minimally qualified sets for \(m_0\) (resp. \(m_1\)) are those of the form \(\{(1,b_1),\dots ,(n,b_n)\}\subseteq \mathcal {P}_{n,2}\) where \((b_1,\dots ,b_n)\) is a sharing of 0 (resp. 1) with \(\mathcal {S}\). This implies that if \(\mathcal {H}\) is qualified for \(m_0\) (resp. \(m_1\)) then necessarily \(\{b'_i: i\in \overline{B}\}\) needs to be part of a sharing \([0]_{\mathcal {S}}\) (respectively \([1]_{\mathcal {S}}\)). \(\square \)

These elements are enough to formally show the security of our construction.

Theorem 5

The protocol \(\pi _{OT}\) UC-implements the functionality \(\mathcal {F}_{OT}\) in the presence of an \((\mathcal {A},\mathcal {B})\)-adversary.

Proof

Alice honest, Bob malicious:

We will suppose without loss of generality that corrupted servers act as a dummy adversary. Let B denote the set of corrupted servers.

First, \(\mathrm {Sim}\) awaits \((\texttt {ready},i)\) for \(i\in B\) and that the environment has sent \(b'_{i}\) for each \(i \in \overline{B}\). Then it executes \(\texttt {Reconstruct}_{\mathcal {S}}(\{(i,b'_i) : i \in \overline{B} \})\). If the reconstruction fails then \(\mathrm {Sim}\) chooses random messages \(\tilde{m}_0\), \(\tilde{m}_1\). If the reconstruction succeeds, let b be its output; then \(\mathrm {Sim}\) sends the command (transfer, b) to \(\mathcal {F}_{OT}\), receives message \((\texttt {sent},m_b)\) and sets \(\tilde{m}_{b}:=m_b\); it selects a random message \(\tilde{m}_{1-b} \in \mathcal {M}\).

In any case, \(\mathrm {Sim}\) generates a sharing \((a_{(i,j)})_{(i,j)\in \mathcal {P}_{n,2}}=[(\tilde{m}_0, \tilde{m}_1)]_\Sigma \).

Finally, in parallel \(\mathrm {Sim}\) sends the following to the environment: for each \(i \in \overline{B}\), it sends \(a_{(i,b'_i)}\), and for each \(i \in B\), it sends the entire vectors \(a_{(i,0)}\), \(a_{(i,1)}\).

We need to prove now that the distribution of these values is indistinguishable from the ones obtained in the interaction with the actual protocol. We should first note that since the set \(\overline{B}\) is qualified for \(\mathcal {S}\), the values \(\{b'_i: i\in \overline{B}\}\) cannot be part of both a sharing \([0]_{\mathcal {S}}\) and a sharing \([1]_{\mathcal {S}}\). Using Proposition 3, this implies that the distribution of the set of shares \((\tilde{m}_0)_{(i,j)}\), \((\tilde{m}_1)_{(i,j)}\), for \(i\in B\) and \(j\in \{0,1\}\) and \((\tilde{m}_0)_{(i,b'_i)}), (\tilde{m}_1)_{(i,b'_i)})\) for \(i\in \overline{B}\) obtained in the simulation is the same as the corresponding distribution in the actual protocol.

Alice malicious, Bob honest:

We will suppose without loss of generality that corrupted servers act as a dummy adversary. Let \(A\in \mathcal {A}\) be the set of corrupted servers. The simulator works as follows:

Upon receiving \((\texttt {ready})\) from the ideal functionality \(\mathcal {F}_{OT}\), \(\mathrm {Sim}\) generates uniformly random sharings of \(b = 0\) and \(b' = 1\) in \(\mathcal {S}\) subject to the only condition that if \(i \in A\), then \(b_i = b'_i\). Note that this is possible since A is unqualified for \(\mathcal {S}\). Then, in parallel \(\mathrm {Sim}\) sends \(b_i\) to the environment for each \(i\in A\). \(\mathrm {Sim}\) now awaits that for each \(i\in \overline{A}\), the environment sends \(a_{(i,0)}\) and \(a_{(i,1)}\) and that for each \(i\in A\) the environment sends \(a_{(i,b_i)}\).

For \(k=0,1\), if \(m_k\) is not already set to 0 then \(\mathrm {Sim}\) computes

$$m_k = \texttt {Reconstruct}_{\Sigma }^k(\{((i,b_i),a_{(i,b_i)}): i\in \mathcal {P}_n\})$$

If the reconstruction of \(m_k\) fails, \(\mathrm {Sim}\) sets \(m_k=0\). Finally, it sends \((\texttt {send},m_0,m_1)\) to \(\mathcal {F}_{OT}\).

By construction, the shares \(b_i\) corresponding to the set A of corrupt servers that the environment receives are indistinguishable from the A-shares in a uniformly random sharing of b, regardless of whether \(b=0\) or \(b=1\). Hence these \(b_i\) do not allow the receiver to distinguish the real and ideal world. Now, since after that step there is no further interaction, it suffices to show that the messages sent to Bob are indistinguishable from the ones sent in the real world.

This is the case since the shares have been chosen with the distribution Bob would use and since the simulator reconstructs the messages \(m_0\) and \(m_1\) in exactly the same way as Bob would reconstruct \(m_b\) in the real protocol, if b is his input. Therefore the real and ideal world are indistinguishable. \(\square \)

We note that the simulators in the proof above run in polynomial time.

5.3 Threshold Adversaries

We now consider threshold \((t_A,t_B)\)-adversaries, which corrupt Alice and up to \(t_A\) servers or Bob and up to \(t_B\) servers. Our main result is Theorem 1, which we recall next.

Theorem 1

For any large enough n, there exists an n-server single-use OT-combiner which is perfectly secure against an active (0.11n, 0.11n)-adversary.

This and other statements we claim below will be a consequence of the following lemma.

Lemma 4

If there exists a linear error-correcting code C over the binary field with length n, minimum distance d satisfying \(d\ge t_B+2\), and such that the minimum distance \(d^{\bot }\) of its dual \(C^{\bot }\) satisfies \(d^{\bot }\ge t_A+2\), then there exists a single-use OT-combiner for n servers which is perfectly secure against an active \((t_A, t_B)\)-adversary.

Proof

We know from [Mas93] (see also [CCG+07, Theorem 1]) that given a linear code C (over a field \(\mathbb {F}_q\)) with length \(n+1\), one can construct a linear secret sharing scheme for n participants with secret and shares in the same field \(\mathbb {F}_q\) as follows. Namely, given a secret \(s\in \mathbb {F}_q\), choose a codeword from C whose first coordinate is s, and define the remaining coordinates as the n shares. Then, if the code has minimum distance d and its dual code \(C^{\bot }\) has minimum distance \(d^{\bot }\), then any set of \(d^{\bot }-2\) participants in this LSSS is unqualified and any set of \(n-d+2\) participants is qualified. Hence the conditions of the lemma guarantee the existence of a ideal binary LSSS \(\mathcal {S}\) for n participants where every set of \(t_A\) participants is unqualified and every set of \(n-t_B\) participants is qualified. Plugging this \(\mathcal {S}\) into Theorem 2 (in the ideal case we have already proved in this section) shows the result. \(\square \)

Theorem 1 is then derived from the following result

Theorem 6

For large enough n, there exists a linear binary code with length \(n+1\) and \(d,d^{\bot }\ge 0.11n\).

The proof of this result essentially follows the steps from [CCG+07], and is based on the well-known Gilbert-Varshamov theorem from coding theory.

Theorem 7

(Gilbert-Varshamov). For every \(0\le \delta <1/2\) and any \(0<\epsilon <1-h_2(\delta )\) (where \(h(\cdot )\) denotes the binary entropy function), if a linear code is chosen uniformly at random among all linear codes over \(\mathbb {F}_2\) of length \(n+1\) and dimension \(k=\lceil (1-h_2(\delta )-\epsilon )(n+1)\rceil \), then with probability \(1-2^{-\Omega (n)}\) the code has minimum distance at least \(\delta (n+1)\).

Proof of Theorem 6. Choosing \(\delta =0.11\) (which guarantees \(h_2(\delta )<1/2\)), and \(\epsilon =1/2-h_2(\delta )\), Theorem 7 states that for large n, a uniformly random binary linear code of dimension \((n+1)/2\) has minimum distance \(\delta (n+1)\) with very large probability. Now the dual of a code of dimension \((n+1)/2\) also has dimension \((n+1)/2\). So one can use Gilbert-Varshamov bound (applied to both a code and its dual, whose distribution is clearly also uniformly random among all codes of dimension \((n+1)/2\)) and a union bound argument and the observations above about the relationship between codes and secret sharing schemes to conclude the result. \(\square \)

Proof of Theorem 1. This is now straightforward from Lemma 4 and Theorem 6. \(\square \)

We can also give non-asymptotic statements, at the cost of a small loss in the constant 0.11.

Theorem 8

For \(n\ge 21\), there exists an n-server single-use OT-combiner which is perfectly secure against an active \((\lfloor 0.1n\rfloor , \lfloor 0.1n\rfloor )\)-adversary.

Proof

[CCG+07, Corollary 2]. (see also Definition 5 in the same paper) guarantees that for \(n\ge 21\), there exists a binary linear code with both \(d, d^{\bot }\ge \lfloor 0.1n\rfloor \). Again applying Lemma 4 we obtain the result. \(\square \)

Theorem 1 is an existence result, and explicit constructions of codes attaining the Gilbert-Varshamov bound over the binary field are not known. We can only guarantee that choosing a random code of length \(n+1\) and dimension \((n+1)/2\) will with high probability yield a linear secret sharing scheme with the desired guarantees. Explicit constructions of perfectly secure OT-combiners against an active \((\Omega (n), \Omega (n))\)-adversary can be obtained from algebraic geometric codes, but the underlying constant is worse than 0.11. For small values of n one can also obtain explicit constructions of ideal binary LSSS with relatively good privacy and reconstruction thresholds. One possibility is to use self-dual codes (i.e. codes that are their own duals), since in that case the minimum distance of the code and its dual is the same. Tables of self-dual codes with the largest known minimum distance for their lengths are available at [Gab]. These tables show for instance the existence of a binary self-dual code of length 8 and minimum distance 4, which yields a single-use 7-server OT-combiner with perfect security against an active (2, 2)-adversary.

Finally, while in this paper we focus on perfect security, we briefly sketch a modification of our protocol towards the goal of achieving statistical security against a stronger threshold adversary that corrupts \(n/2-\omega (\log \kappa )\) servers, for a security parameter \(\kappa \), following the ideas of [IMSW14] who obtained a similar result for passive adversaries. In this case, we need to assume the existence of a direct communication channel between Alice and Bob and we assume that the static adversary corrupts a set of servers and one of the parties prior to the beginning of the protocol. The idea is to use our construction from Theorem 1 but, rather than fixing a LSSS \(\mathcal {S}\) prior to the start of the protocol as we do in Theorem 1, in the statistical version we would let Alice and Bob choose a random linear code and hence its associated LSSS as the first step of the protocol, after corruption of the servers (and one of the parties) has taken place. They do this by means of a secure coin tossing protocol. According to the arguments in Theorem 2, the adversary can only break the security of the protocol if it was able to corrupt either Alice and a set of servers A which is qualified in the corresponding LSSS scheme \(\mathcal {S}\) or Bob and a set of servers B such that the complement \(\overline{B}\) is not qualified in \(\mathcal {S}\). However, the adversary does not know the LSSS at the time of the corruption, so he must basically guess which set to corrupt. The results about LSSS constructed from codes in [Mas93, CCG+07] imply that the adversary succeeds if he corrupts a set of servers such that there exists a codeword in either C or \(C^{\bot }\) with a 1 in the first coordinate and the rest of its support is contained in the set of indices corresponding to the corrupted set. However, one can show by a simple counting argument that the probability that this bad event happens is negligible in \(\kappa \).

6 Construction of OT-Combiners in the General Case

In this section we present the general version of the protocol \(\pi _{OT}\) from the previous Sect. 5, when the adversary structure \(\mathcal {A}\) is not necessarily the adversary structure of an ideal LSSS over \(\mathbb {F}_2\). Note that many interesting access structures, for example most threshold structures, do not admit an ideal LSSS over \(\mathbb {F}_2\).

Theorem 2

Let \(\mathcal {A}\), \(\mathcal {B}\subseteq 2^{\mathcal {P}_n}\) be adversary structures such that \((\mathcal {A}, \mathcal {B})\) is a \(\mathcal {R}_{2}\) pair. Suppose there exists a linear secret sharing scheme \(\mathcal {S}\) for n participants where the secret is in \(\{0,1\}\) and the i-th share is in \(\{0,1\}^{\ell _i}\), and such that every set \(A\in \mathcal {A}\) is unqualified in \(\mathcal {S}\) and the complement \(\overline{B}\) of every set \(B\in \mathcal {B}\) is qualified in \(\mathcal {S}\).

Then there exists an OT combiner which calls the i-th server \(\ell _i\) times and is perfectly secure against any active \((\mathcal {A}, \mathcal {B})\)-adversary.

Fig. 4.
figure 4

Protocol \(\pi _{OT}\) for general LSSSs.

Full size image

Let \(\mathcal {S}\) be a possibly non-ideal perfect secret sharing scheme with adversary structure \(\mathcal {A}\). For \(i=1,\dots ,n\) the i-th share of \(\mathcal {S}\) belongs to some vector space \(U_i=\{0,1\}^{\ell _i}\) for some integer \(\ell _i\ge 1\). Let \(\ell =\sum _{i=1}^n \ell _i\) be the complexity of \(\mathcal {S}\).

The idea of the generalization is simple. The i-th server is split in \(\ell _i\) subservers, each of which will receive one different bit of the i-th share of Bob’s input. These subservers will now work as the servers did in the protocol from Sect. 5 (we remark however that the adversaries corrupt full servers and not individual subservers). For that we need to modify the secret sharing scheme \(\Sigma \) used by Alice accordingly. More precisely, let \(V, W\subseteq U_1\times \dots \times U_n\) be the sets of all possible sharings of 0 and 1 respectively. We can think of the elements of V and W as \(\ell \)-bit strings, and we index their coordinates by pairs (ik) where the (ik)-th coordinate of a sharing is the k-th bit of the i-th share. Now we can define \(\Sigma \) as in Proposition 1 for these V and W (and setting \(\mathbf {t}\) to be some sharing \([1]_{\mathcal {S}}\)). Everything works therefore the same as in Sect. 5.1 except that \(\Sigma \) will now have \(2\ell \) shares. The set of shares will be indexed by \(\mathcal {P}_{\ell ,2}:=\{(i,k,j): i=1,\dots ,n,\ k=1,\dots ,\ell _i,\ j=0,1\}.\) The general protocol is given in Fig. 4. The security proofs work essentially as in the case presented in Sect. 5.

7 Necessary Conditions for the Existence of OT Combiners

In this section we show Theorem 3.

Theorem 3

Let \(\mathcal {A}\), \(\mathcal {B}\) be adversary structures on the set of servers \(\{S_1,\dots ,S_n\}\). If there exists a perfectly secure OT-combiner which is secure against any passive \((\mathcal {A},\mathcal {B})\)-adversary and uses server \(S_i\) exactly \(\ell _i\) times, then \((\mathcal {A}, \mathcal {B})\) is an \(\mathcal {R}_{2}\) pair of structures and there exists a secret sharing scheme for n participants with secret in \(\{0,1\}\), the i-th share in \(\{0,1\}^{\ell _i}\), for \(i=1,\dots ,n\) and such that every set \(A\in \mathcal {A}\) is unqualified in \(\mathcal {S}\) and the complement \(\overline{B}\) of any set every set \(B\in \mathcal {B}\) is qualified in \(\mathcal {S}\).

First we show that if \((\mathcal {A},\mathcal {B})\) were not \(\mathcal {R}_{2} \) then the existence of an unconditionally secure OT combiner would imply the existence of a 2-party unconditionally secure OT protocol. Indeed if \((\mathcal {A},\mathcal {B})\) is not \(\mathcal {R}_{2} \), then there exists \(A\in \mathcal {A}\) and \(B\in \mathcal {B}\) such that \(A\cup B\) is the set of all servers. Then the entire protocol can be emulated by two parties: Alice\('\), who plays the joint role of Alice and all the servers in A and Bob\('\) who plays for Bob and all servers in B. This is then a two-party protocol in the plain model which is unconditionally secure against a semi-honest adversary who can corrupt either of the parties Alice\('\) and Bob\('\). This is known to be impossible.

Next, we prove the existence of a secret sharing scheme with the properties mentioned in the theorem. In fact, we simply reproduce the arguments from [IMSW13] in our setting. Assume we have an OT combiner which is perfectly secure against an \((\mathcal {A},\mathcal {B})\)-adversary and where the i-th server is used \(\ell _i\) times. Then Bob’s inputs to the OT servers must have been computed from his global input to the OT combiner by some probabilistic algorithm AlgBob. We now consider a secret sharing scheme \(\mathcal {S}\) whose sharing algorithm is AlgBob (understanding that the i-th share is the bit-string containing all \(\ell _i\) inputs bits to the i-th OT server produced by AlgBob). Since the OT combiner is secure against and adversary corrupting Alice and a set \(A\in \mathcal {A}\), this means that every \(A\in \mathcal {A}\) must be unqualified in \(\mathcal {S}\). Next we show that for every \(B\in \mathcal {B}\), its complement \(\overline{B}\) must be a reconstructing set for \(\mathcal {S}\). Consider a party Alice\('\) who plays the role of Alice and the servers in \(\overline{B}\) in the OT-combiner and a party Bob\('\), who plays the role of Bob and the servers in B. Assume that the inputs of Alice and Bob are independent. We then have a protocol between Alice\('\) and Bob\('\) in the plain model, which correctly implements the OT functionality and in which, by security of the OT combiner and since \(B\in \mathcal {B}\), Bob\('\) obtains no information about the input \((m_0,m_1)\) of Alice\('\) after the protocol has been executed. In these conditions, it follows from standard arguments about the impossibility of two party computation in the plain model (see e.g. [CDN15]) that Alice\('\) not only obtains information about the input of Bob\('\), but in fact she recovers it with probability 1. Given that all the information that Alice\('\) has learned during the execution of the protocol is the input bits to the servers in \(\overline{B}\), we conclude that \(\overline{B}\) is a reconstructing set for \(\mathcal {S}\).

8 2-Out-of-3 OT-Combiners

As an application of Theorems 2 and 3 we determine the minimal number of calls for a perfectly secure OT combiner where we have 3 servers, and 2 of them are secure. In other words, we want perfect security against an (1, 1)-adversary, i.e. \(\mathcal {A}=\mathcal {B}=\{\{1\},\{2\},\{3\}\}\). By Theorem 2, we are then interested in finding a linear secret sharing scheme over \(\mathbb {F}_2\) for 3 participants such that it has 1-privacy (every single participant is unqualified) and it has 2-reconstruction (every set of two participants is qualified). Note that we want to find a threshold secret sharing scheme, but Shamir’s scheme cannot be used directly over \(\mathbb {F}_2\) (we would tolerate at most 2 participants). One could instead use Shamir’s scheme over the extension field \(\mathbb {F}_4\), and in this case we have shares which are each in \(\{0,1\}^2\). This yields an OT-combiner where each server is called twice, which matches the number of calls in a construction in [HKN+05]. However, we show that one can do better with the following LSSS \(\mathcal {S}\).

Fig. 5.
figure 5

A 2-out-of-3 threshold linear secret sharing scheme \(\mathcal {S}\)

Full size image

Lemma 5

\(\mathcal {S}\) has 2-reconstruction and 1-privacy.

Corollary 1

There exists an OT combiner for 3 OT servers which is perfectly secure against an (1, 1)-adversary and makes 1 call to one of the OT servers and 2 calls to each of the other 2 servers.

Now we apply Theorem 3 in combination with the results from [CCX13] to show that this is optimal in the total number of server calls. Theorem 3 states that given an OT-combiner in the conditions above, there needs to exist a secret sharing scheme (linear or not) for 3 participants with 1-privacy, 2-reconstruction and share lengths matching the number of calls to the OT-servers. On the other hand we have

Theorem 9

[CCX13]. Suppose there exists a secret sharing scheme for n participants, where the i-th share takes values in an alphabet \(A_i\), and such that it has t-privacy and r-reconstruction. Let \(\overline{q}=\frac{1}{n}\sum _{i=1}^n|A_i|\) be the average cardinality of the share-alphabets. Then

$$ r-t\ge \frac{n-t+1}{\overline{q}}. $$

Therefore, a secret sharing in the conditions above must satisfy that the average cardinality of the share-alphabets is \(\overline{q}\ge 3\). Now note that in our case the shares are in \(\{0,1\}^{\ell _i}\), which are alphabets of cardinality \(2^{\ell _i}\), and we can rule out degenerate cases where \(\ell _i=0\) (since in that case, clearly it cannot happen simultaneously that \(\{i,j\}\) is qualified and \(\{j\}\) is unqualified). Under all these conditions, one can easily check that \(\sum _{i=1}^3 \ell _i<5\) and \(\overline{q}=\frac{1}{3}\sum _{i=1}^3 2^{\ell _i}\ge 3\) cannot be achieved simultaneously. Therefore,

Corollary 2

The minimal number of calls for a OT combiner for 3 OT servers which is perfectly secure against an (1, 1)-adversary is 5.

9 Security Against Corruptions of Only Servers

Our model does not consider corruption of only servers, and our security proofs therefore do not directly guarantee any security in case the adversaries corrupt only a set of servers. Nevertheless, we can argue that some security properties are satisfied even in case of server-only corruption.

Let \(\mathrm {Adv}\) be an adversary that corrupts a set C of servers only. Alice and Bob are both honest and have inputs \((m_0,m_1), b\) respectively. Let us first consider the case where \(\mathrm {Adv}\) is semi-honest and corrupts only a set \(S\in \mathcal {B}\) of servers. If a protocol \(\pi \) is secure in our model, it is easy to see that it will compute the correct result \((\bot ,m_b)\) (meaning Bob receives \(m_b\) and Alice receives nothing) also in this case and that \(\mathrm {Adv}\) will learn nothing more than at most \(b, m_b\). This follows, since if \(\mathrm {Adv}\) had also corrupted Bob semi-honestly, he would have learned at least as much and we can use security of \(\pi \) to conclude that in that case the correct result is computed and \(\mathrm {Adv}\) learns nothing more than \(b,m_b\). In particular, the view of \(\mathrm {Adv}\) can be simulated perfectly based on \(b, m_b\). A similar conclusion holds if we switch the roles of Alice and Bob, i.e. if \(\mathrm {Adv}\) is semi-honest and corrupts only a set \(S\in \mathcal {A}\) of servers, his view can be simulated perfectly based only on \(m_0, m_1\).

Now, consider the case where \(S\in \mathcal {A}\) and \(S\in \mathcal {B}\). We can then conclude that the view of \(\mathrm {Adv}\) can be simulated perfectly based on \(m_0, m_1\) and also based on \(b, m_b\). But this must mean that the distribution of this view does not depend on any of these values: assume for contradiction that there existed \(m_0, m_1\) such that the distribution of the view of S given \((0, m_0)\) is different from the one given \((1, m_1)\). Now compare the two cases where we run the protocol on inputs \((m_0,m_1, 0)\) respectively \((m_0, m_1, 1)\). Then the simulation based on \(m_0,m_1\) would output the same distribution in both cases, so it cannot be consistent with both the distribution resulting from \((m_0,m_1,0)\) and from \((m_0,m_1,1)\). So we have

Proposition 4

If protocol \(\pi \) is perfectly secure in our model, it is also secure against semi-honest corruption of a set of servers that is in both \(\mathcal {A}\) and \(\mathcal {B}\), except that the simulation may not in general be efficient.

Let us now consider malicious corruption: Alice and Bob are honest and \(\mathrm {Adv}\) is malicious and corrupts only a set \(C\in \mathcal {B}\) of servers. Note that from Alice’s point of view, the situation is indistinguishable from a case where \(\mathrm {Adv}\) also corrupts Bob but lets him play honestly. Security of \(\pi \) now implies that \(\mathrm {Adv}\) learns nothing more than b and \(m_{b'}\) for some well defined input \(b'\) that is determined by the behaviour of the malicious servers. Note that we are not guaranteed that \(b'\) is equal to the honest input b, even though Bob plays honestly. Similarly, for \(C\in \mathcal {A}\), \(\mathrm {Adv}\) will learn nothing about b.

We observe that if S is in both \(\mathcal {A}\) and \(\mathcal {B}\), then both the honest Alice and honest Bob are guaranteed privacy: By running \(\pi \), I will give away only the function evaluated in my own input and some input from the other party. But Alice and Bob are not guaranteed to agree on the result, so we do not get security in the standard single adversary sense against malicious corruption of C.

We can in fact argue that this cannot in general be achieved in our model, even if C is in both \(\mathcal {A}\) and \(\mathcal {B}\): Consider a case with 3 servers 1, 2, 3 and let \(\mathcal {A}= \{ \{1\}, \{2\} \}\) and \(\mathcal {B}= \{ \{2\}, \{3\} \}\). This is clearly \(\mathcal {R}_{2} \), so our model applies. Now, it is easy to see that a secure protocol \(\pi \) in our sense will in this case also be semi-honestly secure against single-adversary corruption of \(\{\mathrm{Alice, 1}\}\), as well as \(\{\mathrm{Bob, 3}\}\). So if \(\pi \) was also single adversary maliciously secure against corruption of \(\{2\}\), then we would have a situation where the whole player set is covered by 2 sets that are semi-honestly corruptible and 1 set that is maliciously corruptible, while \(\pi \) remains secure. And where furthermore the malicious server 2 has no inputs or outputs. We are precisely in the case where the proof of Theorem 1 in [FHM99] rules out the possibility of having a secure protocol.