How Many Oblivious Transfers Are Needed for Secure Multiparty Computation?

  • Danny Harnik
  • Yuval Ishai
  • Eyal Kushilevitz
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4622)


Oblivious transfer (OT) is an essential building block for secure multiparty computation when there is no honest majority. In this setting, current protocols for n ≥ 3 parties require each pair of parties to engage in a single OT for each gate in the circuit being evaluated. Since implementing OT typically requires expensive public-key operations (alternatively, expensive setup or physical infrastructure), minimizing the number of OTs is a highly desirable goal.

In this work we initiate a study of this problem in both an information-theoretic and a computational setting and obtain the following results.
  • If the adversary can corrupt up to t = (1 − ε)n parties, where ε > 0 is an arbitrarily small constant, then a total of O(n) OT channels between pairs of parties are necessary and sufficient for general secure computation. Combined with previous protocols for “extending OTs”, O(nk) invocations of OT are sufficient for computing arbitrary functions with computational security, where k is a security parameter.

  • The above result does not improve over the previous state of the art in the important case where t = n − 1, when the number of parties is small, or in the information-theoretic setting. For these cases, we show that an arbitrary function f : {0,1}^n → {0,1}^* can be securely computed by a protocol which makes use of a single OT (of strings) between each pair of parties. This result is tight in the sense that at least one OT between each pair of parties is necessary in these cases. A major disadvantage of this protocol is that its communication complexity grows exponentially with n. We present natural classes of functions f for which this exponential overhead can be avoided.
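
The per-gate OT cost described in the first paragraph of the abstract, as an added example that is not code from the paper: a GMW-style evaluation over XOR shares (an assumption; the abstract does not name the baseline protocol) with a trusted stand-in for 1-out-of-4 OT that counts invocations per pair of parties. The names `IdealOT`, `share`, `and_gate` and `evaluate_and_chain` are hypothetical.

```python
import secrets
from functools import reduce
from itertools import combinations
from operator import xor

class IdealOT:
    """Trusted-party stand-in for 1-out-of-4 OT (not a real OT protocol).
    It only models the functionality and counts invocations per pair."""
    def __init__(self):
        self.calls = {}

    def transfer(self, sender, receiver, messages, choice):
        pair = frozenset((sender, receiver))
        self.calls[pair] = self.calls.get(pair, 0) + 1
        return messages[choice]  # receiver learns only the chosen message

def share(bit, n):
    """XOR-share a bit among n parties (done by the harness here)."""
    shares = [secrets.randbits(1) for _ in range(n - 1)]
    shares.append(reduce(xor, shares, bit))
    return shares

def reconstruct(shares):
    return reduce(xor, shares, 0)

def and_gate(xs, ys, ot):
    """From XOR shares of x and y, produce XOR shares of x AND y.
    Every unordered pair {i, j} performs exactly one OT."""
    n = len(xs)
    zs = [xs[i] & ys[i] for i in range(n)]  # local terms x_i*y_i
    for i, j in combinations(range(n), 2):
        r = secrets.randbits(1)  # party i's fresh mask
        # Party i offers r ^ (x_i*b ^ a*y_i) for each possible (a, b) = (x_j, y_j).
        table = [r ^ (xs[i] & b) ^ (a & ys[i]) for a in (0, 1) for b in (0, 1)]
        got = ot.transfer(i, j, table, 2 * xs[j] + ys[j])
        zs[i] ^= r    # party i keeps the mask
        zs[j] ^= got  # party j keeps the masked cross term
    return zs

def evaluate_and_chain(inputs, n):
    """AND all input bits together gate by gate; return (output, OT counter)."""
    ot = IdealOT()
    acc = share(inputs[0], n)
    for bit in inputs[1:]:
        acc = and_gate(acc, share(bit, n), ot)
    return reconstruct(acc), ot
```

With n parties and G AND gates, the counter shows n(n − 1)/2 pairs, each invoked G times; this is the per-gate cost that the results above reduce.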





Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Danny Harnik (1)
  • Yuval Ishai (1)
  • Eyal Kushilevitz (1)

  1. Department of Computer Science, Technion, Haifa, Israel
