Network Oblivious Transfer
Abstract
Motivated by the goal of improving the concrete efficiency of secure multiparty computation (MPC), we study the possibility of implementing an infrastructure for MPC. We propose an infrastructure based on oblivious transfer (OT), which would consist of OT channels between some pairs of parties in the network. We devise information-theoretically secure protocols that allow additional pairs of parties to establish secure OT correlations using the help of other parties in the network in the presence of a dishonest majority. Our main technical contribution is an upper bound that matches a lower bound of Harnik, Ishai, and Kushilevitz (Crypto 2007), who studied the number of OT channels necessary and sufficient for MPC. In particular, we characterize which n-party OT graphs G allow t-secure computation of OT correlations between all pairs of parties, showing that this is possible if and only if the complement of G does not contain the complete bipartite graph \(K_{n-t,n-t}\) as a subgraph.
Keywords: Secure Computation, Oblivious Transfer, Honest Party, Computational Security, Secure Multiparty Computation
1 Introduction
Protocols for secure multiparty computation [8, 16, 31, 66] allow a set of mutually distrusting parties to carry out a distributed computation without compromising the privacy of inputs or the correctness of the end result. As a research area, secure computation has witnessed several breakthroughs in the last decade [40, 41, 43, 47, 52, 53, 54, 57, 59, 67]. However, despite a wide array of potential game-changing applications, there is nearly no practical adoption of secure computation today (with the notable exceptions of [11, 12]). Computations wrapped in a secure computation protocol do not yet deliver results efficiently enough to be acceptable in many cloud-computing applications. For instance, state-of-the-art semi-honest 2-party protocols incur a factor \(\approx \)100 slowdown even for simple computations.
In the absence of practical real-world protocols for secure computation which are secure in the presence of any number of dishonest parties, there is a need for relaxations that are meaningful and yet provide significant performance benefits. As an example, classic protocols for secure computation [8, 16, 63] (with subsequent improvements e.g., [4, 9, 19, 20, 21, 23]) offer vastly better efficiency at the cost of tolerating only a small constant fraction of adversaries. The resilience offered is certainly acceptable when the number of participating parties is large, e.g., the setting of large-scale secure computation [13, 14, 25, 68]. Although large-scale secure computation is well-suited for several interesting applications (such as voting, census, surveys), we posit that typical settings involve computations over data supplied by a few end users. In such cases, the overhead associated with interaction among a large number of helper parties is likely to render these protocols more expensive than a standard secure computation protocol among the end users. If the number of helper parties is small, security against a small fraction of corrupt parties may be a very weak guarantee, since a handful of corrupt parties could render the protocol insecure.
An orthogonal approach for reducing the online cost of secure computation protocols is the use of preprocessing [1, 3, 10, 24]. This approach can dramatically reduce the cost of secure computation: for instance, given preprocessing [3], the \(\approx \)100 factor slowdown for simple computations no longer applies. Recent theoretical research has shown that many primitives can even be made reusable (e.g. [34]). Perhaps the most important drawback of this approach (other than the fact that the preprocessing phase is typically very expensive) is that the preprocessing is not transferable. Clearly, a pair of parties that want to perform a secure computation cannot benefit from this approach without performing the expensive preprocessing step. Moreover, this seems to hold even if each of the two parties has set up the preprocessing with multiple others. Typically, the cost of the preprocessing phase is quite high, presenting a barrier for the practical use of preprocessed protocols. This is especially true in settings where parties are unlikely to run many secure computations that would amortize the cost of preprocessing.

Reusability/Amortization. Setting up an infrastructure component could be expensive, but using it and maintaining it should be inexpensive relative to setting up a new component.
Transferability/Routing. It should be possible to combine different components of the infrastructure to deliver benefits to the end users.
Robustness/Fault-tolerance. Failure or unavailability of some components of the infrastructure should not nullify the usefulness of the infrastructure.
It is not hard to see that the above criteria are fulfilled by infrastructures that we use in daily life, e.g., the infrastructure for online communication (email, instant messaging, etc.) consisting of transatlantic undersea cables, routers, wireless access points, etc. What cryptographic primitives would be good candidates for a secure computation infrastructure? In this work, we explore the possibility of using oblivious transfer [27, 62] for this purpose.
1.1 Our Model: Network Oblivious Transfer

Preprocessing. OT enables precomputation in an offline stage before the inputs or the function to be computed are known. The subsequent online phase is extremely efficient [3].

Amortization. The cost of computing OTs can be accelerated using efficient OT extension techniques [2, 43, 45, 59].

Security. OTs can be realized under a wide variety of computational assumptions [18, 27, 58, 60, 62] or under physical assumptions.
In this work, we consider n parties connected by a synchronous network with secure point-to-point private communication channels between every pair of parties. In addition, some pairs of parties on the network have established OT channels between them providing them with the ability to perform arbitrarily many OT operations. We represent the OT channel network via an OT graph G. The vertices of G represent the n parties, and pairs of parties that have an established OT channel are connected by an edge in G. Since OT can be reversed unconditionally [64], we make no distinction between the sender and the receiver in an OT channel. This OT graph represents the infrastructure we begin with. The OT channels could either represent \(\mathop {\mathrm {poly}}\nolimits (\lambda )\) 1-out-of-2 OT correlations for a computational security parameter \(\lambda \), or a physical channel (e.g., noisy channel) that realizes, say, \(\delta \)-Rabin OT [62].^{1} We are interested in obtaining security against adaptive semi-honest adversaries. We also discuss security against adaptive malicious adversaries under computational assumptions.
Two parties that are connected by an edge can use the corresponding existing OT channel to run a secure computation protocol between themselves. What about parties that are not connected by an edge? Clearly, they can establish an OT channel between themselves via an OT protocol [18, 60] or perhaps using a physical channel. The latter option, if possible, is likely to be expensive and the costs of setting up a physical channel may be infeasible unless the two parties are likely to execute many secure computation protocols. The former option is also expensive as it involves use of public-key cryptography, which is somewhat necessary in the light of [42].^{2} This motivates the question of whether additional parties can use an existing OT infrastructure to establish an OT channel between themselves unconditionally or relying only on the existence of symmetric-key cryptography. A positive result to this question would show that expensive cryptographic operations are not required to set up additional OT channels which could be used for efficient secure computation. In this work we construct OT protocols with information-theoretic security against a threshold adversary.
The Generality of an OT Infrastructure. Consider the following candidate for an infrastructure. Suppose there is a channel between a pair of parties that allows them to securely evaluate any function. Since OT is complete for secure computation, one can apply the results of [45, 46] to use the OT channel to implement a secure evaluation channel. In the other direction, one can use a secure evaluation channel to trivially implement OT channels. Consequently, such a channel is equivalent to an OT channel. The same argument extends to channels that implement any 2-party primitive that is complete for secure computation [5, 55]. Furthermore, the above argument also applies to the setting where a set of parties have a secure evaluation channel. Such a channel is equivalent to an OT graph where parties in the set have pairwise OT channels with everyone in the set.
Assuming a Full Network of Secure Channels. Secure channels between two parties can be implemented either via non-interactive key exchange and hybrid encryption or via a physical assumption. We emphasize that the one-time setup cost of emulating a secure channel (e.g. via Diffie-Hellman key exchange) is much lower than the one-time setup cost of emulating an OT channel that allows unbounded OT calls via an OT protocol, even using OT extension. Furthermore, our assumption of secure channels is identical to the setting of [33, 45, 46], who show that secure computation reduces to OT under information-theoretic reductions.
1.2 Related Work and Our Contributions
Related Work. As mentioned previously, there is a large body of work on secure computation in the offline/online model (cf. [10, 24, 50, 51, 59, 61] and references therein). These protocols exhibit an extremely fast online phase at the expense of a slow preprocessing phase (sometimes using MPC [51] or more typically, OT correlations [59] or a somewhat homomorphic encryption scheme [24]). To the best of our knowledge, the question of transferability of preprocessing has not been explicitly investigated in the literature with the notable exception of [36], which we will discuss in greater detail below. There is a large body of work on secure computation against a threshold adversary (e.g. [8, 16, 31, 63]). Popular regimes where secure computation against threshold adversaries have been investigated are for \(t < n/3\), \(t < n/2\), or \(t = n-1\). In this work we are interested in threshold adversaries for a dishonest majority, that is, adversaries which can corrupt t out of n parties for \(n/2 \le t < n\).^{3} Such regimes were investigated in other contexts such as authenticated broadcast [29] and fairness in secure computation [6, 39, 44]. Infrastructures for perfectly secure message transmission (PSMT) were investigated in the seminal work of [26] (see also [28] and references therein). While the task of PSMT is similar to our question regarding OT channels, there are inherent differences. For example, our protocols can implement OT even between two parties that are isolated in the OT graph (i.e., not connected to any other party via an OT channel).^{4} In PSMT, on the other hand, there is no hope of achieving secure communication with a node that is not connected by any secure channel.
Most relevant to our results is the work of Harnik et al. [36]. The main question in their work is an investigation of the number of OT channels sufficient to implement an n-party secure computation protocol. In a nutshell, they show against an adaptive t-threshold adversary for \(t = (1-\delta ) n\), an explicit construction of an OT graph consisting of \((n + o(n))\binom{\lceil 1/\delta \rceil }{2}\) OT channels that suffices to implement secure computation among the n parties. They note further that against a static adversary, \(\binom{\lceil s/\delta \rceil }{2}\) OT channels suffice, where s denotes a statistical security parameter. On the negative side, they show that a complete OT graph is necessary for secure computation when dealing with an adversary that can corrupt \(t = n-1\) parties. They derive this result by showing that in a 3-party OT graph with two OT channels, it is not possible to obtain OT correlations between the third pair of parties with security against two corruptions. Moreover they generalize their 3-party negative result to any OT graph whose complement contains the complete bipartite graph \(K_{n-t,n-t}\) as a subgraph. In our paper we extend and generalize the results of [36], fully characterizing the networks for which it is possible to obtain OT correlations between a designated pair of parties. We now proceed to explain our contributions in more detail.
Our Contributions. We introduce our main result:
1. (honest majority) it holds that \(t < n/2\); or
2. (trivial) A and B are connected by an edge in G; or
3. (partition) there exists no partition \(V_1, V_2, V_3\) of G such that all of the following conditions are satisfied: (a) \(|V_1| = |V_2| = n-t\) and \(|V_3| = 2t-n\); (b) \(A \in V_1\) and \(B \in V_2\); and (c) for every \(A' \in V_1\) and \(B' \in V_2\) it holds that \((A',B') \not \in E\).
Our main theorem gives a complete characterization of networks for which a pair of parties can utilize the OT network infrastructure to execute a secure computation protocol. The first two conditions in our theorem are straightforward: (1) if \(t < n/2\), then we are in the honest majority regime, and thus it is possible to implement secure computation (or emulate an OT oracle) using the honest majority information-theoretically secure protocols of [63]; (2) clearly if A and B are connected by an OT edge then by definition they can emulate an OT oracle.
Condition (3) applies when \( t \ge n/2\) and when A and B do not have an OT edge between them. This condition is effectively the converse of the impossibility result of [36], which states that any n-party OT graph whose complement contains \(K_{n-t,n-t}\) as a subgraph cannot allow an n-party secure computation that tolerates t semi-honest corruptions. Condition (3) implies that any n-party OT graph whose complement does not contain \(K_{n-t,n-t}\) as a subgraph can run n-party secure computations tolerating t semi-honest corruptions.
Applying Our Main Theorem. We first compare our positive results to those of [36]. They investigate how to construct an OT graph with the minimum number of edges allowing n parties to execute a secure computation protocol. They show a construction for a graph with \((n+o(n))\binom{\lceil 1/\delta \rceil }{2}\) edges which they prove is sufficient for resilience against an adversary that corrupts \((1-\delta )n\) parties. Our result provides a complete, simple characterization of which OT graphs on n vertices are sufficient to run a t-secure protocol generating OT correlations between all pairs of vertices for any \(t\ge n/2\), which is sufficient to obtain a protocol for secure computation among the n parties [45, 46]. Our main theorem also implies that determining the minimum number of OT edges needed to execute a secure computation protocol for general \(n,t\ge n/2\) is equivalent to an open problem in graph theory posed by Zarankiewicz in 1951 [48].
Our results immediately imply that for some values of t, extremely simple sparse OT graphs suffice for achieving secure multiparty computation. For n even and \(t=n/2\), we have that the t-claw graph (cf. Fig. 4(a)) has t edges and suffices to achieve t-secure multiparty computation. For n odd and \(t = (n+1)/2\), the \((t+1)\)-cycle has \(t+1\) edges and suffices to achieve t-secure multiparty computation. We show in the full version that these examples are the sparsest possible graphs which can achieve \(\lfloor (n+1)/2\rfloor \)-secure multiparty computation.
Next, our results are also well-suited to make use of an OT infrastructure for secure computation. Specifically, let \(G_I\) denote the OT graph consisting of existing OT edges between parties that are part of the infrastructure. Now suppose a pair of parties A, B not connected by an OT edge wish to execute a secure computation protocol. Then they can find a subgraph G of \(G_I\) with \(A, B \in G\) and \(|G| = n\) such that they agree that at most t out of the n parties can be corrupt and the partition condition in our main theorem holds for G. Since it is possible to handle a dishonest majority, parties do not have to settle for a lower threshold and can enjoy increased confidence in the security of their protocol by making use of the infrastructure. Surprisingly, it turns out the OT subgraph G need not even contain t OT edges to offer resilience against t corruptions (cf. Fig. 2(c) with \(n = 4, t = 2\)).
A pair of parties may use the OT correlations generated as the base OTs for an OT extension protocol and inexpensively generate many OT correlations that can be saved for future use or to add to the OT infrastructure. In any case, it should be clear that our protocols readily allow load-balancing across the OT infrastructure and are also abort-tolerant in the sense that if some subgraph G ends up not delivering the output, then one can readily use a different subgraph \(G'\). Thus we believe that our results can be used to build a scalable infrastructure for secure computation that allows (1) amortization, (2) routing, and (3) is robust.
An Important Caveat Regarding Efficiency. In the special cases \(t=n/2+\mathcal {O}(1)\) and \(t=n-\mathcal {O}(1)\), determining whether a graph satisfies the partition condition requires at most \(\mathop {\mathrm {poly}}\nolimits (n)\) time. However, in general the problem is coNP-complete, since it can be restated in the graph complement as subgraph isomorphism of a complete bipartite graph [30]. Our protocols are efficient in n only for \(t = n/2 + \mathcal {O}(1)\) and \(t = n - \mathcal {O}(1)\).^{6} In particular, our protocol is quite efficient for small values of n, a setting in which computing OT correlations in the presence of a dishonest majority may be especially useful in practice.
2 Preliminaries
2.1 Notation and Definitions
All graphs addressed in this work are undirected. We denote a graph as \(G = (V, E)\) where V is a set of vertices and E is a set of edges. We denote an edge e as \(e = \{v_{1}, v_{2}\}\), where \(v_{1}, v_{2} \in V\).
For two graphs \(G_{1} = (V, E_{1})\) and \(G_{2} = (V, E_{2})\) with the same vertex set V, we say that \(G_1\) and \(G_2\) are \((v_1,\ldots ,v_{\ell })\)-isomorphic, denoted by \(G_{1} \simeq _{v_{1}, \ldots , v_{\ell }} G_{2}\), if the two graphs are isomorphic to one another while fixing the labelings of vertices \(v_{1}, \ldots , v_{\ell } \in V\), that is, there exists an isomorphism \(\sigma \) such that \(\sigma (v_{i}) = v_{i}\) for all \(i \in [\ell ]\).
Similarly, given graphs \(G_1= (V_1, E_{1})\) and \(G_{2} = (V_2, E_{2})\) with \(V_1\subseteq V_2\) and \(v_1,\ldots ,v_{\ell }\in V_1\), we say that \(G_1\) is a \((v_1,\ldots ,v_{\ell })\)-subgraph of \(G_2\), denoted \(G_1 \subseteq _{v_1,\ldots ,v_{\ell }} G_2\), if \(G_1\) is \((v_1,\ldots ,v_{\ell })\)-isomorphic to some subgraph of \(G_2\).
In particular, in the special case that graph \(G=(V,E)\) contains vertices \(A,B\in V\), we say that G is an (A, B)-subgraph of \( \varLambda _{a}^{s}\) (or that \(G\subseteq _{A,B} \varLambda _{a}^{s}\)) if there is an isomorphism \(\sigma \) between G and a subgraph of \( \varLambda _{a}^{s}\) such that A is mapped into set \(V_A\) and B is mapped into set \(V_B\) (that is, \(\sigma (A)\in V_A\) and \(\sigma (B)\in V_B\)).
Call an n-vertex graph \(G=(V,E)\) k-unsplittable for \(k\le n/2\) if any two disjoint sets of k vertices have some edge between them. That is, G is k-unsplittable if for all partitions of the vertices V into three disjoint sets \(V_1, V_2, V_3\) of sizes \(|V_1|=|V_2|=k\) and \(|V_3|=n-2k\), there exists some edge \((u,v)\in E\) with \(u\in V_1, v\in V_2\). It is immediate from this definition that G is k-unsplittable if and only if \(G\not \subseteq \varLambda _{k}^{n-2k}\).
Similarly, call G (k, A, B)-unsplittable for \(k\le n/2\) and \(A,B\in V\) if any two disjoint sets of k vertices containing A and B, respectively, have some edge between them. That is, G is (k, A, B)-unsplittable if for all partitions of the vertices of V into three disjoint sets \(V_1, V_2, V_3\) of sizes \(|V_1|=|V_2|=k\) and \(|V_3|=n-2k\) such that \(A\in V_1\) and \(B\in V_2\), there exists some edge \((u,v)\in E\) with \(u\in V_1, v\in V_2\). From this definition we have immediately that G is (k, A, B)-unsplittable if and only if \(G\not \subseteq _{A,B} \varLambda _{k}^{n-2k}\).
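The partition condition of the main theorem (equivalently, (n-t, A, B)-unsplittability as just defined), checked by brute force over all partitions as an added example that is not code from the paper. Vertices are numbered 0..n-1, and the exhaustive search is exponential in n, as expected from the coNP-completeness noted in Sect. 1.2; the test graphs are constructed from the figures described in Sects. 1.2 and 3.

```python
from itertools import combinations

def is_ab_unsplittable(n, edges, k, a, b):
    """(k, A, B)-unsplittable test (Sect. 2.1): True iff every partition V1, V2, V3 of
    {0..n-1} with |V1| = |V2| = k, |V3| = n-2k, a in V1 and b in V2 has at least one
    edge between V1 and V2. Equivalently, the complement of G has no K_{k,k}
    with a on one side and b on the other."""
    adj = {v: set() for v in range(n)}
    for u, v in edges:
        adj[u].add(v)
        adj[v].add(u)
    others = [v for v in range(n) if v not in (a, b)]
    # Enumerate V1 = {a} + (k-1) others, then V2 = {b} + (k-1) of the rest; V3 is what is left.
    for rest1 in combinations(others, k - 1):
        v1 = set(rest1) | {a}
        remaining = [v for v in others if v not in v1]
        for rest2 in combinations(remaining, k - 1):
            v2 = set(rest2) | {b}
            if not any(adj[u] & v2 for u in v1):
                return False  # a splitting partition exists: no t-secure OT for (a, b)
    return True

def ot_possible(n, t, edges, a, b):
    """Main theorem: t-secure OT between a and b exists iff (1) t < n/2, or
    (2) {a, b} is an edge of G, or (3) G is (n-t, a, b)-unsplittable."""
    if 2 * t < n:
        return True                                    # (1) honest majority
    if any({u, v} == {a, b} for u, v in edges):
        return True                                    # (2) trivial
    return is_ab_unsplittable(n, edges, n - t, a, b)   # (3) partition

def all_pairs_possible(n, t, edges):
    """Whether the infrastructure graph lets every pair establish t-secure OT."""
    return all(ot_possible(n, t, edges, a, b)
               for a, b in combinations(range(n), 2))

# Constructed instances: the four-party, two-corruption graphs of Sect. 3
# (A = 0, B = 1, P3 = 2, P4 = 3) and the sparse graphs of Sect. 1.2.
CASE1 = [(0, 2), (1, 3)]                    # Fig. 2(a): two disjoint edges, impossible
CASE2 = [(1, 2), (1, 3)]                    # Fig. 2(b): B has degree 2, possible
CASE3 = [(2, 3)]                            # Fig. 2(c): no edge at A or B, still possible
CLAW6 = [(0, 1), (0, 2), (0, 3)]            # 3-claw on n = 6 vertices, t = 3
CYCLE5 = [(0, 1), (1, 2), (2, 3), (3, 0)]   # 4-cycle on n = 5 vertices, t = 3

if __name__ == "__main__":
    for name, g in (("case1", CASE1), ("case2", CASE2), ("case3", CASE3)):
        print(name, ot_possible(4, 2, g, 0, 1))
    print("claw", all_pairs_possible(6, 3, CLAW6), "cycle", all_pairs_possible(5, 3, CYCLE5))
```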
2.2 Secure Computation
Consider the scenario of n parties \(P_{1}, \ldots , P_{n}\) with private inputs \(x_{1}, \ldots , x_{n} \in \mathcal {D}\) computing a function \(f : \mathcal {D}^{n} \rightarrow \mathcal {D}^{n}\). Let \(\varPi \) be a protocol computing f. We consider security against adaptive t-threshold adversaries, that is, adversaries that adaptively corrupt a set of at most t parties, where \(0 \le t < n\).^{7} We assume the adversary to be semi-honest (i.e. honest-but-curious). That is, the corrupted parties follow the prescribed protocol, but the adversary may try to infer additional information about the inputs of the honest parties. As noted in [36], in the computational setting, using zero-knowledge proofs, it is possible to generically compile a protocol which is secure against semi-honest adversaries into another protocol which is secure against adaptive malicious adversaries [32].^{8} This justifies our focus on the semi-honest setting here.
For a PPT adversary \(\mathcal {A}\), let random variable \(\text {REAL}_{\varPi , \mathcal {A}}^{x_{1}, \ldots , x_{n}}\) consist of the views of the corrupted parties when the protocol \(\varPi \) is run on parties \(P_{1}, \ldots , P_{n}\) with inputs \(x_{1}, \ldots , x_{n}\) respectively. In the ideal world, the honest parties are replaced with a simulator \(\mathcal {S}\) that does not receive input values and knows only the output value of each corrupted party in an honest execution of the protocol. We define the random variable \(\text {IDEAL}_{\varPi ,\mathcal {A}, \mathcal {S}}^{x_{1}, \ldots , x_{n}}\) as the output of the adversary \(\mathcal {A}\) in the ideal game with the simulator when the inputs to parties \(P_{1}, \ldots , P_{n}\) are \(x_{1}, \ldots , x_{n}\), respectively.
Definition 1

For all \(x_{1}, \ldots , x_{n} \in \mathcal {D}^{n}\), party \(P_{i}\) receives \(y_{i}\), where \((y_{1}, \ldots , y_{n}) = f(x_{1}, \ldots , x_{n})\), at the end of the protocol.
For all adaptive semi-honest PPT t-threshold adversaries \(\mathcal {A}\), there exists a PPT simulator \(\mathcal {S}\) such that for all \(x_{1}, \ldots , x_{n} \in \mathcal {D}^{n}\)
$$\left\{ \text {REAL}_{\varPi , \mathcal {A}}^{x_{1}, \ldots , x_{n}}\right\} \equiv \left\{ \text {IDEAL}_{\varPi ,\mathcal {A},\mathcal {S}}^{x_{1}, \ldots , x_{n}}\right\} $$
This definition is for secure computation with perfect information-theoretic security and a non-adaptive adversary. By [15], in the semi-honest setting with information-theoretic security, any protocol which is non-adaptively secure is also adaptively secure. Consequently, satisfying this definition suffices to achieve adaptive security.
In the discussion below, we will sometimes relax security to statistical or computational definitions. A protocol is statistically t-secure if the random variables \(\text {REAL}_{\varPi , \mathcal {A}}^{x_{1}, \ldots , x_{n}}\) and \(\text {IDEAL}_{\varPi ,\mathcal {A},\mathcal {S}}^{x_{1}, \ldots , x_{n}}\) are statistically close, and computationally t-secure if they are computationally indistinguishable.
2.3 Oblivious Transfer
In this work OT refers to 1-out-of-2 oblivious transfer defined as follows.
Definition 2
Note that while OT is typically defined as a 2-party functionality, the definition above adapts it to our setting and formulates OT as an n-party functionality where only two parties supply non-\(\bot \) inputs.
Definition 3
Let G be a network consisting of n parties \(A = P_{1}, B = P_{2}, P_{3}, \ldots , P_{n}\). Then a t-secure OT protocol \(\varPi _{A \rightarrow B}^{G, t}\) is a protocol that t-securely computes the function \(f_{\mathrm {OT}}\) on the inputs of the parties with A as the sender and B as the receiver.
We note that OT is symmetric, in the following sense.
Lemma 1
[64]. If there exists a t-secure OT protocol \(\varPi _{A \rightarrow B}^{G, t}\) for an n-party network G with n parties \(A = P_{1}, B = P_{2}, P_{3}, \ldots , P_{n}\) with A as the sender and B as the receiver, then there exists a t-secure OT protocol \(\widehat{\varPi }_{B \rightarrow A}^{G, t}\) for the same n parties with B as the sender and A as the receiver.
We represent parties as nodes of a graph G where an edge \(\{A, B\}\) indicates that parties A and B may run a 1-secure OT protocol with A as the sender and B as the receiver. By Lemma 1, the roles of the sender and receiver may be reversed, so it makes sense to define G as an undirected graph.
We note the following result regarding the completeness of OT for achieving arbitrary secure multiparty computation.
Lemma 2
[33, 45, 46]. Consider the complete network \(G \simeq K_{n}\) on n vertices. Then, for any function \(f : \mathcal {D}^{n} \rightarrow \mathcal {R}^{n}\), there exists a protocol \(\varPi \) which \((n-1)\)-securely computes f, where party i receives the i-th input \(x_i \in \mathcal {D}\) and produces the i-th output \((f(x))_i\in \mathcal {R}\).
3 Warm-Ups
Let \(G = (V, E)\) be an n-vertex graph representing a network with n parties, where an edge \(\{P_i, P_j\}\in E\) indicates that parties \(P_i\) and \(P_j\) may run a 1-secure 2-party OT protocol with \(P_i\) as the sender and \(P_j\) as the receiver. Let \(t<n\) be an upper bound on the number of corruptions made by the adversary. The central question considered in this work is the following. For which graphs G and which pairs of parties \(A,B\in V\) does there exist a t-secure OT protocol with A as the sender and B as the receiver?
A few small cases have been resolved in prior work. For \(n = 2\), \(t = 1\), a 1-secure OT protocol (with perfect security) between the vertices of the two-vertex graph G does not exist unless the parties were already connected by an OT channel [17, 49]. This result is illustrated in Fig. 1(a).
For \(n = 3\), \(t = 2\), it is known that we can obtain a 2-secure OT protocol between a pair of vertices A, B only if those vertices are already connected by an OT channel, even if there are OT channels from both A and B to the third vertex C as depicted in Fig. 1(b). More generally, for any \(n\ge 2\) and \(t=n-1\), there exists a t-secure OT protocol with sender A and receiver B only if those vertices are already connected by an OT channel, even if all other \(\binom{n}{2}-1\) pairs of vertices are connected by OT channels [36]. This also resolves the question for \(n=4, t=3\).
3.1 Case 1: Fig. 2(a)
We first show that if \(G \simeq _{A, B} G_{1}\) then there does not exist a 2-secure OT protocol for G with A as the sender and B as the receiver.^{9} This is a consequence of the impossibility result of [17, 49]. An outline of the argument is as follows.
Consider components \(\mathcal {C}_1 = \{A, P_{3}\}\) and \(\mathcal {C}_2 = \{B, P_{4}\}\) of G, and let \(\varPi \) be a 2-secure protocol computing \( f_\text {OT}\) in G with A as the sender and B as the receiver. Then we can use \(\varPi \) to construct a 1-secure protocol \(\varPi '\) for the 2-party network \(G_{\mathrm {CK}}\) in Fig. 1(a) with \(A'\) as the sender and \(B'\) as the receiver. In protocol \(\varPi '\), party \(A'\) runs \(\varPi \) for both parties of component \(\mathcal {C}_1\) of G, and \(B'\) runs \(\varPi \) for both parties of component \(\mathcal {C}_{2}\). OT channel invocations can be handled locally, since all OT channels in G are between parties in the same component. Since protocol \(\varPi \) is 2-secure, in particular it is secure against corruptions of the parties in \(\mathcal {C}_{1}\) or the parties in \(\mathcal {C}_{2}\). Consequently \(\varPi '\) is a 1-secure OT protocol for a network \(G' \simeq _{A', B'} G_{\mathrm {CK}}\) with \(A'\) as the sender and \(B'\) as the receiver. However, from [17, 49], we know that no such protocol exists with perfect security. Consequently there is no 2-secure protocol \(\varPi \) for a network \(G \simeq _{A, B} G_{1}\).
Note that this impossibility holds not only for \(G\simeq _{A,B} G_{1}\) but for any (A, B)-subgraph of \(G_{1}\). In particular, if \(G=(V,E)\) is a four-vertex graph with a single edge that is incident to vertex A or vertex B, then G cannot have a 2-secure protocol computing \( f_\text {OT}\) between A and B except in the trivial case when there is already an edge \(\{A,B\}\in E\). This technique of reducing to the known impossibility results of [17, 36, 49] to obtain lower bounds is described formally in Sect. 4.
3.2 Case 2: Fig. 2(b)
In this example we obtain a positive result, showing that there exists a 2-secure OT protocol with A as the sender and B as the receiver. Since B has degree 2 in \(G_{2}\), we have that either B or one of its neighbors must be honest, and so one of the two OT channels must contain an honest party. This suggests the idea of using secret-sharing to ensure security against 2 corruptions.
Consider the following OT protocol where sender A has inputs \(x_{0}, x_{1} \in \{0, 1\}^{m}\) and receiver B has input \(b \in \{0, 1\}\). A computes 2-out-of-2 shares \((x_0^1, x_0^2)\) and \((x_1^1, x_1^2)\) of its inputs \(x_0, x_1\), respectively. A then sends shares \(x_0^1\) and \(x_1^1\) to party \(P_3\) and \(x_0^2\) and \(x_1^2\) to party \(P_4\). Parties \(P_3\) and B invoke their secure OT channel with inputs \((x_0^1, x_1^1)\) and b, and parties \(P_4\) and B invoke their secure OT channel with inputs \((x_0^2, x_1^2)\) and b, respectively. B uses the obtained shares \(x_b^1, x_b^2\) to reconstruct \(x_b\).
We informally argue the 2-security of this protocol assuming that exactly one of A and B is corrupt.^{10} Consider the case where A is corrupt and B is honest. The input of B is only used over secure OT channels, so by the 1-security of the OT channels with \(P_3\) and \(P_4\), the corrupt parties can learn nothing about B's input bit b. Now consider the case where B is corrupt and A is honest. Either \(P_3\) or \(P_4\) must be honest. If \(P_3\) is honest then the security of OT channel \(\{P_3,B\}\) implies that B learns nothing about share \(x_{1-b}^1\), so the security of the secret sharing scheme implies that the corrupt parties learn nothing about \(x_{1-b}\). By symmetry, the same argument applies if \(P_4\) is honest. This completes the argument.
Note that by Lemma 1, we can also obtain a 2-secure OT protocol from A to B whenever A has degree 2 in the OT network. Furthermore, we can extend this idea to construct a t-secure OT protocol whenever either the sender or the receiver has degree at least t. We call this protocol the t-claw protocol and describe it in detail in Sect. 5.1.
3.3 Case 3: Fig. 2(c)
Somewhat surprisingly, we can also show a positive result for graphs \(G\simeq _{A,B} G_{3}\) even though the OT network has no edges involving either the sender A or the receiver B. The protocol is as follows. Since parties \(P_3\) and \(P_4\) have an OT channel between them, by Lemma 2, they can perform 1-secure MPC between them. \(P_{3}\) and \(P_{4}\) use MPC to compute 2-out-of-2 shares of OT correlations with uniformly random inputs and send corresponding shares to A and B, who can then reconstruct the correlations. More concretely, the MPC protocol computes 2-out-of-2 shares \((r_0^1, r_0^2)\), \((r_1^1, r_1^2)\) of two randomly sampled m-bit strings \(r_0, r_1\), 2-out-of-2 shares \((c^1, c^2)\) of a random bit \(c \in \{0,1\}\), and independent 2-out-of-2 shares \((s^1, s^2)\) of the string \(r_c\). Party \(P_3\) receives the first share of each secret, and party \(P_4\) receives the second share. Party \(P_3\) then sends shares \(r_0^1, r_1^1\) to A and \(s^1, c^1\) to B, while \(P_{4}\) sends shares \(r_0^2, r_1^2\) to A and \(s^2, c^2\) to B. A can then reconstruct \(r_0\) and \(r_1\), and B can reconstruct c and \(r_c\). Parties A and B have now established a random OT correlation, which they can use to perform OT with their original inputs using OT correction [3].^{11}
We now informally argue the 2security of this protocol. If A and B are both honest, then the corrupt parties receive no information about their inputs, while if A and B are both corrupt then there is nothing to prove. Consequently we can assume that exactly one of A and B is corrupt and that either \(P_3\) or \(P_4\) is honest. If A is corrupt and \(P_3\) or \(P_4\) is honest, then the adversary learns nothing about c and \(r_{c}\), since it only sees one of the two shares of each. The OT correction phase uses these strings as onetime pads for inputs which are unknown to the adversary, and consequently are informationtheoretically hidden from the adversary. Consequently A learns nothing about B. The case where B is corrupt and \(P_3\) or \(P_4\) is honest follows by the same argument.
This construction can be extended to obtain a tsecure OT protocol whenever the OT graph contains a tclique consisting of t parties which are not the OT sender or receiver. We call this protocol the tclique protocol and describe it in detail in Sect. 5.2.
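As an added illustration (Python written for this page, not code from the paper), the following simulates the Case 3 protocol above and the OT correction of footnote 11. The 1-secure MPC between \(P_3\) and \(P_4\) is replaced by a trusted dealer function (an assumption; the paper realises it interactively over the \(\{P_3,P_4\}\) OT channel), and the names trusted_dealer_mpc, clique_ot and the string length M are choices made here.

```python
import secrets
from typing import Dict, Tuple

M = 16  # bit length m of the strings r_0, r_1 (constructed choice)


def share2(value: int, nbits: int) -> Tuple[int, int]:
    """2-out-of-2 XOR sharing. The first share is uniform, so either share
    alone is independent of `value`; this is what protects against a single
    corrupt P_3 or P_4."""
    s1 = secrets.randbits(nbits)
    return s1, s1 ^ value


def trusted_dealer_mpc(m: int) -> Tuple[Dict[str, int], Dict[str, int]]:
    """Stand-in for the MPC run by P_3 and P_4 (Lemma 2 of the paper).
    Samples a random OT correlation (r_0, r_1, c, r_c), shares every value
    2-out-of-2 (with an independent sharing s of r_c) and returns the share
    bundles that P_3 and P_4 would each hold."""
    r0, r1 = secrets.randbits(m), secrets.randbits(m)
    c = secrets.randbits(1)
    rc = r1 if c else r0
    r0_1, r0_2 = share2(r0, m)
    r1_1, r1_2 = share2(r1, m)
    c_1, c_2 = share2(c, 1)
    s_1, s_2 = share2(rc, m)          # independent sharing of r_c
    p3 = {"r0": r0_1, "r1": r1_1, "c": c_1, "s": s_1}   # first shares
    p4 = {"r0": r0_2, "r1": r1_2, "c": c_2, "s": s_2}   # second shares
    return p3, p4


def clique_ot(x0: int, x1: int, b: int, m: int = M) -> int:
    """Run the Case 3 protocol: P_3/P_4 deal shares, A reconstructs r_0, r_1,
    B reconstructs c and r_c, then A and B perform OT correction over their
    private channel (footnote 11). Returns B's output, which must be x_b."""
    p3, p4 = trusted_dealer_mpc(m)
    # A receives r_0^1, r_1^1 from P_3 and r_0^2, r_1^2 from P_4
    r0 = p3["r0"] ^ p4["r0"]
    r1 = p3["r1"] ^ p4["r1"]
    # B receives s^1, c^1 from P_3 and s^2, c^2 from P_4
    c = p3["c"] ^ p4["c"]
    rc = p3["s"] ^ p4["s"]
    # OT correction, step 1: B -> A sends b' = b xor c
    b_prime = b ^ c
    # step 2: A -> B sends y_0 = x_0 xor r_{b'} and y_1 = x_1 xor r_{1-b'}
    r = (r0, r1)
    y0 = x0 ^ r[b_prime]
    y1 = x1 ^ r[1 - b_prime]
    # step 3: B computes y_b xor r_c = x_b
    y = (y0, y1)
    return y[b] ^ rc


def correct_for_all_inputs(trials: int = 64) -> bool:
    """Sanity check: B always obtains x_b, for both choice bits."""
    for _ in range(trials):
        x0, x1 = secrets.randbits(M), secrets.randbits(M)
        if clique_ot(x0, x1, 0) != x0 or clique_ot(x0, x1, 1) != x1:
            return False
    return True


if __name__ == "__main__":
    print("B learns x_b in every trial:", correct_for_all_inputs())
```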
3.4 Case 4: Fig. 2(d)
We also obtain a positive result for graphs \(G \simeq _{A,B} G_4\). We introduce here a technique we call cascading. The idea is as follows. Using the protocol described in Sect. 3.2 for network \(G_2\) of Fig. 2(b), we have a 2-secure OT protocol with \(P_{3}\) as the sender and \(P_{4}\) as the receiver. This effectively gives us an OT channel between \(P_3\) and \(P_4\). Applying the protocol from Sect. 3.3 on the augmented network, we obtain a 2-secure OT protocol with A as the sender and B as the receiver. We describe this pictorially in Fig. 3.
3.5 Cases 1–4 are Exhaustive
Note that a t-secure OT protocol with sender A and receiver B in an OT network G trivially yields a t-secure protocol for any network \(G'\) such that \(G \subseteq _{A,B} G'\). From cases 1 and 3, we can securely compute \( f_\text {OT}\) in a network G containing at most a single edge if and only if the edge is \(\{A,B\}\) or \(\{P_3,P_4\}\). From cases 1, 2, and 4, we can compute \( f_\text {OT}\) in a network G containing two or more edges including neither of \(\{A,B\}\) or \(\{P_3,P_4\}\) if and only if there is some vertex with degree at least 2 in the OT graph. This completes the characterization of 4-party networks with 2 corruptions.
4 Lower Bound
We now describe a family of impossibility results using a generic reduction to the impossibility result in [36], which we restate in our language below.
Lemma 3
[36]. Consider any three-party network G with \(G \simeq _{A', B'} G_{\mathrm {HIK}}\), the graph in Fig. 1(b). Then any 2-secure OT protocol with \(A'\) as the sender and \(B'\) as the receiver can be used (as a black box) to obtain a 1-secure OT protocol for a network \(G'\) with \(G' \simeq _{A', B'} G_{\mathrm {Kus}}\), the graph in Fig. 1(b), with \(A'\) as the sender and \(B'\) as the receiver.
The theorem below describes an impossibility result over a family of networks. We note that this result was observed in [36]; we restate it in our language and defer the formal proof to the full version.
Theorem 1
Let \(n \ge 2\) and \(n/2 \le t < n\), and let G be an n-party network such that \(G \subseteq \varLambda _{n-t}^{2t-n}\), with \(P_{1} \in V_{A}\) and \(P_{2} \in V_{B}\). Any t-secure OT protocol for G with \(P_{1}\) as the sender and \(P_{2}\) as the receiver can be used (as a black box) to obtain a 1-secure OT protocol for a network \(G'\) with \(G' \simeq _{A, B} G_{\mathrm {CK}}\) with \(A'\) as the sender and \(B'\) as the receiver.
5 Building Blocks
5.1 The t-claw Protocol
Lemma 4
Protocol 1 is an efficient t-secure OT protocol for a network \(G \simeq _{A, B} G_{\mathrm {claw}}^{t}\) with A as the sender and B as the receiver.
Proof Intuition. The t-security of the protocol can be seen as follows. Steps 1, 2 and 7 perform OT correction, that is, they perform a transformation from random OT to 1-out-of-2 OT. This transformation protects against the case that the parties \(P_{3}, \ldots , P_{t + 2}\) (that is, all but A and B) are corrupt. Suppose A were corrupt and B were honest. Clearly, A colluding with any of the parties \(P_{3}, \ldots , P_{t + 2}\) provides A with no additional information, since all they possess are shares sent by A. Next, if A were honest and B corrupt, at least one of the parties \(P_{3}, \ldots , P_{t + 2}\) must be honest. B has no information about that party's shares and hence does not learn anything. Finally, if both A and B were corrupt, there is nothing to prove.
5.2 The t-clique Protocol
The next protocol we describe is the t-clique protocol, where the graph G describing the network is such that \(G \simeq _{A, B} G_{\mathrm {clique}}^{t}\). The protocol is described in Protocol 2. The protocol is a straightforward generalization of the one described in Sect. 3.3. The idea is for the parties \(P_{3}, \ldots , P_{t + 2}\) to compute t-out-of-t shares of OT correlations and send them to A and B respectively. The parties have a complete network of OT channels, so this can be done via multiparty computation (Lemma 2). A and B then perform OT correction using their secure channel. We state the lemma, give a proof outline and defer the full proof to the full version.
Lemma 5
Protocol 2 is an efficient t-secure OT protocol for a network \(G \simeq _{A, B} G_{\mathrm {clique}}^{t}\) with A as the sender and B as the receiver.
5.3 Cascading
The following building block is a generalization of the technique described in Sect. 3.4. The technique describes a general method of combining protocols iteratively. In our context, this can be thought of as a tool for transforming a network described by a graph G to one described by a graph \(G'\), where \(G \subseteq _{V} G'\) and G and \(G'\) are both graphs on the same vertex set V. In other words, it describes protocols as adding new edges indicating the establishment of OT correlations between new pairs of parties in the network. With this abstraction, it is easy to view the technique of cascading as one which combines protocols iteratively to transform the underlying network by adding new edges. This is described formally below.
Definition 4
Let \(G = (V, E)\) and \(G' = (V, E')\) be two graphs on the same set of vertices, V, with \(G \subseteq _{V} G'\). We say that a protocol \(\varPi \) t-transforms a network G into the network \(G'\) if for each \(\{P_{i}, P_{j}\} \in E'\setminus E\), \(\varPi \) is a t-secure OT protocol for a network G with \(P_{i}\) as the sender and \(P_{j}\) as the receiver.^{12}
Lemma 6
If \(\varPi _1\) is a protocol that runs in time \(T_1\) and t-transforms network \(G_1\) into \(G_2\), and \(\varPi _2\) is a protocol that runs in time \(T_2\) and t-transforms network \(G_2\) into \(G_3\), then there exists a protocol \(\varPi \) that runs in time \(T_1T_2\) and t-transforms \(G_1\) into \(G_3\).
Proof
The protocol \(\varPi \) simply runs \(\varPi _2\), running protocol \(\varPi _1\) to obtain the necessary correlations whenever \(\varPi _2\) invokes OT on an edge of \(G_2\setminus G_1\). Let \(\mathcal {S}_{1}\) and \(\mathcal {S}_{2}\) be the simulators associated with \(\varPi _1\) and \(\varPi _2\) respectively. The simulator for \(\varPi \) simply runs \(\mathcal {S}_{2}\), invoking \(\mathcal {S}_{1}\) for OT calls made on edges in \(G_{2} \setminus G_{1}\). \(\square \)
Using OT extension [2, 43], we can also obtain a computationally secure version of cascading with improved efficiency.
Lemma 7
Let \(\lambda \) be a computational security parameter. Assuming one-way functions or correlation-robust hash functions, if \(\varPi _1\) is a protocol that runs in time \(T_1\) and t-transforms network \(G_1\) into \(G_2\), and \(\varPi _2\) is a protocol that runs in time \(T_2\) and t-transforms network \(G_2\) into \(G_3\), then there exists a computationally secure protocol \(\varPi \) that runs in time \(\lambda \cdot T_1 + T_2\cdot \mathop {\mathrm {poly}}\nolimits (\lambda )\) and t-transforms \(G_1\) into \(G_3\).
Proof
First, run protocol \(\varPi _1\) \(\lambda \) times on random inputs to obtain \(\lambda \) independent OT correlations for each edge of \(G_2\setminus G_1\). Then run Protocol \(\varPi _2\), using OT extension to obtain OT correlations for OT calls made on edges in \(G_2\setminus G_1\). \(\square \)
5.4 The 2-path Graph
The protocol described in this section is a commonly used subroutine in several of the protocols which follow. It is a particular combination of the tools encountered in Sects. 5.1, 5.2 and 5.3. The subroutine, which we call 2-path, is the same as the one described in Sect. 3.4. It is used to obtain OT correlations between parties who have a common neighbor in a four-party network with at most two corruptions (see Fig. 4(c)). The following lemma is immediate from Lemma 6 and the 2-security of Protocols 1 and 2 for \(t = 2\) (Lemmata 4 and 5).
Lemma 8
Protocol 3 is an efficient 2-secure OT protocol for a network \(G \simeq _{A, B} G_{\mathrm {2\text {-}path}}^{2}\) with A as the sender and B as the receiver.
5.5 Combiners
OT combiners aim to combine several insecure candidate protocols for establishing OT correlations between two parties into a single secure protocol. For a class of adversaries \(\mathbb {A}\), it is possible to achieve this when the candidate protocols satisfy the property that a majority of them are secure against each adversary \(\mathcal {A} \in \mathbb {A}\). The following lemma is due to [37, 56], relying on prior work by [38, 65] and based on a construction by [22].
Lemma 9
[37, 56]. Let \(\mathbb {A}\) be an adversary class. Suppose there exist m protocols \(\varPi _1,\ldots , \varPi _m\) for \(f_{OT}(A, B, P_{1}, \ldots , P_{n})\) such that for any adversary \(\mathcal {A} \in \mathbb {A}\) a majority of the protocols are secure. Then, there exists a protocol \(\varPi ^*(\varPi _1, \ldots , \varPi _m)\) for \(f_{OT}(A, B, P_{1}, \ldots , P_{n})\) which is secure against all adversaries \(\mathcal {A}\in \mathbb {A}\). Moreover, if each protocol \(\varPi _i\) is efficient and perfectly secure, then so is \(\varPi ^*\).
6 The Case \(t = n/2\)
We now consider the specific case of \(t = n/2\), that is, when at most half the parties are corrupt. We note that this is the smallest value of t for which the question is nontrivial. From the lower bounds proven in Theorem 1, we already have that for all n-party networks G containing A and B such that \(G \subseteq _{A, B} \varLambda _{n/2}^{0}\), there exists no n/2-secure OT protocol with A as the sender and B as the receiver. Surprisingly, Theorem 2 shows that these are the only networks for which (n/2)-secure OT between A and B is impossible. Below, we provide an explicit n/2-secure OT protocol between A and B whenever the network G is (n/2, A, B)-unsplittable.
Theorem 2
Let G be an n-party OT network containing parties A and B. Then Protocol 5 is an n/2-secure OT protocol between A and B if and only if G is (n/2, A, B)-unsplittable.
We analyze the efficiency of the protocol in Theorem 3 below. The protocol as stated runs in quasipolynomial time. We can also obtain a computationally secure protocol which runs in polynomial time. The protocol we describe proceeds in two stages. In the first stage, the protocol transforms every connected component of the network into a clique. This transformation is very specific to the case of \(t = n/2\), and in particular, for \(t>n/2\) a connected component cannot in general function as a clique. This transformation is carried out by means of repeatedly calling Protocol 4, which obtains OT correlations between a pair of parties who have a common neighbour. This protocol uses the building block Protocol 3 from Sect. 5.4 along with machinery of OT combiners described in Sect. 5.5.
Lemma 10
Let G be an n-vertex OT network with edges \(\{A,C\}\) and \(\{B,C\}\). Protocol 4 is an n/2-secure OT protocol for the network G with A as the sender and B as the receiver.
Proof
We consider cases depending on the number of corrupted parties in the set \(T=\{A,B,C\}\). If T contains at most one corrupted party, then each tuple \((A,B,C,P_i)\) for \(i\ge 4\) contains at most 2 corrupted parties, so each protocol \(\varPi _i\) in step 1 is secure. If T contains two corrupted parties, then there are at most \(t-2 = (n-4)/2\) corrupted parties among \(P_4, \ldots , P_n\), so a majority of these parties are honest. Consequently a majority of the protocols \(\varPi _i\) which are combined in step 1 are secure. Thus, in either case, by Lemma 9 the protocol is secure. Finally, if all three parties of T are corrupted, then all uncorrupted parties receive no input, so the simulator \(\mathcal {S}\) can perfectly simulate the uncorrupted parties by running the honest protocol. Therefore Protocol 4 is n/2-secure. \(\square \)
We now complete the proof of Theorem 2.
Proof Intuition (Theorem 2): It is easy to see that by invoking Protocol 4 repeatedly, one can obtain OT correlations between any pair of parties in the same connected component. In other words, using cascading (Lemma 6), we can assume that we are given a network which consists of disjoint cliques. This is done in step 1 of Protocol 5. Hence, if A and B were in the same connected component in G, this process would end up with correlations between A and B and we can terminate the protocol (step 2).
If A and B are in different components, then a natural next step is to run the clique protocol described in Sect. 5.2 with each of the cliques and parties A and B with the intent of setting up OT correlations between A and B. However, the number of corruptions t may be greater than the size of any clique, and so Protocol 2 may not be secure. However, for an invocation to be secure, we only require that the clique contains at least one honest party. A majority of parties must be in cliques containing at least one honest party, so if we invoke Protocol 2 for each of the parties on their respective cliques, for any adversary a majority of the invocations is secure. By Lemma 9 we can combine these candidate protocols to obtain a single secure protocol. This is performed in step 5 of Protocol 5. Finally, we note that steps 3, 4 and 6 perform OT correction, that is, they perform a transformation from random OT to 1-out-of-2 OT. This yields the n/2-security of Protocol 5.
Proof
(Theorem 2). The “only if” part of the theorem has been proven by virtue of the lower bound of Theorem 1 with \(t = n{/}2\). We now prove the “if” part. In the case where A and B are in the same connected component in the network G, the n/2-security of Protocol 4 and Lemma 6 imply that Protocol 5 is an n/2-secure OT protocol with A as the sender and B as the receiver, thus proving the theorem.
We now proceed to the case where A and B are not in the same connected component in G. We must show that the protocol is secure against t-threshold adversaries as long as the vertices cannot be partitioned into two sets \(V_A, V_B\) each of size \(t=n/2\) with \(A\in V_A, B\in V_B\) such that there are no edges between \(V_A\) and \(V_B\). Let \(\mathcal {A}\) be a t-threshold adversary which corrupts parties T, \(|T|\le t\). We will construct a simulator \(\mathcal {S}\) which plays the role of the uncorrupted parties.
If \(\{A,B\} \subset T\) then the uncorrupted parties receive no input, so the simulator can perfectly simulate the uncorrupted parties. If \(\{A,B\}\cap T = \emptyset \) then \(\mathcal {S}\) chooses arbitrary inputs \(x_0,x_1, b\) and runs the protocol. Since the only steps which depend on the input at all are on point-to-point channels between A and B, the view of the adversary in the real and ideal worlds is identical.
Otherwise, we have that the corrupted parties T include exactly one of A, B. If \(A\in T\) but \(B\notin T\), then \(\mathcal {S}\) chooses an arbitrary bit b and runs the protocol, invoking the OT simulator for each invocation of Protocol 4. It follows that as long as the combined protocol \(\varPi ^*\) in step 5 is secure against \(\mathcal {A}\), Protocol 5 is secure against \(\mathcal {A}\). It remains to show that a majority of the n protocols \(\varPi _1,\ldots ,\varPi _n\) are secure against \(\mathcal {A}\). Since party B is honest, by Lemma 5, protocol \(\varPi _i\) is secure against \(\mathcal {A}\) as long as at least one of the parties in clique \(\mathcal {C}(i)\) is honest. In particular, if party \(P_i\) is honest then protocol \(\varPi _i\) is secure against \(\mathcal {A}\). At most t of the parties \(P_1,\ldots ,P_{n}\) are corrupt, so the only protocols which may be insecure against \(\mathcal {A}\) are the t protocols \(\varPi _i\) corresponding to the corrupted parties \(P_i\). Assume that all t of these protocols are insecure against \(\mathcal {A}\). Then the corrupted parties lie in completely corrupted cliques whose sizes sum to n/2. This then gives a set \(V_A = T\) of n/2 parties containing A but not B such that there are no edges from \(V_A\) to the remaining vertices \(V_B = \overline{T}\). However, we know that G possesses no such partition. Hence, at most \(t-1 < n/2\) of the n protocols are insecure against \(\mathcal {A}\), and hence by Lemma 9 the combined protocol \(\varPi ^*\) in step 5 is secure, so Protocol 5 is secure against \(\mathcal {A}\).
The remaining case that \(B\in T\) but \(A\notin T\) is similar. Here, the simulator \(\mathcal {S}\) is given the output value \(x_b\). \(\mathcal {S}\) runs the protocol with \((x_b,x_b)\) as the input to A, again invoking the OT simulator for each invocation of Protocol 4. As above, as long as the combined protocol \(\varPi ^*\) in step 5 is secure against \(\mathcal {A}\), Protocol 5 is secure against \(\mathcal {A}\). By the same argument, the only protocols \(\varPi _i\) which may be insecure against \(\mathcal {A}\) are the t protocols corresponding to the corrupted parties \(P_i\). If all t of these protocols are insecure against \(\mathcal {A}\), we have a set \(V_A = \overline{T}\) of n/2 parties containing A but not B such that there are no edges from \(V_A\) to the remaining vertices \(V_B = T\). However, we know that G possesses no such partition, so at most \(t-1 < n/2\) of the n protocols are insecure against \(\mathcal {A}\). By Lemma 9, the combined protocol \(\varPi ^*\) in step 5 is secure and so Protocol 5 is secure against \(\mathcal {A}\). \(\square \)
We now analyze the efficiency of Protocol 5.
Theorem 3
Protocol 5 runs in quasipolynomial time. Assuming one-way functions, we can obtain a computationally secure protocol which runs in polynomial time using computationally secure cascading (Lemma 7).
Proof
Each iteration of step 1 decreases the length of a path between any pair of vertices from \(\ell \) to \(\lceil \ell + 1\rceil / 2\). Consequently, after \(O(\log n)\) iterations the graph will consist of a collection of disjoint cliques, and the protocol will move on to the next step. By Lemma 6 (Cascading), if each iteration can be performed in time at most T assuming the augmented graph, then the full cascaded protocol runs in time at most \(T^{O(\log n)}\). Since \(T=\mathop {\mathrm {poly}}\nolimits (n)\) and each other step of the protocol is efficient, this implies that Protocol 5 runs in quasipolynomial time.
Replacing the cascading of step 1 with the more efficient but computationally secure cascading of Lemma 7, the cascaded protocol runs in time \(O(T \mathop {\mathrm {poly}}\nolimits (\lambda )\cdot \log n)\). Since each other step of the protocol is efficient, this implies that assuming one-way functions, we have a computationally-secure version of Protocol 5 that runs in quasipolynomial time. \(\square \)
7 The Case \(t=n-2\)
On account of the lower bound proven in [36], we note that \(t = n-2\) is the largest value of t for which the question is nontrivial. In this section we present an improved computationally efficient OT protocol between A and B for the special case \(t=n-2\) for all (2, A, B)-unsplittable networks G.
Theorem 4
Let G be an n-party OT network containing parties A and B. Then Protocol 6 is an efficient \((n-2)\)-secure OT protocol between A and B if and only if G is (2, A, B)-unsplittable.
The protocol is built upon the following structural aspect of the network G under consideration. Since G is (2, A, B)-unsplittable, for any two sets of vertices \(V_{A}\ni A\) and \(V_{B}\ni B\) such that \(|V_{A}| = |V_{B}| = 2\), there exists an edge from a vertex of \(V_{A}\) to a vertex of \(V_{B}\). In particular, this implies that for any two parties \(P_i, P_j\) where \(i, j \ge 3\), the subnetwork \(G_{i,j}\) induced by parties A, B, \(P_i\) and \(P_j\) is (2, A, B)-unsplittable. Then for any i, j, we also have that the subnetwork \(G_{i, j}\) is \((2, P_{i}, P_{j})\)-unsplittable. Hence, we could try to obtain OT correlations between every pair of vertices \(P_i, P_j\) by running Protocol 5 on every \(G_{i, j}\) for \(n = 4\) parties. Notice that if these invocations were secure, then we would obtain an \((n-2)\)-clique in the network, after which we can execute Protocol 2 in order to obtain OT correlations between A and B. This is described in Protocol 6. However, each execution of Protocol 5 is only guaranteed to be secure if at most two of the corresponding parties are corrupt. This need not be true in general, and so we cannot directly leverage the security of Protocol 5. Nonetheless, we will argue that Protocol 6 is secure against \(t = n-2\) corruptions.
Proof Intuition (Theorem 4): In order to analyze the \((n-2)\)-security of Protocol 6, we consider each invocation of Protocol 5 on a subnetwork \(G_{i,j}\). If at most two of the four parties in \(G_{i,j}\) are corrupt, then that invocation of Protocol 5 is secure and yields secure OT correlations between parties \(P_i\) and \(P_j\). Appealing to Lemma 6, we can augment G to include edge \(\{P_{i}, P_{j}\}\).
Each \(G_{i,j}\) must contain at least one honest party since either A or B must be honest (otherwise, there is nothing to prove). It remains to consider subnetworks \(G_{i,j}\) in which three of the parties are corrupt. Since at least one of A or B is honest, this implies that both \(P_{i}\) and \(P_{j}\) are corrupt. Thus, there is nothing to prove regarding the security of the invocation of Protocol 5 on \(G_{i,j}\) since we are establishing OT correlations between a pair of corrupt parties \(P_i\) and \(P_j\). Combining these claims, we have that each of the invocations of Protocol 5 is secure and yields secure OT correlations between the pairs of parties \(P_i,P_j\) for all \(i, j \ge 3\). By virtue of Lemma 6, we obtain an \((n-2)\)-clique in the network, and the \((n-2)\)-security of Protocol 2 with \(t = n-2\) proves the \((n-2)\)-security of Protocol 6.
The formal proof is deferred to the full version.
8 The General Case: \(t\ge n/2\)
In this section, we resolve the network OT question for general \(t \ge n/2\). Note that from the protocols in Sects. 6 and 7 we already have tight answers for the special cases \(t =n/2\) and \(t = n-2\). We address the general question from both ends of the spectrum, namely for t larger than n/2 and t smaller than \(n-2\). These analyses yield two distinct protocols which employ the protocols from Sects. 6 and 7 as their respective base cases. The two protocols we describe are efficient in different parameter regimes. Protocol 7 described in Sect. 8.1 is quasipolynomially efficient^{13} when \(t=n/2+\mathcal {O}(1)\), and Protocol 8 described in Sect. 8.2 is (polynomially) efficient when \(t = n-\mathcal {O}(1)\). Putting these protocols together, we obtain a single protocol that is efficient under computational security when either \(t=n/2+\mathcal {O}(1)\) or \(t = n-\mathcal {O}(1)\). We note that the problem of recognizing whether there exists a t-secure OT protocol is efficient in these cases, while the recognition problem for general n, t is coNP-complete.
8.1 General Protocol (Quasipolynomial for \(t=n/2+\mathcal {O}(1)\))
We now describe a t-secure OT protocol between A and B for all \((n-t, A, B)\)-unsplittable networks G. As a consequence of the lower bound described in Sect. 4, this result is tight.
Theorem 5
Let G be an n-party OT network containing parties A and B, and let \(t \ge n/2\). Then Protocol 7 is a t-secure OT protocol between A and B if and only if G is \((n-t, A, B)\)-unsplittable. The protocol achieves perfect security and runs in quasipolynomial time for \(t=n/2 + \mathcal {O}(1)\). Assuming one-way functions, we can also obtain a protocol which achieves computational security and runs in polynomial time for \(t=n/2 + \mathcal {O}(1)\).
The protocol proceeds by recursion, reducing the problem of obtaining an OT protocol on an n-vertex graph with \(t>n/2\) corrupted parties to a number of instances of \(n'\)-vertex graphs, a majority of which have at most \(t'\) corrupted parties, for \(n'=n-1\) and \(t'=t-1\). As shown below, each \(n'\)-vertex subgraph \(G'\) has a structure similar to G in the sense that \(G'\) is \((n'-t', A, B)\)-unsplittable whenever G is \((n-t, A, B)\)-unsplittable. We can now recurse on these smaller problem instances, invoking an OT combiner to obtain the full protocol.
More precisely, the protocol constructs \(n-2\) subgraphs on \(n-1\) vertices, where each subgraph is obtained by deleting a single vertex other than A and B. We can recursively run a \((t-1)\)-secure OT protocol on each of the subgraphs. The final protocol invokes a combiner on these \(n-2\) candidate protocols. It remains to be shown that a majority of the subgraphs \(G'\) contain at most \(t-1\) corrupt parties.
Proof Intuition (Theorem 5): We may assume that at least one of A or B is honest. As described above, we wish to argue that a majority of the subgraphs \(G'\) contain at most \(t-1\) corrupt parties. Combining this with the claim that these subgraphs preserve an unsplittability property of G and invoking Lemma 9 completes the proof.
This claim follows from the following observation. Since \(t > n/2\), if exactly t parties are corrupt then a majority of the subgraphs contain at most \(t-1\) corrupt parties, since A and B are not both corrupt. If strictly fewer than t parties are corrupt then all of the subgraphs contain at most \(t-1\) corrupt parties. In either case, for a majority of subgraphs, at most \(t-1\) of the parties are corrupt.
We first present and prove a structure lemma.
Lemma 11
Given graph \(G=(V,E)\) and a vertex i, let \(G_i\) be the induced graph on the \(n-1\) vertices \(V\setminus \{i\}\). If G is \((n-t, A, B)\)-unsplittable, then \(G_i\) is also \((n-t, A, B)\)-unsplittable.
Proof
We will prove the contrapositive. Suppose that \(G_i\subseteq _{A, B} \varLambda _{n-t}^{2t-n-1}\). This means there exists a partition of the vertex set of \(G_{i}\) as \(V_{A} \cup V_{S} \cup V_{B}\) with no edges between \(V_A\) and \(V_B\), where \(A \in V_{A}\), \(B \in V_{B}\), \(|V_{A}| = |V_{B}| = n-t\) and \(|V_{S}| = 2t-n-1\). But then we can partition the vertex set of G as \(V_{A} \cup V_{S}' \cup V_{B}\), where \(V_{S}' = V_{S} \cup \{i\}\). We have that \(|V_{A}| = |V_{B}| = n-t\) and \(|V_{S}'| = 2t-n\), and there are no edges between \(V_A\) and \(V_B\), so \(G \subseteq _{A, B} \varLambda _{n-t}^{2t-n}\), which is a contradiction. \(\square \)
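The following Python checker is added here and is not part of the paper. It decides \((k, A, B)\)-unsplittability by brute force (searching for disjoint k-sets \(V_A \ni A\), \(V_B \ni B\) with no edge between them, which is exactly an embedding \(G \subseteq _{A,B} \varLambda _k^{n-2k}\)), applies Theorem 5 with \(k = n-t\), and checks Lemma 11 on a given graph by deleting each vertex in turn; the four-party instances are constructed from the case analysis of Sect. 3.5, and all function names are choices made here.

```python
from itertools import combinations
from typing import Hashable, Iterable, List, Optional, Set, Tuple

Vertex = Hashable
Edge = Tuple[Vertex, Vertex]
Split = Tuple[Set[Vertex], Set[Vertex]]


def find_split(vertices: Iterable[Vertex], edges: Iterable[Edge],
               a: Vertex, b: Vertex, k: int) -> Optional[Split]:
    """Search for a witness that G is NOT (k, a, b)-unsplittable: disjoint
    sets V_A (containing a) and V_B (containing b), each of size k, with no
    edge of G between them. The remaining n-2k vertices play the role of V_S
    in Lambda_k^{n-2k}. Returns (V_A, V_B) or None. Exhaustive search, so
    this is only meant for the small networks of the case analyses."""
    edge_set = {frozenset(e) for e in edges}
    others = [v for v in vertices if v not in (a, b)]
    for xa in combinations(others, k - 1):
        v_a = set(xa) | {a}
        rest = [v for v in others if v not in v_a]
        for xb in combinations(rest, k - 1):
            v_b = set(xb) | {b}
            crossing = any(frozenset((u, w)) in edge_set
                           for u in v_a for w in v_b)
            if not crossing:
                return v_a, v_b
    return None


def is_unsplittable(vertices: List[Vertex], edges: List[Edge],
                    a: Vertex, b: Vertex, k: int) -> bool:
    """G is (k, a, b)-unsplittable iff no split witness exists."""
    return find_split(vertices, edges, a, b, k) is None


def ot_possible(vertices: List[Vertex], edges: List[Edge],
                a: Vertex, b: Vertex, t: int) -> bool:
    """Theorem 5 (t >= n/2): a t-secure OT protocol from a to b exists in G
    exactly when G is (n - t, a, b)-unsplittable."""
    n = len(vertices)
    if 2 * t < n:
        raise ValueError("Theorem 5 is stated for t >= n/2")
    return is_unsplittable(vertices, edges, a, b, n - t)


def lemma11_holds(vertices: List[Vertex], edges: List[Edge],
                  a: Vertex, b: Vertex, t: int) -> bool:
    """Check Lemma 11 on one graph: if G is (n-t, a, b)-unsplittable, then
    every G_i obtained by deleting a vertex i not in {a, b} is still
    (n-t, a, b)-unsplittable (same k = n-t, one vertex fewer)."""
    n = len(vertices)
    k = n - t
    if not is_unsplittable(vertices, edges, a, b, k):
        return True   # hypothesis fails; the lemma says nothing about this G
    for i in vertices:
        if i in (a, b):
            continue
        sub_v = [v for v in vertices if v != i]
        sub_e = [e for e in edges if i not in e]
        if not is_unsplittable(sub_v, sub_e, a, b, k):
            return False
    return True


# Constructed four-party instances (t = 2, so k = n - t = 2) from Sect. 3.5.
FOUR = ["A", "B", "P3", "P4"]
CASES = {
    "edge {A,B} only":       [("A", "B")],
    "edge {P3,P4} only":     [("P3", "P4")],
    "edge {A,P3} only":      [("A", "P3")],
    "matching A-P3, B-P4":   [("A", "P3"), ("B", "P4")],
    "A has degree 2":        [("A", "P3"), ("A", "P4")],
    "path A-P3-B":           [("A", "P3"), ("P3", "B")],
}

if __name__ == "__main__":
    for name, edges in CASES.items():
        ok = ot_possible(FOUR, edges, "A", "B", 2)
        print(f"{name:24s} 2-secure OT A->B possible: {ok}")
```

The two single-edge cases report True only for \(\{A,B\}\) and \(\{P_3,P_4\}\), and the two-edge cases only when some vertex has degree 2, matching the characterization of Sect. 3.5.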
As an immediate consequence, the condition described in Theorem 5 is both necessary and sufficient in order to obtain a complete network of OT channels and perform secure multiparty computation among all parties in the network.
Corollary 1
Let G be an n-party network. For \(t\ge n/2\), we can t-securely generate OT correlations between all pairs of parties (thus completing the OT network) if and only if G is \((n-t)\)-unsplittable.
8.2 General Protocol (Efficient for \(t=n-\mathcal {O}(1)\))
Theorem 6
Let G be an n-party OT network containing parties A and B, and let \(t \ge n/2\). Protocol 8 is a t-secure OT protocol between A and B if and only if G is \((n-t, A, B)\)-unsplittable. The protocol is efficient for \(t=n-\mathcal {O}(1)\).
The idea behind this protocol is the following. We increase the size of the network in order to obtain a large number N of well-connected additional simulated parties such that at least one of them is guaranteed to be honest. We may assume that at least one of A and B is honest, as otherwise there is nothing to prove. Consequently there are at least two honest parties in the augmented network. We will now apply the protocol from Sect. 7. It remains to describe the construction of these simulated parties, to show that at least one of them is honest, and to prove a structural lemma that if the original network G is \((n-t, A, B)\)-unsplittable then the augmented network \(G'\) is (2, A, B)-unsplittable.
Proof Intuition (Theorem 6): We first describe the new network generated by Protocol 8. The parties other than A and B in the newly constructed network consist of all subsets of size \(n-t-1\) of the parties in G containing neither A nor B. Lemma 12 below shows that this new network \(G'\) is (2, A, B)-unsplittable whenever G is \((n-t, A, B)\)-unsplittable, where the edges of \(G'\) are as described in Protocol 8. A party X in \(G'\) will be considered honest if all constituent parties \(P_i\in X\) from G are honest. Since one of A and B is honest and at most t parties are corrupt, at least \(n-t\) parties are honest and in particular, at least \(n-t-1\) of the parties other than A and B must be honest. This means that one of the subsets is completely honest. Since A or B is also honest, \(G'\) is guaranteed to have at least two honest parties. Combining these facts and invoking Theorem 4 completes the argument.
We will use the following structural lemma about the network \(G'\) constructed in Protocol 8. The formal proof of Theorem 6 is deferred to the full version.
Lemma 12
If G is \((n-t, A, B)\)-unsplittable, then \(G'\) is a (2, A, B)-unsplittable network on \(n'=\binom{n-2}{n-t-1} + 2\) vertices, where \(G'\) is the network from Protocol 8.
Proof
We prove the contrapositive. Assume that \(G'\subseteq _{A,B} \varLambda _2^{n'-2}\). Let \(k=n-t\), and for \(i\in \mathbb {N}\), let \(S_i\) denote the set of subsets of \(V\setminus \{A,B\}=\{P_3,\ldots ,P_n\}\) of size i. Then there exist vertices \(X,Y \in S_{k-1}\) such that there are no edges in \(G'\) between any of the parties in \(\{A,X\}\) and any of the parties in \(\{B,Y\}\). In particular, \(X\cap Y = \emptyset \), since otherwise \(\{X,Y\}\) would be an edge of \(G'\). This implies that we have \(2k=2(n-t)\) parties \(\{A,B\}\cup X\cup Y\) such that there are no edges in G from the \(n-t\) parties \(\{A\} \cup X\) to any of the \(n-t\) parties \(\{B\}\cup Y\). By definition, this means that \(G\subseteq _{A,B} \varLambda _{n-t}^{2t-n}\), which is a contradiction. \(\square \)
Footnotes
 2.
As a rule of thumb, use of public-key cryptography is computationally around 4–6 orders of magnitude more expensive than using symmetric-key cryptography [7].
 3.
When \(t < n/2\), there is no need to rely on an OT infrastructure [63].
 4.
Recall that in the model considered in this work, we assume a full network of secure private communication channels.
 6.
For \(t=n/2 + \mathcal {O}(1)\), we achieve efficiency using computationally-secure OT extension (e.g. [2, 43]). Our protocol with information-theoretic security is quasipolynomial-time for \(t=n/2 + \mathcal {O}(1)\). We do, however, achieve information-theoretic security in polynomial time for \(t=n-\mathcal {O}(1)\).
 7.
Note that when \(t = n\), there is nothing to prove.
 8.
We note that in the computational setting, it is also possible to transform, in a black-box way, a protocol which is secure against semi-honest adversaries into another protocol which is secure against static malicious adversaries [35].
 9.
Recall that \(H\simeq _{A, B}H'\) for two graphs \(H,H'\) if there exists an isomorphism between H and \(H'\) preserving the labels of vertices A and B.
 10.
An additional step is needed to address the case in which \(P_3\) and \(P_4\) are corrupt and A and B are both honest. Then \(P_{3}\) and \(P_{4}\) can learn \(x_{0}\) and \(x_{1}\), the inputs of A, in the protocol just described. This can be handled with the technique of OT correction, using a onetime pad and the secure pointtopoint channel between A and B. Equivalently, we could run the protocol on random inputs, and then use method of [3] to obtain 1outof2 OT from random OT. If A and B are both corrupt then there is nothing to prove.
 11.
This OT correction step can be performed as follows. Party B sends \(b' = b\oplus c\) to A. A responds with \(y_0=x_0\oplus r_{b'}\) and \(y_1=x_1\oplus r_{1b'}\). Finally, B computes \(y_b \oplus r_c = x_b\).
 12.
Note that a single protocol \(\varPi \) may set up independent random OT correlations for several pairs of parties \(\{P_{i}, P_{j}\} \in E'\setminus E\). These correlations can be used to run 1outof2 OT using OT correction.
 13.
Or polynomially efficient under computational security.
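Footnotes 10–12 describe OT correction, the precomputed-OT technique of [3], in words. The following is an added example, not code from the paper or its authors: it runs both sides of the exchange with the messages \(b'\), \(y_0\), \(y_1\) of footnote 11, extended from single bits to equal-length byte strings, and checks what each side can recover from its view. The random OT correlation is produced by a trusted-dealer stand-in (an assumption of the example; in the paper it comes from the helper parties via \(\varPi \)), and the class and function names are the example's own.

```python
# Added example, not code from the paper: OT correction as in footnote 11,
# turning one random OT correlation into one 1-out-of-2 OT on chosen inputs.
# Messages b', y0, y1 are what A and B exchange over their secure channel.
import secrets


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b), "one-time-pad operands must have equal length"
    return bytes(x ^ y for x, y in zip(a, b))


def random_ot_correlation(nbytes: int):
    """Stand-in for the protocol Π that sets up the random OT correlation.
    ASSUMPTION: simulated by a trusted dealer here; the paper derives it from
    the helper parties.  A gets (r0, r1); B gets (c, r_c) and nothing about r_{1-c}."""
    r0, r1 = secrets.token_bytes(nbytes), secrets.token_bytes(nbytes)
    c = secrets.randbelow(2)
    return (r0, r1), (c, (r0, r1)[c])


class SenderA:
    """A holds the chosen inputs x0, x1 and the correlation share (r0, r1)."""
    def __init__(self, x0: bytes, x1: bytes, r0: bytes, r1: bytes):
        self.x, self.r = (x0, x1), (r0, r1)

    def respond(self, b_prime: int):
        # y0 = x0 ⊕ r_{b'},  y1 = x1 ⊕ r_{1-b'}
        return xor(self.x[0], self.r[b_prime]), xor(self.x[1], self.r[1 - b_prime])


class ReceiverB:
    """B holds the choice bit b and the correlation share (c, r_c)."""
    def __init__(self, b: int, c: int, rc: bytes):
        self.b, self.c, self.rc = b, c, rc

    def choose(self) -> int:
        return self.b ^ self.c            # b' = b ⊕ c is uniform, so A learns nothing about b

    def finish(self, y0: bytes, y1: bytes) -> bytes:
        return xor((y0, y1)[self.b], self.rc)   # y_b ⊕ r_c = x_b


def ot_correction(x0: bytes, x1: bytes, b: int, correlation):
    """Run the exchange once; return B's output and the transcript A observes."""
    (r0, r1), (c, rc) = correlation
    A, B = SenderA(x0, x1, r0, r1), ReceiverB(b, c, rc)
    b_prime = B.choose()            # message 1: B -> A
    y0, y1 = A.respond(b_prime)     # message 2: A -> B
    return B.finish(y0, y1), {"b_prime": b_prime, "y0": y0, "y1": y1}


def receiver_can_unmask_other(x0: bytes, x1: bytes, b: int, correlation) -> bool:
    """B's view of the unchosen value is y_{1-b} = x_{1-b} ⊕ r_{1-c}.  B only knows
    r_c, so stripping r_c does not reveal x_{1-b} (unless the dealer gave r0 == r1)."""
    _, t = ot_correction(x0, x1, b, correlation)
    (_, _), (_, rc) = correlation
    return xor((t["y0"], t["y1"])[1 - b], rc) == (x0, x1)[1 - b]


if __name__ == "__main__":
    x0, x1 = b"message zero....", b"message one....."   # constructed 16-byte inputs
    for b in (0, 1):
        corr = random_ot_correlation(16)   # one correlation per OT; never reuse it
        out, transcript = ot_correction(x0, x1, b, corr)
        assert out == (x0, x1)[b]
        print(f"b={b}: A saw b'={transcript['b_prime']}, B got {out!r}")
```

Each correlation must be consumed exactly once: reusing (r0, r1) with a second choice bit lets B combine the two transcripts and strip both pads. The messages themselves are one-time-pad encryptions, so nothing beyond the pre-shared randomness is assumed of the channel other than that it is private between A and B, which is exactly footnote 10's reason for running the helper protocol on random inputs and correcting afterwards.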
References
1. Applebaum, B., Ishai, Y., Kushilevitz, E., Waters, B.: Encoding functions with constant online rate or how to compress garbled circuits keys. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 166–184. Springer, Heidelberg (2013)
2. Beaver, D.: Correlated pseudorandomness and the complexity of private computations. In: STOC, pp. 479–488 (1996)
3. Beaver, D.: Precomputing oblivious transfer. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 97–109. Springer, Heidelberg (1995)
4. Beerliová-Trubíniová, Z., Hirt, M.: Perfectly-secure MPC with linear communication complexity. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 213–230. Springer, Heidelberg (2008)
5. Beimel, A., Malkin, T., Micali, S.: The all-or-nothing nature of two-party secure computation. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 80–97. Springer, Heidelberg (1999)
6. Beimel, A., Omri, E., Orlov, I.: Protocols for multiparty coin toss with dishonest majority. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 538–557. Springer, Heidelberg (2010)
7. Bellare, M., Hoang, V.T., Keelveedhi, S., Rogaway, P.: Efficient garbling from a fixed-key blockcipher. In: IEEE Security and Privacy, pp. 478–492 (2013)
8. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for non-cryptographic fault-tolerant distributed computations. In: STOC, pp. 1–10 (1988)
9. Ben-Sasson, E., Fehr, S., Ostrovsky, R.: Near-linear unconditionally-secure multiparty computation with a dishonest minority. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 663–680. Springer, Heidelberg (2012)
10. Bendlin, R., Damgård, I., Orlandi, C., Zakarias, S.: Semi-homomorphic encryption and multiparty computation. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 169–188. Springer, Heidelberg (2011)
11. Bogdanov, D., Laur, S., Willemson, J.: Sharemind: a framework for fast privacy-preserving computations. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 192–206. Springer, Heidelberg (2008)
12. Bogetoft, P., et al.: Secure multiparty computation goes live. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 325–343. Springer, Heidelberg (2009)
13. Boyle, E., Chung, K.-M., Pass, R.: Large-scale secure computation: multiparty computation for (parallel) RAM programs. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 742–762. Springer, Heidelberg (2015)
14. Boyle, E., Goldwasser, S., Tessaro, S.: Communication locality in secure multiparty computation: how to run sublinear algorithms in a distributed setting. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 356–376. Springer, Heidelberg (2013)
15. Canetti, R., Damgård, I., Dziembowski, S., Ishai, Y., Malkin, T.: On adaptive vs. non-adaptive security of multiparty protocols. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 262–279. Springer, Heidelberg (2001)
16. Chaum, D., Crépeau, C., Damgård, I.: Multiparty unconditionally secure protocols. In: STOC, pp. 11–19 (1988)
17. Chor, B., Kushilevitz, E.: A zero-one law for boolean privacy (extended abstract). In: STOC, pp. 62–72 (1989)
18. Chou, T., Orlandi, C.: The simplest protocol for oblivious transfer. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LatinCrypt 2015. LNCS, vol. 9230, pp. 40–58. Springer, Heidelberg (2015)
19. Damgård, I., Ishai, Y.: Scalable secure multiparty computation. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 501–520. Springer, Heidelberg (2006)
20. Damgård, I., Ishai, Y., Krøigaard, M.: Perfectly secure multiparty computation and the computational overhead of cryptography. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 445–465. Springer, Heidelberg (2010)
21. Damgård, I., Ishai, Y., Krøigaard, M., Nielsen, J.B., Smith, A.: Scalable multiparty computation with nearly optimal work and resilience. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 241–261. Springer, Heidelberg (2008)
22. Damgård, I., Kilian, J., Salvail, L.: On the (im)possibility of basing oblivious transfer and bit commitment on weakened security assumptions. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 56–73. Springer, Heidelberg (1999)
23. Damgård, I., Nielsen, J.B.: Scalable and unconditionally secure multiparty computation. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 572–590. Springer, Heidelberg (2007)
24. Damgård, I., Pastro, V., Smart, N., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 643–662. Springer, Heidelberg (2012)
25. Dani, V., King, V., Movahedi, M., Saia, J.: Brief announcement: breaking the O(nm) bit barrier, secure multiparty computation with a static adversary. In: PODC, pp. 227–228 (2012)
26. Dolev, D., Dwork, C., Waarts, O., Yung, M.: Perfectly secure message transmission. In: FOCS, pp. 36–45 (1990)
27. Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology, pp. 205–210. Springer, New York (1983)
28. Fitzi, M., Franklin, M.K., Garay, J.A., Vardhan, S.H.: Towards optimal and efficient perfectly secure message transmission. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 311–322. Springer, Heidelberg (2007)
29. Garay, J.A., Katz, J., Koo, C.-Y., Ostrovsky, R.: Round complexity of authenticated broadcast with a dishonest majority. In: FOCS, pp. 658–668 (2007)
30. Garey, M., Johnson, D.: Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman, New York (1979)
31. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game, or a completeness theorem for protocols with honest majority. In: STOC, pp. 218–229 (1987)
32. Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity for all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 691–729 (1991)
33. Goldreich, O., Vainish, R.: How to solve any protocol problem: an efficiency improvement. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 73–86. Springer, Heidelberg (1988)
34. Goldwasser, S., Kalai, Y., Popa, R., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: STOC, pp. 555–564 (2013)
35. Haitner, I.: Semi-honest to malicious oblivious transfer—the black-box way. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 412–426. Springer, Heidelberg (2008)
36. Harnik, D., Ishai, Y., Kushilevitz, E.: How many oblivious transfers are needed for secure multiparty computation? In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 284–302. Springer, Heidelberg (2007)
37. Harnik, D., Ishai, Y., Kushilevitz, E., Nielsen, J.B.: OT-combiners via secure computation. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 393–411. Springer, Heidelberg (2008)
38. Harnik, D., Kilian, J., Naor, M., Reingold, O., Rosen, A.: On robust combiners for oblivious transfer and other primitives. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 96–113. Springer, Heidelberg (2005)
39. Hirt, M., Lucas, C., Maurer, U.: A dynamic tradeoff between active and passive corruptions in secure multiparty computation. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 203–219. Springer, Heidelberg (2013)
40. Huang, Y., Katz, J., Evans, D.: Efficient secure two-party computation using symmetric cut-and-choose. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 18–35. Springer, Heidelberg (2013)
41. Huang, Y., Katz, J., Kolesnikov, V., Kumaresan, R., Malozemoff, A.J.: Amortizing garbled circuits. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 458–475. Springer, Heidelberg (2014)
42. Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: STOC, pp. 44–61 (1989)
43. Ishai, Y., Kilian, J., Nissim, K., Petrank, E.: Extending oblivious transfers efficiently. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 145–161. Springer, Heidelberg (2003)
44. Ishai, Y., Kushilevitz, E., Lindell, Y., Petrank, E.: On combining privacy with guaranteed output delivery in secure multiparty computation. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 483–500. Springer, Heidelberg (2006)
45. Ishai, Y., Prabhakaran, M., Sahai, A.: Founding cryptography on oblivious transfer – efficiently. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 572–591. Springer, Heidelberg (2008)
46. Kilian, J.: Founding cryptography on oblivious transfer. In: STOC, pp. 20–31 (1988)
47. Kolesnikov, V., Schneider, T.: Improved garbled circuit: free XOR gates and applications. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 486–498. Springer, Heidelberg (2008)
48. Kovári, T., Sós, V., Turán, P.: On a problem of K. Zarankiewicz. Colloquium Math. 3(1), 50–57 (1954)
49. Kushilevitz, E.: Privacy and communication complexity. In: FOCS, pp. 416–421 (1989)
50. Larraia, E., Orsini, E., Smart, N.P.: Dishonest majority multiparty computation for binary circuits. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 495–512. Springer, Heidelberg (2014)
51. Lindell, Y., Pinkas, B., Smart, N.P., Yanai, A.: Efficient constant round multiparty computation combining BMR and SPDZ. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 319–338. Springer, Heidelberg (2015)
52. Lindell, Y., Riva, B.: Cut-and-choose Yao-based secure computation in the online/offline and batch settings. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 476–494. Springer, Heidelberg (2014)
53. Lindell, Y.: Fast cut-and-choose based protocols for malicious and covert adversaries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 1–17. Springer, Heidelberg (2013)
54. Lindell, Y., Pinkas, B.: An efficient protocol for secure two-party computation in the presence of malicious adversaries. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 52–78. Springer, Heidelberg (2007)
55. Maji, H.K., Prabhakaran, M., Rosulek, M.: A zero-one law for cryptographic complexity with respect to computational UC security. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 595–612. Springer, Heidelberg (2010)
56. Meier, R., Przydatek, B., Wullschleger, J.: Robuster combiners for oblivious transfer. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 404–418. Springer, Heidelberg (2007)
57. Mohassel, P., Riva, B.: Garbled circuits checking garbled circuits: more efficient and secure two-party computation. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 36–53. Springer, Heidelberg (2013)
58. Naor, M., Pinkas, B.: Efficient oblivious transfer protocols. In: SODA, pp. 448–457 (2001)
59. Nielsen, J.B., Nordholt, P.S., Orlandi, C., Burra, S.S.: A new approach to practical active-secure two-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 681–700. Springer, Heidelberg (2012)
60. Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008)
61. Prabhakaran, M., Prabhakaran, V.: On secure multiparty sampling for more than two parties. In: Information Theory Workshop (ITW) (2012)
62. Rabin, M.: How to exchange secrets by oblivious transfer (1981)
63. Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority. In: STOC, pp. 73–85 (1989)
64. Wolf, S., Wullschleger, J.: Oblivious transfer is symmetric. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 222–232. Springer, Heidelberg (2006)
65. Wullschleger, J.: Oblivious-transfer amplification. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 555–572. Springer, Heidelberg (2007)
66. Yao, A.C.-C.: How to generate and exchange secrets. In: FOCS, pp. 162–167 (1986)
67. Zahur, S., Rosulek, M., Evans, D.: Two halves make a whole. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 220–250. Springer, Heidelberg (2015)
68. Zamani, M., Movahedi, M., Saia, J.: Millions of millionaires: multiparty computation in large networks. ePrint 2014/149