
Network Oblivious Transfer

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9815)

Abstract

Motivated by the goal of improving the concrete efficiency of secure multiparty computation (MPC), we study the possibility of implementing an infrastructure for MPC. We propose an infrastructure based on oblivious transfer (OT), which would consist of OT channels between some pairs of parties in the network. We devise information-theoretically secure protocols that allow additional pairs of parties to establish secure OT correlations using the help of other parties in the network in the presence of a dishonest majority. Our main technical contribution is an upper bound that matches a lower bound of Harnik, Ishai, and Kushilevitz (Crypto 2007), who studied the number of OT channels necessary and sufficient for MPC. In particular, we characterize which n-party OT graphs G allow t-secure computation of OT correlations between all pairs of parties, showing that this is possible if and only if the complement of G does not contain the complete bipartite graph \(K_{n-t,n-t}\) as a subgraph.

Keywords

Secure Computation, Oblivious Transfer, Honest Party, Computational Security, Secure Multiparty Computation

1 Introduction

Protocols for secure multiparty computation [8, 16, 31, 66] allow a set of mutually distrusting parties to carry out a distributed computation without compromising the privacy of inputs or the correctness of the end result. As a research area, secure computation has witnessed several breakthroughs in the last decade [40, 41, 43, 47, 52, 53, 54, 57, 59, 67]. However, despite a wide array of potential game-changing applications, there is nearly no practical adoption of secure computation today (with the notable exceptions of [11, 12]). Computations wrapped in a secure computation protocol do not yet deliver results efficiently enough to be acceptable in many cloud-computing applications. For instance, state-of-the-art semihonest 2-party protocols incur a factor \(\approx \)100 slowdown even for simple computations.

In the absence of practical real-world protocols for secure computation which are secure in the presence of any number of dishonest parties, there is a need for relaxations that are meaningful and yet provide significant performance benefits. As an example, classic protocols for secure computation [8, 16, 63] (with subsequent improvements e.g., [4, 9, 19, 20, 21, 23]) offer vastly better efficiency at the cost of tolerating only a small constant fraction of adversaries. The resilience offered is certainly acceptable when the number of participating parties is large, e.g., the setting of large-scale secure computation [13, 14, 25, 68]. Although large-scale secure computation is well-suited for several interesting applications (such as voting, census, surveys), we posit that typical settings involve computations over data supplied by a few end users. In such cases, the overhead associated with interaction among a large number of helper parties is likely to render these protocols more expensive than a standard secure computation protocol among the end users. If the number of helper parties is small, security against a small fraction of corrupt parties may be a very weak guarantee, since a handful of corrupt parties could render the protocol insecure.

An orthogonal approach for reducing the online cost of secure computation protocols is the use of preprocessing [1, 3, 10, 24]. This approach can dramatically reduce the cost of secure computation: for instance, given preprocessing [3], the \(\approx \)100 factor slowdown for simple computations no longer applies. Recent theoretical research has shown that many primitives can even be made reusable (e.g. [34]). Perhaps the most important drawback of this approach (other than the fact that the preprocessing phase is typically very expensive) is that the preprocessing is not transferable. Clearly, a pair of parties that want to perform a secure computation cannot benefit from this approach without performing the expensive preprocessing step. Moreover, this seems to hold even if each of the two parties has set up the preprocessing with multiple others. Typically, the cost of the preprocessing phase is quite high, presenting a barrier for the practical use of preprocessed protocols. This is especially true in settings where parties are unlikely to run many secure computations that would amortize the cost of preprocessing.

Motivated by the discussion above, we conclude that some directions that seem to offer efficiency benefits for secure computation are (1) highly resilient protocols that use only a small number of helper parties, and (2) a preprocessing procedure that allows a notion of transferability between users. Taken together, these two ideas have the potential to provide an infrastructure for efficient secure computation. Some sets of parties might run a preprocessing phase among themselves. These parties can then act as helper parties and “transfer” their preprocessing to help users who want to run a secure computation protocol. We informally describe some desiderata for such an infrastructure:
  • Reusability/Amortization. Setting up an infrastructure component could be expensive, but using it and maintaining it should be inexpensive relative to setting up a new component.

  • Transferability/Routing. It should be possible to combine different components of the infrastructure to deliver benefits to the end users.

  • Robustness/Fault-tolerance. Failure or unavailability of some components of the infrastructure should not nullify the usefulness of the infrastructure.

It is not hard to see that the above criteria are fulfilled by infrastructures that we use in daily life, e.g., the infrastructure for online communication (e-mail, instant messaging, etc.) consisting of transatlantic undersea cables, routers, wireless access points, etc. What cryptographic primitives would be good candidates for a secure computation infrastructure? In this work, we explore the possibility of using oblivious transfer [27, 62] for this purpose.

1.1 Our Model: Network Oblivious Transfer

Oblivious transfer (OT) is a fundamental building block of secure computation [45, 46]. As discussed in [45], some of the benefits of basing secure computation on OT include:
  • Preprocessing. OT enables precomputation in an offline stage before the inputs or the function to be computed are known. The subsequent online phase is extremely efficient [3].

  • Amortization. The cost of computing OTs can be accelerated using efficient OT extension techniques [2, 43, 45, 59].

  • Security. OTs can be realized under a wide variety of computational assumptions [18, 27, 58, 60, 62] or under physical assumptions.

In this work, we consider n parties connected by a synchronous network with secure point-to-point private communication channels between every pair of parties. In addition, some pairs of parties on the network have established OT channels between them providing them with the ability to perform arbitrarily many OT operations. We represent the OT channel network via an OT graph G. The vertices of G represent the n parties, and pairs of parties that have an established OT channel are connected by an edge in G. Since OT can be reversed unconditionally [64], we make no distinction between the sender and the receiver in an OT channel. This OT graph represents the infrastructure we begin with. The OT channels could either represent \(\mathop {\mathrm {poly}}\nolimits (\lambda )\) 1-out-of-2 OT correlations for a computational security parameter \(\lambda \), or a physical channel (e.g., noisy channel) that realizes, say \(\delta \)-Rabin OT [62]. We are interested in obtaining security against adaptive semihonest adversaries. We also discuss security against adaptive malicious adversaries under computational assumptions.

Two parties that are connected by an edge can use the corresponding existing OT channel to run a secure computation protocol between themselves. What about parties that are not connected by an edge? Clearly, they can establish an OT channel between themselves via an OT protocol [18, 60] or perhaps using a physical channel. The latter option, if possible, is likely to be expensive and the costs of setting up a physical channel may be infeasible unless the two parties are likely to execute many secure computation protocols. The former option is also expensive as it involves use of public-key cryptography which is somewhat necessary in the light of [42]. This motivates the question of whether additional parties can use an existing OT infrastructure to establish an OT channel between themselves unconditionally or relying only on the existence of symmetric-key cryptography. A positive result to this question would show that expensive cryptographic operations are not required to set up additional OT channels which could be used for efficient secure computation. In this work we construct OT protocols with information-theoretic security against a threshold adversary.

The Generality of an OT Infrastructure. Consider the following candidate for an infrastructure. Suppose there is a channel between a pair of parties that allows them to securely evaluate any function. Since OT is complete for secure computation, one can apply the results of [45, 46] to use the OT channel to implement a secure evaluation channel. In the other direction, one can use a secure evaluation channel to trivially implement OT channels. Consequently, such a channel is equivalent to an OT channel. The same argument extends to channels that implement any 2-party primitive that is complete for secure computation [5, 55]. Furthermore, the above argument also applies to the setting where a set of parties have a secure evaluation channel. Such a channel is equivalent to an OT graph where parties in the set have pairwise OT channels with everyone in the set.

Assuming a Full Network of Secure Channels. Secure channels between two parties can be implemented either via non-interactive key exchange and hybrid encryption or via a physical assumption. We emphasize that the one-time setup cost of emulating a secure channel (e.g. via Diffie-Hellman key exchange) is much lower than the one-time setup cost of emulating an OT channel that allows unbounded OT calls via an OT protocol even using OT extension. Furthermore, our assumption of secure channels is identical to the setting of [33, 45, 46], who show that secure computation reduces to OT under information-theoretic reductions.

1.2 Related Work and Our Contributions

Related Work. As mentioned previously, there is a large body of work on secure computation in the offline/online model (cf. [10, 24, 50, 51, 59, 61] and references therein). These protocols exhibit an extremely fast online phase at the expense of a slow preprocessing phase (sometimes using MPC [51] or more typically, OT correlations [59] or a somewhat homomorphic encryption scheme [24]). To the best of our knowledge, the question of transferability of preprocessing has not been explicitly investigated in the literature with the notable exception of [36], which we will discuss in greater detail below. There is a large body of work on secure computation against a threshold adversary (e.g. [8, 16, 31, 63]). Popular regimes where secure computation against threshold adversaries has been investigated are \(t < n/3\), \(t < n/2\), or \(t = n-1\). In this work we are interested in threshold adversaries for a dishonest majority, that is, adversaries which can corrupt t out of n parties for \(n/2 \le t < n\). Such regimes were investigated in other contexts such as authenticated broadcast [29] and fairness in secure computation [6, 39, 44]. Infrastructures for perfectly secure message transmission (PSMT) were investigated in the seminal work of [26] (see also [28] and references therein). While the task of PSMT is similar to our question regarding OT channels, there are inherent differences. For example, our protocols can implement OT even between two parties that are isolated in the OT graph (i.e., not connected to any other party via an OT channel). In PSMT, on the other hand, there is no hope of achieving secure communication with a node that is not connected by any secure channel.

Most relevant to our results is the work of Harnik et al. [36]. The main question in their work is an investigation of the number of OT channels sufficient to implement an n-party secure computation protocol. In a nutshell, they show, against an adaptive t-threshold adversary for \(t = (1-\delta ) n\), an explicit construction of an OT graph consisting of \((n + o(n))\binom{\lceil 1/\delta \rceil }{2}\) OT channels that suffices to implement secure computation among the n parties. They note further that against a static adversary, \(\binom{\lceil s/\delta \rceil }{2}\) OT channels suffice, where s denotes a statistical security parameter. On the negative side, they show that a complete OT graph is necessary for secure computation when dealing with an adversary that can corrupt \(t = n-1\) parties. They derive this result by showing that in a 3-party OT graph with two OT channels, it is not possible to obtain OT correlations between the third pair of parties with security against two corruptions. Moreover they generalize their 3-party negative result to any OT graph whose complement contains the complete bipartite graph \(K_{n-t,n-t}\) as a subgraph. In our paper we extend and generalize the results of [36], fully characterizing the networks for which it is possible to obtain OT correlations between a designated pair of parties. We now proceed to explain our contributions in more detail.

Our Contributions. We introduce our main result:

Theorem (informal). Let \(G=(V,E)\) be an OT graph on n parties \(P_1,\ldots P_n\), so that any pair of parties \(P_i,P_j\) which are connected by an edge may make an unbounded number of calls to an OT oracle. Let \(\mathbb {A}\) be the class of semihonest t-threshold adversaries which may adaptively corrupt at most t parties. Then two parties A and B in \(\{P_1,\ldots ,P_n\}\) can information-theoretically emulate an OT oracle while being secure against all adversaries \(\mathcal {A}\in \mathbb {A}\) if and only if
  1. (honest majority) it holds that \(t < n/2\); or

  2. (trivial) A and B are connected by an edge in G; or

  3. (partition) there exists no partition \(V_1, V_2, V_3\) of G such that all of the following conditions are satisfied: (a) \(|V_1| = |V_2| = n-t\) and \(|V_3| = 2t-n\); (b) \(A \in V_1\) and \(B \in V_2\); and (c) for every \(A' \in V_1\) and \(B' \in V_2\) it holds that \((A',B') \not \in E\).

Our main theorem gives a complete characterization of networks for which a pair of parties can utilize the OT network infrastructure to execute a secure computation protocol. The first two conditions in our theorem are straightforward: (1) if \(t < n/2\), then we are in the honest majority regime, and thus it is possible to implement secure computation (or emulate an OT oracle) using the honest majority information-theoretically secure protocols of [63]; (2) clearly if A and B are connected by an OT edge then by definition they can emulate an OT oracle.

Condition (3) applies when \( t \ge n/2\) and when A and B do not have an OT edge between them. This condition is effectively the converse of the impossibility result of [36], which states that any n-party OT graph whose complement contains \(K_{n-t,n-t}\) as a subgraph cannot allow an n-party secure computation that tolerates t semihonest corruptions. Condition (3) implies that any n-party OT graph whose complement does not contain \(K_{n-t,n-t}\) as a subgraph can run n-party secure computations tolerating t semihonest corruptions.

Applying Our Main Theorem. We first compare our positive results to those of [36]. They investigate how to construct an OT graph with the minimum number of edges allowing n parties to execute a secure computation protocol. They show a construction for a graph with \((n+o(n))\binom{\lceil 1/\delta \rceil }{2}\) edges which they prove is sufficient for resilience against an adversary that corrupts \((1-\delta )n\) parties. Our result provides a complete, simple characterization of which OT graphs on n vertices are sufficient to run a t-secure protocol generating OT correlations between all pairs of vertices for any \(t\ge n/2\), which is sufficient to obtain a protocol for secure computation among the n parties [45, 46]. Our main theorem also implies that determining the minimum number of OT edges needed to execute a secure computation protocol for general \(n,t\ge n/2\) is equivalent to an open problem in graph theory posed by Zarankiewicz in 1951 [48].

Our results immediately imply that for some values of t, extremely simple sparse OT graphs suffice for achieving secure multiparty computation. For n even and \(t=n/2\), we have that the t-claw graph (cf. Fig. 4(a)) has t edges and suffices to achieve t-secure multiparty computation. For n odd and \(t = (n+1)/2\), the \((t+1)\)-cycle has \(t+1\) edges and suffices to achieve t-secure multiparty computation. We show in the full version that these examples are the sparsest possible graphs which can achieve \(\lfloor (n+1)/2\rfloor \)-secure multiparty computation.

Next, our results are also well-suited to make use of an OT infrastructure for secure computation. Specifically, let \(G_I\) denote the OT graph consisting of existing OT edges between parties that are part of the infrastructure. Now suppose a pair of parties A, B not connected by an OT edge wish to execute a secure computation protocol. Then they can find a subgraph G of \(G_I\) with \(A, B \in G\) and \(|G| = n\) such that they agree that at most t out of the n parties can be corrupt and the partition condition in our main theorem holds for G. Since it is possible to handle a dishonest majority, parties do not have to settle for a lower threshold and can enjoy increased confidence in the security of their protocol by making use of the infrastructure. Surprisingly, it turns out the OT subgraph G need not even contain t OT edges to offer resilience against t corruptions (cf. Fig. 2(c) with \(n = 4, t = 2\)).

A pair of parties may use the OT correlations generated as the base OTs for an OT extension protocol and inexpensively generate many OT correlations that can be saved for future use or to add to the OT infrastructure. In any case, it should be clear that our protocols readily allow load-balancing across the OT infrastructure and are also abort-tolerant in the sense that if some subgraph G ends up not delivering the output, then one can readily use a different subgraph \(G'\). Thus we believe that our results can be used to build a scalable infrastructure for secure computation that allows (1) amortization, (2) routing, and (3) is robust.

An Important Caveat Regarding Efficiency. In the special cases \(t=n/2+\mathcal {O}(1)\) and \(t=n-\mathcal {O}(1)\), determining whether a graph satisfies the partition condition requires at most \(\mathop {\mathrm {poly}}\nolimits (n)\) time. However, in general the problem is coNP-complete, since it can be restated in the graph complement as subgraph isomorphism of a complete bipartite graph [30]. Our protocols are efficient in n only for \(t = n/2 + \mathcal {O}(1)\) and \(t = n - \mathcal {O}(1)\). In particular, our protocol is quite efficient for small values of n, a setting in which computing OT correlations in the presence of a dishonest majority may be especially useful in practice.

2 Preliminaries

2.1 Notation and Definitions

Let \(\mathcal {X}, \mathcal {Y}\) be two probability distributions over some set S. Their statistical distance is denoted \(\mathbf {SD}\left( \mathcal {X},\mathcal {Y}\right) \). We say that \(\mathcal {X}\) and \(\mathcal {Y}\) are \(\epsilon \)-close if \(\mathbf {SD}\left( \mathcal {X},\mathcal {Y}\right) \le \epsilon \) and this is denoted by \(\mathcal {X} \approx _{\epsilon } \mathcal {Y}\). We say that \(\mathcal {X}\) and \(\mathcal {Y}\) are identical if \(\mathbf {SD}\left( \mathcal {X},\mathcal {Y}\right) = 0\) and this is denoted by \(\mathcal {X} \equiv \mathcal {Y}\).

All graphs addressed in this work are undirected. We denote a graph as \(G = (V, E)\) where V is a set of vertices and E is a set of edges. We denote an edge e as \(e = \{v_{1}, v_{2}\}\), where \(v_{1}, v_{2} \in V\).

For \(n \in \mathbb {N}\), let \(K_{n}\) denote the complete graph on n vertices. Let \( \varLambda _{a}^{s}\) denote the graph \(G = (V, E)\) on \(2a+s\) vertices whose vertex set V is partitioned into three disjoint sets \(V_{A}, V_{B}, V_{S}\), where \(|V_{A}| = |V_{B}| = a\) and \(|V_{S}| = s\), and
$$E = \{\{v_{1}, v_{2}\} : v_{1} \not \in V_{A} \vee v_{2} \not \in V_{B}\}$$
We will sometimes consider subgraphs of \( \varLambda _{a}^{s}\) which preserve labels of vertices. In this case we will always label the vertices so that vertex \(A\in V_A\) and vertex \(B\in V_B\).

For two graphs \(G_{1} = (V, E_{1})\) and \(G_{2} = (V, E_{2})\) with the same vertex set V, we say that \(G_1\) and \(G_2\) are \((v_1,\ldots ,v_{\ell })\)-isomorphic, denoted by \(G_{1} \simeq _{v_{1}, \ldots , v_{\ell }} G_{2}\), if the two graphs are isomorphic to one another while fixing the labelings of vertices \(v_{1}, \ldots , v_{\ell } \in V\), that is, there exists an isomorphism \(\sigma \) such that \(\sigma (v_{i}) = v_{i}\) for all \(i \in [\ell ]\).

Similarly, given graphs \(G_1= (V_1, E_{1})\) and \(G_{2} = (V_2, E_{2})\) with \(V_1\subseteq V_2\) and \(v_1,\ldots ,v_{\ell }\in V_1\), we say that \(G_1\) is a \((v_1,\ldots ,v_{\ell })\)-subgraph of \(G_2\), denoted \(G_1 \subseteq _{v_1,\ldots ,v_{\ell }} G_2\), if \(G_1\) is \((v_1,\ldots ,v_{\ell })\)-isomorphic to some subgraph of \(G_2\).

In particular, in the special case that graph \(G=(V,E)\) contains vertices \(A,B\in V\), we say that G is an (A, B)-subgraph of \( \varLambda _{a}^{s}\) (or that \(G\subseteq _{A,B} \varLambda _{a}^{s}\)) if there is an isomorphism \(\sigma \) between G and a subgraph of \( \varLambda _{a}^{s}\) such that A is mapped into set \(V_A\) and B is mapped into set \(V_B\) (that is, \(\sigma (A)\in V_A\) and \(\sigma (B)\in V_B\)).

Call an n-vertex graph \(G=(V,E)\) k-unsplittable for \(k\le n/2\) if any two disjoint sets of k vertices have some edge between them. That is, G is k-unsplittable if for all partitions of the vertices V into three disjoint sets \(V_1, V_2, V_3\) of sizes \(|V_1|=|V_2|=k\) and \(|V_3|=n-2k\), there exists some edge \((u,v)\in E\) with \(u\in V_1, v\in V_2\). It is immediate from this definition that G is k-unsplittable if and only if \(G\not \subseteq \varLambda _{k}^{n-2k}\).

Similarly, call G (k, A, B)-unsplittable for \(k\le n/2\) and \(A,B\in V\) if any two disjoint sets of k vertices containing A and B, respectively, have some edge between them. That is, G is (k, A, B)-unsplittable if for all partitions of the vertices of V into three disjoint sets \(V_1, V_2, V_3\) of sizes \(|V_1|=|V_2|=k\) and \(|V_3|=n-2k\) such that \(A\in V_1\) and \(B\in V_2\), there exists some edge \((u,v)\in E\) with \(u\in V_1, v\in V_2\). From this definition we have immediately that G is (k, A, B)-unsplittable if and only if \(G\not \subseteq _{A,B} \varLambda _{k}^{n-2k}\).
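The partition condition of the main theorem (Sect. 1.2) and the (k, A, B)-unsplittable definition above are the same test, and for small n it can simply be checked exhaustively. The following Python is an added example, not code from the paper: it searches for a splitting partition \(V_1, V_2, V_3\) with \(|V_1| = |V_2| = k = n-t\), \(A \in V_1\), \(B \in V_2\) and no edge between \(V_1\) and \(V_2\), and combines that search with conditions (1) and (2) of the theorem. Vertices are integers \(0,\ldots ,n-1\); the sample graphs (the two-vertex graph with no OT edge, the three-vertex graph with both parties joined to a third, the t-claw and the \((t+1)\)-cycle of Sect. 1.2) are constructed here from the paper's descriptions, and `claw` and `cycle` are helper names of this example. The search is exponential in n, which is the general coNP-completeness the paper warns about; it is meant for the small cases the text discusses.

```python
from itertools import combinations


def _edge_set(edges):
    """Undirected edge list -> set of frozensets, so {u, v} == {v, u}."""
    return {frozenset(e) for e in edges}


def splitting_partition(n, edges, k, a, b):
    """Look for V1, V2, V3 partitioning {0, ..., n-1} with |V1| = |V2| = k,
    a in V1, b in V2 and no edge between V1 and V2.
    Returns the witness (V1, V2, V3) if found, else None (G is (k, a, b)-unsplittable).
    Exhaustive search: only intended for small n."""
    E = _edge_set(edges)
    others = [v for v in range(n) if v not in (a, b)]
    for rest1 in combinations(others, k - 1):
        v1 = {a, *rest1}
        for rest2 in combinations([v for v in others if v not in v1], k - 1):
            v2 = {b, *rest2}
            if not any(frozenset((u, v)) in E for u in v1 for v in v2):
                return v1, v2, set(range(n)) - v1 - v2
    return None


def ot_possible(n, edges, t, a, b):
    """Main theorem (informal): a and b can emulate a t-secure OT oracle iff
    (1) t < n/2, or (2) {a, b} is an OT edge, or (3) no splitting partition
    with |V1| = |V2| = n - t exists."""
    if t < n / 2:
        return True                      # honest majority
    if frozenset((a, b)) in _edge_set(edges):
        return True                      # trivial case
    return splitting_partition(n, edges, n - t, a, b) is None


def all_pairs_possible(n, edges, t):
    """Does the OT graph give t-secure OT between every pair of parties?"""
    return all(ot_possible(n, edges, t, a, b) for a, b in combinations(range(n), 2))


def claw(t):
    """t-claw: centre 0 joined to leaves 1..t (t edges); with n = 2t the remaining
    t - 1 vertices are isolated."""
    return [(0, i) for i in range(1, t + 1)]


def cycle(m):
    """m-cycle on vertices 0..m-1 (m edges); with n = m + 1 one vertex is isolated."""
    return [(i, (i + 1) % m) for i in range(m)]


if __name__ == "__main__":
    # Constructed sample graphs: A = 0, B = 1, further parties 2, 3, ...
    print("n=2, t=1, no OT edge:       ", ot_possible(2, [], 1, 0, 1))              # False
    print("n=3, t=2, A-C and B-C only: ", ot_possible(3, [(0, 2), (1, 2)], 2, 0, 1))  # False
    print("n=4, t=2, {A,P3},{B,P4}:    ", splitting_partition(4, [(0, 2), (1, 3)], 2, 0, 1))
    print("n=4, t=2, B joined to P3,P4:", ot_possible(4, [(2, 1), (3, 1)], 2, 0, 1))  # True
    print("n=6, t=3, 3-claw, all pairs:", all_pairs_possible(6, claw(3), 3))         # True
    print("n=5, t=3, 4-cycle, all pairs:", all_pairs_possible(5, cycle(4), 3))       # True
```

When `splitting_partition` returns a witness, the two sides of it are exactly the two colour classes of a \(K_{n-t,n-t}\) in the complement of G with A and B on opposite sides, which is the [36] impossibility configuration; `None` means the graph is (n−t, A, B)-unsplittable and the positive direction of the theorem applies.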

2.2 Secure Computation

Consider the scenario of n parties \(P_{1}, \ldots , P_{n}\) with private inputs \(x_{1}, \ldots , x_{n} \in \mathcal {D}\) computing a function \(f : \mathcal {D}^{n} \rightarrow \mathcal {D}^{n}\). Let \(\varPi \) be a protocol computing f. We consider security against adaptive t-threshold adversaries, that is, adversaries that adaptively corrupt a set of at most t parties, where \(0 \le t < n\). We assume the adversary to be semihonest (i.e. honest-but-curious). That is, the corrupted parties follow the prescribed protocol, but the adversary may try to infer additional information about the inputs of the honest parties. As noted in [36], in the computational setting, using zero-knowledge proofs, it is possible to generically compile a protocol which is secure against semihonest adversaries into another protocol which is secure against adaptive malicious adversaries [32]. This justifies our focus on the semihonest setting here.

For a PPT adversary \(\mathcal {A}\), let random variable \(\text {REAL}_{\varPi , \mathcal {A}}^{x_{1}, \ldots , x_{n}}\) consist of the views of the corrupted parties when the protocol \(\varPi \) is run on parties \(P_{1}, \ldots , P_{n}\) with inputs \(x_{1}, \ldots , x_{n}\) respectively. In the ideal world, the honest parties are replaced with a simulator \(\mathcal {S}\) that does not receive input values and knows only the output value of each corrupted party in an honest execution of the protocol. We define the random variable \(\text {IDEAL}_{\varPi ,\mathcal {A}, \mathcal {S}}^{x_{1}, \ldots , x_{n}}\) as the output of the adversary \(\mathcal {A}\) in the ideal game with the simulator when the inputs to parties \(P_{1}, \ldots , P_{n}\) are \(x_{1}, \ldots , x_{n}\), respectively.

Definition 1

A protocol \(\varPi \) is said to t-securely compute the function f if
  • For all \(x_{1}, \ldots , x_{n} \in \mathcal {D}^{n}\), party \(P_{i}\) receives \(y_{i}\), where \((y_{1}, \ldots , y_{n}) = f(x_{1}, \ldots , x_{n})\), at the end of the protocol.

  • For all adaptive semihonest PPT t-threshold adversaries \(\mathcal {A}\), there exists a PPT simulator \(\mathcal {S}\) such that for all \(x_{1}, \ldots , x_{n} \in \mathcal {D}^{n}\)
    $$\left\{ \text {REAL}_{\varPi , \mathcal {A}}^{x_{1}, \ldots , x_{n}}\right\} \equiv \left\{ \text {IDEAL}_{\varPi ,\mathcal {A},\mathcal {S}}^{x_{1}, \ldots , x_{n}}\right\} $$

This definition is for secure computation with perfect information-theoretic security and a nonadaptive adversary. By [15], in the semihonest setting with information-theoretic security, any protocol which is nonadaptively secure is also adaptively secure. Consequently, satisfying this definition suffices to achieve adaptive security.

In the discussion below, we will sometimes relax security to statistical or computational definitions. A protocol is statistically t-secure if the random variables \(\text {REAL}_{\varPi , \mathcal {A}}^{x_{1}, \ldots , x_{n}}\) and \(\text {IDEAL}_{\varPi ,\mathcal {A},\mathcal {S}}^{x_{1}, \ldots , x_{n}}\) are statistically close, and computationally t-secure if they are computationally indistinguishable.

2.3 Oblivious Transfer

In this work OT refers to 1-out-of-2 oblivious transfer defined as follows.

Definition 2

We define 1-out-of-2 oblivious transfer \(f_{\mathrm {OT}}\) for a sender \(A = P_{1}\) with inputs \(x_{0}, x_{1} \in \{0, 1\}^{m}\), a receiver \(B = P_{2}\) with input \(b \in \{0, 1\}\) and \(n - 2\) parties \(P_{3}, \ldots , P_{n}\) with input \(\perp \) as
$$f_{\mathrm {OT}}((x_{0}, x_{1}), b, \perp , \ldots , \perp ) = (\perp , x_{b}, \perp , \ldots , \perp )$$

Note that while OT is typically defined as a 2-party functionality, the definition above adapts it to our setting and formulates OT as an n-party functionality where only two parties supply non-\(\perp \) inputs.

Definition 3

Let G be a network consisting of n parties \(A = P_{1}, B = P_{2}, P_{3}, \ldots , P_{n}\). Then a t-secure OT protocol \(\varPi _{A \rightarrow B}^{G, t}\) is a protocol that t-securely computes the function \(f_{\mathrm {OT}}\) on the inputs of the parties with A as the sender and B as the receiver.

We note that OT is symmetric, in the following sense.

Lemma 1

[64]. If there exists a t-secure OT protocol \(\varPi _{A \rightarrow B}^{G, t}\) for an n-party network G with n parties \(A = P_{1}, B = P_{2}, P_{3}, \ldots , P_{n}\) with A as the sender and B as the receiver, then there exists a t-secure OT protocol \(\widehat{\varPi }_{B \rightarrow A}^{G, t}\) for the same n parties with B as the sender and A as the receiver.

We represent parties as nodes of a graph G where an edge \(\{A, B\}\) indicates that parties A and B may run a 1-secure OT protocol with A as the sender and B as the receiver. By Lemma 1, the roles of the sender and receiver may be reversed, so it makes sense to define G as an undirected graph.

We note the following result regarding the completeness of OT for achieving arbitrary secure multiparty computation.

Lemma 2

[33, 45, 46]. Consider the complete network \(G \simeq K_{n}\) on n vertices. Then, for any function \(f : \mathcal {D}^{n} \rightarrow \mathcal {R}^{n}\), there exists a protocol \(\varPi \) which \((n - 1)\)-securely computes f, where party i receives the ith input \(x_i \in \mathcal {D}\) and produces the ith output \((f(x))_i\in \mathcal {R}\).

3 Warm-Ups

Let \(G = (V, E)\) be an n-vertex graph representing a network with n parties, where an edge \(\{P_i, P_j\}\in E\) indicates that parties \(P_i\) and \(P_j\) may run a 1-secure 2-party OT protocol with \(P_i\) as the sender and \(P_j\) as the receiver. Let \(t<n\) be an upper bound on the number of corruptions made by the adversary. The central question considered in this work is the following. For which graphs G and which pairs of parties \(A,B\in V\) does there exist a t-secure OT protocol with A as the sender and B as the receiver?

We begin by discussing some simple special cases of small networks. These will provide useful intuition for our main results. For \(t<n/2\), it is possible to obtain a t-secure OT protocol for any n-vertex graph \(G=(V,E)\) between any \(A,B\in V\), since we can perform secure multiparty computation without any pre-existing OT channels if there is an honest majority [63]. It remains to consider the setting where \(t\ge n/2\).
Fig. 1. Known impossibility results. Securely computing \( f_\text {OT}\) between \(A'\) and \(B'\) is impossible for \(t=1\) in \(G_{\mathrm {CK}}\) and is impossible for \(t=2\) in \(G_{\mathrm {HIK}}\).

A few small cases have been resolved in prior work. For \(n = 2\), \(t = 1\), a 1-secure OT protocol (with perfect security) between the vertices of the two-vertex graph G does not exist unless the parties were already connected by an OT channel [17, 49]. This result is illustrated in Fig. 1(a).

For \(n = 3\), \(t = 2\), it is known that we can obtain a 2-secure OT protocol between a pair of vertices A, B only if those vertices are already connected by an OT channel, even if there are OT channels from both A and B to the third vertex C as depicted in Fig. 1(b). More generally, for any \(n\ge 2\) and \(t=n-1\), there exists a t-secure OT protocol with sender A and receiver B only if those vertices are already connected by an OT channel, even if all other \(\binom{n}{2}-1\) pairs of vertices are connected by OT channels [36]. This also resolves the question for \(n=4, t=3\).

The remainder of this section is devoted to an exploration of the setting \(n=4, t=2\). This is the smallest case not resolved by prior techniques, and will illustrate many of the tools used in subsequent sections to obtain our general protocols. The key cases for \(n=4, t=2\) are shown in Fig. 2. As discussed below, these cases are sufficient to completely resolve the four-party setting.
Fig. 2. Cases for \(n=4\) parties with \(t=2\) corruptions.

3.1 Case 1: Fig. 2(a)

We first show that if \(G \simeq _{A, B} G_{1}\) then there does not exist a 2-secure OT protocol for G with A as the sender and B as the receiver. This is a consequence of the impossibility result of [17, 49]. An outline of the argument is as follows.

Consider components \(\mathcal {C}_1 = \{A, P_{3}\}\) and \(\mathcal {C}_2 = \{B, P_{4}\}\) of G, and let \(\varPi \) be a 2-secure protocol computing \( f_\text {OT}\) in G with A as the sender and B as the receiver. Then we can use \(\varPi \) to construct a 1-secure protocol \(\varPi '\) for the 2-party network \(G_{\mathrm {CK}}\) in Fig. 1(a) with \(A'\) as the sender and \(B'\) as the receiver. In protocol \(\varPi '\), party \(A'\) runs \(\varPi \) for both parties of component \(\mathcal {C}_1\) of G, and \(B'\) runs \(\varPi \) for both parties of component \(\mathcal {C}_{2}\). OT channel invocations can be handled locally, since all OT channels in G are between parties in the same component. Since protocol \(\varPi \) is 2-secure, in particular it is secure against corruptions of parties in \(\mathcal {C}_{1}\) or the parties in \(\mathcal {C}_{2}\). Consequently \(\varPi '\) is a 1-secure OT protocol for a network \(G' \simeq _{A', B'} G_{\mathrm {CK}}\) with \(A'\) as the sender and \(B'\) as the receiver. However, from [17, 49], we know that no such protocol exists with perfect security. Consequently there is no 2-secure protocol \(\varPi \) for a network \(G \simeq _{A, B} G_{1}\).

Note that this impossibility holds not only for \(G\simeq _{A,B} G_{1}\) but for any (A, B)-subgraph of \(G_{1}\). In particular, if \(G=(V,E)\) is a four-vertex graph with a single edge that is incident to vertex A or vertex B, then G cannot have a 2-secure protocol computing \( f_\text {OT}\) between A and B except in the trivial case when there is already an edge \(\{A,B\}\in E\). This technique of reducing to the known impossibility results of [17, 36, 49] to obtain lower bounds is described formally in Sect. 4.

3.2 Case 2: Fig. 2(b)

In this example we obtain a positive result, showing that there exists a 2-secure OT protocol with A as the sender and B as the receiver. Since B has degree 2 in \(G_{2}\), we have that either B or one of its neighbors must be honest, and so one of the two OT channels must contain an honest party. This suggests the idea of using secret-sharing to ensure security against 2 corruptions.

Consider the following OT protocol where sender A has inputs \(x_{0}, x_{1} \in \{0, 1\}^{m}\) and receiver B has input \(b \in \{0, 1\}\). A computes 2-out-of-2 shares \((x_0^1, x_0^2)\) and \((x_1^1, x_1^2)\) of its inputs \(x_0, x_1\), respectively. A then sends shares \(x_0^1\) and \(x_1^1\) to party \(P_3\) and \(x_0^2\) and \(x_1^2\) to party \(P_4\). Parties \(P_3\) and B invoke their secure OT channel with inputs \((x_0^1, x_1^1)\) and b, and parties \(P_4\) and B invoke their secure OT channel with inputs \((x_0^2, x_1^2)\) and b respectively. B uses the obtained shares \(x_b^1, x_b^2\) to reconstruct \(x_b\).

We informally argue the 2-security of this protocol assuming that exactly one of A and B is corrupt. Consider the case where A is corrupt and B is honest. The input of B is only used over secure OT channels, so by the 1-security of the OT channels with \(P_3\) and \(P_4\), the corrupt parties can learn nothing about B’s input bit b. Now consider the case where B is corrupt and A is honest. Either \(P_3\) or \(P_4\) must be honest. If \(P_3\) is honest then the security of OT channel \(\{P_3,B\}\) implies that B learns nothing about share \(x_{1-b}^1\), so the security of the secret sharing scheme implies that the corrupt parties do not learn \(x_{1-b}\). By symmetry, the same argument applies if \(P_4\) is honest. This completes the argument.

Note that by Lemma 1, we can also obtain a 2-secure OT protocol from A to B whenever A has degree 2 in the OT network. Furthermore, we can extend this idea to construct a t-secure OT protocol whenever either the sender or the receiver has degree at least t. We call this protocol the t-claw protocol and describe it in detail in Sect. 5.1.

3.3 Case 3: Fig. 2(c)

Somewhat surprisingly, we can also show a positive result for graphs \(G\simeq _{A,B} G_{3}\) even though the OT network has no edges involving either the sender A or the receiver B. The protocol is as follows. Since parties \(P_3\) and \(P_4\) have an OT channel between them, by Lemma 2, they can perform 1-secure MPC between them. \(P_{3}\) and \(P_{4}\) use MPC to compute 2-out-of-2 shares of OT correlations with uniformly random inputs and send corresponding shares to A and B, who can then reconstruct the correlations. More concretely, the MPC protocol computes 2-out-of-2 shares \((r_0^1, r_0^2)\), \((r_1^1, r_1^2)\) of two randomly sampled m-bit strings \(r_0, r_1\), 2-out-of-2 shares \((c^1, c^2)\) of a random bit \(c \in \{0,1\}\), and independent 2-out-of-2 shares \((s^1, s^2)\) of the string \(r_c\). Party \(P_3\) receives the first share of each secret, and party \(P_4\) receives the second share. Party \(P_3\) then sends shares \(r_0^1, r_1^1\) to A and \(s^1, c^1\) to B, while \(P_{4}\) sends shares \(r_0^2, r_1^2\) to A and \(s^2, c^2\) to B. A can then reconstruct \(r_0\) and \(r_1\), and B can reconstruct c and \(r_c\). Parties A and B have now established a random OT correlation, which they can use to perform OT with their original inputs using OT correction [3].

We now informally argue the 2-security of this protocol. If A and B are both honest, then the corrupt parties receive no information about their inputs, while if A and B are both corrupt then there is nothing to prove. Consequently we can assume that exactly one of A and B is corrupt and that either \(P_3\) or \(P_4\) is honest. If A is corrupt and \(P_3\) or \(P_4\) is honest, then the adversary learns nothing about c and \(r_{c}\), since it only sees one of the two shares of each. The OT correction phase uses these strings as one-time pads for inputs which are unknown to the adversary, and consequently are information-theoretically hidden from the adversary. Consequently A learns nothing about B. The case where B is corrupt and \(P_3\) or \(P_4\) is honest follows by the same argument.

This construction can be extended to obtain a t-secure OT protocol whenever the OT graph contains a t-clique consisting of t parties which are not the OT sender or receiver. We call this protocol the t-clique protocol and describe it in detail in Sect. 5.2.

3.4 Case 4: Fig. 2(d)

We also obtain a positive result for graphs \(G \simeq _{A,B} G_4\). We introduce here a technique we call cascading. The idea is as follows. Using the protocol described in Sect. 3.2 for network \(G_2\) of Fig. 2(b), we have a 2-secure OT protocol with \(P_{3}\) as the sender and \(P_{4}\) as the receiver. This effectively gives us an OT channel between \(P_3\) and \(P_4\). Applying the protocol from Sect. 3.3 on the augmented network, we obtain a 2-secure OT protocol with A as the sender and B as the receiver. We describe this pictorially in Fig. 3.

The 2-security of the protocol follows from the 2-security of the underlying protocols of Sects. 3.2 and 3.3. The technique of cascading for combining t-secure protocols is described in detail in Sect. 5.3.
Fig. 3. Illustrating the cascading protocol for Case 4: Fig. 2(d); (a) \(\rightarrow \) (b) \(\rightarrow \) (c)
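The three four-party constructions of Sects. 3.2, 3.3 and 3.4 can be exercised end to end in simulation. The following Python is an added example, not code from the paper: OT channels are modelled as ideal 1-out-of-2 OT functionalities on the edges of the OT graph, the MPC step of the clique protocol is replaced by a trusted dealer (an assumption; the paper uses Lemma 2), OT correction is the standard Beaver-style masking with the random OT correlation, and the shape of \(G_4\) (P4 adjacent to A and B only) is inferred from the description of Case 4.

```python
import secrets
from itertools import combinations

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def share(x: bytes, k: int) -> list:
    """k-out-of-k XOR secret sharing: any k-1 shares are uniformly random."""
    parts = [secrets.token_bytes(len(x)) for _ in range(k - 1)]
    last = x
    for p in parts:
        last = xor(last, p)
    return parts + [last]

def reconstruct(parts: list) -> bytes:
    out = bytes(len(parts[0]))
    for p in parts:
        out = xor(out, p)
    return out

class OTNetwork:
    """OT graph G. Each edge maps to a callable ot(x0, x1, b) -> x_b: base edges
    are ideal OT channels, cascaded edges are protocols run over other edges."""
    def __init__(self, edges):
        self.impl = {frozenset(e): (lambda x0, x1, b: x1 if b else x0) for e in edges}

    def has_edge(self, p, q) -> bool:
        return frozenset((p, q)) in self.impl

    def ot(self, sender, receiver, x0, x1, b) -> bytes:
        e = frozenset((sender, receiver))
        if e not in self.impl:
            raise PermissionError(f"no OT channel between {sender} and {receiver}")
        return self.impl[e](x0, x1, b)

    def with_edge(self, p, q, impl):
        """Cascading (Sect. 3.4, Lemma 6): the augmented graph G' in which {p, q}
        is an OT edge realised by protocol impl over this graph."""
        new = OTNetwork([])
        new.impl = dict(self.impl)
        new.impl[frozenset((p, q))] = impl
        return new

def claw_applicable(net, B, helpers) -> bool:
    """The t-claw protocol needs an OT channel from B to each of the t helpers."""
    return all(net.has_edge(h, B) for h in helpers)

def claw_ot(net, A, B, helpers, x0, x1, b) -> bytes:
    """t-claw protocol (Sects. 3.2, 5.1) with t = len(helpers)."""
    t = len(helpers)
    s0, s1 = share(x0, t), share(x1, t)               # A shares x0, x1 t-out-of-t
    got = [net.ot(h, B, s0[i], s1[i], b)              # helper i and B run OT on
           for i, h in enumerate(helpers)]            # their channel with choice b
    return reconstruct(got)                           # B rebuilds x_b

def clique_ot(net, A, B, clique, x0, x1, b) -> bytes:
    """t-clique protocol (Sects. 3.3, 5.2): the clique hands A and B shares of a
    random OT correlation, then A and B run OT correction over their own link."""
    assert len(x0) == len(x1)
    for p, q in combinations(clique, 2):
        if not net.has_edge(p, q):
            raise PermissionError(f"{clique} is not a clique in the OT graph")
    k = len(clique)
    # Trusted-dealer stand-in for the clique's MPC (assumption): sample the
    # correlation and split each secret k-out-of-k, share i going to party i.
    r0, r1 = secrets.token_bytes(len(x0)), secrets.token_bytes(len(x1))
    c = secrets.randbelow(2)
    to_A = list(zip(share(r0, k), share(r1, k)))                       # (r0^i, r1^i)
    to_B = list(zip(share(bytes([c]), k), share(r1 if c else r0, k)))  # (c^i, s^i)
    # A reconstructs r0, r1; B reconstructs c and r_c.
    r = (reconstruct([s[0] for s in to_A]), reconstruct([s[1] for s in to_A]))
    c_rec = reconstruct([s[0] for s in to_B])[0]
    r_c = reconstruct([s[1] for s in to_B])
    # OT correction [3], Beaver style: B sends d = b XOR c, A returns x0 XOR r_d
    # and x1 XOR r_{1-d}; only d and the masked strings travel, so r_c is a
    # one-time pad on x_b and r_{1-c} hides x_{1-b}.
    d = b ^ c_rec
    y0, y1 = xor(x0, r[d]), xor(x1, r[1 - d])
    return xor(y1 if b else y0, r_c)

def case4_ot(x0, x1, b) -> bytes:
    """Cascading for Fig. 2(d), following Fig. 3 (a) -> (b) -> (c). Assumed
    shape of G4: P4 is adjacent to A and B only."""
    g4 = OTNetwork([("A", "P4"), ("B", "P4")])
    # (a) -> (b): claw protocol with P3 as sender, P4 as receiver, helpers A and B
    g4b = g4.with_edge("P3", "P4",
                       lambda y0, y1, s: claw_ot(g4, "P3", "P4", ["A", "B"], y0, y1, s))
    # (b) -> (c): clique protocol on the augmented graph with clique {P3, P4}
    return clique_ot(g4b, "A", "B", ["P3", "P4"], x0, x1, b)

if __name__ == "__main__":
    x0, x1 = b"left-string-0000", b"right-string-111"   # constructed inputs
    g2 = OTNetwork([("B", "P3"), ("B", "P4")])            # Fig. 2(b)
    g3 = OTNetwork([("P3", "P4")])                        # Fig. 2(c)
    for b in (0, 1):
        assert claw_ot(g2, "A", "B", ["P3", "P4"], x0, x1, b) == (x1 if b else x0)
        assert clique_ot(g3, "A", "B", ["P3", "P4"], x0, x1, b) == (x1 if b else x0)
        assert case4_ot(x0, x1, b) == (x1 if b else x0)
```

Running claw_ot on the graph of Fig. 2(a) raises PermissionError, since B has no channel to P3 there; claw_applicable reports the same structural condition without running the protocol.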

3.5 Cases 1–4 are Exhaustive

Note that a t-secure OT protocol with sender A and receiver B in an OT network G trivially yields a t-secure protocol for any network \(G'\) such that \(G \subseteq _{A,B} G'\). From cases 1 and 3, we can securely compute \( f_\text {OT}\) in a network G containing at most a single edge if and only if the edge is \(\{A,B\}\) or \(\{P_3,P_4\}\). From cases 1, 2, and 4, we can compute \( f_\text {OT}\) in a network G containing two or more edges including neither of \(\{A,B\}\) or \(\{P_3,P_4\}\) if and only if there is some vertex with degree at least 2 in the OT graph. This completes the characterization of 4-party networks with 2 corruptions.

4 Lower Bound

We now describe a family of impossibility results using a generic reduction to the impossibility result in [36], which we restate in our language below.

Lemma 3

[36]. Consider any three-party network G with \(G \simeq _{A', B'} G_{\mathrm {HIK}}\), the graph in Fig. 1(b). Then any 2-secure OT protocol with \(A'\) as the sender and \(B'\) as the receiver can be used (as a black box) to obtain a 1-secure OT protocol for a network \(G'\) with \(G' \simeq _{A', B'} G_{\mathrm {Kus}}\), the graph in Fig. 1(b), with \(A'\) as the sender and \(B'\) as the receiver.

The theorem below describes an impossibility result over a family of networks. We note that this result was observed in [36]; we restate it in our language and defer the formal proof to the full version.

Theorem 1

Let \(n \ge 2\) and \(n/2 \le t < n\), and let G be an n-party network such that \(G \subseteq \varLambda _{n - t}^{2t - n}\), with \(P_{1} \in V_{A}\) and \(P_{2} \in V_{B}\). Any t-secure OT protocol for G with \(P_{1}\) as the sender and \(P_{2}\) as the receiver can be used (as a black box) to obtain a 1-secure OT protocol for a network \(G'\) with \(G' \simeq _{A', B'} G_{\mathrm {CK}}\) with \(A'\) as the sender and \(B'\) as the receiver.

5 Building Blocks

In this section, we describe a few key protocols and techniques that we use in the subsequent sections to prove our main theorem.
Fig. 4. Building block networks. (a) t-claw graph (b) t-clique graph (c) 2-path graph

5.1 The t-claw Protocol

The first protocol we describe is the t-claw protocol, where the graph G describing the network is such that \(G \simeq _{A, B} G_{\mathrm {claw}}^{t}\). The protocol is described in Protocol 1. The protocol is a straightforward generalization of the one described in Sect. 3.2. The idea is for A to compute t-out-of-t shares of its inputs and distribute them among the t parties connected to B. These t parties then perform OT with B so that B receives the shares to reconstruct his output.

Lemma 4

Protocol 1 is an efficient t-secure OT protocol for a network \(G \simeq _{A, B} G_{\mathrm {claw}}^{t}\) with A as the sender and B as the receiver.

Proof Intuition. The t-security of the protocol can be seen as follows. Steps 1, 2 and 7 perform OT correction, that is, they perform a transformation from random OT to 1-out-of-2 OT. This transformation protects against the case that the parties \(P_{3}, \ldots , P_{t + 2}\) (that is, all but A and B) are corrupt. Suppose A were corrupt and B were honest. Clearly, A colluding with any of the parties \(P_{3}, \ldots , P_{t + 2}\) provides A with no additional information since all they possess are shares sent by A. Next, if A were honest and B corrupt, at least one of the parties \(P_{3}, \ldots , P_{t + 2}\) must be honest. B has no information about those shares and hence does not learn anything. Finally, if both A and B were corrupt, there is nothing to prove.

5.2 The t-clique Protocol

The next protocol we describe is the t-clique protocol, where the graph G describing the network is such that \(G \simeq _{A, B} G_{\mathrm {clique}}^{t}\). The protocol is described in Protocol 2. The protocol is a straightforward generalization of the one described in Sect. 3.3. The idea is for the parties \(P_{3}, \ldots , P_{t + 2}\) to compute t-out-of-t shares of OT correlations and send them to A and B respectively. The parties have a complete network of OT channels, so this can be done via multiparty computation (Lemma 2). A and B then perform OT correction using their secure channel. We state the lemma, give a proof outline and defer the full proof to the full version.

Lemma 5

Protocol 2 is an efficient t-secure OT protocol for a network \(G \simeq _{A, B} G_{\mathrm {clique}}^{t}\) with A as the sender and B as the receiver.

Proof Intuition. The t-security of the protocol can be seen as follows. Steps 4, 5 and 6 perform OT correction, that is, they perform a transformation from random OT to 1-out-of-2 OT. This transformation protects against the case that all of parties \(P_{3}, \ldots , P_{t + 2}\) (that is, all but A and B) are corrupt. If one of A and B were corrupt, there exists at least one honest party among the parties \(P_{3}, \ldots , P_{t + 2}\). Hence, even by colluding, A or B would have no information about those shares and would not learn anything. Finally, if both A and B were corrupt, there is nothing to prove.

5.3 Cascading

The following building block is a generalization of the technique described in Sect. 3.4. The technique describes a general method of combining protocols iteratively. In our context, this can be thought of as a tool for transforming a network described by a graph G to one described by a graph \(G'\), where \(G \subseteq _{V} G'\) and G and \(G'\) are both graphs on the same vertex set V. In other words, it describes protocols as adding new edges indicating the establishment of OT correlations between new pairs of parties in the network. With this abstraction, it is easy to view the technique of cascading as one which combines protocols iteratively to transform the underlying network by adding new edges. This is described formally below.

Definition 4

Let \(G = (V, E)\) and \(G' = (V, E')\) be two graphs on the same set of vertices, V, with \(G \subseteq _{V} G'\). We say that a protocol \(\varPi \) t-transforms a network G into the network \(G'\) if for each \(\{P_{i}, P_{j}\} \in E'\setminus E\), \(\varPi \) is a t-secure OT protocol for a network G with \(P_{i}\) as the sender and \(P_{j}\) as the receiver.

Lemma 6

If \(\varPi _1\) is a protocol that runs in time \(T_1\) and t-transforms network \(G_1\) into \(G_2\), and \(\varPi _2\) is a protocol that runs in time \(T_2\) and t-transforms network \(G_2\) into \(G_3\), then there exists a protocol \(\varPi \) that runs in time \(T_1T_2\) and t-transforms \(G_1\) into \(G_3\).

Proof

The protocol \(\varPi \) simply runs \(\varPi _2\), running protocol \(\varPi _1\) to obtain the necessary correlations whenever \(\varPi _2\) invokes OT on an edge of \(G_2\setminus G_1\). Let \(\mathcal {S}_{1}\) and \(\mathcal {S}_{2}\) be the simulators associated with \(\varPi _1\) and \(\varPi _2\) respectively. The simulator for \(\varPi \) simply runs \(\mathcal {S}_{2}\), invoking \(\mathcal {S}_{1}\) for OT calls made on edges in \(G_{2} \setminus G_{1}\).    \(\square \)

Using OT extension [2, 43], we can also obtain a computationally secure version of cascading with improved efficiency.

Lemma 7

Let \(\lambda \) be a computational security parameter. Assuming one-way functions or correlation-robust hash functions, if \(\varPi _1\) is a protocol that runs in time \(T_1\) and t-transforms network \(G_1\) into \(G_2\), and \(\varPi _2\) is a protocol that runs in time \(T_2\) and t-transforms network \(G_2\) into \(G_3\), then there exists a computationally secure protocol \(\varPi \) that runs in time \(\lambda \cdot T_1 + T_2\cdot \mathop {\mathrm {poly}}\nolimits (\lambda )\) and t-transforms \(G_1\) into \(G_3\).

Proof

First, run protocol \(\varPi _1\) \(\lambda \) times on random inputs to obtain \(\lambda \) independent OT correlations for each edge of \(G_2\setminus G_1\). Then run protocol \(\varPi _2\), using OT extension to obtain OT correlations for OT calls made on edges in \(G_2\setminus G_1\).    \(\square \)

5.4 The 2-path Graph

The protocol described in this section is a commonly used subroutine in several of the protocols which follow. It is a particular combination of the tools encountered in Sects. 5.1, 5.2 and 5.3. The subroutine, which we call 2-path, is the same as the one described in Sect. 3.4. It is used to obtain OT correlations between parties who have a common neighbor in a four-party network with at most two corruptions (see Fig. 4(c)). The following lemma is immediate from Lemma 6 and the 2-security of Protocols 1 and 2 for \(t = 2\) (Lemmata 4 and 5).

Lemma 8

Protocol 3 is an efficient 2-secure OT protocol for a network \(G \simeq _{A, B} G_{\mathrm {2\text {-}path}}^{2}\) with A as the sender and B as the receiver.

5.5 Combiners

OT combiners aim to combine several insecure candidate protocols for establishing OT correlations between two parties into a single secure protocol. For a class of adversaries \(\mathbb {A}\), it is possible to achieve this when the candidate protocols satisfy the property that a majority of them are secure against each adversary \(\mathcal {A} \in \mathbb {A}\). The following lemma is due to [37, 56], relying on prior work by [38, 65] and based on a construction by [22].

Lemma 9

[37, 56]. Let \(\mathbb {A}\) be an adversary class. Suppose there exist m protocols \(\varPi _1,\ldots , \varPi _m\) for \(f_{OT}(A, B, P_{1}, \ldots , P_{n})\) such that for any adversary \(\mathcal {A} \in \mathbb {A}\) a majority of the protocols are secure. Then, there exists a protocol \(\varPi ^*(\varPi _1, \ldots , \varPi _m)\) for \(f_{OT}(A, B, P_{1}, \ldots , P_{n})\) which is secure against all adversaries \(\mathcal {A}\in \mathbb {A}\). Moreover, if each protocol \(\varPi _i\) is efficient and perfectly secure, then so is \(\varPi ^*\).

6 The Case \(t = n/2\)

We now consider the specific case of \(t = n/2\), that is, when at most half the parties are corrupt. We note that this is the smallest value of t for which the question is non-trivial. From the lower bounds proven in Theorem 1, we already have that for all n-party networks G containing A and B such that \(G \subseteq _{A, B} \varLambda _{n/2}^{0}\), there exists no n/2-secure OT protocol with A as the sender and B as the receiver. Surprisingly, Theorem 2 shows that these are the only networks for which (n/2)-secure OT between A and B is impossible. Below, we provide an explicit n/2-secure OT protocol between A and B whenever the network G is (n/2, A, B)-unsplittable.

Theorem 2

Let G be an n-party OT network containing parties A and B. Then Protocol 5 is an n/2-secure OT protocol between A and B if and only if G is (n/2, A, B)-unsplittable.

We analyze the efficiency of the protocol in Theorem 3 below. The protocol as stated runs in quasi-polynomial time. We can also obtain a computationally secure protocol which runs in polynomial time. The protocol we describe proceeds in two stages. In the first stage, the protocol transforms every connected component of the network into a clique. This transformation is very specific to the case of \(t = n/2\), and in particular, for \(t>n/2\) a connected component cannot in general function as a clique. This transformation is carried out by means of repeatedly calling Protocol 4, which obtains OT correlations between a pair of parties who have a common neighbour. This protocol uses the building block Protocol 3 from Sect. 5.4 along with machinery of OT combiners described in Sect. 5.5.

Lemma 10

Let G be an n-vertex OT network with edges \(\{A,C\}\) and \(\{B,C\}\). Protocol 4 is an n/2-secure OT protocol for the network G with A as the sender and B as the receiver.

Proof

We consider cases depending on the number of corrupted parties in the set \(T=\{A,B,C\}\). If T contains at most one corrupted party, then each tuple \((A,B,C,P_i)\) for \(i\ge 4\) contains at most 2 corrupted parties, so each protocol \(\varPi _i\) in step 1 is secure. If T contains two corrupted parties, then there are at most \(t - 2 = (n-4)/2\) corrupted parties among \(P_4, \ldots , P_n\), so a majority of these parties are honest. Consequently a majority of the protocols \(\varPi _i\) which are combined in step 1 are secure. Thus, in either case, by Lemma 9 the protocol is secure. Finally, if all three parties of T are corrupted, then all uncorrupted parties receive no input, so the simulator \(\mathcal {S}\) can perfectly simulate the uncorrupted parties by running the honest protocol. Therefore Protocol 4 is n/2-secure.    \(\square \)

We now complete the proof of Theorem 2.

Proof Intuition (Theorem 2): It is easy to see that by invoking Protocol 4 repeatedly, one can obtain OT correlations between any pair of parties in the same connected component. In other words, using cascading (Lemma 6), we can assume that we are given a network which consists of disjoint cliques. This is done in step 1 of Protocol 5. Hence, if A and B were in the same connected component in G, this process would end up with correlations between A and B and we can terminate the protocol (step 2).

If A and B are in different components, then a natural next step is to run the clique protocol described in Sect. 5.2 with each of the cliques and parties A and B with the intent of setting up OT correlations between A and B. However, the number of corruptions t may be greater than the size of any clique, and so Protocol 2 may not be secure. However, for an invocation to be secure, we only require that the clique contains at least one honest party. A majority of parties must be in cliques containing at least one honest party, so if we invoke Protocol 2 for each of the parties on their respective cliques, for any adversary a majority of the invocations is secure. By Lemma 9 we can combine these candidate protocols to obtain a single secure protocol. This is performed in step 5 of Protocol 5. Finally, we note that steps 3, 4 and 6 perform OT correction, that is, they perform a transformation from random OT to 1-out-of-2 OT. This yields the n/2-security of Protocol 5.

Proof

(Theorem 2). The “only if” part of the theorem has been proven by virtue of the lower bound of Theorem 1 with \(t = n{/}2\). We now prove the “if” part. In the case where A and B are in the same connected component in the network G, the n/2-security of Protocol 4 together with Lemma 6 implies that Protocol 5 is an n/2-secure OT protocol with A as the sender and B as the receiver, thus proving the theorem.

We now proceed to the case where A and B are not in the same connected component in G. We must show that the protocol is secure against t-threshold adversaries as long as the vertices cannot be partitioned into two sets \(V_A, V_B\) each of size \(t=n/2\) with \(A\in V_A, B\in V_B\) such that there are no edges between \(V_A\) and \(V_B\). Let \(\mathcal {A}\) be a t-threshold adversary which corrupts parties T, \(|T|\le t\). We will construct a simulator \(\mathcal {S}\) which plays the role of the uncorrupted parties.

If \(\{A,B\} \subset T\) then the uncorrupted parties receive no input, so the simulator can perfectly simulate the uncorrupted parties. If \(\{A,B\}\cap T = \emptyset \) then \(\mathcal {S}\) chooses arbitrary inputs \(x_0,x_1, b\) and runs the protocol. Since the only steps which depend on the input at all are on point-to-point channels between A and B, the view of the adversary in the real and ideal worlds is identical.

Otherwise, we have that the corrupted parties T include exactly one of A, B. If \(A\in T\) but \(B\notin T\), then \(\mathcal {S}\) chooses an arbitrary bit b and runs the protocol, invoking the OT simulator for each invocation of Protocol 4. It follows that as long as the combined protocol \(\varPi ^*\) in step 5 is secure against \(\mathcal {A}\), Protocol 5 is secure against \(\mathcal {A}\). It remains to show that a majority of the n protocols \(\varPi _1,\ldots ,\varPi _n\) are secure against \(\mathcal {A}\). Since party B is honest, by Lemma 5, protocol \(\varPi _i\) is secure against \(\mathcal {A}\) as long as at least one of the parties in clique \(\mathcal {C}(i)\) is honest. In particular, if party \(P_i\) is honest then protocol \(\varPi _i\) is secure against \(\mathcal {A}\). At most t of the parties \(P_1,\ldots ,P_{n}\) are corrupt, so the only protocols which may be insecure against \(\mathcal {A}\) are the t protocols \(\varPi _i\) corresponding to the corrupted parties \(P_i\). Assume that all t of these protocols are insecure against \(\mathcal {A}\). Then the corrupted parties lie in completely corrupted cliques whose sizes sum to n/2. This then gives a set \(V_A = T\) of n/2 parties containing A but not B such that there are no edges from \(V_A\) to the remaining vertices \(V_B = \overline{T}\). However, we know that G possesses no such partition. Hence, at most \(t - 1 < n/2\) of the n protocols are insecure against \(\mathcal {A}\) and hence by Lemma 9, the combined protocol \(\varPi ^*\) in step 5 is secure and hence Protocol 5 is secure against \(\mathcal {A}\).

The remaining case that \(B\in T\) but \(A\notin T\) is similar. Here, the simulator \(\mathcal {S}\) is given the output value \(x_b\). \(\mathcal {S}\) runs the protocol with \((x_b,x_b)\) as the input to A, again invoking the OT simulator for each invocation of Protocol 4. As above, as long as the combined protocol \(\varPi ^*\) in step 5 is secure against \(\mathcal {A}\), Protocol 5 is secure against \(\mathcal {A}\). By the same argument, the only protocols \(\varPi _i\) which may be insecure against \(\mathcal {A}\) are the t protocols corresponding to the corrupted parties \(P_i\). If all t of these protocols are insecure against \(\mathcal {A}\), we have a set \(V_A = \overline{T}\) of n/2 parties containing A but not B such that there are no edges from \(V_A\) to the remaining vertices \(V_B = T\). However, we know that G possesses no such partition, so at most \(t - 1 < n/2\) of the n protocols are insecure against \(\mathcal {A}\). By Lemma 9, the combined protocol \(\varPi ^*\) in step 5 is secure and so Protocol 5 is secure against \(\mathcal {A}\).    \(\square \)

We now analyze the efficiency of Protocol 5.

Theorem 3

Protocol 5 runs in quasi-polynomial time. Assuming one-way functions, we can obtain a computationally secure protocol which runs in polynomial time using computationally secure cascading (Lemma 7).

Proof

Each iteration of step 1 decreases the length of a path between any pair of vertices from \(\ell \) to \(\lceil (\ell + 1)/2 \rceil \). Consequently, after \(O(\log n)\) iterations the graph will consist of a collection of disjoint cliques, and the protocol will move on to the next step. By Lemma 6 (Cascading), if each iteration can be performed in time at most T assuming the augmented graph, then the full cascaded protocol runs in time at most \(T^{O(\log n)}\). Since \(T=\mathop {\mathrm {poly}}\nolimits (n)\) and each other step of the protocol is efficient, this implies that Protocol 5 runs in quasi-polynomial time.

Replacing the cascading of step 1 with the more efficient but computationally secure cascading of Lemma 7, the cascaded protocol runs in time \(O(T \mathop {\mathrm {poly}}\nolimits (\lambda )\cdot \log n)\). Since each other step of the protocol is efficient, this implies that assuming one-way functions, we have a computationally-secure version of Protocol 5 that runs in quasi-polynomial time.    \(\square \)

7 The Case \(t=n-2\)

On account of the lower bound proven in [36], we note that \(t = n - 2\) is the largest value of t for which the question is non-trivial. In this section we present an improved computationally efficient OT protocol between A and B for the special case \(t=n-2\) for all (2, A, B)-unsplittable networks G.

Theorem 4

Let G be an n-party OT network containing parties A and B. Then Protocol 6 is an efficient \((n-2)\)-secure OT protocol between A and B if and only if G is (2, A, B)-unsplittable.

The protocol is built upon the following structural aspect of the network G under consideration. Since G is (2, A, B)-unsplittable, for any two sets of vertices \(V_{A} \ni A\) and \(V_{B} \ni B\) such that \(|V_{A}| = |V_{B}| = 2\), there exists an edge from a vertex of \(V_{A}\) to a vertex of \(V_{B}\). In particular, this implies that for any two parties \(P_i, P_j\) where \(i, j \ge 3\), the sub-network \(G_{i,j}\) induced by parties A, B, \(P_i\) and \(P_j\) is (2, A, B)-unsplittable. Then for any i, j, we also have that the sub-network \(G_{i, j}\) is \((2, P_{i}, P_{j})\)-unsplittable. Hence, we could try to obtain OT correlations between every pair of vertices \(P_i, P_j\) by running Protocol 5 on every \(G_{i, j}\) for \(n = 4\) parties. Notice that if these invocations were secure, then we would obtain an \((n - 2)\)-clique in the network after which we can execute Protocol 2 in order to obtain OT correlations between A and B. This is described in Protocol 6. However, each execution of Protocol 5 is only guaranteed to be secure if at most two of the corresponding parties are corrupt. This need not be true in general, and so we cannot directly leverage the security of Protocol 5. Nonetheless, we will argue that Protocol 6 is secure against \(t = n-2\) corruptions.

Proof Intuition (Theorem 4): In order to analyze the \((n - 2)\)-security of Protocol 6, we consider each invocation of Protocol 5 on a sub-network \(G_{i,j}\). If at most two of the four parties in \(G_{i,j}\) are corrupt, then that invocation of Protocol 5 is secure and yields secure OT correlations between parties \(P_i\) and \(P_j\). Appealing to Lemma 6, we can augment G to include edge \(\{P_{i}, P_{j}\}\).

Each \(G_{i,j}\) must contain at least one honest party since either A or B must be honest (otherwise, there is nothing to prove). It remains to consider sub-networks \(G_{i,j}\) in which three of the parties are corrupt. Since at least one of A or B is honest, this implies that both \(P_{i}\) and \(P_{j}\) are corrupt. Thus, there is nothing to prove regarding the security of the invocation of Protocol 5 on \(G_{i,j}\) since we are establishing OT correlations between a pair of corrupt parties \(P_i\) and \(P_j\). Combining these claims, we have that each of the invocations of Protocol 5 is secure and yields secure OT correlations between the pairs of parties \(P_i,P_j\) for all \(i, j \ge 3\). By virtue of Lemma 6, we obtain an \((n - 2)\)-clique in the network and the \((n - 2)\)-security of Protocol 2 with \(t = n - 2\) proves the \((n - 2)\)-security of Protocol 6.

The formal proof is deferred to the full version.

8 The General Case: \(t\ge n/2\)

In this section, we resolve the network OT question for general \(t \ge n/2\). Note that from the protocols in Sects. 6 and 7 we already have tight answers for the special cases \(t =n/2\) and \(t = n - 2\). We address the general question from both ends of the spectrum, namely for t larger than n / 2 and t smaller than \(n - 2\). These analyses yield two distinct protocols which employ the protocols from Sects. 6 and 7 as their respective base cases. The two protocols we describe are efficient in different parameter regimes. Protocol 7 described in Sect. 8.1 is quasi-polynomially efficient when \(t=n/2+\mathcal {O}(1)\), and Protocol 8 described in Sect. 8.2 is (polynomially) efficient when \(t = n - \mathcal {O}(1)\). Putting these protocols together, we obtain a single protocol that is efficient under computational security when either \(t=n/2+\mathcal {O}(1)\) or \(t = n - \mathcal {O}(1)\). We note that the problem of recognizing whether there exists a t-secure OT protocol is efficient in these cases, while the recognition problem for general n, t is coNP-complete.

8.1 General Protocol (Quasi-polynomial for \(t=n/2+\mathcal {O}(1)\))

We now describe a t-secure OT protocol between A and B for all \((n - t, A, B)\)-unsplittable networks G. As a consequence of the lower bound described in Sect. 4, this result is tight.

Theorem 5

Let G be an n-party OT network containing parties A and B, and let \(t \ge n/2\). Then Protocol 7 is a t-secure OT protocol between A and B if and only if G is \((n - t, A, B)\)-unsplittable. The protocol achieves perfect security and runs in quasi-polynomial time for \(t=n/2 + \mathcal {O}(1)\). Assuming one-way functions, we can also obtain a protocol which achieves computational security and runs in polynomial time for \(t=n/2 + \mathcal {O}(1)\).

The protocol proceeds by recursion, reducing the problem of obtaining an OT protocol on an n-vertex graph with \(t>n/2\) corrupted parties to a number of instances of \(n'\)-vertex graphs, a majority of which have at most \(t'\) corrupted parties, for \(n'=n-1\) and \(t'=t-1\). As shown below, each \(n'\)-vertex subgraph \(G'\) has a structure similar to G in the sense that \(G'\) is \((n' - t', A, B)\)-unsplittable whenever G is \((n - t, A, B)\)-unsplittable. We can now recurse on these smaller problem instances, invoking an OT combiner to obtain the full protocol.

More precisely, the protocol constructs \(n - 2\) subgraphs on \(n - 1\) vertices, where each subgraph is obtained by deleting a single vertex other than A and B. We can recursively run a \((t - 1)\)-secure OT protocol on each of the subgraphs. The final protocol invokes a combiner on these \(n-2\) candidate protocols. It remains to be shown that a majority of the subgraphs \(G'\) contain at most \(t - 1\) corrupt parties.

Proof Intuition (Theorem 5): We may assume that at least one of A or B is honest. As described above, we wish to argue that a majority of the subgraphs \(G'\) contain at most \(t - 1\) corrupt parties. Combining this with the claim that these subgraphs preserve an unsplittability property of G and invoking Lemma 9 completes the proof.

This claim follows from the following observation. Since \(t > n/2\), if exactly t parties are corrupt then a majority of the subgraphs contain at most \(t-1\) corrupt parties since A and B are not both corrupt. If strictly fewer than t parties are corrupt then all of the sub-graphs contain at most \(t-1\) corrupt parties. In either case, for a majority of subgraphs, at most \(t-1\) of the parties are corrupt.

We first present and prove a structure lemma.

Lemma 11

Given graph \(G=(V,E)\) and a vertex i, let \(G_i\) be the induced graph on the \(n-1\) vertices \(V\setminus \{i\}\). If G is \((n - t, A, B)\)-unsplittable, then \(G_i\) is also \((n - t, A, B)\)-unsplittable.

Proof

We will prove the contrapositive. Suppose that \(G_i\subseteq _{A, B} \varLambda _{n-t}^{2t-n-1}\). This means there exists a partition of the vertex set of \(G_{i}\) as \(V_{A} \cup V_{S} \cup V_{B}\) with no edges between \(V_A\) and \(V_B\), where \(A \in V_{A}\), \(B \in V_{B}\), \(|V_{A}| = |V_{B}| = n - t\) and \(|V_{S}| = 2t - n - 1\). But then we can partition the vertex set of G as \(V_{A} \cup V_{S}' \cup V_{B}\), where \(V_{S}' = V_{S} \cup \{i\}\). We have that \(|V_{A}| = |V_{B}| = n - t\) and \(|V_{S}'| = 2t - n\), and there are no edges between \(V_A\) and \(V_B\), so \(G \subseteq _{A, B} \varLambda _{n-t}^{2t-n}\), which is a contradiction.    \(\square \)

As an immediate consequence, the condition described in Theorem 5 is both necessary and sufficient in order to obtain a complete network of OT channels and perform secure multiparty computation among all parties in the network.

Corollary 1

Let G be an n-party network. For \(t\ge n/2\), we can t-securely generate OT correlations between all pairs of parties (thus completing the OT network) if and only if G is \((n - t)\)-unsplittable.

The formal proofs of Theorem 5 and Corollary 1 are deferred to the full version.
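As an added illustration (not code from the paper), the following Python checks the unsplittability condition of Theorem 5 by brute force on a constructed 5-party network, verifies Lemma 11 on it, and evaluates the all-pairs condition of Corollary 1. The party names, channels and function names are constructed for this example.

```python
"""Checking (k, A, B)-unsplittability by brute force.

Added example, not code from the paper. Per the definitions used in
Lemmas 11 and 12, a graph G on vertex set V is (k, A, B)-splittable when V
splits into disjoint V_A (containing A) and V_B (containing B), each of size
k, plus a remainder V_S, with no edge of G between V_A and V_B. G is
(k, A, B)-unsplittable when no such split exists.
"""
from itertools import combinations
from math import ceil


def splitting_witness(vertices, edges, k, a, b):
    """Return (V_A, V_B) showing G is (k, a, b)-splittable, or None if it is
    unsplittable. Exhaustive search, adequate for small networks."""
    edge_set = {frozenset(e) for e in edges}
    others = [v for v in vertices if v not in (a, b)]
    for rest_a in combinations(others, k - 1):
        v_a = frozenset((a,) + rest_a)
        remaining = [v for v in others if v not in v_a]
        for rest_b in combinations(remaining, k - 1):
            v_b = frozenset((b,) + rest_b)
            # A split requires that no OT channel crosses from V_A to V_B.
            if all(frozenset((x, y)) not in edge_set for x in v_a for y in v_b):
                return v_a, v_b
    return None


def is_unsplittable(vertices, edges, k, a, b):
    return splitting_witness(vertices, edges, k, a, b) is None


def max_secure_threshold(vertices, edges, a, b):
    """Largest t in [n/2, n-1] with G (n - t, a, b)-unsplittable, i.e. the
    largest t for which Theorem 5 yields t-secure OT between a and b.
    Returns None if no t in that range qualifies."""
    n = len(vertices)
    best = None
    for t in range(ceil(n / 2), n):
        if is_unsplittable(vertices, edges, n - t, a, b):
            best = t
    return best


def lemma11_holds(vertices, edges, k, a, b):
    """Lemma 11: if G is (k, a, b)-unsplittable, so is every G_i obtained
    by deleting a single vertex i other than a and b."""
    if not is_unsplittable(vertices, edges, k, a, b):
        return True  # hypothesis not met, nothing to check
    for i in vertices:
        if i in (a, b):
            continue
        sub_v = [v for v in vertices if v != i]
        sub_e = [e for e in edges if i not in e]
        if not is_unsplittable(sub_v, sub_e, k, a, b):
            return False
    return True


def all_pairs_unsplittable(vertices, edges, k):
    """Corollary 1 condition: (k, P, Q)-unsplittable for every pair P, Q."""
    return all(is_unsplittable(vertices, edges, k, p, q)
               for p, q in combinations(vertices, 2))


# Constructed 5-party network: A and B share no channel, both have OT
# channels to P3 and P4, and B additionally to P5.
PARTIES = ["A", "B", "P3", "P4", "P5"]
CHANNELS = [("A", "P3"), ("A", "P4"), ("B", "P3"), ("B", "P4"), ("B", "P5")]
# The same network without the B-P4 channel: {A, P4} versus {B, P5} splits it.
WEAK_CHANNELS = [c for c in CHANNELS if c != ("B", "P4")]

if __name__ == "__main__":
    print("max t for A-B OT:", max_secure_threshold(PARTIES, CHANNELS, "A", "B"))
    print("split in weakened network:",
          splitting_witness(PARTIES, WEAK_CHANNELS, 2, "A", "B"))
```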

8.2 General Protocol (Efficient for \(t=n-\mathcal {O}(1)\))

We now describe another t-secure OT protocol for all networks G with A as the sender and B as the receiver whenever the network G is \((n - t, A, B)\)-unsplittable. This protocol uses, in spirit, a reduction in the opposite direction to the one described in Sect. 8.1. The protocol is efficient whenever \(t=n-\mathcal {O}(1)\).

Theorem 6

Let G be an n-party OT network containing parties A and B, and let \(t \ge n/2\). Protocol 8 is a t-secure OT protocol between A and B if and only if G is \((n - t, A, B)\)-unsplittable. The protocol is efficient for \(t=n-\mathcal {O}(1)\).

The idea behind this protocol is the following. We increase the size of the network in order to obtain a large number N of well-connected additional simulated parties such that at least one of them is guaranteed to be honest. We may assume that at least one of A and B is honest, as otherwise there is nothing to prove. Consequently there are at least two honest parties in the augmented network. We will now apply the protocol from Sect. 7. It remains to describe the construction of these simulated parties, to show that at least one of them is honest, and to prove a structural lemma that if the original network G is \((n - t, A, B)\)-unsplittable then the augmented network \(G'\) is \((2, A, B)\)-unsplittable.

Proof Intuition (Theorem 6): We first describe the new network generated by Protocol 8. The parties other than A and B in the newly constructed network consist of all subsets of size \(n-t-1\) of the parties in G containing neither A nor B. Lemma 12 below shows that this new network \(G'\) is \((2, A, B)\)-unsplittable whenever G is \((n - t, A, B)\)-unsplittable, where the edges of \(G'\) are as described in Protocol 8. A party X in \(G'\) will be considered honest if all constituent parties \(P_i\in X\) from G are honest. Since one of A and B is honest and at most t parties are corrupt, at least \(n - t\) parties are honest and in particular, at least \(n - t - 1\) of the parties other than A and B must be honest. This means that one of the subsets is completely honest. Since A or B is also honest, \(G'\) is guaranteed to have at least two honest parties. Combining these facts and invoking Theorem 4 completes the argument.

We will use the following structural lemma about the network \(G'\) constructed in Protocol 8. The formal proof of Theorem 6 is deferred to the full version.

Lemma 12

If G is \((n - t, A, B)\)-unsplittable, then \(G'\) is a \((2, A, B)\)-unsplittable network on \(n'=\binom{n-2}{n-t-1} + 2\) vertices, where \(G'\) is the network from Protocol 8.

Proof

We prove the contrapositive. Assume that \(G'\subseteq _{A,B} \varLambda _2^{n'-2}\). Let \(k=n-t\), and for \(i\in \mathbb {N}\), let \(S_i\) denote the set of subsets of \(V\setminus \{A,B\}=\{P_3,\ldots ,P_n\}\) of size i. Then there exist vertices \(X,Y \in S_{k-1}\) such that there are no edges in \(G'\) between any of the parties in \(\{A,X\}\) and any of the parties in \(\{B,Y\}\). In particular, \(X\cap Y = \emptyset \), since otherwise \(\{X,Y\}\) would be an edge of \(G'\). This implies that we have \(2k=2(n-t)\) parties \(\{A,B\}\cup X\cup Y\) such that there are no edges in G from the \(n-t\) parties \(\{A\} \cup X\) to any of the \(n-t\) parties \(\{B\}\cup Y\). By definition, this means that \(G\subseteq _{A,B} \varLambda _{n-t}^{2t-n}\), which is a contradiction.    \(\square \)

Footnotes

1. Recall that \(\lambda \) 1-out-of-2 OT correlations can be extended to \(\mathop {\mathrm {poly}}\nolimits (\lambda )\) 1-out-of-2 OT correlations via OT extension using just symmetric-key cryptography (e.g. one-way functions [2] or correlation-robust hash functions [43]).

2. As a rule of thumb, use of public-key cryptography is computationally around 4–6 orders of magnitude more expensive than using symmetric-key cryptography [7].

3. When \(t < n/2\), there is no need to rely on an OT infrastructure [63].

4. Recall that in the model considered in this work, we assume a full network of secure private communication channels.

5. Combining our work with results from [32, 35], we can also obtain computational security against malicious adversaries in both the nonadaptive and adaptive settings.

6. For \(t=n/2 + \mathcal {O}(1)\), we achieve efficiency using computationally-secure OT extension (e.g. [2, 43]). Our protocol with information-theoretic security is quasipolynomial-time for \(t=n/2 + \mathcal {O}(1)\). We do, however, achieve information-theoretic security in polynomial time for \(t=n-\mathcal {O}(1)\).

7. Note that when \(t = n\), there is nothing to prove.

8. We note that in the computational setting, it is also possible to transform, in a black-box way, a protocol which is secure against semihonest adversaries into another protocol which is secure against static malicious adversaries [35].

9. Recall that \(H\simeq _{A, B}H'\) for two graphs \(H,H'\) if there exists an isomorphism between H and \(H'\) preserving the labels of vertices A and B.

10. An additional step is needed to address the case in which \(P_3\) and \(P_4\) are corrupt and A and B are both honest. Then \(P_{3}\) and \(P_{4}\) can learn \(x_{0}\) and \(x_{1}\), the inputs of A, in the protocol just described. This can be handled with the technique of OT correction, using a one-time pad and the secure point-to-point channel between A and B. Equivalently, we could run the protocol on random inputs, and then use the method of [3] to obtain 1-out-of-2 OT from random OT. If A and B are both corrupt then there is nothing to prove.

11. This OT correction step can be performed as follows. Party B sends \(b' = b\oplus c\) to A. A responds with \(y_0=x_0\oplus r_{b'}\) and \(y_1=x_1\oplus r_{1-b'}\). Finally, B computes \(y_b \oplus r_c = x_b\).

12. Note that a single protocol \(\varPi \) may set up independent random OT correlations for several pairs of parties \(\{P_{i}, P_{j}\} \in E'\setminus E\). These correlations can be used to run 1-out-of-2 OT using OT correction.

13. Or polynomially efficient under computational security.
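The OT correction step of footnote 11, as an added example that is not part of the paper: a random OT correlation (here sampled locally as a constructed stand-in for the correlation the network protocol produces) is derandomized with the three messages of the footnote, and exhaustive checks over all bit values confirm that B obtains \(x_b\), that B's view is independent of \(x_{1-b}\), and that A's view is independent of b. Function names are constructed.

```python
"""OT correction (footnote 11): turning a random OT correlation into a
1-out-of-2 OT on chosen inputs. Added example, not code from the paper.
Bits only; for strings, apply the same XORs bitwise. The random sampling
stands in for the network protocol that would produce the correlation."""
from itertools import product
import secrets


def sample_random_ot():
    """Constructed stand-in for the infrastructure: A gets (r0, r1), B gets
    (c, r_c) for uniformly random bits r0, r1, c."""
    r0, r1, c = secrets.randbits(1), secrets.randbits(1), secrets.randbits(1)
    return (r0, r1), (c, (r0, r1)[c])


def receiver_round1(b, c):
    """B sends b' = b xor c."""
    return b ^ c


def sender_round2(x0, x1, r0, r1, b_prime):
    """A replies with y0 = x0 xor r_{b'} and y1 = x1 xor r_{1-b'}."""
    r = (r0, r1)
    return x0 ^ r[b_prime], x1 ^ r[1 - b_prime]


def receiver_output(b, r_c, y0, y1):
    """B computes y_b xor r_c, which equals x_b."""
    return (y0, y1)[b] ^ r_c


def run_ot_correction(x0, x1, b, correlation):
    (r0, r1), (c, r_c) = correlation
    b_prime = receiver_round1(b, c)
    y0, y1 = sender_round2(x0, x1, r0, r1, b_prime)
    return receiver_output(b, r_c, y0, y1)


def receiver_view(x0, x1, b, r0, r1, c):
    """Everything B sees: its own c and r_c, the bit it sent, and A's reply."""
    b_prime = receiver_round1(b, c)
    return (c, (r0, r1)[c], b_prime) + sender_round2(x0, x1, r0, r1, b_prime)


def correctness_holds():
    """B obtains x_b for every choice of inputs and correlation."""
    for x0, x1, b, r0, r1, c in product((0, 1), repeat=6):
        corr = ((r0, r1), (c, (r0, r1)[c]))
        if run_ot_correction(x0, x1, b, corr) != (x0, x1)[b]:
            return False
    return True


def other_input_hidden():
    """Flipping x_{1-b} together with r_{1-c} (a bit B never holds) leaves
    B's view unchanged, so the view carries no information about x_{1-b}."""
    for x0, x1, b, r0, r1, c in product((0, 1), repeat=6):
        x, r = [x0, x1], [r0, r1]
        x[1 - b] ^= 1
        r[1 - c] ^= 1
        if receiver_view(x[0], x[1], b, r[0], r[1], c) != \
                receiver_view(x0, x1, b, r0, r1, c):
            return False
    return True


def choice_bit_hidden():
    """A sees only b' = b xor c; flipping b and c together leaves b'
    unchanged, so A learns nothing about b."""
    return all(receiver_round1(b, c) == receiver_round1(b ^ 1, c ^ 1)
               for b, c in product((0, 1), repeat=2))


if __name__ == "__main__":
    a_view, b_view = sample_random_ot()
    print("B received x_b =", run_ot_correction(1, 0, 1, (a_view, b_view)))
```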

References

1. Applebaum, B., Ishai, Y., Kushilevitz, E., Waters, B.: Encoding functions with constant online rate or how to compress garbled circuits keys. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 166–184. Springer, Heidelberg (2013)
2. Beaver, D.: Correlated pseudorandomness and the complexity of private computations. In: STOC, pp. 479–488 (1996)
3. Beaver, D.: Precomputing oblivious transfer. In: Coppersmith, D. (ed.) CRYPTO 1995. LNCS, vol. 963, pp. 97–109. Springer, Heidelberg (1995)
4. Beerliová-Trubíniová, Z., Hirt, M.: Perfectly-secure MPC with linear communication complexity. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 213–230. Springer, Heidelberg (2008)
5. Beimel, A., Malkin, T., Micali, S.: The all-or-nothing nature of two-party secure computation. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 80–97. Springer, Heidelberg (1999)
6. Beimel, A., Omri, E., Orlov, I.: Protocols for multiparty coin toss with dishonest majority. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 538–557. Springer, Heidelberg (2010)
7. Bellare, M., Hoang, V.T., Keelveedhi, S., Rogaway, P.: Efficient garbling from a fixed-key blockcipher. In: IEEE Security and Privacy, pp. 478–492 (2013)
8. Ben-Or, M., Goldwasser, S., Wigderson, A.: Completeness theorems for noncryptographic fault-tolerant distributed computations. In: STOC, pp. 1–10 (1988)
9. Ben-Sasson, E., Fehr, S., Ostrovsky, R.: Near-linear unconditionally-secure multiparty computation with a dishonest minority. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 663–680. Springer, Heidelberg (2012)
10. Bendlin, R., Damgård, I., Orlandi, C., Zakarias, S.: Semi-homomorphic encryption and multiparty computation. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 169–188. Springer, Heidelberg (2011)
11. Bogdanov, D., Laur, S., Willemson, J.: Sharemind: a framework for fast privacy-preserving computations. In: Jajodia, S., Lopez, J. (eds.) ESORICS 2008. LNCS, vol. 5283, pp. 192–206. Springer, Heidelberg (2008)
12. Bogetoft, P., et al.: Secure multiparty computation goes live. In: Dingledine, R., Golle, P. (eds.) FC 2009. LNCS, vol. 5628, pp. 325–343. Springer, Heidelberg (2009)
13. Boyle, E., Chung, K.-M., Pass, R.: Large-scale secure computation: multi-party computation for (parallel) RAM programs. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 742–762. Springer, Heidelberg (2015)
14. Boyle, E., Goldwasser, S., Tessaro, S.: Communication locality in secure multi-party computation - how to run sublinear algorithms in a distributed setting. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 356–376. Springer, Heidelberg (2013)
15. Canetti, R., Damgård, I., Dziembowski, S., Ishai, Y., Malkin, T.: On adaptive vs. non-adaptive security of multiparty protocols. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 262–279. Springer, Heidelberg (2001)
16. Chaum, D., Crépeau, C., Damgård, I.: Multiparty unconditionally secure protocols. In: STOC, pp. 11–19 (1988)
17. Chor, B., Kushilevitz, E.: A zero-one law for boolean privacy (extended abstract). In: STOC, pp. 62–72 (1989)
18. Chou, T., Orlandi, C.: The simplest protocol for oblivious transfer. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LatinCrypt 2015. LNCS, vol. 9230, pp. 40–58. Springer, Heidelberg (2015)
19. Damgård, I., Ishai, Y.: Scalable secure multiparty computation. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 501–520. Springer, Heidelberg (2006)
20. Damgård, I., Ishai, Y., Krøigaard, M.: Perfectly secure multiparty computation and the computational overhead of cryptography. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 445–465. Springer, Heidelberg (2010)
21. Damgård, I., Ishai, Y., Krøigaard, M., Nielsen, J.B., Smith, A.: Scalable multiparty computation with nearly optimal work and resilience. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 241–261. Springer, Heidelberg (2008)
22. Damgård, I., Kilian, J., Salvail, L.: On the (im)possibility of basing oblivious transfer and bit commitment on weakened security assumptions. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 56–73. Springer, Heidelberg (1999)
23. Damgård, I., Nielsen, J.B.: Scalable and unconditionally secure multiparty computation. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 572–590. Springer, Heidelberg (2007)
24. Damgård, I., Pastro, V., Smart, N., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 643–662. Springer, Heidelberg (2012)
25. Dani, V., King, V., Movahedi, M., Saia, J.: Brief announcement: breaking the o(nm) bit barrier, secure multiparty computation with a static adversary. In: PODC, pp. 227–228 (2012)
26. Dolev, D., Dwork, C., Waarts, O., Yung, M.: Perfectly secure message transmission. In: FOCS, pp. 36–45 (1990)
27. Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. In: Chaum, D., Rivest, R.L., Sherman, A.T. (eds.) Advances in Cryptology, pp. 205–210. Springer, New York (1983)
28. Fitzi, M., Franklin, M.K., Garay, J.A., Vardhan, S.H.: Towards optimal and efficient perfectly secure message transmission. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 311–322. Springer, Heidelberg (2007)
29. Garay, J.A., Katz, J., Koo, C.-Y., Ostrovsky, R.: Round complexity of authenticated broadcast with a dishonest majority. In: FOCS, pp. 658–668 (2007)
30. Garey, M., Johnson, D.: Computers and Intractability: A Guide to the Theory of NP-Completeness. W. H. Freeman, New York (1979)
31. Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game, or a completeness theorem for protocols with honest majority. In: STOC, pp. 218–229 (1987)
32. Goldreich, O., Micali, S., Wigderson, A.: Proofs that yield nothing but their validity for all languages in NP have zero-knowledge proof systems. J. ACM 38(3), 691–729 (1991)
33. Goldreich, O., Vainish, R.: How to solve any protocol problem - an efficiency improvement. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 73–86. Springer, Heidelberg (1988)
34. Goldwasser, S., Kalai, Y., Popa, R., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: STOC, pp. 555–564 (2013)
35. Haitner, I.: Semi-honest to malicious oblivious transfer—the black-box way. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 412–426. Springer, Heidelberg (2008)
36. Harnik, D., Ishai, Y., Kushilevitz, E.: How many oblivious transfers are needed for secure multiparty computation? In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 284–302. Springer, Heidelberg (2007)
37. Harnik, D., Ishai, Y., Kushilevitz, E., Nielsen, J.B.: OT-combiners via secure computation. In: Canetti, R. (ed.) TCC 2008. LNCS, vol. 4948, pp. 393–411. Springer, Heidelberg (2008)
38. Harnik, D., Kilian, J., Naor, M., Reingold, O., Rosen, A.: On robust combiners for oblivious transfer and other primitives. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 96–113. Springer, Heidelberg (2005)
39. Hirt, M., Lucas, C., Maurer, U.: A dynamic tradeoff between active and passive corruptions in secure multi-party computation. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 203–219. Springer, Heidelberg (2013)
40. Huang, Y., Katz, J., Evans, D.: Efficient secure two-party computation using symmetric cut-and-choose. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 18–35. Springer, Heidelberg (2013)
41. Huang, Y., Katz, J., Kolesnikov, V., Kumaresan, R., Malozemoff, A.J.: Amortizing garbled circuits. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 458–475. Springer, Heidelberg (2014)
42. Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: STOC, pp. 44–61 (1989)
43. Ishai, Y., Kilian, J., Nissim, K., Petrank, E.: Extending oblivious transfers efficiently. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 145–161. Springer, Heidelberg (2003)
44. Ishai, Y., Kushilevitz, E., Lindell, Y., Petrank, E.: On combining privacy with guaranteed output delivery in secure multiparty computation. In: Dwork, C. (ed.) CRYPTO 2006. LNCS, vol. 4117, pp. 483–500. Springer, Heidelberg (2006)
45. Ishai, Y., Prabhakaran, M., Sahai, A.: Founding cryptography on oblivious transfer – efficiently. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 572–591. Springer, Heidelberg (2008)
46. Kilian, J.: Founding cryptography on oblivious transfer. In: STOC, pp. 20–31 (1988)
47. Kolesnikov, V., Schneider, T.: Improved garbled circuit: free XOR gates and applications. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 486–498. Springer, Heidelberg (2008)
48. Kovári, T., Sós, V., Turán, P.: On a problem of K. Zarankiewicz. Colloquium Math. 3(1), 50–57 (1954)
49. Kushilevitz, E.: Privacy and communication complexity. In: FOCS, pp. 416–421 (1989)
50. Larraia, E., Orsini, E., Smart, N.P.: Dishonest majority multi-party computation for binary circuits. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 495–512. Springer, Heidelberg (2014)
51. Lindell, Y., Pinkas, B., Smart, N.P., Yanai, A.: Efficient constant round multi-party computation combining BMR and SPDZ. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 319–338. Springer, Heidelberg (2015)
52. Lindell, Y., Riva, B.: Cut-and-choose yao-based secure computation in the online/offline and batch settings. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 476–494. Springer, Heidelberg (2014)
53. Lindell, Y.: Fast cut-and-choose based protocols for malicious and covert adversaries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 1–17. Springer, Heidelberg (2013)
54. Lindell, Y., Pinkas, B.: An efficient protocol for secure two-party computation in the presence of malicious adversaries. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 52–78. Springer, Heidelberg (2007)
55. Maji, H.K., Prabhakaran, M., Rosulek, M.: A zero-one law for cryptographic complexity with respect to computational UC security. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 595–612. Springer, Heidelberg (2010)
56. Meier, R., Przydatek, B., Wullschleger, J.: Robuster combiners for oblivious transfer. In: Vadhan, S.P. (ed.) TCC 2007. LNCS, vol. 4392, pp. 404–418. Springer, Heidelberg (2007)
57. Mohassel, P., Riva, B.: Garbled circuits checking garbled circuits: more efficient and secure two-party computation. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 36–53. Springer, Heidelberg (2013)
58. Naor, M., Pinkas, B.: Efficient oblivious transfer protocols. In: SODA, pp. 448–457 (2001)
59. Nielsen, J.B., Nordholt, P.S., Orlandi, C., Burra, S.S.: A new approach to practical active-secure two-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 681–700. Springer, Heidelberg (2012)
60. Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008)
61. Prabhakaran, M., Prabhakaran, V.: On secure multiparty sampling for more than two parties. In: Information Theory Workshop (ITW) (2012)
62. Rabin, M.: How to exchange secrets by oblivious transfer (1981)
63. Rabin, T., Ben-Or, M.: Verifiable secret sharing and multiparty protocols with honest majority. In: STOC, pp. 73–85 (1989)
64. Wolf, S., Wullschleger, J.: Oblivious transfer is symmetric. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 222–232. Springer, Heidelberg (2006)
65. Wullschleger, J.: Oblivious-transfer amplification. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 555–572. Springer, Heidelberg (2007)
66. Yao, A.C.-C.: How to generate and exchange secrets. In: FOCS, pp. 162–167 (1986)
67. Zahur, S., Rosulek, M., Evans, D.: Two halves make a whole. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 220–250. Springer, Heidelberg (2015)
68. Zamani, M., Movahedi, M., Saia, J.: Millions of millionaires: Multiparty computation in large networks. In: ePrint 2014/149

Copyright information

© International Association for Cryptologic Research 2016

Authors and Affiliations

MIT, Cambridge, USA