Oblivious Transfer and Linear Functions

  • Ivan B. Damgård
  • Serge Fehr
  • Louis Salvail
  • Christian Schaffner
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4117)


We study unconditionally secure 1-out-of-2 Oblivious Transfer (1–2 OT). We first point out that a standard security requirement for 1–2 OT of bits, namely that the receiver only learns one of the bits sent, holds if and only if the receiver has no information on the XOR of the two bits. We then generalize this to 1–2 OT of strings and show that the security can be characterized in terms of binary linear functions. More precisely, we show that the receiver learns only one of the two strings sent if and only if he has no information on the result of applying any binary linear function (which non-trivially depends on both inputs) to the two strings.
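The characterization above can be checked exactly on toy inputs. The following Python example is added here and is not from the paper or its authors; it assumes uniform, independent 2-bit strings, writes a binary linear function as ⟨a,s0⟩ ⊕ ⟨b,s1⟩ with a ≠ 0 and b ≠ 0, and uses three constructed receiver views. All function and variable names are hypothetical.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import product

L = 2  # toy string length (assumption; small enough to enumerate exactly)
STRINGS = list(product((0, 1), repeat=L))

def dot(a, s):
    """Inner product over GF(2)."""
    return sum(x & y for x, y in zip(a, s)) & 1

def nondegenerate_linear_functions():
    """Pairs (a, b) defining beta(s0, s1) = <a,s0> xor <b,s1>; a != 0 and
    b != 0 make beta depend non-trivially on both inputs."""
    nonzero = [v for v in STRINGS if any(v)]
    return [(a, b) for a in nonzero for b in nonzero]

def distance_from_uniform(view, a, b):
    """Statistical distance of beta(S0, S1) from a uniform bit given the
    receiver's view, for uniform and independent S0, S1."""
    counts = defaultdict(lambda: [0, 0])  # view value -> [#beta=0, #beta=1]
    for s0, s1 in product(STRINGS, repeat=2):
        counts[view(s0, s1)][dot(a, s0) ^ dot(b, s1)] += 1
    total = len(STRINGS) ** 2
    # Each view value v contributes P(v) * |P(beta=0 | v) - 1/2|.
    return sum(Fraction(abs(n0 - n1), 2 * total) for n0, n1 in counts.values())

def worst_leak(view):
    """(distance, a, b) for the linear function the view reveals most about."""
    return max((distance_from_uniform(view, a, b), a, b)
               for a, b in nondegenerate_linear_functions())

# Constructed receiver views (hypothetical, for illustration only).
def one_string_view(s0, s1):   # receiver learns s0 and nothing else
    return s0

def split_view(s0, s1):        # receiver learns one bit of each string
    return (s0[0], s1[0])

def and_view(s0, s1):          # receiver learns a partial hint about both strings
    return s0[0] & s1[0]

if __name__ == "__main__":
    for view in (one_string_view, split_view, and_view):
        dist, a, b = worst_leak(view)
        print(f"{view.__name__:16} worst distance {dist} at a={a}, b={b}")
```

A view that holds only one string leaves every such function perfectly uniform, while the two views that touch both strings are exposed by the function with a = b = (1, 0), the XOR of the two first bits.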

We then argue that this result not only gives new insight into the nature of 1–2 OT but, in particular, provides a very powerful tool for analyzing 1–2 OT protocols. We demonstrate this by showing that, with our characterization at hand, the reducibility of 1–2 OT (of strings) to a wide range of weaker primitives follows by a very simple argument. This is in sharp contrast to previous literature, where reductions of 1–2 OT to weaker flavors have rather complicated and sometimes even incorrect proofs.


Keywords: Hash Function; Noisy Channel; Oblivious Transfer; Obliviousness Condition; Annual IEEE Symposium



Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Ivan B. Damgård (1)
  • Serge Fehr (2)
  • Louis Salvail (1)
  • Christian Schaffner (1)
  1. BRICS, FICS, Aarhus University, Denmark
  2. CWI, Amsterdam, The Netherlands
