Abstract
Oblivious Transfer (OT) is an important building block for multiparty computation (MPC). Since OT requires expensive publickey operations, efficiencyconscious MPC protocols use an OT extension (OTE) mechanism [Beaver 96, Ishai et al. 03] to provide the functionality of many independent OT instances with the same sender and receiver, using only symmetrickey operations plus few instances of some base OT protocol. Consequently there is significant interest in constructing OTE friendly protocols, namely protocols that, when used as baseOT for OTE, result in extended OT that are both roundefficient and costefficient. We present the most efficient OTEfriendly protocol to date. Specifically:

Our base protocol incurs only 3 exponentiations per instance.

Our base protocol results in a 3 round extended OT protocol.

The extended protocol is UC secure in the Observable Random Oracle Model (ROM) under the CDH assumption.
For comparison, the state of the art for base OTs that result in 3round OTE are proven only in the programmable ROM, and require 4 exponentiations under Interactive DDH or 6 exponentiations under DDH [MasneyRindal 19]. We also implement our protocol and benchmark it against the Simplest OT protocol [Chou and Orlandi, Latincrypt 2015], which is the most efficient and widely used OT protocol but not known to suffice for OTE. The computation cost is roughly the same in both cases. Interestingly, our base OT is also 3 rounds. However, we slightly modify the extension mechanism (which normally adds a round) so as to preserve the number of rounds in our case.
You have full access to this open access chapter, Download conference paper PDF
Similar content being viewed by others
1 Introduction
Oblivious Transfer (OT) is a fundamental primitive for multiparty computation (MPC). It has been shown to be complete [GMW87, Kil88] and has become the most widely used building block in both the twoparty setting [Yao86, NNOB12] and the multiparty setting [BLO16, WRK17, HSS17]. However, oblivious transfer is expensive since it requires public key operations [IR89]. This limitation is mitigated by the seminal concept of OT extension [Bea96, IKNP03], which allows the parties to compute \(m = \text {poly}(\kappa )\) number of OTs using only \(\kappa \) “base OTs” and O(m) symmetrickey operations, where \(\kappa \) is the computational security parameter. This yields a large number of OTs at the cost of \(\mathcal {O}(1)\) symmetric key operations.
The stateoftheart protocol for malicious OT extension [KOS15] can compute more than ten million OTs per second in a high bandwidth network setting. As such, it appears that the problem of constructing efficient OT extension has been resolved. However, some challenges remain. First, we note that the cost of the base OTs remains a significant consideration when m is only moderately larger than \(\kappa \) and security against allbutone corruption is needed. For instance, Wang et al. [WRK17] reported that in their implementation of a malicious 128party computation tolerating 127party corruption in the WAN setting, it takes about 140 s to securely evaluate an AES circuit, where 80 s (more than 55% of the total cost!) are spent on computing base OTs.
Another challenge is the number of rounds. Ideally, we would like to obtain extended OT with only two rounds. However, here we have only two known solutions: The original OT extension pf Beaver [Bea96] which is highly inefficient due to nonblackbox use of the underlying symmetrickey primitives, and the Boyle et al. [BCG+19] tworound OT extension, based on the Learning Parity with Noise (LPN) assumption, whose performance is better than IKNPlike OT extension only when the network bandwidth is low (\(\approx \)100 Mbps).
The other approach taken in the literature is to apply a blackbox OT extension (such as that of [KOS15]) to some base OT. This method, however results in an additional round. In fact, recent result by Garg et al. [GMMM18] shows that this is inevitable, namely \((n+1)\) rounds for OT extension are necessary if an nround base OT is used. Thus, this approach seems to result in extended OT protocols with three or more rounds. Furthermore, the stateoftheart tworound OT protocols are much slower than the best threeround OT protocols. For example, the tworound OT by Peikert et al. [PVW08] requires 11 exponentiations. More recently, [MR19] proposed an OT that requires 6 exponentiations under standard DDH assumption or 4 exponentiations under nonstandard IDDH assumption. This means that even threeround extended OT protocols, obtained in this way, are less than optimally efficient.
Another set of challenges revolves around the level of security obtained and the assumptions used. Chou and Orlandi [CO15] proposed a baseOT protocol with malicious security (dubbed as COOT). The work of [HL17] proposed a similar protocol. However, it has been shown [BPRS17, GIR17, LM18] that this protocol and [HL17] cannot be proven secure with simulationbased security because a simulator cannot extract a corrupt receiver’s choice bit. There have been some works [BPRS17, DKLs18] trying to fix this issue, but all of them require either much more computation or higher round complexity. Masny and Rindal [MR19] recently proposed a UCsecure OT in the programmable random oracle model (ROM). Their performance is slightly worse than COOT under nonstandard notion of interactive version of the Decisional Diffie Hellman (IDDH) assumption and much worse under Decisional Diffie Hellman (DDH) assumption.
1.1 Our Contributions
In this paper, we construct an OT protocol tailored to be base OT for the [KOS15] OT extension. Our protocol is highly efficient, and results in a 3 round extended OT that is UC secure in the observable ROM assuming only CDH. See Table 1 for comparison with the state of the art.
The key idea underlying our construction is to design a threeround base OT protocol that circumvents the lower bound proved by Garg et al. [GMMM18]. This is achieved by considering a slight modification of the KOS extension, that is specific to our base OT protocol: The parties use the inputs for the base OT protocol to compute the OT extension messages in parallel to the execution of the baseOT computation. This yields a roundpreserving threeround OT extension protocol. To preserve efficiency, we only use some specific property of the base OT protocol (and thus nonblackbox to base OT), but avoid nonblackbox use of any underlying primitives or computational assumptions. We observe that our protocol is compatible with OT extension protocols [ALSZ15, PSS17, OOS17] in the IKNP domain. It also works for stateoftheart 1outofN OT extension protocols [PSS17, OOS17]. See Sect. 3 for more discussion. Our detailed contributions are listed as follows:

Weaker baseOT Functionality. To securely realize OT extension efficiently, we consider a UCsecure baseOT functionality that allows selective failure attack by a corrupt sender. We further relax the UCsecurity requirement to only sendersided simulationbased security; on the receiverside, we demonstrate that indistinguishability based security suffices for KOS, provided the receiver’s input can be extracted.

Weaker Assumptions. Our protocol is secure assuming CDH in the observable random oracle (ORO) model. Our assumptions and trusted setup are weaker and far more wellstudied than other protocols with comparable efficiency. When used in the OT extension, the OT extension protocol becomes UCsecure.

Best efficiency. Our protocol requires three exponentiations per OT and is as efficient as the COOT [CO15]. This is also experimentally verified based on implementation. Since COOT (which is insecure) is the most efficient among all existing OT protocols, our new OT with provable security is also the most efficient.

Round Preserving. Our OT protocol requires three rounds, one round more than necessary; however, one unique feature of our protocol is that its last two rounds of messages can be securely sent in parallel with the OTextension messages and thus resulting in a threeround OT extension protocol.

Empirical Comparison. Finally, we implement our protocol and demonstrate its high performance. In detail, our protocol is as efficient as the OT by Chou and Orlandi (which cannot be proven UC secure). When used in the OT extension, our protocol results in a even better performance due to reduced round complexity.
We note that the original KOS paper had an interactive coin tossing subprotocol. It resulted in a 5 rounds protocol and it relied on Correlation Robust Function (\( \textsc {CRF}\)). The subprotocol was made noninteractive by the work of [DKLs18] using the FiatShamir transform by relying on a nonprogrammable random oracle. This reduced the round complexity to 3. We consider this round optimized variant of KOS in the RO model since we already require the RO for our OT protocol.
1.2 More Discussion on Related Works
Here we highlight the protocols from prior OT literature that are relevant to our work. A comparison can be found in Table 1.

The tworound UCsecure OT protocol by [PVW08] is a candidate for the base OTs in KOS. Its optimized variant computes 11 exponentiations and is proven secure in the common reference string model under DDH assumption.

The Simplest OT (or COOT) was proposed by Chou and Orlandi [CO15]. It computes 3 exponentiations in the programmable random oracle (PRO) model assuming CDH. It requires 2 rounds to compute a random OT, but their OT messages cannot be parallelized with the OT extension messages, thus resulting in a 4 round OT extension. It has been shown [LM18] that this protocol cannot be proven secure with simulationbased security because a simulator cannot extract a corrupt receiver’s choice bit. For proving UCsecurity of the OT extension protocol, the inputs of the receiver (of the base OT) has to be extracted.

The work of [DKLs18] proposed a 5 round OT protocol, with selective failure, for the base OTs in the ORO model. They compute 3 exponentiations per OT and incur a onetime computation of a noninteractive zeroknowledge proof of knowledge (NIZKPoK) for Discrete Log. The high round complexity of the base OTs leads to a 6 round OT extension since their last OT message cannot be parallelized with the last message of the OT extension.

A recent work by [MR19] proposed noninteractive OTs from noninteractive Key Exchange. The resulting OT extension would still require 3 rounds. Their optimized variant requires 4 exponentiations under IDDH assumption and their unoptimized variant requires 6 exponentiations in the PRO model. However, IDDH is not known to be reducible to the standard DDH assumption.

Silent OT extension [BCG+19] does not follow the IKNPstyle extension. Instead, it can be viewed as a special case of vector OLE [BCGI18] and requires an LPN assumption. The resulting protocol can be more efficient than KOS under low network bandwidth.
Roadmap. In the next section, we introduce some notations and important concepts used in this paper. In Sect. 3, we present the key intuitions behind our protocols. This is followed by our weakened OT functionality in Sect. 4. Then, we show that our weakened OT functionality suffices to obtain the KOS OT extension in Sect. 5. We instantiate \(\kappa \) instances of our OT functionality in Sect. 6. Finally, we present our implementation details and compare it with the COOT in Sect. 7.
2 Preliminaries
Notations. We denote by \(a \leftarrow D\) a uniform sampling of an element a from a distribution D. The set of elements \(\{1,\ldots ,n\}\) is represented by [n]. A function \(\textsf {neg}(()\cdot )\) is said to be negligible, if for every polynomial \(p(\cdot )\), there exists a constant c, such that for all \(n > c\), it holds that \(\textsf {neg}(()n) < \tfrac{1}{p(n)}\). We denote a probabilistic polynomial time algorithm as PPT. We denote the computational security parameter by \(\kappa \) and statistical security parameter by \(\mu \) respectively. Let \(\mathbb {Z}_q\) denote the field of order q, where \(q=\frac{p1}{2}\) and p are primes. Let \(\mathbb {G}\) be the multiplicative group corresponding to \(\mathbb {Z}_p^*\) with generator g, where CDH assumption holds. We denote a field of size \(2^\kappa \) as \(\mathbb {F}\). Our security proofs are in the Universal Composability (UC) framework of [Can01]. We refer to the original paper for details. For a bit \(b \in \{0,1\}\), we denote \(1b\) by \(\bar{b}\). We denote a matrix as \(\mathbf {M}\) where \(\mathbf {M}^i\) refers to the ith column and \(\mathbf {M}_j\) as the jth row of \(\mathbf {M}\) respectively. Given a field element \(x \in \mathbb {F}\) and a bit vector \(\mathbf {a}=(a_1, a_2, \ldots , a_\kappa )\) we denote componentwise multiplication as \(x \cdot \mathbf {a}= (a_1 \cdot x, a_2 \cdot x, \ldots , a_\kappa \cdot x)\). In our OT extension protocol, the sender is denoted as \(\textsf {S}_{\textsf {Ext}} \) and the receiver is denoted as \(\textsf {R}_{\textsf {Ext}} \) respectively.
Random Oracle Model. A random oracle (RO) functionality is parametrized by a domain and a range and it is as \(\mathcal {F}_\textsf {RO}\) in Fig. 2. A random oracle query on message m is denoted by \(\mathcal {F}_\textsf {RO}(m)\). The random oracle functionality can be broadly classified [CDG+18] into three categories based on its features plain RO, observable RO and programmable RO. A plain RO returns a random string, from its range, upon being queried on a message m, from its domain. An observable RO inherits the properties of the plain RO but in addition it grants the simulator to observe the queries made, to \(\mathcal {F}_\textsf {RO}\), by the adversary. Our proofs hold in the global RO (GRO) model of [CJS14] where the observable RO is replaced by the GRO.
Tweakable Correlation Robust Hash. OT extension requires a correlation robust hash function. We adopted the definition proposed by Guo et al. [GKW+19], where a tweak is explicitly included in the hash function too. Given a function \( \textsc {CRF}: \mathcal {T} \times \{0,1\}^\kappa \rightarrow \{0,1\}^\kappa \), define \(\mathcal{O}_{\varDelta }(t, w)\,{\mathop {=}\limits ^\mathrm{def}}\, \textsc {CRF}(t, w \oplus \varDelta )\), where \(t\in \mathcal {T} \). Let \(\mathsf{Func}\) denote the set of functions from \( \mathcal {T} \times \{0,1\}^\kappa \) to \(\{0,1\}^\kappa \).
Definition 1
Given a function \( \textsc {CRF}: \mathcal {T} \times \{0,1\}^\kappa \rightarrow \{0,1\}^\kappa \), a uniform distribution on \(\{0,1\}^\kappa \) namely \(U_{\kappa }\), we say that CRFis tweakable correlation robust if for any PPT distinguisher \(D \), if
Note that in our use of tweakable correlation robust hash, \(\mathcal {T}\) is a tuple of values, one for \({\mathsf {sid}}\) and one for index i.
Oblivious Transfer. In a 1outof2 OT, we have a sender (S) holding two inputs \(a_0,a_1 \in \{0,1\}^n\) and a receiver (\(\textsf {R}\)) holding a choice bit b. The correctness of OT means that \(\textsf {R}\) will obtain \(a_b\) as the outcome of the protocol. At the same time, S should learn nothing about b, and \(\textsf {R} \) should learn nothing about the other input of S, namely \(a_{\bar{b}}\). The ideal OT functionality \(\mathcal {F}_{\textsf {OT}}\) is shown in Fig. 1.
3 Technical Overview
In this section we give an overview of our technical contributions. First, we recall the KOS OT extension from a highlevel. We argue that the base OTs in KOS do not require UC security. Building on this idea, we propose a weaker OT functionality and then we provide an efficient threeround OT protocol which would yield a three round OT extension.
3.1 Overview of KOS
In the KOS OT extension, the sender \(\textsf {S}_{\textsf {Ext}} \) and receiver \(\textsf {R}_{\textsf {Ext}} \) wants to generate m OTs using \(\kappa \) invocations to \(\mathcal {F}_{\textsf {OT}}\) (base OTs) and symmetric key operations. The sender \(\textsf {S}_{\textsf {Ext}} \) plays the role of a receiver in the base OTs. He samples a random \(\kappa \) bit string \(\mathbf {s}\) and invokes ith instance of \(\mathcal {F}_{\textsf {OT}}\) with ith bit of \(\mathbf {s}\) for \(i \in [\kappa ]\). The receiver \(\textsf {R}_{\textsf {Ext}} \) invokes \(\mathcal {F}_{\textsf {OT}}\) as sender with random pads \((\mathbf {k}_{i, 0}, \mathbf {k}_{i, 1})\). \(\textsf {S}_{\textsf {Ext}} \) obtains \(\mathbf {k}_{i, s_i}\) from the ith base OT. In addition, \(\textsf {R}_{\textsf {Ext}} \) also sends a mapping \(\mathbf {D}\) from his inputs to the \((\mathbf {k}_{i, 0}, \mathbf {k}_{i, 1})\) values. Upon obtaining this mapping \(\mathbf {D}\) and the baseOT output, the sender computes his mapping \(\mathbf {Q}\). He computes correlated pads for the extended OTs using \(\mathbf {s}\) and \(\mathbf {Q}\) as \( \textsc {CRF}({\mathsf {sid}}, j, \mathbf {Q}_j)\) and \( \textsc {CRF}({\mathsf {sid}}, j, \mathbf {Q}_j \oplus \mathbf {s})\) for \(j \in [m]\), where \( \textsc {CRF}\) is a correlation robust function. If the receiver’s input bit for jth extended OT is 0, then he can compute \(\mathbf {Q}_j\), else he can compute \(\mathbf {Q}_j \oplus \mathbf {s}\). The other value remains hidden due to \(\mathbf {s}\) and security of \( \textsc {CRF}\). Using the correlated pads, \(\textsf {S}_{\textsf {Ext}} \) encrypts his inputs for the extended OTs and sends it to \(\textsf {R}_{\textsf {Ext}} \).
In addition, \(\textsf {S}_{\textsf {Ext}} \) also performs a consistency check on matrix \(\mathbf {D}\) is correctly formed by \(\textsf {R}_{\textsf {Ext}} \), else a malformed \(\mathbf {D}\) matrix would leak the bits of \(\mathbf {s}\) rendering the protocol insecure. The original KOS paper had an interactive check phase. It was made noninteractive by the work of [DKLs18] using the FiatShamir transform by relying on the observable random oracle. Our protocol also uses the same noninteractive check to obtain a 3round OT extension protocol where the checks are run in the second OT extension message. The base OTs are run for 3 rounds and the last message of the OT extension is sent in parallel to the last message of the base OT. Next, we discuss our proposed relaxations in the base OT functionality.
3.2 Relaxation in the OT Functionality
Firstly, it can be observed that the parties invoke the base OTs in KOS with random OTs. So, one can consider random OT functionality instead of full OT functionality. Next, we can allow selective failure in the base OTs. The work of KOS and [DKLs18] showed that the base OTs do not require full UCsecurity of an OT functionality. Instead, the functionality can allow a corrupt sender (i.e. \(\textsf {R}_{\textsf {Ext}} \) in the OT extension) to launch a selective failure attack on the \(\mathbf {s}\) bits of the receiver (i.e. \(\textsf {S}_{\textsf {Ext}} \) in the OT extension). In such a case, the corrupt \(\textsf {R}_{\textsf {Ext}} ^*\) will still have a negligible advantage in breaking the security of the extended OTs. We claim that the OT functionality can be further relaxed based on the following observations in the KOS protocol.

1.
Delayed input extraction of receiver: The inputs of the receiver (\(\textsf {S}_{\textsf {Ext}} \)) in the base OTs can be extracted after \(\textsf {S}_{\textsf {Ext}} \) sends the last message of the OT Extension protocol. Recall, that the last message of the OT Extension protocol consists of the inputs of \(\textsf {S}_{\textsf {Ext}} \) encrypted with the correlated pads. The simulator against a corrupt \(\textsf {S}_{\textsf {Ext}} ^*\) can simulate the second message of the OT extension without the knowledge of \(\mathbf {s}\). Later, it can extract \(\mathbf {s}\) from the base OTs and then extract \(\textsf {S}_{\textsf {Ext}} \)’s inputs from the last message.

2.
Corrupt receiver can abort after base OT: A corrupt receiver (\(\textsf {S}_{\textsf {Ext}} \)) can abort after obtaining the results of baseOT protocol corresponding to \(\mathbf {s}\). In such a case, the honest \(\textsf {R}_{\textsf {Ext}} \) would just abort the protocol as the base OTs resulted in an abort. For each base OT, one of the input of \(\textsf {R}_{\textsf {Ext}} \) remain hidden from \(\textsf {S}_{\textsf {Ext}} \) due to the security of the OT; thus hiding \(\textsf {R}_{\textsf {Ext}} \)’s inputs.

3.
Batch of \(\kappa \) OT: The OT extension protocol requires \(\kappa \) base OTs between the parties. So, the base OTs can be computed in a batch of \(\kappa \) OTs instead of \(\kappa \) independent instances of the OT protocol.
Based on the above observations we can consider the following relaxations to the OT functionality for a corrupt receiver.

1.
Indistinguishability based security against corrupt receiver with input extraction: We can reduce the simulation based security for a corrupt receiver to an indistinguishability based security. We need an extractor algorithm \(\textsf {Ext} \) that can extract the input bit b of a corrupt receiver, given blackbox access to it. The corrupt receiver cannot distinguish its real world view from a view constructed with the sender’s message corresponding to bit \(\bar{b}\) set as \(0^\kappa \).

2.
Corrupt receiver can abort without input extraction: A corrupt receiver can decide to abort in the OT functionality and in such a case the \(\textsf {Ext} \) does not need to extract his inputs.

3.
Corrupt receiver cannot compute both sender messages: A corrupt receiver cannot compute both sender input messages from the OT transcript and his internal randomness, even if he aborts the protocol.
3.3 Usage in KOS OT Extension
The above relaxations in the baseOT functionality are justified since we do not require simulation based security in the OT extension protocol for the base OTs. This is because the base OTs are internal to the protocol; hence the input/output of the honest parties in the base OTs are inaccessible to the environment \(\mathcal {Z}\) who tries to distinguish between real and ideal world executions of the OT extension protocol. Indistinguishability based security suffices for a corrupt receiver (i.e. a corrupt \(\textsf {S}_{\textsf {Ext}} \)) in the base OTs, if we are guaranteed that the following conditions hold:

1.
If the base OTs succeed then the input \(\mathbf {s}\) of the receiver (i.e. \(\textsf {S}_{\textsf {Ext}} \)) can be extracted after obtaining the OT extension last message as that is used by the simulator (for a corrupt \(\textsf {S}_{\textsf {Ext}} ^*\)) to extract the input messages of \(\textsf {S}_{\textsf {Ext}} ^*\). This is guaranteed by the correctness of \(\textsf {Ext} \) algorithm when the base OT protocol succeeds.

2.
In case the base OT aborts, then the \(\textsf {Ext} \) does not need to extract the inputs of \(\textsf {S}_{\textsf {Ext}} ^*\) since the OT extension protocol terminates with an abort too.

3.
The corrupt \(\textsf {S}_{\textsf {Ext}} ^*\) should not be able to distinguish between the real world interaction with honest \(\textsf {R}_{\textsf {Ext}} \), and ideal world interaction with the simulator. In the ideal world, the simulator runs with input for the extended OTs as all 0s string. \(\textsf {S}_{\textsf {Ext}} ^*\), playing the role of receiver in the base OT, cannot compute both sender messages of the base OT. Based on this property, we tweak our OT extension protocol by relying on the random oracle. The tweak ensures that one of the sender’s messages in the each base OT will be hidden from \(\textsf {S}_{\textsf {Ext}} ^*\). Thus, he cannot distinguish the real world from the ideal world by relying on the security of the original KOS protocol. Our tweak incurs a minimal overhead of 2 RO queries for each base OT.
We also utilize the fact that the base OTs are computed in a batch of \(\kappa \) OTs. This allows us to efficiently implement a batch of \(\kappa \) instances of the above (weakened) OT functionality based on observable random oracle. Next, we discuss our OT protocol which implements a batch of \(\kappa \) instances of weak OT functionality, as discussed above.
3.4 Optimized OT Protocol in the Observable RO Model
We consider an OT protocol in the observable random oracle model where the receiver \(\textsf {R} \) generates receiver OT parameter T by invoking a random oracle \(\mathcal {F}_\textsf {RO1}\) on a \(\textsf {seed}\). He samples a random \(\alpha \leftarrow \mathbb {Z}_q\) and computes his first message based on his input bit b as B, where
He sends B and \(\textsf {seed}\) to the sender \(\textsf {S} \). The sender computes T from \(\textsf {seed}\) and samples a random \(r \leftarrow \mathbb {Z}_q\). \(\textsf {S} \) computes sender OT parameters \(z=g^r\) and sends z to \(\textsf {R} \). \(\textsf {S} \) computes his random pads \(p_0\) and \(p_1\) by invoking a random oracle \(\mathcal {F}_\textsf {RO2}\) as follows:
Upon obtaining z, \(\textsf {R} \) computes his output pad \(p_b\) as follows:
This protocol ensures that a corrupt receiver \(\textsf {R} ^*\) cannot compute both random pads as that would require invoking \(\mathcal {F}_\textsf {RO2}\) on \(B^r\) and \((\tfrac{B}{T})^r = \frac{B^r}{T^r}\). Such a corrupt receiver could be used to break the CDH assumption where \((T, z)=(g^t, g^r)\) is the CDH challenge. The queries made by \(\textsf {R} ^*\) to \(\mathcal {F}_\textsf {RO2}\) can be used to obtain \(T^r\) which is the answer to the CDH challenge. This OT protocol also perfectly hides the input b of an honest receiver from a corrupt receiver as \(\alpha \) and \(\alpha t\) are valid receiver randomness for \(b=0\) and \(b=1\) respectively, where \(B=g^\alpha \). However, this protocol doesn’t allow extraction of receiver or sender’s inputs from the OT messages in the observable RO model.
Adding Receiver Input Extraction. To add receiver’s input extraction the sender adds a challenge in the second round of the OT protocol.
The receiver has to respond to the challenge by computing his answer \(\texttt {Ans}\).
\(\textsf {R} \) has to query \(\mathcal {F}_\textsf {RO3}\) to compute \(\texttt {Ans}\) and assists a simulator to extract a corrupt receiver’s input. \(\textsf {R} \) sends \(\texttt {Ans}\) to the sender in a third OT message. This increases the round complexity to 3 but it ensures that the simulator can extract the receiver’s input bit from the RO queries of \(\mathcal {F}_\textsf {RO3}\) if \(\texttt {Ans}\) is valid. This is similar to the challengeresponse paradigm introduced in the work of [DKLs18]. However, a corrupt sender can compute the challenge in a malicious way such that he can find out the bits of receiver from the response and the receiver fails to identify such an attack. The work of [DKLs18] tackles this issue by making the sender open his randomness (for computing the challenge) to the receiver in a fourth OT message. We ensure correctness of the challenge by making the sender send a proof \(\gamma \) along with the challenge in the second OT message,
After obtaining the second OT message, the receiver can compute \(\texttt {Ans}\) and verify the proof \(\gamma \). If \(\gamma \) is valid then he sends \(\texttt {Ans}\) to sender else he aborts. This ensures input extraction of receiver as argued before but it adds selective failure attack by a corrupt sender \(\textsf {S} ^*\). \(\textsf {S} ^*\) can try to guess the bits of receiver and based on that he can maliciously construct the challenge. However, our OT functionality accommodates selective failure attack over a batch of \(\kappa \) OTs and hence this challengeproveresponse paradigm would work in our case. Next, we show that this trick already provides extraction of a corrupt sender’s input.
Adding Sender Input Extraction. Our challengeproveresponse paradigm allows us to construct a protocol where the sender’s inputs can be extracted if a batch of \(\ell > \mu \) OTs are run together. In KOS, \(\kappa \) OTs are run where \(\kappa >\mu \). Now, we will explain the reason behind our assumption of \(\ell >\mu \). In a batch of \(\ell \) OTs, every OT uses the same T and \(z=g^r\), i.e. the ith OT pad is of the form:
where \(B_i\) is chosen by \(\textsf {R} \) based on his randomness \(\alpha _i\) and input bit \(b_i\) for the ith OT. In such a case, the sender sends a unique challenge \(\textsf {chall}_i\) for each OT as follows:
Now, the receiver computes the answer \(\textsf {resp}\) to the challenge as:
The answer to the challenge is optimized to sending one string for the whole batch instead of \(\kappa \) strings, as follows:
The proof sent by the sender is also modified accordingly as:
The receiver can check his computed answer with the proof and then respond with \(\texttt {Ans}\). This tweak allows us to extract a corrupt sender’s input for \(\ell >\mu \) OTs. The simulator can extract \(T^r\) by observing the queries \(B_i^r\) and \((\tfrac{B_i}{T})^r\) made by \(\textsf {S} \) to \(\mathcal {F}_\textsf {RO2}\). Sender needs to query \(\mathcal {F}_\textsf {RO2}\) for computing \(p_{i, 0}\) and \(p_{i, 1}\) values, which are in turn used to compute the challenge and proof for \(\ell >\mu \) OTs. Sender can avoid querying \(\mathcal {F}_\textsf {RO2}\) with both \(B_i^r\) and \((\tfrac{B_i}{T})^r\). In that case, he has to either guess the corresponding RO query results, i.e. \(p_{i, 0}\) or \(p_{i, 1}\), or he launches a selective failure attack for every OT and he has to correctly guess receiver’s input bit for every OT. This is because, the receiver’s input is random and he will compute the \(\texttt {Ans}\) and it will not match with the \(\gamma \) sent by the sender, except with \(2^{\mu }\) probability, since \(\gamma \) and \(\textsf {chall}_i\) were computed without correctly computing the \(p_{i, 0}\) or \(p_{i, 1}\) values, for every \(i \in [\ell ]\). Thus, the simulator can observe \(\mathcal {F}_\textsf {RO2}\), compute the candidate \(p_{i, 0}, p_{i, 1}\), match with \(\textsf {chall}_i\) values and \(\gamma \) and extract the correct \(T^r\). Using \(T^r\), he can extract the sender’s input messages.
3.5 Circumventing the Impossibility Result of [GMMM18]
We circumvent the impossibility result of [GMMM18] by allowing the OT extension receiver \(\textsf {R}_{\textsf {Ext}} \), i.e. base OT sender, to use the base OT output messages to send his mapping \(\mathbf {D}\) in the second round of the OT extension protocol. If the base OT receiver fails to answer the base OT challenge then \(\textsf {R}_{\textsf {Ext}} \) aborts else he computes his OT extension output message. The base OT security ensures that a corrupt base OT receiver (i.e. \(\textsf {S}_{\textsf {Ext}} ^*\)) cannot compute both messages of the base OT sender (i.e. \(\textsf {R}_{\textsf {Ext}} \)). This hides the input of \(\textsf {R}_{\textsf {Ext}} \) in \(\mathbf {D}\) even though we use the base OT messages before it has terminated. Such nonblackbox usage of the 3 round baseOT protocol allows us to obtain a 3 round OT extension protocol.
4 Weakening the Oblivious Transfer Functionality
In this section, we discuss the type of security that we require from the base OT protocols of the KOS OT extension. We demonstrate that by gradually relaxing the \(\mathcal {F}_{\textsf {OT}}\) functionality, where the parties choose their own input, to a random OT where the functionality provides random inputs to the parties. Next, we allow selective failure attack by a sender on receiver’s inputs and define it as \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\). We also allow a corrupt receiver to abort the protocol. We relax the UCsecurity of this protocol to onesided simulation. Finally, we formally define our notion of weakened OT which provides simulation based security for a corrupt sender and indistinguishability security against a corrupt receiver.
Random Oblivious Transfer. The OT functionality can be relaxed to consider random inputs, i.e. \(\mathcal {F}_{\textsf {rOT}}\). In this case, the inputs of an honest sender and an honest receiver are chosen randomly by the functionality. However, a malicious sender (also a malicious receiver) can choose his own inputs. The ideal random OT functionality has been presented in Fig. 3.
Random Oblivious Transfer with Selective Failure and Explicit Abort. We can further weaken the \(\mathcal {F}_{\textsf {rOT}}\) functionality to allow selective failure attacks by a corrupt sender. Here, the corrupt sender \(\textsf {S} ^*\) can try to guess the random input of the receiver by setting its message, corresponding to bit 0 as \(\bot \), whereas the message corresponding to bit 1 is set correctly. An honest receiver would abort if his input bit b is 0, else he continues with the protocol. This would leak b to \(\textsf {S} ^*\). We also allow a corrupt receiver \(\textsf {R} ^*\) to explicitly abort the protocol after it obtains its input message \(a_b\). In such a case, the functionality notifies the sender regarding the abort. Our \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\) functionality has been modeled in Fig. 4.
Oblivious Transfer for KOS. It was shown in the work of KOS and [DKLs18] that \(\kappa \) instances of \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\) (without the Abort option) suffices to instantiate the \(\kappa \) base OTs in the KOS OT extension protocol. However, this requires simulation based security against a corrupt \(\textsf {R} ^*\), where the simulator needs to extract the input of \(\textsf {R} ^*\) and simulate the sender’s message s.t. they open to the correct message, i.e. \(a_b\), even if \(\textsf {R} ^*\) aborts the protocol. However, such a strong requirement from \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\) is an overkill for instantiating the baseOT protocols. We demonstrate that the security against a corrupt receiver can be reduced to indistinguishability based security and his input need not be extracted when he aborts. More precisely:

Indistinguishability against a Malicious : In the KOS OT extension, the invocations to the base OT functionality is internal to the OT extension protocol. The environment \(\mathcal {Z}\) does not have access to it; hence it cannot choose inputs for the honest parties in the base OT functionality. This permits us to use an efficient OT protocol to emulate the functionality, s.t. it provides simulation based security against a corrupt \(\textsf {S} ^*\) whereas for a corrupt \(\textsf {R} ^*\), it provides indistinguishability based security. Such a relaxation allows us to use observable random oracle instead of a programmable one in 3 rounds. Previous protocols, like [DKLs18] used observable RO but they required 5 rounds for the base OTs, where the last 2 rounds where spent in simulating the honest sender’s messages, i.e. providing simulation based security against corrupt \(\textsf {R} ^*\). The work of [MR19] obtain a tworound OT but they require twice the amount of exponentiation as ours by extracting the receiver’s input from the first OT message.

Input of need not be extracted during Abort: When the sender \(\textsf {S}_{\textsf {Ext}} ^*\) of the OT extension protocol (acting as the receiver \(\textsf {R} ^*\) of the base OTs) misbehaves and causes an abort, the OT extension protocol leads to an abort. In such a case, the input messages (in the extended OTs) of \(\textsf {S}_{\textsf {Ext}} ^*\) need not be extracted. Hence, it is not necessary to extract the inputs of \(\textsf {S}_{\textsf {Ext}} ^*\)(or \(\textsf {R} ^*\)) in the base OTs. This allows us to push the extraction of the \(\textsf {R} ^*\) input until the last round of the base OT (in our case also the last round of OT extension), where it can be extracted when he computes the base OTs correctly. In case he aborts then it is guaranteed that he cannot compute both sender messages. This allows us to save on the number of exponentiations.

Batch of \(\kappa > \mu \) OTs: We consider a batch of \(\kappa >\mu \) invocations of OT protocol for the base OTs. This is necessary since a corrupt receiver of OT extension \(\textsf {R}_{\textsf {Ext}} ^*\) can launch a selective failure attack on the inputs of \(\textsf {S}_{\textsf {Ext}} \) to the base OT. Since the inputs are random, \(\textsf {R}_{\textsf {Ext}} ^*\) can at most determine \(\mu \) inputs bits of \(\textsf {S}_{\textsf {Ext}} \)’s randomness. However, that gives him a negligible advantage in breaking the security of the OT extension protocol due to the security of the underlying OT extension protocol.
We also assume there exists a PPT algorithm \(\textsf {Ext} \) that can extract the input of a malicious \(\textsf {R} ^*\), if he does not abort the protocol. We formally define our sendersimulatable \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\) with the following security properties required against a corrupt receiver:
Definition 2
Let \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\) be the Oblivious Transfer functionality as shown in Fig. 4. We say that a protocol \(\pi _{\textsf {OT}}\) securely computes \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\) with sendersided simulation with input extractability of receiver if the following holds:

1.
For every nonuniform PPT adversary \(\textsf {S} ^*\) controlling the sender in the real model, there exists a nonuniform PPT adversary \(\textsf {Sim}\) for the ideal model, such that for any environment \(\mathcal {Z}\),
$$\textsc {ideal}_{\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}, \textsf {Sim}, \mathcal {Z}}((a_0, a_1), b, z)_{z \in \{0,1\}^*} \approx \textsc {real}_{\pi _{\textsf {OT}}, \textsf {S} ^*, \mathcal {Z}}((a_0, a_1), b, z)_{z \in \{0,1\}^*}.$$ 
2.
For every nonuniform PPT adversary \(\mathcal {A}\) controlling the receiver \(\textsf {R} ^*\), the following holds:

Property 1: If the sender did not abort, then there exists a PPT extractor algorithm Ext such that the following holds:
$$\begin{aligned} \Pr \Bigg [ (a_0, a_1) \leftarrow \textsf {S} ^{\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}}, (b, a_b)&\leftarrow \mathcal {A}^{\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}}, b' \leftarrow \textsf {Ext} ^\mathcal {A}\\&: (b \ne b') \wedge (a_0 \ne \bot ) \wedge (a_1 \ne \bot ) \Bigg ] \le \textsf {negli}(\kappa ) \end{aligned}$$ 
Property 2: If the sender did not abort, then the view of \(\textsf {R} ^*\) is independent of \(a_{\bar{b}}\). More formally the following condition holds:
$$\mathcal {V}^{\textsf {S}}_{\pi _{\textsf {OT}}, \textsf {R} ^*(z)}((a_0, a_1), b, z)_{z \in \{0,1\}^*} \approx \mathcal {V}^{\textsf {S}}_{\pi _{\textsf {OT}}, \textsf {R} ^*(z)}((\widetilde{a_0}, \widetilde{a_1}), b, z)_{z \in \{0,1\}^*},$$where \(\textsf {Ext} \) outputs b on interacting with \(\textsf {R} ^*\). \(\mathcal {V}^{\textsf {S}}_{\pi _{\textsf {OT}}, \textsf {R} ^*(z)}\) denotes the view of adversarial \(\textsf {R} ^*\) after a real execution of protocol \(\pi _{\textsf {OT}}\) with the honest sender \(\textsf {S} \), with random sender inputs \((a_0, a_1)\), and \((\widetilde{a_0}, \widetilde{a_1})\) where \(\widetilde{a_{b}}\leftarrow \{0,1\}^\kappa \) and \(\widetilde{a_{\bar{b}}}=0^\kappa \) respectively.

Property 3: \(\textsf {R} ^*\) cannot compute both sender messages except with negligible probability. More formally the following condition holds:
$$\Pr \Bigg [ (a_0, a_1) \leftarrow \textsf {S} ^{\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}}, (a_0', a_1') \leftarrow \mathcal {A}^{\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}} : (a_0=a_0') \wedge (a_1=a_1') \Bigg ] \le \textsf {negli}(\kappa )$$

5 Oblivious Transfer Extension Using
In this section we show that the base OTs (a.k.a seed OTs) in the KOS OT extension can be instantiated using \(\kappa \) invocations to the modified (according to Definition 2) \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\). This results in an efficient seed OT phase, where each base OT requires 3 exponentiations. We assume that there exists a protocol \(\pi _{\textsf {OT}}^\kappa \) which implements(according to Definition 2) \(\kappa \) instances of \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\). Then we use \(\pi _{\textsf {OT}}^\kappa \) to implement the base OTs. Our protocol has been presented in Fig. 5.
5.1 Security Proof
We prove UCsecurity of our OT extension protocol \(\pi _{\textsf {KOS}}\) by relying on the security properties of \(\pi _{\textsf {OT}}^\kappa \), correlation robust function, PRG and RO. More precisely, we prove Theorem 1.
Theorem 1
Assuming \(\textsf {PRG}\) is a secure pseudorandom generator, \( \textsc {CRF}\) is a tweakable correlation robust function, \(\mathcal {F}_\textsf {RO2}\) is an observable random oracle and \(\pi _{\textsf {OT}}^\kappa \) implements (according to Definition 2) \(\kappa \) instances of \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\), then \(\pi _{\textsf {KOS}}\) UCsecurely implements \(m=\text {poly}(\kappa )\) instances of \(\mathcal {F}_{\textsf {OT}}\) functionality.
Proof
We will first argue security for a corrupt sender and then for a corrupt receiver. In both cases, we give a simulator algorithm and provide an indistinguishability argument.
The simulator for a statically corrupt \(\textsf {S} ^*\) constructs the \(\mathbf {M}, \mathbf {R}\) and \(\mathbf {D}\) matrices using \(\mathbf {r}= 0^m\) by following the honest receiver algorithm. \(\textsf {S} ^*\) cannot obtain both \(\mathbf {k}_{i, 0}\) and \(\mathbf {k}_{i, 1}\) (due to the security of \(\pi _{\textsf {OT}}^\kappa \) against a corrupt receiver). Hence, \(\mathbf {R}\) remains hidden due to the \(\textsf {PRG}\) security. The simulator will invoke the \(\textsf {Ext} \) algorithm of \(\pi _{\textsf {OT}}^\kappa \) to obtain the randomness of \(\textsf {S} ^*\), i.e. \(\mathbf {s}\). Using \(\mathbf {s}\), the simulator can compute back the sender’s messages. Our simulator has been provided in Fig. 6. We argue indistinguishability between real and ideal world by providing hybrids and proving indistinguishability between each pair of consecutive hybrids as follows:

: Real world.

: Same as \(\textsf {HYB}_{\textsc {0}}\), except the reduction constructs \(\mathbf {M}, \mathbf {D}\) and \(\mathbf {R}\) using \(\mathbf {r}=0^m\). Indistinguishability follows since the corrupt sender cannot compute both messages in the base OTs due to security of \(\pi _{\textsf {OT}}^\kappa \). Then one of \(\mathcal {F}_\textsf {RO1}({\mathsf {sid}}, \mathbf {k}_{i, 0})\) and \(\mathcal {F}_\textsf {RO1}({\mathsf {sid}}, \mathbf {k}_{i, 1})\) remains hidden for every \(i \in [\kappa ]\) due to the RO assumption of \(\mathcal {F}_\textsf {RO1}\).

: Same as \(\textsf {HYB}_{\textsc {1}}\), except the reduction extracts \(\mathbf {s}\) by invoking \(\textsf {Ext} \) algorithm of \(\pi _{\textsf {OT}}^\kappa \). Indistinguishability follows due to the correctness of \(\textsf {Ext} \) algorithm, which is guaranteed by the security of \(\pi _{\textsf {OT}}^\kappa \) when the OT extension sender does not abort.

: Same as \(\textsf {HYB}_{\textsc {2}}\), except the reduction successfully extracts sender’s input messages using \(\mathbf {M}\) and \(\mathbf {s}\). This \(\textsf {HYB}_{\textsc {3}}\) is identical to \(\textsf {HYB}_{\textsc {2}}\) due to correctness of the OT extension protocol.
Next, we discuss the simulation for a corrupt \(\textsf {R} ^*\). The simulator will extract the \((\mathbf {k}_{i, 0}, \mathbf {k}_{i, 1})\) values by invoking the simulator(for corrupt sender) of \(\pi _{\textsf {OT}}^\kappa \). A corrupt \(\textsf {R} ^*\) can perform selective failure attack on the base OTs but the KOS protocol is resilient to such attacks. \(\textsf {R} ^*\) can also construct the \(\mathbf {R}\) matrix in such a way that it is not monochrome, i.e. some of the rows of \(\mathbf {M}\) does not contain all 0s or all 1s. In such a case the consistency checks detect it with high probability and the sender aborts. If the checks pass, then \(\textsf {R} ^*\) infers limited knowledge about the bits of \(\mathbf {s}\). We refer to the original KOS [KOS15] paper for more details. Our simulator algorithm has been presented in Fig. 7. Next, we present our hybrids and indistinguishability argument:

: Real world.

: Same as \(\textsf {HYB}_{\textsc {0}}\), except the reduction invokes the simulator (for corrupt sender) of \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\) to obtain \((\mathbf {k}_{i, 0}, \mathbf {k}_{i, 1})\).

: Same as \(\textsf {HYB}_{\textsc {1}}\), except the reduction aborts if \(\mathbf {M}\) has more than \(\mu \) nonmonochromatic rows. The real world sender would abort due to the correctness of the consistency checks, which follow from the RO assumption. Thus, indistinguishability follows from the RO assumption.

: Same as \(\textsf {HYB}_{\textsc {2}}\), except the simulator extracts \(\textsf {R} ^*\) input and simulates the \(\mathbf {y}_{j, 0}\) and \(\mathbf {y}_{j, 1}\) according to the simulation algorithm. Indistinguishability follows due to the \( \textsc {CRF}\) assumption. \(\square \)
5.2 Efficiency
Our instantiation of the KOS protocol has a minimal overhead of two random oracle, per base OT, on top of the modified KOS protocol of [DKLs18]. The original communication complexity remains preserved. Using FiatShamir like transform of [DKLs18] the consistency checks have become noninteractive. In the original KOS protocol, the consistency checks required 2 extra rounds for cointossing protocol between the parties. In the next section we will provide an efficient protocol for \(\pi _{\textsf {OT}}^\kappa \) using 3 rounds. The baseOT messages can be sent in parallel to the OT extension messages. Thus, it would be round preserving and it will circumvent the impossibility result of [GMMM18] since we consider nonblackbox usage of the baseOT protocol.
6 Implementing Instances of
In this section we present our protocol \(\pi _{\textsf {OT}}^\ell \) which implements (according to Definition 2) \(\ell = \kappa \) instances of \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\) assuming Observable Random Oracle, where \(\kappa > \mu \). We refer to Sect. 3 for a detailed overview. Our protocol has been presented in Fig. 8.
6.1 Security Proof
We prove security of our protocol \(\pi _{\textsf {OT}}\) by proving Theorem 2. In Sect. 5, we will show that such a relaxation in security suffices for KOS OT extension.
Theorem 2
Assuming the Decisional DiffieHellman holds in group \(\mathbb {G}\), then \(\pi _{\textsf {OT}}^\kappa \) (Fig. 8) UCsecurely implements \(\ell (>\mu )\) instances of \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\) functionality (according to Definition 2) in the observable random oracle model with sendersided simulation.
Proof
We will first argue security for a corrupt sender and then for a corrupt receiver. In the first case we provide a simulator and in the latter part we provide an indistinguishability argument.
The simulator for a statically corrupt sender \(\textsf {S} ^*\) will use the observability of the ROs to extract the sender’s input, since he cannot program \(\mathcal {F}_\textsf {RO1}\) on \(\textsf {seed}\). He will compute the receiver message with random input bits. He can compute either \(g^{\alpha _ir}\) by following the receiver algorithm and extract one of the sender’s input message for ith OT. In order to extract the other sender’s input message, he needs to find out \(T^r\). Assume for sake of simplicity, that the simulator’s input bit for all OTs are \(b_i=0\) and he can compute \(p_{i, 0}\) and \(a_{i, 0}\), for all \(i \in [\kappa ]\). He tries to compute \(p_{i, 1}\) values as follows:

1.
Observe the queries made by \(\textsf {S} ^*\) to \(\mathcal {F}_\textsf {RO3}\) for computing \(\textsf {chall}_i\) using \(p_{i, 1}\) for every \(i \in [\kappa ]\). Extract candidate \(p_{i, 1}\) values s.t. \(\textsf {chall}\) is wellformed using \(p_{i, 0}\) and \(p_{i, 1}\). It is guaranteed that from every \(\textsf {chall}_i\), \(\textsf {Sim}\) can get at most one candidate \(p_{i, 1}\) value.

2.
After obtaining candidate \(p_{i, 1}\) values for each ith OT, the simulator observes the queries made to \(\mathcal {F}_\textsf {RO2}\) to obtain \(p_{i ,1}\). If there aren’t any such query, then the simulator sets adversary’s guess for ith OT as 0 in the selective failure attack. Else, simulator will obtain an unique (guaranteed by RO assumption) query \(\rho _{i, 1}\), s.t. \(\mathcal {F}_\textsf {RO2}({\mathsf {sid}}, \rho _{i, 1}) = p_{i, 1}\).

3.
Simulator obtains all the candidate values of \(T^r\) from \(\rho _{i, 0}\)(which he can compute locally) and \(\rho _{i, 1}\). Let \(\mathbf {A}= \{A_1, A_2, \ldots , A_\ell \}\) denote the list of values obtained as \(A_i = \tfrac{\rho _{i, 0}}{\rho _{i, 1}}\) for \(i \in [\kappa ]\) for \(i \in [\kappa ]\). Let A be the value which has been obtained the maximum number of times from the OTs. The simulator sets A as the supposed \(T^r\) value. If there are more than \(\mu \) OTs whose \(A_i\) values are different from A, then simulator sends \((\textsc {Guess}, \textsf {Sim}, \top , {\mathsf {sid}})\) to \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\) and aborts. In such a case, \(\textsf {S} ^*\) can distinguish the real and ideal world, only if the honest receiver does not abort. To ensure that, \(\textsf {S} ^*\) must correctly guess the random input bits of the honest \(\textsf {R} \). Thus, \(\textsf {S} ^*\) can distinguish with \(2^{\mu }\) probability if he miscomputed more than \(\mu \) OTs. Otherwise, the simulator can extract \(T^r = A\) value correctly.

4.
Given the correct \(T^r\) value, simulator computes the correct \(p_{i, 1}\) values whose corresponding \(A_j\) values were different from A.
Next, the simulator needs to simulate the selective OT failure attacks. \(\textsf {Sim}\) simulates the selective failure attack by checking whether \(\textsf {chall}_i\) is correctly formed or not, i.e. if \(\textsf {chall}_i = \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{i, 0})\oplus \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{i, 1})\) then \(\mathcal {A}\) is not performing a selective failure attack. Else, he has performed a selective failure attack on the receiver’s input. Simulator needs to find out the bit \(b'\) which adversary has guessed and invoke \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\) with \((\textsc {Guess}, \textsf {Sim}, {\mathsf {sid}}, \top )\). \(\textsf {Sim}\) performs this by observing the queries made by \(\mathcal {A}\) to \(\mathcal {F}_\textsf {RO4}\) and \(\mathcal {F}_\textsf {RO3}\).

1.
\(\textsf {Sim}\) observes the queries made to \(\mathcal {F}_\textsf {RO3}\) and compares it with \(\gamma \). If \(\gamma \) was formed without querying \(\mathcal {F}_\textsf {RO3}\), then \(\textsf {Sim}\) aborts as the real world sender would also abort irrespective of input, due to RO assumption. There can be only one such candidate query \(\beta \) s.t. \(\mathcal {F}_\textsf {RO3}({\mathsf {sid}}, \beta ) = \gamma \), due to RO assumption. \(\beta \) is the candidate for \(\texttt {Ans}\) that \(\textsf {S} \) must have obtained while computing \(\gamma \).

2.
Next, \(\textsf {Sim}\) searches for \(y=(y_1y_2\ldots y_\ell )\), s.t. \(\mathcal {F}_\textsf {RO4}({\mathsf {sid}}, y) = \beta \), due to RO assumption.

3.
Upon finding such a y tuple, it individually checks for \(y_i'\) values s.t. \(y_i=\mathcal {F}_\textsf {RO3}({\mathsf {sid}}, y_i')\).

4.
These \(y_i'\) values are then individually matched with the pads \((p_{i, 0}, p_{i, 1})\) and \(\textsf {chall}_i\). If \(p_{i, 0}=y_i'\), then \(\textsf {chall}_i\) is correctly formed for \(b'=0\) and so \(\textsf {Sim}\) sets \(b'=0\). If \(\mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{i, 1}) \oplus \textsf {chall}_i = y_i'\) then \(\textsf {chall}_i\) is correctly formed for \(b'=0\) and so \(\textsf {Sim}\) sets \(b' =1\). Else, the challenge is malformed for both \(b'=0\) and \(b'=1\); hence the simulator aborts as the honest sender would also abort.
If there are more than \(\mu \) OTs where the \(\mathcal {A}\) has launched a selective failure attack then the simulator aborts and sends \((\textsc {Guess}, \textsf {Sim}, {\mathsf {sid}}, \top )\) to \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\). Finally, the simulator invokes \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\) with input \((\textsc {Guess}, \textsf {Sim}, b', {\mathsf {sid}})\). It should be noted that the input bit \(b_i\) remains perfectly hidden in \(B_i=g^{\alpha _i}\) since \(\alpha _i\) and \(\alpha _it\) are valid randomness for \(b_i=0\) and \(b_i=1\) respectively. The real and ideal world are statistically indistinguishable except with \(2^{\mu }\) probability. The simulation algorithm has been provided in Fig. 9 and the formal hybrids and indistinguishability argument are as follows:

: Real world.

: Same as \(\textsf {HYB}_{\textsc {0}}\), except the reduction except the reduction computes \((p_{i, 0}, p_{i, 1})\) by following the simulation strategy and computes \(A=T^r\), or aborts if necessary. Indistinguishability follows due to RO assumption as discussed previously.

: Same as \(\textsf {HYB}_{\textsc {1}}\), except the reduction invokes \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\) with input \(p_{i, 0}=p_{i, 1}= \bot \) and aborts if there are 0 or 2 (and more) candidate values for \(\beta \). Indistinguishability follows from RO assumption.

: Same as \(\textsf {HYB}_{\textsc {2}}\), except the reduction invokes \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\) with input \(p_{i, 0}=p_{i, 1}= \bot \) and aborts if there are 0 or 2 (and more) candidate values for y. Indistinguishability follows from RO assumption.

: Same as \(\textsf {HYB}_{\textsc {3}}\), except the reduction invokes \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\) with input \(p_{i, 0}=p_{i, 1}= \bot \) and aborts if there are 0 or 2 (and more) candidate values for \(y_i'\) for each \(i \in [\ell ]\). Indistinguishability follows from RO assumption.

: Same as \(\textsf {HYB}_{\textsc {4}}\), except the reduction aborts if there are >\(\mu \) OTs where the sender has launched a selective failure attack. Indistinguishability follows statistically since the inputs of the honest sender are identically distributed to the inputs of the reduction, and both are random. The probability that the reduction aborts and the sender doesn’t abort in the real world is \(2^{\mu }\).

: Same as \(\textsf {HYB}_{\textsc {5}}\), except the reduction simulates the selective failure attack following the simulation algorithm. Indistinguishability follows due to the RO assumption.

: Same as \(\textsf {HYB}_{\textsc {6}}\), except \(\textsf {Sim}\) computes \((p_{i, 0}, p_{i, 1})\) following the simulation strategy and invokes \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\) with it. This hybrid is identical to the previous hybrid.
This completes the security proof for a corrupt sender. Next, we discuss the case for a corrupt receiver. In this case, the simulator either extracts the input bit of a corrupt receiver or it aborts. In the real world, the honest sender would also abort. However, in both cases the receiver can obtain the message corresponding to his bit after the OT protocol results in an abort by the sender. More formally, the simulator for a corrupt receiver \(\textsf {R} ^*\) will set \((c_{i, 0}, c_{i, 1})\) values randomly. Later, upon obtaining the second OT second message, the receiver can follow either of the two tactics:

\(\texttt {Resp}\) is valid: The receiver can query \(\mathcal {F}_\textsf {RO2}\) to compute \(p_{i, b_i}\), corresponding to his input bit \(b_i\) for ith OT. Then he can correctly compute the response to the challenge by running the honest receiver algorithm. This would result in the sender accepting the response to the challenge. The simulator can observe the queries made to the random oracles to extract \(b_i\) and invoke \(\mathcal {F}_{\textsf {SF}{\text {}}{\textsf {rOT}}}\) with input \(b_i\).

\(\texttt {Resp}\) is invalid: On the other hand, the receiver can send a random response to the challenge and force the sender to abort. However, the receiver can decrypt the message corresponding to his input bit \(b_i\) after the protocol ends by running the honest receiver’s algorithm. This would hamper simulation as the simulator cannot extract \(b_i\) during the protocol since \(\textsf {R} ^*\) did not query the random oracles. Hence, the message decrypted (after the protocol aborted) by \(\textsf {R} ^*\) in the simulated world will be distinguishable from the message decrypted (after the protocol aborted) by \(\textsf {R} ^*\) in the simulated world. Based on \(a_{b_i}\), the view of \(\textsf {R} ^*\) can be distinguished by the environment \(\mathcal {Z}\); hence simulation would fail.
Next, we show indistinguishability based security for a corrupt receiver. We demonstrate that there exists a PPT algorithm \(\textsf {Ext} \) who can extract the input choice bit of \(\textsf {R} ^*\) if \(\textsf {Ext} \) has blackbox access to \(\textsf {R} ^*\) for the protocol session. If \(\textsf {R} ^*\) decides to forcefully abort the protocol, then it is guaranteed that he cannot compute both sender input messages as that would require solving the CDH problem. We present our \(\textsf {Ext} \) algorithm in Fig. 10 and we modularly discuss the details of our proof by arguing that each property in Definition 2 holds for our protocol.

Correctness of algorithm: The corrupt receiver has to compute a correct answer to the challenge. To do that, he has to query either \(B_i^r\) or \((B_i\cdot T^{1})^r\) to \(\mathcal {F}_\textsf {RO2}\), to obtain \(p_{i, 0}\) or \(p_{i, 1}\) and construct the correct response using \(\mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{i, 0})\) or \(\mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{i, 1})\). He can bypass querying the RO if he can correctly guess \(p_{i, 0}\) or \(p_{i, 1}\) or \(\mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{i, 0})\) or \(\mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{i, 1})\). However, that occurs with negligible probability. Thus, the \(\textsf {Ext} \) algorithm succeeds if \(\textsf {R} ^*\) correctly responds to the challenge. In such a case, \(\textsf {R} ^*\) queries \(\mathcal {F}_\textsf {RO2}\); hence \(\textsf {Ext} \) can correctly extract \(b_i\).

cannot compute both \(p_{i, 0}\) and \(p_{i, 1}\): It can be observed that if \(\textsf {R} ^*\) obtains both \(p_{i, 0}\) and \(p_{i, 1}\) by querying \(\mathcal {F}_\textsf {RO2}\) on \(\rho _{i, 0}\) and \(\rho _{i, 1}\) respectively, then he can be used to solve the CDH problem where the CDH challenge instance is \(T=g^t\) and \(z=g^r\). The solution to the CDH challenge would be \(T^r= \tfrac{\rho _{i, 0}}{\rho _{i, 1}}\). Here, we can assume that the reduction programs \(\mathcal {F}_\textsf {RO1}\) on \(\textsf {seed}\) s.t. it returns the CDH challenge T. This is a reasonable assumption to make since we are programming the RO in the reduction. Such programming instances can be found out in the work of [DKLs18].

Indistinguishability of views: The real world view of the corrupt receiver \(\textsf {R} ^*  \mathcal {V}^{\textsf {S}}_{\pi _{\textsf {OT}}, \textsf {R} ^*(z)}((p_{i, 0}, p_{i, 1}), b, z)_{z \in \{0,1\}^*}\), after executing an OT protocol with \(\textsf {S} \) using random inputs is indistinguishable from the ideal world view of \(\textsf {R} ^* \mathcal {V}^{\textsf {S}}_{\pi _{\textsf {OT}}, \textsf {R} ^*(z)}((\widetilde{p_{i, 0}}, \widetilde{p_{i, 1}}), b, z)_{z \in \{0,1\}^*}\), after executing an OT protocol with sender since the sender only sends z. This is because \(\textsf {R} ^*\) cannot query \(\rho _{i, \widetilde{b_i}}\) to \(\mathcal {F}_\textsf {RO2}\) (due to CDH assumption) and hence \({p_{i, \bar{b_i}}}\) and \(\widetilde{p_{i, \bar{b_i}}}=0^\kappa \) would look indistinguishable due to the RO assumption.
This completes our proof of Theorem 2. \(\square \)
6.2 Efficiency
Overall the complexity of our protocol is similar to the COOT protocol. Our protocol requires the receiver to compute 2 exponentiations and the sender to compute 1 exponentiation for each OT. The sender needs to compute 5 RO queries and the receiver need to query the RO for 4 times, for each OT. The receiver needs to communicate one group element and one \(\kappa \) bit string for each OT. The sender needs to send \(4\kappa \) bit strings for each OT.
In addition, the sender has a onetime computation of 1 exponentiation, one RO query and communication of one group element, which can be reused. The receiver has a onetime communication of \(\kappa \) bit string and onetime computation of one RO query.
7 Implementation and Evaluation
We will study the concrete performance of our OT protocol in this section. As we have analyzed in previous sections, our OT protocol is expected to be as fast as the COOT protocol by Chou and Orlandi [CO15], which is the most efficient OT protocol but not provably UCsecure and does not provide input extraction of a corrupt receiver. Since all stateoftheart OT protocols are slower than COOT, the above is sufficient to demonstrate the efficiency of our protocol against all other alternatives [MR19, DKLs18].
We implement COOT and our protocol using relictoolkit [AG] and test them on a machine with a 3 GHz Intel Xeon CPU. No multithread or assemblylevel optimization is used. We throttle the network bandwidth to be 1 Gbps but with different network roundtrip time (RTT, measured by ping). The performance is summarized in Table 2, where we can see that the performance of our protocol is identical to the COOT protocol for different network latency values. This is expected as both protocols have the same number of exponentiation operations. Note that prior works [CO15, MR19] reported performance of COOT with lowlevel hardwaredependent accelerations. Our protocol can benefit from them too, resulting in even higher performance. We further applied both protocols as the base OT to compute OT extension. We can see that due to the reduce round complexity of our protocol, we are to obtain a better efficiency with the overall running time improved by one RTT (Table 3).
References
Aranha, D.F., Gouvêa, C.P.L.: RELIC is an Efficient LIbrary for Cryptography. https://github.com/relictoolkit/relic
Asharov, G., Lindell, Y., Schneider, T., Zohner, M.: More efficient oblivious transfer extensions with security for malicious adversaries. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 673–701. Springer, Heidelberg (2015). https://doi.org/10.1007/9783662468005_26
Boyle, E., et al.: Efficient tworound OT extension and silent noninteractive secure computation. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) ACM CCS 2019: 26th Conference on Computer and Communications Security, pp. 291–308. ACM Press, November 2019
Boyle, E., Couteau, G., Gilboa, N., Ishai, Y.: Compressing vector OLE. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018: 25th Conference on Computer and Communications Security, pp. 896–912. ACM Press, October 2018
Beaver, D.: Correlated pseudorandomness and the complexity of private computations. In: 28th Annual ACM Symposium on Theory of Computing, pp. 479–488. ACM Press, May 1996
BenEfraim, A., Lindell, Y., Omri, E.: Optimizing semihonest secure multiparty computation for the internet. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016: 23rd Conference on Computer and Communications Security, pp. 578–590. ACM Press, October 2016
Byali, M., Patra, A., Ravi, D., Sarkar, P.: Fast and universallycomposable oblivious transfer and commitment scheme with adaptive security. Cryptology ePrint Archive, Report 2017/1165 (2017). https://eprint.iacr.org/2017/1165
Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd Annual Symposium on Foundations of Computer Science, pp. 136–145. IEEE Computer Society Press, October 2001
Camenisch, J., Drijvers, M., Gagliardoni, T., Lehmann, A., Neven, G.: The wonderful world of global random oracles. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10820, pp. 280–312. Springer, Cham (2018). https://doi.org/10.1007/9783319783819_11
Canetti, R., Jain, A., Scafuro, A.: Practical UC security with a global random oracle. In: Ahn, G.J., Yung, M., Li, N. (eds.) ACM CCS 2014: 21st Conference on Computer and Communications Security, pp. 597–608. ACM Press, November 2014
Chou, T., Orlandi, C.: The simplest protocol for oblivious transfer. In: Lauter, K., RodríguezHenríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 40–58. Springer, Cham (2015). https://doi.org/10.1007/9783319221748_3
Doerner, J., Kondi, Y., Lee, E., Shelat, A.: Secure twoparty threshold ECDSA from ECDSA assumptions. In: 2018 IEEE Symposium on Security and Privacy, pp. 980–997. IEEE Computer Society Press, May 2018
Genç, Z.A., Iovino, V., Rial, A.: “The simplest protocol for oblivious transfer” revisited. Cryptology ePrint Archive, Report 2017/370 (2017). http://eprint.iacr.org/2017/370
Guo, C., Katz, J., Wang, X., Weng, C., Yu, Y.: Better concrete security for halfgates garbling (in the multiinstance setting). Cryptology ePrint Archive, Report 2019/1168 (2019). https://eprint.iacr.org/2019/1168
Garg, S., Mahmoody, M., Masny, D., Meckler, I.: On the round complexity of OT extension. In: Shacham, H., Boldyreva, A. (eds.) CRYPTO 2018. LNCS, vol. 10993, pp. 545–574. Springer, Cham (2018). https://doi.org/10.1007/9783319968780_19
Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: Aho, A. (ed.) 19th Annual ACM Symposium on Theory of Computing, pp. 218–229. ACM Press, May 1987
Hauck, E., Loss, J.: Efficient and universally composable protocols for oblivious transfer from the CDH assumption. Cryptology ePrint Archive, Report 2017/1011 (2017). http://eprint.iacr.org/2017/1011
Hazay, C., Scholl, P., SoriaVazquez, E.: Low cost constant round MPC combining BMR and oblivious transfer. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 598–628. Springer, Cham (2017). https://doi.org/10.1007/9783319706948_21
Ishai, Y., Kilian, J., Nissim, K., Petrank, E.: Extending oblivious transfers efficiently. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 145–161. Springer, Heidelberg (2003). https://doi.org/10.1007/9783540451464_9
Impagliazzo, R., Rudich, S.: Limits on the provable consequences of oneway permutations. In: Proceedings of the 21st Annual ACM Symposium on Theory of Computing, Seattle, Washigton, USA, 14–17 May 1989, pp. 44–61 (1989)
Kilian, J.: Zeroknowledge with logspace verifiers. In: 29th Annual Symposium on Foundations of Computer Science, pp. 25–35. IEEE Computer Society Press, October 1988
Keller, M., Orsini, E., Scholl, P.: Actively secure OT extension with optimal overhead. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9215, pp. 724–741. Springer, Heidelberg (2015). https://doi.org/10.1007/9783662479896_35
Li, B., Micciancio, D.: Equational security proofs of oblivious transfer protocols. In: Abdalla, M., Dahab, R. (eds.) PKC 2018. LNCS, vol. 10769, pp. 527–553. Springer, Cham (2018). https://doi.org/10.1007/9783319765785_18
Masny, D., Rindal, P.: Endemic oblivious transfer. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) ACM CCS 2019: 26th Conference on Computer and Communications Security, pp. 309–326. ACM Press, November 2019
Nielsen, J.B., Nordholt, P.S., Orlandi, C., Burra, S.S.: A new approach to practical activesecure twoparty computation. In: SafaviNaini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 681–700. Springer, Heidelberg (2012). https://doi.org/10.1007/9783642320095_40
Orrù, M., Orsini, E., Scholl, P.: Actively secure 1outofN OT extension with application to private set intersection. In: Handschuh, H. (ed.) CTRSA 2017. LNCS, vol. 10159, pp. 381–396. Springer, Cham (2017). https://doi.org/10.1007/9783319521534_22
Patra, A., Sarkar, P., Suresh, A.: Fast actively secure OT extension for short secrets. In: 24th Annual Network and Distributed System Security Symposium, NDSS 2017, San Diego, California, USA, 26 February–1 March 2017 (2017)
Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008). https://doi.org/10.1007/9783540851745_31
Wang, X., Ranellucci, S., Katz, J.: Globalscale secure multiparty computation. In: Thuraisingham, B.M., Evans, D., Malkin, T., Xu, D. (eds.) ACM CCS 2017: 24th Conference on Computer and Communications Security, pp. 39–56. ACM Press, October/November 2017
Yao, A.C.C.: How to generate and exchange secrets (extended abstract). In: 27th Annual Symposium on Foundations of Computer Science, pp. 162–167. IEEE Computer Society Press, October 1986
Acknowledgements
This work was supported by the IARPA ACHILLES project, the NSF MACS project and NSF grant CNS1422965. The first author also thanks the Check Point Institute for Information Security.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 International Association for Cryptologic Research
About this paper
Cite this paper
Canetti, R., Sarkar, P., Wang, X. (2020). Blazing Fast OT for ThreeRound UC OT Extension. In: Kiayias, A., Kohlweiss, M., Wallden, P., Zikas, V. (eds) PublicKey Cryptography – PKC 2020. PKC 2020. Lecture Notes in Computer Science(), vol 12111. Springer, Cham. https://doi.org/10.1007/9783030453886_11
Download citation
DOI: https://doi.org/10.1007/9783030453886_11
Published:
Publisher Name: Springer, Cham
Print ISBN: 9783030453879
Online ISBN: 9783030453886
eBook Packages: Computer ScienceComputer Science (R0)