The Simplest Protocol for Oblivious Transfer

  • Tung Chou
  • Claudio Orlandi
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9230)


Oblivious Transfer (OT) is the fundamental building block of cryptographic protocols. In this paper we describe the simplest and most efficient protocol for 1-out-of-n OT to date, which is obtained by tweaking the Diffie-Hellman key-exchange protocol. The protocol achieves UC-security against active and adaptive corruptions in the random oracle model. Due to its simplicity, the protocol is extremely efficient and it allows to perform m 1-out-of-n OTs using only:
  • Computation: \((n+1)m+2\) exponentiations (mn for the receiver, \(mn+2\) for the sender) and

  • Communication: \(32(m+1)\) bytes (for the group elements), and 2mn ciphertexts.

We also report on an implementation of the protocol using elliptic curves, and on a number of mechanisms we employ to ensure that our software is secure against active attacks too. Experimental results show that our protocol (thanks to both algorithmic and implementation optimizations) is at least one order of magnitude faster than previous work.


Hash Function Encryption Scheme Random Oracle Random Oracle Model Oblivious Transfer 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



We are very grateful to: Daniel J. Bernstein and Tanja Lange for invaluable comments and suggestions regarding elliptic curve cryptography and for editorial feedback on earlier versions of this paper; Yehuda Lindell for useful comments on our proof of security; Peter Schwabe for various helps on implementation, including providing low-level code for field arithmetic; the anonymous LATINCRYPT reviewer and in particular Gregory Neven.

Tung Chou is supported by Netherlands Organisation for Scientific Research (NWO) under grant 639.073.005. Claudio Orlandi is supported by: the Danish National Research Foundation and The National Science Foundation of China (grant 61361136003) for the Sino-Danish Center for the Theory of Interactive Computation; the Center for Research in Foundations of Electronic Markets (CFEM); the European Union Seventh Framework Programme ([FP7/2007-2013]) under grant agreement number ICT-609611 (PRACTICE).


  1. [ABN10]
    Abdalla, M., Bellare, M., Neven, G.: Robust encryption. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 480–497. Springer, Heidelberg (2010) CrossRefGoogle Scholar
  2. [ALSZ13]
    Asharov, G., Lindell, Y., Schneider, T., Zohner, M.: More efficient oblivious transfer and extensions for faster secure computation. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer Communications Security, pp. 535–548. ACM (2013)Google Scholar
  3. [ALSZ15]
    Asharov, G., Lindell, Y., Schneider, T., Zohner, M.: More efficient oblivious transfer extensions with security for malicious adversaries. Cryptology ePrint Archive, Report 2015/061 (2015).
  4. [BBJ+08]
    Bernstein, D.J., Birkner, P., Joye, M., Lange, T., Peters, C.: Twisted edwards curves. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 389–405. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  5. [BCP04]
    Bresson, E., Chevassut, O., Pointcheval, D.: New security results on encrypted key exchange. In: Bao, F., Deng, R., Zhou, J. (eds.) PKC 2004. LNCS, vol. 2947, pp. 145–158. Springer, Heidelberg (2004) CrossRefGoogle Scholar
  6. [BDL+11]
    Bernstein, D.J., Duif, N., Lange, T., Schwabe, P., Yang, B.-Y.: High-speed high-security signatures. In: Preneel, B., Takagi, T. (eds.) CHES 2011. LNCS, vol. 6917, pp. 124–142. Springer, Heidelberg (2011) CrossRefGoogle Scholar
  7. [BDPVA09]
    Bertoni, G., Daemen, J., Peeters, M., Van Assche, G.: Keccak sponge function family main document. Submission to NIST (Round 2), pp. 3–30 (2009)Google Scholar
  8. [Bea96]
    Beaver, D.: Correlated pseudorandomness and the complexity of private computations. In: Proceedings of the Twenty-Eighth Annual ACM Symposium on the Theory of Computing, 22–24 May 1996, Philadelphia, Pennsylvania, USA, pp. 479–488 (1996)Google Scholar
  9. [Ber06]
    Bernstein, D.J.: Curve25519: new Diffie-Hellman speed records. In: Yung, M., Dodis, Y., Kiayias, A., Malkin, T. (eds.) PKC 2006. LNCS, vol. 3958, pp. 207–228. Springer, Heidelberg (2006) CrossRefGoogle Scholar
  10. [BL14]
    Bernstein, D.J., Lange, T.: Safecurves: choosing safe curves for elliptic-curve cryptography. Accessed on 1 December 2014
  11. [BL15]
    Bernstein, D.J., Lange, T.: eBACS: ecrypt benchmarking of cryptographic systems. Accessed on 16 March 2015
  12. [BLN+15]
    Burra, S.S., Larraia, E., Nielsen, J.B., Nordholt, P.S., Orlandi, C., Orsini, E., Scholl, P., Smart, N.P.: High performance multi-party computation for binary circuits based on oblivious transfer. Cryptology ePrint Archive, Report 2015/472 (2015).
  13. [BM89]
    Bellare, M., Micali, S.: Non-interactive oblivious transfer and applications. In: Brassard, G. (ed.) CRYPTO 1989. LNCS, vol. 435, pp. 547–557. Springer, Heidelberg (1990) Google Scholar
  14. [Can01]
    Canetti, R.: Universally composable security: a new paradigm for cryptographic protocols. In: 42nd Annual Symposium on Foundations of Computer Science, FOCS 2001, 14–17 October 2001, Las Vegas, Nevada, USA, pp. 136–145 (2001)Google Scholar
  15. [CF01]
    Canetti, R., Fischlin, M.: Universally composable commitments. IACR Cryptology ePrint Archive, 2001:55 (2001)Google Scholar
  16. [DNO08]
    Damgård, I., Nielsen, J.B., Orlandi, C.: Essentially optimal universally composable oblivious transfer. In: Lee, P.J., Cheon, J.H. (eds.) ICISC 2008. LNCS, vol. 5461, pp. 318–335. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  17. [EGL85]
    Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. Commun. ACM 28(6), 637–647 (1985)MathSciNetCrossRefGoogle Scholar
  18. [FLPQ13]
    Farshim, P., Libert, B., Paterson, K.G., Quaglia, E.A.: Robust encryption, revisited. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 352–368. Springer, Heidelberg (2013) CrossRefGoogle Scholar
  19. [Fog14]
    Agner Fog. Instruction tables (2014).
  20. [HL10]
    Hazay, C., Lindell, Y.: Efficient Secure Two-Party Protocols - Techniques and Constructions. Information Security and Cryptography. Springer, Berin (2010) zbMATHCrossRefGoogle Scholar
  21. [HWCD08]
    Hisil, H., Wong, K.K.-H., Carter, G., Dawson, E.: Twisted edwards curves revisited. In: Pieprzyk, J. (ed.) ASIACRYPT 2008. LNCS, vol. 5350, pp. 326–343. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  22. [IKNP03]
    Ishai, Y., Kilian, J., Nissim, K., Petrank, E.: Extending oblivious transfers efficiently. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 145–161. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  23. [IR89]
    Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: Proceedings of the 21st Annual ACM Symposium on Theory of Computing, May 14–17, 1989, Seattle, Washigton, USA, pp. 44–61 (1989)Google Scholar
  24. [Kil88]
    Kilian, J.: Founding cryptography on oblivious transfer. In: Proceedings of the 20th Annual ACM Symposium on Theory of Computing, 2–4 May 1988, Chicago, Illinois, USA, pp. 20–31 (1988)Google Scholar
  25. [KOS15]
    Keller, M., Orsini, E., Scholl, P.: Actively secure ot extension with optimal overhead. In: CRYPTO (2015)Google Scholar
  26. [Lar14]
    Larraia, E.: Extending oblivious transfer efficiently, or - how to get active security with constant cryptographic overhead. IACR Cryptology ePrint Archive, 2014:692 (2014)Google Scholar
  27. [MF15]
    Moon, A.: "Floodyberry": implementations of a fast elliptic-curve digital signature algorithm. Accessed on 16 March 2015
  28. [Nie07]
    Nielsen, J.B.: Extending oblivious transfers efficiently - how to get robustness almost for free. Cryptology ePrint Archive, Report 2007/215 (2007).
  29. [NNOB12]
    Nielsen, J.B., Nordholt, P.S., Orlandi, C., Burra, S.S.: A new approach to practical active-secure two-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 681–700. Springer, Heidelberg (2012) CrossRefGoogle Scholar
  30. [NP01]
    Naor, M., Pinkas, B.: Efficient oblivious transfer protocols. In: Proceedings of the Twelfth Annual Symposium on Discrete Algorithms, 7–9 January 2001, Washington, DC, USA, pp. 448–457 (2001)Google Scholar
  31. [PVW08]
    Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008) CrossRefGoogle Scholar
  32. [Rab81]
    Rabin, M.O.: How to exchange secrets with oblivious transfer. Technical report TR-81, Aiken Computation Lab, Harvard University (1981)Google Scholar
  33. [Sch15]
    Schneider, T.: Personal communication (2015)Google Scholar
  34. [Wie83]
    Wiesner, S.: Conjugate coding. SIGACT News 15(1), 78–88 (1983)CrossRefGoogle Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  1. 1.Technische Universieit EindhovenEindhovenThe Netherlands
  2. 2.Aarhus UniversityAarhusDenmark

Personalised recommendations