# On the foundations of oblivious transfer

## Abstract

We show that oblivious transfer can be based on a very general notion of asymmetric information difference. We investigate a *Universal Oblivious Transfer*, denoted UOT(*X, Y*), that gives Bob the freedom to access Alice's input *X* in an arbitrary way as long as he does not obtain full information about *X*. Alice does not learn which information Bob has chosen. We show that oblivious transfer can be reduced to a single execution of UOT(*X, Y*) with Bob's knowledge *Y* restricted in terms of Rényi entropy of order α > 1. For independently repeated UOT the reduction works even if only Bob's Shannon information is restricted, i.e. if *H(X|Y)* > 0 in every UOT(*X, Y*). Our protocol requires that honest Bob obtains at least half of Alice's information *X* without error.

## Keywords

Cryptographic Protocols, Oblivious Transfer, Shannon Entropy, Rényi Entropy, Statistical Security, Multiparty Computation