Oblivious Transfer from Rerandomizable PKE

Abstract

The relationship between oblivious transfer (OT) and public-key encryption (PKE) has been studied by Gertner et al. (FOCS 2000). They showed that OT can be constructed from special types of PKE, i.e., PKE with oblivious sampleability of public keys or ciphertexts. In this work, we give new black-box constructions of OT from PKE without any oblivious sampleability. Instead, we require that the PKE scheme is rerandomizable, meaning that one can use the public key to rerandomize a ciphertext into a fresh ciphertext. We give two different OT protocols with different efficiency features based on rerandomizable PKE. For 1-out-of-n OT, in our first OT protocol, the sender has sublinear (in n) cost, and in our second OT protocol, the cost of the receiver is independent of n. As a comparison, in the PKE-based OT protocols of Gertner et al., both the sender and receiver have linear cost.

A From Bit-OT to String-OT

Our OT protocols are designed for bit-OT where each item is a bit. In this section, we show how to extend our protocols to string-OT where each item is a bitstring. Concretely, we use the idea of [8]. Let \(x_1,\dots ,x_n\in \{0,1\}^l\) be the bitstrings held by the sender where each \(x_j=(x_{j,1},\dots ,x_{j,l})\), and let i be the index held by the receiver. The sender first defines \(X_k=(x_{1,k},\dots ,x_{n,k})\) for each \(k\in [l]\), then a naive string-OT protocol is that the sender and receiver direct invoke a bit-OT protocol l times, where the sender uses \(X_k\) as its input in the k-th invocation. However, the authors in [8] observed that some messages of the receiver may be used for multiples invocations because the receiver has the same input in every invocation, which allows us to reduce the communication cost. For the sake of completeness, we present the detailed descriptions of our PKE-based string-OT protocols in this section. We note that the security proofs of our string-OT protocols will be much like the security proofs of our bit-OT protocols, and we omit the details about the security proofs.

1.1 A.1 Sender-Friendly 1-out-of-n String-OT

In this section, we give the description of our sender-friendly string-OT protocol. Similar to our bit-OT protocol, we first give an inefficient string-OT protocol.

Complexity of \(\textsf{sOT}^{\textsf{sen}}_{\textsf{rpke}}{\mathbf {.}}\) The protocol \(\textsf{sOT}^{\textsf{sen}}_{\textsf{rpke}}\) requires the sender to send l ciphertexts and the receiver to send \(2^n-2\) ciphertexts (and a public key). The reduction from long OT to short OT described in Sect. 3.2 also applies to string-OT. By a similar discussion in Sect. 3.3, we could obtain an efficient string-OT protocol where the costs of the sender and receiver are \(O(ln/\log n)\) and \(O(n^{1+\varepsilon }/\log n)\) for a positive constant \(\varepsilon \), respectively.

1.2 A.2 Receiver-Friendly 1-out-of-n String-OT

This section presents the description of our receiver-friendly string-OT protocol.

Complexity of \(\textsf{sOT}^{\textsf{rec}}_{\textsf{rpke}}{\mathbf {.}}\) The protocol \(\textsf{sOT}^{\textsf{rec}}_{\textsf{rpke}}\) requires the sender to send 2ln ciphertexts and l plaintexts (and a public key) and the receiver to send l ciphertexts. Namely, the costs of the sender and receiver are O(ln) and O(l), respectively.