1 Introduction

Oblivious Transfer (OT) is a fundamental primitive for multi-party computation (MPC). It has been shown to be complete [GMW87, Kil88] and has become the most widely used building block in both the two-party setting [Yao86, NNOB12] and the multi-party setting [BLO16, WRK17, HSS17]. However, oblivious transfer is expensive since it requires public key operations [IR89]. This limitation is mitigated by the seminal concept of OT extension [Bea96, IKNP03], which allows the parties to compute \(m = \text {poly}(\kappa )\) number of OTs using only \(\kappa \) “base OTs” and O(m) symmetric-key operations, where \(\kappa \) is the computational security parameter. This yields a large number of OTs at the cost of \(\mathcal {O}(1)\) symmetric key operations.

The state-of-the-art protocol for malicious OT extension [KOS15] can compute more than ten million OTs per second in a high bandwidth network setting. As such, it appears that the problem of constructing efficient OT extension has been resolved. However, some challenges remain. First, we note that the cost of the base OTs remains a significant consideration when m is only moderately larger than \(\kappa \) and security against all-but-one corruption is needed. For instance, Wang et al. [WRK17] reported that in their implementation of a malicious 128-party computation tolerating 127-party corruption in the WAN setting, it takes about 140 s to securely evaluate an AES circuit, where 80 s (more than 55% of the total cost!) are spent on computing base OTs.

Another challenge is the number of rounds. Ideally, we would like to obtain extended OT with only two rounds. However, here we have only two known solutions: The original OT extension pf Beaver [Bea96] which is highly inefficient due to non-black-box use of the underlying symmetric-key primitives, and the Boyle et al. [BCG+19] two-round OT extension, based on the Learning Parity with Noise (LPN) assumption, whose performance is better than IKNP-like OT extension only when the network bandwidth is low (\(\approx \)100 Mbps).

The other approach taken in the literature is to apply a black-box OT extension (such as that of [KOS15]) to some base OT. This method, however results in an additional round. In fact, recent result by Garg et al. [GMMM18] shows that this is inevitable, namely \((n+1)\) rounds for OT extension are necessary if an n-round base OT is used. Thus, this approach seems to result in extended OT protocols with three or more rounds. Furthermore, the state-of-the-art two-round OT protocols are much slower than the best three-round OT protocols. For example, the two-round OT by Peikert et al. [PVW08] requires 11 exponentiations. More recently, [MR19] proposed an OT that requires 6 exponentiations under standard DDH assumption or 4 exponentiations under non-standard IDDH assumption. This means that even three-round extended OT protocols, obtained in this way, are less than optimally efficient.

Another set of challenges revolves around the level of security obtained and the assumptions used. Chou and Orlandi [CO15] proposed a base-OT protocol with malicious security (dubbed as CO-OT). The work of [HL17] proposed a similar protocol. However, it has been shown [BPRS17, GIR17, LM18] that this protocol and [HL17] cannot be proven secure with simulation-based security because a simulator cannot extract a corrupt receiver’s choice bit. There have been some works [BPRS17, DKLs18] trying to fix this issue, but all of them require either much more computation or higher round complexity. Masny and Rindal [MR19] recently proposed a UC-secure OT in the programmable random oracle model (ROM). Their performance is slightly worse than CO-OT under non-standard notion of interactive version of the Decisional Diffie Hellman (IDDH) assumption and much worse under Decisional Diffie Hellman (DDH) assumption.

Table 1. Comparison to related protocols. “#Rounds of OT extension” is the round complexity of the best OT extension with selected base OT protocol. IDDH refers to interactive DDH, not known to be reducible to DDH. PRO refers to programmable RO; ORO refers to observable RO.
Full size table

1.1 Our Contributions

In this paper, we construct an OT protocol tailored to be base OT for the [KOS15] OT extension. Our protocol is highly efficient, and results in a 3 round extended OT that is UC secure in the observable ROM assuming only CDH. See Table 1 for comparison with the state of the art.

The key idea underlying our construction is to design a three-round base OT protocol that circumvents the lower bound proved by Garg et al. [GMMM18]. This is achieved by considering a slight modification of the KOS extension, that is specific to our base OT protocol: The parties use the inputs for the base OT protocol to compute the OT extension messages in parallel to the execution of the base-OT computation. This yields a round-preserving three-round OT extension protocol. To preserve efficiency, we only use some specific property of the base OT protocol (and thus non-black-box to base OT), but avoid non-black-box use of any underlying primitives or computational assumptions. We observe that our protocol is compatible with OT extension protocols [ALSZ15, PSS17, OOS17] in the IKNP domain. It also works for state-of-the-art 1-out-of-N OT extension protocols [PSS17, OOS17]. See Sect. 3 for more discussion. Our detailed contributions are listed as follows:

  • Weaker base-OT Functionality. To securely realize OT extension efficiently, we consider a UC-secure base-OT functionality that allows selective failure attack by a corrupt sender. We further relax the UC-security requirement to only sender-sided simulation-based security; on the receiver-side, we demonstrate that indistinguishability based security suffices for KOS, provided the receiver’s input can be extracted.

  • Weaker Assumptions. Our protocol is secure assuming CDH in the observable random oracle (ORO) model. Our assumptions and trusted setup are weaker and far more well-studied than other protocols with comparable efficiency. When used in the OT extension, the OT extension protocol becomes UC-secure.

  • Best efficiency. Our protocol requires three exponentiations per OT and is as efficient as the CO-OT [CO15]. This is also experimentally verified based on implementation. Since CO-OT (which is insecure) is the most efficient among all existing OT protocols, our new OT with provable security is also the most efficient.

  • Round Preserving. Our OT protocol requires three rounds, one round more than necessary; however, one unique feature of our protocol is that its last two rounds of messages can be securely sent in parallel with the OT-extension messages and thus resulting in a three-round OT extension protocol.

  • Empirical Comparison. Finally, we implement our protocol and demonstrate its high performance. In detail, our protocol is as efficient as the OT by Chou and Orlandi (which cannot be proven UC secure). When used in the OT extension, our protocol results in a even better performance due to reduced round complexity.

We note that the original KOS paper had an interactive coin tossing subprotocol. It resulted in a 5 rounds protocol and it relied on Correlation Robust Function (\( \textsc {CRF}\)). The subprotocol was made non-interactive by the work of [DKLs18] using the Fiat-Shamir transform by relying on a non-programmable random oracle. This reduced the round complexity to 3. We consider this round optimized variant of KOS in the RO model since we already require the RO for our OT protocol.

1.2 More Discussion on Related Works

Here we highlight the protocols from prior OT literature that are relevant to our work. A comparison can be found in Table 1.

  • The two-round UC-secure OT protocol by [PVW08] is a candidate for the base OTs in KOS. Its optimized variant computes 11 exponentiations and is proven secure in the common reference string model under DDH assumption.

  • The Simplest OT (or CO-OT) was proposed by Chou and Orlandi [CO15]. It computes 3 exponentiations in the programmable random oracle (PRO) model assuming CDH. It requires 2 rounds to compute a random OT, but their OT messages cannot be parallelized with the OT extension messages, thus resulting in a 4 round OT extension. It has been shown [LM18] that this protocol cannot be proven secure with simulation-based security because a simulator cannot extract a corrupt receiver’s choice bit. For proving UC-security of the OT extension protocol, the inputs of the receiver (of the base OT) has to be extracted.

  • The work of [DKLs18] proposed a 5 round OT protocol, with selective failure, for the base OTs in the ORO model. They compute 3 exponentiations per OT and incur a one-time computation of a non-interactive zero-knowledge proof of knowledge (NIZKPoK) for Discrete Log. The high round complexity of the base OTs leads to a 6 round OT extension since their last OT message cannot be parallelized with the last message of the OT extension.

  • A recent work by [MR19] proposed non-interactive OTs from non-interactive Key Exchange. The resulting OT extension would still require 3 rounds. Their optimized variant requires 4 exponentiations under IDDH assumption and their unoptimized variant requires 6 exponentiations in the PRO model. However, IDDH is not known to be reducible to the standard DDH assumption.

  • Silent OT extension [BCG+19] does not follow the IKNP-style extension. Instead, it can be viewed as a special case of vector OLE [BCGI18] and requires an LPN assumption. The resulting protocol can be more efficient than KOS under low network bandwidth.

Roadmap. In the next section, we introduce some notations and important concepts used in this paper. In Sect. 3, we present the key intuitions behind our protocols. This is followed by our weakened OT functionality in Sect. 4. Then, we show that our weakened OT functionality suffices to obtain the KOS OT extension in Sect. 5. We instantiate \(\kappa \) instances of our OT functionality in Sect. 6. Finally, we present our implementation details and compare it with the CO-OT in Sect. 7.

2 Preliminaries

Notations. We denote by \(a \leftarrow D\) a uniform sampling of an element a from a distribution D. The set of elements \(\{1,\ldots ,n\}\) is represented by [n]. A function \(\textsf {neg}(()\cdot )\) is said to be negligible, if for every polynomial \(p(\cdot )\), there exists a constant c, such that for all \(n > c\), it holds that \(\textsf {neg}(()n) < \tfrac{1}{p(n)}\). We denote a probabilistic polynomial time algorithm as PPT. We denote the computational security parameter by \(\kappa \) and statistical security parameter by \(\mu \) respectively. Let \(\mathbb {Z}_q\) denote the field of order q, where \(q=\frac{p-1}{2}\) and p are primes. Let \(\mathbb {G}\) be the multiplicative group corresponding to \(\mathbb {Z}_p^*\) with generator g, where CDH assumption holds. We denote a field of size \(2^\kappa \) as \(\mathbb {F}\). Our security proofs are in the Universal Composability (UC) framework of [Can01]. We refer to the original paper for details. For a bit \(b \in \{0,1\}\), we denote \(1-b\) by \(\bar{b}\). We denote a matrix as \(\mathbf {M}\) where \(\mathbf {M}^i\) refers to the ith column and \(\mathbf {M}_j\) as the jth row of \(\mathbf {M}\) respectively. Given a field element \(x \in \mathbb {F}\) and a bit vector \(\mathbf {a}=(a_1, a_2, \ldots , a_\kappa )\) we denote component-wise multiplication as \(x \cdot \mathbf {a}= (a_1 \cdot x, a_2 \cdot x, \ldots , a_\kappa \cdot x)\). In our OT extension protocol, the sender is denoted as \(\textsf {S}_{\textsf {Ext}} \) and the receiver is denoted as \(\textsf {R}_{\textsf {Ext}} \) respectively.

Random Oracle Model. A random oracle (RO) functionality is parametrized by a domain and a range and it is as \(\mathcal {F}_\textsf {RO}\) in Fig. 2. A random oracle query on message m is denoted by \(\mathcal {F}_\textsf {RO}(m)\). The random oracle functionality can be broadly classified [CDG+18] into three categories based on its features- plain RO, observable RO and programmable RO. A plain RO returns a random string, from its range, upon being queried on a message m, from its domain. An observable RO inherits the properties of the plain RO but in addition it grants the simulator to observe the queries made, to \(\mathcal {F}_\textsf {RO}\), by the adversary. Our proofs hold in the global RO (GRO) model of [CJS14] where the observable RO is replaced by the GRO.

Tweakable Correlation Robust Hash. OT extension requires a correlation robust hash function. We adopted the definition proposed by Guo et al. [GKW+19], where a tweak is explicitly included in the hash function too. Given a function \( \textsc {CRF}: \mathcal {T} \times \{0,1\}^\kappa \rightarrow \{0,1\}^\kappa \), define \(\mathcal{O}_{\varDelta }(t, w)\,{\mathop {=}\limits ^\mathrm{def}}\, \textsc {CRF}(t, w \oplus \varDelta )\), where \(t\in \mathcal {T} \). Let \(\mathsf{Func}\) denote the set of functions from \( \mathcal {T} \times \{0,1\}^\kappa \) to \(\{0,1\}^\kappa \).

Definition 1

Given a function \( \textsc {CRF}: \mathcal {T} \times \{0,1\}^\kappa \rightarrow \{0,1\}^\kappa \), a uniform distribution on \(\{0,1\}^\kappa \) namely \(U_{\kappa }\), we say that CRFis tweakable correlation robust if for any PPT distinguisher \(D \), if

$$ \left| \mathop {\Pr }\limits _{\varDelta \leftarrow U_{\kappa }}\big [D ^{\varDelta (\cdot )}=1\big ] - \mathop {\Pr }\limits _{f \leftarrow \mathsf{Func}}\left[ D ^{f (\cdot )}=1\right] \right| =\mathsf{negli}(\kappa ). $$

Note that in our use of tweakable correlation robust hash, \(\mathcal {T}\) is a tuple of values, one for \({\mathsf {sid}}\) and one for index i.

Oblivious Transfer. In a 1-out-of-2 OT, we have a sender (S) holding two inputs \(a_0,a_1 \in \{0,1\}^n\) and a receiver (\(\textsf {R}\)) holding a choice bit b. The correctness of OT means that \(\textsf {R}\) will obtain \(a_b\) as the outcome of the protocol. At the same time, S should learn nothing about b, and \(\textsf {R} \) should learn nothing about the other input of S, namely \(a_{\bar{b}}\). The ideal OT functionality \(\mathcal {F}_{\textsf {OT}}\) is shown in Fig. 1.

Fig. 1.
figure 1

The ideal functionality \(\mathcal {F}_{\textsf {OT}}\) for Oblivious Transfer

Full size image
Fig. 2.
figure 2

The ideal functionality \(\mathcal {F}_{\textsf {OT}}\) for Random Oracle

Full size image

3 Technical Overview

In this section we give an overview of our technical contributions. First, we recall the KOS OT extension from a high-level. We argue that the base OTs in KOS do not require UC security. Building on this idea, we propose a weaker OT functionality and then we provide an efficient three-round OT protocol which would yield a three round OT extension.

3.1 Overview of KOS

In the KOS OT extension, the sender \(\textsf {S}_{\textsf {Ext}} \) and receiver \(\textsf {R}_{\textsf {Ext}} \) wants to generate m OTs using \(\kappa \) invocations to \(\mathcal {F}_{\textsf {OT}}\) (base OTs) and symmetric key operations. The sender \(\textsf {S}_{\textsf {Ext}} \) plays the role of a receiver in the base OTs. He samples a random \(\kappa \) bit string \(\mathbf {s}\) and invokes ith instance of \(\mathcal {F}_{\textsf {OT}}\) with ith bit of \(\mathbf {s}\) for \(i \in [\kappa ]\). The receiver \(\textsf {R}_{\textsf {Ext}} \) invokes \(\mathcal {F}_{\textsf {OT}}\) as sender with random pads \((\mathbf {k}_{i, 0}, \mathbf {k}_{i, 1})\). \(\textsf {S}_{\textsf {Ext}} \) obtains \(\mathbf {k}_{i, s_i}\) from the ith base OT. In addition, \(\textsf {R}_{\textsf {Ext}} \) also sends a mapping \(\mathbf {D}\) from his inputs to the \((\mathbf {k}_{i, 0}, \mathbf {k}_{i, 1})\) values. Upon obtaining this mapping \(\mathbf {D}\) and the base-OT output, the sender computes his mapping \(\mathbf {Q}\). He computes correlated pads for the extended OTs using \(\mathbf {s}\) and \(\mathbf {Q}\) as \( \textsc {CRF}({\mathsf {sid}}, j, \mathbf {Q}_j)\) and \( \textsc {CRF}({\mathsf {sid}}, j, \mathbf {Q}_j \oplus \mathbf {s})\) for \(j \in [m]\), where \( \textsc {CRF}\) is a correlation robust function. If the receiver’s input bit for j-th extended OT is 0, then he can compute \(\mathbf {Q}_j\), else he can compute \(\mathbf {Q}_j \oplus \mathbf {s}\). The other value remains hidden due to \(\mathbf {s}\) and security of \( \textsc {CRF}\). Using the correlated pads, \(\textsf {S}_{\textsf {Ext}} \) encrypts his inputs for the extended OTs and sends it to \(\textsf {R}_{\textsf {Ext}} \).

In addition, \(\textsf {S}_{\textsf {Ext}} \) also performs a consistency check on matrix \(\mathbf {D}\) is correctly formed by \(\textsf {R}_{\textsf {Ext}} \), else a malformed \(\mathbf {D}\) matrix would leak the bits of \(\mathbf {s}\) rendering the protocol insecure. The original KOS paper had an interactive check phase. It was made non-interactive by the work of [DKLs18] using the Fiat-Shamir transform by relying on the observable random oracle. Our protocol also uses the same non-interactive check to obtain a 3-round OT extension protocol where the checks are run in the second OT extension message. The base OTs are run for 3 rounds and the last message of the OT extension is sent in parallel to the last message of the base OT. Next, we discuss our proposed relaxations in the base OT functionality.

3.2 Relaxation in the OT Functionality

Firstly, it can be observed that the parties invoke the base OTs in KOS with random OTs. So, one can consider random OT functionality instead of full OT functionality. Next, we can allow selective failure in the base OTs. The work of KOS and [DKLs18] showed that the base OTs do not require full UC-security of an OT functionality. Instead, the functionality can allow a corrupt sender (i.e. \(\textsf {R}_{\textsf {Ext}} \) in the OT extension) to launch a selective failure attack on the \(\mathbf {s}\) bits of the receiver (i.e. \(\textsf {S}_{\textsf {Ext}} \) in the OT extension). In such a case, the corrupt \(\textsf {R}_{\textsf {Ext}} ^*\) will still have a negligible advantage in breaking the security of the extended OTs. We claim that the OT functionality can be further relaxed based on the following observations in the KOS protocol.

  1. 1.

    Delayed input extraction of receiver: The inputs of the receiver (\(\textsf {S}_{\textsf {Ext}} \)) in the base OTs can be extracted after \(\textsf {S}_{\textsf {Ext}} \) sends the last message of the OT Extension protocol. Recall, that the last message of the OT Extension protocol consists of the inputs of \(\textsf {S}_{\textsf {Ext}} \) encrypted with the correlated pads. The simulator against a corrupt \(\textsf {S}_{\textsf {Ext}} ^*\) can simulate the second message of the OT extension without the knowledge of \(\mathbf {s}\). Later, it can extract \(\mathbf {s}\) from the base OTs and then extract \(\textsf {S}_{\textsf {Ext}} \)’s inputs from the last message.

  2. 2.

    Corrupt receiver can abort after base OT: A corrupt receiver (\(\textsf {S}_{\textsf {Ext}} \)) can abort after obtaining the results of base-OT protocol corresponding to \(\mathbf {s}\). In such a case, the honest \(\textsf {R}_{\textsf {Ext}} \) would just abort the protocol as the base OTs resulted in an abort. For each base OT, one of the input of \(\textsf {R}_{\textsf {Ext}} \) remain hidden from \(\textsf {S}_{\textsf {Ext}} \) due to the security of the OT; thus hiding \(\textsf {R}_{\textsf {Ext}} \)’s inputs.

  3. 3.

    Batch of \(\kappa \) OT: The OT extension protocol requires \(\kappa \) base OTs between the parties. So, the base OTs can be computed in a batch of \(\kappa \) OTs instead of \(\kappa \) independent instances of the OT protocol.

Based on the above observations we can consider the following relaxations to the OT functionality for a corrupt receiver.

  1. 1.

    Indistinguishability based security against corrupt receiver with input extraction: We can reduce the simulation based security for a corrupt receiver to an indistinguishability based security. We need an extractor algorithm \(\textsf {Ext} \) that can extract the input bit b of a corrupt receiver, given blackbox access to it. The corrupt receiver cannot distinguish its real world view from a view constructed with the sender’s message corresponding to bit \(\bar{b}\) set as \(0^\kappa \).

  2. 2.

    Corrupt receiver can abort without input extraction: A corrupt receiver can decide to abort in the OT functionality and in such a case the \(\textsf {Ext} \) does not need to extract his inputs.

  3. 3.

    Corrupt receiver cannot compute both sender messages: A corrupt receiver cannot compute both sender input messages from the OT transcript and his internal randomness, even if he aborts the protocol.

3.3 Usage in KOS OT Extension

The above relaxations in the base-OT functionality are justified since we do not require simulation based security in the OT extension protocol for the base OTs. This is because the base OTs are internal to the protocol; hence the input/output of the honest parties in the base OTs are inaccessible to the environment \(\mathcal {Z}\) who tries to distinguish between real and ideal world executions of the OT extension protocol. Indistinguishability based security suffices for a corrupt receiver (i.e. a corrupt \(\textsf {S}_{\textsf {Ext}} \)) in the base OTs, if we are guaranteed that the following conditions hold:

  1. 1.

    If the base OTs succeed then the input \(\mathbf {s}\) of the receiver (i.e. \(\textsf {S}_{\textsf {Ext}} \)) can be extracted after obtaining the OT extension last message as that is used by the simulator (for a corrupt \(\textsf {S}_{\textsf {Ext}} ^*\)) to extract the input messages of \(\textsf {S}_{\textsf {Ext}} ^*\). This is guaranteed by the correctness of \(\textsf {Ext} \) algorithm when the base OT protocol succeeds.

  2. 2.

    In case the base OT aborts, then the \(\textsf {Ext} \) does not need to extract the inputs of \(\textsf {S}_{\textsf {Ext}} ^*\) since the OT extension protocol terminates with an abort too.

  3. 3.

    The corrupt \(\textsf {S}_{\textsf {Ext}} ^*\) should not be able to distinguish between the real world interaction with honest \(\textsf {R}_{\textsf {Ext}} \), and ideal world interaction with the simulator. In the ideal world, the simulator runs with input for the extended OTs as all 0s string. \(\textsf {S}_{\textsf {Ext}} ^*\), playing the role of receiver in the base OT, cannot compute both sender messages of the base OT. Based on this property, we tweak our OT extension protocol by relying on the random oracle. The tweak ensures that one of the sender’s messages in the each base OT will be hidden from \(\textsf {S}_{\textsf {Ext}} ^*\). Thus, he cannot distinguish the real world from the ideal world by relying on the security of the original KOS protocol. Our tweak incurs a minimal overhead of 2 RO queries for each base OT.

We also utilize the fact that the base OTs are computed in a batch of \(\kappa \) OTs. This allows us to efficiently implement a batch of \(\kappa \) instances of the above (weakened) OT functionality based on observable random oracle. Next, we discuss our OT protocol which implements a batch of \(\kappa \) instances of weak OT functionality, as discussed above.

3.4 Optimized OT Protocol in the Observable RO Model

We consider an OT protocol in the observable random oracle model where the receiver \(\textsf {R} \) generates receiver OT parameter T by invoking a random oracle \(\mathcal {F}_\textsf {RO1}\) on a \(\textsf {seed}\). He samples a random \(\alpha \leftarrow \mathbb {Z}_q\) and computes his first message based on his input bit b as B, where

$$B=g^\alpha \cdot T^b$$

He sends B and \(\textsf {seed}\) to the sender \(\textsf {S} \). The sender computes T from \(\textsf {seed}\) and samples a random \(r \leftarrow \mathbb {Z}_q\). \(\textsf {S} \) computes sender OT parameters- \(z=g^r\) and sends z to \(\textsf {R} \). \(\textsf {S} \) computes his random pads \(p_0\) and \(p_1\) by invoking a random oracle \(\mathcal {F}_\textsf {RO2}\) as follows:

$$p_0 = \mathcal {F}_\textsf {RO2}({\mathsf {sid}}, B^r)$$
$$p_1=\mathcal {F}_\textsf {RO2}({\mathsf {sid}}, (\tfrac{B}{T})^r)$$

Upon obtaining z, \(\textsf {R} \) computes his output pad \(p_b\) as follows:

$$p_b = \mathcal {F}_\textsf {RO2}({\mathsf {sid}}, z^\alpha ) = \mathcal {F}_\textsf {RO2}({\mathsf {sid}}, g^{r\alpha })$$

This protocol ensures that a corrupt receiver \(\textsf {R} ^*\) cannot compute both random pads as that would require invoking \(\mathcal {F}_\textsf {RO2}\) on \(B^r\) and \((\tfrac{B}{T})^r = \frac{B^r}{T^r}\). Such a corrupt receiver could be used to break the CDH assumption where \((T, z)=(g^t, g^r)\) is the CDH challenge. The queries made by \(\textsf {R} ^*\) to \(\mathcal {F}_\textsf {RO2}\) can be used to obtain \(T^r\) which is the answer to the CDH challenge. This OT protocol also perfectly hides the input b of an honest receiver from a corrupt receiver as \(\alpha \) and \(\alpha -t\) are valid receiver randomness for \(b=0\) and \(b=1\) respectively, where \(B=g^\alpha \). However, this protocol doesn’t allow extraction of receiver or sender’s inputs from the OT messages in the observable RO model.

Adding Receiver Input Extraction. To add receiver’s input extraction the sender adds a challenge in the second round of the OT protocol.

$$\textsf {chall}= \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_0) \oplus \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_1).$$

The receiver has to respond to the challenge by computing his answer \(\texttt {Ans}\).

$$\texttt {Ans}= \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_b) \oplus (b\cdot \textsf {chall}) = \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_0).$$

\(\textsf {R} \) has to query \(\mathcal {F}_\textsf {RO3}\) to compute \(\texttt {Ans}\) and assists a simulator to extract a corrupt receiver’s input. \(\textsf {R} \) sends \(\texttt {Ans}\) to the sender in a third OT message. This increases the round complexity to 3 but it ensures that the simulator can extract the receiver’s input bit from the RO queries of \(\mathcal {F}_\textsf {RO3}\) if \(\texttt {Ans}\) is valid. This is similar to the challenge-response paradigm introduced in the work of [DKLs18]. However, a corrupt sender can compute the challenge in a malicious way such that he can find out the bits of receiver from the response and the receiver fails to identify such an attack. The work of [DKLs18] tackles this issue by making the sender open his randomness (for computing the challenge) to the receiver in a fourth OT message. We ensure correctness of the challenge by making the sender send a proof \(\gamma \) along with the challenge in the second OT message,

$$\gamma = \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_0)) = \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, \texttt {Ans}).$$

After obtaining the second OT message, the receiver can compute \(\texttt {Ans}\) and verify the proof \(\gamma \). If \(\gamma \) is valid then he sends \(\texttt {Ans}\) to sender else he aborts. This ensures input extraction of receiver as argued before but it adds selective failure attack by a corrupt sender \(\textsf {S} ^*\). \(\textsf {S} ^*\) can try to guess the bits of receiver and based on that he can maliciously construct the challenge. However, our OT functionality accommodates selective failure attack over a batch of \(\kappa \) OTs and hence this challenge-prove-response paradigm would work in our case. Next, we show that this trick already provides extraction of a corrupt sender’s input.

Adding Sender Input Extraction. Our challenge-prove-response paradigm allows us to construct a protocol where the sender’s inputs can be extracted if a batch of \(\ell > \mu \) OTs are run together. In KOS, \(\kappa \) OTs are run where \(\kappa >\mu \). Now, we will explain the reason behind our assumption of \(\ell >\mu \). In a batch of \(\ell \) OTs, every OT uses the same T and \(z=g^r\), i.e. the ith OT pad is of the form:

$$p_{i, 0} = \mathcal {F}_\textsf {RO2}({\mathsf {sid}}, B_i^r),$$
$$p_{i, 1} = \mathcal {F}_\textsf {RO2}({\mathsf {sid}}, (\tfrac{B_i}{T})^r),$$

where \(B_i\) is chosen by \(\textsf {R} \) based on his randomness \(\alpha _i\) and input bit \(b_i\) for the i-th OT. In such a case, the sender sends a unique challenge \(\textsf {chall}_i\) for each OT as follows:

$$\textsf {chall}_i = \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{i, 0}) \oplus \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{i, 1}).$$

Now, the receiver computes the answer \(\textsf {resp}\) to the challenge as:

$$\textsf {resp}_i = \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_b) \oplus (b\cdot \textsf {chall}) = \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_0).$$

The answer to the challenge is optimized to sending one string for the whole batch instead of \(\kappa \) strings, as follows:

$$\begin{aligned} \texttt {Ans}= & {} \mathcal {F}_\textsf {RO4}({\mathsf {sid}}, \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, \textsf {resp}_1), \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, \textsf {resp}_2), \ldots \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, \textsf {resp}_\kappa )) \\= & {} \mathcal {F}_\textsf {RO4}({\mathsf {sid}}, \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{1, 0}), \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{2, 0}), \ldots \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{\kappa , 0})). \end{aligned}$$

The proof sent by the sender is also modified accordingly as:

$$\begin{aligned} \gamma= & {} \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, \mathcal {F}_\textsf {RO4}({\mathsf {sid}}, \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{1, 0}), \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{2, 0}), \ldots \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{\kappa , 0}))) \\= & {} \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, \texttt {Ans}). \end{aligned}$$

The receiver can check his computed answer with the proof and then respond with \(\texttt {Ans}\). This tweak allows us to extract a corrupt sender’s input for \(\ell >\mu \) OTs. The simulator can extract \(T^r\) by observing the queries- \(B_i^r\) and \((\tfrac{B_i}{T})^r\) made by \(\textsf {S} \) to \(\mathcal {F}_\textsf {RO2}\). Sender needs to query \(\mathcal {F}_\textsf {RO2}\) for computing \(p_{i, 0}\) and \(p_{i, 1}\) values, which are in turn used to compute the challenge and proof for \(\ell >\mu \) OTs. Sender can avoid querying \(\mathcal {F}_\textsf {RO2}\) with both- \(B_i^r\) and \((\tfrac{B_i}{T})^r\). In that case, he has to either guess the corresponding RO query results, i.e. \(p_{i, 0}\) or \(p_{i, 1}\), or he launches a selective failure attack for every OT and he has to correctly guess receiver’s input bit for every OT. This is because, the receiver’s input is random and he will compute the \(\texttt {Ans}\) and it will not match with the \(\gamma \) sent by the sender, except with \(2^{-\mu }\) probability, since \(\gamma \) and \(\textsf {chall}_i\) were computed without correctly computing the \(p_{i, 0}\) or \(p_{i, 1}\) values, for every \(i \in [\ell ]\). Thus, the simulator can observe \(\mathcal {F}_\textsf {RO2}\), compute the candidate \(p_{i, 0}, p_{i, 1}\), match with \(\textsf {chall}_i\) values and \(\gamma \) and extract the correct \(T^r\). Using \(T^r\), he can extract the sender’s input messages.

3.5 Circumventing the Impossibility Result of [GMMM18]

We circumvent the impossibility result of [GMMM18] by allowing the OT extension receiver \(\textsf {R}_{\textsf {Ext}} \), i.e. base OT sender, to use the base OT output messages to send his mapping \(\mathbf {D}\) in the second round of the OT extension protocol. If the base OT receiver fails to answer the base OT challenge then \(\textsf {R}_{\textsf {Ext}} \) aborts else he computes his OT extension output message. The base OT security ensures that a corrupt base OT receiver (i.e. \(\textsf {S}_{\textsf {Ext}} ^*\)) cannot compute both messages of the base OT sender (i.e. \(\textsf {R}_{\textsf {Ext}} \)). This hides the input of \(\textsf {R}_{\textsf {Ext}} \) in \(\mathbf {D}\) even though we use the base OT messages before it has terminated. Such non-blackbox usage of the 3 round base-OT protocol allows us to obtain a 3 round OT extension protocol.

4 Weakening the Oblivious Transfer Functionality

In this section, we discuss the type of security that we require from the base OT protocols of the KOS OT extension. We demonstrate that by gradually relaxing the \(\mathcal {F}_{\textsf {OT}}\) functionality, where the parties choose their own input, to a random OT where the functionality provides random inputs to the parties. Next, we allow selective failure attack by a sender on receiver’s inputs and define it as \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\). We also allow a corrupt receiver to abort the protocol. We relax the UC-security of this protocol to one-sided simulation. Finally, we formally define our notion of weakened OT which provides simulation based security for a corrupt sender and indistinguishability security against a corrupt receiver.

Random Oblivious Transfer. The OT functionality can be relaxed to consider random inputs, i.e. \(\mathcal {F}_{\textsf {rOT}}\). In this case, the inputs of an honest sender and an honest receiver are chosen randomly by the functionality. However, a malicious sender (also a malicious receiver) can choose his own inputs. The ideal random OT functionality has been presented in Fig. 3.

Fig. 3.
figure 3

The ideal functionality \(\mathcal {F}_{\textsf {rOT}}\) for random Oblivious Transfer

Full size image

Random Oblivious Transfer with Selective Failure and Explicit Abort. We can further weaken the \(\mathcal {F}_{\textsf {rOT}}\) functionality to allow selective failure attacks by a corrupt sender. Here, the corrupt sender \(\textsf {S} ^*\) can try to guess the random input of the receiver by setting its message, corresponding to bit 0 as \(\bot \), whereas the message corresponding to bit 1 is set correctly. An honest receiver would abort if his input bit b is 0, else he continues with the protocol. This would leak b to \(\textsf {S} ^*\). We also allow a corrupt receiver \(\textsf {R} ^*\) to explicitly abort the protocol after it obtains its input message \(a_b\). In such a case, the functionality notifies the sender regarding the abort. Our \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\) functionality has been modeled in Fig. 4.

Fig. 4.
figure 4

The ideal functionality \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\) for Random Oblivious Transfer with Selective Failure

Full size image

Oblivious Transfer for KOS. It was shown in the work of KOS and [DKLs18] that \(\kappa \) instances of \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\) (without the Abort option) suffices to instantiate the \(\kappa \) base OTs in the KOS OT extension protocol. However, this requires simulation based security against a corrupt \(\textsf {R} ^*\), where the simulator needs to extract the input of \(\textsf {R} ^*\) and simulate the sender’s message s.t. they open to the correct message, i.e. \(a_b\), even if \(\textsf {R} ^*\) aborts the protocol. However, such a strong requirement from \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\) is an overkill for instantiating the base-OT protocols. We demonstrate that the security against a corrupt receiver can be reduced to indistinguishability based security and his input need not be extracted when he aborts. More precisely:

  • Indistinguishability against a Malicious : In the KOS OT extension, the invocations to the base OT functionality is internal to the OT extension protocol. The environment \(\mathcal {Z}\) does not have access to it; hence it cannot choose inputs for the honest parties in the base OT functionality. This permits us to use an efficient OT protocol to emulate the functionality, s.t. it provides simulation based security against a corrupt \(\textsf {S} ^*\) whereas for a corrupt \(\textsf {R} ^*\), it provides indistinguishability based security. Such a relaxation allows us to use observable random oracle instead of a programmable one in 3 rounds. Previous protocols, like [DKLs18] used observable RO but they required 5 rounds for the base OTs, where the last 2 rounds where spent in simulating the honest sender’s messages, i.e. providing simulation based security against corrupt \(\textsf {R} ^*\). The work of [MR19] obtain a two-round OT but they require twice the amount of exponentiation as ours by extracting the receiver’s input from the first OT message.

  • Input of need not be extracted during Abort: When the sender \(\textsf {S}_{\textsf {Ext}} ^*\) of the OT extension protocol (acting as the receiver \(\textsf {R} ^*\) of the base OTs) misbehaves and causes an abort, the OT extension protocol leads to an abort. In such a case, the input messages (in the extended OTs) of \(\textsf {S}_{\textsf {Ext}} ^*\) need not be extracted. Hence, it is not necessary to extract the inputs of \(\textsf {S}_{\textsf {Ext}} ^*\)(or \(\textsf {R} ^*\)) in the base OTs. This allows us to push the extraction of the \(\textsf {R} ^*\) input until the last round of the base OT (in our case also the last round of OT extension), where it can be extracted when he computes the base OTs correctly. In case he aborts then it is guaranteed that he cannot compute both sender messages. This allows us to save on the number of exponentiations.

  • Batch of \(\kappa > \mu \) OTs: We consider a batch of \(\kappa >\mu \) invocations of OT protocol for the base OTs. This is necessary since a corrupt receiver of OT extension \(\textsf {R}_{\textsf {Ext}} ^*\) can launch a selective failure attack on the inputs of \(\textsf {S}_{\textsf {Ext}} \) to the base OT. Since the inputs are random, \(\textsf {R}_{\textsf {Ext}} ^*\) can at most determine \(\mu \) inputs bits of \(\textsf {S}_{\textsf {Ext}} \)’s randomness. However, that gives him a negligible advantage in breaking the security of the OT extension protocol due to the security of the underlying OT extension protocol.

We also assume there exists a PPT algorithm \(\textsf {Ext} \) that can extract the input of a malicious \(\textsf {R} ^*\), if he does not abort the protocol. We formally define our sender-simulatable \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\) with the following security properties required against a corrupt receiver:

Definition 2

Let \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\) be the Oblivious Transfer functionality as shown in Fig. 4. We say that a protocol \(\pi _{\textsf {OT}}\) securely computes \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\) with sender-sided simulation with input extractability of receiver if the following holds:

  1. 1.

    For every non-uniform PPT adversary \(\textsf {S} ^*\) controlling the sender in the real model, there exists a non-uniform PPT adversary \(\textsf {Sim}\) for the ideal model, such that for any environment \(\mathcal {Z}\),

    $$\textsc {ideal}_{\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}, \textsf {Sim}, \mathcal {Z}}((a_0, a_1), b, z)_{z \in \{0,1\}^*} \approx \textsc {real}_{\pi _{\textsf {OT}}, \textsf {S} ^*, \mathcal {Z}}((a_0, a_1), b, z)_{z \in \{0,1\}^*}.$$
  2. 2.

    For every non-uniform PPT adversary \(\mathcal {A}\) controlling the receiver \(\textsf {R} ^*\), the following holds:

    • Property 1: If the sender did not abort, then there exists a PPT extractor algorithm Ext such that the following holds:

      $$\begin{aligned} \Pr \Bigg [ (a_0, a_1) \leftarrow \textsf {S} ^{\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}}, (b, a_b)&\leftarrow \mathcal {A}^{\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}}, b' \leftarrow \textsf {Ext} ^\mathcal {A}\\&: (b \ne b') \wedge (a_0 \ne \bot ) \wedge (a_1 \ne \bot ) \Bigg ] \le \textsf {negli}(\kappa ) \end{aligned}$$

    • Property 2: If the sender did not abort, then the view of \(\textsf {R} ^*\) is independent of \(a_{\bar{b}}\). More formally the following condition holds:

      $$\mathcal {V}^{\textsf {S}}_{\pi _{\textsf {OT}}, \textsf {R} ^*(z)}((a_0, a_1), b, z)_{z \in \{0,1\}^*} \approx \mathcal {V}^{\textsf {S}}_{\pi _{\textsf {OT}}, \textsf {R} ^*(z)}((\widetilde{a_0}, \widetilde{a_1}), b, z)_{z \in \{0,1\}^*},$$

      where \(\textsf {Ext} \) outputs b on interacting with \(\textsf {R} ^*\). \(\mathcal {V}^{\textsf {S}}_{\pi _{\textsf {OT}}, \textsf {R} ^*(z)}\) denotes the view of adversarial \(\textsf {R} ^*\) after a real execution of protocol \(\pi _{\textsf {OT}}\) with the honest sender \(\textsf {S} \), with random sender inputs \((a_0, a_1)\), and \((\widetilde{a_0}, \widetilde{a_1})\) where \(\widetilde{a_{b}}\leftarrow \{0,1\}^\kappa \) and \(\widetilde{a_{\bar{b}}}=0^\kappa \) respectively.

    • Property 3: \(\textsf {R} ^*\) cannot compute both sender messages except with negligible probability. More formally the following condition holds:

      $$\Pr \Bigg [ (a_0, a_1) \leftarrow \textsf {S} ^{\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}}, (a_0', a_1') \leftarrow \mathcal {A}^{\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}} : (a_0=a_0') \wedge (a_1=a_1') \Bigg ] \le \textsf {negli}(\kappa )$$
Fig. 5.
figure 5

KOS OT Extension using \(\pi _{\textsf {OT}}^\kappa \)

Full size image

5 Oblivious Transfer Extension Using

In this section we show that the base OTs (a.k.a seed OTs) in the KOS OT extension can be instantiated using \(\kappa \) invocations to the modified (according to Definition 2) \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\). This results in an efficient seed OT phase, where each base OT requires 3 exponentiations. We assume that there exists a protocol \(\pi _{\textsf {OT}}^\kappa \) which implements(according to Definition 2) \(\kappa \) instances of \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\). Then we use \(\pi _{\textsf {OT}}^\kappa \) to implement the base OTs. Our protocol has been presented in Fig. 5.

5.1 Security Proof

We prove UC-security of our OT extension protocol \(\pi _{\textsf {KOS}}\) by relying on the security properties of \(\pi _{\textsf {OT}}^\kappa \), correlation robust function, PRG and RO. More precisely, we prove Theorem 1.

Theorem 1

Assuming \(\textsf {PRG}\) is a secure pseudorandom generator, \( \textsc {CRF}\) is a tweakable correlation robust function, \(\mathcal {F}_\textsf {RO2}\) is an observable random oracle and \(\pi _{\textsf {OT}}^\kappa \) implements (according to Definition 2) \(\kappa \) instances of \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\), then \(\pi _{\textsf {KOS}}\) UC-securely implements \(m=\text {poly}(\kappa )\) instances of \(\mathcal {F}_{\textsf {OT}}\) functionality.

Proof

We will first argue security for a corrupt sender and then for a corrupt receiver. In both cases, we give a simulator algorithm and provide an indistinguishability argument.

The simulator for a statically corrupt \(\textsf {S} ^*\) constructs the \(\mathbf {M}, \mathbf {R}\) and \(\mathbf {D}\) matrices using \(\mathbf {r}= 0^m\) by following the honest receiver algorithm. \(\textsf {S} ^*\) cannot obtain both \(\mathbf {k}_{i, 0}\) and \(\mathbf {k}_{i, 1}\) (due to the security of \(\pi _{\textsf {OT}}^\kappa \) against a corrupt receiver). Hence, \(\mathbf {R}\) remains hidden due to the \(\textsf {PRG}\) security. The simulator will invoke the \(\textsf {Ext} \) algorithm of \(\pi _{\textsf {OT}}^\kappa \) to obtain the randomness of \(\textsf {S} ^*\), i.e. \(\mathbf {s}\). Using \(\mathbf {s}\), the simulator can compute back the sender’s messages. Our simulator has been provided in Fig. 6. We argue indistinguishability between real and ideal world by providing hybrids and proving indistinguishability between each pair of consecutive hybrids as follows:

  • : Real world.

  • : Same as \(\textsf {HYB}_{\textsc {0}}\), except the reduction constructs \(\mathbf {M}, \mathbf {D}\) and \(\mathbf {R}\) using \(\mathbf {r}=0^m\). Indistinguishability follows since the corrupt sender cannot compute both messages in the base OTs due to security of \(\pi _{\textsf {OT}}^\kappa \). Then one of \(\mathcal {F}_\textsf {RO1}({\mathsf {sid}}, \mathbf {k}_{i, 0})\) and \(\mathcal {F}_\textsf {RO1}({\mathsf {sid}}, \mathbf {k}_{i, 1})\) remains hidden for every \(i \in [\kappa ]\) due to the RO assumption of \(\mathcal {F}_\textsf {RO1}\).

  • : Same as \(\textsf {HYB}_{\textsc {1}}\), except the reduction extracts \(\mathbf {s}\) by invoking \(\textsf {Ext} \) algorithm of \(\pi _{\textsf {OT}}^\kappa \). Indistinguishability follows due to the correctness of \(\textsf {Ext} \) algorithm, which is guaranteed by the security of \(\pi _{\textsf {OT}}^\kappa \) when the OT extension sender does not abort.

  • : Same as \(\textsf {HYB}_{\textsc {2}}\), except the reduction successfully extracts sender’s input messages using \(\mathbf {M}\) and \(\mathbf {s}\). This \(\textsf {HYB}_{\textsc {3}}\) is identical to \(\textsf {HYB}_{\textsc {2}}\) due to correctness of the OT extension protocol.

Next, we discuss the simulation for a corrupt \(\textsf {R} ^*\). The simulator will extract the \((\mathbf {k}_{i, 0}, \mathbf {k}_{i, 1})\) values by invoking the simulator(for corrupt sender) of \(\pi _{\textsf {OT}}^\kappa \). A corrupt \(\textsf {R} ^*\) can perform selective failure attack on the base OTs but the KOS protocol is resilient to such attacks. \(\textsf {R} ^*\) can also construct the \(\mathbf {R}\) matrix in such a way that it is not monochrome, i.e. some of the rows of \(\mathbf {M}\) does not contain all 0s or all 1s. In such a case the consistency checks detect it with high probability and the sender aborts. If the checks pass, then \(\textsf {R} ^*\) infers limited knowledge about the bits of \(\mathbf {s}\). We refer to the original KOS [KOS15] paper for more details. Our simulator algorithm has been presented in Fig. 7. Next, we present our hybrids and indistinguishability argument:

  • : Real world.

  • : Same as \(\textsf {HYB}_{\textsc {0}}\), except the reduction invokes the simulator (for corrupt sender) of \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\) to obtain \((\mathbf {k}_{i, 0}, \mathbf {k}_{i, 1})\).

  • : Same as \(\textsf {HYB}_{\textsc {1}}\), except the reduction aborts if \(\mathbf {M}\) has more than \(\mu \) non-monochromatic rows. The real world sender would abort due to the correctness of the consistency checks, which follow from the RO assumption. Thus, indistinguishability follows from the RO assumption.

  • : Same as \(\textsf {HYB}_{\textsc {2}}\), except the simulator extracts \(\textsf {R} ^*\) input and simulates the \(\mathbf {y}_{j, 0}\) and \(\mathbf {y}_{j, 1}\) according to the simulation algorithm. Indistinguishability follows due to the \( \textsc {CRF}\) assumption.    \(\square \)

Fig. 6.
figure 6

Simulation against a statically corrupt \(\textsf {S} ^*\)

Full size image
Fig. 7.
figure 7

Simulation against a statically corrupt \(\textsf {R} ^*\)

Full size image

5.2 Efficiency

Our instantiation of the KOS protocol has a minimal overhead of two random oracle, per base OT, on top of the modified KOS protocol of [DKLs18]. The original communication complexity remains preserved. Using Fiat-Shamir like transform of [DKLs18] the consistency checks have become non-interactive. In the original KOS protocol, the consistency checks required 2 extra rounds for coin-tossing protocol between the parties. In the next section we will provide an efficient protocol for \(\pi _{\textsf {OT}}^\kappa \) using 3 rounds. The base-OT messages can be sent in parallel to the OT extension messages. Thus, it would be round preserving and it will circumvent the impossibility result of [GMMM18] since we consider non-blackbox usage of the base-OT protocol.

Fig. 8.
figure 8

Protocol computing \(\ell \) instances of \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\) according to Definition 2

Full size image

6 Implementing Instances of

In this section we present our protocol \(\pi _{\textsf {OT}}^\ell \) which implements (according to Definition 2) \(\ell = \kappa \) instances of \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\) assuming Observable Random Oracle, where \(\kappa > \mu \). We refer to Sect. 3 for a detailed overview. Our protocol has been presented in Fig. 8.

6.1 Security Proof

We prove security of our protocol \(\pi _{\textsf {OT}}\) by proving Theorem 2. In Sect. 5, we will show that such a relaxation in security suffices for KOS OT extension.

Theorem 2

Assuming the Decisional Diffie-Hellman holds in group \(\mathbb {G}\), then \(\pi _{\textsf {OT}}^\kappa \) (Fig. 8) UC-securely implements \(\ell (>\mu )\) instances of \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\) functionality (according to Definition 2) in the observable random oracle model with sender-sided simulation.

Proof

We will first argue security for a corrupt sender and then for a corrupt receiver. In the first case we provide a simulator and in the latter part we provide an indistinguishability argument.

The simulator for a statically corrupt sender \(\textsf {S} ^*\) will use the observability of the ROs to extract the sender’s input, since he cannot program \(\mathcal {F}_\textsf {RO1}\) on \(\textsf {seed}\). He will compute the receiver message with random input bits. He can compute either \(g^{\alpha _ir}\) by following the receiver algorithm and extract one of the sender’s input message for ith OT. In order to extract the other sender’s input message, he needs to find out \(T^r\). Assume for sake of simplicity, that the simulator’s input bit for all OTs are \(b_i=0\) and he can compute \(p_{i, 0}\) and \(a_{i, 0}\), for all \(i \in [\kappa ]\). He tries to compute \(p_{i, 1}\) values as follows:

  1. 1.

    Observe the queries made by \(\textsf {S} ^*\) to \(\mathcal {F}_\textsf {RO3}\) for computing \(\textsf {chall}_i\) using \(p_{i, 1}\) for every \(i \in [\kappa ]\). Extract candidate \(p_{i, 1}\) values s.t. \(\textsf {chall}\) is well-formed using \(p_{i, 0}\) and \(p_{i, 1}\). It is guaranteed that from every \(\textsf {chall}_i\), \(\textsf {Sim}\) can get at most one candidate \(p_{i, 1}\) value.

  2. 2.

    After obtaining candidate \(p_{i, 1}\) values for each ith OT, the simulator observes the queries made to \(\mathcal {F}_\textsf {RO2}\) to obtain \(p_{i ,1}\). If there aren’t any such query, then the simulator sets adversary’s guess for ith OT as 0 in the selective failure attack. Else, simulator will obtain an unique (guaranteed by RO assumption) query \(\rho _{i, 1}\), s.t. \(\mathcal {F}_\textsf {RO2}({\mathsf {sid}}, \rho _{i, 1}) = p_{i, 1}\).

  3. 3.

    Simulator obtains all the candidate values of \(T^r\) from \(\rho _{i, 0}\)(which he can compute locally) and \(\rho _{i, 1}\). Let \(\mathbf {A}= \{A_1, A_2, \ldots , A_\ell \}\) denote the list of values obtained as \(A_i = \tfrac{\rho _{i, 0}}{\rho _{i, 1}}\) for \(i \in [\kappa ]\) for \(i \in [\kappa ]\). Let A be the value which has been obtained the maximum number of times from the OTs. The simulator sets A as the supposed \(T^r\) value. If there are more than \(\mu \) OTs whose \(A_i\) values are different from A, then simulator sends \((\textsc {Guess}, \textsf {Sim}, \top , {\mathsf {sid}})\) to \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\) and aborts. In such a case, \(\textsf {S} ^*\) can distinguish the real and ideal world, only if the honest receiver does not abort. To ensure that, \(\textsf {S} ^*\) must correctly guess the random input bits of the honest \(\textsf {R} \). Thus, \(\textsf {S} ^*\) can distinguish with \(2^{-\mu }\) probability if he miscomputed more than \(\mu \) OTs. Otherwise, the simulator can extract \(T^r = A\) value correctly.

  4. 4.

    Given the correct \(T^r\) value, simulator computes the correct \(p_{i, 1}\) values whose corresponding \(A_j\) values were different from A.

Next, the simulator needs to simulate the selective OT failure attacks. \(\textsf {Sim}\) simulates the selective failure attack by checking whether \(\textsf {chall}_i\) is correctly formed or not, i.e. if \(\textsf {chall}_i = \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{i, 0})\oplus \mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{i, 1})\) then \(\mathcal {A}\) is not performing a selective failure attack. Else, he has performed a selective failure attack on the receiver’s input. Simulator needs to find out the bit \(b'\) which adversary has guessed and invoke \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\) with \((\textsc {Guess}, \textsf {Sim}, {\mathsf {sid}}, \top )\). \(\textsf {Sim}\) performs this by observing the queries made by \(\mathcal {A}\) to \(\mathcal {F}_\textsf {RO4}\) and \(\mathcal {F}_\textsf {RO3}\).

  1. 1.

    \(\textsf {Sim}\) observes the queries made to \(\mathcal {F}_\textsf {RO3}\) and compares it with \(\gamma \). If \(\gamma \) was formed without querying \(\mathcal {F}_\textsf {RO3}\), then \(\textsf {Sim}\) aborts as the real world sender would also abort irrespective of input, due to RO assumption. There can be only one such candidate query \(\beta \) s.t. \(\mathcal {F}_\textsf {RO3}({\mathsf {sid}}, \beta ) = \gamma \), due to RO assumption. \(\beta \) is the candidate for \(\texttt {Ans}\) that \(\textsf {S} \) must have obtained while computing \(\gamma \).

  2. 2.

    Next, \(\textsf {Sim}\) searches for \(y=(y_1y_2\ldots y_\ell )\), s.t. \(\mathcal {F}_\textsf {RO4}({\mathsf {sid}}, y) = \beta \), due to RO assumption.

  3. 3.

    Upon finding such a y tuple, it individually checks for \(y_i'\) values s.t. \(y_i=\mathcal {F}_\textsf {RO3}({\mathsf {sid}}, y_i')\).

  4. 4.

    These \(y_i'\) values are then individually matched with the pads \((p_{i, 0}, p_{i, 1})\) and \(\textsf {chall}_i\). If \(p_{i, 0}=y_i'\), then \(\textsf {chall}_i\) is correctly formed for \(b'=0\) and so \(\textsf {Sim}\) sets \(b'=0\). If \(\mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{i, 1}) \oplus \textsf {chall}_i = y_i'\) then \(\textsf {chall}_i\) is correctly formed for \(b'=0\) and so \(\textsf {Sim}\) sets \(b' =1\). Else, the challenge is malformed for both \(b'=0\) and \(b'=1\); hence the simulator aborts as the honest sender would also abort.

If there are more than \(\mu \) OTs where the \(\mathcal {A}\) has launched a selective failure attack then the simulator aborts and sends \((\textsc {Guess}, \textsf {Sim}, {\mathsf {sid}}, \top )\) to \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\). Finally, the simulator invokes \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\) with input \((\textsc {Guess}, \textsf {Sim}, b', {\mathsf {sid}})\). It should be noted that the input bit \(b_i\) remains perfectly hidden in \(B_i=g^{\alpha _i}\) since \(\alpha _i\) and \(\alpha _i-t\) are valid randomness for \(b_i=0\) and \(b_i=1\) respectively. The real and ideal world are statistically indistinguishable except with \(2^{-\mu }\) probability. The simulation algorithm has been provided in Fig. 9 and the formal hybrids and indistinguishability argument are as follows:

  • : Real world.

  • : Same as \(\textsf {HYB}_{\textsc {0}}\), except the reduction except the reduction computes \((p_{i, 0}, p_{i, 1})\) by following the simulation strategy and computes \(A=T^r\), or aborts if necessary. Indistinguishability follows due to RO assumption as discussed previously.

  • : Same as \(\textsf {HYB}_{\textsc {1}}\), except the reduction invokes \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\) with input \(p_{i, 0}=p_{i, 1}= \bot \) and aborts if there are 0 or 2 (and more) candidate values for \(\beta \). Indistinguishability follows from RO assumption.

  • : Same as \(\textsf {HYB}_{\textsc {2}}\), except the reduction invokes \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\) with input \(p_{i, 0}=p_{i, 1}= \bot \) and aborts if there are 0 or 2 (and more) candidate values for y. Indistinguishability follows from RO assumption.

  • : Same as \(\textsf {HYB}_{\textsc {3}}\), except the reduction invokes \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\) with input \(p_{i, 0}=p_{i, 1}= \bot \) and aborts if there are 0 or 2 (and more) candidate values for \(y_i'\) for each \(i \in [\ell ]\). Indistinguishability follows from RO assumption.

  • : Same as \(\textsf {HYB}_{\textsc {4}}\), except the reduction aborts if there are >\(\mu \) OTs where the sender has launched a selective failure attack. Indistinguishability follows statistically since the inputs of the honest sender are identically distributed to the inputs of the reduction, and both are random. The probability that the reduction aborts and the sender doesn’t abort in the real world is \(2^{-\mu }\).

  • : Same as \(\textsf {HYB}_{\textsc {5}}\), except the reduction simulates the selective failure attack following the simulation algorithm. Indistinguishability follows due to the RO assumption.

  • : Same as \(\textsf {HYB}_{\textsc {6}}\), except \(\textsf {Sim}\) computes \((p_{i, 0}, p_{i, 1})\) following the simulation strategy and invokes \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\) with it. This hybrid is identical to the previous hybrid.

Fig. 9.
figure 9

Simulation against a statically corrupt \(\textsf {S} ^*\)

Full size image
Fig. 10.
figure 10

Extractor Algorithm \(\textsf {Ext} \)

Full size image

This completes the security proof for a corrupt sender. Next, we discuss the case for a corrupt receiver. In this case, the simulator either extracts the input bit of a corrupt receiver or it aborts. In the real world, the honest sender would also abort. However, in both cases the receiver can obtain the message corresponding to his bit after the OT protocol results in an abort by the sender. More formally, the simulator for a corrupt receiver \(\textsf {R} ^*\) will set \((c_{i, 0}, c_{i, 1})\) values randomly. Later, upon obtaining the second OT second message, the receiver can follow either of the two tactics:

  • \(\texttt {Resp}\) is valid: The receiver can query \(\mathcal {F}_\textsf {RO2}\) to compute \(p_{i, b_i}\), corresponding to his input bit \(b_i\) for ith OT. Then he can correctly compute the response to the challenge by running the honest receiver algorithm. This would result in the sender accepting the response to the challenge. The simulator can observe the queries made to the random oracles to extract \(b_i\) and invoke \(\mathcal {F}_{\textsf {SF}{\text {-}}{\textsf {rOT}}}\) with input \(b_i\).

  • \(\texttt {Resp}\) is invalid: On the other hand, the receiver can send a random response to the challenge and force the sender to abort. However, the receiver can decrypt the message corresponding to his input bit \(b_i\) after the protocol ends by running the honest receiver’s algorithm. This would hamper simulation as the simulator cannot extract \(b_i\) during the protocol since \(\textsf {R} ^*\) did not query the random oracles. Hence, the message decrypted (after the protocol aborted) by \(\textsf {R} ^*\) in the simulated world will be distinguishable from the message decrypted (after the protocol aborted) by \(\textsf {R} ^*\) in the simulated world. Based on \(a_{b_i}\), the view of \(\textsf {R} ^*\) can be distinguished by the environment \(\mathcal {Z}\); hence simulation would fail.

Next, we show indistinguishability based security for a corrupt receiver. We demonstrate that there exists a PPT algorithm \(\textsf {Ext} \) who can extract the input choice bit of \(\textsf {R} ^*\) if \(\textsf {Ext} \) has blackbox access to \(\textsf {R} ^*\) for the protocol session. If \(\textsf {R} ^*\) decides to forcefully abort the protocol, then it is guaranteed that he cannot compute both sender input messages as that would require solving the CDH problem. We present our \(\textsf {Ext} \) algorithm in Fig. 10 and we modularly discuss the details of our proof by arguing that each property in Definition 2 holds for our protocol.

  • Correctness of algorithm: The corrupt receiver has to compute a correct answer to the challenge. To do that, he has to query either \(B_i^r\) or \((B_i\cdot T^{-1})^r\) to \(\mathcal {F}_\textsf {RO2}\), to obtain \(p_{i, 0}\) or \(p_{i, 1}\) and construct the correct response using \(\mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{i, 0})\) or \(\mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{i, 1})\). He can bypass querying the RO if he can correctly guess \(p_{i, 0}\) or \(p_{i, 1}\) or \(\mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{i, 0})\) or \(\mathcal {F}_\textsf {RO3}({\mathsf {sid}}, p_{i, 1})\). However, that occurs with negligible probability. Thus, the \(\textsf {Ext} \) algorithm succeeds if \(\textsf {R} ^*\) correctly responds to the challenge. In such a case, \(\textsf {R} ^*\) queries \(\mathcal {F}_\textsf {RO2}\); hence \(\textsf {Ext} \) can correctly extract \(b_i\).

  • cannot compute both \(p_{i, 0}\) and \(p_{i, 1}\): It can be observed that if \(\textsf {R} ^*\) obtains both \(p_{i, 0}\) and \(p_{i, 1}\) by querying \(\mathcal {F}_\textsf {RO2}\) on \(\rho _{i, 0}\) and \(\rho _{i, 1}\) respectively, then he can be used to solve the CDH problem where the CDH challenge instance is \(T=g^t\) and \(z=g^r\). The solution to the CDH challenge would be \(T^r= \tfrac{\rho _{i, 0}}{\rho _{i, 1}}\). Here, we can assume that the reduction programs \(\mathcal {F}_\textsf {RO1}\) on \(\textsf {seed}\) s.t. it returns the CDH challenge T. This is a reasonable assumption to make since we are programming the RO in the reduction. Such programming instances can be found out in the work of [DKLs18].

  • Indistinguishability of views: The real world view of the corrupt receiver \(\textsf {R} ^* - \mathcal {V}^{\textsf {S}}_{\pi _{\textsf {OT}}, \textsf {R} ^*(z)}((p_{i, 0}, p_{i, 1}), b, z)_{z \in \{0,1\}^*}\), after executing an OT protocol with \(\textsf {S} \) using random inputs is indistinguishable from the ideal world view of \(\textsf {R} ^*- \mathcal {V}^{\textsf {S}}_{\pi _{\textsf {OT}}, \textsf {R} ^*(z)}((\widetilde{p_{i, 0}}, \widetilde{p_{i, 1}}), b, z)_{z \in \{0,1\}^*}\), after executing an OT protocol with sender since the sender only sends z. This is because \(\textsf {R} ^*\) cannot query \(\rho _{i, \widetilde{b_i}}\) to \(\mathcal {F}_\textsf {RO2}\) (due to CDH assumption) and hence \({p_{i, \bar{b_i}}}\) and \(\widetilde{p_{i, \bar{b_i}}}=0^\kappa \) would look indistinguishable due to the RO assumption.

This completes our proof of Theorem 2.    \(\square \)

6.2 Efficiency

Overall the complexity of our protocol is similar to the CO-OT protocol. Our protocol requires the receiver to compute 2 exponentiations and the sender to compute 1 exponentiation for each OT. The sender needs to compute 5 RO queries and the receiver need to query the RO for 4 times, for each OT. The receiver needs to communicate one group element and one \(\kappa \) bit string for each OT. The sender needs to send \(4\kappa \) bit strings for each OT.

In addition, the sender has a one-time computation of 1 exponentiation, one RO query and communication of one group element, which can be reused. The receiver has a one-time communication of \(\kappa \) bit string and one-time computation of one RO query.

7 Implementation and Evaluation

We will study the concrete performance of our OT protocol in this section. As we have analyzed in previous sections, our OT protocol is expected to be as fast as the CO-OT protocol by Chou and Orlandi [CO15], which is the most efficient OT protocol but not provably UC-secure and does not provide input extraction of a corrupt receiver. Since all state-of-the-art OT protocols are slower than CO-OT, the above is sufficient to demonstrate the efficiency of our protocol against all other alternatives [MR19, DKLs18].

We implement CO-OT and our protocol using relic-toolkit [AG] and test them on a machine with a 3 GHz Intel Xeon CPU. No multi-thread or assembly-level optimization is used. We throttle the network bandwidth to be 1 Gbps but with different network round-trip time (RTT, measured by ping). The performance is summarized in Table 2, where we can see that the performance of our protocol is identical to the CO-OT protocol for different network latency values. This is expected as both protocols have the same number of exponentiation operations. Note that prior works [CO15, MR19] reported performance of CO-OT with low-level hardware-dependent accelerations. Our protocol can benefit from them too, resulting in even higher performance. We further applied both protocols as the base OT to compute OT extension. We can see that due to the reduce round complexity of our protocol, we are to obtain a better efficiency with the overall running time improved by one RTT (Table 3).

Table 2. Comparing the performance to compute \(\kappa =128\) base OTs using our protocol and CO-OT.
Full size table
Table 3. Comparing the performance to compute \(10^7\) random OTs using KOS with base OT as our protocol and CO-OT.
Full size table