## Extending Oblivious Transfers Efficiently

Yuval Ishai, Joe Kilian, Kobbi Nissim, Erez Petrank
CRYPTO 2003 [pdf] [bibtex]

Introduces the concept of OT extension. It is well known that oblivious transfer (OT) cannot be based on symmetric-key primitives alone (in a black-box way). Hence OT protocols necessarily rely on expensive public-key operations. OT extension is a method for obtaining a large number of effective OTs using only a small number of "base" OTs (depending only on the security parameter) plus symmetric-key operations, minimizing the cost of OT in an amortized sense.

The protocol achieves {$n$} instances of 1-out-of-2, {$\ell$}-bit string OT, using only {$k$} instances of 1-out-of-2, {$n$}-bit string OT, where {$k$} is the security parameter. Note that it is trivial to extend the bit length of an OT by transfering (via a base OT) a length-{$k$} seed to a PRG and masking a longer message with the PRG output (this variant of OT extension is due to Beaver). Hence, the important parameter is that a small, fixed number {$k$} of OTs is extended to an arbitrarily larger number {$n$} of OTs.

1. The receiver chooses a random {$n \times k$} matrix {$T$} of bits and a string {$r \in \{0,1\}^n$} denoting his choice bits in the {$n$} logical OTs. The sender chooses random string {$s \in \{0,1\}^k$}.
2. Let {$T_{*,j}$} denote the {$j$}th column of {$T$} (an {$n$}-bit string). The parties use the base OTs (in the opposite direction!), with the receiver providing messages {$T_{*,j}$} and {$T_{*,j} \oplus r$}, and the sender providing choice bit {$s_j$}.
3. Let {$Q$} denote the matrix that the sender receives from these base OTs (received column-wise). Let {$Q_{i,*}$} denote the {$i$}th row of {$Q$}. The important part of the protocol is that {$Q_{i,*}$} is either {$T_{i,*}$} or {$T_{i,*} \oplus s$}, depending on the receiver's choice bit {$r_i$}.
4. To execute the {$i$}th logical OT, the sender encrypts the two messages {$m_0, m_1$} under one-time pads with keys {$H(i \| Q_{i,*})$} and {$H(i \| Q_{i,*} \oplus s)$}, respectively, where {$H$} is a random oracle. Exactly one of these masks is {$H(i\|T_{i,*})$}, according to the receiver's choice bit, so the receiver can unmask his desired message. The other mask is {$H(i\| T_{i,*} \oplus s)$}, where {$s$} is unknown to the receiver.

Note that, besides the base OTs, the only other operations are calls to the random oracle {$H$}. The protocol is secure against semi-honest adversaries. A cut-and-choose technique can be used to provide security in the malicious setting.

For simplicity, the hash function {$H$} is assumed to be a random oracle. More concretely, the protocol requires that the joint distribution of

{$t_1,t_2,...,t_n$} and {$H(1\|t_1\oplus s),H(2\|t_2\oplus s),...,H(n\|t_n\oplus s)$}

be psuedorandom where {$s$} is unknown. This security property is called correlation-robustness.