Improved OT Extension for Transferring Short Secrets

Vladimir Kolesnikov, Ranjit Kumaresan
CRYPTO 2013 [pdf] [bibtex]


This summary expects the reader to have a basic understanding of the IKNP03 protocol.


KK describe an generalization and optimization to IKNP03 protocol for {$OT$} extension in the semi-honest setting. The protocol provides a {$O(\log k)$} performance improvement over the IKNP 1-out-of-2 {$OT$} protocol and generalizes it to a 1-out-of-{$n$} {$OT$} with the same asymptotic improvement over the state of the art 1-out-of-{$n$} {$OT$}. The protocol is also applicable in the multi-party setting unlike the original IKNP version. In concrete terms, this yields a 2-3 factor performance improvement for the 1-out-of-2 {$OT$} protocol.

The main observation made by KK is that in the IKNP protocol, the {$Receiver$}'s selection vector {$r$} is reused on each of the {$k$} initial {$OT$}s. This can be seen below on the left.

On each one of the (red/green) Column pairs, a 1-out-of-2 {$OT$} is performed in the IKNP protocol. If you take the transpose of these columns, each red row encoding is {$t_j\oplus \{1\}^k$} or {$t_j\oplus \{0\}^k$} based upon the bit {$r_j$}. Inspired by the observation that these repetitious codes ({$\{1\}^k$} and {$\{0\}^k$}) dictate the receivers selection, what if the codes were vectors of {$\{0,1\}^k$}. Would this enable to protocol to generalize to a 1-out-of-{$n$} {$OT$}?

To accommodate a 1-out-of-{$n$} {$OT$} protocol, the IKNP {$Receiver$} selection vector {$r\in \{0,1\}^m$} will need to be expanded to {$r\in \{0,1,...,n-1\}^m$} to denote the {$Receiver$}'s 1-out-of-{$n$} selection on all {$m$} {$OT$}s.

To securely achieve this result, the new {$\{0,1\}^k$} vector codes will need to have a relative distance of {$\frac{1}{2}$} between each other. That is, each code must be different enough from the others to maintain the security. The Walsh-Hadamard codes have this exact property. We will denote the Walsh-Hadamard encoding of {$r_j$} as {$c(r_j)$}.

1-out-of-n Protocol

Let the {$Receiver$} generate {$T_0$} as a {$m \times k$} random bit matrix, shown below as the green vectors. Let {$T_1$} be the matrix whose {$j^{th}$} row is the {$j^{th}$} row of {$T_0$} XOR {$c(r_j)$}, as seen below by the red vectors. Note: {$k$} is the security parameter.

where {$t_{j,0}$} is the {$j^{th}$} row of {$T_0$}, and {$t_x^i$} is the {$i^{th}$} column of {$T_x$}

The protocol now performs {$k$} 1-out-of-2 {$OT$}s on the {$k$} columns of the two matrices {$T_0$} and {$T_1$}, where the {$Receiver$} acts as the sender. Note: these {$OT$}s are the same as the IKNP protocol except that the rows of {$T_1$} are {$t_{j,0}$}{$\oplus c(r_j)$} instead of {$t_{j,0}$}{$\oplus \{r_j\}^k$}.

As before in IKNP, the {$Sender$} will randomly select between these two (red/green) columns for each of the {$k$} pairs. Let {$s\in \{0,1\}^k$} be the vector denoting this random selection and let {$Q$} be the matrix denoting the collection of these {$k$} {$OT$}s when they are stored column wise. That is {$q^i=t^i_{s_i}$}

As shown in blue, each row of {$Q$} (denoted as {$q_i$}) will be the corresponding row in {$T_0$} XORed with the Walsh-Hadamard code for {$r_i$} bitwise ANDed with {$s$}. The main take away here is that each row of {$Q$} has 1-out-of-{$n$} possible values if you fix {$T_0$} and {$s$}. In particular, this 1-out-of-{$n$} decision is made by the {$Receiver$} and is unknown to the {$Sender$}.

The initialization phase has now completed and the real 1-out-of-{$n$} {$OT$}s can now be performed.

The {$Sender$} will send the {$Receiver$} an one time pad encryption of each of the {$n$} messages for each of the 1-out-of-{$n$} {$OT$}s. The {$i^{th}$} messages in this {$OT$} will be encrypted with the hash, {$H(j,q_j\oplus ( c(i)\odot s ))$} as a one time pad mask. Based upon the {$receiver$}'s choice of {$r_j$}, exactly one of these messages will be equivalent to {$H(j,$}{$t_{j,0}$}{$)$}. That is {$q_j\equiv $}{$t_{j,0}$}{$\oplus (c(r_j)\odot s)$} will cancel with {$( c(i)\odot s )$} leaving {$t_{j,0}$} when {$i=r_j$}.

Put algorithmically,
For each {$j$} in the {$m$} {$OT$}s:

For each {$i$} in the {$n$} messages of the {$j^{th}$} {$OT$}:
The {$Sender$} sends the {$Receiver$}: {$y_{j,i}=M_{j,i}\oplus H(j,q_j\oplus ( c(i)\odot s ))$}

Where {$M_{j,i}$} is the {$i^{th}$} message of the {$j^{th}$} {$OT$}.

The {$Receiver$} will then decrypt the {$y_{j,r_j}$} message by re-XORing {$y_{j,r_j}$} with {$H(j,$}{$t_{j,0}$}{$)$}. This results in {$M_{j,r_j}$}, which is precisely the {$Receiver$}'s desired message on the {$j^{th}$} {$OT$}. All of the other message encryptions of the {$j^{th}$} {$OT$} will remain pseudo random because the {$Receiver$} does not know the random bit vector {$s$} that the {$Sender$} picked.

In sum, {$m$} instances of a 1-out-of-{$n$} {$OT$} can be obtained by {$k$} instances of a 1-out-of-2 {$OT$} plus at most {$mn$} calls to a random oracle by both parties. Since {$k$} is the security parameter this can yeild a significant improvement when {$m$} becomes large.

1-out-of-2 Optimization

Let {$n\choose 1$}-{$OT_{l}^{m}$} denote {$m$} instances of a 1-out-of-{$n$} {$OT$} each of length {$l$}.

From an observation not shown here, {$\log n$} instances of a {$2\choose 1$}-{$OT$} can be obtained from a single instance of {$n\choose 1$}-{$OT$} of slightly longer message length. Put precisely, a {$2\choose1$}-{$OT_{l}^m$} has the same exact cost as a {$n\choose 1$}-{$OT_{l\log n}^{m/\log n}$}. This hints that the generalization KK describe can also be used to further optimize the 1-out-of-2 variant.

With the use of this observation, {$m$} instances of a 1-out-of-2 {$OT$} can be obtained with the additional asymptotic cost of {$O(mk/\log(k/l))$}, where {$k$} is the security parameter. This contrasts with the IKNP cost of {$O(m(k+l))$}. In the important case when {$l=1$}, we obtain a logarithmic improvement over IKNP.

Random Oracle

Similar to the IKNP protocol, a {$Code$}-{$Correlation$} {$Robust$} random oracle is required to ensure a semi-honest {$Receiver$} cannot learn {$s$} and therefore all of {$M$}. {$Code$}-{$Correlation$} {$Robustness$} is a property of a random oracle ensuring that no information about the input is leaked when the input are known values XORed/ANDed with an unknown value. Even if polynomial many queries with different know values are made. Specifically, the joint distribution of

{$\{t_1,t_2,...,t_n\}$} , {$\{c_1,c_2,...,c_n\}$} and {$H(t_j\oplus (c_{j'}\odot s)),H(t_l\oplus (c_{l'}\odot s)),...,H(t_n\oplus (c_{n'}\odot s)) $}

must be pseudo random, where {$s$} is unknown and {$H$} is queried a polynomial number of times with respect to the security parameter. This is a requirement because the {$Receiver$} knows all of these {$t_i$} and {$c_i$} values. i.e. {$t_{i,0}$} and {$c(r_i)$}. If the correlations between the inputs and the hash values are not pseudo random, the {$Receiver$} could learn {$s$}, and thereby all of {$M$}.


In summary, this protocol reduces {$m$} instances of a 1-out-of-{$n$} {$OT$} to a small security parameter number of 1-out-of-2 {$OT$}s. In practice {$m$} can be several orders of magnitude larger than the security parameter {$k$}. For example {$m=30000, k=256$}. This yields a significant performance increase over a na´ve implementation of {$m$} instances of a 1-out-of-{$n$} {$OT$}. At the time this paper was published, the protocol results in a logarithmic improvement over the state of the art, which translates to an approximate speed up of 5 fold.

In addition, this 1-out-of-{$n$} protocol yields a performance improvement for the 1-out-of-2 variant when they are implemented by a black box use of this 1-out-of-{$n$} protocol. Beyond these improvement, KK describe another optimization by using a pseudo random generator instead of the completely random matrix {$T_0$}.



Other links:

CRYPTO presentation video


OTExtension Todo