A Framework for Efficient and Composable Oblivious Transfer


Peikert, C., Vaikuntanathan, V., Waters, B. (2008). A Framework for Efficient and Composable Oblivious Transfer. In: Wagner, D. (eds) Advances in Cryptology – CRYPTO 2008. CRYPTO 2008. Lecture Notes in Computer Science, vol 5157. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-540-85174-5_31


We propose a simple and general framework for constructing oblivious transfer (OT) protocols that are efficientuniversally composable, and generally realizable under any one of a variety of standard number-theoretic assumptions, including the decisional Diffie-Hellman assumption, the quadratic residuosity and decisional composite residuosity assumptions, and worst-case lattice assumptions.

Our OT protocols are round-optimal (one message each way), quite efficient in computation and communication, and can use a single common string for an unbounded number of executions between the same sender and receiver. Furthermore, the protocols can provide statistical security to either the sender or the receiver, simply by changing the distribution of the common string. For certain instantiations of the protocol, even a common uniformly random string suffices.

Our key technical contribution is a simple abstraction that we call a dual-mode cryptosystem. We implement dual-mode cryptosystems by taking a unified view of several cryptosystems that have what we call “messy” public keys, whose defining property is that a ciphertext encrypted under such a key carries no information (statistically) about the encrypted message.

As a contribution of independent interest, we also provide a multi-bit amortized version of Regev’s lattice-based cryptosystem (STOC 2005) whose time and space complexity are improved by a linear factor in the security parameter n. The resulting amortized encryption and decryption times are only 𝑂̃ (𝑛)O~(n) bit operations per message bit, and the ciphertext expansion can be made as small as a constant; the public key size and underlying lattice assumption remain essentially the same.

Keywords : Security Parameter, Oblivious Transfer, Common Reference String, Decryption Mode, Oblivious Transfer Protocol

Read more from SRI