On the Feasibility of Extending Oblivious Transfer

Lindell, Yehuda; Zarosim, Hila

doi:10.1007/s00145-017-9269-5

On the Feasibility of Extending Oblivious Transfer

Published: 04 December 2017

Volume 31, pages 737–773, (2018)
Cite this article

Download PDF

Journal of Cryptology Aims and scope Submit manuscript

On the Feasibility of Extending Oblivious Transfer

Download PDF

Yehuda Lindell¹ &
Hila Zarosim¹

1857 Accesses
1 Citation
Explore all metrics

Abstract

Oblivious transfer is one of the most basic and important building blocks in cryptography. As such, understanding its cost is of prime importance. Beaver (in: The 28th STOC, pp 479–488, 1996) showed that it is possible to obtain $\mathsf{poly}(n)$ oblivious transfers given only n actual oblivious transfer calls and using one-way functions, where n is the security parameter. In addition, he showed that it is impossible to extend oblivious transfer information theoretically. The notion of extending oblivious transfer is important theoretically (to understand the complexity of computing this primitive) and practically (since oblivious transfers can be expensive and thus extending them using only one-way functions is very attractive). Despite its importance, very little is known about the feasibility of extending oblivious transfer, beyond the fact that it is impossible information theoretically. Specifically, it is not known whether or not one-way functions are actually necessary for extending oblivious transfer, whether or not it is possible to extend oblivious transfers with adaptive security, and whether or not it is possible to extend oblivious transfers when starting with $O(\log n)$ oblivious transfers. In this paper, we address these questions and provide almost complete answers to all of them. We show that the existence of any oblivious transfer extension protocol with security for static semi-honest adversaries implies one-way functions, that an oblivious transfer extension protocol with adaptive security implies oblivious transfer with static security, and that the existence of an oblivious transfer extension protocol from only $O(\log n)$ oblivious transfers implies oblivious transfer itself.

On the Feasibility of Extending Oblivious Transfer

More Efficient Oblivious Transfer Extensions

Article 23 September 2016

Extending Oblivious Transfer Efficiently

1 Introduction

1.1 Background: Extending Oblivious Transfer

In the one-out-of-two oblivious transfer problem [5, 16], a sender holds a pair of input bits $(b_0,b_1)$ and enables a receiver to obtain one of them at its choice. The security requirements are that the sender learns nothing about which input is obtained by the receiver, while the receiver learns only one of the sender’s bits. This must hold even if parties may be corrupted and adversarial. There are a number of different adversary models that have been considered in the literature. One distinction is between semi-honest and malicious adversaries. An adversary who is semi-honest follows the protocol specification as instructed, but tries to learn more than allowed by inspecting the transcript. In contrast, a malicious adversary may follow any arbitrary probabilistic polynomial-time strategy in its attempt to break the protocol. Another important distinction is between static and adaptive adversaries (where the adaptive corruption setting is further divided into a case where erasures may be assumed and may not be assumed). In the static adversary case, one of the parties is corrupted at the onset, before the execution begins. In the adaptive adversary case, the adversary can corrupt parties mid-execution, and based on the messages sent so far. When a party is corrupted, the adversary sees its current state. When erasures are not assumed, this means that the adversary sees everything that the honest party did until now. In contrast, in the erasures model, the honest party is assumed to have been able to erase previous state that is no longer needed.

Oblivious transfer is one of the most basic and important primitives in cryptography in general and in secure computation in particular. Oblivious transfer is used in almost all general protocols for secure computation with no honest majority (e.g., see [7, 18]) and has been shown to imply almost all basic cryptographic tasks [13]. Due to its importance, the complexity of computing oblivious transfer is of great importance. Oblivious transfer can be constructed from enhanced trapdoor permutations [5, 9] and from homomorphic encryption [1]. In addition, it is known that it is not possible to construct oblivious transfer from public-key encryption (or one-way functions and permutations) in a black-box manner [6]. Thus, oblivious transfer requires quite strong hardness assumptions (at least when considering black-box constructions, and no non-black-box constructions from weaker assumptions are known).

Due to the importance of oblivious transfer and its cost, Beaver asked whether or not it is possible to use a small number of oblivious transfers and a weaker assumption such as one-way functions in order to obtain many oblivious transfers [3]; such a construction is called an OT-extension. Beaver answered this question in the affirmative and in a beautiful construction showed how to obtain $\mathsf{poly}(n)$ oblivious transfers given ideal calls to O(n) oblivious transfers and using a pseudorandom generator and symmetric encryption, which can both be constructed from any one-way function. In addition, he showed that OT-extensions cannot be achieved information theoretically. These results of [3] are of great importance theoretically since they deepen our understanding of the complexity of oblivious transfer. In addition, OT-extensions are of interest practically, since oblivious transfer is much more expensive than symmetric primitives. Thus, OT-extensions can potentially be used to speed up protocols that rely on many oblivious transfers. Unfortunately, the construction of [3] is not practical. However, efficient OT-extensions (based on a stronger assumption than one-way functions) were presented in [11].

1.2 This Paper: A Feasibility Study of OT-Extensions

In this paper, we carry out a general feasibility study of OT-extensions. In particular, we ask what hardness assumptions are required for obtaining OT-extensions and for what parameters is it possible at all. We ask the following questions:

1.
What is the minimal assumption required for constructing OT-extensions? It has been shown that one-way functions suffice and that OT-extensions cannot be carried out information theoretically [3]. However, it is theoretically possible that OT-extensions can be achieved under a weaker assumption than that of the existence of one-way functions. Admittedly, it is hard to conceive of a cryptographic construction that is not information theoretic and does not require one-way functions. However, a proof that one-way functions really are necessary is highly desired.
2.
Can oblivious transfer be extended with adaptive security? The known constructions of OT-extensions maintain security only in the presence of static corruptions, where the set of corrupted parties is fixed before the protocol begins. This is because the messages sent by the sender in the constructions of [3, 11] are binding with respect to the sender’s input strings, and so an adaptive simulator cannot explain a transcript in multiple ways. Nothing is known about whether or not adaptively secure OT-extensions exist without assuming erasures.^{Footnote 1}
3.
How many oblivious transfers are needed for extensions? In the constructions of [3, 11], one must start with O(n) oblivious transfers where n is the security parameter. These constructions can also be made to work when a superlogarithmic number $\omega (\log n)$ of oblivious transfers are given. However, they completely break down if $O(\log n)$ oblivious transfers only are available. We ask whether or not it is possible to extend a logarithmic number of oblivious transfers.

We prove the following theorems:

Theorem 1.1

If there exists an OT-extension protocol from n to $n+1$ (with security in the presence of static semi-honest adversaries), then there exist one-way functions.

Thus, one-way functions are necessary and sufficient for OT-extensions.

Theorem 1.2

If there exists an OT-extension protocol from n to $n+1$ that is secure in the presence of adaptive semi-honest adversaries, then there exists an oblivious transfer protocol that is secure in the presence of static semi-honest adversaries.

This means that the construction of an adaptive OT-extension protocol involves constructing statically secure oblivious transfer from scratch. This can still be meaningful, since adaptive oblivious transfer cannot be constructed from static oblivious transfer in a black-box manner [15]. However, it does demonstrate that adaptive OT-extensions based on weaker assumptions than those necessary for static oblivious transfer do not exist. We also show that Theorem 1.2 holds for the weaker case where a single one-out-of-two string OT on strings of length $n+1$ is obtained from n invocations of one-out-of-two OT on single bits.

Theorem 1.3

If there exists an OT-extension protocol from $f(n)=\mathcal{O}(\log n)$ to $f(n)+1$ that is secure in the presence of static malicious adversaries, then there exists an oblivious transfer protocol that is secure in the presence of static malicious adversaries.

This demonstrates that in order to extend only a logarithmic number of oblivious transfers (with security for malicious adversaries), one has to construct an oblivious transfer protocol from scratch. Thus, meaningful OT-extensions exist only if one starts with a superlogarithmic number of oblivious transfers.

We stress that all of our results are unconditional, and are not black-box separations. Rather, we construct concrete one-way functions and OT protocols in order to prove our results.

Our results provide quite a complete picture regarding the feasibility of constructing OT-extensions. The construction of [3] is optimal in terms of the computational assumption, and the constructions of [3, 11] are optimal in terms of the number of oblivious transfers one starts with. Finally, the fact that no OT-extensions are known for the setting of adaptive corruptions is somewhat explained by Theorem 1.2.

1.3 Open Questions

Theorem 1.2 shows that there do not exist adaptively secure OT-extensions based on weaker assumptions than what is needed for statically secure OT. However, we do not know how to construct an adaptively secure OT-extension even from statically secure OT. Thus, the question of whether or not it is possible to construct an adaptively secure OT-extension from an assumption weaker than adaptive OT is still open.

Theorem 1.3 holds only with respect to OT-extensions that are secure against malicious adversaries. For the case of semi-honest adversaries, the question of whether one can construct an OT-extension from $f(n)=\mathcal{O}(\log n)$ to $f(n)+1$ from an assumption weaker than statically secure OT protocol is open.

We have shown that Theorem 1.2 holds also with respect to constructing string OT from multiple invocations of bit OT (with strings longer than the number of bit OT invocations). However, the status of this remains open with respect to Theorems 1.1 and 1.3.

All of our results consider OT that is secure under simulation-based definitions, according to the real/ideal paradigm [4, 9]. It would be very interesting to see whether there is any difference for weaker definitions of security that guarantee only indistinguishability.

In this paper, we have investigated OT-extensions. However, the basic question of extending a cryptographic primitive using a weaker assumption than that needed for obtaining the primitive from scratch is of interest in other contexts as well. For example, hybrid encryption (where one encrypts a symmetric key using an asymmetric scheme and then encrypts the message using a symmetric scheme) is actually an extension of public-key encryption that requires one-way functions only. A primitive that could certainly benefit from a study such as this one is key agreement. In this context, the question is whether it is possible for two parties to agree on an $m+1$-bit-long key, given an m-bit key, under assumptions that are weaker than those required for constructing a secure key agreement from scratch. In the basic case, it is clear that OWFs are necessary and sufficient for any non-trivial KA extension that starts with n bits (where n is the security parameter). A more interesting question regarding this problem relates to the adaptive setting. Specifically, since adaptive key agreement is very expensive, it would be very beneficial if one could extend this primitive more efficiently and/or under weaker assumptions.

2 Preliminaries

2.1 Definitions and Notations

We denote the security parameter by n, and we denote by $U_n$ a random variable uniformly distributed over $\{0,1\}^n$. We say that a function $\mu :{\mathbb N}\rightarrow {\mathbb N}$ is negligible if for every positive polynomial $p(\cdot )$ and all sufficiently large n it holds that $\mu (n)<\frac{1}{p(n)}$. We use the abbreviation PPT to denote probabilistic polynomial time. We denote the bits of a string $x\in \{0,1\}^n$ by $x_1,\ldots ,x_n$; for a subscripted string $x_b$, we denote the bits by $x_b^1,\ldots ,x_b^n$. In addition, for strings $x_0,x_1,\sigma \in \{0,1\}^n$ we denote by $x_\sigma $ the string $x_{\sigma _1}^1,\ldots ,x_{\sigma _n}^n$.

Definition 2.1

Let $X=\{X(a,n)\}_{a\in \{0,1\}^*,n\in {\mathbb N}}$ and $Y=\{Y(a,n)\}_{a\in \{0,1\}^*,n\in {\mathbb N}}$ be two distribution ensembles. We say that X and Y are computationally indistinguishable, denoted $X{\mathop {\equiv }\limits ^\mathrm{c}}Y$, if for every PPT machine D, every $a\in \{0,1\}^*$, every positive polynomial $p(\cdot )$ and all sufficiently large n:

$$\begin{aligned} \left| \phantom {2^{2^2}}\mathrm{Pr}\left[ D(X(a,n),a,1^n)=1\right] -\mathrm{Pr}\left[ D(Y(a,n),a,1^n)=1\right] \right| <\frac{1}{p(n)}. \end{aligned}$$

We say that X and Y are statistically close, denoted $X{\mathop {\equiv }\limits ^\mathrm{s}}Y$, if for every $a\in \{0,1\}^*$, every positive polynomial $p(\cdot )$ and all sufficiently large n:

$$\begin{aligned} SD(X,Y){\mathop {=}\limits ^\mathrm{def}}\frac{1}{2}\cdot \sum _\alpha \left| \phantom {2^{2^2}}\mathrm{Pr}[X(a,n)=\alpha ]-\mathrm{Pr}[Y(a,n)=\alpha ]\right| < \frac{1}{p(n)}. \end{aligned}$$

2.1.1 Interactive Protocols

Let $\pi =\langle A,B\rangle $ be an interactive protocol for computing a functionality f. We denote $f=(f_A,f_B)$, where $f_A$ is the first output of f (for party A) and $f_B$ is the second output of f (for party B). For inputs $x_A$ and $x_B$ of A and B (respectively) and random tapes $r_A$ and $r_B$, we denote by $\textsf {trans}^{\pi }(x_A,x_B;r_A,r_B)$ the transcript obtained by running $\pi $ on inputs $x_A$ and $x_B$ and random tapes $r_A$ and $r_B$, and by $\textsc {Trans}^{\pi }(x_A,x_B)$ the random variable describing $\textsf {trans}^{\pi }(x_A,x_B;r_A,r_B)$ where $r_A$ and $r_B$ are uniformly chosen.

The random variable $\textsc {View}^{\pi }_{A}(x_A,x_B)$ denotes the view of the party A in an execution of $\pi $ with inputs $x_A$ for A and $x_B$ for B, where the random tapes of the parties are uniformly chosen. A view of a party contains its input, randomness and the messages it has received during the execution.

The random variable $\textsc {Output}^{\pi }_{A}(x_A,x_B)$ denotes the output of the party A in an execution of $\pi $ with inputs $x_A$ for A and $x_B$ for B, where the random tapes of the parties are uniformly chosen.

Definition 2.2

Let $f(\cdot ,\cdot )$ be a deterministic binary functionality, let $\pi =\langle A,B\rangle $ be an interactive protocol and let n be the security parameter. We say that $\pi $ computes the functionality f if there exists a negligible function $\mathsf{negl}(\cdot )$ such that for all n, $x_A$ and $x_B$:

$$\begin{aligned} \mathrm{Pr}\left[ \langle A(1^n,x_A),B(1^n,x_B)\rangle =(f_A(x_A,x_B),f_B(x_A,x_B))\right] \ge 1-\mathsf{negl}(n). \end{aligned}$$

Definition 2.3

Let $\pi =\langle A,B\rangle $ be a protocol that computes a deterministic functionality $f=(f_A,f_B)$. We say that $\pi $ securely computes f in the presence of static semi-honest adversaries if there exist two probabilistic polynomial-time algorithms $\mathcal{S}_{A}$ and $\mathcal{S}_{B}$ such that:

$$\begin{aligned} \left\{ \phantom {2^{2^2}}\mathcal{S}_A(1^n,x_A,f_A(x_A,x_B))\right\} _ {x_A,x_B\in \{0,1\}^*,n\in {\mathbb N}}{\mathop {\equiv }\limits ^\mathrm{c}}\left\{ \phantom {2^{2^2}}\textsc {View}_A^{\pi }(1^n,x_A,x_B)\right\} _{x_A,x_B\in \{0,1\}^*,n\in {\mathbb N}} \end{aligned}$$

and

$$\begin{aligned} \left\{ \phantom {2^{2^2}}\mathcal{S}_B(1^n,x_B,f_B(x_A,x_B))\right\} _ {x_A,x_B\in \{0,1\}^*,n\in {\mathbb N}}{\mathop {\equiv }\limits ^\mathrm{c}}\left\{ \phantom {2^{2^2}}\textsc {View}_B^{\pi }(1^n,x_A,x_B)\right\} _{x_A,x_B\in \{0,1\}^*,n\in {\mathbb N}}. \end{aligned}$$

2.1.2 Security in the Presence of Malicious Adversaries

To define security in the presence of malicious adversaries, we use the ideal/real framework as defined by Canetti in [4]. Loosely speaking, in this approach we formalize the real-life computation as a setting where the parties, given their private inputs, interact according to the protocol in the presence of a real-life adversary that controls a set of corrupted parties. The real-life adversary can be either static (where the set of corrupted parties is fixed before the protocol begins) or adaptive (where the adversary can choose to corrupt parties during the protocol execution based on what it sees). At the end of the computation, the honest parties output what is specified by the protocol and the adversary outputs some arbitrary function of its view. If the adversary is adaptive, there is an additional entity $\mathcal{Z}$, called the environment, who sees the output of all of the parties. In addition, there is a “post-execution phase,” where $\mathcal{Z}$ can instruct the adversary to also corrupt parties after the execution of the protocol ends (and the transcript is fixed, implying that “rewinding” is no longer allowed). At the end of the post-execution phase, $\mathcal{Z}$ outputs some function of its view.

Next we consider an ideal process, where an ideal-world adversary controls a set of corrupted parties. Then, in the computation phase, all parties send their inputs to some incorruptible trusted party. The ideal-world adversary sends inputs on behalf of the corrupted parties. The trusted party evaluates the function and hands each party its output. The honest parties then output whatever they received from the trusted party and the ideal-world adversary outputs some arbitrary value. Similarly to the real-life setting, in the case of adaptive security, there is an environment $\mathcal{Z}$ who sees all outputs and can instruct the adversary to also corrupt parties in the post-execution phase. At the end of the post-execution phase, $\mathcal{Z}$ outputs some function of its view.

Loosely speaking, a protocol $\pi $ is secure in the presence of static malicious adversaries, if for every static malicious real-life adversary $\mathcal{A}$, there exists a static malicious ideal-world adversary $\mathcal{SIM}$ such that the distribution obtained in a real-life execution of $\pi $ with adversary $\mathcal{A}$ is indistinguishable from the distribution obtained in a ideal world with adversary $\mathcal{SIM}$. Likewise, a protocol $\pi $ is secure in the presence of adaptive malicious adversaries, if for every adaptive malicious real-life adversary $\mathcal{A}$ and environment $\mathcal{Z}$, there exists an adaptive malicious ideal-world adversary $\mathcal{SIM}$ such that the output of $\mathcal{Z}$ in a real-life execution of $\pi $ with adversary $\mathcal{A}$ is indistinguishable from its output in a ideal world with adversary $\mathcal{SIM}$.

Security in the presence of adaptive semi-honest adversaries is defined in the same way as adaptive malicious adversaries, except that the adversary only sees the internal state of a corrupted party but cannot instruct it to deviate from the protocol specification. For full definitions, see [4].

2.1.3 The Hybrid Model

Let $\phi $ be a functionality. The $\phi $-hybrid model is defined as follows. The real-life model for protocol $\pi $ is augmented with an incorruptible trusted party T for evaluating the functionality $\phi $, and the parties are allowed to make calls to the ideal functionality $\phi $ by sending their $\phi $-inputs to T. If we consider malicious adversaries, the adversary specifies the inputs of all parties under its control. If the adversary is semi-honest, then even the corrupted parties hand T inputs as specified by the protocol $\pi $. At each invocation of $\phi $, the trusted party T sends the parties their respective outputs.

If $\pi $ is in the $\phi $-hybrid model, then a view of a party A contains also the inputs sent by A to the functionality $\phi $ and the outputs sent to A by T computing $\phi $.

2.1.4 Oblivious Transfer and Extensions

We are now ready to define oblivious transfer and OT-extensions.

Definition 2.4

The bit oblivious transfer functionality OT is defined by${OT}((b_0,b_1),\sigma )=(\lambda ,b_{\sigma })$, for $b_0,b_1,\sigma \in \{0,1\}$, where $\lambda $ denotes the empty string. The m -string oblivious transfer functionality OT is defined by ${OT}((x_0,x_1),\sigma )=(\lambda ,x_{\sigma })$, for strings $x_0,x_1\in \{0,1\}^m$ and $\sigma \in \{0,1\}$. The parallel oblivious transfer functionality $m\times OT$ is defined by $m\times {OT}((x_0,x_1),\sigma )=(\lambda ,(x^1_{\sigma _1},\ldots ,x^m_{\sigma _m}))=(\lambda ,x_\sigma )$ for strings $x_0,x_1,\sigma \in \{0,1\}^m$, where $x_\sigma $ denotes the string $x_{\sigma _1}^1,\ldots ,x_{\sigma _n}^n$.

We denote by $OT^k$ the ideal functionality of k independent OT computations. We stress that $OT^k$ is not the same as $k\times OT$, since in the latter all of the inputs are given at once, whereas in $OT^k$ the inputs can be chosen over time. (In particular, the receiver can choose its inputs as a function of the previous outputs it received.)

Using this notation, we have that an OT-extension protocol is a protocol that securely computes $m\times OT$ given access to $OT^k$, where $k<m$. Formally:

Definition 2.5

(OT-extension) Let $\pi $ be a protocol and let $k,m:{\mathbb N}\rightarrow {\mathbb N}$ be two functions where $k(n)<m(n)$ for all n. We say that $\pi $ is an OT-extension from $k=k(n)$ to $m=m(n)$ if $\pi $ securely computes the $m\times OT$ functionality in the $OT^k$-hybrid model.

2.2 OT Precomputation and Extending Extensions

In this section, we present a proposition that we will use throughout the paper. The proposition states that OT that an OT-extension protocol that extends by a single execution only can be used to obtain an OT-extension protocol that extends by any polynomial factor. The proof of this proposition relies on a result by Beaver, showing that OT can be precomputed [2]. That is, it is possible to first compute OT on random inputs and then use the result to later compute an OT on any input. The fact that a single extension implies many has been stated previously in the literature (e.g., [3]) and is accepted folklore, but to the best of our knowledge has not been formally proved. We therefore prove this here. We stress that this holds irrespectively of how many oblivious transfers one starts with (even if only a constant number), as long as only a polynomial number of transfers are derived.

Proposition 2.6

Let $f:{\mathbb N}\rightarrow {\mathbb N}$ be any polynomially bounded function, and let n be the security parameter. If there exists a protocol $\pi $ that is an OT-extension from f(n) to $f(n)+1$ that is secure in the presence of adaptive (resp. static) malicious (resp. semi-honest) adversaries, then for every polynomial $p(\cdot )$ there exists an OT-extension protocol from f(n) to p(n) that is secure in the presence of adaptive (resp. static) malicious (resp. semi-honest) adversaries.

Proof

We prove security for the case of static malicious adversaries. The other cases are similar.

First, we define the random OT functionality $ROT_{f(n)}$, as follows:

1.
Input: $ROT_{f(n)}$ receives $1^n$ from both parties S and R. A corrupted sender may provide $r_1^0,r_1^1,\ldots ,r_{f(n)}^0,r_{f(n)}^1$, and a corrupted receiver may provide $b_1,\ldots ,b_{f(n)}$.
2.
Output: $ROT_{f(n)}$ chooses random bits $r_1^0,r_1^1,\ldots ,r_{f(n)}^0,r_{f(n)}^1,b_1,\ldots ,b_{f(n)}$ for any party who sent $1^n$. Then, $ROT_{f(n)}$ sends $\left\{ (r_i^0,r_i^1)\right\} _{i=1}^{f(n)}$ to S, and sends $\left\{ (b_i,r_i^{b_i})\right\} _{i=1}^{f(n)}$ to R.

(Note that the functionality does not require that there be random inputs from an adversarial party, but it does guarantee this for honest parties.)

We begin by showing that if there exists a protocol $\pi $ that is an OT-extension from f(n) to $f(n)+1$ (i.e., $\pi $ securely computes $(f(n)+1)\times OT$ in the $OT^{f(n)}$-hybrid model), then there exists a protocol that securely computes $(f(n)+1)\times OT$ in the $ROT_{f(n)}$-hybrid model. Furthermore, this protocol can be broken into two sequential parts, where the first just involves a call to $ROT_{f(n)}$, and the second just uses the output of $ROT_{f(n)}$.

Claim 2.7

If there exists a protocol $\pi $ that securely computes $(f(n)+1)\times OT$ in the $OT^{f(n)}$-hybrid model, then there exists a protocol $\pi '$ that securely computes $(f(n)+1)\times OT$ in the $ROT_{f(n)}$-hybrid model. Furthermore, $\pi '$ can be divided into $\pi _1',\pi _2'$, where $\pi _1'$ calls $ROT_{f(n)}$ and $\pi _2'$ just uses the output of $ROT_{f(n)}$.

Proof

The proof of this uses the construction of [2] for precomputing OT. For the sake of completeness, we will provide a full proof. Let $\pi $ be an OT-extension from f(n) to $f(n)+1$. We define a protocol $\pi '$ that securely computes $(f(n)+1)\times OT$ in the $ROT_{f(n)}$-hybrid model as follows:

1.
Parties S and R both send $1^n$ to $ROT_{f(n)}$ and receive back their respective outputs $\left\{ (r_i^0,r_i^1)\right\} _{i=1}^{f(n)}$ and $\left\{ (b_i,r_i^{b_i})\right\} _{i=1}^{f(n)}$.
2.
Parties S and R begin an execution of the OT-extension $\pi $ that is secure in the $OT^{f(n)}$-hybrid model.
3.
Upon the ith call of $\pi $ to $OT^{f(n)}$ (for $1\le i\le f(n)$), the parties work as follows:
1. (a)
  Let $\tau \in \{0,1\}$ be the input that R is supposed to send to $OT^{f(n)}$ in this call. Then, R sends $\delta =\tau \oplus b_i$ to S.
2. (b)
  Let $(u_0,u_1)\in \{0,1\}^{2}$ be the input that S is supposed to send to $OT^{f(n)}$ in this call. Then, S sends $v_0=u_0 \oplus r_i^\delta $ and $v_1=u_1 \oplus r_i^{1-\delta }$ to R.
3. (c)
  R computes $u_\tau = v_\tau \oplus r_i^{b_i}$ and takes this as the output of the call to $OT^{f(n)}$.
4.
At the conclusion of $\pi $, the receiver R outputs whatever instructed to as in $\pi $.

Before proving security of $\pi '$, we motivate the proof by showing that R receives the correct output from the simulated calls to $OT^{f(n)}$. Observe that $v_\tau = v_{\delta \oplus b_i}$. Now, if $\tau =0$, then $\delta =b_i$ and so $v_0 = u_0 \oplus r_i^\delta = u_0 \oplus r_i^{b_i}$. Thus, R will receive the correct value $u_0$. In contrast, if $\tau =1$, then $\delta = 1-b_i$ and so $v_1 = u_1 \oplus r_i^{1-\delta } = u_1 \oplus r_i^{b_i}$. Thus, R will receive the correct value $u_1$.

We now formally prove security. Formally, we prove that for every adversary $\mathcal{A}'$ for $\pi '$, there exists an adversary $\mathcal{A}$ for $\pi $, such that the distribution over the outputs of $\mathcal{A}$ and the honest party in $\pi $ is identical to the distribution over the outputs of $\mathcal{A}'$ and the honest party in $\pi '$. (Note that both $\pi $ is run in the $OT^{f(n)}$-hybrid model, whereas $\pi '$ is run in the real model).

Consider first the case that the sender S is corrupted. Then, $\mathcal{A}$ invokes $\mathcal{A}'$ upon its input $\left\{ (x_i^0,x_i^1)\right\} _{i=1}^{f(n)}$. If $\mathcal{A}$ receives $1^n$ from $\mathcal{A}'$ intended for $ROT_{f(n)}$, then $\mathcal{A}'$ chooses random $r_1^0,r_1^1,\ldots ,r_{f(n)}^0,r_{f(n)}^1$ and hands them to $\mathcal{A}$. Otherwise, it uses the $r_1^0,r_1^1,\ldots ,r_{f(n)}^0,r_{f(n)}^1$ sent by $\mathcal{A}'$. When $\pi '$ reaches the ith call to $OT^{f(n)}$, then $\mathcal{A}$ sends $\mathcal{A}'$ a random bit $\delta $. Upon receiving back $(v_0,v_1)$ that $\mathcal{A}'$ sends R as part of $\pi '$, adversary $\mathcal{A}$ computes $u_0=v_0 \oplus r_i^\delta $ and $u_1=v_1 \oplus r_i^{1-\delta }$, where the $r_i^0,r_i^1$ values are as chosen previously. Then, $\mathcal{A}$ sends $(u_0,u_1)$ to $OT^{f(n)}$. All other messages sent by $\mathcal{A}$ to R and vice versa are forwarded unchanged by $\mathcal{A}'$. At the end, $\mathcal{A}$ outputs whatever $\mathcal{A}'$ outputs. The simulation by $\mathcal{A}$ is perfect; the view of $\mathcal{A}'$ is identical in both cases, and the effective inputs $(u_0,u_1)$ defined by $\mathcal{A}'$’s messages and those sent by $\mathcal{A}$ to $OT^{f(n)}$ are identical. Thus, the output is identical. The simulation in the case that R is corrupted is almost identical and thus omitted.

The division of $\pi '$ into $\pi _1'$ and $\pi _2'$ is immediate from its description. $\square $

We now use Claim 2.7 to prove the proposition. Assume that $\pi $ is an OT-extension from f(n) to $f(n)+1$, and let p(n) be an arbitrary polynomial. Denote the inputs of the parties by $\{(x_i^0,x_i^1)\}_{i=1}^{p(n)}$ for the sender, and $\sigma _1,\ldots ,\sigma _{p(n)}$ for the receiver. Then, we construct a protocol $\tilde{\pi }$ that is an OT-extension from f(n) to p(n) as follows:

1.
The parties use $OT^{f(n)}$ on random inputs in order to compute $ROT_{f(n)}$. Denote the parties’ respective outputs by $\left\{ (r_i^0,r_i^1)\right\} _{i=1}^{f(n)}$ and $\left\{ (b_i,r_i^{b_i})\right\} _{i=1}^{f(n)}$.
2.
For $i=1,\ldots ,p(n)$:
1. (a)
  The parties run $\pi '$ with inputs determined as follows. S’s first input pair is $(x_i^0,x_i^1)$ and the remaining f(n) inputs are randomly chosen. R’s first input bit is $\sigma _i$ and the remaining f(n) are randomly chosen. They then proceed:
2. (b)
  The parties emulate $\pi _1'$ by setting the ROT outputs to be the stored values $\left\{ (r_i^0,r_i^1)\right\} _{i=1}^{f(n)}$ and $\left\{ (b_i,r_i^{b_i})\right\} _{i=1}^{f(n)}$.
3. (c)
  The parties run $\pi _2'$.
4. (d)
  S rewrites the stored values $\left\{ (r_i^0,r_i^1)\right\} _{i=1}^{f(n)}$ to be the random inputs it used as input in this iteration to $\pi '$ (i.e., the last f(n) inputs pairs).
5. (e)
  R stores the first output bit $x_i^{\sigma _i}$ later for output, and rewrites the stored values $\left\{ (b_i,r_i^{b_i})\right\} _{i=1}^{f(n)}$ to be its input and output for the last f(n) input pairs in this iteration.
3.
R outputs $x_1^{\sigma _1},\ldots ,x_{p(n)}^{\sigma _{p(n)}}$.

We now prove that $\tilde{\pi }$ is an OT-extension from f(n) to p(n); i.e., that $\tilde{\pi }$ securely computes $p(n)\times OT$ in the $OT^{f(n)}$-hybrid model. We prove this by reducing its security to $\pi '$, as proved in Claim 2.7. Let $\mathcal{SIM}$ be a simulator that invokes the adversary, and runs the simulator $\mathcal{S}_{\pi '}$ in every iteration (on the residual adversary up to that point) that is guaranteed to exist by Claim 2.7. Let $H_i$ be a hybrid protocol where the first i bits of the output are generated by the parties making sequential calls to $OT^{i}$, and the last $p(n)-i$ bits of the output are generated by the parties running the last $p(n)-i$ iterations in $\tilde{\pi }$ (and $ROT_{f(n)}$ is called before the first iteration). It is clear that $H_{p(n)}$ is equivalent to the ideal functionality $OT^{p(n)}$, and $H_0$ is exactly $\tilde{\pi }$. (The only difference between $H_0$ and $\tilde{\pi }$ is that in $H_0$ the parties call $ROT^{f(n)}$, whereas in $\tilde{\pi }$ they call $OT^{f(n)}$ with random inputs. These are the same, since the inputs chosen by the corrupted party in $OT^{f(n)}$ can be used also in $ROT^{f(n)}$.) By a standard hybrid argument, if there exist non-uniform probabilistic polynomial-time machines $\mathcal{A}$ and $\mathcal{D}$, and inputs $\{(x_i^0,x_i^1,\sigma _i)\}_{i=1}^{p(n)}$, such that D distinguishes between the outputs of a real execution of $\tilde{\pi }$ and an ideal execution with $\mathcal{SIM}$ and $p(n)\times OT$ on these inputs, then there exists an $0\le i < p(n)$ such that $\mathcal{A}$ and D distinguish between $H_i$ and $H_{i+1}$ upon inputs $(x_i^0,x_i^1,\sigma _i)$. We now show that $\mathcal{A}$ and D can be used to distinguish between a single execution of $\pi '$ and $(f(n)+1)\times OT$, in contradiction to Claim 2.7. Let $\mathcal{A}'$ be an adversary who chooses a random $i\in \{0,\ldots ,p(n)-1\}$. Then, $\mathcal{A}'$ emulates the first $i-1$ transfers with $\mathcal{A}$ using the inputs it has and $OT^i$. ($\mathcal{A}'$ knows both parties inputs and so can carry out this emulation.) Next, $\mathcal{A}'$ externally runs the ith execution by running $\pi '$ itself together with the honest party and using the corrupted party’s ith input. Finally, the remaining $p(n)-i-1$ executions are emulated using the instructions of $\tilde{\pi }$ for these iterations. Finally, $\mathcal{A}'$ outputs $\mathcal{A}$ output, and the honest party’s output in all of the $p(n)-1$ executions apart from the ith execution. We also construct $D'$ that just runs D on the input it receives (rearranging it first so that the honest party’s in the ith execution is placed in the appropriate position). Observe that when $\mathcal{A}'$ runs $\pi '$ externally with an honest party, then the output distribution is exactly $H_{i+1}$ (these are exactly the same since $H_{i+1}$ also begins with $ROT_{f(n)}$ and proceeds with $\pi _2'$). Furthermore, when $\mathcal{A}'$ interacts with $\mathcal{S}_{\pi '}$ then the output distribution is exactly $H_i$. By the contradicting assumption, $D'$ distinguishes $H_i$ from $H_{i+1}$, in contradiction to the security of $\pi '$ as in Claim 2.7.$\square $

2.3 A Lemma on Statistical Distance

Lemma 2.8

Let $D_1$ and $D_2$ be two distributions over a set U and let E be an event such that $\Pr _{D_1}[E]=\Pr _{D_2}[E].$ Then, it holds that

$$\begin{aligned} SD(D_1,D_2)\le SD(D_1\mid E,D_2\mid E)+\mathrm{Pr}_{D_1}[\lnot E] \end{aligned}$$

Proof

$$\begin{aligned} SD(D_1,D_2)= & {} \frac{1}{2}\sum _{x\in U}\left| \phantom {2^{2^2}}\mathrm{Pr}_{D_1}[x]-\mathrm{Pr}_{D_2}[x]\right| \\= & {} \frac{1}{2}\sum _{x\in U}\left| \phantom {2^{2^2}}\mathrm{Pr}_{D_1} [x\mid E]\cdot \mathrm{Pr}_{D_1}[E]+\mathrm{Pr}_{D_1}[x\mid \lnot E]\cdot \mathrm{Pr}_{D_1}[\lnot E]\right. \\&\quad \left. - ~ \mathrm{Pr}_{D_2}[x\mid E]\cdot \mathrm{Pr}_{D_2}[E] -\mathrm{Pr}_{D_2}[x\mid \lnot E]\cdot \mathrm{Pr}_{D_2}[\lnot E]\phantom {2^{2^2}}\right| \\= & {} \frac{1}{2}\sum _{x\in U}\left| \phantom {2^{2^2}}\mathrm{Pr}_{D_1}[x\mid E]\cdot \mathrm{Pr}_{D_1}[E] -\mathrm{Pr}_{D_2}[x\mid E]\cdot \mathrm{Pr}_{D_2}[E]\right. \\&\quad \left. + ~ \mathrm{Pr}_{D_1}[x\mid \lnot E]\cdot \mathrm{Pr}_{D_1}[\lnot E] -\mathrm{Pr}_{D_2}[x\mid \lnot E]\cdot \mathrm{Pr}_{D_2}[\lnot E]\phantom {2^{2^2}}\right| \\\le & {} \frac{1}{2}\sum _{x\in U}\left| \phantom {2^{2^2}}\mathrm{Pr}_{D_1}[x\mid E]\cdot \mathrm{Pr}_{D_1}[E] -\mathrm{Pr}_{D_2}[x\mid E]\cdot \mathrm{Pr}_{D_1}[E]\right| \\&\quad + ~ \frac{1}{2}\sum _{x\in U}\left| \mathrm{Pr}_{D_1}[x\mid \lnot E] \cdot \mathrm{Pr}_{D_1}[\lnot E] -\mathrm{Pr}_{D_2}[x\mid \lnot E]\cdot \mathrm{Pr}_{D_1}[\lnot E]\phantom {2^{2^2}}\right| \\= & {} \mathrm{Pr}_{D_1}[E]\cdot SD(D_1\mid E,D_2\mid E)+\mathrm{Pr}_{D_1}[\lnot E] \cdot SD(D_1\mid \lnot E,D_2\mid \lnot E)\\\le & {} SD(D_1\mid E,D_2\mid E)+\mathrm{Pr}_{D_1}[\lnot E] \end{aligned}$$

$\square $

3 OT-Extensions Imply One-Way Functions

In this section, we show that the existence of an OT-extension protocol implies the existence of one-way functions. We prove the theorem for any OT-extension that is secure in the presence of static semi-honest adversaries. (Thus, the theorem also holds when the OT-extension is secure in the presence of adaptive and/or malicious adversaries.)

Theorem 3.1

If there exists a protocol that is an OT-extension from n to $n+1$ (where n is the security parameter) that is secure for static semi-honest adversaries, then there exist one-way functions.

Proof

By Proposition 2.6, if there exists an OT-extension protocol from n to $n+1$ then there exists an OT-extension protocol from n to $2n+1$. We therefore prove the theorem by showing that the existence of a protocol $\pi $ that is an OT-extension from n to $2n+1$ implies the existence of two polynomial-time constructible probability ensembles that are computationally indistinguishable and yet their statistical distance is noticeable. The fact that this implies one-way functions was shown in the following theorem from [8]:

Theorem 3.2

(From [8]) The following two conditions are equivalent:

1.
There exists a pseudorandom generator,
2.
There exists a pair of polynomial-time constructible ensembles which are statistically different, yet polynomially indistinguishable.

We begin by defining the probability ensembles and then provide intuition as to why they fulfill the above property.

We start by an informal description of the ensembles, and then, we proceed to the formal definitions: Let $X_0,X_1$ and $\Sigma $ be three uniformly random strings of lengths $2n+1$. Let $\mathcal{E}^1$ be an ensemble generated by executing $\pi $ on inputs $(X_0,X_1)$ for the sender and input $\Sigma $ for the receiver and outputting $(X_0,X_1,\Sigma ,t)$ where t is transcript of $\pi $. Now, let $X'_0,X'_1$ be generated from $X_0,X_1$ and $\Sigma $ by changing the bits in $X_0,X_1$ that do not correspond to the receiver’s input $\Sigma $ to uniformly random bits. $\mathcal{E}^2$ is generated similarly to $\mathcal{E}^1$ except that instead of outputting the actual inputs $X_0,X_1,\Sigma $, we output $(X'_0,X'_1,\overline{\Sigma },t)$ (where t was generated by executing $\pi $ on inputs $(X_0,X_1)$ for the sender and input $\Sigma $ for the receiver).

Formally, let $X_0,X_1,X'_0,X'_1,\Sigma $ be the following (dependent) random variables:

1.
$\Sigma \in \{0,1\}^{2n+1}$ represents the receiver’s input and is a uniformly distributed string.
2.
$X_0, X_1\in \{0,1\}^{2n+1}$ represent a pair of sender’s input and are two uniformly random strings. $X'_0, X'_1\in \{0,1\}^{2n+1}$ represents a second pair of sender’s input and have the property that they agree with $(X_0,X_1)$ on the bits chosen by $\Sigma $ and are independent otherwise. Formally, for every $i=1,\ldots ,2n+1$ it holds that ${X'}_{\Sigma _i}^i = {X}_{\Sigma _i}^i$ and ${X'}_{1-\Sigma _i}^i$ is a random bit (where $X_0=X_0^1,\ldots ,X_0^{2n+1}$, and likewise for $X_1,X'_0,X'_1$).

Let $\textsc {Trans}^{\pi }(x_0,x_1,\sigma )$ be a random variable over the transcript of $\pi $ on sender-inputs $(x_0,x_1)$ and receiver-input $\sigma $. The transcript contains all of the messages sent between the parties, but does not contain the n input/output values sent by the parties to the ideal OT functionality within the extension protocol. We are now ready to define the two probability ensembles $\mathcal{E}^1=\left\{ \mathcal{E}^1_n\right\} _{n\in {\mathbb N}}$ and $\mathcal{E}^2=\left\{ \mathcal{E}^2_n\right\} _{n\in {\mathbb N}}$:

1.
$\mathcal{E}^1_n=(X_0,X_1,\Sigma ,\textsc {Trans}^\pi (X_0,X_1,\Sigma ))$
2.
$\mathcal{E}^2_n=(X'_0,X'_1,\overline{\Sigma },\textsc {Trans}^\pi (X_0,X_1,\Sigma ))$

where $\overline{\Sigma }$ denotes the bitwise complement of $\Sigma $. Observe that in $\mathcal{E}^1$ the transcript is generated from the given inputs $(X_0,X_1,\Sigma )$, whereas in $\mathcal{E}^2$ the given inputs are $(X'_0,X'_1)$ and $\overline{\Sigma }$ (and $(X'_0,X'_1)$ “agree” with $(X_0,X_1)$ on $\Sigma $ and are independent of each other on $\overline{\Sigma }$).

Intuitively, these ensembles are computationally indistinguishable by the privacy properties of oblivious transfer. (The change from $(X_0,X_1)$ to $(X'_0,X'_1)$ cannot be distinguished, or a receiver with input $\Sigma $ could learn more than allowed, and the change from $\Sigma $ to $\overline{\Sigma }$ cannot be distinguished, or the sender could learn something about the receiver’s input.) Furthermore, they are statistically far apart because the transcript must contain meaningful information about the inputs being used (in which case the transcript will be consistent with the inputs in $\mathcal{E}^1$ but not in $\mathcal{E}^2$). In order to see why this is the case, observe that since the number of calls made to the ideal OT functionality is only n, it cannot be the case that all information regarding the inputs is transferred via the use of the ideal OT calls. Thus, the transcript itself must contain some meaningful information, and this information will not be consistent in $\mathcal{E}^2$.

We begin by proving that $\mathcal{E}^1$ and $\mathcal{E}^2$ are computationally indistinguishable. Intuitively, this follows from the privacy property of secure oblivious transfer.

Lemma 3.3

The ensembles $\mathcal{E}^1$ and $\mathcal{E}^2$ are computationally indistinguishable.

Proof

We prove the lemma by separately considering the privacy guarantees with respect to the receiver’s input and the sender’s inputs. Toward this goal, consider the following hybrid ensemble: Let $\mathcal{E}^{h}=\left\{ \mathcal{E}^{h}_n\right\} _{n\in {\mathbb N}}$ be the following probability ensemble:

$$\begin{aligned} \mathcal{E}^{h}_n=(X'_0,X'_1,\Sigma ,\textsc {Trans}^\pi (X_0,X_1,\Sigma )). \end{aligned}$$

Note that $\mathcal{E}^h_n$ is generated from $\mathcal{E}^1_n$ by changing only the inputs of the sender, whereas $\mathcal{E}^2_n$ is generated by changing both the inputs of the sender and the receiver. We prove the claim by proving that $\mathcal{E}^1$ and $\mathcal{E}^h$ are computationally indistinguishable and $\mathcal{E}^h$ and $\mathcal{E}^2$ are computationally indistinguishable.

$\mathcal {E}^1$ and $\mathcal {E}^h$ are Indistinguishable. The only difference between $\mathcal{E}^1$ and $\mathcal{E}^h$ is that $\mathcal{E}^1$ contains the actual input used by the sender, whereas $\mathcal{E}^{h}$ outputs a pair of strings that are random in the locations that are not part of the receiver’s output. Intuitively, these are indistinguishable since otherwise a corrupted receiver could obtain information about the sender’s inputs that it did not choose, in contradiction to the security of oblivious transfer. This can be formalized by defining an experiment in which the receiver’s input $\sigma $ is chosen at random, and then, two sets of sender-inputs are chosen randomly under the constraint that they are the same for the bits to be received for the receiver-input $\sigma $. The oblivious transfers are run using one of the two sender-inputs, and an adversary receiving the receiver’s view attempts to guess which one was used. It is easy to show that the privacy of oblivious transfer implies that no adversary can succeed in guessing correctly with probability non-negligibly greater than 1 / 2. Formally, we define the following experiment:

Experiment $\mathsf{HybridExpt1}^{OT}_{\mathcal{A},\pi ,2n+1}(1^n)$

1.
A random string $\sigma \in _R\{0,1\}^{2n+1}$ is chosen.

2.
Two pairs of strings $(x_0,x_1)\in \{0,1\}^{2n+1} \times \{0,1\}^{2n+1}$ and $(x'_0,x'_1)\in \{0,1\}^{2n+1}\times \{0,1\}^{2n+1}$ are chosen such that the pairs $(x_0,x_1)$ and $(x'_0,x'_1)$ agree on the bits chosen by $\sigma $ and the other locations are independent random bits.

3.
A bit $c\in _R\{0,1\}$ is chosen.

4.
The protocol $\pi $ is executed with the following inputs: The receiver’s input is $\sigma $ and the input of the sender is $(x_0,x_1)$ if $c=0$, and $(x'_0,x'_1)$ if $c=1$.

5.
$\mathcal{A}$ is given the view of the receiver in the execution of $\pi $ and the two pairs $(x_0,x_1),(x'_0,x'_1)$.

6.
$\mathcal{A}$ outputs a bit $c'$ and the output of the experiment equals 1 if and only if $c=c'$.

We now prove the following claim:

Claim 3.4

Let $\pi $ be a secure OT-extension of n to $2n+1$. Then for every $PPT$ adversary $\mathcal{A}$, every polynomial $p(\cdot )$ and all sufficiently large n’s,

$$\begin{aligned} \mathrm{Pr}[\mathsf{HybridExpt1}^{OT}_{\mathcal{A},\pi ,2n+1}(1^n)=1]<\frac{1}{2}+\frac{1}{p(n)} \end{aligned}$$

Proof

Assume by contradiction that there exists a $PPT$ adversary $\mathcal{A}$ and a polynomial $p(\cdot )$ such that for infinitely many n’s,

$$\begin{aligned} \mathrm{Pr}[\mathsf{HybridExpt1}^{OT}_{\mathcal{A},\pi ,2n+1}(1^n)=1]\ge \frac{1}{2}+\frac{1}{p(n)}. \end{aligned}$$

Let $\mathcal{S}_R$ be the probabilistic polynomial-time simulator that is guaranteed to exist by the security of $\pi $. We construct a $PPT$ distinguisher such that for randomly chosen inputs $x_0,x_1,\sigma \in \{0,1\}^{2n+1}$, D can distinguish between the ensembles $\left\{ \phantom {2^{2^2}}\mathcal{S}_R(1^n,\sigma ,x_\sigma )\right\} _{n\in {\mathbb N}}$ and $\left\{ \phantom {2^{2^2}}\textsc {View}_R^{\pi }(1^n,x_0,x_1,\sigma )\right\} _{n\in {\mathbb N}}$ with a non-negligible probability.

D receives as input a view v of a receiver, inputs $x_0,x_1$ and $\sigma $ and works as follows: D chooses two strings $x'_0,x'_1$ that agree with $x_0,x_1$ on the coordinates that correspond to $\sigma $ and are random elsewhere. D then chooses a random bit c, and if $c=0$, it invokes the adversary A on v and the pairs $\left( (x_0,x_1), (x'_0,x'_1)\right) $. If $c=1$, it invokes the adversary A on v and the pairs $\left( (x'_0,x'_1), (x_0,x_1)\right) $. Let $c'$ be the output of $\mathcal{A}$, D outputs 1 if and only if $c'=c$.

Now, assume that v was generated in a real execution of $\pi $ with inputs $x_0,x_1$ and $\sigma $. In this case, the input handed to $\mathcal{A}$ is distributed exactly as in an execution of $\mathsf{HybridExpt1}^{OT}_{\mathcal{A},\pi ,2n+1}$ and thus the probability that $c'=c$ is at least $\frac{1}{2}+\frac{1}{p(n)}$. On the other hand, if v is the output of $\mathcal{S}_R(1^n,\sigma ,x_\sigma )$, then it is independent of the sender’s bit that are not determined by $\sigma $, and since $(x_0,x_1)$ and $(x'_0,x'_1)$ agree on $x_\sigma $ and random elsewhere, the probability that $\mathcal{A}$ correctly guesses c is exactly $\frac{1}{2}$. Hence, we obtain the D can distinguish between the cases with probability $\frac{1}{p(n)}$ as required.$\square $

Finally, we use the fact that a distinguisher for $\mathcal{E}^1$ and $\mathcal{E}^h$ can be transformed into an adversary that succeeds in experiment $\mathsf{HybridExpt1}^{OT}_{\mathcal{A},\pi ,2n+1}$ to obtain:

Corollary 3.5

Let $\pi $ be a secure OT-extension of n to $2n+1$. Then the ensembles $\mathcal{E}^1$ and $\mathcal{E}^h$ are computationally indistinguishable.

$\mathcal{E}^h$ and $\mathcal{E}^2$ are indistinguishable. The only difference between $\mathcal{E}^h$ and $\mathcal{E}^2$ is that in $\mathcal{E}^h$ the receiver’s actual input appears, whereas in $\mathcal{E}^2$ the complement of the receiver’s input appears. As above, these are indistinguishable since otherwise a corrupted sender could obtain some information about the receiver’s input, in contradiction to the security of oblivious transfer. Again, this can be formalized by defining an experiment where a string $\sigma $ is chosen at random and given to the sender. Then, the oblivious transfer implies that no adversary can succeed in guessing if the receiver-input was $\sigma $ or $\overline{\sigma }$ with probability non-negligibly greater than 1 / 2. Formally, we define the following experiment:

Experiment $\mathsf{HybridExpt2}^{OT}_{\mathcal{A},\pi ,2n+1}(1^n)$

1.
A random strings $\sigma \in _R\{0,1\}^{2n+1}$ is chosen.

2.
Two pairs of strings $(x_0,x_1)\in \{0,1\}^{2n+1} \times \{0,1\}^{2n+1}$ and $(x'_0,x'_1)\in \{0,1\}^{2n+1}\times \{0,1\}^{2n+1}$ are chosen such that the pairs $(x_0,x_1)$ and $(x'_0,x'_1)$ agree on the bits chosen by $\sigma $ and the other locations are independent random bits.

3.
The protocol $\pi $ is executed with receiver’s input being $\sigma $ and sender’s input being $(x_0,x_1)$.

4.
A bit $b\in _R\{0,1\}$ is chosen.

5.
If $b=0$, $\mathcal{A}$ is given $(x'_0,x'_1)$, the view of the sender in the execution of $\pi $ and $\sigma $, whereas in $b=1$, $\mathcal{A}$ is given $(x'_0,x'_1)$, the view of the sender in the execution of $\pi $ and $\overline{\sigma }$.

6.
$\mathcal{A}$ outputs a bit $b'$ and the output of the experiment equals 1 if and only if $b=b'$.

We now prove the following claim:

Claim 3.6

Let $\pi $ be a secure OT-extension of n to $2n+1$. Then for every $PPT$ adversary $\mathcal{A}$, every polynomial $p(\cdot )$ and all sufficiently large n’s,

$$\begin{aligned} \mathrm{Pr}[\mathsf{HybridExpt2}^{OT}_{\mathcal{A},\pi ,2n+1}(1^n)=1]<\frac{1}{2}+\frac{1}{p(n)}. \end{aligned}$$

Proof

Assume in contradiction that there exists a $PPT$ adversary $\mathcal{A}$ and a polynomial $p(\cdot )$ such that for infinitely many n’s,

$$\begin{aligned} \mathrm{Pr}[\mathsf{HybridExpt2}^{OT}_{\mathcal{A},\pi ,2n+1}(1^n)=1]\ge \frac{1}{2}+\frac{1}{p(n)}. \end{aligned}$$

Let $\mathcal{S}_S$ be the probabilistic polynomial-time simulator that is guaranteed to exist by the security of $\pi $. We construct a $PPT$ distinguisher such that for randomly chosen inputs $x_0,x_1,\sigma \in \{0,1\}^{2n+1}$, D can distinguish between the ensembles $\left\{ \phantom {2^{2^2}}\mathcal{S}_S(1^n,x_0,x_1)\right\} _{n\in {\mathbb N}}$ and $\left\{ \phantom {2^{2^2}}\textsc {View}_R\mathcal{S}^{\pi }(1^n,x_0,x_1,\sigma )\right\} _{n\in {\mathbb N}}$ with a non-negligible probability.

D receives as input a view v of the sender along with inputs $(x_0,x_1)$ and $\sigma $ and works as follows: D chooses two strings $x'_0,x'_1$ that agree with $x_0,x_1$ on the coordinates that correspond to $\sigma $ and are random elsewhere. It then chooses a random bit b and if $b=0$, it invokes $\mathcal{A}$ on $x'_0,x'_1$, v and $\sigma $, and if $b=1$, it invokes $\mathcal{A}$ on $x'_0,x'_1$, v and $\overline{\sigma }$. Let $b'$ be the output of $\mathcal{A}$, D outputs 1 if and only if $b'=b$. We now analyze the success probability of D.

First, assume that v was obtained in a real execution of $\pi $ with inputs $x_0,x_1$ and $\sigma $. In this case, the input handed to $\mathcal{A}$ is distributed exactly as in $\mathsf{HybridExpt2}^{OT}_{\mathcal{A},\pi ,2n+1}$ and thus the probability that $b'=b$ is at least $\frac{1}{2}+\frac{1}{p(n)}$. On the other hand, if v is the output of $\mathcal{S}_S(1^n,x_0,x_1)$, then it is independent of $\sigma $, and hence, the probability that $\mathcal{A}$ correctly guesses b is exactly $\frac{1}{2}$. Hence, we obtain the D can distinguish between the cases with probability $\frac{1}{p(n)}$ as required.$\square $

Finally, we use the fact that a distinguisher for $\mathcal{E}^2$ and $\mathcal{E}^h$ can be transformed into an adversary that succeeds in experiment $\mathsf{HybridExpt2}^{OT}_{\mathcal{A},\pi ,2n+1}$ to obtain:

Corollary 3.7

Let $\pi $ be a secure OT-extension of n to $2n+1$. Then $\mathcal{E}^h$ and $\mathcal{E}^2$ are computationally indistinguishable.

$\square $

We now prove that the ensembles are statistically far apart.

Lemma 3.8

There exists a polynomial $p(\cdot )$ such that for all large enough n’s, $SD(\mathcal{E}^1_n,\mathcal{E}^2_n)\ge \frac{1}{p(n)}$.

Proof

Given the input $\sigma \in \{0,1\}^{2n+1}$ of the receiver and a transcript t, let $\{(\tau _i,\omega _i)\}_{i=1}^n$ denote a sequence of size n containing the inputs $\{\tau _i\}_{i=1}^n$ sent by the receiver in the n calls to the ideal OT and the respective outputs $\{\omega _i\}_{i=1}^n$ obtained from these calls. We use the following notation:

For every sequence $\{(\tau _i,\omega _i)\}_{i=1}^n$, let $\mathsf{R}_\mathsf{All}(\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n)$ denote the set of all random tapes of the receiver that are consistent with $\sigma $, t and $\{(\tau _i,\omega _i)\}_{i=1}^n$. Moreover, for every string $x\in \{0,1\}^{2n+1}$, let $\mathsf{R}_\mathsf{out}(x,\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n)$ denote the set of all random tapes of the receiver that are consistent with $\sigma $, t and $\{(\tau _i,\omega _i)\}_{i=1}^n$ and lead the receiver to output x. Note that for every x, it holds that $\mathsf{R}_\mathsf{out}(x,\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n)\subseteq \mathsf{R}_\mathsf{All}(\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n)$. Let $p_{\pi }(x,\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n)$ denote the ratio between the size of these two sets; that is:
$$\begin{aligned} p_{\pi }(x,\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n) = \frac{\left| \mathsf{R}_\mathsf{out}(x,\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n)\right| }{\left| \mathsf{R}_\mathsf{All}(\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n)\right| } \end{aligned}$$
Let $\textsf {LikelySet}(\sigma ,t)$ denote the set of all strings $x\in \{0,1\}^{2n+1}$ for which there exists a sequence of n pairs $\{(\tau _i,\omega _i)\}_{i=1}^n$ such that
$$\begin{aligned} p_{\pi }(x,\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n) > \frac{1}{2} \end{aligned}$$
($\textsf {LikelySet}(\sigma ,t)$ is empty if no such x exists). From the definition, for a given receiver-input $\sigma $ and transcript t, the set $\textsf {LikelySet}(\sigma ,t)$ contains all of the strings x for which there exists a sequence $\{(\tau _i,\omega _i)\}$ so that the receiver-outputs x after the execution of $\pi $ with probability greater than 1 / 2.

To prove the statistical distance, we construct an unbounded distinguisher $\mathcal{A}$ and show the existence of a polynomial $p(\cdot )$ such that for all sufficiently large n’s:

$$\begin{aligned} \left| \mathrm{Pr}[\mathcal{A}(\mathcal{E}^1_n)=1]-\mathrm{Pr}[\mathcal{A}(\mathcal{E}^2_n)=1]\right| \ge \frac{1}{p(n)}. \end{aligned}$$

We define our (computationally unbounded) distinguisher $\mathcal{A}$ as follows: $\mathcal{A}$ receives as input a tuple $({\tilde{x}}_0,{\tilde{x}}_1,{\tilde{\sigma }},t)$ that was chosen from either $\mathcal{E}^1$ or $\mathcal{E}^2$ and outputs 1 if and only if ${\tilde{x}}_{\tilde{\sigma }}\in \textsf {LikelySet}({\tilde{\sigma }},t)$. Observe that ${\tilde{x}}_{\tilde{\sigma }}$ is the correct receiver-output in the case that the parties’ inputs were ${\tilde{x}}_0,{\tilde{x}}_1,{\tilde{\sigma }}$.

The intuition behind this construction is as follows. If $(\tilde{x}_0,\tilde{x}_1,\tilde{\sigma },t)$ was sampled from $\mathcal{E}^1$, then $\tilde{x}_0,\tilde{x}_1$ and $\tilde{\sigma }$ are the inputs used to generate the transcript t, and by the correctness of the protocol the receiver should output $\tilde{x}_{\tilde{\sigma }}$ with probability close to 1. Thus, with high probability ${\tilde{x}}_{\tilde{\sigma }}\in \textsf {LikelySet}({\tilde{\sigma }},t)$. In contrast, if $({\tilde{x}}_0,{\tilde{x}}_1,{\tilde{\sigma }},t)$ was sampled from $\mathcal{E}^2=(X'_0,X'_1,\overline{\Sigma },\textsc {Trans}(X_0,X_1,\Sigma ))$, then t is a transcript generated from $(x_0,x_1,\sigma )$, where $x_0,x_1$ are uniform and independent of $({\tilde{x}}_0,{\tilde{x}}_1)$ on the bits chosen by ${\tilde{\sigma }}$, and ${\tilde{\sigma }}=\overline{\sigma }$. This implies that ${\tilde{x}}_{\tilde{\sigma }}={\tilde{x}}_{\overline{\sigma }}$ is a random string of size $2n+1$ that is independent of t and so the probability that ${\tilde{x}}_{\tilde{\sigma }}\in \textsf {LikelySet}({\tilde{\sigma }},t)$ cannot be too large.

We show that $\mathcal{A}$ distinguishes $\mathcal{E}^1$ from $\mathcal{E}^2$ with probability close to 1 / 2. Surprisingly, the main challenge is actually to show that $\mathcal{A}$ outputs 1 when receiving a sample from $\mathcal{E}^1$ with probability close to 1. We explain the difficulty involved at the beginning of the proof of Claim 3.10.

Claim 3.9

For every n, it holds that $\mathrm{Pr}[\mathcal{A}(\mathcal{E}^2_n)=1]\le \frac{1}{2}$.

Proof

Recall that upon input $({\tilde{x}}_0,{\tilde{x}}_1,{\tilde{\sigma }},t)$, distinguisher $\mathcal{A}$ outputs 1 if and only if ${\tilde{x}}_{\tilde{\sigma }}\in \textsf {LikelySet}({\tilde{\sigma }},t)$; that is, if and only if there exists a sequence of pairs $\{(\tau _i,\omega _i)\}_{i=1}^n$ for which it holds that $p_{\pi }({\tilde{x}}_{\tilde{\sigma }},{\tilde{\sigma }},t,\{(\tau _i,\omega _i)\}_{i=1}^n) > \frac{1}{2}$. As we have described, in this case of ensemble $\mathcal{E}^2$, the string ${\tilde{x}}_{\tilde{\sigma }}$ is independent of t. To stress this point, the distribution $\mathcal{E}^2$ can be generated by choosing $X_0,X_1,\Sigma $ and generating t, and only then choosing the bits of $X'_0,X'_1$ corresponding to $\overline{\Sigma }$. (Observe that ${\tilde{x}}_{\tilde{\sigma }}$ corresponds exactly to these bits chosen last.) Now, for every given $(\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n)$ there exists at most one x such that $p_{\pi }(x,\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n) > \frac{1}{2}$ (since it is required that the probability be strictly greater than 1 / 2). Since t depends only on random coins generated before the remaining bits of $X'_0,X'_1$ and so ${\tilde{x}}_{\tilde{\sigma }}$ are chosen, this implies that for every series $\{(\tau _i,\omega _i)\}_{i=1}^n$,

$$\begin{aligned} \mathrm{Pr}\left[ p_{\pi }({\tilde{x}}_{\tilde{\sigma }},\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n)> \frac{1}{2}\right] = \frac{1}{2^{2n+1}}. \end{aligned}$$

We therefore have that for every n,

$$\begin{aligned} \mathrm{Pr}\left[ \mathcal{A}(\mathcal{E}^2_n)=1\right]= & {} \mathrm{Pr}\left[ \phantom {2^{2^2}}\exists \{(\tau _i,\omega _i)\}_{i=1}^n~s.t.~ p_{\pi }({\tilde{x}}_{\tilde{\sigma }},\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n)>\frac{1}{2}\right] \\\le & {} \sum _{\{(\tau _i,\omega _i)\}_{i=1}^{n}}\mathrm{Pr}\left[ p_{\pi } ({\tilde{x}}_{\tilde{\sigma }},\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n)>\frac{1}{2}\right] \\\le & {} 2^{2n}\cdot \frac{1}{2^{2n+1}}=\frac{1}{2}\ , \end{aligned}$$

where the inequality follows from the union bound. $\square $

Denote by $\textsc {output}^\pi _R(x_0,x_1,\sigma ;1^n)$ the output of the receiver R after an execution with sender-inputs $(x_0,x_1)$, receiver-input $\sigma $ and security parameter n. We prove:

Claim 3.10

Let $\mu (\cdot )$ be the negligible function so that $\mathrm{Pr}\left[ \textsc {output}^\pi _R(x_0,x_1,\sigma ;1^n)\right. \left. =x_\sigma \right] \ge 1-\mu (n)$ (from the correctness requirement). Then, for every n it holds that $\mathrm{Pr}[\mathcal{A}(\mathcal{E}^1_n)=1]\ge 1-2\mu (n)$.

Proof

Recall that $\mathcal{E}^1$ samples tuples $(x_0,x_1,\sigma ,t)$ such that t is a transcript of $\pi $ on inputs $x_0,x_1$ and $\sigma $, where $x_0,x_1$ and $\sigma $ are uniformly chosen. Intuitively, this claim follows from the correctness of the oblivious transfer protocol. That is, if $x_\sigma \notin \textsf {LikelySet}(\sigma ,t)$ then the receiver would output the correct output $x_\sigma $ with probability less than 1 / 2, contradicting the correctness requirement. Unfortunately, this intuitive argument is far more involved to prove. The reason for this is that the correctness requirement is based on the probability over the random coins of both parties. In contrast, $\textsf {LikelySet}$ is defined based on the random coins of the receiver only. In order to demonstrate why this could be problematic, consider the situation where for any given transcript t and sequence $\{(\tau _i,\omega _i)\}_{i=1}^n$, the majority of receiver coins $r_R$ result in an incorrect output. However, there are only very few sender coins $r_S$ that are consistent with t and the bad receiver coins $r_R$. Therefore, when taking the probability over both the sender and receiver coins, the incorrect output is received with only very small probability. However, when considering the receiver’s coins only, the incorrect output is obtained very often. Such an event can be shown to not be possible in a standard protocol where the transcript contains all information. This is because there is no dependence between the sender’s coins and the receiver’s coins, for all possible coins that are consistent with the transcript. However, in our scenario where ideal OT calls are included (and the inputs and outputs to these calls are not part of the transcript), such dependence may be introduced via the ideal OT calls. Proving that such a case cannot occur constitutes the majority of the proof of this claim.

For inputs $x_0,x_1,$ and $\sigma $, let $\mathsf{Good}(x_0,x_1,\sigma )$ denote the set of all transcripts t such that $x_\sigma \in \textsf {LikelySet}(\sigma ,t)$; i.e., $\mathsf{Good}(x_0,x_1,\sigma )=\left\{ t\mid x_\sigma \in \textsf {LikelySet}(\sigma ,t)\right\} $. Intuitively, this is the set of all transcripts that are “good” in the sense that in those executions the receiver (may) output the correct output with a good probability. (It won’t necessarily output the correct output because this just means that there exists a sequence $\{(\tau _i,\omega _i)\}_{i=1}^n$ for which it outputs the correct output with probability greater than 1 / 2.) Recall that $\mathcal{A}$ on input $(x_0,x_1,\sigma ,t)$ returns 1 if and only if $x_\sigma \in \textsf {LikelySet}(\sigma ,t)$, and hence, $\mathcal{A}$ outputs 1 if and only if $t\in \mathsf{Good}(x_0,x_1,\sigma )$. Thus, it suffices to prove that $\mathrm{Pr}[t\in \mathsf{Good}(x_0,x_1,\sigma )]>1-2\mu (n)$, when $(x_0,x_1,\sigma ,t)$ are sampled from $\mathcal{E}^1$.

In order to prove this, we use the fact that

$$\begin{aligned}&{\mathrm{Pr}[\textsc {output}^\pi _R(x_0,x_1,\sigma ;1^n)=x_\sigma ]}\\&\quad = \mathrm{Pr}[\textsc {output}^\pi _R(x_0,x_1,\sigma ;1^n)=x_\sigma \mid t\in \mathsf{Good}(x_0,x_1,\sigma )]\cdot \mathrm{Pr}[t\in \mathsf{Good}(x_0,x_1,\sigma )]\\&\qquad ~ + ~ \mathrm{Pr}[\textsc {output}^\pi _R(x_0,x_1,\sigma ;1^n)=x_\sigma \mid t \not \in \mathsf{Good}(x_0,x_1,\sigma )]\cdot \mathrm{Pr}[t\not \in \mathsf{Good}(x_0,x_1,\sigma )]\\&\quad \le \mathrm{Pr}[t\in \mathsf{Good}(x_0,x_1,\sigma )]\\&\qquad ~ + ~ \mathrm{Pr}[\textsc {output}^\pi _R(x_0,x_1,\sigma ;1^n)=x_\sigma \mid t\not \in \mathsf{Good}(x_0,x_1,\sigma )] \cdot \mathrm{Pr}[t\not \in \mathsf{Good}(x_0,x_1,\sigma )]. \end{aligned}$$

Below, we will prove that

$$\begin{aligned} \mathrm{Pr}[\textsc {output}^\pi _R(x_0,x_1,\sigma ;1^n)=x_\sigma \mid t\not \in \mathsf{Good}(x_0,x_1,\sigma )] \le \frac{1}{2}. \end{aligned}$$

(1)

Combining the above calculation with (1) and with the correctness requirement of the protocol stating that $\mathrm{Pr}[\textsc {output}^\pi _R(x_0,x_1,\sigma ;1^n)=x_\sigma ]\ge 1-\mu (n)$, we have:

$$\begin{aligned} 1-\mu (n)\le & {} \mathrm{Pr}[t\in \mathsf{Good}(x_0,x_1,\sigma )] + \frac{1}{2} \cdot \mathrm{Pr}[t\not \in \mathsf{Good}(x_0,x_1,\sigma )]\\= & {} 1 - \frac{1}{2}\cdot \mathrm{Pr}[t\not \in \mathsf{Good}(x_0,x_1,\sigma )] \end{aligned}$$

and so $\mathrm{Pr}[t\not \in \mathsf{Good}(x_0,x_1,\sigma )] \le 2\mu (n)$. Thus, $\mathrm{Pr}[\mathcal{A}(\mathcal{E}^1_n)=1]=\mathrm{Pr}[t\in \mathsf{Good}(x_0,x_1,\sigma )]>1-2\mu (n)$ as required.

It therefore remains to prove (1) in order to prove Claim 3.10. By the definition of $\mathsf{Good}$, for every $t\not \in \mathsf{Good}(x_0,x_1,\sigma )$ we have that $x_\sigma \not \in \textsf {LikelySet}(\sigma ,t)$, which by the definition of $\textsf {LikelySet}(\sigma ,t)$ implies that for every sequence $\{(\tau _i,\omega _i)\}_{i=1}^n$, it holds that

$$\begin{aligned} p_\pi (x_\sigma ,\sigma , t,\{(\tau _i,\omega _i)\}_{i=1}^n)= \frac{\left| \mathsf{R}_\mathsf{out}(x_{\sigma },\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n)\right| }{\left| \mathsf{R}_\mathsf{All}(\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n)\right| } \le \frac{1}{2}. \end{aligned}$$

(2)

Fix $x_0,x_1,\sigma $ and fix $t\notin \mathsf{Good}(x_0,x_1,\sigma )$. We prove (1) by showing that for all $\{(\tau _i,\omega _i)\}_{i=1}^n$

$$\begin{aligned} _{}\mathrm{Pr}[\textsc {output}^\pi _R(x_0,x_1,\sigma ;1^n)=x_\sigma \mid t\wedge \{(\tau _i,\omega _i)\}_{i=1}^n]\le \frac{1}{2}. \end{aligned}$$

For every $t\notin \mathsf{Good}(x_0,x_1,\sigma )$ and $\{(\tau _i,\omega _i)\}_{i=1}^n$, we define the following two sets (recall that $x_0,x_1$ and $\sigma $ are fixed):

1.
Let $\mathsf{RS}_\mathsf{All}(t,\{(\tau _i,\omega _i)\}_{i=1}^n)$ contain all pairs of random tapes $(r_R,r_S)$ for which the execution $\langle S(x_0,x_1;r_S),R(\sigma ;r_R)\rangle $ results in transcript t and the sequence of input/output ideal calls $\{(\tau _i,\omega _i)\}_{i=1}^n$.
2.
Let $\mathsf{RS}_\mathsf{good}(t,\{(\tau _i,\omega _i)\}_{i=1}^n)$ contain all pairs of random tapes $(r_R,r_S)$ for which the execution $\langle S(x_0,x_1;r_S),R(\sigma ;r_R)\rangle $ results in transcript t, sequence $\{(\tau _i,\omega _i)\}_{i=1}^n$ and receiver-output $x_\sigma $.

It follows immediately from the definition of these sets that

$$\begin{aligned} \mathrm{Pr}[\textsc {output}^\pi _R(x_0,x_1,\sigma ;1^n)=x_\sigma \mid t\wedge \{(\tau _i,\omega _i)\}_{i=1}^n] = \frac{\left| \mathsf{RS}_\mathsf{good}(t,\{(\tau _i,\omega _i)\}_{i=1}^n)\right| }{\left| \mathsf{RS}_\mathsf{All}(t,\{(\tau _i,\omega _i)\}_{i=1}^n)\right| }. \end{aligned}$$

(3)

In order to see this, denote by $\mathsf All$ the set of all pairs of random tapes, and observe that

$$\begin{aligned} \mathrm{Pr}[\textsc {output}^\pi _R(x_0,x_1,\sigma ;1^n)=x_\sigma \wedge t\wedge \{(\tau _i,\omega _i)\}_{i=1}^n] = \frac{\left| \mathsf{RS}_\mathsf{good}(t,\{(\tau _i,\omega _i)\}_{i=1}^n)\right| }{\left| \mathsf All\right| } \end{aligned}$$

and

$$\begin{aligned} \mathrm{Pr}[t\wedge \{(\tau _i,\omega _i)\}_{i=1}^n] = \frac{\left| \mathsf{RS}_\mathsf{All}(t,\{(\tau _i,\omega _i)\}_{i=1}^n)\right| }{\left| \mathsf All\right| }\ . \end{aligned}$$

Observe that this is very similar to (2), except that (2) refers to $\mathsf{R}_\mathsf{All}$ and $\mathsf{R}_\mathsf{out}$ which are based on the receiver’s random tape only, and here we refer to $\mathsf{RS}_\mathsf{All}$ and $\mathsf{RS}_\mathsf{good}$ which refer to both the receiver and sender’s random tapes. Thus, it remains to show that they have the same ratio, and this will imply that $\mathrm{Pr}[\textsc {output}^\pi _R(x_0,x_1,\sigma ;1^n)=x_\sigma \mid t\wedge \{(\tau _i,\omega _i)\}_{i=1}^n]\le 1/2$.

Let $\mathsf{S}_\mathsf{All}(x_0,x_1,t,\{(\tau _i,\omega _i)\}_{i=1}^n)$ be the set of all random tapes of the sender that are consistent with $x_0,x_1,t$ and $\{(\tau _i,\omega _i)\}_{i=1}^n$. We prove:

$$\begin{aligned} \mathsf{RS}_\mathsf{All}(t,\{(\tau _i,\omega _i)\}_{i=1}^n)= & {} \mathsf{S}_\mathsf{All}(x_0,x_1,t, \{(\tau _i,\omega _i)\}_{i=1}^n)\times \mathsf{R}_\mathsf{All}(\sigma ,t,\{(\tau _i,\omega _i) \}_{i=1}^n) \nonumber \\ \end{aligned}$$

(4)

$$\begin{aligned} \mathsf{RS}_\mathsf{good}(t,\{(\tau _i,\omega _i)\}_{i=1}^n)= & {} \mathsf{S}_\mathsf{All}(x_0,x_1,t,\{(\tau _i,\omega _i)\}_{i=1}^n)\times \mathsf{R}_\mathsf{out}(x_{\sigma },\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n).\nonumber \\ \end{aligned}$$

(5)

(Recall that this is trivial in the case that there are no ideal calls to a functionality. However, in this case, it is conceivable that the ideal calls may introduce dependence, and thus, it requires a proof; see Footnote 2.) We begin by proving (4). Let $r_S\in \mathsf{S}_\mathsf{All}(x_0,x_1,t,\{(\tau _i,\omega _i)\}_{i=1}^n)$ and let $r_R\in \mathsf{R}_\mathsf{All}(\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n)$. We show that $(r_R,r_S)\in \mathsf{RS}_\mathsf{All}(t,\{(\tau _i,\omega _i)\}_{i=1}^n)$ by showing that the execution $\langle S(x_0,x_1;r_S),R(\sigma ;r_R)\rangle $ results in transcript t and sequence $\{(\tau _i,\omega _i)\}_{i=1}^n$.

This can be proved by a simple induction on the round number k. Assume that up to the $k^{th}$ round, the execution $\langle S(x_0,x_1;r_S),R(\sigma ;r_R)\rangle $ is consistent with t and the n pairs $\{(\tau _i,\omega _i)\}_{i=1}^n$; we show that this argument holds also after the $k+1^{th}$ round. There are three cases for the $k+1^{th}$ round:

The sender sends a message: By the induction hypothesis, all the information that S has up to this point is consistent with t and $\{(\tau _i,\omega _i)\}_{i=1}^n$. Since $r_S\in \mathsf{S}_\mathsf{All}(x_0,x_1,t,\{(\tau _i,\omega _i)\}_{i=1}^n)$, it follows that the message sent by the sender in this round is consistent with t.
The receiver sends a message: Exactly as above, using the fact that $r_R\in \mathsf{R}_\mathsf{All}(\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n)$.
The parties make the $j^{th}$ call to the ideal OT functionality: By a similar argument to the previous cases, we deduce that the input sent by the sender to the ideal OT functionality is consistent with $(\tau _j,\omega _j)$ and the input sent by the receiver is consistent with $(\tau _j,\omega _j)$. Hence, letting $m_0,m_1$ be the input of the sender to the OT functionality, we have that $m_{\tau _j}=\omega _j$ and the input of the receiver is $\tau _j$. This implies that the output of the receiver is $\omega _j$, and hence, $(r_R,r_S)$ remains consistent after this call to the OT functionality.^{Footnote 2}

We therefore conclude that (4) holds; the proof of (5) is almost identical (with the addition that the output remains the same). Combining Equations (2) to (5), we obtain that for every fixed $x_0,x_1,\sigma $, $t\notin \mathsf{Good}(x_0,x_1,\sigma )$ and for every sequence $\{(\tau _i,\omega _i)\}_{i=1}^n$,

$$\begin{aligned}&{\mathrm{Pr}[\textsc {output}^\pi _R(x_0,x_1,\sigma ;1^n)=x_\sigma \mid t \wedge \{(\tau _i,\omega _i)\}_{i=1}^n]}\\&\quad =\frac{\left| \mathsf{S}_\mathsf{All}(x_0,x_1,t,\{(\tau _i,\omega _i)\}_{i=1}^n)\right| \cdot \left| \mathsf{R}_\mathsf{out}(x_{\sigma },\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n)\right| }{\left| \mathsf{S}_\mathsf{All}(x_0,x_1,t,\{(\tau _i,\omega _i)\}_{i=1}^n)\right| \cdot \left| \mathsf{R}_\mathsf{All}(\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n)\right| } \\&\quad =\frac{\left| \mathsf{R}_\mathsf{out}(x_{\sigma },\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n)\right| }{\left| \mathsf{R}_\mathsf{All}(\sigma ,t,\{(\tau _i,\omega _i)\}_{i=1}^n)\right| }\\&\quad =p_\pi (x_\sigma ,\sigma , t,\{(\tau _i,\omega _i)\}_{i=1}^n)\le \frac{1}{2}. \end{aligned}$$

This completes the proof of (1), thereby implying Claim 3.10.$\square $

Combining Claims 3.10 and 3.9, we obtain that the statistical distance of $\mathcal{E}^1$ and $\mathcal{E}^2$ is greater than $1/2-2\mu (n)$, completing the proof of Lemma 3.8.$\square $

We have demonstrated that the existence of an OT-extension protocol implies the existence of two ensembles that are computationally indistinguishable and yet statistically far apart, which in turn implies the existence of one-way functions, by [8].$\square $

4 Adaptive Security

In this section, we consider the feasibility of constructing OT-extension protocols that are secure in the presence of adaptive adversaries. It is easy to see that the OT-extension protocols of Beaver [3] and Ishai et al. [11] are not secure when considering adaptive security. This is because the receiver’s view is essentially a binding commitment to all of the sender’s inputs.^{Footnote 3} This raises the question as to whether there exists an OT-extension protocol at all in the presence of adaptive adversaries. Of course, if the existence of an OT-extension protocol (that is secure for adaptive adversaries) implies OT that is secure for adaptive adversaries, then this means that only a trivial OT-extension that constructs OT from scratch exists. We provide a partial answer to this question and show that a protocol for OT-extension that is secure in the presence of adaptive adversaries implies the existence of an OT protocol that is secure in the presence of static adversaries. Thus, any protocol for extending OT that maintains adaptive security needs to assume, at the very least, the existence of a statically secure protocol for OT. We state and prove this for semi-honest adversaries; an analogous theorem for malicious adversaries can be obtained by applying a GMW-type compiler. Formally, we prove the following theorem (the intuition appears immediately after Protocol 4.2):

Theorem 4.1

Let n be the security parameter. If there exists an OT-extension protocol from n to $n+1$ that is secure in the presence of adaptive semi-honest adversaries, then there exists an OT protocol that is secure in the presence of static semi-honest adversaries.

Proof

We prove the theorem by building an OT protocol that is secure in the presence of static adversaries from any OT-extension from n to 4n that is secure in the presence of adaptive adversaries. (Note that by Proposition 2.6, an OT-extension from n to 4n exists if there exists an extension from n to $n+1$.) We first present the construction of the OT protocol for static adversaries and then provide intuition as to why it is secure.

Let $\pi =\langle S,R\rangle $ be a protocol that securely computes the ${4n}\times OT$ functionality in the $OT^n$-hybrid model in the presence of adaptive semi-honest adversaries. Without loss of generality, we assume that all of the ideal calls to OT in $\pi $ are such that S plays the sender and R plays the receiver. This is without loss of generality since the roles in OT can always be reversed [17] (see “Appendix A” for a description of the transformation presented in [17] and the proof of security.) We construct an OT protocol $\hat{\pi }$ in the plain model (i.e., with no calls to an ideal OT functionality), as follows:

Protocol 4.2

(OT protocol $\hat{\pi }=\langle \hat{S},\hat{R}\rangle $ for Static Adversaries)

Inputs: The input of the sender $\hat{S}$ is $b_0,b_1\in \{0,1\}$ and the input of the $\hat{R}$ is $\sigma \in \{0,1\}$.
The protocol:
1. 1.
  $\hat{S}$ chooses two random strings $\alpha _0,\alpha _1\in \{0,1\}^{{4n}}$.
2. 2.
  $\hat{S}$ and $\hat{R}$ run the extension protocol $\pi $ as follows:
  1. (a)
    $\hat{S}$ plays the sender S in $\pi $ with inputs $(\alpha _0,\alpha _1)$.
  2. (b)
    $\hat{R}$ plays the receiver R in $\pi $ with input $\sigma ^{4n}$ (i.e., the string of length 4n with all bits set to $\sigma $)
  3. (c)
    The parties follow the instructions of $\pi $ exactly except that whenever $\pi $ instructs them to make an ideal call to the OT functionality with input $(\beta _0,\beta _1)$ for S and input $\tau $ for R, the sender $\hat{S}$ sends the pair $(\beta _0,\beta _1)$ to $\hat{R}$, and $\hat{R}$ proceeds to run R with output $\beta _\tau $ from the simulated ideal call.
  4. (d)
    Let $\gamma \in \{0,1\}^{4n}$ denote the output of R in the execution of $\pi $.
3. 3.
  $\hat{S}$ chooses two random strings $r_0,r_1\in _R\{0,1\}^{{4n}}$ and sets:
  $$\begin{aligned} z_0=\langle \alpha _0,r_0\rangle \oplus b_0 \mathrm{~~~and~~~} z_1=\langle \alpha _1,r_1\rangle \oplus b_1. \end{aligned}$$
  $\hat{S}$ sends $(r_0,z_0)$ and $(r_1,z_1)$ to $\hat{R}$.
Output: $\hat{R}$ outputs $z_{\sigma }\oplus \langle \gamma ,r_{\sigma }\rangle $.

First, we note that $\hat{\pi }$ correctly computes the OT functionality. This is because by the correctness of the OT-extension protocol, R will output $\gamma =\alpha _\sigma $ in Step 4.2, except with negligible probability. Thus, $z_\sigma \oplus \langle \gamma ,r_\sigma \rangle =z_\sigma \oplus \langle \alpha _\sigma ,r_\sigma \rangle =b_\sigma $, as required.

We proceed to prove that $\pi $ securely computes the OT functionality in the presence of semi-honest adversaries. We begin with the intuition. If $\hat{S}$ and $\hat{R}$ were to run the original extension protocol $\pi $ with the ideal calls, then $\hat{\pi }$ is a secure OT protocol. This is because by the security of the extension protocol $\pi =\langle S, R\rangle $, we have that $\hat{S}$, playing the role of S, learns nothing about $\sigma $, and $\hat{R}$, playing the role of R, learns $\alpha _\sigma $ but nothing about $\alpha _{1-\sigma }$. Thus, $\hat{R}$ learns $b_\sigma $ but nothing about $b_{1-\sigma }$ (observe that $\langle \alpha _{1-\sigma },r_{1-\sigma }\rangle $ hides $b_{1-\sigma }$ by the fact that $\alpha _{1-\sigma }$ is random). Now, in $\hat{\pi }$ the difference is that $\hat{S}$ sends both inputs to $\hat{R}$ in every ideal OT call within the execution of $\pi $. Clearly, $\hat{S}$’s view can be simulated since its view is identical to the case that $\pi $ with the ideal OT calls is used. In contrast, $\hat{R}$ learns more information since it obtains both sender-inputs in all ideal OT calls. Since the inputs to each ideal call are a single bit, we have that $\hat{R}$ obtains n more bits of information than in the original extension protocol using ideal OT calls. However, $\alpha _{1-\sigma }$ is 4n bits long and so still must have high entropy even given the n additional bits of information learned. This entropy is enough to hide $b_{1-\sigma }$ since $\langle \alpha _{1-\sigma },r_{1-\sigma }\rangle $ is a perfect universal hash function, and so a good randomness extractor.

The above seems to have nothing to do with the fact that the extension protocol $\pi $ is secure in the presence of adaptive adversaries. However, the argument that just n more bits of information are obtained is valid only in this case. Specifically, by the definition of security in the presence of adaptive adversaries, the simulator must be able to simulate in the case that the receiver is corrupted at the onset, and the sender is corrupted at the end after the protocol concludes (formally, in the “post-execution corruption phase”). This means that the simulator must first generate a receiver-view (given the receiver’s input and output), and must then later generate a sender view (given the sender’s input) that is consistent with the already fixed receiver-view that it previously generated. This sender view contains, among other things, the inputs that the sender uses in all of the n ideal calls to the OT functionality within the extension protocol $\pi $. Thus, it is possible to add these inputs of the sender to the previously generated receiver-view (we call this the extended receiver-view) and the result is the receiver-view in the modified extension protocol used in Step 2 of $\hat{\pi }$; in particular, both sender’s inputs to all ideal OT calls appear. Observe that only n bits of additional information are added to the receiver-view in order to obtain the extended view, and so there are at most $2^n$ extended views for any given receiver-view. However, there are $2^{4n}$ different possible strings $\alpha _{1-\sigma }$. The crucial point here is that the above implies that many different possible strings $\alpha _{1-\sigma }$ must be consistent with any given extended view (except with negligible probability). This relies critically on the fact that the receiver-view is fixed before the sender corruption and so the same extended receiver-view must be consistent with many different sender-inputs to the ideal OT calls. Now, once we have that many different possible $\alpha _{1-\sigma }$ strings are consistent, we can use the fact that $\alpha _{1-\sigma }$ is randomly chosen to apply the leftover hash lemma and conclude that $\langle \alpha _{1-\sigma },r_{1-\sigma }\rangle $ is a bit that is statistically close to uniform. We now proceed to the formal proof.

Corrupted Sender. The case of a corrupted sender is straightforward since the sender $\hat{S}$ receives no information in Step 2 of $\hat{\pi }$ beyond what it receives in a real execution of $\pi $ with ideal OT calls. Thus, the simulator that is assumed to exist for the sender S in $\pi $ can be used to generate the exact view of $\hat{S}$ in Step 2 of $\hat{\pi }$. Since $\hat{S}$ receives no messages beyond in Step 2, there is nothing more to be added to the view of $\hat{S}$.

Corrupted Receiver. The order to construct our simulator $\mathcal{S}_{\hat{R}}$ for the corrupted receiver $\hat{R}$ in $\hat{\pi }$, we first define a specific simulator $\mathcal{SIM}$ for the extension protocol $\pi $ for the adaptive setting. Let $\mathcal{A}$ and $\mathcal{Z}$ be the following real-life semi-honest adversary and environment for $\pi $; see Sect. 2.1 for a brief overview of the definition of adaptive security and [4] for full definitions. At the beginning of the execution of $\pi $, the adversary $\mathcal{A}$ corrupts the receiver and learns its input $\sigma \in \{0,1\}^{{4n}}$. It then follows the honest strategy for R and at the end of the execution, outputs its entire view. In the post-execution phase, $\mathcal{Z}$ generates a “corrupt S” message, sends it to $\mathcal{A}$ who corrupts S and hands $\mathcal{Z}$ the internal view of S. $\mathcal{Z}$ then outputs its internal view (note that it contains views of both R and S). Let $\mathcal{SIM}$ be the ideal-process adversary that is guaranteed to exist for this $\mathcal{A}$ and $\mathcal{Z}$ by the security of $\pi $. We remark that $\mathcal{SIM}$ generates a view of an execution of $\pi $ in the OT-hybrid model, where ideal calls are used for the n invocations of OT. We use $\mathcal{SIM}$ to construct the simulator $\mathcal{S}_{\hat{R}}$ for the case of a corrupted receiver in $\hat{\pi }$.

Construction 4.3

($\mathcal{S}_{\hat{R}}$) $\mathcal{S}_{\hat{R}}$ receives $\sigma $ and $b_{\sigma }$ as input and works in three stages as follows:

1.
Stage 1—obtain simulated receiver-view in $\pi $:
1. (a)
  Choose a random string $\alpha _\sigma \in _R\{0,1\}^{{4n}}$ as the “output of $\pi $” and a random tape $r_\mathcal{SIM}$ for $\mathcal{SIM}$ of the appropriate length.
2. (b)
  Start an execution of $\mathcal{SIM}$ with random tape $r_\mathcal{SIM}$. When $\mathcal{SIM}$ corrupts the receiver, hand $\sigma ^{{4n}}$ to $\mathcal{SIM}$ as the input of R.
3. (c)
  In the computation stage, play the role of the trusted party and send $\alpha _\sigma $ to $\mathcal{SIM}$ as the output of R from $4n\times OT$. (Since we are in the semi-honest setting, R always sends its specified input $\sigma ^{4n}$ and so the output that it would receive is always $\alpha _\sigma $.)
4. (d)
  Let $v_R$ be the output of $\mathcal{SIM}$ at the end of the execution phase (this consists of a view for the receiver). If $v_R$ is not consistent with $\sigma ^{{4n}}$ and $\alpha _{\sigma }$,^{Footnote 4} return $\bot $ and abort. Otherwise, proceed to the next stage.
2.
Stage 2—obtain extended receiver-view:
1. (a)
  Choose a random string $\alpha _{1-\sigma }\in \{0,1\}^{{4n}}$.
2. (b)
  Send a “corrupt S” message to $\mathcal{SIM}$ on behalf of $\mathcal{Z}$. When $\mathcal{SIM}$ corrupts the sender, hand $(\alpha _0,\alpha _1)$ to $\mathcal{SIM}$ as the input of S.
3. (c)
  Let $v_S$ be the view of the sender sent by $\mathcal{SIM}$ to $\mathcal{Z}$. If $v_S$ is not consistent with $v_R$ and the inputs, output $\bot $ and abort. If $v_S$ is consistent with $v_R$ and the inputs, then for each of the n calls for the ideal OT functionality, extend $v_R$ by appending the other input used by the sender (as appear in $v_S$) into the view $v_R$. (Note that $v_R$ already contains one of the inputs used by the sender in each call since the receiver receives one output in each ideal call.) Let $v'_R$ be the extended view.
3.
Stage 3—complete simulation:
1. (a)
  Choose two random strings $r_0,r_1\in \{0,1\}^{{4n}}$; let $z_\sigma =\langle \alpha _\sigma ,r_\sigma \rangle \oplus b_{\sigma }$ (where $b_{\sigma }$ is from the input of $\mathcal{S}_{\hat{R}}$) and let $z_{1-\sigma }$ be a random bit.
2. (b)
  Output $v'_R,r_0,r_1,z_0,z_1$.

We now prove that $\mathcal{S}_{\hat{R}}$ is a good simulator. That is, we prove that:

$$\begin{aligned} \left\{ \mathcal{S}_{\hat{R}}(1^n,\sigma ,b_{\sigma })\right\} _{b_0,b_1,\sigma \in \{0,1\},n\in {\mathbb N}} {\mathop {\equiv }\limits ^\mathrm{c}}\left\{ \textsc {View}^{\hat{\pi }}_{\hat{R}}(1^n,b_0,b_1,\sigma )\right\} _{b_0,b_1,\sigma \in \{0,1\},n\in {\mathbb N}}. \end{aligned}$$

(6)

To prove (6), we consider a hybrid simulator $\mathcal{S}^h$ that receives as input $b_{1-\sigma }$ in addition to the input $(\sigma ,b_{\sigma })$ of $\mathcal{S}_{\hat{R}}$. It then works exactly as $\mathcal{S}_{\hat{R}}$ except that in Stage 3 of the simulation it sets $z_{1-\sigma }=\langle \alpha _{1-\sigma },r_{1-\sigma }\rangle \oplus b_{1-\sigma }$ (instead of setting $z_{1-\sigma }$ to a random bit as $\mathcal{S}_{\hat{R}}$ does).

We first prove that the output of the hybrid simulator is indistinguishable from the receiver-view in a real execution. That is, we prove that:

$$\begin{aligned} \left\{ \mathcal{S}^h(1^n,\sigma ,b_0,b_1)\right\} _{b_0,b_1,\sigma \in \{0,1\},n \in {\mathbb N}}{\mathop {\equiv }\limits ^\mathrm{c}}\left\{ \textsc {View}^{\hat{\pi }}_{\hat{R}}(1^n,b_0,b_1,\sigma )\right\} _{b_0,b_1,\sigma \in \{0,1\},n\in {\mathbb N}}. \end{aligned}$$

(7)

Note that the only difference between the two distributions is that in $\textsc {View}^{\hat{\pi }}_{\hat{R}}(1^n,b_0,b_1,\sigma )$, the “extended view of R” (including both inputs used by the sender in each ideal OT call) is generated in a real execution of $\pi $, whereas in $\mathcal{S}^h(1^n,\sigma ,b_0,b_1)$ the extended view is generated by $\mathcal{SIM}$ after the corruption at the end. So intuitively the guarantee that $\mathcal{SIM}$ is a good simulator implies that the two ensembles are computationally indistinguishable. Formally, we define a machine $\mathcal{D}$ that receives the output of $\mathcal{Z}$ after an execution of $\pi $ in the adaptive setting, and attempts to determine whether it obtained a pair of receiver/sender views from a real or ideal execution. $\mathcal{D}$ generates an extended receiver-view from the pair of receiver/sender views that it received, and in addition computes the messages $(r_0,z_0),(r_1,z_1)$ using the correct sender-inputs $b_0,b_1$ (that it’s given as auxiliary input) and using the strings $\alpha _0,\alpha _1$ that appear in $\mathcal{Z}$’s output. Finally, $\mathcal{D}$ outputs the extended receiver-view together with the last message; this constitutes a view of the receiver $\hat{R}$ in $\hat{\pi }$. It is immediate that if $\mathcal{D}$ received a pair of views from a real execution of $\pi $, then it outputs a view which is identical to $\textsc {View}^{\hat{\pi }}_{\hat{R}}(1^n,b_0,b_1,\sigma )$. In contrast, if $\mathcal{D}$ received a pair of views generated by $\mathcal{SIM}$ in an ideal execution, then it outputs a view which is identical to $\mathcal{S}^h(1^n,\sigma ,b_0,b_1)$. Thus, (7) follows from the security of $\pi $ with simulator $\mathcal{SIM}$.

We now proceed to prove that the output of $\mathcal{S}_{\hat{R}}$ is statistically close to the output of the hybrid simulator $S^h$. That is:

$$\begin{aligned} \left\{ \mathcal{S}_{\hat{R}}(1^n,\sigma ,b_{\sigma })\right\} _{b_0,b_1,\sigma \in \{0,1\},n\in {\mathbb N}} {\mathop {\equiv }\limits ^\mathrm{s}}\left\{ \mathcal{S}^h(1^n,\sigma ,b_0,b_1)\right\} _{b_0,b_1,\sigma \in \{0,1\},n\in {\mathbb N}}. \end{aligned}$$

(8)

First note that $\mathcal{S}_{\hat{R}}$ and $\mathcal{S}^h$ work identically in the first two stages of the simulation and differ only in how $z_{1-\sigma }$ is computed. In particular, the distributions over the extended views generated by $\mathcal{S}_{\hat{R}}$ and by $\mathcal{S}^h$ are identical; let $V'_R(1^n,\sigma )$ denote this distribution.

The first step is to show that with probability negligibly close to 1, there are exponentially many strings $\alpha _{1-\sigma }$ that are consistent with an extended view generated by $\mathcal{SIM}$ (as run by $\mathcal{S}^h$ or equivalently $\mathcal{S}_{\hat{R}}$). Fix $\sigma \in \{0,1\}$ and $b_\sigma $. (The following holds for all $\sigma ,b_\sigma $ and we fix them here for clarity.) For a given random tape $r_{\mathcal{SIM}}$ of $\mathcal{SIM}$ and a given $\alpha _\sigma $, let $v_R$ be the (regular, non-extended) view generated by $\mathcal{SIM}$ with random tape $r_{\mathcal{SIM}}$ and $\alpha _{\sigma }$ in the execution phase. Let $\Delta (r_{\mathcal{SIM}},\alpha _\sigma )$ be the set of all strings $\alpha _{1-\sigma }$ of size ${4n}$ for which the views $v_R,v_S$ generated by $\mathcal{SIM}$ with random tape $r_{\mathcal{SIM}}$ and inputs $\alpha _{\sigma }$ and $\alpha _{1-\sigma }$ in the computation and post-execution phases, respectively, are all consistent. (We have already fixed $\sigma $ and $b_\sigma $, so consistency is also with respect to these values; see Footnote 4) Note that if $\mathcal{S}^h$ or $\mathcal{S}_{\hat{R}}$ would output $\bot $ in the first stage (i.e., if $v_R$ is not consistent with the input and output) when choosing $r_\mathcal{SIM},\alpha _\sigma $ then $\Delta (r_\mathcal{SIM},\alpha _\sigma )$ is empty.

We now prove that for every $\sigma ,b_\sigma \in \{0,1\}$, there exists a negligible function $\mu $ such that

$$\begin{aligned} \mathrm{Pr}_{r_\mathcal{SIM},\alpha _\sigma }\left[ \phantom {2^{2^2}}\left| \Delta (r_\mathcal{SIM},\alpha _\sigma )\right| \ge 2^{3n}\right] \ge 1-\mu (n). \end{aligned}$$

Intuitively, this holds because if $\Delta (r_\mathcal{SIM},\alpha _\sigma )$ is “small,” then this means that $\mathcal{SIM}$ would fail with high probability. Formally, assume that $\mathrm{Pr}_{r_\mathcal{SIM},\alpha _\sigma } [|\Delta (r_\mathcal{SIM},\alpha _\sigma )|\ge 2^{3n}]$ is non-negligibly smaller than 1. We consider two cases:

1.
With non-negligible probability, the view $v_R$ generated by $\mathcal{SIM}$ with random tape $r_{\mathcal{SIM}}$ and $\alpha _{\sigma }$ cause $\mathcal{S}^h$ and $\mathcal{S}_{\hat{R}}$ to output $\bot $ (i.e., it is not consistent with the inputs/outputs): In this case, a distinguisher $\mathcal{Z}$ distinguishes the output of $\mathcal{SIM}$ from the views of $v_R,v_S$ in a real execution of $\pi $ since in a real execution the views are consistent except with negligible probability.
2.
With non-negligible probability, the view $v_R$ is consistent but $\left| \Delta (r_{\mathcal{SIM}},\alpha _\sigma )\right| <2^{3n}$: In this case, it is possible to distinguish a real execution of $\pi $ from an ideal execution with $\mathcal{SIM}$ because the probability that a random $\alpha _{1-\sigma }$ is in $\Delta (r_\mathcal{SIM},\alpha _\sigma )$ is less than $\frac{2^{3n}}{2^{4n}}=2^{-n}$. Thus, the environment $\mathcal{Z}$ can just supply a random $\alpha _{1-\sigma }$ and see whether in the post-execution corruption it receives a consistent view. In the real execution, it will always receive a consistent view. However, in the ideal (simulated) execution, it will receive a consistent view with probability less than $2^{-n}$. This is due to the fact that when $\alpha _{1-\sigma }\notin \Delta (r_\mathcal{SIM},\alpha _\sigma )$ the view is not consistent. Thus, $\mathcal{Z}$ distinguishes with probability $(1-2^{-n})$ times the probability that this case occurs, which is non-negligible.

We stress that the calculation in the second case holds since the view of the receiver $v_R$ is fixed before the post-execution phase and thus is fixed before $\alpha _{1-\sigma }$ is essentially chosen.

We now fix $r^*_{\mathcal{SIM}}$ and $\alpha ^*_{\sigma }$ for which $|\Delta (r^*_\mathcal{SIM},\alpha ^*_\sigma )|\ge 2^{3n}$ and prove that the outputs of $\mathcal{S}^h$ and $\mathcal{S}_{\hat{R}}$ are statistically close for such $r^*_\mathcal{SIM}$ and $\alpha ^*_\sigma $. First, recall that an extended view $v'_R$ is obtained by concatenating the other (previously not received) input of the sender in the n calls to the ideal OT to the view $v_R$. Since there are $2^n$ possible “other sender-inputs” in the n ideal OT calls, it follows that for any given receiver-view $v_R$ (which is fully determined by $r^*_\mathcal{SIM}$ and $\alpha ^*_\sigma $; recall that $\sigma ,b_\sigma $ are already fixed) there are at most $2^n$ possible associated extended views. (Again, this relies on the fact that the receiver-view is fixed before the post-execution corruption phase.)

Now, since there are $2^n$ possible extended views, we can partition the at least $2^{3n}$ consistent strings $\alpha _{1-\sigma }\in \Delta (r^*_\mathcal{SIM},\alpha ^*_\sigma )$ so that each partition contains the set of strings $\alpha _{1-\sigma }$ that yield the extended view $v'_R$. Equivalently, we associate $\alpha _{1-\sigma }$ with $v'_R$ if $\mathcal{SIM}$ with $r^*_{\mathcal{SIM}}$ and $\alpha _{\sigma }^*$ outputs the extended view $v'_R$ when given $\alpha _{1-\sigma }$ in the post-execution corruption phase. We denote by $\Gamma (v'_R, r^*_{\mathcal{SIM}},\alpha _{\sigma }^*)$ the set of all strings $\alpha _{1-\sigma }\in \Delta (r^*_{\mathcal{SIM}},\alpha _{\sigma }^*)$ which are associated with $v'_R$, as described above.

We argue that the probability of obtaining an extended view $v'_R$ for which $\left| \Gamma (v'_R, r^*_{\mathcal{SIM}},\alpha _{\sigma }^*)\right| < 2^{n}$ is at most $2^{-n}$ (i.e., an extended view for which the set of associated strings $\alpha _{1-\sigma }$ is small is obtained with probability at most $2^{-n}$). We stress that the probability is over the choice of $\alpha _{1-\sigma }$. (All other randomness is fixed.)

In order to see this, observe that the fact that $\left| \Delta (r^*_{\mathcal{SIM}},\alpha _{\sigma }^*)\right| \ge 2^{3n}$ implies that there are at least $2^{3n}$ strings $\alpha _{1-\sigma }$ that are associated with some extended view $v'_R$. Now, for every $v'_R$ for which $\left| \Gamma (v'_R, r^*_{\mathcal{SIM}},\alpha _{\sigma }^*)\right| < 2^{n}$, we have that $v'_R$ is generated by less than $2^{n}$ of those $2^{3n}$ strings. Thus, such a $v'_R$ is obtained with probability less than $2^n/2^{3n} = 2^{-2n}$. By union bound over the $2^n$ possible extended views $v'_R$ (which also bounds the number of extended views for which $\left| \Gamma (v'_R, r^*_{\mathcal{SIM}},\alpha _{\sigma }^*)\right| < 2^{n}$), we conclude that

$$\begin{aligned} \mathrm{Pr}\left[ \phantom {2^{2^2}}\left| \Gamma (v'_R, r^*_{\mathcal{SIM}},\alpha _{\sigma }^*)\right|< 2^{n}\right] < 2^n \cdot \frac{1}{2^{2n}} = \frac{1}{2^n} \end{aligned}$$

(9)

where the probability is over the choice of $\alpha _{1-\sigma }$.

From (9), we know that when choosing $\alpha _{1-\sigma }$ at random, the probability that we will obtain an extended view $v'_R$ such that $\Gamma (v'_R,r^*_\mathcal{SIM},\alpha ^*_\sigma )$ is small (with less than $2^n$ strings $\alpha _{1-\sigma }$ associated with it) is less than $2^{-n}$. We therefore proceed by conditioning further over views $v'_R$ for which $\left| \Gamma (v'_R, r^*_{\mathcal{SIM}},\alpha _{\sigma }^*)\right| \ge 2^n$. Specifically, we argue that the distributions generated by $\mathcal{S}_{\hat{R}}$ and $\mathcal{S}^h$ are statistically close, conditioned on $r^*_\mathcal{SIM},\alpha ^*_\sigma $ such that $\left| \Delta (r^*_\mathcal{SIM},\alpha ^*_\sigma )\right| \ge 2^{3n}$ and conditioned on the extended view being a specific ${v'}^*_R$ for which $\left| \Gamma ({v'}^*_R, r^*_{\mathcal{SIM}},\alpha _{\sigma }^*)\right| \ge 2^n$.

First, observe that since $\alpha _{1-\sigma }$ is chosen uniformly and independently of $r^*_\mathcal{SIM},\alpha _\sigma $, it is uniformly distributed in $\Gamma ({v'}^*_R, r^*_{\mathcal{SIM}},\alpha _{\sigma }^*)$, when conditioning on all of the above. (The conditioning over ${v'}^*_R$ is equivalent to saying that $\alpha _{1-\sigma }$ is uniform in $\Gamma ({v'}^*_R, r^*_{\mathcal{SIM}},\alpha _{\sigma }^*)$ instead of being uniform in $\{0,1\}^{{4n}}$.) Second, recall that $\Gamma ({v'}^*_R, r^*_{\mathcal{SIM}},\alpha _{\sigma }^*)$ is a set of size at least $2^n$. Third, note that $H_{r_{1-\sigma }}(x)=\langle r_{1-\sigma },x\rangle $ is a universal hash function from $\{0,1\}^{4n}$ to $\{0,1\}$. Thus, by the Leftover Hash Lemma (the version given in [12]), it holds that:

$$\begin{aligned} SD\left( \phantom {2^{2^2}}(r_{1-\sigma },\langle r_{1-\sigma },\alpha _{1-\sigma }\rangle ), (r_{1-\sigma },U_1)\right) \le \frac{1}{2^{(n-1)/2}} \end{aligned}$$

where SD denotes statistical distance and $U_1$ denotes the uniform distribution over $\{0,1\}$. (As above, this statistical distance is computed when conditioned over ${v'}^*_R,r^*_{\mathcal{SIM}},\alpha _{\sigma }^*$.) Thus, these random variables are statistically close, conditioned on ${v'}^*_R,r^*_\mathcal{SIM},\alpha ^*_\sigma $ as above. Noting that in the output of $\mathcal{S}_{\hat{R}}$ we have $(r_{1-\sigma },z_{1-\sigma })=(r_{1-\sigma },U_1)$, and in the output of $\mathcal{S}^h$ we have that $(r_{1-\sigma },z_{1-\sigma })=(r_{1-\sigma },\langle r_{1-\sigma },\alpha _{1-\sigma }\rangle )$, we conclude that

$$\begin{aligned}&\left\{ \phantom {2^{2^2}}\mathcal{S}_{\hat{R}}(1^n,\sigma ,b_\sigma ) \mid {v'}^*_R,r^*_\mathcal{SIM},\alpha ^*_\sigma \right\} _{b_0,b_1,\sigma \in \{0,1\},n\in {\mathbb N}}\\&\quad {\mathop {\equiv }\limits ^\mathrm{s}}\left\{ \phantom {2^{2^2}}\mathcal{S}^h(1^n,\sigma ,b_0,b_1) \mid {v'}^*_R,r^*_\mathcal{SIM},\alpha ^*_\sigma \right\} _{b_0,b_1,\sigma \in \{0,1\},n\in {\mathbb N}} \end{aligned}$$

where the conditioning is as described above. We reiterate that this holds since the extended views and the pair $(r_\sigma ,z_\sigma )$ are generated in an identical way by $\mathcal{S}_{\hat{R}}$ and $\mathcal{S}^h$, and the only difference is with respect to $(r_{1-\sigma },z_{1-\sigma })$. (8) follows from the fact that we condition here on events that occur with all but negligible probability (and the events have identical probability with $\mathcal{S}_{\hat{R}}$ and $\mathcal{S}^h$; see Lemma 2.8). Combining (7) with (8), we derive (6), thereby completing the proof of Theorem 4.1.$\square $

Corollary: Lengthening String OT. Observe that in our proof above the receiver always uses $\sigma ^{4n}$ for input. Thus, it follows that the theorem holds even if the receiver is interested in only obtaining the string of all of the “0 inputs” or the string of all of the “1 inputs.” Stated differently, our proof holds also for the problem of lengthening string OT; i.e., for the problem of obtaining a single string OT for strings of length $n+1$ or more, given a single string OT for strings of length n. Formally,

Corollary 4.4

Let n be the security parameter. If there exists a protocol for computing string OT for strings of length $n+1$ in the $OT^n$ hybrid model that is secure in the presence of adaptive semi-honest adversaries, then there exists an OT protocol that is secure in the presence of static semi-honest adversaries.

5 OT-Extensions Require Superlogarithmic Calls

Theorem 5.1

Let $f:{\mathbb N}\rightarrow {\mathbb N}$ be a function such that $f(n)\in \mathcal{O}(\log n)$, and let n be the security parameter. Then, if there exists a protocol $\pi $ that is an OT-extension from f(n) to $f(n)+1$ that is secure in the presence of static malicious adversaries, then there exists a protocol for the OT functionality that is secure in the presence of static malicious adversaries.

Proof

Intuitively, in an OT-extension protocol using only $\mathcal{O}(\log n)$ ideal OT calls, it is possible for the receiver to guess the bits that it would receive as output from these calls instead of actually running them. Since there are only $\mathcal{O}(\log n)$ calls, the probability that the receiver guesses correctly is $2^{-\mathcal{O}(\log n)}=1/\mathsf{poly}(n)$. This idea can be used to construct an OT protocol that is weak in the sense that full privacy is maintained, but correctness only holds with probability $1/2+1/\mathsf{poly}(n)$. We stress that a naive attempt to implement the above idea will not work since it is necessary to ensure that if the receiver’s guesses are incorrect then it still outputs the correct output of the protocol with probability almost 1 / 2. Otherwise, the “advantage” in obtaining the correct output when the receiver guesses correctly can be canceled out by the “disadvantage” when the receiver guesses incorrectly. We therefore use a similar technique as in the proof regarding adaptive adversaries above. Specifically, we use the fact that an extension from f(n) to $f(n)+1$ implies an extension from f(n) to n, and then use this to obliviously transfer n random bits. The actual oblivious transfer is carried out by applying a universal hash function to the random strings and using the result to mask the actual bits being transferred. This ensures that we obtain correctness that is noticeable greater than 1 / 2 and can thus be amplified. However, in addition, we also have to claim that privacy is maintained. This is not immediate since the receiver does not follow the specified protocol. (Rather, it chooses the outputs from the ideal OT calls at random, and this may affect the other messages that it sends.) By requiring that the extension protocol be secure for malicious adversaries, this ensures that the receiver cannot learn more by behaving in this way. In addition, we show that a malicious sender can also achieve the same affect by inputting a random bit (for both sender-inputs) in each ideal OT call. This implies that a malicious sender can also not learn anything by the receiver behaving in this way. We now proceed to the formal proof.

Throughout the proof, we will construct protocols that are secure for semi-honest adversaries only. This suffices since semi-honest OT implies malicious OT [7, 10]. Let $f:{\mathbb N}\rightarrow {\mathbb N}$ be a function such that $f(n)\in \mathcal{O}(\log n)$ and let $\pi =\langle S,R\rangle $ be a protocol such that on security parameter n and inputs $x_0,x_1\in \{0,1\}^{f(n)+1}$ and $\sigma \in \{0,1\}^{f(n)+1}$ securely computes the $(f(n)+1)\times OT$ functionality in the $OT^{f(n)}$-hybrid model (that is, making at most f(n) calls to an ideal OT). We assume that $\pi $ is secure in the presence of malicious adversaries. We assume that in all of these calls, R is the one to receive output. (This is without loss of generality since oblivious transfer is symmetric [17] and so the roles can be reversed by adding additional messages in $\pi $.) We show how to construct a protocol for computing the OT functionality without any further assumptions other than the existence of an extension protocol $\pi $ with the parameters in the theorem statement. This is achieved in two steps. First, we use the OT-extension from $f(n)=\mathcal{O}(\log n)$ to n to construct a protocol $\tilde{\pi }$ which is simulatable and therefore fully secure, but whose error might be large. Then we amplify the correctness of the protocol using multiple execution. As we show, this can be done once the basic protocol is fully secure.

Step 1: constructing a weak-OT We begin by formally defining weak-OT, which is an oblivious transfer for semi-honest adversaries that has weak correctness but standard simulation security.^{Footnote 5} We then show how to construct a weak-OT protocol $\tilde{\pi }=\langle \tilde{S},\tilde{R}\rangle $ from an OT-extension from f(n) to n. Note that by Proposition 2.6, if there exists an extension protocol from f(n) to $f(n)+1$, then there exists an extension protocol from f(n) to n.

Definition 5.2

(Weak-OT) A two-party protocol $\pi =\langle S,R\rangle $ is a weak-OT if the following hold:

Weak correctness: There exists a polynomial $p(\cdot )$ such that for all $b_0,b_1,\sigma \in \{0,1\}$ and all sufficiently large n’s, it holds that $\mathrm{Pr}[\textsc {Output}^{\pi }_R(1^n,b_0,b_1,\sigma )=b_{\sigma }]\ge \frac{1}{2}+\frac{1}{p(n)}$.
Privacy: There exists $PPT$ machines $\mathcal{S}_R$ and $\mathcal{S}_S$ such that
$$\begin{aligned} \left\{ \mathcal{S}_{ R}(1^n,\sigma ,b_{\sigma })\right\} _{b_0,b_1,\sigma \in \{0,1\},n\in {\mathbb N}}&{\mathop {\equiv }\limits ^\mathrm{c}}&\left\{ \textsc {View}^{\pi }_{R} (1^n,b_0,b_1,\sigma )\right\} _{b_0,b_1,\sigma \in \{0,1\},n\in {\mathbb N}}\\ \left\{ \mathcal{S}_{S}(1^n,b_0,b_1)\right\} _{b_0,b_1,\sigma \in \{0,1\},n\in {\mathbb N}}&{\mathop {\equiv }\limits ^\mathrm{c}}&\left\{ \textsc {View}^{\pi }_{ S}(1^n,b_0,b_1,\sigma )\right\} _{b_0,b_1,\sigma \in \{0,1\},n\in {\mathbb N}} \end{aligned}$$

Let $\alpha _0,\alpha _1,c\in \{0,1\}^n$ be n-bit strings. Let $\alpha _0=\alpha _0^1,\ldots ,\alpha _0^n$, $\alpha _1=\alpha _1^1,\ldots ,\alpha _1^n$, and $c=c_1,\ldots ,c_n$. Recall that $\alpha _{c}=\alpha _{c_1}^1,\alpha _{c_2}^2,\ldots ,\alpha _{c_n}^n$; that is, the ith bit of $\alpha _c$ is either $\alpha _0^i$ or $\alpha _1^i$, depending on the value of $c_i$.

Let $\pi =\langle S,R\rangle $ be an OT-extension protocol from $f(n)=\mathcal{O}(\log n)$ to n. We construct a weak-OT protocol $\tilde{\pi }=\langle \tilde{S},\tilde{R}\rangle $ as follows:

Protocol 5.3

(A weak-OT with no ideal OT calls)

Inputs: The sender $\tilde{S}$ has two bits $b_0,b_1\in \{0,1\}$ and the receiver $\tilde{R}$ has $\sigma \in \{0,1\}$.
The protocol:
1. 1.
  $\tilde{S}$ chooses two random strings $\alpha _0,\alpha _1\in _R\{0,1\}^{n}$.
2. 2.
  $\tilde{R}$ chooses a random string $c\in _R\{0,1\}^{n}$.
3. 3.
  $\tilde{S}$ and $\tilde{R}$ simulate an execution of the extension protocol $\pi $, as follows:
  1. (a)
    $\tilde{S}$ plays the role of the sender S with input $\alpha _0,\alpha _1\in \{0,1\}^n$ and $\tilde{R}$ plays the role of the receiver R with input $c\in \{0,1\}^n$.
  2. (b)
    Whenever $\pi $ instructs the parties to make an OT call, the parties make no call and $\tilde{R}$ chooses a random bit as its output from the call. We denote by $\beta _1,\ldots ,\beta _{f(n)}$ the random bits chosen by $\tilde{R}$ as the OT outputs.
  3. (c)
    Let $\gamma \in \{0,1\}^{n}$ denote the receiver-output of the simulation of $\pi $ received by $\tilde{R}$.
4. 4.
  $\tilde{R}$ chooses a random $c'\in _R\{0,1\}^{n}$ and sends $(c_0,c_1)$ to $\tilde{S}$, where $c_\sigma =c$ and $c_{1-\sigma }=c'$.
5. 5.
  $\tilde{S}$ chooses two random strings $r_0,r_1\in _R\{0,1\}^{n}$, computes $z_0=\langle r_0,\alpha _{c_0}\rangle \oplus b_0$ and$z_1=\langle r_1,\alpha _{c_1}\rangle \oplus b_1$, and sends $(r_0,z_0),(r_1,z_1)$ to $\tilde{R}$.
Output: $\tilde{S}$ outputs nothing and $\tilde{R}$ outputs $\mathsf{out}= z_\sigma \oplus \langle r_\sigma ,\gamma \rangle $.

We now prove that Protocol 5.3, also denoted $\tilde{\pi }$, is a weak-OT protocol. We begin by showing the weak correctness of $\tilde{\pi }$; that is we show that the receiver $\tilde{R}$ outputs the correct bit $b_\sigma $ with probability at least $\frac{1}{2}+\frac{1}{2^{f(n)+2}}$. This suffices since $f(n)=\mathcal{O}(\log n)$ and thus $\frac{1}{2}+\frac{1}{2^{f(n)+2}}=\frac{1}{2}+\frac{1}{2^{c\cdot \log n+2}}=\frac{1}{2}+\frac{1}{4n^{c}}$ for some constant c. Intuitively, weak correctness holds because $\tilde{R}$ correctly guesses the outputs of the OT calls with probability $1/2^{f(n)}$ in which case $\gamma =\alpha _c$ (except with negligible probability) by the correctness of $\pi $ and thus $\langle r_\sigma ,\gamma \rangle =\langle r_{\sigma },\alpha _c\rangle $ and $\mathsf{out}=b_\sigma $. In addition, when the guesses made by $\tilde{R}$ are not correct, it still outputs $b_\sigma $ with probability 1 / 2.

Let $b_0,b_1$ and $\sigma $ be the inputs of $\tilde{S}$ and $\tilde{R}$. Note that $\mathsf{out}=z_{\sigma }\oplus \langle \gamma ,{r_\sigma }\rangle = \langle \alpha _{c_\sigma },r_\sigma \rangle \oplus b_\sigma \oplus \langle \gamma ,{r_\sigma }\rangle =\langle \alpha _c,r_\sigma \rangle \oplus b_\sigma \oplus \langle \gamma ,r_\sigma \rangle $ and thus $\mathsf{out}=b_\sigma $ if and only if $\langle \gamma ,r_\sigma \rangle =\langle \alpha _c,r_\sigma \rangle $, where $r_\sigma $ is a random string. Thus,

$$\begin{aligned} \mathrm{Pr}\left[ \mathsf{out}=b_\sigma \right]= & {} \mathrm{Pr}\left[ \langle \alpha _c,r_\sigma \rangle =\langle \gamma ,r_\sigma \rangle \right] \\= & {} \mathrm{Pr}\left[ \langle \alpha _c,r_\sigma \rangle =\langle \gamma ,r_\sigma \rangle \mid \gamma =\alpha _c\right] \cdot \mathrm{Pr}\left[ \gamma =\alpha _c\right] \\&~ + ~ \mathrm{Pr}\left[ \langle \alpha _c,r_\sigma \rangle =\langle \gamma ,r_\sigma \rangle \mid \gamma \ne \alpha _c\right] \cdot \mathrm{Pr}\left[ \gamma \ne \alpha _c\right] \\= & {} 1\cdot \mathrm{Pr}\left[ \gamma =\alpha _c\right] + \mathrm{Pr}\left[ \langle \alpha _c,r_\sigma \rangle {=}\langle \gamma ,r_\sigma \rangle \mid \gamma \ne \alpha _c\right] \cdot \left( 1-\mathrm{Pr}\left[ \gamma =\alpha _c\right] \right) . \end{aligned}$$

Now, let $\mathsf{Correct}$ denote the event that the guesses made by $\tilde{R}$ for the outputs of the f(n) ideal OT’s are the correct outputs. Consider as a mental experiment, a modified protocol $\pi '$ that works exactly as $\tilde{\pi }$, except that whenever $\pi $ instructs the parties to make the ith OT call, they make the call (in contrast to $\tilde{\pi }$ where they make no call) and $R'$ then chooses a random bit $\beta _i$. Let $\mathsf{Correct}'$ denote the event that all the guesses made by $R'$ equal the outputs of the OT calls. Now, observe that

$$\begin{aligned} \Pr _{\tilde{\pi }}[\gamma =\alpha _c \wedge \mathsf{Correct}]= & {} \Pr _{\tilde{\pi }}[\gamma =\alpha _c ~\mid ~ \mathsf{Correct}]\cdot \Pr _{\tilde{\pi }}[\mathsf{Correct}] \\= & {} \Pr _{\pi '}[\gamma =\alpha _c ~\mid ~ \mathsf{Correct}']\cdot \Pr _{\pi '}[\mathsf{Correct}']\\= & {} \Pr _{\pi '}[\gamma =\alpha _c \wedge \mathsf{Correct}']. \end{aligned}$$

The reason for this is that $\mathsf{R}'$ makes its guesses exactly in the same way as $\tilde{\pi }$ and as long as the guesses are correct, the protocols are identical. Now, we have that

$$\begin{aligned} \Pr _{\pi '}[\gamma =\alpha _c \wedge \mathsf{Correct}']= & {} \Pr _{\pi '}[\gamma =\alpha _c] \cdot \Pr _{\pi '}[\mathsf{Correct}'] = \Pr _{\pi }[\gamma =\alpha _c] \cdot \Pr _{\pi '}[\mathsf{Correct}']\\\ge & {} (1-\mathsf{negl}(n))\cdot \frac{1}{2^{f(n)}} , \end{aligned}$$

where the first equality holds because the bits chosen by $R'$ are random and independent of the execution of the protocol, and the last inequality holds by the correctness of $\pi $ and by the fact that $\pi $ makes f(n) calls to the ideal OT. Hence, we obtain that

$$\begin{aligned} \mathrm{Pr}_{\tilde{\pi }}[\gamma =\alpha _c] \ge \mathrm{Pr}_{\tilde{\pi }}[\gamma =\alpha _c\wedge \mathsf{Correct}] \ge (1-\mathsf{negl}(n))\cdot \frac{1}{2^{f(n)}}. \end{aligned}$$

In addition, since the inner-product function $H_{r_\sigma }(x)=\langle x,r_\sigma \rangle $ is a universal hash function (for randomly chosen $r_\sigma $), and since$r_{\sigma }$ is independent of $\alpha _c,\gamma $, it holds that $\mathrm{Pr}\left[ \langle \alpha _c,{r_\sigma }\rangle =\langle \gamma ,{r_\sigma }\rangle \mid \gamma \ne \alpha _c\right] =\frac{1}{2}$. Combining the above, we conclude that:

$$\begin{aligned} \mathrm{Pr}[\mathsf{out}=b_\sigma ]= & {} \mathrm{Pr}[\gamma =\alpha _c]+\mathrm{Pr}[\langle \alpha _c,{r_\sigma }\rangle =\langle \gamma ,{r_\sigma }\rangle \mid \gamma \ne \alpha _c]\cdot \left( 1-\mathrm{Pr}[\gamma =\alpha _c]\right) \\= & {} \mathrm{Pr}[\gamma =\alpha _c]+\frac{1}{2}\cdot \left( 1-\mathrm{Pr}[\gamma =\alpha _c]\right) \\= & {} \frac{1}{2}+\frac{1}{2}\cdot \mathrm{Pr}[\gamma =\alpha _c]\\= & {} \frac{1}{2}+\frac{1}{2}\cdot \frac{1}{2^{f(n)}}-\mathsf{negl}'(n)\ge \frac{1}{2}+\frac{1}{2^{f(n)+2}} \end{aligned}$$

for all large enough n’s. (The last inequality may not hold for small values of n.)

We proceed to prove privacy, by constructing $\mathcal{S}_{\tilde{S}}$ and $\mathcal{S}_{\tilde{R}}$ as required. We start by constructing the simulator $\mathcal{S}_{\tilde{S}}$ for the case that the sender is corrupted. To prove this, we use the fact that the original protocol $\pi $ is secure in the presence of malicious adversaries. Consider a malicious adversary $\mathcal{A}$ for $\pi $ that controls the sender and learns its input $\alpha _0,\alpha _1\in \{0,1\}^{n}$. $\mathcal{A}$ follows the honest strategy for S except that it chooses random bits $\beta _1,\ldots ,\beta _n$ and then in the jth call to the ideal OT functionality, it uses $\beta _j$ as both sender-inputs to the OT call (ensuring that R receives $\beta _j$). We stress that in the rest of the execution, it behaves as if it has used the correct inputs that were supposed to be sent to the OT calls. Observe that the view of $\mathcal{A}$ in an execution of $\pi $ is identically distributed to the view of $\tilde{S}$ in the simulation of $\pi $ run in Step 5.3 of Protocol 5.3. Let $\mathcal{SIM}$ be the simulator that is guaranteed to exist for $\mathcal{A}$ by the security of $\pi $. We construct the simulator $\mathcal{S}_{\tilde{S}}$ using $\mathcal{SIM}$:

Construction 5.4

($\mathcal{S}_{\tilde{S}}$): Upon input $b_0,b_1\in \{0,1\}$, simulator $\mathcal{S}_{\tilde{S}}$ works as follows:

1.
$\mathcal{S}_{\tilde{S}}$ chooses two random strings $\alpha _0,\alpha _1\in _R\{0,1\}^{n}$ and runs $\mathcal{SIM}$ with sender-inputs $\alpha _0,\alpha _1$. Let $v_S$ be the sender-view output by $\mathcal{SIM}$ at the end of its execution ($\mathcal{SIM}$ also sends input to the trusted party, but this is ignored by $\mathcal{S}_{\tilde{S}}$).
2.
$\mathcal{S}_{\tilde{S}}$ chooses two random strings $c_0,c_1\in _R\{0,1\}^{n}$ as the message received from $\tilde{R}$ in Step 5.3 of Protocol 5.3, and outputs $v_{\tilde{S}}=(v_S,c_0,c_1)$.

The fact that $\mathcal{S}_{\tilde{S}}$ is a good simulator follows immediately from the fact that $\mathcal{SIM}$ generates a sender view that is indistinguishable from what $\mathcal{A}$ would see in a real execution of $\pi $. Since we have already observed that the view of $\tilde{S}$ in Step 5.3 of Protocol 5.3 is identical to the view of $\mathcal{A}$ above in $\pi $, it follows that $v_S$ is indistinguishable from $\tilde{S}$’s view in Step 5.3 of Protocol 5.3. Next observe that a distinguisher $\mathcal{D}$ for $\mathcal{SIM}$ and $\pi $ obtains the input/output used $(\alpha _0,\alpha _1,c)$ and thus can extend the view of the sender to include $c_0,c_1$ where $c_\sigma =c$, and c is the input of R into the execution of $\pi $ with $\mathcal{A}$ (we can assume that D knows $\sigma $ as auxiliary input). Thus, the view of $\tilde{S}$ in Protocol 5.3 (resp., as generated by simulator $\mathcal{S}_{\tilde{S}}$) can be perfectly constructed by $\mathcal{D}$ from the real view $v_S$ of S in $\pi $ (resp., from a simulated view $v_S$ of S as generated by $\mathcal{SIM}$). This implies that if the output of $\mathcal{S}_{\tilde{S}}$ can be distinguished from the view of $\tilde{S}$ in a real execution of Protocol 5.3, then the output of $\mathcal{SIM}$ can be distinguished from the view of $\mathcal{A}$ in a real execution of $\pi $, in contradiction to the security of $\pi $ with simulator $\mathcal{SIM}$. The formal reduction is straightforward.

We now proceed to construct a simulator $\mathcal{S}_{\tilde{R}}$ for the case that the receiver is corrupted. As above, we consider a malicious adversary $\mathcal{A}$ for $\pi $ as follows. $\mathcal{A}$ receives the receiver’s input $c\in \{0,1\}^{n}$ and follows the honest receiver strategy except that in each of the calls to the ideal OT functionality, it chooses a random bit $\beta _j$ and proceeds with $\beta _j$ as the output of the ideal OT. Let $\mathcal{SIM}$ be the simulator that is guaranteed to exist for $\mathcal{A}$ by the security of $\pi $. We use it construct the simulator $\mathcal{S}_{\tilde{R}}$ (recall that $\mathcal{SIM}$ works in the setting for malicious adversaries and thus interacts with a trusted party and sends a receiver-input which is not necessarily the prescribed receiver-input):

Construction 5.5

($\mathcal{S}_{\tilde{R}}$): Upon input $\sigma ,b_\sigma \in \{0,1\}$, simulator $\mathcal{S}_{\tilde{R}}$ works as follows:

1.
$\mathcal{S}_{\tilde{R}}$ chooses three random strings $\alpha _0,\alpha _1,c\in _R\{0,1\}^{n}$.
2.
$\mathcal{S}_{\tilde{R}}$ runs $\mathcal{SIM}$ with receiver-input c.
3.
When $\mathcal{SIM}$ sends some $c^*\in \{0,1\}^{n}$ to the trusted party, $\mathcal{S}_{\tilde{R}}$ hands $\alpha _{c^*}$ as the receiver-output to $\mathcal{SIM}$ from the trusted party. Let $v_R$ be the output of $\mathcal{SIM}$.
4.
$\mathcal{S}_{\tilde{R}}$ chooses random strings $c',r_0,r_1\in _R\{0,1\}^{n}$, and sets $c_\sigma =c$ and $c_{1-\sigma }=c'$. Then, $\mathcal{S}_{\tilde{R}}$ computes $z_\sigma =\langle r_\sigma ,\alpha _{c_\sigma }\rangle \oplus b_\sigma $ and sets $z_{1-\sigma }\in _R\{0,1\}$ to be a random bit.
5.
$\mathcal{S}_{\tilde{R}}$ outputs a receiver-view $(c_0,c_1,v_R,r_0,z_0,r_1,z_1)$. (Note that $c_0,c_1$ are actually part of $\tilde{R}$’s random tape, since they are chosen by $\tilde{R}$.)

In order to show that $\mathcal{S}_{\tilde{R}}$ is a “good simulator,” we construct a hybrid simulator $\mathcal{S}^h$ and show that its output is indistinguishable both from the output of the real simulator and the view of the receiver in the real execution of the protocol.

$\mathcal{S}^h$ receives as input $\sigma $ and $b_0,b_1$ (in contrast to $\mathcal{S}_{\tilde{R}}$ which receives only $\sigma $ and $b_\sigma $) and works exactly as $\mathcal{S}_{\tilde{R}}$ except that it lets $z_{1-\sigma }=\langle r_{1-\sigma },\alpha _{c_{1-\sigma }}\rangle \oplus b_{1-\sigma }$ (rather than a random bit).

We begin by proving that the output of $S^h$ is indistinguishable from the output of the receiver $\tilde{R}$’s view in a real execution of Protocol 5.3. That is:

$$\begin{aligned} \left\{ \mathcal{S}^h(1^n,\sigma ,b_0,b_1)\right\} _{b_0,b_1,\sigma \in \{0,1\},n\in {\mathbb N}}{\mathop {\equiv }\limits ^\mathrm{c}}\left\{ \textsc {View}^{\tilde{\pi }}_{\tilde{R}}(1^n,b_0,b_1,\sigma )\right\} _{b_0,b_1,\sigma \in \{0,1\},n\in {\mathbb N}}. \end{aligned}$$

The only difference between the two distributions is that in $\textsc {View}^{\tilde{\pi }}_{\tilde{R}}(1^n,b_0,b_1,\sigma )$, $\pi $ is actually executed, and hence, elements in $\textsc {View}^{\tilde{\pi }}_{\tilde{R}}(1^n,b_0,b_1,\sigma )$ include a real view of the adversarial receiver $\mathcal{A}$ in $\pi $, whereas in $\left\{ \mathcal{S}^h(1^n,\sigma ,b_0,b_1)\right\} _{b_0,b_1,\sigma \in \{0,1\},n\in {\mathbb N}}$, $\pi $ is not executed, and hence, elements in this distributions contain an output of $\mathcal{SIM}$. Hence, intuitively the assumption that $\mathcal{SIM}$ is a good simulator implies that the two distributions are indistinguishable. The formal proof of this is almost identical to the proof of (7) in Theorem 4.1.

We now prove that the output of the hybrid simulator $\mathcal{S}^h$ is statistically close to the output of the actual simulator $\mathcal{S}_{\tilde{R}}$. That is,

$$\begin{aligned} \left\{ \mathcal{S}_{\tilde{R}}(1^n,\sigma ,b_{\sigma })\right\} _{b_0,b_1,\sigma \in \{0,1\},n\in {\mathbb N}} {\mathop {\equiv }\limits ^\mathrm{s}}\left\{ \mathcal{S}^h(1^n,\sigma ,b_0,b_1)\right\} _{b_0,b_1,\sigma \in \{0,1\},n\in {\mathbb N}}. \end{aligned}$$

The only difference between the two is that in $\mathcal{S}_{\tilde{R}}(1^n,\sigma ,b_{\sigma })$, it holds that $z_{1-\sigma }$ is a random bit, whereas in $\mathcal{S}^h(1^n,\sigma ,b_0,b_1)$, we have that $z_{1-\sigma }=\langle r_{1-\sigma },\alpha _{c_{1-\sigma }}\rangle \oplus b_{1-\sigma }$. However, we show that since $c_{1-\sigma }=c'$ is chosen at random independently of the execution, and since $\mathcal{SIM}$ learns only the bits in the sender’s input that correspond to $c^*$, with high probability there is enough uncertainty about $\langle \alpha _{c_{1-\sigma }},r_{1-\sigma }\rangle $ and thus $z_{1-\sigma }$ is statistically close to a random bit.

To prove this formally, we first note that a receiver-view $v_{\tilde{R}}$ of Protocol 5.3 contains a receiver-view $v_R$ in $\pi $, the strings c and $c'$ and $r_0,r_1,z_0,z_1$. We note that it does not necessarily contain $c^*$ and $\alpha _{c^*}$ (yet we include them anyway for clarity, and since this only strengthens the claim). Moreover, note that $v_R,c,c',c^*,\alpha _{c^*}, r_0,r_1$ and $z_\sigma $ are generated exactly the same in both distributions and hence are identically distributed. We now restate what we want to prove. For every $\sigma ,b_0,b_1\in \{0,1\}$, we show that

$$\begin{aligned}&\left\{ v_R,c,c',c^*,\alpha _{c^*},r_0,r_1,\langle r_\sigma ,\alpha _c\rangle ,\langle r_{1-\sigma },\alpha _{c'}\rangle \right\} \nonumber \\&\quad {\mathop {\equiv }\limits ^\mathrm{s}}\left\{ v_R,c,c',c^*,\alpha _{c^*},r_0,r_1,\langle r_\sigma ,\alpha _c\rangle ,U_1\right\} \end{aligned}$$

(10)

where $U_1$ is a random variable that is uniformly distributed over $\{0,1\}$. It suffices to show that, except with negligible probability, there exists an index $j\in \{1,\ldots ,n\}$ such that $c'_j\ne c^*_j$, $r_{1-\sigma }^j=1$ and $r_\sigma ^j=0$. This is due to the fact that if this holds then since $c'_j\ne c^*_j$ the receiver does not learn anything about $\alpha ^j_{c'_j}$ (by the security of $\pi $). In addition, since the jth bit of $\alpha _c$ is zeroed by $r_\sigma ^j$, the value $\langle r_\sigma ,\alpha _c\rangle $ reveals nothing about $\alpha ^j_{c'_j}$. (Note that $\alpha _c^j$ may be correlated with $\alpha ^j_{c'_j}$, and thus, this is needed.) Finally, since $r_{1-\sigma }^j=1$, it follows that $r_{1-\sigma }^j\cdot \alpha ^j_{c'_j}=\alpha ^j_{c'_j}$ and so is uniformly distributed. This implies that $\langle r_{1-\sigma },\alpha _{c'}\rangle $ is uniformly distributed since $\langle r_{1-\sigma },\alpha _{c'}\rangle = (\sum _{i\ne j} r_{1-\sigma }^i\cdot \alpha ^i_{c'_i}) + \alpha ^j_{c'_j} \bmod 2$. Observing now that $r_0,r_1,c'$ are all chosen at random and are of length n, a straightforward calculation yields that such a j exists except with at most negligible probability. This completes the proof of (10), demonstrating that Protocol 5.3 is a weak-OT protocol.

Step 2: full OT from weak-OT It remains to show that any weak-OT protocol can be transformed into an OT that is fully correct and secure in the presence of semi-honest adversaries. This is achieved by simply running multiple executions of the weak-OT protocol and taking the majority result. By the Chernoff bound, if enough executions are run (say, $n\cdot p^2(n)$ where correctness is guaranteed with probability $\frac{1}{2}+\frac{1}{p(n)}$), then the majority result will be the correct one, except with negligible probability. Furthermore, the simulation is carried out by simply running the simulators of the weak-OT for each repetition; a standard hybrid argument (as used to prove sequential composition) shows that this yields a satisfactory simulation for the repeated protocol.

We conclude that the existence of an OT-extension protocol that is secure for malicious adversaries and uses a logarithmic number of calls implies the existence of semi-honest OT. In order to show the existence of OT secure in the presence of malicious adversaries, one can simply apply the GMW compiler [7] (using the fact that OT implies one-way functions, or alternatively one could use the compilation of [10]).$\square $

Notes

We remark that that in the erasures model, an OT-extension can be constructed from one-way functions using the original construction of Beaver and the two-party computation protocol of [14] that is adaptively secure with erasures and is based on Yao’s protocol. Thus, this question is of interest only for the non-erasure model.
We stress that this argument does not hold if we considered only the outputs $\omega _j$ of the ideal OT calls, and not both the input $\tau _j$ and output $\omega _j$. This is because the consistency of $r_S$ with t and $\{\omega _i\}_{i=1}^n$ just guarantees that one of the inputs sent by S is $\omega _j$; it does not guarantee that this is the output received by R. For example, consider the case that R inputs a random bit, and the sender-inputs $(b,\overline{b})$ for a random b. The sender’s tape $r_S$ is consistent with t and any $\omega _j\in \{0,1\}$ since there exists a receiver’s tape $r_R$ for which R receives $\omega _j$. However, there also exists a receiver’s tape $r_R'$ that is in $\mathsf{R}_\mathsf{All}$ (because there exists a sender tape providing consistency), but the pair $(r_S,r_R')$ is not consistent. Thus, although seemingly trivial, this argument requires care and only holds since we consider both the inputs and outputs to the ideal OT calls.
In [3] a Yao garbled circuit is used which is binding when instantiated with known encryption methods. Likewise, [11] uses correlation-robust hash functions for which it is hard to find collisions, which is exactly what is needed in order to “explain the transcript” in different ways as is needed for proving adaptive security.
We say that a view is consistent with inputs and outputs if when running the party on the given view and input, it outputs the correct output.
Note that we cannot cast this as a special case of Definition 2.3 since full correctness is required there by stating that $\pi $ computes f.

References

W. Aiello, Y. Ishai, O. Reingold, Priced oblivious transfer: how to sell digital goods, in EUROCRYPT 2001. LNCS, vol. 2045 (Springer, Berlin, 2001), pp. 110–135
D. Beaver, Precomputing oblivious transfer, in CRYPTO’95. LNCS vol. 963 (Springer, Berlin, 1995), pp. 97–109
D. Beaver. Correlated pseudorandomness and the complexity of private computations, in The 28th STOC (1996), pp. 479–488
R. Canetti. Security and Composition of Multiparty Cryptographic Protocols. J. Cryptol., 13(1), 143–202 (2000)
Article MathSciNet MATH Google Scholar
S. Even, O. Goldreich, A. Lempel. A Randomized Protocol for Signing Contracts. In Commun. ACM, 28(6), 637–647 (1985)
Article MathSciNet MATH Google Scholar
Y. Gertner, S. Kannan, T. Malkin, O. Reingold, M. Viswanathan, The relationship between public key encryption and oblivious transfer, in The 41st FOCS (2000), pp. 325–335
O. Goldreich, S. Micali, A. Wigderson, How to play any mental game—a completeness theorem for protocols with honest majority, in 19th STOC, pp 218–229, 1987. For details see [10]
O. Goldreich. A Note on Computational Indistinguishability. Inf. Process. Lett., 34(6), 277–281 (1990)
Article MathSciNet MATH Google Scholar
O. Goldreich. Foundations of Cryptography: Volume 2 – Basic Applications (Cambridge University Press, Cambridge, 2004)
Book MATH Google Scholar
I. Haitner, Y. Ishai, E. Kushilevitz, Y. Lindell and E. Petrank. Black-Box Constructions of Protocols for Secure Computation. SIAM J. Comput., 40(2), 225–266 (2011)
Article MathSciNet MATH Google Scholar
Y. Ishai, J. Kilian, K. Nissim, E. Petrank. Extending oblivious transfer efficiently, in CRYPTO 2003. LNCS, vol. 2729 (Springer, Berlin, 2003), pp. 145–161
R. Impagliazzo, D. Zuckerman. How to recycle random bits, in the $30$ th FOCS (1989), pp. 248–253
J. Kilian. Founding cryptography on oblivious transfer, in the 20th STOC (1988), pp. 20–31
Y Lindell, Adaptively secure two-party computation with erasures, in CT-RSA 2009. LNCS vol. 5473 (Springer, Berlin, 2009) pp. 117–132
Y. Lindell, H. Zarosim, Adaptive zero-knowledge proofs and adaptively secure oblivious transfer. J. Cryptol. 24(4). 761–799 (2011). An extended abstract appeared in the $6$ th TCC. LNCS vol. 5444 (Springer, Berlin, 2009), pp. 183–201
M. Rabin, How to exchange secrets by oblivious transfer. Tech. Memo TR-81 (Aiken Computation Laboratory, Harvard University, 1981)
S. Wolf, J. Wullschleger. Oblivious transfer is symmetric, in EUROCRYPT 2006. LNCS vol. 4004 (Springer, Berlin, 2006), pp. 222–232
A. Yao, How to generate and exchange secrets, in 27th FOCS (1986), pp. 162–167

Download references

Author information

Authors and Affiliations

Department of Computer Science, Bar-Ilan University, Ramat Gan, Israel
Yehuda Lindell & Hila Zarosim

Authors

Yehuda Lindell
View author publications
You can also search for this author in PubMed Google Scholar
Hila Zarosim
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Hila Zarosim.

Additional information

Communicated by Eike Kiltz.

This research was supported by the israel science foundation (Grant No. 189/11). Hila Zarosim is grateful to the Azrieli Foundation for the award of an Azrieli Fellowship.

OT is Symmetric

In this section, we restate the theorem from [17] and prove it for the case of adaptive semi-honest adversaries (which is the case needed for Sect. 4.1). We first start with a graphical description of the role-reversing OT, as shown in Figure 1.

Theorem A.1

(From [17]) There exists a perfectly secure reduction from an OT protocol to an OT protocol where the roles of the sender and the receiver are reversed. Furthermore, the reduction uses one invocation of the inner OT protocol.

Theorem A.1 is proved in [17] with respect to static semi-honest and malicious adversaries. We now prove in Claim A.2 that the transformation is secure with respect to adaptive semi-honest adversaries.

Claim A.2

The reduction described in Figure 1 is secure with respect to adaptive semi-honest adversaries.

Proof

Let $\mathcal{A}$ and $\mathcal{Z}$ be an adaptive semi-honest real-life adversary and an environment for the protocol given in Figure 1, we construct a simulator $\mathcal{SIM}$ such that the view of $\mathcal{Z}$ in a real execution of $\pi $ with $\mathcal{A}$ is computationally indistinguishable from its view in an ideal execution of the OT functionality with the simulator $\mathcal{SIM}$.

The description of $\mathcal{SIM}$ consists of 2 parts: simulating the run of the protocol and simulating corruption of the parties.

Simulating the run of the protocol

We divide the description of the simulator into cases as follows:

Simulating the invocation of the reversed-OT protocol:
1. 1.
  None of the parties is corrupted: $\mathcal{SIM}$ does not need to simulate anything.
2. 2.
  Only the sender S is corrupted: $\mathcal{SIM}$ obtains $b_0\oplus b_1$ from $\mathcal{A}$ (we recall that $\mathcal{A}$ is semi-honest), chooses a random bit $a_\mathcal{SIM}$ as the output of the reversed $OT^2_1$ and hands it to $\mathcal{A}$.
3. 3.
  Only the receiver R is corrupted: $\mathcal{SIM}$ obtains r and $r\oplus \sigma $ from $\mathcal{A}$ and does nothing.
4. 4.
  Both parties are corrupted: $\mathcal{SIM}$ obtains r, $r\oplus \sigma $ and $b_0\oplus b_1$ and hands the correct output of the reversed-OT functionality to S.
Simulating the message m:
1. 1.
  The sender S is corrupted: $\mathcal{SIM}$ obtains $m=b_0\oplus a$ from $\mathcal{A}$ (remember that $\mathcal{A}$ is semi-honest) and sets it as the message sent by the sender.
2. 2.
  The sender is not corrupted:
  1. (a)
    If the receiver is corrupted, $\mathcal{SIM}$ knows $\sigma $ and r. It sends $\sigma $ to the trusted party and learns the output $b_\sigma $ of the functionality. $\mathcal{SIM}$ then sets $m_\mathcal{SIM}=b_\sigma \oplus r$.
  2. (b)
    If the receiver is not corrupted, $\mathcal{SIM}$ chooses a random bit $m_\mathcal{SIM}$ and sets it as the message sent by the sender.

Simulating corruptions.

1.
$\mathcal{A}$ corrupts the sender after the invocation of the reversed OT protocol: $\mathcal{SIM}$ obtains the input $b_0,b_1$ of the sender, and:
1. (a)
  If the receiver is already corrupted, $\mathcal{SIM}$ knows r and $r\oplus \sigma $ and hands the correct output of the reversed-OT that is specified by $b_0\oplus b_1$ to $\mathcal{A}$.
2. (b)
  If the receiver is not corrupted, $\mathcal{SIM}$ chooses a random bit $a_\mathcal{SIM}$ as the output of the reversed-OT and hands it to $\mathcal{A}$.
2.
$\mathcal{A}$ corrupts the receiver after the invocation of the reversed OT: $\mathcal{SIM}$ obtains the input $\sigma $ of the receiver, and:
1. (a)
  If the sender is already corrupted, then $\mathcal{SIM}$ knows $b_o\oplus b_1$ and a random bit $a_\mathcal{SIM}$ was already chosen by $\mathcal{SIM}$ as the output of the reversed OT. If $b_0\oplus b_1=0$, then $\mathcal{SIM}$ lets $r=a_\mathcal{SIM}$ and if $b_0\oplus b_1=1$, then $\mathcal{SIM}$ lets $r=a_\mathcal{SIM}\oplus \sigma $ (so that $r\oplus \sigma =a_\mathcal{SIM}$).
2. (b)
  If the sender is not corrupted, $\mathcal{SIM}$ does nothing.
3.
$\mathcal{A}$ corrupts the sender after the transmission of m or at the post-execution phase: $\mathcal{SIM}$ obtains the input $b_0,b_1$ of the sender, and:
1. (a)
  If the receiver is already corrupted, then by Step 2a of the simulation, we know that $m_\mathcal{SIM}=b_\sigma \oplus r$. Now, if $b_0\oplus b_1=0$, then $\mathcal{SIM}$ lets $a_\mathcal{SIM}= r$, and if $b_0\oplus b_1 =1$, then $\mathcal{SIM}$ lets $a_\mathcal{SIM}= r\oplus \sigma $. Note that indeed $m_\mathcal{SIM}=b_0\oplus a$, as specified by the protocol: If $b_0 = b_1$, then $m_\mathcal{SIM}=b_\sigma \oplus r =b _0 \oplus a_\mathcal{SIM}$, and if $b_0 \ne b_1$, then $m_\mathcal{SIM}=b_\sigma \oplus r =b_\sigma \oplus a_\mathcal{SIM}\oplus \sigma = b_\sigma \oplus \sigma \oplus a_\mathcal{SIM}=b_0\oplus a_\mathcal{SIM}$.
2. (b)
  If the receiver is not corrupted, then $m_\mathcal{SIM}$ is a random bit. $\mathcal{SIM}$ lets $a_\mathcal{SIM}= b_0 \oplus m_\mathcal{SIM}$ and hands it to $\mathcal{A}$ as the output of the reversed OT.
4.
$\mathcal{A}$ corrupts the receiver after the transmission of m or at the post-execution phase: $\mathcal{SIM}$ obtains the input $\sigma $ of the receiver, and:
1. (a)
  If the sender is already corrupted, then $a_\mathcal{SIM}$ is a random bit and $m=b_0\oplus a_\mathcal{SIM}$. If $b_0\oplus b_1=0$, then $\mathcal{SIM}$ lets $r=a_\mathcal{SIM}$ and if $b_0\oplus b_1=1$, then $\mathcal{SIM}$ lets $r=a_\mathcal{SIM}\oplus \sigma $.
2. (b)
  If the sender is not corrupted, $m_\mathcal{SIM}$ is a randomly chosen bit.

We conclude by noting that in each step of the simulation, the parties obtain exactly what they are supposed to obtain by the specification of the protocol, and hence, the simulation described above is a perfect simulation.$\square $

Rights and permissions

Reprints and permissions

About this article

Cite this article

Lindell, Y., Zarosim, H. On the Feasibility of Extending Oblivious Transfer. J Cryptol 31, 737–773 (2018). https://doi.org/10.1007/s00145-017-9269-5

Download citation

Received: 12 May 2013
Revised: 21 September 2017
Published: 04 December 2017
Issue Date: July 2018
DOI: https://doi.org/10.1007/s00145-017-9269-5

Use our pre-submission checklist

Avoid common mistakes on your manuscript.

On the Feasibility of Extending Oblivious Transfer

Abstract

Similar content being viewed by others

On the Feasibility of Extending Oblivious Transfer

More Efficient Oblivious Transfer Extensions

Extending Oblivious Transfer Efficiently

1 Introduction

1.1 Background: Extending Oblivious Transfer

1.2 This Paper: A Feasibility Study of OT-Extensions

Theorem 1.1

Theorem 1.2

Theorem 1.3

1.3 Open Questions

2 Preliminaries

2.1 Definitions and Notations

Definition 2.1

2.1.1 Interactive Protocols

Definition 2.2

Definition 2.3

2.1.2 Security in the Presence of Malicious Adversaries

2.1.3 The Hybrid Model

2.1.4 Oblivious Transfer and Extensions

Definition 2.4

Definition 2.5

2.2 OT Precomputation and Extending Extensions

Proposition 2.6

Proof

Claim 2.7

Proof

2.3 A Lemma on Statistical Distance

Lemma 2.8

Proof

3 OT-Extensions Imply One-Way Functions

Theorem 3.1

Proof

Theorem 3.2

Lemma 3.3

Proof

Claim 3.4

Proof

Corollary 3.5

Claim 3.6

Proof

Corollary 3.7

Lemma 3.8

Proof

Claim 3.9

Proof

Claim 3.10

Proof

4 Adaptive Security

Theorem 4.1

Proof

Protocol 4.2

Construction 4.3

Corollary 4.4

5 OT-Extensions Require Superlogarithmic Calls

Theorem 5.1

Proof

Definition 5.2

Protocol 5.3

Construction 5.4

Construction 5.5

Notes

References

Author information

Authors and Affiliations

Corresponding author

Additional information

OT is Symmetric

OT is Symmetric

Theorem A.1

Claim A.2

Proof

Rights and permissions

About this article

Cite this article

Share this article

Search

Navigation