International Association for Cryptologic Research (IACR)
Abstract
In 1-out-of-q Oblivious Transfer (OT) protocols, a sender Alice is able to send one of q≥2 messages to a receiver Bob, all while being oblivious to which message was transferred. Moreover, the receiver learns only one of these messages. Oblivious Transfer combiners take n instances of OT protocols as input, and produce an OT protocol that is secure if sufficiently many of the n original OT instances are secure.
We present new 1-out-of-q OT combiners that are perfectly secure against active adversaries. Our combiners arise from secret sharing techniques. We show that given an $\mathbb{F}_q$-linear secret sharing scheme on a set of n participants and adversary structure $\mathcal{A}$, we can construct n-server, 1-out-of-q OT combiners that are secure against an adversary corrupting either Alice and a set of servers in $\mathcal{A}$, or Bob and a set of servers $B$ with $\overline{B} \notin \mathcal{A}$. If the normalized total share size of the scheme is $\ell$, then the resulting OT combiner requires $\ell$ calls to OT protocols, and the total amount of bits exchanged during the protocol is $(q^2+q+1)\,\ell \log q$.
We also present a construction based on 1-out-of-2 OT combiners that uses the protocol of Crépeau, Brassard and Robert (FOCS 1986). This construction provides smaller communication costs for certain adversary structures, such as threshold ones: For any prime power q≥n, there are n-server, 1-out-of-q OT combiners that are perfectly secure against active adversaries corrupting either Alice or Bob, and a minority of the OT candidates, exchanging $O(qn \log q)$ bits in total.