An Efficient Outsourced Oblivious Transfer Extension Protocol and Its Applications

Oblivious transfer (OT) is a cryptographic primitive originally used to transfer a collection of messages from the sender to the receiver in an oblivious manner. OT extension protocol reduces expensive asymmetric operations by running a small number of OT instances first and then cheap symmetric operations. While most earlier works discussed security model or communication and computation complexity of OT in general case, we focus on concrete application scenarios, especially where the sender in the OTprotocol is a database with less computation and limited interaction capability. In this paper, we propose a generic outsourced OTextension protocol (OTex) that outsources all the asymmetric operations of the sender to a semihonest server so as to adapt to specific scenarios above. We give OTex a standard security definition, and the proposed protocol is proven secure in the semihonest model. InOTex, the sender works on the fly and performs only symmetric operations locally.Whatever the number of rounds OT to be executed and the length of messages in OT to be sent, our protocol realizes optimal complexity. Besides, OTex can be used to construct high-level protocols, such as private membership test (PMT) and private set intersection (PSI). We believe our OTex construction may be a building block in other applications as well.


Introduction
Oblivious transfer (OT) is one of the most important primitives in secure computation. It is wildly used in Yao's protocol [1], GMW construction [2], and preprocessing phase of SPDZ-like [3] protocols. With the development of big data, cloud computing, and mobile computing, the demand for joint computation grows rapidly between different organizations and individuals. In order to ensure the security of such computing tasks against complicated external environment, cryptographic components have to be used to design protocols, in which OT plays a pivotal role together with homomorphic encryption, secret sharing, and garbled circuit.
However, OT is public-key primitive centered, which makes it computational expensive for secure computation. Many privacy-preserving protocols, such as private membership test (PMT) and private set intersection (PSI), rely heavily on huge number of OT instances for secure computation to get the trade-off between computation and communication. e most efficient way to produce many OT instances is through OT extension protocol [4,5]. In such protocol, two participants collectively run few "base" OT instances and then perform some cheap symmetric operations to produce many OT instances.

Motivation.
In an OT extension protocol, the sender S needs to interact with the receiver R for each step during the protocol, which involves exponential calculation and intensive interaction. In some application scenarios, however, S could be a mobile device with less computation power or a database holder with limited interaction capability. When invoking OT extension as a subprotocol in some more complex computation tasks, S needs to respond requests from R as fast as possible.
Nowadays, many applications are rapidly transferred to cloud-based service, and it would be desired to seek some server-aided OT extension protocol to relief the burden of S under reasonable security assumption. A considerable literature [6][7][8][9][10][11][12] has grown up around the theme of fertilizing functionality of OTor optimizing communication cost of the receiver R. However, far too little attention has been paid to investigate sender side of OT adapting to specific scenarios.
To this end, we propose a generic outsourced oblivious transfer extension protocol (OTex) in the semihonest model. In OTex, the sender S first outsources all expensive asymmetric operations to a third party who runs a subprotocol called "base" OT instances with the receiver R. Based on the corresponding outputs of the subprotocol and other auxiliary information, S generates symmetric keys used to encrypt sending messages in OT. As a result, the sender S works on the fly and sends its inputs encrypted by symmetric key generated from OTex to the receiver R, and thus, it enables two parties to complete the whole OT extension protocol.
Recent trends in OT extension have led to a proliferation of studies showing how to design an efficient PSI [13][14][15][16][17] or PSI-based protocols [18][19][20][21] in different secure models since OT extension protocol is an important component in secure computation and plays a key role in set operations. Take PSI as an example, without violating individuals' privacy, and the use of PSI in contact tracing [21] can help prevent the further spread of COVID-19. erefore, OTex framework has a wide range of applications in outsourced scenarios, and as a building block, we think OTex can be applied conveniently to high-level protocols.

Related Work.
Rabin [22] first introduced the notion of OT that the receiver receives a message sent from the sender with probability 1/2 and the sender does not know whether the receiver has received the message or not. en, a line of works seek to enrich functionality of OT, and they mainly consist of 1-out-of-2 OT [6], 1-out-of-n OT [7,8], and k-outof-n OT [9,10], in which the first two functionalities are considered in this paper. Some researchers [23][24][25] proposed OT protocols in different security models although we focus on semihonest model that is sufficient enough to deploy our framework in future among including malicious model, covert adversary model, and universally composable model.
Because OT is public-key primitive centered, the issue of efficiency has received considerable critical attention after Rabin's work [22]. Beaver [26] showed that OT can be precomputed using only prior transfers. Studies over the past two decades have proved that extending a small number of OT to huge number of OT instances can be achieved by one-way function [27][28][29]. Until 2003, Ishai et al. [4] proposed an efficient method to extend 1-out-of-2 OTs by running few "base" OT instances, which is also known as the IKNP OT extension protocol. Kolesnikov and Kumaresan [5] generalized IKNP from a coding understanding and proposed an improved OT extension protocol allowing to do 1-of-out-n OTs with less communication and computation cost. Lindell et al. [11] studied input-size hiding two-party computation based on fully homomorphic encryption (FHE) and proposed a secure OT extension protocol to reduce the communication cost of both the sender and receiver. Cho et al. [12] focused on the receivers' communication cost in OT and proposed laconic OT protocol based on the decisional Diffie-Hellman (DDH) assumption. Carter et al. [30] proposed outsourced OT protocol specifically for the mobile use-case where the cloud receives outputs of OT. Recently, Mansy and Rindal proposed [31] noninteractive OTs from noninteractive key exchange. However, the resulting OT extension would require 3 rounds. e research to date has tended to focus more on the cost of the receiver and less on the sender in OT, and there are few studies that have investigated computation and communication complexity on sender side. e aim of this work is to explore the cost of sender in OT and construct efficient OT extension framework assisted by a third party. In addition, OT extension provides a brief but useful account of the construction of oblivious pseudorandom function (PRF). Also, oblivious PRF has been attracting a lot of interest in very recent years, such as multiparty PSI [14], PSI cardinality [21], and private set union [32]. is indicates a need to adapt OT extension to outsourcing scenarios due to practical constraints.

Our Contribution.
In this paper, we focus on serveraided OT to reduce the sender's public-key computation and rounds of interaction with the receiver. Main contributions of our work go as follows: (i) We propose a generic outsourced OT extension protocol (OTex). In OTex, the server and the receiver cooperatively run a small number of OT instances, and at this moment, the sender can be offline. After the first phase, the sender can fetch necessary corelated randomness from the server whenever needed; then, the sender can send their inputs encrypted only by a symmetric key to the receiver, which completes an OT instance. We design a novel mechanism for this purpose and formally prove its security under semihonest model. (ii) We analyze the complexity of our construction and perform implementation, and the experiment shows that our construction is practical and efficient. (iii) Our OTex construction can be applied to improve the efficiency of OT-based privacy-preserving primitives in server-aided setting, such as oblivious pseudorandom function, and high-level protocols, such as PMT and PSI, which is of independent interest.

Notation.
Unless otherwise stated, we use OT to denote 1-out-of-2 OT and OT k l to denote k instances of 1-out-of-2 OT of l-bit strings. For simplicity, let H(·) denote random oracles with a suitable secure output length, which will be well defined in an actual protocol. Matrices are denoted by capital letters, and vectors are denoted by small bold letters; that is, t i denotes the i-th row of a matrix T, and t j denotes the j-th column of T. Small light front with subscript s i denotes the i-th bit of a string s. Notably, we regard strings as vectors and do not distinguish the difference between strings and vectors. If s � s 1 ‖ · · · ‖s n and t � t 1 ‖ · · · ‖t n are two strings, then the notation s ⊕ t denotes (s 1 ⊕ t 1 )‖ · · · ‖(s n ⊕ t n ). Similarly, the notation s ⊙ t denotes the vector (s 1 · t 1 )‖ · · · ‖(s n · t n ). Specially, when c ∈ 0, 1 { }, c · s denotes the vector (c · s 1 )‖ · · · ‖(c · s n ).

Secure Computation and Security Model.
e formal definition of security of a secure multiparty protocol [33] is based on comparing two output distributions coming from an ideal world and a real world, respectively. e functionality of three parties P 1 , P 2 , P 3 is denoted as f: and P i gets f i as output.
Ideal/reality Simulation Paradigm. In an ideal world, participants send the input to an external trusted party who computes the functionality and sends each participant the corresponding output. Suppose there exists an adversary who has the inputs and outputs of a protocol in the ideal world and executes attack against a real protocol, then there always be an adversary executing the same attack in the ideal world. In a real protocol, if no adversary can do more harm than the execution of the protocol in the ideal world, the protocol in the real world is said to secure. Computationally Indistinguishability. Two distribution probability ensembles X � X(a, n) n∈N are said to be computationally indistinguishable, denoted by X c ≡ Y, if for every nonuniform polynomial-time algorithm D, there exists a negligible function μ(·) such that for every a ∈ 0, 1 { } * and every n ∈ N: Semihonest Adversary Model. In the semihonest adversary model, corrupted participant must execute the protocol correctly. However, the adversary can comprehensively obtain the internal status of the corrupted party, e.g., the transcripts of all received messages, and then tries to obtain additional information that should be kept confidential. Semihonest model is sufficient and captures many scenarios in practice although it is a very weak adversary model.
In this paper, we focus on semihonest model and honest majority case where an adversary can corrupt at most one participant and any two participants will not get colluded. In the following, the formal security definition is proposed.
be a deterministic functionality and π be a three-party protocol for computing f. Given the security parameter κ and triple inputs (x, y, z), where x is from P 1 , y is from P 2 , and z is from P 3 , the view of where w ∈ x, y, z , r i is the randomness used by P i , and m j i is the j-th message received by P i ; the output of P i is denoted as output π i (x, y, z, κ), and the joint output of the parties is output π (x, y, z, κ) � (output π 1 (x, y, z, κ), output π 2 (x, y, z, κ), outpu t π 3 (x, y, z, κ)). We say that π securely computes f in the semihonest model if the following holds: (i) e correctness holds: (ii) ere exist probabilistic polynomial-time simulators S 1 , S 2 , and S 3 such that

OTex Security Model.
In OTex, a simpler definition can be used since two of three parties output nothing (see F OTex in Figure 1). Specifically, three parties P 1 , P 2 , P 3 stand for server S, sender S, and receiver R, respectively. e functionality of OTex can be given by simply writing where λ denotes the empty string. We still require correctness described above, and security meaning that there exist three simulators Sim S , Sim S , and Sim R such that of R, and ⊥ denotes null value.

OT Extension.
We start by introducing the definition of standard 1-out-of-2 OT, where a sender holding two messages (m 0 , m 1 ) interacts with a receiver holding a choice bit b. e 1-out-of-2 OT protocol guarantees that the receiver obtains m b without knowing anything about m 1−b , while the sender knows nothing about b. e ideal functionality for 1out-of-2 OT, denoted as F OT , is described in Figure 2.
In most settings, it is necessary to run a large number of OT instances at the same time. e multiexecution of OT is Security and Communication Networks called batch OT (see Figure 3) denoted as F OT m l . e IKNP OT extension protocol [4] is a real milestone in the development of OT research computing F OT m l efficiently. It is trivial to compute F OT m l by simultaneously running F OT m times although it leads to large costs on computation and communication. erefore, OT extension is the most efficient way for executing F OT m l instead of running m instances of OT in parallel.
As shown in Figure 3, the functionality of IKNP is that R receives messages x where c i denotes the i-th bit of c. In the IKNP protocol, after acting as the receiver in F OT and running it k times, S computes m pairs of symmetric keys denoted as . For each pair of symmetric keys (K 0 i , K 1 i ), R only knows the exact one according to his selection string, i.e., K . e key insight of IKNP OT extension is to execute such an OT-based key agreement between S and R in the following way: R forms m × k matrix T at random and then computes matrix U such that , and S acts as the receiver with selection bit s j . S receives q j after each computation of F OT and then forms matrix Q. For each column of matrix Q, it implies . e essential observation is that, for each row of matrix Q, it holds S prepares key pairs by K 0 i � H(q i ) and where t i is generated by R locally. In addition, due to the randomness of s chosen by S, R learns K with no more than a negligible probability (1/2 k ). en, S can execute just symmetric operations so as to encrypt each pair of messages using key pairs (K 0 i , K 1 i ) and sends m pairs of encrypted messages to R. Finally, R can decrypt the corresponding message for each message pairs under K c i i � H(t i ). As described above, the IKNP protocol begins with running F OT k times and then executes lots of symmetric operations to "extend" these OT instances, which are also called as "base" OTs.

Oblivious PRF.
Freedman et al. [34] proposed oblivious evaluation of pseudorandom function (OPRF) and gave a general construction of OPRF from OT. An OPRF is a two-party protocol where a sender P 1 inputting a random seed s obtains nothing while a receiver P 2 inputting an evaluation point x obtains f s (x) for some pseudorandom function family f s . e functionality of OPRF (see Figure 4) can be defined by (s, x)↦(λ, f s (x)).
A general definition of OPRF is that the receiver P 2 inputs an evaluation set X � x i and obtains the evaluations on a PRF in an oblivious manner, i.e., f s (x i ) . e functionality in Figure 4 can be regarded as a special and simplified case although it is sufficient to construct such an Functionality F Tex Let k be security parameter.
ree parties: sender S, receiver R, server .
(ii) Output: S has no outputs.
Let l Є N.Two parties: sender S and receiver R.
Let l, m Є N. Two parties: sender S and receiver R. 4 Security and Communication Networks efficient OPRF for some scenarios. In this paper, we consider only the definition where receiver P 2 evaluates the PRF on a single point x, which can be constructed massively in an efficient manner.

Batched OPRF Based on OT Extension. Kolesnikov and
Kumaresan [5] generalized IKNP and proposed KK protocol realizing 1 − out − of − 2 l OTs in an efficient way. In IKNP, the equation t i ⊕ u i � (c i ‖ · · · ‖c i ) means that each row of matrix T ⊕ U is either all zeros or all ones. is feature was interpreted as a repetition code in KK, and they improved it using a linear error correcting code denoted by C. Now for each row in T and U, it holds that where C is a public linear error correcting code of dimension l and codeword length k. erefore, in KK, equation (5) becomes Notably, c i stands for the i-th element in vector c, and now, it is no longer a binary bit in equation (5) but an l-bit string. e codeword length of C(c i ) determines the length of s and the number of columns of matrices T and U, instead in IKNP of k (k is relative to a security parameter κ). In KK, to reach the same security requirement, the codeword length k ′ is about twice as much as k. at is to say, k KK ≈ 2.5k IKNP . As a consequence, the number of "base" OT in KK is doubled than that in IKNP.
Based on 1-out-of-n OT extension, Kolesnikov et al. [13] proposed a variant of OPRF and described an efficient protocol to generate batched OPRF instances (known as BaRK-OPRF). From the point of adaption of OT extension, the variant OPRF functionality based on equation (6) is that where C now is a pseudorandom code instead of a linear error correcting code.
Notably, the random seed s consists of (q i , s) in BaRK-OPRF and i ∈ [m], indicating that equation (6) essentially instantiates m different OPRFs in total, and this is why BaRK-OPRF is called bathed and key-related OPRF. In addition, the codeword length of pseudorandom code in BaRK-OPRF is approximately 2 times longer than the output length of linear error correcting code in KK, which is necessary to reach security requirement. Based on OPRF, it is trivial to construct the private membership test, which will be illustrated later.

Overview of Our Construction
e functionality of OTex is described in Figure 1. While the essential difference between F OT m l in Figure 3 and F OTex in Figure 1 may appear to be unimpressive and unnecessary, the distinction becomes more pronounced in the case of practical OT extension applications and even more so in outsourced OT scenarios. e codeword length of code schemes in equations (6) and (7), i.e., pseudorandom code and linear error correcting code, determines the number of "base" OT instances to be evaluated. is gives us the intuition that we could use a specific number of OTs to extend any large amount of OT instances we need. Both Ishai et al. [4] and Kolesnikov et al. [5,13] show n OTs of long strings that can be reduced to k "base" OTs of shorter strings. at is, given pseudo-random generator and a small number of OTs, we can implement any F OT m′ l′ we want. erefore, we make OT execute in a program-iteration-like way (see Figure 5) to reach the final functionality F OT m l . Here, for clarity, we denote selection string in F OT  (5) and sends encrypted T 2 and T 2 ′ to R. Using symmetric-key operations only, R receives V 2 from T 2 and T 2 ′ in an oblivious way. For i ∈ [m], each row of matrix V 2 is x c i i . We have reviewed the whole framework of IKNP protocol so far, and it does matter the relationships among T 1 , T 1 ′ , and r 2 . If we write the algorithm implementing OT k i k i+1 as recursive function F OT(k i ,k i+1 ) in programming language, then the key step in IKNP is that F OT(m,l) invokes F OT(κ,m) ; i.e., OT m l is reduced to OT κ m , where κ is the security parameter in IKNP. us, we implement F OT(m,l) by invoking F OT(κ,m) first and then executing some symmetric-key encryption operations.
In more general case, two parties P 1 and P 2 prepare to run protocol OT k i k i+1 , where P 1 acts as sender S holding messages matrices T i and T i ′ while P 2 holds chosen vector r i . After OT k i k i+1 , P 2 gets outputs V i consisting of those messages he/she chooses to receive. According to OTextension protocol, P 1 and P 2 first run OT k i−1 k i , where P 1 acts as a receiver and P 2 acts as a sender. For each OT k i k i+1 and OT denotes j-th element of r i , and f(·) for some encoding scheme, such as repetition code in equation (5) and linear error correcting code in equation (6). We present detailed (1) S inputs a random seed s.
Let f be a pseudorandom function. Two parties: sender S and receiver R. k i+2 is a necessary component in protocol, we can precompute OT k i−1 k i assisted with a semihonest server. We focus on a special-but-sufficient case where S and R prepare to execute OT k 2 k 3 ; notably, the innermost is OT k 1 k 1 (see Figure 6) instead of OT k 1 k 2 . In such a scenario, k 1 should not be less than security parameter. If R is a normal user acting as the receiver in OT k 2 k 3 and S is a database with limited computation power and interaction capability, the framework becomes more useful and efficient. erefore, we consider a server-aided oblivious transfer reducing the sender's all public-key computation and numbers of interaction with other parties. As shown in Figure 6, S outsources the computation marked with blue rectangle to a server.
Our OTex protocol consists of two major phases. First, in the outsourced phase, R and server S run OT k 1 k 1 as follows. R inputs random selection string r 1 , while S inputs two random k 1 × k 1 matrices T 1 and T 1 ′ . After OT k 1 k 1 , R gets output V 1 and prepares T 2 (and T 2 ′ ) for OT k 1 k 2 . In the second phase, S aims to respond to the request for OT k 2 l . is phase can be concluded as F OT(k 1 ,k 2 ) invoking F OT(k 1 ,k 1 ) and S sending pairs of messages (T 3 and T 3 ′ encrypted by V 2 ) to R. In the last phase, R gets outputs from OT k 2 l , which can be seen as F OT(k 2 ,l) invoking F OT(k 1 ,k 2 ) .

Outsourced Oblivious Transfer Extension
In this section, we show how to construct an outsourced oblivious transfer extension protocol OTex, where threeparty functionality F OTex can be securely computed in the presence of semihonest adversaries.
Our OTex protocol consists of two major phases among three parties, sender S, receiver R, and server S. Figure 6 shows OTex construction in a program-iteration-like way, where a small number of OT instances, the innermost OT k 1 k 1 , are first to be executed cooperatively. In fact, we let k 1 � κ, and it becomes OT κ κ , where κ is the security parameter in real protocol. From the global perspective, we give procedure of OTex in Figure 7 so as to have a better understanding of roles three parties play in every phase.
First, in the outsourced phase, R and S run OT κ κ as follows. R inputs random selection string r, while S inputs two random κ × κ matrices T and T ′ . After OT κ κ , R gets outputs D and prepares V (and V ′ ) for OT κ m . In the second phase, S aims to respond to the request for OT m l . is phase can be concluded as F OT(κ,m) invoking F OT(κ,κ) and S sending pairs of messages (T and T ′ encrypted by E) to R. In the last phase, R gets outputs from OT m l , which can be seen as F OT(m,l) invoking F OT(κ,m) .
We describe OTex in Figure 8 which realizes functionality F OTex in Figure 4. e invoking procedure in OTex can be written as F OT(m,l) ≫ F OT(κ,m) ≫ F OT(κ,κ) .
According to equation (8), ). Let f(·) represent different encoding schemes each time iteration occurs. In OTex, we have T [i] , where both f 1 (·) and f 2 (·) are repetition code with output length κ, i.e., Notably, in more general case, the outputs of f 1 (r i [j]) and f 1 (r i+1 [j]) may be not equal length, which is determined by OT e OTex protocol in Figure 8 securely computes the functionality F OTex (Figure 4) in semihonest setting, as described in Definition 1, given random oracle and functionality F OT (Figure 1). Proof. We begin by proving the correctness. After OTex, we prove that R only receives x c i i and knows nothing about x Figure 5: Overview of OT iteration.
en, in the responding phase, Step 5, R essentially computes erefore, in Step 6, for j ∈ [κ], by computing e j � y For and essentially sends to S the following messages: (1) R chooses r ← {0, 1} κ at random.
(2)  computes κ × κ matrix T at random and sets matrix T′ such that R forms κ × κ matrix D such that the j-th column of D is the vector d j .
(4)  sends string s and matrix T to S.

Security and Communication Networks
When c i � 1, R computes In summary, R only receives x c i i in OTex and cannot recover x is concludes the correctness of OTex. We now construct three simulators Sim S , Sim R , and Sim R for simulating corrupt S, S, and R such that the produced transcript and the view of real execution are computationally indistinguishable. at is, where x denotes input set (x 0 i , x 1 i ) from S, x denotes output x i of R, and ⊥ denotes the null value.
Corrupt S. Given F OT , it is easy to perfectly simulate the view of the Server S because S only has input, neither receives messages nor outputs during the execution of the protocol. at is, Sim S (1 κ , s, ⊥) x,s,c,κ is computationally indistinguishable with view π S (x, s, c, κ)} x,s,c,κ . Corrupt S. In protocol, Sender S works only in the responding phase, when S receives messages from S and R then sends encrypted inputs to R. e messages obtained by S are s, T, (y 0 j , y 1 j ) . at is to say, view π S (x, s, c, κ) consists of input x and messages s, T, (y 0 j , y 1 j ) , where j ∈ [κ]. It is trivial for Sim S to generate a simulation of s, T { } since both are random values from the point of view of S. Now, Sim S simulates a simulation of (y 0 j , y 1 j )|j ∈ [κ] by choosing a κ-length string s, m-length strings r j , κ × κ matrix T, and m × κ matrix E at random and computing Let s, tTn, q(y 0 j , y 1 j ) be the output of Sim S (1 κ , x, ⊥).
erefore, we claim that the view generated by Sim S and the view of corrupt S in a real protocol are computationally indistinguishable. Corrupt R. We construct a simulator Sim R that simulates the view of corrupt R in the real protocol execution.
We first analyze R's view view π R (x, s, c, κ) in OTex. R obtains matrix D in the outsourced phase and (z 0 i , z 1 i ) in the outputting phase. erefore, view π R (x, s, c, κ) consists of R's input c and messages D, (z 0 i , z 1 i ) . To construct the simulation of the view, Sim R works as follows. (i) In the outsourced phase, given the security parameter κ, R's input c, and the randomness r, Sim R calls simulation Sim OT κ κ with input (T, T ′ , r) and gets output D. en, Sim R appends the output of Sim OT κ κ , i.e., matrix D, to its own output. (ii) In the outputting phase, given the security parameter κ, R's input c, the randomness V, and output x, Sim R simulates a simulation of (z 0 i , z 1 i )|it ∈ n[m by choosing m-length strings r j and computing en, Sim R appends (z 0 i , z 1 i )|it ∈ n(m to its output. Combining two phases described above in sequence, we finally claim that the output of Sim R is computationally indistinguishable from the real execution, i.e., Sim s, c, κ) x,s,c,κ . is completes the construction of three simulators: Sim S , Sim R , and Sim R . In summary, OTex is secure under semihonest model.  Table 1.
e number of symmetric and asymmetric operation to be executed in OTex essentially depends on the size of matrices T, V, and E, respectively. In the outsourced phase, F OT κ κ consists of O(κ) public-key and O(κ) privatekey operations, for both S (acting as sender) and R (acting as receiver). In the responding phase, R invokes random oracle and performs XOR operation for O(κ) times. en, S recovers matrix E and encrypts messages (x 0 i , x 1 i ), which only consists of O(m + κ) symmetric operations. In the outputting phase, R performs symmetric operations O(m) times to compute its outputs. (ii) Communication complexity. In the outsourced phase, the number of bits transferred between S and R is bounded by O(κ 2 ). In the responding phase, S receives messages from S and R and sends encrypted messages to R, which consist of O(ml + κ 2 ). In the outputting phase, R receives 2ml-bit messages in total from S. (iii) Round complexity. e only interaction in OTex exists in the outsourced phase between S and R, i.e., F OT κ κ . e number of interaction round in F OT κ κ is bounded by 1.

Efficiency Comparison.
Since we focus on the efficiency of the sender S in OT, we provide comparisons to prior classical protocols from the S's point of view in Table 2. In OTex, all asymmetric operations are operated between the receiver R and the cloud server S, and S works on the fly and conducts symmetric computations locally.

Performance
In this section, we test the performance of OTex. e experiments were performed on a Linux machine equipped with 4 cores 3.40 GHz Intel Core i5-7500 CPU and 8 GB RAM.
Our tests refer to the implement on GitHub: https:// github.com/emp-toolkit/emp-ot. We simulated main asymmetric operations in OTex on a single machine. We compared OTex with the OT protocol used in recent work [32], where they compute at least 450 OT instances locally from 128 "base" OTs. erefore, we regarded n � 2 8 as a reference and simulated the outsourced phase. After setting the length of security parameter equal to 128, we simulated OTex for n � 2 7 , 2 9 , and 2 10 , respectively. We repeated each simulation 20 times, and the result is shown in Figure 9. Although OTex shows an almost identical performance to Vladimir's, the running time tends to be steady sooner when n � 2 9 . In addition, in Figure 9, the sender S of OTex works offline for most of the time during simulation, and this is one of the advantages of OTex.
e other advantage of OTex found in performance tests is the reduction of communication bottleneck caused by the sender S. e main idea of OT extension protocol is to extend a small number of base OTs to perform many OTs. As a consequence, we summed from the time of base OTon setup to the time of protocol finish and then computed average time for each original OT. e averaged time is illustrated in Figure 10. We tested n ′ � 2 8+x OT instances for different x values and computed the average running time for one single OT, i.e., OT 1 n . From Figure 10, we can see that the average time keeps steady when x is less than 8. If we extend base OT to an adequate number of OTs, for example, n ′ � 2 18 , the average time has a sharp increase. It does not matter in OTex, however, since the extension process is conducted between R and S in the outsourced phase.

Applications of OTex
e OTex framework has a wide range of applications in outsourced scenarios. In this section, we take private set intersection (PSI) as a case study and demonstrate that, as a Note: the efficiency of sender in OT is presented here, who inputs m pairs of l-bit length messages in protocol. Specially, κ is security parameter, G denotes a group, and k ≈ 2.5κ in 1-out-of-n OT.   Alice holds a set X, while Bob holds Y, and after PMT, Alice knows whether her element x i belongs to Y or not, i.e., the intersection of two sets. Some details on method of preprocessing items in set are simply omitted in Figure 12. We can hash the item to bins and then operate the OTex-based PSI protocol on each bin separately. Specifically, we use Cuckoo hashing [35] for PSI in the following way. First, Alice and Bob agree on 3 random hash functions h 1 , h 2 , h 3 : 0, 1 { } * ⟶ [m ′ ] suitable for 3-way Cuckoo hashing. Alice places her items into m in either h 1 (x), h 2 (x), or h 3 (x), and each bin contains at most one item. Bob places each of his items y in locations h 1 (y), h 2 (y), and h 3 (y). At this point, Alice pads her input with dummy items so that each bin contains exactly 1 item. Note that when we use cuckoo hashing, then there will be some items which cannot be placed into the table and have to be moved to a stash, which does not matter because of the usage of stash-less cuckoo hashing [20]. Finally, Alice and Bob perform a PSI in each bin.

Conclusions and Future Work
In this paper, we proposed a generic outsourced OT extension protocol (OTex) which can outsource all the "base" OT from the sender to a semihonest server. e proposed protocol realizes optimal computational and communication complexity relative to security parameter. In addition, we showed that OTex can be efficiently used in private membership test and private set intersection. In the future, we will consider malicious model and construct efficient outsourced OT extension protocols secure against malicious adversary.
Data Availability e performance test data used to support the findings of this study are included within the article.

Conflicts of Interest
e authors declare that they have no conflicts of interest.