Oblivious transfer (OT) is a cryptographic primitive originally used to transfer a collection of messages from a sender to a receiver in an oblivious manner. An OT extension protocol reduces the number of expensive asymmetric operations by first running a small number of base OT instances and then using only cheap symmetric operations. While most earlier works discuss the security model or the communication and computation complexity of OT in the general case, we focus on concrete application scenarios, especially those where the sender in the OT protocol is a database with limited computation and limited interaction capability. In this paper, we propose a generic outsourced OT extension protocol (
Oblivious transfer (OT) is one of the most important primitives in secure computation. It is widely used in Yao’s protocol [
However, OT is built on public-key primitives, which makes it computationally expensive for secure computation. Many privacy-preserving protocols, such as private membership test (PMT) and private set intersection (PSI), rely heavily on a huge number of OT instances to obtain a trade-off between computation and communication. The most efficient way to produce many OT instances is through an OT extension protocol [
In an OT extension protocol, the sender
Nowadays, many applications are rapidly moving to cloud-based services, and it would be desirable to find a server-aided OT extension protocol that relieves the burden of
To this end, we propose a generic outsourced oblivious transfer extension protocol
Recent trends in OT extension have led to a proliferation of studies showing how to design an efficient PSI [
Rabin [
Because OT is built on public-key primitives, the issue of efficiency has received considerable attention since Rabin’s work [
The research to date has tended to focus more on the cost of the receiver and less on that of the sender in OT, and few studies have investigated the computation and communication complexity on the sender side. The aim of this work is to explore the cost of the sender in OT and to construct an efficient OT extension framework assisted by a third party. In addition, OT extension provides a brief but useful account of the construction of an oblivious pseudorandom function (PRF). Oblivious PRFs have also attracted considerable interest in very recent years, for example in multiparty PSI [
In this paper, we focus on server-aided OT to reduce the sender’s public-key computation and its rounds of interaction with the receiver. The main contributions of our work are as follows: We propose a generic outsourced OT extension protocol We analyze the complexity of our construction and provide an implementation, and the experiments show that our construction is practical and efficient. Our
Unless otherwise stated, we use OT to denote 1-out-of-2 OT and
The formal definition of security of a secure multiparty protocol [
In this paper, we focus on the semihonest model and the honest-majority case, where an adversary can corrupt at most one participant and no two participants collude. In the following, we give the formal security definition.
Let The correctness holds: There exist probabilistic polynomial-time simulators
In
Outsourced oblivious transfer functionality
We start by introducing the definition of standard 1-out-of-2 OT, where a sender holding two messages
1-out-of-2 oblivious transfer functionality
In most settings, it is necessary to run a large number of OT instances at the same time. Running many OT instances together is called batch OT (see Figure
Batch oblivious transfer functionality
As shown in Figure
As described above, the IKNP protocol begins with running
Freedman et al. [
Oblivious PRF functionality
A general definition of OPRF is that the receiver
Kolesnikov and Kumaresan [
Notably,
Based on 1-out-of-
Notably, the random seed
The functionality of
The codeword length of the code schemes in equations (
Overview of OT iteration.
To better understand our work, let us review IKNP OT extension where
In the more general case, two parties
The transformation among
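As an added illustration of the IKNP OT extension reviewed above (example code written for this page, not the paper's implementation), the following Python runs the IKNP flow end to end: the receiver's random matrix T and choice bits r, the base OTs with reversed roles selected by the sender's random string s, and the masking of each row with a random oracle H. The base OTs are modelled as an ideal 1-out-of-2 OT functionality evaluated in-process, SHA-256 stands in for H, and all function names are assumptions.

```python
import hashlib
import secrets

KAPPA = 128  # security parameter: number of base OTs = number of columns of T


def H(i: int, q: bytes) -> bytes:
    # Random oracle modelled with SHA-256, domain-separated by the row index i.
    return hashlib.sha256(i.to_bytes(4, "big") + q).digest()


def xor(a: bytes, b: bytes) -> bytes:
    # XOR a with the prefix of b of the same length (b is a 32-byte digest).
    return bytes(x ^ y for x, y in zip(a, b))


def base_ot(pairs, choice_bits):
    # Ideal 1-out-of-2 OT functionality standing in for the real base OTs:
    # the chooser learns pairs[j][choice_bits[j]] and nothing else.
    return [m[b] for m, b in zip(pairs, choice_bits)]


def row(cols, i):
    # Row i of a bit matrix stored as KAPPA column integers of m bits each.
    return sum(((c >> i) & 1) << j for j, c in enumerate(cols))


def iknp_extend(x_pairs, r):
    """m = len(r) extended OTs on 16-byte messages. x_pairs: sender's
    (x0, x1) list; r: receiver's choice bits. Returns receiver's x_{r_i}."""
    m = len(r)
    # Receiver: random m x KAPPA matrix T (as columns) and the choice column r.
    t_cols = [secrets.randbits(m) for _ in range(KAPPA)]
    r_int = sum(b << i for i, b in enumerate(r))
    # Base OTs with reversed roles: receiver offers (t^j, t^j XOR r) in OT j,
    # sender chooses with random bit s_j and gets q^j = t^j XOR (s_j * r).
    s = [secrets.randbits(1) for _ in range(KAPPA)]
    q_cols = base_ot([(t, t ^ r_int) for t in t_cols], s)
    s_int = sum(b << j for j, b in enumerate(s))
    # Sender: row i satisfies q_i = t_i XOR (r_i * s); mask x0 with H(i, q_i)
    # and x1 with H(i, q_i XOR s), so exactly one mask equals H(i, t_i).
    y = []
    for i, (x0, x1) in enumerate(x_pairs):
        q_i = row(q_cols, i)
        y.append((xor(x0, H(i, q_i.to_bytes(16, "big"))),
                  xor(x1, H(i, (q_i ^ s_int).to_bytes(16, "big")))))
    # Receiver: unmask y_{r_i} with H(i, t_i); the other message stays hidden
    # because recovering its mask would require s.
    return [xor(y[i][b], H(i, row(t_cols, i).to_bytes(16, "big")))
            for i, b in enumerate(r)]
```

Note that the party acting as sender in the extended OTs plays the receiver in the KAPPA base OTs, which is the asymmetric-operation cost the paper moves away from a weak sender.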
Construction of
Our
In this section, we show how to construct an outsourced oblivious transfer extension protocol
Our
Procedure of outsourced oblivious transfer.
First, in the
We describe
Outsourced oblivious transfer extension protocol.
According to equation (
Notably, in the more general case, the outputs of
The
We begin by proving the correctness. After
Then, in the responding phase, Step 5,
Therefore, in Step 6, for
For
It holds that
When
In summary,
This concludes the correctness of
We now construct three simulators Now, Let In the outsourced phase, given the security parameter In the outputting phase, given the security parameter
Then,
Combining two phases described above in sequence, we finally claim that the output of
This completes the construction of three simulators:
We now analyze the performance of
Complexity of
Party | Computation | Communication | Round | |
---|---|---|---|---|
Asymmetric | Symmetric | |||
1 | ||||
– | – | |||
1 |
Since we focus on the efficiency of the sender
Efficiency comparison.
Protocol | Round | Communication | Asymmetric computation | Security model |
---|---|---|---|---|
[ | 2 | Semihonest and malicious | ||
[ | 2 | Semihonest | ||
[ | 2 | Semihonest and one-sided malicious | ||
[ | 2 | Semihonest | ||
[ | 3 | Malicious | ||
Ours | – | – | Semihonest |
Note: the efficiency of
In this section, we test the performance of
Our tests are based on the implementation on GitHub:
Comparison of running time.
The other advantage of
Average time for OT instances in
The
We first introduce a private membership test (PMT) protocol to determine whether an element
Private set intersection functionality
The PMT protocol involves two parties:
Based on OPRF, we can construct a PMT protocol as follows. First, during the OPRF phase,
The security of PMT via OPRF relies on the security of the underlying OPRF protocol. A secure OPRF guarantees that
Given functionality
We can apply pseudorandom code to equation (
Then, the only adaptation they need to make in
Given 1-out-of-
To obtain the final PSI protocol that computes
Outsourced private set intersection protocol.
Some details on the method of preprocessing the items of a set are omitted in Figure
In this paper, we proposed a generic outsourced OT extension protocol (
The performance test data used to support the findings of this study are included within the article.
The authors declare that they have no conflicts of interest.
This work was supported by the National Natural Science Foundation of China (Grant nos. 61572294 and 61632020), Major Innovation Project of Science and Technology of Shandong Province (Grant no. 2018CXGC0702), Natural Science Foundation of Shandong Province (Grant no. ZR2017MF021), and Fundamental Research Funds of Shandong University (Grant no. 2017JC019).