In this post, we see an
efficient Oblivious Transfer (OT) Extension technique for short secrets. The OT extension protocol of IKNP stands as the basis for this protocol. The building block is an IKNP-based
framework for 1-out-of-n OT extension. Before going into the details of the protocol,
let’s have a quick overview of the IKNP protocol.
IKNP Protocol
We assume the existence
of a correlation-robust hash function, H, and the protocol works in the static
semi-honest security model.
Protocol Overview
S
first
acts as the receiver and R as the sender in the underlying k
OTs. S chooses a random string s ∈ {0,1}k as
the selection bits and R inputs (ti, ti
⊕
r),
i ∈ [k], ti ∈ {0,1}n where
r are the actual selection bits of R. S calls
her ith chosen message in the underlying OTs qi = ti
⊕ si .r,
where qi is the ith column of a m x k matrix Q. Note that jth row of matrix Q, qj = tj ⊕ rj . s. Finally, S sends the actual messages by sending zj,0 =
H(qj) ⊕ xj,0
and zj,1 = H(qj ⊕ s)
⊕
xj,1 and R recovers xj,ri by computing xj,ri = H(ti)
⊕ zj,ri , where j ∈ [m] and H(∙)
is the hash function.
Protocol Efficiency
The protocol makes a
single call to OTkm. In addition, each party evaluates at
most 2m times (an implementation of) a random oracle mapping k+log m bits to l bits. All other costs are negligible. The cost of OTkm
is no more than k times the cost of OT1k (the type
of OT realized by most direct implementations) plus a generation of 2m pseudo-random
bits. In terms of round complexity, the protocol requires a single message from
S to R in addition to the round complexity of the OTkm
implementation. To summarize, the communication complexity of IKNP is O(m(k+l)) and for bit messages (l=1), the complexity turns out to be O(mk).
Now we can look to the efficient Oblivious Transfer (OT) Extension protocol of KK13. The main difference from IKNP is that each row of the matrix
possessed by S is now used to perform a 1-out-of-n
OT instead of 1-out-of-2, but of shorter secrets. On a very
intuitive level, the protocol works as follows: Let C denote a
binary code, and let rj denote the input of R
to the j-th instance of 1-out-of-n OT. For each row j,
S receives (via OT) the actual j-th row of the m x k matrix
XORed with a vector that is the result of the rj-th codeword
in C bitwise ANDed with the k-bit selection vector. This allows S
to generate n random pads from each row of the matrix- the i-th
such pad being the j-th row it received (via OT) XORed with a vector
that is the result of the i-th codeword in C bitwise ANDed with
the k bit selection vector. These n random pads may then be used
by S to carry out a 1-out-of-n OT with R
KK Protocol
We assume the existence of a hash function (in the random oracle model), H, and the protocol works in the static semi-honest security model.
Protocol Overview
Input of S
is m tuples (xj,0, … ,xj,n-1) of l-bit
strings while input of R is an m element selection vector r
= (r1, … , rm) where each ri
can ranges from 1 to n. S first acts as the
receiver and R as the sender in the underlying k OTs. S chooses
a random string s ∈ {0,1}k as
the selection bits. R forms m x k matrices T0
and T1 in the following way: Choose tj,0 , tj,1
← {0,1}k at random such that tj,0 ⊕ tj,1
=
crj , where crj is
a Walsh-Hadamard code. R then inputs {(tj,0, tj,1)}j∈[k] for
each of the k base OTs. S calls her ith chosen
message in the underlying OTs qi = ti,si , where qi is
the ith column of a m x k matrix Q.
Note that jth row of matrix Q, qj = tj,0
⊕
crj . s. Finally, S sends
messages zj,r = xj,r
⊕ H(j,
qj ⊕ cr.s)
for
1≤ r
≤
n
and R recovers xj,ri by
computing xj,ri = H(j,tj,0) ⊕ zj,ri ,
where j ∈ [m]
and H(∙) is the hash function.
Protocol Efficiency
The protocol makes a
single call to OTkm. The cost of OTkm
is the cost of OTkk (which is independent of m)
plus a generation of 2k pseudo-random strings each of length m. Other
than this, each party evaluates at most mn times a random oracle. Thus
the total communication cost of OTml
is the communication cost of implementing OTkm plus
mnl bits transferred between S and R, which
turns out to be O(m(k+nl). In the semi-honest model, a single instance
of 1-out-of-n OT may be used to generate log n
instances of 1-out-of-2 OT over slightly shorter strings with no
additional cost. More precisely, the cost of OTml
is exactly equal to the cost of 1-out-of-n OTm/log nl.log n
. To summarize, the communication complexity of KK for 1-out-of-2
OT extension is O(mk / log(k/l) ) and for bit messages (l=1), the
complexity turns out to be O(mk / log k).
No comments:
Post a Comment