On the Round Complexity of OT Extension

  • Sanjam Garg
  • Mohammad Mahmoody
  • Daniel Masny
  • Izaak Meckler
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10993)

Abstract

We show that any OT extension protocol based on one-way functions (or more generally any symmetric-key primitive) either requires an additional round compared to the base OTs or must make a non-black-box use of one-way functions. This result also holds in the semi-honest setting or in the case of certain setup models such as the common random string model. This implies that OT extension in any secure computation protocol must come at the price of an additional round of communication or the non-black-box use of symmetric key primitives. Moreover, we observe that our result is tight in the sense that positive results can indeed be obtained using non-black-box techniques or at the cost of one additional round of communication.


Copyright information

© International Association for Cryptologic Research 2018

Authors and Affiliations

  • Sanjam Garg (1)
  • Mohammad Mahmoody (2)
  • Daniel Masny (1)
  • Izaak Meckler (1)

  1. University of California, Berkeley, Berkeley, USA
  2. University of Virginia, Charlottesville, USA