Oblivious transfers and privacy amplification

  • Authors: Gilles Brassard; Claude Crépeau
  • Affiliations: Département IRO, Université de Montréal, Montréal, Québec, Canada (both authors)
  • Venue: EUROCRYPT'97 Proceedings of the 16th annual international conference on Theory and application of cryptographic techniques
  • Year: 1997

Abstract

Assume A owns two secret $k$-bit strings. She is willing to disclose one of them to B, at his choosing, provided he does not learn anything about the other string. Conversely, B does not want A to learn which secret he chose to learn. A protocol for the above task is said to implement One-out-of-two String Oblivious Transfer, denoted $\binom{2}{1}$-OT$^k$. This primitive is particularly useful in a variety of cryptographic settings. An apparently simpler task corresponds to the case $k = 1$ of two one-bit secrets: this is known as One-out-of-two Bit Oblivious Transfer, denoted $\binom{2}{1}$-OT. We address the question of reducing $\binom{2}{1}$-OT$^k$ to $\binom{2}{1}$-OT. This question is not new: it was introduced in 1986. However, most solutions until now have implicitly or explicitly depended on the notion of self-intersecting codes. It can be proved that this restriction makes it asymptotically impossible to implement $\binom{2}{1}$-OT$^k$ with fewer than about $3.5277k$ instances of $\binom{2}{1}$-OT. The current paper introduces the idea of using privacy amplification as underlying technique to reduce $\binom{2}{1}$-OT$^k$ to $\binom{2}{1}$-OT. This allows for more efficient solutions at the cost of an exponentially small probability of failure: it is sufficient to use slightly more than $2k$ instances of $\binom{2}{1}$-OT in order to implement $\binom{2}{1}$-OT$^k$. Moreover, we show that privacy amplification allows for the efficient implementation of $\binom{2}{1}$-OT$^k$ from generalized versions of $\binom{2}{1}$-OT that would not have been suitable for the earlier techniques based on self-intersecting codes. An application of this more general reduction is given.