Cut-and-choose bilateral oblivious transfer protocol based on DDH assumption

Abstract

In secure two-party computation protocols, the cut-and-choose paradigm is used to prevent the malicious party who constructs the garbled circuits from cheating. In previous realization of the cut-and-choose technique on the garbled circuits, the delivery of the random keys is divided into multiple stages. Thus, the round complexity is high and the consistency of cut-and-choose challenge should be proved. Based on DDH assumption, we build a so-called cut-and-choose bilateral oblivious transfer protocol, which transfers all necessary keys of garbled circuits in one process. Specifically, in our oblivious transfer protocol, the sender inputs two pairs $$(k_0^1,k_1^1)$$ , $$(k_0^2,k_1^2)$$ and a bit $$\tau$$ ; the receiver inputs two bits $$\sigma$$ and j. After the protocol execution, the receiver obtains $$k_{\tau }^1,k_{\sigma }^2$$ for $$j=1$$ , and $$k_0^1,k_1^1,k_0^2,k_1^2$$ for $$j=0$$ . The protocol inherit the cut-and-choose OT protocol in Lindell and Pinkas (Proceedings of the 8th conference on theory of cryptography, Springer, 2011), and can be applied into the state-of-the-art cut-and-choose secure two party computation protocol without any obstacles. By the cut-and-choose bilateral oblivious transfer protocol, the cut-and-choose challenge j is no need to be opened anymore, therefore the consistency proof of j is omitted, and the round complexity of secure two-party computation protocol can be decreased.