A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the original arXiv source.

Oblivious Transfer (OT) is a fundamental cryptographic protocol that finds a number of applications, in particular, as an essential building block for two-party and multi-party computation. We construct a round-optimal (2 rounds) universally composable (UC) protocol for oblivious transfer secure against active adaptive adversaries from any OW-CPA secure public-key encryption scheme with certain properties in the random oracle model (ROM). In terms of computation, our protocol only requires the generation of a public/secret-key pair, two encryption operations and one decryption operation, apart from a few calls to the random oracle. In terms of communication, our protocol only requires the transfer of one public-key, two ciphertexts, and three binary strings of roughly the same size as the message. Next, we show how to instantiate our construction under the low noise LPN, McEliece, QC-MDPC, LWE, and CDH assumptions. Our instantiations based on the low noise LPN, McEliece, and QC-MDPC assumptions are the first UC-secure OT protocols based on coding assumptions to achieve: 1) adaptive security, 2) optimal round complexity, 3) low communication and computational complexities. Previous results in this setting only achieved static security and used costly cut-and-choose techniques. Our instantiation based on CDH achieves adaptive security at the small cost of communicating only two more group elements as compared to the gap-DH based Simplest OT protocol of Chou and Orlandi (Latincrypt 15), which only achieves static security in the ROM.


💡 Research Summary

This paper presents a framework for 1‑out‑of‑2 string Oblivious Transfer (OT) that achieves universal composability (UC) against active adaptive adversaries in the Random Oracle Model (ROM) while using only two communication rounds, the optimal round complexity for OT. The construction is generic: it works with any OW‑CPA‑secure public‑key encryption (PKE) scheme that satisfies two simple algebraic properties.

Key properties of the underlying PKE

  1. Group‑based key relation (Property 1) – The public‑key space forms a group with operation “⋆”. Given a uniformly random group element q, the receiver can produce a pair of public keys (pk₀, pk₁) with pk₀⋆pk₁ = q while knowing the secret key for exactly one of them (the one indexed by his choice bit c, which he generated honestly); the complementary key q⋆pk_c⁻¹ is uniformly distributed because q is a random‑oracle output, and OW‑CPA security guarantees that the receiver cannot decrypt a ciphertext encrypted under it. This is what bounds the receiver to at most one of the sender’s messages.
  2. Indistinguishability of generated keys (Property 2) – A public key output by the key‑generation algorithm is computationally indistinguishable from a uniformly random group element. Since the complementary key is uniform as well, the two keys are distributed (computationally) the same way whichever one was generated, so the sender cannot infer the receiver’s choice bit from the key he receives.

Protocol outline

  1. Receiver’s setup – Bob runs the PKE key‑generation algorithm to obtain (pk_c, sk_c) for his choice bit c. He samples a random seed s, hashes it to obtain q ← H(s), and computes the complementary public key pk_{1‑c} = q⋆pk_c⁻¹.
  2. Message from receiver to sender – Bob sends the seed s together with a single public key, pk₀ (the generated key if c = 0, the complementary key if c = 1). The seed lets Alice recompute q; Property 2 ensures the transmitted key reveals nothing about which of the two keys Bob can open.
  3. Sender’s encryption – Alice recomputes q = H(s) and derives the second key pk₁ = q⋆pk₀⁻¹; she now holds both keys without knowing which one Bob can decrypt under. She derives a one‑time pad r_i for each index from the random oracle (hashing pk_i‖i) and encrypts her two strings m₀, m₁ as C_i = Enc(pk_i, m_i ⊕ r_i). The encryption must genuinely be under pk_i: Property 1, not the pad, is what keeps the second message from Bob.
  4. Transmission – Alice sends the two ciphertexts C₀, C₁ (together with the masking strings the scheme requires) back to Bob.
  5. Receiver’s decryption – Using sk_c, Bob decrypts C_c and recovers m_c. The other ciphertext is encrypted under a key for which Bob holds no secret key, so by OW‑CPA security it remains undecipherable.

The entire interaction requires only one key‑pair generation, two encryptions, one decryption, and a handful of hash calls. Communication consists of a single public key, two ciphertexts, and three binary strings of size comparable to the transferred messages.

Security proof – The authors argue UC security through a sequence of hybrids in the ROM. Against a corrupted receiver, Property 1 together with OW‑CPA security shows that the receiver can recover at most one of the two plaintexts, and the simulator, which observes the adversary’s random‑oracle queries, learns which one and forwards the corresponding choice bit to the ideal functionality. Against a corrupted sender, the simulator exploits the programmability of the random oracle: it generates both key pairs itself and programs H(s) := pk₀⋆pk₁, so that it can decrypt both ciphertexts and extract both messages; Property 2 guarantees that this first message is indistinguishable from an honest one, in which one key is generated and the other is a uniformly random group element. Because the simulator never commits to a choice bit or to message contents it cannot later explain, the same simulation handles corruptions that happen after a party has sent its messages, which is what yields adaptive rather than merely static security.
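The two‑round exchange in the protocol outline above, and the oracle‑programming simulator described in the security‑proof paragraph, as an added example that is not code from the paper: a CDH‑style instantiation with plain ElGamal in the RFC 3526 1536‑bit MODP group, where the group operation ⋆ is multiplication mod P. Choices made here that the summary does not fix and that are therefore this example’s assumptions, not necessarily the paper’s: H1 hashes a seed to the group as G^SHA‑256(seed), the key the receiver transmits is pk₀, and each message is masked with H2 of a fresh group element encrypted under pk_i (which keeps the abstract’s count of two ciphertexts plus three strings including the seed).

```python
# Added example, not code from the paper: the complementary-public-key OT of the
# outline above, instantiated with ElGamal in the RFC 3526 1536-bit MODP group,
# plus the simulator trick behind the proof paragraph. The group operation "*"
# is multiplication mod P. Assumptions of this example (not necessarily the
# paper's exact choices): hash-to-group via G^H(seed), the sent key is pk_0,
# and messages are masked with H2 of a fresh group element encrypted under pk_i.
import hashlib
import secrets

_P_HEX = ("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
          "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
          "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
          "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
          "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
          "9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF")
P = int(_P_HEX, 16)                 # safe prime, P = 2*Q + 1
Q = (P - 1) // 2                    # order of the subgroup generated by G
G = 2
ELEM_LEN = (P.bit_length() + 7) // 8
assert pow(G, Q, P) == 1            # G has order Q; fails loudly if P were mistyped

def inv(x: int) -> int:
    return pow(x, -1, P)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

# H1: programmable random oracle from seeds to group elements. Answers are cached
# in a table so the simulator below can fix one answer before it is ever queried.
_H1_TABLE = {}

def H1(seed: bytes) -> int:
    if seed not in _H1_TABLE:
        e = int.from_bytes(hashlib.sha256(b"H1|" + seed).digest(), "big") % Q
        _H1_TABLE[seed] = pow(G, e, P)
    return _H1_TABLE[seed]

def H2(elem: int, n: int) -> bytes:
    """Random oracle H2 on a group element, stretched to an n-byte pad."""
    raw = elem.to_bytes(ELEM_LEN, "big")
    blocks = (hashlib.sha256(b"H2|" + raw + i.to_bytes(4, "big")).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def keygen():
    sk = secrets.randbelow(Q - 1) + 1
    return pow(G, sk, P), sk          # Property 2: pk is a uniform subgroup element

def enc(pk: int, m: int):             # plain ElGamal: OW-CPA under CDH
    k = secrets.randbelow(Q - 1) + 1
    return pow(G, k, P), (m * pow(pk, k, P)) % P

def dec(sk: int, ct) -> int:
    c1, c2 = ct
    return (c2 * inv(pow(c1, sk, P))) % P

def receiver_round1(c: int):
    """Bob: one key pair for his choice bit; the other key is forced by q = H1(seed)."""
    pk_c, sk_c = keygen()
    seed = secrets.token_bytes(32)
    pk_other = (H1(seed) * inv(pk_c)) % P   # Property 1: pk_0 * pk_1 == q
    pk0 = pk_c if c == 0 else pk_other      # convention: the transmitted key is pk_0
    return (pk0, seed), (c, sk_c)

def sender_round2(msg, m0: bytes, m1: bytes):
    """Alice: re-derive pk_1, encrypt a fresh element under each key, mask each message."""
    pk0, seed = msg
    pk1 = (H1(seed) * inv(pk0)) % P
    reply = []
    for pk, m in ((pk0, m0), (pk1, m1)):
        key = pow(G, secrets.randbelow(Q - 1) + 1, P)
        reply.append((enc(pk, key), xor(H2(key, len(m)), m)))
    return reply                            # two ciphertexts and two masked strings

def receiver_output(state, reply) -> bytes:
    c, sk_c = state
    ct, z = reply[c]
    return xor(H2(dec(sk_c, ct), len(z)), z)

def run_ot(c: int, m0: bytes, m1: bytes):
    """Honest run. Also returns what sk_c yields on the OTHER ciphertext: garbage."""
    msg, state = receiver_round1(c)
    reply = sender_round2(msg, m0, m1)
    ct_other, z_other = reply[1 - c]
    wrong = xor(H2(dec(state[1], ct_other), len(z_other)), z_other)
    return receiver_output(state, reply), wrong

def simulated_receiver_round1():
    """Simulator against a corrupted sender: hold BOTH secret keys by programming
    H1(seed) := pk_0 * pk_1. By Property 2 the sender cannot tell this first
    message from an honest one, yet the simulator can open both ciphertexts."""
    (pk0, sk0), (pk1, sk1) = keygen(), keygen()
    seed = secrets.token_bytes(32)
    _H1_TABLE[seed] = (pk0 * pk1) % P
    return (pk0, seed), (sk0, sk1)

def simulator_extract(state, reply):
    return tuple(xor(H2(dec(sk, ct), len(z)), z)
                 for sk, (ct, z) in zip(state, reply))
```

Running `run_ot(c, m0, m1)` for either choice bit returns m_c as the first component and an unrelated string as the second, which is the concrete content of Property 1: the receiver holds a secret key that decrypts one ElGamal ciphertext correctly and turns the other into noise. The simulator path only works because the oracle table is programmable; in the real protocol an honest receiver has no way to force H1(s) to a value of his choosing, so Property 2 is doing real work there rather than being a formality.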

Instantiations – The framework is instantiated under five hardness assumptions, in each case by exhibiting a PKE whose key space has the required group structure and whose keys satisfy Properties 1 and 2:

  • Low‑noise Learning‑Parity‑with‑Noise (LPN) – Using Alekhnovich’s LPN‑based PKE, the protocol avoids the cut‑and‑choose techniques of earlier LPN‑based OT constructions, which were also only statically secure.
  • McEliece and QC‑MDPC codes – Public keys are binary matrices and the group operation is bitwise XOR, so the complementary key is simply q ⊕ pk_c; Property 2 is the usual assumption that these public keys are indistinguishable from random matrices. The construction yields the first adaptively secure UC‑OT based on coding assumptions with optimal round complexity and low communication.
  • Learning With Errors (LWE) – A Regev‑style IND‑CPA (hence OW‑CPA) scheme is used; Regev public keys are pseudorandom under LWE, which is exactly Property 2.
  • Computational Diffie‑Hellman (CDH) – The sender employs ElGamal encryption, which is OW‑CPA under CDH. The protocol matches the round complexity of the “Simplest OT” of Chou and Orlandi with comparable computational cost, adds only two extra group elements to the communication, and achieves adaptive security under CDH rather than the gap‑DH assumption Simplest OT relies on.

For each instantiation the authors argue that the two properties hold under the stated assumption and analyse communication and computational cost against prior work. The coding‑based instantiations (LPN, McEliece, QC‑MDPC) are the first UC‑secure OT protocols from those assumptions to be adaptively secure and round‑optimal while avoiding cut‑and‑choose, which is where the efficiency gain over earlier coding‑based UC‑OTs comes from.

Comparison with related work – Prior UC‑OT protocols either (i) rely on a Common Reference String (CRS) and require more rounds and heavy zero‑knowledge proofs, (ii) achieve only static security, or (iii) need the stronger gap‑DH assumption. The “Simplest OT” achieves similar round and computational efficiency but only static security. The CDH‑based 1‑out‑of‑n OT of Hauck and Loss attains comparable efficiency for the n‑ary case but targets that setting rather than the 1‑out‑of‑2 base OT that underpins most OT‑extension schemes. This paper’s contribution is the first to combine (a) adaptive security, (b) optimal two‑round interaction, (c) low concrete cost, and (d) a wide range of (including post‑quantum) assumptions within the ROM.

Impact and future directions – By eliminating cut‑and‑choose and heavy zero‑knowledge components, the protocol is directly applicable as a base OT in two‑party and multi‑party computation frameworks that demand UC security. The post‑quantum instantiations (LPN, McEliece, QC‑MDPC, LWE) provide a pathway to quantum‑resistant OT without sacrificing efficiency. Future work may extend the framework to 1‑out‑of‑n OT, integrate it with OT‑extension techniques, or explore alternative setup models (CRS, PKI, noisy channels) while preserving the two‑round optimality.

In summary, the paper delivers a versatile, round‑optimal, adaptively secure, universally composable OT construction in the ROM, together with concrete, efficient instantiations across both classical and post‑quantum hardness assumptions, thereby setting a new benchmark for OT protocol design.

