Implementation of Oblivious Transfer over Binary-Input AWGN Channels by Polar Codes

Notice: This research summary and analysis were automatically generated using AI technology. For absolute accuracy, please refer to the [Original Paper Viewer] below or the Original ArXiv Source.

We develop a one-out-of-two oblivious transfer protocol over the binary-input additive white Gaussian noise (BI-AWGN) channel using polar codes. The scheme uses two decoder views linked by automorphisms of the polar transform and publicly draws the encoder at random from the corresponding automorphism group. This yields perfect secrecy for Bob at any blocklength. Secrecy for Alice is obtained asymptotically via channel polarization combined with privacy amplification. Because the construction deliberately injects randomness into selected bad bit-channels, we derive a relaxed reliability criterion, which is empirically certified via Monte-Carlo simulations. We also evaluate finite-blocklength performance. Finally, we characterize the polar-transform automorphisms as bit-level permutations of bit-channel indices, and exploit this structure to derive and optimize an achievable finite-blocklength rate.


💡 Research Summary

The paper presents a novel one‑out‑of‑two Oblivious Transfer (OT) protocol that operates over a binary‑input additive white Gaussian noise (BI‑AWGN) channel using polar codes. The authors exploit two fundamental properties of polar coding: (i) the polarization of bit‑channels into a set of highly reliable “good” channels (G) and a set of unreliable “bad” channels (B), and (ii) the existence of a large automorphism group of the polar transform matrix. By randomly selecting an automorphism from this group, the encoder matrix is drawn uniformly from all permutations that preserve the polar transform structure. This randomization guarantees that the public encoder distribution is statistically independent of the receiver’s (Bob’s) choice bit, thereby achieving perfect secrecy for Bob (SfB) at any finite blocklength.

The protocol works as follows. Alice first determines the good and bad index sets G and B according to a threshold on the symmetric capacities of the polarized bit‑channels (computed via Gaussian approximation). She then draws a random permutation σ from Aut(T), the automorphism group of the polar matrix T, and forms the permuted encoder T_σ = P_σ T. The two messages M0 and M1 are embedded: bits placed on indices in G carry the chosen message, while bits placed on indices in B are filled with independent random bits unknown to Bob. Because the random bits occupy the bad channels, they act as virtual erasures for the unchosen message, providing the “erasure‑like” abstraction required for OT. Bob, who knows his choice bit c∈{0,1}, uses either the original decoder (view 1) or the permuted decoder (view 2) to recover the message corresponding to his choice while remaining oblivious to the other message.

Security analysis is split into two parts. For SfB, the uniform sampling of σ from Aut(T) ensures that the distribution of the encoder is independent of c, so Bob’s choice cannot be inferred from any public information. For SfA (Alice’s secrecy), the authors inject randomness into the bad channels and then apply a standard privacy‑amplification step (universal hashing) to reduce any residual leakage to an arbitrarily small ε. The analysis shows that, asymptotically, the leakage vanishes as the blocklength grows, while at finite n a relaxed reliability condition is introduced to account for the two‑view decoding structure. Monte‑Carlo simulations confirm that the empirical error probability matches the theoretical bound under this relaxed criterion.

A major technical contribution is the complete characterization of Aut(T). The authors prove that every automorphism corresponds to a unique permutation of the m bit‑positions in the Kronecker‑product construction T = T_0^{⊗m}, where T_0 is Arıkan’s 2×2 kernel. Consequently, |Aut(T)| = m! and the group can be enumerated or sampled uniformly by simply permuting the m positions. This result provides a tractable search space for the encoder randomization and enables efficient implementation without resorting to ad‑hoc permutations.
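The bit-position characterization above can be checked by brute force for small m. The following is an added example, not code from the paper: it assumes an automorphism is an index permutation that leaves T unchanged when applied to rows and columns together, and all function names are hypothetical.

```python
import itertools
import secrets

def polar_transform(m):
    """T = T0^{(x)m} over GF(2), T0 = [[1,0],[1,1]].
    Entry T[i][j] is 1 iff the set bits of j are a subset of those of i."""
    n = 1 << m
    return [[int((i & j) == j) for j in range(n)] for i in range(n)]

def lift(pi):
    """Lift a permutation pi of the m bit positions to a permutation of the
    2^m bit-channel indices: bit k of index i moves to bit pi[k]."""
    m = len(pi)
    return [sum(((i >> k) & 1) << pi[k] for k in range(m)) for i in range(1 << m)]

def is_automorphism(T, s):
    """Assumed definition: relabelling rows and columns by s leaves T unchanged."""
    n = len(T)
    return all(T[s[i]][s[j]] == T[i][j] for i in range(n) for j in range(n))

def bit_lifts(m):
    """Index permutations obtained from all m! bit-position permutations."""
    return {tuple(lift(pi)) for pi in itertools.permutations(range(m))}

def sample_automorphism(m):
    """Uniform draw over the m! bit-position permutations (OS randomness),
    returned as an index permutation."""
    pi = list(range(m))
    secrets.SystemRandom().shuffle(pi)
    return lift(pi)

def count_automorphisms(m):
    """Exhaustive count over all (2^m)! index permutations; feasible for m <= 3."""
    T = polar_transform(m)
    return sum(is_automorphism(T, s)
               for s in itertools.permutations(range(1 << m)))

if __name__ == "__main__":
    for m in (2, 3):
        T, lifts = polar_transform(m), bit_lifts(m)
        print(f"m={m}: {len(lifts)} bit-position lifts,",
              "all automorphisms:", all(is_automorphism(T, s) for s in lifts),
              "| exhaustive count:", count_automorphisms(m))
    # Constructed counterexample: swapping indices 1 and 3 (n = 4) is not a
    # bit-position permutation and does not preserve T.
    print("swap(1,3) preserves T:", is_automorphism(polar_transform(2), [0, 3, 2, 1]))
```

Under the assumed definition the exhaustive count equals m! for m = 2 and m = 3, so sampling a bit-position permutation and lifting it covers the whole group without searching the (2^m)! index permutations.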

For finite‑blocklength performance, the paper proposes an optimization framework that jointly selects the permutation σ and the index sets (G,B) to maximize the OT payload under constraints on leakage, reliability, and blocklength n. Using Gaussian‑approximation recursion, the mutual information of each bit‑channel at the operating SNR is computed. For a fixed σ, the optimal G is obtained by a closed‑form “max‑k” rule: select the k indices with the largest mutual information that also satisfy the cross‑cut condition (i.e., σ maps G into B). The outer optimization over σ reduces to a low‑complexity search over the factorial-sized permutation space, made feasible by the structural insight that only the relative ordering of good and bad indices matters. Numerical results show that the optimized scheme outperforms previous constructions that relied on linear codes with good Schur squares or on generalized erasure channel emulation.

The paper also discusses three decoding scenarios at Bob: (1) both views use the same code (P1 = P2), (2) the views use different codes but Bob decodes each with its matched decoder, and (3) Bob treats the permuted code as a matched decoder for the second view. The impact of each scenario on error probability and secrecy is analytically quantified.

In summary, the authors deliver the first polar‑code‑based OT protocol that directly handles a continuous‑alphabet BI‑AWGN channel without alphabet extension. By marrying channel polarization, automorphism‑induced encoder randomization, and privacy amplification, they achieve both perfect receiver secrecy at any blocklength and asymptotic sender secrecy, while providing a practical finite‑blocklength rate optimization method. The work bridges the gap between information‑theoretic OT capacity results and implementable coding schemes, opening avenues for extensions to multi‑user settings, asymmetric channels, and real‑time hardware implementations.

