Notes of Oblivious Transfer Protocol From Homomorphic Encryption Schemes

# Notes of Oblivious Transfer Protocol From Homomorphic Encryption Schemes https://eprint.iacr.org/2020/647.pdf ## OT Problem 1. A sender has two secrets (m0 and m1) 2. A receiver wants to learn one of them (mσ where σ is 0 or 1) Two Main condition on OT Schema is: **Condition_1** : Receiver learns nothing about other message **Condition_2** : Sender shouldn't learn about what receiver asked for i.e `mσ` ## Generic OT Schema ![image](https://hackmd.io/_uploads/rJVcn-vVyl.png) ### Different Variations of OT: 1. OT²₁: Basic 1-out-of-2 transfer 2. OTⁿ₁: 1-out-of-n transfer 3. OTⁿₖ: k-out-of-n transfer vikas todos! Todo_1 ✅: OT protocol based on Diffie-Hellman key exchange Todo_2 ⏳: Hauck and Loss improved it to be fully UC-secure (Universal Composability secure) ## Chou and Orlandi’s OT²₁ https://eprint.iacr.org/archive/2015/267/1527602042.pdf - Sender has two messages (m₀, m₁) - Receiver has a choice bit σ ∈ {0,1} - Sender doesn't learn which message was chosen - Receiver only learns mσ ![image](https://hackmd.io/_uploads/ryHPo6KNJe.png) 1. At the sender's side, you will compute two keys, k0 and k1, and create two encrypted messages, c0 and c1. 2. On the receiver's side, since we already know the σ bit (either 0 or 1), we will simply choose either c0 or c1 according to the bit and use this function 3. The protocol involves three rounds: sender sends A, receiver responds with B, and sender transmits {c₀, c₁}. 4. Regarding security considerations, it's important to note that this protocol is not fully UC-secure and requires secure random number generation. Additionally, keys should be reused in the initial setups! ### Hauck and Loss’s OT²₁ protocol