# Note for Committed Oblivious Transfer ## What is committed oblivious transfer(COT)? COT is oblivious transfer with commitments to sender's messages, chooser's choice bit, and chooser's received message. Verifiable OT(VOT) is almost the same with COT but it doesn't require the commitment to received message. COT can produce commitment to the chooser's output value which can be used by the surrounding protocol later e.g. in zkSNARK. Any VOT protocol can be transformed into COT by committing to the output message $s_b$ and prove its authenticity. It can prevent selective failure attack. ## COT for single bits COT for single bits was first introduced in 1995 [1]. OT sender Alice is committed to bits $a_0$, $a_1$. OT receiver Bob is committed to bit $b$. At the end of the protocol, Bob is committed to $a_b$ and knows nothing about $a_{\bar b}$ and Alice learns nothing about $b$. We will not cover this protocol in detail in this doc. Please refer to [2]. [2] gives COT with constant number of exponentiations and communication rounds per transfer based on common reference string(CRS) model. # COT for bit strings [3] achieves committed oblivious transfer for bit strings. Sender can commit to bit strings instead of committing to single bits. This protocol enables sender to commit to every garbled circuit input labels and chooser to commit to those corresponding to their choice bits without revealing the actual choices. Hence, COT enables to prove correct garbled circuit generation and evaluation using the commitment values. In [3], COT is done in 2 round of communucations based on the random oracle model. The protocol uses (2,2)-threshold homomorphic encryption like Elgamal or Paillier and its privacy for both parties are computational which is given by the encryption scheme. ## Protocol Sender's messages $s_0, s_1$, randomness $r_0, r_1$, secret key share of threshold encryption $sk_S$, chooser's choice bit $b$, randomness $r$, secret key share $sk_C$. First, sender computes commitments to their input $e_0 = E(s_0, r_0), e_1 = E(s_1, r_1)$ and chooser computes the commitment to their choice bit $e = E(b, r)$ and open the commitment values $e, e_0, e_1$ to each other. Sender computes secure evaluation of oblivious transfer equation $t = (s_1 - s_0)\cdot b + s_0$, which evaluates to $s_1$ when $b$ is 1 and $s_0$ when $b$ is 0, by computing on ciphertexts $e' = e^{s_1-s_0} \cdot e_0 \cdot E(0)$ and sends it to chooser. Sender also sends the decryption key share for the ciphertext $e'$: $s_S = D_{sk_S}(e')$. Sender also generate proof of the correctness of the decryption key share using sigma protocol. Choser verify the decryption key share using sigma proof. If it's correct, choser computes its decryption key share and decrypt $e'$ to retrieve $s_b$. Choser computes fresh commitment for $s_b$ with new randomness $u$: $e'' = E(s_b, u)$. Additionaly, the choser computes decryption key share for $e''/e'$: $\hat{s_C} = D_{sk_C}(e''/e')$ and send them to the sender with sigma proof for the key share correctness. Sender checks the validity of the new commitment $e''$ by checking the reconstructed value is 0. If public verifiability matters, sender just opens the last decryption key share with sigma proof.  **Important note** - COT requires DKG setup for (2,2)-homomorphic encryption schemes like ElGamal or Paillier. - Efficiency ## Now, the challenges - How to achieve committed oblivious transfer for OT extension? - Does extending this protocol make COT for OT extension? - What about silent OT protocols? - How to achieve committed oblivious transfer for correlated oblivious transfer? # ROT/COT and commitments Random OT Correlated OT And commitments ## Reference [1] Cr´epeau, Graaf and Tapp, 1995, Committed Oblivious Transfer and Private Multi-Party Computation [2] Garay, MacKenzie, Yang, 2004, Efficient and Universally Composable Committed Oblivious Transfer and Applications [3] Kiraz, Schoenmakers, Villegas, 2007, Efficient Committed Oblivious Transfer of Bit Strings ## Appendix ### Bit commitment Alice commit to a bit $a$ and later reveal the value but cannot open as $\bar a$. Bob cannot know the value of $a$ before Alice reveals that. OT can be converted to bit commitment(BC). **Commit Phase:** - Committer sends $m_0$ and $m_1$ (random and secret) using 1-out-of-2 OT - Receiver gets one of the two values but doesn't know if they received the secret $r$ or a random value. **Reveal Phase:** - Committer reveals bit $b$ and the random value $r$. - Receiver verifies if the received message from OT matches the bit and random value. --- \* COT is sometimes abbreviation of Correlated Oblivious Transfer but it is different protocol.