Base OT

We introduce the CO15 OT as the base OT.

Notation. The protocol is described over an additive group of prime order generated by . Denote as a key-derivation function to extract a -bit key from group elements.

Note that here is different from the tweakable hash function in garbled circuit.

In the CO15 protocol, the sender holds -bit strings and the receiver holds -bit string . The protocol is as follows.

  • The sender samples , and computes and .

  • The sender sends to the receiver, who aborts if .

  • For , the receiver samples , and computes:

  • The receiver sends to the sender, who aborts if .

  • For , the sender computes and sends to the receiver.

  • For , the receiver computes , and outputs

Correctness. The receiver always computes the hash of . The sender sends the hashes of and . If , is the hash of , then the receive will get . if , is the hash of , then the receiver will get .

Security. We refer the security analysis to CO15.