在互联网快速发展、大数据的挖掘与应用已渗透到各行各业的今天, 如何安全且高效地共享、使用海量数据成为新的热点研究问题. 安全多方计算是解决该问题的关键技术之一, 它允许一组参与方在不泄露隐私输入的前提下进行交互, 共同计算一个函数并得到输出结果. 不经意传输协议, 也叫茫然传输协议, 是一种保护隐私的两方通信协议, 消息发送者持有两条待发送的消息, 接收者选择一条进行接收, 事后发送者对接收者获取哪一条消息毫不知情, 接收者对于未选择的消息也无法获取任何信息. 不经意传输协议是安全多方计算技术的关键模块之一, 其效率优化可有效推动安全多方计算技术的应用落地, 对于特殊的两方安全计算协议如隐私集合交集计算尤为重要. 总结了不经意传输协议的分类及几种常见的变体, 分别阐述了基于公钥密码的不经意传输协议的构造和研究进展, 以及不经意传输扩展协议的构造和研究进展, 由此引出不经意传输扩展协议的效率优化研究的重要性. 同时, 在半诚实敌手和恶意敌手这两种敌手模型下, 分别对不经意传输协议和不经意传输扩展协议的效率优化研究进展进行了全面梳理. 另一方面, 从应用角度对不经意传输协议和不经意传输扩展协议在工程实现中常用的优化技术进行了系统化分析. 最后, 总结了不经意传输协议和不经意传输扩展协议研究目前所面临的主要问题及未来发展趋势.
With the rapid development of the Internet and the penetration of big data mining and applications into all walks of life, how to share and use massive data securely and efficiently has become a new hot research issue. Secure multi-party computation is one of the key technologies to solve this problem. It allows a group of participants to interact compute a function together, and get the output without revealing private inputs. Oblivious transfer is a privacy-protected two-party communication protocol in which a sender holds two messages to be sent, and a receiver selects one to receive, but after that, the sender knows nothing about which message the receiver gets, and the receiver cannot get any information about the unselected message. Oblivious transfer has become one of the key modules of secure multi-party computation, and its efficiency optimization can effectively promote the application of secure multi-party computation, especially for special two-party secure computation protocols such as private set intersection. This paper summarizes the classification of oblivious transfer and several common variants, and respectively describes the construction and research progress of the oblivious transfer protocol based on public key cryptography and oblivious transfer extension, which leads to the importance of the efficiency optimization research of oblivious transfer. At the same time, this paper comprehensively reviews the research progress of efficiency optimization of oblivious transfer and oblivious transfer extension from the perspectives of semi-honest adversary and malicious adversary. On the other hand, in practical application, this paper systematically summarizes the optimization technologies used in the engineering implementation of oblivious transfer and oblivious transfer extension protocols. Finally, this paper points out the main problems and future works of oblivious transfer and oblivious transfer extension protocols.
随着云计算、大数据和人工智能技术的迅速发展与应用, 数据安全和隐私保护成为全球关注的热点问题. 2018年, 欧盟出台《通用数据保护条例》(general data protection regulation, GDPR)用于保护欧盟境内的个人隐私数据. 2021年, 我国通过了《中华人民共和国数据安全法》和《中华人民共和国个人信息保护法》, 旨在从立法层面规范全面构筑我国信息与数据安全领域的法律框架. 与传统数据使用方式相比较, 隐私计算可以平衡数据利用和安全, 实现数据的“可用不可见”, 可为数据安全和隐私保护问题提供了较为有效的解决方案.
不经意传输协议(oblivious transfer, OT)是隐私计算领域重要技术之一, 最早由Rabin提出[
OT协议是安全多方计算协议中需要大量使用的关键构建模块. 1988年, Kilian[
1996年之前, OT协议均基于公钥密码学原语建立, 这使得OT协议的计算效率较低. 1989年, Impagliazzo和Rudich[
作为SMPC协议中被大量使用的构建模块, OT协议和OT扩展协议的效率在很大程度上决定着整个SMPC协议的效率. 在实际应用方面, 除了几种最实用有效的通用SMPC协议[
另一方面, 考虑到不同OT协议变体的计算效率以及应用需求, 目前学术界关注度最高的OT变体主要是2-选-1 OT[
Phong[
由于篇幅原因, 本文省去了对安全性相关定义的阐述, 包括但不限于敌手模型[
本文第1节概述OT协议基本知识, 给出OT协议及各种变体的分类, 以及构造OT协议的基本框架. 第2节梳理基于公钥的基础OT协议相关研究成果和效率优化进展, 并对其进行比较分析. 第3节梳理OT扩展协议的研究进展与相关成果, 并对其进行比较分析. 第4节对工程实现上的OT扩展优化思路以及相关技术的研究进展进行总结. 第5节概括OT协议的使用需求和使用场景. 最后, 在第6节总结目前OT协议效率研究方面存在的问题以及未来发展趋势.
OT协议是一种保证通信双方信息隐私性的通信协议, 协议中有两个参与方, 一是信息持有方, 即发送方S (下文均用S表示), 二为接收方R (下文均用R表示). 本节给出目前存在的不同OT协议及其变体.
(1) 原始OT协议
1981年, Rabin[
(2) 2-选-1 OT协议
1985年, Even等人[
1987年, Crépeau[
2020年, Garg等人[
(3)
1986年, Brassard等人[
Brassard等人[
(4) 随机OT协议
假设有两个参与方S和R, R输入选择比特
ROT最早在1995年由Beaver[
从随机OT到OT协议的转化
(5) OT扩展协议
在1996年, Beaver提出OT扩展(OT extension, OTE)协议[
OT扩展协议
(6) 广义OT协议
广义OT协议(简称GOT)最早在1997年由Ishai和Kushilevitz[
(7)
在1999年Naor等人[
对于
因为
(8) 自适应OT协议
1999年, Naor等人[
自适应OT方案有很多应用场景, 比如不经意搜索、不经意数据库查询、私有信息检索等. 后续也有一些对自适应OT的通信效率进行优化的方案[
(9) 门限OT (也叫分布式OT)协议
2000年由Naor和Pinkas[
(10) 相关OT协议
相关OT协议在2013年由Asharov等人提出[
COT在很多SMPC协议的预处理阶段中都作为核心构建模块存在[
(11) 其他变体协议
变体协议的研究让OT协议本身的特性得到更多挖掘与关注, 也使其在更多应用场景下发挥作用, 比如Wolf等人[
本节分别在半诚实敌手和恶意敌手两种模型下介绍Base OT协议的构造. Base OT协议即基于公钥密码学实现的
(1) 半诚实敌手
1989年Bellare和Micali[
协议构造思路[
半诚实敌手下构造
(2) 恶意敌手
为了应对接收方R作恶的情形, 必须要求R只能知道其中一个公钥所对应的私钥, 为实现这一目的, 可令R随机生成的公钥
恶意敌手下
(1) 半诚实敌手
OT扩展协议由Beaver[
然而, 由于Beaver的协议基于Yao的混淆电路非黑盒地实现了PRG, 所以协议非常低效, 难以应用于实际. Ishai和Kilian等人[
半诚实敌手下的IKNP OT扩展协议框架
IKNP协议主要可分为3阶段: Base OT阶段、OT扩展阶段和输出阶段, 其中, OT扩展阶段可进一步分为3部分, 包含2次交互. 即对
半诚实敌手下OT扩展协议的构造思路
IKNP协议的核心技巧在于OT扩展阶段的步骤(b), S是通过计算
由式(1), S可用
IKNP协议使用对称密码学原语的OT扩展思想, 既保证消息加解密的效率, 又限制了接收方解密的能力.
(2) 恶意敌手
由于IKNP协议对恶意的发送方和半诚实的接收方是安全的. 因此如果要实现恶意敌手下的OT扩展协议, 只需考虑如何抵御接收方的恶意行为即可.
首先, 接收方R可采取的有效攻击行为非常有限: 因为中途退出协议、发送不真实的选择向量
在OT扩展阶段, R需要发送
恶意敌手下安全的OT扩展协议框架
由
Base OT协议在SMPC协议和OT扩展协议中都是最基础、最核心的密码学原语. 目前广泛使用的Base OT原语以及后续工作都是基于恶意敌手模型下安全的, 故本节对Base OT协议进展的总结也将仅在恶意敌手模型下展开.
但因为现实中不存在真正的随机函数, 学术界认为随机谕言机模型在实现时仍存在安全隐患, 并且以上两个方案[
2013年, Asharov等人[
2015年, Chou和Orlandi[
NP01协议与CO15协议对比图
由
在安全性上, CO15协议[
2019年, Masny和Rindal[
CO15协议与MR19协议对比图
2020年, Canetti等人[
CO15协议与CSW20协议对比图
现以执行
Base OT协议对比
协议 | 通信开销(bits) | 计算开销(指数计算) | 依赖假设 | 轮数 | 是否恶意安全 | ||
Sender | Receiver | Sender | Receiver | ||||
Bellare |
2048 |
2 |
RO, CDH | 3 | √ | ||
Naor |
1024 |
RO, CDH | 3 | √ | |||
Chou |
1024 |
2 |
RO, GapDH | 2 | √ | ||
Mansy |
1 024 | 2048 |
2 |
RO, DDH | 1 | √ | |
Canetti |
4 |
(1024+ |
2 |
RO, CDH | 3 | √ |
目前大多数OT协议都是基于传统密码体制提出的, 而自1994年Shor[
现有的后量子OT协议主要可分为两类: 一类是依赖于统计安全构造的后量子OT协议, 基于比如噪声信道存在性(existence of noisy channels)[
David等人[
基于伴随式译码问题困难性假设的UC模型下安全OT协议最早由Bernardo等人[
OT扩展协议的提出主要是为了解决在执行大量OT协议时公钥密码学原语所带来的巨大开销, 其主要思想为参与双方先执行少量Base OT协议交换“种子”信息, 然后通过高效的对称密钥原语(如哈希函数、伪随机数生成器(PRG)、伪随机函数(PRF)等)对种子信息进行长度扩展, 进而生成大量OT实例.
从OT扩展协议的构造方式角度来进行划分, 目前OT扩展协议的构造方式主要可分为: 基于IKNP的OT扩展框架(IKNP-style OTE)和基于伪随机相关生成器(pseudorandom correlation generators, PCG)的OT扩展框架(PCG-style OTE).
其中, 最基础的协议框架是2003年Ishai等人[
而基于PCG的OT扩展框架则源自Boyle等人[
2013年, Asharov等人[
同年, Kolesnikov和Kolesnikov[
2019年, Boyle等人[
Silent OT扩展协议示意图
Silent OT扩展协议主要分为“种子密钥建立分发”阶段、“本地伪随机长度扩展”阶段和“输出”阶段, 其最大的特点在于: 参与双方仅需在建立阶段执行少量OT协议交换种子信息, 而在OT扩展阶段则无需通信, 在本地执行PCG扩展算法即可将具有相关性的短种子信息扩展为具有相关性的长伪随机比特串, 其扩展长度可达多项式级, 这使Silent OT扩展协议无论是在通信开销还是存储压力方面都具备显著优势, 在
为了降低Silent OT扩展协议在密钥建立阶段以及dual-LPN假设所带来的较大计算开销, Schoppmann等人[
后来Yang等人[
Silent OT扩展协议的提出开辟了一种新的OT扩展协议构造框架, 这种构造能够对COT进行高效扩展, COT广泛应用于混淆电路协议中, 而且也能很容易地转化为可选择的标准OT (chosen-input OT), 用来构造PSI协议. 基于Silent OT构造的PSI协议[
恶意敌手下安全协议的最终设计目的是在满足恶意安全性的同时, 其效率尽可能接近半诚实敌手下安全协议的效率.
Ishai等人[
近年来, 恶意敌手下安全的OT扩展协议的运行成本已经大大降低, 并优化至固定开销.
2012年, Nielsen等人[
用哈希函数实现一致性检测的思想在后来得到沿用与改进. 2015年, Asharov等人[
ALSZ15协议一致性检测优化示意图
进一步地, 作者考虑在此结论的基础上增加少量的Base OT来降低一致性检测的数量, 通过调整参数
同样是在2015年, Keller等人[
另一方面, 在低带宽的WAN网络环境下, 如何降低通信开销是OT扩展协议亟需解决的又一问题. Boyle等人[
至此, Silent OT协议的瓶颈问题从通信开销转移到了建立阶段的计算开销. Schoppmann等人[
由于文献[
OT扩展协议通信开销分析比较
协议 | 种子OT |
通信开销(bits) | OT实例均摊 |
通信轮数 | 依赖假设 | 是否恶意安全 | |
Beaver D[ |
128 | Poly | poly | 2 | OWF | × | |
Ishai Y, |
128 | 2 |
256 | 2 | CR | × | |
Asharov G, |
128 | 128 | 2 | CR | × | ||
Kolesnikov V, |
256 | 32 | 2 | CR | × | ||
Boyle E, |
128 | 0−3 | dual-LPN, CR | × | |||
Yang K, |
Ferret-Uni | 128 | o( |
0.73 | 2 |
primal-LPN, CR | × |
Ferret-Reg | 128 | o( |
0.44 | 2 |
primal-LPN, CR | × | |
Ishai Y, |
5 120 | > 10240 | 3 | CR | √ | ||
Nielsen JB, |
342 | 342 |
342 | 3 | RO | √ | |
Asharov G, |
Local | 191 | 191 | 3 | RO, CR | √ | |
Cloud | 175 | 175 | |||||
Keller M, |
128 | 128 |
128 | 3 | CR | √ | |
Boyle E, |
128 | o( |
0.1 | 2 | dual-LPN, CR | √ | |
Yang K, |
Ferret-Uni | 128 | o( |
0.73 | 4 |
primal-LPN, TCR | √ |
Ferret-Reg | 128 | o( |
0.44 | 4 |
primal-LPN, TCR | √ |
如第3.1节中所提到的, 2013年Kolesnikov等人[
进一步地, 作者认为只需保证
即不同的
由于
2017年, Orrù等人[
另一方面, 通过使用合适的二元线性码,
2020年, Pinkas等人[
本节以
Base OT阶段的主要特点是基于公钥密码学构造, 在实现时计算效率较低、通信开销较大, 因此在实现上可考虑通过将有限域上的模幂运算转换为椭圆曲线上的倍点运算以降低计算和通信开销, 也可结合多线程技术进行计算效率的优化.
对于Base OT阶段的公钥密码运算, 文献[
安全性参数和推荐的密钥长度
安全性 | SYM | FFC | ECC |
短(传统长度) | 80 | 1 024 | 160−223 |
中(< 2030) | 112 | 2 048 | 224−255 |
长(> 2030) | 128 | 3 072 | 256−383 |
为更好地进行比对, 后来Asharov等人[
2015年, Chou和Orlandi[
当需要实现大量OT时, 一个很自然的优化思路便是并行计算, 通过将运算任务分配给多个不同的线程并行处理, 以实现计算效率的优化, Henecka和Schneider[
批处理Base OT (batching Base OT)一般的实现方式是借助Base OT协议中发送方提供的可复用的消息(如第2节所示), 接收方在本地构造出128个OT实例密文, 然后一次性批量发送给发送方, 通过两轮交互即可完成Base OT阶段. 但在2021年亚密会上McQuoid等人[
对于OT扩展-第Ⅰ阶段, 主要的瓶颈在于较为繁重的通信开销, 而对该部分并行化处理是一个可行的通信效率优化思路, Henecka和Schneider[
针对这一问题, 文献[
OT扩展-第Ⅱ阶段的主要操作为发送方S根据第Ⅰ阶段收到的消息生成矩阵
密码协议的计算复杂度通常是通过计算密码原语的调用次数来衡量的, 这是因为它们的开销往往在运行时占主导地位. Asharov等人[
注意到在IKNP协议中, 接收方R生成的两个
经过实验, Asharov等人[
OT extension主要计算开销占比[
运算名称 | 主要计算开销占比(%) |
矩阵转置 | 43 |
33 | |
14 |
由
后来在文献[
对于PRG, 可以考虑3种实现方式: CTR-模式的分组密码、流密码和哈希函数. 其中最常用的是通过分组密码实现, 这是因为现代CPU的硬件支持, AES的实现比SHA-1、SHA-256更高效, 故在2013年, Henecka和Schneider[
后来在2015年的欧密会上, Albrecht等人[
OT扩展-第Ⅲ阶段中发送方S加密消息对的安全性依赖于RO假设或CRH假设, 其中CRH假设是比RO假设更弱的安全性假设. 通常在协议设计和分析时都会用哈希函数来模拟RO和CRH以保证实现的安全性.
就哈希函数的实现效率而言, 可以考虑采用BLAKE2哈希算法[
由于AES具备良好的硬件实现支持, 它的实现效率是一般哈希函数(SHA-3, SHA256等)的15−50倍[
针对这一问题, Guo等人[
OT扩展协议中
安全性 | 安全性假设 | 构造方式 |
半诚实敌手下安全 | CR | |
恶意敌手下安全 | TCR |
OT协议最早用于构建公平的秘密交换协议[
19世纪80年代末, 有两个重要的SMPC协议被提出: Yao的混淆电路协议[
混淆电路协议(garbled circuit, GC)是基于大整数分解的困难性问题提出的一种通用的半诚实敌手模型下的安全两方计算协议, 其核心思想是将函数看作布尔电路来实现. 布尔电路与算术电路相比, 虽然在算术运算上, 特别是乘法运算, 不如算术电路执行高效, 但它可以很容易地实现比较运算[
而Goldwasser等人[
在混淆电路协议与GMW协议提出后, Kilian[
随着安全多方计算技术的不断发展, 为了满足不同的场景需求, 安全多方计算协议也被不断地优化并产生了各种各样的协议变体. 对于安全多方计算协议的设计者来说, 将合适的安全协议应用到相匹配的场景中是较容易的, 但是对于非专家来讲, 为特定的部署场景选择合适并高效的计算协议仍存在困难. Daniel等人[
ABY框架、混淆电路协议在近几年机器学习隐私保护方案中得到广泛应用与进一步发展, 比如基于秘密共享的SecureML[
综上, OT协议及相关变体已成为SMPC协议的关键基础构件, 并得到广泛应用, 而OT协议及相关变体本身的效率, 也往往成为了使用它的协议的性能瓶颈[
隐私集合交集计算作为SMPC领域一个热门问题, 具备十分广泛的应用前景, 如: 联系人发现[
私有信息检索协议[
不经意多项式求值的研究始于Naor和Pinkas在1999年提出的方案[
综上所述, 从Base OT协议, 到
结合当前OT协议和OT扩展协议的研究进展, 目前可进一步研究的问题包括但不限于.
(1) 满足UC安全性的高效OT扩展协议、COT扩展协议的设计及其在不同安全多方计算协议中的应用和测试;
(2) 将解决了通信开销瓶颈的Silent OT扩展协议和Ferret OT扩展协议应用到不同SMPC协议以及机器学习隐私保护方案中, 并做进一步的开销对比以及可用性分析;
(3) 基于PCG的OT扩展协议框架构造高效的
(4) 结合分布式的思想实现OT扩展协议;
(5) rate-1 OT的计算和通信效率优化、rate-1 OT思想与OT扩展协议的结合以及其他变体应用的研究.
使用已有的最新可用的工程优化技术进行实现对比, 并探索更多易普及的工程优化思路.
Rabin MO. How to exchange secrets with oblivious transfer. IACR Cryptol. ePrint Arch., 2005, 2005(187).
Even S, Goldreich O, Lempel A. A randomized protocol for signing contracts. Communications of the ACM, 1985, 28(6): 637-647.
Líšková L, Stanek M. Efficient simultaneous contract signing. In: Proc. of the IFIP Int'l Information Security Conf. Boston: Springer, 2004. 441-455.
Staneková L, Stanek M. Fast contract signing with batch oblivious transfer. In: Proc. of the IFIP Int'l Conf. on Communications and Multimedia Security. Berlin, Heidelberg: Springer, 2005. 1-10.
Brassard G, Crépeau C, Robert JM. All-or-nothing disclosure of secrets. In: Proc. of the Conf. on the Theory and Application of Cryptographic Techniques. Berlin, Heidelberg: Springer, 1986. 234-238.
Kilian J. Founding cryptography on oblivious transfer. In: Proc. of the 20th Annual ACM Symp. on Theory of Computing. 1988. 20-31.
Blum M. Coin flipping by telephone a protocol for solving impossible problems. ACM SIGACT News, 1983, 15(1): 23-27.
Harn L, Lin HY. An oblivious transfer protocol and its application for the exchange of secrets. In: Proc. of the Int'l Conf. on the Theory and Application of Cryptology. Berlin, Heidelberg: Springer, 1991. 312-320.
Bellare M, Micali S. Non-interactive oblivious transfer and applications. In: Proc. of the Conf. on the Theory and Application of Cryptology. New York: Springer, 1989. 547-557.
Impagliazzo R, Rudich S. Limits on the provable consequences of one-way permutations. In: Proc. of the 21st Annual ACM Symp. on Theory of Computing. 1989. 44-61.
Beaver D. Precomputing oblivious transfer. In: Proc. of the Annual Int'l Cryptology Conf. Berlin, Heidelberg: Springer, 1995. 97-109.
Beaver D. Correlated pseudorandomness and the complexity of private computations. In: Proc. of the 28th Annual ACM Symp. on Theory of Computing. 1996. 479-488.
Kolesnikov V, Kumaresan R, Rosulek M,
Orrù M, Orsini E, Scholl P. Actively secure 1-out-of-n OT extension with application to private set intersection. In: Proc. of the Cryptographers' Track at the RSA Conf. Cham: Springer, 2017. 381-396.
Ishai Y, Kilian J, Nissim K,
Peikert C, Vaikuntanathan V, Waters B. A framework for efficient and composable oblivious transfer. In: Proc. of the Annual Int'l Cryptology Conf. Berlin, Heidelberg: Springer, 2008. 554-571.
Nielsen JB, Nordholt PS, Orlandi C,
Kolesnikov V, Kumaresan R. Improved OT extension for transferring short secrets. In: Proc. of the Annual Cryptology Conf. Berlin, Heidelberg: Springer, 2013. 54-70.
Asharov G, Lindell Y, Schneider T,
Keller M, Orsini E, Scholl P. Actively secure OT extension with optimal overhead. In: Proc. of the Annual Cryptology Conf. Berlin, Heidelberg: Springer, 2015. 724-741.
Asharov G, Lindell Y, Schneider T,
Boyle E, Couteau G, Gilboa N,
Boyle E, Couteau G, Gilboa N,
Schoppmann P, Gascón A, Reichert L,
Yang K, Weng C, Lan X,
Nielsen J B, Orlandi C. LEGO for two-party secure computation. In: Proc. of the Theory of Cryptography Conf. Berlin, Heidelberg: Springer, 2009. 368-386.
Shelat A, Shen CH. Fast two-party secure computation with minimal assumptions. In: Proc. of the 2013 ACM SIGSAC Conf. on Computer & Communications Security. 2013. 523-534.
Frederiksen TK, Jakobsen TP, Nielsen JB,
Huang Y, Katz J, Kolesnikov V,
Lindell Y, Pinkas B. An efficient protocol for secure two-party computation in the presence of malicious adversaries. Journal of Cryptology, 2015, 28(2): 312-350.
Lindell Y, Riva B. Blazing fast 2PC in the offline/online setting with security for malicious adversaries. In: Proc. of the 22nd ACM SIGSAC Conf. on Computer and Communications Security. 2015. 579-590.
Lindell Y. Fast cut-and-choose-based protocols for malicious and covert adversaries. Journal of Cryptology, 2016, 29(2): 456-490.
Keller M, Orsini E, Scholl P. MASCOT: Faster malicious arithmetic secure computation with oblivious transfer. In: Proc. of the 2016 ACM SIGSAC Conf. on Computer and Communications Security. 2016. 830-842.
Dong C, Chen L, Wen Z. When private set intersection meets big data: An efficient and scalable protocol. In: Proc. of the 2013 ACM SIGSAC Conf. on Computer & Communications Security. 2013. 789-800.
Pinkas B, Schneider T, Zohner M. Faster private set intersection based on OT extension. In: Proc. of the 23rd USENIX Security Symp. 2014. 797-812.
Rindal P, Rosulek M. Improved private set intersection against malicious adversaries. In: Proc. of the Annual Int'l Conf. on the Theory and Applications of Cryptographic Techniques. Cham: Springer, 2017. 235-259.
Pinkas B, Schneider T, Segev G,
Pinkas B, Schneider T, Zohner M. Scalable private set intersection based on OT extension. ACM Trans. on Privacy and Security, 2018, 21(2): 1-35.
Pinkas B, Rosulek M, Trieu N,
Pinkas B, Schneider T, Tkachenko O,
Pinkas B, Rosulek M, Trieu N,
Chase M, Miao P. Private set intersection in the internet setting from lightweight oblivious PRF. In: Proc. of the Annual Int'l Cryptology Conf. Cham: Springer, 2020. 34-63.
Rindal P, Schoppmann P. VOLE-PSI: Fast OPRF and circuit-PSI from Vector-OLE. Cryptology ePrint Archive, Report 2021/266, 2021.
Kolesnikov V, Matania N, Pinkas B,
Kiss Á, Liu J, Schneider T,
Kales D, Rechberger C, Schneider T,
Ion M, Kreuter B, Nergiz E,
Lv S, Ye J, Yin S,
Ion M, Kreuter B, Nergiz AE,
Demmler D, Schneider T, Zohner M. ABY-A framework for efficient mixed-protocol secure two-party computation. NDSS, 2015.
Mohassel P, Zhang Y. SecureML: A system for scalable privacy-preserving machine learning. In: Proc. of the 2017 IEEE Symp. on Security and Privacy. IEEE, 2017. 19-38.
Mohassel P, Rindal P. ABY 3: A mixed protocol framework for machine learning. In: Proc. of the 2018 ACM Conf. on Computer and Communications Security. ACM, 2018. 35-52.
Agrawal N, Shahin Shamsabadi A, Kusner M J,
Naor M, Pinkas B. Efficient oblivious transfer protocols. In: Proc. of the 2001 ACM SODA. 2001, 448-457.
Chou T, Orlandi C. The simplest protocol for oblivious transfer. In: Proc. of the Int'l Conf. on Cryptology and Information Security in Latin America. Cham: Springer, 2015. 40-58.
Mansy D, Rindal P. Endemic oblivious transfer. In: Proc. of the 2019 ACM SIGSAC Conf. on Computer and Communications Security. 2019. 309-326.
Döttling N, Garg S, Ishai Y,
Grag S, Hajiabadi M, Ostrovsky R. Efficient range-trapdoor functions and applications: Rate-1 OT and more. In: Proc. of the Theory of Cryptography Conf. Cham: Springer, 2020. 88-116.
Chase M, Grag S, Hajiabadi M,
Tzeng WG. Efficient 1-out-
Patra A, Sarkar P, Suresh A. Fast actively secure OT extension for short secrets. arXiv: 1911.08834, 2019.
Yao ACC. How to generate and exchange secrets. In: Proc. of the 27th Annual Symp. on Foundations of Computer Science. IEEE, 1986. 162-167.
Goldwasser S. How to play any mental game, or a completeness theorem for protocols with an honest majority. In: Proc. of the 19th Annual ACM STOC 1987. 1987. 218-229.
Naor M, Pinkas B. Computationally secure oblivious transfer. Journal of Cryptology, 2005, 18(1): 1-35.
Naor M, Pinkas B. Oblivious transfer and polynomial evaluation. In: Proc. of the 21st Annual ACM Symp. on Theory of Computing. 1999. 245-254.
Phong LT. A survey on oblivious transfer protocols. Journal of the National Institute of Information and Communications Technology, 2011, 58(3): 181-186.
Evans D, Kolesnikov V, Rosulek M. A pragmatic introduction to secure multi-party computation. Foundations and TrendsⓇ in Privacy and Security, 2017, 2(2-3).
Shen LY, Chen XJ, Shi JJ,
申立艳, 陈小军, 时金桥, 等. 隐私保护集合交集计算技术研究综述. 计算机研究与发展, 2017, 54(10): 2153.
Aumann Y, Lindell Y. Security against covert adversaries: Efficient protocols for realistic adversaries. In: Proc. of the Theory of Cryptography Conf. Berlin, Heidelberg: Springer, 2007. 137-156.
Green M, Hohenberger S. Blind identity-based encryption and simulatable oblivious transfer. In: Proc. of the Int'l Conf. on the Theory and Application of Cryptology and Information Security. Berlin, Heidelberg: Springer, 2007. 265-282.
Lindell AY. Efficient fully-simulatable oblivious transfer. In: Proc. of the Cryptographers' Track at the RSA Conf. Berlin, Heidelberg: Springer, 200. 52-70.
Canetti R. Universally composable security: A new paradigm for cryptographic protocols. In: Proc. of the 42nd IEEE Symp. on Foundations of Computer Science. IEEE, 2001. 136-145.
Blazy O, Chevalier C. Generic construction of UC-secure oblivious transfer. In: Proc. of the Int'l Conf. on Applied Cryptography and Network Security. Cham: Springer, 2015. 65-86.
Hauck E, Loss J. Efficient and universally composable protocols for oblivious transfer from the CDH assumption. IACR Cryptol. ePrint Arch., 2017, 2017: 1011.
Guo C, Katz J, Wang X,
Crépeau C. Equivalence between two flavours of oblivious transfers. In: Proc. of the Conf. on the Theory and Application of Cryptographic Techniques. Berlin, Heidelberg: Springer, 1987. 350-354.
Wang FH, Hu YP, Liu ZH. Lattice-based oblivious transfer protocol. Journal on Communications, 2011, 32(3): 125-130 (in Chinese with English abstract).
王凤和, 胡予濮, 刘振华. 格基不经意传输协议. 通信学报, 2011, 32(3): 125-130.
Li Z, Zhang Y, Zhang F,
李子臣, 张亚泽, 张峰娟, 等. 理想格上可证明安全的不经意传输协议. 计算机应用研究, 2017, 34(1): 242-245.
Ishai Y, Kushilevitz E. Private simultaneous messages protocols with applications. In: Proc. of the Fifth Israeli Symp. on Theory of Computing and Systems. IEEE, 1997. 174-183.
Tassa T. Generalized oblivious transfer by secret sharing. Designs, Codes and Cryptography, 2011, 58(1): 11-21.
Chu CK, Tzeng WG. Efficient
Xu YJ, Li DS, Chen ZH. Efficient oblivious transfer protocol based on bilinear pairing. Computer Engineering, 2013, 39(6): 166-169 (in Chinese with English abstract).
徐彦蛟, 李顺东, 陈振华. 基于双线性对的高效不经意传输协议. 计算机工程, 2013, 39(6): 166-169.
Xu YJ, Li DS, Wang DS,
徐彦蛟, 李顺东, 王道顺, 等. 基于椭圆曲线公钥系统的不经意传输协议. 计算机科学, 2013, 40(12): 186-191.
Lai J, Mu Y, Guo F,
Naor M, Pinkas B. Oblivious transfer with adaptive queries. In: Proc. of the Annual Int'l Cryptology Conf. Berlin, Heidelberg: Springer, 1999. 573-590.
Ogata W, Kurosawa K. Oblivious keyword search. Journal of Complexity, 2004, 20(2-3): 356-371.
Chu CK, Tzeng WG. Efficient
Green M, Hohenberger S. Practical adaptive oblivious transfer from simple assumptions. In: Proc. of the Theory of Cryptography Conf. Berlin, Heidelberg: Springer, 2011. 347-363.
Kurosawa K, Nojima R, Phong LT. Efficiency-improved fully simulatable adaptive OT under the DDH assumption. In: Proc. of the Int'l Conf. on Security and Cryptography for Networks. Berlin, Heidelberg: Springer, 2010. 172-181.
Kurosawa K, Nojima R, Phong LT. Generic fully simulatable adaptive oblivious transfer. In: Proc. of the Int'l Conf. on Applied Cryptography and Network Security. Berlin, Heidelberg: Springer, 2011. 274-291.
Camenisch J, Neven G. Simulatable adaptive oblivious transfer. In: Proc. of the Annual Int'l Conf. on the Theory and Applications of Cryptographic Techniques. Berlin, Heidelberg: Springer, 2007. 573-590.
Green M, Hohenberger S. Universally composable adaptive oblivious transfer. In: Proc. of the Int'l Conf. on the Theory and Application of Cryptology and Information Security. Berlin, Heidelberg: Springer, 2008. 179-197.
Jarecki S, Liu X. Efficient oblivious pseudorandom function with applications to adaptive OT and secure computation of set intersection. In: Proc. of the Theory of Cryptography Conf. Berlin, Heidelberg: Springer, 2009. 577-594.
Kurosawa K, Nojima R. Simple adaptive oblivious transfer without random oracle. In: Proc. of the Int'l Conf. on the Theory and Application of Cryptology and Information Security. Berlin, Heidelberg: Springer, 2009. 334-346.
Naor M, Pinkas B. Distributed oblivious transfer. In: Proc. of the Int'l Conf. on the Theory and Application of Cryptology and Information Security. Berlin, Heidelberg: Springer, 2000. 205-219.
Frederiksen TK, Keller M, Orsini E,
Hazay C, Scholl P, Soria-Vazquez E. Low cost constant round MPC combining BMR and oblivious transfer. Journal of Cryptology, 2020, 33(4): 1732-1786.
Wolf S, Wullschleger J. Oblivious transfer is symmetric. In: Proc. of the Annual Int'l Conf. on the Theory and Applications of Cryptographic Techniques. Berlin, Heidelberg: Springer, 2006. 222-232.
Crépeau C, Sántha M. On the reversibility of oblivious transfer. In: Proc. of the Workshop on the Theory and Application of Cryptographic Techniques. Berlin, Heidelberg: Springer, 1991. 106-113.
Huang Q, Zhao YM. Independent oblivious transfer. Ruan Jian Xue Bao/Journal of Software, 2007, 18(4): 1015-1025.
Wei Y, Xiong GH, Zhang XK,
隗云, 熊国华, 张兴凯, 等. 辫群上的不经意传输协议. 计算机应用研究, 2010, 27(8): 3042-3044.
Zhang YS, Zhao HS, Chen HY, Yang YT. On scheme design of probabilistic 1 out of 2 oblivious transfer protocol. Journal of Cryptologic Research, 2021, 8(2): 282-293 (in Chinese with English abstract).
张艳硕, 赵瀚森, 陈辉焱, 等. 概率型2选1不经意传输协议的方案设计. 密码学报, 2021, 8(2): 282-293.
Liu MM. Analysis and design of lattice-based oblivious transfer protocols[Ph. D. Thesis]. Xi'an: Xidian University, 2018 (in Chinese with English abstract).
刘沫萌. 格上不经意传输协议的分析与设计[博士学位论文]. 西安: 西安电子科技大学, 2018.
Damgård I, Nielsen J B, Orlandi C. Essentially optimal universally composable oblivious transfer. In: Proc. of the Int'l Conf. on Information Security and Cryptology. Berlin, Heidelberg: Springer, 2008. 318-335.
Hazay C, Lindell Y. Efficient secure two-party protocols: Techniques and constructions. Springer Science & Business Media, 2010.
Li B, Micciancio D. Equational security proofs of oblivious transfer protocols. In: Proc. of the IACR Int'l Workshop on Public Key Cryptography. Cham: Springer, 2018. 527-553.
Genç ZA, Iovino V, Rial A. "The simplest protocol for oblivious transfer" revisited. Information Processing Letters, 2020, 105975.
Byali M, Patra A, Ravi D,
Doerner J, Kondi Y, Lee E,
Canetti R, Sarkar P, Wang X. Blazing fast OT for three-round UC OT extension. In: Proc. of the 23rd IACR Int'l Conf. on the Practice and Theory of Public-key Cryptography, PKC 2020. Springer, 2020. 299-327.
Shor PW. Algorithms for quantum computation: Discrete logarithms and factoring. In: Proc. of the 35th Annual Symp. on Foundations of Computer Science. IEEE, 1994. 124-134.
Crépeau C, Kilian J. Achieving oblivious transfer using weakened security assumptions. In: Proc. of the 29th Annual Symp. on Foundations of Computer Science. IEEE Computer Society, 1988. 42-52.
Crépeau C. Efficient cryptographic protocols based on noisy channels. In: Proc. of the Int'l Conf. on the Theory and Applications of Cryptographic Techniques. Berlin, Heidelberg: Springer, 1997. 306-317.
Damgård I, Kilian J, Salvail L. On the (im) possibility of basing oblivious transfer and bit commitment on weakened security assumptions. In: Proc. of the Int'l Conf. on the Theory and Applications of Cryptographic Techniques. Berlin, Heidelberg: Springer, 1999. 56-73.
Stebila D, Wolf S. Efficient oblivious transfer from any non-trivial binary-symmetric channel. In: Proc. of the IEEE Int'l Symp. on Information Theory. IEEE, 2002. 293.
Crépeau C, Morozov K, Wolf S. Efficient unconditional oblivious transfer from almost any noisy channel. In: Proc. of the Int'l Conf. on Security in Communication Networks. Berlin, Heidelberg: Springer, 2004. 47-59.
Nascimento ACA, Winter A. On the oblivious-transfer capacity of noisy resources. IEEE Trans. on Information Theory, 2008, 54(6): 2572-2581.
Pinto ACB, Dowsley R, Morozov K,
Dowsley R, Nascimento ACA. On the oblivious transfer capacity of generalized erasure channels against malicious adversaries: The case of low erasure probability. IEEE Trans. on Information Theory, 2017, 63(10): 6819-6826.
Beaver D. Commodity-based cryptography. In: Proc. of the 29th Annual ACM Symp. on Theory of Computing. 1997. 446-455.
Rivest R. Unconditionally secure commitment and oblivious transfer schemes using private channels and a trusted initializer. Unpublished manuscript, 1999.
Kilian J. More general completeness theorems for secure two-party computation. In: Proc. of the 22nd Annual ACM Symp. on Theory of Computing. 2000. 316-324.
Beimel A, Malkin T, Micali S. The all-or-nothing nature of two-party secure computation. In: Proc. of the Annual Int'l Cryptology Conf. Berlin, Heidelberg: Springer, 1999. 80-97.
Regev O. On lattices, learning with errors, random linear codes, and cryptography. Journal of the ACM, 2009, 56(6): 1-40.
McEliece RJ. A public-key cryptosystem based on algebraic. Coding Thv., 1978, 4244: 114-116.
David B, Dowsley R, Nascimento ACA. Universally composable oblivious transfer based on a variant of LPN. In: Proc. of the Int'l Conf. on Cryptology and Network Security. Cham: Springer, 2014. 143-158.
David BM, Nascimento ACA, Müller-Quade J. Universally composable oblivious transfer from lossy encryption and the mceliece assumptions. In: Proc. of the Int'l Conf. on Information Theoretic Security. Berlin, Heidelberg: Springer, 2012. 80-99.
Barreto PSLM, David B, Dowsley R,
Lai YF, Galbraith SD, de Saint Guilhem CD. Compact, efficient and UC-secure isogeny-based oblivious transfer. In: Proc. of the Annual Int'l Conf. on the Theory and Applications of Cryptographic Techniques. Cham: Springer, 2021. 213-241.
Barreto P, Nascimento A, Oliveira G,
Vitse V. Simple oblivious transfer protocols compatible with supersingular isogenies. In: Proc. of the Int'l Conf. on Cryptology in Africa. Cham: Springer, 2019. 56-78.
Boyle E, Couteau G, Gilboa N,
Schoppmann P, Gascón A, Reichert L,
Pinkas B. Fair secure two-party computation. In: Proc. of the Int'l Conf. on the Theory and Applications of Cryptographic Techniques. Berlin, Heidelberg: Springer, 2003. 87-105.
Lindell Y, Pinkas B. An efficient protocol for secure two-party computation in the presence of malicious adversaries. In: Proc. of the Annual Int'l Conf. on the Theory and Applications of Cryptographic Techniques. Berlin, Heidelberg: Springer, 2007. 52-78.
Lindell Y, Pinkas B. Secure two-party computation via cut-and-choose oblivious transfer. Journal of Cryptology, 2012, 25(4): 680-722.
Shen C. Two-output secure computation with malicious adversaries. In: Proc. of the Annual Int'l Conf. on the Theory and Applications of Cryptographic Techniques. Berlin, Heidelberg: Springer, 2011. 386-405.
Huang Y, Katz J, Evans D. Efficient secure two-party computation using symmetric cut-and-choose. In: Proc. of the Annual Cryptology Conf. Berlin, Heidelberg: Springer, 2013. 18-35.
Mohassel P, Riva B. Garbled circuits checking garbled circuits: More efficient and secure two-party computation. In: Proc. of the Annual Cryptology Conf. Berlin, Heidelberg: Springer, 2013. 36-53.
Lindell Y, Riva B. Cut-and-choose based two-party computation in the online/offline and batch settings. IACR Cryptol. ePrint Arch., 2014, 2014: 667.
Kolesnikov V, Kumaresan R. On cut-and-choose oblivious transfer and its variants. In: Proc. of the Int'l Conf. on the Theory and Application of Cryptology and Information Security. Berlin, Heidelberg: Springer, 2015. 386-412.
Harnik D, Ishai Y, Kushilevitz E,
Nielsen JB. Extending oblivious transfers efficiently-How to get robustness almost for free. IACR Cryptol. ePrint Arch., 2007, 2007: 215.
Damgård I, Keller M, Larraia E,
Doerner J, Shelat A. Scaling ORAM for secure computation. In: Proc. of the 2017 ACM SIGSAC Conf. on Computer and Communications Security. 2017. 523-535.
Henecka W, Schneider T. Faster secure two-party computation with less memory. In: Proc. of the 8th ACM SIGSAC Symp. on Information, Computer and Communications Security. 2013. 437-446.
Barker E, Barker W, Burr W,
Huang Y, Evans D, Katz J,
McQuoid I, Rosulek M, Roy L. Batching Base Oblivious Transfers. In: Proc. of Advances in Cryptdogy-ASIACRYPT 2001. 2001. 281-310.
McQuoid I, Rosulek M, Roy L. Minimal symmetric PAKE and 1-out-of-
Eklundh JO. A fast computer method for matrix transposing. IEEE Trans. on Computers, 1972, 100(7): 801-803.
Albrecht MR, Rechberger C, Schneider T,
Aumasson JP, Neves S, Wilcox-O'Hearn Z,
Aiello B, Ishai Y, Reingold O. Priced oblivious transfer: How to sell digital goods. In: Proc. of the Int'l Conf. on the Theory and Applications of Cryptographic Techniques. Berlin, Heidelberg: Springer, 2001. 119-135.
Pinkas B, Schneider T, Smart NP,
Schneider T, Zohner M. GMW vs. Yao? Efficient secure two-party computation with low depth circuits. In: Proc. of the Int'l Conf. on Financial Cryptography and Data Security. Berlin, Heidelberg: Springer, 2013. 275-292.
Lindell Y, Pinkas B. A proof of security of Yao's protocol for two-party computation. Journal of Cryptology, 2009, 22(2): 161-188.
Crépeau C, van de Graaf J, Tapp A. Committed oblivious transfer and private multi-party computation. In: Proc. of the Annual Int'l Cryptology Conf. Berlin, Heidelberg: Springer, 1995. 110-123.
Ishai Y, Prabhakaran M, Sahai A. Founding cryptography on oblivious transfer–efficiently. In: Proc. of the Annual Int'l Cryptology Conf. Berlin, Heidelberg: Springer, 2008. 572-591.
Baldi P, Baronio R, De Cristofaro E,
Chor B, Goldreich O, Kushilevitz E,
Gertner Y, Ishai Y, Kushilevitz E,
Di Crescenzo G, Malkin T, Ostrovsky R. Single database private information retrieval implies oblivious transfer. In: Proc. of the Int'l Conf. on the Theory and Applications of Cryptographic Techniques. Berlin, Heidelberg: Springer, 2000. 122-138.
Freedman MJ, Nissim K, Pinkas B. Efficient private matching and set intersection. In: Proc. of the Int'l Conf. on the Theory and Applications of Cryptographic Techniques. Berlin, Heidelberg: Springer, 2004. 1-19.
Kissner L, Song D. Privacy-preserving set operations. In: Proc. of the Annual Int'l Cryptology Conf. Berlin, Heidelberg: Springer, 2005. 241-257.
Hazay C, Nissim K. Efficient set operations in the presence of malicious adversaries. In: Proc. of the Int'l Workshop on Public Key Cryptography. Berlin, Heidelberg: Springer, 2010. 312-331.