A Framework for Efficient and Composable Oblivious Transfer

We propose a simple and general framework for constructing oblivious transfer (OT) protocols that are

efficient

,

universally composable

, and

generally realizable

under any one of a variety of standard number-theoretic assumptions, including the decisional Diffie-Hellman assumption, the quadratic residuosity and decisional composite residuosity assumptions, and

worst-case

lattice assumptions.

Our OT protocols are round-optimal (one message each way), quite efficient in computation and communication, and can use a single common string for an unbounded number of executions between the same sender and receiver. Furthermore, the protocols can provide

statistical

security to either the sender or the receiver, simply by changing the distribution of the common string. For certain instantiations of the protocol, even a common

uniformly random

string suffices.

Our key technical contribution is a simple abstraction that we call a

dual-mode

cryptosystem. We implement dual-mode cryptosystems by taking a unified view of several cryptosystems that have what we call “messy” public keys, whose defining property is that a ciphertext encrypted under such a key carries

no information

(statistically) about the encrypted message.

As a contribution of independent interest, we also provide a multi-bit

amortized

version of Regev’s lattice-based cryptosystem (STOC 2005) whose time and space complexity are improved by a linear factor in the security parameter

n

. The resulting amortized encryption and decryption times are only

$\tilde{O}(n)$

bit operations per message bit, and the ciphertext expansion can be made as small as a constant; the public key size and underlying lattice assumption remain essentially the same.