for a primitive
takes as input
candidate implementations of
and constructs an implementation of
, which is secure assuming that at least
of the input candidates are secure. Such constructions provide robustness against insecure implementations and wrong assumptions underlying the candidate schemes. In a recent work Harnik
(Eurocrypt 2005) have proposed a (2;3)-robust combiner for oblivious transfer (OT), and have shown that (1;2)-robust OT-combiners of a certain type are impossible.
In this paper we propose new, generalized notions of combiners for two-party primitives, which capture the fact that in many two-party protocols the security of one of the parties is unconditional, or is based on an assumption independent of the assumption underlying the security of the other party. This fine-grained approach results in OT-combiners
than the constructions known before. In particular, we propose an OT-combiner which guarantees secure OT even when only one candidate is secure for both parties, and every remaining candidate is flawed for one of the parties. Furthermore, we present an efficient
OT-combiner, i.e., a single combiner which is secure
for a wide range of candidates’ failures. Finally, our definition allows for a very simple impossibility result, which shows that the proposed OT-combiners achieve optimal robustness.