Do standalone Oblivious Transfer (OT) Protocols exist?
$begingroup$
Are there any Oblivious Transfer (OT) protocols that don’t rely on asymmetrical encryption, public-key encryption or key-exchange?
I’m starting to wonder, as all the OT protocols I know of (and can understand how it works), rely on such an encryption layer. Are there any out there which is somewhat-standalone and does not depend on the security of the scheme/protocol it uses underneath?
public-key key-exchange oblivious-transfer
asked Nov 13 '18 at 18:57
zetaprimezetaprime
381215
$endgroup$
add a comment |
$begingroup$
Are there any Oblivious Transfer (OT) protocols that don’t rely on asymmetrical encryption, public-key encryption or key-exchange?
I’m starting to wonder, as all the OT protocols I know of (and can understand how it works), rely on such an encryption layer. Are there any out there which is somewhat-standalone and does not depend on the security of the scheme/protocol it uses underneath?
public-key key-exchange oblivious-transfer
asked Nov 13 '18 at 18:57
zetaprimezetaprime
381215
$endgroup$
add a comment |
$begingroup$
Are there any Oblivious Transfer (OT) protocols that don’t rely on asymmetrical encryption, public-key encryption or key-exchange?
I’m starting to wonder, as all the OT protocols I know of (and can understand how it works), rely on such an encryption layer. Are there any out there which is somewhat-standalone and does not depend on the security of the scheme/protocol it uses underneath?
public-key key-exchange oblivious-transfer
asked Nov 13 '18 at 18:57
zetaprimezetaprime
381215
$endgroup$
Are there any Oblivious Transfer (OT) protocols that don’t rely on asymmetrical encryption, public-key encryption or key-exchange?
I’m starting to wonder, as all the OT protocols I know of (and can understand how it works), rely on such an encryption layer. Are there any out there which is somewhat-standalone and does not depend on the security of the scheme/protocol it uses underneath?
public-key key-exchange oblivious-transfer
public-key key-exchange oblivious-transfer
asked Nov 13 '18 at 18:57
zetaprimezetaprime
381215
asked Nov 13 '18 at 18:57
zetaprimezetaprime
381215
asked Nov 13 '18 at 18:57
zetaprimezetaprime
381215
asked Nov 13 '18 at 18:57
zetaprimezetaprime
381215
asked Nov 13 '18 at 18:57
zetaprimezetaprime
381215
381215
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
$begingroup$
The term "stand alone" in secure computation typically refers to the case of a protocol being run once, and not to assumptions. In any case, what I assume you are really asking is what assumptions are needed for OT. You are indeed correct that OT is built from asymmetric assumptions, and this is actually inherent for black-box constructions. This was studied in The Relationship Between Public Key Encryption and Oblivious Transfer.
answered Nov 13 '18 at 19:41
Yehuda LindellYehuda Lindell
18.6k3661
$endgroup$
$begingroup$
Thank you, it was also thinking in the same direction. This is a great confirmation (and expression) of what I have been thinking.
$endgroup$
– zetaprime
Nov 14 '18 at 8:54
add a comment |
$begingroup$
Are there any Oblivious Transfer (OT) protocols that don’t rely on
asymmetrical encryption, public-key encryption or key-exchange?
Surprisingly, there are indeed OT protocols which don't rely on public-key encryption. In Precomputing Oblivious Transfer, Beaver showed that if Alice and Bob are each given some correlated randomness by a trusted third party Ted, they are able to compute $2 choose 1$OT without requiring any public-key operations.
In the offline phase, Ted generates a random instance of $2 choose 1$OT:
- Ted samples $(r_0, r_1, d) in mathbbF^3$
- Ted sends $(r_0, r_1)$ to Alice
- Ted sends $(d, r_d)$ to Bob
Later, in the online phase, Alice has two inputs $(b_0, b_1)$ and Bob has his choice $c$. The players consume the $(r_0, r_1)$ and $(d, r_d)$ as follows:
- Bob sends $e = c oplus d$ to Alice
- Alice replies with $(x_0, x_1) = (b_0 oplus r_e, b_1 oplus r_bare)$
- Bob then outputs $b_c = x_c oplus r_d$
Note how Ted can play his part in the protocol long before Alice and Bob know their input to the protocol, and his presence is no longer required once he has sent the random OT to Alice and Bob.
In fact, this protocol is information-theoretic secure because even a computationally unbounded Bob cannot determine Alice's other input $b_barc$, nor can a computationally unbounded Alice learn Bob's choice $c$.
The construction works because Alice has no information on whether Bob knows $r_0$ or $r_1$, while Bob only knows one of $r_0$ or $r_1$. This asymmetry of knowledge is the assumption that allows us to do OT without resorting to public-key cryptography.
This technique is now known as the correlated randomness model, which was studied by Ishai et al in On the Power of Correlated Randomness in
Secure Computation. Beaver's multiplication triples (another type of correlated randomness) now feature prominently in state-of-the-art multiparty computation protocols such as SPDZ and BDOZ. These protocols use homomorphic encryption to simulate Ted during an expensive preprocessing phase, which allows them to use efficient information-theoretic operations during the online phase.
answered Nov 14 '18 at 9:21
kiwidrewkiwidrew
4489
$endgroup$
1
$begingroup$
I guess this sort of complements the previous answer - but you should really insist of the fact that this only gives OT from weaker assumptions (such as OWF) in a model where the parties are initially given some fixed amount of correlated randomness - in the plain model, the black-box impossibility mentioned by prof. Lindell holds. Also, in alternative models, we could also mention the unconditional constructions of OTs given access to any noisy channel.
$endgroup$
– Geoffroy Couteau
Nov 14 '18 at 23:39
$begingroup$
Yes, that's a good point, I will emphasize that this isn't in the standard model. I really like how this approach is being used by e.g. SPDZ/BDOZ to split things into an expensive (public key) offline phase that's independent of input followed by a cheap (information theoretic) online phase. It's yet anther example of how clever thinking lets one "work around" impossibility results...
$endgroup$
– kiwidrew
Nov 15 '18 at 0:43
add a comment |
Your Answer
StackExchange.ifUsing("editor", function ()
return StackExchange.using("mathjaxEditing", function ()
StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix)
StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [["$", "$"], ["\\(","\\)"]]);
);
);
, "mathjax-editing");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63965%2fdo-standalone-oblivious-transfer-ot-protocols-exist%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
The term "stand alone" in secure computation typically refers to the case of a protocol being run once, and not to assumptions. In any case, what I assume you are really asking is what assumptions are needed for OT. You are indeed correct that OT is built from asymmetric assumptions, and this is actually inherent for black-box constructions. This was studied in The Relationship Between Public Key Encryption and Oblivious Transfer.
answered Nov 13 '18 at 19:41
Yehuda LindellYehuda Lindell
18.6k3661
$endgroup$
$begingroup$
Thank you, it was also thinking in the same direction. This is a great confirmation (and expression) of what I have been thinking.
$endgroup$
– zetaprime
Nov 14 '18 at 8:54
add a comment |
$begingroup$
The term "stand alone" in secure computation typically refers to the case of a protocol being run once, and not to assumptions. In any case, what I assume you are really asking is what assumptions are needed for OT. You are indeed correct that OT is built from asymmetric assumptions, and this is actually inherent for black-box constructions. This was studied in The Relationship Between Public Key Encryption and Oblivious Transfer.
answered Nov 13 '18 at 19:41
Yehuda LindellYehuda Lindell
18.6k3661
$endgroup$
$begingroup$
Thank you, it was also thinking in the same direction. This is a great confirmation (and expression) of what I have been thinking.
$endgroup$
– zetaprime
Nov 14 '18 at 8:54
add a comment |
$begingroup$
The term "stand alone" in secure computation typically refers to the case of a protocol being run once, and not to assumptions. In any case, what I assume you are really asking is what assumptions are needed for OT. You are indeed correct that OT is built from asymmetric assumptions, and this is actually inherent for black-box constructions. This was studied in The Relationship Between Public Key Encryption and Oblivious Transfer.
answered Nov 13 '18 at 19:41
Yehuda LindellYehuda Lindell
18.6k3661
$endgroup$
The term "stand alone" in secure computation typically refers to the case of a protocol being run once, and not to assumptions. In any case, what I assume you are really asking is what assumptions are needed for OT. You are indeed correct that OT is built from asymmetric assumptions, and this is actually inherent for black-box constructions. This was studied in The Relationship Between Public Key Encryption and Oblivious Transfer.
answered Nov 13 '18 at 19:41
Yehuda LindellYehuda Lindell
18.6k3661
answered Nov 13 '18 at 19:41
Yehuda LindellYehuda Lindell
18.6k3661
answered Nov 13 '18 at 19:41
Yehuda LindellYehuda Lindell
18.6k3661
answered Nov 13 '18 at 19:41
Yehuda LindellYehuda Lindell
18.6k3661
18.6k3661
$begingroup$
Thank you, it was also thinking in the same direction. This is a great confirmation (and expression) of what I have been thinking.
$endgroup$
– zetaprime
Nov 14 '18 at 8:54
add a comment |
$begingroup$
Thank you, it was also thinking in the same direction. This is a great confirmation (and expression) of what I have been thinking.
$endgroup$
– zetaprime
Nov 14 '18 at 8:54
$begingroup$
Thank you, it was also thinking in the same direction. This is a great confirmation (and expression) of what I have been thinking.
$endgroup$
– zetaprime
Nov 14 '18 at 8:54
$begingroup$
Thank you, it was also thinking in the same direction. This is a great confirmation (and expression) of what I have been thinking.
$endgroup$
– zetaprime
Nov 14 '18 at 8:54
add a comment |
$begingroup$
Are there any Oblivious Transfer (OT) protocols that don’t rely on
asymmetrical encryption, public-key encryption or key-exchange?
Surprisingly, there are indeed OT protocols which don't rely on public-key encryption. In Precomputing Oblivious Transfer, Beaver showed that if Alice and Bob are each given some correlated randomness by a trusted third party Ted, they are able to compute $2 choose 1$OT without requiring any public-key operations.
In the offline phase, Ted generates a random instance of $2 choose 1$OT:
- Ted samples $(r_0, r_1, d) in mathbbF^3$
- Ted sends $(r_0, r_1)$ to Alice
- Ted sends $(d, r_d)$ to Bob
Later, in the online phase, Alice has two inputs $(b_0, b_1)$ and Bob has his choice $c$. The players consume the $(r_0, r_1)$ and $(d, r_d)$ as follows:
- Bob sends $e = c oplus d$ to Alice
- Alice replies with $(x_0, x_1) = (b_0 oplus r_e, b_1 oplus r_bare)$
- Bob then outputs $b_c = x_c oplus r_d$
Note how Ted can play his part in the protocol long before Alice and Bob know their input to the protocol, and his presence is no longer required once he has sent the random OT to Alice and Bob.
In fact, this protocol is information-theoretic secure because even a computationally unbounded Bob cannot determine Alice's other input $b_barc$, nor can a computationally unbounded Alice learn Bob's choice $c$.
The construction works because Alice has no information on whether Bob knows $r_0$ or $r_1$, while Bob only knows one of $r_0$ or $r_1$. This asymmetry of knowledge is the assumption that allows us to do OT without resorting to public-key cryptography.
This technique is now known as the correlated randomness model, which was studied by Ishai et al in On the Power of Correlated Randomness in
Secure Computation. Beaver's multiplication triples (another type of correlated randomness) now feature prominently in state-of-the-art multiparty computation protocols such as SPDZ and BDOZ. These protocols use homomorphic encryption to simulate Ted during an expensive preprocessing phase, which allows them to use efficient information-theoretic operations during the online phase.
answered Nov 14 '18 at 9:21
kiwidrewkiwidrew
4489
$endgroup$
1
$begingroup$
I guess this sort of complements the previous answer - but you should really insist of the fact that this only gives OT from weaker assumptions (such as OWF) in a model where the parties are initially given some fixed amount of correlated randomness - in the plain model, the black-box impossibility mentioned by prof. Lindell holds. Also, in alternative models, we could also mention the unconditional constructions of OTs given access to any noisy channel.
$endgroup$
– Geoffroy Couteau
Nov 14 '18 at 23:39
$begingroup$
Yes, that's a good point, I will emphasize that this isn't in the standard model. I really like how this approach is being used by e.g. SPDZ/BDOZ to split things into an expensive (public key) offline phase that's independent of input followed by a cheap (information theoretic) online phase. It's yet anther example of how clever thinking lets one "work around" impossibility results...
$endgroup$
– kiwidrew
Nov 15 '18 at 0:43
add a comment |
$begingroup$
Are there any Oblivious Transfer (OT) protocols that don’t rely on
asymmetrical encryption, public-key encryption or key-exchange?
Surprisingly, there are indeed OT protocols which don't rely on public-key encryption. In Precomputing Oblivious Transfer, Beaver showed that if Alice and Bob are each given some correlated randomness by a trusted third party Ted, they are able to compute $2 choose 1$OT without requiring any public-key operations.
In the offline phase, Ted generates a random instance of $2 choose 1$OT:
- Ted samples $(r_0, r_1, d) in mathbbF^3$
- Ted sends $(r_0, r_1)$ to Alice
- Ted sends $(d, r_d)$ to Bob
Later, in the online phase, Alice has two inputs $(b_0, b_1)$ and Bob has his choice $c$. The players consume the $(r_0, r_1)$ and $(d, r_d)$ as follows:
- Bob sends $e = c oplus d$ to Alice
- Alice replies with $(x_0, x_1) = (b_0 oplus r_e, b_1 oplus r_bare)$
- Bob then outputs $b_c = x_c oplus r_d$
Note how Ted can play his part in the protocol long before Alice and Bob know their input to the protocol, and his presence is no longer required once he has sent the random OT to Alice and Bob.
In fact, this protocol is information-theoretic secure because even a computationally unbounded Bob cannot determine Alice's other input $b_barc$, nor can a computationally unbounded Alice learn Bob's choice $c$.
The construction works because Alice has no information on whether Bob knows $r_0$ or $r_1$, while Bob only knows one of $r_0$ or $r_1$. This asymmetry of knowledge is the assumption that allows us to do OT without resorting to public-key cryptography.
This technique is now known as the correlated randomness model, which was studied by Ishai et al in On the Power of Correlated Randomness in
Secure Computation. Beaver's multiplication triples (another type of correlated randomness) now feature prominently in state-of-the-art multiparty computation protocols such as SPDZ and BDOZ. These protocols use homomorphic encryption to simulate Ted during an expensive preprocessing phase, which allows them to use efficient information-theoretic operations during the online phase.
answered Nov 14 '18 at 9:21
kiwidrewkiwidrew
4489
$endgroup$
1
$begingroup$
I guess this sort of complements the previous answer - but you should really insist of the fact that this only gives OT from weaker assumptions (such as OWF) in a model where the parties are initially given some fixed amount of correlated randomness - in the plain model, the black-box impossibility mentioned by prof. Lindell holds. Also, in alternative models, we could also mention the unconditional constructions of OTs given access to any noisy channel.
$endgroup$
– Geoffroy Couteau
Nov 14 '18 at 23:39
$begingroup$
Yes, that's a good point, I will emphasize that this isn't in the standard model. I really like how this approach is being used by e.g. SPDZ/BDOZ to split things into an expensive (public key) offline phase that's independent of input followed by a cheap (information theoretic) online phase. It's yet anther example of how clever thinking lets one "work around" impossibility results...
$endgroup$
– kiwidrew
Nov 15 '18 at 0:43
add a comment |
$begingroup$
Are there any Oblivious Transfer (OT) protocols that don’t rely on
asymmetrical encryption, public-key encryption or key-exchange?
Surprisingly, there are indeed OT protocols which don't rely on public-key encryption. In Precomputing Oblivious Transfer, Beaver showed that if Alice and Bob are each given some correlated randomness by a trusted third party Ted, they are able to compute $2 choose 1$OT without requiring any public-key operations.
In the offline phase, Ted generates a random instance of $2 choose 1$OT:
- Ted samples $(r_0, r_1, d) in mathbbF^3$
- Ted sends $(r_0, r_1)$ to Alice
- Ted sends $(d, r_d)$ to Bob
Later, in the online phase, Alice has two inputs $(b_0, b_1)$ and Bob has his choice $c$. The players consume the $(r_0, r_1)$ and $(d, r_d)$ as follows:
- Bob sends $e = c oplus d$ to Alice
- Alice replies with $(x_0, x_1) = (b_0 oplus r_e, b_1 oplus r_bare)$
- Bob then outputs $b_c = x_c oplus r_d$
Note how Ted can play his part in the protocol long before Alice and Bob know their input to the protocol, and his presence is no longer required once he has sent the random OT to Alice and Bob.
In fact, this protocol is information-theoretic secure because even a computationally unbounded Bob cannot determine Alice's other input $b_barc$, nor can a computationally unbounded Alice learn Bob's choice $c$.
The construction works because Alice has no information on whether Bob knows $r_0$ or $r_1$, while Bob only knows one of $r_0$ or $r_1$. This asymmetry of knowledge is the assumption that allows us to do OT without resorting to public-key cryptography.
This technique is now known as the correlated randomness model, which was studied by Ishai et al in On the Power of Correlated Randomness in
Secure Computation. Beaver's multiplication triples (another type of correlated randomness) now feature prominently in state-of-the-art multiparty computation protocols such as SPDZ and BDOZ. These protocols use homomorphic encryption to simulate Ted during an expensive preprocessing phase, which allows them to use efficient information-theoretic operations during the online phase.
answered Nov 14 '18 at 9:21
kiwidrewkiwidrew
4489
$endgroup$
Are there any Oblivious Transfer (OT) protocols that don’t rely on
asymmetrical encryption, public-key encryption or key-exchange?
Surprisingly, there are indeed OT protocols which don't rely on public-key encryption. In Precomputing Oblivious Transfer, Beaver showed that if Alice and Bob are each given some correlated randomness by a trusted third party Ted, they are able to compute $2 choose 1$OT without requiring any public-key operations.
In the offline phase, Ted generates a random instance of $2 choose 1$OT:
- Ted samples $(r_0, r_1, d) in mathbbF^3$
- Ted sends $(r_0, r_1)$ to Alice
- Ted sends $(d, r_d)$ to Bob
Later, in the online phase, Alice has two inputs $(b_0, b_1)$ and Bob has his choice $c$. The players consume the $(r_0, r_1)$ and $(d, r_d)$ as follows:
- Bob sends $e = c oplus d$ to Alice
- Alice replies with $(x_0, x_1) = (b_0 oplus r_e, b_1 oplus r_bare)$
- Bob then outputs $b_c = x_c oplus r_d$
Note how Ted can play his part in the protocol long before Alice and Bob know their input to the protocol, and his presence is no longer required once he has sent the random OT to Alice and Bob.
In fact, this protocol is information-theoretic secure because even a computationally unbounded Bob cannot determine Alice's other input $b_barc$, nor can a computationally unbounded Alice learn Bob's choice $c$.
The construction works because Alice has no information on whether Bob knows $r_0$ or $r_1$, while Bob only knows one of $r_0$ or $r_1$. This asymmetry of knowledge is the assumption that allows us to do OT without resorting to public-key cryptography.
This technique is now known as the correlated randomness model, which was studied by Ishai et al in On the Power of Correlated Randomness in
Secure Computation. Beaver's multiplication triples (another type of correlated randomness) now feature prominently in state-of-the-art multiparty computation protocols such as SPDZ and BDOZ. These protocols use homomorphic encryption to simulate Ted during an expensive preprocessing phase, which allows them to use efficient information-theoretic operations during the online phase.
answered Nov 14 '18 at 9:21
kiwidrewkiwidrew
4489
answered Nov 14 '18 at 9:21
kiwidrewkiwidrew
4489
answered Nov 14 '18 at 9:21
kiwidrewkiwidrew
4489
answered Nov 14 '18 at 9:21
kiwidrewkiwidrew
4489
4489
1
$begingroup$
I guess this sort of complements the previous answer - but you should really insist of the fact that this only gives OT from weaker assumptions (such as OWF) in a model where the parties are initially given some fixed amount of correlated randomness - in the plain model, the black-box impossibility mentioned by prof. Lindell holds. Also, in alternative models, we could also mention the unconditional constructions of OTs given access to any noisy channel.
$endgroup$
– Geoffroy Couteau
Nov 14 '18 at 23:39
$begingroup$
Yes, that's a good point, I will emphasize that this isn't in the standard model. I really like how this approach is being used by e.g. SPDZ/BDOZ to split things into an expensive (public key) offline phase that's independent of input followed by a cheap (information theoretic) online phase. It's yet anther example of how clever thinking lets one "work around" impossibility results...
$endgroup$
– kiwidrew
Nov 15 '18 at 0:43
add a comment |
1
$begingroup$
I guess this sort of complements the previous answer - but you should really insist of the fact that this only gives OT from weaker assumptions (such as OWF) in a model where the parties are initially given some fixed amount of correlated randomness - in the plain model, the black-box impossibility mentioned by prof. Lindell holds. Also, in alternative models, we could also mention the unconditional constructions of OTs given access to any noisy channel.
$endgroup$
– Geoffroy Couteau
Nov 14 '18 at 23:39
$begingroup$
Yes, that's a good point, I will emphasize that this isn't in the standard model. I really like how this approach is being used by e.g. SPDZ/BDOZ to split things into an expensive (public key) offline phase that's independent of input followed by a cheap (information theoretic) online phase. It's yet anther example of how clever thinking lets one "work around" impossibility results...
$endgroup$
– kiwidrew
Nov 15 '18 at 0:43
1
1
$begingroup$
I guess this sort of complements the previous answer - but you should really insist of the fact that this only gives OT from weaker assumptions (such as OWF) in a model where the parties are initially given some fixed amount of correlated randomness - in the plain model, the black-box impossibility mentioned by prof. Lindell holds. Also, in alternative models, we could also mention the unconditional constructions of OTs given access to any noisy channel.
$endgroup$
– Geoffroy Couteau
Nov 14 '18 at 23:39
$begingroup$
I guess this sort of complements the previous answer - but you should really insist of the fact that this only gives OT from weaker assumptions (such as OWF) in a model where the parties are initially given some fixed amount of correlated randomness - in the plain model, the black-box impossibility mentioned by prof. Lindell holds. Also, in alternative models, we could also mention the unconditional constructions of OTs given access to any noisy channel.
$endgroup$
– Geoffroy Couteau
Nov 14 '18 at 23:39
$begingroup$
Yes, that's a good point, I will emphasize that this isn't in the standard model. I really like how this approach is being used by e.g. SPDZ/BDOZ to split things into an expensive (public key) offline phase that's independent of input followed by a cheap (information theoretic) online phase. It's yet anther example of how clever thinking lets one "work around" impossibility results...
$endgroup$
– kiwidrew
Nov 15 '18 at 0:43
$begingroup$
Yes, that's a good point, I will emphasize that this isn't in the standard model. I really like how this approach is being used by e.g. SPDZ/BDOZ to split things into an expensive (public key) offline phase that's independent of input followed by a cheap (information theoretic) online phase. It's yet anther example of how clever thinking lets one "work around" impossibility results...
$endgroup$
– kiwidrew
Nov 15 '18 at 0:43
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f63965%2fdo-standalone-oblivious-transfer-ot-protocols-exist%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
