Oblivious Transfer

Oblivious Transfer is a cryptographic technique in which a sender and a receiver engage in a series of messages between one another such that a sender has messages which a receiver can request, the receiver makes a choice, and prepares a response which the sender consumes and applies to the messages being sent but is unaware of the choice made by the receiver, then responds with the choice-applied message data such that upon receipt by the receiver, they are able to consume the intended message, but gain no awareness of the contents of the other messages.

We begin by explaining some base concepts of oblivious transfer protocols such that it becomes easier to follow along in the broader construction.

Simplest OT

In "The Simplest Protocol for Oblivious Transfer", Chou and Orlandi defined a new approach to oblivious transfer in which the construction relied only on the same assumptions as Diffie-Hellman. The approach is summarized below:

Simplest OT:

Given a sender has two messages, m₀, m₁, and a receiver has a choice bit c, both parties sample a random private scalar x ← 𝔽_p The sender’s private scalar will be denoted as a, the receiver’s private scalar will be denoted as b.
The sender calculates the point A = a · G, and sends this to the receiver.
If the receiver’s choice bit is 0, the receiver replies with B = b · G. If 1, the receiver replies with B = A + (b · G).
The sender calculates two keys, k₀ = H(a · B), and k₁ = H(a · (B − A)), then encrypts m₀ with k₀, m₁ with k₁, and sends both encrypted messages to the receiver.
The receiver calculates k_c = H(b · A), and then uses this value to decrypt their chosen message.

Because neither party has the other party’s private scalar, provided the discrete logarithm assumption holds, it is impossible for the receiver to calculate the other message’s key, and impossible for the sender to calculate the receiver’s choice.

Simplest OT is capable of only delivering a singular choice of two messages, and has to be re-evaluated from scratch for each subsequent bit of information learned. Because of this, it is a poor system to directly construct oblivious protocols, however it is exceptionally useful to build on top of as a base OT seed for extension.

Correlated OT

Correlated oblivious transfer is a variant of oblivious transfer where instead of sending a singular choice, the choices themselves are implicitly correlated. The traditional extension approach involves a Random OT base, where the initial choice is random, and then pseudo-random extensions of the random seeds enable larger correlated constructions with many bits being able to be transferred based on the correlation without the cost of doing a singular OT for every bit. This is utilized in many MPC protocols, and further extended in subsequent papers such as "Actively Secure OT Extension with Optimal Overhead". At the lower level, correlated OT looks like the following:

Correlated OT (COT):

The receiver obtains a ∆ ∈ 𝔽_2^κ from the sender.
For every extension:

Sample v ← 𝔽^ℓ_2^κ. If the sender is corrupted, instead receive v ← 𝔽^ℓ_2^κ from the adversary.
Sample u ← 𝔽^ℓ₂ and compute w := v + u · ∆ ∈ 𝔽^ℓ_2^κ. If the receiver is corrupted, instead receive u ← 𝔽^ℓ₂ and w ← 𝔽^ℓ_2^κ from the adversary, and recompute w := v + u · ∆ ∈ 𝔽^ℓ_2^κ.

Correlated OT Extension over LPN

In "Ferret: Fast Extension for Correlated OT with Small Communication", the authors contributed improvements to this protocol have sufficiently made COT feasible for general computability at speed. In short, the speed improvements are nearly over 200 times faster per correlation. For brevity, we list only the functions relevant to Quilibrium’s instantiation of Ferret, from the article:

Multi-Point Correlated OT (MPCOT):

Given a family of efficiently-computable functions Φ = {Φ_n,t}_{n,t ∈ ℕ} such that for any n,t ∈ ℕ with t ≤ n, Φ_n,t takes as an input a sorted subset of [n] of size t and outputs another subset of [m] with the same size for some integer t ≤ m ≤ n.
The receiver obtains a ∆ ∈ 𝔽_2^κ from the sender.
For extension, the receiver and sender agree to n, t, and the receiver sends Q = {a₀, ..., a_t−1} where Q ⊆ [n] is a sorted set:

Sample v ← 𝔽ⁿ_2^κ. If the sender is corrupted, instead receive v ← 𝔽ⁿ_2^κ from the adversary.
Define an n-sized bit vector u := 𝕴(n, Q), and compute w := v + u · ∆ ∈ 𝔽ⁿ_2^κ. If the receiver is corrupted, instead receive u ← 𝔽ⁿ₂ and w ← 𝔽ⁿ_2^κ from the adversary, and recompute w := v + u · ∆ ∈ 𝔽ⁿ_2^κ.

Compute the set T = {β₀, ..., β_t−1} := Φ_n,t({α₀, ..., α_t−1}).
Wait for the adversary to input m sets I₀, ..., I_m−1 ⊆ [n] ∪ {−1}.
Check that α_i ∈ I_{β_i} for all i ∈ [t] and −1 ∈ I_j for all j ∈ [m] \ T. If the check fails, the process aborts.

Deal COT/MPCOT:

Given a family of efficiently-computable functions Φ = {Φ_n,t}_{n,t ∈ ℕ} such that for any n,t ∈ ℕ with t ≤ n, Φ_n,t takes as an input a sorted subset of [n] of size t and outputs another subset of [m] with the same size for some integer t ≤ m ≤ n.
The receiver obtains a ∆ ∈ 𝔽_2^κ from the sender.
To COT Extend: Call Correlated OT, receive ℓ random COT correlations.
To MPCOT Extend: Call MPCOT, receive a multi-point COT of length n.

Deal COT/MPCOT:

Given LPN parameters (n, k, t) and code generator C such that C(k, n, 𝔽) outputs a matrix A ∈ 𝔽^k×n₂.
Both parties initialize once, sender samples a uniform ∆ ∈ 𝔽_2^κ and both parties invoke the Deal initialization step.
Both parties invoke the COT extend functionality of Deal, returning v ← 𝔽^k_2^κ to sender, (u, w) ∈ 𝔽^k₂ × 𝔽^k_2^κ to the receiver such that w := v + u · ∆.
To Extend:

The receiver samples A ← C(k, n, 𝔽₂) and e ← HW_t, then sends A to the sender. Let Q = {a₀, ..., a_t−1} ⊆ [n] be the sorted indices of non-zero entries in e.
The sender and receiver invokes the Deal MPCOT functionality, returning s ∈ 𝔽ⁿ_2^κ to the sender and r ∈ 𝔽ⁿ_2^κ to the receiver, where r + s = e · ∆. If either party aborts, this protocol aborts.
The sender computes y := v · A + s ∈ 𝔽ⁿ_2^κ and the receiver computes x := u · A + e ∈ 𝔽ⁿ₂ and z := w · A + r ∈ 𝔽ⁿ_2^κ.
The sender updates vector v := y[0 : k] ∈ 𝔽^k_2^κ, and outputs a vector y′ := y[k : n] ∈ 𝔽^l_2^κ. The receiver updates vectors (u, w) := (x[0 : k], z[0 : k]) ∈ 𝔽^k₂ × 𝔽^k_2^κ and outputs two vectors (x′, z′) := (x[k : n], z[k : n]) ∈ 𝔽^l₂ × 𝔽^l_2^κ.