Actively Secure 1-out-of-N OT Extension with Application to Private Set Intersection

Michele Orrù*, Emmanuela Orsini, Peter Scholl

*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceedingConference Contribution (Conference Proceeding)

53 Citations (Scopus)


This paper describes a 1-out-of-N oblivious transfer (OT) extension protocol with active security, which achieves very low overhead compared with the passively secure protocol of Kolesnikov and Kumaresan (Crypto 2011). Our protocol obtains active security using a consistency check which requires only simple computation and has a communication overhead that is independent of the total number of OTs to be produced. We prove its security in both the random oracle model and the standard model, assuming a variant of correlation robustness. We describe an implementation, which demonstrates our protocol only incurs an overhead of around 5–30% on top of the passively secure protocol.

Random 1-out-of-N OT is a key building block in recent, very efficient, passively secure private set intersection (PSI) protocols. Our random OT extension protocol has the interesting feature that it even works when N is exponentially large in the security parameter, provided that the sender only needs to obtain polynomially many outputs. We show that this can be directly applied to improve the performance of PSI, allowing the core private equality test and private set inclusion subprotocols to be carried out using just a single OT each. This leads to a reduction in communication of up to 3 times for the main component of PSI.
Original languageEnglish
Title of host publicationTopics in Cryptology - CT-RSA 2017
Subtitle of host publicationThe Cryptographers' Track at the RSA Conference 2017
PublisherSpringer-Verlag Berlin
Number of pages16
ISBN (Electronic)9783319521534
ISBN (Print)9783319521527
Publication statusPublished - 1 Jan 2017

Publication series

NameLecture Notes in Computer Science
ISSN (Print)0302-9743


  • cryptographic protocols
  • Oblivious transfer
  • private set intersection
  • multi-party computation


Dive into the research topics of 'Actively Secure 1-out-of-N OT Extension with Application to Private Set Intersection'. Together they form a unique fingerprint.

Cite this