标题：Fast Cut-and-Choose Bilateral Oblivious Transfer for Malicious Adversaries
作者：Wei, Xiaochao; Jiang, Han; Zhao, Chuan; Zhao, Minghao; Xu, Qiuliang
作者机构：[Wei, Xiaochao; Jiang, Han; Zhao, Chuan; Zhao, Minghao; Xu, Qiuliang] Shandong Univ, Sch Comp Sci & Technol, Jinan, Peoples R China.
会议名称：15th IEEE Int Conf on Trust, Security and Privacy in Comp and Commun / 10th IEEE Int Conf on Big Data Science and Engineering / 14th IEEE Int Symposium on Parallel and Distributed Proc with Applicat (IEEE Trustcom/BigDataSE/ISPA)
会议日期：AUG 23-26, 2016
来源：2016 IEEE TRUSTCOM/BIGDATASE/ISPA
关键词：cut-and-choose bilateral oblivious transfer; malicious adversaries; DDH; assumption; secure two-party computation
摘要：In secure two-party computation protocols based on garbled circuit, oblivious transfer (OT) plays an important role in transferring the garbled keys of the participants. In addition to the traditional OT primitive, many other variants of OT have also been presented, such as outsourced oblivious transfer (OOT), cut-and-choose oblivious transfer (CCOT), cut-and-choose bilateral oblivious transfer (CCBOT), etc. These new primitives significantly improve the efficiency and feasibility of secure two-party computation protocols, mainly in optimising computational complexity and interactive rounds. Among these primitives, CCBOT proposed by Zhao et al. in TrustCom 2015 is a novel one and helps to minimize the round complexity of the outer secure two-party computation protocols. In addition, they constructed a CCBOT protocol based on homomorphic encryption scheme in the malicious model. However, their protocol uses the cut-and-choose technique to guarantee security against malicious adversaries, as a result the protocol has an error probability. The commitment scheme is also inevitably involved in their protocol. In this paper, we present a CCBOT protocol with the security against malicious adversaries based on the Decisional Diffie-Hellman (DDH) assumption. Our proposed protocol avoids using the cut-and-choose technique and commitment scheme. In terms of efficiency, our protocol is much more efficient than the previous protocol.