Oblivious transfer (OT) is a cryptographic primitive originally used to transfer a collection of messages from the sender to the receiver in an oblivious manner. OT extension protocol reduces expensive asymmetric operations by running a small number of OT instances first and then cheap symmetric operations. While most earlier works discussed security model or communication and computation complexity of OT in general case, we focus on concrete application scenarios, especially where the sender in the OT protocol is a database with less computation and limited interaction capability. In this paper, we propose a generic outsourced OT extension protocol () that outsources all the asymmetric operations of the sender to a semihonest server so as to adapt to specific scenarios above. We give a standard security definition, and the proposed protocol is proven secure in the semihonest model. In , the sender works on the fly and performs only symmetric operations locally. Whatever the number of rounds OT to be executed and the length of messages in OT to be sent, our protocol realizes optimal complexity. Besides, can be used to construct high-level protocols, such as private membership test (PMT) and private set intersection (PSI). We believe our construction may be a building block in other applications as well.

1. Introduction

Oblivious transfer (OT) is one of the most important primitives in secure computation. It is wildly used in Yao’s protocol [1], GMW construction [2], and preprocessing phase of SPDZ-like [3] protocols. With the development of big data, cloud computing, and mobile computing, the demand for joint computation grows rapidly between different organizations and individuals. In order to ensure the security of such computing tasks against complicated external environment, cryptographic components have to be used to design protocols, in which OT plays a pivotal role together with homomorphic encryption, secret sharing, and garbled circuit.

However, OT is public-key primitive centered, which makes it computational expensive for secure computation. Many privacy-preserving protocols, such as private membership test (PMT) and private set intersection (PSI), rely heavily on huge number of OT instances for secure computation to get the trade-off between computation and communication. The most efficient way to produce many OT instances is through OT extension protocol [4, 5]. In such protocol, two participants collectively run few “base” OT instances and then perform some cheap symmetric operations to produce many OT instances.

1.1. Motivation

In an OT extension protocol, the sender needs to interact with the receiver for each step during the protocol, which involves exponential calculation and intensive interaction. In some application scenarios, however, could be a mobile device with less computation power or a database holder with limited interaction capability. When invoking OT extension as a subprotocol in some more complex computation tasks, needs to respond requests from as fast as possible.

Nowadays, many applications are rapidly transferred to cloud-based service, and it would be desired to seek some server-aided OT extension protocol to relief the burden of under reasonable security assumption. A considerable literature [612] has grown up around the theme of fertilizing functionality of OT or optimizing communication cost of the receiver . However, far too little attention has been paid to investigate sender side of OT adapting to specific scenarios.

To this end, we propose a generic outsourced oblivious transfer extension protocol in the semihonest model. In , the sender first outsources all expensive asymmetric operations to a third party who runs a subprotocol called “base” OT instances with the receiver . Based on the corresponding outputs of the subprotocol and other auxiliary information, generates symmetric keys used to encrypt sending messages in OT. As a result, the sender works on the fly and sends its inputs encrypted by symmetric key generated from to the receiver , and thus, it enables two parties to complete the whole OT extension protocol.

Recent trends in OT extension have led to a proliferation of studies showing how to design an efficient PSI [1317] or PSI-based protocols [1821] in different secure models since OT extension protocol is an important component in secure computation and plays a key role in set operations. Take PSI as an example, without violating individuals’ privacy, and the use of PSI in contact tracing [21] can help prevent the further spread of COVID-19. Therefore, framework has a wide range of applications in outsourced scenarios, and as a building block, we think can be applied conveniently to high-level protocols.

1.2. Related Work

Rabin [22] first introduced the notion of OT that the receiver receives a message sent from the sender with probability and the sender does not know whether the receiver has received the message or not. Then, a line of works seek to enrich functionality of OT, and they mainly consist of 1-out-of-2 OT [6], 1-out-of- OT [7, 8], and k-out-of- OT [9, 10], in which the first two functionalities are considered in this paper. Some researchers [2325] proposed OT protocols in different security models although we focus on semihonest model that is sufficient enough to deploy our framework in future among including malicious model, covert adversary model, and universally composable model.

Because OT is public-key primitive centered, the issue of efficiency has received considerable critical attention after Rabin’s work [22]. Beaver [26] showed that OT can be precomputed using only prior transfers. Studies over the past two decades have proved that extending a small number of OT to huge number of OT instances can be achieved by one-way function [2729]. Until 2003, Ishai et al. [4] proposed an efficient method to extend 1-out-of-2 OTs by running few “base” OT instances, which is also known as the IKNP OT extension protocol. Kolesnikov and Kumaresan [5] generalized IKNP from a coding understanding and proposed an improved OT extension protocol allowing to do 1-of-out- OTs with less communication and computation cost. Lindell et al. [11] studied input-size hiding two-party computation based on fully homomorphic encryption (FHE) and proposed a secure OT extension protocol to reduce the communication cost of both the sender and receiver. Cho et al. [12] focused on the receivers’ communication cost in OT and proposed laconic OT protocol based on the decisional Diffie–Hellman (DDH) assumption. Carter et al. [30] proposed outsourced OT protocol specifically for the mobile use-case where the cloud receives outputs of OT. Recently, Mansy and Rindal proposed [31] noninteractive OTs from noninteractive key exchange. However, the resulting OT extension would require 3 rounds.

The research to date has tended to focus more on the cost of the receiver and less on the sender in OT, and there are few studies that have investigated computation and communication complexity on sender side. The aim of this work is to explore the cost of sender in OT and construct efficient OT extension framework assisted by a third party. In addition, OT extension provides a brief but useful account of the construction of oblivious pseudorandom function (PRF). Also, oblivious PRF has been attracting a lot of interest in very recent years, such as multiparty PSI [14], PSI cardinality [21], and private set union [32]. This indicates a need to adapt OT extension to outsourcing scenarios due to practical constraints.

1.3. Our Contribution

In this paper, we focus on server-aided OT to reduce the sender’s public-key computation and rounds of interaction with the receiver. Main contributions of our work go as follows:(i)We propose a generic outsourced OT extension protocol . In , the server and the receiver cooperatively run a small number of OT instances, and at this moment, the sender can be off-line. After the first phase, the sender can fetch necessary corelated randomness from the server whenever needed; then, the sender can send their inputs encrypted only by a symmetric key to the receiver, which completes an OT instance. We design a novel mechanism for this purpose and formally prove its security under semihonest model.(ii)We analyze the complexity of our construction and perform implementation, and the experiment shows that our construction is practical and efficient.(iii)Our construction can be applied to improve the efficiency of OT-based privacy-preserving primitives in server-aided setting, such as oblivious pseudorandom function, and high-level protocols, such as PMT and PSI, which is of independent interest.

2. Preliminaries

2.1. Notation

Unless otherwise stated, we use OT to denote 1-out-of-2 OT and to denote instances of 1-out-of-2 OT of l-bit strings. For simplicity, let denote random oracles with a suitable secure output length, which will be well defined in an actual protocol. Matrices are denoted by capital letters, and vectors are denoted by small bold letters; that is, denotes the i-th row of a matrix , and denotes the j-th column of . Small light front with subscript denotes the -th bit of a string . Notably, we regard strings as vectors and do not distinguish the difference between strings and vectors. If and are two strings, then the notation denotes . Similarly, the notation denotes the vector . Specially, when , denotes the vector .

2.2. Secure Computation and Security Model

The formal definition of security of a secure multiparty protocol [33] is based on comparing two output distributions coming from an ideal world and a real world, respectively. The functionality of three parties is denoted as , where and gets as output.Ideal/reality Simulation Paradigm. In an ideal world, participants send the input to an external trusted party who computes the functionality and sends each participant the corresponding output. Suppose there exists an adversary who has the inputs and outputs of a protocol in the ideal world and executes attack against a real protocol, then there always be an adversary executing the same attack in the ideal world. In a real protocol, if no adversary can do more harm than the execution of the protocol in the ideal world, the protocol in the real world is said to secure.Computationally Indistinguishability. Two distribution probability ensembles and are said to be computationally indistinguishable, denoted by , if for every nonuniform polynomial-time algorithm , there exists a negligible function such that for every and every :Semihonest Adversary Model. In the semihonest adversary model, corrupted participant must execute the protocol correctly. However, the adversary can comprehensively obtain the internal status of the corrupted party, e.g., the transcripts of all received messages, and then tries to obtain additional information that should be kept confidential. Semihonest model is sufficient and captures many scenarios in practice although it is a very weak adversary model.

In this paper, we focus on semihonest model and honest majority case where an adversary can corrupt at most one participant and any two participants will not get colluded. In the following, the formal security definition is proposed.

Definition 1. Let be a deterministic functionality and be a three-party protocol for computing . Given the security parameter and triple inputs , where is from , is from , and is from , the view of in the protocol is denoted as , where , is the randomness used by , and is the -th message received by ; the output of is denoted as , and the joint output of the parties is . We say that securely computes in the semihonest model if the following holds:(i)The correctness holds:(ii)There exist probabilistic polynomial-time simulators , , and such that

2.2.1. Security Model

In , a simpler definition can be used since two of three parties output nothing (see in Figure 1). Specifically, three parties stand for server , sender , and receiver , respectively. The functionality of can be given by simply writing , where denotes the empty string. We still require correctness described above, and security meaning that there exist three simulators , , and such thatwhere denotes input set from , denotes output of , and denotes null value.

2.3. OT Extension

We start by introducing the definition of standard 1-out-of-2 OT, where a sender holding two messages interacts with a receiver holding a choice bit . The 1-out-of-2 OT protocol guarantees that the receiver obtains without knowing anything about , while the sender knows nothing about . The ideal functionality for 1-out-of-2 OT, denoted as , is described in Figure 2.

In most settings, it is necessary to run a large number of OT instances at the same time. The multiexecution of OT is called batch OT (see Figure 3) denoted as . The IKNP OT extension protocol [4] is a real milestone in the development of OT research computing efficiently. It is trivial to compute by simultaneously running times although it leads to large costs on computation and communication. Therefore, OT extension is the most efficient way for executing instead of running instances of OT in parallel.

As shown in Figure 3, the functionality of IKNP is that receives messages without knowing anything about , while knows nothing about , where denotes the -th bit of . In the IKNP protocol, after acting as the receiver in and running it times, computes pairs of symmetric keys denoted as , which are used to encrypt each pair of messages , where . For each pair of symmetric keys , only knows the exact one according to his selection string, i.e.,. The key insight of IKNP OT extension is to execute such an OT-based key agreement between and in the following way:

forms matrix at random and then computes matrix such that . chooses at random. For each , invokes with input , and acts as the receiver with selection bit . receives after each computation of and then forms matrix . For each column of matrix , it implies . The essential observation is that, for each row of matrix , it holds

prepares key pairs by and and exactly knows , where is generated by locally. In addition, due to the randomness of chosen by , learns with no more than a negligible probability . Then, can execute just symmetric operations so as to encrypt each pair of messages using key pairs and sends pairs of encrypted messages to . Finally, can decrypt the corresponding message for each message pairs under .

As described above, the IKNP protocol begins with running times and then executes lots of symmetric operations to “extend” these OT instances, which are also called as “base” OTs.

2.4. Oblivious PRF

Freedman et al. [34] proposed oblivious evaluation of pseudorandom function (OPRF) and gave a general construction of OPRF from OT. An OPRF is a two-party protocol where a sender inputting a random seed obtains nothing while a receiver inputting an evaluation point obtains for some pseudorandom function family . The functionality of OPRF (see Figure 4) can be defined by .

A general definition of OPRF is that the receiver inputs an evaluation set and obtains the evaluations on a PRF in an oblivious manner, i.e.,. The functionality in Figure 4 can be regarded as a special and simplified case although it is sufficient to construct such an efficient OPRF for some scenarios. In this paper, we consider only the definition where receiver evaluates the PRF on a single point , which can be constructed massively in an efficient manner.

2.4.1. Batched OPRF Based on OT Extension

Kolesnikov and Kumaresan [5] generalized IKNP and proposed KK protocol realizing OTs in an efficient way. In IKNP, the equation means that each row of matrix is either all zeros or all ones. This feature was interpreted as a repetition code in KK, and they improved it using a linear error correcting code denoted by . Now for each row in and , it holds that , where is a public linear error correcting code of dimension and codeword length . Therefore, in KK, equation (5) becomes

Notably, stands for the -th element in vector , and now, it is no longer a binary bit in equation (5) but an -bit string. The codeword length of determines the length of and the number of columns of matrices and , instead in IKNP of ( is relative to a security parameter ). In KK, to reach the same security requirement, the codeword length is about twice as much as . That is to say, . As a consequence, the number of “base” OT in KK is doubled than that in IKNP.

Based on 1-out-of- OT extension, Kolesnikov et al. [13] proposed a variant of OPRF and described an efficient protocol to generate batched OPRF instances (known as ). From the point of adaption of OT extension, the variant OPRF functionality based on equation (6) is thatwhere now is a pseudorandom code instead of a linear error correcting code.

Notably, the random seed consists of in and , indicating that equation (6) essentially instantiates different OPRFs in total, and this is why is called bathed and key-related OPRF. In addition, the codeword length of pseudorandom code in is approximately 2 times longer than the output length of linear error correcting code in KK, which is necessary to reach security requirement. Based on OPRF, it is trivial to construct the private membership test, which will be illustrated later.

3. Overview of Our Construction

The functionality of is described in Figure 1. While the essential difference between in Figure 3 and in Figure 1 may appear to be unimpressive and unnecessary, the distinction becomes more pronounced in the case of practical OT extension applications and even more so in outsourced OT scenarios.

The codeword length of code schemes in equations (6) and (7), i.e., pseudorandom code and linear error correcting code, determines the number of “base” OT instances to be evaluated. This gives us the intuition that we could use a specific number of OTs to extend any large amount of OT instances we need. Both Ishai et al. [4] and Kolesnikov et al. [5, 13] show OTs of long strings that can be reduced to “base” OTs of shorter strings. That is, given pseudo-random generator and a small number of OTs, we can implement any we want. Therefore, we make OT execute in a program-iteration-like way (see Figure 5) to reach the final functionality . Here, for clarity, we denote selection string in by bold letter instead of , and -th element of is denoted by .

To better understand our work, let us review IKNP OT extension where holds pairs of -length messages , and the receiver holds -bit selection vector . According to Figure 5, we now focus on and only. For , each row of matrices and consists of and , respectively; that is, both and are matrices and . Now, serves as “base” OT in IKNP, while the final functionality is to realize , where is the security parameter, , and . After , computes equation (5) and sends encrypted and to . Using symmetric-key operations only, receives from and in an oblivious way. For , each row of matrix is . We have reviewed the whole framework of IKNP protocol so far, and it does matter the relationships among , , and . If we write the algorithm implementing as recursive function in programming language, then the key step in IKNP is that invokes ; i.e., is reduced to , where is the security parameter in IKNP. Thus, we implement by invoking first and then executing some symmetric-key encryption operations.

In more general case, two parties and prepare to run protocol , where acts as sender holding messages matrices and while holds chosen vector . After , gets outputs consisting of those messages he/she chooses to receive. According to OT extension protocol, and first run , where acts as a receiver and acts as a sender. For each and , it holds

denotes the -th row of matrix , denotes -th element of , and for some encoding scheme, such as repetition code in equation (5) and linear error correcting code in equation (6). We present detailed in concrete protocol and just emphasize the connections between and here.

and are named as outer and inner OT, respectively. Specially, is the innermost one. Then, we find that the two input vectors and of the inner are determined by the input of the outer . The role of and get reversed each time invokes ; that is to say, in outer OT becomes the receiver in inner OT, so as to . Furthermore, (if exists) is the outer OT related to ; therefore, the input vectors of and are determined by .

The transformation among , , and is the main part of our work. The key observation is that the inputs of both two parties in and are independent. That is, and , and , and and are independent. If is a necessary component in protocol, we can precompute assisted with a semihonest server. We focus on a special-but-sufficient case where and prepare to execute ; notably, the innermost is (see Figure 6) instead of . In such a scenario, should not be less than security parameter. If is a normal user acting as the receiver in and is a database with limited computation power and interaction capability, the framework becomes more useful and efficient. Therefore, we consider a server-aided oblivious transfer reducing the sender’s all public-key computation and numbers of interaction with other parties. As shown in Figure 6, outsources the computation marked with blue rectangle to a server.

Our protocol consists of two major phases. First, in the outsourced phase, and server run as follows. inputs random selection string , while inputs two random matrices and . After , gets output and prepares (and ) for . In the second phase, aims to respond to the request for . This phase can be concluded as invoking and sending pairs of messages ( and encrypted by ) to . In the last phase, gets outputs from , which can be seen as invoking .

4. Outsourced Oblivious Transfer Extension

In this section, we show how to construct an outsourced oblivious transfer extension protocol , where three-party functionality can be securely computed in the presence of semihonest adversaries.

Our protocol consists of two major phases among three parties, sender, receiver, and server. Figure 6 shows construction in a program-iteration-like way, where a small number of OT instances, the innermost , are first to be executed cooperatively. In fact, we let , and it becomes , where is the security parameter in real protocol. From the global perspective, we give procedure of in Figure 7 so as to have a better understanding of roles three parties play in every phase.

First, in the outsourced phase, and run as follows. inputs random selection string , while inputs two random matrices and . After , gets outputs and prepares (and ) for . In the second phase, aims to respond to the request for . This phase can be concluded as invoking and sending pairs of messages ( and encrypted by ) to . In the last phase, gets outputs from , which can be seen as invoking .

We describe in Figure 8 which realizes functionality in Figure 4. The invoking procedure in can be written as .

According to equation (8), each time invokes , and it holds . Let represent different encoding schemes each time iteration occurs. In , we have and , where both and are repetition code with output length , i.e.,

Notably, in more general case, the outputs of and may be not equal length, which is determined by and , respectively. Figures 7 and 8 illustrate framework and procedure, where the symbols are consistent and the output length of repetition code is embodied in the number of columns in the matrices and .

Theorem 1. The protocol in Figure 8 securely computes the functionality (Figure 4) in semihonest setting, as described in Definition 1, given random oracle and functionality (Figure 1).

Proof. We begin by proving the correctness. After , we prove that only receives and knows nothing about when computing . In the outsourced phase, it holds thatThen, in the responding phase, Step 5, essentially computesTherefore, in Step 6, for , by computing , gets when and gets when . Due to , we have andFor , computes and essentially sends to the following messages:It holds that if and only if . Concretely, when , computesWhen , computesIn summary, only receives in and cannot recover by computing because knows nothing about , i.e.,.
This concludes the correctness of .
We now construct three simulators , , and for simulating corrupt , , and such that the produced transcript and the view of real execution are computationally indistinguishable. That is,where denotes input set from , denotes output of , and denotes the null value.Corrupt. Given , it is easy to perfectly simulate the view of the Server because only has input, neither receives messages nor outputs during the execution of the protocol. That is, is computationally indistinguishable with .Corrupt. In protocol, Sender works only in the responding phase, when receives messages from and then sends encrypted inputs to . The messages obtained by are . That is to say, consists of input and messages , where . It is trivial for to generate a simulation of since both are random values from the point of view of .Now, simulates a simulation of by choosing a -length string , -length strings , matrix , and matrix at random and computingLet be the output of . Therefore, we claim that the view generated by and the view of corrupt in a real protocol are computationally indistinguishable.Corrupt. We construct a simulator that simulates the view of corrupt in the real protocol execution. We first analyze ’s view in . obtains matrix in the outsourced phase and in the outputting phase. Therefore, consists of ’s input and messages . To construct the simulation of the view, works as follows.(i)In the outsourced phase, given the security parameter , ’s input , and the randomness , calls simulation with input and gets output . Then, appends the output of , i.e., matrix , to its own output.(ii)In the outputting phase, given the security parameter , ’s input , the randomness , and output , simulates a simulation of by choosing -length strings and computingThen, appends to its output.
Combining two phases described above in sequence, we finally claim that the output of is computationally indistinguishable from the real execution, i.e.,.
This completes the construction of three simulators: , , and . In summary, is secure under semihonest model.

4.1. Performance Analysis

We now analyze the performance of in semihonest model. The complexities of are presented in Table 1.(i)Computation complexity. The number of symmetric and asymmetric operation to be executed in essentially depends on the size of matrices , , and , respectively. In the outsourced phase, consists of public-key and private-key operations, for both (acting as sender) and (acting as receiver). In the responding phase, invokes random oracle and performs XOR operation for times. Then, recovers matrix and encrypts messages , which only consists of symmetric operations. In the outputting phase, performs symmetric operations times to compute its outputs.(ii)Communication complexity. In the outsourced phase, the number of bits transferred between and is bounded by . In the responding phase, receives messages from and and sends encrypted messages to , which consist of . In the outputting phase, receives -bit messages in total from .(iii)Round complexity. The only interaction in exists in the outsourced phase between and , i.e.,. The number of interaction round in is bounded by 1.

4.2. Efficiency Comparison

Since we focus on the efficiency of the sender in OT, we provide comparisons to prior classical protocols from the ’s point of view in Table 2. In , all asymmetric operations are operated between the receiver and the cloud server , and works on the fly and conducts symmetric computations locally.

5. Performance

In this section, we test the performance of . The experiments were performed on a Linux machine equipped with 4 cores 3.40 GHz Intel Core i5-7500 CPU and 8 GB RAM.

Our tests refer to the implement on GitHub: https://github.com/emp-toolkit/emp-ot. We simulated main asymmetric operations in on a single machine. We compared with the OT protocol used in recent work [32], where they compute at least 450 OT instances locally from 128 “base” OTs. Therefore, we regarded as a reference and simulated the outsourced phase. After setting the length of security parameter equal to 128, we simulated for , , and , respectively. We repeated each simulation 20 times, and the result is shown in Figure 9. Although shows an almost identical performance to Vladimir’s, the running time tends to be steady sooner when . In addition, in Figure 9, the sender of works offline for most of the time during simulation, and this is one of the advantages of .

The other advantage of found in performance tests is the reduction of communication bottleneck caused by the sender . The main idea of OT extension protocol is to extend a small number of base OTs to perform many OTs. As a consequence, we summed from the time of base OTon setup to the time of protocol finish and then computed average time for each original OT. The averaged time is illustrated in Figure 10. We tested OT instances for different values and computed the average running time for one single OT, i.e.,. From Figure 10, we can see that the average time keeps steady when is less than 8. If we extend base OT to an adequate number of OTs, for example, , the average time has a sharp increase. It does not matter in , however, since the extension process is conducted between and in the outsourced phase.

6. Applications of

The framework has a wide range of applications in outsourced scenarios. In this section, we take private set intersection (PSI) as a case study and demonstrate that, as a building block, can be applied conveniently to high-level protocol.

We first introduce a private membership test (PMT) protocol to estimate whether an element belongs to a set or not and then describe how to efficiently implement it via . The resulting protocol can then be simply extended to compute functionality in Figure 11 by applying the -based PMT protocol.

6.1. OPRF-Based PMT Protocol

PMT protocol involves two parties: Alice who holds an element and Bob who holds a set . After PMT, Bob knows nothing about , and Alice only knows whether her element belongs to the set or not.

Based on OPRF, we can construct PMT protocol as follows. First, during the OPRF phase, Bob acts as sender with a random seed . And Alice, acting as receiver, inputs her element . After OPRF, Alice obtains and Bob has . Then, Bob sends all to Alice who compares with one by one. In conclusion, Alice outputs 1 if and only if there exits an such that and else outputs 0.

The security of PMT via OPRF relies on the fact that an OPRF protocol is secure. In a secure OPRF, it guarantees that is a one-way pseudorandom function and the length of equals to secure parameter. Therefore, Alice receives and then learns whether there exists an such that , but she will not learn the exact values with nonnegligible probability. We omit concrete security proof here.

6.2. -Based PMT Protocol

Given functionality , we can construct PMT protocol in a simple manner. In this section, we introduce how to design OPRF protocol based on . Equation (7) indicates that 1-out-of- OT extension implies ; therefore, we focus on the transformation from 1-out-of- OT extension to . As a result, can be easily used to construct PMT protocol.

We can apply pseudorandom code to equation (8) for defining new relationship among and in Figure 6, which implements functionality in Figure 3. In , however, we stress that it always holds and , where is the repetition code. This means that we implement INKP protocol in an outsourced manner since we use the same repetition code in and . That is to say, three parties, , , and , evaluate corporately instances of 1-out-of-2 OT of -bit messages where repetition code is used twice in total, each by and , respectively. Now, suppose Alice and Bob would like to execute instances of 1-out-of- OT where Bob inputs and Alice inputs her selection vector , and they need make the following adjustments:(i)Bob organizes the inputs in with matrices , where the -th row of matrix is .(ii)Alice makes her selection vector in be .

Then, the only adaption they need take in is that , where is the linear error correcting code . To reach the security requirement defined in [13], in , we need to reset security parameter rather than —concretely .

Given 1-out-of- OT protocol designed from , it is trivial to design -based OPRF so is to -based PMT. Again, Alice prepares her element , while Bob holds set . In brief, if it holds in thatwhere is the repetition code and is the pseudorandom code; implies the functionality where the seed consists of generated by Bob and Alice gets . Meanwhile, this essentially completes the main construction of -based PMT protocol. All needed to do next is that Bob sends to Alice who compares with locally.

6.3. -Based PSI Protocol

To obtain the final PSI protocol that computes , Alice simply invokes the PMT protocol for each . The protocol in Figure 12 computes in an outsourced manner. The intuition is that Alice holds a set , while Bob holds , and after PMT, Alice knows whether her element belongs to or not, i.e., the intersection of two sets.

Some details on method of preprocessing items in set are simply omitted in Figure 12. We can hash the item to bins and then operate the -based PSI protocol on each bin separately. Specifically, we use Cuckoo hashing [35] for PSI in the following way. First, Alice and Bob agree on 3 random hash functions suitable for 3-way Cuckoo hashing. Alice places her items into in either , , or , and each bin contains at most one item. Bob places each of his items in locations , , and . At this point, Alice pads her input with dummy items so that each bin contains exactly 1 item. Note that when we use cuckoo hashing, then there will be some items which cannot be placed into the table and have to be moved to a stash, which does not matter because of the usage of stash-less cuckoo hashing [20]. Finally, Alice and Bob perform a PSI in each bin.

7. Conclusions and Future Work

In this paper, we proposed a generic outsourced OT extension protocol () which can outsource all the “base” OT from the sender to a semihonest server. The proposed protocol realizes optimal computational and communication complexity relative to security parameter. In addition, we showed that can be efficiently used in private membership test and private set intersection. In the future, we will consider malicious model and construct efficient outsourced OT extension protocols secure against malicious adversary.

Data Availability

The performance test data used to support the findings of this study are included within the article.

Conflicts of Interest

The authors declare that they have no conflicts of interest.


This work was supported by the National Natural Science Foundation of China (Grant nos. 61572294 and 61632020), Major Innovation Project of Science and Technology of Shandong Province (Grant no. 2018CXGC0702), Natural Science Foundation of Shandong Province (Grant no. ZR2017MF021), and Fundamental Research Funds of Shandong University (Grant no. 2017JC019).