Oblivious-Transfer Amplification

Oblivious transfer (OT) is a primitive of paramount importance in cryptography or, more precisely, twoand multi-party computation due to its universality. On the other hand, OT cannot be achieved in an unconditionally secure way for both parties from scratch. Therefore, it is a natural question what information-theoretic primitives or computational assumptions OT can be based on. The results in our paper are threefold. First, we show how to optimally realize unconditionally secure OT from a weak variant of OT called universal OT, for which a malicious receiver can virtually obtain any possible information he wants, as long as he does not get all the information. This result is based on a novel distributed leftover hash-lemma which is of independent interest. Second, we give conditions for when OT can be obtained from a faulty variant of OT called weak OT , for which it can occur that any of the parties obtains too much information, or the result is incorrect. These bounds and protocols, which correct on previous results by Damg̊ard et. al., are of central interest since most known realizations of OT from weak primitives, such as noisy channels, a weak OT is constructed first. Finally, we carry over our results to the computational setting and show how a weak OT that is only mildly secure against computationally bounded adversaries can be strengthened.