I'm reading the paper Extending OT. In the extending OT protocol, the sender uses $H(j, \textbf{q}_j)$ as the mask. Why not use $H(\textbf{q}_j)$ directly?
1 Answer
Firstly, the index guards against collisions between values $\mathbf t_j$ and $\mathbf t_{j'}\oplus\mathbf s$. If these two values were equal and indices were not included, then all four messages $x_{j,0}$, $x_{j,1}$, $x_{j',0}$ and $x_{j',1}$ could be recovered by the receiver instead of just the two that should be permitted. For example, if we have $j$ and $j'$ with $r_j=0$ and $r_{j'}=1$, then $$x_{j,1}=y_{j,1}\oplus H(\mathbf t_j+\mathbf s)=y_{j,1}\oplus H(\mathbf t_{j'})=y_{j,1}\oplus y_{j',1}\oplus x_{j',1}$$ and $$x_{j',0}=y_{j',0}\oplus H(\mathbf t_{j}+\mathbf s)=y_{j',0}\oplus H(\mathbf t_j)=y_{j',0}\oplus y_{j',0}\oplus x_{j',0}.$$
More subtly, a receiver could choose $T$ with two or more equal rows $\mathbf t_j=\mathbf t_{j'}$. This would not permit full recovery of additional values, but would permit the mod 2 sum of two messages not meant for transfer to be recovered. Again, for example, with $r_j=0$ and $r_{j'}=1$ we have $$x_{j,0}\oplus x_{j',1}=y_{j,0}\oplus y_{j',1}\oplus H(\mathbf t_j\oplus \mathbf s)\oplus H(\mathbf t_{j'}\oplus \mathbf s)=y_{j,0}\oplus y_{j',1}.$$

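The equal-rows case from the answer, as an added example (not code from the paper or from the answer): a toy simulation comparing the unindexed mask $H(\mathbf q_j)$ with the indexed mask $H(j,\mathbf q_j)$. It assumes the convention $\mathbf q_j=\mathbf t_j\oplus r_j\mathbf s$ with $y_{j,0}=x_{j,0}\oplus H(j,\mathbf q_j)$ and $y_{j,1}=x_{j,1}\oplus H(j,\mathbf q_j\oplus\mathbf s)$, models $H$ with truncated SHA-256, and computes $Q$ directly instead of running the base OTs; the names `run`, `sender_masks`, `K` and `MSG_LEN` are illustrative.

```python
import hashlib
import secrets

K = 128        # assumed security parameter: bit length of s and of each row t_j
MSG_LEN = 16   # assumed message length in bytes

def H(row: int, index=None) -> bytes:
    """Random-oracle stand-in; index=None models the unindexed H(q_j)."""
    prefix = b"" if index is None else index.to_bytes(4, "big")
    return hashlib.sha256(prefix + row.to_bytes(K // 8, "big")).digest()[:MSG_LEN]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def sender_masks(s, Q, X, use_index):
    """Sender side: y_{j,0} = x_{j,0} ^ H(j, q_j), y_{j,1} = x_{j,1} ^ H(j, q_j ^ s)."""
    Y = []
    for j, (q, (x0, x1)) in enumerate(zip(Q, X)):
        idx = j if use_index else None
        Y.append((xor(x0, H(q, idx)), xor(x1, H(q ^ s, idx))))
    return Y

def run(use_index: bool):
    """Return (chosen messages decrypt correctly, XOR of unchosen messages leaks)."""
    s = secrets.randbits(K)  # sender's secret string
    X = [(secrets.token_bytes(MSG_LEN), secrets.token_bytes(MSG_LEN)) for _ in range(2)]
    # Receiver deviates from the protocol: one row repeated, opposite choice bits.
    t = secrets.randbits(K)
    T, r = [t, t], [0, 1]
    # What the base OTs would hand the sender: q_j = t_j ^ (r_j * s).
    Q = [tj ^ (s if rj else 0) for tj, rj in zip(T, r)]
    Y = sender_masks(s, Q, X, use_index)
    # Legitimate outputs: x_{j,r_j} = y_{j,r_j} ^ H(j, t_j).
    got = [xor(Y[j][r[j]], H(T[j], j if use_index else None)) for j in range(2)]
    # XOR of the two ciphertexts the receiver was not meant to open.
    combined = xor(Y[0][1], Y[1][0])
    leaked = combined == xor(X[0][1], X[1][0])
    return got == [X[0][0], X[1][1]], leaked

if __name__ == "__main__":
    print("H(q_j):   ", run(use_index=False))
    print("H(j, q_j):", run(use_index=True))
```

Without the index both unchosen ciphertexts carry the same pad $H(\mathbf t\oplus\mathbf s)$, so it cancels and the XOR of the two unchosen messages is exposed; with the index the pads $H(j,\cdot)$ and $H(j',\cdot)$ differ and nothing cancels.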