I-(OT)²: A Client-optimal Oblivious Transfer Protocol for IoT Devices
Pith reviewed 2026-06-28 13:46 UTC · model grok-4.3
The pith
I-(OT)^2 achieves a receiver-side online oblivious transfer cost of 39.90 μs per OT on IoT devices at 128-bit security.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
I-(OT)^2 is a novel base 1-out-of-2 OT protocol grounded in the quadratic residuosity problem, specifically designed to minimise receiver-side computation and interaction. Through a lightweight offline pre-computation phase, I-(OT)^2 shifts the on-transfer computational burden almost entirely to the Sender, while reducing online communication to only six messages and four digests exchanged. The protocol comes with a formal proof of its security, and an implementation achieves average online costs per OT as low as 2.80 μs on desktop and 39.90 μs on IoT devices for 128-bit security with 3072-bit RSA modulus, more than 10× faster than SimplestOT.
What carries the argument
The I-(OT)^2 construction, a quadratic-residuosity-based 1-out-of-2 OT that uses offline pre-computation to move computation from receiver to sender.
If this is right
- Base OT protocols remain necessary when the number of transfers is modest or communication latency dominates.
- The design supports client-server architectures with the receiver on constrained IoT hardware.
- Online phase requires only six messages and four digests.
- Formal security is established under the quadratic residuosity assumption.
- Measured receiver-side online costs are more than 10× lower than SimplestOT on IoT devices.
Where Pith is reading between the lines
- The receiver-side savings could extend the range of real-time IoT applications that can afford OT-based privacy features.
- The offline-to-online split might transfer to other cryptographic building blocks on power-limited devices.
- Hybrid use with OT-extension methods could combine low per-instance cost with high-volume amortisation.
- Re-running the benchmarks on additional IoT platforms would test whether the reported speedups generalise beyond the tested hardware.
Load-bearing premise
Security and reported performance hold if the quadratic residuosity assumption is valid and the implementation realizes the protocol without unaccounted side-channel or practical attacks.
What would settle it
An experiment measuring substantially higher receiver online times than 39.90 μs on comparable IoT hardware, or a reduction of the quadratic residuosity problem to a tractable computation for the stated modulus size, would disprove the central performance and security claims.
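To make the load-bearing premise concrete, the following is an added illustration of the quadratic residuosity decision problem itself; it is not the paper's code and not the I-(OT)^2 protocol. The primes P and Q and the modulus N are constructed toy values (the paper uses a 3072-bit RSA modulus), chosen as Blum primes so that the trapdoor decision can be checked by hand.

```python
# Added illustration of the quadratic residuosity (QR) assumption behind
# I-(OT)^2.  Not the paper's code and not its OT protocol: it only shows
# what the assumption says, on a constructed toy Blum modulus.
import math
import random

P, Q = 499, 547          # constructed Blum primes (both = 3 mod 4)
N = P * Q                # toy modulus; real deployments use 3072 bits


def jacobi(a: int, n: int) -> int:
    """Jacobi symbol (a/n) for odd n > 0, via quadratic reciprocity.
    Needs no factors of n: it is all a trapdoor-less party can compute."""
    if n <= 0 or n % 2 == 0:
        raise ValueError("n must be a positive odd integer")
    a %= n
    result = 1
    while a != 0:
        while a % 2 == 0:            # pull out factors of two
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # reciprocity step
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def is_qr_with_trapdoor(a: int, p: int, q: int) -> bool:
    """Euler's criterion modulo each prime: easy once p and q are known."""
    return pow(a, (p - 1) // 2, p) == 1 and pow(a, (q - 1) // 2, q) == 1


def sample_square(n: int, rng: random.Random) -> int:
    """Uniform element of QR_n: square a random unit modulo n."""
    while True:
        r = rng.randrange(2, n)
        if math.gcd(r, n) == 1:
            return r * r % n


def sample_pseudo_square(n: int, rng: random.Random) -> int:
    """Non-residue with Jacobi symbol +1.  For a Blum modulus, -1 is such
    a 'pseudo-square', so multiplying a square by n - 1 yields another."""
    return (n - 1) * sample_square(n, rng) % n


def qr_challenge(rng: random.Random) -> tuple[int, bool]:
    """The QR decision game: a random element with Jacobi symbol +1 and
    the hidden answer.  Both branches look identical under the symbol."""
    is_square = rng.random() < 0.5
    a = sample_square(N, rng) if is_square else sample_pseudo_square(N, rng)
    return a, is_square


def trapdoor_solves_challenge(trials: int, seed: int = 7) -> bool:
    """True when every challenge has Jacobi symbol +1 (no free information
    without the trapdoor) yet the factor-holder answers all of them."""
    rng = random.Random(seed)
    for _ in range(trials):
        a, is_square = qr_challenge(rng)
        if jacobi(a, N) != 1:
            return False
        if is_qr_with_trapdoor(a, P, Q) != is_square:
            return False
    return True
```

The assumption the paper rests on is that, without P and Q, no efficient party does noticeably better than guessing in this game at the stated modulus size.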
Original abstract
Oblivious Transfer (OT) is a fundamental cryptographic primitive enabling privacy-preserving computation and constitutes a core building block for secure multi-party computation while supporting a wide range of security-sensitive applications: private information retrieval, zero-knowledge proofs, and password-authenticated key exchange, to cite a few. While recent advances in OT extension have significantly reduced amortised costs, their reliance on batches of random base OTs and substantial pre-computation phases limits their practicality in scenarios where the number of transfers is modest or where communication latency and client-side computation are critical constraints. In such settings, efficient base OT protocols remain both relevant and necessary. In this work, we introduce I-(OT)^2, a novel base 1-out-of-2 OT protocol grounded in the quadratic residuosity problem, specifically designed to minimise receiver-side computation and interaction. Our construction is particularly appealing on client-server architectures in which the receiver operates on low-power hardware, such as Internet of Things (IoT) devices. Through a lightweight offline pre-computation phase, I-(OT)^2 shifts the on-transfer computational burden almost entirely to the Sender, while reducing online communication to only six messages and four digests exchanged. We provide a detailed description of the protocol, accompanied by a formal proof of its security. Moreover, to demonstrate the viability of I-(OT)^2, we also present an open-source proof-of-concept implementation (in C language) evaluated on real IoT hardware. Results are staggering: for 128-bit security using a 3072-bit RSA modulus, the receiver incurs an average online cost per OT as low as 2.80 μs on desktop platforms and 39.90 μs on IoT devices, more than 10× faster than the well-known SimplestOT.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper introduces I-(OT)^2, a base 1-out-of-2 oblivious transfer protocol based on the quadratic residuosity assumption. It features an offline pre-computation phase that shifts most computation to the sender, reduces the online phase to six messages and four digests, includes a formal security proof, and provides an open-source C implementation benchmarked on real IoT hardware. For 128-bit security with 3072-bit RSA, it reports average online costs of 2.80 μs on desktop and 39.90 μs on IoT devices, claimed to be more than 10× faster than SimplestOT.
Significance. If the security reduction and implementation details hold, the protocol would represent a meaningful practical advance for base OT in client-server settings with resource-constrained receivers such as IoT devices. The formal security proof under the quadratic residuosity assumption, the open-source reproducible implementation, and the hardware-specific benchmarks are explicit strengths that support verifiability and adoption.
minor comments (3)
- [Abstract] The informal phrasing 'Results are staggering' should be replaced with quantitative or measured language consistent with the rest of the manuscript.
- [Evaluation] The performance comparison is limited to SimplestOT; additional baselines (e.g., other QR-based or lattice-based base OT constructions) would strengthen the evaluation section.
- [Protocol Description] Notation for the six-message online flow and the offline phase should be cross-referenced explicitly to the security proof to aid readability.
Simulated Author's Rebuttal
We thank the referee for the positive assessment of our manuscript on I-(OT)^2, the recognition of its practical contributions for IoT settings, and the recommendation for minor revision. No major comments were raised in the report.
Circularity Check
No significant circularity
full rationale
The paper introduces a new base OT protocol construction under the standard quadratic residuosity assumption, accompanied by an explicit protocol description, a formal security proof, and direct empirical benchmarks from an open-source C implementation on real hardware. No load-bearing step reduces by definition or construction to its own inputs; performance figures are measured outputs rather than fitted predictions; no self-citation chain or ansatz smuggling is indicated in the provided material. The derivation is self-contained against external assumptions and measurements.
Axiom & Free-Parameter Ledger
axioms (1)
- domain assumption: the quadratic residuosity problem is computationally hard