Extending Oblivious Transfers Efficiently

Yuval Ishai 1, Joe Kilian 2, Kobbi Nissim 2, and Erez Petrank 1⋆⋆

1 Department of Computer Science, Technion - Israel Institute of Technology, Haifa 32000, Israel. {yuvali|erez}@cs.technion.ac.il
2 NEC Laboratories America, 4 Independence Way, Princeton, NJ 08550, USA. {joe|kobbi}@nec-labs.com

Abstract. We consider the problem of extending oblivious transfers: Given a small number of oblivious transfers “for free,” can one implement a large number of oblivious transfers? Beaver has shown how to extend oblivious transfers given a one-way function. However, this protocol is inefficient in practice, in part due to its non-black-box use of the underlying one-way function. We give efficient protocols for extending oblivious transfers in the random oracle model. We also put forward a new cryptographic primitive which can be used to instantiate the random oracle in our constructions. Our methods suggest particularly fast heuristics for oblivious transfer that may be useful in a wide range of applications.

1 Introduction

Is it possible to base oblivious transfer on one-way functions? Partial answers to this question were given by Impagliazzo and Rudich [22] and Beaver [1]. Impagliazzo and Rudich [22] showed that a black-box reduction from oblivious transfer to a one-way function (or a one-way permutation) would imply P=NP. They gave an oracle that combines a random function and a PSPACE oracle and proved that relative to this oracle one-way functions exist, but secret-key agreement is impossible. In other words, even an idealized one-way function (a random oracle) is insufficient for constructing secret-key agreement and hence oblivious transfer. A number of papers have continued this line of research and drawn the limits of black-box reductions in cryptography, mapping the separations between the power of cryptographic primitives in relativized worlds [34, 15, 16, 25, 14].

It is not known whether a non-black-box reduction from oblivious transfer to one-way functions exists. Impagliazzo and Rudich’s result strongly suggests that with the current knowledge in complexity theory we cannot base oblivious transfer on one-way functions. However, a remarkable theorem of Beaver [1] shows that a ‘second-best’ alternative is achievable – one-way functions are sufficient to extend a few oblivious transfers into many, i.e. it is possible to implement a large number of oblivious transfers given just a small number of oblivious transfers:

Work partially done while the second author was at DIMACS, Rutgers University, 96 Frelinghuysen Road Piscataway, NJ 08854, USA.
⋆⋆ This research was supported by the E. AND J. BISHOP RESEARCH FUND.