Oblivious transfers and intersecting codes

Assume A owns t secret k-bit strings. She is willing to disclose one of them to B, at his choosing, provided he does not learn anything about the other strings. Conversely, B does not want A to learn which secret he chose to learn. A protocol for the above task is said to implement one-out-of-t string oblivious transfer, denoted (^t ₁)-OT^k₂. This primitive is particularly useful in a variety of cryptographic settings. An apparently simpler task corresponds to the case k=1 and t=2 of two 1-bit secrets: this is known as one-out-of-two bit oblivious transfer, denoted (² ₁)-OT₂. We address the question of implementing ( ^t₁)-OT^k₂ assuming the existence of a (²₁)-OT₂. In particular, we prove that unconditionally secure (²₁)-OT^k ₂ can be implemented from Θ(k) calls to (² ₁)-OT₂. This is optimal up to a small multiplicative constant. Our solution is based on the notion of self-intersecting codes. Of independent interest, we give several efficient new constructions for such codes. Another contribution of this paper is a set of information-theoretic definitions for correctness and privacy of unconditionally secure oblivious transfer