Two-Round Adaptively Secure Multiparty C

We start with an overview of our construction of 2-round adaptive-OT and then move to 2-round adaptive MPC in the local CRS model. In the end, we briefly discuss future work on extending our results to the single CRS model.

2.1 2-Round Adaptive-OT

To construct a 2-round adaptive-OT $\varPi _3$, we start with a basic 2-round static-OT^{Footnote 3} $\varPi $ with the special property of sender and receiver oblivious sampleability, and transform it in three steps to gradually achieve security against different adaptive corruption scenarios:

Sender semi-adaptive corruption refers to the case where the receiver is corrupted at the beginning of the protocol execution and the sender is corrupted after the execution, i.e. post-execution.
Receiver semi-adaptive corruption refers to the symmetric case where the sender is corrupted from the beginning and the receiver is corrupted post-execution.
Semi-adaptive corruption refers to either of the above two scenarios. In comparison, full fledged adaptive corruption considers the additional scenario where neither sender nor receiver is corrupted during execution, and both corrupted post-execution in an arbitrary order; we refer to the latter semi-honest post-execution corruption.

Starting with a static-OT $\varPi $ with sender and receiver oblivious sampleability,

In Transformation 1, we transform $\varPi $ into $\varPi _1$ that achieves security against sender-semi-adaptive corruption (and preserves security in static corruption scenarios). This step crucially relies on the sender oblivious sampleability of $\varPi $, and preserves receiver oblivious sampleability.
In Transformation 2, we rely on receiver oblivious sampleability to transform $\varPi _1$ into $\varPi _2$ to achieve security under receiver-semi-adaptive corruption, while preserving security under sender-semi-adaptive corruption. $\varPi _2$ is now secure under semi-adaptive corruption.
In Transformation 3, finally, we transform the semi-adaptive-OT $\varPi _2$ into an adaptive-OT $\varPi _3$, using additionally augmented NCE.

Below, we describe ideas in these three transformation, starting with the third transformation.

Transformation 3: Semi-Adaptive-OT to Adaptive-OT. Consider a semi-adaptive OT $\varPi _2$, whose algorithms for generating the CRS, the sender, and receiver messages are denoted as ${\mathsf {Setup}}$, $S_2$, $R_2$. The only corruption scenario that $\varPi _2$ does not handle is semi-honest post-execution corruption (i.e., neither sender nor receiver is corrupted during execution, but both corrupted post-execution in an arbitrary order). It is known that semi-adaptive OT can be transformed into adaptive-OT by sending messages of the former using private channels implemented by Non-Committing Encryption (NCE) [24], which, however, produces a three-round protocol. In two rounds, the above corruption case alone can be handled using augmented NCE as done in the construction of semi-honest adaptive-OT by Canetti, Lindell, Ostrovsky, and Sahai (CLOS) [15]. Below, we use their protocol to lift the security of $\varPi _2$.

Augmented NCE. NCE is a public key encryption with the special property of equivocality: one can simulate a pair of pubic key and ciphertext $(\mathrm {pk}, c)$ and later “open” them to any plaintext m, by efficiently finding randomness $\rho $ and $\tau $ that “explains” the public key and ciphertext consistently w.r.t. m (meaning ${\tilde{c}}= {\mathsf {NEnc}}({\tilde{\mathrm {pk}}},m; \rho )$, $({\tilde{\mathrm {pk}}}, {\tilde{\mathrm {sk}}}) = {\mathsf {NGen}}(1^\lambda ; \tau )$, $m = {\mathsf {NDec}}({\tilde{\mathrm {sk}}},{\tilde{c}})$).

A NCE is “augmented” if it has i) oblivious key sampleability: one can obliviously sample a public key $\mathrm {pk}'$ without knowing any corresponding secret key, and ii) inverse key sampleability: one can claim that an honestly generated or simulated public key $\mathrm {pk}$ was sampled obliviously by efficiently finding randomness that would make the oblivious key sampling algorithm produce $\mathrm {pk}$.

To handle semi-honest post-execution corruption, we run $\varPi _2$ with the CLOS semi-honest adaptive-OT from augmented NCE in parallel as depicted below. The instance of $\varPi _2$ is generated using the receiver’s choice bit $\sigma $ and the sender’s messages padded with two random strings $(m_0\oplus r_0, m_1 \oplus r_1)$. In the instance of CLOS, the receiver samples one public key $\mathrm {pk}_\sigma $ honestly with $\mathrm {sk}_\sigma $, and another $\mathrm {pk}_{1-\sigma }$ obliviously, followed by the sender encrypting the two random pads $r_0, r_1$ using respectively these two keys.

To handle semi-honest post-execution, the trick is simulating the instance $({\mathrm {ot1}}, {\mathrm {ot2}})$ of $\varPi _2$ using its simulator ${\mathsf {Sim}}_2$ for the case where the sender is statically corrupted (recall that $\varPi _2$ is secure under semi-adaptive corruption). This can be done as the simulator can generate ${\mathrm {ot2}}$ honestly using just random messages $r_0', r_1'$: effectively, the sender of $\varPi _2$ is “corrupted” and instructed to act honestly with input $r_0',r_1'$. Thus, ${\mathsf {Sim}}_2$ can be used to simulate and equivocate the receiver’s messages. The keys and ciphertexts in the instance of CLOS is simulated relying on properties of augmented NCE. Later, for instance, when the sender is corrupted first post-execution, the simulator, learning $(m_0, m_1)$, finds the right “pads” $r_0 = m_0 \oplus r_0'$, $r_1 = m_1 \oplus r_1'$, and uses the equivocality of NCE to “explain” that the keys and ciphertexts are consistent with $r_0, r_1$. In the other case, when the receiver is corrupted first post-execution, the simulator, learning $\sigma , m_\sigma $, can explain $\mathrm {pk}_\sigma $ consistently with $r_\sigma $, and claim that $\mathrm {pk}_{1-\sigma }$ were obliviously sampled using the inverse oblivious sampleability property.

It might seem that the above transformation can use any semi-honest adaptive OT. This is indeed the case only if semi-honest post-execution corruption was concerned. But, we also want the transformation to preserve security under semi-adaptive corruption (when $\varPi _2$ has this property). For that, we rely on special properties of the CLOS protocol; in particular, it is already secure against malicious sender, and simulated public keys from the receiver can be easily equivocated. See Sect. 5.5 for more details.

Transformation 2: Handling Receiver-Semi-Adaptive Corruption. We now move to handling the first scenario in semi-adaptive corruption, i.e. receiver semi-adaptive corruption. When the sender is maliciously corrupted from the beginning and the receiver is corrupted post-execution, the simulator needs to (i) simulate the receiver’s message ${\widetilde{{\mathrm {ot1}}}}$ without knowing the choice bit, (ii) extract both sender’s messages $m_0, m_1$, (iii) and later equivocate ${\widetilde{{\mathrm {ot1}}}}$ to any choice bit $\sigma $. A common approach in the literature for enabling equivocation is relying on appropriate oblivious sampleability property. We follow this approach and formalize the following receiver oblivious sampleability property.

Receiver Oblivious Sampleability: A two-round OT protocol (in the CRS model) has receiver oblivious sampleability if (1) one can obliviously sample receiver’s message ${\widetilde{{\mathrm {ot1}}}}$, and (2) can claim that an honestly generated receiver’s message ${\mathrm {ot1}}$ for any choice bit $\sigma $ was obliviously sampled, by efficiently finding consistent randomness $\rho $ that would make the oblivious sampling algorithm produce ${\mathrm {ot1}}$. Furthermore, messages and randomness produced in these two ways are indistinguishable
$$\begin{aligned} (\mathrm {crs}, {\widetilde{{\mathrm {ot1}}}}, {\widetilde{\rho }}) \approx (\mathrm {crs}, {\mathrm {ot1}}, \rho ). \end{aligned}$$

A Naive Idea and its Problem. Given $\varPi _1$ with receiver oblivious sampleability, the basic idea is to let the receiver of $\varPi _2$ send two messages, where ${\mathrm {ot1}}_\sigma $ is generated honestly using the choice bit $\sigma $ while ${\widetilde{{\mathrm {ot1}}}}_{1-\sigma }$ is sampled obliviously. The sender then replies ${\mathrm {ot2}}_0, {\mathrm {ot2}}_1$ respectively, where ${\mathrm {ot2}}_b$ is generated honestly w.r.t. ${\mathrm {ot1}}_b$ using message $m_b$ at slot b and random message $r_b$ at slot $1-b$. See the depiction below on the left.

For the above protocol, simulation under receiver-semi-adaptive corruption can be done as follows: (i) the simulator can “plant” honestly generated receiver’s messages ${\mathrm {ot1}}_0, {\mathrm {ot1}}_1$ for both choice bit 0 and 1. (ii) Upon receiving sender’s messages ${\mathrm {ot2}}_0, {\mathrm {ot2}}_1$, it uses the OT output strings as the extracted sender’s messages. Finally, (iii) the simulator equivocates the receiver’s messages w.r.t. a choice bit by revealing the randomness $\rho _\sigma $ used for generating ${\mathrm {ot1}}_\sigma $ honestly, and reverse sampling randomness ${\widetilde{\rho }}_{1-\sigma }$ for claiming that ${\mathrm {ot1}}_{1-\sigma }$ were obliviously sampled.

Though receiver-semi-adaptive corruption is resolved, unfortunately, the above protocol is not secure against malicious receivers (even though $\varPi _1$ is), as a cheating receiver can use the same strategy the simulator uses and violate sender’s privacy.

Fixing the Problem. To overcome this, the simulator needs to have some unique advantage that malicious receivers do not have. Our idea is using an equivocal commitment ${\mathsf {ECom}}$ (in CRS model). More specifically, the receiver should send a ${\mathsf {ECom}}$ commitment c to its choice bit $\sigma $, so that, only the simulator can generate a simulated commitment ${\tilde{c}}$ and open it to both 0 and 1, but not cheating receivers. To incorporate this, the rest of the protocol needs to be modified accordingly: The two instances of OT $\varPi _1$ are replaced with two instances of 2 Party Computation (2PC): the b’th instance reveals to the receiver the message $m_b$ conditioned on the receiver having a valid opening of c to b.

Simulation in the receiver-semi-adaptive corruption scenario uses similar ideas as described above w.r.t. the naive protocol. Again, the simulator “plants” valid receiver’s messages for both choice bit 0 and 1. In particular, it generates a simulated ${\mathsf {ECom}}$ commitment ${\tilde{c}}$ and two sets of ${\mathrm {ot1}}$ messages corresponding to both opening $\tau ^0, \tau ^1$ of ${\tilde{c}}$ to 0 and 1, $\{{\mathrm {ot1}}_{0,k}(\tau ^0_k)\}_k$, $\{{\mathrm {ot1}}_{1,k}(\tau ^1_k)\}_k$. To equivocate to any choice bit $\sigma $, the simulator can again reveal the randomness used for generating the set $\{{\mathrm {ot1}}_{\sigma , k}\}$ of messages corresponding to $\tau _\sigma $, and claim that the other set $\{{\mathrm {ot1}}_{1-\sigma , k}\}$ was sampled obliviously. The advantage of this protocol is that now malicious receiver cannot copy the simulator’s strategy, as it cannot find opening of a ${\mathsf {ECom}}$ commitment to both 0 and 1.

Preserving Security under Sender-Semi-Adaptive Corruption. Furthermore, we show that if $\varPi _1$ is secure under sender-semi-adaptive corruption (i.e. where the receiver is maliciously corrupted from the beginning and the sender is corrupted post-execution), the above transformation preserves it. To this end, we need the second message of 2PC to be equivocal. This can be achieved by implementing 2PC using $\varPi _1$ and equivocal garbled circuits constructed by [17] from one-way functions.

In summary, our transformation 2 produces a semi-adaptive OT, starting from one that is only secure under sender-semi-adaptive corruption (and static corruption of the sender by a semi-honest adversary). We remark that our transformation is quite similar to the transformation presented in the recent work of [28] for achieving some equivocal property of receiver’s message. However, their notion of equivocality is tailored for simulation in static corruption cases, and only need to provide partial randomness consistent with a choice bit $\sigma $. In adaptive corruption, equivocation requires providing complete randomness for generating the receiver’s message. Thus, the two transformation differ in details; in particular, we crucially rely on receiver oblivious sampleability which is not needed in [28].

Transformation 1: Handling Sender-Semi-Adaptive Corruption. When the receiver is maliciously corrupted from the beginning and the sender is corrupted post-execution, the simulator needs to (i) extract the choice bit $\sigma $ from the receiver’s message ${\mathrm {ot1}}$, and then obtain the output message $m_\sigma $, (ii) next simulate the sender’s message ${\widetilde{{\mathrm {ot2}}}}$ knowing only $m_{\sigma }$, (iii) and finally be able to equivocate ${\widetilde{{\mathrm {ot2}}}}$ w.r.t. arbitrary $m_{1-\sigma }$. To enable equivocation, we again formulate an oblivious sampleability property now w.r.t. sender’s messages.

Sender Oblivious Sampleability (Overly Simplified): Roughly speaking, we want the property that (1) one can obliviously sample a sender’s message ${\widetilde{{\mathrm {ot2}}}}$ (w.r.t. a $\mathrm {crs}$ and receiver’s message ${\mathrm {ot1}}$), and (2) can claim that an honestly generated sender’s message ${\mathrm {ot2}}$ for random messages $r_0, r_1$ was obliviously sampled, by efficiently finding randomness $\rho $ that would make the oblivious sampling algorithm output ${\mathrm {ot2}}$. Moreover, messages and randomness generated in these two ways are indistinguishable:
$$\begin{aligned} (\mathrm {crs}, {\mathrm {ot1}}, {\widetilde{{\mathrm {ot2}}}}, {\widetilde{\rho }}) \approx (\mathrm {crs}, {\mathrm {ot1}}, {\mathrm {ot2}}, \rho ). \end{aligned}$$

We remark that unfortunately the above description is overly simplified; for the proof to go through, the actual sender oblivious sampleability is more complex. However, for simplicity of exposition, we use the above simple version in this high-level overview.

Staring from a static-OT $\varPi $ with sender oblivious sampleability, we construct a bit-OT $\varPi _1$ with security under sender semi-adaptive corruption. (Note that constructing bit-OT is without loss of generality, as it implies string-OT with the same security in different corruption scenarios.) The basic idea is again to let sender of $\varPi _1$ send multiple messages of $\varPi $. This redundancy allows simulation to “plant” honestly generated sender’s messages for both input bit 0 and 1, at either slot. Then, later to equivocate to $m_{1-\sigma }$, the simulator can correctly open the message generated with value $m_{1-\sigma }$, and claim that the other message was sampled obliviously.

More specifically, $\varPi _1$ (depicted above) works as follows. Upon receiving a single receiver’s message ${\mathrm {ot1}}$ of $\varPi $, the sender replies two pairs of sender’s messages of $\varPi $: The b’th pair contains ${\mathrm {ot2}}_{b,m_b}, {\widetilde{{\mathrm {ot2}}}}_{b, 1-m_b}$, where the former is honestly generated for random messages $(r_{b0}, r_{b1})$, and the latter obliviously sampled. The 4 ${\mathrm {ot2}}$ messages are ordered according to their index. In addition, the sender reveals in the clear $r_{00}$ and $r_{11}$. It is easy to see that an honest receiver with a choice bit $\sigma $ will recover exactly the string $r_{\sigma \sigma }$ from message ${\mathrm {ot2}}_{\sigma ,m_\sigma }$, and from the order of ${\mathrm {ot2}}_{\sigma ,m_\sigma }$ in the 4 ${\mathrm {ot2}}$ messages, it learns $m_\sigma $.

Sender Semi-Adaptive Corruption. Simulation in the sender-semi-adaptive corruption scenario can now be achieved as follows. (i) The simulator can extract the receiver’s choice bit $\sigma $ using the simulator of $\varPi $ for the case with a (statically corrupted) malicious receiver, and then learns the output string $m_\sigma $. (ii) To simulate sender’s message, it generates the $\sigma $’th pair $({\mathrm {ot2}}_{\sigma , m_\sigma }, {\widetilde{{\mathrm {ot2}}}}_{\sigma , 1-m_\sigma })$ honestly as $\varPi _1$ specifies, and simulates the $1-\sigma $’th pair by generating both ${\mathrm {ot2}}_{1-\sigma , 0}, {\mathrm {ot2}}_{1-\sigma ,1}$ honestly, using the same message $r_{1-\sigma , 1-\sigma }$ at slot $1-\sigma $ and different random strings at slot $\sigma $; in addition $r_{00}, r_{11}$ are revealed in the clear.

(iii) Finally, to equivocate to sender’s true inputs $(m_0, m_1)$, the simulator can reveal the randomness used for generating the $\sigma $’th pair $({\mathrm {ot2}}_{\sigma , m_\sigma }, {\widetilde{{\mathrm {ot2}}}}_{\sigma , 1-m_\sigma })$, which were generated correctly using $m_\sigma $. For the $1-\sigma $’th pair ${\mathrm {ot2}}_{1-\sigma , 0}, {\mathrm {ot2}}_{1-\sigma ,1}$, the simulator needs to “explain” w.r.t. $m_{1-\sigma }$. This can simply be done by revealing the randomness used for generating ${\mathrm {ot2}}_{1-\sigma , m_{1-\sigma }}$ honestly, and claim that ${\mathrm {ot2}}_{1-\sigma , 1-m_{1-\sigma }}$ were sampled obliviously.

Making the above idea work turns out to require a more complex formulation of the sender oblivious sampleability property. Roughly speaking, the complexity stems from the fact that when reducing to sender oblivious sampleability, to simulate the adversary’s view, the reduction needs to obtain the choice bit $\sigma $ of the corrupted receiver (as simulation of sender’s message depends on $\sigma $). This means sender oblivious sampleability needs to hold against adversaries (the reduction) who receive help in “breaking” a receiver’s message of its choice. We omit the complexity here and refer the reader to Sect. 5.3 for more detail.

Fortunately, we can achieve such strong sender oblivious sampleability, as well as receiver oblivious sampleability, from various concrete assumptions, including DDH, QR, and LWE.

2.2 Instantiation of Static-OT with Oblivious Sampleability

We now briefly summarize ideas behind our instantiation from concrete assumptions. To construct the static-OT with oblivious sampleability, we start from a variant of the OT construction based on Smooth Projective Hash Functions (SPHFs) from Halevi and Kalai [32] which generalizes the construction from Naor and Pinkas [35]. In our setting, the SPHF we consider is a primitive which allows some party to generate a hash value $\mathsf {H}$ of a pair $(\mathrm {ct},\sigma ')$ of a ciphertext $\mathrm {ct}$ and a value $\sigma '$, together with what is called a projection key $\mathsf {hp}$ so that: if $\mathrm {ct}$ is indeed a ciphertext of $\sigma '$, it is possible to compute $\mathsf {H}$ from $\mathsf {hp}$ and the random coins used to generated $\mathrm {ct}$. But if $\mathrm {ct}$ is not a ciphertext of $\sigma '$, $\mathsf {H}$ looks completely random even knowing $\mathsf {hp}$.

The construction works as follows. The CRS contains a public key of an encryption scheme. The receiver’s message is a ciphertext $\mathrm {ct}$ of the selection bit $\sigma $. The sender then uses the SPHF to mask its inputs $x_0$ and $x_1$, so that only the one corresponding to the plaintext of $\mathrm {ct}$ can be unmasked. More precisely, the sender’s message consists of two projection keys $\mathsf {hp}_0$ and $\mathsf {hp}_1$ for the ciphertext $\mathrm {ct}$ and the values 0 and 1 respectively, as well as the values $\mathsf {H}_0 \oplus x_0$ and $\mathsf {H}_1 \oplus x_1$ where $\mathsf {H}_0$ and $\mathsf {H}_1$ are the two hash values corresponding to $\mathsf {hp}_0$ and $\mathsf {hp}_1$. Using the random coins used to generate $\mathrm {ct}$, the receiver, can recover $\mathsf {H}_\sigma $ and then $x_\sigma $. But the value $x_{1-\sigma }$ will remain completely hidden, masked by $\mathsf {H}_{1-\sigma }$ which looks random to the receiver.

To achieve oblivious sampleability, we just need ciphertexts of the encryption scheme and projection keys of the SPHF to be obliviously sampleable. We can instantiate them using the ElGamal encryption scheme and the associated SPHF from [21], which already satisfies the oblivious sampleability requirements. This directly gives a static-OT with oblivious sampleability under the Decisional Diffie-Hellman (DDH) assumption.

To instantiate the scheme under the Quadratic Residuosity assumption (QR), we start from the Goldwasser-Micali [30] encryption scheme and the SPHF from [21]. While the Goldwasser-Micali encryption scheme satisfies ciphertext oblivious sampleability, we do not know how to obliviously sample the projection keys of the associated SPHF. The issue is that projection keys are quadratic residues which we do not know how to sample obliviously. To solve this issue, we slightly change the SPHF to use the group of signed quadratic residues instead [33].

Finally, we show how to achieve a slightly weaker variant of 2-round static-OT, called half-OT, with oblivious sampleability under LWE. Roughly speaking, in a half-OT, the sender has a bit b and a single message m, and the receiver with choice bit $\sigma $ only receives m if $b = \sigma $. We show that this weaker variant of half-OT, is already sufficient for our transformation to obtain adaptive-OT. We then instantiate half-OT essentially using the IND-CPA encryption scheme and the SPHF from [4] based on LWE. At a very high-level, the encryption scheme can be seen as the dual-Regev encryption scheme where decryption is done using a full trapdoor for the lattice, to ensure that incorrect ciphertexts are far away from the lattice in all directions (otherwise, we do not know how to prove smoothness of the associated SPHF).

Please see Sect. 5.6 for more details of our instantiation.

2.3 From Adaptive-OT to Adaptive-MPC

Two recent works [5, 28] constructed 2-round static-MPC in the CRS model from 2-round static-OT. Actually, the protocol presented in [5] additionally relies on NIZK; but as implicitly observed in [28] and in this paper the use of NIZK can be removed. Moving to the adaptive setting, the natural approach is replacing static-OT with adaptive-OT and ask whether the resulting MPC protocols become adaptively secure. We give affirmative answer. At a very high-level, the proof follows similar ideas as in [5, 28]. Still, the formal proof requires carefully examination of all adaptive corruption scenarios and new analysis. In particular, the garbled circuits used in the protocols need to be equivocal for adaptive security to hold.

A subtle issue arises when using equivocal garble circuits: If using them modularly as black-box, we can only collapse rounds of constant-round MPC protocols, as opposed to any polynomial-round protocols as in [5, 28]. The overall approach of [5, 28], followed by this work, is using garbled circuits and OT to collapse rounds of a multi-round MPC protocol. The resulting protocol generates chains of garbled circuits, where each circuit in a chain corresponds to one round in the original MPC protocol, has the lables of the next garble circuit in the chain hardcoded inside. Equivocating a chain entails recursively equivocating the garbled circuits in it. Due to the complexity requirement of equivocal garbling scheme, the size of the equivocal garbled circuits grows exponentially with the length of the chain. As a result, we can only collapse rounds of constant-round MPC protocols. (Note that this issue does not exist in the static setting, simulating a chain of standard garbled circuits does not lead to exponential size-growth.) We can alternatively address the issue of exponential size-growth by applying the techniques of [17] for constructing equivocal garbling scheme (instead of using equivocal garbled circuits as black-boxe).^{Footnote 4} For simplicity and modularity, we take the first approach and collapse rounds of the constant-round MPC protocols from [17] using the equivocal garbling scheme in the same work. See Sect. 6 for the new protocol and analysis.

In terms of writing, we follow the protocol of [5], but for convenience, we present directly the entire protocol without using their intermediate abstraction (namely witness selectors and garbled interactive circuits); this avoids re-defining every intermediate notion in the adaptive setting, which would add unnecessary complexity.

2.4 Future Work: Moving to the Single CRS Model

Our constructions are in the local CRS model, where every session of protocol execution has its “local” independently sampled CRS. A more stringent model is the single CRS model as formalized in [15], where all sessions share a single CRS.^{Footnote 5} We believe that our construction of 2-round adaptive-OT can be adapted to the single CRS model, and when plugging such an OT in our construction of MPC, the resulting 2-round adaptive MPC protocols also work with single CRS. Recall that we gradually transform a static-OT with sender and receiver oblivious sampleability into an adaptive-OT in three steps. We believe that these transformation also works in the single CRS model. Thus it boils down to instantiate static-OT with oblivious sampleability in the single CRS model from concrete assumptions. The main difference from our current instantiation in the local CRS model is that in the single CRS model, the protocols must satisfy certain non-malleability or simulation-extractability property. But, they can be easily achieved using CCA encryption, which is implied by DDH, QR, and LWE. We leave the formal proof as future work.

Two-Round Adaptively Secure Multiparty Computation from Standard Assumptions | Springer Nature Link

2.1 2-Round Adaptive-OT

2.2 Instantiation of Static-OT with Oblivious Sampleability

2.3 From Adaptive-OT to Adaptive-MPC

2.4 Future Work: Moving to the Single CRS Model