On unconditionally secure distributed oblivious transfer

This paper is about the oblivious transfer in the distributed model proposed by Naor and Pinkas. In this setting a Sender has n secrets and a Receiver is interested in one of them. During a set-up phase, the Sender gives information about the secrets to m Servers. Afterwards, in a recovering phase, the Receiver can compute the secret she wishes by interacting with any k of them. More precisely, from the answers received she computes the secret in which she is interested but she gets no information on the others and, at the same time, any coalition of k - 1 Servers can neither compute any secret nor figure out which one the Receiver has recovered. We present an analysis and new results holding for this model: lower bounds on the resources required to implement such a scheme (i.e., randomness, memory storage, communication complexity); some impossibility results for one-round distributed oblivious transfer protocols; two polynomial-based constructions implementing 1-out-of-n distributed oblivious transfer, which generalize and strengthen the two constructions for 1-out-of-2 given by Naor and Pinkas; as well as new one-round and two-round distributed oblivious transfer protocols, both for threshold and general access structures on the set of Servers, which are optimal with respect to some of the given bounds. Most of these constructions are basically combinatorial in nature.