Questions: Oblivious Transfer

This separation result is fundamental: OT (and therefore general MPC without honest majority) requires strictly stronger assumptions than private-key cryptography. One-way functions suffice for encryption, MACs, signatures, and ZK proofs, but OT needs something like CDH, RSA, or LWE. This is the theoretical boundary between what symmetric and public-key cryptography can achieve.

Completeness means OT is sufficient for all of secure computation, not that it replaces all crypto primitives. Kilian's result shows: given access to OT, the parties can securely compute any function. The garbler sends the garbled circuit; the evaluator obtains their input labels via OT (one OT per input bit). This requires no additional cryptographic assumptions beyond what OT provides. Other primitives (encryption, signatures) serve different purposes and are not subsumed.

OT extension is one of the most important practical optimizations in MPC. The base OTs (128 or 256, matching the security parameter) use expensive public-key crypto, but this cost is amortized over millions of extended OTs. The extension protocol uses a matrix transposition trick: the receiver sends a matrix of bits, and the sender uses the base OT keys to 'switch' rows, generating correlated random OT pairs. The cost drops from one RSA/ECC operation per OT to one hash evaluation per OT.

Answer: True

This is the receiver's privacy guarantee and must hold against a malicious sender. In Naor-Pinkas OT (based on DDH), the receiver sends a specially constructed message that information-theoretically hides b — the sender cannot determine which of the two messages the receiver will be able to decrypt, regardless of the sender's computational power. The sender's privacy (receiver learns only m_b) holds computationally against a malicious receiver.

The preprocessing model separates expensive cryptographic operations (done offline when inputs are unknown) from lightweight operations (done online with actual inputs). Random OTs are input-independent and can be stockpiled. When the real computation begins, converting them to chosen-message OTs requires only XOR operations — essentially free. This amortization strategy is fundamental to achieving practical MPC performance.