Oblivious transfers and intersecting codes

Assume A owns t secret k-bit strings. She is willing to disclose one of them to B, at his choosing, provided he does not learn anything about the other strings. Conversely, a does not want A to learn which secret he chose to learn. A protocol for the above task is said to implement One-out-of-t String Oblivious Transfer, denoted ((t)(1))-OT2k. This primitive is particularly useful in a variety of cryptographic settings. An apparently simpler task corresponds to the case k = 1 and t = 2 of two 1-bit secrets: this is known as One-out-of-two Bit Oblivious Transfer, denoted ((2)(1))-OT2. We address the question of implementing ((t)(1))-OT2k assuming the existence of a ((2)(1))-OT2. In particular, we prove that unconditionally secure ((2)(1))-OT2k can be implemented from Theta(k) calls to ((2)(1))-OT2. This is optimal up to a small multiplicative constant. Our solution is based on the notion of self-intersecting codes. Of independent interest, we give several efficient new constructions for such codes. Another contribution of this paper is a set of information-theoretic definitions for correctness and privacy of unconditionally secure oblivious transfer.