I was studying a protocol that used an OT and suddenly I realized that I fail to imagine how a protocol using an OT could be maliciously secure.
Suppose we have a protocol P that uses an OT as a subprotocol. Suppose that the OT is used $N$ times. Each OT has inputs $x_{0,i}$, $x_{1,i}$, where $i$ denotes the $i$-th instance of the OT, from 1 to $N$. It is reasonable to suppose that, for every instance, the receiver chooses bit $0$ or $1$ according to its input (this is for example the case of Yao's protocol, where for each gate the receiver asks for 0 if its input is 0 and for 1 otherwise).
Now suppose that the sender in the OT is malicious and decides, a priori, to replace $x_{0,N}$ with something else. It could be a random value, the value $x_{1,N}$ or whatever. We have three possibilities:
- The protocol aborts. Then the sender knows that during the last OT the receiver asked for 0.
- The protocol does not abort and the input is indeed correct. The sender now knows that during the last OT the receiver asked for 1.
- The protocol does not abort, the input is wrong and the parties are able to detect it. The sender now knows that during the last OT the receiver asked for 0.
- The protocol does not abort, the input is wrong but the parties are not able to detect it. Then the sender can arbitrarily make the protocol output values different from the prescribed one.
If the behaviour is one among the first three, the sender can change every OT in this way and has probability $\frac{1}{2^N}$ of learning all the requests without being detected, which, since $N$ is a fixed parameter, is not negligible (even more so if $N$ is small). In the other cases the receiver learns that the sender is malicious, but this does not prevent the receiver from learning something.
If the behaviour is the last one, I fail to understand how such a protocol could be considered "secure", since it is very easy for an attacker to perform a "DoS" attack, where every output is meaningless.
In the case of Yao's protocol, suppose that the sender sets the last OT to $X_{0,N}, X_{0,N}$. How can we prevent that? If the protocol "goes wrong", then the sender knows that the last bit of Bob is 0. That is huge, no?
And I'm not considering the symmetric case: what happens if the receiver, instead of asking according to the rule, asks randomly? As far as I can understand, this behaviour is not considered during the security proof; am I wrong?
Am I missing something? Are these considerations out of scope and do we allow this kind of behaviour? Or do we maybe assume that the sender always sets $x_0$ and $x_1$ in the right way?
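As an added toy simulation (not part of the question), the following models the selective-failure leak described above and the standard countermeasure for it, the XOR-tree encoding of the receiver's input bits (Lindell and Pinkas, EUROCRYPT 2007). The OT is abstracted as an ideal lookup, a corrupted $x_{0,i}$ is modelled as a label that cannot be decrypted, and `BAD`, `ot`, `selective_failure`, `xor_tree_shares` and `probe_one_share` are names chosen here, not from any real library.

```python
import secrets
from functools import reduce
from operator import xor

BAD = None  # models a garbled-circuit label that fails to decrypt anything

def ot(x0, x1, choice):
    """Ideal 1-out-of-2 OT: the receiver gets x_choice and the sender learns
    nothing from the OT itself. Any leakage comes from what happens next."""
    return x1 if choice else x0

def selective_failure(receiver_bits):
    """Malicious sender corrupts x_0 in every one of the N OTs. The honest
    receiver aborts as soon as a received label is unusable, and the sender
    reads each choice bit off the abort/no-abort signal.
    Returns (detected, bits_learned); undetected iff all bits are 1, i.e.
    with probability 2^-N, in which case every choice bit has leaked."""
    learned, detected = [], False
    for b in receiver_bits:
        got = ot(BAD, ("label", 1), b)
        if got is BAD:
            detected = True    # receiver cannot continue and aborts ...
            learned.append(0)  # ... which tells the sender that b == 0
            break
        learned.append(1)      # no abort on this OT: b == 1
    return detected, learned

def xor_tree_shares(b, s):
    """Receiver encodes its real input bit b as s random shares whose XOR is
    b and runs one OT per share, so no single OT carries b itself."""
    shares = [secrets.randbelow(2) for _ in range(s - 1)]
    shares.append(reduce(xor, shares, b))  # last share fixes the XOR to b
    return shares

def probe_one_share(b, s, j=0):
    """Sender corrupts x_0 of the j-th share OT only. The abort signal now
    reveals share r_j, which is uniform and independent of b: learning it
    tells the sender nothing about the real input. Corrupting all s share
    OTs instead is detected except with probability 2^-s, where s is a
    statistical security parameter the receiver picks, not the circuit size N."""
    shares = xor_tree_shares(b, s)
    aborted = ot(BAD, ("label", 1), shares[j]) is BAD
    return 0 if aborted else 1  # equals shares[j], not b
```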