
If we define Oblivious Transfer as follows:

Alice inputs $(x_0,x_1) \in F^2$, where $F$ is a field, and Bob inputs $b\in\{0,1\}$, then Alice gets a dummy output (for which she knows nothing about $b$), and Bob gets $x_b$. Now if we use a Random functionality R, which requires no input but outputs random bits $(z_0,z_1)\in F^2$ to Alice and $(c,z_c)$ to Bob, where $c \in \{0,1\}$ is also a random bit.

How can I design a protocol, so that it will realize OT securely with access to R only once at the beginning of the protocol?

I am thinking that the protocol should be as follows:

First, Alice inputs $(x_0,x_1)$, then she gets $(x_0 \oplus z_0,x_1 \oplus z_1)$ as output, thus learning nothing. Now Bob gets $(c,z_c)$ and treats $c$ as his input $b$; then he can recover $x_c$ from $(x_0 \oplus z_0,x_1 \oplus z_1)$.

I don't know if it will work, or maybe I am working in the wrong direction?

Mike Edward Moras
huyichen

1 Answer

No, as written, your protocol doesn't work -- the problem is that Bob is supposed to be allowed to choose $b$; your protocol selects a random one for him.

However, it is close -- here is a modification that I believe does work:

First, suppose Alice has her values $(x_0, x_1)$, and Bob has his bit $b$.

They run their Random functionality R, and so Alice gets the values $(z_0, z_1)$, and Bob gets the values $(c, z_c)$.

Now, Bob sends Alice the bit $e$ defined as $e = b \oplus c$; Alice sends back a pair of values $(y_0, y_1)$ defined as $(y_0, y_1) = (x_0 \oplus z_e, x_1 \oplus z_{1 \oplus e})$.

Bob then computes $z_c \oplus y_b = x_b$.

I claim that Alice gets no information about the value of $b$, and that Bob gets no information about the value of $(x_{1 \oplus b})$, and thus this is a valid Oblivious Transfer function.

poncho
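The modified protocol from the answer above, written out as a simulation. This is an added example, not code from the original post; modelling elements of $F$ as 16-byte strings under XOR and all function names are assumptions made for illustration.

```python
import secrets

N = 16  # assumed element size: F is modelled as 16-byte strings under XOR

def xor(a, b):
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(p ^ q for p, q in zip(a, b))

def random_functionality(c=None):
    """R, called once up front: Alice gets (z0, z1), Bob gets (c, z_c)."""
    z = (secrets.token_bytes(N), secrets.token_bytes(N))
    if c is None:  # c can be pinned by a caller that wants to enumerate both cases
        c = secrets.randbits(1)
    return z, (c, z[c])

def bob_request(b, c):
    """Bob -> Alice: e = b XOR c. Alice never sees c, so e masks b."""
    return b ^ c

def alice_response(x, z, e):
    """Alice -> Bob: (y0, y1) = (x0 XOR z_e, x1 XOR z_{1 XOR e})."""
    return xor(x[0], z[e]), xor(x[1], z[1 ^ e])

def bob_recover(b, z_c, y):
    """Bob outputs z_c XOR y_b, which equals x_b."""
    return xor(z_c, y[b])

def run_ot(x, b, c=None):
    """One full transfer. Returns Bob's output and the transcript for inspection."""
    z, (c, z_c) = random_functionality(c)
    e = bob_request(b, c)
    y = alice_response(x, z, e)
    return bob_recover(b, z_c, y), {"c": c, "e": e, "y": y, "z": z}

def alice_view_of_e(b):
    """Every e Alice could receive for a fixed b, over both equally likely c."""
    return sorted(bob_request(b, c) for c in (0, 1))

if __name__ == "__main__":
    x = (b"constructed msg0", b"constructed msg1")  # constructed 16-byte inputs
    for b in (0, 1):
        out, t = run_ot(x, b)
        print(f"b={b} c={t['c']} e={t['e']} Bob recovers {out!r}")
```

The value Bob did not choose, $y_{1 \oplus b}$, is $x_{1 \oplus b}$ masked by $z_{1 \oplus c}$, the pad R never gave him; the set of $e$ values Alice can see is the same for $b = 0$ and $b = 1$.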