As we know, oblivious transfer is done with a probability of 1 out of 2. But how can it be implemented with a probability of 1 out of 3 or 1 out of 4?
1 Answer
I'll try to answer both your original question, and your question in the comment section.
The original definition of oblivious transfer is the following: a sender holds a message $m$ and interacts with the receiver. The receiver gets to know $m$ with probability $1/2$, without the sender being able to know whether the receiver learned $m$ or not. I'll call it "Rabin OT" to distinguish it from the other definition.
Nowadays, the definition of oblivious transfer which is universally used is the following: The sender S holds two messages $m_0$ and $m_1$. The receiver holds a selection bit $b \in \{0,1\}$. At the end of the oblivious transfer, the receiver learns $m_b$ (and does not learn anything about $m_{1-b}$) and the sender learns nothing (and in particular nothing about $b$).
This "classical" oblivious transfer easily allows one to implement the Rabin OT: the sender holds $m$, picks a bit $x$ at random and sets $m_x \gets m$ and $m_{1-x} \gets r$ for a uniformly random value $r$. The receiver picks his selection bit $b$ at random. Then they perform a classical oblivious transfer; with probability $1/2$, the receiver learns $m$, else he learns a random $r$ (hence nothing). More generally, if you have a $1$-out-of-$N$ OT (where the sender holds $m_1, \cdots, m_N$ and the receiver an integer $i$ between $1$ and $N$ and gets to learn $m_i$), you can easily implement a Rabin OT with probability $1/N$.
Now, there are several ways to answer your question. If you are asking whether $1$-out-of-$2$ oblivious transfer can be used to implement other kinds of oblivious transfers, the answer is yes, as $1$-out-of-$2$ oblivious transfer can be used to implement any kind of two-party functionalities (more formally, it implies general two-party computation, in the honest-but-curious model - but that's just to be a bit formal in my statement). But in practice, you will probably not want to construct a $1$-out-of-$3$ oblivious transfer directly by calling "in black box" a $1$-out-of-$2$ oblivious transfer.
However, most known constructions of $1$-out-of-$2$ OTs do easily extend to $1$-out-of-$N$ OTs (see for example "Efficient Oblivious Transfer Protocols" by Naor and Pinkas).
Here is an example of such a protocol (taken from the article of Naor and Pinkas):
We fix a group $\mathbb{G}$ in which the DDH problem is hard. Let $g$ be a generator of $\mathbb{G}$. We also have access to a hash function $H()$ which is seen as a random oracle.
The sender has an input $M_0, \cdots, M_{N-1}$. He picks random group elements $C_1, \cdots, C_{N-1}$, a random exponent $r$, and computes $g^r$. He sends $C_1, \cdots, C_{N-1}, g^r$ to the receiver.
The receiver has a selection integer $j \in \{0, \cdots, N-1\}$; he picks a random exponent $k$ and sets pk$_j \gets g^k$. If $k \neq 0$, the receiver also computes pk$_0 \gets C_j/\text{pk}_j$. He sends pk$_0$ to the sender.
The sender computes $\text{pk}_0^r$ and for $i=1$ to $N-1$, $\text{pk}_i^r = C_i^r/\text{pk}_0^r$. Then, he picks a random $R$ and sends for all $i$ the value $E_i \gets H(\text{pk}_i^r,R,i) \oplus M_i$ ($\oplus$ is the xor) to the receiver, together with $R$.
As he knows $k$, the receiver can compute $(g^r)^k = \text{pk}_j^r$, hence he can compute $H(\text{pk}_j^r,R,j)$ by himself, and therefore recover $M_j$. One can show that if $H()$ acts as a random oracle and the DDH assumption holds, he cannot learn anything else on the other inputs of the sender.
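The three rounds described in the answer above, as an added Python example that is not part of the original answer or of the Naor and Pinkas paper. Assumptions: a toy safe-prime group (P = 2039, Q = 1019, G = 4) that is far too small for real use, SHAKE-256 standing in for the random oracle $H()$, equal-length messages, and the pk$_0 \gets C_j/\text{pk}_j$ step applied when $j \neq 0$ as in the Naor and Pinkas paper. The subgroup check on pk$_0$ is an addition a deployment would want; the function names are illustrative.

```python
import hashlib, secrets

# Toy parameters (assumption, far too small for real use): safe prime P = 2Q + 1,
# G generates the subgroup of prime order Q.
P, Q, G = 2039, 1019, 4
NBYTES = (P.bit_length() + 7) // 8

def H(key, R, i, n):
    """Random-oracle stand-in: n pad bytes derived from (pk_i^r, R, i)."""
    data = key.to_bytes(NBYTES, "big") + R + i.to_bytes(4, "big")
    return hashlib.shake_256(data).digest(n)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def rand_exp():
    return secrets.randbelow(Q - 1) + 1          # exponent in [1, Q-1]

def sender_setup(n):
    """Round 1: random C_1..C_{N-1} and g^r. C[0] is an unused placeholder."""
    C = [None] + [pow(G, rand_exp(), P) for _ in range(n - 1)]
    r = rand_exp()
    return C, r, pow(G, r, P)

def receiver_choose(j, C):
    """Round 2: pk_j = g^k; only pk_0 is sent, so j stays hidden."""
    k = rand_exp()
    pk_j = pow(G, k, P)
    pk0 = pk_j if j == 0 else C[j] * pow(pk_j, -1, P) % P
    return k, pk0

def sender_encrypt(msgs, C, r, pk0):
    """Round 3: E_i = H(pk_i^r, R, i) xor M_i, with pk_i^r = C_i^r / pk_0^r."""
    if not 1 <= pk0 < P or pow(pk0, Q, P) != 1:
        raise ValueError("pk_0 is not in the order-Q subgroup")
    R = secrets.token_bytes(16)
    pk0_r = pow(pk0, r, P)
    inv = pow(pk0_r, -1, P)
    keys = [pk0_r] + [pow(C[i], r, P) * inv % P for i in range(1, len(msgs))]
    return [xor(H(keys[i], R, i, len(m)), m) for i, m in enumerate(msgs)], R

def receiver_decrypt(j, k, g_r, E, R):
    """(g^r)^k = pk_j^r is the only key the receiver can derive."""
    return xor(H(pow(g_r, k, P), R, j, len(E[j])), E[j])

def run_ot(msgs, j):
    C, r, g_r = sender_setup(len(msgs))
    k, pk0 = receiver_choose(j, C)
    E, R = sender_encrypt(msgs, C, r, pk0)
    return receiver_decrypt(j, k, g_r, E, R)
```

`run_ot` drives both parties in one process only to show the message flow; in a real exchange `r` never leaves the sender and `k` never leaves the receiver.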