Prove that any two rounds of (1,2)-oblivious transfer, that is semi honestly secure, imply public key encryption.
My ideas so far:
Let's say Alice samples two $n$ random strings $(x_1, x_2)$, and Bob will ask for $x_i$ using the given OT.
Now, wlog, we'll deal with 1 bit encryptions.
The main idea I had, is that Bob will send a random string $s$ when he asks for the string $i$ with the given OT. Then, Alice will always answer with $pk=(x_i, r)$ (the inner product). According to the Goldreich-Levin theorem, guessing $x_i$ based on the inner product is only with negligible advantage over 1/2. In such case, everyone can encrypt using $E_{pk}(m, r)=r, pk \oplus m$, and only Alice can decrypt cause she knows both $x_i$. However, how could she tell which $x_i$ has been used?
I'm not sure if this is indeed PKE, cause there may be many PKs, which looks weird at first. Moreover I didn't actually use the OT-ness, and the fact OT is two rounds, which may be related.
Secondly, I think that making some secret key agreement between Alice an Bob will suffice to build PKE, but I'm not sure either how to build it from OT.
So the real problem is how the public key should be generated, and that's my problem. Please help me to prove this theorem.
