4.3 Oblivious Transfer for Semi-Honest Adversaries
In this section, we consider a standard two-party functionality, where both parties have private
inputs and wish to compute an output. We will show how to securely compute the bit obli v iou s
transfer functionality, defined by f((b
0
, b
1
), σ) = (λ, b
σ
), where b
0
, b
1
, σ ∈ {0, 1} [35, 16]. Stated i n
words, P
1
has a pair of input bits (b
0
, b
1
) and P
2
has a choice bit σ. The function is such that P
1
receives no output (denoted by the empty string λ), and in particular learns nothing about σ. In
contrast , P
2
receives the bit of its choice b
σ
and learns n ot hi n g about the other bit b
1−σ
. This is
called “oblivious transfer” since the first party has two in pu t s and sends exactly one of the inputs
to the receiver, according to the receiver’s choice, without knowing which is sent . We present the
protocol of [16] in Protocol 4.2, which relies on enhanced trapdoor permutations .
Background – enhanced trapdoor permutations [18, Appendi x C.1]. Informally, a family
of trapdoor permutation s is a family of bijective functions with the property that randomly-sampled
functions are hard to invert on randomly sampled values (in its range). However , there exists a
trapdoor so that given the trapdoor, the function can be efficiently inverted. Enhanced trapdoor
permutation have the additional property that it is possible to sample values from the range , so
that it is hard to invert t he function on these values e ven when given the coins used for sampling.
Formally, a collection of trapdoor permutations i s a collection of function s {f
α
}
α
accompanied by
four pr obab il i st i c -polynomial t i me algorithms I, S, F, F
−1
such that:
1. I(1
n
) selects a random n-bit index α of a permut at i on f
α
along with a corresponding trap-
door τ. De not e by I
1
(1
n
) the α-part of the output.
2. S(α) samples an (al mos t unifor m) element in the domain (equivalently, the range) of f
α
. We
denote by S(α; r) the output of S(α) with random tape r; for simplicity we assume that
r ∈ {0, 1}
n
.
3. F (α, x) = f
α
(x), for α in the range of I
1
and x in the range of S(α).
4. F
−1
(τ, y) = f
−1
α
(y) for y in the range of f
α
and (α, τ) in the range of I.
Then, the family is a collection of enhanced trapdoor permutations if for every non-uniform probabilistic-
polynomial time adversary A there exists a negligible func ti on µ such that for every n,
Pr
'
A(1
n
, α, r) = f
−1
α
(S(α; r))
(
≤ µ(n)
where α ← I
1
(1
n
) and r ∈
R
{0, 1}
n
is random. Ob se rve that given α and r, A can compute
y = S(α; r). Thus, A’s task is to invert y, when it is also given the random coins used by S to
sample y. See [18, Appendi x C.1] for more discussion on the definition and for constructions of
enhanced trapdoor permut at ion s.
We wi l l also refer to a hard-core predicate B of a family of enhanced trapdoor permutations
[17, Section 2.5]. We say that B is a hard-core predicate of (I, S, F, F
−1
) if for every non- un if or m
probabilistic-polynomial time adversary A there exists a negligible function µ such that for every n,
Pr
'
A(1
n
, α, r) = B
#
α, f
−1
α
(S(α; r))
$(
≤
1
2
+ µ(n).
10