The Protocol We present the protocol sequentially, though if we are concerned with minimizing the number of back-and-forth rounds we can send some of the messages in parallel with each other (and use some additional shortcuts) to achieve a 4 round protocol. - Input: A has input (a0,a1){0,1} 2 and B has input b{0,1}. - Desired Output: A should receive no output while B should receive ab{0 ,1}. 1. BA:B chooses u{0,1}n, draws (k,z)Com(u) and sends z to A. 7 2. AB: A chooses u{0,1}n and sends u to B. 3. AB:A draws (N,e,d)RSAGen() and sends (N,e) to B. 4. BA:B sends (y0,y1)ZN2 to A where y0 and y1 are prepared as follows (recall b is B's input bit): - yb is set to yb=xe for a random xZN; . y1b is set to y1b=uu where u and u are the strings used in rounds 1 and 2( indicates the bit-wise XOR of two strings; we are using that since n=log(N), any n-bit binary string can be converted to an integer modN ). 5. BA : B and A use the zero knowledge proof system with B playing as the prover and A playing as the receiver, where: Statement: The statement which is used as common input to both players is (z,u,y0,y1)L5. BA:B and A use the zero knowledge proof system with B playing as the prover and A playing as the receiver, where: - Statement: The statement which is used as common input to both players is (z,u,y0,y1)L where membership in L holds if there exists (k,u,i) such that Decom(z,k)=u and yi=uu -Witness: B uses (k,u,1b) as his witness, where k is the decommitment string from the first round, u is the committed value in the first round and b{0,1} is B's input bit. If A rejects B's proof then A aborts the protocol; otherwise A continues. 6. AB:A computes (x0,x1)ZN by setting xi=yid for i=0,1 where d is the secret RSA exponent generated in round 3. Additionally, A draws r0,r1{0,1}n and sends (r0,r1,w0,w1) to B where wi=xi,riai{0,1} for i=0,1. - Output: B outputs the bit wbx,rb{0,1}. Intuition. In order to understand the protocol, first imagine that the protocol consists only of rounds 3,4,6 and in round 4 , B chooses yb as stated above, but draws y1bZN. This simpler protocol will satisfy correctness (since B will output ab ), and it will be secure against a corrupt A (since the only information sent by B is (y0,y1) and both yi are simply random elements of ZN ). However, security against B is problematic since B could choose x0,x1ZN and set yi=xie for i=0,1 and then would be able to learn both of A's bits (a0,a1). So the role of the extra rounds is essentially to boost security against B. So to summarize, the simpler scheme is secure as long as B generates (y0,y1) as he is supposed to (i.e., if yb=xe for random xZN and y1bZN ), but fails if B is able to deviate. At a high level, the function of the extra rounds is to ensure that one of the two yi is random in ZN. This works by running a type of "coin flipping" procedure in rounds 1 and 2 , and then using the ZK proof in round 5 to prove that one of the yi is equal to the output of this procedure (B proves th.

1. The Protocol We present the protocol sequentially, though if we are concerned with minimizing the
number of back-and-forth rounds we can send some of the messages in parallel with each other
(and use some additional shortcuts) to achieve a 4 round protocol. - Input: A has input (a0,a1){0,1}
2 and B has input b{0,1}. - Desired Output: A should receive no output while B should receive ab{0
,1}. 1. BA:B chooses u{0,1}n, draws (k,z)Com(u) and sends z to A. 7 2. AB: A chooses u{0,1}n and
sends u to B. 3. AB:A draws (N,e,d)RSAGen() and sends (N,e) to B. 4. BA:B sends (y0,y1)ZN2 to
A where y0 and y1 are prepared as follows (recall b is B's input bit): - yb is set to yb=xe for a
random xZN; . y1b is set to y1b=uu where u and u are the strings used in rounds 1 and 2(
indicates the bit-wise XOR of two strings; we are using that since n=log(N), any n-bit binary string
can be converted to an integer modN ). 5. BA : B and A use the zero knowledge proof system with
B playing as the prover and A playing as the receiver, where: Statement: The statement which is
used as common input to both players is (z,u,y0,y1)L5. BA:B and A use the zero knowledge proof
system with B playing as the prover and A playing as the receiver, where: - Statement: The
statement which is used as common input to both players is (z,u,y0,y1)L where membership in L
holds if there exists (k,u,i) such that Decom(z,k)=u and yi=uu -Witness: B uses (k,u,1b) as his
witness, where k is the decommitment string from the first round, u is the committed value in the
first round and b{0,1} is B's input bit. If A rejects B's proof then A aborts the protocol; otherwise A
continues. 6. AB:A computes (x0,x1)ZN by setting xi=yid for i=0,1 where d is the secret RSA
exponent generated in round 3. Additionally, A draws r0,r1{0,1}n and sends (r0,r1,w0,w1) to B
where wi=xi,riai{0,1} for i=0,1. - Output: B outputs the bit wbx,rb{0,1}. Intuition. In order to
understand the protocol, first imagine that the protocol consists only of rounds 3,4,6 and in round 4
, B chooses yb as stated above, but draws y1bZN. This simpler protocol will satisfy correctness
(since B will output ab ), and it will be secure against a corrupt A (since the only information sent
by B is (y0,y1) and both yi are simply random elements of ZN ). However, security against B is
problematic since B could choose x0,x1ZN and set yi=xie for i=0,1 and then would be able to learn
both of A's bits (a0,a1). So the role of the extra rounds is essentially to boost security against B.
So to summarize, the simpler scheme is secure as long as B generates (y0,y1) as he is supposed
to (i.e., if yb=xe for random xZN and y1bZN ), but fails if B is able to deviate. At a high level, the
function of the extra rounds is to ensure that one of the two yi is random in ZN. This works by
running a type of "coin flipping" procedure in rounds 1 and 2 , and then using the ZK proof in round
5 to prove that one of the yi is equal to the output of this procedure (B proves that y1b=uu ). So the
security of the overall OT protocol against B will follow from 1) the fact that the output of the coin-
flipping procedure is random; 2) the soundness of the ZK proof system to force B to send y1b
which is equal to the output of the coin-flipping procedure; 3) the fact that the simplified scheme is
secure as long as B sends a random y1b.Intuition. In order to understand the protocol, first
imagine that the protocol consists only of rounds 3,4,6 and in round 4 , B chooses yb as stated
above, but draws y1bZN. This simpler protocol will satisfy correctness (since B will output ab ),
and it will be secure against a corrupt A (since the only information sent by B is (y0,y1) and both yi
are simply random elements of ZN ). However, security against B is problematic since B could
choose x0,x1ZN and set yi=xie for i=0,1 and then would be able to learn both of A's bits (a0,a1).
So the role of the extra rounds is essentially to boost security against B. So to summarize, the
simpler scheme is secure as long as B generates (y0,y1) as he is supposed to (i.e., if yb=xe for

2. random xZN and y1bZN ), but fails if B is able to deviate. At a high level, the function of the extra
rounds is to ensure that one of the two yi is random in ZN. This works by running a type of "coin
flipping" procedure in rounds 1 and 2 , and then using the ZK proof in round 5 to prove that one of
the yi is equal to the output of this procedure (B proves that y1b=uu ). So the security of the overall
OT protocol against B will follow from 1 ) the fact that the output of the coin-flipping procedure is
random; 2) the soundness of the ZK proof system to force B to send y1b which is equal to the
output of the coin-flipping procedure; 3) the fact that the simplified scheme is secure as long as B
sends a random y1b. 8 Finally, let's look more closely at the coin-flipping scheme in rounds 1 and
2 . They are very simple; in round 1, B sends a commitment to a random string u{0,1}n and in
round 2, A sends a random u{0,1}n, and the "output" of the coin-flipping procedure is set to uu{0,1}
n. Notice two things. 1. B commits himself to u in round 1, before A selects her random string.
Therefore, as far as B is concerned, the output string uu is random due to the randomness of u{0,1
}n. 2. A cannot learn any information about u from the commitment she receives in round 1 .
Therefore, she too sends her random string u before knowing anything about B's random string u,
and so as far as A is concerned, the output string uu is random.- Choose a random u{0,1}n and (z,
k)Com(u) and send z to A. - On receiving u{0,1}n and (N,e) from A, choose y0,y1ZN at random
and send (y0,y1) to A. - Run the ZK simulator ZK.SIM on input (z,u,y0,y1) and obtain a ZK
transcript T. - Finally, on receiving A 's final message (r0,r1,w0,w1), output the entire transcript T=(
z,u,N,e,y0,y1,T,r0,r1,w0,w1). The OTA Game. Given a corrupt A, the OTA game is played
between a challenger C and adversary A as follows. - A begins by sending an input bit b{0,1} for B
to C. - C chooses a bit c{0,1} and then generates a protocol transcript T as follows: - if c=0,C
obtains T by running the protocol between A and an honest B who uses input b;- if c=1,C obtains
T by running SIM. C sends the transcript T to A. - A sends a bit c{0,1} to C signaling the end of the
game. A wins if c=c. Problem 10. Prove that the OT protocol is secure against A by completing the
following outline to show that no efficient adversary can win the OTA game with probability 1/2+
for non-negligible >0. (a) (nothing for you to prove here) Notice that there are three differences
between the transcript generated by an honest protocol execution and a transcript generated by
SIM: (a) the value yb=xe for a random xZN in the honest transcript while in SIM ybZN is drawn
randomly; (b) the value y1b=uu in the honest transcript while in SIM y1bZN is drawn randomly; (c)
the ZK proof is completed by honest B using witness (k,u,1b) in the honest transcript, while in SIM,
the proof is simulated. Let us shorthand these differences as writing 1) yb=xe versus yb$;2)y1b=u
u vs y1b$; and 3) T honest vs T ZK.SIM. Define Pi for i=0,1,2,3 as: - P0:=Pr[c=0yb=xe&y1b=uu&T
honest ] - P1:=Pr[c=0yb( mathrm{P}_{1}:=operatorname{Pr}left[c^{prime}=0 mid y_{b} sim $ &
y_{1-b}=u oplus u^{prime} & Tright. )amp;y1b=uu&T honest ] - P2:=Pr[c=0yb(
mathrm{P}_{2}:=operatorname{Pr}left[c^{prime}=0 mid y_{b} sim $ & y_{1-b}=u oplus u^{prime} &
T simright. )amp;y1b=uu&T ZK.SIM ] - P3:=Pr[c=0yb(
mathrm{P}_{3}:=operatorname{Pr}left[c^{prime}=0 mid y_{b} sim $ & y_{1-b} sim $ & T simright.
)amp;y1b( mathrm{P}_{3}:=operatorname{Pr}left[c^{prime}=0 mid y_{b} sim $ & y_{1-b} sim $ & T
simright. )amp;T ZK.SIM ]. Note that Pr[A wins ]=21+21(P0P3). As usual, we will complete the
proof by showing that the differences (P0P1),(P1P2) and (P2P3) are all negligible. (b) Show that (
P0P1)=0. (c) Show that (P1P2) is negligible by appealing to the ZK security of the proof system.
(d) Show that (P2P3) is negligible by appealing to the hiding of the commitment scheme.