The Protocol

We present the protocol sequentially, though if we are concerned with minimizing the number of back-and-forth rounds we can send some of the messages in parallel with each other (and use some additional shortcuts) to achieve a 4-round protocol.

- Input: $A$ has input $(a_0,a_1) \in \{0,1\}^2$ and $B$ has input $b \in \{0,1\}$.
- Desired Output: $A$ should receive no output, while $B$ should receive $a_b \in \{0,1\}$.

1. $B \to A$: $B$ chooses $u \in \{0,1\}^n$, draws $(k,z) \leftarrow \mathrm{Com}(u)$ and sends $z$ to $A$.
2. $A \to B$: $A$ chooses $u' \in \{0,1\}^n$ and sends $u'$ to $B$.
3. $A \to B$: $A$ draws $(N,e,d) \leftarrow \mathrm{RSAGen}()$ and sends $(N,e)$ to $B$.
4. $B \to A$: $B$ sends $(y_0,y_1) \in \mathbb{Z}_N^2$ to $A$, where $y_0$ and $y_1$ are prepared as follows (recall $b$ is $B$'s input bit):
   - $y_b$ is set to $y_b = x^e$ for a random $x \in \mathbb{Z}_N$;
   - $y_{1-b}$ is set to $y_{1-b} = u \oplus u'$, where $u$ and $u'$ are the strings used in rounds 1 and 2 ($\oplus$ denotes the bit-wise XOR of two strings; we are using that since $n = \log(N)$, any $n$-bit binary string can be converted to an integer mod $N$).
5. $B \to A$: $B$ and $A$ run the zero knowledge proof system with $B$ playing the prover and $A$ playing the verifier, where:
   - Statement: the common input to both players is $(z,u',y_0,y_1) \in L$, where membership in $L$ holds if there exists $(k,u,i)$ such that $\mathrm{Decom}(z,k) = u$ and $y_i = u \oplus u'$.
   - Witness: $B$ uses $(k,u,1-b)$ as his witness, where $k$ is the decommitment string from the first round, $u$ is the value committed to in the first round and $b \in \{0,1\}$ is $B$'s input bit.
   If $A$ rejects $B$'s proof then $A$ aborts the protocol; otherwise $A$ continues.
6. $A \to B$: $A$ computes $x_0, x_1 \in \mathbb{Z}_N$ by setting $x_i = y_i^d$ for $i = 0,1$, where $d$ is the secret RSA exponent generated in round 3. Additionally, $A$ draws $r_0,r_1 \in \{0,1\}^n$ and sends $(r_0,r_1,w_0,w_1)$ to $B$, where $w_i = \langle x_i, r_i \rangle \oplus a_i \in \{0,1\}$ for $i = 0,1$.

- Output: $B$ outputs the bit $w_b \oplus \langle x, r_b \rangle \in \{0,1\}$.

Intuition.
In order to understand the protocol, first imagine that the protocol consists only of rounds 3, 4 and 6, and that in round 4 $B$ chooses $y_b$ as stated above but draws $y_{1-b} \leftarrow \mathbb{Z}_N$. This simpler protocol will satisfy correctness (since $B$ will output $a_b$), and it will be secure against a corrupt $A$ (since the only information sent by $B$ is $(y_0,y_1)$, and both $y_i$ are simply random elements of $\mathbb{Z}_N$). However, security against $B$ is problematic, since $B$ could choose $x_0,x_1 \in \mathbb{Z}_N$ and set $y_i = x_i^e$ for $i = 0,1$, and would then be able to learn both of $A$'s bits $(a_0,a_1)$. So the role of the extra rounds is essentially to boost security against $B$. To summarize, the simpler scheme is secure as long as $B$ generates $(y_0,y_1)$ as he is supposed to (i.e., if $y_b = x^e$ for random $x \in \mathbb{Z}_N$ and $y_{1-b} \leftarrow \mathbb{Z}_N$), but fails if $B$ is able to deviate. At a high level, the function of the extra rounds is to ensure that one of the two $y_i$ is random in $\mathbb{Z}_N$. This works by running a type of "coin flipping" procedure in rounds 1 and 2, and then using the ZK proof in round 5 to prove that one of the $y_i$ is equal to the output of this procedure ($B$ proves th.
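As an added illustration (not part of the notes), the following Python walk-through runs rounds 1 to 6 end to end and shows where the round-5 check blocks a $B$ who deviates in round 4. It assumes toy RSA parameters ($N = 61 \cdot 53$, far too small to be secure), a hash commitment standing in for $\mathrm{Com}/\mathrm{Decom}$, and $A$ checking the witness $(k,u,1-b)$ directly in place of the zero knowledge proof; all three are simplifications of this example, not the notes' own construction.

```python
import hashlib
import random

# Toy RSA parameters (constructed; insecure sizes chosen for readability).
P, Q, E = 61, 53, 17
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # secret exponent d, known only to A
n = N.bit_length()                   # n = log(N): {0,1}^n strings map to ints mod N

def com(u, rng):
    """Com(u): hash commitment (assumption). Returns (k, z); k opens z to u."""
    r = rng.getrandbits(128)
    z = hashlib.sha256(f"{r}|{u}".encode()).hexdigest()
    return (r, u), z

def decom(z, k):
    """Decom(z, k): the committed u if k opens z, else None."""
    r, u = k
    return u if hashlib.sha256(f"{r}|{u}".encode()).hexdigest() == z else None

def hc(x, r):
    """Hardcore bit <x, r>: inner product of the bit strings of x and r, mod 2."""
    return bin(x & r).count("1") % 2

def in_L(z, u_prime, y, k, u, i):
    """A's side of round 5: (z,u',y0,y1) in L with witness (k,u,i), i.e.
    Decom(z,k) = u and y_i = u xor u'. In the real protocol B proves this in
    zero knowledge; here A sees the witness directly (toy simplification)."""
    return decom(z, k) == u and y[i] == (u ^ u_prime) % N

def ot(a0, a1, b, seed=0, honest_b=True):
    """1-out-of-2 OT: A holds (a0, a1), B holds b; returns B's output or None on abort."""
    rng = random.Random(seed)
    u = rng.getrandbits(n); k, z = com(u, rng)        # round 1: B commits to u
    u_prime = rng.getrandbits(n)                      # round 2: A sends u'
    x = rng.randrange(1, N)                           # round 4: B builds (y0, y1)
    y = [0, 0]
    y[b] = pow(x, E, N)
    # A deviating B replaces u xor u' by a second RSA image he can invert (see Intuition).
    y[1 - b] = (u ^ u_prime) % N if honest_b else pow(rng.randrange(1, N), E, N)
    if not in_L(z, u_prime, y, k, u, 1 - b):          # round 5: A verifies, else aborts
        return None
    xs = [pow(yi, D, N) for yi in y]                  # round 6: A inverts both y_i
    r = [rng.getrandbits(n), rng.getrandbits(n)]
    w = [hc(xs[i], r[i]) ^ ai for i, ai in enumerate((a0, a1))]
    return w[b] ^ hc(x, r[b])                         # output: B unmasks only w_b
```

Running `ot(a0, a1, b, seed)` for every input triple returns `a_b`, while `honest_b=False` makes $A$ abort in round 5 because neither $y_i$ opens to $u \oplus u'$.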