
What we need is something called oblivious transfer, and in particular,

we need what we'll call "oneoutoftwo oblivious transfer"

and what that means is Alice can create two values, X0 and X1.

Bob will obtain one of those values, but Alice doesn't learn which one Bob learned.

Bob can only obtain one of the two values but Alice doesn't know which one Bob obtained.

There are lots of different protocols that provide this.

The one I'm going to describe was invented by Even, Goldreich, and Lempel in 1985.

It builds on RSA encryption and we're going to look at it

as we need to use it in the garbled circuit protocol.

Our goal is that Alice has two wire labels; this correspond to the inputs to some gate,

and she wants to transfer one of them to Bob without revealing the other one.

We're going to use Alice's public key.

We'll assume that is known to Bob before the protocol starts.

Our goal is to transfer one of these two wire labels to Bob.

The first step is to create two random values.

These are separate from the wire labels. These are going to be transferred to Bob.

These have no meaning. They're just two random nonces created by Alice.

Depending on which wire label Bob wants, Bob has some input either zero or one.

He's going to pick either the first or the second of these. So, he is going to pick Xb.

Is it equal to either X0 or X1, depending on his value of b.

Then Bob will pick some random value r. Bob is going to use this to blind the response.

He can allow Alice to learn whether he pick X0 or X1. That would reveal his input.

What he's going to do instead is use this random value to blind the response.

He'll compute this new value, which is the value of the X that he selected

plus the random value raised to that public exponent modn.

We're going to hide the value of Xb by adding a random value raised to the e power to it.

That value is what sent back to Alice, and Alice is going to perform two different RSA decryptions.

She knows the values that she selected for X0 and X1.

She's going to subtract each of those from V.

She'll decrypt it using her private key and we'll call the first one K0,

that was the one constructed using X0, and the second one, K1,

that was the one constructed using X1.

The question is if b selected, what is it's input?

That means b has the value for Xb is equal to X1.

What are the values of K0 and K1? Select the best answer for each choice.

It could be meaningless, it could match X0, X1, or r.