# Oblivious Transfer (OT) and OT Extensions

This page implements several base oblivious transfer (OT) schemes and OT extensions which are needed when performing a large number of oblivious transfers.

## Semi-Honest Base OT Syntax and Semantics

Semi-Honest Alice ($\mathbb{A}$) has two single-bit messages $m_0$ and $m_1$. Semi-Honest Bob ($\mathbb{B}$) has a single bit choice bit $b$. Alice wants to send one -- and only one -- of her two messages to Bob. Bob, depending upon his choice bit $b$, wants to access $m_b$ but does not want Alice to know which message he picked. This interaction is summarized in the following diagram:

<img id="basic-ot" src="./Diagrams/BasicOT.svg" style="margin-left:auto; margin-right:auto"/>


The correctness requirements for an OT protocol are obvious: If Bob's choice bit is $b$, then $\forall m_0, m_i \in \{0,1\}$, with high probability Bob should receive $m_b$. 

**Notation**


> * Alice's view (transcript) while interacting with Bob is denoted as $$\langle\mathbb{A}, \mathbb{B}\rangle(m_0, m_1, b;\; r_{\mathbb{A}})$$ where $r_{\mathbb{A}}$ is Alice's private randomness during protocol execution.
> * Similarly Bob's view while interacting with Alice is denoted as $$\langle\mathbb{B}, \mathbb{A}\rangle(m_0, m_1, b;\; r_{\mathbb{B}})$$ where $r_{\mathbb{B}}$ is Bob's private randomness during protocol execution.

The privacy requirements for Alice and Bob are summarized below:

##### Privacy Requirements 

1. **Alice's Privacy**: Let Bob's choice bit be $b$ and let $\mathcal{D}$ be a polynomial time distinguisher that a corrupt Bob is trying to use to glean extra information about $m_{1-b}$ from its message transcript $$\tau := \langle \mathbb{B}, \mathbb{A}\rangle(m_1, m_2, b;\;r_\mathbb{B})$$ An OT scheme preserves Alice's privacy if, given $\tau$, the probability that $\mathcal{D}$ can distinguish $m_{1-b}$ from $1$ (or $0$) with probability significantly greater than $\frac{1}{2}$ is negligible, i.e.,  $$\forall \mathcal{D} \in \text{p.p.t}:\;\mathbf{Pr}\left[\mathcal{D}(b, m_b, \tau) = 1\right] < \frac{1}{2} + \textsf{negl}$$ where the probability is taken over the random choices made by $\mathcal{D}$.
2. **Bob's Privacy**: Let $\mathcal{D}'$ be a polynomial time distinguisher that a corrupt Alice is trying to use to find information about $b$ from its message transcript $$\tau' := \langle \mathbb{A}, \mathbb{B}\rangle(m_1, m_2, b;\;r_\mathbb{A})$$ An OT scheme preserves Bob's privacy if, given $\tau'$, the probability that $\mathcal{D}'$ can guess the value of $b$ with probability significantly greater than $\frac{1}{2}$ is negligible, i.e.,  $$\forall \mathcal{D}' \in \text{p.p.t}:\;\mathbf{Pr}\left[\mathcal{D}'(m_1, m_0, \tau') = b\right] < \frac{1}{2} + \textsf{negl}$$ where the probability is taken over the random choices made by $\mathcal{D}'$.

The following code abstracts this interface: