Oblivious Transfer (OT) is a cryptographic primitive in which a sender transfers some of potentially many pieces of information to a receiver.
The sender doesn't know which pieces of information have been transferred.
1outof2 OT
Oblivious transfer is central to many of the constructions for secure multiparty computation.
In its most basic form, the sender has two secret messages as inputs, m_{0} and m_{1}; the receiver has a choice bit c as input.
At the end of the 1outof2 OT protocol, the receiver should only learn message M_{c}, while the sender should not
learn the value of the receiver's input c.
The protocol is defined for elliptic curves over finite fields E(F_{q}). The set of points E(F_{q}) is a finite abelian group.
It works as follows:
 Alice samples a random a and computes A = aG. Sends A to Bob
 Bob has a choice c. He samples a random b.
 If c is 0, then he computes B = bG.
 If c is 1, then he computes B = A + bG.
Sends B to Alice
 Alice derives two keys:
 K_{0} = aB
 K_{1} = a(B  A)
It's easy to check that Bob can derive the key K_{c} corresponding to his choice bit, but cannot compute the other one.
1outofN OT
The 1outofN oblivious transfer protocol is a natural generalization of the 1outof2 OT protocol,
in which the sender has a vector of messages (M_{0}, ..., M_{n1}). The receiver only has a choice c.
We implement a protocol for random OT, where the sender, Alice, outputs n random keys and the receiver, Bob, only learns one of them.
It consists on three parts:
Setup
Alice samples a ∈ Z_{p} and computes A = aG and T = aA, where G and p are the generator and the order of the curve, respectively.
She sends A to Bob, who aborts if A is not a valid point in the curve.
Choose
Bob takes his choice c ∈ Z_{n}, samples b ∈ Z_{p} and replies R = cA + bG. Alice aborts if R is not a valid point in the curve.
Key derivation

For all e ∈ Z_{n}, Alice computes k_{e} = aR  eT. She now has a vector of keys (k_{0}, ..., k_{n1}).

Bob computes k_{R} = bA.
We can see that the key k_{e} = aR  eT = abG + (c  e)T. If e = c, then k_{c} = abG = bA = k_{R}.
Therefore, k_{R} = k_{c} if both parties are honest.
testOT :: ECC.Curve > Integer > IO Bool
testOT curve n = do
 Alice sets up the procotol
(sPrivKey, sPubKey, t) < OT.setup curve
 Bob picks a choice bit 'c'
(rPrivKey, response, c) < OT.choose curve n sPubKey
 Alice computes a set of n keys
let senderKeys = OT.deriveSenderKeys curve n sPrivKey response t
 Bob only gets to know one out of n keys. Alice doesn't know which one
let receiverKey = OT.deriveReceiverKey curve rPrivKey sPubKey
pure $ receiverKey == (senderKeys !! fromInteger c)
koutofN OT
1outofN oblivious transfer can be generalised one step further into
koutofN. This is very similar in structure to the methods above comprising
the same 3 parts:
Setup
As above, Alice samples a ∈ Z_{p} and computes A = aG and T = aA, where G and p are the generator and the order of the curve, respectively.
She sends A to Bob, who aborts if A is not a valid point in the curve.
Choose
Bob takes his choices c^{i} ∈ Z_{n}, samples b^{i} ∈ Z_{p} and replies R^{i} = c^{i}A + b^{i}G. Alice aborts if R^{i} is not a valid point in the curve.
Key derivation

For all e^{i} ∈ Z_{n}, Alice computes k_{e}^{i} = aR^{i}  e^{i}T. She now has a vector of vectors of keys (k_{0}^{i}, ..., k_{n1}^{i}).

Bob computes k_{R}^{i} = b^{i}A.
We can see that the key k_{e}^{i} = aR^{i}  e^{i}T = ab^{i}G + (c^{i}  e^{i})T. If e = c, then k_{c}^{i} = ab^{i}G = b^{i}A = k_{R}^{i}.
Therefore, k_{R}^{i} = k_{c}^{i} if both parties are honest.
References:
 Chou, T. and Orlandi, C. "The Simplest Protocol for Oblivious Transfer" Technische Universiteit Eindhoven and Aarhus University
Notation:
k: Lowercase letters are scalars.
P: Uppercase letters are points in an elliptic curve.
kP: Multiplication of a point P with a scalar k over an elliptic curve defined over a finite field modulo a prime number.
License
Copyright 2018 Adjoint Inc
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.