A secure protocol for the oblivious transfer (extended abstract)

There has been a great deal of interest lately in cryptographic protocols. Vaguely, a cryptographic protocol is a means whereby two or more people can interact in such a manner as to exchange a certain amount of information, while keeping other information secret (either from one of the participants or from another party). One interesting task for which one would like a protocol is the "oblivious transfer" introduced by Rabin in [4]. This involves two parties A and B; A would like to send a message of some sort to B, with the constraint that B has a 50% chance of receiving the message, and the other half of the time B receives no information at all about the message. The additional constraint is that A has no idea whether or not B received the message. Oblivious transfer can be viewed as a special type of coin tossing. Although it is not useful in and of itself, it appears to be very useful as a means towards other ends, and in fact has been used in a number of other protocols by a number of different researchers [1]-[3].

In [4], Rabin proposed a protocol for the oblivious transfer. It was intended that the protocol be correct, assuming only that it is hard to factor certain large composite numbers. However, as described below, there is a potential flaw in his protocol: it is possible that B can cheat and obtain extra information from A, even if the assumption about the difficulty of factoring is true. Although we cannot prove that B can cheat in this way, no one has yet been able to prove that B cannot. In Section 4 we present a new protocol for the oblivious transfer. It is similar to Rabin's, but we fix the potential flaw so that it is possible to prove that our protocol works, subject only to the assumption about the difficulty of factoring.
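Rabin's factoring-based protocol is only named above, not described. As an added illustration (not code from this paper), here is a toy simulation of that exchange in which the "message" A transfers is the factorization of n = pq: B sends the square of a secret x, A replies with one of the four square roots chosen at random, and B recovers a factor exactly when that root is neither x nor -x, which happens half the time, while A cannot tell which case occurred. The small primes, the helper names and the use of primes congruent to 3 mod 4 are this example's own assumptions.

```python
# Toy model of Rabin's oblivious transfer (constructed example, not the
# paper's protocol). Small primes only: this shows the 50% property, it is
# not a secure implementation.
import random
from math import gcd

def sqrt_mod_prime(a, p):
    # Square root of a quadratic residue a modulo a prime p with p % 4 == 3
    # (assumption: A chooses such primes so roots are cheap to compute).
    return pow(a, (p + 1) // 4, p)

def crt(rp, rq, p, q):
    # Combine a root mod p and a root mod q into one root mod n = p*q.
    k = (rp - rq) * pow(q, -1, p) % p
    return (rq + q * k) % (p * q)

def sender_square_roots(c, p, q):
    """A's side: the four square roots of c modulo n, using the factorization."""
    rp = sqrt_mod_prime(c % p, p)
    rq = sqrt_mod_prime(c % q, q)
    return [crt(sp, sq, p, q) for sp in (rp, p - rp) for sq in (rq, q - rq)]

def receiver_learns_factor(x, y, n):
    """B's side: a root y with y != +/-x gives a nontrivial factor via gcd."""
    d = gcd((x - y) % n, n)
    return d if 1 < d < n else None

def rabin_ot_round(p, q, rng):
    """One transfer: returns a factor of n if B received the 'message', else None."""
    n = p * q
    x = rng.randrange(2, n)
    while gcd(x, n) != 1:          # B keeps x secret; A never sees it
        x = rng.randrange(2, n)
    c = pow(x, 2, n)                # B -> A: the square of x
    y = rng.choice(sender_square_roots(c, p, q))  # A -> B: a random root
    return receiver_learns_factor(x, y, n)

def success_rate(p, q, trials, seed=0):
    """Fraction of rounds in which B obtains the factorization (about 1/2)."""
    rng = random.Random(seed)
    hits = sum(rabin_ot_round(p, q, rng) is not None for _ in range(trials))
    return hits / trials

if __name__ == "__main__":
    print(sorted(sender_square_roots(4, 7, 11)))   # the four roots of 4 mod 77
    print(success_rate(7, 11, 2000))
```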