One of two oblivious transfer

Alice holds two items of information, say $m_0$ and $m_1$. Bob wants to know on tof these two items of information, but does not want Alice to know which one he wants.

This problem is known as the oblivious transfer problem. It can be solved in several ways. We will do it using RSA techniques.

1. $N$ is Alice's public RSA modulus and $e$ is the corresponding public exponent; $d$ is the corresponding private decryption exponent.

2. At Bob's request, Alice generates two random messages $x_0$ and $x_1$ (random numbers smaller than $N$) and sends them to Bob.

3. Bob wants $m_b$, where $b \in \lbrace 0,1 \rbrace$. So, Bob generates a random $k$ and computes and send to Alice $v = (x_0 + k^e)mod N$.

4. Alice computes $m'_0 = m_0 + (v - x_0)^d mod N$ and $m'_1 = m_1 + (v - x_1)^d mod N$ and sends both to Bod. Either $(v - x_0)^d mod N$ or $(v - x_1)^d mod N$ will be equal to $k$, but Alice has no way of knowing which one is the case.

5. Bob computes $m_b = m'_b - k mod N$. He cannot infer $m_{1-b}$ from $m'_{1-b}$.