1outof$n$ Oblivious Transfer
Suppose $A$ has a list $({x}_{1},...,{x}_{n})$, $B$ has $i\in \{1,...,n\}$.
We want a SFE protocol where ${F}_{A}=0,{F}_{B}={x}_{i}$, that is,

$B$ learns ${x}_{i}$ and nothing else

$A$ learns nothing about $i$
Theorem: [Kilian'87] 1outof2 OT is universal for 2party SFE
In other words, given a 1outof2 OT protocol, one can do any 2party SFE. (Yao's construction requires a block cipher in addition to a 1outof2 OT protocol.)
Note that oblivious transfer implies 2party SFE, which implies key exchange, and hence 1outof2 OT cannot be built from a blackbox oneway function. Instead, we build one using the DDH assumption [BellareMicali'92].
BellareMicali Construction
Let $G$ be a group of prime order $p$, and let $g\in G$ be a generator, and $H:G\to \{\mathrm{0,1}{\}}^{n}$ be a hash function.
Suppose $A$ has ${x}_{0},{x}_{1}\in \{\mathrm{0,1}{\}}^{n}$, and $B$ has $b\in \{\mathrm{0,1}\}$.

$A$ publishes a random $c\leftarrow G$, $B$ picks $k\leftarrow {\mathbb{Z}}_{p}$, sets ${\mathrm{PK}}_{b}={g}^{K},{\mathrm{PK}}_{1b}=c/{g}^{k}$ and sends ${\mathrm{PK}}_{0},{\mathrm{PK}}_{1}$ to $A$. $A$ checks ${\mathrm{PK}}_{0}{\mathrm{PK}}_{1}=c$.

$A$ encrypts ${x}_{0}$ with El Gamal using ${\mathrm{PK}}_{0}$, i.e. sets ${C}_{0}=[{g}^{{r}_{0}},H({\mathrm{PK}}_{0}^{{r}_{0}})\oplus {x}_{0}]$, encrypts ${x}_{1}$ using ${\mathrm{PK}}_{1}$, and sends ${C}_{0},{C}_{1}$ to $B$.

$B$ decrypts ${C}_{b}$ using $K$, i.e. if ${C}_{b}=[{V}_{1},{V}_{2}]$, $B$ computes ${X}_{b}=H({V}_{1}^{K})\oplus {V}_{2}$.
Security: $A$ cannot learn anything about $b$ (information theoretic result).
If $B$ is honestbutcurious, then assuming DDH, $B$ can only decrypt one of ${C}_{0}$ or ${C}_{1}$.
If $B$ is malicious, then assuming DDH is not enough: conceivably $B$ could generate ${\mathrm{PK}}_{0},{\mathrm{PK}}_{1}$ in such a way that $B$ knows partial information about their corresponding private keys, and perhaps $B$ can then learn partial information about both ${x}_{0}$ and ${x}_{1}$. However, if $H$ is a random oracle, then the protocol is secure under CDH.
NaorPinkas Construction
[Naor, Pinkas '00] Let $G$ be a group of prime order $q$ and let $g\in G$ be a generator. Suppose $A$ has ${m}_{0},{m}_{1}$ and $B$ has $V\in \{\mathrm{0,1}\}$.

$B$ sends the tuple $(g,x={g}^{a},y={g}^{b},{z}_{0}={g}^{{c}_{0}},{z}_{1}={g}^{{c}_{1}}$ to $A$, where $a,b\leftarrow {\mathbb{Z}}_{q}$, ${c}_{v}=\mathrm{ab}$ and ${c}_{1v}\leftarrow {\mathbb{Z}}_{q}$.

$A$ verifies that ${z}_{0}\ne {z}_{1}$ and applies a partial DDH random selfreduction: $(g,x,y,{z}_{0})$ becomes ${T}_{0}=(g,x,{y}_{0},z{\prime}_{0})$, and $(g,x,y,{z}_{1})$ becomes ${T}_{1}=(g,x,{y}_{1},z{\prime}_{1})$.

$A$ encrypts ${m}_{0}$ using ${T}_{0}$ and ${m}_{1}$ using ${T}_{1}$, that is, $A$ sends to $B$ the ciphertexts $({\mathrm{CT}}_{0}=({y}_{0},\mathrm{mz}{\prime}_{0}),{\mathrm{CT}}_{1}=({y}_{1},\mathrm{mz}{\prime}_{1}))$.

$B$ decrypts ${\mathrm{CT}}_{v}$.
This protocol is information theoretically secure against $B$, and DDH secure against $A$. The random selfreduction destroys any partial information in the message $B$ sends to $A$. Note that this construction also generalizes to a 1outof$n$ protocol.
DDH Random SelfReduction
Suppose we have a tuple $g,{g}^{x},{g}^{y},{g}^{z}$. Then to perform a random selfreduction, pick random $a,b\leftarrow {\mathbb{Z}}_{p}^{*}$, and output $g,{g}^{(x+b)a},{g}^{y},{g}^{(z+\mathrm{by})a}$.
Note that this transformation takes DHtuples to DHtuples, and nonDHtuples to nonDHtuples. Furthermore, the new exponents are independent of the originals. This is easy to see if we start with a DH tuple. On the other hand, if the tuple is not DH, then given any $x\prime ,z\prime $, there exists a unique $a,b$ such that $(x+b)a=x\prime ,(z+\mathrm{by})a=z\prime $ (we can solve to get $a=(z\prime x\prime y)/(z\mathrm{xy})$ and $b$ can be easily determined from $a$). As expected, these solutions are not well defined if $z=\mathrm{xy}$, i.e. the original tuple is DH.
1outofn From 1outof2
We show how to construct a 1outof$n$ OT protocol from any 1outof2 OT protocol.
Suppose $A$ has ${m}_{0},...,{m}_{N}\in \{\mathrm{0,1}{\}}^{n}$ and $B$ has $t\in \{0,...,N\}$. Assume $N={2}^{l}1$ for some $l$.

$A$ prepares $2l$ keys $({K}_{1}^{0},{K}_{1}^{1}),...,({K}_{l}^{0},{K}_{l}^{1})$.

Let ${F}_{k}:\{\mathrm{0,1}{\}}^{l}\to \{\mathrm{0,1}{\}}^{n}$ be a PRF. $A$ sends to $B$ the tuple $({C}_{0},...,{C}_{N})$: view the message index as a bit string $I={I}_{1}...{I}_{l}\in \{\mathrm{0,1}{\}}^{l}$, and encrypt using
$${C}_{I}={m}_{I}\oplus {\oplus}_{i=1}^{l}{F}_{{K}_{i}^{{I}_{i}}}(I)$$Note $A$ sends $O(N)$ bits to $B$.

Let $t={t}_{1}...{t}_{l}\in \{\mathrm{0,1}{\}}^{l}$. Then $l$ 1outof2 OT's are performed where during the $j$th OT, $A$ has $({K}_{j}^{0},{K}_{j}^{1})$ and $B$ has ${t}_{j}\in \{\mathrm{0,1}\}$.

$B$ now has ${K}_{1}^{{t}_{1}},...,{K}_{l}^{{t}_{l}}$ and can decrypt ${C}_{t}$ to get ${m}_{t}$.
Thus with $\mathrm{log}N$ 1outof2 OT's, a single 1outof$N$ OT can be constructed, that has $O(N)$ communication complexity.