simplest

package
v1.8.9 Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: May 2, 2022 License: Apache-2.0 Imports: 10 Imported by: 0

Documentation

Overview

Package simplest implements the "Verified Simplest OT", as defined in "protocol 7" of [DKLs18](https://eprint.iacr.org/2018/499.pdf). The original "Simplest OT" protocol is presented in [CC15](https://eprint.iacr.org/2015/267.pdf). In our implementation, we run OTs for multiple choice bits in parallel. Furthermore, as described in the DKLs paper, we implement this as Random OT protocol. We also add encryption and decryption steps as defined in the protocol, but emphasise that these steps are optional. Specifically, in the setting where this OT is used as the seed OT in an OT Extension protocol, the encryption and decryption steps are not needed.

Limitation: currently we only support batch OTs that are multiples of 8.

Ideal functionalities:

  • We have used ZKP Schnorr for the F^{R_{DL}}_{ZK}
  • We have used HMAC for realizing the Random Oracle Hash function, the key for HMAC is received as input to the protocol.

Index

Constants

View Source
const (

	// DigestSize is the length of hash. Similarly, when it comes to encrypting and decryption, it is the size of the
	// plaintext and ciphertext.
	DigestSize = 32
)

Variables

This section is empty.

Functions

func ExtractBitFromByteVector

func ExtractBitFromByteVector(vector []byte, index int) byte

ExtractBitFromByteVector interprets the byte-vector `vector` as if it were a _bit_-vector with len(vector) * 8 bits. it extracts the `index`th such bit, interpreted in the little-endian way (i.e., both across bytes and within bytes).

func NewPipeWrappers

func NewPipeWrappers() (*pipeWrapper, *pipeWrapper)

func ReceiverStreamOTRun

func ReceiverStreamOTRun(receiver *Receiver, rw io.ReadWriter) error

ReceiverStreamOTRun exposes the entire seed OT process for the receiver in "stream mode" to the user. what this means is that instead of calling the component methods in the process manually, and manually handling the encoding and decoding of the resulting output and input structs, the user needs _only_ to pass a ReadWriter (in practice this will be something like a websocket object), and this method will handle the entire process. this serves the dual (though related) purpose of conveniently bundling up the entire seed OT process, for use in tests, both in this package, as well as in the other packages which use this one (like cOT and mult).

func SenderStreamOTRun

func SenderStreamOTRun(sender *Sender, rw io.ReadWriter) error

SenderStreamOTRun exposes the entire seed OT process for the sender in "stream mode" to the user. similarly to the above, this means that the user needs only to pass a `ReadWriter` representing the comm channel; this method will handle all encoding and decoding + writing and reading to the channel.

Types

type ChallengeOpening

type ChallengeOpening = [keyCount][DigestSize]byte

ChallengeOpening is the type of hashed Rho^0 and Rho^1

type OneTimePadDecryptionKey

type OneTimePadDecryptionKey = [DigestSize]byte

OneTimePadDecryptionKey is the type of Rho^w, Rho^0, and RHo^1 in the paper.

type OneTimePadEncryptionKeys

type OneTimePadEncryptionKeys = [keyCount][DigestSize]byte

OneTimePadEncryptionKeys is the type of Rho^0, and RHo^1 in the paper.

type OtChallenge

type OtChallenge = [DigestSize]byte

OtChallenge is the type of xi in the paper.

type OtChallengeResponse

type OtChallengeResponse = [DigestSize]byte

OtChallengeResponse is the type of Rho' in the paper.

type Receiver

type Receiver struct {
	// Output is the output that is produced as a result of running random OT protocol.
	Output *ReceiverOutput
	// contains filtered or unexported fields
}

Receiver stores state for the "receiver" role in OT. Protocol 7, Appendix A, of DKLs.

func NewReceiver

func NewReceiver(curve *curves.Curve, batchSize int, uniqueSessionId [DigestSize]byte) (*Receiver, error)

NewReceiver is a Random OT receiver. Therefore, the choice bits are created randomly. The choice bits are stored in a packed format (e.g., each choice is a single bit in a byte array).

func (*Receiver) Round2VerifySchnorrAndPadTransfer

func (receiver *Receiver) Round2VerifySchnorrAndPadTransfer(proof *schnorr.Proof) ([]ReceiversMaskedChoices, error)

Round2VerifySchnorrAndPadTransfer verifies the schnorr proof of the public key sent by the sender, i.e., step 2), and then does receiver's "Pad Transfer" phase in OT, i.e., step 3), of Protocol 7 (page 16) of the paper.

func (*Receiver) Round4RespondToChallenge

func (receiver *Receiver) Round4RespondToChallenge(challenge []OtChallenge) ([]OtChallengeResponse, error)

Round4RespondToChallenge corresponds to initial round of the receiver's "Verify" phase; see step 6 of page 16 of the paper. this is just the start of Verification. In this round, the receiver outputs "rho'", which the sender will check.

func (*Receiver) Round6Verify

func (receiver *Receiver) Round6Verify(challengeOpenings []ChallengeOpening) error

Round6Verify is the _last_ part of the "Verification" phase of OT; see p. 16 of https://eprint.iacr.org/2018/499.pdf. See step 8 of page 16 of the paper. Abort if H(Rho^w) != the one it calculated itself or

if Xi != H(H(Rho^0)) XOR H(H(Rho^1))

In other words,

if opening_w != H(decryption key)  or
if challenge != H(opening 0) XOR H(opening 0)

func (*Receiver) Round8Decrypt

func (receiver *Receiver) Round8Decrypt(ciphertext [][keyCount][DigestSize]byte) ([][DigestSize]byte, error)

Round8Decrypt wraps a `Decrypt` operation on the Receiver's underlying output from the random OT; see `Decrypt` below this is optional; it will be used only in circumstances when you want to run "actual" (i.e., non-random) OT

type ReceiverOutput

type ReceiverOutput struct {
	// PackedRandomChoiceBits is a packed version of the choice vector, the packing is done for performance reasons.
	PackedRandomChoiceBits []byte

	// RandomChoiceBits is the choice vector represented as unpacked int array. Initialed from PackedRandomChoiceBits.
	RandomChoiceBits []int

	// OneTimePadDecryptionKey is Rho^w, the output of the random OT. For the receiver, there is just 1 output per execution.
	// This value will be used to decrypt one of the messages sent by the sender.
	// Therefore, for readability this is called OneTimePadDecryptionKey in the code.
	OneTimePadDecryptionKey []OneTimePadDecryptionKey
}

ReceiverOutput are the outputs that the receiver will obtain as a result of running the "random" OT protocol.

func (*ReceiverOutput) Decrypt

func (r *ReceiverOutput) Decrypt(ciphertexts [][keyCount][DigestSize]byte) ([][DigestSize]byte, error)

Decrypt is step 10) of the seed OT Protocol 7) of https://eprint.iacr.org/2018/499.pdf, where the seed OT receiver "decrypts" the message it's receiving using the "key" it received in the random OT.

type ReceiversMaskedChoices

type ReceiversMaskedChoices = []byte

ReceiversMaskedChoices corresponds to the "A" value in the paper in compressed format.

type Sender

type Sender struct {
	// Output is the output that is produced as a result of running random OT protocol.
	Output *SenderOutput
	// contains filtered or unexported fields
}

Sender stores state for the "sender" role in OT. see Protocol 7 in Appendix A of DKLs18.

func NewSender

func NewSender(curve *curves.Curve, batchSize int, uniqueSessionId [DigestSize]byte) (*Sender, error)

NewSender creates a new "sender" object, ready to participate in a _random_ verified simplest OT in the role of the sender. no messages are specified by the sender, because random ones will be sent (hence the random OT). ultimately, the `Sender`'s `Output` field will be appropriately populated. you can use it directly, or alternatively bootstrap it into an _actual_ (non-random) OT using `Round7Encrypt` below

func (*Sender) Round1ComputeAndZkpToPublicKey

func (sender *Sender) Round1ComputeAndZkpToPublicKey() (*schnorr.Proof, error)

Round1ComputeAndZkpToPublicKey is the first phase of the protocol. computes and stores public key and returns the schnorr proof. serialized / packed. This implements step 1 of Protocol 7 of DKLs18, page 16.

func (*Sender) Round3PadTransfer

func (sender *Sender) Round3PadTransfer(compressedReceiversMaskedChoice []ReceiversMaskedChoices) ([]OtChallenge, error)

Round3PadTransfer is the sender's "Pad Transfer" phase in OT; see steps 4 and 5 of page 16 of the paper. Returns the challenges xi

func (*Sender) Round5Verify

func (sender *Sender) Round5Verify(challengeResponses []OtChallengeResponse) ([]ChallengeOpening, error)

Round5Verify verifies the challenge response. If the verification passes, sender opens his challenges to the receiver. See step 7 of page 16 of the paper. Abort if Rho' != H(H(Rho^0)) in other words, if challengeResponse != H(H(encryption key 0)). opening is H(encryption key)

func (*Sender) Round7Encrypt

func (sender *Sender) Round7Encrypt(messages [][keyCount][DigestSize]byte) ([][keyCount][DigestSize]byte, error)

Round7Encrypt wraps an `Encrypt` operation on the Sender's underlying output from the random OT; see `Encrypt` below. this is optional; it will be used only in circumstances when you want to run "actual" (i.e., non-random) OT

type SenderOutput

type SenderOutput struct {
	// OneTimePadEncryptionKeys are  Rho^0 and Rho^1, the output of the random OT.
	// These can be used to encrypt and send two messages to the receiver.
	// Therefore, for readability they are called OneTimePadEncryptionKeys  in the code.
	OneTimePadEncryptionKeys []OneTimePadEncryptionKeys
}

SenderOutput are the outputs that the sender will obtain as a result of running the "random" OT protocol.

func (*SenderOutput) Encrypt

func (s *SenderOutput) Encrypt(plaintexts [][keyCount][DigestSize]byte) ([][keyCount][DigestSize]byte, error)

Encrypt runs step 9) of the seed OT Protocol 7) of https://eprint.iacr.org/2018/499.pdf, in which the seed OT sender "encrypts" both messages under the "one-time keys" output by the random OT.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL