ot

package
v0.1.0 Latest Latest
Warning

This package is not in the latest version of its module.

 Go to latest Published: Feb 16, 2026 License: Apache-2.0 Imports: 3 Imported by: 0

README

ot Oblivious Transfer

This package generalizes a common interface for 1-out-of-2 Oblivious Transfer protocols.

There are two main types of OT protocols:

  • Base OT: A protocol that implements an OT functionality (described below) from scratch by relying on public-key cryptography for each OT. We implement:
    • bbot "Batching Base OTs", a 3-round protocol from MRR21 providing endemic security.
    • vsot "Verifiable Secret Sharing OT", a 6-round protocol from DKLs18 (protocol 7) providing malicious security.
  • OT Extension: A protocol that implements an OT functionality (described below) by using a small number of Base OTs as seeds to generate a large number of OTs.
    • softspoken "SoftspokenOT", a 3-round protocol from SoftSpokenOT providing malicious security, requiring a Base OT with endemic security (e.g., bbot).

We implement all OT protocols to run ξ (Xi) instances of the protocol in parallel, where the batch size ξ must be a multiple of the computational security parameter κ (=128 bits).

We implement all the above as Random OT (ROT/ROTe) protocols, and we provide functions to convert them to standard OT (Sender.Encrypt & Receiver.Decrypt) and Correlated OT (Sender.CreateCorrelation & Receiver.ApplyCorrelation) protocols based on MR19.

Functionalities (flavors) of Oblivious Transfer: ROT, OT, COT

Random OT (ROT)

A 1-out-of-2 Random Oblivious Transfer (ROT) is a two-party protocol between a sender and a receiver that samples two random messages $(s_0, s_1)$ for the sender, and allows the receiver to choose one of them $(r_x = s_x)$ via a choice bit $(x)$, hiding:

  • the choice bit $(x)$ to the sender.
  • the other message $(s_{1-x})$ to the receiver.
┌------┐                      ┌------------------┐                  ┌--------┐
|      |                      |      1|2 ROT     |<---(x ∈{0,1})<---|        |
|      |                      |  s_0 <- {0,1}^*  |                  |        |
|Sender|                      |  s_1 <- {0,1}^*  |                  |Receiver|
|      |                      |  r_x = s_{x}     |                  |        |
|      |                      └------------------┘                  |        |
|      | <-- (s_0, s_1) <---------------┴-------------> (r_x) ----> |        |
└------┘                                                            └--------┘
            ┌-
s.t. r_x = -| s_0 if x = 0
            | s_1 if x = 1
		    └-
Standard OT

We can build a standard 1|2 Oblivious Transfer (OT) based on a 1|2 ROT.

┌------┐                      ┌------------------┐                  ┌--------┐
|      |                      |      1|2  OT     |<---(x ∈{0,1})<---|        |
|      |----- (m_0, m_1) ---> |                  |                  |        |
|Sender|                      |    m_x = m_{x}   |                  |Receiver|
|      |                      |                  |                  |        |
|      |                      └------------------┘                  |        |
|      |                                └-------------> (m_x) ----> |        |
└------┘                                                            └--------┘
            ┌-
s.t. m_x = -| m_0 if x = 0
            | m_1 if x = 1
		    └-

To achieve this functionality, uses the two random messages $(s_0, s_1)$ resulting from a ROT to Encrypt two messages $(m_0, m_1)$ fixed by the sender with one-time pad $(m_0 ⊕ s_0, m_1 ⊕ s_1)$ and send both to the receiver, who can Decrypt one with the message he chose in the ROT $m_x = (m_0 ⊕ r_x) * (1-x) + (m_1 ⊕ r_x) * x$.

Standard OT

Similarly, we can build a Correlated 1|2 Oblivious Transfer (COT) based on a 1|2 ROT, to establish a correlation $z_A + z_B = a \cdot x$ between the sender and the receiver, where the sender provides $a \in \Z_q$, the receiver sets the bit $x \in {0,1}$, and the sender and receiver each get a share ($z_A$, $z_B$ respectively) of the product $a \cdot x$.

┌------┐                      ┌------------------┐                  ┌--------┐
|      |------ (a ∈ℤq) -----> |      1|2 COT     |<---(x ∈{0,1})<---|        |
|      |                      |                  |                  |        |
|Sender|                      | z_A <- ℤq        |                  |Receiver|
|      |                      | z_B <- a⋅x - z_A |                  |        |
|      |                      └------------------┘                  |        |
|      | <---- (z_A∈ℤq) <---------------┴----------> (z_B∈ℤq) ----> |        |
└------┘                                                            └--------┘
            
s.t. z_A + z_B = a⋅x

To achieve this, both parties map their ROT messages $(s_0, s_1, r_x)$ to numbers in $\Z_q$. Then, the sender sets $z_A = s_0$ and sends a derandomising mask $\tau = s_1 - s_0 + a$ to the receiver, who can compute $z_B = \tau \cdot x - r_x$.

Documentation

Overview

Package ot provides generalises a common interface for 1-out-of-2 Oblivious Transfer protocols. .

See README.md for details.

Index

Constants

This section is empty.

Variables

View Source 
var (
	ErrInvalidArgument = errs.New("invalid argument")
	ErrFailed          = errs.New("failed")
	ErrRound           = errs.New("invalid round")
)

Functions

func TransposePackedBits 

func TransposePackedBits(inputMatrix [][]byte) ([][]byte, error)

TransposePackedBits transposes a 2D matrix of "packed" bits (represented in groups of 8 bits per bytes), yielding a new 2D matrix of "packed" bits. If we were to unpack the bits, inputMatrixBits[i][j] == outputMatrixBits[j][i].

Types

type DefaultSuite 

type DefaultSuite struct {
	// contains filtered or unexported fields
}

DefaultSuite implements Suite with fixed parameters.

func NewDefaultSuite 

func NewDefaultSuite(xi, l int) (*DefaultSuite, error)

NewDefaultSuite constructs a suite with the given batch size xi and message block length l.

func (*DefaultSuite) L 

func (s *DefaultSuite) L() int

L returns the message block length.

func (*DefaultSuite) Xi 

func (s *DefaultSuite) Xi() int

Xi returns the batch size (number of parallel OTs).

type PackedBits 

type PackedBits []byte

PackedBits is a byte vector of little-endian packed bits.

func Pack 

func Pack(unpackedBits []uint8) (PackedBits, error)

Pack compresses the bits in the input vector v, truncating each input byte to its least significant bit. E.g., [0x01,0x01,0x01,0x01, 0x00,0x00,0x01,0x00] ---> [0xF0].

func Parse 

func Parse(v string) (PackedBits, error)

Parse converts a binary string into PackedBits.

func (PackedBits) BitLen 

func (pb PackedBits) BitLen() int

BitLen returns the number of bits represented by the packed slice.

func (PackedBits) Clear 

func (pb PackedBits) Clear(i uint)

Clear sets the `i`th bit of a packed bits vector to 0.

func (PackedBits) Get 

func (pb PackedBits) Get(i uint) uint8

Get gets the `i`th bit of a packed bits vector. E.g., [0x12, 0x34] --> [0,1,0,0, 1,0,0,0, 1,1,0,0, 0,0,1,0].

func (PackedBits) Repeat 

func (pb PackedBits) Repeat(nRepetitions int) PackedBits

Repeat repeats the bits in the input vector `nrepetitions` times. E.g., if v = [0,1,0,1] and nrepetitions = 2, then the output is [0,0,1,1,0,0,1,1]. To do so, bits must be unpacked, repeated, and packed in the output.

func (PackedBits) Set 

func (pb PackedBits) Set(i uint)

Set sets the `i`th bit of a packed bits vector. Input `bit` is truncated to its least significant bit (i.e., we only consider the last bit of `bit`).

func (PackedBits) String 

func (pb PackedBits) String() string

String returns a string representation of the packed bits.

func (PackedBits) Swap 

func (pb PackedBits) Swap(i, j uint)

Swap swaps the `i`th and `j`th bits.

func (PackedBits) Unpack 

func (pb PackedBits) Unpack() []uint8

Unpack expands the bits of the input vector into separate bytes. E.g., [0xF0,0x12] ---> [1,1,1,1, 0,0,0,0, 0,0,0,1, 0,0,1,0].

type ReceiverOutput 

type ReceiverOutput[D any] struct {
	Choices  []byte `cbor:"choices"`
	Messages [][]D  `cbor:"messages"`
}

ReceiverOutput holds the receiver's choice bits and selected messages.

func (*ReceiverOutput[D]) InferredL 

func (ro *ReceiverOutput[D]) InferredL() int

InferredL infers l from the first row and validates consistency across all entries.

func (*ReceiverOutput[D]) InferredXi 

func (ro *ReceiverOutput[D]) InferredXi() int

InferredXi infers xi from choice bits and message count, returning 0 on mismatch.

type SenderOutput 

type SenderOutput[D any] struct {
	Messages [][2][]D `cbor:"messages"`
}

SenderOutput holds the sender's pair of messages for each OT and block index.

func (*SenderOutput[D]) InferredL 

func (so *SenderOutput[D]) InferredL() int

InferredL infers l from the first entry and validates consistency across all entries.

func (*SenderOutput[D]) InferredXi 

func (so *SenderOutput[D]) InferredXi() int

InferredXi infers xi from the message count, or returns 0 if inconsistent.

type Suite 

type Suite interface {
	Xi() int
	L() int
}

Suite captures batch and block sizes for an OT instantiation.

Source Files

View all Source files

Directories

Path Synopsis
base
ecbbot
Package ecbbot implements the "Batched Simplest OT", an OT protocol with endemic security defined in Figure 3 of MRR21, to run Random OTs (ROT) for a batch of choice bits in parallel.
 Package ecbbot implements the "Batched Simplest OT", an OT protocol with endemic security defined in Figure 3 of MRR21, to run Random OTs (ROT) for a batch of choice bits in parallel.
ecbbot/testutils
vsot
Package vsot implements the "Verified Simplest OT", as defined in "protocol 7" of DKLs18.
 Package vsot implements the "Verified Simplest OT", as defined in "protocol 7" of DKLs18.
extension
softspoken
Package softspoken implements of maliciously secure 1-out-of-2 Correlated Oblivious Transfer extension (COTe) protocol.
 Package softspoken implements of maliciously secure 1-out-of-2 Correlated Oblivious Transfer extension (COTe) protocol.

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL
go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.