silent

package

v1.0.6 Latest Latest Go to latest Published: Apr 15, 2026 License: Apache-2.0 Imports: 8 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/keyzon-technologies/kryptology

Links

Open Source Insights

Documentation ¶

Overview ¶

Package silent implements a compact "lazy" seed-OT whose stored state is ~129 bytes per pair versus ~24 KB for the Simplest OT it replaces.

Trade-off ¶

Storage is reduced at the cost of one extra signing round (Alice sends 8 KB of ephemeral EC points to Bob). The overall signing round count stays the same because Alice's ephemeral points are bundled with her existing Round-1 seed message.

Protocol summary ¶

DKG setup (replaces 7-round Simplest OT, runs once per wallet pair):

NewSender  → Bob   generates b, B = b·G, Schnorr proof of b
NewReceiver← Alice verifies proof, generates (a_master, choice_bits), stores B

Storage per pair:

Alice : MasterScalar (32 B) + PackedChoiceBits (32 B) + SenderPublicKey (33 B) = 97 B
Bob   : SecretKey (32 B) + PublicKey (33 B)                                    = 65 B
Total : 162 B  vs ~24 576 B for Simplest OT  (≈ 150× reduction)

Signing (called once per session):

Alice.EphemeralPoints  → {A_i = a_i·G + w_i·B}  i=0…255   (8 448 B, sent to Bob)
Alice.ExpandReceiver   → *simplest.ReceiverOutput  (computed locally)
Bob.ExpandSender(A_i)  → *simplest.SenderOutput   (computed from Alice's points)

Both expanded outputs are passed directly to the KOS OT-extension layer (unchanged).

Index ¶

Constants
func DecodeEphemeralPoints(curve *curves.Curve, encoded [][]byte) ([]curves.Point, error)
func EncodeEphemeralPoints(pts []curves.Point) ([][]byte, error)
type ReceiverOutput
- func NewReceiver(curve *curves.Curve, senderProof *schnorr.Proof, senderProofSessionID []byte) (*ReceiverOutput, error)
type SenderOutput
- func NewSender(curve *curves.Curve, sessionID []byte) (*SenderOutput, *schnorr.Proof, error)
- func (s *SenderOutput) ExpandSender(curve *curves.Curve, pts []curves.Point, sessionID [digestSize]byte) (*simplest.SenderOutput, error)

Constants ¶

View Source

const (
	// BatchSize is the number of base OTs produced. Must equal kos.Kappa (256).
	BatchSize = 256
)

Variables ¶

This section is empty.

Functions ¶

func DecodeEphemeralPoints ¶

func DecodeEphemeralPoints(curve *curves.Curve, encoded [][]byte) ([]curves.Point, error)

DecodeEphemeralPoints deserialises the BatchSize compressed EC points.

func EncodeEphemeralPoints ¶

func EncodeEphemeralPoints(pts []curves.Point) ([][]byte, error)

EncodeEphemeralPoints serialises the BatchSize EC points for transmission.

Types ¶

type ReceiverOutput ¶

type ReceiverOutput struct {
	// MasterScalar is a 32-byte seed; a_i = PRF(MasterScalar, i).
	MasterScalar []byte
	// PackedChoiceBits holds one choice bit per OT (256 bits = 32 bytes).
	PackedChoiceBits []byte
	// SenderPublicKey is the 33-byte compressed point B = b·G (Bob's DH public key).
	SenderPublicKey []byte
	// RandomChoiceBits is the unpacked choice vector — derived from PackedChoiceBits,
	// never persisted.
	RandomChoiceBits []int
}

ReceiverOutput is Alice's compact silent-OT state (replaces simplest.ReceiverOutput).

func NewReceiver ¶

func NewReceiver(curve *curves.Curve, senderProof *schnorr.Proof, senderProofSessionID []byte) (*ReceiverOutput, error)

NewReceiver generates Alice's silent-OT DKG state. senderProof is Bob's Schnorr proof; senderProofSessionID is the agreed session ID. Returns an error if the proof fails to verify.

func (*ReceiverOutput) EphemeralPoints ¶

func (r *ReceiverOutput) EphemeralPoints(curve *curves.Curve) ([]curves.Point, error)

EphemeralPoints computes {A_i = a_i·G + w_i·B} from Alice's stored state. Alice sends these BatchSize EC points to Bob at the beginning of each signing session.

func (*ReceiverOutput) ExpandReceiver ¶

func (r *ReceiverOutput) ExpandReceiver(curve *curves.Curve, sessionID [digestSize]byte) (*simplest.ReceiverOutput, error)

ExpandReceiver regenerates Alice's simplest-compatible OT decryption keys from her stored master scalar. Call this at signing time before the KOS extension.

sessionID should be a fresh per-signing session identifier (e.g., derived from the Merlin transcript) so that keys are fresh for every signing session.

func (*ReceiverOutput) GobDecode ¶

func (r *ReceiverOutput) GobDecode(data []byte) error

GobDecode reconstructs RandomChoiceBits from PackedChoiceBits after decoding.

func (ReceiverOutput) GobEncode ¶

func (r ReceiverOutput) GobEncode() ([]byte, error)

GobEncode omits RandomChoiceBits (derived field) to keep the stored size minimal.

type SenderOutput ¶

type SenderOutput struct {
	// SecretKey is the 32-byte scalar b (Bob's DH secret).
	SecretKey []byte
	// PublicKey is the 33-byte compressed point B = b·G.
	PublicKey []byte
}

SenderOutput is Bob's compact silent-OT state (replaces simplest.SenderOutput). Bob retains his DH scalar so he can regenerate the OT encryption keys at signing time once Alice sends her ephemeral points {A_i}.

func NewSender ¶

func NewSender(curve *curves.Curve, sessionID []byte) (*SenderOutput, *schnorr.Proof, error)

NewSender generates Bob's silent-OT DKG state and a Schnorr proof of the DH secret. Alice must verify this proof before trusting SenderOutput.PublicKey.

func (*SenderOutput) ExpandSender ¶

func (s *SenderOutput) ExpandSender(curve *curves.Curve, pts []curves.Point, sessionID [digestSize]byte) (*simplest.SenderOutput, error)

ExpandSender regenerates Bob's simplest-compatible OT encryption keys. pts must be the BatchSize ephemeral points {A_i} received from Alice at signing time.

sessionID must match the value passed to Alice's ExpandReceiver call for the same signing session.

Source Files ¶

View all Source files

ot.go

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL