cryprot-ot 0.3.0

Implementation of a Oblivious Transfer extension protocols.
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306

//! Adapters for OT types.

use std::io;

use bitvec::{order::Lsb0, vec::BitVec};
use cryprot_core::{Block, buf::Buf};
use cryprot_net::ConnectionError;
use futures::{SinkExt, StreamExt};
use subtle::ConditionallySelectable;
use thiserror::Error;
use tokio::io::{AsyncReadExt, AsyncWriteExt};

use crate::{
    Connected, CotReceiver, CotSender, Malicious, RandChoiceRotReceiver, RandChoiceRotSender,
    RotReceiver, RotSender, SemiHonest,
};

/// Adapts a [`RandChoiceRotReceiver`] into a [`RotReceiver`] and
/// [`RandChoiceRotSender`] into [`RotSender`].
///
/// This adapter can be used to adapt the [silent OT](`crate::silent_ot`)
/// protocol into a protocol with chosen choice bits at the cost number of OTs
/// bits of communication.
#[derive(Debug)]
pub struct ChosenChoice<P>(P);

impl<P> ChosenChoice<P> {
    pub fn new(ot_protocol: P) -> Self {
        Self(ot_protocol)
    }
}

impl<P: Connected> Connected for ChosenChoice<P> {
    fn connection(&mut self) -> &mut cryprot_net::Connection {
        self.0.connection()
    }
}

impl<P: SemiHonest> SemiHonest for ChosenChoice<P> {}

// TODO is there something I can cite that this holds?
impl<P: Malicious> Malicious for ChosenChoice<P> {}

#[derive(Error, Debug)]
pub enum Error<E> {
    #[error("unable to perform R-OTs")]
    Rot(E),
    #[error("error in sending correction values for C-OT")]
    Correction(io::Error),
    #[error("expected correction values but receiver is closed")]
    MissingCorrection,
    #[error("connection error to peer")]
    Connecion(#[from] ConnectionError),
}

impl<R: RandChoiceRotReceiver> RotReceiver for ChosenChoice<R> {
    type Error = Error<R::Error>;

    async fn receive_into(
        &mut self,
        ots: &mut impl cryprot_core::buf::Buf<cryprot_core::Block>,
        choices: &[subtle::Choice],
    ) -> Result<(), Self::Error> {
        let mut rand_choices = self
            .0
            .rand_choice_receive_into(ots)
            .await
            .map_err(Error::Rot)?;
        for (c1, c2) in rand_choices.iter_mut().zip(choices) {
            *c1 ^= *c2;
        }
        let mut bv: BitVec<u8, Lsb0> = BitVec::with_capacity(choices.len());
        bv.extend(rand_choices.iter().map(|c| c.unwrap_u8() != 0));

        let (mut tx, _) = self.connection().stream().await?;
        tx.send(bv).await.map_err(Error::Correction)?;
        Ok(())
    }
}

impl<S: RotSender + RandChoiceRotSender + Send> RotSender for ChosenChoice<S> {
    type Error = Error<S::Error>;

    async fn send_into(
        &mut self,
        ots: &mut impl cryprot_core::buf::Buf<[cryprot_core::Block; 2]>,
    ) -> Result<(), Self::Error> {
        self.0.send_into(ots).await.map_err(Error::Rot)?;
        let (_, mut rx) = self.connection().stream().await?;
        let correction: BitVec<u8, Lsb0> = rx
            .next()
            .await
            .ok_or(Error::MissingCorrection)?
            .map_err(Error::Correction)?;

        for (ots, c_bit) in ots.iter_mut().zip(correction) {
            let tmp = *ots;
            ots[0] = tmp[c_bit as usize];
            ots[1] = tmp[!c_bit as usize];
        }
        Ok(())
    }
}

/// Adapts any [`RotSender`]/[`RotReceiver`] into a
/// [`CotSender`]/[`CotReceiver`].
///
/// This adapter can also be used to easily implement the correlated OT traits
/// on the protocol types directly. Because `&mut S: RotSender` when `S:
/// RotSender` you can create a temporary [`CorrelatedFromRandom`] from a `&mut
/// self` inside an implementation of the correlated traits.
///
/// ```
/// use cryprot_core::{Block, buf::Buf};
///
/// use cryprot_ot::adapter::CorrelatedFromRandom;
/// use cryprot_ot::{Connected, CotSender, RotSender};
///
/// struct MyRotSender;
///
/// # impl Connected for MyRotSender {
/// #     fn connection(&mut self) -> &mut cryprot_net::Connection {
/// #         todo!()
/// #     }
/// # }
///
/// // Error type must implement `From<ConnectionError>` and `From<io::Error>` for
/// // adapter
/// #[derive(thiserror::Error, Debug)]
/// enum Error {
///     #[error("connection")]
///     Connection(#[from] cryprot_net::ConnectionError),
///     #[error("io")]
///     Io(#[from] std::io::Error),
/// }
///
/// impl RotSender for MyRotSender {
///     type Error = Error;
///
///     async fn send_into(
///         &mut self,
///         ots: &mut impl cryprot_core::buf::Buf<[cryprot_core::Block; 2]>,
///     ) -> Result<(), Self::Error> {
///         todo!()
///     }
/// }
///
/// impl CotSender for MyRotSender {
///     type Error = <MyRotSender as RotSender>::Error;
///
///     async fn correlated_send_into<B, F>(
///         &mut self,
///         ots: &mut B,
///         correlation: F,
///     ) -> Result<(), Self::Error>
///     where
///         B: Buf<Block>,
///         F: FnMut(usize) -> Block + Send,
///     {
///         // because &mut self also implements RotSender, we can use it for the adapter
///         CorrelatedFromRandom::new(self)
///             .correlated_send_into(ots, correlation)
///             .await
///     }
/// }
/// ```
#[derive(Debug)]
pub struct CorrelatedFromRandom<P>(P);

impl<P> CorrelatedFromRandom<P> {
    pub fn new(protocol: P) -> Self {
        Self(protocol)
    }
}

impl<P: Connected> Connected for CorrelatedFromRandom<P> {
    fn connection(&mut self) -> &mut cryprot_net::Connection {
        self.0.connection()
    }
}

impl<P: SemiHonest> SemiHonest for CorrelatedFromRandom<P> {}

// For a discussion of the security of this see https://github.com/osu-crypto/libOTe/issues/167
impl<P: Malicious> Malicious for CorrelatedFromRandom<P> {}

// should fit in one jumbo frame
const COR_CHUNK_SIZE: usize = 8500 / Block::BYTES;

impl<S: RotSender> CotSender for CorrelatedFromRandom<S>
where
    S::Error: From<ConnectionError> + From<std::io::Error>,
{
    type Error = S::Error;

    async fn correlated_send_into<B, F>(
        &mut self,
        ots: &mut B,
        mut correlation: F,
    ) -> Result<(), Self::Error>
    where
        B: Buf<Block>,
        F: FnMut(usize) -> Block + Send,
    {
        let mut r_ots = B::zeroed_arr2(ots.len());
        self.0.send_into(&mut r_ots).await?;
        let mut send_buf: Vec<Block> = Vec::zeroed(COR_CHUNK_SIZE);
        let (mut tx, _) = self.connection().byte_stream().await?;
        // Using spawn_compute here results in slightly lower performance.
        // I think there is just not enough work done per byte transmitted here.
        // This implementation is also simpler and less prone to errors than the
        // spawn_compute one.
        for (chunk_idx, (ot_chunk, rot_chunk)) in ots
            .chunks_mut(send_buf.len())
            .zip(r_ots.chunks(send_buf.len()))
            .enumerate()
        {
            for (idx, ((ot, r_ot), correction)) in ot_chunk
                .iter_mut()
                .zip(rot_chunk)
                .zip(&mut send_buf)
                .enumerate()
            {
                *ot = r_ot[0];
                *correction = r_ot[1] ^ r_ot[0] ^ correlation(chunk_idx * COR_CHUNK_SIZE + idx);
            }
            tx.write_all(bytemuck::must_cast_slice_mut(
                &mut send_buf[..ot_chunk.len()],
            ))
            .await?;
        }
        Ok(())
    }
}

impl<R: RotReceiver> CotReceiver for CorrelatedFromRandom<R>
where
    R::Error: From<ConnectionError> + From<std::io::Error>,
{
    type Error = R::Error;

    async fn correlated_receive_into<B>(
        &mut self,
        ots: &mut B,
        choices: &[subtle::Choice],
    ) -> Result<(), Self::Error>
    where
        B: Buf<Block>,
    {
        self.0.receive_into(ots, choices).await?;
        let mut recv_buf: Vec<Block> = Vec::zeroed(COR_CHUNK_SIZE);
        let (_, mut rx) = self.connection().byte_stream().await?;
        for (ot_chunk, choice_chunk) in ots
            .chunks_mut(COR_CHUNK_SIZE)
            .zip(choices.chunks(COR_CHUNK_SIZE))
        {
            rx.read_exact(bytemuck::must_cast_slice_mut(
                &mut recv_buf[..ot_chunk.len()],
            ))
            .await?;
            for ((ot, correction), choice) in ot_chunk.iter_mut().zip(&recv_buf).zip(choice_chunk) {
                let use_correction = Block::conditional_select(&Block::ZERO, &Block::ONES, *choice);
                *ot ^= use_correction & *correction;
            }
        }
        Ok(())
    }
}

#[cfg(test)]
mod tests {
    use cryprot_net::testing::{init_tracing, local_conn};
    use rand::{SeedableRng, rngs::StdRng};

    use crate::{
        RotReceiver, RotSender,
        adapter::ChosenChoice,
        random_choices,
        silent_ot::{SemiHonestSilentOtReceiver, SemiHonestSilentOtSender},
    };

    #[tokio::test]
    async fn test_chosen_choice_adapter() {
        let _g = init_tracing();
        let (c1, c2) = local_conn().await.unwrap();
        let mut sender = ChosenChoice::new(SemiHonestSilentOtSender::new(c1));
        let mut receiver = ChosenChoice::new(SemiHonestSilentOtReceiver::new(c2));

        let count = 2_usize.pow(10);
        let choices = random_choices(count, &mut StdRng::seed_from_u64(234));

        let (s_ots, r_ots) =
            tokio::try_join!(sender.send(count), receiver.receive(&choices)).unwrap();

        for (i, c) in choices.iter().enumerate() {
            assert_eq!(
                s_ots[i][c.unwrap_u8() as usize],
                r_ots[i],
                "ot {i}, choice: {}, s_ots: {:?}, r_ot: {:?}",
                c.unwrap_u8(),
                s_ots[i],
                r_ots[i]
            );
        }
    }
}