ot

package

v0.0.0-...-c62aa3f Latest Latest Go to latest Published: Mar 30, 2026 License: MIT Imports: 6 Imported by: 0

Details

Valid go.mod file
Redistributable license
Tagged version
Stable version
Learn more about best practices

Repository

github.com/f3rmion/fy

Links

Open Source Insights

Documentation ¶

Overview ¶

Package ot implements Oblivious Transfer protocols for DKLs23.

It provides both base OT and OT extension:

Base OT uses the endemic OT protocol from Zhou et al. (https://eprint.iacr.org/2022/1525.pdf) as suggested in DKLs23.
OT Extension (KOS) amortizes the cost of base OT by extending a small number of base OTs (Kappa = 256) into a large batch (BatchSize = 416) using pseudorandom generators and consistency checks over GF(2^208).

The base OT protocol operates in a sender/receiver model with choice-bit-based selection. The extension protocol reverses the OT roles: the extension sender acts as a base OT receiver and vice versa.

Index ¶

Constants
Variables
type DataToSender
type ExtReceiver
- func InitExtReceiverPhase2(otSender *Sender, sessionID []byte, seed *Seed, encProofs []*dkls23.EncProof) (*ExtReceiver, error)
type ExtSender
- func InitExtSenderPhase2(otReceiver *Receiver, sessionID []byte, correlation []bool, ...) (*ExtSender, error)
- func (s *ExtSender) Run(sessionID []byte, otWidth uint8, inputCorrelations [][]group.Scalar, ...) ([][]group.Scalar, [][]group.Scalar, error)
- func (s *ExtSender) Zero()
type FieldElement
type PRGOutput
type Receiver
- func InitExtSenderPhase1(sessionID []byte) (*Receiver, []bool, []group.Scalar, []*dkls23.EncProof, error)
- func NewReceiver() (*Receiver, error)
type Seed
type Sender
- func InitExtReceiverPhase1(sessionID []byte) (*Sender, *dkls23.DLogProof, error)
- func NewSender(sessionID []byte) (*Sender, error)

Constants ¶

View Source

const (
	// Kappa is the computational security parameter (256 bits).
	Kappa = dkls23.RawSecurity
	// OTSecurity is the statistical security for the KOS consistency check
	// in GF(2^OTSecurity). Equals 128 + StatSecurity = 208 bits.
	OTSecurity = 128 + dkls23.StatSecurity
	// BatchSize is the number of usable OTs per extension invocation.
	// Equals Kappa + 2*StatSecurity = 416.
	BatchSize = dkls23.RawSecurity + 2*dkls23.StatSecurity
	// ExtendedBatchSize is the total PRG expansion width.
	// Equals BatchSize + OTSecurity = 624.
	ExtendedBatchSize = BatchSize + OTSecurity
)

OT Extension constants from DKLs23.

The relationships between these constants follow the KOS OT extension security analysis (DKLs23, Section 3.3):

Kappa             = 256          (computational security: secp256k1 scalar bits)
StatSecurity      = 80           (statistical security parameter)
OTSecurity        = 128 + 80     = 208  (KOS consistency check field size)
BatchSize         = 256 + 2*80   = 416  (OTs per extension: Kappa + 2*StatSecurity)
ExtendedBatchSize = 416 + 208    = 624  (BatchSize + OTSecurity for PRG expansion)

BatchSize includes 2*StatSecurity extra OTs beyond Kappa to absorb the statistical error from the KOS consistency check. ExtendedBatchSize adds OTSecurity bits for the GF(2^208) verification field.

Variables ¶

View Source

var ErrOTFailed = errors.New("OT protocol failed")

ErrOTFailed is returned when the OT protocol fails

Functions ¶

This section is empty.

Types ¶

type DataToSender ¶

type DataToSender struct {
	U       []PRGOutput    // Matrix U (KAPPA rows)
	VerifyX FieldElement   // Verification value x
	VerifyT []FieldElement // Verification values t (KAPPA elements)
}

DataToSender is the data transmitted from receiver to sender

type ExtReceiver ¶

type ExtReceiver struct {
	Seeds0 []dkls23.HashOutput // Seeds for bit=0
	Seeds1 []dkls23.HashOutput // Seeds for bit=1
}

ExtReceiver holds the OT extension receiver's state

func InitExtReceiverPhase2 ¶

func InitExtReceiverPhase2(
	otSender *Sender,
	sessionID []byte,
	seed *Seed,
	encProofs []*dkls23.EncProof,
) (*ExtReceiver, error)

InitExtReceiverPhase2 finishes the extension receiver initialization. The otSender's secret scalar is zeroed after use.

func (*ExtReceiver) RunPhase1 ¶

func (r *ExtReceiver) RunPhase1(sessionID []byte, choiceBits []bool) ([]PRGOutput, *DataToSender, error)

RunPhase1 runs the first phase of the receiver's protocol. The caller is responsible for calling Zero() when the ExtReceiver is no longer needed (e.g., when the signing party is disposed). Seeds are reused across signing sessions.

func (*ExtReceiver) RunPhase2 ¶

func (r *ExtReceiver) RunPhase2(
	sessionID []byte,
	otWidth uint8,
	choiceBits []bool,
	extendedSeeds []PRGOutput,
	vectorOfTau [][]group.Scalar,
) ([][]group.Scalar, error)

RunPhase2 finishes the receiver's protocol

func (*ExtReceiver) Zero ¶

func (r *ExtReceiver) Zero()

Zero securely erases seeds from the extension receiver.

type ExtSender ¶

type ExtSender struct {
	Correlation []bool              // Choice bits (KAPPA bits)
	Seeds       []dkls23.HashOutput // Seeds from base OT
}

ExtSender holds the OT extension sender's state

func InitExtSenderPhase2 ¶

func InitExtSenderPhase2(
	otReceiver *Receiver,
	sessionID []byte,
	correlation []bool,
	vecR []group.Scalar,
	dlogProof *dkls23.DLogProof,
) (*ExtSender, error)

InitExtSenderPhase2 finishes the extension sender initialization. The otReceiver's seed is zeroed after use.

func (*ExtSender) Run ¶

func (s *ExtSender) Run(
	sessionID []byte,
	otWidth uint8,
	inputCorrelations [][]group.Scalar,
	data *DataToSender,
) ([][]group.Scalar, [][]group.Scalar, error)

Run runs the sender's protocol. The caller is responsible for calling Zero() when the ExtSender is no longer needed (e.g., when the signing party is disposed). Seeds are reused across signing sessions.

func (*ExtSender) Zero ¶

func (s *ExtSender) Zero()

Zero securely erases seeds and correlation bits from the extension sender.

type FieldElement ¶

type FieldElement = [OTSecurity / 8]byte

FieldElement is an element in GF(2^OTSecurity)

type PRGOutput ¶

type PRGOutput = [ExtendedBatchSize / 8]byte

PRGOutput is the output of the pseudo-random generator

type Receiver ¶

type Receiver struct {
	Seed Seed // Random seed for generating h
}

Receiver holds the receiver's state for the base OT protocol

func InitExtSenderPhase1 ¶

func InitExtSenderPhase1(sessionID []byte) (*Receiver, []bool, []group.Scalar, []*dkls23.EncProof, error)

InitExtSenderPhase1 starts the extension sender initialization Note: Extension sender acts as base OT receiver (roles reversed)

func NewReceiver ¶

func NewReceiver() (*Receiver, error)

NewReceiver creates a new OT receiver with a fresh seed

func (*Receiver) GetSeed ¶

func (r *Receiver) GetSeed() *Seed

GetSeed returns a copy of the receiver's seed (to be sent to the sender). A copy is returned so that zeroing the Receiver does not invalidate seed values already transmitted to the counterparty.

func (*Receiver) Phase1 ¶

func (r *Receiver) Phase1(sessionID []byte, bit bool) (group.Scalar, *dkls23.EncProof, error)

Phase1 generates the receiver's data for the given choice bit. Returns the secret scalar r (to keep), the EncProof (to send), and an error. The caller MUST zero the returned scalar after use (e.g., via Phase2Step2 or Phase2Batch).

func (*Receiver) Phase1Batch ¶

func (r *Receiver) Phase1Batch(sessionID []byte, bits []bool) ([]group.Scalar, []*dkls23.EncProof, error)

Phase1Batch generates receiver data for multiple choice bits

func (*Receiver) Phase2Batch ¶

func (r *Receiver) Phase2Batch(sessionID []byte, vecR []group.Scalar, dlogProof *dkls23.DLogProof) ([]dkls23.HashOutput, error)

Phase2Batch verifies the proof and computes outputs for all scalars. The vecR scalars are zeroed after use to prevent secret leakage.

func (*Receiver) Phase2Step1 ¶

func (r *Receiver) Phase2Step1(sessionID []byte, dlogProof *dkls23.DLogProof) (group.Point, error)

Phase2Step1 verifies the sender's DLogProof and returns the point z

func (*Receiver) Phase2Step2 ¶

func (r *Receiver) Phase2Step2(sessionID []byte, rScalar group.Scalar, z group.Point) dkls23.HashOutput

Phase2Step2 computes the receiver's output message. The rScalar is zeroed after use to prevent secret leakage.

func (*Receiver) Zero ¶

func (r *Receiver) Zero()

Zero securely erases the receiver's seed.

type Seed ¶

type Seed = [dkls23.Security]byte

Seed is a 32-byte random seed used by the receiver

type Sender ¶

type Sender struct {
	S     group.Scalar      // Secret scalar
	Proof *dkls23.DLogProof // Proof of discrete log for s * G
}

Sender holds the sender's state for the base OT protocol

func InitExtReceiverPhase1 ¶

func InitExtReceiverPhase1(sessionID []byte) (*Sender, *dkls23.DLogProof, error)

InitExtReceiverPhase1 starts the extension receiver initialization Note: Extension receiver acts as base OT sender (roles reversed)

func NewSender ¶

func NewSender(sessionID []byte) (*Sender, error)

NewSender creates a new OT sender with a fresh secret and proof

func (*Sender) Phase1 ¶

func (s *Sender) Phase1() *dkls23.DLogProof

Phase1 returns the DLogProof to be sent to the receiver

func (*Sender) Phase2 ¶

func (s *Sender) Phase2(sessionID []byte, seed *Seed, encProof *dkls23.EncProof) (m0, m1 dkls23.HashOutput, err error)

Phase2 processes the receiver's data and computes the two output messages

func (*Sender) Phase2Batch ¶

func (s *Sender) Phase2Batch(sessionID []byte, seed *Seed, encProofs []*dkls23.EncProof) ([]dkls23.HashOutput, []dkls23.HashOutput, error)

Phase2Batch processes multiple encryption proofs from the receiver

func (*Sender) Zero ¶

func (s *Sender) Zero()

Zero securely erases the sender's secret scalar.

Source Files ¶

View all Source files

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL