README
¶
S decides on its input (what it will offer to R).
There are going to be m transfers.
S will offer n possibilities per transfer, each possibility is an l-bit vector.
For transfer j, S offers (xj,0, ..., xj,n-1).
R makes its choices r1...rm in advance. (NB 1-indexed)
Each choice rj is a number 0 <= rj < n <= k.
So R wants to receive x1,r1 ... xm,rm.
Each choice rj can be encoded into k bits by enc(rj) = crj.
(Encoding must be injective and satisfy distance requirements for security;
in practice n must be much less than k, e.g., n=log(k)).
S chooses s (vector of k bits) at random.
R chooses k-bit vectors t1,0 ... tm,0 at random.
R sets k-bit vectors t1,1 ... tm,1 such that XOR(tj,0 , tj,1) = crj
This defines two matrices T0 and T1.
Now we do base OT with R acting as sender and S acting as receiver.
There are k transfers where S receives according to s0, ..., sk-1,
and R sends the corresponding columns of T0 and T1.
S forms the received columns into a matrix Q.
Now we can check that for each qj (row j of Q),
XOR(qj,tj,0) = AND(crj, s).
Now for transfer j S has input (xj,0, ..., xj,n-1) and sends for each 0 <= r < n
XOR(xj,r, H(j,XOR(qj,AND(cr,s))
Note that here for every 0 <= r < n the codeword cr is public,
and R has chosen one of them crj.
The point is that S has all the info it needs to send.
Now r knows that its choice is rj, where 0 <= rj < n.
So it ignores all that S has sent but
[*] = XOR(xj,rj, H(j,XOR(qj,AND(crj,s))))
Then it XORs this with H(j, tj,0) i.e. tj,0 is the jth row of T0.
Recall
XOR(qj,tj,0) = AND(crj, s).
So,
tj,0 = XOR(qj,AND(crj,s))
So plugging in to [*],
[*] = XOR(xj,rj, H(j,tj,0))
Now since R has T0 it can compute H(j,tj,0) and recover xj,rj = XOR([*], H(j,tj,0)).
MODIFICATION for streaming and fork is easy.
MODIFICATION so that R can choose later?
R chooses r1...rm randomly.
R uses "real choices" w1...wm.
Now on transfer j R starts by sending an "adjustment factor" A = (wj - rj) mod n.
Note that S never knew rj so can't recover wj or rj from this.
Recall in the original version, for transfer j S has input (xj,0, ..., xj,n-1) and sends for each 0 <= r < n
XOR(xj,r, H(j,XOR(qj,AND(cr,s))
In our modification S has (xj,0, ..., xj,n-1) and sends for each 0 <= r < n
XOR(xj,r, H(j,XOR(qj,AND(c((r-A) mod n),s))
Note that when r=wj
rj = (r-A) mod n
Therefore R looks at the choice where r=wj which has the form
[*] = XOR(xj,wj, H(j,XOR(qj,AND(crj,s))
Just as in the original we have
tj,0 = XOR(qj,AND(crj,s))
So plugging in to [*],
[*] = XOR(xj,wj, H(j,tj,0))
Now since R has T0 it can compute H(j,tj,0) and recover xj,wj = XOR([*], H(j,tj,0)).
Documentation
¶
Index ¶
- Constants
- func AddMod(z, x, y, n *big.Int) *big.Int
- func GenNPParam() *big.Int
- func MuxBytes(c, a, b []byte) []byte
- func NewNP() (*NPSender, *NPReceiver)
- func NewPRG(seed []byte) cipher.Stream
- func NewSimple() (*SimpleSender, *SimpleReceiver)
- func PrimaryReceiver(S Sender, refreshCh chan int, k, m int) chan nextRequest
- func PrimarySender(R Receiver, refreshCh chan int, k, m int) chan getRequest
- func PrintBits(r []byte)
- func PrintBytes(r []byte)
- func RO(input []byte, outBits int) []byte
- func RO_j(curPair int, input []byte, outBits int) []byte
- func RandomBytes(numBytes int) []byte
- func SubMod(z, x, y, n *big.Int) *big.Int
- func XorBytes(a, b []byte) []byte
- func XorBytesTo(a, b, result []byte)
- type ExtChans
- type ExtendReceiver
- type ExtendSender
- type HashedElGamalCiph
- type Message
- type MessagePair
- type MplexReceiver
- type MplexSender
- type NPChans
- type NPReceiver
- type NPSender
- type PerBlockMplexChans
- type PerNodePairMplexChans
- type PrivateKey
- type PublicKey
- type Receiver
- type Selector
- type SendRequest
- type Sender
- type SimpleReceiver
- type SimpleSender
- type StreamReceiver
- func (R *StreamReceiver) Fork(to chan []byte, from chan MessagePair) *StreamReceiver
- func (R *StreamReceiver) Receive(s Selector) Message
- func (R *StreamReceiver) ReceiveM(r []byte) []Message
- func (R *StreamReceiver) ReceiveMBits(r []byte) []byte
- func (R *StreamReceiver) ReceiveMRandomBits(r []byte) []byte
- type StreamSender
Constants ¶
View Source
const ( KEY_SIZE = aes.BlockSize NUM_PAIRS = 1024 * 64 SEC_PARAM = 80 )
View Source
const ( RSA_KEYSIZE = 1024 NONCE_SIZE = 117 // size of public modulus (==128) - 11 == 117 is max size that can be applyPermed )
View Source
const ( SeedBytes = 16 NumStreams = 80 // the constant formerly known as k. Must be a multiple of 8 )
Variables ¶
This section is empty.
Functions ¶
func GenNPParam ¶
func MuxBytes ¶
Bitwise MUX of byte sequences a and b, according to byte sequence c. Each bit of the result is the corresponding bit of a if the corresponding bit of c is 0, or the corresponding bit of b if the corresponding bit of c is 1.
func NewNP ¶
func NewNP() (*NPSender, *NPReceiver)
func NewSimple ¶
func NewSimple() (*SimpleSender, *SimpleReceiver)
func PrimaryReceiver ¶
func PrimarySender ¶
func PrintBytes ¶
func PrintBytes(r []byte)
func RO_j ¶
Currently not used because of Footnote 10, page 13 of Ishai03: It is not hard to verify that as long as the receiver is honest, the protocol remains secure. The inclusion of j in the input to the random oracle slightly simplifies the analysis and is useful towards realizing the fully secure variant of this protocol.
func RandomBytes ¶
func XorBytesTo ¶
func XorBytesTo(a, b, result []byte)
Bitwise XOR of byte sequences a and b, which must have the same length
Types ¶
type ExtendReceiver ¶
func (*ExtendReceiver) Receive ¶
func (self *ExtendReceiver) Receive(s Selector) Message
func (*ExtendReceiver) ReceiveM ¶
func (R *ExtendReceiver) ReceiveM(r []byte) []Message
func (*ExtendReceiver) ReceiveMBits ¶
func (R *ExtendReceiver) ReceiveMBits(r []byte) []byte
type ExtendSender ¶
type ExtendSender struct {
R Receiver
// contains filtered or unexported fields
}
func (*ExtendSender) Send ¶
func (self *ExtendSender) Send(m0, m1 Message)
func (*ExtendSender) SendM ¶
func (S *ExtendSender) SendM(a, b []Message)
Send m message pairs in one call
func (*ExtendSender) SendMBits ¶
func (S *ExtendSender) SendMBits(a, b []byte)
Send m pairs of bits (1-bit messages) in one call
type HashedElGamalCiph ¶
type MessagePair ¶
type MessagePair struct {
M0, M1 []byte
}
type MplexReceiver ¶
type MplexReceiver struct {
// contains filtered or unexported fields
}
func (*MplexReceiver) Receive ¶
func (self *MplexReceiver) Receive(s Selector) Message
func (*MplexReceiver) ReceiveM ¶
func (R *MplexReceiver) ReceiveM(r []byte) []Message
func (*MplexReceiver) ReceiveMBits ¶
func (R *MplexReceiver) ReceiveMBits(r []byte) []byte
type MplexSender ¶
type MplexSender struct {
// contains filtered or unexported fields
}
func (*MplexSender) Send ¶
func (self *MplexSender) Send(m0, m1 Message)
func (*MplexSender) SendM ¶
func (S *MplexSender) SendM(a, b []Message)
Send m message pairs in one call
func (*MplexSender) SendMBits ¶
func (S *MplexSender) SendMBits(a, b []byte)
Send m pairs of bits (1-bit messages) in one call
type NPChans ¶
type NPChans struct {
ParamChan chan *big.Int `fatchan:"reply"`
NpRecvPk chan *big.Int `fatchan:"request"`
NpSendEncs chan HashedElGamalCiph `fatchan:"reply"`
}
type NPReceiver ¶
func NewNPReceiver ¶
func NewNPReceiver(npC chan *big.Int, npRecvPk chan *big.Int, npSendEncs chan HashedElGamalCiph) *NPReceiver
func (*NPReceiver) Receive ¶
func (self *NPReceiver) Receive(s Selector) Message
func (*NPReceiver) ReceiveM ¶
func (R *NPReceiver) ReceiveM(r []byte) []Message
func (*NPReceiver) ReceiveMBits ¶
func (R *NPReceiver) ReceiveMBits(r []byte) []byte
type NPSender ¶
func NewNPSender ¶
type PerBlockMplexChans ¶
type PerBlockMplexChans struct {
RepCh chan []byte `fatchan:"request"` // One per sender/receiver pair, sender->receiver
ReqCh chan SendRequest `fatchan:"reply"` // One per sender/receiver pair, receiver->sender
}
type PerNodePairMplexChans ¶
type PerNodePairMplexChans struct {
RefreshCh chan int `fatchan:"reply"` // One per SET of multiplexed sender/receiver, receiver->sender
}
Channels needed for multiplex OT to function In gc case, generator is client and sender, evaluator is server and receiver We send an MplexChans from client to server, so fatchan notations are relative to generator/client/sender
type PrivateKey ¶
PrivateKey represents an ElGamal private key.
type Receiver ¶
type Receiver interface {
Receive(Selector) Message
ReceiveM(r []byte) []Message
ReceiveMBits(r []byte) []byte
}
func NewExtendReceiver ¶
func NewMplexReceiver ¶
func NewMplexReceiver(c chan []byte, reqCh chan SendRequest, nextCh chan nextRequest) Receiver
func NewOTChansReceiver ¶
type SendRequest ¶
type SendRequest struct {
// contains filtered or unexported fields
}
type Sender ¶
func NewExtendSender ¶
func NewMplexSender ¶
func NewMplexSender(c chan []byte, reqCh chan SendRequest, getCh chan getRequest) Sender
func NewOTChansSender ¶
type SimpleReceiver ¶
type SimpleReceiver struct {
// contains filtered or unexported fields
}
func (SimpleReceiver) Receive ¶
func (self SimpleReceiver) Receive(b Selector) Message
type SimpleSender ¶
type SimpleSender struct {
// contains filtered or unexported fields
}
func (SimpleSender) Send ¶
func (self SimpleSender) Send(a0, a1 Message)
type StreamReceiver ¶
type StreamReceiver struct {
// contains filtered or unexported fields
}
func NewStreamReceiver ¶
func NewStreamReceiver(sender Sender, to chan<- []byte, from <-chan MessagePair) *StreamReceiver
func (*StreamReceiver) Fork ¶
func (R *StreamReceiver) Fork(to chan []byte, from chan MessagePair) *StreamReceiver
Create a new StreamReceiver that can operate independently of the parent StreamReceiver (concurrent operation). It must be paired (via to/from) with a StreamSender forked from the original StreamReceiver's StreamSender.
func (*StreamReceiver) Receive ¶
func (R *StreamReceiver) Receive(s Selector) Message
func (*StreamReceiver) ReceiveM ¶
func (R *StreamReceiver) ReceiveM(r []byte) []Message
func (*StreamReceiver) ReceiveMBits ¶
func (R *StreamReceiver) ReceiveMBits(r []byte) []byte
func (*StreamReceiver) ReceiveMRandomBits ¶
func (R *StreamReceiver) ReceiveMRandomBits(r []byte) []byte
type StreamSender ¶
type StreamSender struct {
// contains filtered or unexported fields
}
func NewStreamSender ¶
func NewStreamSender(receiver Receiver, to chan<- MessagePair, from <-chan []byte) *StreamSender
func (*StreamSender) Fork ¶
func (S *StreamSender) Fork(to chan<- MessagePair, from chan []byte) *StreamSender
Create a new StreamSender that can operate independently of the parent StreamSender (concurrent operation). It must be paired (via to/from) with a StreamReceiver forked from the original StreamSender's StreamReceiver.
func (*StreamSender) Send ¶
func (S *StreamSender) Send(a, b Message)
Inefficient, just for compatibility
func (*StreamSender) SendM ¶
func (S *StreamSender) SendM(a, b []Message)
Send m message pairs at once
func (*StreamSender) SendMBits ¶
func (S *StreamSender) SendMBits(a, b []byte)
Send m pairs of bits (1-bit messages) at once
func (*StreamSender) SendMRandomBits ¶
func (S *StreamSender) SendMRandomBits(m int) ([]byte, []byte)
Send m pairs of random bits (1-bit messages) at once
Source Files
Click to show internal directories.
Click to hide internal directories.