CryProt-OT implements several oblivious transfer protocols.
- base OT: “Simplest OT” [CO15] (classical security)
- post-quantum base OT: ML-KEM based OT [MR19] (post-quantum security, enable one of the ml-kem-base-ot-{512,768,1024} features)
- semi-honest OT extension: optimized [IKNP03] protocol
- malicious OT extension: optimized [KOS15] protocol
- silent OT extension: [BCG+19] silent OT using [RRT23] code (semi-honest and malicious with [YWL+20] consistency check)
This library is heavily inspired by and in parts a port of the C++ libOTe library.
§ML-KEM Base OT
Enable one of the ml-kem-base-ot-{512,768,1024} features to use
ML-KEM-based OT for the base OT protocol, providing post-quantum security:
This replaces the classical “Simplest OT” with an ML-KEM-based construction
following FIPS 203 at https://csrc.nist.gov/pubs/fips/203/final, similar to libOTe’s ENABLE_MR_KYBER option.
We use the ML-KEM crate https://crates.io/crates/ml-kem.
§Benchmarks
We continuously run the benchmark suite in CI, with the results publicly available on bencher.dev. The raw criterion output, including throughput, is available in the logs of the bench workflow (latest run > benchmarks job > Run Benchmarks step).
§OT Extension Benchmarks
The following are benchmark numbers for several OT protocols on a 4-core VM running on an AMD EPYC 9454P. For up-to-date benchmarks, view the links in the benchmarks section. Each OT sender/receiver uses one worker thread and as many background threads as there are cores for communication (which by default is also encrypted as part of QUIC).
| Benchmark | Mean Throughput (million OT/s) |
|---|---|
| Semi-honest R-OT ext. (2^24 R-OTs) | 51.539 |
| Malicious R-OT ext. (2^24 R-OTs) | 33.663 |
| Semi-Honest Silent C-OT ext. (2^21 C-OTs) | 4.2306 |
| Semi-Honest Silent R-OT ext. (2^21 R-OTs) | 9.5426 |
| Malicious Silent R-OT ext. (2^21 R-OTs) | 7.4180 |
Silent OT will perform faster for smaller numbers of OTs at slightly increased communication.
Our OT implementations should be on par with or faster than those in libOTe. In the future we want to benchmark libOTe on the same hardware for a fair comparison.
Base OT Benchmark (Simplest OT):
| Benchmark | Mean Time (ms) |
|---|---|
| 128 base R-OTs | 28.001 |
Modules§
- adapter: Adapters for OT types.
- extension: Fast OT extension using optimized [IKNP03] (semi-honest) or [KOS15] (malicious) protocol.
- mlkem_ot: Post-quantum base OT using ML-KEM.
- noisy_vole: Noisy-Vole computes for chosen c and delta, a and b s.t. a = b + c * delta in GF(2^128).
- phase: Phase identifiers used for cryprot_net::metrics.
- silent_ot: Semi-honest and malicious Silent OT implementation using expand-convolute code [RRT23].
- simplest_ot: Simplest-OT base OT protocol by [CO15] (malicious security).
Structs§
- MaliciousMarker: Used as a marker type for malicious security OT implementation.
- SemiHonestMarker: Used as a marker type for semi-honest security OT implementation.
Traits§
- Connected: Trait for OT receivers/senders which hold a Connection.
- CotReceiver
- CotSender: Correlated OT sender (C-OT).
- Malicious: Marker trait for OT implementations secure against malicious adversaries.
- RandChoiceRotReceiver: Returns a random choice vector alongside OTs.
- RandChoiceRotSender: Marker trait for R-OT Senders that are paired with a random choice receiver.
- RotReceiver: A random OT receiver.
- RotSender: A random OT sender.
- Security: Used to abstract over SemiHonestMarker or MaliciousMarker.
- SemiHonest: Marker trait for OT implementations secure against semi-honest adversaries.
Functions§
- random_choices: Sample count many Choices using the provided rng.
Type Aliases§
- BaseOt: Base OT implementation used by extension protocols.
- BaseOtError: Error type for base OT operations.