Module ot

This module implements “The Simplest Protocol for Oblivious Transfer” due to Orlandi and Chou. (cf. https://eprint.iacr.org/archive/2015/267/1527602042.pdf)

The protocol works as follows in an elliptic curve group G with base point B and scalars Scalars

Sender(l, r)            Receiver(c)
y <-$ Scalars
S := yB
T := yS    -- S -->     x <-$ Scalars
                        R := cS + xB
           <-- R --
k_l                     k = H(S, R, xS)
 = H(S, R, yR)       
k_r
 = H(S, R, yR - T)

c_l = E(k_l, l)
c_r = E(k_r, r)

         -- c_l -->
         -- c_r -->     output = D(k, c_l) if decryption successful
                        otherwise output = D(k, c_r)

We instantiate the primitives as follows: - H: HKDF(SHA-256) - group G: P256 - Encryption scheme: Chacha20Poly1305

Structs

OTCiphertext

The encryption of an OT input.

OTReceiver

The state of the receiver

OTReceiverSelect

The OT receiver’s first message.

OTSender

The state of the sender

OTSenderInit

The OT sender’s first message.

OTSenderSend

The OT sender’s second message.