privacy-scaling-explorations · th4s · Jan 17, 2024 · Jan 19, 2024 · Jan 19, 2024 · Jan 19, 2024
diff --git a/crates/Cargo.toml b/crates/Cargo.toml
@@ -15,6 +15,8 @@ members = [
     "mpz-share-conversion-core",
     "matrix-transpose",
     "clmul",
+    "mpz-ole",
+    "mpz-ole-core"
 ]
 resolver = "2"
 
@@ -38,6 +40,8 @@ mpz-garble = { path = "mpz-garble" }
 mpz-garble-core = { path = "mpz-garble-core" }
 mpz-share-conversion = { path = "mpz-share-conversion" }
 mpz-share-conversion-core = { path = "mpz-share-conversion-core" }
+mpz-ole = { path = "mpz-ole" }
+mpz-ole-core = { path = "mpz-ole-core" }
 clmul = { path = "clmul" }
 matrix-transpose = { path = "matrix-transpose" }
 

diff --git a/crates/mpz-fields/src/lib.rs b/crates/mpz-fields/src/lib.rs
@@ -35,6 +35,7 @@ pub trait Field:
     + GetBit<Lsb0>
     + GetBit<Msb0>
     + BitLength
+    + Unpin
 {
     /// The number of bits of a field element.
     const BIT_SIZE: u32;

diff --git a/crates/mpz-ole-core/Cargo.toml b/crates/mpz-ole-core/Cargo.toml
@@ -0,0 +1,16 @@
+[package]
+name = "mpz-ole-core"
+version = "0.1.0"
+edition = "2021"
+
+[lib]
+name = "mpz_ole_core"
+
+[dependencies]
+rand.workspace = true
+itybity.workspace = true
+thiserror.workspace = true
+
+mpz-fields.workspace = true
+mpz-core.workspace = true
+mpz-ot-core.workspace = true
diff --git a/crates/mpz-ole-core/src/core/mod.rs b/crates/mpz-ole-core/src/core/mod.rs
@@ -0,0 +1,113 @@
+//! This implementation uses the COPEe protocol from <https://eprint.iacr.org/2016/505> page 10.
+//!
+//! We use this construction to implement oblivious linear function evaluation (OLE) instead of
+//! vector OLE (VOLE), which means that we do not use PRGs, i.e. Extend can only be called once.                                                  
+//!                                                                                       
+//! Note that this is an OLE with errors implementation. The sender can introduce additive errors.
+//! Input privacy is guaranteed, but output privacy is not, when `0` is chosen as an input value.
+
+mod receiver;
+mod sender;
+
+pub(crate) use receiver::{ReceiverAdjust, ReceiverShare};
+pub(crate) use sender::{SenderAdjust, SenderShare};
+
+use mpz_fields::Field;
+
+/// Workaround because of feature `generic_const_exprs` not available in stable.
+///
+/// This is used to check at compile-time that the correct const-generic implementation is used for
+/// a specific field.
+struct Check<const N: usize, F: Field>(std::marker::PhantomData<F>);
+
+impl<const N: usize, F: Field> Check<N, F> {
+    const IS_BITSIZE_CORRECT: () = assert!(
+        N as u32 == F::BIT_SIZE,
+        "Wrong bit size used for field. You need to use `F::BIT_SIZE` for N."
+    );
+}
+
+/// The masked input of the sender.
+///
+/// This is the correlation which is sent to the receiver and hides the sender's input.
+pub struct MaskedInput<const N: usize, F>([F; N]);
+
+/// The exchange field element for share adjustment.
+///
+/// This needs to be sent to each other in order to complete the share adjustment.
+pub struct ShareAdjust<F>(F);
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::tests::create_rot;
+    use mpz_core::{prg::Prg, Block};
+    use mpz_fields::{p256::P256, Field, UniformRand};
+    use rand::SeedableRng;
+
+    #[test]
+    fn test_ole_core() {
+        let mut rng = Prg::from_seed(Block::ZERO);
+
+        let sender_input = P256::rand(&mut rng);
+        let receiver_input = P256::rand(&mut rng);
+
+        let (sender_share, receiver_share) =
+            create_ole::<256, 32, P256>(sender_input, receiver_input);
+
+        let a = sender_input;
+        let b = receiver_input;
+        let x = sender_share.inner();
+        let y = receiver_share.inner();
+
+        assert_eq!(y, a * b + x);
+    }
+
+    #[test]
+    fn test_ole_adjust() {
+        let mut rng = Prg::from_seed(Block::ZERO);
+
+        let sender_input = P256::rand(&mut rng);
+        let receiver_input = P256::rand(&mut rng);
+
+        let sender_target = P256::rand(&mut rng);
+        let receiver_target = P256::rand(&mut rng);
+
+        let (sender_share, receiver_share) =
+            create_ole::<256, 32, P256>(sender_input, receiver_input);
+
+        let (sender_adjust, s_to_r_adjust) = sender_share.adjust(sender_target);
+        let (receiver_adjust, r_to_s_adjust) = receiver_share.adjust(receiver_target);
+
+        let sender_share_adjusted = sender_adjust.finish(r_to_s_adjust);
+        let receiver_share_adjusted = receiver_adjust.finish(s_to_r_adjust);
+
+        let a = sender_target;
+        let b = receiver_target;
+        let x = sender_share_adjusted.inner();
+        let y = receiver_share_adjusted.inner();
+
+        assert_eq!(y, a * b + x);
+    }
+
+    // Unergonomic API because of lack of proper const generic support
+    // N should be BIT_SIZE of F
+    // K should be BYTE_SIZE of F
+    fn create_ole<const N: usize, const K: usize, F: Field>(
+        sender_input: F,
+        receiver_input: F,
+    ) -> (SenderShare<F>, ReceiverShare<F>) {
+        let receiver_input_vec = vec![receiver_input];
+
+        let (ot_messages, ot_message_choices) = create_rot::<K, F>(receiver_input_vec);
+
+        let ot_messages: [[F; 2]; N] = ot_messages.try_into().unwrap();
+        let ot_message_choices: [F; N] = ot_message_choices.try_into().unwrap();
+        let ot_choice = receiver_input;
+
+        let (sender_share, correlation) = SenderShare::new(sender_input, ot_messages);
+        let receiver_share = ReceiverShare::new(ot_choice, ot_message_choices, correlation);
+
+        (sender_share, receiver_share)
+    }
+}
diff --git a/crates/mpz-ole-core/src/core/receiver.rs b/crates/mpz-ole-core/src/core/receiver.rs
@@ -0,0 +1,92 @@
+//! Receiver shares for Oblivious Linear Function Evaluation (OLE).
+
+use super::{Check, MaskedInput, ShareAdjust};
+use itybity::ToBits;
+use mpz_fields::Field;
+
+/// Receiver share for OLE.
+#[derive(Debug)]
+pub struct ReceiverShare<F> {
+    input: F,
+    output: F,
+}
+
+impl<F: Field> ReceiverShare<F> {
+    /// Creates a new [`ReceiverShare`].
+    ///
+    /// # Arguments
+    ///
+    /// * `input` - The receiver's input share. This is his OT choice bits as a field element.
+    /// * `ot_message_choices` - The receiver's OT message choices as field elements.
+    /// * `masked` - The correlation masking the sender's input.
+    ///
+    /// # Returns
+    ///
+    /// * The receiver's share.
+    pub(crate) fn new<const N: usize>(
+        input: F,
+        ot_message_choices: [F; N],
+        masked: MaskedInput<N, F>,
+    ) -> Self {
+        // Check that the right N is used depending on the needed bit size of the field.
+        let _: () = Check::<N, F>::IS_BITSIZE_CORRECT;
+
+        let delta_i = input.iter_lsb0();
+        let ui = masked.0.iter();
+        let t_delta_i = ot_message_choices.iter();
+
+        let output = delta_i.zip(ui).zip(t_delta_i).enumerate().fold(
+            F::zero(),
+            |acc, (i, ((delta, &u), &t))| {
+                let delta = if delta { F::one() } else { F::zero() };
+                acc + F::two_pow(i as u32) * (delta * u + t)
+            },
+        );
+
+        Self { input, output }
+    }
+
+    /// Returns the receiver's output share.
+    pub fn inner(self) -> F {
+        self.output
+    }
+
+    /// Adjust a preprocessed share.
+    ///
+    /// This is an implementation of <https://crypto.stackexchange.com/questions/100634/converting-a-random-ole-oblivious-linear-function-evaluation-to-an-ole>.
+    ///
+    /// # Arguments
+    ///
+    ///  * `target` - The new target input of the OLE.
+    ///
+    /// # Returns
+    ///
+    /// * The intermediate receiver share, which needs the sender's adjustment.
+    /// * The receiver adjustment which needs to be sent to the sender.
+    pub(crate) fn adjust(self, target: F) -> (ReceiverAdjust<F>, ShareAdjust<F>) {
+        (
+            ReceiverAdjust {
+                old_output: self.output,
+                new_input: target,
+            },
+            ShareAdjust(self.input + target),
+        )
+    }
+}
+
+/// Intermediate type for share adjustment of the receiver.
+#[derive(Debug)]
+pub struct ReceiverAdjust<F> {
+    old_output: F,
+    new_input: F,
+}
+
+impl<F: Field> ReceiverAdjust<F> {
+    /// Finishes the adjustment and returns the adjusted receiver's share.
+    pub(crate) fn finish(self, adjust: ShareAdjust<F>) -> ReceiverShare<F> {
+        ReceiverShare {
+            input: self.new_input,
+            output: self.old_output + self.new_input * adjust.0,
+        }
+    }
+}
diff --git a/crates/mpz-ole-core/src/core/sender.rs b/crates/mpz-ole-core/src/core/sender.rs
@@ -0,0 +1,94 @@
+//! Sender shares for Oblivious Linear Function Evaluation (OLE).
+
+use super::{Check, MaskedInput, ShareAdjust};
+use mpz_fields::Field;
+
+/// Sender share for OLE.
+#[derive(Debug)]
+pub struct SenderShare<F> {
+    input: F,
+    output: F,
+}
+
+impl<F: Field> SenderShare<F> {
+    /// Creates a new [`SenderShare`].
+    ///
+    /// # Arguments
+    ///
+    /// * `input` - The sender's input share.
+    /// * `ot_messages` - OT messages needed for the correlation.
+    ///
+    /// # Returns
+    ///
+    /// * The sender's share.
+    /// * The correlation which will be sent to the receiver.
+    pub(crate) fn new<const N: usize>(
+        input: F,
+        ot_messages: [[F; 2]; N],
+    ) -> (Self, MaskedInput<N, F>) {
+        // Check that the right N is used depending on the needed bit size of the field.
+        let _: () = Check::<N, F>::IS_BITSIZE_CORRECT;
+
+        let output = ot_messages
+            .iter()
+            .enumerate()
+            .fold(F::zero(), |acc, (i, &[zero, _])| {
+                acc + F::two_pow(i as u32) * zero
+            });
+        let share = Self { input, output };
+
+        let mut ui = [F::zero(); N];
+        ui.iter_mut()
+            .zip(ot_messages)
+            .for_each(|(u, [zero, one])| *u = zero + -one + input);
+        let masked = MaskedInput(ui);
+
+        (share, masked)
+    }
+
+    /// Returns the sender's output share.
+    pub fn inner(self) -> F {
+        self.output
+    }
+
+    /// Adjust a preprocessed share.
+    ///
+    /// This is an implementation of <https://crypto.stackexchange.com/questions/100634/converting-a-random-ole-oblivious-linear-function-evaluation-to-an-ole>.
+    ///
+    /// # Arguments
+    ///
+    ///  * `target` - The new target input for the OLE.
+    ///
+    /// # Returns
+    ///
+    /// * The intermediate sender share, which needs the receiver's adjustment.
+    /// * The sender adjustment which needs to be sent to the receiver.
+    pub(crate) fn adjust(self, target: F) -> (SenderAdjust<F>, ShareAdjust<F>) {
+        (
+            SenderAdjust {
+                old_input: self.input,
+                old_output: self.output,
+                new_input: target,
+            },
+            ShareAdjust(self.input + target),
+        )
+    }
+}
+
+/// Intermediate type for share adjustment of the sender.
+#[derive(Debug)]
+pub struct SenderAdjust<F> {
+    old_input: F,
+    old_output: F,
+    new_input: F,
+}
+
+impl<F: Field> SenderAdjust<F> {
+    /// Finishes the adjustment and returns the adjusted sender's share.
+    pub(crate) fn finish(self, adjust: ShareAdjust<F>) -> SenderShare<F> {
+        SenderShare {
+            input: self.new_input,
+            output: self.old_output + self.old_input * adjust.0,
+        }
+    }
+}