add ML-KEM as an option for base OT

This makes the base OT post-quantum secure by utilizing ML-KEM key
encapsulation via https://crates.io/crates/ml-kem.

We keep the Simplest OT as default base OT and make ML-KEM optional by
adding a compile-time feature, namely `ml-kem-base-ot`.

Note that `MlKemOt` is not `trait Malicious` secure (it is only
`trait SemiHonest` secure) as the receiver can generate two real
decapsulation keys, allowing it to decapsulate both ciphertexts and
learn both OT messages. When used in an OT extension protocol,
semi-honest base OT is sufficient for the whole protocol to have
malicious security.

Author: dartdart26

.devcontainer/devcontainer.json

@@ -0,0 +1,22 @@
+{
+    "image": "mcr.microsoft.com/devcontainers/base:ubuntu-24.04",
+    "features": {
+        "ghcr.io/devcontainers/features/rust:1": {},
+        "ghcr.io/devcontainers/features/common-utils:2": {},
+        "ghcr.io/devcontainers/features/node:1": {}
+    },
+    "customizations": {
+        "vscode": {
+            "extensions": [
+                "rust-lang.rust-analyzer",
+                "vadimcn.vscode-lldb",
+                "eamodio.gitlens"
+            ],
+            "settings": {
+                "git.allowForcePush": true,
+                "diffEditor.ignoreTrimWhitespace": false,
+                "editor.formatOnSave": true
+            }
+        }
+    }
+}

Cargo.lock

@@ -31,6 +31,7 @@ fastdivide = "0.4.2"
 futures = "0.3.30"
 hybrid-array = { version = "0.4.1", features = ["bytemuck"] }
 libc = "0.2.169"
+ml-kem = "0.2.2"
 ndarray = "0.17.2"
 num-traits = "0.2.19"
 rand = "0.9.0"
@@ -40,7 +41,8 @@ rayon = "1.10.0"
 s2n-quic = "1.37.0"
 seq-macro = "=0.3.6"
 serde = "1.0.203"
-subtle = "2.6.1"
+serde_bytes = "0.11.19"
+subtle = { version = "2.6.1", features = ["const-generics"] }
 thiserror = "2.0.18"
 tokio = "1.37.0"
 tokio-serde = "0.9.0"

Cargo.toml

@@ -11,7 +11,7 @@ The `cryprot` crates implement several **cryp**tographic **prot**ocols and utili
 | [`cryprot-net`] | Networking abstractions built atop [s2n-quic](https://docs.rs/s2n-quic/latest/s2n_quic/). | [![crates.io](https://img.shields.io/crates/v/cryprot-net)](https://crates.io/crates/cryprot-net) | [![docs.rs](https://img.shields.io/docsrs/cryprot-net)](https://docs.rs/cryprot-net) |
 | [`cryprot-pprf`] | Distributed PPRF implementation used in Silent OT [[BCG+19]](https://eprint.iacr.org/2019/1159), based on [libOTe](https://github.com/osu-crypto/libOTe). | [![crates.io](https://img.shields.io/crates/v/cryprot-pprf)](https://crates.io/crates/cryprot-pprf) | [![docs.rs](https://img.shields.io/docsrs/cryprot-pprf)](https://docs.rs/cryprot-pprf) |
 | [`cryprot-codes`] | Expand-convolute linear code [[RRT23]](https://eprint.iacr.org/2023/882), based on [libOTe](https://github.com/osu-crypto/libOTe), used in Silent OT. | [![crates.io](https://img.shields.io/crates/v/cryprot-codes)](https://crates.io/crates/cryprot-codes) | [![docs.rs](https://img.shields.io/docsrs/cryprot-codes)](https://docs.rs/cryprot-codes) |
-| [`cryprot-ot`] | Oblivious transfer implementations:<br>• Base OT: "Simplest OT" [[CO15]](https://eprint.iacr.org/2015/267)<br>• OT extensions: [[IKNP03]](https://www.iacr.org/archive/crypto2003/27290145/27290145.pdf)<br>• Malicious OT extension: [[KOS15]](https://eprint.iacr.org/2015/546.pdf)<br>• Silent OT extension: [[BCG+19]](https://eprint.iacr.org/2019/1159) Silent OT using [[RRT23]](https://eprint.iacr.org/2023/882) code and optional [[YWL+20]](https://dl.acm.org/doi/pdf/10.1145/3372297.3417276) consistency check for malicious security. | [![crates.io](https://img.shields.io/crates/v/cryprot-ot)](https://crates.io/crates/cryprot-ot) | [![docs.rs](https://img.shields.io/docsrs/cryprot-ot)](https://docs.rs/cryprot-ot) |
+| [`cryprot-ot`] | Oblivious transfer implementations:<br>• Base OT: "Simplest OT" [[CO15]](https://eprint.iacr.org/2015/267)<br>• Base OT (post-quantum, optional): [ML-KEM-768](https://crates.io/crates/ml-kem) based OT [[FIPS 203]](https://csrc.nist.gov/pubs/fips/203/final)<br>• OT extensions: [[IKNP03]](https://www.iacr.org/archive/crypto2003/27290145/27290145.pdf)<br>• Malicious OT extension: [[KOS15]](https://eprint.iacr.org/2015/546.pdf)<br>• Silent OT extension: [[BCG+19]](https://eprint.iacr.org/2019/1159) Silent OT using [[RRT23]](https://eprint.iacr.org/2023/882) code and optional [[YWL+20]](https://dl.acm.org/doi/pdf/10.1145/3372297.3417276) consistency check for malicious security. | [![crates.io](https://img.shields.io/crates/v/cryprot-ot)](https://crates.io/crates/cryprot-ot) | [![docs.rs](https://img.shields.io/docsrs/cryprot-ot)](https://docs.rs/cryprot-ot) |
 
 Documentation for the latest main branch state is available [here](https://robinhundt.github.io/CryProt/cryprot_ot/).
 ## Platform Support

README.md

@@ -9,6 +9,10 @@ version = "0.2.1"
 authors.workspace = true
 repository.workspace = true
 
+[features]
+# Use ML-KEM-based OT for base OT.
+ml-kem-base-ot = []
+
 [lints]
 workspace = true
 
@@ -25,7 +29,10 @@ cryprot-net.workspace = true
 cryprot-pprf.workspace = true
 curve25519-dalek = { workspace = true, features = ["rand_core", "serde"] }
 futures.workspace = true
+ml-kem.workspace = true
 rand.workspace = true
+serde_bytes.workspace = true
+serde = { workspace = true, features = ["derive"] }
 subtle.workspace = true
 thiserror.workspace = true
 tokio = { workspace = true, features = ["io-util"] }

cryprot-ot/Cargo.toml

@@ -6,6 +6,7 @@
 Oblivious transfer implementations. Currently implemented are the following:
 
 - base OT: "Simplest OT" [[CO15](https://eprint.iacr.org/2015/267)]
+- base OT (post-quantum, optional): [ML-KEM-768](https://crates.io/crates/ml-kem) based OT [[FIPS 203](https://csrc.nist.gov/pubs/fips/203/final)]
 - semi-honest OT extension: optimized [[IKNP03](https://www.iacr.org/archive/crypto2003/27290145/27290145.pdf)] protocol
 - malicious OT extension: optimized [[KOS15]](https://eprint.iacr.org/2015/546.pdf) protocol
 - silent OT extension: [[BCG+19](https://eprint.iacr.org/2019/1159)] silent OT using [[RRT23](https://eprint.iacr.org/2023/882)] code (semi-honest and malicious with [[YWL+20](https://dl.acm.org/doi/pdf/10.1145/3372297.3417276)] consistency check)
@@ -27,7 +28,7 @@ Silent OT will perform faster for smaller numbers of OTs at slightly increased c
 
 Our OT implementations should be on par or faster than those in libOTe. In the future we want to benchmark libOTe on the same hardware for a fair comparison.
 
-**Base OT Benchmark:**
+**Base OT Benchmark (Simplest OT):**
 
 | Benchmark      | Mean Time (ms) |
 |---------------|---------------|

cryprot-ot/README.md

@@ -8,7 +8,6 @@ use cryprot_core::{Block, alloc::HugePageMemory};
 use cryprot_net::testing::{init_bench_tracing, local_conn};
 use cryprot_ot::{
     CotReceiver, CotSender, RotReceiver, RotSender,
-    base::SimplestOt,
     extension::{
         MaliciousOtExtensionReceiver, MaliciousOtExtensionSender, SemiHonestOtExtensionReceiver,
         SemiHonestOtExtensionSender,
@@ -18,6 +17,7 @@ use cryprot_ot::{
         MaliciousSilentOtReceiver, MaliciousSilentOtSender, SemiHonestSilentOtReceiver,
         SemiHonestSilentOtSender,
     },
+    simplest_ot::SimplestOt,
 };
 use rand::{SeedableRng, rngs::StdRng};
 use tokio::runtime::{self, Runtime};

cryprot-ot/benches/bench.rs

@@ -35,10 +35,8 @@ use tokio::{
 use tracing::Level;
 
 use crate::{
-    Connected, CotReceiver, CotSender, Malicious, MaliciousMarker, RotReceiver, RotSender,
-    Security, SemiHonest, SemiHonestMarker,
-    adapter::CorrelatedFromRandom,
-    base::{self, SimplestOt},
+    BaseOt, BaseOtError, Connected, CotReceiver, CotSender, Malicious, MaliciousMarker,
+    RotReceiver, RotSender, Security, SemiHonest, SemiHonestMarker, adapter::CorrelatedFromRandom,
     phase, random_choices,
 };
 
@@ -49,7 +47,7 @@ pub const DEFAULT_OT_BATCH_SIZE: usize = 2_usize.pow(16);
 /// OT extension sender generic over its [`Security`] level.
 pub struct OtExtensionSender<S> {
     rng: StdRng,
-    base_ot: SimplestOt,
+    base_ot: BaseOt,
     conn: Connection,
     base_rngs: Vec<AesRng>,
     base_choices: Vec<Choice>,
@@ -60,7 +58,7 @@ pub struct OtExtensionSender<S> {
 
 /// OT extension receiver generic over its [`Security`] level.
 pub struct OtExtensionReceiver<S> {
-    base_ot: SimplestOt,
+    base_ot: BaseOt,
     conn: Connection,
     base_rngs: Vec<[AesRng; 2]>,
     batch_size: usize,
@@ -83,7 +81,7 @@ pub type MaliciousOtExtensionReceiver = OtExtensionReceiver<MaliciousMarker>;
 #[non_exhaustive]
 pub enum Error {
     #[error("unable to compute base OTs")]
-    BaseOT(#[from] base::Error),
+    BaseOT(#[from] BaseOtError),
     #[error("connection error to peer")]
     Connection(#[from] ConnectionError),
     #[error("error in sending/receiving data")]
@@ -114,7 +112,7 @@ impl<S: Security> OtExtensionSender<S> {
     ///
     /// For an rng seeded with a fixed seed, the output is deterministic.
     pub fn new_with_rng(mut conn: Connection, mut rng: StdRng) -> Self {
-        let base_ot = SimplestOt::new_with_rng(conn.sub_connection(), StdRng::from_rng(&mut rng));
+        let base_ot = BaseOt::new_with_rng(conn.sub_connection(), StdRng::from_rng(&mut rng));
         Self {
             rng,
             base_ot,
@@ -435,7 +433,7 @@ impl<S: Security> OtExtensionReceiver<S> {
     ///
     /// For an rng seeded with a fixed seed, the output is deterministic.
     pub fn new_with_rng(mut conn: Connection, mut rng: StdRng) -> Self {
-        let base_ot = SimplestOt::new_with_rng(conn.sub_connection(), StdRng::from_rng(&mut rng));
+        let base_ot = BaseOt::new_with_rng(conn.sub_connection(), StdRng::from_rng(&mut rng));
         Self {
             rng,
             base_ot,

cryprot-ot/src/extension.rs

@@ -1,7 +1,8 @@
 #![warn(clippy::unwrap_used)]
 //! CryProt-OT implements several [oblivious transfer](https://en.wikipedia.org/wiki/Oblivious_transfer) protocols.
 //!
-//! - base OT: "Simplest OT" [[CO15](https://eprint.iacr.org/2015/267)]
+//! - base OT: "Simplest OT" [[CO15](https://eprint.iacr.org/2015/267)] (classical security)
+//! - post-quantum base OT: ML-KEM-768 based OT [[MR19](https://eprint.iacr.org/2019/706)] (post-quantum security)
 //! - semi-honest OT extension: optimized [[IKNP03](https://www.iacr.org/archive/crypto2003/27290145/27290145.pdf)]
 //!   protocol
 //! - malicious OT extension: optimized [[KOS15](https://eprint.iacr.org/2015/546.pdf)]
@@ -13,6 +14,15 @@
 //!
 //! This library is heavily inspired by and in parts a port of the C++ [libOTe](https://github.com/osu-crypto/libOTe) library.
 //!
+//! ## ML-KEM Base OT
+//!
+//! Enable the `ml-kem-base-ot` feature to use ML-KEM-based OT for the base OT
+//! protocol, providing post-quantum security:
+//!
+//! This replaces the classical "Simplest OT" with an ML-KEM-based construction following
+//! FIPS 203 at https://csrc.nist.gov/pubs/fips/203/final, similar to libOTe's `ENABLE_MR_KYBER` option.
+//! We use the ML-KEN crate https://crates.io/crates/ml-kem.
+//!
 //! ## Benchmarks
 //! We continously run the benchmark suite in CI witht the results publicly
 //! available on [bencher.dev](https://bencher.dev/perf/cryprot/plots). The raw criterion output, including throughput is
@@ -55,11 +65,32 @@ use rand::{CryptoRng, Rng, SeedableRng, distr, prelude::Distribution, rngs::StdR
 use subtle::Choice;
 
 pub mod adapter;
-pub mod base;
 pub mod extension;
+pub mod mlkem_ot;
 pub mod noisy_vole;
 pub mod phase;
 pub mod silent_ot;
+pub mod simplest_ot;
+
+/// Base OT implementation used by extension protocols.
+///
+/// When the `ml-kem-base-ot` feature is enabled, use [`mlkem_ot::MlKemOt`]
+#[cfg(feature = "ml-kem-base-ot")]
+pub type BaseOt = mlkem_ot::MlKemOt;
+
+/// Base OT implementation used by extension protocols.
+///
+/// When the `ml-kem-base-ot` feature is not enabled, use [`simplest_ot::SimplestOt`].
+#[cfg(not(feature = "ml-kem-base-ot"))]
+pub type BaseOt = simplest_ot::SimplestOt;
+
+/// Error type for base OT operations.
+#[cfg(feature = "ml-kem-base-ot")]
+pub type BaseOtError = mlkem_ot::Error;
+
+/// Error type for base OT operations.
+#[cfg(not(feature = "ml-kem-base-ot"))]
+pub type BaseOtError = simplest_ot::Error;
 
 /// Trait for OT receivers/senders which hold a [`Connection`].
 pub trait Connected {