Add correlated OT

Author: robinhundt

cryprot-core/src/buf.rs

@@ -14,6 +14,9 @@ use crate::alloc::{HugePageMemory, allocate_zeroed_vec};
 pub trait Buf<T>:
     Default + Debug + Deref<Target = [T]> + DerefMut + Send + Sync + 'static + private::Sealed
 {
+    type BufKind<E>: Buf<E>
+    where
+        E: Zeroable + Clone + Default + Debug + Send + Sync + 'static;
     /// Create a new `Buf` of length `len` with all elements set to zero.
     ///
     /// Implementations of this directly allocate zeroed memory and do not write
@@ -41,6 +44,11 @@ pub trait Buf<T>:
 }
 
 impl<T: Zeroable + Clone + Default + Debug + Send + Sync + 'static> Buf<T> for Vec<T> {
+    type BufKind<E>
+        = Vec<E>
+    where
+        E: Zeroable + Clone + Default + Debug + Send + Sync + 'static;
+
     fn zeroed(len: usize) -> Self {
         allocate_zeroed_vec(len)
     }
@@ -66,6 +74,11 @@ impl<T: Zeroable + Clone + Default + Debug + Send + Sync + 'static> Buf<T> for V
 }
 
 impl<T: Zeroable + Clone + Default + Debug + Send + Sync + 'static> Buf<T> for HugePageMemory<T> {
+    type BufKind<E>
+        = HugePageMemory<E>
+    where
+        E: Zeroable + Clone + Default + Debug + Send + Sync + 'static;
+
     fn zeroed(len: usize) -> Self {
         HugePageMemory::zeroed(len)
     }

cryprot-ot/benches/bench.rs

@@ -7,7 +7,7 @@ use criterion::{BatchSize, Criterion, criterion_group, criterion_main};
 use cryprot_core::{Block, alloc::HugePageMemory};
 use cryprot_net::testing::{init_bench_tracing, local_conn};
 use cryprot_ot::{
-    RotReceiver, RotSender,
+    CotReceiver, CotSender, RotReceiver, RotSender,
     base::SimplestOt,
     extension::{
         MaliciousOtExtensionReceiver, MaliciousOtExtensionSender, SemiHonestOtExtensionReceiver,
@@ -99,7 +99,7 @@ fn criterion_benchmark(c: &mut Criterion) {
                         }),
                         tokio::spawn(async move {
                             receiver
-                                .receive_into(&choices, &mut receiver_ots)
+                                .receive_into(&mut receiver_ots, &choices)
                                 .await
                                 .unwrap();
                             receiver_ots
@@ -113,64 +113,53 @@ fn criterion_benchmark(c: &mut Criterion) {
         })
     });
 
-    g.bench_function(format!("2 parallel 2**{p} extension OTs"), |b| {
+    g.bench_function(format!("2**{p} correlated extension OTs"), |b| {
         b.to_async(&rt).iter_custom(|iters| {
             let mut c11 = c1.sub_connection();
             let mut c22 = c2.sub_connection();
+
             async move {
                 let mut duration = Duration::ZERO;
+                let mut sender_ots = HugePageMemory::zeroed(count);
+                let mut receiver_ots = HugePageMemory::zeroed(count);
                 for _ in 0..iters {
-                    let (
-                        mut sender1,
-                        mut receiver1,
-                        mut sender2,
-                        mut receiver2,
-                        choices1,
-                        choices2,
-                    ) = {
+                    // setup not included in duration
+                    let (mut sender, mut receiver, choices) = {
                         let mut rng1 = StdRng::seed_from_u64(42);
-                        let mut rng2 = StdRng::seed_from_u64(42 * 42);
-                        let choices1 = random_choices(count, &mut rng1);
-                        let choices2 = random_choices(count, &mut rng2);
-                        let mut sender1 = SemiHonestOtExtensionSender::new_with_rng(
-                            c11.sub_connection(),
-                            rng1.clone(),
-                        );
-                        let mut receiver1 = SemiHonestOtExtensionReceiver::new_with_rng(
-                            c22.sub_connection(),
-                            rng2.clone(),
-                        );
-
-                        let mut sender2 =
+                        let rng2 = StdRng::seed_from_u64(42 * 42);
+                        let choices = random_choices(count, &mut rng1);
+                        let mut sender =
                             SemiHonestOtExtensionSender::new_with_rng(c11.sub_connection(), rng1);
-                        let mut receiver2 =
+                        let mut receiver =
                             SemiHonestOtExtensionReceiver::new_with_rng(c22.sub_connection(), rng2);
-
-                        tokio::try_join!(
-                            sender1.do_base_ots(),
-                            receiver1.do_base_ots(),
-                            sender2.do_base_ots(),
-                            receiver2.do_base_ots()
-                        )
-                        .unwrap();
-                        (sender1, receiver1, sender2, receiver2, choices1, choices2)
+                        tokio::try_join!(sender.do_base_ots(), receiver.do_base_ots()).unwrap();
+                        (sender, receiver, choices)
                     };
                     let now = Instant::now();
-                    let jh1 = tokio::spawn(async move { sender1.send(count).await });
-                    let jh2 = tokio::spawn(async move { receiver1.receive(&choices1).await });
-                    let jh3 = tokio::spawn(async move { sender2.send(count).await });
-                    let jh4 = tokio::spawn(async move { receiver2.receive(&choices2).await });
-                    let (ot1, ot2, ot3, ot4) = tokio::try_join!(jh1, jh2, jh3, jh4).unwrap();
+                    (sender_ots, receiver_ots) = tokio::try_join!(
+                        tokio::spawn(async move {
+                            sender
+                                .correlated_send_into(&mut sender_ots, |_| Block::ONES)
+                                .await
+                                .unwrap();
+                            sender_ots
+                        }),
+                        tokio::spawn(async move {
+                            receiver
+                                .correlated_receive_into(&mut receiver_ots, &choices)
+                                .await
+                                .unwrap();
+                            receiver_ots
+                        })
+                    )
+                    .unwrap();
                     duration += now.elapsed();
-                    ot1.unwrap();
-                    ot2.unwrap();
-                    ot3.unwrap();
-                    ot4.unwrap();
                 }
                 duration
             }
         })
     });
+
     g.finish();
 
     let mut g = c.benchmark_group("malicious OT extension");
@@ -206,7 +195,7 @@ fn criterion_benchmark(c: &mut Criterion) {
                         }),
                         tokio::spawn(async move {
                             receiver
-                                .receive_into(&choices, &mut receiver_ots)
+                                .receive_into(&mut receiver_ots, &choices)
                                 .await
                                 .unwrap();
                             receiver_ots

cryprot-ot/src/adapter.rs

@@ -1,9 +1,16 @@
 //! Adapters for OT types.
 
 use bitvec::{order::Lsb0, vec::BitVec};
+use cryprot_core::{Block, buf::Buf};
+use cryprot_net::ConnectionError;
 use futures::{SinkExt, StreamExt};
+use subtle::ConditionallySelectable;
+use tokio::io::{AsyncReadExt, AsyncWriteExt};
 
-use crate::{Connected, RandChoiceRotReceiver, RandChoiceRotSender, RotReceiver, RotSender};
+use crate::{
+    Connected, CotReceiver, CotSender, Malicious, RandChoiceRotReceiver, RandChoiceRotSender,
+    RotReceiver, RotSender, SemiHonest,
+};
 
 /// Adapts a [`RandChoiceRotReceiver`] into a [`RotReceiver`] and
 /// [`RandChoiceRotSender`] into [`RotSender`].
@@ -26,13 +33,18 @@ impl<P: Connected> Connected for ChosenChoice<P> {
     }
 }
 
+impl<P: SemiHonest> SemiHonest for ChosenChoice<P> {}
+
+// TODO is there something I can cite that this holds?
+impl<P: Malicious> Malicious for ChosenChoice<P> {}
+
 impl<R: RandChoiceRotReceiver> RotReceiver for ChosenChoice<R> {
     type Error = R::Error;
 
     async fn receive_into(
         &mut self,
-        choices: &[subtle::Choice],
         ots: &mut impl cryprot_core::buf::Buf<cryprot_core::Block>,
+        choices: &[subtle::Choice],
     ) -> Result<(), Self::Error> {
         let mut rand_choices = self
             .0
@@ -72,6 +84,171 @@ impl<S: RotSender + RandChoiceRotSender + Send> RotSender for ChosenChoice<S> {
     }
 }
 
+/// Adapts any [`RotSender`]/[`RotReceiver`] into a
+/// [`CotSender`]/[`CotReceiver`].
+///
+/// This adapter can also be used to easily implement the correlated OT traits
+/// on the protocol types directly. Because `&mut S: RotSender` when `S:
+/// RotSender` you can create a temporary [`CorrelatedFromRandom`] from a `&mut
+/// self` inside an implementation of the correlated traits.
+///
+/// ```
+/// use cryprot_core::{Block, buf::Buf};
+///
+/// use cryprot_ot::adapter::CorrelatedFromRandom;
+/// use cryprot_ot::{Connected, CotSender, RotSender};
+///
+/// struct MyRotSender;
+///
+/// # impl Connected for MyRotSender {
+/// #     fn connection(&mut self) -> &mut cryprot_net::Connection {
+/// #         todo!()
+/// #     }
+/// # }
+///
+/// // Error type must implement `From<ConnectionError>` and `From<io::Error>` for
+/// // adapter
+/// #[derive(thiserror::Error, Debug)]
+/// enum Error {
+///     #[error("connection")]
+///     Connection(#[from] cryprot_net::ConnectionError),
+///     #[error("io")]
+///     Io(#[from] std::io::Error),
+/// }
+///
+/// impl RotSender for MyRotSender {
+///     type Error = Error;
+///
+///     async fn send_into(
+///         &mut self,
+///         ots: &mut impl cryprot_core::buf::Buf<[cryprot_core::Block; 2]>,
+///     ) -> Result<(), Self::Error> {
+///         todo!()
+///     }
+/// }
+///
+/// impl CotSender for MyRotSender {
+///     type Error = <MyRotSender as RotSender>::Error;
+///
+///     async fn correlated_send_into<B, F>(
+///         &mut self,
+///         ots: &mut B,
+///         correlation: F,
+///     ) -> Result<(), Self::Error>
+///     where
+///         B: Buf<Block>,
+///         F: FnMut(usize) -> Block + Send,
+///     {
+///         // because &mut self also implements RotSender, we can use it for the adapter
+///         CorrelatedFromRandom::new(self)
+///             .correlated_send_into(ots, correlation)
+///             .await
+///     }
+/// }
+/// ```
+#[derive(Debug)]
+pub struct CorrelatedFromRandom<P>(P);
+
+impl<P> CorrelatedFromRandom<P> {
+    pub fn new(protocol: P) -> Self {
+        Self(protocol)
+    }
+}
+
+impl<P: Connected> Connected for CorrelatedFromRandom<P> {
+    fn connection(&mut self) -> &mut cryprot_net::Connection {
+        self.0.connection()
+    }
+}
+
+impl<P: SemiHonest> SemiHonest for CorrelatedFromRandom<P> {}
+
+// TODO is there something I can cite that this holds?
+impl<P: Malicious> Malicious for CorrelatedFromRandom<P> {}
+
+// should fit in one jumbo frame
+const COR_CHUNK_SIZE: usize = 8500 / Block::BYTES;
+
+impl<S: RotSender> CotSender for CorrelatedFromRandom<S>
+where
+    S::Error: From<ConnectionError> + From<std::io::Error>,
+{
+    type Error = S::Error;
+
+    async fn correlated_send_into<B, F>(
+        &mut self,
+        ots: &mut B,
+        mut correlation: F,
+    ) -> Result<(), Self::Error>
+    where
+        B: Buf<Block>,
+        F: FnMut(usize) -> Block + Send,
+    {
+        let mut r_ots: B::BufKind<[Block; 2]> = B::BufKind::zeroed(ots.len());
+        self.0.send_into(&mut r_ots).await?;
+        let mut send_buf: Vec<Block> = Vec::zeroed(COR_CHUNK_SIZE);
+        let (mut tx, _) = self.connection().byte_stream().await?;
+        // Using spawn_compute here results in slightly lower performance.
+        // I think there is just not enough work done per byte transmitted here.
+        // This implementation is also simpler and less prone to errors than the
+        // spawn_compute one.
+        for (chunk_idx, (ot_chunk, rot_chunk)) in ots
+            .chunks_mut(send_buf.len())
+            .zip(r_ots.chunks(send_buf.len()))
+            .enumerate()
+        {
+            for (idx, ((ot, r_ot), correction)) in ot_chunk
+                .iter_mut()
+                .zip(rot_chunk)
+                .zip(&mut send_buf)
+                .enumerate()
+            {
+                *ot = r_ot[0];
+                *correction = r_ot[1] ^ r_ot[0] ^ correlation(chunk_idx * COR_CHUNK_SIZE + idx);
+            }
+            tx.write_all(bytemuck::must_cast_slice_mut(
+                &mut send_buf[..ot_chunk.len()],
+            ))
+            .await?;
+        }
+        Ok(())
+    }
+}
+
+impl<R: RotReceiver> CotReceiver for CorrelatedFromRandom<R>
+where
+    R::Error: From<ConnectionError> + From<std::io::Error>,
+{
+    type Error = R::Error;
+
+    async fn correlated_receive_into<B>(
+        &mut self,
+        ots: &mut B,
+        choices: &[subtle::Choice],
+    ) -> Result<(), Self::Error>
+    where
+        B: Buf<Block>,
+    {
+        self.0.receive_into(ots, choices).await?;
+        let mut recv_buf: Vec<Block> = Vec::zeroed(COR_CHUNK_SIZE);
+        let (_, mut rx) = self.connection().byte_stream().await?;
+        for (ot_chunk, choice_chunk) in ots
+            .chunks_mut(COR_CHUNK_SIZE)
+            .zip(choices.chunks(COR_CHUNK_SIZE))
+        {
+            rx.read_exact(bytemuck::must_cast_slice_mut(
+                &mut recv_buf[..ot_chunk.len()],
+            ))
+            .await?;
+            for ((ot, correction), choice) in ot_chunk.iter_mut().zip(&recv_buf).zip(choice_chunk) {
+                let use_correction = Block::conditional_select(&Block::ZERO, &Block::ONES, *choice);
+                *ot ^= use_correction & *correction;
+            }
+        }
+        Ok(())
+    }
+}
+
 #[cfg(test)]
 mod tests {
     use cryprot_net::testing::{init_tracing, local_conn};

cryprot-ot/src/base.rs

@@ -114,8 +114,8 @@ impl RotReceiver for SimplestOt {
     #[tracing::instrument(target = "cryprot_metrics", level = Level::TRACE, skip_all, fields(phase = phase::BASE_OT))]
     async fn receive_into(
         &mut self,
-        choices: &[Choice],
         ots: &mut impl Buf<Block>,
+        choices: &[Choice],
     ) -> Result<(), Self::Error> {
         assert_eq!(choices.len(), ots.len());
         let (mut send, mut recv) = self.conn.byte_stream().await?;