1- //! Simplest-OT base OT protocol by [[CO15](https://eprint.iacr.org/2015/267)] (malicious security).
1+ //! Simplest-OT base OT protocol by [[CO15]] (malicious security).
2+ //!
3+ //! This module implements the Simplest OT protocol described in [[CO15]]
4+ //! with a slight variation that ensures the sender and receiver's OTs are
5+ //! uniformly distributed.
6+ //!
7+ //! This protocol provides "uniform message security" as defined by [[MR19]]
8+ //!
9+ //! [CO15]: https://eprint.iacr.org/2015/267
10+ //! [MR19]: https://eprint.iacr.org/2019/706.pdf
211
312use std:: io;
413
@@ -17,6 +26,7 @@ use tracing::Level;
1726
1827use crate :: { Connected , Malicious , RotReceiver , RotSender , SemiHonest , phase} ;
1928
29+ /// Sender and Receiver for the base OT protocol.
2030pub struct SimplestOt {
2131 rng : StdRng ,
2232 conn : Connection ,
@@ -69,6 +79,16 @@ impl RotSender for SimplestOt {
6979 let count = ots. len ( ) ;
7080 let a = Scalar :: random ( & mut RngCompat ( & mut self . rng ) ) ;
7181 let mut A = RISTRETTO_BASEPOINT_TABLE * & a;
82+ // The usual CO15 protocol only provides receiver chosen message security.
83+ // To ensure the OTs are uniformly distributed, the sender samples a random seed
84+ // s and sends a commitment of that seed to the receiver alongside A.
85+ // Only after receiving `b` from the receiver, does the sender send the
86+ // decommitment. The random seed is then part of the final hashing to
87+ // generate the OTs. As the receiver doesn't know the seed before
88+ // sending `b`, they can't choose `b` in a way that would influence the
89+ // distribution of OTs. The seed commitment and decommitment along with
90+ // the random `b` value essentially implements a cointoss protocol.
91+ // For more information refer to the MR19 paper.
7292 let seed: Block = self . rng . random ( ) ;
7393 // commit to the seed
7494 let seed_commitment = seed. ro_hash ( ) ;
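Review bot: The cointoss argument in the new comment (L82–L91) only holds if the hash commitment `seed.ro_hash()` is both hiding and binding, and the hunk does not say what guarantees that or who enforces it; the receiver's side — checking the later decommitment against `seed_commitment` and aborting on mismatch — is outside this hunk and should be named here so the two halves stay in sync. I would add after line 94: `// Hiding relies on the seed being freshly sampled from the CSPRNG with full entropy; binding relies on ro_hash being a random-oracle-style hash. The receiver must recompute the hash of the decommitted seed and abort on mismatch, otherwise the sender can equivocate and the cointoss argument above fails.` It is also worth stating in the comment that the seed must be sent only after `b` has been fully received, since sending it early re-introduces the receiver-chosen-message issue the variant is meant to fix. The enclosing `send` body starts before this hunk and continues past it.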