Hi, thanks for open sourcing swanky!
I'm a student interested in MPC and have just implemented Efficient and Universally Composable Protocols for Oblivious Transfer from the CDH Assumption (HL17) in a public repo.

Would you be interested in a PR for this OT protocol to be included in ocelot? Obviously I'd change my current implementation such that it is in line with the current chou orlandi implementation :)

Best, Robin

I'm not sure why, but SymChannel (in scuttlebutt) doesn't appear to be included in the documentation. I've checked the hosted documentation (https://galoisinc.github.io/swanky/scuttlebutt/) and built the documentation locally, neither seem to have it.

I'm not sure why this would be, it seems to be part of the public API in scuttlebutt/src/lib.rs.

Just leaving an issue here in case swanky begins active development again.

I'm developing a complex GC, and stuck in deadlock. I've managed to reduce the code causing problem, so here's a simplest circuit:

1. Both Garbler and Evaluator encode constant a = 1 (mod 2)
2. Garbler receives and Evaluator encodes some single value b (using FancyInput::{receive, encode})
3. Parties evaluate c = a ^ b
4. GC outputs c, Evaluator learns its value

Code snippet is available here. I'm using the latest version of the fancy-garbling library (e673c2 commit).

The code above produces deadlock. Specifically, Garbler freezes at step 2 (at FancyInput::receive value b), and Evaluator freezes at step 1 (while encoding the constant, it blocks at reading from a channel)

If we swap step 1 and step 2 (so parties exchange encoded value b first, and then encode the constant a), GC will terminate and produce a valid output c. Order of steps doesn't matter here, but matters in more complex GCs following streaming approach.

Is it a bug or known limitation?

Each round key is supposed to be 128 bits long, but they are hard-coded with only the low 64 bits specified.

pub const FIXED_KEY_AES128: Aes128 = Aes128 {
    rkeys: unsafe {
        [
            (__U128 {
                bytes: 0x15B5_32C2_F193_1C94,
            })
            .vector,
            (__U128 {
                bytes: 0xD754_876D_FE7E_6726,
            })
            .vector,
            // ...

This means that the high 64 bits of every round key are zero. As far as I can tell, there are no AES-128 keys that expand into such a sequence of round keys. It seems likely to me that not using the proper key schedule could make AES weaker.

Currently, the sigma function is implemented as per this comment

For example, among three parties, we have a garbler and an evaluator, there is another party providing the inputs. Can the third party get labels from the garbler via OT then send labels to evaluator? Can I implement such a scenario using this library?

Hi, ocelot currently uses a TCCR hash for breaking correlations after the KOS check acc.to this line

However, the security proof of the KOS paper uses a random oracle.

Since we are also implemting a KOS OT extension, we're trying to understand has there been any recent work which proves KOS security with a TCCR hash? Or is this a liberty that ocelot is taking without relying on a formal proof?

Thanks.

Issue:
Currently popsicle's cuckoo hashing has a bug where it is always full and fails for certain numbers like 100,000 and larger powers of 10.

Solution:
Use ocelot's cuckoo hash instead and turn popsicle's cuckoo hash into a wrapper for ocelot's.

Hi, I tried to plug in the aes_128.txt circuit from https://homes.esat.kuleuven.be/~nsmart/MPC/ by first "downgrading" its header into the old format:

36663 36919
128 128  128 

and also changing key,msg input ordering and reversing the output bits.

It passed the first 2 tests in parser.rs but failed on the 3rd:

Then I took another AES circuit from here https://github.com/n-for-1-auth/circuits/tree/main/aes (aes128_full.txt) , adjusted input/output ordering and set its header to

36548 36804
128 128 128

this time the test failed on test2

How can such non-deterministic behaviour happen? Does swanky choose different code paths based on the gate ordering of the circuit?
Either way, you probably want to look at this as some corner case is triggering a bug.

Hi,

I was browsing your OT protocols and noticed that Keller, Orsini, and Scholl (KOS) have posted an "update" to their paper acknowledging a flaw pointed out by Roy.

I haven't begun to dig into what precisely is happening but it looks like:

• The KOS protocol now lacks a security proof.
• There is a proposed fix to the original protocol [but it still lacks a security proof it seems?]

The current stable build in travis-ci fails because we use the --features argument, which no longer exists. We should probably fix that.

When I run the fancy-carbling test without cargo test, the following error occurs：

failures:

---- parser::tests::test_gc_eval stdout ----
thread 'parser::tests::test_gc_eval' panicked at 'called Result::unwrap() on an Err value: IoError(Os { code: 2, kind: NotFound, message: "No such file or directory" })', fancy-garbling/src/parser.rs:209:72
note: run with RUST_BACKTRACE=1 environment variable to display a backtrace

---- parser::tests::test_parser stdout ----
thread 'parser::tests::test_parser' panicked at 'called Result::unwrap() on an Err value: IoError(Os { code: 2, kind: NotFound, message: "No such file or directory" })', fancy-garbling/src/parser.rs:180:68

---- twopac::semihonest::tests::test_aes stdout ----
thread 'twopac::semihonest::tests::test_aes' panicked at 'called Result::unwrap() on an Err value: IoError(Os { code: 2, kind: NotFound, message: "No such file or directory" })', fancy-garbling/src/twopac/semihonest/mod.rs:110:68

I'm to understand the rational for ocelot's implementation choices.

Is there any reason why ocelot does not implement the IKNP OT Extension?

Why does ocelot implement two OT extensions that use Chou-Orlandi as the base OT (as listed in swanky/ocelot/src/ot/mod.rs ) but none that use Naor-Pinkas as the base OT?

Thank you!

It seems like all the implementations (so far) are parameterized by types that satisfy these traits already (e.g. https://github.com/GaloisInc/swanky/blob/master/scuttlebutt/src/channel/sync_channel.rs#L38). For example,

pub trait AbstractChannel: std::io::Read + std::io::Write {
...
}

Again, not urgent, just documenting for the future.

Hi,

I am using the semihonest_2pc.rs in examples for testing some garbled circuit txts. I found that the sha256 circuit comes from https://homes.esat.kuleuven.be/~nsmart/MPC/old-circuits.html where it provides some test vectors. However, I found that the result is not compatible with the given ones...

There are only one correct with all 1 (0xffff.ffff) as the first (garbler) input, but the remaining aren't... I did think of the endian problem, but the case with all 1 is correct and all 0 is not correct...

Could anyone give me some help or any approaches?

Thank you very much!