proof checking in KosOtExtSender sometimes fails and throws runtime error about libote HOT 9 CLOSED

Ill look into this.

from libote.

fixed. thanks for pointing this out.

from libote.

Thank you for the fix!

from libote.

Once again, thank you.

Can you please point out if the fix only affected the case of 1023 mod 1024.
My team and I have been using an edited version of the code (basically the same, but handling of the channel communication was extracted outside to be handled somewhere else in the code, and also the separation to classes is different). We always only use even number(*) of OTs each time, and so we are wondering if the code before this fix is good enough for our needs, or we need to re-factor the libOTe code again for our purposes.

(*) Indeed I found this issue by mistake...

from libote.

Yes, the bug appeared to be an error only for the edge case of 1023. The issue was as follows,

When generating the OTs, the parties generate a matrix of size (n+128) x 128. The extra 128 rows are for a malicious security check that's performed. When the first extra row was at index 1023 mod 1024, there was a bug that resulted in the choice bit of this extra OT being assigned randomly. This resulted in the malicious proof of correctness failing with
Pr 1/2. I rewrote the logic to avoid this edge case.

You should be fine if you always perform an even number of OTs.

Cheers,
Peter

from libote.

Out of curiosity, how is your networking performed? I have recently been reworking my networking framework and I'm wondering if the new framework would enable you to use libOTe out of the box.

Thanks,
Peter

from libote.

Hi Peter.

Thanks for pointing that out! I'll have a look.

But due to requirements of our development teams, we've so far separated completely the computation from the networking into different layers. The OT functions receives full messages (single round full memory buffers) and returns full round messages. Uncompromisingly, communication is done separately in other locations in the system.

Can the the renewed networking framework support such a requirement? It's not a big deal if not, because the code was flexible enough for us to extract the thing we wished for. Thanks!

from libote.

yes, it can but the API is not totally stable so maybe best to not switch yet. The new networking is based on the idea of c++20 coroutines but is written in c++11.

Roughly, all networking calls "pauses" the current function and returns to the caller. Once the networking is performed, you can resume the protocol where it was paused. All this is single threaded. This allows you to collect all messages for a single round of the protocol and send/receive them in a group. Or you can send/receive messages eagerly using a blocking socket or fully asynchronously.

Here is the branch which has everything but the silentOT protocol working https://github.com/osu-crypto/libOTe/tree/coproto

And here is how the networking works in detail. https://github.com/ladnir/coproto

from libote.

Oh wow...
All this is still way beyond my expertise. I do not know anything about the newer c++ standards. This coroutine behavior that you mentioned sounds quite like the python yield command with generators. But I am not sure, I'll definitely have to study this before we can use such behavior.

It could have saved me the effort of doing my own refactoring of the KOS code, that's for sure.
But as long as it works for now (until I figure out the coproto thing), I am definitely pleased.

Thanks!

from libote.