{"id":21260139,"url":"https://github.com/sdiehl/oblivious-transfer","last_synced_at":"2025-12-11T23:16:53.642Z","repository":{"id":56874004,"uuid":"135729648","full_name":"sdiehl/oblivious-transfer","owner":"sdiehl","description":"Oblivious transfer for multiparty computation","archived":false,"fork":false,"pushed_at":"2020-02-25T10:55:58.000Z","size":32,"stargazers_count":37,"open_issues_count":0,"forks_count":6,"subscribers_count":11,"default_branch":"master","last_synced_at":"2025-06-13T01:21:01.652Z","etag":null,"topics":["cryptography","elliptic-curves","multiparty-computation","oblivious-transfer"],"latest_commit_sha":null,"homepage":"https://www.adjoint.io","language":"Haskell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"bsd-3-clause","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/sdiehl.png","metadata":{"files":{"readme":"README.md","changelog":"ChangeLog.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null}},"created_at":"2018-06-01T14:45:18.000Z","updated_at":"2024-11-27T13:59:17.000Z","dependencies_parsed_at":"2022-08-20T22:30:13.867Z","dependency_job_id":null,"html_url":"https://github.com/sdiehl/oblivious-transfer","commit_stats":null,"previous_names":["adjoint-io/oblivious-transfer"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/sdiehl/oblivious-transfer","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sdiehl%2Foblivious-transfer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sdiehl%2Foblivious-transfer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sdiehl%2Foblivious-transfer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sdiehl%2Foblivious-transfer/manifests","owner_url":"https:
//repos.ecosyste.ms/api/v1/hosts/GitHub/owners/sdiehl","download_url":"https://codeload.github.com/sdiehl/oblivious-transfer/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/sdiehl%2Foblivious-transfer/sbom","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":264721294,"owners_count":23653915,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cryptography","elliptic-curves","multiparty-computation","oblivious-transfer"],"created_at":"2024-11-21T04:17:04.124Z","updated_at":"2025-12-11T23:16:53.552Z","avatar_url":"https://github.com/sdiehl.png","language":"Haskell","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n\u003ca href=\"https://www.adjoint.io\"\u003e\n  \u003cimg width=\"250\" src=\"./.assets/adjoint.png\" alt=\"Adjoint Logo\" /\u003e\n\u003c/a\u003e\n\u003c/p\u003e\n\n[![CircleCI](https://circleci.com/gh/adjoint-io/oblivious-transfer.svg?style=svg)](https://circleci.com/gh/adjoint-io/oblivious-transfer)\n[![Hackage](https://img.shields.io/hackage/v/oblivious-transfer.svg)](http://hackage.haskell.org/package/oblivious-transfer)\n\nOblivious Transfer (OT) is a cryptographic primitive in which a sender transfers some of potentially many pieces of information to a receiver.\nThe sender doesn't know which pieces of information have been transferred.\n\n1-out-of-2 OT\n=============\n\nOblivious transfer is central to many of the constructions for secure multiparty computation.\nIn its most basic form, the sender has two secret messages as 
inputs, _m\u003csub\u003e0\u003c/sub\u003e_ and _m\u003csub\u003e1\u003c/sub\u003e_; the receiver has a choice bit _c_ as input.\nAt the end of the 1-out-of-2 OT protocol, the receiver should only learn message _m\u003csub\u003ec\u003c/sub\u003e_, while the sender should not\nlearn the value of the receiver's input _c_.\n\nThe protocol is defined for elliptic curves over finite fields _E(F\u003csub\u003eq\u003c/sub\u003e)_. The set of points _E(F\u003csub\u003eq\u003c/sub\u003e)_ is a finite abelian group.\nIt works as follows:\n\n1. Alice samples a random _a_ and computes _A = aG_. She sends _A_ to Bob.\n2. Bob has a choice _c_. He samples a random _b_.\n    - If _c_ is 0, then he computes _B = bG_.\n    - If _c_ is 1, then he computes _B = A + bG_.\n\n  He sends _B_ to Alice.\n\n3. Alice derives two keys:\n    - _K\u003csub\u003e0\u003c/sub\u003e = aB_\n    - _K\u003csub\u003e1\u003c/sub\u003e = a(B - A)_\n\n  It's easy to check that Bob can derive the key _K\u003csub\u003ec\u003c/sub\u003e_ corresponding to his choice bit (as _bA = abG_), but cannot compute the other one.\n\n1-out-of-N OT\n=============\n\nThe 1-out-of-N oblivious transfer protocol is a natural generalization of the 1-out-of-2 OT protocol,\nin which the sender has a vector of messages (_M\u003csub\u003e0\u003c/sub\u003e, ..., M\u003csub\u003en-1\u003c/sub\u003e_). The receiver only has a choice _c_.\n\nWe implement a protocol for *random* OT, where the sender, Alice, outputs _n_ random keys and the receiver, Bob, only learns one of them.\nIt consists of three parts:\n\n**Setup**\n\nAlice samples _a ∈ Z\u003csub\u003ep\u003c/sub\u003e_ and computes _A = aG_ and _T = aA_, where _G_ and _p_ are the generator and the order of the curve, respectively.\nShe sends _A_ to Bob, who aborts if _A_ is not a valid point in the curve.\n\n**Choose**\n\nBob takes his choice _c ∈ Z\u003csub\u003en\u003c/sub\u003e_, samples _b ∈ Z\u003csub\u003ep\u003c/sub\u003e_ and replies _R = cA + bG_. 
Alice aborts if _R_ is not a valid point in the curve.\n\n**Key derivation**\n\n1. For all _e ∈ Z\u003csub\u003en\u003c/sub\u003e_, Alice computes _k\u003csub\u003ee\u003c/sub\u003e = aR - eT_. She now has a vector of keys _(k\u003csub\u003e0\u003c/sub\u003e, ..., k\u003csub\u003en-1\u003c/sub\u003e)_.\n\n2. Bob computes _k\u003csub\u003eR\u003c/sub\u003e = bA_.\n\nWe can see that the key _k\u003csub\u003ee\u003c/sub\u003e = aR - eT = abG + (c - e)T_. If _e = c_, then _k\u003csub\u003ec\u003c/sub\u003e = abG = bA = k\u003csub\u003eR\u003c/sub\u003e_.\nTherefore, _k\u003csub\u003eR\u003c/sub\u003e = k\u003csub\u003ec\u003c/sub\u003e_ if both parties are honest.\n\n```haskell\n{-# LANGUAGE ScopedTypeVariables #-}\nimport Protolude\nimport Data.Curve.Weierstrass.SECP256K1\nimport qualified OT\n\ntestOT :: Integer -\u003e IO Bool\ntestOT n = do\n\n  -- Alice sets up the protocol\n  (sPrivKey, sPubKey, t) :: (Fr, PA, PA) \u003c- OT.setup\n\n  -- Bob picks a choice bit 'c'\n  (rPrivKey, response, c) \u003c- OT.choose n sPubKey\n\n  -- Alice computes a set of n keys\n  let senderKeys = OT.deriveSenderKeys n sPrivKey response t\n\n  -- Bob only gets to know one out of n keys. Alice doesn't know which one\n  let receiverKey = OT.deriveReceiverKey rPrivKey sPubKey\n\n  pure $ receiverKey == (senderKeys !! fromInteger c)\n```\n\nk-out-of-N OT\n=============\n\n1-out-of-N oblivious transfer can be generalised one step further into\nk-out-of-N. 
This is very similar in structure to the methods above comprising\nthe same 3 parts:\n\n**Setup**\nAs above, Alice samples _a ∈ Z\u003csub\u003ep\u003c/sub\u003e_ and computes _A = aG_ and _T = aA_, where _G_ and _p_ are the generator and the order of the curve, respectively.\nShe sends _A_ to Bob, who aborts if _A_ is not a valid point in the curve.\n\n**Choose**\nBob takes his choices _c\u003csup\u003ei\u003c/sup\u003e ∈ Z\u003csub\u003en\u003c/sub\u003e_, samples _b\u003csup\u003ei\u003c/sup\u003e ∈ Z\u003csub\u003ep\u003c/sub\u003e_ and replies _R\u003csup\u003ei\u003c/sup\u003e = c\u003csup\u003ei\u003c/sup\u003eA + b\u003csup\u003ei\u003c/sup\u003eG_. Alice aborts if _R\u003csup\u003ei\u003c/sup\u003e_ is not a valid point in the curve.\n\n**Key derivation**\n\n1. For all _e\u003csup\u003ei\u003c/sup\u003e ∈ Z\u003csub\u003en\u003c/sub\u003e_, Alice computes _k\u003csub\u003ee\u003c/sub\u003e\u003csup\u003ei\u003c/sup\u003e = aR\u003csup\u003ei\u003c/sup\u003e - e\u003csup\u003ei\u003c/sup\u003eT_. She now has a vector of vectors of keys _(k\u003csub\u003e0\u003c/sub\u003e\u003csup\u003ei\u003c/sup\u003e, ..., k\u003csub\u003en-1\u003c/sub\u003e\u003csup\u003ei\u003c/sup\u003e)_.\n\n2. Bob computes _k\u003csub\u003eR\u003c/sub\u003e\u003csup\u003ei\u003c/sup\u003e = b\u003csup\u003ei\u003c/sup\u003eA_.\n\nWe can see that the key _k\u003csub\u003ee\u003c/sub\u003e\u003csup\u003ei\u003c/sup\u003e = aR\u003csup\u003ei\u003c/sup\u003e - e\u003csup\u003ei\u003c/sup\u003eT = ab\u003csup\u003ei\u003c/sup\u003eG + (c\u003csup\u003ei\u003c/sup\u003e - e\u003csup\u003ei\u003c/sup\u003e)T_. 
If _e = c_, then _k\u003csub\u003ec\u003c/sub\u003e\u003csup\u003ei\u003c/sup\u003e = ab\u003csup\u003ei\u003c/sup\u003eG = b\u003csup\u003ei\u003c/sup\u003eA = k\u003csub\u003eR\u003c/sub\u003e\u003csup\u003ei\u003c/sup\u003e_.\nTherefore, _k\u003csub\u003eR\u003c/sub\u003e\u003csup\u003ei\u003c/sup\u003e = k\u003csub\u003ec\u003c/sub\u003e\u003csup\u003ei\u003c/sup\u003e_ if both parties are honest.\n\n**References**:\n\n1.  Chou, T. and Orlandi, C. \"The Simplest Protocol for Oblivious Transfer\" Technische Universiteit Eindhoven and Aarhus University\n\n\n**Notation**:\n\n_k_: Lower-case letters are scalars. \u003cbr /\u003e\n_P_: Upper-case letters are points in an elliptic curve. \u003cbr /\u003e\n_kP_: Multiplication of a point P with a scalar k over an elliptic curve defined over a finite field modulo a prime number.\n\nLicense\n-------\n\n```\nCopyright 2018-2020 Adjoint Inc\n\nLicensed under the Apache License, Version 2.0 (the \"License\");\nyou may not use this file except in compliance with the License.\nYou may obtain a copy of the License at\n\n    http://www.apache.org/licenses/LICENSE-2.0\n\nUnless required by applicable law or agreed to in writing, software\ndistributed under the License is distributed on an \"AS IS\" BASIS,\nWITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.\nSee the License for the specific language governing permissions and\nlimitations under the License.\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsdiehl%2Foblivious-transfer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsdiehl%2Foblivious-transfer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsdiehl%2Foblivious-transfer/lists"}