Open jschneider-bensch opened 7 months ago
Currently (as of #72), the two-party bit authentication subprotocol uses the passively secure base OT directly as a correlated OT to authenticate bits between parties, i.e. it does not implement active security countermeasures against cheating. If active security for the whole protocol is required, then fundamentally the bit authentication must also provide active security.
A point to note here is that AFAICT, contrary to the prevailing description of the MPC engine in the paper, this would require all authenticated shares (and therefore all authenticated bits) to be computed upfront all at once instead of being able to iteratively call the bit authentication protocol on demand. This change would also improve performance since malicious security checks would only be performed once for the whole batch of bit authentications, cf. #73.
Moved this back to backlog for this month
As KOS15, a building block of the Ferret OT extension, is itself a correlated OT extension it makes sense to specify as a baseline actively secure COT extension. In case we ultimately decide to implement Ferret on top, we need it anyway, otherwise it itself can be used in the actively secure two-party bit authentication spec.
The protocol itself works, it still lacks integration with the MPC engine.
Moving the deadline to the end of the year on this, since we might make use of it for automated checks.
Specify the ~~Ferret Correlated OT~~ KOS15 correlated OT extension.
Original Issue
The main building block for n-party authenticated bits is the two-party authenticated bit protocol. The above diagram from the original TinyOT paper shows what basic building blocks are required, namely an oblivious transfer protocol and a secure equality check protocol. These are then used to build successively less leaky authenticated bit protocols LaBit, WaBit and finally aBit, which has no leakage.
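As an added illustration (not code from the issue, the TinyOT paper or the project) of the correlated-OT-based two-party bit authentication the thread discusses: a single-process Python simulation of the correlation M = K ⊕ x·Δ and of what a sender can check with it. The function `correlated_ot` is an assumed idealised stand-in for the base OT, so it models only the correlation, not the passive-versus-active security question the issue raises; the names `authenticate_bits`, `check_mac`, `xor_authenticated` and the sample bits are constructed for this example.

```python
import secrets

KAPPA = 128  # bit length of the global key Delta and of every key/MAC (constructed choice)


def correlated_ot(delta, choice_bits):
    """Idealised correlated OT, simulated in one process.

    Assumption: a trusted function stands in for the real base OT or OT
    extension. For each receiver choice bit x_i the sender gets a fresh random
    key K_i and the receiver gets M_i = K_i XOR x_i*Delta. The sender never
    learns x_i; the receiver never learns K_i or Delta. Only the correlation is
    modelled, so nothing here says anything about cheating parties."""
    keys, macs = [], []
    for x in choice_bits:
        k = secrets.randbits(KAPPA)
        keys.append(k)
        macs.append(k ^ (delta if x else 0))
    return keys, macs


def authenticate_bits(delta, bits):
    """Two-party authenticated bits built directly from the COT correlation.

    Returns the receiver's list of (x_i, M_i) pairs and the sender's keys K_i;
    the sender additionally holds the global key Delta."""
    keys, macs = correlated_ot(delta, bits)
    return list(zip(bits, macs)), keys


def check_mac(delta, key, x, mac):
    """Sender-side check of an opened authenticated bit: M == K XOR x*Delta."""
    return mac == key ^ (delta if x else 0)


def xor_authenticated(a, b):
    """Receiver-local XOR of two authenticated bits: (x1 XOR x2, M1 XOR M2).

    The sender's matching key is K1 XOR K2, so XOR needs no interaction."""
    return (a[0] ^ b[0], a[1] ^ b[1])


def demo():
    """Runs the simulation on constructed inputs and returns four booleans:
    all MACs verify, the XOR-combined bit verifies, a bit flipped without
    knowing Delta fails verification, and the combined bit has the right value."""
    delta = secrets.randbits(KAPPA)  # random global key; zero only with prob. 2^-128
    bits = [1, 0, 1, 1, 0]           # constructed receiver inputs
    receiver, keys = authenticate_bits(delta, bits)

    ok_all = all(check_mac(delta, keys[i], x, m) for i, (x, m) in enumerate(receiver))

    # Authenticated XOR: sender derives the key for x0 XOR x1 as K0 XOR K1.
    x01, m01 = xor_authenticated(receiver[0], receiver[1])
    ok_xor = check_mac(delta, keys[0] ^ keys[1], x01, m01)

    # Opening a different bit with the same MAC: fails unless Delta == 0.
    x0, m0 = receiver[0]
    forged_ok = check_mac(delta, keys[0], x0 ^ 1, m0)

    return ok_all, ok_xor, forged_ok, x01 == bits[0] ^ bits[1]


if __name__ == "__main__":
    print(demo())
```

The last check is the property the MACs are for: since M ⊕ Δ would be needed to open the flipped bit and the receiver never sees Δ, a changed bit is caught. What the simulation cannot show is the issue's actual concern, namely that a real base OT used as a COT gives no guarantee that a misbehaving party used consistent keys and correlations across the batch; that is what an actively secure COT such as KOS15 adds on top of this correlation.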