[MPC] Specify actively secure two-party authenticated bit protocol

[jschneider-bensch]

Specify the ~Ferret Correlated OT~ KOS15 correlated OT extension.

---

Original Issue

The main building block for n-party authenticated bits is the two-party authenticated bit protcol. The above diagram from the original TinyOT paper shows what basic building blocks are required, namely an oblivious transfer protocol and a secure equality check protocol. These are then used to build successively less leaky authenticated bit protocol LaBit, WaBit and finally aBit which has no leakage.

[jschneider-bensch]

Currently (as of #72) , the two-party bit authentication subprotocol uses the passively secure base OT directly as a correlated OT to authenticate bits between parties, i.e. it does not implement active security countermeasures against cheating. If active security for the whole protocol is required, then fundamentally the bit authentication must also provide active security.

A point to note here is that AFAICT, contrary to the prevailing description of the MPC engine in the paper, this would require all authenticated shares (and therefore all authenticated bits) to be computed upfront all at once instead of being able to iteratively call the bit authentication protocol on demand. This change would also improve performance since malicious security checks would only be performed once for the whole batch of bit authentications, cf. #73.

[franziskuskiefer]

Moved this back to backlog for this month

[jschneider-bensch]

As KOS15, a building block of the Ferret OT extension, is itself a correlated OT extension it makes sense to specify as a baseline actively secure COT extension. In case we ultimately decide to implement Ferret on top, we need it anyway, otherwise it itself can be used in the actively secure two-party bit authentication spec.