Closed (th4s closed this 4 months ago)
After thinking more about this, I think that it is not possible to reuse an OT for a Random OLE. What you get is not a random OLE but a correlated OLE. I think it is safer for us to take a step back and not to have the `Initialize`, `Extend` calls and also not to use PRGs for the ROLE construction (for RVOLE and VOLE it works).
Note that this is not too bad for us, since we use an OT extension and basically start with a very large pre-distributed number of random OTs already. So it should not matter too much that we need random OTs for every ROLE.
Currently there is an issue in the ROLE protocol.

A malicious `P_A` can send `e_k = e` in every `Extend_k` call. Because `f` is fixed, and `b_k = e_k + f`, this will also fix `b_k = b = e + f`. Thus it is no longer a random OLE. This is detectable by `P_B` since `e_k` is public. But this does not fix it, because in the end `P_A` can enforce an arbitrary distribution of `e_k` which might look random, but isn't. And the fact that `f` is fixed means that the output `b_k` will only be the distribution of `e_k` shifted by `f`.

EDIT: I do not think that there is a fix for that, so this PR restores the ROLE construction to the original idea, without using PRGs.