# Ginny & Evan: single AND gate
This notebook walks through the classical Yao garbled AND example from Section 1.1 of Sophia Yakoubov’s “A Gentle Introduction to Yao’s Garbled Circuits” ([PDF](https://web.mit.edu/sonka89/www/papers/2017ygc.pdf)). It shows how Ginny garbles a single AND gate, how labels are delivered first with a toy OT and then with a simple secp256k1 + SHA-256 OT, how Evan evaluates once, and how the output label is returned and decoded. Semi-honest only; includes a note on an optional OR-proof to prevent `(pk, pk)` cheating.

In [2]:
:dep rand = "0.8"
:dep sha2 = "0.10"
:dep base64 = "0.21"
:dep k256 = "0.13"
:dep once_cell = "1"

use std::sync::{Mutex, MutexGuard};
use once_cell::sync::Lazy;
use rand::{rngs::StdRng, seq::SliceRandom, Rng, RngCore, SeedableRng};
use sha2::{Digest, Sha256};
use base64::{engine::general_purpose::STANDARD_NO_PAD as B64, Engine};
use k256::{elliptic_curve::{sec1::ToEncodedPoint, Field, Group}, EncodedPoint, ProjectivePoint, Scalar};

static RNG: Lazy<Mutex<StdRng>> = Lazy::new(|| Mutex::new(StdRng::seed_from_u64(1)));

fn rng() -> MutexGuard<'static, StdRng> {
    RNG.lock().expect("rng poisoned")
}

#[derive(Clone, Debug)]
struct WireLabels {
    zero: [u8; 16],
    one: [u8; 16],
}

fn rand_label() -> [u8; 16] {
    let mut bytes = [0u8; 16];
    let mut r = rng();
    r.fill_bytes(&mut bytes);
    bytes
}

fn h(k1: &[u8], k2: &[u8]) -> [u8; 32] {
    let mut hasher = Sha256::new();
    hasher.update(k1);
    hasher.update(k2);
    hasher.finalize().into()
}

fn encrypt(key: &[u8; 32], msg: &[u8; 16]) -> [u8; 16] {
    let mut out = [0u8; 16];
    for i in 0..16 {
        out[i] = msg[i] ^ key[i];
    }
    out
}

fn hash_point(pt: &ProjectivePoint) -> [u8; 32] {
    let mut hasher = Sha256::new();
    let enc: EncodedPoint = pt.to_affine().to_encoded_point(false);
    hasher.update(enc.as_bytes());
    hasher.finalize().into()
}

fn xor_label(key: &[u8; 32], label: &[u8; 16]) -> [u8; 16] {
    let mut out = [0u8; 16];
    for i in 0..16 {
        out[i] = label[i] ^ key[i];
    }
    out
}

type Cipher = [u8; 16];

Garbled AND gate:

In [3]:
struct GarbledAnd {
    table: Vec<Cipher>,
    out_labels: WireLabels,
    input_a: WireLabels,
    input_b: WireLabels,
}

// Construct one garbled AND gate from fresh labels, shuffling the table.
fn garble_and() -> GarbledAnd {
    let input_a = WireLabels {
        zero: rand_label(),
        one: rand_label(),
    };
    let input_b = WireLabels {
        zero: rand_label(),
        one: rand_label(),
    };
    let out_labels = WireLabels {
        zero: rand_label(),
        one: rand_label(),
    };

    let mut table = Vec::new();
    for a in 0..=1 {
        for b in 0..=1 {
            let key = h(
                if a == 0 { &input_a.zero } else { &input_a.one },
                if b == 0 { &input_b.zero } else { &input_b.one },
            );
            let out = if (a & b) == 1 {
                &out_labels.one
            } else {
                &out_labels.zero
            };
            table.push(encrypt(&key, out));
        }
    }

    {
        let mut r = rng();
        table.shuffle(&mut *r);
    }

    GarbledAnd {
        table,
        out_labels,
        input_a,
        input_b,
    }
}

In [4]:
// Generate one garbled AND gate instance.
let garbled = garble_and();
println!("Garbled AND generated; ready to evaluate in the next cell.");


Garbled AND generated; ready to evaluate in the next cell.


Inspect the garbled table before any party chooses inputs.


In [5]:
{
    println!("Ciphertexts (shuffled, base64) before inputs are chosen:");
    for (i, ct) in garbled.table.iter().enumerate() {
        println!("  row {i}: `{}`", B64.encode(ct));
    }

    println!("\nInput labels (base64) known to both parties (via OT/pre-share):");
    println!("  Ginny g=0: `{}`", B64.encode(garbled.input_a.zero));
    println!("  Ginny g=1: `{}`", B64.encode(garbled.input_a.one));
    println!("  Evan  e=0: `{}`", B64.encode(garbled.input_b.zero));
    println!("  Evan  e=1: `{}`", B64.encode(garbled.input_b.one));
}


Ciphertexts (shuffled, base64) before inputs are chosen:


  row 0: `BSluLup0quDMeWNH8/glMA`


  row 1: `0yVtZqtH/mXzbNli2tK5iQ`


  row 2: `FWNvNZ6z2eIS+e4b1/3Nsg`


  row 3: `JEnqXL82rT+XDltbLrew+g`





Input labels (base64) known to both parties (via OT/pre-share):


  Ginny g=0: `YRgw02QaaPlKaQ3MJdH0sA`


  Ginny g=1: `2slIMlrBj23TJWQ3FzXzLA`


  Evan  e=0: `VHQ9xeJNKkE7FZWEwSJt9g`


  Evan  e=1: `7M/EyqjNe2PHy1b/Zs1gtQ`


()

Ginny now chooses a label; we assume a secure, authenticated channel when she sends it to Evan.

In [6]:
let ginny_pref: u8 = {
    let mut r = rng();
    if r.gen_bool(0.5) { 1 } else { 0 }
}; // Ginny decides now
let ginny_label: [u8; 16] = if ginny_pref == 0 {
    garbled.input_a.zero
} else {
    garbled.input_a.one
};

// Secure, authenticated channel is assumed; send Ginny's chosen label directly.
println!("Ginny preference g={ginny_pref}; sending label over the secure channel:");
println!("  label (base64): `{}`", B64.encode(ginny_label));
println!("Evan receives the correct Ginny label over the secure channel.");

Ginny preference g=0; sending label over the secure channel:


  label (base64): `YRgw02QaaPlKaQ3MJdH0sA`


Evan receives the correct Ginny label over the secure channel.


Oblivious transfer (toy demo; real protocols hide Evan’s choice and the unchosen label). Evan inputs his bit `e`; Ginny holds both Evan labels and uses OT to deliver only the chosen one.


In [7]:
fn toy_ot(sender_l0: &[u8; 16], sender_l1: &[u8; 16], choice: u8) -> [u8; 16] {
    // Toy/semi-honest only: just returns the chosen label; does not hide choice or the other label.
    if choice == 0 {
        *sender_l0
    } else {
        *sender_l1
    }
}

// Evan picks his bit and obtains the matching label via the toy OT.
let evan_pref: u8 = {
    let mut r = rng();
    if r.gen_bool(0.5) { 1 } else { 0 }
};
let evan_label = toy_ot(&garbled.input_b.zero, &garbled.input_b.one, evan_pref);
println!("Evan preference e={evan_pref}; OT delivers his input label:");
println!("  label (base64): `{}`", B64.encode(evan_label));

Evan preference e=0; OT delivers his input label:


  label (base64): `VHQ9xeJNKkE7FZWEwSJt9g`


Oblivious transfer (toy demo; real protocols hide Evan’s choice and the unchosen label). Evan inputs his bit `e`; Ginny holds both Evan labels and uses OT to deliver only the chosen one. **This toy OT leaks Evan’s choice to Ginny**, but assume she learns nothing here—we’ll introduce a proper, secure OT later.

In [8]:
// Evan evaluates once using his label and Ginny's label; keep the output label/bit for sending back.
let mut evan_output_label: Option<[u8; 16]> = None;
let mut evan_output_bit: Option<u8> = None;
{
    let key = h(&ginny_label, &evan_label);
    for ct in &garbled.table {
        let out = encrypt(&key, ct);
        if out == garbled.out_labels.zero {
            evan_output_label = Some(out);
            evan_output_bit = Some(0);
            break;
        }
        if out == garbled.out_labels.one {
            evan_output_label = Some(out);
            evan_output_bit = Some(1);
            break;
        }
    }
}
let evan_output_label = evan_output_label.expect("no matching row decrypted");
let evan_output_bit = evan_output_bit.expect("no matching bit decrypted");
println!("Recovered AND result: g={} ∧ e={} -> {}", ginny_pref, evan_pref, evan_output_bit);


Recovered AND result: g=0 ∧ e=0 -> 0


Evan sends the decrypted output label back to Ginny.


In [9]:
// Evan sends the output label to Ginny (no re-computation).
println!("Evan sends output label to Ginny (base64): `{}`", B64.encode(evan_output_label));


Evan sends output label to Ginny (base64): `prOzHBw/NYXqiOUnqBmwYg`


Ginny maps the returned label to a bit using her output-label map.


In [10]:
// Ginny decodes the label she received.
{
    let ginny_decoded = if evan_output_label == garbled.out_labels.zero { 0 } else { 1 };
    println!("Ginny maps the label to bit: {}", ginny_decoded);
    assert_eq!(ginny_decoded, evan_output_bit);
}


Ginny maps the label to bit: 0


()

### Simple secure 1-of-2 OT (secp256k1 + SHA-256)
Let's revisit our toy OT and use something more secure. We now split the steps into explicit sender/receiver phases for one bit.

Sender/receiver summary: the sender holds both labels; the receiver picks one bit.

Secure OT flow steps:
1) Sender samples an offset `D = d·G` and publishes it.
2) Receiver samples a keypair, embeds their choice into `(pk, pk + D)`, and sends those to the sender.
3) Sender encrypts both labels to `(pk, pk + D)` using fresh randomness, returning two ciphertexts with their `R` points.
4) Receiver decrypts only the chosen ciphertext using their secret key. The sender cannot tell which one was chosen.

This remains semi-honest and uses only secp256k1 ECDH plus SHA-256; no OT extension is needed for a single bit.

In [11]:
// Deterministic OT helpers using seeded RNG
#[derive(Clone, Debug)]
struct SenderOffset {
    point: ProjectivePoint,
    bytes: EncodedPoint,
}

#[derive(Clone, Debug)]
struct SenderCiphertexts {
    r0: ProjectivePoint,
    c0: [u8; 16],
    r1: ProjectivePoint,
    c1: [u8; 16],
}

#[derive(Clone, Debug)]
struct ReceiverState {
    sk: Scalar,
    choice: u8,
}

fn ot_sender_offset() -> SenderOffset {
    // Sender picks D = d·G once per OT and publishes it.
    let mut r = rng();
    let d = Scalar::random(&mut *r);
    drop(r);
    let point = ProjectivePoint::GENERATOR * &d;
    let bytes: EncodedPoint = point.to_affine().to_encoded_point(false);
    SenderOffset { point, bytes }
}

fn ot_receiver_choose(
    d_point: &ProjectivePoint,
    choice: u8,
    ) -> (ReceiverState, ProjectivePoint, ProjectivePoint, EncodedPoint, EncodedPoint) {
    // Receiver picks a keypair and embeds the choice bit into (pk, pk_plus_d).
    let g = ProjectivePoint::GENERATOR;
    let mut r = rng();
    let sk = Scalar::random(&mut *r);
    drop(r);
    let pk = g * &sk;
    let (pk_base, pk_plus_d) = if choice == 0 { (pk, pk + d_point) } else { (pk + d_point, pk) };
    let pk_base_bytes: EncodedPoint = pk_base.to_affine().to_encoded_point(false);
    let pk_plus_d_bytes: EncodedPoint = pk_plus_d.to_affine().to_encoded_point(false);
    (
        ReceiverState { sk, choice },
        pk_base,
        pk_plus_d,
        pk_base_bytes,
        pk_plus_d_bytes,
    )
}

fn ot_sender_encrypt(
    label0: [u8; 16],
    label1: [u8; 16],
    pk_base: &ProjectivePoint,
    pk_plus_d: &ProjectivePoint,
    ) -> SenderCiphertexts {
    // Sender encrypts both labels to the two public keys using fresh randomness.
    let g = ProjectivePoint::GENERATOR;

    let mut r = rng();
    let r0_s = Scalar::random(&mut *r);
    let r1_s = Scalar::random(&mut *r);
    drop(r);

    let r0 = g * &r0_s;
    let k0 = hash_point(&(pk_base * &r0_s));
    let c0 = xor_label(&k0, &label0);

    let r1 = g * &r1_s;
    let k1 = hash_point(&(pk_plus_d * &r1_s));
    let c1 = xor_label(&k1, &label1);

    SenderCiphertexts { r0, c0, r1, c1 }
}

fn ot_receiver_decrypt(state: &ReceiverState, cts: &SenderCiphertexts) -> [u8; 16] {
    // Receiver can decrypt only the chosen ciphertext using their secret key.
    let (r, c) = if state.choice == 0 { (&cts.r0, &cts.c0) } else { (&cts.r1, &cts.c1) };
    let k = hash_point(&(r * &state.sk));
    xor_label(&k, c)
}

Ginny (the sender) cannot see Evan’s (the receiver) choice, and Evan learns only one label. Ginny did create both labels, so she knows which raw value is `e=0` vs `e=1`, but OT hides which one Evan actually receives—as long as he never shows her his input label.

**Demo steps:** we run the secure OT in four messages and print each intermediate object. The receiver’s choice stays hidden, but we show the public data for teaching.

Step 1 (sender): publish a fresh random offset `D = d·G` and send it to the receiver. This point is public and used to embed the choice later.

In [12]:
let offset = ot_sender_offset();
let d_point = offset.point.clone();
println!("Sender offset D (uncompressed, base64): `{}`", B64.encode(offset.bytes.as_bytes()));

Sender offset D (uncompressed, base64): `BIUIX5SqFWLbtn2sNdGv8MbZmcc+HAQEoWz7SwJSJPaa6gZDLHlYiUp8mQnOK2yMh4oiePxUuXMa+/KIfVw7Z7k`


Step 2 (receiver): sample a fresh keypair `(sk, pk)`, derive `pk + D`, and send both keys in an order that encodes the choice bit: choice 0 → `(pk, pk + D)`, choice 1 → `(pk + D, pk)`. Ginny sees two ordinary public keys and cannot tell which one was shifted. We print both public keys in uncompressed base64.

Cheating note: if Evan sent `(pk, pk)`, he could decrypt both. A malicious-secure OT variant would add a consistency check (e.g., an OR-proof that either `pk1 - pk0 = D` or `pk0 - pk1 = D`) to stop that, but this demo stays semi-honest.

**Ginny’s view (what the sender knows/sees):**

```
D = d·G (known to Ginny)
|
| publishes to Evan
v
{ pk , pk + D }  (unordered; Ginny can’t tell which is shifted)
  |         |
  |         +-- encrypt -> (R1, c1)
  +------------ encrypt -> (R0, c0)
```

- Public offset: `D = d·G` (she also knows the secret scalar `d`).
- Two receiver points: an unordered pair `{pk, pk + D}` (she cannot tell which is shifted).
- Her own labels: `(label0, label1)` for Evan.
- What she does *not* know: Evan’s choice bit, Evan’s secret key `sk`, or which point is the base vs shifted.
- What she sends: two ciphertext tuples `(R0, c0)` to one point and `(R1, c1)` to the other, derived independently with fresh randomness.

She knows d and D, sees the two points, but not which is base vs shifted, and never sees sk or the choice.

**Evan’s view (this run):**

Receiver choice bit (printed above): e = 0 → he chose the base key `pk`.

```
Ginny sent ciphertexts bound to the two public keys:
  pk      -> (R0, c0)
  pk + D  -> (R1, c1)

Evan uses his one secret key sk (no +D applied by him):
  k = H(sk · R0); decrypts c0 -> label
  c1 stays garbage
```

Because e=0 in this run, only `(R0, c0)` decrypts; `(R1, c1)` remains unintelligible.

In [13]:
// Step 2 (receiver): embed choice into (pk, pk_plus_d) and send to sender.
let (receiver_state, pk, pk_plus_d, _, _) = ot_receiver_choose(&d_point, evan_pref);
let pk_bytes: EncodedPoint = pk.to_affine().to_encoded_point(false);
let pk_plus_d_bytes: EncodedPoint = pk_plus_d.to_affine().to_encoded_point(false);
println!("Receiver choice bit e={evan_pref}");
println!("pk (base, uncompressed, base64): `{}`", B64.encode(pk_bytes.as_bytes()));
println!("pk_plus_d (shifted, uncompressed, base64): `{}`", B64.encode(pk_plus_d_bytes.as_bytes()));

Receiver choice bit e=0


pk (base, uncompressed, base64): `BIUIX5SqFWLbtn2sNdGv8MbZmcc+HAQEoWz7SwJSJPaa6gZDLHlYiUp8mQnOK2yMh4oiePxUuXMa+/KIfVw7Z7k`


pk_plus_d (shifted, uncompressed, base64): `BIVGfSBUa5HzS1P4GXsPgt81gvvvV4YuQOcbJ3xblYQFXZ+P5A9Hqr8xYgPlZuJOGadyjMAhG6U4/Hc/T5T+FoA`


Step 3 (sender): encrypt both labels to `(pk, pk + D)` using fresh per-ciphertext randomness `r0_s`/`r1_s`. These are ephemeral DH secrets to derive one-time keys (R = r·G, k = H(pk·r)), keeping each ciphertext unlinkable even if the receiver reuses their keypair. We print the two ciphertexts and their R values (uncompressed base64).

In [14]:
// Step 3 (sender): encrypt both labels to (pk, pk_plus_d).
let sender_cts = {
    let cts = ot_sender_encrypt(garbled.input_b.zero, garbled.input_b.one, &pk, &pk_plus_d);
    let r0_bytes: EncodedPoint = cts.r0.to_affine().to_encoded_point(false);
    let r1_bytes: EncodedPoint = cts.r1.to_affine().to_encoded_point(false);

    let r0_b64 = B64.encode(r0_bytes.as_bytes());
    let r1_b64 = B64.encode(r1_bytes.as_bytes());
    let c0_b64 = B64.encode(cts.c0);
    let c1_b64 = B64.encode(cts.c1);
    let short = |s: &str, n: usize| s.chars().take(n).collect::<String>();

    println!("Cipher for pk (e=0): R={}..., c={}...", short(&r0_b64, 24), short(&c0_b64, 16));
    println!("Cipher for pk_plus_d (e=1): R={}..., c={}...", short(&r1_b64, 24), short(&c1_b64, 16));
    cts
};

Cipher for pk (e=0): R=BIUIX5SqFWLbtn2sNdGv8MbZ..., c=6lbvV51qaGUEqz9T...


Cipher for pk_plus_d (e=1): R=BBF2OT1f7Ha2gTOGthdoCXYF..., c=NhbJs3CJw0/wNFOq...


Step 4 (receiver): decrypt only the chosen ciphertext with the receiver’s secret key.


In [15]:
// Step 4 (receiver): decrypt only the chosen ciphertext.
let evan_secure_label = ot_receiver_decrypt(&receiver_state, &sender_cts);
println!("Receiver recovers label for e={evan_pref} (base64, keep private): `{}`", B64.encode(evan_secure_label));
assert_eq!(evan_secure_label, if evan_pref == 0 { garbled.input_b.zero } else { garbled.input_b.one });

Receiver recovers label for e=0 (base64, keep private): `VHQ9xeJNKkE7FZWEwSJt9g`


For larger circuits, if you only need a handful of bits and speed is not a concern, just run the four-step OT (offset, choose, encrypt, decrypt) separately for each bit.
- Fresh randomness each time; do not reuse keys or offsets across runs.
- Cost scales linearly with the number of bits (one public-key OT per bit), but privacy and correctness stay the same under the semi-honest assumption.
- OT extension only matters when you need many OTs and want to amortize the public-key work with fast symmetric crypto.

### Optional: OR-proof to stop `(pk, pk)` cheating

For the purpose of understanding BitVM3 we don't need this. The following is completely unverified.

Idea: receiver proves that the submitted pair encodes a valid shift by the published offset `D`, without revealing which key is shifted. Statements:
- S₀: `pk1 - pk0 = D` (pk0 base, pk1 shifted)
- S₁: `pk0 - pk1 = D` (pk1 base, pk0 shifted)

Use a standard Σ-protocol OR-proof from Chaum–Pedersen equality-of-discrete-log proofs, made non-interactive with Fiat–Shamir:
1) Build a real CP transcript for the true statement; simulate the other.
2) Hash all public values to one challenge; split it across the two branches (real + simulated).
3) Output both transcripts. Verifier checks both; soundness under DDH, zero-knowledge via simulation.

Cost: a few group elements + scalars. This notebook stays semi-honest; add this only if you need malicious security.

References: Chaum–Pedersen (Eurocrypt ’92); Cramer–Damgård–Schoenmakers OR-proofs (CRYPTO ’94); Fiat–Shamir (1986) for NIZK via hashing.