diff --git a/crates/mpz-core/src/ggm_tree.rs b/crates/mpz-core/src/ggm_tree.rs
index 913fffb6..840efcc6 100644
--- a/crates/mpz-core/src/ggm_tree.rs
+++ b/crates/mpz-core/src/ggm_tree.rs
@@ -32,33 +32,35 @@ impl GgmTree {
         assert_eq!(k0.len(), self.depth);
         assert_eq!(k1.len(), self.depth);
         let mut buf = [Block::ZERO; 8];
-        self.tkprp.expand_1to2(tree, seed);
-        k0[0] = tree[0];
-        k1[0] = tree[1];
+        if self.depth > 1 {
+            self.tkprp.expand_1to2(tree, seed);
+            k0[0] = tree[0];
+            k1[0] = tree[1];
 
-        self.tkprp.expand_2to4(&mut buf, tree);
-        k0[1] = buf[0] ^ buf[2];
-        k1[1] = buf[1] ^ buf[3];
-        tree[0..4].copy_from_slice(&buf[0..4]);
-
-        for h in 2..self.depth {
-            k0[h] = Block::ZERO;
-            k1[h] = Block::ZERO;
-
-            // How many nodes there are in this layer
-            let sz = 1 << h;
-            for i in (0..=sz - 4).rev().step_by(4) {
-                self.tkprp.expand_4to8(&mut buf, &tree[i..]);
-                k0[h] ^= buf[0];
-                k0[h] ^= buf[2];
-                k0[h] ^= buf[4];
-                k0[h] ^= buf[6];
-                k1[h] ^= buf[1];
-                k1[h] ^= buf[3];
-                k1[h] ^= buf[5];
-                k1[h] ^= buf[7];
+            self.tkprp.expand_2to4(&mut buf, tree);
+            k0[1] = buf[0] ^ buf[2];
+            k1[1] = buf[1] ^ buf[3];
+            tree[0..4].copy_from_slice(&buf[0..4]);
 
-                tree[2 * i..2 * i + 8].copy_from_slice(&buf);
+            for h in 2..self.depth {
+                k0[h] = Block::ZERO;
+                k1[h] = Block::ZERO;
+
+                // How many nodes there are in this layer
+                let sz = 1 << h;
+                for i in (0..=sz - 4).rev().step_by(4) {
+                    self.tkprp.expand_4to8(&mut buf, &tree[i..]);
+                    k0[h] ^= buf[0];
+                    k0[h] ^= buf[2];
+                    k0[h] ^= buf[4];
+                    k0[h] ^= buf[6];
+                    k1[h] ^= buf[1];
+                    k1[h] ^= buf[3];
+                    k1[h] ^= buf[5];
+                    k1[h] ^= buf[7];
+
+                    tree[2 * i..2 * i + 8].copy_from_slice(&buf);
+                }
             }
         }
     }
diff --git a/crates/mpz-core/src/lpn.rs b/crates/mpz-core/src/lpn.rs
index 2543fdb2..26d44a07 100644
--- a/crates/mpz-core/src/lpn.rs
+++ b/crates/mpz-core/src/lpn.rs
@@ -113,7 +113,7 @@ impl<const D: usize> LpnEncoder<D> {
 }
 
 /// Lpn paramters
-#[derive(Copy, Clone, Debug)]
+#[derive(Copy, Clone, Debug, Default)]
 pub struct LpnParameters {
     /// The length of output vecotrs.
     pub n: usize,
diff --git a/crates/mpz-garble-core/benches/garble.rs b/crates/mpz-garble-core/benches/garble.rs
index 143b0adb..c720bf01 100644
--- a/crates/mpz-garble-core/benches/garble.rs
+++ b/crates/mpz-garble-core/benches/garble.rs
@@ -1,83 +1,39 @@
 use criterion::{black_box, criterion_group, criterion_main, Criterion};
 use mpz_circuits::circuits::AES128;
-use mpz_garble_core::{ChaChaEncoder, Encoder, Evaluator, Generator};
+use mpz_garble_core::{ChaChaEncoder, Encoder, Generator};
 
 fn criterion_benchmark(c: &mut Criterion) {
-    let mut gb_group = c.benchmark_group("garble");
+    let mut group = c.benchmark_group("garble_circuits");
 
     let encoder = ChaChaEncoder::new([0u8; 32]);
-    let full_inputs = AES128
+    let inputs = AES128
         .inputs()
         .iter()
         .map(|value| encoder.encode_by_type(0, &value.value_type()))
         .collect::<Vec<_>>();
-
-    let active_inputs = vec![
-        full_inputs[0].clone().select([0u8; 16]).unwrap(),
-        full_inputs[1].clone().select([0u8; 16]).unwrap(),
-    ];
-
-    gb_group.bench_function("aes128", |b| {
-        let mut gen = Generator::default();
-        b.iter(|| {
-            let mut gen_iter = gen
-                .generate(&AES128, encoder.delta(), full_inputs.clone())
-                .unwrap();
-
-            let _: Vec<_> = gen_iter.by_ref().collect();
-
-            black_box(gen_iter.finish().unwrap())
-        })
-    });
-
-    gb_group.bench_function("aes128_batched", |b| {
-        let mut gen = Generator::default();
-        b.iter(|| {
-            let mut gen_iter = gen
-                .generate_batched(&AES128, encoder.delta(), full_inputs.clone())
-                .unwrap();
-
-            let _: Vec<_> = gen_iter.by_ref().collect();
-
-            black_box(gen_iter.finish().unwrap())
-        })
-    });
-
-    gb_group.bench_function("aes128_with_hash", |b| {
-        let mut gen = Generator::default();
+    group.bench_function("aes128", |b| {
         b.iter(|| {
-            let mut gen_iter = gen
-                .generate(&AES128, encoder.delta(), full_inputs.clone())
-                .unwrap();
-
-            gen_iter.enable_hasher();
+            let mut gen = Generator::new(AES128.clone(), encoder.delta(), &inputs).unwrap();
 
-            let _: Vec<_> = gen_iter.by_ref().collect();
+            let mut enc_gates = Vec::with_capacity(AES128.and_count());
+            for gate in gen.by_ref() {
+                enc_gates.push(gate);
+            }
 
-            black_box(gen_iter.finish().unwrap())
+            black_box(gen.outputs().unwrap())
         })
     });
-
-    drop(gb_group);
-
-    let mut ev_group = c.benchmark_group("evaluate");
-
-    ev_group.bench_function("aes128", |b| {
-        let mut gen = Generator::default();
-        let mut gen_iter = gen
-            .generate(&AES128, encoder.delta(), full_inputs.clone())
-            .unwrap();
-        let gates: Vec<_> = gen_iter.by_ref().collect();
-
-        let mut ev = Evaluator::default();
+    group.bench_function("aes128_with_hash", |b| {
         b.iter(|| {
-            let mut ev_consumer = ev.evaluate(&AES128, active_inputs.clone()).unwrap();
+            let mut gen =
+                Generator::new_with_hasher(AES128.clone(), encoder.delta(), &inputs).unwrap();
 
-            for gate in &gates {
-                ev_consumer.next(*gate);
+            let mut enc_gates = Vec::with_capacity(AES128.and_count());
+            for gate in gen.by_ref() {
+                enc_gates.push(gate);
             }
 
-            black_box(ev_consumer.finish().unwrap());
+            black_box(gen.outputs().unwrap())
         })
     });
 }
diff --git a/crates/mpz-garble-core/src/evaluator.rs b/crates/mpz-garble-core/src/evaluator.rs
index f503ef0e..5f28b0b9 100644
--- a/crates/mpz-garble-core/src/evaluator.rs
+++ b/crates/mpz-garble-core/src/evaluator.rs
@@ -1,16 +1,12 @@
-use core::fmt;
+use std::sync::Arc;
 
 use blake3::Hasher;
 
 use crate::{
     circuit::EncryptedGate,
     encoding::{state, EncodedValue, Label},
-    EncryptedGateBatch, DEFAULT_BATCH_SIZE,
-};
-use mpz_circuits::{
-    types::{BinaryRepr, TypeError},
-    Circuit, CircuitError, Gate,
 };
+use mpz_circuits::{types::TypeError, Circuit, CircuitError, Gate};
 use mpz_core::{
     aes::{FixedKeyAes, FIXED_KEY_AES},
     hash::Hash,
@@ -58,34 +54,57 @@ pub(crate) fn and_gate(
     Label::new(w_g ^ w_e)
 }
 
-/// Output of the evaluator.
-#[derive(Debug)]
-pub struct EvaluatorOutput {
-    /// Encoded outputs of the circuit.
-    pub outputs: Vec<EncodedValue<state::Active>>,
-    /// Hash of the encrypted gates.
-    pub hash: Option<Hash>,
-}
-
-/// Garbled circuit evaluator.
-#[derive(Debug, Default)]
+/// Core evaluator type for evaluating a garbled circuit.
 pub struct Evaluator {
-    /// Buffer for the active labels.
-    buffer: Vec<Label>,
+    /// Cipher to use to encrypt the gates
+    cipher: &'static FixedKeyAes,
+    /// Circuit to evaluate
+    circ: Arc<Circuit>,
+    /// Active label state
+    active_labels: Vec<Option<Label>>,
+    /// Current position in the circuit
+    pos: usize,
+    /// Current gate id
+    gid: usize,
+    /// Whether the evaluator is finished
+    complete: bool,
+    /// Hasher to use to hash the encrypted gates
+    hasher: Option<Hasher>,
 }
 
 impl Evaluator {
-    /// Returns a consumer over the encrypted gates of a circuit.
+    /// Creates a new evaluator for the given circuit.
+    ///
+    /// # Arguments
+    ///
+    /// * `circ` - The circuit to evaluate.
+    /// * `inputs` - The inputs to the circuit.
+    pub fn new(
+        circ: Arc<Circuit>,
+        inputs: &[EncodedValue<state::Active>],
+    ) -> Result<Self, EvaluatorError> {
+        Self::new_with(circ, inputs, None)
+    }
+
+    /// Creates a new evaluator for the given circuit. Evaluator will compute
+    /// a hash of the encrypted gates while they are evaluated.
     ///
     /// # Arguments
     ///
     /// * `circ` - The circuit to evaluate.
-    /// * `inputs` - The input values to the circuit.
-    pub fn evaluate<'a>(
-        &'a mut self,
-        circ: &'a Circuit,
-        inputs: Vec<EncodedValue<state::Active>>,
-    ) -> Result<EncryptedGateConsumer<'_, std::slice::Iter<'_, Gate>>, EvaluatorError> {
+    /// * `inputs` - The inputs to the circuit.
+    pub fn new_with_hasher(
+        circ: Arc<Circuit>,
+        inputs: &[EncodedValue<state::Active>],
+    ) -> Result<Self, EvaluatorError> {
+        Self::new_with(circ, inputs, Some(Hasher::new()))
+    }
+
+    fn new_with(
+        circ: Arc<Circuit>,
+        inputs: &[EncodedValue<state::Active>],
+        hasher: Option<Hasher>,
+    ) -> Result<Self, EvaluatorError> {
         if inputs.len() != circ.inputs().len() {
             return Err(CircuitError::InvalidInputCount(
                 circ.inputs().len(),
@@ -93,12 +112,8 @@ impl Evaluator {
             ))?;
         }
 
-        // Expand the buffer to fit the circuit
-        if circ.feed_count() > self.buffer.len() {
-            self.buffer.resize(circ.feed_count(), Default::default());
-        }
-
-        for (encoded, input) in inputs.into_iter().zip(circ.inputs()) {
+        let mut active_labels: Vec<Option<Label>> = vec![None; circ.feed_count()];
+        for (encoded, input) in inputs.iter().zip(circ.inputs()) {
             if encoded.value_type() != input.value_type() {
                 return Err(TypeError::UnexpectedType {
                     expected: input.value_type(),
@@ -107,205 +122,111 @@ impl Evaluator {
             }
 
             for (label, node) in encoded.iter().zip(input.iter()) {
-                self.buffer[node.id()] = *label;
+                active_labels[node.id()] = Some(*label);
             }
         }
 
-        Ok(EncryptedGateConsumer::new(
-            circ.gates().iter(),
-            circ.outputs(),
-            &mut self.buffer,
-            circ.and_count(),
-        ))
-    }
-
-    /// Returns a consumer over batched encrypted gates of a circuit.
-    ///
-    /// # Arguments
-    ///
-    /// * `circ` - The circuit to evaluate.
-    /// * `inputs` - The input values to the circuit.
-    pub fn evaluate_batched<'a>(
-        &'a mut self,
-        circ: &'a Circuit,
-        inputs: Vec<EncodedValue<state::Active>>,
-    ) -> Result<EncryptedGateBatchConsumer<'_, std::slice::Iter<'_, Gate>>, EvaluatorError> {
-        self.evaluate(circ, inputs).map(EncryptedGateBatchConsumer)
-    }
-}
-
-/// Consumer over the encrypted gates of a circuit.
-pub struct EncryptedGateConsumer<'a, I: Iterator> {
-    /// Cipher to use to encrypt the gates.
-    cipher: &'static FixedKeyAes,
-    /// Buffer for the active labels.
-    labels: &'a mut [Label],
-    /// Iterator over the gates.
-    gates: I,
-    /// Circuit outputs.
-    outputs: &'a [BinaryRepr],
-    /// Current gate id.
-    gid: usize,
-    /// Hasher to use to hash the encrypted gates.
-    hasher: Option<Hasher>,
-    /// Number of AND gates evaluated.
-    counter: usize,
-    /// Total number of AND gates in the circuit.
-    and_count: usize,
-    /// Whether the entire circuit has been garbled.
-    complete: bool,
-}
-
-impl<'a, I: Iterator> fmt::Debug for EncryptedGateConsumer<'a, I> {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        write!(f, "EncryptedGateConsumer {{ .. }}")
-    }
-}
-
-impl<'a, I> EncryptedGateConsumer<'a, I>
-where
-    I: Iterator<Item = &'a Gate>,
-{
-    fn new(gates: I, outputs: &'a [BinaryRepr], labels: &'a mut [Label], and_count: usize) -> Self {
-        Self {
+        let mut ev = Self {
             cipher: &(*FIXED_KEY_AES),
-            gates,
-            outputs,
-            labels,
+            circ,
+            active_labels,
+            pos: 0,
             gid: 1,
-            hasher: None,
-            counter: 0,
-            and_count,
             complete: false,
+            hasher,
+        };
+
+        // If circuit has no AND gates we can evaluate it immediately for cheap
+        if ev.circ.and_count() == 0 {
+            ev.evaluate(std::iter::empty());
         }
-    }
 
-    /// Enables hashing of the encrypted gates.
-    pub fn enable_hasher(&mut self) {
-        self.hasher = Some(Hasher::new());
+        Ok(ev)
     }
 
-    /// Returns `true` if the evaluator wants more encrypted gates.
+    /// Evaluates the next batch of encrypted gates.
     #[inline]
-    pub fn wants_gates(&self) -> bool {
-        self.counter != self.and_count
-    }
+    pub fn evaluate<'a>(&mut self, mut encrypted_gates: impl Iterator<Item = &'a EncryptedGate>) {
+        let labels = &mut self.active_labels;
 
-    /// Evaluates the next encrypted gate in the circuit.
-    #[inline]
-    pub fn next(&mut self, encrypted_gate: EncryptedGate) {
-        while let Some(gate) = self.gates.next() {
-            match gate {
+        // Process gates until we run out of encrypted gates
+        while self.pos < self.circ.gates().len() {
+            match &self.circ.gates()[self.pos] {
+                Gate::Inv {
+                    x: node_x,
+                    z: node_z,
+                } => {
+                    let x = labels[node_x.id()].expect("feed should be initialized");
+                    labels[node_z.id()] = Some(x);
+                }
                 Gate::Xor {
                     x: node_x,
                     y: node_y,
                     z: node_z,
                 } => {
-                    let x = self.labels[node_x.id()];
-                    let y = self.labels[node_y.id()];
-                    self.labels[node_z.id()] = x ^ y;
+                    let x = labels[node_x.id()].expect("feed should be initialized");
+                    let y = labels[node_y.id()].expect("feed should be initialized");
+                    labels[node_z.id()] = Some(x ^ y);
                 }
                 Gate::And {
                     x: node_x,
                     y: node_y,
                     z: node_z,
                 } => {
-                    let x = self.labels[node_x.id()];
-                    let y = self.labels[node_y.id()];
-                    let z = and_gate(self.cipher, &x, &y, &encrypted_gate, self.gid);
-                    self.labels[node_z.id()] = z;
-
-                    self.gid += 2;
-                    self.counter += 1;
-
-                    if let Some(hasher) = &mut self.hasher {
-                        hasher.update(&encrypted_gate.to_bytes());
-                    }
-
-                    // If we have more AND gates to evaluate, return.
-                    if self.wants_gates() {
+                    if let Some(encrypted_gate) = encrypted_gates.next() {
+                        if let Some(hasher) = &mut self.hasher {
+                            hasher.update(&encrypted_gate.to_bytes());
+                        }
+
+                        let x = labels[node_x.id()].expect("feed should be initialized");
+                        let y = labels[node_y.id()].expect("feed should be initialized");
+                        let z = and_gate(self.cipher, &x, &y, encrypted_gate, self.gid);
+                        labels[node_z.id()] = Some(z);
+                        self.gid += 2;
+                    } else {
+                        // We ran out of encrypted gates, so we return until we get more
                         return;
                     }
                 }
-                Gate::Inv {
-                    x: node_x,
-                    z: node_z,
-                } => {
-                    let x = self.labels[node_x.id()];
-                    self.labels[node_z.id()] = x;
-                }
             }
+            self.pos += 1;
         }
 
         self.complete = true;
     }
 
-    /// Returns the encoded outputs of the circuit.
-    pub fn finish(mut self) -> Result<EvaluatorOutput, EvaluatorError> {
-        if self.wants_gates() {
-            return Err(EvaluatorError::NotFinished);
-        }
+    /// Returns whether the evaluator has finished evaluating the circuit.
+    pub fn is_complete(&self) -> bool {
+        self.complete
+    }
 
-        // If there were 0 AND gates in the circuit, we need to evaluate the "free" gates now.
-        if !self.complete {
-            self.next(Default::default());
+    /// Returns the active encoded outputs of the circuit.
+    pub fn outputs(&self) -> Result<Vec<EncodedValue<state::Active>>, EvaluatorError> {
+        if !self.is_complete() {
+            return Err(EvaluatorError::NotFinished);
         }
 
-        let outputs = self
-            .outputs
+        Ok(self
+            .circ
+            .outputs()
             .iter()
             .map(|output| {
-                let labels: Vec<Label> = output.iter().map(|node| self.labels[node.id()]).collect();
+                let labels: Vec<Label> = output
+                    .iter()
+                    .map(|node| self.active_labels[node.id()].expect("feed should be initialized"))
+                    .collect();
 
                 EncodedValue::<state::Active>::from_labels(output.value_type(), &labels)
                     .expect("encoding should be correct")
             })
-            .collect();
-
-        Ok(EvaluatorOutput {
-            outputs,
-            hash: self.hasher.as_ref().map(|hasher| {
-                let hash: [u8; 32] = hasher.finalize().into();
-                Hash::from(hash)
-            }),
-        })
-    }
-}
-
-/// Consumer returned by [`Evaluator::evaluate_batched`].
-#[derive(Debug)]
-pub struct EncryptedGateBatchConsumer<'a, I: Iterator, const N: usize = DEFAULT_BATCH_SIZE>(
-    EncryptedGateConsumer<'a, I>,
-);
-
-impl<'a, I, const N: usize> EncryptedGateBatchConsumer<'a, I, N>
-where
-    I: Iterator<Item = &'a Gate>,
-{
-    /// Enables hashing of the encrypted gates.
-    pub fn enable_hasher(&mut self) {
-        self.0.enable_hasher()
+            .collect())
     }
 
-    /// Returns `true` if the evaluator wants more encrypted gates.
-    pub fn wants_gates(&self) -> bool {
-        self.0.wants_gates()
-    }
-
-    /// Evaluates the next batch of gates in the circuit.
-    #[inline]
-    pub fn next(&mut self, batch: EncryptedGateBatch<N>) {
-        for encrypted_gate in batch.into_array() {
-            self.0.next(encrypted_gate);
-            if !self.0.wants_gates() {
-                // Skipping any remaining gates which may have been used to pad the last batch.
-                return;
-            }
-        }
-    }
-
-    /// Returns the encoded outputs of the circuit, and the hash of the encrypted gates if present.
-    pub fn finish(self) -> Result<EvaluatorOutput, EvaluatorError> {
-        self.0.finish()
+    /// Returns the hash of the encrypted gates.
+    pub fn hash(&self) -> Option<Hash> {
+        self.hasher.as_ref().map(|hasher| {
+            let hash: [u8; 32] = hasher.finalize().into();
+            Hash::from(hash)
+        })
     }
 }
diff --git a/crates/mpz-garble-core/src/generator.rs b/crates/mpz-garble-core/src/generator.rs
index cfcc99f9..37e0cdec 100644
--- a/crates/mpz-garble-core/src/generator.rs
+++ b/crates/mpz-garble-core/src/generator.rs
@@ -1,16 +1,12 @@
-use core::fmt;
+use std::sync::Arc;
 
 use blake3::Hasher;
 
 use crate::{
     circuit::EncryptedGate,
     encoding::{state, Delta, EncodedValue, Label},
-    EncryptedGateBatch, DEFAULT_BATCH_SIZE,
-};
-use mpz_circuits::{
-    types::{BinaryRepr, TypeError},
-    Circuit, CircuitError, Gate,
 };
+use mpz_circuits::{types::TypeError, Circuit, CircuitError, Gate};
 use mpz_core::{
     aes::{FixedKeyAes, FIXED_KEY_AES},
     hash::Hash,
@@ -67,36 +63,66 @@ pub(crate) fn and_gate(
     (z_0, EncryptedGate::new([t_g, t_e]))
 }
 
-/// Output of the generator.
-#[derive(Debug)]
-pub struct GeneratorOutput {
-    /// Encoded outputs of the circuit.
-    pub outputs: Vec<EncodedValue<state::Full>>,
-    /// Hash of the encrypted gates.
-    pub hash: Option<Hash>,
-}
-
-/// Garbled circuit generator.
-#[derive(Debug, Default)]
+/// Core generator type used to generate garbled circuits.
+///
+/// A generator is to be used as an iterator of encrypted gates. Each
+/// iteration will return the next encrypted gate in the circuit until the
+/// entire garbled circuit has been yielded.
 pub struct Generator {
-    /// Buffer for the 0-bit labels.
-    buffer: Vec<Label>,
+    /// Cipher to use to encrypt the gates
+    cipher: &'static FixedKeyAes,
+    /// Circuit to generate a garbled circuit for
+    circ: Arc<Circuit>,
+    /// Delta value to use while generating the circuit
+    delta: Delta,
+    /// The 0 bit labels for the garbled circuit
+    low_labels: Vec<Option<Label>>,
+    /// Current position in the circuit
+    pos: usize,
+    /// Current gate id
+    gid: usize,
+    /// Hasher to use to hash the encrypted gates
+    hasher: Option<Hasher>,
 }
 
 impl Generator {
-    /// Returns an iterator over the encrypted gates of a circuit.
+    /// Creates a new generator for the given circuit.
+    ///
+    /// # Arguments
+    ///
+    /// * `circ` - The circuit to generate a garbled circuit for.
+    /// * `delta` - The delta value to use.
+    /// * `inputs` - The inputs to the circuit.
+    pub fn new(
+        circ: Arc<Circuit>,
+        delta: Delta,
+        inputs: &[EncodedValue<state::Full>],
+    ) -> Result<Self, GeneratorError> {
+        Self::new_with(circ, delta, inputs, None)
+    }
+
+    /// Creates a new generator for the given circuit. Generator will compute a hash
+    /// of the encrypted gates while they are produced.
     ///
     /// # Arguments
     ///
-    /// * `circ` - The circuit to garble.
-    /// * `delta` - The delta value to use for garbling.
-    /// * `inputs` - The input values to the circuit.
-    pub fn generate<'a>(
-        &'a mut self,
-        circ: &'a Circuit,
+    /// * `circ` - The circuit to generate a garbled circuit for.
+    /// * `delta` - The delta value to use.
+    /// * `inputs` - The inputs to the circuit.
+    pub fn new_with_hasher(
+        circ: Arc<Circuit>,
+        delta: Delta,
+        inputs: &[EncodedValue<state::Full>],
+    ) -> Result<Self, GeneratorError> {
+        Self::new_with(circ, delta, inputs, Some(Hasher::new()))
+    }
+
+    fn new_with(
+        circ: Arc<Circuit>,
         delta: Delta,
-        inputs: Vec<EncodedValue<state::Full>>,
-    ) -> Result<EncryptedGateIter<'_, std::slice::Iter<'_, Gate>>, GeneratorError> {
+        inputs: &[EncodedValue<state::Full>],
+        hasher: Option<Hasher>,
+    ) -> Result<Self, GeneratorError> {
         if inputs.len() != circ.inputs().len() {
             return Err(CircuitError::InvalidInputCount(
                 circ.inputs().len(),
@@ -104,12 +130,8 @@ impl Generator {
             ))?;
         }
 
-        // Expand the buffer to fit the circuit
-        if circ.feed_count() > self.buffer.len() {
-            self.buffer.resize(circ.feed_count(), Default::default());
-        }
-
-        for (encoded, input) in inputs.into_iter().zip(circ.inputs()) {
+        let mut low_labels: Vec<Option<Label>> = vec![None; circ.feed_count()];
+        for (encoded, input) in inputs.iter().zip(circ.inputs()) {
             if encoded.value_type() != input.value_type() {
                 return Err(TypeError::UnexpectedType {
                     expected: input.value_type(),
@@ -118,189 +140,100 @@ impl Generator {
             }
 
             for (label, node) in encoded.iter().zip(input.iter()) {
-                self.buffer[node.id()] = *label;
+                low_labels[node.id()] = Some(*label);
             }
         }
 
-        Ok(EncryptedGateIter::new(
-            delta,
-            circ.gates().iter(),
-            circ.outputs(),
-            &mut self.buffer,
-            circ.and_count(),
-        ))
-    }
-
-    /// Returns an iterator over batched encrypted gates of a circuit.
-    ///
-    /// # Arguments
-    ///
-    /// * `circ` - The circuit to garble.
-    /// * `delta` - The delta value to use for garbling.
-    /// * `inputs` - The input values to the circuit.
-    pub fn generate_batched<'a>(
-        &'a mut self,
-        circ: &'a Circuit,
-        delta: Delta,
-        inputs: Vec<EncodedValue<state::Full>>,
-    ) -> Result<EncryptedGateBatchIter<'_, std::slice::Iter<'_, Gate>>, GeneratorError> {
-        self.generate(circ, delta, inputs)
-            .map(EncryptedGateBatchIter)
-    }
-}
-
-/// Iterator over encrypted gates of a garbled circuit.
-pub struct EncryptedGateIter<'a, I> {
-    /// Cipher to use to encrypt the gates.
-    cipher: &'static FixedKeyAes,
-    /// Global offset.
-    delta: Delta,
-    /// Buffer for the 0-bit labels.
-    labels: &'a mut [Label],
-    /// Iterator over the gates.
-    gates: I,
-    /// Circuit outputs.
-    outputs: &'a [BinaryRepr],
-    /// Current gate id.
-    gid: usize,
-    /// Hasher to use to hash the encrypted gates.
-    hasher: Option<Hasher>,
-    /// Number of AND gates generated.
-    counter: usize,
-    /// Number of AND gates in the circuit.
-    and_count: usize,
-    /// Whether the entire circuit has been garbled.
-    complete: bool,
-}
-
-impl<'a, I> fmt::Debug for EncryptedGateIter<'a, I> {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        write!(f, "EncryptedGateIter {{ .. }}")
-    }
-}
-
-impl<'a, I> EncryptedGateIter<'a, I>
-where
-    I: Iterator<Item = &'a Gate>,
-{
-    fn new(
-        delta: Delta,
-        gates: I,
-        outputs: &'a [BinaryRepr],
-        labels: &'a mut [Label],
-        and_count: usize,
-    ) -> Self {
-        Self {
+        Ok(Self {
             cipher: &(*FIXED_KEY_AES),
+            circ,
             delta,
-            gates,
-            outputs,
-            labels,
+            low_labels,
+            pos: 0,
             gid: 1,
-            hasher: None,
-            counter: 0,
-            and_count,
-            complete: false,
-        }
-    }
-
-    /// Enables hashing of the encrypted gates.
-    pub fn enable_hasher(&mut self) {
-        self.hasher = Some(Hasher::new());
+            hasher,
+        })
     }
 
-    /// Returns `true` if the generator has more encrypted gates to generate.
-    #[inline]
-    pub fn has_gates(&self) -> bool {
-        self.counter != self.and_count
+    /// Returns whether the generator has finished generating the circuit.
+    pub fn is_complete(&self) -> bool {
+        self.pos >= self.circ.gates().len()
     }
 
-    /// Returns the encoded outputs of the circuit, and the hash of the encrypted gates if present.
-    pub fn finish(mut self) -> Result<GeneratorOutput, GeneratorError> {
-        if self.has_gates() {
+    /// Returns the encoded outputs of the circuit.
+    pub fn outputs(&self) -> Result<Vec<EncodedValue<state::Full>>, GeneratorError> {
+        if !self.is_complete() {
             return Err(GeneratorError::NotFinished);
         }
 
-        // Finish computing any "free" gates.
-        if !self.complete {
-            assert_eq!(self.next(), None);
-        }
-
-        let outputs = self
-            .outputs
+        Ok(self
+            .circ
+            .outputs()
             .iter()
             .map(|output| {
-                let labels: Vec<Label> = output.iter().map(|node| self.labels[node.id()]).collect();
+                let labels: Vec<Label> = output
+                    .iter()
+                    .map(|node| self.low_labels[node.id()].expect("feed should be initialized"))
+                    .collect();
 
                 EncodedValue::<state::Full>::from_labels(output.value_type(), self.delta, &labels)
                     .expect("encoding should be correct")
             })
-            .collect();
+            .collect())
+    }
 
-        Ok(GeneratorOutput {
-            outputs,
-            hash: self.hasher.as_ref().map(|hasher| {
-                let hash: [u8; 32] = hasher.finalize().into();
-                Hash::from(hash)
-            }),
+    /// Returns the hash of the encrypted gates.
+    pub fn hash(&self) -> Option<Hash> {
+        self.hasher.as_ref().map(|hasher| {
+            let hash: [u8; 32] = hasher.finalize().into();
+            Hash::from(hash)
         })
     }
 }
 
-impl<'a, I> Iterator for EncryptedGateIter<'a, I>
-where
-    I: Iterator<Item = &'a Gate>,
-{
+impl Iterator for Generator {
     type Item = EncryptedGate;
 
     #[inline]
     fn next(&mut self) -> Option<Self::Item> {
-        while let Some(gate) = self.gates.next() {
+        let low_labels = &mut self.low_labels;
+        while let Some(gate) = self.circ.gates().get(self.pos) {
+            self.pos += 1;
             match gate {
+                Gate::Inv {
+                    x: node_x,
+                    z: node_z,
+                } => {
+                    let x_0 = low_labels[node_x.id()].expect("feed should be initialized");
+                    low_labels[node_z.id()] = Some(x_0 ^ self.delta);
+                }
                 Gate::Xor {
                     x: node_x,
                     y: node_y,
                     z: node_z,
                 } => {
-                    let x_0 = self.labels[node_x.id()];
-                    let y_0 = self.labels[node_y.id()];
-                    self.labels[node_z.id()] = x_0 ^ y_0;
+                    let x_0 = low_labels[node_x.id()].expect("feed should be initialized");
+                    let y_0 = low_labels[node_y.id()].expect("feed should be initialized");
+                    low_labels[node_z.id()] = Some(x_0 ^ y_0);
                 }
                 Gate::And {
                     x: node_x,
                     y: node_y,
                     z: node_z,
                 } => {
-                    let x_0 = self.labels[node_x.id()];
-                    let y_0 = self.labels[node_y.id()];
+                    let x_0 = low_labels[node_x.id()].expect("feed should be initialized");
+                    let y_0 = low_labels[node_y.id()].expect("feed should be initialized");
                     let (z_0, encrypted_gate) =
                         and_gate(self.cipher, &x_0, &y_0, &self.delta, self.gid);
-                    self.labels[node_z.id()] = z_0;
-
+                    low_labels[node_z.id()] = Some(z_0);
                     self.gid += 2;
-                    self.counter += 1;
 
                     if let Some(hasher) = &mut self.hasher {
                         hasher.update(&encrypted_gate.to_bytes());
                     }
 
-                    // If we have generated all AND gates, we can compute
-                    // the rest of the "free" gates.
-                    if !self.has_gates() {
-                        assert!(self.next().is_none());
-
-                        self.complete = true;
-                    }
-
                     return Some(encrypted_gate);
                 }
-                Gate::Inv {
-                    x: node_x,
-                    z: node_z,
-                } => {
-                    let x_0 = self.labels[node_x.id()];
-                    self.labels[node_z.id()] = x_0 ^ self.delta;
-                }
             }
         }
 
@@ -308,64 +241,10 @@ where
     }
 }
 
-/// Iterator returned by [`Generator::generate_batched`].
-#[derive(Debug)]
-pub struct EncryptedGateBatchIter<'a, I: Iterator, const N: usize = DEFAULT_BATCH_SIZE>(
-    EncryptedGateIter<'a, I>,
-);
-
-impl<'a, I, const N: usize> EncryptedGateBatchIter<'a, I, N>
-where
-    I: Iterator<Item = &'a Gate>,
-{
-    /// Enables hashing of the encrypted gates.
-    pub fn enable_hasher(&mut self) {
-        self.0.enable_hasher()
-    }
-
-    /// Returns `true` if the generator has more encrypted gates to generate.
-    pub fn has_gates(&self) -> bool {
-        self.0.has_gates()
-    }
-
-    /// Returns the encoded outputs of the circuit, and the hash of the encrypted gates if present.
-    pub fn finish(self) -> Result<GeneratorOutput, GeneratorError> {
-        self.0.finish()
-    }
-}
-
-impl<'a, I, const N: usize> Iterator for EncryptedGateBatchIter<'a, I, N>
-where
-    I: Iterator<Item = &'a Gate>,
-{
-    type Item = EncryptedGateBatch<N>;
-
-    #[inline]
-    fn next(&mut self) -> Option<Self::Item> {
-        if !self.has_gates() {
-            return None;
-        }
-
-        let mut batch = [EncryptedGate::default(); N];
-        let mut i = 0;
-        for gate in self.0.by_ref() {
-            batch[i] = gate;
-            i += 1;
-
-            if i == N {
-                break;
-            }
-        }
-
-        Some(EncryptedGateBatch::new(batch))
-    }
-}
-
 #[cfg(test)]
 mod tests {
     use crate::{ChaChaEncoder, Encoder};
-    use mpz_circuits::{circuits::AES128, CircuitBuilder};
-    use pretty_assertions::assert_eq;
+    use mpz_circuits::circuits::AES128;
 
     use super::*;
 
@@ -378,43 +257,14 @@ mod tests {
             .map(|input| encoder.encode_by_type(0, &input.value_type()))
             .collect();
 
-        let mut gen = Generator::default();
-        let mut gate_iter = gen.generate(&AES128, encoder.delta(), inputs).unwrap();
+        let mut gen = Generator::new_with_hasher(AES128.clone(), encoder.delta(), &inputs).unwrap();
 
-        let enc_gates: Vec<EncryptedGate> = gate_iter.by_ref().collect();
+        let enc_gates: Vec<EncryptedGate> = gen.by_ref().collect();
 
-        assert!(!gate_iter.has_gates());
+        assert!(gen.is_complete());
         assert_eq!(enc_gates.len(), AES128.and_count());
 
-        _ = gate_iter.finish().unwrap();
-    }
-
-    #[test]
-    fn test_generator_no_and() {
-        let encoder = ChaChaEncoder::new([0; 32]);
-
-        let builder = CircuitBuilder::new();
-        let a = builder.add_input::<u8>();
-        let b = builder.add_input::<u8>();
-
-        let c = a ^ b;
-        builder.add_output(c);
-
-        let circ = builder.build().unwrap();
-
-        let inputs: Vec<_> = circ
-            .inputs()
-            .iter()
-            .map(|input| encoder.encode_by_type(0, &input.value_type()))
-            .collect();
-
-        let mut gen = Generator::default();
-        let mut gate_iter = gen
-            .generate_batched(&circ, encoder.delta(), inputs)
-            .unwrap();
-
-        let enc_gates: Vec<_> = gate_iter.by_ref().collect();
-
-        assert!(enc_gates.is_empty());
+        let _ = gen.outputs().unwrap();
+        let _ = gen.hash().unwrap();
     }
 }
diff --git a/crates/mpz-garble-core/src/lib.rs b/crates/mpz-garble-core/src/lib.rs
index 35b08a4a..ef7429e2 100644
--- a/crates/mpz-garble-core/src/lib.rs
+++ b/crates/mpz-garble-core/src/lib.rs
@@ -6,9 +6,7 @@
 //!
 //! ```
 //! use mpz_circuits::circuits::AES128;
-//! use mpz_garble_core::{
-//!     Generator, Evaluator, ChaChaEncoder, Encoder, GeneratorOutput, EvaluatorOutput
-//! };
+//! use mpz_garble_core::{Generator, Evaluator, ChaChaEncoder, Encoder};
 //!
 //!
 //! let encoder = ChaChaEncoder::new([0u8; 32]);
@@ -21,22 +19,30 @@
 //! let active_key = encoded_key.select(*key).unwrap();
 //! let active_plaintext = encoded_plaintext.select(*plaintext).unwrap();
 //!
-//! let mut gen = Generator::default();
-//! let mut ev = Evaluator::default();
+//! let mut gen =
+//!     Generator::new(
+//!         AES128.clone(),
+//!         encoder.delta(),
+//!         &[encoded_key, encoded_plaintext]
+//!     ).unwrap();
 //!
-//! let mut gen_iter = gen
-//!    .generate_batched(&AES128, encoder.delta(), vec![encoded_key, encoded_plaintext]).unwrap();
-//! let mut ev_consumer = ev.evaluate_batched(&AES128, vec![active_key, active_plaintext]).unwrap();
+//! let mut ev =
+//!     Evaluator::new(
+//!         AES128.clone(),
+//!         &[active_key, active_plaintext]
+//!     ).unwrap();
 //!
-//! for batch in gen_iter.by_ref() {
-//!    ev_consumer.next(batch);
+//! const BATCH_SIZE: usize = 1000;
+//! while !(gen.is_complete() && ev.is_complete()) {
+//!     let batch: Vec<_> = gen.by_ref().take(BATCH_SIZE).collect();
+//!     ev.evaluate(batch.iter());
 //! }
 //!
-//! let GeneratorOutput { outputs: encoded_outputs, .. } = gen_iter.finish().unwrap();
+//! let encoded_outputs = gen.outputs().unwrap();
 //! let encoded_ciphertext = encoded_outputs[0].clone();
 //! let ciphertext_decoding = encoded_ciphertext.decoding();
 //!
-//! let EvaluatorOutput { outputs: active_outputs, .. } = ev_consumer.finish().unwrap();
+//! let active_outputs = ev.outputs().unwrap();
 //! let active_ciphertext = active_outputs[0].clone();
 //! let ciphertext: [u8; 16] =
 //!     active_ciphertext.decode(&ciphertext_decoding).unwrap().try_into().unwrap();
@@ -51,33 +57,15 @@ pub(crate) mod circuit;
 pub mod encoding;
 mod evaluator;
 mod generator;
+pub mod msg;
 
-pub use circuit::{EncryptedGate, EncryptedGateBatch, GarbledCircuit};
+pub use circuit::{EncryptedGate, GarbledCircuit};
 pub use encoding::{
     state as encoding_state, ChaChaEncoder, Decoding, Delta, Encode, EncodedValue, Encoder,
     EncodingCommitment, EqualityCheck, Label, ValueError,
 };
-pub use evaluator::{
-    EncryptedGateBatchConsumer, EncryptedGateConsumer, Evaluator, EvaluatorError, EvaluatorOutput,
-};
-pub use generator::{
-    EncryptedGateBatchIter, EncryptedGateIter, Generator, GeneratorError, GeneratorOutput,
-};
-
-const KB: usize = 1024;
-const BYTES_PER_GATE: usize = 32;
-
-/// Maximum size of a batch in bytes.
-const MAX_BATCH_SIZE: usize = 4 * KB;
-
-/// Default amount of encrypted gates per batch.
-///
-/// Batches are stack allocated, so we will limit the size to `MAX_BATCH_SIZE`.
-///
-/// Additionally, because the size of each batch is static, if a circuit is smaller than a batch
-/// we will be wasting some bandwidth sending empty bytes. This puts an upper limit on that
-/// waste.
-pub(crate) const DEFAULT_BATCH_SIZE: usize = MAX_BATCH_SIZE / BYTES_PER_GATE;
+pub use evaluator::{Evaluator, EvaluatorError};
+pub use generator::{Generator, GeneratorError};
 
 #[cfg(test)]
 mod tests {
@@ -85,7 +73,7 @@ mod tests {
         cipher::{BlockEncrypt, KeyInit},
         Aes128,
     };
-    use mpz_circuits::{circuits::AES128, types::Value, CircuitBuilder};
+    use mpz_circuits::{circuits::AES128, types::Value};
     use mpz_core::aes::FIXED_KEY_AES;
     use rand::SeedableRng;
     use rand_chacha::ChaCha12Rng;
@@ -121,6 +109,7 @@ mod tests {
 
         let key = [69u8; 16];
         let msg = [42u8; 16];
+        const BATCH_SIZE: usize = 1000;
 
         let expected: [u8; 16] = {
             let cipher = Aes128::new_from_slice(&key).unwrap();
@@ -140,35 +129,33 @@ mod tests {
             full_inputs[1].clone().select(msg).unwrap(),
         ];
 
-        let mut gen = Generator::default();
-        let mut ev = Evaluator::default();
-
-        let mut gen_iter = gen
-            .generate_batched(&AES128, encoder.delta(), full_inputs)
-            .unwrap();
-        let mut ev_consumer = ev.evaluate_batched(&AES128, active_inputs).unwrap();
+        let mut gen =
+            Generator::new_with_hasher(AES128.clone(), encoder.delta(), &full_inputs).unwrap();
+        let mut ev = Evaluator::new_with_hasher(AES128.clone(), &active_inputs).unwrap();
+
+        while !(gen.is_complete() && ev.is_complete()) {
+            let mut batch = Vec::with_capacity(BATCH_SIZE);
+            for enc_gate in gen.by_ref() {
+                batch.push(enc_gate);
+                if batch.len() == BATCH_SIZE {
+                    break;
+                }
+            }
+            ev.evaluate(batch.iter());
+        }
 
-        gen_iter.enable_hasher();
-        ev_consumer.enable_hasher();
+        let full_outputs = gen.outputs().unwrap();
+        let active_outputs = ev.outputs().unwrap();
 
-        for batch in gen_iter.by_ref() {
-            ev_consumer.next(batch);
-        }
+        let gen_digest = gen.hash().unwrap();
+        let ev_digest = ev.hash().unwrap();
 
-        let GeneratorOutput {
-            outputs: full_outputs,
-            hash: gen_hash,
-        } = gen_iter.finish().unwrap();
-        let EvaluatorOutput {
-            outputs: active_outputs,
-            hash: ev_hash,
-        } = ev_consumer.finish().unwrap();
+        assert_eq!(gen_digest, ev_digest);
 
         let outputs: Vec<Value> = active_outputs
             .iter()
             .zip(full_outputs)
             .map(|(active_output, full_output)| {
-                full_output.commit().verify(active_output).unwrap();
                 active_output.decode(&full_output.decoding()).unwrap()
             })
             .collect();
@@ -176,72 +163,5 @@ mod tests {
         let actual: [u8; 16] = outputs[0].clone().try_into().unwrap();
 
         assert_eq!(actual, expected);
-        assert_eq!(gen_hash, ev_hash);
-    }
-
-    // Tests garbling a circuit with no AND gates
-    #[test]
-    fn test_garble_no_and() {
-        let encoder = ChaChaEncoder::new([0; 32]);
-
-        let builder = CircuitBuilder::new();
-        let a = builder.add_input::<u8>();
-        let b = builder.add_input::<u8>();
-        let c = a ^ b;
-        builder.add_output(c);
-        let circ = builder.build().unwrap();
-        assert_eq!(circ.and_count(), 0);
-
-        let mut gen = Generator::default();
-        let mut ev = Evaluator::default();
-
-        let a = 1u8;
-        let b = 2u8;
-
-        let full_inputs: Vec<EncodedValue<encoding_state::Full>> = circ
-            .inputs()
-            .iter()
-            .map(|input| encoder.encode_by_type(0, &input.value_type()))
-            .collect();
-
-        let active_inputs: Vec<EncodedValue<encoding_state::Active>> = vec![
-            full_inputs[0].clone().select(a).unwrap(),
-            full_inputs[1].clone().select(b).unwrap(),
-        ];
-
-        let mut gen_iter = gen
-            .generate_batched(&circ, encoder.delta(), full_inputs)
-            .unwrap();
-        let mut ev_consumer = ev.evaluate_batched(&circ, active_inputs).unwrap();
-
-        gen_iter.enable_hasher();
-        ev_consumer.enable_hasher();
-
-        for batch in gen_iter.by_ref() {
-            ev_consumer.next(batch);
-        }
-
-        let GeneratorOutput {
-            outputs: full_outputs,
-            hash: gen_hash,
-        } = gen_iter.finish().unwrap();
-        let EvaluatorOutput {
-            outputs: active_outputs,
-            hash: ev_hash,
-        } = ev_consumer.finish().unwrap();
-
-        let outputs: Vec<Value> = active_outputs
-            .iter()
-            .zip(full_outputs)
-            .map(|(active_output, full_output)| {
-                full_output.commit().verify(active_output).unwrap();
-                active_output.decode(&full_output.decoding()).unwrap()
-            })
-            .collect();
-
-        let actual: u8 = outputs[0].clone().try_into().unwrap();
-
-        assert_eq!(actual, a ^ b);
-        assert_eq!(gen_hash, ev_hash);
     }
 }
diff --git a/crates/mpz-garble-core/src/msg.rs b/crates/mpz-garble-core/src/msg.rs
new file mode 100644
index 00000000..46b704c9
--- /dev/null
+++ b/crates/mpz-garble-core/src/msg.rs
@@ -0,0 +1,29 @@
+//! Messages used in garbled circuit protocols.
+
+use mpz_core::{commit::Decommitment, hash::Hash};
+use serde::{Deserialize, Serialize};
+
+use crate::{
+    circuit::EncryptedGate, encoding_state, Decoding, Delta, EncodedValue, EncodingCommitment,
+    EqualityCheck,
+};
+
+/// Top-level message type encapsulating all messages used in garbled circuit protocols.
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[non_exhaustive]
+#[allow(missing_docs)]
+pub enum GarbleMessage {
+    ActiveValue(Box<EncodedValue<encoding_state::Active>>),
+    ActiveValues(Vec<EncodedValue<encoding_state::Active>>),
+    EncryptedGates(Vec<EncryptedGate>),
+    EncodingCommitments(Vec<EncodingCommitment>),
+    ValueDecoding(Box<Decoding>),
+    ValueDecodings(Vec<Decoding>),
+    EqualityCheck(EqualityCheck),
+    HashCommitment(Hash),
+    EqualityCheckDecommitment(Decommitment<EqualityCheck>),
+    EqualityCheckDecommitments(Vec<Decommitment<EqualityCheck>>),
+    ProofDecommitments(Vec<Decommitment<Hash>>),
+    Delta(Delta),
+    EncoderSeed(Vec<u8>),
+}
diff --git a/crates/mpz-garble/benches/deap.rs b/crates/mpz-garble/benches/deap.rs
index 84ddecea..febcb078 100644
--- a/crates/mpz-garble/benches/deap.rs
+++ b/crates/mpz-garble/benches/deap.rs
@@ -1,90 +1,154 @@
-use criterion::{criterion_group, criterion_main, Criterion};
+use std::pin::Pin;
 
+use criterion::{black_box, criterion_group, criterion_main, Criterion};
+use futures::Future;
 use mpz_circuits::circuits::AES128;
-use mpz_common::executor::test_mt_executor;
-use mpz_garble::{config::Role, protocol::deap::DEAPThread, Decode, Execute, Memory};
-use mpz_ot::ideal::ot::ideal_ot;
+use mpz_garble::{
+    protocol::deap::mock::create_mock_deap_vm, Decode, Execute, Memory, Thread, Vm, VmError,
+};
+
+async fn bench_deap() {
+    let (mut leader_vm, mut follower_vm) = create_mock_deap_vm("mock").await;
+    let mut leader_thread = leader_vm.new_thread("mock_thread").await.unwrap();
+    let mut follower_thread = follower_vm.new_thread("mock_thread").await.unwrap();
+
+    let key = [0u8; 16];
+    let msg = [0u8; 16];
+
+    let leader_fut = {
+        let key_ref = leader_thread.new_private_input::<[u8; 16]>("key").unwrap();
+        let msg_ref = leader_thread.new_blind_input::<[u8; 16]>("msg").unwrap();
+        let ciphertext_ref = leader_thread.new_output::<[u8; 16]>("ciphertext").unwrap();
+
+        leader_thread.assign(&key_ref, key).unwrap();
+
+        async {
+            leader_thread
+                .execute(
+                    AES128.clone(),
+                    &[key_ref, msg_ref],
+                    &[ciphertext_ref.clone()],
+                )
+                .await
+                .unwrap();
+
+            leader_thread.decode(&[ciphertext_ref]).await.unwrap();
+
+            leader_vm.finalize().await.unwrap();
+        }
+    };
+
+    let follower_fut = {
+        let key_ref = follower_thread.new_blind_input::<[u8; 16]>("key").unwrap();
+        let msg_ref = follower_thread
+            .new_private_input::<[u8; 16]>("msg")
+            .unwrap();
+        let ciphertext_ref = follower_thread
+            .new_output::<[u8; 16]>("ciphertext")
+            .unwrap();
+
+        follower_thread.assign(&msg_ref, msg).unwrap();
+
+        async {
+            follower_thread
+                .execute(
+                    AES128.clone(),
+                    &[key_ref, msg_ref],
+                    &[ciphertext_ref.clone()],
+                )
+                .await
+                .unwrap();
+
+            follower_thread.decode(&[ciphertext_ref]).await.unwrap();
+
+            follower_vm.finalize().await.unwrap();
+        }
+    };
+
+    _ = futures::join!(leader_fut, follower_fut)
+}
+
+fn bench_aes_leader<T: Thread + Execute + Decode + Send>(
+    thread: &mut T,
+    block: usize,
+) -> Pin<Box<dyn Future<Output = Result<[u8; 16], VmError>> + Send + '_>> {
+    Box::pin(async move {
+        let key = thread.new_private_input::<[u8; 16]>(&format!("key/{block}"))?;
+        let msg = thread.new_private_input::<[u8; 16]>(&format!("msg/{block}"))?;
+        let ciphertext = thread.new_output::<[u8; 16]>(&format!("ciphertext/{block}"))?;
+
+        thread.assign(&key, [0u8; 16])?;
+        thread.assign(&msg, [0u8; 16])?;
+
+        thread
+            .execute(AES128.clone(), &[key, msg], &[ciphertext.clone()])
+            .await?;
+
+        let mut values = thread.decode(&[ciphertext]).await?;
+
+        Ok(values.pop().unwrap().try_into().unwrap())
+    })
+}
+
+fn bench_aes_follower<T: Thread + Execute + Decode + Send>(
+    thread: &mut T,
+    block: usize,
+) -> Pin<Box<dyn Future<Output = Result<[u8; 16], VmError>> + Send + '_>> {
+    Box::pin(async move {
+        let key = thread.new_blind_input::<[u8; 16]>(&format!("key/{block}"))?;
+        let msg = thread.new_blind_input::<[u8; 16]>(&format!("msg/{block}"))?;
+        let ciphertext = thread.new_output::<[u8; 16]>(&format!("ciphertext/{block}"))?;
+
+        thread
+            .execute(AES128.clone(), &[key, msg], &[ciphertext.clone()])
+            .await?;
+
+        let mut values = thread.decode(&[ciphertext]).await?;
+
+        Ok(values.pop().unwrap().try_into().unwrap())
+    })
+}
+
+async fn bench_aes_threadpool(thread_count: usize, block_count: usize) {
+    let (mut leader_vm, mut follower_vm) = create_mock_deap_vm("bench_vm").await;
+
+    let (mut leader_pool, mut follower_pool) = futures::try_join!(
+        leader_vm.new_thread_pool("bench_pool", thread_count),
+        follower_vm.new_thread_pool("bench_pool", thread_count),
+    )
+    .unwrap();
+
+    let mut leader_scope = leader_pool.new_scope();
+    let mut follower_scope = follower_pool.new_scope();
+
+    for block in 0..block_count {
+        leader_scope.push(move |thread| bench_aes_leader(thread, block));
+        follower_scope.push(move |thread| bench_aes_follower(thread, block));
+    }
+
+    _ = futures::join!(leader_scope.wait(), follower_scope.wait());
+
+    futures::try_join!(leader_vm.finalize(), follower_vm.finalize()).unwrap();
+}
 
 fn criterion_benchmark(c: &mut Criterion) {
     let mut group = c.benchmark_group("deap");
+    let thread_count = 4;
+    let block_count = 128;
 
     let rt = tokio::runtime::Runtime::new().unwrap();
     group.bench_function("aes", |b| {
         b.to_async(&rt).iter(|| async {
-            let (mut leader_exec, mut follower_exec) = test_mt_executor(8);
-
-            let (leader_ot_send, follower_ot_recv) = ideal_ot();
-            let (follower_ot_send, leader_ot_recv) = ideal_ot();
-
-            let key = [0u8; 16];
-            let msg = [0u8; 16];
-
-            let leader_fut = {
-                async move {
-                    let leader_ctx = leader_exec.new_thread().await.unwrap();
-
-                    let mut leader_vm = DEAPThread::new(
-                        Role::Leader,
-                        [42u8; 32],
-                        leader_ctx,
-                        leader_ot_send,
-                        leader_ot_recv,
-                    );
-
-                    let key_ref = leader_vm.new_private_input::<[u8; 16]>("key").unwrap();
-                    let msg_ref = leader_vm.new_private_input::<[u8; 16]>("msg").unwrap();
-                    let ciphertext_ref = leader_vm.new_output::<[u8; 16]>("ciphertext").unwrap();
-
-                    leader_vm.assign(&key_ref, key).unwrap();
-                    leader_vm.assign(&msg_ref, msg).unwrap();
-
-                    leader_vm
-                        .execute(
-                            AES128.clone(),
-                            &[key_ref.clone(), msg_ref],
-                            &[ciphertext_ref.clone()],
-                        )
-                        .await
-                        .unwrap();
-
-                    leader_vm.decode(&[ciphertext_ref]).await.unwrap();
-
-                    leader_vm.finalize().await.unwrap();
-                }
-            };
-
-            let follower_fut = {
-                async move {
-                    let follower_ctx = follower_exec.new_thread().await.unwrap();
-
-                    let mut follower_vm = DEAPThread::new(
-                        Role::Follower,
-                        [69u8; 32],
-                        follower_ctx,
-                        follower_ot_send,
-                        follower_ot_recv,
-                    );
-
-                    let key_ref = follower_vm.new_blind_input::<[u8; 16]>("key").unwrap();
-                    let msg_ref = follower_vm.new_blind_input::<[u8; 16]>("msg").unwrap();
-                    let ciphertext_ref = follower_vm.new_output::<[u8; 16]>("ciphertext").unwrap();
-
-                    follower_vm
-                        .execute(
-                            AES128.clone(),
-                            &[key_ref.clone(), msg_ref],
-                            &[ciphertext_ref.clone()],
-                        )
-                        .await
-                        .unwrap();
-
-                    follower_vm.decode(&[ciphertext_ref]).await.unwrap();
-
-                    follower_vm.finalize().await.unwrap();
-                }
-            };
-
-            futures::join!(leader_fut, follower_fut);
+            bench_deap().await;
+            black_box(())
+        })
+    });
+
+    group.throughput(criterion::Throughput::Bytes(block_count as u64 * 16));
+    group.bench_function("aes_mt", |b| {
+        b.to_async(&rt).iter(|| async {
+            bench_aes_threadpool(thread_count, block_count).await;
+            black_box(())
         })
     });
 }
diff --git a/crates/mpz-garble/src/protocol/deap/mock.rs b/crates/mpz-garble/src/protocol/deap/mock.rs
index 6a620d32..4bbcd67b 100644
--- a/crates/mpz-garble/src/protocol/deap/mock.rs
+++ b/crates/mpz-garble/src/protocol/deap/mock.rs
@@ -1,39 +1,51 @@
 //! Mocked DEAP VMs for testing
 
-use mpz_common::executor::{test_st_executor, STExecutor};
-use mpz_core::Block;
-use mpz_ot::ideal::ot::{ideal_ot, IdealOTReceiver, IdealOTSender};
-use serio::channel::MemoryDuplex;
+use mpz_ot::ideal::{ideal_ot_shared_pair, IdealSharedOTReceiver, IdealSharedOTSender};
+use utils_aio::mux::{mock::MockMuxChannelFactory, MuxChannel};
 
-use crate::{config::Role, protocol::deap::vm::DEAPThread};
+use crate::config::Role;
 
-type OTSender = IdealOTSender<[Block; 2]>;
-type OTReceiver = IdealOTReceiver<Block>;
-type Ctx = STExecutor<MemoryDuplex>;
+use super::{vm::DEAPVm, DEAPThread};
 
-/// Mock DEAP Leader.
-pub type MockLeader = DEAPThread<Ctx, OTSender, OTReceiver>;
-/// Mock DEAP Follower.
-pub type MockFollower = DEAPThread<Ctx, OTSender, OTReceiver>;
+/// Mock DEAP Leader VM.
+pub type MockLeader = DEAPVm<IdealSharedOTSender, IdealSharedOTReceiver>;
+/// Mock DEAP Leader thread.
+pub type MockLeaderThread = DEAPThread<IdealSharedOTSender, IdealSharedOTReceiver>;
+/// Mock DEAP Follower VM.
+pub type MockFollower = DEAPVm<IdealSharedOTSender, IdealSharedOTReceiver>;
+/// Mock DEAP Follower thread.
+pub type MockFollowerThread = DEAPThread<IdealSharedOTSender, IdealSharedOTReceiver>;
 
 /// Create a pair of mocked DEAP VMs
-pub fn create_mock_deap_vm() -> (MockLeader, MockFollower) {
-    let (leader_ctx, follower_ctx) = test_st_executor(128);
-    let (leader_ot_send, follower_ot_recv) = ideal_ot();
-    let (follower_ot_send, leader_ot_recv) = ideal_ot();
-
-    let leader = DEAPThread::new(
+pub async fn create_mock_deap_vm(
+    id: &str,
+) -> (
+    DEAPVm<IdealSharedOTSender, IdealSharedOTReceiver>,
+    DEAPVm<IdealSharedOTSender, IdealSharedOTReceiver>,
+) {
+    let mut mux_factory = MockMuxChannelFactory::new();
+    let (leader_ot_send, follower_ot_recv) = ideal_ot_shared_pair();
+    let (follower_ot_send, leader_ot_recv) = ideal_ot_shared_pair();
+
+    let leader_channel = mux_factory.get_channel(id).await.unwrap();
+    let follower_channel = mux_factory.get_channel(id).await.unwrap();
+
+    let leader = DEAPVm::new(
+        id,
         Role::Leader,
         [42u8; 32],
-        leader_ctx,
+        leader_channel,
+        Box::new(mux_factory.clone()),
         leader_ot_send,
         leader_ot_recv,
     );
 
-    let follower = DEAPThread::new(
+    let follower = DEAPVm::new(
+        id,
         Role::Follower,
         [69u8; 32],
-        follower_ctx,
+        follower_channel,
+        Box::new(mux_factory),
         follower_ot_send,
         follower_ot_recv,
     );
diff --git a/crates/mpz-garble/src/protocol/deap/vm.rs b/crates/mpz-garble/src/protocol/deap/vm.rs
index a1965e64..c7708eb4 100644
--- a/crates/mpz-garble/src/protocol/deap/vm.rs
+++ b/crates/mpz-garble/src/protocol/deap/vm.rs
@@ -1,24 +1,28 @@
 use std::{
-    mem,
+    collections::HashSet,
     sync::{Arc, Weak},
 };
 
 use async_trait::async_trait;
-use futures::TryFutureExt;
+use futures::{
+    stream::{SplitSink, SplitStream},
+    StreamExt, TryFutureExt,
+};
 
 use mpz_circuits::{
     types::{Value, ValueType},
     Circuit,
 };
-use mpz_common::Context;
-use mpz_garble_core::{encoding_state::Active, EncodedValue};
+use mpz_garble_core::{encoding_state::Active, msg::GarbleMessage, EncodedValue};
+use utils::id::NestedId;
+use utils_aio::{duplex::Duplex, mux::MuxChannel};
 
 use crate::{
     config::{Role, Visibility},
     ot::{VerifiableOTReceiveEncoding, VerifiableOTSendEncoding},
     value::ValueRef,
     Decode, DecodeError, DecodePrivate, Execute, ExecutionError, Load, LoadError, Memory,
-    MemoryError, Prove, ProveError, Thread, Verify, VerifyError,
+    MemoryError, Prove, ProveError, Thread, Verify, VerifyError, Vm, VmError,
 };
 
 use super::{
@@ -26,135 +30,218 @@ use super::{
     DEAPError, DEAP,
 };
 
-#[derive(Debug)]
-enum State {
-    Main(Arc<DEAP>),
-    Child(Weak<DEAP>),
-    Finalized,
+type ChannelFactory = Box<dyn MuxChannel<GarbleMessage> + Send + 'static>;
+type GarbleChannel = Box<dyn Duplex<GarbleMessage>>;
+
+/// A DEAP Vm.
+pub struct DEAPVm<OTS, OTR> {
+    /// The id of the vm.
+    id: NestedId,
+    /// The role of the vm.
+    role: Role,
+    /// Channel factory used to create new channels for new threads.
+    channel_factory: ChannelFactory,
+    /// The OT sender.
+    ot_send: Arc<OTS>,
+    /// The OT receiver.
+    ot_recv: Arc<OTR>,
+    /// The duplex channel sink to the peer.
+    sink: SplitSink<GarbleChannel, GarbleMessage>,
+    /// The duplex channel stream from the peer.
+    stream: SplitStream<GarbleChannel>,
+    /// The DEAP instance.
+    ///
+    /// The DEAPVm is the only owner of a strong reference to the instance,
+    /// and unwraps it during finalization.
+    deap: Option<Arc<DEAP>>,
+    /// The set of threads spawned by this vm.
+    threads: HashSet<NestedId>,
+    /// Whether the instance has been finalized.
+    finalized: bool,
 }
 
-impl State {
-    fn get(&self) -> Arc<DEAP> {
-        match self {
-            State::Main(deap) => deap.clone(),
-            State::Child(deap) => deap.upgrade().expect("instance should not be dropped"),
-            State::Finalized => panic!("instance is finalized"),
+impl<OTS, OTR> DEAPVm<OTS, OTR>
+where
+    OTS: VerifiableOTSendEncoding,
+    OTR: VerifiableOTReceiveEncoding,
+{
+    /// Create a new DEAP Vm.
+    pub fn new(
+        id: &str,
+        role: Role,
+        encoder_seed: [u8; 32],
+        channel: GarbleChannel,
+        channel_factory: ChannelFactory,
+        ot_send: OTS,
+        ot_recv: OTR,
+    ) -> Self {
+        let (sink, stream) = channel.split();
+        Self {
+            id: NestedId::new(id),
+            role,
+            channel_factory,
+            ot_send: Arc::new(ot_send),
+            ot_recv: Arc::new(ot_recv),
+            sink,
+            stream,
+            deap: Some(Arc::new(DEAP::new(role, encoder_seed))),
+            threads: HashSet::default(),
+            finalized: false,
+        }
+    }
+
+    /// Finalizes the DEAP instance.
+    ///
+    /// If this instance is the leader this function returns the follower's
+    /// encoder seed.
+    pub async fn finalize(&mut self) -> Result<Option<[u8; 32]>, DEAPError> {
+        if self.finalized {
+            return Err(FinalizationError::AlreadyFinalized)?;
+        } else {
+            self.finalized = true;
         }
+
+        let mut instance =
+            Arc::try_unwrap(self.deap.take().expect("instance set until finalization"))
+                .expect("vm should have only strong reference");
+
+        instance
+            .finalize(&mut self.sink, &mut self.stream, &*self.ot_recv)
+            .await
     }
+}
+
+#[async_trait]
+impl<OTS, OTR> Vm for DEAPVm<OTS, OTR>
+where
+    OTS: VerifiableOTSendEncoding + Clone + Send + Sync + 'static,
+    OTR: VerifiableOTReceiveEncoding + Clone + Send + Sync + 'static,
+{
+    type Thread = DEAPThread<OTS, OTR>;
 
-    fn is_finalized(&self) -> bool {
-        matches!(self, State::Finalized)
+    async fn new_thread(&mut self, id: &str) -> Result<DEAPThread<OTS, OTR>, VmError> {
+        if self.finalized {
+            return Err(VmError::Shutdown);
+        }
+
+        let thread_id = self.id.append_string(id);
+
+        if self.threads.contains(&thread_id) {
+            return Err(VmError::ThreadAlreadyExists(thread_id.to_string()));
+        }
+
+        let channel = self
+            .channel_factory
+            .get_channel(&thread_id.to_string())
+            .await?;
+
+        Ok(DEAPThread::new(
+            thread_id,
+            self.role,
+            channel,
+            Arc::downgrade(self.deap.as_ref().expect("instance set until finalization")),
+            self.ot_send.clone(),
+            self.ot_recv.clone(),
+        ))
     }
 }
 
 /// A DEAP thread.
-#[derive(Debug)]
-pub struct DEAPThread<Ctx, OTS, OTR> {
-    /// The thread context.
-    ctx: Ctx,
+pub struct DEAPThread<OTS, OTR> {
+    /// The thread id.
+    _id: NestedId,
+    /// The DEAP role of the VM.
+    _role: Role,
+    /// The current operation id.
+    op_id: NestedId,
+    /// Reference to the DEAP instance.
+    deap: Weak<DEAP>,
     /// OT sender.
-    ot_send: OTS,
+    ot_send: Arc<OTS>,
     /// OT receiver.
-    ot_recv: OTR,
-    state: State,
+    ot_recv: Arc<OTR>,
+    /// The duplex channel sink to the peer.
+    sink: SplitSink<GarbleChannel, GarbleMessage>,
+    /// The duplex channel stream from the peer.
+    stream: SplitStream<GarbleChannel>,
 }
 
-impl<Ctx, OTS, OTR> DEAPThread<Ctx, OTS, OTR> {
-    /// Creates a new DEAP instance.
-    pub fn new(role: Role, encoder_seed: [u8; 32], ctx: Ctx, ot_send: OTS, ot_recv: OTR) -> Self {
-        Self {
-            ctx,
-            ot_send,
-            ot_recv,
-            state: State::Main(Arc::new(DEAP::new(role, encoder_seed))),
-        }
-    }
-
-    /// Creates a new DEAP thread.
-    pub fn new_thread(&self, ctx: Ctx, ot_send: OTS, ot_recv: OTR) -> Result<Self, DEAPError> {
-        match &self.state {
-            State::Main(state) => Ok(Self {
-                ctx,
-                ot_send,
-                ot_recv,
-                state: State::Child(Arc::downgrade(state)),
-            }),
-            State::Child(state) => Ok(Self {
-                ctx,
-                ot_send,
-                ot_recv,
-                state: State::Child(state.clone()),
-            }),
-            State::Finalized => Err(FinalizationError::AlreadyFinalized.into()),
-        }
+impl<OTS, OTR> DEAPThread<OTS, OTR> {
+    fn deap(&self) -> Arc<DEAP> {
+        self.deap.upgrade().expect("instance should not be dropped")
     }
 }
 
-impl<Ctx, OTS, OTR> DEAPThread<Ctx, OTS, OTR>
+impl<OTS, OTR> DEAPThread<OTS, OTR>
 where
-    Ctx: Context,
-    OTR: VerifiableOTReceiveEncoding<Ctx>,
+    OTS: VerifiableOTSendEncoding,
+    OTR: VerifiableOTReceiveEncoding,
 {
-    /// Finalizes the DEAP instance.
-    ///
-    /// If this instance is the leader, this function returns the follower's
-    /// encoder seed.
-    pub async fn finalize(&mut self) -> Result<Option<[u8; 32]>, DEAPError> {
-        match mem::replace(&mut self.state, State::Finalized) {
-            State::Main(deap) => {
-                let mut deap =
-                    Arc::try_unwrap(deap).expect("state should have only strong reference");
-                deap.finalize(&mut self.ctx, &mut self.ot_recv).await
-            }
-            State::Child(_) => Err(FinalizationError::NotMainThread.into()),
-            State::Finalized => Err(FinalizationError::AlreadyFinalized.into()),
+    fn new(
+        id: NestedId,
+        role: Role,
+        channel: GarbleChannel,
+        deap: Weak<DEAP>,
+        ot_send: Arc<OTS>,
+        ot_recv: Arc<OTR>,
+    ) -> Self {
+        let (sink, stream) = channel.split();
+        let op_id = id.append_counter();
+        Self {
+            _id: id,
+            _role: role,
+            op_id,
+            deap,
+            ot_send,
+            ot_recv,
+            sink,
+            stream,
         }
     }
 }
 
-impl<Ctx, OTS, OTR> Thread for DEAPThread<Ctx, OTS, OTR> {}
+impl<OTS, OTR> Thread for DEAPThread<OTS, OTR> {}
 
-impl<Ctx, OTS, OTR> Memory for DEAPThread<Ctx, OTS, OTR> {
+impl<OTS, OTR> Memory for DEAPThread<OTS, OTR> {
     fn new_input_with_type(
         &self,
         id: &str,
         typ: ValueType,
         visibility: Visibility,
     ) -> Result<ValueRef, MemoryError> {
-        self.state.get().new_input_with_type(id, typ, visibility)
+        self.deap().new_input_with_type(id, typ, visibility)
     }
 
     fn new_output_with_type(&self, id: &str, typ: ValueType) -> Result<ValueRef, MemoryError> {
-        self.state.get().new_output_with_type(id, typ)
+        self.deap().new_output_with_type(id, typ)
     }
 
     fn assign(&self, value_ref: &ValueRef, value: impl Into<Value>) -> Result<(), MemoryError> {
-        self.state.get().assign(value_ref, value)
+        self.deap().assign(value_ref, value)
     }
 
     fn assign_by_id(&self, id: &str, value: impl Into<Value>) -> Result<(), MemoryError> {
-        self.state.get().assign_by_id(id, value)
+        self.deap().assign_by_id(id, value)
     }
 
     fn get_value(&self, id: &str) -> Option<ValueRef> {
-        self.state.get().get_value(id)
+        self.deap().get_value(id)
     }
 
     fn get_value_type(&self, value_ref: &ValueRef) -> ValueType {
-        self.state.get().get_value_type(value_ref)
+        self.deap().get_value_type(value_ref)
     }
 
     fn get_value_type_by_id(&self, id: &str) -> Option<ValueType> {
-        self.state.get().get_value_type_by_id(id)
+        self.deap().get_value_type_by_id(id)
     }
 }
 
 #[async_trait]
-impl<Ctx, OTS, OTR> Load for DEAPThread<Ctx, OTS, OTR>
+impl<OTS, OTR> Load for DEAPThread<OTS, OTR>
 where
-    Ctx: Context,
-    OTS: VerifiableOTSendEncoding<Ctx> + Send + Sync,
-    OTR: VerifiableOTReceiveEncoding<Ctx> + Send + Sync,
+    OTS: VerifiableOTSendEncoding + Send + Sync,
+    OTR: VerifiableOTReceiveEncoding + Send + Sync,
 {
     async fn load(
         &mut self,
@@ -162,44 +249,35 @@ where
         inputs: &[ValueRef],
         outputs: &[ValueRef],
     ) -> Result<(), LoadError> {
-        self.state
-            .get()
-            .load(&mut self.ctx, circ, inputs, outputs)
+        self.deap()
+            .load(circ, inputs, outputs, &mut self.sink, &mut self.stream)
             .map_err(LoadError::from)
             .await
     }
 }
 
 #[async_trait]
-impl<Ctx, OTS, OTR> Execute for DEAPThread<Ctx, OTS, OTR>
+impl<OTS, OTR> Execute for DEAPThread<OTS, OTR>
 where
-    Ctx: Context,
-    OTS: VerifiableOTSendEncoding<Ctx> + Send + Sync,
-    OTR: VerifiableOTReceiveEncoding<Ctx> + Send + Sync,
+    OTS: VerifiableOTSendEncoding + Send + Sync,
+    OTR: VerifiableOTReceiveEncoding + Send + Sync,
 {
-    async fn commit(&mut self, values: &[ValueRef]) -> Result<(), ExecutionError> {
-        self.state
-            .get()
-            .commit(&mut self.ctx, values, &mut self.ot_send, &mut self.ot_recv)
-            .map_err(ExecutionError::from)
-            .await
-    }
-
     async fn execute(
         &mut self,
         circ: Arc<Circuit>,
         inputs: &[ValueRef],
         outputs: &[ValueRef],
     ) -> Result<(), ExecutionError> {
-        self.state
-            .get()
+        self.deap()
             .execute(
-                &mut self.ctx,
+                &self.op_id.increment_in_place().to_string(),
                 circ,
                 inputs,
                 outputs,
-                &mut self.ot_send,
-                &mut self.ot_recv,
+                &mut self.sink,
+                &mut self.stream,
+                &*self.ot_send,
+                &*self.ot_recv,
             )
             .map_err(ExecutionError::from)
             .await
@@ -207,66 +285,63 @@ where
 }
 
 #[async_trait]
-impl<Ctx, OTS, OTR> Prove for DEAPThread<Ctx, OTS, OTR>
+impl<OTS, OTR> Prove for DEAPThread<OTS, OTR>
 where
-    Ctx: Context,
-    OTS: VerifiableOTSendEncoding<Ctx> + Send + Sync,
-    OTR: VerifiableOTReceiveEncoding<Ctx> + Send + Sync,
+    OTS: VerifiableOTSendEncoding + Send + Sync,
+    OTR: VerifiableOTReceiveEncoding + Send + Sync,
 {
-    async fn commit_prove(&mut self, values: &[ValueRef]) -> Result<(), ProveError> {
-        self.state
-            .get()
-            .commit_prove(&mut self.ctx, values, &mut self.ot_recv)
-            .map_err(ProveError::from)
-            .await
-    }
-
     async fn execute_prove(
         &mut self,
         circ: Arc<Circuit>,
         inputs: &[ValueRef],
         outputs: &[ValueRef],
     ) -> Result<(), ProveError> {
-        self.state
-            .get()
-            .execute_prove(&mut self.ctx, circ, inputs, outputs, &mut self.ot_recv)
+        self.deap()
+            .execute_prove(
+                &self.op_id.increment_in_place().to_string(),
+                circ,
+                inputs,
+                outputs,
+                &mut self.stream,
+                &*self.ot_recv,
+            )
             .map_err(ProveError::from)
             .await
     }
 
     async fn prove(&mut self, values: &[ValueRef]) -> Result<(), ProveError> {
-        self.state
-            .get()
-            .defer_prove(&mut self.ctx, values)
+        self.deap()
+            .defer_prove(
+                &self.op_id.increment_in_place().to_string(),
+                values,
+                &mut self.sink,
+            )
             .map_err(ProveError::from)
             .await
     }
 }
 
 #[async_trait]
-impl<Ctx, OTS, OTR> Verify for DEAPThread<Ctx, OTS, OTR>
+impl<OTS, OTR> Verify for DEAPThread<OTS, OTR>
 where
-    Ctx: Context,
-    OTS: VerifiableOTSendEncoding<Ctx> + Send + Sync,
-    OTR: VerifiableOTReceiveEncoding<Ctx> + Send + Sync,
+    OTS: VerifiableOTSendEncoding + Send + Sync,
+    OTR: VerifiableOTReceiveEncoding + Send + Sync,
 {
-    async fn commit_verify(&mut self, values: &[ValueRef]) -> Result<(), VerifyError> {
-        self.state
-            .get()
-            .commit_verify(&mut self.ctx, values, &mut self.ot_send)
-            .map_err(VerifyError::from)
-            .await
-    }
-
     async fn execute_verify(
         &mut self,
         circ: Arc<Circuit>,
         inputs: &[ValueRef],
         outputs: &[ValueRef],
     ) -> Result<(), VerifyError> {
-        self.state
-            .get()
-            .execute_verify(&mut self.ctx, circ, inputs, outputs, &mut self.ot_send)
+        self.deap()
+            .execute_verify(
+                &self.op_id.increment_in_place().to_string(),
+                circ,
+                inputs,
+                outputs,
+                &mut self.sink,
+                &*self.ot_send,
+            )
             .map_err(VerifyError::from)
             .await
     }
@@ -276,57 +351,81 @@ where
         values: &[ValueRef],
         expected_values: &[Value],
     ) -> Result<(), VerifyError> {
-        self.state
-            .get()
-            .defer_verify(&mut self.ctx, values, expected_values)
+        self.deap()
+            .defer_verify(
+                &self.op_id.increment_in_place().to_string(),
+                values,
+                expected_values,
+                &mut self.stream,
+            )
             .map_err(VerifyError::from)
             .await
     }
 }
 
 #[async_trait]
-impl<Ctx, OTS, OTR> Decode for DEAPThread<Ctx, OTS, OTR>
+impl<OTS, OTR> Decode for DEAPThread<OTS, OTR>
 where
-    Ctx: Context,
-    OTS: VerifiableOTSendEncoding<Ctx> + Send + Sync,
-    OTR: VerifiableOTReceiveEncoding<Ctx> + Send + Sync,
+    OTS: VerifiableOTSendEncoding + Send + Sync,
+    OTR: VerifiableOTReceiveEncoding + Send + Sync,
 {
     async fn decode(&mut self, values: &[ValueRef]) -> Result<Vec<Value>, DecodeError> {
-        self.state
-            .get()
-            .decode(&mut self.ctx, values)
+        self.deap()
+            .decode(
+                &self.op_id.increment_in_place().to_string(),
+                values,
+                &mut self.sink,
+                &mut self.stream,
+            )
             .map_err(DecodeError::from)
             .await
     }
 }
 
 #[async_trait]
-impl<Ctx, OTS, OTR> DecodePrivate for DEAPThread<Ctx, OTS, OTR>
+impl<OTS, OTR> DecodePrivate for DEAPThread<OTS, OTR>
 where
-    Ctx: Context,
-    OTS: VerifiableOTSendEncoding<Ctx> + Send + Sync,
-    OTR: VerifiableOTReceiveEncoding<Ctx> + Send + Sync,
+    OTS: VerifiableOTSendEncoding + Send + Sync,
+    OTR: VerifiableOTReceiveEncoding + Send + Sync,
 {
     async fn decode_private(&mut self, values: &[ValueRef]) -> Result<Vec<Value>, DecodeError> {
-        self.state
-            .get()
-            .decode_private(&mut self.ctx, values, &mut self.ot_send, &mut self.ot_recv)
+        self.deap()
+            .decode_private(
+                &self.op_id.increment_in_place().to_string(),
+                values,
+                &mut self.sink,
+                &mut self.stream,
+                &*self.ot_send,
+                &*self.ot_recv,
+            )
             .map_err(DecodeError::from)
             .await
     }
 
     async fn decode_blind(&mut self, values: &[ValueRef]) -> Result<(), DecodeError> {
-        self.state
-            .get()
-            .decode_blind(&mut self.ctx, values, &mut self.ot_send, &mut self.ot_recv)
+        self.deap()
+            .decode_blind(
+                &self.op_id.increment_in_place().to_string(),
+                values,
+                &mut self.sink,
+                &mut self.stream,
+                &*self.ot_send,
+                &*self.ot_recv,
+            )
             .map_err(DecodeError::from)
             .await
     }
 
     async fn decode_shared(&mut self, values: &[ValueRef]) -> Result<Vec<Value>, DecodeError> {
-        self.state
-            .get()
-            .decode_shared(&mut self.ctx, values, &mut self.ot_send, &mut self.ot_recv)
+        self.deap()
+            .decode_shared(
+                &self.op_id.increment_in_place().to_string(),
+                values,
+                &mut self.sink,
+                &mut self.stream,
+                &*self.ot_send,
+                &*self.ot_recv,
+            )
             .map_err(DecodeError::from)
             .await
     }
@@ -345,16 +444,16 @@ pub trait PeerEncodings {
     ) -> Result<Vec<EncodedValue<Active>>, PeerEncodingsError>;
 }
 
-impl<Ctx, OTS, OTR> PeerEncodings for DEAPThread<Ctx, OTS, OTR> {
+impl<OTS, OTR> PeerEncodings for DEAPVm<OTS, OTR> {
     fn get_peer_encodings(
         &self,
         value_ids: &[&str],
     ) -> Result<Vec<EncodedValue<Active>>, PeerEncodingsError> {
-        if self.state.is_finalized() {
+        if self.finalized {
             return Err(PeerEncodingsError::AlreadyFinalized);
         }
 
-        let deap = self.state.get();
+        let deap = self.deap.as_ref().expect("instance set until finalization");
 
         value_ids
             .iter()
@@ -382,22 +481,39 @@ mod tests {
 
     use crate::protocol::deap::mock::create_mock_deap_vm;
 
-    #[tokio::test]
-    async fn test_vm() {
-        let (mut leader_vm, mut follower_vm) = create_mock_deap_vm();
+    use core::{future::Future, pin::Pin};
+    use mpz_ot::ideal::{IdealSharedOTReceiver, IdealSharedOTSender};
+    use rstest::{fixture, rstest};
+
+    // Leader and follower VMs in a set up state and the futures which need to be awaited
+    // to trigger circuit execution.
+    struct VmFixture {
+        leader_vm: DEAPVm<IdealSharedOTSender, IdealSharedOTReceiver>,
+        leader_fut: Pin<Box<dyn Future<Output = Vec<Value>>>>,
+        follower_vm: DEAPVm<IdealSharedOTSender, IdealSharedOTReceiver>,
+        follower_fut: Pin<Box<dyn Future<Output = Vec<Value>>>>,
+    }
+
+    // Sets up leader and follower VMs.
+    #[fixture]
+    async fn set_up_vms() -> VmFixture {
+        let (mut leader_vm, mut follower_vm) = create_mock_deap_vm("test_vm").await;
+
+        let mut leader_thread = leader_vm.new_thread("test_thread").await.unwrap();
+        let mut follower_thread = follower_vm.new_thread("test_thread").await.unwrap();
 
         let key = [42u8; 16];
         let msg = [69u8; 16];
 
         let leader_fut = {
-            let key_ref = leader_vm.new_private_input::<[u8; 16]>("key").unwrap();
-            let msg_ref = leader_vm.new_blind_input::<[u8; 16]>("msg").unwrap();
-            let ciphertext_ref = leader_vm.new_output::<[u8; 16]>("ciphertext").unwrap();
+            let key_ref = leader_thread.new_private_input::<[u8; 16]>("key").unwrap();
+            let msg_ref = leader_thread.new_blind_input::<[u8; 16]>("msg").unwrap();
+            let ciphertext_ref = leader_thread.new_output::<[u8; 16]>("ciphertext").unwrap();
 
-            leader_vm.assign(&key_ref, key).unwrap();
+            leader_thread.assign(&key_ref, key).unwrap();
 
-            async {
-                leader_vm
+            async move {
+                leader_thread
                     .execute(
                         AES128.clone(),
                         &[key_ref, msg_ref],
@@ -406,19 +522,23 @@ mod tests {
                     .await
                     .unwrap();
 
-                leader_vm.decode(&[ciphertext_ref]).await.unwrap()
+                leader_thread.decode(&[ciphertext_ref]).await.unwrap()
             }
         };
 
         let follower_fut = {
-            let key_ref = follower_vm.new_blind_input::<[u8; 16]>("key").unwrap();
-            let msg_ref = follower_vm.new_private_input::<[u8; 16]>("msg").unwrap();
-            let ciphertext_ref = follower_vm.new_output::<[u8; 16]>("ciphertext").unwrap();
-
-            follower_vm.assign(&msg_ref, msg).unwrap();
-
-            async {
-                follower_vm
+            let key_ref = follower_thread.new_blind_input::<[u8; 16]>("key").unwrap();
+            let msg_ref = follower_thread
+                .new_private_input::<[u8; 16]>("msg")
+                .unwrap();
+            let ciphertext_ref = follower_thread
+                .new_output::<[u8; 16]>("ciphertext")
+                .unwrap();
+
+            follower_thread.assign(&msg_ref, msg).unwrap();
+
+            async move {
+                follower_thread
                     .execute(
                         AES128.clone(),
                         &[key_ref, msg_ref],
@@ -427,10 +547,28 @@ mod tests {
                     .await
                     .unwrap();
 
-                follower_vm.decode(&[ciphertext_ref]).await.unwrap()
+                follower_thread.decode(&[ciphertext_ref]).await.unwrap()
             }
         };
 
+        VmFixture {
+            leader_vm,
+            leader_fut: Box::pin(leader_fut),
+            follower_vm,
+            follower_fut: Box::pin(follower_fut),
+        }
+    }
+
+    #[rstest]
+    #[tokio::test]
+    async fn test_vm(set_up_vms: impl Future<Output = VmFixture>) {
+        let VmFixture {
+            mut leader_vm,
+            leader_fut,
+            mut follower_vm,
+            follower_fut,
+        } = set_up_vms.await;
+
         let (leader_result, follower_result) = futures::join!(leader_fut, follower_fut);
 
         assert_eq!(leader_result, follower_result);
@@ -442,58 +580,19 @@ mod tests {
         follower_result.unwrap();
     }
 
+    #[rstest]
     #[tokio::test]
-    async fn test_peer_encodings() {
-        let (mut leader_vm, mut follower_vm) = create_mock_deap_vm();
-
-        let key = [42u8; 16];
-        let msg = [69u8; 16];
-
-        let leader_fut = {
-            let key_ref = leader_vm.new_private_input::<[u8; 16]>("key").unwrap();
-            let msg_ref = leader_vm.new_blind_input::<[u8; 16]>("msg").unwrap();
-            let ciphertext_ref = leader_vm.new_output::<[u8; 16]>("ciphertext").unwrap();
-
-            leader_vm.assign(&key_ref, key).unwrap();
-
-            // Encodings are not yet available because the circuit hasn't yet been executed
-            let err = leader_vm.get_peer_encodings(&["msg"]).unwrap_err();
-            assert!(matches!(err, PeerEncodingsError::EncodingNotAvailable(_)));
-
-            async {
-                leader_vm
-                    .execute(
-                        AES128.clone(),
-                        &[key_ref, msg_ref],
-                        &[ciphertext_ref.clone()],
-                    )
-                    .await
-                    .unwrap();
-
-                leader_vm.decode(&[ciphertext_ref]).await.unwrap()
-            }
-        };
-
-        let follower_fut = {
-            let key_ref = follower_vm.new_blind_input::<[u8; 16]>("key").unwrap();
-            let msg_ref = follower_vm.new_private_input::<[u8; 16]>("msg").unwrap();
-            let ciphertext_ref = follower_vm.new_output::<[u8; 16]>("ciphertext").unwrap();
-
-            follower_vm.assign(&msg_ref, msg).unwrap();
-
-            async {
-                follower_vm
-                    .execute(
-                        AES128.clone(),
-                        &[key_ref, msg_ref],
-                        &[ciphertext_ref.clone()],
-                    )
-                    .await
-                    .unwrap();
-
-                follower_vm.decode(&[ciphertext_ref]).await.unwrap()
-            }
-        };
+    async fn test_peer_encodings(set_up_vms: impl Future<Output = VmFixture>) {
+        let VmFixture {
+            mut leader_vm,
+            leader_fut,
+            mut follower_vm,
+            follower_fut,
+        } = set_up_vms.await;
+
+        // Encodings are not yet available because the circuit hasn't yet been executed
+        let err = leader_vm.get_peer_encodings(&["msg"]).unwrap_err();
+        assert!(matches!(err, PeerEncodingsError::EncodingNotAvailable(_)));
 
         // Execute the circuits
         _ = futures::join!(leader_fut, follower_fut);
diff --git a/crates/mpz-ot-core/src/ferret/mod.rs b/crates/mpz-ot-core/src/ferret/mod.rs
index 3ad7701e..bbbf264a 100644
--- a/crates/mpz-ot-core/src/ferret/mod.rs
+++ b/crates/mpz-ot-core/src/ferret/mod.rs
@@ -36,11 +36,12 @@ pub const LPN_PARAMETERS_UNIFORM: LpnParameters = LpnParameters {
 };
 
 /// The type of Lpn parameters.
-#[derive(Debug)]
+#[derive(Debug, Clone, Copy, Default)]
 pub enum LpnType {
     /// Uniform error distribution.
     Uniform,
     /// Regular error distribution.
+    #[default]
     Regular,
 }
 
@@ -48,7 +49,6 @@ pub enum LpnType {
 mod tests {
     use super::*;
 
-    use msgs::LpnMatrixSeed;
     use receiver::Receiver;
     use sender::Sender;
 
@@ -56,7 +56,6 @@ mod tests {
     use crate::test::assert_cot;
     use crate::{MPCOTReceiverOutput, MPCOTSenderOutput, RCOTReceiverOutput, RCOTSenderOutput};
     use mpz_core::{lpn::LpnParameters, prg::Prg};
-    use rand::SeedableRng;
 
     const LPN_PARAMETERS_TEST: LpnParameters = LpnParameters {
         n: 9600,
@@ -66,7 +65,7 @@ mod tests {
 
     #[test]
     fn ferret_test() {
-        let mut prg = Prg::from_seed([1u8; 16].into());
+        let mut prg = Prg::new();
         let delta = prg.random_block();
         let mut ideal_cot = IdealCOT::default();
         let mut ideal_mpcot = IdealMpcot::default();
@@ -101,18 +100,8 @@ mod tests {
             )
             .unwrap();
 
-        let LpnMatrixSeed {
-            seed: lpn_matrix_seed,
-        } = seed;
-
         let mut sender = sender
-            .setup(
-                delta,
-                LPN_PARAMETERS_TEST,
-                LpnType::Regular,
-                lpn_matrix_seed,
-                &v,
-            )
+            .setup(delta, LPN_PARAMETERS_TEST, LpnType::Regular, seed, &v)
             .unwrap();
 
         // extend once
diff --git a/crates/mpz-ot-core/src/ferret/mpcot/receiver.rs b/crates/mpz-ot-core/src/ferret/mpcot/receiver.rs
index 0f8613af..e4d362da 100644
--- a/crates/mpz-ot-core/src/ferret/mpcot/receiver.rs
+++ b/crates/mpz-ot-core/src/ferret/mpcot/receiver.rs
@@ -32,11 +32,11 @@ impl Receiver {
     /// # Argument
     ///
     /// * `hash_seed` - Random seed to generate hashes, will be sent to the sender.
-    pub fn setup(self, hash_seed: Block) -> (Receiver<state::PreExtension>, HashSeed) {
+    pub fn setup(self, hash_seed: Block) -> (Receiver<state::Extension>, HashSeed) {
         let mut prg = Prg::from_seed(hash_seed);
         let hashes = std::array::from_fn(|_| AesEncryptor::new(prg.random_block()));
         let recv = Receiver {
-            state: state::PreExtension {
+            state: state::Extension {
                 counter: 0,
                 hashes: Arc::new(hashes),
             },
@@ -48,7 +48,7 @@ impl Receiver {
     }
 }
 
-impl Receiver<state::PreExtension> {
+impl Receiver<state::Extension> {
     /// Performs the hash procedure in MPCOT extension.
     /// Outputs the length of each bucket plus 1.
     ///
@@ -63,7 +63,7 @@ impl Receiver<state::PreExtension> {
         self,
         alphas: &[u32],
         n: u32,
-    ) -> Result<(Receiver<state::Extension>, Vec<(usize, u32)>), ReceiverError> {
+    ) -> Result<(Receiver<state::ExtensionInternal>, Vec<(usize, u32)>), ReceiverError> {
         if alphas.len() as u32 > n {
             return Err(ReceiverError::InvalidInput(
                 "length of alphas should not exceed n".to_string(),
@@ -104,7 +104,7 @@ impl Receiver<state::PreExtension> {
         }
 
         let receiver = Receiver {
-            state: state::Extension {
+            state: state::ExtensionInternal {
                 counter: self.state.counter,
                 m,
                 n,
@@ -117,7 +117,7 @@ impl Receiver<state::PreExtension> {
         Ok((receiver, p))
     }
 }
-impl Receiver<state::Extension> {
+impl Receiver<state::ExtensionInternal> {
     /// Performs MPCOT extension.
     ///
     /// See Step 5 in Figure 7.
@@ -128,7 +128,7 @@ impl Receiver<state::Extension> {
     pub fn extend(
         self,
         rt: &[Vec<Block>],
-    ) -> Result<(Receiver<state::PreExtension>, Vec<Block>), ReceiverError> {
+    ) -> Result<(Receiver<state::Extension>, Vec<Block>), ReceiverError> {
         if rt.len() != self.state.m {
             return Err(ReceiverError::InvalidInput(
                 "the length rt should be m".to_string(),
@@ -165,7 +165,7 @@ impl Receiver<state::Extension> {
         }
 
         let receiver = Receiver {
-            state: state::PreExtension {
+            state: state::Extension {
                 counter: self.state.counter + 1,
                 hashes: self.state.hashes,
             },
@@ -182,8 +182,8 @@ pub mod state {
         pub trait Sealed {}
 
         impl Sealed for super::Initialized {}
-        impl Sealed for super::PreExtension {}
         impl Sealed for super::Extension {}
+        impl Sealed for super::ExtensionInternal {}
     }
 
     /// The receiver's state.
@@ -200,20 +200,20 @@ pub mod state {
     /// The receiver's state before extending.
     ///
     /// In this state the receiver performs pre extension in MPCOT (potentially multiple times).
-    pub struct PreExtension {
+    pub struct Extension {
         /// Current MPCOT counter
         pub(super) counter: usize,
         /// The hashes to generate Cuckoo hash table.
         pub(super) hashes: Arc<[AesEncryptor; CUCKOO_HASH_NUM]>,
     }
 
-    impl State for PreExtension {}
+    impl State for Extension {}
 
-    opaque_debug::implement!(PreExtension);
+    opaque_debug::implement!(Extension);
     /// The receiver's state of extension.
     ///
     /// In this state the receiver performs MPCOT extension (potentially multiple times).
-    pub struct Extension {
+    pub struct ExtensionInternal {
         /// Current MPCOT counter
         pub(super) counter: usize,
         /// Current length of Cuckoo hash table, will possibly be changed in each extension.
@@ -228,7 +228,7 @@ pub mod state {
         pub(super) buckets_length: Vec<usize>,
     }
 
-    impl State for Extension {}
+    impl State for ExtensionInternal {}
 
-    opaque_debug::implement!(Extension);
+    opaque_debug::implement!(ExtensionInternal);
 }
diff --git a/crates/mpz-ot-core/src/ferret/mpcot/receiver_regular.rs b/crates/mpz-ot-core/src/ferret/mpcot/receiver_regular.rs
index 2b226108..e1e7edfe 100644
--- a/crates/mpz-ot-core/src/ferret/mpcot/receiver_regular.rs
+++ b/crates/mpz-ot-core/src/ferret/mpcot/receiver_regular.rs
@@ -19,13 +19,13 @@ impl Receiver {
     }
 
     /// Completes the setup phase of the protocol.
-    pub fn setup(self) -> Receiver<state::PreExtension> {
+    pub fn setup(self) -> Receiver<state::Extension> {
         Receiver {
-            state: state::PreExtension { counter: 0 },
+            state: state::Extension { counter: 0 },
         }
     }
 }
-impl Receiver<state::PreExtension> {
+impl Receiver<state::Extension> {
     /// Performs the prepare procedure in MPCOT extension.
     /// Outputs the indices for SPCOT.
     ///
@@ -38,7 +38,7 @@ impl Receiver<state::PreExtension> {
         self,
         alphas: &[u32],
         n: u32,
-    ) -> Result<(Receiver<state::Extension>, Vec<(usize, u32)>), ReceiverError> {
+    ) -> Result<(Receiver<state::ExtensionInternal>, Vec<(usize, u32)>), ReceiverError> {
         let t = alphas.len() as u32;
         if t > n {
             return Err(ReceiverError::InvalidInput(
@@ -91,7 +91,7 @@ impl Receiver<state::PreExtension> {
             .collect();
 
         let receiver = Receiver {
-            state: state::Extension {
+            state: state::ExtensionInternal {
                 counter: self.state.counter,
                 n,
                 queries_length,
@@ -103,7 +103,7 @@ impl Receiver<state::PreExtension> {
     }
 }
 
-impl Receiver<state::Extension> {
+impl Receiver<state::ExtensionInternal> {
     /// Performs MPCOT extension.
     ///
     /// # Arguments.
@@ -112,7 +112,7 @@ impl Receiver<state::Extension> {
     pub fn extend(
         self,
         rt: &[Vec<Block>],
-    ) -> Result<(Receiver<state::PreExtension>, Vec<Block>), ReceiverError> {
+    ) -> Result<(Receiver<state::Extension>, Vec<Block>), ReceiverError> {
         if rt
             .iter()
             .zip(self.state.queries_depth.iter())
@@ -130,7 +130,7 @@ impl Receiver<state::Extension> {
         }
 
         let receiver = Receiver {
-            state: state::PreExtension {
+            state: state::Extension {
                 counter: self.state.counter + 1,
             },
         };
@@ -145,8 +145,8 @@ pub mod state {
         pub trait Sealed {}
 
         impl Sealed for super::Initialized {}
-        impl Sealed for super::PreExtension {}
         impl Sealed for super::Extension {}
+        impl Sealed for super::ExtensionInternal {}
     }
 
     /// The receiver's state.
@@ -162,19 +162,19 @@ pub mod state {
     /// The receiver's state before extending.
     ///
     /// In this state the receiver performs pre extension in MPCOT (potentially multiple times).
-    pub struct PreExtension {
+    pub struct Extension {
         /// Current MPCOT counter
         pub(super) counter: usize,
     }
 
-    impl State for PreExtension {}
+    impl State for Extension {}
 
-    opaque_debug::implement!(PreExtension);
+    opaque_debug::implement!(Extension);
 
     /// The receiver's state after the setup phase.
     ///
     /// In this state the receiver performs MPCOT extension (potentially multiple times).
-    pub struct Extension {
+    pub struct ExtensionInternal {
         /// Current MPCOT counter
         #[allow(dead_code)]
         pub(super) counter: usize,
@@ -186,7 +186,7 @@ pub mod state {
         pub(super) queries_depth: Vec<usize>,
     }
 
-    impl State for Extension {}
+    impl State for ExtensionInternal {}
 
-    opaque_debug::implement!(Extension);
+    opaque_debug::implement!(ExtensionInternal);
 }
diff --git a/crates/mpz-ot-core/src/ferret/mpcot/sender.rs b/crates/mpz-ot-core/src/ferret/mpcot/sender.rs
index f1e49105..ad025574 100644
--- a/crates/mpz-ot-core/src/ferret/mpcot/sender.rs
+++ b/crates/mpz-ot-core/src/ferret/mpcot/sender.rs
@@ -31,12 +31,12 @@ impl Sender {
     ///
     /// * `delta` - The sender's global secret.
     /// * `hash_seed` - The seed for Cuckoo hash sent by the receiver.
-    pub fn setup(self, delta: Block, hash_seed: HashSeed) -> Sender<state::PreExtension> {
+    pub fn setup(self, delta: Block, hash_seed: HashSeed) -> Sender<state::Extension> {
         let HashSeed { seed: hash_seed } = hash_seed;
         let mut prg = Prg::from_seed(hash_seed);
         let hashes = std::array::from_fn(|_| AesEncryptor::new(prg.random_block()));
         Sender {
-            state: state::PreExtension {
+            state: state::Extension {
                 delta,
                 counter: 0,
                 hashes: Arc::new(hashes),
@@ -45,7 +45,7 @@ impl Sender {
     }
 }
 
-impl Sender<state::PreExtension> {
+impl Sender<state::Extension> {
     /// Performs the hash procedure in MPCOT extension.
     /// Outputs the length of each bucket plus 1.
     ///
@@ -59,7 +59,7 @@ impl Sender<state::PreExtension> {
         self,
         t: u32,
         n: u32,
-    ) -> Result<(Sender<state::Extension>, Vec<usize>), SenderError> {
+    ) -> Result<(Sender<state::ExtensionInternal>, Vec<usize>), SenderError> {
         if t > n {
             return Err(SenderError::InvalidInput(
                 "t should not exceed n".to_string(),
@@ -86,7 +86,7 @@ impl Sender<state::PreExtension> {
         }
 
         let sender = Sender {
-            state: state::Extension {
+            state: state::ExtensionInternal {
                 delta: self.state.delta,
                 counter: self.state.counter,
                 m,
@@ -101,7 +101,7 @@ impl Sender<state::PreExtension> {
     }
 }
 
-impl Sender<state::Extension> {
+impl Sender<state::ExtensionInternal> {
     /// Performs MPCOT extension.
     ///
     /// See Step 5 in Figure 7.
@@ -112,7 +112,7 @@ impl Sender<state::Extension> {
     pub fn extend(
         self,
         st: &[Vec<Block>],
-    ) -> Result<(Sender<state::PreExtension>, Vec<Block>), SenderError> {
+    ) -> Result<(Sender<state::Extension>, Vec<Block>), SenderError> {
         if st.len() != self.state.m {
             return Err(SenderError::InvalidInput(
                 "the length st should be m".to_string(),
@@ -147,7 +147,7 @@ impl Sender<state::Extension> {
         }
 
         let sender = Sender {
-            state: state::PreExtension {
+            state: state::Extension {
                 delta: self.state.delta,
                 counter: self.state.counter + 1,
                 hashes: self.state.hashes,
@@ -166,8 +166,8 @@ pub mod state {
         pub trait Sealed {}
 
         impl Sealed for super::Initialized {}
-        impl Sealed for super::PreExtension {}
         impl Sealed for super::Extension {}
+        impl Sealed for super::ExtensionInternal {}
     }
 
     /// The sender's state.
@@ -184,7 +184,7 @@ pub mod state {
     /// The sender's state before extending.
     ///
     /// In this state the sender performs pre extension in MPCOT (potentially multiple times).
-    pub struct PreExtension {
+    pub struct Extension {
         /// Sender's global secret.
         pub(super) delta: Block,
         /// Current MPCOT counter
@@ -193,13 +193,13 @@ pub mod state {
         pub(super) hashes: Arc<[AesEncryptor; CUCKOO_HASH_NUM]>,
     }
 
-    impl State for PreExtension {}
-    opaque_debug::implement!(PreExtension);
+    impl State for Extension {}
+    opaque_debug::implement!(Extension);
 
     /// The sender's state of extension.
     ///
     /// In this state the sender performs MPCOT extension (potentially multiple times).
-    pub struct Extension {
+    pub struct ExtensionInternal {
         /// Sender's global secret.
         pub(super) delta: Block,
         /// Current MPCOT counter
@@ -217,7 +217,7 @@ pub mod state {
         pub(super) buckets_length: Vec<usize>,
     }
 
-    impl State for Extension {}
+    impl State for ExtensionInternal {}
 
-    opaque_debug::implement!(Extension);
+    opaque_debug::implement!(ExtensionInternal);
 }
diff --git a/crates/mpz-ot-core/src/ferret/mpcot/sender_regular.rs b/crates/mpz-ot-core/src/ferret/mpcot/sender_regular.rs
index db0646b6..7afa5106 100644
--- a/crates/mpz-ot-core/src/ferret/mpcot/sender_regular.rs
+++ b/crates/mpz-ot-core/src/ferret/mpcot/sender_regular.rs
@@ -23,14 +23,14 @@ impl Sender {
     /// # Argument.
     ///
     /// * `delta` - The sender's global secret.
-    pub fn setup(self, delta: Block) -> Sender<state::PreExtension> {
+    pub fn setup(self, delta: Block) -> Sender<state::Extension> {
         Sender {
-            state: state::PreExtension { delta, counter: 0 },
+            state: state::Extension { delta, counter: 0 },
         }
     }
 }
 
-impl Sender<state::PreExtension> {
+impl Sender<state::Extension> {
     /// Performs the prepare procedure in MPCOT extension.
     /// Outputs the information for SPCOT.
     ///
@@ -42,7 +42,7 @@ impl Sender<state::PreExtension> {
         self,
         t: u32,
         n: u32,
-    ) -> Result<(Sender<state::Extension>, Vec<usize>), SenderError> {
+    ) -> Result<(Sender<state::ExtensionInternal>, Vec<usize>), SenderError> {
         if t > n {
             return Err(SenderError::InvalidInput(
                 "t should not exceed n".to_string(),
@@ -78,7 +78,7 @@ impl Sender<state::PreExtension> {
         }
 
         let sender = Sender {
-            state: state::Extension {
+            state: state::ExtensionInternal {
                 delta: self.state.delta,
                 counter: self.state.counter,
                 n,
@@ -91,7 +91,7 @@ impl Sender<state::PreExtension> {
     }
 }
 
-impl Sender<state::Extension> {
+impl Sender<state::ExtensionInternal> {
     /// Performs MPCOT extension.
     ///
     /// # Arguments.
@@ -100,7 +100,7 @@ impl Sender<state::Extension> {
     pub fn extend(
         self,
         st: &[Vec<Block>],
-    ) -> Result<(Sender<state::PreExtension>, Vec<Block>), SenderError> {
+    ) -> Result<(Sender<state::Extension>, Vec<Block>), SenderError> {
         if st
             .iter()
             .zip(self.state.queries_depth.iter())
@@ -117,7 +117,7 @@ impl Sender<state::Extension> {
         }
 
         let sender = Sender {
-            state: state::PreExtension {
+            state: state::Extension {
                 delta: self.state.delta,
                 counter: self.state.counter + 1,
             },
@@ -135,8 +135,8 @@ pub mod state {
         pub trait Sealed {}
 
         impl Sealed for super::Initialized {}
-        impl Sealed for super::PreExtension {}
         impl Sealed for super::Extension {}
+        impl Sealed for super::ExtensionInternal {}
     }
 
     /// The sender's state.
@@ -153,20 +153,20 @@ pub mod state {
     /// The sender's state before extending.
     ///
     /// In this state the sender performs pre extension in MPCOT (potentially multiple times).
-    pub struct PreExtension {
+    pub struct Extension {
         /// Sender's global secret.
         pub(super) delta: Block,
         /// Current MPCOT counter
         pub(super) counter: usize,
     }
 
-    impl State for PreExtension {}
-    opaque_debug::implement!(PreExtension);
+    impl State for Extension {}
+    opaque_debug::implement!(Extension);
 
     /// The sender's state after the setup phase.
     ///
     /// In this state the sender performs MPCOT extension (potentially multiple times).
-    pub struct Extension {
+    pub struct ExtensionInternal {
         /// Sender's global secret.
         pub(super) delta: Block,
         /// Current MPCOT counter
@@ -179,7 +179,7 @@ pub mod state {
         pub(super) queries_depth: Vec<usize>,
     }
 
-    impl State for Extension {}
+    impl State for ExtensionInternal {}
 
-    opaque_debug::implement!(Extension);
+    opaque_debug::implement!(ExtensionInternal);
 }
diff --git a/crates/mpz-ot-core/src/ferret/receiver.rs b/crates/mpz-ot-core/src/ferret/receiver.rs
index 4d08c69b..e5939c60 100644
--- a/crates/mpz-ot-core/src/ferret/receiver.rs
+++ b/crates/mpz-ot-core/src/ferret/receiver.rs
@@ -4,7 +4,10 @@ use mpz_core::{
     Block,
 };
 
-use crate::ferret::{error::ReceiverError, LpnType};
+use crate::{
+    ferret::{error::ReceiverError, LpnType},
+    TransferId,
+};
 
 use super::msgs::LpnMatrixSeed;
 
@@ -59,6 +62,7 @@ impl Receiver {
                     u: u.to_vec(),
                     w: w.to_vec(),
                     e: Vec::default(),
+                    id: TransferId::default(),
                 },
             },
             LpnMatrixSeed { seed },
@@ -69,10 +73,6 @@ impl Receiver {
 impl Receiver<state::Extension> {
     /// The prepare precedure of extension, sample error vectors and outputs information for MPCOT.
     /// See step 3 and 4.
-    ///
-    /// # Arguments.
-    ///
-    /// * `lpn_type` - The type of LPN parameters.
     pub fn get_mpcot_query(&mut self) -> (Vec<u32>, usize) {
         match self.state.lpn_type {
             LpnType::Uniform => {
@@ -105,6 +105,8 @@ impl Receiver<state::Extension> {
             return Err(ReceiverError("the length of r should be n".to_string()));
         }
 
+        self.state.id.next();
+
         // Compute z = A * w + r.
         let mut z = r.to_vec();
         self.state.lpn_encoder.compute(&mut z, &self.state.w);
@@ -133,6 +135,11 @@ impl Receiver<state::Extension> {
 
         Ok((x_, z_))
     }
+
+    /// Returns id
+    pub fn id(&self) -> TransferId {
+        self.state.id
+    }
 }
 
 /// The receiver's state.
@@ -176,6 +183,9 @@ pub mod state {
 
         /// Receiver's lpn error vector.
         pub(super) e: Vec<Block>,
+
+        /// TransferID
+        pub(super) id: TransferId,
     }
 
     impl State for Extension {}
diff --git a/crates/mpz-ot-core/src/ferret/sender.rs b/crates/mpz-ot-core/src/ferret/sender.rs
index 9e8db180..f2e366dd 100644
--- a/crates/mpz-ot-core/src/ferret/sender.rs
+++ b/crates/mpz-ot-core/src/ferret/sender.rs
@@ -4,7 +4,12 @@ use mpz_core::{
     Block,
 };
 
-use crate::ferret::{error::SenderError, LpnType};
+use crate::{
+    ferret::{error::SenderError, LpnType},
+    TransferId,
+};
+
+use super::msgs::LpnMatrixSeed;
 
 /// Ferret sender.
 #[derive(Debug, Default)]
@@ -36,7 +41,7 @@ impl Sender {
         delta: Block,
         lpn_parameters: LpnParameters,
         lpn_type: LpnType,
-        seed: Block,
+        seed: LpnMatrixSeed,
         v: &[Block],
     ) -> Result<Sender<state::Extension>, SenderError> {
         if v.len() != lpn_parameters.k {
@@ -44,6 +49,7 @@ impl Sender {
                 "the length of v should be equal to k".to_string(),
             ));
         }
+        let LpnMatrixSeed { seed } = seed;
         let lpn_encoder = LpnEncoder::<10>::new(seed, lpn_parameters.k as u32);
 
         Ok(Sender {
@@ -54,6 +60,7 @@ impl Sender {
                 lpn_type,
                 lpn_encoder,
                 v: v.to_vec(),
+                id: TransferId::default(),
             },
         })
     }
@@ -63,6 +70,7 @@ impl Sender<state::Extension> {
     /// Outputs the information for MPCOT.
     ///
     /// See step 3 and 4.
+    #[inline]
     pub fn get_mpcot_query(&self) -> (u32, u32) {
         (
             self.state.lpn_parameters.t as u32,
@@ -83,6 +91,8 @@ impl Sender<state::Extension> {
             return Err(SenderError("the length of s should be n".to_string()));
         }
 
+        self.state.id.next();
+
         // Compute y = A * v + s
         let mut y = s.to_vec();
         self.state.lpn_encoder.compute(&mut y, &self.state.v);
@@ -97,6 +107,11 @@ impl Sender<state::Extension> {
 
         Ok(y_)
     }
+
+    /// Returns id
+    pub fn id(&self) -> TransferId {
+        self.state.id
+    }
 }
 
 /// The sender's state.
@@ -141,6 +156,9 @@ pub mod state {
 
         /// Sender's COT message in the setup phase.
         pub(super) v: Vec<Block>,
+
+        /// TransferID.
+        pub(crate) id: TransferId,
     }
 
     impl State for Extension {}
diff --git a/crates/mpz-ot-core/src/ferret/spcot/mod.rs b/crates/mpz-ot-core/src/ferret/spcot/mod.rs
index 802efb66..63ebea15 100644
--- a/crates/mpz-ot-core/src/ferret/spcot/mod.rs
+++ b/crates/mpz-ot-core/src/ferret/spcot/mod.rs
@@ -7,8 +7,6 @@ pub mod sender;
 
 #[cfg(test)]
 mod tests {
-    use mpz_core::prg::Prg;
-
     use super::{receiver::Receiver as SpcotReceiver, sender::Sender as SpcotSender};
     use crate::{ferret::CSP, ideal::cot::IdealCOT, RCOTReceiverOutput, RCOTSenderOutput};
 
@@ -18,49 +16,82 @@ mod tests {
         let sender = SpcotSender::new();
         let receiver = SpcotReceiver::new();
 
-        let mut prg = Prg::new();
-        let sender_seed = prg.random_block();
         let delta = ideal_cot.delta();
 
-        let mut sender = sender.setup(delta, sender_seed);
+        let mut sender = sender.setup(delta);
         let mut receiver = receiver.setup();
 
-        let h1 = 8;
-        let alpha1 = 3;
+        let hs = [8, 4, 10];
+        let alphas = [3, 2, 4];
 
-        // Extend once
-        let (msg_for_sender, msg_for_receiver) = ideal_cot.random_correlated(h1);
+        let h_sum = hs.iter().sum();
+        // batch extension
+        let (msg_for_sender, msg_for_receiver) = ideal_cot.random_correlated(h_sum);
 
         let RCOTReceiverOutput {
-            choices: rs,
-            msgs: ts,
+            choices: rss,
+            msgs: tss,
             ..
         } = msg_for_receiver;
-        let RCOTSenderOutput { msgs: qs, .. } = msg_for_sender;
-        let maskbits = receiver.extend_mask_bits(h1, alpha1, &rs).unwrap();
 
-        let msg_from_sender = sender.extend(h1, &qs, maskbits).unwrap();
+        let RCOTSenderOutput { msgs: qss, .. } = msg_for_sender;
+
+        let maskbits = receiver.extend_mask_bits(&hs, &alphas, &rss).unwrap();
+
+        let msg_from_sender = sender.extend(&hs, &qss, &maskbits).unwrap();
+
+        receiver
+            .extend(&hs, &alphas, &tss, &msg_from_sender)
+            .unwrap();
+
+        // Check
+        let (msg_for_sender, msg_for_receiver) = ideal_cot.random_correlated(CSP);
+
+        let RCOTReceiverOutput {
+            choices: x_star,
+            msgs: z_star,
+            ..
+        } = msg_for_receiver;
+
+        let RCOTSenderOutput { msgs: y_star, .. } = msg_for_sender;
+
+        let check_from_receiver = receiver.check_pre(&x_star).unwrap();
 
-        receiver.extend(h1, alpha1, &ts, msg_from_sender).unwrap();
+        let (mut output_sender, check) = sender.check(&y_star, check_from_receiver).unwrap();
 
-        // Extend twice
-        let h2 = 4;
-        let alpha2 = 2;
+        let output_receiver = receiver.check(&z_star, check).unwrap();
 
-        let (msg_for_sender, msg_for_receiver) = ideal_cot.random_correlated(h2);
+        assert!(output_sender
+            .iter_mut()
+            .zip(output_receiver.iter())
+            .all(|(vs, (ws, alpha))| {
+                vs[*alpha as usize] ^= delta;
+                vs == ws
+            }));
+
+        // extend twice
+        let hs = [6, 9, 8];
+        let alphas = [2, 1, 3];
+
+        let h_sum = hs.iter().sum();
+
+        let (msg_for_sender, msg_for_receiver) = ideal_cot.random_correlated(h_sum);
 
         let RCOTReceiverOutput {
-            choices: rs,
-            msgs: ts,
+            choices: rss,
+            msgs: tss,
             ..
         } = msg_for_receiver;
-        let RCOTSenderOutput { msgs: qs, .. } = msg_for_sender;
 
-        let maskbits = receiver.extend_mask_bits(h2, alpha2, &rs).unwrap();
+        let RCOTSenderOutput { msgs: qss, .. } = msg_for_sender;
+
+        let maskbits = receiver.extend_mask_bits(&hs, &alphas, &rss).unwrap();
 
-        let msg_from_sender = sender.extend(h2, &qs, maskbits).unwrap();
+        let msg_from_sender = sender.extend(&hs, &qss, &maskbits).unwrap();
 
-        receiver.extend(h2, alpha2, &ts, msg_from_sender).unwrap();
+        receiver
+            .extend(&hs, &alphas, &tss, &msg_from_sender)
+            .unwrap();
 
         // Check
         let (msg_for_sender, msg_for_receiver) = ideal_cot.random_correlated(CSP);
diff --git a/crates/mpz-ot-core/src/ferret/spcot/receiver.rs b/crates/mpz-ot-core/src/ferret/spcot/receiver.rs
index 5e860f31..d60d8316 100644
--- a/crates/mpz-ot-core/src/ferret/spcot/receiver.rs
+++ b/crates/mpz-ot-core/src/ferret/spcot/receiver.rs
@@ -6,6 +6,10 @@ use mpz_core::{
     utils::blake3, Block,
 };
 use rand_core::SeedableRng;
+#[cfg(feature = "rayon")]
+use rayon::iter::{
+    IndexedParallelIterator, IntoParallelRefIterator, IntoParallelRefMutIterator, ParallelIterator,
+};
 
 use super::msgs::{CheckFromReceiver, CheckFromSender, ExtendFromSender, MaskBits};
 
@@ -43,71 +47,101 @@ impl Receiver {
 }
 
 impl Receiver<state::Extension> {
-    /// Performs the mask bit step in extension.
+    /// Performs the mask bit step in batch in extension.
     ///
     /// See step 4 in Figure 6.
     ///
     /// # Arguments
     ///
-    /// * `h` - The depth of the GGM tree.
-    /// * `alpha` - The chosen position.
-    /// * `rs` - The message from COT ideal functionality for the receiver. Only the random bits are used.
+    /// * `hs` - The depths of the GGM trees.
+    /// * `alphas` - The vector of chosen positions.
+    /// * `rss` - The message from COT ideal functionality for the receiver for all the tress. Only the random bits are used.
     pub fn extend_mask_bits(
         &mut self,
-        h: usize,
-        alpha: u32,
-        rs: &[bool],
-    ) -> Result<MaskBits, ReceiverError> {
+        hs: &[usize],
+        alphas: &[u32],
+        rss: &[bool],
+    ) -> Result<Vec<MaskBits>, ReceiverError> {
         if self.state.extended {
             return Err(ReceiverError::InvalidState(
                 "extension is not allowed".to_string(),
             ));
         }
 
-        if alpha >= (1 << h) {
+        if alphas.len() != hs.len() {
+            return Err(ReceiverError::InvalidLength(
+                "the length of alphas should be the length of hs".to_string(),
+            ));
+        }
+
+        if alphas
+            .iter()
+            .zip(hs.iter())
+            .any(|(alpha, h)| *alpha >= (1 << h))
+        {
             return Err(ReceiverError::InvalidInput(
                 "the input pos should be no more than 2^h-1".to_string(),
             ));
         }
 
-        if rs.len() != h {
+        let h_sum = hs.iter().sum();
+
+        if rss.len() != h_sum {
             return Err(ReceiverError::InvalidLength(
-                "the length of r should be h".to_string(),
+                "the length of r should be the sum of h".to_string(),
             ));
         }
 
-        // Step 4 in Figure 6
+        let mut rs_s = vec![Vec::<bool>::new(); hs.len()];
+        let mut rss_vec = rss.to_vec();
+        for (index, h) in hs.iter().enumerate() {
+            rs_s[index] = rss_vec.drain(0..*h).collect();
+        }
 
-        let bs: Vec<bool> = alpha
-            .iter_msb0()
-            .skip(32 - h)
-            // Computes alpha_i XOR r_i XOR 1.
-            .zip(rs.iter())
-            .map(|(alpha, &r)| alpha == r)
-            .collect();
+        // Step 4 in Figure 6
+        let mut bss = vec![Vec::<bool>::new(); hs.len()];
+
+        let iter = bss
+            .iter_mut()
+            .zip(alphas.iter())
+            .zip(hs.iter())
+            .zip(rs_s.iter())
+            .map(|(((bs, alpha), h), rs)| (bs, alpha, h, rs));
+
+        for (bs, alpha, h, rs) in iter {
+            *bs = alpha
+                .iter_msb0()
+                .skip(32 - h)
+                // Computes alpha_i XOR r_i XOR 1.
+                .zip(rs.iter())
+                .map(|(alpha, &r)| alpha == r)
+                .collect();
+        }
 
         // Updates hasher.
-        self.state.hasher.update(&bs.to_bytes());
+        self.state.hasher.update(&bss.to_bytes());
+
+        let res: Vec<MaskBits> = bss.into_iter().map(|bs| MaskBits { bs }).collect();
 
-        Ok(MaskBits { bs })
+        Ok(res)
     }
 
-    /// Performs the GGM reconstruction step in extension. This function can be called multiple times before checking.
+    /// Performs the GGM reconstruction step in batch in extension. This function can be called multiple times before checking.
     ///
     /// See step 5 in Figure 6.
     ///
     /// # Arguments
     ///
-    /// * `h` - The depth of the GGM tree.
-    /// * `alpha` - The chosen position.
-    /// * `ts` - The message from COT ideal functionality for the receiver. Only the chosen blocks are used.
-    /// * `extendfs` - The message sent by the sender.
+    /// * `hs` - The depths of the GGM trees.
+    /// * `alphas` - The vector of chosen positions.
+    /// * `tss` - The message from COT ideal functionality for the receiver. Only the chosen blocks are used.
+    /// * `extendfss` - The vector of messages sent by the sender.
     pub fn extend(
         &mut self,
-        h: usize,
-        alpha: u32,
-        ts: &[Block],
-        extendfs: ExtendFromSender,
+        hs: &[usize],
+        alphas: &[u32],
+        tss: &[Block],
+        extendfss: &[ExtendFromSender],
     ) -> Result<(), ReceiverError> {
         if self.state.extended {
             return Err(ReceiverError::InvalidState(
@@ -115,61 +149,122 @@ impl Receiver<state::Extension> {
             ));
         }
 
-        if alpha >= (1 << h) {
+        if alphas.len() != hs.len() {
+            return Err(ReceiverError::InvalidLength(
+                "the length of alphas should be the length of hs".to_string(),
+            ));
+        }
+
+        if alphas
+            .iter()
+            .zip(hs.iter())
+            .any(|(alpha, h)| *alpha >= (1 << h))
+        {
             return Err(ReceiverError::InvalidInput(
                 "the input pos should be no more than 2^h-1".to_string(),
             ));
         }
 
-        let ExtendFromSender { ms, sum } = extendfs;
-        if ts.len() != h {
+        let h_sum = hs.iter().sum();
+
+        if tss.len() != h_sum {
             return Err(ReceiverError::InvalidLength(
-                "the length of t should be h".to_string(),
+                "the length of tss should be the sum of h".to_string(),
             ));
         }
 
-        if ms.len() != h {
+        let mut ts_s = vec![Vec::<Block>::new(); hs.len()];
+        let mut tss_vec = tss.to_vec();
+        for (index, h) in hs.iter().enumerate() {
+            ts_s[index] = tss_vec.drain(0..*h).collect();
+        }
+
+        if extendfss.len() != hs.len() {
             return Err(ReceiverError::InvalidLength(
-                "the length of M should be h".to_string(),
+                "the length of extendfss should be the length of hs".to_string(),
             ));
         }
 
-        // Updates hasher
-        self.state.hasher.update(&ms.to_bytes());
-        self.state.hasher.update(&sum.to_bytes());
-
-        let alpha_bar_vec: Vec<bool> = alpha.iter_msb0().skip(32 - h).map(|a| !a).collect();
-
-        // Step 5 in Figure 6.
-        let k: Vec<Block> = ms
-            .into_iter()
-            .zip(ts)
-            .zip(alpha_bar_vec.iter())
-            .enumerate()
-            .map(|(i, (([m0, m1], &t), &b))| {
-                let tweak: Block = bytemuck::cast([i, self.state.exec_counter]);
-                if !b {
-                    // H(t, i|ell) ^ M0
-                    FIXED_KEY_AES.tccr(tweak, t) ^ m0
-                } else {
-                    // H(t, i|ell) ^ M1
-                    FIXED_KEY_AES.tccr(tweak, t) ^ m1
-                }
-            })
-            .collect();
+        let mut ms_s = vec![Vec::<[Block; 2]>::new(); hs.len()];
+        let mut sum_s = vec![Block::ZERO; hs.len()];
 
-        // Reconstructs GGM tree except `ws[alpha]`.
-        let ggm_tree = GgmTree::new(h);
-        let mut tree = vec![Block::ZERO; 1 << h];
-        ggm_tree.reconstruct(&mut tree, &k, &alpha_bar_vec);
+        for (index, extendfs) in extendfss.iter().enumerate() {
+            ms_s[index] = extendfs.ms.clone();
+            sum_s[index] = extendfs.sum;
+        }
+
+        if ms_s.iter().zip(hs.iter()).any(|(ms, h)| ms.len() != *h) {
+            return Err(ReceiverError::InvalidLength(
+                "the length of ms should be h".to_string(),
+            ));
+        }
+        // Updates hasher
+        self.state.hasher.update(&ms_s.to_bytes());
+        self.state.hasher.update(&sum_s.to_bytes());
+
+        let mut trees = vec![Vec::<Block>::new(); hs.len()];
+
+        cfg_if::cfg_if! {
+            if #[cfg(feature = "rayon")]{
+                let iter = alphas
+                    .par_iter()
+                    .zip(ms_s.par_iter())
+                    .zip(sum_s.par_iter())
+                    .zip(hs.par_iter())
+                    .zip(ts_s.par_iter())
+                    .zip(trees.par_iter_mut())
+                    .map(|(((((alpha, ms), sum), h), ts), tree)| (alpha, ms, sum, h, ts, tree));
+            }else{
+                let iter = alphas
+                    .iter()
+                    .zip(ms_s.iter())
+                    .zip(sum_s.iter())
+                    .zip(hs.iter())
+                    .zip(ts_s.iter())
+                    .zip(trees.iter_mut())
+                    .map(|(((((alpha, ms), sum), h), ts), tree)| (alpha, ms, sum, h, ts, tree));
+            }
+        }
 
-        // Sets `tree[alpha]`, which is `ws[alpha]`.
-        tree[alpha as usize] = tree.iter().fold(sum, |acc, &x| acc ^ x);
+        iter.for_each(|(alpha, ms, sum, h, ts, tree)| {
+            let alpha_bar_vec: Vec<bool> = alpha.iter_msb0().skip(32 - h).map(|a| !a).collect();
+
+            // Step 5 in Figure 6.
+            let k: Vec<Block> = ms
+                .iter()
+                .zip(ts)
+                .zip(alpha_bar_vec.iter())
+                .enumerate()
+                .map(|(i, (([m0, m1], &t), &b))| {
+                    let tweak: Block = bytemuck::cast([i, self.state.exec_counter]);
+                    if !b {
+                        // H(t, i|ell) ^ M0
+                        FIXED_KEY_AES.tccr(tweak, t) ^ *m0
+                    } else {
+                        // H(t, i|ell) ^ M1
+                        FIXED_KEY_AES.tccr(tweak, t) ^ *m1
+                    }
+                })
+                .collect();
+
+            // Reconstructs GGM tree except `ws[alpha]`.
+            let ggm_tree = GgmTree::new(*h);
+            *tree = vec![Block::ZERO; 1 << h];
+            ggm_tree.reconstruct(tree, &k, &alpha_bar_vec);
+
+            // Sets `tree[alpha]`, which is `ws[alpha]`.
+            tree[(*alpha) as usize] = tree.iter().fold(*sum, |acc, &x| acc ^ x);
+        });
+
+        for tree in trees {
+            self.state.unchecked_ws.extend_from_slice(&tree);
+        }
 
-        self.state.unchecked_ws.extend_from_slice(&tree);
-        self.state.alphas_and_length.push((alpha, 1 << h));
+        for (alpha, h) in alphas.iter().zip(hs.iter()) {
+            self.state.alphas_and_length.push((*alpha, 1 << h));
+        }
 
-        self.state.exec_counter += 1;
+        self.state.exec_counter += hs.len();
 
         Ok(())
     }
@@ -248,7 +343,6 @@ impl Receiver<state::Extension> {
         }
 
         self.state.cot_counter += self.state.unchecked_ws.len();
-        self.state.extended = true;
 
         let mut res = Vec::new();
         for (alpha, n) in &self.state.alphas_and_length {
@@ -256,8 +350,19 @@ impl Receiver<state::Extension> {
             res.push((tmp, *alpha));
         }
 
+        self.state.hasher = blake3::Hasher::new();
+        self.state.alphas_and_length.clear();
+        self.state.chis.clear();
+        self.state.unchecked_ws.clear();
+
         Ok(res)
     }
+
+    /// Complete extension.
+    #[inline]
+    pub fn finalize(&mut self) {
+        self.state.extended = true;
+    }
 }
 
 /// The receiver's state.
diff --git a/crates/mpz-ot-core/src/ferret/spcot/sender.rs b/crates/mpz-ot-core/src/ferret/spcot/sender.rs
index fef1327e..a62ad3bb 100644
--- a/crates/mpz-ot-core/src/ferret/spcot/sender.rs
+++ b/crates/mpz-ot-core/src/ferret/spcot/sender.rs
@@ -5,6 +5,10 @@ use mpz_core::{
     utils::blake3, Block,
 };
 use rand_core::SeedableRng;
+#[cfg(feature = "rayon")]
+use rayon::iter::{
+    IndexedParallelIterator, IntoParallelRefIterator, IntoParallelRefMutIterator, ParallelIterator,
+};
 
 use super::msgs::{CheckFromReceiver, CheckFromSender, ExtendFromSender, MaskBits};
 
@@ -29,8 +33,7 @@ impl Sender {
     /// # Arguments
     ///
     /// * `delta` - The sender's global secret.
-    /// * `seed`  - The random seed to generate PRG.
-    pub fn setup(self, delta: Block, seed: Block) -> Sender<state::Extension> {
+    pub fn setup(self, delta: Block) -> Sender<state::Extension> {
         Sender {
             state: state::Extension {
                 delta,
@@ -39,7 +42,6 @@ impl Sender {
                 cot_counter: 0,
                 exec_counter: 0,
                 extended: false,
-                prg: Prg::from_seed(seed),
                 hasher: blake3::Hasher::new(),
             },
         }
@@ -47,85 +49,137 @@ impl Sender {
 }
 
 impl Sender<state::Extension> {
-    /// Performs the SPCOT extension.
+    /// Performs batch SPCOT extension.
     ///
     /// See Step 1-5 in Figure 6.
     ///
     /// # Arguments
     ///
-    /// * `h` - The depth of the GGM tree.
-    /// * `qs`- The blocks received by calling the COT functionality.
-    /// * `mask`- The mask bits sent by the receiver.
+    /// * `hs` - The depths of the GGM trees.
+    /// * `qss`- The blocks received by calling the COT functionality for hs trees.
+    /// * `masks`- The vector of mask bits sent by the receiver.
     pub fn extend(
         &mut self,
-        h: usize,
-        qs: &[Block],
-        mask: MaskBits,
-    ) -> Result<ExtendFromSender, SenderError> {
+        hs: &[usize],
+        qss: &[Block],
+        masks: &[MaskBits],
+    ) -> Result<Vec<ExtendFromSender>, SenderError> {
         if self.state.extended {
             return Err(SenderError::InvalidState(
                 "extension is not allowed".to_string(),
             ));
         }
 
-        if qs.len() != h {
+        let h_sum = hs.iter().sum();
+
+        if qss.len() != h_sum {
             return Err(SenderError::InvalidLength(
-                "the length of q should be h".to_string(),
+                "the length of qss should be the sum of h".to_string(),
             ));
         }
 
-        let MaskBits { bs } = mask;
+        let mut qs_s = vec![Vec::<Block>::new(); hs.len()];
+        let mut qss_vec = qss.to_vec();
+        for (index, h) in hs.iter().enumerate() {
+            qs_s[index] = qss_vec.drain(0..*h).collect();
+        }
 
-        if bs.len() != h {
+        if masks.len() != hs.len() {
+            return Err(SenderError::InvalidLength(
+                "the length of masks should be the length of hs".to_string(),
+            ));
+        }
+
+        let bss: Vec<Vec<bool>> = masks.iter().map(|m| m.clone().bs).collect();
+
+        if bss.iter().zip(hs.iter()).any(|(b, h)| b.len() != *h) {
             return Err(SenderError::InvalidLength(
                 "the length of b should be h".to_string(),
             ));
         }
 
         // Updates hasher.
-        self.state.hasher.update(&bs.to_bytes());
+        self.state.hasher.update(&bss.to_bytes());
 
         // Step 3-4, Figure 6.
 
         // Generates a GGM tree with depth h and seed s.
-        let s = self.state.prg.random_block();
-        let ggm_tree = GgmTree::new(h);
-        let mut k0 = vec![Block::ZERO; h];
-        let mut k1 = vec![Block::ZERO; h];
-        let mut tree = vec![Block::ZERO; 1 << h];
-        ggm_tree.gen(s, &mut tree, &mut k0, &mut k1);
+        let mut trees = vec![Vec::<Block>::new(); hs.len()];
+        let mut ms_s = vec![Vec::<[Block; 2]>::new(); hs.len()];
+        let mut sum_s = vec![Block::ZERO; hs.len()];
+
+        cfg_if::cfg_if! {
+            if #[cfg(feature = "rayon")]{
+                let iter = trees
+                .par_iter_mut().zip(hs.par_iter())
+                .zip(qs_s.par_iter())
+                .zip(bss.par_iter())
+                .zip(ms_s.par_iter_mut())
+                .zip(sum_s.par_iter_mut())
+                .map(|(((((tree, h), qs), bs), ms), sum)| (tree, h, qs, bs, ms, sum));
+            }else{
+                let iter = trees
+                .iter_mut()
+                .zip(hs.iter())
+                .zip(qs_s.iter())
+                .zip(bss.iter())
+                .zip(ms_s.iter_mut())
+                .zip(sum_s.iter_mut())
+                .map(|(((((tree, h), qs), bs), ms), sum)| (tree, h, qs, bs, ms, sum));
+            }
+        }
+
+        iter.for_each(|(tree, h, qs, bs, ms, sum)| {
+            let s = Prg::new().random_block();
+            let ggm_tree = GgmTree::new(*h);
+            let mut k0 = vec![Block::ZERO; *h];
+            let mut k1 = vec![Block::ZERO; *h];
+            *tree = vec![Block::ZERO; 1 << h];
+            ggm_tree.gen(s, tree, &mut k0, &mut k1);
+
+            // Computes the sum of the leaves and delta.
+            *sum = tree.iter().fold(self.state.delta, |acc, &x| acc ^ x);
+
+            // Computes M0 and M1.
+            for (((i, &q), b), (k0, k1)) in
+                qs.iter().enumerate().zip(bs).zip(k0.into_iter().zip(k1))
+            {
+                let mut m = if *b {
+                    [q ^ self.state.delta, q]
+                } else {
+                    [q, q ^ self.state.delta]
+                };
+                let tweak: Block = bytemuck::cast([i, self.state.exec_counter]);
+                FIXED_KEY_AES.tccr_many(&[tweak, tweak], &mut m);
+                m[0] ^= k0;
+                m[1] ^= k1;
+                ms.push(m);
+            }
+        });
 
         // Stores the tree, i.e., the possible output of sender.
-        self.state.unchecked_vs.extend_from_slice(&tree);
+        for tree in trees {
+            self.state.unchecked_vs.extend_from_slice(&tree);
+        }
 
         // Stores the length of this extension.
-        self.state.vs_length.push(1 << h);
-
-        // Computes the sum of the leaves and delta.
-        let sum = tree.iter().fold(self.state.delta, |acc, &x| acc ^ x);
-
-        // Computes M0 and M1.
-        let mut ms: Vec<[Block; 2]> = Vec::with_capacity(qs.len());
-        for (((i, &q), b), (k0, k1)) in qs.iter().enumerate().zip(bs).zip(k0.into_iter().zip(k1)) {
-            let mut m = if b {
-                [q ^ self.state.delta, q]
-            } else {
-                [q, q ^ self.state.delta]
-            };
-            let tweak: Block = bytemuck::cast([i, self.state.exec_counter]);
-            FIXED_KEY_AES.tccr_many(&[tweak, tweak], &mut m);
-            m[0] ^= k0;
-            m[1] ^= k1;
-            ms.push(m);
+        for h in hs {
+            self.state.vs_length.push(1 << h);
         }
 
         // Updates hasher
-        self.state.hasher.update(&ms.to_bytes());
-        self.state.hasher.update(&sum.to_bytes());
+        self.state.hasher.update(&ms_s.to_bytes());
+        self.state.hasher.update(&sum_s.to_bytes());
 
-        self.state.exec_counter += 1;
+        self.state.exec_counter += hs.len();
+
+        let res: Vec<ExtendFromSender> = ms_s
+            .into_iter()
+            .zip(sum_s.iter())
+            .map(|(ms, &sum)| ExtendFromSender { ms, sum })
+            .collect();
 
-        Ok(ExtendFromSender { ms, sum })
+        Ok(res)
     }
 
     /// Performs the consistency check for the resulting COTs.
@@ -193,10 +247,18 @@ impl Sender<state::Extension> {
             res.push(tmp);
         }
 
-        self.state.extended = true;
+        self.state.hasher = blake3::Hasher::new();
+        self.state.unchecked_vs.clear();
+        self.state.vs_length.clear();
 
         Ok((res, CheckFromSender { hashed_v }))
     }
+
+    /// Complete extension.
+    #[inline]
+    pub fn finalize(&mut self) {
+        self.state.extended = true;
+    }
 }
 
 /// The sender's state.
@@ -239,8 +301,6 @@ pub mod state {
         /// This is to prevent the receiver from extending twice
         pub(super) extended: bool,
 
-        /// A PRG to generate random strings.
-        pub(super) prg: Prg,
         /// A hasher to generate chi seed.
         pub(super) hasher: blake3::Hasher,
     }
diff --git a/crates/mpz-ot/src/ferret/error.rs b/crates/mpz-ot/src/ferret/error.rs
new file mode 100644
index 00000000..6952f0ec
--- /dev/null
+++ b/crates/mpz-ot/src/ferret/error.rs
@@ -0,0 +1,67 @@
+use crate::OTError;
+
+/// A Ferret sender error.
+#[derive(Debug, thiserror::Error)]
+#[allow(missing_docs)]
+pub enum SenderError {
+    #[error(transparent)]
+    IOError(#[from] std::io::Error),
+    #[error(transparent)]
+    CoreError(#[from] mpz_ot_core::ferret::error::SenderError),
+    #[error(transparent)]
+    MPCOTSenderError(#[from] crate::ferret::mpcot::SenderError),
+    #[error(transparent)]
+    RandomCOTError(#[from] OTError),
+    #[error("{0}")]
+    StateError(String),
+    #[error("{0}")]
+    MPCOTSenderTypeError(String),
+}
+
+impl From<SenderError> for OTError {
+    fn from(err: SenderError) -> Self {
+        match err {
+            SenderError::IOError(e) => e.into(),
+            e => OTError::SenderError(Box::new(e)),
+        }
+    }
+}
+
+impl From<crate::ferret::sender::StateError> for SenderError {
+    fn from(err: crate::ferret::sender::StateError) -> Self {
+        SenderError::StateError(err.to_string())
+    }
+}
+
+/// A Ferret receiver error.
+#[derive(Debug, thiserror::Error)]
+#[allow(missing_docs)]
+pub enum ReceiverError {
+    #[error(transparent)]
+    IOError(#[from] std::io::Error),
+    #[error(transparent)]
+    CoreError(#[from] mpz_ot_core::ferret::error::ReceiverError),
+    #[error(transparent)]
+    MPCOTReceiverError(#[from] crate::ferret::mpcot::ReceiverError),
+    #[error(transparent)]
+    RandomCOTError(#[from] OTError),
+    #[error("{0}")]
+    StateError(String),
+    #[error("{0}")]
+    MPCOTReceiverTypeError(String),
+}
+
+impl From<ReceiverError> for OTError {
+    fn from(err: ReceiverError) -> Self {
+        match err {
+            ReceiverError::IOError(e) => e.into(),
+            e => OTError::ReceiverError(Box::new(e)),
+        }
+    }
+}
+
+impl From<crate::ferret::receiver::StateError> for ReceiverError {
+    fn from(err: crate::ferret::receiver::StateError) -> Self {
+        ReceiverError::StateError(err.to_string())
+    }
+}
diff --git a/crates/mpz-ot/src/ferret/mod.rs b/crates/mpz-ot/src/ferret/mod.rs
new file mode 100644
index 00000000..2b2047b9
--- /dev/null
+++ b/crates/mpz-ot/src/ferret/mod.rs
@@ -0,0 +1,175 @@
+//! An implementation of the [`Ferret`](https://eprint.iacr.org/2020/924.pdf) protocol.
+mod error;
+mod mpcot;
+mod receiver;
+mod sender;
+mod spcot;
+
+pub use error::{ReceiverError, SenderError};
+pub use receiver::Receiver;
+pub use sender::Sender;
+
+use mpz_core::lpn::LpnParameters;
+use mpz_ot_core::ferret::LpnType;
+
+/// Configuration of Ferret.
+#[derive(Debug)]
+pub struct FerretConfig<RandomCOT, SetupRandomCOT> {
+    rcot: RandomCOT,
+    setup_rcot: SetupRandomCOT,
+    lpn_parameters: LpnParameters,
+    lpn_type: LpnType,
+}
+
+impl<RandomCOT: Clone, SetupRandomCOT> FerretConfig<RandomCOT, SetupRandomCOT> {
+    /// Create a new instance.
+    ///
+    /// # Arguments.
+    ///
+    /// * `rcot` - The rcot for MPCOT.
+    /// * `setup_rcot` - The rcot for setup.
+    /// * `lpn_parameters` - The parameters of LPN.
+    /// * `lpn_type` - The type of LPN.
+    pub fn new(
+        rcot: RandomCOT,
+        setup_rcot: SetupRandomCOT,
+        lpn_parameters: LpnParameters,
+        lpn_type: LpnType,
+    ) -> Self {
+        Self {
+            rcot,
+            setup_rcot,
+            lpn_parameters,
+            lpn_type,
+        }
+    }
+
+    /// Get rcot
+    pub fn rcot(&self) -> RandomCOT {
+        self.rcot.clone()
+    }
+
+    /// Get the setup rcot
+    pub fn setup_rcot(&mut self) -> &mut SetupRandomCOT {
+        &mut self.setup_rcot
+    }
+
+    /// Get the lpn type
+    pub fn lpn_type(&self) -> LpnType {
+        self.lpn_type
+    }
+
+    /// Get the lpn parameters
+    pub fn lpn_parameters(&self) -> LpnParameters {
+        self.lpn_parameters
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use futures::TryFutureExt;
+    use mpz_common::executor::test_st_executor;
+    use mpz_core::{lpn::LpnParameters, Block};
+    use mpz_ot_core::{ferret::LpnType, test::assert_cot, RCOTReceiverOutput, RCOTSenderOutput};
+
+    use crate::{
+        ideal::cot::{ideal_rcot, IdealCOTReceiver, IdealCOTSender},
+        OTError, RandomCOTReceiver, RandomCOTSender,
+    };
+
+    use super::*;
+
+    // l = n - k = 8380
+    const LPN_PARAMETERS_TEST: LpnParameters = LpnParameters {
+        n: 9600,
+        k: 1220,
+        t: 600,
+    };
+
+    fn setup() -> (
+        Sender<IdealCOTSender, IdealCOTSender>,
+        Receiver<IdealCOTReceiver, IdealCOTReceiver>,
+        Block,
+    ) {
+        let (mut rcot_sender, rcot_receiver) = ideal_rcot();
+
+        let sender_config = FerretConfig::new(
+            rcot_sender.clone(),
+            rcot_sender.clone(),
+            LPN_PARAMETERS_TEST,
+            LpnType::Regular,
+        );
+
+        let receiver_config = FerretConfig::new(
+            rcot_receiver.clone(),
+            rcot_receiver,
+            LPN_PARAMETERS_TEST,
+            LpnType::Regular,
+        );
+
+        let delta = rcot_sender.alice().get_mut().delta();
+
+        let sender = Sender::new(sender_config);
+
+        let receiver = Receiver::new(receiver_config);
+
+        (sender, receiver, delta)
+    }
+
+    #[tokio::test]
+    async fn test_ferret() {
+        let (mut ctx_sender, mut ctx_receiver) = test_st_executor(8);
+
+        let (mut sender, mut receiver, delta) = setup();
+
+        tokio::try_join!(
+            sender
+                .setup_with_delta(&mut ctx_sender, delta)
+                .map_err(OTError::from),
+            receiver.setup(&mut ctx_receiver).map_err(OTError::from)
+        )
+        .unwrap();
+
+        // extend once.
+        let count = 8000;
+        let (
+            RCOTSenderOutput {
+                id: sender_id,
+                msgs: u,
+            },
+            RCOTReceiverOutput {
+                id: receiver_id,
+                choices: b,
+                msgs: w,
+            },
+        ) = tokio::try_join!(
+            sender.send_random_correlated(&mut ctx_sender, count),
+            receiver.receive_random_correlated(&mut ctx_receiver, count)
+        )
+        .unwrap();
+
+        assert_eq!(sender_id, receiver_id);
+        assert_cot(delta, &b, &u, &w);
+
+        // extend twice
+        let count = 9000;
+        let (
+            RCOTSenderOutput {
+                id: sender_id,
+                msgs: u,
+            },
+            RCOTReceiverOutput {
+                id: receiver_id,
+                choices: b,
+                msgs: w,
+            },
+        ) = tokio::try_join!(
+            sender.send_random_correlated(&mut ctx_sender, count),
+            receiver.receive_random_correlated(&mut ctx_receiver, count)
+        )
+        .unwrap();
+
+        assert_eq!(sender_id, receiver_id);
+        assert_cot(delta, &b, &u, &w);
+    }
+}
diff --git a/crates/mpz-ot/src/ferret/mpcot/error.rs b/crates/mpz-ot/src/ferret/mpcot/error.rs
new file mode 100644
index 00000000..238808d0
--- /dev/null
+++ b/crates/mpz-ot/src/ferret/mpcot/error.rs
@@ -0,0 +1,59 @@
+use crate::OTError;
+
+/// A MPCOT sender error.
+#[derive(Debug, thiserror::Error)]
+#[allow(missing_docs)]
+pub enum SenderError {
+    #[error(transparent)]
+    IOError(#[from] std::io::Error),
+    #[error(transparent)]
+    CoreError(#[from] mpz_ot_core::ferret::mpcot::error::SenderError),
+    #[error(transparent)]
+    SPCOTSenderError(#[from] crate::ferret::spcot::SenderError),
+    #[error("{0}")]
+    StateError(String),
+}
+
+impl From<SenderError> for OTError {
+    fn from(err: SenderError) -> Self {
+        match err {
+            SenderError::IOError(e) => e.into(),
+            e => OTError::SenderError(Box::new(e)),
+        }
+    }
+}
+
+impl From<crate::ferret::mpcot::sender::StateError> for SenderError {
+    fn from(err: crate::ferret::mpcot::sender::StateError) -> Self {
+        SenderError::StateError(err.to_string())
+    }
+}
+
+/// A MPCOT receiver error
+#[derive(Debug, thiserror::Error)]
+#[allow(missing_docs)]
+pub enum ReceiverError {
+    #[error(transparent)]
+    IOError(#[from] std::io::Error),
+    #[error(transparent)]
+    CoreError(#[from] mpz_ot_core::ferret::mpcot::error::ReceiverError),
+    #[error(transparent)]
+    SpcotReceiverError(#[from] crate::ferret::spcot::ReceiverError),
+    #[error("{0}")]
+    StateError(String),
+}
+
+impl From<ReceiverError> for OTError {
+    fn from(err: ReceiverError) -> Self {
+        match err {
+            ReceiverError::IOError(e) => e.into(),
+            e => OTError::ReceiverError(Box::new(e)),
+        }
+    }
+}
+
+impl From<crate::ferret::mpcot::receiver::StateError> for ReceiverError {
+    fn from(err: crate::ferret::mpcot::receiver::StateError) -> Self {
+        ReceiverError::StateError(err.to_string())
+    }
+}
diff --git a/crates/mpz-ot/src/ferret/mpcot/mod.rs b/crates/mpz-ot/src/ferret/mpcot/mod.rs
new file mode 100644
index 00000000..598b5734
--- /dev/null
+++ b/crates/mpz-ot/src/ferret/mpcot/mod.rs
@@ -0,0 +1,165 @@
+//! Implementation of the Multiple-Point COT (mpcot) protocol in the [`Ferret`](https://eprint.iacr.org/2020/924.pdf) paper.
+
+mod error;
+mod receiver;
+mod sender;
+
+pub(crate) use error::{ReceiverError, SenderError};
+pub(crate) use receiver::Receiver;
+pub(crate) use sender::Sender;
+
+#[cfg(test)]
+mod tests {
+    use futures::TryFutureExt;
+    use mpz_common::executor::test_st_executor;
+    use mpz_core::Block;
+    use mpz_ot_core::ferret::LpnType;
+
+    use crate::{
+        ideal::cot::{ideal_rcot, IdealCOTReceiver, IdealCOTSender},
+        OTError,
+    };
+
+    use receiver::Receiver;
+    use sender::Sender;
+
+    use super::*;
+
+    fn setup(
+        lpn_type: LpnType,
+    ) -> (
+        Sender<IdealCOTSender>,
+        Receiver<IdealCOTReceiver>,
+        IdealCOTSender,
+        IdealCOTReceiver,
+        Block,
+    ) {
+        let (mut rcot_sender, rcot_receiver) = ideal_rcot();
+
+        let delta = rcot_sender.alice().get_mut().delta();
+
+        let sender = Sender::new(lpn_type);
+
+        let receiver = Receiver::new(lpn_type);
+
+        (sender, receiver, rcot_sender, rcot_receiver, delta)
+    }
+
+    #[tokio::test]
+    async fn test_mpcot() {
+        let (mut ctx_sender, mut ctx_receiver) = test_st_executor(8);
+
+        let (mut sender, mut receiver, rcot_sender, rcot_receiver, delta) = setup(LpnType::Uniform);
+
+        let alphas = [0, 1, 3, 4, 2];
+        let t = alphas.len();
+        let n = 10;
+
+        tokio::try_join!(
+            sender
+                .setup_with_delta(&mut ctx_sender, delta, rcot_sender)
+                .map_err(OTError::from),
+            receiver
+                .setup(&mut ctx_receiver, rcot_receiver)
+                .map_err(OTError::from)
+        )
+        .unwrap();
+
+        let (mut output_sender, output_receiver) = tokio::try_join!(
+            sender
+                .extend(&mut ctx_sender, t as u32, n)
+                .map_err(OTError::from),
+            receiver
+                .extend(&mut ctx_receiver, &alphas, n)
+                .map_err(OTError::from)
+        )
+        .unwrap();
+
+        for i in alphas {
+            output_sender[i as usize] ^= delta;
+        }
+
+        assert_eq!(output_sender, output_receiver);
+
+        // extend twice
+        let alphas = [5, 1, 7, 2];
+        let t = alphas.len();
+        let n = 16;
+
+        let (mut output_sender, output_receiver) = tokio::try_join!(
+            sender
+                .extend(&mut ctx_sender, t as u32, n)
+                .map_err(OTError::from),
+            receiver
+                .extend(&mut ctx_receiver, &alphas, n)
+                .map_err(OTError::from)
+        )
+        .unwrap();
+
+        for i in alphas {
+            output_sender[i as usize] ^= delta;
+        }
+
+        assert_eq!(output_sender, output_receiver);
+
+        sender.finalize().unwrap();
+        receiver.finalize().unwrap();
+
+        let (mut sender, mut receiver, rcot_sender, rcot_receiver, delta) = setup(LpnType::Regular);
+
+        // extend once.
+        let alphas = [0, 3, 4, 7, 9];
+        let t = alphas.len();
+        let n = 10;
+
+        tokio::try_join!(
+            sender
+                .setup_with_delta(&mut ctx_sender, delta, rcot_sender)
+                .map_err(OTError::from),
+            receiver
+                .setup(&mut ctx_receiver, rcot_receiver)
+                .map_err(OTError::from)
+        )
+        .unwrap();
+
+        let (mut output_sender, output_receiver) = tokio::try_join!(
+            sender
+                .extend(&mut ctx_sender, t as u32, n)
+                .map_err(OTError::from),
+            receiver
+                .extend(&mut ctx_receiver, &alphas, n)
+                .map_err(OTError::from)
+        )
+        .unwrap();
+
+        for i in alphas {
+            output_sender[i as usize] ^= delta;
+        }
+
+        assert_eq!(output_sender, output_receiver);
+
+        // extend twice.
+        let alphas = [0, 3, 7, 9, 14, 15];
+        let t = alphas.len();
+        let n = 16;
+
+        let (mut output_sender, output_receiver) = tokio::try_join!(
+            sender
+                .extend(&mut ctx_sender, t as u32, n)
+                .map_err(OTError::from),
+            receiver
+                .extend(&mut ctx_receiver, &alphas, n)
+                .map_err(OTError::from)
+        )
+        .unwrap();
+
+        for i in alphas {
+            output_sender[i as usize] ^= delta;
+        }
+
+        assert_eq!(output_sender, output_receiver);
+
+        sender.finalize().unwrap();
+        receiver.finalize().unwrap();
+    }
+}
diff --git a/crates/mpz-ot/src/ferret/mpcot/receiver.rs b/crates/mpz-ot/src/ferret/mpcot/receiver.rs
new file mode 100644
index 00000000..e2553efd
--- /dev/null
+++ b/crates/mpz-ot/src/ferret/mpcot/receiver.rs
@@ -0,0 +1,192 @@
+use crate::{
+    ferret::{mpcot::error::ReceiverError, spcot::Receiver as SpcotReceiver},
+    RandomCOTReceiver,
+};
+use enum_try_as_inner::EnumTryAsInner;
+
+use mpz_common::Context;
+use mpz_core::{prg::Prg, Block};
+use mpz_ot_core::ferret::{
+    mpcot::{
+        receiver::{state as uniform_state, Receiver as UniformReceiverCore},
+        receiver_regular::{state as regular_state, Receiver as RegularReceiverCore},
+    },
+    LpnType,
+};
+use serio::SinkExt;
+use utils_aio::non_blocking_backend::{Backend, NonBlockingBackend};
+
+#[derive(Debug, EnumTryAsInner)]
+#[derive_err(Debug)]
+pub(crate) enum State {
+    UniformInitialized(UniformReceiverCore<uniform_state::Initialized>),
+    UniformExtension(UniformReceiverCore<uniform_state::Extension>),
+    RegularInitialized(RegularReceiverCore<regular_state::Initialized>),
+    RegularExtension(RegularReceiverCore<regular_state::Extension>),
+    Complete,
+    Error,
+}
+
+/// MPCOT receiver.
+#[derive(Debug)]
+pub(crate) struct Receiver<RandomCOT> {
+    state: State,
+    spcot: SpcotReceiver<RandomCOT>,
+    lpn_type: LpnType,
+}
+
+impl<RandomCOT: Send + Default> Receiver<RandomCOT> {
+    /// Creates a new Sender.
+    ///
+    /// # Arguments.
+    ///
+    /// * `lpn_type` - The type of LPN.
+    pub(crate) fn new(lpn_type: LpnType) -> Self {
+        match lpn_type {
+            LpnType::Uniform => Self {
+                state: State::UniformInitialized(UniformReceiverCore::new()),
+                spcot: crate::ferret::spcot::Receiver::new(),
+                lpn_type,
+            },
+            LpnType::Regular => Self {
+                state: State::RegularInitialized(RegularReceiverCore::new()),
+                spcot: crate::ferret::spcot::Receiver::new(),
+                lpn_type,
+            },
+        }
+    }
+
+    /// Performs setup for receiver.
+    ///
+    /// # Arguments
+    ///
+    /// * `ctx` - The context.
+    /// * `rcot` - The random COT used by Receiver.
+    pub(crate) async fn setup<Ctx: Context>(
+        &mut self,
+        ctx: &mut Ctx,
+        rcot: RandomCOT,
+    ) -> Result<(), ReceiverError> {
+        match self.lpn_type {
+            LpnType::Uniform => {
+                let ext_receiver = std::mem::replace(&mut self.state, State::Error)
+                    .try_into_uniform_initialized()?;
+
+                let hash_seed = Prg::new().random_block();
+
+                let (ext_receiver, hash_seed) = ext_receiver.setup(hash_seed);
+
+                ctx.io_mut().send(hash_seed).await?;
+
+                self.state = State::UniformExtension(ext_receiver);
+            }
+            LpnType::Regular => {
+                let ext_receiver = std::mem::replace(&mut self.state, State::Error)
+                    .try_into_regular_initialized()?;
+
+                let ext_receiver = ext_receiver.setup();
+
+                self.state = State::RegularExtension(ext_receiver);
+            }
+        }
+
+        self.spcot.setup(rcot)?;
+
+        Ok(())
+    }
+
+    /// Performs MPCOT extension.
+    ///
+    ///
+    /// # Arguments
+    ///
+    /// * `ctx` - The context,
+    /// * `alphas` - The queried indices.
+    /// * `n` - The total number of indices.
+    pub(crate) async fn extend<Ctx: Context>(
+        &mut self,
+        ctx: &mut Ctx,
+        alphas: &[u32],
+        n: u32,
+    ) -> Result<Vec<Block>, ReceiverError>
+    where
+        RandomCOT: RandomCOTReceiver<Ctx, bool, Block>,
+    {
+        let alphas_vec = alphas.to_vec();
+
+        match self.lpn_type {
+            LpnType::Uniform => {
+                let ext_receiver = std::mem::replace(&mut self.state, State::Error)
+                    .try_into_uniform_extension()?;
+
+                let (ext_receiver, h_and_pos) =
+                    Backend::spawn(move || ext_receiver.pre_extend(&alphas_vec, n)).await?;
+
+                let mut hs = vec![0usize; h_and_pos.len()];
+
+                let mut pos = vec![0u32; h_and_pos.len()];
+                for (index, (h, p)) in h_and_pos.iter().enumerate() {
+                    hs[index] = *h;
+                    pos[index] = *p;
+                }
+
+                self.spcot.extend(ctx, &pos, &hs).await?;
+
+                let rt = self.spcot.check(ctx).await?;
+
+                let rt: Vec<Vec<Block>> = rt.into_iter().map(|(elem, _)| elem).collect();
+                let (ext_receiver, output) =
+                    Backend::spawn(move || ext_receiver.extend(&rt)).await?;
+
+                self.state = State::UniformExtension(ext_receiver);
+
+                Ok(output)
+            }
+
+            LpnType::Regular => {
+                let ext_receiver = std::mem::replace(&mut self.state, State::Error)
+                    .try_into_regular_extension()?;
+
+                let (ext_receiver, h_and_pos) =
+                    Backend::spawn(move || ext_receiver.pre_extend(&alphas_vec, n)).await?;
+
+                let mut hs = vec![0usize; h_and_pos.len()];
+
+                let mut pos = vec![0u32; h_and_pos.len()];
+                for (index, (h, p)) in h_and_pos.iter().enumerate() {
+                    hs[index] = *h;
+                    pos[index] = *p;
+                }
+
+                self.spcot.extend(ctx, &pos, &hs).await?;
+
+                let rt = self.spcot.check(ctx).await?;
+
+                let rt: Vec<Vec<Block>> = rt.into_iter().map(|(elem, _)| elem).collect();
+                let (ext_receiver, output) =
+                    Backend::spawn(move || ext_receiver.extend(&rt)).await?;
+
+                self.state = State::RegularExtension(ext_receiver);
+
+                Ok(output)
+            }
+        }
+    }
+
+    /// Complete extension.
+    pub(crate) fn finalize(&mut self) -> Result<(), ReceiverError> {
+        match self.lpn_type {
+            LpnType::Uniform => {
+                std::mem::replace(&mut self.state, State::Error).try_into_uniform_extension()?;
+            }
+            LpnType::Regular => {
+                std::mem::replace(&mut self.state, State::Error).try_into_regular_extension()?;
+            }
+        }
+
+        self.spcot.finalize()?;
+        self.state = State::Complete;
+
+        Ok(())
+    }
+}
diff --git a/crates/mpz-ot/src/ferret/mpcot/sender.rs b/crates/mpz-ot/src/ferret/mpcot/sender.rs
new file mode 100644
index 00000000..a0256276
--- /dev/null
+++ b/crates/mpz-ot/src/ferret/mpcot/sender.rs
@@ -0,0 +1,166 @@
+use crate::{
+    ferret::{mpcot::error::SenderError, spcot::Sender as SpcotSender},
+    RandomCOTSender,
+};
+use enum_try_as_inner::EnumTryAsInner;
+use mpz_common::Context;
+use mpz_core::Block;
+use mpz_ot_core::ferret::{
+    mpcot::{
+        msgs::HashSeed,
+        sender::{state as uniform_state, Sender as UniformSenderCore},
+        sender_regular::{state as regular_state, Sender as RegularSenderCore},
+    },
+    LpnType,
+};
+use serio::stream::IoStreamExt;
+use utils_aio::non_blocking_backend::{Backend, NonBlockingBackend};
+
+#[derive(Debug, EnumTryAsInner)]
+#[derive_err(Debug)]
+pub(crate) enum State {
+    UniformInitialized(UniformSenderCore<uniform_state::Initialized>),
+    UniformExtension(UniformSenderCore<uniform_state::Extension>),
+    RegularInitialized(RegularSenderCore<regular_state::Initialized>),
+    RegularExtension(RegularSenderCore<regular_state::Extension>),
+    Complete,
+    Error,
+}
+
+/// MPCOT sender.
+#[derive(Debug)]
+pub(crate) struct Sender<RandomCOT> {
+    state: State,
+    spcot: SpcotSender<RandomCOT>,
+    lpn_type: LpnType,
+}
+
+impl<RandomCOT: Send + Default> Sender<RandomCOT> {
+    /// Creates a new Sender.
+    ///
+    /// # Arguments.
+    ///
+    /// * `lpn_type` - The type of LPN.
+    pub(crate) fn new(lpn_type: LpnType) -> Self {
+        match lpn_type {
+            LpnType::Uniform => Self {
+                state: State::UniformInitialized(UniformSenderCore::new()),
+                spcot: crate::ferret::spcot::Sender::new(),
+                lpn_type,
+            },
+            LpnType::Regular => Self {
+                state: State::RegularInitialized(RegularSenderCore::new()),
+                spcot: crate::ferret::spcot::Sender::new(),
+                lpn_type,
+            },
+        }
+    }
+
+    /// Performs setup with provided delta.
+    ///
+    /// # Arguments
+    ///
+    /// * `ctx` - The channel.
+    /// * `delta` - The delta value to use for OT extension.
+    /// * `rcot` - The random COT used by Sender.
+    pub(crate) async fn setup_with_delta<Ctx: Context>(
+        &mut self,
+        ctx: &mut Ctx,
+        delta: Block,
+        rcot: RandomCOT,
+    ) -> Result<(), SenderError> {
+        match self.lpn_type {
+            LpnType::Uniform => {
+                let ext_sender = std::mem::replace(&mut self.state, State::Error)
+                    .try_into_uniform_initialized()?;
+
+                let hash_seed: HashSeed = ctx.io_mut().expect_next().await?;
+
+                let ext_sender = ext_sender.setup(delta, hash_seed);
+
+                self.state = State::UniformExtension(ext_sender);
+            }
+
+            LpnType::Regular => {
+                let ext_sender = std::mem::replace(&mut self.state, State::Error)
+                    .try_into_regular_initialized()?;
+
+                let ext_sender = ext_sender.setup(delta);
+
+                self.state = State::RegularExtension(ext_sender);
+            }
+        }
+
+        self.spcot.setup_with_delta(delta, rcot)?;
+
+        Ok(())
+    }
+
+    /// Performs MPCOT extension.
+    ///
+    ///
+    /// # Arguments.
+    ///
+    /// * `ctx` - The context.
+    /// * `t` - The number of queried indices.
+    /// * `n` - The total number of indices.
+    pub(crate) async fn extend<Ctx: Context>(
+        &mut self,
+        ctx: &mut Ctx,
+        t: u32,
+        n: u32,
+    ) -> Result<Vec<Block>, SenderError>
+    where
+        RandomCOT: RandomCOTSender<Ctx, Block>,
+    {
+        match self.lpn_type {
+            LpnType::Uniform => {
+                let ext_sender = std::mem::replace(&mut self.state, State::Error)
+                    .try_into_uniform_extension()?;
+
+                let (ext_sender, hs) = Backend::spawn(move || ext_sender.pre_extend(t, n)).await?;
+
+                self.spcot.extend(ctx, &hs).await?;
+
+                let st = self.spcot.check(ctx).await?;
+
+                let (ext_sender, output) = Backend::spawn(move || ext_sender.extend(&st)).await?;
+
+                self.state = State::UniformExtension(ext_sender);
+                Ok(output)
+            }
+            LpnType::Regular => {
+                let ext_sender = std::mem::replace(&mut self.state, State::Error)
+                    .try_into_regular_extension()?;
+
+                let (ext_sender, hs) = Backend::spawn(move || ext_sender.pre_extend(t, n)).await?;
+
+                self.spcot.extend(ctx, &hs).await?;
+
+                let st = self.spcot.check(ctx).await?;
+
+                let (ext_sender, output) = Backend::spawn(move || ext_sender.extend(&st)).await?;
+
+                self.state = State::RegularExtension(ext_sender);
+                Ok(output)
+            }
+        }
+    }
+
+    /// Complete extension.
+    pub(crate) fn finalize(&mut self) -> Result<(), SenderError> {
+        match self.lpn_type {
+            LpnType::Uniform => {
+                std::mem::replace(&mut self.state, State::Error).try_into_uniform_extension()?;
+            }
+            LpnType::Regular => {
+                std::mem::replace(&mut self.state, State::Error).try_into_regular_extension()?;
+            }
+        }
+
+        self.spcot.finalize()?;
+        self.state = State::Complete;
+
+        Ok(())
+    }
+}
diff --git a/crates/mpz-ot/src/ferret/receiver.rs b/crates/mpz-ot/src/ferret/receiver.rs
new file mode 100644
index 00000000..520506e8
--- /dev/null
+++ b/crates/mpz-ot/src/ferret/receiver.rs
@@ -0,0 +1,192 @@
+use crate::{
+    ferret::{mpcot::Receiver as MpcotReceiver, ReceiverError},
+    RandomCOTReceiver,
+};
+use enum_try_as_inner::EnumTryAsInner;
+use mpz_common::Context;
+use mpz_core::{prg::Prg, Block};
+use mpz_ot_core::{
+    ferret::receiver::{state, Receiver as ReceiverCore},
+    RCOTReceiverOutput,
+};
+use serio::SinkExt;
+use utils_aio::non_blocking_backend::{Backend, NonBlockingBackend};
+
+use super::FerretConfig;
+use crate::{async_trait, OTError};
+
+#[derive(Debug, EnumTryAsInner)]
+#[derive_err(Debug)]
+pub(crate) enum State {
+    Initialized(ReceiverCore<state::Initialized>),
+    Extension(ReceiverCore<state::Extension>),
+    Complete,
+    Error,
+}
+
+/// Ferret Receiver.
+#[derive(Debug)]
+pub struct Receiver<RandomCOT, SetupRandomCOT> {
+    state: State,
+    mpcot: MpcotReceiver<RandomCOT>,
+    config: FerretConfig<RandomCOT, SetupRandomCOT>,
+}
+
+impl<RandomCOT, SetupRandomCOT> Receiver<RandomCOT, SetupRandomCOT>
+where
+    RandomCOT: Send + Default + Clone,
+    SetupRandomCOT: Send,
+{
+    /// Creates a new Receiver.
+    ///
+    /// # Arguments.
+    ///
+    /// * `config` - Ferret configuration.
+    pub fn new(config: FerretConfig<RandomCOT, SetupRandomCOT>) -> Self {
+        Self {
+            state: State::Initialized(ReceiverCore::new()),
+            mpcot: MpcotReceiver::new(config.lpn_type()),
+            config,
+        }
+    }
+
+    /// Setup for receiver.
+    ///
+    /// # Arguments.
+    ///
+    /// * `ctx` - The channel context.
+    pub async fn setup<Ctx>(&mut self, ctx: &mut Ctx) -> Result<(), ReceiverError>
+    where
+        Ctx: Context,
+        SetupRandomCOT: RandomCOTReceiver<Ctx, bool, Block>,
+    {
+        let ext_receiver =
+            std::mem::replace(&mut self.state, State::Error).try_into_initialized()?;
+
+        let rcot = self.config.rcot();
+        self.mpcot.setup(ctx, rcot).await?;
+
+        let params = self.config.lpn_parameters();
+        let lpn_type = self.config.lpn_type();
+
+        // Get random blocks from ideal Random COT.
+
+        let RCOTReceiverOutput {
+            choices: u,
+            msgs: w,
+            ..
+        } = self
+            .config
+            .setup_rcot()
+            .receive_random_correlated(ctx, params.k)
+            .await?;
+
+        let seed = Prg::new().random_block();
+
+        let (ext_receiver, seed) = ext_receiver.setup(params, lpn_type, seed, &u, &w)?;
+
+        ctx.io_mut().send(seed).await?;
+
+        self.state = State::Extension(ext_receiver);
+
+        Ok(())
+    }
+
+    /// Performs extension.
+    ///
+    /// # Arguments
+    ///
+    /// * `ctx` - The channel context.
+    async fn extend<Ctx>(&mut self, ctx: &mut Ctx) -> Result<(Vec<bool>, Vec<Block>), ReceiverError>
+    where
+        Ctx: Context,
+        RandomCOT: RandomCOTReceiver<Ctx, bool, Block>,
+    {
+        let mut ext_receiver =
+            std::mem::replace(&mut self.state, State::Error).try_into_extension()?;
+
+        let (alphas, n) = ext_receiver.get_mpcot_query();
+
+        let r = self.mpcot.extend(ctx, &alphas, n as u32).await?;
+
+        let (ext_receiver, choices, msgs) = Backend::spawn(move || {
+            ext_receiver
+                .extend(&r)
+                .map(|(choices, msgs)| (ext_receiver, choices, msgs))
+        })
+        .await?;
+
+        self.state = State::Extension(ext_receiver);
+
+        Ok((choices, msgs))
+    }
+
+    /// Complete extension
+    pub fn finalize(&mut self) -> Result<(), ReceiverError> {
+        std::mem::replace(&mut self.state, State::Error).try_into_extension()?;
+        self.state = State::Complete;
+        self.mpcot.finalize()?;
+
+        Ok(())
+    }
+}
+
+#[async_trait]
+impl<Ctx, RandomCOT, SetupRandomCOT> RandomCOTReceiver<Ctx, bool, Block>
+    for Receiver<RandomCOT, SetupRandomCOT>
+where
+    Ctx: Context,
+    RandomCOT: RandomCOTReceiver<Ctx, bool, Block> + Send + Clone + Default + 'static,
+    SetupRandomCOT: Send + 'static,
+{
+    async fn receive_random_correlated(
+        &mut self,
+        ctx: &mut Ctx,
+        count: usize,
+    ) -> Result<RCOTReceiverOutput<bool, Block>, OTError> {
+        let (mut choices_buffer, mut msgs_buffer) = self.extend(ctx).await?;
+
+        assert_eq!(choices_buffer.len(), msgs_buffer.len());
+
+        let l = choices_buffer.len();
+
+        let id = self
+            .state
+            .try_as_extension()
+            .map_err(ReceiverError::from)?
+            .id();
+
+        if count <= l {
+            let choices_res = choices_buffer.drain(..count).collect();
+
+            let msgs_res = msgs_buffer.drain(..count).collect();
+
+            return Ok(RCOTReceiverOutput {
+                id,
+                choices: choices_res,
+                msgs: msgs_res,
+            });
+        } else {
+            let mut choices_res = choices_buffer;
+            let mut msgs_res = msgs_buffer;
+
+            for _ in 0..count / l - 1 {
+                (choices_buffer, msgs_buffer) = self.extend(ctx).await?;
+
+                choices_res.extend_from_slice(&choices_buffer);
+                msgs_res.extend_from_slice(&msgs_buffer);
+            }
+
+            (choices_buffer, msgs_buffer) = self.extend(ctx).await?;
+
+            choices_res.extend_from_slice(&choices_buffer[0..count % l]);
+            msgs_res.extend_from_slice(&msgs_buffer[0..count % l]);
+
+            return Ok(RCOTReceiverOutput {
+                id,
+                choices: choices_res,
+                msgs: msgs_res,
+            });
+        }
+    }
+}
diff --git a/crates/mpz-ot/src/ferret/sender.rs b/crates/mpz-ot/src/ferret/sender.rs
new file mode 100644
index 00000000..709ff8e2
--- /dev/null
+++ b/crates/mpz-ot/src/ferret/sender.rs
@@ -0,0 +1,160 @@
+use crate::{ferret::mpcot::Sender as MpcotSender, RandomCOTSender};
+use enum_try_as_inner::EnumTryAsInner;
+use mpz_common::Context;
+use mpz_core::Block;
+use mpz_ot_core::{
+    ferret::sender::{state, Sender as SenderCore},
+    RCOTSenderOutput,
+};
+use serio::stream::IoStreamExt;
+use utils_aio::non_blocking_backend::{Backend, NonBlockingBackend};
+
+use super::{FerretConfig, SenderError};
+use crate::{async_trait, OTError};
+
+#[derive(Debug, EnumTryAsInner)]
+#[derive_err(Debug)]
+pub(crate) enum State {
+    Initialized(SenderCore<state::Initialized>),
+    Extension(SenderCore<state::Extension>),
+    Complete,
+    Error,
+}
+
+/// Ferret Sender.
+#[derive(Debug)]
+pub struct Sender<RandomCOT, SetupRandomCOT> {
+    state: State,
+    mpcot: MpcotSender<RandomCOT>,
+    config: FerretConfig<RandomCOT, SetupRandomCOT>,
+}
+
+impl<RandomCOT, SetupRandomCOT> Sender<RandomCOT, SetupRandomCOT>
+where
+    RandomCOT: Send + Default + Clone,
+    SetupRandomCOT: Send,
+{
+    /// Creates a new Sender.
+    pub fn new(config: FerretConfig<RandomCOT, SetupRandomCOT>) -> Self {
+        Self {
+            state: State::Initialized(SenderCore::new()),
+            mpcot: MpcotSender::new(config.lpn_type()),
+            config,
+        }
+    }
+
+    /// Setup with provided delta.
+    ///
+    /// # Argument
+    ///
+    /// * `ctx` - The channel context.
+    /// * `delta` - The provided delta used for sender.
+    pub async fn setup_with_delta<Ctx>(
+        &mut self,
+        ctx: &mut Ctx,
+        delta: Block,
+    ) -> Result<(), SenderError>
+    where
+        Ctx: Context,
+        SetupRandomCOT: RandomCOTSender<Ctx, Block>,
+    {
+        let ext_sender = std::mem::replace(&mut self.state, State::Error).try_into_initialized()?;
+
+        let rcot = self.config.rcot();
+
+        self.mpcot.setup_with_delta(ctx, delta, rcot).await?;
+
+        let params = self.config.lpn_parameters();
+        let lpn_type = self.config.lpn_type();
+
+        // Get random blocks from ideal Random COT.
+        let RCOTSenderOutput { msgs: v, .. } = self
+            .config
+            .setup_rcot()
+            .send_random_correlated(ctx, params.k)
+            .await?;
+
+        // Get seed for LPN matrix from receiver.
+        let seed = ctx.io_mut().expect_next().await?;
+
+        // Ferret core setup.
+        let ext_sender = ext_sender.setup(delta, params, lpn_type, seed, &v)?;
+
+        self.state = State::Extension(ext_sender);
+
+        Ok(())
+    }
+
+    /// Performs extension.
+    ///
+    /// # Argument
+    ///
+    /// * `ctx` - The channel context.
+    async fn extend<Ctx: Context>(&mut self, ctx: &mut Ctx) -> Result<Vec<Block>, SenderError>
+    where
+        RandomCOT: RandomCOTSender<Ctx, Block>,
+    {
+        let mut ext_sender =
+            std::mem::replace(&mut self.state, State::Error).try_into_extension()?;
+
+        let (t, n) = ext_sender.get_mpcot_query();
+
+        let s = self.mpcot.extend(ctx, t, n).await?;
+
+        let (ext_sender, output) =
+            Backend::spawn(move || ext_sender.extend(&s).map(|output| (ext_sender, output)))
+                .await?;
+        self.state = State::Extension(ext_sender);
+
+        Ok(output)
+    }
+
+    /// Complete extension
+    pub fn finalize(&mut self) -> Result<(), SenderError> {
+        std::mem::replace(&mut self.state, State::Error).try_into_extension()?;
+        self.state = State::Complete;
+        self.mpcot.finalize()?;
+
+        Ok(())
+    }
+}
+
+#[async_trait]
+impl<Ctx, RandomCOT, SetupRandomCOT> RandomCOTSender<Ctx, Block>
+    for Sender<RandomCOT, SetupRandomCOT>
+where
+    Ctx: Context,
+    RandomCOT: RandomCOTSender<Ctx, Block> + Send + Default + Clone + 'static,
+    SetupRandomCOT: Send + 'static,
+{
+    async fn send_random_correlated(
+        &mut self,
+        ctx: &mut Ctx,
+        count: usize,
+    ) -> Result<RCOTSenderOutput<Block>, OTError> {
+        let mut buffer = self.extend(ctx).await?;
+        let l = buffer.len();
+
+        let id = self
+            .state
+            .try_as_extension()
+            .map_err(SenderError::from)?
+            .id();
+
+        if count <= l {
+            let res = buffer.drain(..count).collect();
+            return Ok(RCOTSenderOutput { id, msgs: res });
+        } else {
+            let mut res = buffer;
+            for _ in 0..count / l - 1 {
+                buffer = self.extend(ctx).await?;
+                res.extend_from_slice(&buffer);
+            }
+
+            buffer = self.extend(ctx).await?;
+            res.extend_from_slice(&buffer[0..count % l]);
+
+            return Ok(RCOTSenderOutput { id, msgs: res });
+        }
+    }
+}
diff --git a/crates/mpz-ot/src/ferret/spcot/error.rs b/crates/mpz-ot/src/ferret/spcot/error.rs
new file mode 100644
index 00000000..0fa9dc9c
--- /dev/null
+++ b/crates/mpz-ot/src/ferret/spcot/error.rs
@@ -0,0 +1,59 @@
+use crate::OTError;
+
+/// A SPCOT sender error.
+#[derive(Debug, thiserror::Error)]
+#[allow(missing_docs)]
+pub enum SenderError {
+    #[error(transparent)]
+    IOError(#[from] std::io::Error),
+    #[error(transparent)]
+    CoreError(#[from] mpz_ot_core::ferret::spcot::error::SenderError),
+    #[error(transparent)]
+    RandomCOTError(#[from] OTError),
+    #[error("{0}")]
+    StateError(String),
+}
+
+impl From<SenderError> for OTError {
+    fn from(err: SenderError) -> Self {
+        match err {
+            SenderError::IOError(e) => e.into(),
+            e => OTError::SenderError(Box::new(e)),
+        }
+    }
+}
+
+impl From<crate::ferret::spcot::sender::StateError> for SenderError {
+    fn from(err: crate::ferret::spcot::sender::StateError) -> Self {
+        SenderError::StateError(err.to_string())
+    }
+}
+
+/// A SPCOT receiver error.
+#[derive(Debug, thiserror::Error)]
+#[allow(missing_docs)]
+pub enum ReceiverError {
+    #[error(transparent)]
+    IOError(#[from] std::io::Error),
+    #[error(transparent)]
+    CoreError(#[from] mpz_ot_core::ferret::spcot::error::ReceiverError),
+    #[error(transparent)]
+    RandomCOTError(#[from] OTError),
+    #[error("{0}")]
+    StateError(String),
+}
+
+impl From<ReceiverError> for OTError {
+    fn from(err: ReceiverError) -> Self {
+        match err {
+            ReceiverError::IOError(e) => e.into(),
+            e => OTError::ReceiverError(Box::new(e)),
+        }
+    }
+}
+
+impl From<crate::ferret::spcot::receiver::StateError> for ReceiverError {
+    fn from(err: crate::ferret::spcot::receiver::StateError) -> Self {
+        ReceiverError::StateError(err.to_string())
+    }
+}
diff --git a/crates/mpz-ot/src/ferret/spcot/mod.rs b/crates/mpz-ot/src/ferret/spcot/mod.rs
new file mode 100644
index 00000000..6e53fd28
--- /dev/null
+++ b/crates/mpz-ot/src/ferret/spcot/mod.rs
@@ -0,0 +1,103 @@
+//! Implementation of the Single-Point COT (spcot) protocol in the [`Ferret`](https://eprint.iacr.org/2020/924.pdf) paper.
+
+mod error;
+mod receiver;
+mod sender;
+
+pub(crate) use error::{ReceiverError, SenderError};
+pub(crate) use receiver::Receiver;
+pub(crate) use sender::Sender;
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::{
+        ideal::cot::{ideal_rcot, IdealCOTReceiver, IdealCOTSender},
+        OTError,
+    };
+    use futures::TryFutureExt;
+    use mpz_common::executor::test_st_executor;
+    use mpz_core::Block;
+
+    fn setup() -> (
+        Sender<IdealCOTSender>,
+        Receiver<IdealCOTReceiver>,
+        IdealCOTSender,
+        IdealCOTReceiver,
+        Block,
+    ) {
+        let (mut rcot_sender, rcot_receiver) = ideal_rcot();
+
+        let delta = rcot_sender.alice().get_mut().delta();
+
+        let sender = Sender::new();
+        let receiver = Receiver::new();
+
+        (sender, receiver, rcot_sender, rcot_receiver, delta)
+    }
+
+    #[tokio::test]
+    async fn test_spcot() {
+        let (mut ctx_sender, mut ctx_receiver) = test_st_executor(8);
+
+        let (mut sender, mut receiver, rcot_sender, rcot_receiver, delta) = setup();
+
+        // shold set the same delta as in RCOT.
+        sender.setup_with_delta(delta, rcot_sender).unwrap();
+        receiver.setup(rcot_receiver).unwrap();
+
+        let hs = [8, 4];
+        let alphas = [4, 2];
+
+        tokio::try_join!(
+            sender.extend(&mut ctx_sender, &hs).map_err(OTError::from),
+            receiver
+                .extend(&mut ctx_receiver, &alphas, &hs)
+                .map_err(OTError::from)
+        )
+        .unwrap();
+
+        let (mut output_sender, output_receiver) = tokio::try_join!(
+            sender.check(&mut ctx_sender).map_err(OTError::from),
+            receiver.check(&mut ctx_receiver).map_err(OTError::from)
+        )
+        .unwrap();
+
+        assert!(output_sender
+            .iter_mut()
+            .zip(output_receiver.iter())
+            .all(|(vs, (ws, alpha))| {
+                vs[*alpha as usize] ^= delta;
+                vs == ws
+            }));
+
+        // extend twice.
+        let hs = [6, 9, 8];
+        let alphas = [2, 1, 3];
+
+        tokio::try_join!(
+            sender.extend(&mut ctx_sender, &hs).map_err(OTError::from),
+            receiver
+                .extend(&mut ctx_receiver, &alphas, &hs)
+                .map_err(OTError::from)
+        )
+        .unwrap();
+
+        let (mut output_sender, output_receiver) = tokio::try_join!(
+            sender.check(&mut ctx_sender).map_err(OTError::from),
+            receiver.check(&mut ctx_receiver).map_err(OTError::from)
+        )
+        .unwrap();
+
+        assert!(output_sender
+            .iter_mut()
+            .zip(output_receiver.iter())
+            .all(|(vs, (ws, alpha))| {
+                vs[*alpha as usize] ^= delta;
+                vs == ws
+            }));
+
+        sender.finalize().unwrap();
+        receiver.finalize().unwrap();
+    }
+}
diff --git a/crates/mpz-ot/src/ferret/spcot/receiver.rs b/crates/mpz-ot/src/ferret/spcot/receiver.rs
new file mode 100644
index 00000000..3c48bfad
--- /dev/null
+++ b/crates/mpz-ot/src/ferret/spcot/receiver.rs
@@ -0,0 +1,164 @@
+use crate::{ferret::spcot::error::ReceiverError, RandomCOTReceiver};
+use enum_try_as_inner::EnumTryAsInner;
+use mpz_common::Context;
+use mpz_core::Block;
+use mpz_ot_core::{
+    ferret::{
+        spcot::{
+            msgs::ExtendFromSender,
+            receiver::{state, Receiver as ReceiverCore},
+        },
+        CSP,
+    },
+    RCOTReceiverOutput,
+};
+use serio::{stream::IoStreamExt, SinkExt};
+use utils_aio::non_blocking_backend::{Backend, NonBlockingBackend};
+
+#[derive(Debug, EnumTryAsInner)]
+#[derive_err(Debug)]
+pub(crate) enum State {
+    Initialized(ReceiverCore<state::Initialized>),
+    Extension(Box<ReceiverCore<state::Extension>>),
+    Complete,
+    Error,
+}
+
+/// SPCOT Receiver.
+#[derive(Debug)]
+pub(crate) struct Receiver<RandomCOT> {
+    state: State,
+    rcot: RandomCOT,
+}
+
+impl<RandomCOT: Send + Default> Receiver<RandomCOT> {
+    /// Creates a new Receiver.
+    pub(crate) fn new() -> Self {
+        Self {
+            state: State::Initialized(ReceiverCore::new()),
+            rcot: Default::default(),
+        }
+    }
+
+    /// Performs setup for receiver.
+    ///
+    /// # Arguments.
+    ///
+    /// * `rcot` - The random COT used by the receiver.
+    pub(crate) fn setup(&mut self, rcot: RandomCOT) -> Result<(), ReceiverError> {
+        let ext_receiver =
+            std::mem::replace(&mut self.state, State::Error).try_into_initialized()?;
+
+        let ext_receiver = ext_receiver.setup();
+        self.state = State::Extension(Box::new(ext_receiver));
+        self.rcot = rcot;
+        Ok(())
+    }
+
+    /// Performs spcot extension for receiver.
+    ///
+    /// # Arguments
+    ///
+    /// * `ctx` - The context.
+    /// * `alphas`` - The vector of chosen positions.
+    /// * `h` - The depth of GGM tree.
+    pub(crate) async fn extend<Ctx: Context>(
+        &mut self,
+        ctx: &mut Ctx,
+        alphas: &[u32],
+        hs: &[usize],
+    ) -> Result<(), ReceiverError>
+    where
+        RandomCOT: RandomCOTReceiver<Ctx, bool, Block>,
+    {
+        let mut ext_receiver =
+            std::mem::replace(&mut self.state, State::Error).try_into_extension()?;
+
+        let h = hs.iter().sum();
+        let RCOTReceiverOutput {
+            choices: rss,
+            msgs: tss,
+            ..
+        } = self.rcot.receive_random_correlated(ctx, h).await?;
+
+        // extend
+        let h_in = hs.to_vec();
+        let alphas_in = alphas.to_vec();
+        let (mut ext_receiver, masks) = Backend::spawn(move || {
+            ext_receiver
+                .extend_mask_bits(&h_in, &alphas_in, &rss)
+                .map(|mask| (ext_receiver, mask))
+        })
+        .await?;
+
+        ctx.io_mut().send(masks).await?;
+
+        let extendfss: Vec<ExtendFromSender> = ctx.io_mut().expect_next().await?;
+
+        let h_in = hs.to_vec();
+        let alphas_in = alphas.to_vec();
+        let ext_receiver = Backend::spawn(move || {
+            ext_receiver
+                .extend(&h_in, &alphas_in, &tss, &extendfss)
+                .map(|_| ext_receiver)
+        })
+        .await?;
+
+        self.state = State::Extension(ext_receiver);
+
+        Ok(())
+    }
+
+    /// Performs batch check for SPCOT extension.
+    ///
+    /// # Arguments
+    ///
+    /// * `ctx` - The context.
+    pub(crate) async fn check<Ctx: Context>(
+        &mut self,
+        ctx: &mut Ctx,
+    ) -> Result<Vec<(Vec<Block>, u32)>, ReceiverError>
+    where
+        RandomCOT: RandomCOTReceiver<Ctx, bool, Block>,
+    {
+        let mut ext_receiver =
+            std::mem::replace(&mut self.state, State::Error).try_into_extension()?;
+
+        // batch check
+        let RCOTReceiverOutput {
+            choices: x_star,
+            msgs: z_star,
+            ..
+        } = self.rcot.receive_random_correlated(ctx, CSP).await?;
+
+        let (mut ext_receiver, checkfr) = Backend::spawn(move || {
+            ext_receiver
+                .check_pre(&x_star)
+                .map(|checkfr| (ext_receiver, checkfr))
+        })
+        .await?;
+
+        ctx.io_mut().send(checkfr).await?;
+        let check = ctx.io_mut().expect_next().await?;
+
+        let (ext_receiver, output) = Backend::spawn(move || {
+            ext_receiver
+                .check(&z_star, check)
+                .map(|output| (ext_receiver, output))
+        })
+        .await?;
+
+        self.state = State::Extension(ext_receiver);
+
+        Ok(output)
+    }
+
+    /// Complete extension.
+    pub(crate) fn finalize(&mut self) -> Result<(), ReceiverError> {
+        std::mem::replace(&mut self.state, State::Error).try_into_extension()?;
+
+        self.state = State::Complete;
+
+        Ok(())
+    }
+}
diff --git a/crates/mpz-ot/src/ferret/spcot/sender.rs b/crates/mpz-ot/src/ferret/spcot/sender.rs
new file mode 100644
index 00000000..9178b787
--- /dev/null
+++ b/crates/mpz-ot/src/ferret/spcot/sender.rs
@@ -0,0 +1,144 @@
+use crate::{ferret::spcot::error::SenderError, RandomCOTSender};
+use enum_try_as_inner::EnumTryAsInner;
+use mpz_common::Context;
+use mpz_core::Block;
+use mpz_ot_core::{
+    ferret::{
+        spcot::{
+            msgs::MaskBits,
+            sender::{state, Sender as SenderCore},
+        },
+        CSP,
+    },
+    RCOTSenderOutput,
+};
+use serio::{stream::IoStreamExt, SinkExt};
+use utils_aio::non_blocking_backend::{Backend, NonBlockingBackend};
+
+#[derive(Debug, EnumTryAsInner)]
+#[derive_err(Debug)]
+pub(crate) enum State {
+    Initialized(SenderCore<state::Initialized>),
+    Extension(Box<SenderCore<state::Extension>>),
+    Complete,
+    Error,
+}
+
+/// SPCOT sender.
+#[derive(Debug)]
+pub(crate) struct Sender<RandomCOT> {
+    state: State,
+    rcot: RandomCOT,
+}
+
+impl<RandomCOT: Send + Default> Sender<RandomCOT> {
+    /// Creates a new Sender.
+    pub(crate) fn new() -> Self {
+        Self {
+            state: State::Initialized(SenderCore::new()),
+            rcot: Default::default(),
+        }
+    }
+
+    /// Performs setup with the provided delta.
+    ///
+    /// # Arguments
+    ///
+    /// * `delta` - The delta value to use for OT extension.
+    /// * `rcot` - The random COT used by the sender.
+    pub(crate) fn setup_with_delta(
+        &mut self,
+        delta: Block,
+        rcot: RandomCOT,
+    ) -> Result<(), SenderError> {
+        let ext_sender = std::mem::replace(&mut self.state, State::Error).try_into_initialized()?;
+
+        let ext_sender = ext_sender.setup(delta);
+
+        self.state = State::Extension(Box::new(ext_sender));
+        self.rcot = rcot;
+        Ok(())
+    }
+
+    /// Performs spcot extension for sender.
+    ///
+    /// # Arguments
+    ///
+    /// * `ctx` - The context.
+    /// * `hs` - The depths of GGM trees.
+    pub(crate) async fn extend<Ctx: Context>(
+        &mut self,
+        ctx: &mut Ctx,
+        hs: &[usize],
+    ) -> Result<(), SenderError>
+    where
+        RandomCOT: RandomCOTSender<Ctx, Block>,
+    {
+        let mut ext_sender =
+            std::mem::replace(&mut self.state, State::Error).try_into_extension()?;
+
+        let h = hs.iter().sum();
+        let RCOTSenderOutput { msgs: qss, .. } = self.rcot.send_random_correlated(ctx, h).await?;
+
+        let masks: Vec<MaskBits> = ctx.io_mut().expect_next().await?;
+
+        // extend
+        let h_in = hs.to_vec();
+        let (ext_sender, extend_msg) = Backend::spawn(move || {
+            ext_sender
+                .extend(&h_in, &qss, &masks)
+                .map(|extend_msg| (ext_sender, extend_msg))
+        })
+        .await?;
+
+        ctx.io_mut().send(extend_msg).await?;
+
+        self.state = State::Extension(ext_sender);
+
+        Ok(())
+    }
+
+    /// Performs batch check for SPCOT extension.
+    ///
+    /// # Arguments
+    ///
+    /// * `ctx` - The context.
+    pub(crate) async fn check<Ctx: Context>(
+        &mut self,
+        ctx: &mut Ctx,
+    ) -> Result<Vec<Vec<Block>>, SenderError>
+    where
+        RandomCOT: RandomCOTSender<Ctx, Block>,
+    {
+        let mut ext_sender =
+            std::mem::replace(&mut self.state, State::Error).try_into_extension()?;
+
+        // batch check
+        let RCOTSenderOutput { msgs: y_star, .. } =
+            self.rcot.send_random_correlated(ctx, CSP).await?;
+
+        let checkfr = ctx.io_mut().expect_next().await?;
+
+        let (ext_sender, output, check_msg) = Backend::spawn(move || {
+            ext_sender
+                .check(&y_star, checkfr)
+                .map(|(output, check_msg)| (ext_sender, output, check_msg))
+        })
+        .await?;
+
+        ctx.io_mut().send(check_msg).await?;
+
+        self.state = State::Extension(ext_sender);
+
+        Ok(output)
+    }
+
+    /// Complete extension.
+    pub(crate) fn finalize(&mut self) -> Result<(), SenderError> {
+        std::mem::replace(&mut self.state, State::Error).try_into_extension()?;
+
+        self.state = State::Complete;
+
+        Ok(())
+    }
+}
diff --git a/crates/mpz-share-conversion-core/src/lib.rs b/crates/mpz-share-conversion-core/src/lib.rs
index ddfce1e3..3082d793 100644
--- a/crates/mpz-share-conversion-core/src/lib.rs
+++ b/crates/mpz-share-conversion-core/src/lib.rs
@@ -1,56 +1,77 @@
-//! Secure two-party (2PC) multiplication-to-addition (M2A) and addition-to-multiplication (A2M)
-//! algorithms, both with semi-honest security.
+//! This crate implements secure two-party (2PC) multiplication-to-addition (M2A) and
+//! addition-to-multiplication (A2M) algorithms, both with semi-honest security.
+//!
+//! ### M2A algorithm (implementation of chapter 4.1 in <https://link.springer.com/content/pdf/10.1007/3-540-48405-1_8.pdf>)
+//! Let `A` be an element of some finite field with `A = a * b`, where `a` is only known to Alice
+//! and `b` is only known to Bob. A is unknown to both parties and it is their goal that each of
+//! them ends up with an additive share of A. So both parties start with `a` and `b` and want to
+//! end up with `x` and `y`, where `A = a * b = x + y`.
+//!
+//! ### A2M algorithm (adaptation of chapter 4 in <https://www.cs.umd.edu/~fenghao/paper/modexp.pdf>)
+//! This is the other way round.
+//! Let `A` be an element of some finite field with `A = x + y`, where `x` is only known to Alice
+//! and `y` is only known to Bob. A is unknown to both parties and it is their goal that each of
+//! them ends up with a multiplicative share of A. So both parties start with `x` and `y` and want to
+//! end up with `a` and `b`, where `A = x + y = a * b`.
 
 #![deny(missing_docs, unreachable_pub, unused_must_use)]
 #![deny(clippy::all)]
 #![deny(unsafe_code)]
 
-pub mod ideal;
 pub mod msgs;
+mod shares;
 
-mod a2m;
-mod m2a;
+pub use shares::{AddShare, MulShare, Share, ShareType};
 
-pub use a2m::{a2m_convert_receiver, a2m_convert_sender, A2MMasks};
-pub use m2a::m2a_convert;
+#[cfg(test)]
+mod tests {
+    use mpz_fields::{gf2_128::Gf2_128, p256::P256, Field};
 
-use std::{error::Error, fmt::Display};
+    use std::marker::PhantomData;
 
-/// A share conversion error.
-#[derive(Debug, thiserror::Error)]
-pub struct ShareConversionError {
-    kind: ErrorKind,
-    #[source]
-    source: Option<Box<dyn Error + Send + Sync>>,
-}
+    use super::*;
+    use rand::SeedableRng;
+    use rand_chacha::ChaCha12Rng;
+    use rstest::*;
 
-impl ShareConversionError {
-    fn new<E>(kind: ErrorKind, source: E) -> Self
-    where
-        E: Into<Box<dyn Error + Send + Sync>>,
-    {
-        Self {
-            kind,
-            source: Some(source.into()),
-        }
-    }
-}
+    #[rstest]
+    #[case::gf2_add(ShareType::Add, PhantomData::<Gf2_128>)]
+    #[case::gf2_mul(ShareType::Mul, PhantomData::<Gf2_128>)]
+    #[case::p256_add(ShareType::Add, PhantomData::<P256>)]
+    #[case::p256_mul(ShareType::Mul, PhantomData::<P256>)]
+    fn test_conversion<F: Field>(#[case] ty: ShareType, #[case] _pd: PhantomData<F>) {
+        let mut rng = ChaCha12Rng::from_seed([0; 32]);
 
-impl Display for ShareConversionError {
-    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
-        match self.kind {
-            ErrorKind::UnequalLength => write!(f, "Unequal Length Error"),
-        }?;
+        let a = ty.new_share(F::rand(&mut rng));
+        let b = ty.new_share(F::rand(&mut rng));
 
-        if let Some(source) = self.source.as_ref() {
-            write!(f, " caused by: {source}")?;
-        }
+        let (x, summands) = a.convert(&mut rng);
+        let summands = mock_ot(&summands, b);
 
-        Ok(())
+        let y = ty.new_from_summands(&summands);
+
+        let (a, b, x, y) = (a.to_inner(), b.to_inner(), x.to_inner(), y.to_inner());
+
+        match ty {
+            ShareType::Add => assert_eq!(a + b, x * y),
+            ShareType::Mul => assert_eq!(a * b, x + y),
+        }
     }
-}
 
-#[derive(Debug)]
-pub(crate) enum ErrorKind {
-    UnequalLength,
+    fn mock_ot<F: Field>(summands: &[[F; 2]], receiver_share: Share<F>) -> Vec<F> {
+        receiver_share
+            .binary_encoding()
+            .into_iter()
+            .zip(summands)
+            .map(
+                |(choice, summand)| {
+                    if choice {
+                        summand[1]
+                    } else {
+                        summand[0]
+                    }
+                },
+            )
+            .collect()
+    }
 }
diff --git a/crates/mpz-share-conversion-core/src/msgs.rs b/crates/mpz-share-conversion-core/src/msgs.rs
index 5d048633..150b3df6 100644
--- a/crates/mpz-share-conversion-core/src/msgs.rs
+++ b/crates/mpz-share-conversion-core/src/msgs.rs
@@ -1,23 +1,21 @@
-//! Message types used in share conversion.
+//! Message types used in share conversion protocols
+
+use crate::Share;
+use mpz_fields::Field;
 
-use crate::a2m::A2MMasks;
 use serde::{Deserialize, Serialize};
 
-/// Message type for sending [`A2MMasks`] to the receiver.
+/// The messages exchanged between sender and receiver
+#[derive(Debug, Clone, Serialize, Deserialize)]
 #[allow(missing_docs)]
-#[derive(Debug, Serialize, Deserialize)]
-pub struct Masks<F> {
-    pub masks: Vec<F>,
-}
-
-impl<F> From<A2MMasks<F>> for Masks<F> {
-    fn from(value: A2MMasks<F>) -> Self {
-        Self { masks: value.0 }
-    }
+pub enum ShareConversionMessage<T: Field> {
+    SenderRecordings(SenderRecordings<T>),
 }
 
-impl<F> From<Masks<F>> for A2MMasks<F> {
-    fn from(value: Masks<F>) -> Self {
-        Self(value.masks)
-    }
+/// A message containing the sender's seed and the conversion inputs
+#[derive(Debug, Clone, Serialize, Deserialize)]
+#[allow(missing_docs)]
+pub struct SenderRecordings<T: Field> {
+    pub seed: Vec<u8>,
+    pub inputs: Vec<Share<T>>,
 }
diff --git a/crates/mpz-share-conversion-core/src/shares.rs b/crates/mpz-share-conversion-core/src/shares.rs
new file mode 100644
index 00000000..284ff3f4
--- /dev/null
+++ b/crates/mpz-share-conversion-core/src/shares.rs
@@ -0,0 +1,274 @@
+//! Types for representing shares of field elements.
+
+use mpz_fields::Field;
+
+use itybity::IntoBits;
+use rand::{CryptoRng, Rng};
+use serde::{Deserialize, Serialize};
+
+/// A share of a field element.
+#[derive(Clone, Copy, Serialize, Deserialize)]
+pub enum Share<T> {
+    /// An additive share.
+    Add(AddShare<T>),
+    /// A multiplicative share.
+    Mul(MulShare<T>),
+}
+
+impl<T> std::fmt::Debug for Share<T> {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        match self {
+            Self::Add(_) => f.debug_tuple("Add").field(&"..").finish(),
+            Self::Mul(_) => f.debug_tuple("Mul").field(&"..").finish(),
+        }
+    }
+}
+
+/// The type of a share.
+#[derive(Clone, Copy, Debug, PartialEq, Eq)]
+pub enum ShareType {
+    /// An additive share.
+    Add,
+    /// A multiplicative share.
+    Mul,
+}
+
+impl ShareType {
+    /// Creates a share of this type.
+    pub fn new_share<F: Field>(&self, share: F) -> Share<F> {
+        match self {
+            Self::Add => Share::Add(AddShare::new(share)),
+            Self::Mul => Share::Mul(MulShare::new(share)),
+        }
+    }
+
+    /// Creates a share of this type from a slice of summands.
+    pub fn new_from_summands<F: Field>(&self, summands: &[F]) -> Share<F> {
+        let share = summands.iter().fold(F::zero(), |acc, x| acc + *x);
+        match self {
+            Self::Add => Share::Add(AddShare::new(share)),
+            Self::Mul => Share::Mul(MulShare::new(share)),
+        }
+    }
+
+    /// Returns the other share type.
+    pub fn other(&self) -> Self {
+        match self {
+            Self::Add => Self::Mul,
+            Self::Mul => Self::Add,
+        }
+    }
+}
+
+impl<T> Share<T>
+where
+    T: Field,
+{
+    /// Create a new additive share.
+    pub fn new_add(share: T) -> Self {
+        Self::Add(AddShare::new(share))
+    }
+
+    /// Create a new multiplicative share.
+    pub fn new_mul(share: T) -> Self {
+        Self::Mul(MulShare::new(share))
+    }
+
+    /// Returns the type of the share.
+    pub fn ty(&self) -> ShareType {
+        match self {
+            Self::Add(_) => ShareType::Add,
+            Self::Mul(_) => ShareType::Mul,
+        }
+    }
+
+    /// Returns the binary representation of the share.
+    pub fn binary_encoding(&self) -> Vec<bool> {
+        match self {
+            Self::Add(share) => share.0.into_lsb0_vec(),
+            Self::Mul(share) => share.0.into_lsb0_vec(),
+        }
+    }
+
+    /// Returns the field element of the share.
+    pub fn to_inner(self) -> T {
+        match self {
+            Self::Add(share) => share.0,
+            Self::Mul(share) => share.0,
+        }
+    }
+
+    /// Converts the share representation.
+    ///
+    /// Returns the converted share and the summands to be transferred via oblivious transfer.
+    ///
+    /// If the share is additive, it will be converted to multiplicative and vice versa.
+    ///
+    /// # Arguments
+    ///
+    /// * `rng` - A cryptographically secure random number generator.
+    pub fn convert<R: Rng + CryptoRng>(&self, rng: &mut R) -> (Self, Vec<[T; 2]>) {
+        match self {
+            Self::Add(share) => {
+                let (share, summands) = share.to_multiplicative(rng);
+                (Self::Mul(share), summands)
+            }
+            Self::Mul(share) => {
+                let (share, summands) = share.to_additive(rng);
+                (Self::Add(share), summands)
+            }
+        }
+    }
+}
+
+impl<T> From<AddShare<T>> for Share<T> {
+    fn from(value: AddShare<T>) -> Self {
+        Self::Add(value)
+    }
+}
+
+impl<T> From<MulShare<T>> for Share<T> {
+    fn from(value: MulShare<T>) -> Self {
+        Self::Mul(value)
+    }
+}
+
+/// An additive share of a field element.
+#[derive(Clone, Copy, Serialize, Deserialize)]
+pub struct AddShare<T>(T);
+
+impl<T> std::fmt::Debug for AddShare<T> {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_tuple("AddShare").field(&"..").finish()
+    }
+}
+
+impl<T> AddShare<T>
+where
+    T: Field,
+{
+    /// Create a new additive share.
+    pub(crate) fn new(share: T) -> Self {
+        Self(share)
+    }
+
+    /// Turn into a multiplicative share and get values for OT
+    pub(crate) fn to_multiplicative<R: Rng + CryptoRng>(
+        self,
+        rng: &mut R,
+    ) -> (MulShare<T>, Vec<[T; 2]>) {
+        // We need to exclude 0 here, because it does not have an inverse
+        // which is needed later
+        let random: T = loop {
+            let r = T::rand(rng);
+            if r != T::zero() {
+                break r;
+            }
+        };
+
+        // generate random masks
+        let mut masks: Vec<T> = (0..T::BIT_SIZE as usize).map(|_| T::rand(rng)).collect();
+
+        // set the last mask such that the sum of all [T::BIT_SIZE] masks equals 0
+        masks[T::BIT_SIZE as usize - 1] = -masks
+            .iter()
+            .take(T::BIT_SIZE as usize - 1)
+            .fold(T::zero(), |acc, i| acc + *i);
+
+        // split up our additive share `x` into random summands
+        let mut x_summands: Vec<T> = (0..T::BIT_SIZE as usize).map(|_| T::rand(rng)).collect();
+
+        // set the last summand such that the sum of all [T::BIT_SIZE] summands equals `x`
+        x_summands[T::BIT_SIZE as usize - 1] = self.0
+            + -x_summands
+                .iter()
+                .take(T::BIT_SIZE as usize - 1)
+                .fold(T::zero(), |acc, i| acc + *i);
+
+        // the inverse of the random share will be the multiplicative share for the sender
+        let mul_share = MulShare(random.inverse());
+
+        // Each choice bit of the peer's share `y` represents a summand of `y`, e.g.
+        // if `y` is 10110 (in binary), then the choice bits in lsb0 order (0,1,1,0,1) represent the
+        // summands (0, 10, 100, 0000, 10000).
+        // For each peer's summand (called `y_summand`), we send back `(x_summand + y_summand) * random
+        // + mask`. The purpose of the mask is to hide the product.
+
+        let summands: Vec<[T; 2]> = (0..T::BIT_SIZE as usize)
+            .map(|k| {
+                // when y_summand is zero, we send `x_summand * random + mask`
+                let v0 = x_summands[k] * random + masks[k];
+
+                // otherwise we send `(x_summand + y_summand) * random + mask`
+                let mut bits = vec![false; T::BIT_SIZE as usize];
+                bits[k] = true;
+                let y_summand = T::from_lsb0_iter(bits);
+                let v1 = (x_summands[k] + y_summand) * random + masks[k];
+
+                [v0, v1]
+            })
+            .collect();
+
+        // when the peer adds up all the received values, the masks will cancel one another out and
+        // the remaining `(x + y) * random` will be the peer's multiplicative share
+
+        (mul_share, summands)
+    }
+}
+
+impl<F> From<F> for AddShare<F>
+where
+    F: Field,
+{
+    fn from(share: F) -> Self {
+        Self::new(share)
+    }
+}
+
+/// A multiplicative share of a field element.
+#[derive(Clone, Copy, Serialize, Deserialize)]
+pub struct MulShare<T>(T);
+
+impl<T> std::fmt::Debug for MulShare<T> {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        f.debug_tuple("MulShare").field(&"..").finish()
+    }
+}
+
+impl<T> MulShare<T>
+where
+    T: Field,
+{
+    /// Create a new multiplicative share.
+    pub(crate) fn new(share: T) -> Self {
+        Self(share)
+    }
+
+    /// Turn into an additive share and get values for OT
+    pub(crate) fn to_additive<R: Rng + CryptoRng>(self, rng: &mut R) -> (AddShare<T>, Vec<[T; 2]>) {
+        // create random masks
+        let masks: Vec<T> = (0..T::BIT_SIZE).map(|_| T::rand(rng)).collect();
+
+        // we multiply this share with 2^k and add a mask
+        let summands: Vec<[T; 2]> = masks
+            .iter()
+            .copied()
+            .enumerate()
+            .map(|(k, t0)| [t0, t0 + (self.0 * T::two_pow(k as u32))])
+            .collect();
+
+        // the additive share for the sender is the sum over t0 with a minus sign
+        let add_share = AddShare(-masks.into_iter().fold(T::zero(), |acc, i| acc + i));
+
+        (add_share, summands)
+    }
+}
+
+impl<T> From<T> for MulShare<T>
+where
+    T: Field,
+{
+    fn from(share: T) -> Self {
+        Self::new(share)
+    }
+}
diff --git a/crates/mpz-share-conversion/src/config.rs b/crates/mpz-share-conversion/src/config.rs
new file mode 100644
index 00000000..849d0b0d
--- /dev/null
+++ b/crates/mpz-share-conversion/src/config.rs
@@ -0,0 +1,73 @@
+use derive_builder::Builder;
+
+/// Share conversion sender configuration.
+#[derive(Debug, Clone, Builder)]
+pub struct SenderConfig {
+    /// The ID of the sender.
+    #[builder(setter(into))]
+    id: String,
+    /// Whether recording is enabled.
+    #[builder(default = "false", setter(custom))]
+    record: bool,
+}
+
+impl SenderConfig {
+    /// Creates a new builder.
+    pub fn builder() -> SenderConfigBuilder {
+        SenderConfigBuilder::default()
+    }
+
+    /// Returns the ID of the sender.
+    pub fn id(&self) -> &str {
+        &self.id
+    }
+
+    /// Returns whether recording is enabled.
+    pub fn record(&self) -> bool {
+        self.record
+    }
+}
+
+impl SenderConfigBuilder {
+    /// Enables recording of the protocol tape.
+    pub fn record(&mut self) -> &mut Self {
+        self.record = Some(true);
+        self
+    }
+}
+
+/// Share conversion receiver configuration.
+#[derive(Debug, Clone, Builder)]
+pub struct ReceiverConfig {
+    /// The ID of the receiver.
+    #[builder(setter(into))]
+    id: String,
+    /// Whether recording is enabled.
+    #[builder(default = "false", setter(custom))]
+    record: bool,
+}
+
+impl ReceiverConfig {
+    /// Creates a new builder.
+    pub fn builder() -> ReceiverConfigBuilder {
+        ReceiverConfigBuilder::default()
+    }
+
+    /// Returns the ID of the receiver.
+    pub fn id(&self) -> &str {
+        &self.id
+    }
+
+    /// Returns whether recording is enabled.
+    pub fn record(&self) -> bool {
+        self.record
+    }
+}
+
+impl ReceiverConfigBuilder {
+    /// Enables recording of the protocol tape.
+    pub fn record(&mut self) -> &mut Self {
+        self.record = Some(true);
+        self
+    }
+}
diff --git a/crates/mpz-share-conversion/src/converter.rs b/crates/mpz-share-conversion/src/converter.rs
new file mode 100644
index 00000000..ce976d0f
--- /dev/null
+++ b/crates/mpz-share-conversion/src/converter.rs
@@ -0,0 +1,311 @@
+use std::sync::{Arc, Weak};
+
+use async_trait::async_trait;
+use mpz_fields::Field;
+use mpz_share_conversion_core::Share;
+
+use crate::{
+    AdditiveToMultiplicative, GilboaReceiver, GilboaSender, MultiplicativeToAdditive,
+    OTReceiveElement, OTSendElement, ReceiverConfig, SenderConfig, ShareConversionChannel,
+    ShareConversionError, ShareConversionReveal, ShareConversionVerify,
+};
+
+/// The share conversion sender
+pub struct ConverterSender<F: Field, OT> {
+    ot: OT,
+    // Sender is wrapped in an option so that we can take ownership of it in `finalize`
+    // This prevents the sender from being used after finalization
+    sender: Option<Arc<GilboaSender<F>>>,
+    channel: ShareConversionChannel<F>,
+}
+
+impl<F: Field, OT> std::fmt::Debug for ConverterSender<F, OT> {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "Sender {{ .. }}")
+    }
+}
+
+impl<F, OT> ConverterSender<F, OT>
+where
+    F: Field,
+    OT: OTSendElement<F> + Clone,
+{
+    /// Create a new sender
+    pub fn new(config: SenderConfig, ot: OT, channel: ShareConversionChannel<F>) -> Self {
+        Self {
+            ot,
+            sender: Some(Arc::new(GilboaSender::new(config))),
+            channel,
+        }
+    }
+
+    /// Returns a handle to the sender
+    pub fn handle(&self) -> Result<ConverterSenderHandle<F, OT>, ShareConversionError> {
+        Ok(ConverterSenderHandle {
+            ot: self.ot.clone(),
+            sender: Arc::downgrade(
+                self.sender
+                    .as_ref()
+                    .ok_or(ShareConversionError::AlreadyFinalized)?,
+            ),
+        })
+    }
+}
+
+#[async_trait]
+impl<F, OT> ShareConversionReveal for ConverterSender<F, OT>
+where
+    F: Field,
+    OT: OTSendElement<F>,
+{
+    /// Reveals the Sender's seed and tape to the Receiver for verification.
+    async fn reveal(&mut self) -> Result<(), ShareConversionError> {
+        let sender = self
+            .sender
+            .take()
+            .ok_or(ShareConversionError::AlreadyFinalized)?;
+
+        let mut sender = Arc::try_unwrap(sender).expect("only one strong reference");
+
+        sender.reveal(&mut self.channel).await
+    }
+}
+
+#[async_trait]
+impl<F, OT> AdditiveToMultiplicative<F> for ConverterSender<F, OT>
+where
+    F: Field,
+    OT: OTSendElement<F>,
+{
+    async fn to_multiplicative(&self, input: Vec<F>) -> Result<Vec<F>, ShareConversionError> {
+        self.sender
+            .as_ref()
+            .ok_or(ShareConversionError::AlreadyFinalized)?
+            .convert_from(
+                &self.ot,
+                &input.into_iter().map(Share::new_add).collect::<Vec<_>>(),
+            )
+            .await
+            .map(|shares| shares.into_iter().map(|share| share.to_inner()).collect())
+    }
+}
+
+#[async_trait]
+impl<F, OT> MultiplicativeToAdditive<F> for ConverterSender<F, OT>
+where
+    F: Field,
+    OT: OTSendElement<F>,
+{
+    async fn to_additive(&self, input: Vec<F>) -> Result<Vec<F>, ShareConversionError> {
+        self.sender
+            .as_ref()
+            .ok_or(ShareConversionError::AlreadyFinalized)?
+            .convert_from(
+                &self.ot,
+                &input.into_iter().map(Share::new_mul).collect::<Vec<_>>(),
+            )
+            .await
+            .map(|shares| shares.into_iter().map(|share| share.to_inner()).collect())
+    }
+}
+
+/// A handle to a sender
+#[derive(Clone)]
+pub struct ConverterSenderHandle<F: Field, OT> {
+    ot: OT,
+    sender: Weak<GilboaSender<F>>,
+}
+
+impl<F: Field, OT> std::fmt::Debug for ConverterSenderHandle<F, OT> {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "ConverterSenderHandle {{ .. }}")
+    }
+}
+
+#[async_trait]
+impl<F, OT> AdditiveToMultiplicative<F> for ConverterSenderHandle<F, OT>
+where
+    F: Field,
+    OT: OTSendElement<F>,
+{
+    async fn to_multiplicative(&self, input: Vec<F>) -> Result<Vec<F>, ShareConversionError> {
+        self.sender
+            .upgrade()
+            .ok_or(ShareConversionError::AlreadyFinalized)?
+            .convert_from(
+                &self.ot,
+                &input.into_iter().map(Share::new_add).collect::<Vec<_>>(),
+            )
+            .await
+            .map(|shares| shares.into_iter().map(|share| share.to_inner()).collect())
+    }
+}
+
+#[async_trait]
+impl<F, OT> MultiplicativeToAdditive<F> for ConverterSenderHandle<F, OT>
+where
+    F: Field,
+    OT: OTSendElement<F>,
+{
+    async fn to_additive(&self, input: Vec<F>) -> Result<Vec<F>, ShareConversionError> {
+        self.sender
+            .upgrade()
+            .ok_or(ShareConversionError::AlreadyFinalized)?
+            .convert_from(
+                &self.ot,
+                &input.into_iter().map(Share::new_mul).collect::<Vec<_>>(),
+            )
+            .await
+            .map(|shares| shares.into_iter().map(|share| share.to_inner()).collect())
+    }
+}
+
+/// The share conversion receiver
+pub struct ConverterReceiver<F: Field, OT> {
+    ot: OT,
+    // Receiver is wrapped in an option so that we can take ownership of it in `finalize`
+    // This prevents the receiver from being used after finalization
+    receiver: Option<Arc<GilboaReceiver<F>>>,
+    channel: ShareConversionChannel<F>,
+}
+
+impl<F: Field, OT> std::fmt::Debug for ConverterReceiver<F, OT> {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "Receiver {{ .. }}")
+    }
+}
+
+impl<F, OT> ConverterReceiver<F, OT>
+where
+    F: Field,
+    OT: OTReceiveElement<F> + Clone,
+{
+    /// Create a new receiver
+    pub fn new(config: ReceiverConfig, ot: OT, channel: ShareConversionChannel<F>) -> Self {
+        Self {
+            ot,
+            receiver: Some(Arc::new(GilboaReceiver::new(config))),
+            channel,
+        }
+    }
+
+    /// Returns a handle to the receiver
+    pub fn handle(&self) -> Result<ConverterReceiverHandle<F, OT>, ShareConversionError> {
+        Ok(ConverterReceiverHandle {
+            ot: self.ot.clone(),
+            receiver: Arc::downgrade(
+                self.receiver
+                    .as_ref()
+                    .ok_or(ShareConversionError::AlreadyFinalized)?,
+            ),
+        })
+    }
+}
+
+#[async_trait]
+impl<F, OT> ShareConversionVerify for ConverterReceiver<F, OT>
+where
+    F: Field,
+    OT: OTReceiveElement<F>,
+{
+    /// Verifies the Sender's seed and tape.
+    async fn verify(&mut self) -> Result<(), ShareConversionError> {
+        let receiver = self
+            .receiver
+            .take()
+            .ok_or(ShareConversionError::AlreadyFinalized)?;
+
+        let mut receiver = Arc::try_unwrap(receiver).expect("only one strong reference");
+
+        receiver.verify(&mut self.channel).await
+    }
+}
+
+#[async_trait]
+impl<F, OT> AdditiveToMultiplicative<F> for ConverterReceiver<F, OT>
+where
+    F: Field,
+    OT: OTReceiveElement<F>,
+{
+    async fn to_multiplicative(&self, input: Vec<F>) -> Result<Vec<F>, ShareConversionError> {
+        self.receiver
+            .as_ref()
+            .ok_or(ShareConversionError::AlreadyFinalized)?
+            .convert_from(
+                &self.ot,
+                &input.into_iter().map(Share::new_add).collect::<Vec<_>>(),
+            )
+            .await
+            .map(|shares| shares.into_iter().map(|share| share.to_inner()).collect())
+    }
+}
+
+#[async_trait]
+impl<F, OT> MultiplicativeToAdditive<F> for ConverterReceiver<F, OT>
+where
+    F: Field,
+    OT: OTReceiveElement<F>,
+{
+    async fn to_additive(&self, input: Vec<F>) -> Result<Vec<F>, ShareConversionError> {
+        self.receiver
+            .as_ref()
+            .ok_or(ShareConversionError::AlreadyFinalized)?
+            .convert_from(
+                &self.ot,
+                &input.into_iter().map(Share::new_mul).collect::<Vec<_>>(),
+            )
+            .await
+            .map(|shares| shares.into_iter().map(|share| share.to_inner()).collect())
+    }
+}
+
+/// A handle to a receiver
+#[derive(Clone)]
+pub struct ConverterReceiverHandle<F: Field, OT> {
+    ot: OT,
+    receiver: Weak<GilboaReceiver<F>>,
+}
+
+impl<F: Field, OT> std::fmt::Debug for ConverterReceiverHandle<F, OT> {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "ConverterReceiverHandle {{ .. }}")
+    }
+}
+
+#[async_trait]
+impl<F, OT> AdditiveToMultiplicative<F> for ConverterReceiverHandle<F, OT>
+where
+    F: Field,
+    OT: OTReceiveElement<F>,
+{
+    async fn to_multiplicative(&self, input: Vec<F>) -> Result<Vec<F>, ShareConversionError> {
+        self.receiver
+            .upgrade()
+            .ok_or(ShareConversionError::AlreadyFinalized)?
+            .convert_from(
+                &self.ot,
+                &input.into_iter().map(Share::new_add).collect::<Vec<_>>(),
+            )
+            .await
+            .map(|shares| shares.into_iter().map(|share| share.to_inner()).collect())
+    }
+}
+
+#[async_trait]
+impl<F, OT> MultiplicativeToAdditive<F> for ConverterReceiverHandle<F, OT>
+where
+    F: Field,
+    OT: OTReceiveElement<F>,
+{
+    async fn to_additive(&self, input: Vec<F>) -> Result<Vec<F>, ShareConversionError> {
+        self.receiver
+            .upgrade()
+            .ok_or(ShareConversionError::AlreadyFinalized)?
+            .convert_from(
+                &self.ot,
+                &input.into_iter().map(Share::new_mul).collect::<Vec<_>>(),
+            )
+            .await
+            .map(|shares| shares.into_iter().map(|share| share.to_inner()).collect())
+    }
+}
diff --git a/crates/mpz-share-conversion/src/error.rs b/crates/mpz-share-conversion/src/error.rs
index c061df2d..a8146b98 100644
--- a/crates/mpz-share-conversion/src/error.rs
+++ b/crates/mpz-share-conversion/src/error.rs
@@ -1,67 +1,37 @@
-use core::fmt;
-use mpz_ole::OLEError;
-use mpz_share_conversion_core::ShareConversionError as ShareConversionCoreError;
-use std::error::Error;
-use std::io::Error as IOError;
+use mpz_ot::OTError;
 
-/// A share conversion error.
+/// An error for what can go wrong during conversion
 #[derive(Debug, thiserror::Error)]
-pub struct ShareConversionError {
-    #[allow(dead_code)]
-    kind: ErrorKind,
-    #[source]
-    source: Option<Box<dyn std::error::Error + Send + Sync>>,
+#[allow(missing_docs)]
+pub enum ShareConversionError {
+    #[error(transparent)]
+    OTError(Box<OTError>),
+    #[error(transparent)]
+    IOError(#[from] std::io::Error),
+    #[error("Received invalid seed")]
+    InvalidSeed,
+    #[error("Tape not configured")]
+    TapeNotConfigured,
+    #[error(transparent)]
+    TapeError(#[from] TapeVerificationError),
+    #[error("Already finalized")]
+    AlreadyFinalized,
 }
 
-impl ShareConversionError {
-    fn new<E>(kind: ErrorKind, source: E) -> Self
-    where
-        E: Into<Box<dyn Error + Send + Sync>>,
-    {
-        Self {
-            kind,
-            source: Some(source.into()),
-        }
+impl From<mpz_ot::OTError> for ShareConversionError {
+    fn from(value: mpz_ot::OTError) -> Self {
+        ShareConversionError::OTError(Box::new(value))
     }
 }
 
-#[derive(Debug)]
-pub(crate) enum ErrorKind {
-    Ole,
-    IO,
-    ShareConversionCore,
-}
-
-impl fmt::Display for ShareConversionError {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        match self.kind {
-            ErrorKind::Ole => write!(f, "OLE Error"),
-            ErrorKind::IO => write!(f, "IO Error"),
-            ErrorKind::ShareConversionCore => write!(f, "Core Error"),
-        }?;
-
-        if let Some(source) = self.source.as_ref() {
-            write!(f, " caused by: {source}")?;
-        }
-
-        Ok(())
-    }
-}
-
-impl From<OLEError> for ShareConversionError {
-    fn from(value: OLEError) -> Self {
-        Self::new(ErrorKind::Ole, value)
-    }
-}
-
-impl From<ShareConversionCoreError> for ShareConversionError {
-    fn from(value: ShareConversionCoreError) -> Self {
-        Self::new(ErrorKind::ShareConversionCore, value)
-    }
-}
-
-impl From<IOError> for ShareConversionError {
-    fn from(value: IOError) -> Self {
-        Self::new(ErrorKind::IO, value)
-    }
+/// An error which can occur during tape verification
+#[derive(Debug, thiserror::Error)]
+#[allow(missing_docs)]
+pub enum TapeVerificationError {
+    #[error("incorrect tape length: expected {0}, got {1}")]
+    IncorrectLength(usize, usize),
+    #[error("incorrect share type")]
+    IncorrectShareType,
+    #[error("incorrect share value")]
+    IncorrectShareValue,
 }
diff --git a/crates/mpz-share-conversion/src/lib.rs b/crates/mpz-share-conversion/src/lib.rs
index 90deb1d1..a4ce915d 100644
--- a/crates/mpz-share-conversion/src/lib.rs
+++ b/crates/mpz-share-conversion/src/lib.rs
@@ -1,131 +1,189 @@
-//! This crate provides additive-to-multiplicative (A2M) and multiplicative-to-additive (M2A) share conversion protocols.
+//! This crate provides a semi-honest protocol (with optional covert security) for converting secret-shared finite field elements
+//! between additive and multiplicative representations.
+//!
+//! The protocol is based on `Two Party RSA Key Generation [Gil99]` which describes a method for
+//! converting multiplicative shares of a finite field element into additive shares (M2A). We use a similar technique
+//! to convert additive shares into multiplicative shares (A2M), inspired by `Efficient Secure Two-Party Exponentiation [YCCL11]`.
 
 #![deny(missing_docs, unreachable_pub, unused_must_use)]
-#![deny(unsafe_code)]
 #![deny(clippy::all)]
+#![deny(unsafe_code)]
+
+use async_trait::async_trait;
 
+mod config;
+mod converter;
 mod error;
-#[cfg(feature = "ideal")]
-pub mod ideal;
+#[cfg(feature = "mock")]
+pub mod mock;
+mod ot;
 mod receiver;
 mod sender;
-
-use async_trait::async_trait;
-
-pub use error::ShareConversionError;
-pub use receiver::ShareConversionReceiver;
-pub use sender::ShareConversionSender;
+pub(crate) mod tape;
+
+pub use config::{
+    ReceiverConfig, ReceiverConfigBuilder, ReceiverConfigBuilderError, SenderConfig,
+    SenderConfigBuilder, SenderConfigBuilderError,
+};
+pub use converter::{
+    ConverterReceiver, ConverterReceiverHandle, ConverterSender, ConverterSenderHandle,
+};
+pub use error::{ShareConversionError, TapeVerificationError};
+pub use mpz_fields::{gf2_128::Gf2_128, p256::P256, Field};
+pub use mpz_share_conversion_core::msgs::ShareConversionMessage;
+pub use ot::{OTReceiveElement, OTSendElement};
+pub use receiver::GilboaReceiver;
+pub use sender::GilboaSender;
+
+use utils_aio::duplex::Duplex;
+
+/// A channel used by conversion protocols for messaging
+pub type ShareConversionChannel<T> = Box<dyn Duplex<ShareConversionMessage<T>>>;
 
 /// A trait for converting additive shares into multiplicative shares.
 #[async_trait]
-pub trait AdditiveToMultiplicative<Ctx, T> {
-    /// Converts additive shares into multiplicative shares.
-    ///
-    /// # Arguments
-    ///
-    /// * `ctx` - The thread context.
-    /// * `inputs` - The additive shares to convert.
-    async fn to_multiplicative(
-        &mut self,
-        ctx: &mut Ctx,
-        inputs: Vec<T>,
-    ) -> Result<Vec<T>, ShareConversionError>;
+pub trait AdditiveToMultiplicative<T: Field> {
+    /// Converts additive shares into multiplicative shares
+    async fn to_multiplicative(&self, input: Vec<T>) -> Result<Vec<T>, ShareConversionError>;
 }
 
 /// A trait for converting multiplicative shares into additive shares.
 #[async_trait]
-pub trait MultiplicativeToAdditive<Ctx, T> {
-    /// Converts multiplicative shares into additive shares.
-    ///
-    /// # Arguments
-    ///
-    /// * `ctx` - The thread context.
-    /// * `inputs` - The multiplicative shares to convert.
-    async fn to_additive(
-        &mut self,
-        ctx: &mut Ctx,
-        inputs: Vec<T>,
-    ) -> Result<Vec<T>, ShareConversionError>;
+pub trait MultiplicativeToAdditive<T: Field> {
+    /// Converts multiplicative shares into additive shares
+    async fn to_additive(&self, input: Vec<T>) -> Result<Vec<T>, ShareConversionError>;
 }
 
-/// A trait for converting between additive and multiplicative shares.
-pub trait ShareConvert<Ctx, T>:
-    AdditiveToMultiplicative<Ctx, T> + MultiplicativeToAdditive<Ctx, T>
+/// A trait for converting secret-shared finite field elements between additive and multiplicative
+/// representations.
+pub trait ShareConversion<F: Field>:
+    AdditiveToMultiplicative<F> + MultiplicativeToAdditive<F>
 {
 }
 
-impl<Ctx, T, U> ShareConvert<Ctx, T> for U where
-    U: AdditiveToMultiplicative<Ctx, T> + MultiplicativeToAdditive<Ctx, T>
+impl<T, F> ShareConversion<F> for T
+where
+    T: AdditiveToMultiplicative<F> + MultiplicativeToAdditive<F>,
+    F: Field,
 {
 }
 
-#[cfg(test)]
-mod tests {
-    use crate::{
-        AdditiveToMultiplicative, MultiplicativeToAdditive, ShareConversionReceiver,
-        ShareConversionSender,
-    };
-    use mpz_common::executor::test_st_executor;
-    use mpz_core::{prg::Prg, Block};
-    use mpz_fields::{p256::P256, UniformRand};
-    use mpz_ole::ideal::ideal_ole;
-    use rand::SeedableRng;
-
-    #[tokio::test]
-    async fn test_m2a() {
-        let count = 12;
-        let mut rng = Prg::from_seed(Block::ZERO);
-
-        let (ole_sender, ole_receiver) = ideal_ole();
+/// Send a tape used for verification of the conversion
+///
+/// Senders record their inputs used during conversion and can send them to the receiver
+/// afterwards. This will allow the receiver to use [VerifyTape].
+#[async_trait]
+pub trait ShareConversionReveal {
+    /// Reveals the private inputs of the sender to the receiver for verification.
+    async fn reveal(&mut self) -> Result<(), ShareConversionError>;
+}
 
-        let mut sender = ShareConversionSender::new(ole_sender);
-        let mut receiver = ShareConversionReceiver::new(ole_receiver);
+/// Verify the recorded inputs of the sender
+///
+/// Will check if the conversion worked correctly. This allows to catch a malicious sender but
+/// requires that he/she makes use of [SendTape].
+#[async_trait]
+pub trait ShareConversionVerify {
+    /// Verifies all share conversions.
+    async fn verify(&mut self) -> Result<(), ShareConversionError>;
+}
 
-        let sender_input: Vec<P256> = (0..count).map(|_| P256::rand(&mut rng)).collect();
-        let receiver_input: Vec<P256> = (0..count).map(|_| P256::rand(&mut rng)).collect();
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use rstest::*;
+    use utils_aio::duplex::MemoryDuplex;
 
-        let (mut ctx_sender, mut ctx_receiver) = test_st_executor(10);
+    use std::marker::PhantomData;
 
-        let (sender_output, receiver_output) = tokio::try_join!(
-            sender.to_additive(&mut ctx_sender, sender_input.clone()),
-            receiver.to_additive(&mut ctx_receiver, receiver_input.clone())
+    use mpz_fields::{gf2_128::Gf2_128, p256::P256};
+    use mpz_ot::ideal::{ideal_ot_shared_pair, IdealSharedOTReceiver, IdealSharedOTSender};
+    use mpz_share_conversion_core::ShareType;
+    use rand::SeedableRng;
+    use rand_chacha::ChaCha20Rng;
+
+    fn create_pair<F: Field>() -> (GilboaSender<F>, GilboaReceiver<F>) {
+        (
+            GilboaSender::new(SenderConfig::builder().id("test").record().build().unwrap()),
+            GilboaReceiver::new(
+                ReceiverConfig::builder()
+                    .id("test")
+                    .record()
+                    .build()
+                    .unwrap(),
+            ),
         )
-        .unwrap();
-
-        sender_input
-            .iter()
-            .zip(receiver_input)
-            .zip(sender_output)
-            .zip(receiver_output)
-            .for_each(|(((&si, ri), so), ro)| assert_eq!(si * ri, so + ro));
     }
 
+    #[rstest]
+    #[case::gf2_add(ShareType::Add, PhantomData::<Gf2_128>)]
+    #[case::gf2_mul(ShareType::Mul, PhantomData::<Gf2_128>)]
+    #[case::p256_add(ShareType::Add, PhantomData::<P256>)]
+    #[case::p256_mul(ShareType::Mul, PhantomData::<P256>)]
     #[tokio::test]
-    async fn test_a2m() {
-        let count = 12;
-        let mut rng = Prg::from_seed(Block::ZERO);
-
-        let (ole_sender, ole_receiver) = ideal_ole();
-
-        let mut sender = ShareConversionSender::new(ole_sender);
-        let mut receiver = ShareConversionReceiver::new(ole_receiver);
-
-        let sender_input: Vec<P256> = (0..count).map(|_| P256::rand(&mut rng)).collect();
-        let receiver_input: Vec<P256> = (0..count).map(|_| P256::rand(&mut rng)).collect();
-
-        let (mut ctx_sender, mut ctx_receiver) = test_st_executor(10);
-
-        let (sender_output, receiver_output) = tokio::try_join!(
-            sender.to_multiplicative(&mut ctx_sender, sender_input.clone()),
-            receiver.to_multiplicative(&mut ctx_receiver, receiver_input.clone())
+    async fn test_conversion<T: Field>(
+        #[case] ty: ShareType,
+        #[case] _pd: PhantomData<T>,
+        #[values(false, true)] malicious: bool,
+    ) where
+        IdealSharedOTSender: OTSendElement<T>,
+        IdealSharedOTReceiver: OTReceiveElement<T>,
+    {
+        let (ot_sender, ot_receiver) = ideal_ot_shared_pair();
+        let (mut sender_channel, mut receiver_channel) = MemoryDuplex::new();
+        let (mut sender, mut receiver) = create_pair::<T>();
+        let mut rng = ChaCha20Rng::from_seed([0; 32]);
+
+        // Create some random shares
+        let sender_shares = (0..16)
+            .map(|_| ty.new_share(T::rand(&mut rng)))
+            .collect::<Vec<_>>();
+        let receiver_shares = (0..16)
+            .map(|_| ty.new_share(T::rand(&mut rng)))
+            .collect::<Vec<_>>();
+
+        let (sender_converted, receiver_converted) = tokio::try_join!(
+            sender.convert_from(&ot_sender, &sender_shares),
+            receiver.convert_from(&ot_receiver, &receiver_shares)
         )
         .unwrap();
 
-        sender_input
+        // If sender is malicious, we modify the tape to be inconsistent
+        if malicious {
+            *sender
+                .state_mut()
+                .tape
+                .as_mut()
+                .unwrap()
+                .inputs
+                .last_mut()
+                .unwrap() = ty.new_share(T::one());
+        }
+
+        let res = tokio::try_join!(
+            sender.reveal(&mut sender_channel),
+            receiver.verify(&mut receiver_channel)
+        );
+
+        if malicious {
+            assert!(res.is_err());
+        } else {
+            assert!(res.is_ok());
+        }
+
+        for ((a, b), (x, y)) in sender_shares
             .iter()
-            .zip(receiver_input)
-            .zip(sender_output)
-            .zip(receiver_output)
-            .for_each(|(((&si, ri), so), ro)| assert_eq!(si + ri, so * ro));
+            .zip(receiver_shares.iter())
+            .zip(sender_converted.iter().zip(receiver_converted.iter()))
+        {
+            match ty {
+                ShareType::Add => {
+                    assert_eq!(a.to_inner() + b.to_inner(), x.to_inner() * y.to_inner())
+                }
+                ShareType::Mul => {
+                    assert_eq!(a.to_inner() * b.to_inner(), x.to_inner() + y.to_inner())
+                }
+            }
+        }
     }
 }
diff --git a/crates/mpz-share-conversion/src/mock.rs b/crates/mpz-share-conversion/src/mock.rs
new file mode 100644
index 00000000..701b0ca4
--- /dev/null
+++ b/crates/mpz-share-conversion/src/mock.rs
@@ -0,0 +1,36 @@
+//! Mocks for testing the share conversion protocol.
+
+use crate::{OTReceiveElement, OTSendElement};
+
+use super::{ConverterReceiver, ConverterSender, ReceiverConfig, SenderConfig};
+use mpz_fields::Field;
+use mpz_ot::ideal::{ideal_ot_shared_pair, IdealSharedOTReceiver, IdealSharedOTSender};
+use utils_aio::duplex::MemoryDuplex;
+
+/// A mock converter sender
+pub type MockConverterSender<F> = ConverterSender<F, IdealSharedOTSender>;
+/// A mock converter receiver
+pub type MockConverterReceiver<F> = ConverterReceiver<F, IdealSharedOTReceiver>;
+
+/// Creates a mock sender and receiver for testing the share conversion protocol.
+#[allow(clippy::type_complexity)]
+pub fn mock_converter_pair<F: Field>(
+    sender_config: SenderConfig,
+    receiver_config: ReceiverConfig,
+) -> (
+    ConverterSender<F, IdealSharedOTSender>,
+    ConverterReceiver<F, IdealSharedOTReceiver>,
+)
+where
+    IdealSharedOTSender: OTSendElement<F>,
+    IdealSharedOTReceiver: OTReceiveElement<F>,
+{
+    let (c1, c2) = MemoryDuplex::new();
+
+    let (ot_sender, ot_receiver) = ideal_ot_shared_pair();
+
+    let sender = ConverterSender::new(sender_config, ot_sender, Box::new(c1));
+    let receiver = ConverterReceiver::new(receiver_config, ot_receiver, Box::new(c2));
+
+    (sender, receiver)
+}
diff --git a/crates/mpz-share-conversion/src/ot.rs b/crates/mpz-share-conversion/src/ot.rs
new file mode 100644
index 00000000..7681dca7
--- /dev/null
+++ b/crates/mpz-share-conversion/src/ot.rs
@@ -0,0 +1,81 @@
+use async_trait::async_trait;
+
+use mpz_core::Block;
+use mpz_fields::{gf2_128::Gf2_128, p256::P256, Field};
+
+/// A trait for sending field elements via oblivious transfer.
+#[async_trait]
+pub trait OTSendElement<F: Field>: Send + Sync {
+    /// Sends elements to the receiver.
+    async fn send(&self, id: &str, input: Vec<[F; 2]>) -> Result<(), mpz_ot::OTError>;
+}
+
+#[async_trait]
+impl<T> OTSendElement<P256> for T
+where
+    T: mpz_ot::OTSenderShared<[[u8; 32]; 2]> + Send + Sync,
+{
+    async fn send(&self, id: &str, input: Vec<[P256; 2]>) -> Result<(), mpz_ot::OTError> {
+        let bytes: Vec<[[u8; 32]; 2]> = input
+            .into_iter()
+            .map(|[a, b]| [a.into(), b.into()])
+            .collect();
+
+        self.send(id, &bytes).await
+    }
+}
+
+#[async_trait]
+impl<T> OTSendElement<Gf2_128> for T
+where
+    T: mpz_ot::OTSenderShared<[Block; 2]> + Send + Sync,
+{
+    async fn send(&self, id: &str, input: Vec<[Gf2_128; 2]>) -> Result<(), mpz_ot::OTError> {
+        let blocks: Vec<_> = input
+            .into_iter()
+            .map(|[a, b]| [a.into(), b.into()])
+            .collect();
+
+        self.send(id, &blocks).await
+    }
+}
+
+/// A trait for receiving field elements via oblivious transfer.
+#[async_trait]
+pub trait OTReceiveElement<F: Field>: Send + Sync {
+    /// Receives elements from the sender.
+    async fn receive(&self, id: &str, choice: Vec<bool>) -> Result<Vec<F>, mpz_ot::OTError>;
+}
+
+#[async_trait]
+impl<T> OTReceiveElement<P256> for T
+where
+    T: mpz_ot::OTReceiverShared<bool, [u8; 32]> + Send + Sync,
+{
+    async fn receive(&self, id: &str, choice: Vec<bool>) -> Result<Vec<P256>, mpz_ot::OTError> {
+        let bytes = self.receive(id, &choice).await?;
+
+        bytes
+            .into_iter()
+            .map(|bytes| bytes.try_into())
+            .collect::<Result<Vec<_>, _>>()
+            .map_err(|_| {
+                mpz_ot::OTError::IOError(std::io::Error::new(
+                    std::io::ErrorKind::InvalidData,
+                    "invalid P256 element",
+                ))
+            })
+    }
+}
+
+#[async_trait]
+impl<T> OTReceiveElement<Gf2_128> for T
+where
+    T: mpz_ot::OTReceiverShared<bool, Block> + Send + Sync,
+{
+    async fn receive(&self, id: &str, choice: Vec<bool>) -> Result<Vec<Gf2_128>, mpz_ot::OTError> {
+        let blocks = self.receive(id, &choice).await?;
+
+        Ok(blocks.into_iter().map(|block| block.into()).collect())
+    }
+}
diff --git a/crates/mpz-share-conversion/src/receiver.rs b/crates/mpz-share-conversion/src/receiver.rs
index 4262aa95..b94631b8 100644
--- a/crates/mpz-share-conversion/src/receiver.rs
+++ b/crates/mpz-share-conversion/src/receiver.rs
@@ -1,101 +1,139 @@
-use crate::{AdditiveToMultiplicative, MultiplicativeToAdditive, ShareConversionError};
-use async_trait::async_trait;
-use mpz_common::{Allocate, Context, Preprocess};
+//! This module implements the Receiver for the share conversion protocol.
+
+use std::sync::Mutex;
+
+use futures::{Stream, StreamExt};
+
 use mpz_fields::Field;
-use mpz_ole::{OLEError, OLEReceiver};
-use mpz_share_conversion_core::{a2m_convert_receiver, msgs::Masks, A2MMasks};
-use serio::{stream::IoStreamExt, Deserialize, Serialize};
-use std::marker::PhantomData;
+use mpz_share_conversion_core::{
+    msgs::{SenderRecordings, ShareConversionMessage},
+    Share,
+};
+use utils_aio::expect_msg_or_err;
 
-/// Receiver for share conversion.
+use crate::{ot::OTReceiveElement, tape::ReceiverTape, ReceiverConfig, ShareConversionError};
+
+/// The share conversion receiver
 #[derive(Debug)]
-pub struct ShareConversionReceiver<T, F> {
-    ole_receiver: T,
-    _pd: PhantomData<F>,
+pub struct GilboaReceiver<F>
+where
+    F: Field,
+{
+    config: ReceiverConfig,
+    state: Mutex<State<F>>,
 }
 
-impl<T: Clone, F> Clone for ShareConversionReceiver<T, F> {
-    fn clone(&self) -> Self {
-        Self {
-            ole_receiver: self.ole_receiver.clone(),
-            _pd: PhantomData,
-        }
-    }
+struct State<F: Field> {
+    tape: Option<ReceiverTape<F>>,
+    /// keeps track of how many batched share conversions we've made so far
+    counter: usize,
+    finalized: bool,
 }
 
-impl<T, F> ShareConversionReceiver<T, F> {
-    /// Creates a new receiver.
-    pub fn new(ole_receiver: T) -> Self {
-        Self {
-            ole_receiver,
-            _pd: PhantomData,
-        }
+impl<F: Field> std::fmt::Debug for State<F> {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "State {{ .. }}")
     }
 }
 
-impl<F, T> Allocate for ShareConversionReceiver<T, F>
+impl<F> GilboaReceiver<F>
 where
-    T: Allocate,
     F: Field,
 {
-    fn alloc(&mut self, count: usize) {
-        self.ole_receiver.alloc(count);
+    /// Create a new receiver
+    pub fn new(config: ReceiverConfig) -> Self {
+        let tape = config.record().then(ReceiverTape::default);
+        Self {
+            config,
+            state: Mutex::new(State {
+                tape,
+                counter: 0,
+                finalized: false,
+            }),
+        }
     }
-}
 
-#[async_trait]
-impl<Ctx, F, T> Preprocess<Ctx> for ShareConversionReceiver<T, F>
-where
-    T: Preprocess<Ctx, Error = OLEError> + Send,
-    F: Field + Serialize + Deserialize,
-    Ctx: Context,
-{
-    type Error = ShareConversionError;
+    /// Converts a batch of shares using oblivious transfer
+    pub async fn convert_from<OT: OTReceiveElement<F>>(
+        &self,
+        ot: &OT,
+        shares: &[Share<F>],
+    ) -> Result<Vec<Share<F>>, ShareConversionError> {
+        if shares.is_empty() {
+            return Ok(vec![]);
+        }
 
-    async fn preprocess(&mut self, ctx: &mut Ctx) -> Result<(), ShareConversionError> {
-        self.ole_receiver
-            .preprocess(ctx)
-            .await
-            .map_err(ShareConversionError::from)
-    }
-}
+        let choices = shares
+            .iter()
+            .flat_map(|share| share.binary_encoding())
+            .collect::<Vec<_>>();
 
-#[async_trait]
-impl<Ctx, F, T> MultiplicativeToAdditive<Ctx, F> for ShareConversionReceiver<T, F>
-where
-    T: OLEReceiver<Ctx, F> + Send,
-    F: Field + Serialize + Deserialize,
-    Ctx: Context,
-{
-    async fn to_additive(
-        &mut self,
-        ctx: &mut Ctx,
-        inputs: Vec<F>,
-    ) -> Result<Vec<F>, ShareConversionError> {
-        self.ole_receiver
-            .receive(ctx, inputs)
-            .await
-            .map_err(ShareConversionError::from)
+        let ot_id = {
+            let mut state = self.state.lock().unwrap();
+
+            if state.finalized {
+                return Err(ShareConversionError::AlreadyFinalized);
+            }
+
+            let ot_id = format!("{}/{}", &self.config.id(), state.counter);
+            state.counter += 1;
+
+            ot_id
+        };
+
+        // Receive OT shares from the sender and increment batch counter
+        let summands = ot.receive(&ot_id, choices).await?;
+
+        // Aggregate summands into shares
+        let converted_shares: Vec<Share<F>> = summands
+            .chunks(F::BIT_SIZE as usize)
+            .zip(shares)
+            .map(|(summands, share)| share.ty().other().new_from_summands(summands))
+            .collect();
+
+        if let Some(tape) = self.state.lock().unwrap().tape.as_mut() {
+            tape.record(shares, &converted_shares);
+        }
+
+        Ok(converted_shares)
     }
-}
 
-#[async_trait]
-impl<Ctx, F, T> AdditiveToMultiplicative<Ctx, F> for ShareConversionReceiver<T, F>
-where
-    T: OLEReceiver<Ctx, F> + Send,
-    F: Field + Serialize + Deserialize,
-    Ctx: Context,
-{
-    async fn to_multiplicative(
+    /// Receives the Sender's seed and tape and verifies them against the receiver's tape
+    /// to detect malicious behavior.
+    pub async fn verify<
+        S: Stream<Item = Result<ShareConversionMessage<F>, std::io::Error>> + Unpin,
+    >(
         &mut self,
-        ctx: &mut Ctx,
-        inputs: Vec<F>,
-    ) -> Result<Vec<F>, ShareConversionError> {
-        let ole_output = self.ole_receiver.receive(ctx, inputs).await?;
+        stream: &mut S,
+    ) -> Result<(), ShareConversionError> {
+        let tape = {
+            let mut state = self.state.lock().unwrap();
+
+            if state.finalized {
+                return Err(ShareConversionError::AlreadyFinalized);
+            } else {
+                state.finalized = true;
+            }
+
+            state
+                .tape
+                .take()
+                .ok_or(ShareConversionError::TapeNotConfigured)?
+        };
+
+        let message = expect_msg_or_err!(stream, ShareConversionMessage::SenderRecordings)?;
+
+        let SenderRecordings {
+            seed,
+            inputs: sender_inputs,
+        } = message;
+
+        let seed: [u8; 32] = seed
+            .try_into()
+            .map_err(|_| ShareConversionError::InvalidSeed)?;
 
-        let channel = ctx.io_mut();
-        let masks: A2MMasks<F> = channel.expect_next::<Masks<F>>().await?.into();
+        tape.verify(seed, &sender_inputs)?;
 
-        a2m_convert_receiver(masks, ole_output).map_err(ShareConversionError::from)
+        Ok(())
     }
 }
diff --git a/crates/mpz-share-conversion/src/sender.rs b/crates/mpz-share-conversion/src/sender.rs
index 9d78dec1..2d3c9074 100644
--- a/crates/mpz-share-conversion/src/sender.rs
+++ b/crates/mpz-share-conversion/src/sender.rs
@@ -1,115 +1,150 @@
-use crate::{AdditiveToMultiplicative, MultiplicativeToAdditive, ShareConversionError};
-use async_trait::async_trait;
-use mpz_common::{Allocate, Context, Preprocess};
+//! This module implements the Sender for the share conversion protocol.
+
+use std::sync::Mutex;
+
+use futures::{Sink, SinkExt};
+use rand::SeedableRng;
+use rand_chacha::ChaCha20Rng;
+
 use mpz_fields::Field;
-use mpz_ole::{OLEError, OLESender};
-use mpz_share_conversion_core::{a2m_convert_sender, m2a_convert, msgs::Masks};
-use rand::thread_rng;
-use serio::{Deserialize, Serialize, SinkExt};
-use std::marker::PhantomData;
+use mpz_share_conversion_core::{
+    msgs::{SenderRecordings, ShareConversionMessage},
+    Share,
+};
 
-/// Sender for share conversion.
+use crate::{ot::OTSendElement, tape::SenderTape, SenderConfig, ShareConversionError};
+
+/// The share conversion sender
 #[derive(Debug)]
-pub struct ShareConversionSender<T, F> {
-    ole_sender: T,
-    _pd: PhantomData<F>,
+pub struct GilboaSender<F>
+where
+    F: Field,
+{
+    config: SenderConfig,
+    state: Mutex<State<F>>,
 }
 
-impl<T: Clone, F> Clone for ShareConversionSender<T, F> {
-    fn clone(&self) -> Self {
-        Self {
-            ole_sender: self.ole_sender.clone(),
-            _pd: PhantomData,
-        }
-    }
+pub(crate) struct State<F: Field> {
+    rng: ChaCha20Rng,
+    pub(crate) tape: Option<SenderTape<F>>,
+    /// keeps track of how many batched share conversions we've made so far
+    counter: usize,
+    finalized: bool,
 }
 
-impl<T, F> ShareConversionSender<T, F> {
-    /// Creates a new sender.
-    pub fn new(ole_sender: T) -> Self {
-        Self {
-            ole_sender,
-            _pd: PhantomData,
-        }
+impl<F: Field> std::fmt::Debug for State<F> {
+    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
+        write!(f, "State {{ .. }}")
     }
 }
 
-impl<F, T> Allocate for ShareConversionSender<T, F>
+impl<F> GilboaSender<F>
 where
-    T: Allocate,
     F: Field,
 {
-    fn alloc(&mut self, count: usize) {
-        self.ole_sender.alloc(count);
+    /// Create a new sender
+    pub fn new(config: SenderConfig) -> Self {
+        let rng = ChaCha20Rng::from_entropy();
+        let tape = config.record().then(SenderTape::default);
+
+        Self {
+            config,
+            state: Mutex::new(State {
+                rng,
+                tape,
+                counter: 0,
+                finalized: false,
+            }),
+        }
     }
-}
 
-#[async_trait]
-impl<Ctx, F, T> Preprocess<Ctx> for ShareConversionSender<T, F>
-where
-    T: Preprocess<Ctx, Error = OLEError> + Send,
-    F: Field + Serialize + Deserialize,
-    Ctx: Context,
-{
-    type Error = ShareConversionError;
+    /// Converts a batch of shares using oblivious transfer
+    ///
+    /// # Arguments
+    ///
+    /// * `ot` - OT sender
+    /// * `shares` - field element shares
+    pub async fn convert_from<OT: OTSendElement<F>>(
+        &self,
+        ot: &OT,
+        shares: &[Share<F>],
+    ) -> Result<Vec<Share<F>>, ShareConversionError> {
+        if shares.is_empty() {
+            return Ok(vec![]);
+        }
 
-    async fn preprocess(&mut self, ctx: &mut Ctx) -> Result<(), ShareConversionError> {
-        self.ole_sender
-            .preprocess(ctx)
-            .await
-            .map_err(ShareConversionError::from)
-    }
-}
+        let (new_shares, summands, ot_id) = {
+            let mut state = self.state.lock().unwrap();
 
-#[async_trait]
-impl<Ctx, F, T> MultiplicativeToAdditive<Ctx, F> for ShareConversionSender<T, F>
-where
-    T: OLESender<Ctx, F> + Send,
-    F: Field + Serialize + Deserialize,
-    Ctx: Context,
-{
-    async fn to_additive(
-        &mut self,
-        ctx: &mut Ctx,
-        inputs: Vec<F>,
-    ) -> Result<Vec<F>, ShareConversionError> {
-        let ole_output = self.ole_sender.send(ctx, inputs).await?;
-        Ok(m2a_convert(ole_output))
+            if state.finalized {
+                return Err(ShareConversionError::AlreadyFinalized);
+            }
+
+            if let Some(tape) = state.tape.as_mut() {
+                tape.record(shares);
+            }
+
+            let ot_id = format!("{}/{}", &self.config.id(), state.counter);
+            state.counter += 1;
+
+            let mut new_shares: Vec<Share<F>> = Vec::with_capacity(shares.len());
+            let mut all_summands = Vec::with_capacity(shares.len() * F::BIT_SIZE as usize);
+            for share in shares {
+                let (new_share, summands) = share.convert(&mut state.rng);
+                new_shares.push(new_share);
+                all_summands.extend(summands);
+            }
+
+            (new_shares, all_summands, ot_id)
+        };
+
+        // Send OT shares to the receiver
+        ot.send(&ot_id, summands).await?;
+
+        Ok(new_shares)
     }
-}
 
-#[async_trait]
-impl<Ctx, F, T> AdditiveToMultiplicative<Ctx, F> for ShareConversionSender<T, F>
-where
-    T: OLESender<Ctx, F> + Send,
-    F: Field + Serialize + Deserialize,
-    Ctx: Context,
-{
-    async fn to_multiplicative(
+    /// Reveals the Sender's RNG seed and tape to the Receiver.
+    pub async fn reveal<S: Sink<ShareConversionMessage<F>, Error = std::io::Error> + Unpin>(
         &mut self,
-        ctx: &mut Ctx,
-        inputs: Vec<F>,
-    ) -> Result<Vec<F>, ShareConversionError> {
-        let random: Vec<F> = {
-            let mut rng = thread_rng();
-            (0..inputs.len())
-                .map(|_| loop {
-                    let rand = F::rand(&mut rng);
-                    if rand != F::zero() {
-                        break rand;
-                    }
-                })
-                .collect()
+        sink: &mut S,
+    ) -> Result<(), ShareConversionError> {
+        let message = {
+            let mut state = self.state.lock().unwrap();
+
+            if state.finalized {
+                return Err(ShareConversionError::AlreadyFinalized);
+            } else {
+                state.finalized = true;
+            }
+
+            let Some(tape) = state.tape.take() else {
+                return Err(ShareConversionError::TapeNotConfigured);
+            };
+
+            SenderRecordings {
+                seed: state.rng.get_seed().to_vec(),
+                inputs: tape.inputs,
+            }
         };
 
-        let ole_output = self.ole_sender.send(ctx, random.clone()).await?;
-        let (output, masks) = a2m_convert_sender(inputs, random, ole_output)?;
+        sink.send(ShareConversionMessage::SenderRecordings(message))
+            .await?;
 
-        let masks: Masks<F> = masks.into();
-        let channel = ctx.io_mut();
+        Ok(())
+    }
+}
 
-        channel.send(masks).await?;
+#[cfg(test)]
+use std::ops::DerefMut;
 
-        Ok(output)
+// Used for unit testing
+#[cfg(test)]
+impl<F> GilboaSender<F>
+where
+    F: Field,
+{
+    pub(crate) fn state_mut(&mut self) -> impl DerefMut<Target = State<F>> + '_ {
+        self.state.try_lock().unwrap()
     }
 }
diff --git a/crates/mpz-share-conversion/src/tape.rs b/crates/mpz-share-conversion/src/tape.rs
new file mode 100644
index 00000000..39aa733b
--- /dev/null
+++ b/crates/mpz-share-conversion/src/tape.rs
@@ -0,0 +1,96 @@
+use crate::TapeVerificationError;
+
+use mpz_fields::Field;
+use mpz_share_conversion_core::Share;
+use rand::SeedableRng;
+use rand_chacha::ChaCha20Rng;
+
+/// A tape which allows to record inputs and outputs of the conversion.
+/// The sender can reveal his tape (and rng seed for generating shares) to the receiver
+/// who will check it against her tape to detect any malicious behaviour of the sender.
+pub(crate) struct SenderTape<F> {
+    pub(crate) inputs: Vec<Share<F>>,
+}
+
+impl<F> Default for SenderTape<F> {
+    fn default() -> Self {
+        Self { inputs: Vec::new() }
+    }
+}
+
+impl<F: Field> SenderTape<F> {
+    pub(crate) fn record(&mut self, inputs: &[Share<F>]) {
+        self.inputs.extend_from_slice(inputs);
+    }
+}
+
+pub(crate) struct ReceiverTape<F> {
+    pub(crate) inputs: Vec<Share<F>>,
+    pub(crate) outputs: Vec<Share<F>>,
+}
+
+impl<F> Default for ReceiverTape<F> {
+    fn default() -> Self {
+        Self {
+            inputs: Vec::new(),
+            outputs: Vec::new(),
+        }
+    }
+}
+
+impl<F: Field> ReceiverTape<F> {
+    pub(crate) fn record(&mut self, inputs: &[Share<F>], outputs: &[Share<F>]) {
+        self.inputs.extend_from_slice(inputs);
+        self.outputs.extend_from_slice(outputs);
+    }
+
+    pub(crate) fn verify(
+        &self,
+        seed: [u8; 32],
+        sender_inputs: &[Share<F>],
+    ) -> Result<(), TapeVerificationError> {
+        let mut rng = ChaCha20Rng::from_seed(seed);
+
+        if sender_inputs.len() != self.inputs.len() {
+            return Err(TapeVerificationError::IncorrectLength(
+                self.inputs.len(),
+                sender_inputs.len(),
+            ));
+        }
+
+        for ((sender_input, receiver_input), receiver_output) in
+            sender_inputs.iter().zip(&self.inputs).zip(&self.outputs)
+        {
+            if sender_input.ty() != receiver_input.ty() {
+                return Err(TapeVerificationError::IncorrectShareType);
+            }
+
+            // We now replay the conversion internally
+            let (_, expected_summands) = sender_input.convert(&mut rng);
+
+            let expected_share = sender_input.ty().other().new_from_summands(
+                &receiver_input
+                    .binary_encoding()
+                    .iter()
+                    .zip(expected_summands)
+                    .map(
+                        |(choice, summand)| {
+                            if *choice {
+                                summand[1]
+                            } else {
+                                summand[0]
+                            }
+                        },
+                    )
+                    .collect::<Vec<_>>(),
+            );
+
+            // Now we check if the outputs match
+            if expected_share.to_inner() != receiver_output.to_inner() {
+                return Err(TapeVerificationError::IncorrectShareValue);
+            }
+        }
+
+        Ok(())
+    }
+}
diff --git a/crates/mpz-share-conversion/tests/converter.rs b/crates/mpz-share-conversion/tests/converter.rs
new file mode 100644
index 00000000..6c8239f1
--- /dev/null
+++ b/crates/mpz-share-conversion/tests/converter.rs
@@ -0,0 +1,67 @@
+use std::marker::PhantomData;
+
+use rstest::*;
+
+use mpz_ot::ideal::{ideal_ot_shared_pair, IdealSharedOTReceiver, IdealSharedOTSender};
+use mpz_share_conversion::{
+    AdditiveToMultiplicative, ConverterReceiver, ConverterSender, Field, Gf2_128,
+    MultiplicativeToAdditive, OTReceiveElement, OTSendElement, ReceiverConfig, SenderConfig,
+    ShareConversionReveal, ShareConversionVerify, P256,
+};
+use utils_aio::duplex::MemoryDuplex;
+
+use rand::SeedableRng;
+use rand_chacha::ChaCha12Rng;
+
+#[rstest]
+#[case::gf2(PhantomData::<Gf2_128>)]
+#[case::p256(PhantomData::<P256>)]
+#[tokio::test]
+async fn test_converter<T: Field>(#[case] _pd: PhantomData<T>)
+where
+    IdealSharedOTSender: OTSendElement<T>,
+    IdealSharedOTReceiver: OTReceiveElement<T>,
+{
+    let mut rng = ChaCha12Rng::seed_from_u64(0);
+
+    let (ot_sender, ot_receiver) = ideal_ot_shared_pair();
+    let (sender_channel, receiver_channel) = MemoryDuplex::new();
+
+    let mut sender = ConverterSender::<T, _>::new(
+        SenderConfig::builder().id("test").record().build().unwrap(),
+        ot_sender,
+        Box::new(sender_channel),
+    );
+
+    let mut receiver = ConverterReceiver::<T, _>::new(
+        ReceiverConfig::builder()
+            .id("test")
+            .record()
+            .build()
+            .unwrap(),
+        ot_receiver,
+        Box::new(receiver_channel),
+    );
+
+    let sender_handle = sender.handle().unwrap();
+    let receiver_handle = receiver.handle().unwrap();
+
+    let a = T::rand(&mut rng);
+    let b = T::rand(&mut rng);
+
+    let (x, y) = tokio::join!(
+        async { sender_handle.to_multiplicative(vec![a]).await.unwrap()[0] },
+        async { receiver_handle.to_multiplicative(vec![b]).await.unwrap()[0] }
+    );
+
+    assert_eq!(a + b, x * y);
+
+    let (x, y) = tokio::join!(
+        async { sender_handle.to_additive(vec![a]).await.unwrap()[0] },
+        async { receiver_handle.to_additive(vec![b]).await.unwrap()[0] }
+    );
+
+    assert_eq!(a * b, x + y);
+
+    tokio::try_join!(sender.reveal(), receiver.verify()).unwrap();
+}