> [!CAUTION]
> This is research software and not intended for production use cases.
The `cryprot` crates implement several cryptographic protocols and the utilities needed for their implementation. The current focus is on oblivious transfer (OT) implementations.
Crate | Description |
---|---|
`cryprot-core` | Core utilities such as a 128-bit block. |
`cryprot-net` | Networking abstractions built atop s2n-quic. |
`cryprot-pprf` | Distributed PPRF implementation used in Silent OT [BCG+19], based on libOTe. |
`cryprot-codes` | Expand-convolute linear code [RRT23], based on libOTe, used in Silent OT. |
`cryprot-ot` | Oblivious transfer implementations: Base OT: "Simplest OT" [CO15]; OT extension: [IKNP03]; Malicious OT extension: [KOS15]; Silent OT extension: [BCG+19] Silent OT using the [RRT23] code and an optional [YWL+20] consistency check for malicious security. |
All crates' test suites are run on GitHub's `ubuntu-latest`, `windows-latest` and `macos-latest` (aarch64 ARM architecture) runners. Other platforms might work but are not tested.
Performance is optimized for x86_64 Linux systems with AVX2 instructions available and transparent huge page support. The protocols will work on the other supported platforms but might exhibit lower performance.
To enable all target features your CPU offers, compile with the `RUSTFLAGS="-C target-cpu=native"` environment variable set (not needed when cloning the repo, as it is specified in `.cargo/config.toml`).
We continuously run the benchmark suite in CI, with the results publicly available on bencher.dev. The raw criterion output, including throughput, is available in the logs of the bench workflow (latest run > benchmarks job > Run Benchmarks step).
Benchmarks can be run locally using `cargo bench` (note that on a laptop, thermal throttling might lead to unreliable results).
Following are benchmark numbers for several OT protocols on a 4-core VM running on an AMD EPYC 9454P. For up-to-date benchmarks, view the links in the benchmarks section. Each OT sender/receiver uses one worker thread and as many background threads for communication as there are cores (communication is by default also encrypted as part of QUIC).
Benchmark | Mean Throughput (million OT/s) |
---|---|
Semi-honest R-OT ext. (2^24 R-OTs) | 51.539 |
Malicious R-OT ext. (2^24 R-OTs) | 33.663 |
Semi-Honest Silent C-OT ext. (2^21 C-OTs) | 4.2306 |
Semi-Honest Silent R-OT ext. (2^21 R-OTs) | 9.5426 |
Malicious Silent R-OT ext. (2^21 R-OTs) | 7.4180 |
Silent OT will perform faster for smaller numbers of OTs at slightly increased communication.
Our OT implementations should be on par with or faster than those in libOTe. In the future we want to benchmark libOTe on the same hardware for a fair comparison.
Base OT Benchmark:
Benchmark | Mean Time (ms) |
---|---|
128 base R-OTs | 28.001 |
`unsafe` is used in `cryprot-codes` and `cryprot-core` for performance reasons, most importantly to use SIMD intrinsics. The test suites of those two crates are additionally run using miri to check for undefined behavior.
We try to use constant-time operations when operating on secret data and make use of subtle's `Choice` type. However, we may have missed non-constant-time operations on sensitive data, and subtle's `Choice` provides no guarantee of constant-timeness. We provide no guarantee regarding constant-time behavior.