website/research/a2m_and_m2a.typ

#set page(paper: "a4")
#set par(justify: true)

= M2A
OT sender and receiver want to get an *additive* sharing $(y, overline(b))$ from a
*multiplicative* sharing $(x, a)$. So the sender starts with $x$ and ends up with
$y$ and the receiver starts with $a$ and ends up with $overline(b)$.

They compute $y=a x + b arrow.l.r.double y - b = a x arrow.l.r.double y +
overline(b) = a x$ in $n$ OTs, where $n$ is given by the bitsize of the field
elements $y, x, a, b$. The receiver's inputs for every $i$-th OT are $x_i$ and
his output is $y_i$. The sender's inputs are a linear combination of $a$ and
$b_i$ and he outputs $b_i$.

== Compute $y = a x + b$

#align(center)[
  #box[$P_R$ #v(4em)]
  #box[$x_i$ #line(length: 2cm) #v(3em) $y_i$ #line(length: 2cm) #v(1em)]
  #box[#square(size: 8em)[#v(3em) $"OT"_i$]]
  #box[$k_i = (b_i, a+b_i)$ #line(length: 2.5cm) #v(3em) $b_i$ #line(length: 2.5cm) #v(1em)]
  #box[$P_S$ #v(4em)]
]

=== *The OT sender $P_S$:*
+ Sample $n$ random field elements $b_i arrow.l \$$ so that $b = sum_(i = 0)^n 2^i b_i$
+ In each $i$-th OT: Send $k_i = (b_i, a + b_i)$ to $P_R$
+ Compute and output $overline(b) = - b = - sum_(i = 0)^n 2^i b_i$

=== *The OT receiver $P_R$:*
+ Bit-decomposes $x = sum_(i = 0)^n 2^i x_i$
+ In each $i$-th OT: Depending on the bit of $x_i$ he receives $y_i =
k_i^x_i$, which is
  - $k_i^0 = b_i$ if $x_i = 0$
  - $k_i^1 = a + b_i$ if $x_i = 1$
+ Compute and output $y = sum_(i = 0)^n 2^i k_i = a x + b$

== Correctness Check
+ Repeat the whole M2A protocol for the same $x$ but with random $a_2, b_2$. We
  now label $a_1 := a$ and $b_1 := b$, which are the original values from the
  previously executed M2A protocol
+ $P_R$ sends $2$ random field elements $chi_1, chi_2$ to $P_S$
+ $P_S$ computes $a^* = chi_1 a_1 + chi_2 a_2$ and $b^* = chi_1 b_1 + chi_2 b_2$
  and sends them to $P_R$.
+ $P_R$ checks that $ chi_1 y_1 + chi_2 y_2 = a^* x + b^*$ 

= A2M
OT sender and receiver want to get a *multiplicative* sharing $(y, overline(b))$
from an *additive* sharing $(x, a)$. So the sender starts with $x$ and ends up
with $y$ and the receiver starts with $a$ and ends up with $overline(b)$.

They compute $y=(a + x) b arrow.l.r.double y  b^(-1) = a + x arrow.l.r.double y 
overline(b) = a + x$ in $n$ OTs, where $n$ is given by the bitsize of the field
elements $y, x, a, b$. The receiver's inputs for every $i$-th OT are $x_i$ and
his output is $y_i$. The sender's inputs are a linear combination of $a_i$ and
$b$ including a mask $m_i$ and he outputs $b$.

== Compute $y = (a + x) b$

#align(center)[
  #box[$P_R$ #v(4em)]
  #box[$x_i$ #line(length: 2cm) #v(3em) $y_i$ #line(length: 2cm) #v(1em)]
  #box[#square(size: 8em)[#v(3em) *OT*]]
  #box[$k_i = (a_i b + m_i, (a_i + 1) b + m_i)$ #line(length: 5cm) #v(3em) $b$ #line(length: 5cm) #v(1em)]
  #box[$P_S$ #v(4em)]
]


=== *The OT sender $P_S$:*
+ Sample a random field element $b arrow.l \$$
+ Sample $n$ random field elements $m_i arrow.l \$$, with $sum_(i = 0)^n 2^i m_i = 0$
+ Bit-decomposes $a = sum_(i = 0)^n 2^i a_i$
+ In each $i$-th OT: Send $k_i = (a_i b + m_i, (a_i + 1) b + m_i)$ to $P_R$
+ Compute and output $overline(b) = b^(-1)$

=== *The OT receiver $P_R$:*
+ Bit-decomposes $x = sum_(i = 0)^n 2^i x_i$
+ In each $i$-th OT: Depending on the bit of $x_i$ he receives $y_i =
k_i^x_i$, which is
  - $k_i^0 = a_i b + m_i$ if $x_i = 0$
  - $k_i^1 = (a_i + 1) b + m_i$ if $x_i = 1$
+ Compute and output $y = sum_(i = 0)^n 2^i k_i = (a + x) b$

== Correctness Check
+ Repeat the whole A2M protocol for the same $x$ but with random $a_2, b_2$. We
  now label $a_1 := a$ and $b_1 := b$, which are the original values from the
  previously executed A2M protocol
+ $P_R$ sends $2$ random field elements $chi_1, chi_2$ to $P_S$
+ $P_S$ computes $z^* = chi_1 a_1 b_1 + chi_2 a_2 b_2$ and $b^* = chi_1 b_1 + chi_2 b_2$
  and sends them to $P_R$.
+ $P_R$ checks that $ chi_1 y_1 + chi_2 y_2 = b^* x + z^*$