Add 'usenix-artifact/cpir-read/' from commit 'b49e8544ab3404ee1194e7760b84a86a0f5f228f'

git-subtree-dir: usenix-artifact/cpir-read
git-subtree-mainline: b6172fc381ed6dbadac2ff1fb30b8f70c6a6e60c
git-subtree-split: b49e8544ab3404ee1194e7760b84a86a0f5f228f

cpir-read/.gitignore

@@ -0,0 +1,2 @@
+/Cargo.lock
+/target

cpir-read/Cargo.toml

@@ -0,0 +1,38 @@
+[package]
+name = "spiral-spir"
+version = "0.1.0"
+authors = ["Ian Goldberg <iang@uwaterloo.ca>"]
+edition = "2021"
+
+# See more keys and their definitions at https://doc.rust-lang.org/cargo/reference/manifest.html
+
+[dependencies]
+aes = "0.8"
+# curve25519-dalek needs this older version of rand
+rand07 = { package = "rand", version = "0.7" }
+# but Spiral needs this newer version
+rand = "0.8"
+curve25519-dalek = { package = "curve25519-dalek-ng", version = "3", default-features = false, features = ["serde", "std"] }
+lazy_static = "1"
+sha2 = "0.9"
+subtle = { package = "subtle-ng", version = "2.4" }
+spiral-rs = { git = "https://github.com/menonsamir/spiral-rs/", rev = "176e396d" }
+rayon = "1.5"
+bincode = "1"
+serde = "1"
+serde_with = "2"
+rand_chacha = "0.3"
+
+[lib]
+crate_type = ["lib", "staticlib"]
+path = "src/lib.rs"
+
+[[bin]]
+name = "spiral-spir"
+path = "src/main.rs"
+
+[features]
+default = ["u64_backend"]
+u32_backend = ["curve25519-dalek/u32_backend"]
+u64_backend = ["curve25519-dalek/u64_backend"]
+simd_backend = ["curve25519-dalek/simd_backend"]

cpir-read/README.md

@@ -0,0 +1,148 @@
+# Symmetric Private Information Retrieval (SPIR) built on Spiral
+
+*Ian Goldberg (iang@uwaterloo.ca), July 2022*
+
+Last update August 2022
+
+This code implements Symmetric Private Information Retrieval, building
+on the Spiral PIR library (this code is not written by the Spiral
+authors).
+
+Spiral is a recent single-server (computational) PIR system from 2022:
+
+  * Samir Jordan Menon, David J. Wu,
+"Spiral: Fast, High-Rate Single-Server PIR via FHE Composition".
+IEEE Symposium on Security and Privacy, 2022.
+eprint:
+[https://eprint.iacr.org/2022/368](https://eprint.iacr.org/2022/368),
+code:
+[https://github.com/menonsamir/spiral-rs](https://github.com/menonsamir/spiral-rs)
+
+In ordinary PIR, the client learns the database record they were looking for, and the server does not learn which record that was.  The client is _not_ prevented, however, from learning _additional_ database records.  Downloading the whole database, for example, can be seen as a trivial form of PIR (though one that transfers way too much data, except for tiny databases).
+
+In Symmetric PIR (SPIR), the client must learn only one database record, in addition to the server learning no information about which record that was.  SPIR is similar to oblivious transfer (OT), except that SPIR aims to have sublinear communication (at no time is something the size of the whole database downloaded), while OT does not have that restriction.
+
+This code builds SPIR from ordinary PIR (using Spiral), using a strategy based on that of Naor and Pinkas:
+
+  * Moni Naor and Benny Pinkas, "Oblivious Transfer and Polynomial Evaluation".
+STOC 1999.  paper: [https://dl.acm.org/doi/10.1145/301250.301312](https://dl.acm.org/doi/10.1145/301250.301312)
+
+The general strategy is this (for a database with N=2^r records):
+
+  1. Server: Encrypt each record of the database with a unique key
+  2. Client: Use 1-of-N OT to retrieve exactly one key
+  3. Client: Privately download the encrypted record and decrypt it with the key retrieved above
+
+In the Naor and Pinkas paper, step 3 was just trivial download of the whole encrypted database, but we use Sprial to privately retrieve the encrypted record of interest.  Note, however, that the client will typically learn additional nearby records as well, which is why we need to encrypt each record separately.
+
+The 1-of-N OT is built from r 1-of-2 OTs in the same manner as in the Naor and Pinkas paper: the server picks r pairs of random keys, and the client chooses one key from each pair, according to the bits of the desired query index value.  Then each database entry is encrypted with the combination of keys associated with its index.
+
+The Naor and Pinkas paper uses this for its encryption, where F is a pseudorandom function (PRF) family:
+
+   Enc[j] = Db[j] XOR F\_{K_1,j1}(j) XOR F\_{K_2,j2}(j) XOR ... XOR F\_{K_r,jr}(j)
+
+where j1,j2,...,jr are the bits of j, as j ranges from 0 to N-1.
+
+We instead use:
+
+   Ktot = K_1,j1 XOR K_2,k2 XOR ... XOR K_r,kr
+
+   Enc[j] = Db[j] XOR F\_{Ktot}(j)
+
+That is, Naor and Pinkas XOR the _outputs_ of the PRF, whereas we XOR the _keys_.  This requires a slightly stronger assumption on the PRF family (for example, that the functions with different keys are independent, even if the keys have some known XOR relation), but we're going to use AES for F, so that should be fine.
+
+For the 1-of-2 OT protocol, we base it on the simple one from the 1989 paper of Bellare and Micali:
+
+  * Mihir Bellare and Silvio Micali, "Non-Interactive Oblivious Transfer and Applications".  CRYPTO 1989.  paper: [https://cseweb.ucsd.edu/~mihir/papers/niot.pdf](https://cseweb.ucsd.edu/~mihir/papers/niot.pdf)
+
+We slightly optimize the protocol in that instead of the client sending both β0 and β1 to the server, and the server checking that their sum (in elliptic curve terms) is C, the client just sends β0 and the server computes β1 = C-β0.  In addition, the server sends back the two keys ElGamal-encrypted to the keys β0 and β1, where the client can know the private key for at most one of them.  Bellare and Micali's paper does this as (s0\*G, H(s0\*β0) XOR K0, s1\*G, H(s1\*β1) XOR K1), whereas we use the slightly more efficient (s\*G, H(s\*β0) XOR K0, H(s\*β1) XOR K1).
+
+## Running the code
+
+In the August 2022 version, this code is now built as a Rust library
+that can be called from Rust or from C++.
+
+To build the Rust library and a Rust test program:
+
+`RUSTFLAGS="-C target-cpu=native" cargo build --release`
+
+To build the C++ library that wraps the Rust library and a C++ test program:
+
+`make -C cxx`
+
+To run the Rust test program:
+
+`./target/release/spiral-spir 20 4 100 2`
+
+To run the C++ test program:
+
+`./cxx/spir_test 20 4 100 2`
+
+Here:
+
+  * `20` is the value of r (that is, the database will have N=2^20 entries)
+  * `4` is the number of threads to use (defaults to 1)
+  * `100` is the number of SPIR queries to prepare in the preprocessing
+    step; there is only one round trip from the client to the server
+    regardless of this number, but the message and response are larger
+    (defaults to 1)
+  * `2` is the number of SPIR queries to do, one at a time. Must be at
+    most the number of preprocessed queries, and defaults to that
+    number
+  
+Each entry is 8 bytes.  There are three phases of execution: a one-time Spiral public key generation (this only has to be done once, regardless of how many SPIR queries you do), a preprocessing phase per SPIR query (this can be done _before_ knowing the contents of the database on the server side, or the desired index on the client side, as as above, the preprocessing for all of the SPIR queries are all done in a single round trip), and the runtime phase per SPIR query (once the contents of the database and the desired index are known).
+
+A sample output (for r=20, 4 threads, 100 preprocessed SPIR queries, 2
+SPIR queries performed):
+
+```
+===== ONE-TIME SETUP =====
+
+One-time setup: 201893 µs
+pub_params len = 10878976
+
+===== PREPROCESSING =====
+
+num_preproc = 100
+Preprocessing client: 76869 µs
+preproc_msg len = 3342408
+Preprocessing server: 53409 µs
+preproc_resp len = 128808
+Preprocessing client finish: 26688 µs
+
+===== SPIR QUERY 1 =====
+
+Query client: 107 µs
+query_msg len = 8
+expansion (took 99798 us).
+Query server: 411422 µs
+query_resp len = 14336
+Query client finish: 832 µs
+idx = 778275; entry = 7783750778395
+
+===== SPIR QUERY 2 =====
+
+Query client: 73 µs
+query_msg len = 8
+expansion (took 90281 us).
+Query server: 406014 µs
+query_resp len = 14336
+Query client finish: 810 µs
+idx = 675158; entry = 6752580675278
+```
+
+The various lines show the amount of wall-clock time taken for various
+parts of the computation and the amount of data transferred between the
+client and the server.  The last line of each SPIR query shows the
+random index that was looked up, and the database value the client
+retrieved.  The value for index i should be (10000001\*(i+100)+20).
+
+## Using the C++ library yourself
+
+Build the C++ library as above:
+
+`make -C cxx`
+
+Then `cxx/spir.hpp` and `cxx/libspir_cxx.a` are the files you'll need.
+\#include the former in your code, and link your program with the latter
+as well as `-lpthread -ldl`.

cpir-read/cxx/Makefile

@@ -0,0 +1,14 @@
+CXXFLAGS = -O3 -Wall
+
+spir_test: spir_test.o libspir_cxx.a
+	g++ -o $@ $^ -lpthread -ldl
+
+libspir_cxx.a: spir.o ../target/release/libspiral_spir.a
+	cp ../target/release/libspiral_spir.a $@
+	ar r $@ $<
+
+../target/release/libspiral_spir.a: $(wildcard ../src/*.rs)
+	RUSTFLAGS="-C target-cpu=native" cargo build --release
+
+clean:
+	-rm -f libspir_cxx.a spir.o spir_test.o spir_test

cpir-read/cxx/spir.cpp

@@ -0,0 +1,79 @@
+#include <stdio.h>
+#include "spir.hpp"
+#include "spir_ffi.h"
+
+void SPIR::init(uint32_t num_threads)
+{
+    spir_init(num_threads);
+}
+
+SPIR_Client::SPIR_Client(uint8_t r, string &pub_params)
+{
+    ClientNewRet ret = spir_client_new(r);
+    pub_params.assign(ret.pub_params.data, ret.pub_params.len);
+    spir_vecdata_free(ret.pub_params);
+    this->client = ret.client;
+}
+
+SPIR_Client::~SPIR_Client()
+{
+    spir_client_free(this->client);
+}
+
+string SPIR_Client::preproc(uint32_t num_preproc)
+{
+    VecData msg = spir_client_preproc(this->client, num_preproc);
+    string ret(msg.data, msg.len);
+    spir_vecdata_free(msg);
+    return ret;
+}
+
+void SPIR_Client::preproc_finish(const string &server_preproc)
+{
+    spir_client_preproc_finish(this->client, server_preproc.data(),
+        server_preproc.length());
+}
+
+string SPIR_Client::query(size_t idx)
+{
+    VecData msg = spir_client_query(this->client, idx);
+    string ret(msg.data, msg.len);
+    spir_vecdata_free(msg);
+    return ret;
+}
+
+SPIR::DBEntry SPIR_Client::query_finish(const string &server_resp)
+{
+    return spir_client_query_finish(this->client,
+        server_resp.data(), server_resp.length());
+}
+
+SPIR_Server::SPIR_Server(uint8_t r, const string &pub_params)
+{
+    this->server = spir_server_new(r, pub_params.data(),
+        pub_params.length());
+}
+
+SPIR_Server::~SPIR_Server()
+{
+    spir_server_free(this->server);
+}
+
+string SPIR_Server::preproc_process(const string &msg)
+{
+    VecData retmsg = spir_server_preproc_process(this->server, msg.data(),
+        msg.length());
+    string ret(retmsg.data, retmsg.len);
+    spir_vecdata_free(retmsg);
+    return ret;
+}
+
+string SPIR_Server::query_process(const string &client_query,
+        const SPIR::DBEntry *db, size_t rot, SPIR::DBEntry blind)
+{
+    VecData retmsg = spir_server_query_process(this->server,
+        client_query.data(), client_query.length(), db, rot, blind);
+    string ret(retmsg.data, retmsg.len);
+    spir_vecdata_free(retmsg);
+    return ret;
+}

cpir-read/cxx/spir.hpp

@@ -0,0 +1,64 @@
+#ifndef __SPIR_HPP__
+#define __SPIR_HPP__
+
+#include <string>
+#include <stdint.h>
+
+using std::string;
+
+class SPIR {
+public:
+    typedef uint64_t DBEntry;  // The type of each DB entry (64 bits)
+
+    static void init(uint32_t nthreads);  // Call this once at startup
+};
+
+class SPIR_Client {
+public:
+    // constructor and destructor
+    SPIR_Client(uint8_t r, string &pub_params); // 2^r records in the database; pub_params will be _filled in_
+    ~SPIR_Client();
+
+    // preprocessing
+    string preproc(uint32_t num_pirs); // returns the string to send to the server
+
+    void preproc_finish(const string &server_preproc);
+
+    // SPIR query for index idx
+    string query(size_t idx); // returns the string to send to the server
+
+    // process the server's response to yield the server's db[(idx + rot)%N] + blind
+    // where N=2^r, idx is provided by the client above, and
+    // db, rot, and blind are provided by the server below
+    SPIR::DBEntry query_finish(const string &server_reply);
+
+private:
+    void *client;
+    SPIR_Client() = default;
+    SPIR_Client(const SPIR_Client&) = delete;
+    SPIR_Client& operator=(const SPIR_Client&) = delete;
+};
+
+class SPIR_Server {
+public:
+    // constructor and destructor
+    SPIR_Server(uint8_t r, const string &client_pub_params);
+    ~SPIR_Server();
+
+    // preprocessing
+    string preproc_process(const string &client_preproc); // returns the string to reply to the client
+  
+    // SPIR query on the given database of N=2^r records, each of type DBEntry
+    // rotate the database by rot, and blind each entry in the database additively with blind
+    // returns the string to reply to the client
+    string query_process(const string &client_query, const SPIR::DBEntry *db,
+        size_t rot, SPIR::DBEntry blind);
+
+private:
+    void *server;
+    SPIR_Server() = default;
+    SPIR_Server(const SPIR_Server&) = delete;
+    SPIR_Server& operator=(const SPIR_Server&) = delete;
+};
+
+#endif

cpir-read/cxx/spir_ffi.h

@@ -0,0 +1,57 @@
+#ifndef __SPIR_FFI_H__
+#define __SPIR_FFI_H__
+
+#include <stdint.h>
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef size_t DBEntry;
+
+typedef struct {
+    const char *data;
+    size_t len;
+    size_t capacity;
+} VecData;
+
+typedef struct {
+    void *client;
+    VecData pub_params;
+} ClientNewRet;
+
+extern void spir_init(uint32_t num_threads);
+
+extern ClientNewRet spir_client_new(uint8_t r);
+
+extern void spir_client_free(void *client);
+
+extern VecData spir_client_preproc(void *client, uint32_t num_preproc);
+
+extern void spir_client_preproc_finish(void *client,
+    const char *msgdata, size_t msglen);
+
+extern VecData spir_client_query(void *client, size_t idx);
+
+extern DBEntry spir_client_query_finish(void *client,
+    const char *msgdata, size_t msglen);
+
+extern void* spir_server_new(uint8_t r, const char *pub_params,
+    size_t pub_params_len);
+
+extern void spir_server_free(void *server);
+
+extern VecData spir_server_preproc_process(void *server,
+    const char *msgdata, size_t msglen);
+
+extern VecData spir_server_query_process(void *server,
+    const char *msgdata, size_t msglen, const DBEntry *db,
+    size_t rot, DBEntry blind);
+
+extern void spir_vecdata_free(VecData vecdata);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif

cpir-read/cxx/spir_test.cpp

@@ -0,0 +1,126 @@
+#include <iostream>
+#include <stdlib.h>
+#include <sys/random.h>
+#include <sys/time.h>
+#include <unistd.h>
+#include "spir.hpp"
+
+using std::cout;
+using std::cerr;
+
+static inline size_t elapsed_us(const struct timeval *start)
+{
+    struct timeval end;
+    gettimeofday(&end, NULL);
+    return (end.tv_sec-start->tv_sec)*1000000 + end.tv_usec - start->tv_usec;
+}
+
+int main(int argc, char **argv)
+{
+    if (argc < 2 || argc > 5) {
+        cerr << "Usage: " << argv[0] << " r [num_threads [num_preproc [num_pirs]]]\n";
+        cerr << "r = log_2(num_records)\n";
+        exit(1);
+    }
+    uint32_t r, num_threads = 1, num_preproc = 1, num_pirs = 1;
+    r = strtoul(argv[1], NULL, 10);
+    size_t num_records = ((size_t) 1)<<r;
+    size_t num_records_mask = num_records - 1;
+    if (argc > 2) {
+        num_threads = strtoul(argv[2], NULL, 10);
+    }
+    if (argc > 3) {
+        num_preproc = strtoul(argv[3], NULL, 10);
+    }
+    if (argc > 4) {
+        num_pirs = strtoul(argv[4], NULL, 10);
+    } else {
+        num_pirs = num_preproc;
+    }
+
+    cout << "===== ONE-TIME SETUP =====\n\n";
+
+    struct timeval otsetup_start;
+    gettimeofday(&otsetup_start, NULL);
+
+    SPIR::init(num_threads);
+    string pub_params;
+    SPIR_Client client(r, pub_params);
+    SPIR_Server server(r, pub_params);
+
+    size_t otsetup_us = elapsed_us(&otsetup_start);
+    cout << "One-time setup: " << otsetup_us << " µs\n";
+    cout << "pub_params len = " << pub_params.length() << "\n";
+
+    cout << "\n===== PREPROCESSING =====\n\n";
+
+    cout << "num_preproc = " << num_preproc << "\n";
+
+    struct timeval preproc_client_start;
+    gettimeofday(&preproc_client_start, NULL);
+
+    string preproc_msg = client.preproc(num_preproc);
+    size_t preproc_client_us = elapsed_us(&preproc_client_start);
+    cout << "Preprocessing client: " << preproc_client_us << " µs\n";
+    cout << "preproc_msg len = " << preproc_msg.length() << "\n";
+
+    struct timeval preproc_server_start;
+    gettimeofday(&preproc_server_start, NULL);
+
+    string preproc_resp = server.preproc_process(preproc_msg);
+    size_t preproc_server_us = elapsed_us(&preproc_server_start);
+    cout << "Preprocessing server: " << preproc_server_us << " µs\n";
+    cout << "preproc_resp len = " << preproc_resp.length() << "\n";
+
+    struct timeval preproc_finish_start;
+    gettimeofday(&preproc_finish_start, NULL);
+
+    client.preproc_finish(preproc_resp);
+    size_t preproc_finish_us = elapsed_us(&preproc_finish_start);
+    cout << "Preprocessing client finish: " << preproc_finish_us << " µs\n";
+
+    // Create the database
+    SPIR::DBEntry *db = new SPIR::DBEntry[num_records];
+    for (size_t i=0; i<num_records; ++i) {
+        db[i] = i * 10000001;
+    }
+
+    for (size_t i=0; i<num_pirs; ++i) {
+        cout << "\n===== SPIR QUERY " << i+1 << " =====\n\n";
+
+        size_t idx;
+        if (getrandom(&idx, sizeof(idx), 0) != sizeof(idx)) {
+            cerr << "Failure in getrandom\n";
+            exit(1);
+        }
+        idx &= num_records_mask;
+
+        struct timeval query_client_start;
+        gettimeofday(&query_client_start, NULL);
+
+        string query_msg = client.query(idx);
+        size_t query_client_us = elapsed_us(&query_client_start);
+        cout << "Query client: " << query_client_us << " µs\n";
+        cout << "query_msg len = " << query_msg.length() << "\n";
+
+        struct timeval query_server_start;
+        gettimeofday(&query_server_start, NULL);
+
+        string query_resp = server.query_process(query_msg, db, 100, 20);
+        size_t query_server_us = elapsed_us(&query_server_start);
+        cout << "Query server: " << query_server_us << " µs\n";
+        cout << "query_resp len = " << query_resp.length() << "\n";
+
+        struct timeval query_finish_start;
+        gettimeofday(&query_finish_start, NULL);
+
+        SPIR::DBEntry entry = client.query_finish(query_resp);
+        size_t query_finish_us = elapsed_us(&query_finish_start);
+        cout << "Query client finish: " << query_finish_us << " µs\n";
+        cout << "idx = " << idx << "; entry = " << entry << "\n";
+    }
+
+    delete[] db;
+
+    return 0;
+}

cpir-read/src/client.rs

@@ -0,0 +1,298 @@
+use rand::RngCore;
+
+use std::collections::VecDeque;
+use std::mem;
+use std::os::raw::c_uchar;
+use std::sync::mpsc::*;
+use std::thread::*;
+
+use aes::Block;
+
+use rayon::prelude::*;
+
+use subtle::Choice;
+
+use curve25519_dalek::scalar::Scalar;
+
+use crate::dbentry_decrypt;
+use crate::ot::*;
+use crate::params;
+use crate::to_vecdata;
+use crate::DbEntry;
+use crate::PreProcSingleMsg;
+use crate::PreProcSingleRespMsg;
+use crate::VecData;
+
+enum Command {
+    PreProc(usize),
+    PreProcFinish(Vec<PreProcSingleRespMsg>),
+    Query(usize),
+    QueryFinish(Vec<u8>),
+}
+
+enum Response {
+    PubParams(Vec<u8>),
+    PreProcMsg(Vec<u8>),
+    PreProcDone,
+    QueryMsg(Vec<u8>),
+    QueryDone(DbEntry),
+}
+
+// The internal client state for a single outstanding preprocess query
+struct PreProcOutSingleState {
+    rand_idx: usize,
+    ot_state: Vec<(Choice, Scalar)>,
+}
+
+// The internal client state for a single preprocess ready to be used
+struct PreProcSingleState {
+    rand_idx: usize,
+    ot_key: Block,
+}
+
+pub struct Client {
+    incoming_cmd: SyncSender<Command>,
+    outgoing_resp: Receiver<Response>,
+}
+
+impl Client {
+    pub fn new(r: usize) -> (Self, Vec<u8>) {
+        let (incoming_cmd, incoming_cmd_recv) = sync_channel(0);
+        let (outgoing_resp_send, outgoing_resp) = sync_channel(0);
+        spawn(move || {
+            let spiral_params = params::get_spiral_params(r);
+            let mut spiral_client = spiral_rs::client::Client::init(&spiral_params);
+            let num_records = 1 << r;
+            let num_records_mask = num_records - 1;
+            let spiral_blocking_factor = spiral_params.db_item_size / mem::size_of::<DbEntry>();
+
+            // The first communication is the pub_params
+            let pub_params = spiral_client.generate_keys().serialize();
+            outgoing_resp_send
+                .send(Response::PubParams(pub_params))
+                .unwrap();
+
+            // State for outstanding preprocessing queries
+            let mut preproc_out_state: Vec<PreProcOutSingleState> = Vec::new();
+
+            // State for preprocessing queries ready to be used
+            let mut preproc_state: VecDeque<PreProcSingleState> = VecDeque::new();
+
+            // State for outstanding active queries
+            let mut query_state: VecDeque<PreProcSingleState> = VecDeque::new();
+
+            // Wait for commands
+            loop {
+                match incoming_cmd_recv.recv() {
+                    Err(_) => break,
+                    Ok(Command::PreProc(num_preproc)) => {
+                        // Ensure we don't already have outstanding
+                        // preprocessing state
+                        assert!(preproc_out_state.is_empty());
+                        let mut preproc_msg: Vec<PreProcSingleMsg> = Vec::new();
+                        (0..num_preproc)
+                        .into_par_iter()
+                        .map(|_| {
+                            let mut rng = rand::thread_rng();
+                            let rand_idx = (rng.next_u64() as usize) & num_records_mask;
+                            let rand_pir_idx = rand_idx / spiral_blocking_factor;
+                            let spc_query = spiral_client.generate_query(rand_pir_idx).serialize();
+                            let (ot_state, ot_query) = otkey_request(rand_idx, r);
+                            (PreProcOutSingleState { rand_idx, ot_state },
+                            PreProcSingleMsg {
+                                ot_query,
+                                spc_query,
+                            })
+                        })
+                        .unzip_into_vecs(&mut preproc_out_state, &mut preproc_msg);
+                        let ret: Vec<u8> = bincode::serialize(&preproc_msg).unwrap();
+                        outgoing_resp_send.send(Response::PreProcMsg(ret)).unwrap();
+                    }
+                    Ok(Command::PreProcFinish(srvresp)) => {
+                        let num_preproc = srvresp.len();
+                        assert!(preproc_out_state.len() == num_preproc);
+                        let mut newstate: VecDeque<PreProcSingleState> = preproc_out_state
+                            .into_par_iter()
+                            .zip(srvresp)
+                            .map(|(c, s)| {
+                                let ot_key = otkey_receive(c.ot_state, &s.ot_resp);
+                                PreProcSingleState {
+                                    rand_idx: c.rand_idx,
+                                    ot_key,
+                                }
+                            })
+                            .collect();
+                        preproc_state.append(&mut newstate);
+                        preproc_out_state = Vec::new();
+                        outgoing_resp_send.send(Response::PreProcDone).unwrap();
+                    }
+                    Ok(Command::Query(idx)) => {
+                        // panic if there are no preproc states
+                        // available
+                        let nextstate = preproc_state.pop_front().unwrap();
+                        let offset = (num_records + idx - nextstate.rand_idx) & num_records_mask;
+                        let mut querymsg: Vec<u8> = Vec::new();
+                        querymsg.extend(offset.to_le_bytes());
+                        query_state.push_back(nextstate);
+                        outgoing_resp_send
+                            .send(Response::QueryMsg(querymsg))
+                            .unwrap();
+                    }
+                    Ok(Command::QueryFinish(msg)) => {
+                        // panic if there is no outstanding state
+                        let nextstate = query_state.pop_front().unwrap();
+                        let encdbblock = spiral_client.decode_response(msg.as_slice());
+                        // Extract the one encrypted DbEntry we were
+                        // looking for (and the only one we are able to
+                        // decrypt)
+                        let entry_in_block = nextstate.rand_idx % spiral_blocking_factor;
+                        let loc_in_block = entry_in_block * mem::size_of::<DbEntry>();
+                        let loc_in_block_end = (entry_in_block + 1) * mem::size_of::<DbEntry>();
+                        let encdbentry = DbEntry::from_le_bytes(
+                            encdbblock[loc_in_block..loc_in_block_end]
+                                .try_into()
+                                .unwrap(),
+                        );
+                        let decdbentry =
+                            dbentry_decrypt(&nextstate.ot_key, nextstate.rand_idx, encdbentry);
+                        outgoing_resp_send
+                            .send(Response::QueryDone(decdbentry))
+                            .unwrap();
+                    }
+                    // When adding new messages, the following line is
+                    // useful during development
+                    // _ => panic!("Received something unexpected in client loop"),
+                }
+            }
+        });
+        let pub_params = match outgoing_resp.recv() {
+            Ok(Response::PubParams(x)) => x,
+            _ => panic!("Received something unexpected in client new"),
+        };
+
+        (
+            Client {
+                incoming_cmd,
+                outgoing_resp,
+            },
+            pub_params,
+        )
+    }
+
+    pub fn preproc(&self, num_preproc: usize) -> Vec<u8> {
+        self.incoming_cmd
+            .send(Command::PreProc(num_preproc))
+            .unwrap();
+        match self.outgoing_resp.recv() {
+            Ok(Response::PreProcMsg(x)) => x,
+            _ => panic!("Received something unexpected in preproc"),
+        }
+    }
+
+    pub fn preproc_finish(&self, msg: &[u8]) {
+        self.incoming_cmd
+            .send(Command::PreProcFinish(bincode::deserialize(msg).unwrap()))
+            .unwrap();
+        match self.outgoing_resp.recv() {
+            Ok(Response::PreProcDone) => (),
+            _ => panic!("Received something unexpected in preproc_finish"),
+        }
+    }
+
+    pub fn query(&self, idx: usize) -> Vec<u8> {
+        self.incoming_cmd.send(Command::Query(idx)).unwrap();
+        match self.outgoing_resp.recv() {
+            Ok(Response::QueryMsg(x)) => x,
+            _ => panic!("Received something unexpected in preproc"),
+        }
+    }
+
+    pub fn query_finish(&self, msg: &[u8]) -> DbEntry {
+        self.incoming_cmd
+            .send(Command::QueryFinish(msg.to_vec()))
+            .unwrap();
+        match self.outgoing_resp.recv() {
+            Ok(Response::QueryDone(entry)) => entry,
+            _ => panic!("Received something unexpected in preproc_finish"),
+        }
+    }
+}
+
+#[repr(C)]
+pub struct ClientNewRet {
+    client: *mut Client,
+    pub_params: VecData,
+}
+
+#[no_mangle]
+pub extern "C" fn spir_client_new(r: u8) -> ClientNewRet {
+    let (client, pub_params) = Client::new(r as usize);
+    ClientNewRet {
+        client: Box::into_raw(Box::new(client)),
+        pub_params: to_vecdata(pub_params),
+    }
+}
+
+#[no_mangle]
+pub extern "C" fn spir_client_free(client: *mut Client) {
+    if client.is_null() {
+        return;
+    }
+    unsafe {
+        Box::from_raw(client);
+    }
+}
+
+#[no_mangle]
+pub extern "C" fn spir_client_preproc(clientptr: *mut Client, num_preproc: u32) -> VecData {
+    let client = unsafe {
+        assert!(!clientptr.is_null());
+        &mut *clientptr
+    };
+    let retvec = client.preproc(num_preproc as usize);
+    to_vecdata(retvec)
+}
+
+#[no_mangle]
+pub extern "C" fn spir_client_preproc_finish(
+    clientptr: *mut Client,
+    msgdata: *const c_uchar,
+    msglen: usize,
+) {
+    let client = unsafe {
+        assert!(!clientptr.is_null());
+        &mut *clientptr
+    };
+    let msg_slice = unsafe {
+        assert!(!msgdata.is_null());
+        std::slice::from_raw_parts(msgdata, msglen)
+    };
+    client.preproc_finish(msg_slice);
+}
+
+#[no_mangle]
+pub extern "C" fn spir_client_query(clientptr: *mut Client, idx: usize) -> VecData {
+    let client = unsafe {
+        assert!(!clientptr.is_null());
+        &mut *clientptr
+    };
+    let retvec = client.query(idx);
+    to_vecdata(retvec)
+}
+
+#[no_mangle]
+pub extern "C" fn spir_client_query_finish(
+    clientptr: *mut Client,
+    msgdata: *const c_uchar,
+    msglen: usize,
+) -> DbEntry {
+    let client = unsafe {
+        assert!(!clientptr.is_null());
+        &mut *clientptr
+    };
+    let msg_slice = unsafe {
+        assert!(!msgdata.is_null());
+        std::slice::from_raw_parts(msgdata, msglen)
+    };
+    client.query_finish(msg_slice)
+}

cpir-read/src/lib.rs

@@ -0,0 +1,167 @@
+pub mod client;
+mod ot;
+mod params;
+pub mod server;
+mod spiral_mt;
+
+use aes::cipher::{BlockEncrypt, KeyInit};
+use aes::Aes128Enc;
+use aes::Block;
+use std::mem;
+
+use serde::{Deserialize, Serialize};
+
+use std::os::raw::c_uchar;
+
+use rayon::scope;
+use rayon::ThreadPoolBuilder;
+
+use serde_with::serde_as;
+
+use spiral_rs::params::*;
+
+use crate::ot::{otkey_init, xor16};
+use crate::spiral_mt::*;
+
+pub type DbEntry = u64;
+
+// Encrypt a database of 2^r elements, where each element is a DbEntry,
+// using the 2*r provided keys (r pairs of keys).  Also rotate the
+// database by rot positions, and add the provided blinding factor to
+// each element before encryption (the same blinding factor for all
+// elements).  Each element is encrypted in AES counter mode, with the
+// counter being the element number and the key computed as the XOR of r
+// of the provided keys, one from each pair, according to the bits of
+// the element number.  Outputs a byte vector containing the encrypted
+// database.
+fn db_encrypt(
+    db: &[DbEntry],
+    keys: &[[u8; 16]],
+    r: usize,
+    rot: usize,
+    blind: DbEntry,
+    num_threads: usize,
+) -> Vec<u8> {
+    let num_records: usize = 1 << r;
+    let num_record_mask: usize = num_records - 1;
+    let mut ret = vec![0; num_records * mem::size_of::<DbEntry>()];
+    scope(|s| {
+        let mut record_thread_start = 0usize;
+        let records_per_thread_base = num_records / num_threads;
+        let records_per_thread_extra = num_records % num_threads;
+        let mut retslice = ret.as_mut_slice();
+        for thr in 0..num_threads {
+            let records_this_thread =
+                records_per_thread_base + if thr < records_per_thread_extra { 1 } else { 0 };
+            let record_thread_end = record_thread_start + records_this_thread;
+            let (thread_ret, retslice_) =
+                retslice.split_at_mut(records_this_thread * mem::size_of::<DbEntry>());
+            retslice = retslice_;
+            s.spawn(move |_| {
+                let mut offset = 0usize;
+                for j in record_thread_start..record_thread_end {
+                    let rec = (j + rot) & num_record_mask;
+                    let mut key = Block::from([0u8; 16]);
+                    for i in 0..r {
+                        let bit = if (j & (1 << i)) == 0 { 0 } else { 1 };
+                        xor16(&mut key, &keys[2 * i + bit]);
+                    }
+                    let aes = Aes128Enc::new(&key);
+                    let mut block = Block::from([0u8; 16]);
+                    block[0..8].copy_from_slice(&j.to_le_bytes());
+                    aes.encrypt_block(&mut block);
+                    let aeskeystream = DbEntry::from_le_bytes(block[0..8].try_into().unwrap());
+                    let encelem = (db[rec].wrapping_add(blind)) ^ aeskeystream;
+                    thread_ret[offset..offset + mem::size_of::<DbEntry>()]
+                        .copy_from_slice(&encelem.to_le_bytes());
+                    offset += mem::size_of::<DbEntry>();
+                }
+            });
+            record_thread_start = record_thread_end;
+        }
+    });
+    ret
+}
+
+// Having received the key for element q with r parallel 1-out-of-2 OTs,
+// and having received the encrypted element with (non-symmetric) PIR,
+// use the key to decrypt the element.
+fn dbentry_decrypt(key: &Block, q: usize, encelement: DbEntry) -> DbEntry {
+    let aes = Aes128Enc::new(key);
+    let mut block = Block::from([0u8; 16]);
+    block[0..8].copy_from_slice(&q.to_le_bytes());
+    aes.encrypt_block(&mut block);
+    let aeskeystream = DbEntry::from_le_bytes(block[0..8].try_into().unwrap());
+    encelement ^ aeskeystream
+}
+
+// Things that are only done once total, not once for each SPIR
+pub fn init(num_threads: usize) {
+    otkey_init();
+
+    // Initialize the thread pool
+    ThreadPoolBuilder::new()
+        .num_threads(num_threads)
+        .build_global()
+        .unwrap();
+}
+
+pub fn print_params_summary(params: &Params) {
+    let db_elem_size = params.item_size();
+    let total_size = params.num_items() * db_elem_size;
+    println!(
+        "Using a {} x {} byte database ({} bytes total)",
+        params.num_items(),
+        db_elem_size,
+        total_size
+    );
+}
+
+// The message format for a single preprocess query
+#[derive(Serialize, Deserialize)]
+struct PreProcSingleMsg {
+    ot_query: Vec<[u8; 32]>,
+    spc_query: Vec<u8>,
+}
+
+// The message format for a single preprocess response
+#[serde_as]
+#[derive(Serialize, Deserialize)]
+struct PreProcSingleRespMsg {
+    #[serde_as(as = "Vec<[_; 64]>")]
+    ot_resp: Vec<[u8; 64]>,
+}
+
+#[no_mangle]
+pub extern "C" fn spir_init(num_threads: u32) {
+    init(num_threads as usize);
+}
+
+#[repr(C)]
+pub struct VecData {
+    data: *const c_uchar,
+    len: usize,
+    cap: usize,
+}
+
+#[repr(C)]
+pub struct VecMutData {
+    data: *mut c_uchar,
+    len: usize,
+    cap: usize,
+}
+
+pub fn to_vecdata(v: Vec<u8>) -> VecData {
+    let vecdata = VecData {
+        data: v.as_ptr(),
+        len: v.len(),
+        cap: v.capacity(),
+    };
+    std::mem::forget(v);
+    vecdata
+}
+
+#[no_mangle]
+pub extern "C" fn spir_vecdata_free(vecdata: VecMutData) {
+    unsafe { Vec::from_raw_parts(vecdata.data, vecdata.len, vecdata.cap) };
+}

cpir-read/src/main.rs

@@ -0,0 +1,107 @@
+use std::env;
+use std::time::Instant;
+
+use rand::RngCore;
+
+use spiral_spir::client::Client;
+use spiral_spir::init;
+use spiral_spir::server::Server;
+use spiral_spir::DbEntry;
+
+fn main() {
+    let args: Vec<String> = env::args().collect();
+    if args.len() < 2 || args.len() > 5 {
+        println!(
+            "Usage: {} r [num_threads [num_preproc [num_pirs]]]\nr = log_2(num_records)",
+            args[0]
+        );
+        return;
+    }
+    let r: usize = args[1].parse().unwrap();
+    let mut num_threads = 1usize;
+    let mut num_preproc = 1usize;
+    let num_pirs: usize;
+    if args.len() > 2 {
+        num_threads = args[2].parse().unwrap();
+    }
+    if args.len() > 3 {
+        num_preproc = args[3].parse().unwrap();
+    }
+    if args.len() > 4 {
+        num_pirs = args[4].parse().unwrap();
+    } else {
+        num_pirs = num_preproc;
+    }
+    let num_records = 1 << r;
+    let num_records_mask = num_records - 1;
+
+    println!("===== ONE-TIME SETUP =====\n");
+
+    let otsetup_start = Instant::now();
+
+    init(num_threads);
+    let (client, pub_params) = Client::new(r);
+    let pub_params_len = pub_params.len();
+    let server = Server::new(r, pub_params);
+
+    let otsetup_us = otsetup_start.elapsed().as_micros();
+    println!("One-time setup: {} µs", otsetup_us);
+    println!("pub_params len = {}", pub_params_len);
+
+    println!("\n===== PREPROCESSING =====\n");
+
+    println!("num_preproc = {}", num_preproc);
+
+    let preproc_client_start = Instant::now();
+    let preproc_msg = client.preproc(num_preproc);
+    let preproc_client_us = preproc_client_start.elapsed().as_micros();
+
+    println!("Preprocessing client: {} µs", preproc_client_us);
+    println!("preproc_msg len = {}", preproc_msg.len());
+
+    let preproc_server_start = Instant::now();
+    let preproc_resp = server.preproc_process(&preproc_msg);
+    let preproc_server_us = preproc_server_start.elapsed().as_micros();
+
+    println!("Preprocessing server: {} µs", preproc_server_us);
+    println!("preproc_resp len = {}", preproc_resp.len());
+
+    let preproc_finish_start = Instant::now();
+    client.preproc_finish(&preproc_resp);
+    let preproc_finish_us = preproc_finish_start.elapsed().as_micros();
+
+    println!("Preprocessing client finish: {} µs", preproc_finish_us);
+
+    // Create a database with recognizable contents
+    let db: Vec<DbEntry> = ((0 as DbEntry)..(num_records as DbEntry))
+        .map(|x| 10000001 * x)
+        .collect();
+    let dbptr = db.as_ptr();
+
+    let mut rng = rand::thread_rng();
+    for i in 1..num_pirs + 1 {
+        println!("\n===== SPIR QUERY {} =====\n", i);
+
+        let idx = (rng.next_u64() as usize) & num_records_mask;
+        let query_client_start = Instant::now();
+        let query_msg = client.query(idx);
+        let query_client_us = query_client_start.elapsed().as_micros();
+
+        println!("Query client: {} µs", query_client_us);
+        println!("query_msg len = {}", query_msg.len());
+
+        let query_server_start = Instant::now();
+        let query_resp = server.query_process(&query_msg, dbptr, 100, 20);
+        let query_server_us = query_server_start.elapsed().as_micros();
+
+        println!("Query server: {} µs", query_server_us);
+        println!("query_resp len = {}", query_resp.len());
+
+        let query_finish_start = Instant::now();
+        let entry = client.query_finish(&query_resp);
+        let query_finish_us = query_finish_start.elapsed().as_micros();
+
+        println!("Query client finish: {} µs", query_finish_us);
+        println!("idx = {}; entry = {}", idx, entry);
+    }
+}

cpir-read/src/ot.rs

@@ -0,0 +1,150 @@
+// We really want points to be capital letters and scalars to be
+// lowercase letters
+#![allow(non_snake_case)]
+
+// Oblivious transfer
+
+use subtle::Choice;
+use subtle::ConditionallySelectable;
+
+use aes::Block;
+
+use rand::RngCore;
+
+use sha2::Digest;
+use sha2::Sha256;
+use sha2::Sha512;
+
+use curve25519_dalek::constants as dalek_constants;
+use curve25519_dalek::ristretto::CompressedRistretto;
+use curve25519_dalek::ristretto::RistrettoBasepointTable;
+use curve25519_dalek::ristretto::RistrettoPoint;
+use curve25519_dalek::scalar::Scalar;
+
+use lazy_static::lazy_static;
+
+// Generators of the Ristretto group (the standard B and another one C,
+// for which the DL relationship is unknown), and their precomputed
+// multiplication tables.  Used for the Oblivious Transfer protocol
+lazy_static! {
+    pub static ref OT_B: RistrettoPoint = dalek_constants::RISTRETTO_BASEPOINT_POINT;
+    pub static ref OT_C: RistrettoPoint =
+        RistrettoPoint::hash_from_bytes::<Sha512>(b"OT Generator C");
+    pub static ref OT_B_TABLE: RistrettoBasepointTable = dalek_constants::RISTRETTO_BASEPOINT_TABLE;
+    pub static ref OT_C_TABLE: RistrettoBasepointTable = RistrettoBasepointTable::create(&OT_C);
+}
+
+// 1-out-of-2 Oblivious Transfer (OT)
+
+fn ot12_request(sel: Choice) -> ((Choice, Scalar), [u8; 32]) {
+    let Btable: &RistrettoBasepointTable = &OT_B_TABLE;
+    let C: &RistrettoPoint = &OT_C;
+    let mut rng = rand07::thread_rng();
+    let x = Scalar::random(&mut rng);
+    let xB = &x * Btable;
+    let CmxB = C - xB;
+    let P = RistrettoPoint::conditional_select(&xB, &CmxB, sel);
+    ((sel, x), P.compress().to_bytes())
+}
+
+fn ot12_serve(query: &[u8; 32], m0: &[u8; 16], m1: &[u8; 16]) -> [u8; 64] {
+    let Btable: &RistrettoBasepointTable = &OT_B_TABLE;
+    let Ctable: &RistrettoBasepointTable = &OT_C_TABLE;
+    let mut rng = rand07::thread_rng();
+    let y = Scalar::random(&mut rng);
+    let yB = &y * Btable;
+    let yC = &y * Ctable;
+    let P = CompressedRistretto::from_slice(query).decompress().unwrap();
+    let yP0 = y * P;
+    let yP1 = yC - yP0;
+    let mut HyP0 = Sha256::digest(yP0.compress().as_bytes());
+    for i in 0..16 {
+        HyP0[i] ^= m0[i];
+    }
+    let mut HyP1 = Sha256::digest(yP1.compress().as_bytes());
+    for i in 0..16 {
+        HyP1[i] ^= m1[i];
+    }
+    let mut ret = [0u8; 64];
+    ret[0..32].copy_from_slice(yB.compress().as_bytes());
+    ret[32..48].copy_from_slice(&HyP0[0..16]);
+    ret[48..64].copy_from_slice(&HyP1[0..16]);
+    ret
+}
+
+fn ot12_receive(state: (Choice, Scalar), response: &[u8; 64]) -> [u8; 16] {
+    let yB = CompressedRistretto::from_slice(&response[0..32])
+        .decompress()
+        .unwrap();
+    let yP = state.1 * yB;
+    let mut HyP = Sha256::digest(yP.compress().as_bytes());
+    for i in 0..16 {
+        HyP[i] ^= u8::conditional_select(&response[32 + i], &response[48 + i], state.0);
+    }
+    HyP[0..16].try_into().unwrap()
+}
+
+// Obliviously fetch the key for element q of the database (which has
+// 2^r elements total).  Each bit of q is used in a 1-out-of-2 OT to get
+// one of the keys in each of the r pairs of keys on the server side.
+// The resulting r keys are XORed together.
+
+pub fn otkey_init() {
+    // Resolve the lazy statics
+    let _B: &RistrettoPoint = &OT_B;
+    let _Btable: &RistrettoBasepointTable = &OT_B_TABLE;
+    let _C: &RistrettoPoint = &OT_C;
+    let _Ctable: &RistrettoBasepointTable = &OT_C_TABLE;
+}
+
+pub fn otkey_request(q: usize, r: usize) -> (Vec<(Choice, Scalar)>, Vec<[u8; 32]>) {
+    let mut state: Vec<(Choice, Scalar)> = Vec::with_capacity(r);
+    let mut query: Vec<[u8; 32]> = Vec::with_capacity(r);
+    for i in 0..r {
+        let bit = ((q >> i) & 1) as u8;
+        let (si, qi) = ot12_request(bit.into());
+        state.push(si);
+        query.push(qi);
+    }
+    (state, query)
+}
+
+pub fn otkey_serve(query: Vec<[u8; 32]>, keys: &Vec<[u8; 16]>) -> Vec<[u8; 64]> {
+    let r = query.len();
+    assert!(keys.len() == 2 * r);
+    let mut response: Vec<[u8; 64]> = Vec::with_capacity(r);
+    for i in 0..r {
+        response.push(ot12_serve(&query[i], &keys[2 * i], &keys[2 * i + 1]));
+    }
+    response
+}
+
+// XOR a 16-byte slice into a Block (which will be used as an AES key)
+pub fn xor16(outar: &mut Block, inar: &[u8; 16]) {
+    for i in 0..16 {
+        outar[i] ^= inar[i];
+    }
+}
+
+pub fn otkey_receive(state: Vec<(Choice, Scalar)>, response: &Vec<[u8; 64]>) -> Block {
+    let r = state.len();
+    assert!(response.len() == r);
+    let mut key = Block::from([0u8; 16]);
+    for i in 0..r {
+        xor16(&mut key, &ot12_receive(state[i], &response[i]));
+    }
+    key
+}
+
+// Generate the keys for encrypting the database
+pub fn gen_db_enc_keys(r: usize) -> Vec<[u8; 16]> {
+    let mut keys: Vec<[u8; 16]> = Vec::new();
+
+    let mut rng = rand::thread_rng();
+    for _ in 0..2 * r {
+        let mut k: [u8; 16] = [0; 16];
+        rng.fill_bytes(&mut k);
+        keys.push(k);
+    }
+    keys
+}

cpir-read/src/params.rs

@@ -0,0 +1,298 @@
+use spiral_rs::params::*;
+use spiral_rs::util::*;
+
+// Get the Spiral params for a database of 2^r 8-byte entries.  These
+// params are taken from spiral's params_store.json file, but adjusted
+// for 8-byte entries.
+
+pub fn get_spiral_params(r: usize) -> Params {
+    let json = match r {
+        15 => {
+            r#"{
+      "n": 2,
+      "nu_1": 6,
+      "nu_2": 4,
+      "p": 4,
+      "q2_bits": 13,
+      "t_gsw": 4,
+      "t_conv": 4,
+      "t_exp_left": 4,
+      "t_exp_right": 56,
+      "instances": 1,
+      "db_item_size": 256
+    }"#
+        }
+        16 => {
+            r#"{
+      "n": 2,
+      "nu_1": 6,
+      "nu_2": 4,
+      "p": 4,
+      "q2_bits": 13,
+      "t_gsw": 4,
+      "t_conv": 4,
+      "t_exp_left": 4,
+      "t_exp_right": 56,
+      "instances": 1,
+      "db_item_size": 512
+    }"#
+        }
+        17 => {
+            r#"{
+      "n": 2,
+      "nu_1": 6,
+      "nu_2": 4,
+      "p": 4,
+      "q2_bits": 13,
+      "t_gsw": 4,
+      "t_conv": 4,
+      "t_exp_left": 4,
+      "t_exp_right": 56,
+      "instances": 1,
+      "db_item_size": 1024
+    }"#
+        }
+        18 => {
+            r#"{
+      "n": 2,
+      "nu_1": 6,
+      "nu_2": 4,
+      "p": 4,
+      "q2_bits": 13,
+      "t_gsw": 4,
+      "t_conv": 4,
+      "t_exp_left": 4,
+      "t_exp_right": 56,
+      "instances": 1,
+      "db_item_size": 2048
+    }"#
+        }
+        19 => {
+            r#"{
+      "n": 2,
+      "nu_1": 7,
+      "nu_2": 4,
+      "p": 4,
+      "q2_bits": 13,
+      "t_gsw": 4,
+      "t_conv": 32,
+      "t_exp_left": 4,
+      "t_exp_right": 56,
+      "instances": 1,
+      "db_item_size": 2048
+    }"#
+        }
+        20 => {
+            r#"{
+      "n": 2,
+      "nu_1": 7,
+      "nu_2": 4,
+      "p": 16,
+      "q2_bits": 16,
+      "t_gsw": 4,
+      "t_conv": 4,
+      "t_exp_left": 4,
+      "t_exp_right": 56,
+      "instances": 1,
+      "db_item_size": 4096
+    }"#
+        }
+        21 => {
+            r#"{
+      "n": 2,
+      "nu_1": 7,
+      "nu_2": 5,
+      "p": 16,
+      "q2_bits": 16,
+      "t_gsw": 5,
+      "t_conv": 4,
+      "t_exp_left": 4,
+      "t_exp_right": 56,
+      "instances": 1,
+      "db_item_size": 4096
+    }"#
+        }
+        22 => {
+            r#"{
+      "n": 2,
+      "nu_1": 8,
+      "nu_2": 5,
+      "p": 16,
+      "q2_bits": 16,
+      "t_gsw": 5,
+      "t_conv": 4,
+      "t_exp_left": 4,
+      "t_exp_right": 56,
+      "instances": 1,
+      "db_item_size": 4096
+    }"#
+        }
+        23 => {
+            r#"{
+      "n": 2,
+      "nu_1": 8,
+      "nu_2": 6,
+      "p": 16,
+      "q2_bits": 16,
+      "t_gsw": 5,
+      "t_conv": 4,
+      "t_exp_left": 4,
+      "t_exp_right": 56,
+      "instances": 1,
+      "db_item_size": 4096
+    }"#
+        }
+        24 => {
+            r#"{
+      "n": 2,
+      "nu_1": 8,
+      "nu_2": 6,
+      "p": 256,
+      "q2_bits": 20,
+      "t_gsw": 8,
+      "t_conv": 4,
+      "t_exp_left": 8,
+      "t_exp_right": 56,
+      "instances": 1,
+      "db_item_size": 8192
+    }"#
+        }
+        25 => {
+            r#"{
+      "n": 2,
+      "nu_1": 9,
+      "nu_2": 6,
+      "p": 256,
+      "q2_bits": 20,
+      "t_gsw": 8,
+      "t_conv": 4,
+      "t_exp_left": 8,
+      "t_exp_right": 56,
+      "instances": 1,
+      "db_item_size": 8192
+    }"#
+        }
+        26 => {
+            r#"{
+      "n": 2,
+      "nu_1": 9,
+      "nu_2": 7,
+      "p": 256,
+      "q2_bits": 20,
+      "t_gsw": 8,
+      "t_conv": 4,
+      "t_exp_left": 8,
+      "t_exp_right": 56,
+      "instances": 1,
+      "db_item_size": 8192
+    }"#
+        }
+        27 => {
+            r#"{
+      "n": 2,
+      "nu_1": 9,
+      "nu_2": 8,
+      "p": 256,
+      "q2_bits": 20,
+      "t_gsw": 8,
+      "t_conv": 4,
+      "t_exp_left": 8,
+      "t_exp_right": 56,
+      "instances": 1,
+      "db_item_size": 8192
+    }"#
+        }
+        28 => {
+            r#"{
+      "n": 2,
+      "nu_1": 10,
+      "nu_2": 8,
+      "p": 256,
+      "q2_bits": 20,
+      "t_gsw": 8,
+      "t_conv": 4,
+      "t_exp_left": 16,
+      "t_exp_right": 56,
+      "instances": 1,
+      "db_item_size": 8192
+    }"#
+        }
+        29 => {
+            r#"{
+      "n": 2,
+      "nu_1": 10,
+      "nu_2": 9,
+      "p": 256,
+      "q2_bits": 23,
+      "t_gsw": 9,
+      "t_conv": 4,
+      "t_exp_left": 16,
+      "t_exp_right": 56,
+      "instances": 1,
+      "db_item_size": 8192
+    }"#
+        }
+        30 => {
+            r#"{
+      "n": 4,
+      "nu_1": 10,
+      "nu_2": 8,
+      "p": 256,
+      "q2_bits": 20,
+      "t_gsw": 8,
+      "t_conv": 4,
+      "t_exp_left": 16,
+      "t_exp_right": 56,
+      "instances": 1,
+      "db_item_size": 32768
+    }"#
+        }
+        31 => {
+            r#"{
+      "n": 8,
+      "nu_1": 10,
+      "nu_2": 8,
+      "p": 256,
+      "q2_bits": 20,
+      "t_gsw": 8,
+      "t_conv": 4,
+      "t_exp_left": 16,
+      "t_exp_right": 56,
+      "instances": 1,
+      "db_item_size": 65536
+    }"#
+        }
+        32 => {
+            r#"{
+      "n": 8,
+      "nu_1": 10,
+      "nu_2": 9,
+      "p": 256,
+      "q2_bits": 20,
+      "t_gsw": 10,
+      "t_conv": 32,
+      "t_exp_left": 16,
+      "t_exp_right": 56,
+      "instances": 1,
+      "db_item_size": 65536
+    }"#
+        }
+        33 => {
+            r#"{
+      "n": 8,
+      "nu_1": 10,
+      "nu_2": 10,
+      "p": 256,
+      "q2_bits": 20,
+      "t_gsw": 10,
+      "t_conv": 32,
+      "t_exp_left": 16,
+      "t_exp_right": 56,
+      "instances": 1,
+      "db_item_size": 65536
+    }"#
+        }
+        _ => panic!(),
+    };
+    params_from_json(json)
+}

cpir-read/src/server.rs

@@ -0,0 +1,222 @@
+use std::collections::VecDeque;
+use std::os::raw::c_uchar;
+use std::sync::mpsc::*;
+use std::thread::*;
+
+use rayon::prelude::*;
+
+use spiral_rs::client::PublicParameters;
+use spiral_rs::client::Query;
+use spiral_rs::server::process_query;
+
+use crate::db_encrypt;
+use crate::load_db_from_slice_mt;
+use crate::ot::*;
+use crate::params;
+use crate::to_vecdata;
+use crate::DbEntry;
+use crate::PreProcSingleMsg;
+use crate::PreProcSingleRespMsg;
+use crate::VecData;
+
+enum Command {
+    PreProcMsg(Vec<PreProcSingleMsg>),
+    QueryMsg(usize, usize, usize, DbEntry),
+}
+
+enum Response {
+    PreProcResp(Vec<u8>),
+    QueryResp(Vec<u8>),
+}
+
+// The internal client state for a single preprocess query
+struct PreProcSingleState<'a> {
+    db_keys: Vec<[u8; 16]>,
+    query: Query<'a>,
+}
+
+pub struct Server {
+    incoming_cmd: SyncSender<Command>,
+    outgoing_resp: Receiver<Response>,
+}
+
+impl Server {
+    pub fn new(r: usize, pub_params: Vec<u8>) -> Self {
+        let (incoming_cmd, incoming_cmd_recv) = sync_channel(0);
+        let (outgoing_resp_send, outgoing_resp) = sync_channel(0);
+        spawn(move || {
+            let spiral_params = params::get_spiral_params(r);
+            let pub_params = PublicParameters::deserialize(&spiral_params, &pub_params);
+            let num_records = 1 << r;
+            let num_records_mask = num_records - 1;
+
+            // State for preprocessing queries
+            let mut preproc_state: VecDeque<PreProcSingleState> = VecDeque::new();
+
+            // Wait for commands
+            loop {
+                match incoming_cmd_recv.recv() {
+                    Err(_) => break,
+                    Ok(Command::PreProcMsg(cliquery)) => {
+                        let num_preproc = cliquery.len();
+                        let mut resp_state: Vec<PreProcSingleState> =
+                            Vec::with_capacity(num_preproc);
+                        let mut resp_msg: Vec<PreProcSingleRespMsg> =
+                            Vec::with_capacity(num_preproc);
+                        cliquery
+                            .into_par_iter()
+                            .map(|q| {
+                                let db_keys = gen_db_enc_keys(r);
+                                let query = Query::deserialize(&spiral_params, &q.spc_query);
+                                let ot_resp = otkey_serve(q.ot_query, &db_keys);
+                                (
+                                    PreProcSingleState { db_keys, query },
+                                    PreProcSingleRespMsg { ot_resp },
+                                )
+                            })
+                            .unzip_into_vecs(&mut resp_state, &mut resp_msg);
+                        preproc_state.append(&mut VecDeque::from(resp_state));
+                        let ret: Vec<u8> = bincode::serialize(&resp_msg).unwrap();
+                        outgoing_resp_send.send(Response::PreProcResp(ret)).unwrap();
+                    }
+                    Ok(Command::QueryMsg(offset, db, rot, blind)) => {
+                        // Panic if there's no preprocess state
+                        // available
+                        let nextstate = preproc_state.pop_front().unwrap();
+                        // Encrypt the database with the keys, rotating
+                        // and blinding in the process.  It is safe to
+                        // construct a slice out of the const pointer we
+                        // were handed because that pointer will stay
+                        // valid until we return something back to the
+                        // caller.
+                        let totoffset = (offset + rot) & num_records_mask;
+                        let num_threads = rayon::current_num_threads();
+                        let encdb = unsafe {
+                            let dbslice =
+                                std::slice::from_raw_parts(db as *const DbEntry, num_records);
+                            db_encrypt(
+                                dbslice,
+                                &nextstate.db_keys,
+                                r,
+                                totoffset,
+                                blind,
+                                num_threads,
+                            )
+                        };
+                        // Load the encrypted db into Spiral
+                        let sps_db = load_db_from_slice_mt(&spiral_params, &encdb, num_threads);
+                        // Process the query
+                        let resp = process_query(
+                            &spiral_params,
+                            &pub_params,
+                            &nextstate.query,
+                            sps_db.as_slice(),
+                        );
+                        outgoing_resp_send.send(Response::QueryResp(resp)).unwrap();
+                    }
+                    // When adding new messages, the following line is
+                    // useful during development
+                    // _ => panic!("Received something unexpected in server loop"),
+                }
+            }
+        });
+        Server {
+            incoming_cmd,
+            outgoing_resp,
+        }
+    }
+
+    pub fn preproc_process(&self, msg: &[u8]) -> Vec<u8> {
+        self.incoming_cmd
+            .send(Command::PreProcMsg(bincode::deserialize(msg).unwrap()))
+            .unwrap();
+        let ret = match self.outgoing_resp.recv() {
+            Ok(Response::PreProcResp(x)) => x,
+            _ => panic!("Received something unexpected in preproc_process"),
+        };
+        ret
+    }
+
+    pub fn query_process(
+        &self,
+        msg: &[u8],
+        db: *const DbEntry,
+        rot: usize,
+        blind: DbEntry,
+    ) -> Vec<u8> {
+        let offset = usize::from_le_bytes(msg.try_into().unwrap());
+        self.incoming_cmd
+            .send(Command::QueryMsg(offset, db as usize, rot, blind))
+            .unwrap();
+        let ret = match self.outgoing_resp.recv() {
+            Ok(Response::QueryResp(x)) => x,
+            _ => panic!("Received something unexpected in query_process"),
+        };
+        ret
+    }
+}
+
+#[no_mangle]
+pub extern "C" fn spir_server_new(
+    r: u8,
+    pub_params: *const c_uchar,
+    pub_params_len: usize,
+) -> *mut Server {
+    let pub_params_slice = unsafe {
+        assert!(!pub_params.is_null());
+        std::slice::from_raw_parts(pub_params, pub_params_len)
+    };
+    let mut pub_params_vec: Vec<u8> = Vec::new();
+    pub_params_vec.extend_from_slice(pub_params_slice);
+    let server = Server::new(r as usize, pub_params_vec);
+    Box::into_raw(Box::new(server))
+}
+
+#[no_mangle]
+pub extern "C" fn spir_server_free(server: *mut Server) {
+    if server.is_null() {
+        return;
+    }
+    unsafe {
+        Box::from_raw(server);
+    }
+}
+
+#[no_mangle]
+pub extern "C" fn spir_server_preproc_process(
+    serverptr: *mut Server,
+    msgdata: *const c_uchar,
+    msglen: usize,
+) -> VecData {
+    let server = unsafe {
+        assert!(!serverptr.is_null());
+        &mut *serverptr
+    };
+    let msg_slice = unsafe {
+        assert!(!msgdata.is_null());
+        std::slice::from_raw_parts(msgdata, msglen)
+    };
+    let retvec = server.preproc_process(msg_slice);
+    to_vecdata(retvec)
+}
+
+#[no_mangle]
+pub extern "C" fn spir_server_query_process(
+    serverptr: *mut Server,
+    msgdata: *const c_uchar,
+    msglen: usize,
+    db: *const DbEntry,
+    rot: usize,
+    blind: DbEntry,
+) -> VecData {
+    let server = unsafe {
+        assert!(!serverptr.is_null());
+        &mut *serverptr
+    };
+    let msg_slice = unsafe {
+        assert!(!msgdata.is_null());
+        std::slice::from_raw_parts(msgdata, msglen)
+    };
+    let retvec = server.query_process(msg_slice, db, rot, blind);
+    to_vecdata(retvec)
+}

cpir-read/src/spiral_mt.rs

@@ -0,0 +1,128 @@
+use spiral_rs::aligned_memory::*;
+use spiral_rs::arith::*;
+use spiral_rs::params::*;
+use spiral_rs::poly::*;
+use spiral_rs::server::*;
+use spiral_rs::util::*;
+
+use rayon::scope;
+
+pub fn load_item_from_slice<'a>(
+    params: &'a Params,
+    slice: &[u8],
+    instance: usize,
+    trial: usize,
+    item_idx: usize,
+) -> PolyMatrixRaw<'a> {
+    let db_item_size = params.db_item_size;
+    let instances = params.instances;
+    let trials = params.n * params.n;
+
+    let chunks = instances * trials;
+    let bytes_per_chunk = f64::ceil(db_item_size as f64 / chunks as f64) as usize;
+    let logp = f64::ceil(f64::log2(params.pt_modulus as f64)) as usize;
+    let modp_words_per_chunk = f64::ceil((bytes_per_chunk * 8) as f64 / logp as f64) as usize;
+    assert!(modp_words_per_chunk <= params.poly_len);
+
+    let idx_item_in_file = item_idx * db_item_size;
+    let idx_chunk = instance * trials + trial;
+    let idx_poly_in_file = idx_item_in_file + idx_chunk * bytes_per_chunk;
+
+    let mut out = PolyMatrixRaw::zero(params, 1, 1);
+
+    let modp_words_read = f64::ceil((bytes_per_chunk * 8) as f64 / logp as f64) as usize;
+    assert!(modp_words_read <= params.poly_len);
+
+    for i in 0..modp_words_read {
+        out.data[i] = read_arbitrary_bits(
+            &slice[idx_poly_in_file..idx_poly_in_file + bytes_per_chunk],
+            i * logp,
+            logp,
+        );
+        assert!(out.data[i] <= params.pt_modulus);
+    }
+
+    out
+}
+
+pub fn load_db_from_slice_mt(params: &Params, slice: &[u8], num_threads: usize) -> AlignedMemory64 {
+    let instances = params.instances;
+    let trials = params.n * params.n;
+    let dim0 = 1 << params.db_dim_1;
+    let num_per = 1 << params.db_dim_2;
+    let num_items = dim0 * num_per;
+    let db_size_words = instances * trials * num_items * params.poly_len;
+    let mut v: AlignedMemory64 = AlignedMemory64::new(db_size_words);
+
+    // Get a pointer to the memory pool of the AlignedMemory64.  We
+    // treat it as a usize explicitly so we can pass the same pointer to
+    // multiple threads, each of which will cast it to a *mut u64, in
+    // order to *write* into the memory pool concurrently. There is a
+    // caveat that the threads *must not* try to write into the same
+    // memory location.  In Spiral, each polynomial created from the
+    // database ends up scattered into noncontiguous words of memory,
+    // but any one word still only comes from one polynomial.  So with
+    // this mechanism, different threads can read different parts of the
+    // database to produce different polynomials, and write those
+    // polynomials into the same memory pool (but *not* the same memory
+    // locations) at the same time.
+
+    let vptrusize = unsafe { v.as_mut_ptr() as usize };
+
+    for instance in 0..instances {
+        for trial in 0..trials {
+            scope(|s| {
+                let mut item_thread_start = 0usize;
+                let items_per_thread_base = num_items / num_threads;
+                let items_per_thread_extra = num_items % num_threads;
+                for thr in 0..num_threads {
+                    let items_this_thread =
+                        items_per_thread_base + if thr < items_per_thread_extra { 1 } else { 0 };
+                    let item_thread_end = item_thread_start + items_this_thread;
+                    s.spawn(move |_| {
+                        let vptr = vptrusize as *mut u64;
+                        for i in item_thread_start..item_thread_end {
+                            // Swap the halves of the item index so that
+                            // the polynomials based on the items are
+                            // written to the AlignedMemory64 more
+                            // sequentially
+                            let ii = i / dim0;
+                            let j = i % dim0;
+                            let db_idx = j * num_per + ii;
+
+                            let mut db_item =
+                                load_item_from_slice(params, slice, instance, trial, db_idx);
+                            // db_item.reduce_mod(params.pt_modulus);
+
+                            for z in 0..params.poly_len {
+                                db_item.data[z] = recenter_mod(
+                                    db_item.data[z],
+                                    params.pt_modulus,
+                                    params.modulus,
+                                );
+                            }
+
+                            let db_item_ntt = db_item.ntt();
+                            for z in 0..params.poly_len {
+                                let idx_dst = calc_index(
+                                    &[instance, trial, z, ii, j],
+                                    &[instances, trials, params.poly_len, num_per, dim0],
+                                );
+
+                                unsafe {
+                                    vptr.add(idx_dst).write(
+                                        db_item_ntt.data[z]
+                                            | (db_item_ntt.data[params.poly_len + z]
+                                                << PACKED_OFFSET_2),
+                                    );
+                                }
+                            }
+                        }
+                    });
+                    item_thread_start = item_thread_end;
+                }
+            });
+        }
+    }
+    v
+}