(Vector) Oblivious Linear Evaluation: Basic Constructions and Applications
Peter Scholl
24 January 2022, Bar-Ilan Winter School

Slide 2: This talk
• What is it? OLE, (V)OLE and VOLE variants
• What's it good for? Correlated randomness, oblivious PRF
• How do you build it? Oblivious transfer, homomorphic encryption, active security
• Conclusion

Slide 5: Oblivious linear evaluation (OLE)
Alice inputs \(x \in \mathbb{Z}_q\); Bob inputs \(a, b \in \mathbb{Z}_q\). The OLE functionality gives Alice \(y = ax + b \in \mathbb{Z}_q\); Bob receives no output.

Slide 6: OLE is secret-shared multiplication
Alice inputs \(x \in \mathbb{Z}_q\); Bob inputs \(a \in \mathbb{Z}_q\) together with a random \(b \leftarrow \mathbb{Z}_q\). Alice receives \(y\) with \(y - b = ax\), so Alice's \(y\) and Bob's \(-b\) are an additive sharing of the product \(ax\).

Slide 7: Variants: random-OLE, vector-OLE
• OLE: \(x \in \mathbb{Z}_q\); \(a, b \in \mathbb{Z}_q\); output \(y = ax + b\).
• Random OLE ($-OLE): \(x \leftarrow \mathbb{Z}_q\) and \(a, b \leftarrow \mathbb{Z}_q\) are sampled by the functionality; output \(y = ax + b\).
• Vector OLE (VOLE): \(x \in \mathbb{Z}_q\); \(\vec{a}, \vec{b} \in \mathbb{Z}_q^n\); output \(\vec{y} = \vec{a}\,x + \vec{b}\).

Slide 8: A few basic observations
• \(n \times\) OLE \(\Rightarrow\) \(1 \times\) VOLE (unconditional, passive security), but not the other way round: VOLE is easier to build than \(n \times\) OLE.
• $-OLE \(\Rightarrow\) OLE (unconditional, send 3 \(\mathbb{Z}_q\) elements), so $-(V)OLE is enough.
• OLE \(\Rightarrow\) Oblivious Transfer (unconditional), so public-key crypto is necessary [IR 89].

Slide 9: Motivation: Secure Computation with Preprocessing [Beaver '91]
• Preprocessing phase: produces correlated randomness.
• Online phase on inputs \(x, y\): computes \(f(x, y)\); information-theoretic; cheap computation.

Slide 10: Example: multiplication triples from OLE
Alice holds \(x, x'\) and Bob holds \(a, a'\). Two $-OLEs give Alice \(y, y'\) and Bob \(b, b'\) with \(y - b = ax\) and \(y' - b' = a'x'\). Then
\((x + a')(x' + a) = xx' + aa' + ax + a'x'\),
so with \(u = x + a'\) and \(v = x' + a\) both parties hold additive shares of \(u\), \(v\) and \(w = u \cdot v\): a multiplication triple.

Slide 11: (V)OLE for correlated randomness
• Scalar/vector triples, matrix triples
  ○ Build from VOLE
• Multi-party correlations
  ○ From pairwise instances of (V)OLE
  ○ Other approaches: depth-1 homomorphic encryption [DPSZ 12]
• Authenticated secret shares
  ○ Use VOLE to generate information-theoretic MACs
  ○ Key part of SPDZ protocols [DPSZ 12, KOS 16, KPR 18, …]

Slide 14: Application: Oblivious Pseudorandom Functions
• PRF \(F\): key \(K \leftarrow \{0,1\}^\lambda\), bit \(b \leftarrow \{0,1\}\); the distinguisher queries \(x\) and receives \(y_0 = F(K, x)\) or \(y_1 = \$(x)\) (a random function), and must guess \(b\).
• Oblivious PRF: the client inputs \(x\) and learns \(F(K, x)\) under the server's key \(K\); \(F(K, y)\) remains pseudorandom for any \(y \neq x\).

Slide 16: Vector-OLE ⇒ Batch OPRF evaluation [BCGIKS 19]
• Sender samples \(s \leftarrow \mathbb{F}_p\); receiver inputs \(a_i \in \mathbb{F}_p\) and samples \(b_i \leftarrow \mathbb{F}_p\).
• VOLE gives the sender \(t_i = a_i s + b_i\).
• Keys \(K_i := (s, t_i)\); define \(F(K_i, a) := H(t_i - a s)\). The receiver outputs \(H(b_i) = F(K_i, a_i)\).
• Relaxed OPRF: related keys, leakage.
• Secure if \(H\) is a random oracle, or under a variant of correlation-robustness.

Slide 17: Random Vector-OLE ⇒ Batch OPRF evaluation
• $-VOLE with \(s \leftarrow \mathbb{F}_p\), \(r_i \leftarrow \mathbb{F}_p\), \(b_i \leftarrow \mathbb{F}_p\) gives the sender \(t'_i = r_i s + b_i\).
• Receiver sends \(d_i = a_i - r_i\); sender sets \(t_i = t'_i + d_i s\) (\(= a_i s + b_i\)).
• Keys \(K_i := (s, t_i)\); receiver outputs \(H(b_i)\).
• Optimal communication: 1 \(\mathbb{F}_p\) element per evaluation (given $-VOLE).

Slide 18: Applications of OPRF
• Random 1-out-of-\(q\) OT
  ○ Correlated randomness, e.g. masked truth tables [DKSSZZ 17]
• Password-authenticated key exchange, e.g. OPAQUE [JKX 18]
  ○ Batch OPRF seems less useful
• Private set intersection
  ○ Reducing use of public-key crypto [KKRT 16, KMPRT 17, …]
  ○ With polynomial-based encoding [GPRTY 21, Sec 7.1]
    ■ Simple protocol, communication: |input|

Slide 19: Constructing VOLE, "non-silently"

Slide 20: Taxonomy of VOLE protocols
• "Non-silent": from Oblivious Transfer (sender holds \(m_0, m_1\); receiver with choice bit \(b\) learns \(m_b\)) or from Homomorphic Encryption (Enc, Eval, Dec to obtain \(f(x)\)).
• "Silent": mostly based on LPN; require "seed" VOLEs to bootstrap.

Slide 21: (V)OLE from Oblivious Transfer [Gilboa 99]
Alice holds \(x \in \mathbb{Z}_q\), Bob holds \(a, b \in \mathbb{Z}_q\).
• Alice bit-decomposes \(x = \sum_i 2^i x_i\).
• Bob samples \(b_i \in \mathbb{Z}_q\) such that \(b = \sum_i 2^i b_i \bmod q\).
• For each \(i\): OT with Bob's messages \((b_i, b_i + a)\) and Alice's choice bit \(x_i\); Alice receives \(y_i = b_i + a x_i\).
• Alice outputs \(y = \sum_i 2^i y_i\), hence \(y = b + ax\).
• Repeat for VOLE [KOS 16].

Slide 22: (V)OLE from Oblivious Transfer [Gilboa 99]
• Perfectly secure
• Each output: \(m = \log q\) calls to OT on \(m\)-bit strings
  ○ Computational cost: cheap via OT extension [IKNP 03]
  ○ Communication: \(\geq m^2\) bits
• Active security?

Slide 23: (V)OLE from Oblivious Transfer: active security?
Same protocol, but in the first OT Bob uses \(a' \neq a\), i.e. messages \((b_1, b_1 + a')\). Alice's output \(y = \sum_i 2^i y_i\) becomes \(y + (a' - a)\,x_1\).

Slide 24: VOLE: lightweight correctness check
Alice holds \(x, y_i\); Bob holds \(a_i, b_i\). Goal: check that \(y_i = a_i x + b_i\) for all \(i\).
• Alice sends random challenges \(\chi_1, \dots, \chi_n \in \mathbb{Z}_p\).
• Bob sends \(a^* = \sum_i \chi_i a_i + a_{n+1}\) and \(b^* = \sum_i \chi_i b_i + b_{n+1}\).
• Alice computes \(y^* = \sum_i \chi_i y_i + y_{n+1}\) and checks \(y^* = a^* x + b^*\) (the \((n+1)\)-th VOLE output masks the opened sums).
Intuition: to pass the check when \(y_1\) is incorrect, Bob must guess \(\chi_1\); he succeeds with probability \(1/p\).

Slide 25: Problems with selective failure
• Recall: a corrupt Bob can induce the error \(y' = y + (a' - a)\,x_1\)
  ○ The error depends on the secret bit \(x_1\)!
  ○ Even if the VOLE passes the check, this leaks that \(x_1 = 0\)
• Solutions:
  ○ 1) Relaxed VOLE: allow small leakage on \(x\) [KOS 16], [WYKW 21]
  ○ 2) Privacy amplification via the leftover hash lemma [KOS 16]

Slide 26: (V)OLE from OT: Summary
• Simple protocol with lightweight computation
  ○ Leveraging fast OT extension techniques
• Expensive communication
  ○ At least \(m^2\) bits, where \(m = \log q\)
• Active security almost for free
  ○ If leakage on \(x\) is OK

Slide 27: VOLE from Homomorphic Encryption

Slide 28: Linearly homomorphic encryption
• PKE scheme (KeyGen, Enc, Dec) that encrypts vectors over \(\mathbb{Z}_q\). For \(\vec{a} \in \mathbb{Z}_q^n\), write \([\vec{a}] := \mathrm{Enc}_{pk}(\vec{a})\).
• Linear homomorphism: for \(\vec{c} \in \mathbb{Z}_q^n\) one can compute \([\vec{a}] + \vec{c}\) and \(\vec{c} \cdot [\vec{a}]\) such that
  ○ \(\mathrm{Dec}([\vec{a}] + \vec{c}) = \vec{a} + \vec{c}\)
  ○ \(\mathrm{Dec}(\vec{c} \cdot [\vec{a}]) = \vec{c} \cdot \vec{a}\) (component-wise product)

Slide 29: Examples of Linearly Homomorphic Encryption (more on Wednesday!)
• Paillier encryption: each ciphertext encrypts a \(\mathbb{Z}_N\) element (\(N = pq\))
• DDH
  ○ ElGamal in the exponent: poly-size plaintexts in \(\mathbb{Z}\)
  ○ Class groups: \(\mathbb{Z}_p\) for a large prime \(p\) [CL 15]
• Ring Learning With Errors (RLWE) [LPR 10]: natively encrypts a vector in \(\mathbb{Z}_q^n\)

Slide 30: Naïve VOLE from Linearly Homomorphic Encryption
Alice holds \(x \in \mathbb{Z}_q\); Bob holds \(\vec{a}, \vec{b} \in \mathbb{Z}_q^n\).
• Alice: \((pk, sk) \leftarrow \mathrm{Gen}(1^\lambda)\); sends \(pk, [x]\).
• Bob: computes \([\vec{y}] = \vec{a} \cdot [x] + [\vec{b}]\); sends \([\vec{y}]\).
• Alice: \(\vec{y} = \mathrm{Dec}_{sk}([\vec{y}])\).
Security: for Alice, CPA security of the scheme; for Bob, circuit privacy.

Slide 31: Circuit privacy in homomorphic encryption
• In RLWE the message is hidden by "noise".
• After computing \(\vec{a} \cdot [x] + [\vec{b}]\), the noise \(e\) of \([x]\) has grown to \(a \cdot e\) plus the noise of \([\vec{b}]\)
  ○ The noise depends on \(\vec{a}\) and \(\vec{b}\) (it is removed in decryption, but is visible before)
• Classic solution: "noise flooding", adding extra noise \(\gg a \cdot e + \) (noise of \([\vec{b}]\))
  ○ Requires much larger ciphertexts
• Optimization: "gentle noise flooding" [dCHIV 21]
  ○ Encrypt a \(t\)-out-of-\(n\) sharing of the message
  ○ A few leaked coordinates don't matter

Slide 32: What about active security?
• What can go wrong? Alice or Bob could send garbage ciphertexts…
• What about a correctness check as in the OT-based protocol?
  ○ Selective failure is more subtle
  ○ The error may depend on the ciphertext noise or on the secret key
• Solution: zero-knowledge proofs
  ○ Alice: proof of plaintext knowledge
  ○ Bob: proof of correct multiplication

Slide 33: ZK proofs for homomorphic encryption
• RLWE is more challenging than number-theoretic assumptions
• Proof of plaintext knowledge
  ○ Naïve sigma protocol: soundness ½
  ○ Various optimizations [BCS 19], amortization [BBG 19]
  ○ Still computationally expensive, often needs larger parameters
• Proof of correct multiplication
  ○ Even worse! Tricky to amortize
  ○ Can be avoided, assuming linear-only encryption [BISW 18, KPR 18]

Slide 34: Conclusion: Basic constructions and applications
• OLE and VOLE are core building blocks of secure computation
  ○ Correlated randomness
  ○ Special-purpose applications like OPRF, private set intersection
  ○ Next talk: zero knowledge
• Non-silent protocols: OT, AHE
  ○ Important, even if silent protocols win :)
  ○ Open question: improving RLWE parameters and efficiency
    ■ Especially for active security

Slide 35: Thank you!