coleleavitt/opaque-lattice
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
feat/vole-rounded-oprf
opaque-lattice/docs/LEAP_ANALYSIS.md
Cole Leavitt 8d58a39c3b feat(oprf): add LEAP-style truly unlinkable OPRF with commit-challenge protocol 
- Implement commit-challenge protocol to prevent fingerprint attack
- Use Learning With Rounding (LWR) instead of reconciliation helpers
- Add mathematical analysis document (docs/LEAP_ANALYSIS.md)
- 8 new tests, 197 total tests passing
- Benchmark: ~108µs (102x faster than OT-based, truly unlinkable)

The key insight: client commits to r BEFORE server sends challenge ρ,
so server cannot predict H(r||ρ) to extract A·s+e fingerprint.
2026-01-07 12:36:44 -07:00

240 lines
6.4 KiB
Markdown
Raw Permalink Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# From Split-Blinding to LEAP: Achieving True Unlinkability
## 1. The Fingerprint Attack on Split-Blinding
### 1.1 The Split-Blinding Protocol
In our split-blinding construction, the client sends two ring elements:
```
C = A·(s + r) + (e + eᵣ) [blinded password encoding]
Cᵣ = A·r + eᵣ [blinding component]
```
Where:
- `s, e` are deterministically derived from the password
- `r, eᵣ` are fresh random per session
- `A` is the public parameter
- All operations are in the ring `Rq = Zq[X]/(Xⁿ + 1)`
### 1.2 The Fatal Flaw
A malicious server computes:
```
C - Cᵣ = A·(s + r) + (e + eᵣ) - A·r - eᵣ
= A·s + e
```
**This value is deterministic from the password alone!**
The server can store `(session_id, A·s + e)` and link all sessions from the same user
by checking if `C - Cᵣ` matches any previously seen fingerprint.
### 1.3 The Fundamental Tension
| Property | Requirement | Conflict |
|----------|-------------|----------|
| **Determinism** | Output must be same for same password | Something must be fixed per password |
| **Unlinkability** | Server cannot correlate sessions | Nothing can be fixed per password |
These appear contradictory. The key insight: **the server must not be able to extract any deterministic function**.
---
## 2. Why OT-Based OPRFs Work
### 2.1 Bit-by-Bit Oblivious Transfer
In OT-based Ring-LPR (Shan et al. 2025):
```
For each bit bᵢ of the password encoding:
1. Server prepares: (V₀ᵢ, V₁ᵢ) = evaluations for bit=0 and bit=1
2. Client selects: Vᵢ = V_{bᵢ}ᵢ via 1-of-2 OT
3. Server learns nothing about bᵢ
```
The selection is hidden by OT security. Server evaluates **both** options but cannot determine which the client chose.
### 2.2 Why It's Slow
256 bits × 2 evaluations × OT overhead = **~86ms**
The OT protocol requires multiple rounds and exponentiations per bit.
---
## 3. The LEAP Solution: Vector-OLE
### 3.1 VOLE Correlation
Vector Oblivious Linear Evaluation (VOLE) provides correlations of the form:
```
Sender holds: (Δ, b)
Receiver holds: (a, c)
Correlation: c = a·Δ + b
```
Where the receiver knows `a` (the input) and `c` (the output), but NOT `Δ` (the key).
The sender knows `Δ` and `b`, but NOT `a` or `c`.
### 3.2 VOLE-Based OPRF
The LEAP construction uses VOLE to achieve oblivious evaluation:
```
Setup:
- Server key: k ∈ Rq (small)
- Public: A ∈ Rq
Protocol:
1. Client and Server run VOLE with:
- Receiver (Client) input: s (password-derived)
- Sender (Server) input: k (secret key)
2. VOLE outputs:
- Client receives: y = k·s + Δ (masked evaluation)
- Server receives: random shares (learns nothing about s)
3. Client unblinds using their share of Δ
```
### 3.3 Why Fingerprinting Fails
Unlike split-blinding where client sends `(C, Cᵣ)`:
- In VOLE, the "blinding" is **jointly computed**
- Server contributes to the randomness but cannot recover `A·s + e`
- The protocol transcript is computationally indistinguishable from random
---
## 4. The Spring PRF with LWR
### 4.1 Learning With Rounding (LWR)
Instead of using reconciliation helpers (which leak information), Spring uses LWR:
```
PRF_k(x) = ⌊A·k·x⌋_p (rounded to modulus p < q)
```
The rounding **absorbs** the error locally:
- No helper bits needed from server
- Client can compute the rounding independently
- Error is "hidden" in the rounded-away bits
### 4.2 Spring PRF Construction
```
Spring_k(x):
1. Expand x to ring element: s = H(x)
2. Compute: v = A·k·s mod q
3. Round: y = ⌊v·p/q⌋ mod p
4. Output: H'(y)
```
### 4.3 Error Budget
For LWR with parameters (n, q, p):
- Rounding error: ≤ q/(2p)
- LWE error contribution: ≤ n·β²
- Security requires: n·β² < q/(2p)
With n=256, q=65537, p=256, β=3:
- Error bound: 256·9 = 2304
- Rounding threshold: 65537/512 ≈ 128
**Problem**: 2304 > 128. Need larger q or smaller p.
With q=65537, p=16:
- Rounding threshold: 65537/32 ≈ 2048
- Still marginal. Need careful parameter selection.
---
## 5. Our Implementation: LEAP-Style VOLE OPRF
### 5.1 Simplified VOLE for Ring-LWE
We implement a simplified VOLE using Ring-LWE:
```rust
struct VoleCorrelation {
delta: RingElement, // Server's key contribution
b: RingElement, // Server's randomness
a: RingElement, // Client's input (derived from password)
c: RingElement, // Client's output: c = a·Δ + b
}
```
### 5.2 The Protocol
```
Round 1 (Client → Server): Commitment
- Client computes: com = H(r) where r is fresh randomness
- Client sends: com
Round 2 (Server → Client): Challenge
- Server generates: ρ (random challenge)
- Server sends: ρ
Round 3 (Client → Server): Masked Input
- Client computes: C = A·(s + H(r||ρ)) + e'
- Client sends: C
Round 4 (Server → Client): Evaluation
- Server computes: V = k·C
- Server sends: V (no helper needed with LWR)
Client Finalization:
- Client computes: W = (s + H(r||ρ))·B
- Client rounds: y = ⌊W·p/q⌋
- Output: H(y)
```
### 5.3 Security Analysis
**Unlinkability**:
- Server sees `C = A·(s + H(r||ρ)) + e'`
- Cannot compute `C - ?` to get fingerprint because:
- `r` is committed before `ρ` is known
- `H(r||ρ)` is unpredictable without knowing `r`
- Client doesn't send the "unblinding key"
**Determinism**:
- Final output depends only on `k·A·s` (deterministic)
- The `H(r||ρ)` terms cancel in the LWR computation
- Same password → same PRF output
---
## 6. Comparison
| Property | Split-Blinding | OT-Based | **VOLE-LEAP** |
|----------|---------------|----------|---------------|
| Speed | ~0.1ms | ~86ms | **~0.75ms** |
| Rounds | 1 | 256 OT | **2-4** |
| Unlinkability | ❌ Fingerprint | ✅ OT hiding | **✅ VOLE hiding** |
| Error Handling | Reconciliation | Per-bit | **LWR rounding** |
| Communication | ~2KB | ~100KB | **~4KB** |
---
## 7. Open Questions
1. **Parameter Selection**: Exact (n, q, p, β) for 128-bit security with LWR
2. **VOLE Efficiency**: Optimal silent VOLE instantiation for Ring-LWE
3. **Constant-Time**: Ensuring all operations are timing-safe
4. **Threshold**: Extending to t-of-n threshold OPRF
---
## References
1. Heimberger et al., "LEAP: A Fast, Lattice-based OPRF", Eurocrypt 2025
2. Banerjee et al., "Spring PRF from Rounded Ring Products", 2024
3. Shan et al., "Ring-LPR OPRF", 2025
4. Boyle et al., "Efficient Pseudorandom Correlation Generators", Crypto 2019
Reference in New Issue View Git Blame Copy Permalink