(Vector) Oblivious Linear Evaluation:
Basic Constructions and Applications
Peter Scholl
24 January 2022, Bar-Ilan Winter School
This talk
• What is it? (V)OLE, VOLE variants, OLE
• What's it good for? Correlated randomness, oblivious PRF
• How do you build it? Oblivious transfer, homomorphic encryption, active security
• Conclusion
Peter Scholl 3
Oblivious linear evaluation (OLE)
Alice's input: $x$. Bob's input: $a, b$.
OLE functionality: Alice receives $y = ax + b$.
OLE is secret-shared multiplication
Alice inputs $x$ and receives $y$; Bob inputs $a$ and keeps $b$.
Then $y - b = ax$: Alice's $y$ and Bob's $b$ form a (subtractive) secret sharing of the product $ax$.
Variants: random-OLE, vector-OLE
OLE: Alice inputs $x$, Bob inputs $a, b$; Alice receives $y = ax + b$.
$-OLE (random OLE): the functionality samples $x, a, b$ itself and hands Alice $(x, y = ax + b)$ and Bob $(a, b)$.
VOLE: Alice inputs $x$, Bob inputs vectors $\vec{a}, \vec{b}$; Alice receives $\vec{y} = \vec{a}\,x + \vec{b}$.
A few basic observations
• $n \times$ OLE $\Rightarrow$ $1 \times$ VOLE (unconditional, passive security)
  ○ VOLE is easier to build than $n \times$ OLE
• $-OLE $\Rightarrow$ OLE (unconditional, send 3 field elements)
  ○ $-(V)OLE is enough
• OLE $\Rightarrow$ Oblivious Transfer (unconditional)
  ○ Public-key crypto is necessary [IR 89]
Motivation: Secure Computation with Preprocessing [Beaver 91]
Preprocessing phase: generate correlated randomness.
Online phase: on inputs $x$ (Alice) and $y$ (Bob), compute $f(x, y)$.
• Information-theoretic
• Cheap computation
Example: multiplication triples from OLE
Alice holds $x, x'$; Bob holds $a, a', b, b'$. Run two $-OLEs, giving
$y - b = ax$ and $y' - b' = a'x'$.
Then
$(x + a')(x' + a) = xx' + aa' + ax + a'x'$,
where Alice knows $xx'$, Bob knows $aa'$, and the cross terms $ax$, $a'x'$ are shared via the OLE outputs.
So with $u = x + a'$, $v = x' + a$ and $w = uv$, each of $u, v, w$ is additively shared: $uv = w$.
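The two reductions above ($-OLE to chosen-input OLE with three field elements, then two OLEs to a multiplication triple) as an added, runnable example; this is not code from the talk, and the prime modulus and the ideal $-OLE oracle are constructed assumptions.

```python
import secrets

P = 2**61 - 1   # constructed: a prime, so arithmetic below is over the field F_P

def random_ole():
    """Ideal $-OLE: Alice gets (r, t), Bob gets (s, u) with t = r*s + u mod P."""
    r, s, u = (secrets.randbelow(P) for _ in range(3))
    return (r, (r * s + u) % P), (s, u)

def ole_from_random_ole(x, a, b):
    """OLE on chosen inputs from one $-OLE; the parties exchange 3 field elements (d, e, g).
    Alice inputs x, Bob inputs (a, b); returns Alice's output y = a*x + b mod P."""
    (r, t), (s, u) = random_ole()
    d = (x - r) % P             # Alice -> Bob
    e = (a - s) % P             # Bob -> Alice
    g = (b - u + s * d) % P     # Bob -> Alice
    return (t + e * r + e * d + g) % P

def triple_from_two_oles(x, x2, a, a2, b, b2):
    """Multiplication triple u*v = w from two OLEs, as on the slide:
    y - b = a*x and y' - b' = a'*x' give shares of the cross terms in
    (x + a')(x' + a) = x*x' + a*a' + a*x + a'*x'.
    Returns Alice's shares (u_A, v_A, w_A) and Bob's shares (u_B, v_B, w_B)."""
    y = ole_from_random_ole(x, a, b)
    y2 = ole_from_random_ole(x2, a2, b2)
    alice = (x, x2, (x * x2 + y + y2) % P)
    bob = (a2, a, (a * a2 - b - b2) % P)
    return alice, bob

def reconstruct(alice, bob):
    """Open the shared triple (for checking only; a real protocol never opens it)."""
    return tuple((sa + sb) % P for sa, sb in zip(alice, bob))

def triple_is_valid(alice, bob):
    """True iff the opened triple satisfies u*v = w mod P."""
    u, v, w = reconstruct(alice, bob)
    return (u * v) % P == w
```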
(V)OLE for correlated randomness
• Scalar/vector triples, matrix triples
  ○ Build from VOLE
• Multi-party correlations:
  ○ From pairwise instances of (V)OLE
  ○ Other approaches: depth-1 homomorphic encryption [DPSZ 12]
• Authenticated secret shares:
  ○ Use VOLE to generate information-theoretic MACs
  ○ Key part of SPDZ protocols [DPSZ 12, KOS 16, KPR 18, …]
Application: Oblivious Pseudorandom Functions
PRF $F$ with key $K \leftarrow \{0,1\}^\lambda$. Security game: on input $x$, the adversary receives either $y_0 = F(K, x)$ or $y_1 = \$(x)$ (uniformly random), according to $b \leftarrow \{0,1\}$, and must guess $b$.
Oblivious PRF: one party holds $K$, the other holds $x$; the latter learns $F(K, x)$, and $F(K, y)$ remains pseudorandom for any $y \ne x$.
Vector-OLE ⇒ Batch OPRF evaluation [BCGIKS 19]
Alice: $s \in \mathbb{F}_p$. Bob: $a_i \in \mathbb{F}_p$, $b_i \leftarrow \mathbb{F}_p$.
VOLE: Alice receives $t_i = a_i s + b_i$.
Keys $K_i := (s, t_i)$. Bob outputs $H(b_i)$.
$F(K_i, a) := H(t_i - a s)$, so $F(K_i, a_i) = H(b_i)$.
• Relaxed OPRF: related keys, leakage
• Secure if $H$ is a random oracle
  ○ Or variant of correlation-robustness
Random Vector-OLE ⇒ Batch OPRF evaluation
Alice: $s \in \mathbb{F}_p$. Bob: $r_i \leftarrow \mathbb{F}_p$, $b_i \leftarrow \mathbb{F}_p$.
$-VOLE: Alice receives $t'_i = r_i s + b_i$.
Bob sends $d_i = a_i - r_i$; Alice sets $t_i = t'_i + d_i s$ $(= a_i s + b_i)$.
Keys $K_i := (s, t_i)$. Bob outputs $H(b_i)$.
• Optimal communication: 1 $\mathbb{F}_p$ element (given $-VOLE)
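The batch OPRF from random VOLE on the two slides above, as an added example that is not part of the talk: it assumes a constructed prime field, an ideal $-VOLE oracle, and SHA-256 standing in for the random oracle $H$, and checks that Alice's derived keys $K_i = (s, t_i)$ evaluate on $a_i$ to Bob's outputs $H(b_i)$.

```python
import hashlib
import secrets

P = 2**61 - 1   # constructed prime field F_P

def H(v):
    """Random-oracle stand-in (constructed choice): SHA-256 of the field element."""
    return hashlib.sha256(v.to_bytes(8, "big")).hexdigest()

def random_vole(n):
    """Ideal $-VOLE: Alice gets s and t'_i = r_i s + b_i; Bob gets r_i and b_i."""
    s = secrets.randbelow(P)
    r = [secrets.randbelow(P) for _ in range(n)]
    b = [secrets.randbelow(P) for _ in range(n)]
    t_prime = [(ri * s + bi) % P for ri, bi in zip(r, b)]
    return (s, t_prime), (r, b)

def prf(key, a):
    """F(K_i, a) := H(t_i - a s) for key K_i = (s, t_i)."""
    s, t_i = key
    return H((t_i - a * s) % P)

def batch_oprf(a_inputs):
    """Batch OPRF from $-VOLE: Bob (evaluator) holds inputs a_i, Alice ends up with keys K_i.
    Bob sends one field element d_i = a_i - r_i per input; Alice sets t_i = t'_i + d_i s = a_i s + b_i.
    Returns (Alice's keys, Bob's outputs H(b_i))."""
    n = len(a_inputs)
    (s, t_prime), (r, b) = random_vole(n)
    d = [(ai - ri) % P for ai, ri in zip(a_inputs, r)]        # Bob -> Alice
    t = [(tp + di * s) % P for tp, di in zip(t_prime, d)]     # Alice derandomises
    keys = [(s, ti) for ti in t]                              # related keys: all share s
    outputs = [H(bi) for bi in b]
    return keys, outputs
```

The keys all share $s$, which is the "related keys" relaxation the slide mentions.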
Applications of OPRF
• Random 1-out-of-$q$ OT
  ○ Correlated randomness, e.g. masked truth tables [DKSSZZ 17]
• Password-authenticated key exchange, e.g. OPAQUE [JKX 18]
  ○ Batch OPRF seems less useful
• Private set intersection
  ○ Reducing use of public-key crypto [KKRT 16, KMPRT 17, …]
  ○ With polynomial-based encoding [GPRTY 21, Sec 7.1]
    ■ Simple protocol, communication: |input|
Constructing VOLE, "non-silently"
Taxonomy of VOLE protocols
"Non-silent":
• Oblivious Transfer: receiver inputs choice bit $b$, sender inputs $s_0, s_1$, receiver gets $s_b$
• Homomorphic Encryption: Enc, Eval, Dec; input $x$, output $f(x)$
"Silent":
• Mostly based on LPN
• Require "seed" VOLEs to bootstrap
(V)OLE from Oblivious Transfer [Gilboa 99]
Alice: $x$. Bob: $a, b$.
Alice bit-decomposes $x = \sum_i 2^i x_i$. Bob samples $b_i$ such that $b = \sum_i 2^i b_i \bmod q$.
For each $i$, run an OT: Bob inputs $(b_i, b_i + a)$, Alice chooses with bit $x_i$ and receives $y_i = b_i + a x_i$.
Output $y = \sum_i 2^i y_i = b + ax$.
Repeat for VOLE [KOS 16].
(V)OLE from Oblivious Transfer [Gilboa 99]
• Perfectly secure
• Each output: $m = \log q$ calls to OT on $m$-bit strings
  ○ Computational cost: cheap via OT extension [IKNP 03]
  ○ Communication: $\ge m^2$ bits
• Active security?
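Gilboa's construction as an added example (not code from the talk): an ideal 1-out-of-2 OT oracle and a constructed prime modulus are assumed, and the optional `cheat` argument reproduces the corrupt-sender deviation discussed on the next slides, where the error only appears when Alice's bit $x_j$ is 1.

```python
import secrets

Q = 2**61 - 1        # constructed prime modulus q
M = Q.bit_length()   # m = log q OTs per OLE output

def ot(choice_bit, m0, m1):
    """Ideal 1-out-of-2 OT: the receiver learns m_choice and nothing about the other message."""
    return m1 if choice_bit else m0

def gilboa_ole(x, a, b, cheat=None):
    """One OLE output from M OTs [Gilboa 99]. Alice (receiver) inputs x, Bob (sender) inputs a, b.
    An honest run returns y = b + a*x mod Q.
    cheat=(j, a2) models a corrupt Bob who uses a2 instead of a in OT number j, so Alice's
    output is off by 2^j * (a2 - a) * x_j, i.e. only when her secret bit x_j = 1."""
    # Bob: sample b_0..b_{M-2} at random and fix b_{M-1} so that sum 2^i b_i = b mod Q
    bs = [secrets.randbelow(Q) for _ in range(M - 1)]
    partial = sum(2**i * bs[i] for i in range(M - 1))
    bs.append((b - partial) * pow(2, -(M - 1), Q) % Q)
    y = 0
    for i in range(M):
        x_i = (x >> i) & 1                          # Alice: bit-decompose x = sum 2^i x_i
        a_i = cheat[1] if cheat and cheat[0] == i else a
        y_i = ot(x_i, bs[i], (bs[i] + a_i) % Q)     # y_i = b_i + a x_i
        y = (y + 2**i * y_i) % Q
    return y

def vole_from_ot(x, avec, bvec):
    """Repeat for VOLE [KOS 16]: one Gilboa instance per coordinate, same x."""
    return [gilboa_ole(x, ai, bi) for ai, bi in zip(avec, bvec)]
```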
(V)OLE from Oblivious Transfer: active security?
Alice bit-decomposes $x = \sum_i 2^i x_i$; Bob samples $b_i$ with $b = \sum_i 2^i b_i \bmod q$.
In OT number $i$, a corrupt Bob uses $a' \ne a$, i.e. inputs $(b_i, b_i + a')$.
Alice's output $y = \sum_i 2^i y_i$ becomes $y + (a' - a)\,x_i$ (up to the weight $2^i$ of that bit).
VOLE: lightweight correctness check
Alice holds $x$ and $y_i$; Bob holds $a_i, b_i$.
Goal: check that $y_i = a_i x + b_i$ for all $i$.
Alice sends random challenges $\chi_1, \dots, \chi_n \in \mathbb{F}_p$.
Bob opens $\tilde{a} = \sum_i \chi_i a_i + a_{n+1}$ and $\tilde{b} = \sum_i \chi_i b_i + b_{n+1}$ (the extra index $n+1$ masks Bob's values).
Alice computes $\tilde{y} = \sum_i \chi_i y_i + y_{n+1}$ and checks $\tilde{y} = \tilde{a} x + \tilde{b}$.
Intuition:
• To pass the check when $y_i$ is incorrect, Bob must guess $\chi_i$
• Succeeds with probability $1/p$
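The lightweight check above as an added example (not from the talk): it assumes a constructed prime field, an ideal VOLE oracle, and a corrupt Bob modelled as an additive error on one output that is fixed before the challenge is sent, with Bob opening $\tilde{a}, \tilde{b}$ from his actual inputs; the error is then caught unless $\chi_i$ happens to be 0.

```python
import secrets

P = 2**61 - 1   # constructed prime; the VOLE is over F_P

def ideal_vole(x, a, b):
    """Ideal VOLE: Alice inputs x, Bob inputs vectors a, b; Alice receives y_i = a_i x + b_i."""
    return [(ai * x + bi) % P for ai, bi in zip(a, b)]

def bob_open(a, b, chi):
    """Bob's opening: a~ = sum chi_i a_i + a_{n+1}, b~ = sum chi_i b_i + b_{n+1}.
    The last (masking) coordinate keeps a~, b~ from revealing the a_i, b_i."""
    n = len(chi)
    a_t = (sum(c * ai for c, ai in zip(chi, a)) + a[n]) % P
    b_t = (sum(c * bi for c, bi in zip(chi, b)) + b[n]) % P
    return a_t, b_t

def alice_check(x, y, chi, a_t, b_t):
    """Alice's side: y~ = sum chi_i y_i + y_{n+1}; accept iff y~ = a~ x + b~."""
    n = len(chi)
    y_t = (sum(c * yi for c, yi in zip(chi, y)) + y[n]) % P
    return y_t == (a_t * x + b_t) % P

def run_check(x, a, b, errors=None):
    """Full check for a VOLE of n = len(a)-1 outputs plus one masking output (index n).
    errors={i: delta} models a corrupt Bob whose delivered y_i is off by delta (constructed
    model: the deviation is fixed before Alice's challenge, as in the OT-based construction)."""
    y = ideal_vole(x, a, b)
    for i, delta in (errors or {}).items():
        y[i] = (y[i] + delta) % P
    n = len(a) - 1
    chi = [secrets.randbelow(P) for _ in range(n)]   # Alice's random challenges
    a_t, b_t = bob_open(a, b, chi)
    return alice_check(x, y, chi, a_t, b_t)
```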
Problems with selective failure
• Recall: corrupt Bob can induce an error:
  $y' = y + (a' - a)\,x_i$
  ○ Error depends on secret bit $x_i$!
  ○ Even if the VOLE is correct, this leaks that $x_i = 0$
• Solutions:
  ○ 1) Relaxed VOLE: allow small leakage on $x$ [KOS 16], [WYKW 21]
  ○ 2) Privacy amplification via leftover hash lemma [KOS 16]
(V)OLE from OT: Summary
• Simple protocol with lightweight computation
  ○ Leveraging fast OT extension techniques
• Expensive communication
  ○ At least $m^2$ bits, where $m = \log q$
• Active security almost for free
  ○ If leakage on $x$ is OK
VOLE from Homomorphic Encryption
Linearly homomorphic encryption
• PKE scheme $(\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})$, encrypts vectors over $\mathbb{F}_q$
  For $\vec{a} \in \mathbb{F}_q^n$, write $[\vec{a}] := \mathrm{Enc}_{pk}(\vec{a})$
• Linear homomorphism: can compute $[\vec{a}] + [\vec{b}]$ or $\vec{c} \cdot [\vec{a}]$ for $\vec{c} \in \mathbb{F}_q^n$, s.t.
  $\mathrm{Dec}([\vec{a}] + [\vec{b}]) = \vec{a} + \vec{b}$
  $\mathrm{Dec}(\vec{c} \cdot [\vec{a}]) = \vec{c} \cdot \vec{a}$ (component-wise product)
Examples of Linearly Homomorphic Encryption (more on Wednesday!)
• Paillier encryption
  ○ Each ciphertext encrypts a $\mathbb{Z}_N$ element ($N = pq$)
• DDH
  ○ ElGamal in the exponent: poly-size plaintexts
  ○ Class groups: $\mathbb{F}_p$ for large prime $p$ [CL 15]
• Ring Learning With Errors (RLWE) [LPR 10]
  ○ Natively encrypts a vector in $\mathbb{F}_p^N$
Naïve VOLE from Linearly Homomorphic Encryption
Alice: $x$. Bob: $\vec{a}, \vec{b}$.
Alice: $(pk, sk) \leftarrow \mathrm{Gen}(1^\lambda)$; sends $pk, [x]$ to Bob.
Bob: computes $[\vec{y}] = \vec{a} \cdot [x] + [\vec{b}]$ and sends it back.
Alice: $\vec{y} = \mathrm{Dec}_{sk}([\vec{y}])$.
Security:
• Alice: CPA security
• Bob: circuit privacy
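The naïve VOLE above instantiated with Paillier, as an added example that is not from the talk: it uses two constructed toy primes (nowhere near a secure size), textbook Paillier with $g = N + 1$, and the scheme's additive homomorphism ($[a] + [b]$ is a ciphertext product, $k \cdot [a]$ a ciphertext power) to let Bob compute $[y_i] = a_i [x] + [b_i]$ coordinate by coordinate over $\mathbb{Z}_N$.

```python
import math
import secrets

# Constructed toy Paillier parameters: two small primes, far below a secure size.
PRIME_P, PRIME_Q = 65537, 1000003
N = PRIME_P * PRIME_Q
N2 = N * N
LAM = math.lcm(PRIME_P - 1, PRIME_Q - 1)          # lambda = lcm(p-1, q-1)
G = N + 1                                          # generator g = N + 1

def _L(u):
    return (u - 1) // N

MU = pow(_L(pow(G, LAM, N2)), -1, N)               # mu = L(g^lambda mod N^2)^-1 mod N

def enc(m):
    """Enc_pk(m) = g^m r^N mod N^2 with fresh r; plaintext m in Z_N."""
    r = secrets.randbelow(N - 1) + 1
    return pow(G, m % N, N2) * pow(r, N, N2) % N2

def dec(c):
    """Dec_sk(c) = L(c^lambda mod N^2) * mu mod N."""
    return _L(pow(c, LAM, N2)) * MU % N

def add(c1, c2):
    """[a] + [b]: ciphertext product."""
    return c1 * c2 % N2

def scale(k, c):
    """k * [a]: ciphertext exponentiation."""
    return pow(c, k % N, N2)

def naive_vole(x, avec, bvec):
    """Alice sends [x]; Bob computes [y_i] = a_i * [x] + [b_i]; Alice decrypts.
    The fresh randomness in each Enc(b_i) re-randomises [y_i], so Bob's a_i, b_i stay
    hidden from Alice (Paillier's version of circuit privacy; RLWE needs noise flooding)."""
    cx = enc(x)                                                        # Alice -> Bob
    cy = [add(scale(ai, cx), enc(bi)) for ai, bi in zip(avec, bvec)]  # Bob -> Alice
    return [dec(c) for c in cy]                                        # y_i = a_i x + b_i mod N
```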
Circuit privacy in homomorphic encryption
• In RLWE, the message is hidden by "noise": message $+\ e$
• After computing $\vec{a} \cdot [x] + [\vec{b}]$: the noise becomes $a e + e_b$
  ○ Noise depends on $\vec{a}$ and $\vec{b}$ (removed in decryption)
• Classic solution: "noise flooding": add extra noise $\gg a e + e_b$
  ○ Requires much larger ciphertexts
• Optimization: "gentle noise flooding" [dCHIV 21]
  ○ Encrypt a $t$-out-of-$n$ sharing of the message
  ○ A few leaked coordinates don't matter
What about active security?
• What can go wrong?
  ○ Alice/Bob could send garbage ciphertexts…
• What about a correctness check as in the OT case?
  ○ Selective failure is more subtle
  ○ Error may depend on ciphertext noise/secret key
• Solution: zero-knowledge proofs
  ○ Alice: proof of plaintext knowledge
  ○ Bob: proof of correct multiplication
ZK proofs for homomorphic encryption
• RLWE is more challenging than number-theoretic assumptions
• Proof of plaintext knowledge
  ○ Naïve sigma protocol: soundness ½
  ○ Various optimizations [BCS 19], amortization [BBG 19]
  ○ Still computationally expensive, often need larger parameters
• Proof of correct multiplication
  ○ Even worse! Tricky to amortize
  ○ Can be avoided, assuming linear-only encryption [BISW 18, KPR 18]
Conclusion: Basic constructions and applications
• OLE and VOLE are core building blocks of secure computation
  ○ Correlated randomness
  ○ Special-purpose applications like OPRF, private set intersection
  ○ Next talk: zero knowledge
• Non-silent protocols: OT, AHE
  ○ Important, even if silent protocols win :)
  ○ Open question: improving RLWE parameters and efficiency
    ■ Especially for active security
Thank you!