Fast Actively Secure OT Extension For Short Secrets [NDSS’17] OT Theory and Practice of MPC Arpita Patra, Pratik Sarkar, Ajith S

Roadmap Oblivious Transfer OT Extension - Kolesnikov-Kumaresan13 Extension (semi-honest secure) - Attack in malicious setting - A new consistency Check (succinct and fast) Some Empirical Findings (.012-.028 overhead over KK13) – actively security for free (almost) Application in PSI

Oblivious Transfer R S m1-r = ? r = ? m0 r 2 1 OT m1 mr - Complete for MPC - Used in both traditional approaches: Yao (per input) and GMW (per AND gate) - OT forms the basis for most of the practical MPCs/2PCs, special purpose problems PSI - OTs are intrinsically expensive- usually based on public key primitives - AES Circuit: Millions of AND gates

Setting the stage for OT Extension - X (task/object): executing/generating X is not very efficient - Small no. X  many no. X PRG: Truly Random short Seed  huge (pseudo-)random string s R {0,1}k PRG PRG(s)  {0,1}p(k) Hybrid Encryption (HE): one instance of PKE  many instances of PKE @ SKE operations PKE PKE HE PKE PKE

OT Extension: From small to many Extended OTs Seed OTs OT1 OT1 OT2 OT2 OT Extension OT3 OTk OTp(k) SKE operations > OT Ext is not possible information theoretically [Bea96] > OT Ext implies OWF [LZ13] k: security parameter

IKNP and Its Successors 2 1 OT1 2 1 OT1 2 1 OT2 2 1 OT2 OT Extension 2 1 OT3 2 1 OTk 2 1 OTp(k) SKE operations Semi-honest: IKNP, ALSZ13 Active: NNOB, ALSZ15,KOS15 k: security parameter

KK13 and Its Successors OT Extension xr’ = ? Used in PSI, PIR etc 2 1 OTk 𝑛 1 OTp(k) x1 x2 ….. xn r xr r = ? xr’ = ? Used in PSI, PIR etc Semi-honest: KK13 Active: PSS17, OOS17 k: security parameter

IKNP vs. KK13 log(n) 𝑛 1 OT 2 1 OT 𝑛 1 OT m O(m(k logn + nl )) O(m(k + nl )) l: input length of the sender k: security parameter

Walsh-Hadamard Code - WH Code: Linear Code over a Binary alphabet F2 L bit message is mapped to 2L codeword - WH( ) : {0,1}log(k) → {0,1}k - 𝒞: {C1,….,Ck} - Distance of 𝒞 is k/2. WH( x ) = (x ⊗ a) for all possible a of log(k) bits string k: security parameter

KK13- The Blueprint P0 P1 m Extended OTs x11 𝑛 1 OT1 ⋮ 𝑛 1 OTm r1 ⋮ x1n x 1 r 1 xm1 rm ⋮ xmn x m r m Seed OT Phase Correlated Random Matrices OT Extension Phase

KK13 P0 P1 m Extended OTs x11 𝑛 1 OT1 ⋮ 𝑛 1 OTm r1 ⋮ x1n x 1 r 1 xm1 rm ⋮ xmn x m r m Correlated Random Matrices Q = Q1 = T1 ⊕ (S ⨂ C r 1 ) T= T1 T2 … Tm Q2 = T2 ⊕ (S ⨂ C r 2 ) ….. Qm = Tm ⊕ (S ⨂ C r m ) Random S is known to P0 only |Ti| = k

KK13- Extension Phase P0 P1 𝒞: {C1,….,Ck} x11 r1 ⋮ ⋮ 𝑛 1 OT1 x1n Q = Q1 = T1 ⊕ (S ⨂ C r 1 ) T= T1 T2 … Tm ⋮ Q2 = T2 ⊕ (S ⨂ C r 2 ) ….. xm1 rm Qm = Tm ⊕ (S ⨂ C r m ) 𝑛 1 OTm ⋮ ⋮ S is known to P0 only xmn x m r m |Ti| = k Extension Phase H Distance of 𝒞 is k/2 (Q1 ⊕ (S ⨂ C 1 )) T1 ⊕ S ⨂ ( C r 1 ⊕ C 1 ) x11 x12 H (Q1 ⊕ (S ⨂ C 2 )) T1 ⊕ S ⨂ ( C r 1 ⊕ C 2 ) ….. ….. H ( Q 1 ⊕ (S ⨂ C r 1 )) T 1 ⊕ S ⨂ ( 𝐂 𝐫 𝟏 ⊕ 𝐂 𝐫 𝟏 ) T 1 x 1 r 1 x1n H (Q1 ⊕ (S ⨂ C n )) T1 ⊕ S ⨂ ( C r 1 ⊕ C n )

KK13- Seed OT Phase P0 P1 Seed OTs 2 1 OT1 ⋮ S 2 1 OTk ….. E= C r 1 C r 2 … C r m T= T1 T2 … Tm S ⋮ 2 1 OTk Q = Q1 = T1 ⊕ (S ⨂ C r 1 ) T= T1 T2 … Tm Q2 = T2 ⊕ (S ⨂ C r 2 ) ….. Qm = Tm ⊕ (S ⨂ C r m ) Random S is known to P0 only |Ti| = k

KK13 in Malicious Setting P0 P1 2 1 OT1 E= C r 1 C r 2 … C r m T= T1 T2 … Tm S ⋮ 2 1 OTk Q = Q1 = T1 ⊕ (S ⨂ C r 1 ) T= T1 T2 … Tm Q2 = T2 ⊕ (S ⨂ C r 2 ) ….. Qm = Tm ⊕ (S ⨂ C r m ) Random S is known to P0 only |Ti| = k

KK13 in Malicious Setting P0 P1 2 1 OT1 E= C r 1 C r 2 … C r m T= T1 T2 … Tm S ⋮ 2 1 OTk E’ = C′ r 1 C′ r 2 … C′ r m Q = Q1 = T1 ⊕ (S ⨂ C r 1 ) Q = Q1 = T1 ⊕ (S ⨂ C′ r 1 ) T= T1 T2 … Tm Q2 = T2 ⊕ (S ⨂ C r 2 ) Q2 = T2 ⊕ (S ⨂ C′ r 2 ) ….. ….. Qm = Tm ⊕ (S ⨂ C r m ) Qm = Tm ⊕ (S ⨂ C′ r m ) Random S is known to P0 only |Ti| = k

KK13 in Malicious Setting 𝒞: {C1,….,Ck} P0 P1 x11 r1 ⋮ ⋮ 𝑛 1 OT1 x1n x 1 r 1 Q = Q1 = T1 ⊕ (S ⨂ C′ r 1 ) T= T1 T2 … Tm ⋮ Q2 = T2 ⊕ (S ⨂ C′ r 2 ) ….. xm1 rm Qm = Tm ⊕ (S ⨂ C′ r m ) 𝑛 1 OTm ⋮ ⋮ S is known to P0 only xmn x m r m |Ti| = k Distance of 𝒞 is k/2 H (Q1 ⊕ (S ⨂ C 1 )) T1 ⊕ S ⨂ ( C′ r 1 ⊕ C 1 ) x11 x12 H (Q1 ⊕ (S ⨂ C 2 )) T1 ⊕ S ⨂ ( C′ r 1 ⊕ C 2 ) ….. ….. x 1 r 1 H ( Q 1 ⊕ (S ⨂ C r 1 )) T 1 ⊕ S ⨂ ( 𝐂′ 𝐫 𝟏 ⊕ 𝐂 𝐫 𝟏 ) T 1 ⊕(s1 0 (k-1) times) x 1 r 1 x1n H (Q1 ⊕ (S ⨂ C n )) T1 ⊕ S ⨂ ( C′ r 1 ⊕ C n )

KK13 in Malicious Setting P0 P1 2 1 OT1 E= C r 1 C r 2 … C r m T= T1 T2 … Tm S ⋮ 2 1 OTk Ensure E is a code-word matrix E’ = C′ r 1 C′ r 2 … C′ r m Q = Q1 = T1 ⊕ (S ⨂ C r 1 ) Q = Q1 = T1 ⊕ (S ⨂ C′ r 1 ) T= T1 T2 … Tm Q2 = T2 ⊕ (S ⨂ C r 2 ) Q2 = T2 ⊕ (S ⨂ C′ r 2 ) ….. ….. Qm = Tm ⊕ (S ⨂ C r m ) Qm = Tm ⊕ (S ⨂ C′ r m ) Random S is known to P0 only |Ti| = k

The Blueprint P0 P1 Seed OT Phase Correlated Random Matrices OT Extension Phase

The Blueprint P0 P1 Seed OT Phase Correlated Random Matrices Consistency check OT Extension Phase

KK13 with Consistency Check P0 P1 Q = Q1 = T1 ⊕ (S ⨂ C r 1 ) E’ = C′ r 1 C′ r 2 … C′ r m T= T1 T2 … Tm Q2 = T2 ⊕ (S ⨂ C r 2 ) S ….. Qm = Tm ⊕ (S ⨂ C r m ) Toss a random vector w1,w2,…..,wm q = w1Q1⊕w2Q2…⊕w𝑚Qm e = w1C′ r 1 ⊕ w2 C ′ r 2 …⊕w𝑚 C′ r m q = t ⊕ (S ⨂ e) t = w1T1⊕w2T2…⊕w𝑚Tm O(k) Communication t1 ⊕t2… ⊕tk q1⊕q2…⊕qk e1⊕e2…⊕ek O(log k) Communication Send e Send index of e - O( logk ) bits of communication to catch with probability 1/4 - 𝜇 repeations: O(𝜇 logk ) bits of communication to catch with probability (1-1/2.4 𝜇)

Empirical Findings - Communication

Empirical Findings - I

Empirical Findings - I Hardware: Our machine has 8 GB RAM and an Intel Core i5-4690 CPU with 3.5 GHz processor speed.

Empirical Findings - II [21]: KK [17]: IKNP [31]: NNOB [4]: ALSZ [18]: KOS

Oblivious Transfer Secure Multi-party Computation: Yao, GMW 2 1 OT Private Set Intersection, Private information retrieval 𝑛 1 OT

Oblivious Transfer R S R S Complete for MPC m1-r = ? r = ? m1 r 2 1 OT ….. mn r R 𝑛 1 OT S mr

A little diversion to RO Model >> Love and hate relationship with this model >> Many protocols have proof in RO model which otherwise does not have any proof. >> Real protocol: RO replaced with hash functions >> Protocol analyzed for Security: Hash functions replaced with RO box. >> Proof is for any good?: Existence of such a proof implies the real protocol go wrong only when hash function does not simulate RO. Some proof better than no proof >> Examples: RSA-OEAP (practically in use). CCA-secure extension of RSA >> Finding proof under relatively realistic assumption (e.g. CR) than RO has been very challenging and considered to be great achievement!! Random Function H: [m] × {0,1}k -> {0,1}l