1. Fast Actively Secure OT Extension For Short Secrets
[NDSS’17] OT
Theory and Practice of MPC
Arpita Patra, Pratik Sarkar, Ajith S

2. Roadmap Oblivious Transfer OT Extension
- Kolesnikov-Kumaresan13 Extension (semi-honest secure)
- Attack in malicious setting
- A new consistency Check (succinct and fast)
Some Empirical Findings ( overhead over KK13) – actively security for free (almost)
Application in PSI

3. Oblivious Transfer R S m1-r = ? r = ? m0 r 2 1 OT m1 mr
- Complete for MPC
- Used in both traditional approaches: Yao (per input) and GMW (per AND gate)
- OT forms the basis for most of the practical MPCs/2PCs, special purpose problems PSI
- OTs are intrinsically expensive- usually based on public key primitives
- AES Circuit: Millions of AND gates

4. Setting the stage for OT Extension
- X (task/object): executing/generating X is not very efficient
- Small no. X  many no. X
PRG: Truly Random short Seed  huge (pseudo-)random string
s R {0,1}k
PRG
PRG(s)  {0,1}p(k)
Hybrid Encryption (HE): one instance of PKE  many instances of SKE operations
PKE
PKE HE
PKE
PKE

5. OT Extension: From small to many
Extended OTs
Seed OTs
OT1
OT1
OT2
OT2
OT Extension
OT3
OTk
OTp(k)
SKE operations
> OT Ext is not possible information theoretically [Bea96]
> OT Ext implies OWF [LZ13]
k: security parameter

6. IKNP and Its Successors
2 1 OT1
2 1 OT1
2 1 OT2
2 1 OT2
OT Extension
2 1 OT3
2 1 OTk
2 1 OTp(k)
SKE operations
Semi-honest: IKNP, ALSZ13
Active: NNOB, ALSZ15,KOS15
k: security parameter

7. KK13 and Its Successors OT Extension xr’ = ? Used in PSI, PIR etc
2 1 OTk
𝑛 1 OTp(k) x1 x2
….. xn r xr
r = ?
xr’ = ?
Used in PSI, PIR etc
Semi-honest: KK13
Active: PSS17, OOS17
k: security parameter

8. IKNP vs. KK13 log(n) 𝑛 1 OT 2 1 OT 𝑛 1 OT m O(m(k logn + nl ))
O(m(k + nl ))
l: input length of the sender
k: security parameter

9. Walsh-Hadamard Code - WH Code: Linear Code over a Binary alphabet F2
L bit message is mapped to 2L codeword
- WH( ) : {0,1}log(k) → {0,1}k
- 𝒞: {C1,….,Ck}
- Distance of 𝒞 is k/2.
WH( x ) = (x ⊗ a) for all possible a of log(k) bits string
k: security parameter

10. KK13- The Blueprint P0 P1 m Extended OTs x11 𝑛 1 OT1 ⋮ 𝑛 1 OTm r1 ⋮
x1n
x 1 r 1
xm1 rm ⋮
xmn
x m r m
Seed OT Phase
Correlated Random Matrices
OT Extension Phase

11. KK13 P0 P1 m Extended OTs x11 𝑛 1 OT1 ⋮ 𝑛 1 OTm r1 ⋮ x1n x 1 r 1 xm1rm ⋮
xmn
x m r m
Correlated Random Matrices
Q = Q1 = T1 ⊕ (S ⨂ C r 1 )
T= T1 T2 … Tm
Q2 = T2 ⊕ (S ⨂ C r 2 )
…..
Qm = Tm ⊕ (S ⨂ C r m )
Random S is known to P0 only
|Ti| = k

12. KK13- Extension Phase P0 P1 𝒞: {C1,….,Ck} x11 r1 ⋮ ⋮ 𝑛 1 OT1 x1n
Q = Q1 = T1 ⊕ (S ⨂ C r 1 )
T= T1 T2 … Tm ⋮
Q2 = T2 ⊕ (S ⨂ C r 2 )
…..
xm1 rm
Qm = Tm ⊕ (S ⨂ C r m )
𝑛 1 OTm ⋮ ⋮
S is known to P0 only
xmn
x m r m
|Ti| = k
Extension Phase H
Distance of 𝒞 is k/2
(Q1 ⊕ (S ⨂ C 1 ))
T1 ⊕ S ⨂ ( C r 1 ⊕ C 1 )
x11
x12 H
(Q1 ⊕ (S ⨂ C 2 ))
T1 ⊕ S ⨂ ( C r 1 ⊕ C 2 )
…..
….. H
( Q 1 ⊕ (S ⨂ C r 1 ))
T 1 ⊕ S ⨂ ( 𝐂 𝐫 𝟏 ⊕ 𝐂 𝐫 𝟏 )
T 1
x 1 r 1
x1n H
(Q1 ⊕ (S ⨂ C n ))
T1 ⊕ S ⨂ ( C r 1 ⊕ C n )

13. KK13- Seed OT Phase P0 P1 Seed OTs 2 1 OT1 ⋮ S 2 1 OTk …..
E= C r 1
C r 2 …
C r m
T= T1 T2 … Tm S ⋮
2 1 OTk
Q = Q1 = T1 ⊕ (S ⨂ C r 1 )
T= T1 T2 … Tm
Q2 = T2 ⊕ (S ⨂ C r 2 )
…..
Qm = Tm ⊕ (S ⨂ C r m )
Random S is known to P0 only
|Ti| = k

14. KK13 in Malicious SettingP0 P1
2 1 OT1
E= C r 1
C r 2 …
C r m
T= T1 T2 … Tm S ⋮
2 1 OTk
Q = Q1 = T1 ⊕ (S ⨂ C r 1 )
T= T1 T2 … Tm
Q2 = T2 ⊕ (S ⨂ C r 2 )
…..
Qm = Tm ⊕ (S ⨂ C r m )
Random S is known to P0 only
|Ti| = k

15. KK13 in Malicious SettingP0 P1
2 1 OT1
E= C r 1
C r 2 …
C r m
T= T1 T2 … Tm S ⋮
2 1 OTk
E’ = C′ r 1
C′ r 2 …
C′ r m
Q = Q1 = T1 ⊕ (S ⨂ C r 1 )
Q = Q1 = T1 ⊕ (S ⨂ C′ r 1 )
T= T1 T2 … Tm
Q2 = T2 ⊕ (S ⨂ C r 2 )
Q2 = T2 ⊕ (S ⨂ C′ r 2 )
…..
…..
Qm = Tm ⊕ (S ⨂ C r m )
Qm = Tm ⊕ (S ⨂ C′ r m )
Random S is known to P0 only
|Ti| = k

16. KK13 in Malicious Setting
𝒞: {C1,….,Ck} P0 P1
x11 r1 ⋮ ⋮
𝑛 1 OT1
x1n
x 1 r 1
Q = Q1 = T1 ⊕ (S ⨂ C′ r 1 )
T= T1 T2 … Tm ⋮
Q2 = T2 ⊕ (S ⨂ C′ r 2 )
…..
xm1 rm
Qm = Tm ⊕ (S ⨂ C′ r m )
𝑛 1 OTm ⋮ ⋮
S is known to P0 only
xmn
x m r m
|Ti| = k
Distance of 𝒞 is k/2 H
(Q1 ⊕ (S ⨂ C 1 ))
T1 ⊕ S ⨂ ( C′ r 1 ⊕ C 1 )
x11
x12 H
(Q1 ⊕ (S ⨂ C 2 ))
T1 ⊕ S ⨂ ( C′ r 1 ⊕ C 2 )
…..
…..
x 1 r 1 H
( Q 1 ⊕ (S ⨂ C r 1 ))
T 1 ⊕ S ⨂ ( 𝐂′ 𝐫 𝟏 ⊕ 𝐂 𝐫 𝟏 )
T 1 ⊕(s1 0 (k-1) times)
x 1 r 1
x1n H
(Q1 ⊕ (S ⨂ C n ))
T1 ⊕ S ⨂ ( C′ r 1 ⊕ C n )

17. KK13 in Malicious SettingP0 P1
2 1 OT1
E= C r 1
C r 2 …
C r m
T= T1 T2 … Tm S ⋮
2 1 OTk
Ensure E is a code-word matrix
E’ = C′ r 1
C′ r 2 …
C′ r m
Q = Q1 = T1 ⊕ (S ⨂ C r 1 )
Q = Q1 = T1 ⊕ (S ⨂ C′ r 1 )
T= T1 T2 … Tm
Q2 = T2 ⊕ (S ⨂ C r 2 )
Q2 = T2 ⊕ (S ⨂ C′ r 2 )
…..
…..
Qm = Tm ⊕ (S ⨂ C r m )
Qm = Tm ⊕ (S ⨂ C′ r m )
Random S is known to P0 only
|Ti| = k

18. The Blueprint P0 P1 Seed OT Phase Correlated Random Matrices
OT Extension Phase

19. The Blueprint P0 P1 Seed OT Phase Correlated Random Matrices
Consistency check
OT Extension Phase

20. KK13 with Consistency CheckP0 P1
Q = Q1 = T1 ⊕ (S ⨂ C r 1 )
E’ = C′ r 1
C′ r 2 …
C′ r m
T= T1 T2 … Tm
Q2 = T2 ⊕ (S ⨂ C r 2 ) S
…..
Qm = Tm ⊕ (S ⨂ C r m )
Toss a random vector w1,w2,…..,wm
q = w1Q1⊕w2Q2…⊕w𝑚Qm
e = w1C′ r 1 ⊕ w2 C ′ r 2 …⊕w𝑚 C′ r m
q = t ⊕ (S ⨂ e)
t = w1T1⊕w2T2…⊕w𝑚Tm
O(k) Communication
t1 ⊕t2… ⊕tk
q1⊕q2…⊕qk
e1⊕e2…⊕ek
O(log k) Communication
Send e
Send index of e
- O( logk ) bits of communication to catch with probability 1/4
- 𝜇 repeations: O(𝜇 logk ) bits of communication to catch with probability (1-1/2.4 𝜇)

21. Empirical Findings - Communication

22. Empirical Findings - I

24. Empirical Findings - I
Hardware: Our machine has 8 GB RAM and an Intel Core i CPU with 3.5 GHz processor speed.

25. Empirical Findings - II
[21]: KK
[17]: IKNP
[31]: NNOB
[4]: ALSZ
[18]: KOS

26. Oblivious Transfer Secure Multi-party Computation: Yao, GMW 2 1 OT
Private Set Intersection, Private information retrieval
𝑛 1 OT

27. Oblivious Transfer R S R S Complete for MPC m1-r = ? r = ? m1 r 2 1 OT
….. mn r R
𝑛 1 OT S mr

28. A little diversion to RO Model
>> Love and hate relationship with this model
>> Many protocols have proof in RO model which otherwise does not have any proof.
>> Real protocol: RO replaced with hash functions
>> Protocol analyzed for Security: Hash functions replaced with RO box.
>> Proof is for any good?: Existence of such a proof implies the real protocol go wrong only when hash function does not simulate RO. Some proof better than no proof
>> Examples: RSA-OEAP (practically in use). CCA-secure extension of RSA
>> Finding proof under relatively realistic assumption (e.g. CR) than RO has been very challenging and considered to be great achievement!!
Random Function H: [m] × {0,1}k -> {0,1}l