Secure Computation using Leaky Correlations (Asymptotically Optimal Constructions)
Alexander R. Block¹, Divya Gupta², Hemanta K. Maji¹, Hai H. Nguyen¹
¹ Purdue University, {block9,hmaji,nguye245}@purdue.edu
² Microsoft Research, Bangalore, India, [email protected]
1 / 21
Correlated Private Randomness (Correlation)

[Figure: in the Preprocessing Phase a sample $(r_A, r_B) \sim (R_A, R_B)$ is drawn; Alice receives $r_A$ and Bob receives $r_B$. In the Online Phase the parties exchange the messages $m_{\mathrm{Alice}}$ and $m_{\mathrm{Bob}}$ (numbered 1 and 2). Leakage on the shares is written $L_{\mathrm{Alice}}(r_B)$ and $L_{\mathrm{Bob}}(r_A)$.]

Example: Parties can use $(r_A, r_B)$ to generate multiple samples of Oblivious Transfer in an online protocol, which can then be used to securely compute any circuit.

Notes:
- The preprocessing phase is independent of the functionality or the inputs fed to the functionality by the parties.
- Secret shares $(r_A, r_B)$ are vulnerable to arbitrary leakage attacks.

Question: Given such leakage attacks, how can we securely use the initial preprocessing?

2 / 21
Correlation Extractors (CorrExt)
- Introduced by Ishai, Kushilevitz, Ostrovsky, and Sahai at FOCS 2009 [IKOS09] to address leakage attacks.
- Take leaky correlations as input and produce secure independent copies of oblivious transfer (OT) (or Randomized OTs).

3 / 21
$(n, m, t, \varepsilon)$-Correlation Extractor for $(R_A, R_B)$

[Figure: Preprocessing Phase: $(r_A, r_B) \sim (R_A, R_B)$, $n$ bits in total, $r_A$ to Alice and $r_B$ to Bob. Leakage Phase: $t$-bit leakage on the honest party's share, under sender corruption or receiver corruption. $\varepsilon$-Secure Online Phase: messages $m_{\mathrm{Alice}}$ and $m_{\mathrm{Bob}}$ (1 and 2). Output Phase: fresh $\mathrm{ROT}_1, \mathrm{ROT}_2, \ldots, \mathrm{ROT}_m$.]

4 / 21
Correlation Extractors (CorrExt): which $(R_A, R_B)$?

Random Oblivious Transfer (ROT), $\mathrm{ROT}^{n/2}$: for each sample $i$, draw $m_0^{(i)}, m_1^{(i)}, c^{(i)} \xleftarrow{\$} \{0,1\}$. Alice receives the pairs $(m_0^{(i)}, m_1^{(i)})$, in total an element of $\{0,1\}^n$, and Bob receives the pairs $(c^{(i)}, m^{(i)}_{c^{(i)}})$, in total an element of $\{0,1\}^n$.

Random Oblivious Linear-function Evaluation ($\mathrm{ROLE}(\mathbb{F})$), $\mathrm{ROLE}(\mathbb{F})^{n/2}$: for each sample $i$, draw $a^{(i)}, b^{(i)}, x^{(i)} \xleftarrow{\$} \mathbb{F}$ and set $z^{(i)} := a^{(i)} x^{(i)} + b^{(i)}$. Alice receives the pairs $(a^{(i)}, b^{(i)})$, in total an element of $\mathbb{F}^n$, and Bob receives the pairs $(x^{(i)}, z^{(i)})$, in total an element of $\mathbb{F}^n$.

Note: $\mathrm{ROT} \equiv \mathrm{ROLE}(\mathrm{GF}[2])$, since $m_c = (m_1 - m_0)c + m_0$.

5 / 21
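The identity $m_c = (m_1 - m_0)c + m_0$ written out as code, as an added example that is not part of the deck: a sampler for $\mathrm{ROLE}(\mathrm{GF}(p))$ samples, the two maps that turn a $\mathrm{ROLE}(\mathrm{GF}[2])$ sample into an ROT sample and back ($m_0 = b$, $m_1 = a + b$, $c = x$, $m_c = z$), and consistency checks for both correlations. Function names and the field sizes are assumptions for the demo.

```python
"""ROT as ROLE over GF(2), and ROLE over a general prime field.
Added illustration, not the paper's code; the field size p and the
sample counts used below are constructed for the demo."""
import secrets


def sample_role(p, n):
    """n ROLE(GF(p)) samples: Alice gets (a, b), Bob gets (x, z = a*x + b mod p)."""
    alice, bob = [], []
    for _ in range(n):
        a, b, x = (secrets.randbelow(p) for _ in range(3))
        alice.append((a, b))
        bob.append((x, (a * x + b) % p))
    return alice, bob


def role2_to_rot(alice_role, bob_role):
    """Over GF(2): z = a*x + b = (m1 - m0)*c + m0 with m0 = b, m1 = a + b, c = x.
    Alice's (a, b) becomes (m0, m1); Bob's (x, z) is already (c, m_c)."""
    rot_alice = [(b, (a + b) % 2) for a, b in alice_role]
    rot_bob = [(x, z) for x, z in bob_role]
    return rot_alice, rot_bob


def rot_to_role2(rot_alice, rot_bob):
    """Inverse map: a = m1 - m0 (= m1 + m0 over GF(2)), b = m0; x = c, z = m_c."""
    alice_role = [((m1 - m0) % 2, m0) for m0, m1 in rot_alice]
    bob_role = [(c, mc) for c, mc in rot_bob]
    return alice_role, bob_role


def is_valid_rot(rot_alice, rot_bob):
    """Bob's message must be the one selected by his choice bit."""
    return all(mc == (m0, m1)[c] for (m0, m1), (c, mc) in zip(rot_alice, rot_bob))


def is_valid_role(p, alice_role, bob_role):
    """Every Bob share must satisfy z = a*x + b mod p against Alice's share."""
    return all(z == (a * x + b) % p for (a, b), (x, z) in zip(alice_role, bob_role))


if __name__ == "__main__":
    ra, rb = sample_role(2, 8)
    ta, tb = role2_to_rot(ra, rb)
    print("ROT from ROLE(GF(2)) consistent:", is_valid_rot(ta, tb))
    print("round trip exact:", rot_to_role2(ta, tb) == (ra, rb))
```

The round trip is exact because both maps are linear bijections on the shares; the same conversion is what lets the construction later treat leaky ROT as leaky $\mathrm{ROLE}(\mathrm{GF}[2])$.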
Prior Work and Our Contribution

| Result | Correlation | $m$ | $t$ | $\varepsilon$ | # messages |
|---|---|---|---|---|---|
| [IKOS09] | $\mathrm{ROT}^{n/2}$ | $\Theta(n)$ | $\Theta(n)$ | $2^{-\Theta(n)}$ | 4 |
| [GIMS15] | $\mathrm{ROT}^{n/2}$ | $n/\mathrm{poly}\log n$ | $(1/4 - g)n$ | $2^{-gn/m}$ | 2 |
| [GIMS15] | $\mathrm{IP}(\mathrm{GF}[2]^n)$ | 1 | $(1/2 - g)n$ | $2^{-gn}$ | 2 |
| [BMN17] | $\mathrm{IP}(K^{n/\lg|K|})$ | $n^{1-o(1)}$ | $(1/2 - g)n$ | $2^{-gn}$ | 2 |
| Our Work | $\mathrm{ROT}^{n/2}$ | $\Theta(n)$ | $\Theta(n)$ | $2^{-\Theta(n)}$ | 2 |
| Our Work | $\mathrm{ROLE}(\mathbb{F})^{n/2\lg|\mathbb{F}|}$ | $\Theta(n)$ | $\Theta(n)$ | $2^{-\Theta(n)}$ | 2 |
| [BMN18] | $\mathrm{IP}(K^{n/\lg|K|})$ | $\Theta(n)$ | $(1/2 - g)n$ | $2^{-gn}$ | 2 |

The inner-product correlation $\mathrm{IP}(K^{n/\lg|K|})$ is a correlation in which each party gets a vector in $K^{n/\lg|K|}$ such that their vectors are orthogonal.

Notes: In an ongoing work, we reduce the communication complexity of our extractors from $\Theta(n \log n)$ to $\Theta(n)$.

7 / 21
Main Results

Theorem (Asymptotically Optimal Correlation Extractor for ROT). There exists a 2-message $(n, m, t, \varepsilon)$-correlation extractor for $\mathrm{ROT}^{n/2}$ such that $m = \Theta(n)$, $t = \Theta(n)$, and $\varepsilon = 2^{-\Theta(n)}$.

The technical heart of this theorem is another correlation extractor for $\mathrm{ROLE}(\mathbb{F})$.

Theorem (Asymptotically Optimal Correlation Extractor for $\mathrm{ROLE}(\mathbb{F})$). For all large enough constant-sized fields $\mathbb{F}$ (e.g., $|\mathbb{F}| = 64$), there exists a 2-message $(n, m, t, \varepsilon)$-correlation extractor for $\mathrm{ROLE}(\mathbb{F})^{n/2\lg|\mathbb{F}|}$ such that $m = \Theta(n)$, $t = \Theta(n)$, and $\varepsilon = 2^{-\Theta(n)}$.

8 / 21
Comparison of Concrete Efficiency I

We compare our CorrExt for $\mathrm{ROLE}(\mathbb{F})$ with the [BMN17] CorrExt for $\mathrm{IP}(K^{n/\lg|K|})$.
- The [BMN17] CorrExt achieves its highest production rate when using $\mathrm{IP}(\mathrm{GF}[2^{n/4}]^4)$, and achieves leakage rate $t/n = (1/4 - g)$.
- We use $\mathrm{ROLE}(\mathbb{F})$ for $\mathbb{F} = \mathrm{GF}[2^{16}]$ as the comparison.

Production for a given $n$ and leakage rate $t/n$:

| $n$ | [BMN17] CorrExt, $t/n = (1/4 - g)$ | Our CorrExt, $t/n = 1\%$ | Our CorrExt, $t/n = 20\%$ |
|---|---|---|---|
| $10^3$ | 66 | 163 | 30 |
| $10^6$ | 5,223 | 163,200 | 30,000 |
| $10^9$ | 413,913 | 163,200,000 | 30,000,000 |

9 / 21
Comparison of Concrete Efficiency II

We compare our CorrExt for $\mathrm{ROT}^{n/2}$ with the [GIMS15] CorrExt for $\mathrm{ROT}^{n/2}$.
- [GIMS15] trades off simulation error to achieve higher production by sampling the ROTs.
  - Thus, to achieve negligible simulation error, the production is $m = n/(4\log_2^2 n)$ with leakage rate $t/n = 1\%$.
- Our CorrExt trades off leakage resilience to achieve higher production.
  - This tradeoff is inevitable due to information-theoretic results.

Production for a given $n$ at leakage rate $t/n = 1\%$:

| $n$ | [GIMS15] CorrExt, $t/n = 1\%$ | Our CorrExt, $t/n = 1\%$ |
|---|---|---|
| $10^3$ | 3 | 42 |
| $10^6$ | 625 | 42,000 |
| $10^9$ | 277,777 | 42,000,000 |

10 / 21
Construction Overview

Goal: Given the leaky correlation $\mathrm{ROT}^{n/2}$, Alice and Bob want to securely compute $m/2$ ROT samples.

[Figure: pipeline $\mathrm{ROT}^{n/2}$ with $t$ bits leaked $\to$ Bilinear Multiplication $\to$ $n'$ copies of $(\mathrm{ROLE}(\mathbb{F}))^{[t]}$ $\to$ EXT $\to$ $m'$ copies of $\mathrm{ROLE}(\mathbb{F})$ $\to$ BMN Embedding $\to$ $\mathrm{ROT}^{m/2}$.]

- We use the well-known bilinear multiplication algorithms [CC87, TVZ82] to implement multiplications over $\mathbb{F}$ using multiplications over $\mathrm{GF}[2]$.
  - Note that the $n'$ copies of $\mathrm{ROLE}(\mathbb{F})$ retain the same $t$-bit leakage!
- We use the [BMN17] embedding protocol to embed multiple samples of ROT into a single $\mathrm{ROLE}(\mathbb{F})$.
- The heart of our construction is the $\mathrm{ROLE}(\mathbb{F})$-to-$\mathrm{ROLE}(\mathbb{F})$ correlation extractor (EXT).

11 / 21
$(n', m', t, \varepsilon)$-$\mathrm{ROLE}(\mathbb{F})$-to-$\mathrm{ROLE}(\mathbb{F})$ CorrExt

Given a finite field $\mathbb{F}$:

[Figure: Preprocessing Phase: $(r_A, r_B) \sim \mathrm{ROLE}(\mathbb{F})^{n'/2}$, $n'$ elements of $\mathbb{F}$, $r_A$ to Alice and $r_B$ to Bob. Leakage Phase: $t$-bit leakage on the honest party's share, under sender corruption or receiver corruption. $\varepsilon$-Secure Online Phase: messages $m_{\mathrm{Alice}}$ and $m_{\mathrm{Bob}}$ (1 and 2). Output Phase: fresh $\mathrm{ROLE}_1, \mathrm{ROLE}_2, \ldots, \mathrm{ROLE}_{m'}$ over $\mathbb{F}$.]

12 / 21
Our $\mathrm{ROLE}(\mathbb{F})$-to-$\mathrm{ROLE}(\mathbb{F})$ CorrExt Construction

Let $\{C_j\}_{j \in J}$ be some appropriate family of linear codes over $\mathbb{F}^{m'+n'}$. From $\mathrm{ROLE}(\mathbb{F})^{n'}$, Alice holds $(a_{[n']}, b_{[n']})$ and Bob holds $(x_{[n']}, z_{[n']})$.

Bob samples $j \xleftarrow{\$} J$ and $r_{[-m', n']} \sim C_j$, and sends $j$ together with $m_i = r_i + x_i$.

Alice samples $u_{[-m', n']} \sim C_j$ and $v_{[-m', n']} \sim C_j * C_j$, and sends $\alpha_i = u_i - a_i$ and $\beta_i = a_i \cdot m_i + b_i + v_i$.

Here $m_i$, $\alpha_i$, and $\beta_i$ are computed for all $i \in \{1, \ldots, n'\}$.

Bob computes $t_i = \alpha_i \cdot r_i + \beta_i - z_i$ for all $i \in \{1, \ldots, n'\}$; substituting $z_i = a_i x_i + b_i$ and $m_i = r_i + x_i$ gives $t_i = u_i \cdot r_i + v_i$, a word of $C_j * C_j$ seen on the positions $\{1, \ldots, n'\}$.

Performing erasure recovery of $C_j * C_j$ on $t_{[n']}$, Bob obtains $t_k = u_k \cdot r_k + v_k$ for $k \in \{-m', \ldots, -1\}$.

13 / 21
Our Suitable Family of Codes: the Key

Let $\{C_j\}_{j \in J}$ be a family of linear codes of block length $s \in \mathbb{N}$ over a constant-sized field $\mathbb{F}$. For our ROLE-to-ROLE extractor to work, this family $\{C_j\}$ needs the following properties:
1. Each code $C_j$ is a multiplication-friendly good code:
   - the rate and distance of $C_j$, $C_j^\perp$, and $C_j * C_j := \langle c * c' : c, c' \in C_j \rangle$ are $\Theta(s)$.
2. $\{C_j\}$ is a small-bias family of distributions.

Key Technical Contribution: the construction of this family $\{C_j\}_{j \in J}$!

14 / 21
Small-Bias Family of Distributions

Our goal is for $\{C_j\}$ to be a family of pseudorandom distributions on linear tests.
- For any $S \in \mathbb{F}^s$, the vector $S$ defines the linear test $L_S(x) := x_1 S_1 + \cdots + x_s S_s$ for $x \in \mathbb{F}^s$.
- Consider the distribution $D_S$: sample $j \xleftarrow{\$} J$; sample $c \sim C_j$; output $L_S(c)$.
- If $\{C_j\}$ is $\rho$-biased, then $\mathrm{SD}(D_S, U_{\mathbb{F}}) \le \rho$, and we say $\{C_j\}$ $\rho$-fools $L_S$.
  - In fact, $\{C_j\}$ $\rho$-fools all linear tests.

15 / 21
Small-Bias Family of Distributions

We emphasize that a single linear code cannot fool all linear tests.
- For any linear code $C \subseteq \mathbb{F}^s$ and linear test $L_S$, if we sample $c \xleftarrow{\$} C$, then
  $$L_S(c) = \begin{cases} U_{\mathbb{F}} & S \notin C^\perp \\ 0 & S \in C^\perp \end{cases}$$
- Key insight: a single code cannot fool every linear test, but an appropriate family of linear codes can fool every linear test.
- Intuition: given this family, a fixed $S$ is unlikely to be in the dual of a randomly chosen code.

16 / 21
Code Construction: Multiplication Friendly

First we demonstrate how to construct a single code $C^*$ such that $C^*$, $(C^*)^\perp$, and $C^* * C^*$ have distance and rate $\Theta(s)$.
- There are explicit constructions of such multiplication-friendly codes: Algebraic Geometric (AG) codes [Gop81, GS96, CC06].
- We carefully choose the parameters of the AG code $C^*$ in our construction using Garcia-Stichtenoth curves [GS96] over constant-sized finite fields $\mathbb{F}$.

17 / 21
Code Construction: Small-bias Family ("Twist-then-Permute")

Fix our multiplication-friendly AG code $C^*$.
- Let $\lambda \in (\mathbb{F}^\times)^s$. We define the $\lambda$-twist of the code $C^*$ as
  $$C^* \ni (c_1, \ldots, c_s) \;\xmapsto{\;\lambda\text{-twist}\;}\; (\lambda_1 c_1, \ldots, \lambda_s c_s) \in C^*_\lambda$$
- $\lambda$ has no 0 entries $\Longrightarrow$ the rate and distance of $C^*_\lambda$ are the same as those of $C^*$.
- Let $\pi : \{1, \ldots, s\} \to \{1, \ldots, s\}$ be any permutation. We define the $\pi$-permutation of the code $C^*_\lambda$ as
  $$C^*_\lambda \ni (\lambda_1 c_1, \ldots, \lambda_s c_s) \;\xmapsto{\;\pi\text{-permutation}\;}\; (\lambda_{\pi(1)} c_{\pi(1)}, \ldots, \lambda_{\pi(s)} c_{\pi(s)}) \in C^*_{\pi,\lambda}$$
- Permutation of $C^*_\lambda$ does not change its rate or distance.

18 / 21
Code Construction: Small-bias Family

Let $J = \{(\pi, \lambda)\}$ for all permutations $\pi : \{1, \ldots, s\} \to \{1, \ldots, s\}$ and all $\lambda \in (\mathbb{F}^\times)^s$.

Theorem (Our Code Construction). The family of linear codes $\{C^*_j\}_{j \in J}$ over $\mathbb{F}^s$, where $|\mathbb{F}| = q$ is constant,
- is a family of multiplication-friendly good codes, and
- is a $2^{-\delta}$-bias family of distributions for $\delta = \Theta(s)$.

Notes: The parameter $\delta$ has a dependence on the dual distance $d^\perp$. Better $d^\perp$ yields smaller bias!

19 / 21
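The ROLE-to-ROLE extractor of slide 13, run end to end with the twist-then-permute family $J = \{(\pi, \lambda)\}$ of slides 18 and 19 as the code family, as an added worked example that is not the paper's code. Assumptions: the field is the toy prime field $\mathrm{GF}(97)$ rather than a constant-sized field chosen as in the theorem, and the base code $C^*$ is a Reed-Solomon code instead of an AG code (it is multiplication friendly in the same sense: its Schur square is the RS code with twice the degree, which is what the erasure-recovery step relies on). Parameters $m' = 2$, $n' = 7$, $k = 3$ and all function names are constructed for the demo.

```python
"""ROLE(F)-to-ROLE(F) correlation extractor (slide 13) instantiated with the
twist-then-permute family (slides 18-19). Added illustration, not the paper's
code. Assumptions: F = GF(P) for a toy prime P; base code C* is a Reed-Solomon
code (the paper uses AG codes); block length s = M_OUT + N_IN must be <= P."""
import secrets

P = 97             # toy prime field GF(P)
K = 3              # dimension of C*: evaluations of polynomials of degree < K
M_OUT = 2          # m': fresh ROLE samples produced (positions -m'..-1)
N_IN = 7           # n': leaky ROLE samples consumed (positions 1..n')
S = M_OUT + N_IN   # block length s; erasure recovery needs N_IN >= 2K-1
EVAL_POINTS = list(range(1, S + 1))   # distinct evaluation points in GF(P)

def rand_field():
    return secrets.randbelow(P)

def rand_unit():                       # element of F^x, never 0
    return 1 + secrets.randbelow(P - 1)

def poly_eval(coeffs, x):              # Horner; coeffs[0] is the constant term
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def sample_rs_codeword(degree_bound):
    """Random codeword of {(f(e))_{e in EVAL_POINTS} : deg f < degree_bound}."""
    coeffs = [rand_field() for _ in range(degree_bound)]
    return [poly_eval(coeffs, e) for e in EVAL_POINTS]

def sample_index():
    """j = (pi, lambda) uniform over J: a random permutation and a unit vector."""
    pi = list(range(S))
    for i in range(S - 1, 0, -1):      # Fisher-Yates shuffle
        r = secrets.randbelow(i + 1)
        pi[i], pi[r] = pi[r], pi[i]
    return pi, [rand_unit() for _ in range(S)]

def twist_permute(codeword, j, power=1):
    """x_p = lambda_{pi(p)}^power * c_{pi(p)}. power=1 gives C*_{pi,lambda};
    power=2 maps C* * C* onto the Schur square C_j * C_j."""
    pi, lam = j
    return [pow(lam[pi[p]], power, P) * codeword[pi[p]] % P for p in range(S)]

def sample_code(j):                    # c ~ C_j
    return twist_permute(sample_rs_codeword(K), j, 1)

def sample_schur_code(j):              # v ~ C_j * C_j (degree < 2K-1 under the twist)
    return twist_permute(sample_rs_codeword(2 * K - 1), j, 2)

def lagrange_eval(xs, ys, x0):
    """Evaluate at x0 the unique polynomial of degree < len(xs) through (xs, ys)."""
    total = 0
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num = den = 1
        for jj, xj in enumerate(xs):
            if jj != i:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def erasure_recover_schur(t_known, j):
    """Erasure recovery of C_j * C_j: from t_p on the n' input positions
    (p in [M_OUT, S)) recover t_q on the m' output positions (q < M_OUT).
    Bob knows j, so he divides out lambda^2, interpolates the degree < 2K-1
    polynomial underneath, and re-applies the twist at the missing positions."""
    pi, lam = j
    xs = [EVAL_POINTS[pi[p]] for p in range(M_OUT, S)]
    ys = [t_known[p - M_OUT] * pow(lam[pi[p]], P - 3, P) % P for p in range(M_OUT, S)]
    return [pow(lam[pi[q]], 2, P) * lagrange_eval(xs, ys, EVAL_POINTS[pi[q]]) % P
            for q in range(M_OUT)]

def sample_role(n):
    """n leaky ROLE(F) samples: Alice gets (a, b), Bob gets (x, z = a*x + b)."""
    a = [rand_field() for _ in range(n)]
    b = [rand_field() for _ in range(n)]
    x = [rand_field() for _ in range(n)]
    return (a, b), (x, [(a[i] * x[i] + b[i]) % P for i in range(n)])

def run_extractor():
    (a, b), (x, z) = sample_role(N_IN)
    # Message 1 (Bob): pick j, r ~ C_j, send j and m_i = r_i + x_i for i in [n'].
    j = sample_index()
    r = sample_code(j)
    m = [(r[M_OUT + i] + x[i]) % P for i in range(N_IN)]
    # Message 2 (Alice): u ~ C_j, v ~ C_j * C_j, send alpha_i and beta_i.
    u = sample_code(j)
    v = sample_schur_code(j)
    alpha = [(u[M_OUT + i] - a[i]) % P for i in range(N_IN)]
    beta = [(a[i] * m[i] + b[i] + v[M_OUT + i]) % P for i in range(N_IN)]
    # Bob: t_i = alpha_i r_i + beta_i - z_i = u_i r_i + v_i on the input positions.
    t_in = [(alpha[i] * r[M_OUT + i] + beta[i] - z[i]) % P for i in range(N_IN)]
    t_out = erasure_recover_schur(t_in, j)
    alice_out = [(u[q], v[q]) for q in range(M_OUT)]    # fresh (a, b)
    bob_out = [(r[q], t_out[q]) for q in range(M_OUT)]  # fresh (x, z)
    return alice_out, bob_out

def outputs_are_role(alice_out, bob_out):
    """Check z = a*x + b on every fresh sample."""
    return all((uq * rq + vq) % P == tq
               for (uq, vq), (rq, tq) in zip(alice_out, bob_out))

if __name__ == "__main__":
    print("fresh ROLE(F) samples consistent:", outputs_are_role(*run_extractor()))
```

The check `outputs_are_role` is only a correctness test of the arithmetic; it says nothing about leakage resilience, which in the paper comes from the properties of the code family (slide 14) and the small-bias argument, not from anything observable in one run.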
Showing Small-bias: High Level Idea

We give our key observation towards demonstrating that the family $\{C^*_j\}$ is a family of small-bias distributions.
- Fix $0^s \ne S \in \mathbb{F}^s$ and draw $(\pi, \lambda) \xleftarrow{\$} J$.
- Draw $x \sim C^*_{\pi,\lambda}$ and consider $L_S(x)$:
$$L_S(x) = \sum_{i=1}^{s} x_i S_i = \sum_{i=1}^{s} (c_{\pi(i)} \lambda_{\pi(i)}) S_i = \sum_{i=1}^{s} (c_i \lambda_i) S_{\pi^{-1}(i)} = \sum_{i=1}^{s} c_i (S_{\pi^{-1}(i)} \lambda_i) = \sum_{i=1}^{s} c_i T_i = L_T(c)$$
- Here $T \xleftarrow{\$} \mathbb{F}^s$ such that $\mathrm{wt}(T) = \mathrm{wt}(S)$, and $c \sim C^*$.

20 / 21
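An exact computation of the two situations on slides 15, 16 and 20, added here as an illustration and not part of the deck: for a single linear code, a test $S \in C^\perp$ is answered by the constant 0, so $\mathrm{SD}(L_S(c), U_{\mathbb{F}}) = 1 - 1/q$; over the twist-then-permute family the same test is moved onto $C^*$ as $L_T(c)$ with $T_i = S_{\pi^{-1}(i)}\lambda_i$, and the bias collapses to $(1 - 1/q) \cdot \Pr[T \in C^{*\perp}]$. The $[4,2]$ code over $\mathrm{GF}(5)$, its generator matrix, the test vectors and all function names are constructed for the demo; the family is small enough to enumerate in full.

```python
"""Bias of a single linear code versus the twist-then-permute family against
linear tests, computed exactly over a toy field. Added illustration, not the
paper's code; the [4,2] code C* over GF(5) and the test vectors are constructed."""
from fractions import Fraction
from itertools import permutations, product

Q = 5                          # toy field GF(Q)
S_LEN = 4                      # block length s
GEN = [[1, 0, 1, 1],           # generator matrix of C* (constructed); its dual
       [0, 1, 1, 2]]           # distance is 3: no weight-1 or weight-2 dual word

def codewords():
    """All Q^2 codewords of C* = row span of GEN over GF(Q)."""
    return [[sum(a * g[i] for a, g in zip(coeffs, GEN)) % Q for i in range(S_LEN)]
            for coeffs in product(range(Q), repeat=len(GEN))]

def linear_test(S, x):
    """L_S(x) = x_1 S_1 + ... + x_s S_s over GF(Q)."""
    return sum(si * xi for si, xi in zip(S, x)) % Q

def in_dual(S):
    """S in C*^perp iff it is orthogonal to every generator row."""
    return all(linear_test(S, g) == 0 for g in GEN)

def twist_permute(c, pi, lam):
    """x_i = lambda_{pi(i)} c_{pi(i)}: a word of C*_{pi,lambda}."""
    return [lam[pi[i]] * c[pi[i]] % Q for i in range(S_LEN)]

def stat_distance(counts, total):
    """SD between the distribution given by counts and uniform U_F on GF(Q)."""
    return sum(abs(Fraction(counts.get(v, 0), total) - Fraction(1, Q))
               for v in range(Q)) / 2

def bias_single_code(S):
    """SD(L_S(c), U_F) for c uniform in C*: 0 if S not in C*^perp, else 1 - 1/Q."""
    counts = {}
    for c in codewords():
        v = linear_test(S, c)
        counts[v] = counts.get(v, 0) + 1
    return stat_distance(counts, Q ** len(GEN))

def bias_family(S):
    """Exact SD(D_S, U_F): j = (pi, lambda) uniform over J, then c uniform in C*_j."""
    counts, total = {}, 0
    words = codewords()
    for pi in permutations(range(S_LEN)):
        for lam in product(range(1, Q), repeat=S_LEN):   # lambda in (F^x)^s
            for c in words:
                v = linear_test(S, twist_permute(c, pi, lam))
                counts[v] = counts.get(v, 0) + 1
                total += 1
    return stat_distance(counts, total)

def matches_transferred_test(S, c, pi, lam):
    """Slide-20 identity: L_S(x) = L_T(c) for x = twist_permute(c, pi, lam) and
    T_i = S_{pi^-1(i)} * lambda_i, i.e. the test is moved onto the fixed code C*."""
    pi_inv = [pi.index(i) for i in range(S_LEN)]
    T = [S[pi_inv[i]] * lam[i] % Q for i in range(S_LEN)]
    return linear_test(S, twist_permute(c, pi, lam)) == linear_test(T, c)

if __name__ == "__main__":
    S_dual = [4, 4, 1, 0]      # constructed: orthogonal to both rows of GEN
    print("single code, S in dual:", bias_single_code(S_dual))   # 4/5
    print("family,      S in dual:", bias_family(S_dual))        # 1/20
```

For $S = (4, 4, 1, 0) \in C^{*\perp}$ the family bias is $1/20$: $T$ is uniform over the $4 \cdot 4^3 = 256$ weight-3 vectors, of which 16 lie in $C^{*\perp}$, so $\Pr[T \in C^{*\perp}] = 1/16$ and $(1 - 1/5) \cdot 1/16 = 1/20$. A larger dual distance shrinks the number of low-weight dual words and hence this probability, which is the dependence on $d^\perp$ noted on slide 19.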
Conclusions

Contribution I: There exists a correlation extractor that
- uses $n/2$ independent samples of ROT,
- produces $\Theta(n)$ secure independent OTs,
- is resilient to $\Theta(n)$ bits of leakage,
- has $2^{-\Theta(n)}$ security, and
- uses only 2 messages.

Contribution II: There exists a family of linear codes such that
- each code in the family is a multiplication-friendly good code,
- the Schur product code of each code in the family is a multiplication-friendly good code, and
- the family is a small-bias family of distributions.

Thank You!

21 / 21