Secure Computation using Leaky Correlations (Asymptotically Optimal Constructions)

Alexander R. Block¹, Divya Gupta², Hemanta K. Maji¹, Hai H. Nguyen¹

¹ Purdue University, {block9,hmaji,nguye245}@purdue.edu
² Microsoft Research, Bangalore, India, [email protected]


Correlated Private Randomness (Correlation)

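$(r_A, r_B) \sim (R_A, R_B)$

[Figure: a Preprocessing Phase in which Alice receives $r_A$ and Bob receives $r_B$, followed by an Online Phase with two messages, $m_{Bob}$ and $m_{Alice}$. Leakage is marked as $L_{Alice}(r_B)$ and $L_{Bob}(r_A)$.]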


Example: Parties can use $(r_A, r_B)$ to generate multiple samples of Oblivious Transfer (OT) in an online protocol, which can then be used to securely compute any circuit.


Notes:

  • The preprocessing phase is independent of the functionality or the inputs fed to the functionality by the parties.
  • Secret shares $(r_A, r_B)$ are vulnerable to arbitrary leakage attacks.


Question: Given such leakage attacks, how can we securely use the initial preprocessing?


Correlation Extractors (CorrExt)

  • Introduced by Ishai, Kushilevitz, Ostrovsky, and Sahai at FOCS 2009 [IKOS09] to address leakage attacks.
  • Take leaky correlations as input and produce secure independent copies of oblivious transfer (OT) (or Randomized OTs).


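$(n, m, t, \varepsilon)$-Correlation Extractor for $(R_A, R_B)$

[Figure: the four phases of a correlation extractor.
  • Preprocessing Phase: $(r_A, r_B) \sim (R_A, R_B)$, with $n$-bit shares $r_A$ and $r_B$.
  • Leakage Phase: $t$-bit leakage, under sender corruption or receiver corruption.
  • $\varepsilon$-Secure Online Phase: two messages, $m_{Bob}$ and $m_{Alice}$.
  • Output Phase: fresh ROT samples $\mathrm{ROT}_1, \mathrm{ROT}_2, \ldots, \mathrm{ROT}_m$.]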


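Correlation Extractors (CorrExt): which $(R_A, R_B)$?

Random Oblivious Transfer (ROT), $\mathrm{ROT}^{n/2}$:

$m_0^{(i)}, m_1^{(i)}, c^{(i)} \xleftarrow{\$} \{0,1\}$

$(m_0^{(i)}, m_1^{(i)}) \in \{0,1\}^n \qquad (c^{(i)}, m^{(i)}_{c^{(i)}}) \in \{0,1\}^n$

Random Oblivious Linear-function Evaluation (ROLE($\mathbb{F}$)), $\mathrm{ROLE}(\mathbb{F})^{n/2}$:

$a^{(i)}, b^{(i)}, x^{(i)} \xleftarrow{\$} \mathbb{F}$

$z^{(i)} := a^{(i)} x^{(i)} + b^{(i)}$

$(a^{(i)}, b^{(i)}) \in \mathbb{F}^n \qquad (x^{(i)}, z^{(i)}) \in \mathbb{F}^n$

Note: $\mathrm{ROT} \equiv \mathrm{ROLE}(GF[2])$ since $m_c = (m_1 - m_0)c + m_0$.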


Prior Work and Our Contribution

| Result | Correlation | $m$ | $t$ | $\varepsilon$ | # |
|---|---|---|---|---|---|
| [IKOS09] | $\mathrm{ROT}^{n/2}$ | $\Theta(n)$ | $\Theta(n)$ | $2^{-\Theta(n)}$ | 4 |
| [GIMS15] | $\mathrm{ROT}^{n/2}$ | $n / \mathrm{poly}\log n$ | $(1/4 - g)n$ | $2^{-gn/m}$ | 2 |
| | $\mathrm{IP}(GF[2]^n)$ ³ | $1$ | $(1/2 - g)n$ | $2^{-gn}$ | 2 |
| [BMN17] | $\mathrm{IP}(K^{n/\lg\lvert K\rvert})$ | $n^{1-o(1)}$ | $(1/2 - g)n$ | $2^{-gn}$ | 2 |
| Our Work | $\mathrm{ROT}^{n/2}$ | $\Theta(n)$ | $\Theta(n)$ | $2^{-\Theta(n)}$ | 2 |
| | $\mathrm{ROLE}(\mathbb{F})^{n/(2\lg\lvert\mathbb{F}\rvert)}$ | $\Theta(n)$ | $\Theta(n)$ | $2^{-\Theta(n)}$ | 2 |
| [BMN18] | $\mathrm{IP}(K^{n/\lg\lvert K\rvert})$ | $\Theta(n)$ | $(1/2 - g)n$ | $2^{-gn}$ | 2 |

³ The inner-product correlation $\mathrm{IP}(K^{n/\lg\lvert K\rvert})$ is a correlation in which each party gets a vector in $K^{n/\lg\lvert K\rvert}$ such that their vectors are orthogonal.

Notes: In an ongoing work, we reduce the communication complexity of our extractors from $\Theta(n \log n)$ to $\Theta(n)$.


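Main Results

Theorem (Asymptotically Optimal Correlation Extractor for ROT). There exists a 2-message $(n, m, t, \varepsilon)$-correlation extractor for $\mathrm{ROT}^{n/2}$ such that

$m = \Theta(n), \qquad t = \Theta(n), \qquad \varepsilon = 2^{-\Theta(n)}$.

The technical heart of this theorem is another correlation extractor for $\mathrm{ROLE}(\mathbb{F})$.

Theorem (Asymptotically Optimal Correlation Extractor for $\mathrm{ROLE}(\mathbb{F})$). For all large enough constant sized fields $\mathbb{F}$ (e.g., $\lvert\mathbb{F}\rvert = 64$), there exists a 2-message $(n, m, t, \varepsilon)$-correlation extractor for $\mathrm{ROLE}(\mathbb{F})^{n/(2\lg\lvert\mathbb{F}\rvert)}$ such that

$m = \Theta(n), \qquad t = \Theta(n), \qquad \varepsilon = 2^{-\Theta(n)}$.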


Comparison of Concrete Efficiency I

We compare our CorrExt for $\mathrm{ROLE}(\mathbb{F})$ with the [BMN17] CorrExt for $\mathrm{IP}(K^{n/\lg\lvert K\rvert})$.

  • The [BMN17] CorrExt achieves highest production rate when using $\mathrm{IP}(GF[2^{n/4}]^4)$, and achieves leakage rate $t/n = (1/4 - g)$.
  • We shall use $\mathrm{ROLE}(\mathbb{F})$ for $\mathbb{F} = GF[2^{16}]$ as a comparison.

| $n$ | [BMN17] CorrExt, $t/n = (1/4 - g)$ | Our CorrExt, $t/n = 1\%$ | Our CorrExt, $t/n = 20\%$ |
|---|---|---|---|
| $10^3$ | 66 | 163 | 30 |
| $10^6$ | 5,223 | 163,200 | 30,000 |
| $10^9$ | 413,913 | 163,200,000 | 30,000,000 |


Comparison of Concrete Efficiency II

We compare our CorrExt for $\mathrm{ROT}^{n/2}$ with the [GIMS15] CorrExt for $\mathrm{ROT}^{n/2}$.

  • [GIMS15] trades off simulation error to achieve higher production by sampling the ROTs.
      • Thus, to achieve negligible simulation error, the production is $m = n/(4\log^2(n))$ with leakage rate $t/n = 1\%$.
  • Our CorrExt trades off leakage resilience to achieve higher production.
      • This tradeoff is inevitable due to information theoretic results.

| $n$ | [GIMS15] CorrExt, $t/n = 1\%$ | Our CorrExt, $t/n = 1\%$ |
|---|---|---|
| $10^3$ | 3 | 42 |
| $10^6$ | 625 | 42,000 |
| $10^9$ | 277,777 | 42,000,000 |


Construction Overview

Goal: Given leaky correlation $\mathrm{ROT}^{n/2}$, Alice and Bob want to securely compute $m/2$ ROT samples.

[Figure: construction pipeline. Stages: $\mathrm{ROT}^{n/2}$ with $t$ bits leaked; $n'$ copies of $(\mathrm{ROLE}(\mathbb{F}))^{[t]}$; $m'$ copies of $\mathrm{ROLE}(\mathbb{F})$; $\mathrm{ROT}^{m/2}$. Boxes: BMN Embedding (twice), Bilinear Multiplication, EXT.]

  • We use the well-known bilinear multiplication algorithms [CC87, TVZ82] to implement multiplications over $\mathbb{F}$ using multiplications over $GF[2]$.
      • Note the $n'$ copies of $\mathrm{ROLE}(\mathbb{F})$ retain the same $t$-bit leakage!
  • We use the [BMN17] embedding protocol to embed multiple samples of ROT into a single $\mathrm{ROLE}(\mathbb{F})$.
  • The heart of our construction is this $\mathrm{ROLE}(\mathbb{F})$-to-$\mathrm{ROLE}(\mathbb{F})$ correlation extractor.


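$(n', m', t, \varepsilon)$-$\mathrm{ROLE}(\mathbb{F})$-to-$\mathrm{ROLE}(\mathbb{F})$ CorrExt

Given finite field $\mathbb{F}$:

[Figure: the four phases of the ROLE-to-ROLE correlation extractor.
  • Preprocessing Phase: $(r_A, r_B) \sim \mathrm{ROLE}(\mathbb{F})^{n'/2}$, with shares $r_A$ and $r_B$ of $n'$ elements of $\mathbb{F}$.
  • Leakage Phase: $t$-bit leakage, under sender corruption or receiver corruption.
  • $\varepsilon$-Secure Online Phase: two messages, $m_{Bob}$ and $m_{Alice}$.
  • Output Phase: fresh $\mathrm{ROLE}(\mathbb{F})$ samples $\mathrm{ROLE}_1, \mathrm{ROLE}_2, \ldots, \mathrm{ROLE}_{m'}$.]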


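Our $\mathrm{ROLE}(\mathbb{F})$-to-$\mathrm{ROLE}(\mathbb{F})$ CorrExt Construction

Let $\{C_j\}_{j \in J}$ be some appropriate family of linear codes over $\mathbb{F}^{m'+n'}$.

Input correlation $\mathrm{ROLE}(\mathbb{F})^{n'}$: Alice holds $(a_{[n']}, b_{[n']})$ and Bob holds $(x_{[n']}, z_{[n']})$.

  • Bob samples $j \xleftarrow{\$} J$ and $r_{[-m',n']} \sim C_j$, and sends $m_i = r_i + x_i$ together with $j$.
  • Alice samples $u_{[-m',n']} \sim C_j$ and $v_{[-m',n']} \sim C_j * C_j$, and sends $\alpha_i = u_i - a_i$ and $\beta_i = a_i \cdot m_i + b_i + v_i$.
  • $m_i$, $\alpha_i$, and $\beta_i$ are computed for all $i \in \{1, \ldots, n'\}$.
  • Bob computes $t_i = \alpha_i \cdot r_i + \beta_i - z_i$ for all $i \in \{1, \ldots, n'\}$.
  • Performing erasure recovery of $C_j * C_j$ on $t_{[n']}$, Bob obtains $t_k = u_k \cdot r_k + v_k$ for $k \in \{-m, \ldots, -1\}$.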
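The two-message exchange above, run end to end as an added example (not code from the slides or the authors). It assumes a single Reed-Solomon code over the prime field $\mathbb{F}_{257}$ in place of the family $\{C_j\}$, so it checks only the algebra $t_k = u_k r_k + v_k$ and the erasure recovery, not leakage resilience; all function names are hypothetical.

```python
import secrets

P = 257  # prime field F_P, chosen for this example (assumption)

def rand_poly(n_coeffs):
    """Uniform polynomial of degree < n_coeffs: a uniform Reed-Solomon codeword."""
    return [secrets.randbelow(P) for _ in range(n_coeffs)]

def evaluate(poly, x):
    """Horner evaluation of poly (lowest coefficient first) at x, mod P."""
    acc = 0
    for coeff in reversed(poly):
        acc = (acc * x + coeff) % P
    return acc

def interpolate_at(xs, ys, x0):
    """Value at x0 of the unique polynomial of degree < len(xs) through (xs, ys)."""
    total = 0
    for i, (xi, yi) in enumerate(zip(xs, ys)):
        num, den = 1, 1
        for j, xj in enumerate(xs):
            if j != i:
                num = num * (x0 - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def sample_role(n):
    """n samples of ROLE(F): Alice gets (a, b), Bob gets (x, z = a*x + b)."""
    a = [secrets.randbelow(P) for _ in range(n)]
    b = [secrets.randbelow(P) for _ in range(n)]
    x = [secrets.randbelow(P) for _ in range(n)]
    z = [(ai * xi + bi) % P for ai, xi, bi in zip(a, x, b)]
    return (a, b), (x, z)

def run_extractor(n_prime, m_prime, k):
    """Return Alice's [(u_k, v_k)] and Bob's [(r_k, t_k)] for the m' output positions.

    C is the Reed-Solomon code of dimension k, so C*C is the Reed-Solomon code
    of dimension 2k-1; erasure recovery needs n' >= 2k-1 known positions.
    """
    if not (m_prime <= k and 2 * k - 1 <= n_prime and m_prime + n_prime < P):
        raise ValueError("need m' <= k, 2k-1 <= n' and m'+n' < |F|")
    out_pts = list(range(1, m_prime + 1))                      # positions -m'..-1
    in_pts = list(range(m_prime + 1, m_prime + n_prime + 1))   # positions 1..n'
    (a, b), (x, z) = sample_role(n_prime)

    # Message 1 (Bob): r ~ C, m_i = r_i + x_i.
    r_poly = rand_poly(k)
    r_in = [evaluate(r_poly, pt) for pt in in_pts]
    m = [(ri + xi) % P for ri, xi in zip(r_in, x)]

    # Message 2 (Alice): u ~ C, v ~ C*C, alpha_i = u_i - a_i, beta_i = a_i*m_i + b_i + v_i.
    u_poly, v_poly = rand_poly(k), rand_poly(2 * k - 1)
    alpha = [(evaluate(u_poly, pt) - ai) % P for pt, ai in zip(in_pts, a)]
    beta = [(ai * mi + bi + evaluate(v_poly, pt)) % P
            for pt, ai, mi, bi in zip(in_pts, a, m, b)]

    # Bob: t_i = alpha_i*r_i + beta_i - z_i, which equals u_i*r_i + v_i, a codeword of C*C.
    t_in = [(al * ri + be - zi) % P for al, ri, be, zi in zip(alpha, r_in, beta, z)]

    # Erasure recovery: positions -m'..-1 of t are erased; interpolate them from t_[n'].
    t_out = [interpolate_at(in_pts, t_in, pt) for pt in out_pts]

    alice = [(evaluate(u_poly, pt), evaluate(v_poly, pt)) for pt in out_pts]
    bob = [(evaluate(r_poly, pt), tk) for pt, tk in zip(out_pts, t_out)]
    return alice, bob

if __name__ == "__main__":
    alice_out, bob_out = run_extractor(n_prime=12, m_prime=3, k=4)
    for (u, v), (r, t) in zip(alice_out, bob_out):
        print(f"u={u} v={v} r={r} t={t} ok={t == (u * r + v) % P}")
```

Each output pair is a ROLE sample with Alice holding $(u_k, v_k)$ and Bob holding $(r_k, t_k)$; the parameter check rejects any setting where $C * C$ has too few known positions to recover the erased ones.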


Our Suitable Family of Codes: the Key

  • Let $\{C_j\}_{j \in J}$ be a family of linear codes of block length $s \in \mathbb{N}$ over a constant sized field $\mathbb{F}$.
  • For our ROLE-to-ROLE extractor to work, this family $\{C_j\}$ needs the following properties:

  1. Each code $C_j$ is a multiplication friendly good code:
       • the rate and distance of $C_j$, $C_j^{\perp}$, and $C_j * C_j := \langle c * c' : c, c' \in C_j \rangle$ are $\Theta(s)$.
  2. $\{C_j\}$ is a small-bias family of distributions.

Key Technical Contribution: Construction of this family $\{C_j\}_{j \in J}$!


Small-Bias Family of Distributions

Our goal is for $\{C_j\}$ to be a family of pseudorandom distributions on linear tests.

  • For any $S \in \mathbb{F}^s$, the vector $S$ defines the linear test $L_S(x) := x_1 S_1 + \cdots + x_s S_s$ for $x \in \mathbb{F}^s$.
  • Consider the distribution $D_S$:
      sample: $j \xleftarrow{\$} J$
      sample: $c \sim C_j$
      output: $L_S(c)$
  • If $\{C_j\}$ is $\rho$-biased, then $\mathrm{SD}(D_S, U_{\mathbb{F}}) \le \rho$, and we say $\{C_j\}$ $\rho$-fools $L_S$.
      • In fact, $\{C_j\}$ $\rho$-fools all linear tests.


Small-Bias Family of Distributions

We emphasize that a single linear code cannot fool all linear tests.

  • For any linear code $C \subseteq \mathbb{F}^s$ and linear test $L_S$:
      • If we sample $c \xleftarrow{\$} C$, then

$$L_S(c) = \begin{cases} U_{\mathbb{F}} & S \notin C^{\perp} \\ 0 & S \in C^{\perp} \end{cases}$$

  • Key insight: a single code cannot fool every linear test.
      • But an appropriate family of linear codes can fool every linear test.
  • Intuition: given this family, a fixed $S$ is unlikely to be in the dual of a randomly chosen code.

Code Construction: Multiplication Friendly

First we demonstrate how to construct a single code $C^*$ such that $C^*$, $(C^*)^{\perp}$, and $C^* * C^*$ have distance and rate $\Theta(s)$.

There are explicit constructions of such multiplication friendly codes: Algebraic Geometric (AG) Codes [Gop81, GS96, CC06].

We carefully choose the parameters of the AG code $C^*$ in our construction using Garcia-Stichtenoth curves [GS96] over constant sized finite fields $\mathbb{F}$.

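Code Construction: Small-bias Family (“Twist-then-Permute”)

Fix our multiplication friendly AG code $C^*$.

Let $\lambda \in (\mathbb{F}^{\times})^s$. We define a $\lambda$-twist of the code $C^*$ as

$$C^* \ni (c_1, \ldots, c_s) \;\xrightarrow{\ \lambda\text{-twist}\ }\; (\lambda_1 c_1, \ldots, \lambda_s c_s) \in C^*_{\lambda}$$

$\lambda$ has no 0 entries $\implies$ rate and distance of $C^*_{\lambda}$ are the same as $C^*$.

Let $\pi : \{1, \ldots, s\} \to \{1, \ldots, s\}$ be any permutation. We define a $\pi$-permutation of the code $C^*_{\lambda}$ as

$$C^*_{\lambda} \ni (\lambda_1 c_1, \ldots, \lambda_s c_s) \;\xrightarrow{\ \pi\text{-permutation}\ }\; (\lambda_{\pi(1)} c_{\pi(1)}, \ldots, \lambda_{\pi(s)} c_{\pi(s)}) \in C^*_{\pi,\lambda}$$

Permutation of $C^*_{\lambda}$ does not change its rate or distance.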

Code Construction: Small-bias Family

Let $J = \{(\pi, \lambda)\}$ for all permutations $\pi : \{1, \ldots, s\} \to \{1, \ldots, s\}$ and $\lambda \in (\mathbb{F}^{\times})^s$.

Theorem (Our Code Construction)
The family of linear codes $\{C^*_j\}_{j \in J}$ over $\mathbb{F}^s$, where $|\mathbb{F}| = q$ is constant,

• is a family of multiplication friendly good codes, and
• is a $2^{-\delta}$-bias family of distributions for $\delta = \Theta(s)$.

Notes
The parameter $\delta$ has a dependence on the dual distance $d^{\perp}$. Better $d^{\perp}$ yields smaller bias!

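Showing Small-bias: High Level Idea

We give our key observation towards demonstrating that the family $\{C^*_j\}$ is a family of small-bias distributions.

Fix $0^s \neq S \in \mathbb{F}^s$ and draw $(\pi, \lambda) \stackrel{\$}{\leftarrow} J$.

Draw $x \sim C^*_{\pi,\lambda}$ and consider $L_S(x)$.

$$L_S(x) = \sum_{i=1}^{s} x_i S_i = \sum_{i=1}^{s} (c_{\pi(i)} \lambda_{\pi(i)}) S_i = \sum_{i=1}^{s} (c_i \lambda_i) S_{\pi^{-1}(i)} = \sum_{i=1}^{s} c_i (S_{\pi^{-1}(i)} \lambda_i) = \sum_{i=1}^{s} c_i T_i = L_T(c)$$

Here $T \stackrel{\$}{\leftarrow} \mathbb{F}^s$ such that $\mathrm{wt}(T) = \mathrm{wt}(S)$ and $c \sim C^*$.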
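
Added example (not from the slides): an exhaustive check of the two claims above on a constructed toy [4,2] code over F_5 standing in for C*. A test vector S in the dual makes the single code fully biased, while the twist-then-permute family has small bias equal to Pr[T in dual] · (1 − 1/q), as the identity L_S(x) = L_T(c) implies. The parameters `Q`, `G` and `S_DUAL` are assumptions chosen for illustration; the toy code is not an AG code.

```python
from fractions import Fraction
from itertools import permutations, product

Q, S_LEN = 5, 4                      # toy field F_5 and block length s (constructed)
G = [(1, 0, 1, 1), (0, 1, 1, 2)]     # generator of a toy [4,2] code standing in for C*

def dot(u, v):
    """Linear test L_u(v) = sum_i u_i v_i over F_Q."""
    return sum(a * b for a, b in zip(u, v)) % Q

def codewords():
    """All Q^k codewords of the code generated by G."""
    return [tuple(sum(m * g[i] for m, g in zip(msg, G)) % Q for i in range(S_LEN))
            for msg in product(range(Q), repeat=len(G))]

def sd_from_uniform(counts):
    """Exact statistical distance between a histogram over F_Q and U_F."""
    total = sum(counts)
    return sum(abs(Fraction(n, total) - Fraction(1, Q)) for n in counts) / 2

def family():
    """Every index j = (pi, lambda): pi a permutation, lambda in (F^x)^s."""
    return product(permutations(range(S_LEN)), product(range(1, Q), repeat=S_LEN))

def sd_single_code(S):
    """SD(L_S(c), U_F) for c uniform in the one fixed code."""
    counts = [0] * Q
    for c in codewords():
        counts[dot(S, c)] += 1
    return sd_from_uniform(counts)

def sd_family(S):
    """SD(D_S, U_F): j uniform in J, x_i = lambda_pi(i) * c_pi(i), output L_S(x)."""
    counts, cws = [0] * Q, codewords()
    for pi, lam in family():
        for c in cws:
            x = [lam[pi[i]] * c[pi[i]] % Q for i in range(S_LEN)]
            counts[dot(S, x)] += 1
    return sd_from_uniform(counts)

def dual_hit_probability(S):
    """Pr over (pi, lambda) that T, with T_i = S_{pi^-1(i)} * lambda_i, is in the dual."""
    hits = total = 0
    for pi, lam in family():
        T = [S[pi.index(i)] * lam[i] % Q for i in range(S_LEN)]
        hits += all(dot(T, g) == 0 for g in G)
        total += 1
    return Fraction(hits, total)

S_DUAL = (4, 4, 1, 0)                # constructed test vector lying in the dual of G

if __name__ == "__main__":
    print("single code:", sd_single_code(S_DUAL))
    print("family     :", sd_family(S_DUAL))
    print("Pr[T in dual] * (1 - 1/q):", dual_hit_probability(S_DUAL) * Fraction(Q - 1, Q))
```

The check covers one fixed S; the theorem's bias bound is over every nonzero S and concerns the asymptotic AG construction, which this toy code does not reproduce.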

Conclusions

Contribution I: There exists a correlation extractor that
• uses n/2 independent samples of ROT
• produces Θ(n) secure independent OTs
• is resilient to Θ(n) bits of leakage
• has $2^{-\Theta(n)}$ security
• uses only 2 messages

Contribution II: There exists a family of linear codes such that
• each code in the family is a multiplication friendly good code
• the Schur product code of each code in the family is a multiplication friendly good code
• the family is a small-bias family of distributions

Thank You!
