Part II: Pseudorandom Correlation Generators What are they? How - - PowerPoint PPT Presentation


SLIDE 1

Part II: Pseudorandom Correlation Generators

  • What are they?
  • How can we build them?
SLIDE 2

Recall: Succinct Secure Computation from HSS

  • Inputs: x (party 0) and x' (party 1). Securely compute Share(x, x') to obtain HSS shares y0, y1
  • Each party runs Eval_C locally on its share, producing output shares w0, w1
  • Exchange the additive output shares: w = w0 + w1 = C(x, x')

SLIDE 3

What if Additive Shares ARE the Output Goal?

Same pipeline: securely compute Share(x, x') to get HSS shares y0, y1; each party runs Eval_C locally to get w0, w1 with w0 + w1 = C(x, x').

If additive shares of C(x, x') are what the application needs, the final exchange is not needed!

SLIDE 4

Is this ever actually desired?

SLIDE 5

Secure Computation with Preprocessing [Beaver '91]

  • Preprocessing phase (input-independent): produces correlated randomness
  • Online phase: interactive protocol on inputs x, y computing f(x, y), consuming the correlated randomness
  • Information-theoretic
  • Constant computation and communication overhead

The preprocessing phase dominates the overall cost.
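
The online phase of Beaver's protocol for one multiplication gate, as an added worked example (not code from the slides): two parties, simulated in one process, hold additive shares of x and y over a prime field together with shares of a preprocessed random triple (a, b, ab); they open only the masked values x − a and y − b, and everything else is local. The prime modulus and the dealer-style triple generation are assumptions of the example; in the silent setting a PCG would replace the dealer.

```python
"""Beaver's online phase for one multiplication, as an added illustration of
secure computation with preprocessing (not code from the slides).  Assumed
setting: two parties, simulated in one process, hold additive shares over
F_p of inputs x and y and of a preprocessed random triple (a, b, c = ab).
Only d = x - a and e = y - b are opened; they are uniform and reveal
nothing about x, y.  Every other step is local arithmetic on shares."""
import random

P = 2**61 - 1  # prime modulus of the share field (assumption for the example)

def share(v, rng):
    """Additive sharing: s0 uniform, s1 = v - s0 (mod P)."""
    s0 = rng.randrange(P)
    return s0, (v - s0) % P

def reconstruct(s0, s1):
    return (s0 + s1) % P

def beaver_triple(rng):
    """Preprocessing (dealer): shares of a random triple (a, b, ab).
    A PCG lets both parties expand many such triples from short seeds."""
    a, b = rng.randrange(P), rng.randrange(P)
    return share(a, rng), share(b, rng), share(a * b % P, rng)

def beaver_multiply(x_shares, y_shares, triple):
    """Online phase for both parties; returns shares (z0, z1) of z = x*y.

    Party i masks locally, d_i = x_i - a_i and e_i = y_i - b_i, the two
    (d_i, e_i) pairs are exchanged (the only communication), and then
    z_i = c_i + d*b_i + e*a_i + [i == 0]*d*e.
    """
    (a0, a1), (b0, b1), (c0, c1) = triple
    x0, x1 = x_shares
    y0, y1 = y_shares
    d = reconstruct((x0 - a0) % P, (x1 - a1) % P)   # opened value x - a
    e = reconstruct((y0 - b0) % P, (y1 - b1) % P)   # opened value y - b
    z0 = (c0 + d * b0 + e * a0 + d * e) % P          # only party 0 adds d*e
    z1 = (c1 + d * b1 + e * a1) % P
    return z0, z1

def multiply_with_preprocessing(x, y, seed=7):
    """End-to-end: share inputs, consume one triple, reconstruct x*y."""
    rng = random.Random(seed)
    triple = beaver_triple(rng)
    z0, z1 = beaver_multiply(share(x, rng), share(y, rng), triple)
    return reconstruct(z0, z1)
```

Opening d and e is safe because a and b are uniform and used once; correctness follows from c + d·b + e·a + d·e = ab + (x − a)b + (y − b)a + (x − a)(y − b) = xy. One triple is consumed per multiplication gate, which is why producing triples cheaply is where the cost goes.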

SLIDE 6

Secure Computation with Silent Preprocessing [BCGI 18, BCGIKS 19]

  • Setup functionality: a "small" setup protocol outputs correlated, short seeds
  • Silent expansion: each party locally expands its seed into correlated pseudorandomness
  • Online phase: as before, computing f(x, y) from the expanded correlation
  • Less communication
  • Lower storage costs

SLIDE 7

"Silent" Generation of Large Correlations

Securely compute Share(x, x') once to obtain HSS shares y0, y1; each party then runs Eval_C locally to obtain w0, w1, which are additive shares of C(x, x'), with no further interaction.

SLIDE 8

Pseudorandom correlation generators

SLIDE 9

Standard Pseudorandom Generators (PRG)

Short random seed s ↦ PRG(s): long pseudorandomness.

∀ PPT distinguisher: PRG(s) ≈ Random

SLIDE 10

Pseudorandom Correlation Generators (PCG)

Short seeds s0, s1 ↦ PCG0(s0) = X0, PCG1(s1) = X1: long pseudorandom, correlated outputs.

Expand to long correlated outputs: (X0, X1) ≈ (R0, R1) ← R, the target correlation.

Challenge: s_σ should give no information on X_{1−σ} beyond X_σ.

SLIDE 11

Constructions of PCGs

  • Multi-party linear correlations (PRG) [GI 99], [CDI 05]
  • Vector-OLE (LPN) [BCGI 18]
  • OT (LPN), constant-degree polynomials (LPN), low-degree via HSS (LWE, pairings, MQ), truth tables (PRG), multi-party bilinear (LPN, LWE) [BCGIKS 19], [BCGIKRS 19]
  • Also: [BCGIO 17], [S 18] (less practical)

SLIDE 12

Generic PCG construction for “Additive” Correlations from HSS

SLIDE 13

Additive Correlations

Distribution R outputs a pair of keys (K0, K1) that are additive shares of a sample:

  • Additive shares of Beaver triples: (a, b, ab), …
  • Authenticated Beaver triples: τ, (a, b, ab), τ·(a, b, ab), … (shares of the triple and of its product with the MAC key τ)
  • Truth table correlations: f(x − r1, y − r2), … (shares of the table of f shifted by random offsets r1, r2)

SLIDE 14

Homomorphic Secret Sharing (HSS) for program class P

x ↦ Share(x) = (x0, x1); party i computes y_i = Eval_P(x_i); y0 + y1 = P(x).

  • Security: x_i hides x
  • Size: |x_i| ~ |x|
  • Correctness: Eval_P(x0) + Eval_P(x1) = P(x)

SLIDE 15

HSS ⇒ PCG for Additive Correlations [BCGIO17]

Consider the program P: s ↦ PRG expansion of the short seed s into long pseudorandomness, followed by sampling from distribution R with those coins.

Share(s) = (s0, s1); Eval_P(s0) and Eval_P(s1) are additive shares of a sample of R, i.e. the keys (K0, K1).

Question: Concretely efficient HSS for PRG?

SLIDE 16

Landscape of HSS – Concrete Efficiency

  • "High-level": LWE+, circuits [DHRW16, BGI15, BGILT18] (builds on top of FHE…)
  • "Mid-level": branching programs from DDH [BGI16, BCGIO17, DKK18], Paillier [FGJS17], LWE [BKS19] (faster…)
  • "Low-level": OWF; point functions, conjunctions, intervals, decision trees [GI14, BGI15, BGI16b] (fast! ~200 million Evals per second [GKWY19])
  • "Algorithmica" (no cryptographic assumption): linear functions [Ben86]

Growing number of applications… Lightweight HSS for simple computations.

SLIDE 17

Concrete Efficiency…?

Yes! Concretely efficient PCGs based on LPN. For today:

  • “Vector OLE” Correlation
  • “Oblivious Transfer” Correlation
SLIDE 18

Oblivious Linear Evaluation (OLE) [NP99] & Vector OLE

  • Enables secure computation of arithmetic circuits / vector operations

OLE over 𝔽: sender inputs (a, b), receiver inputs x; receiver learns ax + b.

VOLE over 𝔽: sender inputs vectors a, b; receiver inputs a scalar x; receiver learns the vector ax + b.

SLIDE 19

Goal: PCG for Vector OLE Correlation

  • Pseudorandom vectors a, b
  • Pseudorandom field element x and ax + b

Short seeds s0, s1: PCG0(s0) ↦ (a, b); PCG1(s1) ↦ (x, ax + b).

SLIDE 20

Learning Parity with Noise (LPN) over 𝔽 (LWE with low-Hamming-weight noise)

Public M, secret s, sparse noise e (random 𝔽 elements in a few positions):

    M·s + e ≈ Uniform   (even given M)

Note: parameterized by M and by the noise distribution.

SLIDE 21

Our LPN Regime

  • LPN over 𝔽: currently no better attacks than over 𝔽_2
  • High dimension k
  • Low noise (noise rate 1/k^ε for some constant ε)
  • Bounded number of samples

In this regime:

  • No improvement known over the standard Gaussian elimination attack (guessing noise-free coordinates)
  • Not known to imply public-key encryption
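
The regime's standard attack, as an added example (not code from the slides): a toy LPN instance over a small prime field (field size and parameters are assumptions) and the Gaussian-elimination attack that guesses k noise-free samples, solves for the secret and checks the candidate against all samples. Running it with larger n and fixed k, t makes the attack succeed in fewer guesses, which is the reason the regime above bounds the number of samples.

```python
"""LPN over F_p in the low-noise regime and the standard attack mentioned
above: guess noise-free coordinates and run Gaussian elimination.
Added illustration, not code from the slides; field size and parameters
are toy assumptions.  Instance: public M (n x k), secret s in F_p^k,
noise e with exactly t nonzero entries, samples y = M*s + e."""
import random

P = 65537  # toy prime; the slides' regime also covers F_2

def lpn_instance(k, n, t, rng):
    """Sample (M, s, e, y) with y = M*s + e over F_p and weight(e) = t."""
    M = [[rng.randrange(P) for _ in range(k)] for _ in range(n)]
    s = [rng.randrange(P) for _ in range(k)]
    e = [0] * n
    for i in rng.sample(range(n), t):          # t distinct noisy positions
        e[i] = rng.randrange(1, P)
    y = [(sum(M[i][j] * s[j] for j in range(k)) + e[i]) % P for i in range(n)]
    return M, s, e, y

def solve_mod_p(A, b):
    """Solve A*x = b over F_p by Gauss-Jordan elimination; None if singular."""
    k = len(A)
    aug = [row[:] + [bi] for row, bi in zip(A, b)]
    for col in range(k):
        piv = next((r for r in range(col, k) if aug[r][col]), None)
        if piv is None:
            return None
        aug[col], aug[piv] = aug[piv], aug[col]
        inv = pow(aug[col][col], P - 2, P)
        aug[col] = [v * inv % P for v in aug[col]]
        for r in range(k):
            if r != col and aug[r][col]:
                f = aug[r][col]
                aug[r] = [(vr - f * vc) % P for vr, vc in zip(aug[r], aug[col])]
    return [row[k] for row in aug]

def residual_weight(M, y, cand):
    """How many samples a candidate secret fails to explain."""
    k = len(cand)
    return sum(1 for i in range(len(y))
               if (sum(M[i][j] * cand[j] for j in range(k)) - y[i]) % P)

def gaussian_elimination_attack(M, y, t, rng, max_tries=10_000):
    """Guess k noise-free samples, solve, accept if <= t samples are unexplained.
    A guess is noise-free with probability about (1 - t/n)^k, so for fixed k
    and t the attack gets easier as n grows (hence 'bounded number of samples')."""
    n, k = len(M), len(M[0])
    for tries in range(1, max_tries + 1):
        idx = rng.sample(range(n), k)
        cand = solve_mod_p([M[i] for i in idx], [y[i] for i in idx])
        if cand is not None and residual_weight(M, y, cand) <= t:
            return cand, tries
    return None, max_tries

def demo(k=8, n=64, t=4, seed=1):
    """Return (recovered == true secret, number of guesses) for one instance."""
    rng = random.Random(seed)
    M, s, _, y = lpn_instance(k, n, t, rng)
    found, tries = gaussian_elimination_attack(M, y, t, rng)
    return found == s, tries
```

With k = 8, n = 64, t = 4 a random guess is noise-free with probability roughly (60/64)^8 ≈ 0.6, so the secret falls in a handful of guesses; the point of the real parameters (k in the thousands, noise rate 1/k^ε, n bounded) is that this probability becomes exponentially small.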

SLIDE 22

Learning Parity with Noise (LPN) over 𝔽

M·s + e ≈ Uniform (even given M).

Idea: leverage linearity to reduce the problem to the sparse case.

SLIDE 23

Primal Construction

  • Start with a short VOLE correlation: (c, d) on one side; x and cx + d on the other

SLIDE 24

Primal Construction

  • Start with a short VOLE correlation (c, d; x, cx + d) … and expand using the public matrix M:

    C = M·c,  D = M·d,  M·(cx + d) = Cx + D

VOLE correctness ✔   VOLE security ❌: C, D are distinguishable from random!

SLIDE 25

Primal Construction

Add sparse noise: a' (sparse), b', and a'x + b' (secret shares of a'x):

    C = M·c + a',  D = M·d + b',  M·(cx + d) + (a'x + b') = Cx + D

VOLE correctness ✔   VOLE security ✔

SLIDE 26

Primal Construction

LPN ⇒ M·c + a' is pseudorandom, so it suffices to compress this distribution: sparse a', b', and a'x + b', where b' and a'x + b' are secret shares of a'x.

SLIDE 27

Compressing Sparse Correlations

Wanted: K0 ↦ (a', b'), K1 ↦ (x, a'x + b'), where b' and a'x + b' are secret shares of a'x (note: a' is sparse and can be represented succinctly).

SLIDE 28

Compressing Sparse Correlations

What if a' had ONE nonzero value? Then the wanted outputs are a long pseudorandom string (b') and a string (a'x + b') that differs from it in exactly one position, the location of a'.

Idea: use "punctured PRFs".

SLIDE 29

GGM Pseudo-Random Function (PRF) [Goldreich-Goldwasser-Micali 84]

Seed s → PRG → pseudorandomness; apply the PRG recursively down a binary tree (PRG, PRG, PRG, …) to get very long pseudorandomness: the PRF value at input j is the leaf reached by following the bits of j from the root.

SLIDE 30

Punctured Pseudorandom Functions [Boneh-Waters'13, Kiayias-Papadopoulos-Triandopoulos-Zacharias'13, Boyle-Goldwasser-Ivan'13]

x*-punctured PRF key s*: can evaluate the PRF on all points except x*.

For the GGM PRF: give the evaluations of all sibling nodes along the path from the root s to x*. Punctured key size = λ × tree depth.

SLIDE 31

Primal Construction: All the Pieces

Seeds: a small VOLE (c, d; x, cx + d); sparse a' (positions and values) and punctured PRF keys S* for party 0; full PRF keys S for party 1. The punctured PRFs realize the multi-point function a'x.

Party 0: C = M·c + a',  D = M·d + PRF-Eval(S*)
Party 1: x,  M·(cx + d) + PRF-Eval(S) = Cx + D

SLIDES 32-35

LPN: Dual Interpretation

Primal view: G·s + e ≈ uniform (even given the public G), i.e. a random noisy codeword of the code generated by G; e is sparse noise.

Dual view: let H be the parity-check matrix of G (H spans the kernel of G). Applying H removes the codeword: H·(G·s + e) = H·e.

LPN hard for G ⇒ compressing the noise vector by the kernel H is pseudorandom: H·e ≈ uniform.

SLIDE 36

Dual Construction

Seeds: sparse a' and punctured PRF keys S* for party 0; x and full PRF keys S for party 1 (PRFs punctured at the points of a'x). Public parity-check matrix H.

Party 0: C = H·a',  D = H·PRF-Eval(S*)
Party 1: x,  H·PRF-Eval(S) = Cx + D
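
The primal construction (slides 23-31) and the dual construction (slide 36) end to end, as an added worked example that is not code from the slides. It assumes a prime share field, a SHA-256-based length-doubling PRG for the GGM tree, toy parameters, and a trusted dealer standing in for the setup functionality; the dealer hands party 0 the punctured keys plus a one-element correction per point (PRF(i) − αx, which party 0 cannot compute itself) and party 1 the full keys, so that the two expansions are additive shares of the multi-point function a'x.

```python
"""PCG for the VOLE correlation from a GGM punctured PRF plus LPN (primal and
dual variants).  Added worked example, not code from the slides.  Assumptions:
field F_p with p = 2^61 - 1, a SHA-256-based PRG for the GGM tree, toy sizes,
and a trusted dealer (the setup functionality) handing out the short seeds.
VOLE: party 0 holds vectors (a, b); party 1 holds scalar x and w = a*x + b."""
import hashlib
import random

P = 2**61 - 1

def prg(seed, bit):
    """GGM length-doubling PRG: child `bit` (0 or 1) of a tree node."""
    return hashlib.sha256(seed + bytes([bit])).digest()[:16]

def leaf(seed):  # map a leaf seed to a field element (the PRF output)
    return int.from_bytes(hashlib.sha256(b"leaf" + seed).digest(), "big") % P

def ggm_all(root, depth):
    """All 2^depth PRF outputs (tree leaves) in index order."""
    nodes = [root]
    for _ in range(depth):
        nodes = [prg(n, b) for n in nodes for b in (0, 1)]
    return [leaf(n) for n in nodes]

def puncture(root, depth, i):
    """Punctured key for leaf i: the sibling of every node on i's path."""
    node, sibs = root, []
    for lvl in range(depth):
        b = (i >> (depth - 1 - lvl)) & 1
        sibs.append(prg(node, 1 - b))
        node = prg(node, b)
    return sibs

def punctured_all(sibs, depth, i):
    """Every PRF output except position i (left as 0) from a punctured key."""
    out = [0] * (1 << depth)
    for lvl, s in enumerate(sibs):
        rem = depth - lvl - 1                 # height of this sibling subtree
        b = (i >> rem) & 1
        base = ((i >> (rem + 1)) << (rem + 1)) | ((1 - b) << rem)
        out[base:base + (1 << rem)] = ggm_all(s, rem)
    return out

def vadd(u, v):
    return [(p + q) % P for p, q in zip(u, v)]

def matvec(M, v):
    return [sum(m * u for m, u in zip(row, v)) % P for row in M]

def public_matrix(rows, cols, tag):
    r = random.Random(tag)  # both parties derive the public M / H from an agreed tag
    return [[r.randrange(P) for _ in range(cols)] for _ in range(rows)]

def sparse_vole_seeds(x, depth, t, rng):
    """Dealer: seeds compressing (a', b', a'x + b') with a' a sum of t points.
    Party 0 gets positions, values, punctured keys and corrections; party 1 gets
    only full GGM keys, so neither seed reveals the other side's secret."""
    keys0, keys1 = [], []
    for i in rng.sample(range(1 << depth), t):
        alpha = rng.randrange(1, P)
        root = rng.getrandbits(128).to_bytes(16, "big")
        gamma = (ggm_all(root, depth)[i] - alpha * x) % P   # PRF(i) - alpha*x
        keys0.append((i, alpha, puncture(root, depth, i), gamma))
        keys1.append(root)
    return keys0, keys1

def expand_sparse0(keys0, depth):
    """Party 0: explicit sparse a' and its share b' of a'x."""
    a_sp, b_sp = [0] * (1 << depth), [0] * (1 << depth)
    for i, alpha, sibs, gamma in keys0:
        vals = punctured_all(sibs, depth, i)
        vals[i] = gamma                       # the dealer's correction fills the hole
        a_sp[i] = (a_sp[i] + alpha) % P
        b_sp = vadd(b_sp, vals)
    return a_sp, b_sp

def expand_sparse1(keys1, depth):
    """Party 1: w' = a'x + b' is just the sum of the full PRF evaluations."""
    return [sum(v) % P for v in zip(*(ggm_all(r, depth) for r in keys1))]

def primal_vole(k, depth, t, seed=3):
    """Primal: short VOLE of length k expanded by public M (2^depth x k) + noise."""
    rng, M = random.Random(seed), public_matrix(1 << depth, k, "primal-M")
    x = rng.randrange(P)
    c, d = [[rng.randrange(P) for _ in range(k)] for _ in range(2)]
    cxd = [(ci * x + di) % P for ci, di in zip(c, d)]   # party 1's small-VOLE share
    keys0, keys1 = sparse_vole_seeds(x, depth, t, rng)
    a_sp, b_sp = expand_sparse0(keys0, depth)            # party 0 expands (c, d, keys0)
    a, b = vadd(matvec(M, c), a_sp), vadd(matvec(M, d), b_sp)
    w = vadd(matvec(M, cxd), expand_sparse1(keys1, depth))  # party 1 expands (x, cxd, keys1)
    return a, b, x, w

def dual_vole(n, depth, t, seed=5):
    """Dual: sparse noise of length 2^depth compressed by public H (n x 2^depth)."""
    rng, H = random.Random(seed), public_matrix(n, 1 << depth, "dual-H")
    x = rng.randrange(P)
    keys0, keys1 = sparse_vole_seeds(x, depth, t, rng)
    a_sp, b_sp = expand_sparse0(keys0, depth)            # party 0
    return matvec(H, a_sp), matvec(H, b_sp), x, matvec(H, expand_sparse1(keys1, depth))

def is_vole(a, b, x, w):
    return all((ai * x + bi) % P == wi for ai, bi, wi in zip(a, b, w))
```

Correctness is linear in both variants: for the primal, (M·c + a')x + (M·d + b') = M·(cx + d) + (a'x + b'); for the dual, (H·a')x + H·b' = H·(a'x + b'). The dual needs no small VOLE at all, and its seed is just t punctured-key / full-key pairs, which is what lets it stretch to any polynomial length as recapped on slide 37.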

SLIDE 37

Recap: PCGs from LPN

"Primal" construction: seed (s, e); expand to A·s + e with a public m × n matrix A.
  • Increasing the output length m ⇒ must increase n or HW(e)
  • Limited to quadratic stretch

"Dual" construction: seed e; expand to H·e with a public (m − n) × m matrix H.
  • Arbitrary polynomial stretch (increase m, fix HW(e)) ⇒ best attack: exp(HW(e))

  • Security: both equivalent to LPN (if H is the parity-check matrix of the code generated by A)

SLIDE 38

A brief note on generating OT correlations

SLIDE 39

Oblivious Transfer & OT Correlation

  • Complete primitive for general secure computation [Kilian]

OT: sender inputs (X0, X1); receiver inputs b ∈ {0,1} and learns X_b.

OT correlation (preprocessing form): sender holds random pairs (X0, X1), …; receiver holds (b, X_b), ….

SLIDE 40

Oblivious Transfer Correlation

  • Problem: need many OTs… and OT is expensive ("public-key")
  • OT extension: many OTs from a few base OTs + symmetric crypto [IKNP03]
  • Problem: large communication O(nλ) for n OTs
  • "Silent" OT extension [BCGIKS19]: communication sublinear in n

Preprocessing OT correlation: (X0, X1), … / (b, X_b), …. Prior work: large (linear) communication; "Silent OT" [BCGIKS19]: sublinear.

SLIDE 41

"Silent" OT Extension: Securely Generating Seeds

  • 2-round secure seed generation protocol (building from Vector OLE)
  • Hash the vector OLE outputs to destroy unwanted correlations (similar to [IKNP03])
  • Active security:
    • Lightweight PPRF consistency checks for a malicious sender
    • Allows selective-failure attacks: the sender can guess 1 bit of the LPN error
    • Assume the problem is hard with 1-bit leakage
    • 10-20% overhead on top of semi-honest
  • Implementation:
    • Main challenge: fast multiplication by H
    • Quasi-cyclic H: polynomial multiplication mod X^N − 1
    • Security based on quasi-cyclic syndrome decoding / ring-LPN
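
Two ways an OT correlation is consumed, as an added example (not code from the slides) covering the OT correlation of slide 39 and the "hash the vector OLE outputs" step above. The first turns a random OT correlation into an OT on chosen messages with one message each way (Beaver's OT precomputation, a standard technique not spelled out on the slides); the second derives random OTs from a VOLE over 𝔽_2 with a λ-bit scalar Δ by hashing, the IKNP-style correlation-breaking step. The hash, the lengths and the dealer are assumptions of the example.

```python
"""Consuming OT correlations.  Added example, not code from the slides.
(1) Precomputed OT (Beaver's OT precomputation): a random OT correlation,
    sender (X0, X1) / receiver (c, Xc), becomes an OT on chosen messages
    (m0, m1) with choice bit b using one message each way and only XORs.
(2) Random OT from VOLE over F_2 by hashing, the IKNP-style step of the
    slide: with scalar Delta in {0,1}^lambda and 0/1 coefficients a_j, the
    VOLE receiver holds (a_j, t_j) and the VOLE sender holds Delta and
    q_j = t_j xor a_j*Delta.  Hashing turns each entry into an OT pair
    (H(q_j), H(q_j xor Delta)) of which the receiver knows the a_j-th one,
    H(t_j), and removes the fixed-Delta relation shared by all pairs.
Hash function, lengths and the dealer are assumptions of the example."""
import hashlib
import random

LAM = 16  # security parameter in bytes (assumption)

def xor(u, v):
    return bytes(p ^ q for p, q in zip(u, v))

def rand_bytes(rng):
    return rng.getrandbits(8 * LAM).to_bytes(LAM, "big")

def ot_correlation(seed):
    """Dealer: one random OT correlation (what a silent OT PCG would expand)."""
    rng = random.Random(seed)
    x0, x1, c = rand_bytes(rng), rand_bytes(rng), rng.getrandbits(1)
    return (x0, x1), (c, x1 if c else x0)

def precomputed_ot(sender_corr, receiver_corr, m0, m1, b):
    """Chosen-message OT from a random OT correlation; returns what the receiver gets."""
    x0, x1 = sender_corr
    c, xc = receiver_corr
    d = b ^ c                          # receiver -> sender; d hides b because c is random
    y0 = xor(m0, x1 if d else x0)      # sender -> receiver: m0 masked with x_d,
    y1 = xor(m1, x0 if d else x1)      #                     m1 masked with x_{1-d}
    return xor(y1 if b else y0, xc)    # receiver: x_c = x_{b xor d} unmasks y_b only

def f2_vole(n, seed):
    """Dealer: n-entry VOLE over F_2 with scalar Delta: q_j = t_j xor a_j*Delta."""
    rng = random.Random(seed)
    delta, send, recv = rand_bytes(rng), [], []
    for _ in range(n):
        a, t = rng.getrandbits(1), rand_bytes(rng)
        recv.append((a, t))
        send.append(xor(t, delta) if a else t)
    return delta, send, recv

def H(j, v):
    """Hash with the OT index j as a tweak (domain separation between entries)."""
    return hashlib.sha256(j.to_bytes(4, "big") + v).digest()[:LAM]

def vole_to_random_ot(delta, send, recv):
    """Sender: pairs (H(q_j), H(q_j xor Delta)); receiver: (a_j, H(t_j))."""
    sender_pairs = [(H(j, q), H(j, xor(q, delta))) for j, q in enumerate(send)]
    receiver = [(a, H(j, t)) for j, (a, t) in enumerate(recv)]
    return sender_pairs, receiver
```

Without the hash, every sender pair would satisfy X1 = X0 ⊕ Δ with the same Δ, so learning one pair in full would break all the others; hashing each half separately is what turns the correlated pairs into independent-looking random OTs, and it is the only non-linear step in the pipeline.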
SLIDE 42

Runtimes (ms) for n = 10 million random OTs: IKNP OT Extension vs Silent OT Extension

Network        | IKNP OT ext. | Silent OT ext. | Ratio
LAN (10 Gbps)  |          268 |           2441 | IKNP 9x faster
WAN (100 Mbps) |        13728 |           2726 | Silent 5x faster
WAN (10 Mbps)  |       128854 |           2756 | Silent 47x faster

Total communication: 160 MB (IKNP) vs 127 kB (Silent).

SLIDE 43

Summary: Homomorphic Secret Sharing

  • Many interesting applications!
  • Constructions:
    • Part I: simple HSS for branching programs from lattices (R/LWE)
    • Part II: "Pseudorandom Correlation Generators" from LPN

[Figures: HSS: x → Share → (x1, x2) → Eval_f → (y1, y2) with y1 + y2 = f(x).  Part I multiplication step: shares of x·sk and y·sk → LinDec → Round → Lift → shares of x·y·sk.  PCG: short seeds s0, s1 → PCG0, PCG1 → long pseudorandom X0, X1.]

SLIDE 44

Open Problems

  • HSS constructions
    • 3+ party HSS (beyond pathetic)
    • Beyond branching programs (without FHE)
    • FHE-style bootstrapping?
    • Lower bounds? Necessity of certain assumptions/tools?
  • Pseudorandom correlation generators
    • Efficient constructions for further correlations
    • Understanding the power of additive correlations
    • New applications
  • Better efficiency! (for all of the above)