Thank you very much for the introduction. Hi everyone, I'm Lisa. I'm happy to be here today to talk about pseudorandom correlation generators and why they're useful. This is joint work with Elette Boyle, Geoffroy Couteau, Niv Gilboa, Yuval Ishai and Peter Scholl.

The setting we're in is secure two-party computation, where Alice and Bob want to securely evaluate a function on their inputs without leaking anything more than the function output. This is great, and we have known how to do it for a long time, but the problem is always efficiency. One way to deal with this is to push the expensive cryptographic part to an offline preprocessing phase, which can be done long before the inputs are known; once the inputs are known, the online phase is very efficient and has lots of nice properties. But now we have merely shifted the expensive part to the preprocessing phase. In particular, even though the parties can generate the correlated randomness they need long ahead of time, they have to store it for a long time, and generating it requires lots of communication. So what we did in this work is to significantly reduce the cost of communication and storage.

The correlation I want to focus on today is oblivious transfer; we have already briefly seen it in the previous talks today. To recall: Alice and Bob execute a protocol such that Alice learns exactly one of Bob's two messages, and Bob doesn't learn anything about which of the two she learned. The correlated random strings then look something like the blue parts you see here, the inputs and outputs of Alice and Bob. These strings typically have to be long to compute circuits. Why is that? If you consider, for example, the GMW protocol, you require two OTs per AND gate, so for a huge circuit you will need a huge number of those correlated OTs.

In theory, if you have OT, we can do all of this, but it is very expensive: computationally expensive, because OT lives in the public-key world. This part already has a solution, as we've also seen in the first talk today: a hybrid approach, where you use a few base OTs and do the rest with cheap symmetric-key cryptography. This is super nice and solves the problem from a computational viewpoint. But, as I said before, we still have the problem that the communication and storage required is linear in the number of OTs we want to generate. Of course, this is inherent if we care about chosen OT, where Alice and Bob actually choose their messages. But for the setting we're in, secure computation, we just need the messages to be random. And if you think about communication: if you just care about random messages, you don't need communication linear in the number of messages. You can just exchange a short seed for a PRG and then locally extend it. This is exactly what we did in this work; we got rid of this part of the communication. We call this silent OT extension, where the extension is local, which makes the communication and storage sublinear in the number of OTs to be generated. And how do we do this? What's the tool to achieve this?
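(As a quick illustration of that "exchange a short seed, then expand locally" idea, here is a minimal sketch in Python, using SHAKE-256 from the standard library as the PRG. The function name and the lengths are my own choices for illustration, not part of any protocol discussed in the talk.)

```python
import hashlib

def prg_expand(seed: bytes, out_len: int) -> bytes:
    """Expand a short seed into a long pseudorandom string.

    SHAKE-256 is an extendable-output function, so it can stand in
    for a PRG in this illustration.
    """
    return hashlib.shake_256(seed).digest(out_len)

# Both parties exchange one short seed, once and cheaply...
seed = b"\x00" * 16
# ...and can then locally derive a megabyte of shared pseudorandomness.
long_string = prg_expand(seed, 1_000_000)
assert long_string == prg_expand(seed, 1_000_000)  # deterministic expansion
```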
The tool is so-called pseudorandom correlation generators (PCGs), where Alice and Bob have short seeds that are correlated in some way, and then they can locally expand them to get long correlated pseudorandom strings. How does this help us for what we want to achieve? Well, because the seeds are short, a few OTs are sufficient to exchange them, and then the parties can locally expand them without any communication. If the correlation we have a PCG for is the OT correlation, then the long strings will be many, many OTs, which can then be used for an efficient online phase.

What I want to stress in particular is that PCGs have this silent feature: the only thing communication is necessary for is the short seeds. In particular, the storage and communication now only depend on the seed size, and for the expansion no more communication is necessary. You can even do this for multi-party protocols, with many parties, even if you are not sure whether you will engage in a secure computation in the future, because all you have to do is store a very short seed.

There have been constructions of PCGs for very simple correlations, like multilinear correlations from one-way functions, since twenty years ago. There were also constructions for more complex correlations, but not really practical ones. The first construction for a complex correlation that was also practical was from last year: vector oblivious linear function evaluation (VOLE) from the learning parity with noise (LPN) assumption. This work builds on that one.

So what we did in this work: we formally defined pseudorandom correlation generators for general correlations. We gave two-way connections to homomorphic secret sharing. And we gave concrete constructions: for oblivious transfer from the LPN assumption, or more generally for constant-degree correlations; for one-time truth tables, just based on one-way functions; and for low-degree correlations in the two-party and multi-party setting, from either the multivariate quadratic assumption, or again LPN together with learning with errors (also over rings), or the symmetric external Diffie-Hellman assumption. In the talk today I want to focus on the definition of PCGs for general correlations, and on oblivious transfer from the LPN assumption.

Okay, so how can you define pseudorandom correlation generators?
You have two algorithms: a key-generation algorithm Gen that generates short correlated seeds, and an expansion algorithm Expand that you can use to locally expand those seeds into long correlated strings. Of course we want correctness: we want the two strings to be correlated, for example to satisfy the OT correlation that we care about in this setting. And we want security. The way we define security is to say that either party can learn nothing more from its own seed than it can trivially derive from knowing that its own long string is in correlation with the other party's string.

This is not the most natural definition you could think of, because we said we want to use this as a replacement in protocols for secure computation. A more natural definition would be a simulation-based one, saying that you can plug this into every protocol. But unfortunately, this is impossible to achieve; we show this even for deterministic functionalities. However, we also show that the indistinguishability-based definition we give is good enough for a lot of protocols, namely those that satisfy a slightly stronger security requirement. This is the case, for example, for the GMW protocol that I mentioned, and also for the SPDZ protocol, so in many cases you can actually just directly plug this in.

So we talked about the definition; now I want to give you a construction. How can you actually instantiate this for the correlation of oblivious transfer? What we will actually give is not a PCG directly for oblivious transfer, but a PCG for correlated OT, which is exactly like oblivious transfer, except that instead of Bob having two unrelated messages, his second message will always be his first message plus some constant offset. You can then rewrite Alice's message as being the first message plus either this offset or not. As Ishai, Kilian, Nissim and Petrank showed, if you have correlated OT and a correlation-robust hash function, this actually gives you OT: the idea is basically that you can hash, which breaks the correlation, and then you have just the normal OT that you want.

If you rephrase what correlated OT is, putting many instances together over a random vector, we can say that Alice and Bob get an additive secret sharing of Alice's choice-bit vector b times the offset Delta. So what we have to generate is this kind of additive secret sharing. In order to get a PCG for that, we need a compression of the vectors q and b for Alice, and a compression of the vector r for Bob, such that q + r = Delta * b. We will show how to do this in three steps. The first step: we use so-called distributed point functions to get a PCG whenever b is a unit vector. The next step: we show that it is super straightforward to go locally from a unit vector to a sparse vector. And then the interesting part: once we have a sparse vector, how can we get to a pseudorandom vector?
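To make the syntax concrete, here is a minimal, deliberately degenerate sketch of what Gen and Expand have to produce for the correlated-OT correlation q + r = Delta * b described above. The seeds here are full-length and Expand is the identity, so there is no compression at all; it only fixes the interface and the target correlation that the real construction has to satisfy. All names and parameters are my own, and XOR plays the role of addition since we work over a field of characteristic two.

```python
import secrets

LAMBDA = 128  # elements of GF(2^128), represented as ints under XOR

def gen(n: int):
    """PCG.Gen: output a pair of correlated seeds.

    A real PCG outputs *short* seeds; this placeholder just samples
    the target correlation directly so expand() has something to return.
    """
    delta = secrets.randbits(LAMBDA)                    # Bob's global offset
    b = [secrets.randbits(1) for _ in range(n)]         # Alice's choice bits
    q = [secrets.randbits(LAMBDA) for _ in range(n)]    # Alice's strings
    r = [q[i] ^ (delta if b[i] else 0) for i in range(n)]  # Bob's strings
    return (b, q), (delta, r)

def expand(seed):
    """PCG.Expand: locally expand a seed (here: the identity map)."""
    return seed

# Correctness: the expanded outputs satisfy q_i XOR r_i = b_i * delta,
# i.e. an additive (XOR) secret sharing of the vector delta * b.
(b, q), (delta, r) = expand(gen(8)[0]), expand(gen(8)[1]) if False else gen(8)
for bi, qi, ri in zip(b, q, r):
    assert qi ^ ri == (delta if bi else 0)
```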
As I said, the main tool for the first part is distributed point functions. So what is a point function? A point function is a function that is zero everywhere except at one single point alpha, where it takes some value y. A distributed point function (DPF) distributes this function between two parties such that each party alone learns nothing about the values alpha and y, but together they can recover the function: they can locally evaluate their keys on every input x to obtain shares of the output of the function. Graphically: if Alice has key k0 and Bob has key k1, they can expand them, where by expansion I mean evaluating the point function on every point of the input domain (we assume a polynomial-size input domain here, so that you can actually do this). If you add up the two expansions, you get the unit vector times y, with y sitting exactly at position alpha.

Why are distributed point functions a good starting point? For two reasons. First, there exist efficient constructions from one-way functions. Second, by Doerner and shelat, it is possible to efficiently do a distributed setup, which will be necessary to set up the seeds that we then expand.

Once we have distributed point functions, the PCG for a unit vector is very straightforward. All you give the parties are the keys of the distributed point function. Alice additionally gets the point alpha, so she knows where the function is "punctured", and she gets the value delta blinded by the output value of the distributed point function; this allows her to replace the output value of the DPF by delta. So this is the seed, and the expansion is simply evaluating the distributed point function at every point; at position alpha (the green part), Alice additionally adds y + delta. Then, because of the properties of the distributed point function, if you add up q and r, you get delta times the unit vector, where b is the unit vector that is 1 at position alpha.

So we have a PCG we can expand whenever b is a unit vector. But of course we want more: we want b to be a random vector. So how can we go from a unit vector to a random vector?
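Here is a rough sketch of this unit-vector step, under a strong simplification: the real DPF has keys of size O(lambda * log n), built from a length-doubling PRG GGM-style, while the "toy" DPF below just additively secret-shares the whole vector, so all compression is lost. It only shows the mechanics of the expansion step; all names are my own.

```python
import secrets

LAMBDA = 128

def toy_dpf_gen(n: int, alpha: int, y: int):
    """Toy DPF for the point function f(alpha) = y, f(x) = 0 elsewhere.

    Keys are full-length XOR shares of y * e_alpha; a real DPF
    compresses each key to O(lambda * log n) bits.
    """
    k0 = [secrets.randbits(LAMBDA) for _ in range(n)]
    k1 = [k0[i] ^ (y if i == alpha else 0) for i in range(n)]
    return k0, k1

def toy_dpf_full_eval(key):
    """Full-domain evaluation: a share of the point function at every input."""
    return list(key)

# --- PCG expansion for a unit vector b = e_alpha ---
n = 16
alpha = secrets.randbelow(n)
y = secrets.randbits(LAMBDA)        # DPF output value
delta = secrets.randbits(LAMBDA)    # the correlated-OT offset

k0, k1 = toy_dpf_gen(n, alpha, y)
# Alice's seed: k0, the position alpha, and delta blinded by y (i.e. y + delta).
# Bob's seed: k1 and delta.
q = toy_dpf_full_eval(k0)
q[alpha] ^= y ^ delta               # replace the DPF output value y by delta
r = toy_dpf_full_eval(k1)

# q XOR r = delta * e_alpha, i.e. delta times the unit vector b.
for i in range(n):
    assert q[i] ^ r[i] == (delta if i == alpha else 0)
```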
Well, first to a sparse vector. If you take a look at the correlation again, it is a linear term; everything is linear, so all operations can just be performed on the shares. So we can simply repeat the same procedure t times and add everything up: Alice adds her outputs up, Bob adds his outputs up, and we get the same correlation for a sparse vector with t nonzero entries.

Then the interesting part is to go from the sparse vector to a pseudorandom vector, and for this we use the learning parity with noise assumption. It basically states that if you have an overdetermined set of linear equations, that is, a matrix product A * s with a small secret vector s, and then you add sparse noise e (noise that is zero except at a few points), the result looks random. What we actually need is the dual version of this, where you multiply by the left kernel H of this matrix, and then you see in this equation what it does: since H * A = 0, we have H * (A * s + e) = H * e, so it takes a random sparse vector and shrinks it a bit, but you get something pseudorandom, and this is exactly what we want.

Why is this so useful for our construction? Because again, matrix multiplication is linear, so the parties can perform it locally on their shares; no communication is required. The main challenge is now in terms of computation, because this matrix is big: it is linear in the number of OTs, and we are often interested in generating, say, 10 million OTs, so this will be a big matrix. So what we do is use quasi-cyclic codes, where the multiplication basically becomes a polynomial multiplication.
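Before moving on: the locality argument above ("the parties can apply the matrix to their shares without communication") is easy to check in code. A minimal sketch, assuming a uniformly random binary matrix H in place of the structured quasi-cyclic matrix used in the actual construction, with field elements represented as integers under XOR:

```python
import secrets
from functools import reduce

LAMBDA = 128

def mat_vec_gf2(H, v):
    """Binary matrix H times a vector v of GF(2^lambda) elements
    (represented as ints; addition in the field is XOR)."""
    return [reduce(lambda a, b: a ^ b, (vi for h, vi in zip(row, v) if h), 0)
            for row in H]

n, m, t = 64, 32, 4   # compress a length-n t-sparse vector to length m
delta = secrets.randbits(LAMBDA)

# Correlation after the previous steps: q XOR r = delta * b, with b t-sparse
b = [0] * n
for pos in secrets.SystemRandom().sample(range(n), t):
    b[pos] = 1
q = [secrets.randbits(LAMBDA) for _ in range(n)]
r = [q[i] ^ (delta if b[i] else 0) for i in range(n)]

# Public compression matrix (random here; quasi-cyclic in the real scheme)
H = [[secrets.randbits(1) for _ in range(n)] for _ in range(m)]

# Each party applies H *locally* to its share; Alice also compresses b.
q2, r2, b2 = mat_vec_gf2(H, q), mat_vec_gf2(H, r), mat_vec_gf2(H, b)

# The correlation survives, now for b2 = H*b, pseudorandom under dual LPN.
for j in range(m):
    assert q2[j] ^ r2[j] == (delta if b2[j] else 0)
```

The point is that q2, r2 and b2 are computed without any interaction, and the compressed b2 = H * b is exactly the vector that the dual LPN assumption says looks random.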
This makes the computation quasi-linear in the number of OTs, and the security we get is similar to that of post-quantum cryptosystems like BIKE or HQC. Something I also want to mention: LPN is a symmetric-style assumption, for two reasons. First, it does not imply public-key encryption for certain noise rates, including noise rates you can use for our construction. Second, it is very efficient. So again, we get an OT extension where we only use symmetric-style cryptography.

Now, putting everything together: the last step is to take this matrix and locally apply it to the results from the previous steps, and then we get q and b and r, which will be the output of our PCG. Because we have correctness of the distributed point function, and addition is linear, and the matrix multiplication is linear, this actually gives us what we want. Even though it might look a bit small on the slides, what we get in the end is a big compression. We have a bit of shrinkage by the LPN matrix, but if the output length is n, the keys we need to exchange are only of size about lambda times log n (actually, I forgot: because of the addition step you do everything t times, so there is also a factor t). So we have a big achievement here.

To come to a comparison with previous OT extension protocols: I said in the beginning that the communication there is linear in the number of OTs, but it is actually even worse if you look at the concrete numbers. You get something like at least 78 bits of communication per OT, and we bring this down with our approach to about 0.3 bits per random OT, so significantly less. On the downside, we have a number of rounds logarithmic in the output length n, and we don't have active security; but we solve both of these in a follow-up work together with Peter Rindal, where we get it down to two rounds, actually the first efficient two-round OT extension, and we back up the communication claims with an implementation: there we get 0.1 bits of communication per random OT for generating 10 million OTs, and we also get active security.

What does this mean for the GMW protocol from the beginning? If you use the GMW protocol with, for example, IKNP, you get more than a hundred bits of communication per AND gate with all previous approaches, and we bring it down to four. Four is actually the cost of the online phase, so we make the preprocessing almost for free in terms of communication. On the other hand, talking about computation: with our approach we can generate about a million OTs per second. This is slower than IKNP, but over slow networks, because of this huge saving in communication, we outperform IKNP.
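Coming back for a moment to the quasi-cyclic trick: multiplying by a circulant block is the same as multiplying polynomials modulo X^n - 1, which is what makes quasi-linear algorithms applicable. A small self-contained sketch of that correspondence, with a naive quadratic convolution standing in for a fast (e.g. FFT-based) polynomial multiplication; all names are mine:

```python
import secrets

def circulant_mul(c, v):
    """Multiply the circulant matrix with entries C[i][j] = c[(i - j) % n]
    (each row is the row above shifted one step right) by v, over GF(2)."""
    n = len(c)
    return [sum(c[(i - j) % n] & v[j] for j in range(n)) % 2
            for i in range(n)]

def poly_mul_mod(c, v):
    """c(X) * v(X) mod (X^n - 1) over GF(2), by naive convolution.

    In a real implementation this quadratic loop would be replaced by a
    quasi-linear polynomial multiplication algorithm.
    """
    n = len(c)
    out = [0] * n
    for i, ci in enumerate(c):
        if ci:
            for j, vj in enumerate(v):
                out[(i + j) % n] ^= vj
    return out

n = 32
c = [secrets.randbits(1) for _ in range(n)]
v = [secrets.randbits(1) for _ in range(n)]
# Multiplying by the circulant matrix == polynomial multiplication mod X^n - 1.
assert circulant_mul(c, v) == poly_mul_mod(c, v)
```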
So, to conclude this talk: pseudorandom correlation generators are useful. They give secure multi-party computation with silent preprocessing. We have a silent OT extension from the learning parity with noise assumption that is concretely efficient; the idea is that you take a few base OTs, then locally expand, and the only thing you need is symmetric-style crypto. We also improved this, with the same techniques but basically a better setup phase, to get a two-round OT extension and malicious security.

What is also interesting to mention: this line of work gives new feasibility results and practical instantiations from learning parity with noise. This is interesting because, in particular for the practical instantiations, we don't know how to achieve the same from seemingly stronger assumptions like learning with errors, so this actually gives something new.

And there are lots of open problems to work on. In our paper we give constructions for Beaver triples and for oblivious linear function evaluation, but they are not as efficient as the OT construction I showed you, so: can we use similar techniques to make them as efficient as the OT construction? What would be super cool to achieve is a PCG where we don't have to expand everything at once, but can expand only as much as we currently need. And since a very central part of our construction is learning parity with noise: study the LPN assumption further. Which code/noise combinations are LPN-friendly? What is the best way of implementing LPN at large scale? People generally look more into the setting where you have a smaller matrix, but we are really interested in matrices as big as possible, because then we get more OTs; what is the best way to do this computationally efficiently? And, more on the theoretical side: giving a generic LPN model. Our construction is of course not a black-box construction, but it has some black-box flavor, and maybe one can give a model that captures this black-box flavor.

So yeah, that's it from me. Thank you very much for your attention. Any questions?

Q: Thanks for the talk. I was wondering: if you apply this protocol to GMW, you get very small communication in the preprocessing. Can you comment on the local computation cost for the parties?

A: As I said, for the local computation you can generate about a million OTs per second, if you just consider the OT extension part. In our follow-up work, if you do this over a wide-area network at 10 megabits per second, you get almost a 50-times improvement. So even if you factor in the computation, you can get improvements over, for example, replacing...

Q: Can I ask a second question?
You mentioned that for the LPN you use a quasi-cyclic code for the improvement. So I was wondering: why does this not add another coding-theoretic, code-based cryptography assumption? Does your protocol's security still reduce to LPN itself, with no additional code-based assumption?

A: We do have to assume that LPN is secure when using this kind of code. As I said, it is similar to the assumptions underlying post-quantum cryptosystems.

Q: So is it equivalent to plain LPN, or is it not?

A: It's not. For random matrices, it is not equivalent.

Q: Okay. Thank you.

Yeah, let's thank the speaker again.