 Hi, I'll be presenting silver silent bowl and oblivious transfer from the hardness of decoding LDPC codes This is joint work with Jeff law and Shrini along with myself Peter Rindall So as way of introduction, I'd like to introduce oblivious transfer Here this there's two parties a sender and a receiver the sender has two messages M0 and M1 And the receiver has a choice bit C the receiver should learn the message MC and nothing about the other message Oblivious chance is used throughout multi-party computation. It's one of the most fundamental protocols in cryptography there's also a variant of Oblivious transfer known as random alias transfer here the parties don't exactly have input instead the functionality or the protocol Chooses the everything at random. So the M0 and M1 is random and the choice bit C is random And otherwise the protocol is roughly the same and the nice thing about random OTS is that you can sort De-randomize them and get back to the original OT correlation. And so in some sense random OT is all that you need Further we can consider sort of a slight variant on this is that let the messages M0 and M1 be Offset by some Delta And then you can rewrite the receivers message MC as M0 plus C times this Delta value And this is a sort of naturally generalizes to something known as oblivious linear evaluation here the key distinction from OT is that C the choice bit is allowed to be a field element instead of just binary and We can further generalize this to what is known as vector OLE Here the message M0 is a vector messages and similarly the choice Value C is now a vector and so you get a vector correlation which MC equals vector M0 plus vector vector C times the scalar Delta and Rewriting sort of the terms to be ABC and Delta to clean it up a little We can see this is the correlation and the nice thing about this vocal relation is that you can sort of as I mentioned before De-randomize it to get back to OT Whichever variant of OT that you want or you can stay with this sort of vocal relation with this Choice vector a now it is over the field and so throughout this talk I'll be referring to this formulation and not the oblivious transfer one, but just understand that they're in some sense equivalent Another property that we want is this silent feature where the protocol itself is Only a setup protocol in that this it has low communication and it outputs some small keys to the sender and receiver and Then by local community local computation only they're able to expand these keys into the final vocal relation And particularly the setup should be sublinear in the size of the vectors and the expansion should be non-interactive Our our ball protocol that we use in this talk is in fact silent in this way And it's a nice property you have because it allows you to a get less communication and be You can put on the computer communication during a setup phase and then sort of go offline or store the keys for later use The ball protocol or OT protocol whichever this case That we're you put that we use It's setup phase Internally uses this thing to call the punctured PRF I'm not going to get into exactly what a punctured PRF is But suffice it to say that so the gen generation algorithm is run inside an MPC protocol which outputs these keys k0 and k1 These can then be expanded using the punctured PRF function to get the following correlation It's basically identical to the vocal relation that we want in the end with the catch that this a vector Is sparse meaning that only say a hundred or two hundred of locations of this a prime vector Is non-zero and overall this vector might be a length of million so it's highly sparse But it is close to the correlation that we want So the next step is that we'll run LPN to sort of bootstrap this sparse correlation into the standard vocal relation And we'll talk more about LPN later, but suffice it to say now What LPN consists of is multiplying a large random matrix G from left by the vector and then this gets you the final output and Critically LPN says that even though this a prime vector is sparse the final a vector is in fact uniformly random And this is sort of concludes what how our vocal protocol or that the vocal protocol that we use it works So drilling in to this LPN instance in particular We want to run generate say a million or many millions of OTS or both whatever you have And this means that the LPN instance will be very large So say if we want four million OTs then our G matrix here will be four million by eight million for example and this For classic LPN this mean this corresponds to this G matrix being uniformly random and Therefore the multiplication would be quadratic time taking you know roughly to the power 40 and time Which is clearly impractical if we're going for extremely high performance this leads us to Modification known as like structured LPN here. We place additional structure on this matrix G Which allows us to use matrix vector multiplication in in less time previous works had Achieve this is sort of n log n time while in this work. We do design our new matrix G That actually allows us to do linear time multiplication But importantly you have to be careful in that By modifying this matrix G you might weaken the LPN instance And so it's a careful balance between getting high performance or also maintaining the security of LPN and we'll discuss that next By way of doing this we're going to introduce what's known as primal LPN this is how it's traditionally thought of and Here you have a public matrix a is a large random matrix and then Someone takes their seed S and E these are vectors as shown here S will be sort of uniform and random but somewhat short while E is sparse But longer and so you'll do a times S plus E and this gives you R now LPN says that R should be indistinguishable from uniform and random Sort of shown here given that the matrix A is public In our work, we'll use what's known as the dual formulation Here we have a matrix G and we'll just we just do G times this sparse vector E And this gives us a short ideally uniform random vector R And again the the security statement somewhat similar is that G and R should be indistinguishable from uniform random These two formulations actually equivalent to see how this works I relabeled this a matrix as H transpose and then let G and H Be the generator and parity check matrix for an air correcting code So if you're starting with primal then you are given H as the LPN matrix and you can derive the corresponding Generator matrix for that air correcting code and then to see why these two are equivalent We use the property that the generator times the transpose the parity check matrix H Equals zero and so if you multiply the primal LPN instance from the left by G You get the following G times H transpose is zero and so zero times S is zero And so what you're left with is just G times the sparse vector E equals G times the sort of uniform and random vector R and By some properties of the generator matrix It's not hard to show that so long as R is uniformly random then G times R is uniformly random And that's how we arrive at our dual formation And so next I'll be talking about the security of the primal version of LPN But our implementation will use dual LPN and be sort of our equivalent So LPN has been studied extensively There's numerous attacks based on Gaussian elimination set Set recovery set information set decoding and so forth and so on And since we're in the business of designing a new LPN matrix It'd be very tedious to have to like go through each one of these papers and sort of just Decide whether their attack is relevant to our our particular LPN instance But fortunately we don't have to and that there's this framework which is introduced previous to us known as the linear test framework and Here the adversary is first given the the matrix in question H and they're allowed to pre-process arbitrarily Whatever they want and then they output a vector V and this and then As a way of distinguishing whether the R is from an LPN instance or uniform random The adversary will output a bit V inner product R And so it say if B is one then it's maybe saying that it's an LPN instance in otherwise it's random and Unfortunately, all these attacks can be framed in this framework with adversary pre-processes the LP of matrix puts a vector and then inner products the vector with R and Now that now that we have this sort of linear test We can sort of reason about it So first let us consider the case where this matrix H transpose is It's rows are d-wise independent meaning it takes at least d plus one rows to be added together to equals zero Then we can consider quote-unquote a sparse V meaning that the hamming weight of this test vector V is less than D that Row-wise independence value and what this will look like is so V times H transpose Times S which is sort of like the contribution S makes to R Will you call sort of some other? Matrix H prime times S where H prime is row-wise independent And it's not hard to see since S is uniformly random and you're multiplying by a row-wise independent Matrix H, which is sort of short then the output will be uniformly random And so what is saying is that when V is sparse that the S is what's saving our LPN instance or is what's giving our LP an instance In just making it indistinguishable from uniform and random On the other case when V is dense The E vector times into play in that to see this Roughly speaking is that once V is sufficiently dense then probability that intersects this air vector becomes high Overwhelming and in this case that further be randomizes the result And so then it becomes the E makes they are uniformly random and so it's sort of a balancing act between these two extremes sparse V and dense V This analysis strictly stems from the fact that we considered H to be H transpose to be D-wise row independent and This in turn sort of a lot tells us how to set how noisy the E vector needs to be but this Row-wise independence property is equivalent to saying that the code generated by this other matrix G should have minimum distance D And so this brings us to a way of searching for new Highly efficient LPN instances We simply need to find a linear code G with parity check matrix H, which has high minimum distance For the code it should have fast in code here We actually need the transposers of encoding algorithm This ends up not being an issue and finally this code should be efficient when the dimensions are very large So these properties are somewhat unique to us a lot of codes out there aimed to achieve additional properties Or some other set of properties and so we're looking to optimize just these properties to do this we turn to low-density parity check codes these codes are sort of are Characterized by having the parity check matrix H being sparse So this might mean the number of ones in any given column of H is some fixed constant And then to encode LDPC codes a common approach is to Instead of having X multiplied by the generator which is maybe the traditional traditional method you will solve the system of equations that H times the code word C equals zero and We're about to go over several examples of such LDPC codes Which are namely the uniform code which has good minimum distance, but poor encoding time and that till it's the more code Which is it sort of has the inverse? But first I want to talk about the G alt encoder. This is the encoder that we're going to use and here the way you the way of explaining the G alt encoder first we need to consider the Quota quote the systematic form of the code and here to given G and H You can get the systematic form G prime and H prime by doing row operations until H has the identity matrix on the right And G has a very matrix on the left and in some sense. This doesn't change the code It just you just sort of relay building things But and then this G alt encoder will actually encode under G prime sort of systematic form But we don't actually want to explicitly write out H prime because even though H is sparse H prime might not be But that's okay because we're can leverage the fact that The null space of these of H prime and H are the same meaning that if X times epsilon which is a some code word With H prime times that equals 0 then it would also hold true for H and then the next step is that and This allows us to run sort of solving the system of linear equations on H and X and epsilon is the idea But the next step in our encoder is that we first need to perform row and column operation swaps on H In order to put it in this formula is approximate G lower triangular Here the idea is that H should basically be a lower triangular matrix except for we allow the last G rows not to be So any matrix can be put into this form for some value of G, you know, you might almost be the whole thing or you know and so forth and Then we have any encoding algorithm written like this Basically, it's a form of like back propagation algorithm But the important takeaway even if all this didn't really make too much sense is that the running time of this encoding algorithm is m plus G squared so importantly we This algorithms only efficient I mean only linear time when G is a smaller or square root m So now let us consider the uniform LDPC code. The uniform LDPC codes is described by having some fixed column weight W So each column will have weight W and this in the shown example on the right is say 3 but in practice a bit 5 or maybe 11 and then It's been shown Sort of analytically that this code has linear minimum distance, which is great. Which is what we want But the problem is that how to encode, you know, there's various ways But if we're going to use our G alt encoder the first step right is to put it in this approximate lower triangular form and the way of doing this is you can do row and column swaps You don't want to do row addition operations because that will increase the weight Which is not desirable, but just doing row and column swaps is okay But the problem is that you can show at least for typical linear time algorithms Is that the when you do this row and column swaps? The the gap decided the gap will remain linear in the overall size of the code and this Basically means our overall running time will be quadratic and not efficient enough for our application This leads us to our second code, which is the Tillich-Zemore code Here the code is sort of broken up into a left half in the right half The left half is uniformly random subject to some calm weight W while the right half has two diagonals right next to each other of ones The reason for this structure is several fold But one of them is that it gives you a fast encoding in particular using the G alt encoder We have G equals one and so trivially linear time As we'll get back to actually the left half although linear time is actually quite slow due to its randomized nature One of the primary issues with this code is that it actually achieves sublinear minimum distance the authors of the code showed analytically that it's yeah, it is the minimum distance shown here and This is primarily or exclusively due to these diagonals that what they were introduced And their code had several reasons to introduce them Among them was fast encoding We in order to get a grips on the exact minimum distance that these codes have we actually implemented some extensive experimental techniques to Evaluate an upper bound on the actual minimum distance and given this we do observe that the uniform code does achieve Linear minimum distance while the Tillich-Zemore code gets sort of sub linear minimum distance As a way of explaining this you can consider what do these minimum distance? What is the minimum distance really look like with respect to the parity check matrix? And one way to formulate what this is is it's how many columns of this parity check matrix you need to add together such that you get the zero vector and One way of going about do this and in fact what typically are the low-weight code words in this Well happens is you take several columns on the left-hand side which almost cancel out But have maybe two ones which are nearby each other which don't cancel And then you include the corresponding column from the right which sort of bridges the gap between these two As shown here if the gap is more than one you can then include like the next two columns in the right Yeah, and so in some sense these diagonals allow you to sort of bridge the gap between Code words in the left which are almost equal and that's the structure of minimum weight code words in this code And so given this you know you could try to formulate ways to improve the the minimum weight performance of this code So this is believed us to our first code silver code one and we start with the Tillich-Zemore code Zemore code excuse me and we remove the weight two columns and we replace them with a higher weight sort of weight w columns We we keep the galt Form But allowed g to increase from one is the basic idea and below this main diagonal. We fill the Fill some region With uniform in random columns subject to having the desired column weight w So shown here you write we have a gap of four with a column weight of three And we just fill in the values below the gap you know from the random and the idea here is that you know if we go back to our example before right you might want to You know you get code work columns from the left half Which are almost equal and then you include the corresponding columns in the right You can see that it's no longer works because the non-zero locations below the main diagonal Won't cancel out nicely most likely and so this sort of allows this new code to Sort of defend partially at least defend against these bridging attacks so to speak And we experimentally validate that this alteration does in fact improve the tz code significantly And we almost get the same performance as uniform with the same column weight Through further iteration and looking at what What type of low weight code words exist in these codes we identified that often in the right hand side you'll get Two columns which are very similar and mostly cancel with each other and this allows a similar type of bridging attack Or bridging phenomenon per se And to prevent this we discovered through extensive experimentation that if you add Additional diagonals below this mean diagonal it helps prevent this attack sort of intuitively it ensures that this spreading is larger Across the rows and you can't simply get unlucky and have a few columns on the right hand side Cancel properly for more details to see the paper But the main takeaway is that this further significantly improves the performance of the code Now we turn to the Optimizing the left half where the main issue is that although our Code is linear time encodable the memory efficiency of Performing the left half of the parity check matrix is actually quite low Roughly speaking What this corresponds to is taking this left half of the matrix and multiplying it with a vector and since it's more or less Uniformly random this corresponds to performing Roughly, you know million random accesses into an array of like one million or you know, whatever Array size is and this ends up being really inefficient for from a memory perspective because every memory access It goes to main memory, which is significantly slower than say a cache or something that We tried numerous techniques to try to improve the cache efficiency And we ended up landing on this one which is surprisingly simple in that you replace the left half with just several diagonals w diagonals going across and They need to be spaced irregularly with a certain structure in order to avoid some pathological cases But we experimentally validated this that our codes do in fact work well And in fact this uniform or this silver code actually outperforms the uniform code with the same weight, which is somewhat surprising Our final optimization is that We change that the current most inefficient part of this code is that Sampling this main diagonal which consists of these sort of uniformly random Columns subject to being in this band Is actually quite inefficient Especially when this makes a size of one million you could say store in memory But this again is sort of undesirable due to its size and so We experimented with de-randomizing the this Main diagonal by repeating the Rows after sort of every g steps And we experimentally validated that this doesn't hurt a minimum distance performance We also make the rows regular meaning that they all have the same number of ones in each row and this further helps improve the efficiency of the implementation The final takeaway is that our final code is sort of highly structured And but still achieves as good of minimum distance performance as the uniform code We designed two codes, although others could be Considered which have column weight five and column weight 11 and I get the corresponding minimum distance from The other point of optimization that we considered is the sort of the right the running time of our codes So shown here at the bottom is our final code silver five And the weight five variant of it takes One point one three seconds to encode a vector of length 16 million You can compare this to the work of Boyle at all Which use quasi cyclic codes Which takes four seconds for the same operation or the tz code which takes two seconds So you can see it's a very significant order magnitude improvement over the state of art While when applying this to our oblivious transfer protocol, we can see that this significantly improves the performance So our protocol is basically the same protocol as the Boyle at all ones shown here But with our code replaced and you can see this reduces the running time from 10 seconds to half a second for 16 million ot's And we achieve the same sub linear communication Another work from 2020 Uses primal lpn and a sort of similar structure to ours and they Can perform 10 000 ot's in Roughly like 1.2 seconds while ours takes a quarter second. So very significant improvement What's more ours achieves the silent property whereas theirs does not Maybe the most surprising takeaway is that our protocol is actually faster than the original ot extension work of ikmp This work has stood the test time for almost 20 years and our and we finally are able to beat it in terms of running time and Also significantly improve its communication A similar story is true for the bull performance is that we are roughly five times faster than Another bull work from 2020 And this and we also achieve this silent property And with that I conclude my talk silver silent bull and oblivious transfer. Thank you