Secure Computation from Leaky Correlated Randomness

The authors are Divya Gupta, Yuval Ishai, Hemanta Maji and Amit Sahai, and Divya will give the talk.

Thank you. Thanks for the introduction. I will be talking about secure computation from leaky correlated randomness. This is joint work with Yuval Ishai, Hemanta Maji and Amit Sahai.

Let me begin by describing our favorite secure two-party computation. Here we have two parties, Alice and Bob, holding secret inputs X and Y, and they want to compute a joint function of their inputs. They can run a secure computation protocol, at the end of which both parties get the output. The security goal is that we want correctness of the output and privacy of the inputs: a corrupt party should not be able to learn anything beyond the output of the function. Though our results are applicable in the computational setting as well, in this work I will be focusing on information-theoretic security, that is, without any computational assumptions and where the parties have unbounded computational power, against semi-honest adversaries, that is, parties who follow the protocol but want to learn more.

In this setting we know that general two-party computation is impossible in the plain model, but it is possible in the OT hybrid model. So, what is this OT hybrid model? Let's say we have two parties who want to do secure computation. In the offline phase, long before they even know their inputs or the function to be evaluated, they can compute a large number of copies of OT. In the online phase, when they get to know their inputs and the function to be evaluated, they can run their favorite cryptographic protocol to evaluate the function. This is called the OT hybrid model. Now the question is, why do we even care about this model?
First, OTs can be pre-computed well in advance, even before knowing the inputs and the function to be evaluated. Next, given these OTs, the online phase where we run the cryptographic protocol can be very, very fast. Moreover, in the OT hybrid model we can get very strong notions of security, that is, unconditional security. And finally, there are many practically efficient MPC protocols which actually start by computing a large number of copies of OT in the pre-processing phase. Examples include GMW combined with Beaver, Fairplay, TinyOT and SPDZ.

So I hope that by now I have convinced you that this OT hybrid model is very interesting, and this brings me to the main problem. As I told you already, these OTs can be pre-computed and stored with the parties until the time they want to use them to compute the function. In this time gap an adversary can leak useful information from the secret state of the honest parties, and what this leaves us with is leaky versions of these OTs, that is, OTs which are not perfectly secure. Now the question is, how does this leakage affect us? That is, how does leakage on these OTs affect the security of the protocol which we want to run? Does the security degrade gradually? That is, does a small amount of leakage only lead to a small breach of security in the cryptographic protocol? The answer is no: even small leakage can lead to a complete break of security. So, what do we do? Do we just throw away all the work we did, or can we salvage the situation in some way? Of course, we do not want to throw away the hard work which we did in computing these OTs. So here's the objective.
We want some kind of refreshing procedure which can take these compromised OTs and give us new, fresh and secure OTs. We want to tolerate a high amount of leakage and we want to get a large number of secure OTs, that is, we want high leakage resilience and a high production rate. Why this is interesting is because this solution is universal and modular and works irrespective of the cryptographic protocol which we want to run in the future. This notion is called an OT extractor and was introduced by Ishai, Kushilevitz, Ostrovsky and Sahai in 2009. It relates very closely to the classical problems of privacy amplification and randomness extraction, where the goal is to protect against an eavesdropper. Here our job is even harder, because we want to protect against insider attacks.

Okay, now let me define this (n,t) OT extractor more formally. In the offline phase we are given n copies of the OT to both the parties. As time passes, the adversary might corrupt one of the parties. Let's say he corrupts the sender; then he can leak at most t bits of information from the secret state of the honest receiver. Or it can corrupt the receiver and leak t bits of information from the honest sender. We are left with n OTs from which t bits have been leaked. Now in the refresh phase we want to run an interactive protocol at the end of which both parties establish secure copies of OT. So an OT extractor is an interactive protocol where we start with n compromised OTs from which t bits have been leaked and try to establish new secure copies of OT.

This notion is closely related to that of an OT combiner, which is a special case. Here the kind of leakage the adversary can do is restricted to be local leakage, also called physical bits of leakage. So the adversary again can corrupt one of the parties, let's say the sender, and can leak the secret information from at most t OTs, and it cannot touch the others. Similarly, he can corrupt the receiver and leak t OTs. So what we are left with is t fully compromised OTs and n minus t fully secure OTs, but we do not know which is which. Again the task is to run our interactive protocol, at the end of which we establish secure OTs.

Okay, so in short, an OT combiner can only handle this local or physical-bits leakage, but an OT extractor is much more general and needs to handle any arbitrary global leakage. Though the OT combiner is well studied in the literature in various settings, this more realistic notion of general leakage and OT extractors is very unexplored. The best-known result is that of IKOS 09, which showed an (n,t) OT extractor where t, the adversary's amount of leakage, is less than alpha n. That is, it tolerates some constant fraction of leakage, but this constant is very tiny. They can produce a constant rate of good OTs, and their protocol has four messages. This result should only be seen as a proof-of-concept feasibility result, because the amount of leakage is very tiny: even a generous estimate puts it below a 10 to the power minus 7 fraction of leakage, and it uses heavy tools and techniques such as algebraic geometric codes. Our protocol will try to resolve all these issues.

The focus of this work is trying to understand what is the maximum amount of leakage after which we can still get something meaningful in the plain model, that is, we should be able to get at least one copy of secure OT in the plain model. So, can we actually tolerate 90% of leakage?
The answer is no. Even for the more restrictive class of OT combiners, where we are only allowed local leakage, Ishai et al. showed that no OT combiner is possible when the leakage exceeds n by 2 minus a constant. They show an almost matching positive result and showed an OT combiner when the leakage is upper bounded by n by 2 minus omega log n. So it is clear that we cannot do better than this. So, can we actually match this result of OT combiners in the much more general setting of OT extractors? Our first result exactly answers this question in the affirmative. We show a two-message OT extractor which produces one secure copy of OT when the amount of leakage t is bounded by n by 2 minus omega log n.

Some of the salient features of our protocol: this is the first protocol which deals with near-optimal leakage resilience. We get optimal round complexity, that is, only two messages, one from each party. We get linear communication complexity; this even improves the OT combiner result from IMSW, where the communication complexity was quadratic. And finally, our protocol is much simpler and avoids the use of heavy machinery like algebraic geometric codes. In fact, I will be able to describe our protocol in just one slide.

Okay, so coming back to our result: I have shown a result which gives you one secure OT, but is this really useful? Even to do a finite functionality we need many more OTs. So the next question is, can we produce multiple secure copies of OT in the high-leakage setting? We show that if the adversary can leak at most n by 2 minus rho n bits, then we can produce rho n by log n copies of secure OT. That is, if his leakage is rho n less than the maximum allowed, we can get multiple secure copies of OT. This result is an extension of the previous result, and we trade off a small amount of leakage resilience to get much better production rates.

Finally, we ask the question: is there some other useful correlation other than OT? By useful I mean something which can help us do general MPC and is more leakage resilient than OT. For this we look at the literature on leakage and cryptography and consider the inner product correlation, which was also considered by Dziembowski and Faust. In this correlation the first party gets an n-bit vector and the second party gets an n-bit orthogonal vector. In our work we show that this inner product correlation is much more leakage resilient than OT, and we can in fact extract one secure copy of OT after a large amount of leakage. In this talk I will not have the time to go into the details of this result, but you can look at our paper for more concrete numbers.

Okay, so in the rest of the talk I would like to focus on the following result, where we try to extract one secure copy of OT after the adversary can leak at most n by 2 minus omega log n bits. So, let me try to describe OT more formally.
Oblivious transfer was introduced by Rabin in 83 and since then has proved to be very useful in cryptography. We have two parties, a sender and a receiver. The sender has two input bits x0 and x1, and the receiver has a choice bit c. They send these inputs to the OT functionality and the receiver gets back xc. Security says that a corrupt sender should not learn anything about the choice bit of the receiver, and a corrupt receiver should not be able to learn the other bit of the sender, that is, x(1 minus c).

Before I describe the protocol, let me tell you a bit about binary linear codes, which will be crucial for our construction as well as the proof. What we need is an (n,k) binary linear code C, which is defined by a k cross n matrix G, and code words are simply x times G, where x is any k-dimensional vector. The corresponding dual code is defined by an (n minus k) cross n matrix H. The only thing crucial to us is the following: code words in C and C perp are orthogonal to each other. That is, if I take any code word in C and any code word in C perp and take the component-wise product, then the resulting code word has even parity.

Okay, so let's refresh our goal. We are given these n OTs from which t bits have been leaked by the adversary, so we have leaked versions of the OTs. We want to design an interactive protocol at the end of which we can get one secure OT, and we know that the amount of leakage is close to 0.5n; in particular, it is less than 0.5n minus omega log n.

Okay, so here is our protocol. We have the sender and the receiver. The sender will pick a code word u0, u1, up till un in the code C, which is some binary linear code.
It will also pick v0, v1, up till vn in the parity code, that is, the sum of all the bits v0, v1, till vn is 0. The receiver will pick a code word r0 to rn in the corresponding dual code. In the OT which we are trying to construct, u0, v0 and r0 will be part of the inputs. Now we are given these n OTs which are not secure, but still we are given these n OT boxes. What the sender does is play vi as the first input and ui plus vi as the second input in the i-th OT, and the receiver will play ri as input to this OT and get back some output zi. Next, the receiver will simply add all these zi's, which are n in number, to get z. Note that in this whole protocol the parties have not used u0, v0 and r0; these are secret. In the end the sender outputs v0 as the first bit of the OT and u0 plus v0 as the second bit of the OT, and the receiver will output r0 and z, where r0 is his choice bit.

So is this protocol correct? For it to be a correct OT protocol I need to prove that if the choice bit r0 is 0, then z, which is the output of the receiver, is indeed v0, and if the choice bit is 1, then the output of the receiver is u0 plus v0. In other words, I have to prove that z is equal to u0 r0 plus v0.

Okay, now let's see why this is true. Here's the protocol in compressed form, and we need to prove that z is equal to u0 r0 plus v0. The first observation is that each of these OTs is correct; they might be insecure, but they are correct. So in each of these OTs, when the receiver feeds in ri, the zi it gets is a correct OT output: if ri is 0, zi is equal to vi, and if ri is 1, zi is equal to ui plus vi. That is, zi is ui ri plus vi in all of the n executions. It computes z as the sum of all these zi's mod 2, so it computes the sum of ui ri plus vi over all n, and this I claim is u0 r0 plus v0 because of the following. First, note that the vectors u and r belong to dual code spaces. Recall that I said that code words from dual spaces are orthogonal to each other.
That is, their component-wise dot product has even parity, so ui ri added from 1 to n gives you u0 r0. Also, the vector v is picked from the parity code, hence it is also of even parity, so the summation of vi is equal to v0. Okay, so this shows that the protocol is correct.

The next question is receiver privacy. Here we are talking about a corrupt sender which leaks at most t bits from these OTs, and we are asking whether the choice bit r0 is hidden from the sender. Proving this security reduces to the following security experiment, which is a game between a challenger and an adversary. The first step is that the challenger has some min-entropy distribution M which has min-entropy m, and it picks an element from this min-entropy distribution, which is a vector of length n. Next it picks a random code word; in other words, it picks a random generator matrix of dimension n by 2 cross n plus 1, picks a random element x in n by 2, and picks a random code word, which is x times G. Let's say this code word is c0 to cn. Next it sends, for all i in n, yi plus ci, that is, the sum of the element picked from the min-entropy distribution and this code word, ignoring the 0th element, and also the matrix G. The task of the adversary is to guess the bit c0, which needs to be hidden.

Okay, so in our protocol the first distribution, the min-entropy distribution, comes from the leaked version of the OTs, and the second distribution comes from the code words which are picked by the receiver. We show that for a random matrix G the code words x times G form a family of small-bias distributions. Why this is interesting is that it was shown by Dodis and Smith that if you add a min-entropy distribution with a family of small-bias distributions, then you get something which is close to uniform. In particular, we show that the SD, which is the statistical distance of this bit c0 from uniform, is bounded by the square root of 2 to the power n by 2 divided by 2 to the power m, where m is the min-entropy of the original distribution. It is easy to see that this SD is negligible when m is greater than n by 2 plus omega log n; in other words, this is satisfied when the leakage performed is less than n by 2 minus omega log n, and hence we will be able to argue receiver privacy whenever the amount of leakage is upper bounded by n by 2 minus omega log n.

Finally, I would like to say a few words about reducing the communication complexity of our protocol. The protocol I told you about involved picking code words from C and C perp. These code words have to be known to both parties. So what do we do? One party picks it, since we are talking about semi-honest parties, and gives it to the other party. So the task is that we need to communicate these code words from C and C perp, and these would be the dominating factors in our communication complexity. The first protocol worked by picking these code words at random, that is, picking a random binary linear matrix where all the elements were random. This involved a communication complexity quadratic in n. What we can do is pick matrices of a highly structured form, which looks something like this: the left part is an identity and the right part is a Toeplitz matrix. A Toeplitz matrix is fully defined by picking its first row and first column at random, and the rest of the matrix is deterministic in terms of these elements. This way we reduce the communication complexity from quadratic to linear, and we show that a collection of Toeplitz matrices gives us a family of small-bias distributions, which is all that was crucial to our result.

To conclude, I would like to say that efficient secure computation is possible in the OT hybrid model. Since these OTs can be pre-computed and stored, an adversary can leak information on these OTs. In this work we give the first OT extractor which works with near-optimal leakage resilience and an optimal number of rounds. This opens the possibility of constructing efficient information-theoretic secure computation protocols in the high-leakage setting. We also show another correlation which is even more leakage resilient than OT. The question is, is inner product the most leakage resilient correlation, or is there an even better correlation which we can work with? Thank you.
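The one-OT extractor described in the talk, implemented end to end as an added example (Python; this is not code from the paper or the speaker): the sender picks u from C and v from the even-parity code, the receiver picks r from C perp, each of the n OT boxes is run, and the receiver's z is checked to equal u0 r0 + v0. It uses the [identity | Toeplitz] generator structure from the end of the talk, with the dual code generated by [Toeplitz transposed | identity]; the leaky OTs are modeled only as correct boxes (an assumption: the leakage does not affect correctness, which is all this check exercises), and n = 16, k = 8 are dimensions chosen for illustration.

```python
import secrets

def toeplitz(first_row, first_col):
    """Build a Toeplitz matrix over GF(2) from its first row and first column."""
    assert first_row[0] == first_col[0]
    return [[first_col[i - j] if i >= j else first_row[j - i]
             for j in range(len(first_row))] for i in range(len(first_col))]

def code_and_dual(n, k):
    """Generator G = [I_k | T] of a k-dimensional code of length n+1 (indices 0..n)
    and H = [T^T | I_{n+1-k}], whose rows generate the dual code C perp.
    Only the first row and column of T are random, as in the linear-communication variant."""
    m = n + 1 - k
    row = [secrets.randbits(1) for _ in range(m)]
    col = [row[0]] + [secrets.randbits(1) for _ in range(k - 1)]
    t = toeplitz(row, col)
    g = [[int(j == i) for j in range(k)] + t[i] for i in range(k)]
    h = [[t[i][j] for i in range(k)] + [int(c == j) for c in range(m)] for j in range(m)]
    return g, h

def random_codeword(gen):
    """x * gen over GF(2) for a uniformly random message x."""
    x = [secrets.randbits(1) for _ in gen]
    return [sum(xi & row[j] for xi, row in zip(x, gen)) % 2 for j in range(len(gen[0]))]

def parity_codeword(n):
    """v0..vn with even total parity: v0 is the XOR of v1..vn."""
    tail = [secrets.randbits(1) for _ in range(n)]
    return [sum(tail) % 2] + tail

def honest_ot(x0, x1, choice):
    """Stand-in for one pre-computed OT box (constructed): correct, possibly leaky."""
    return x1 if choice else x0

def extract_ot(n, k, ot=honest_ot):
    """Run the two-message extractor once.
    Returns the sender's fresh OT inputs (x0, x1) and the receiver's (choice, z)."""
    g, h = code_and_dual(n, k)
    u, v = random_codeword(g), parity_codeword(n)   # sender: u in C, v even parity
    r = random_codeword(h)                           # receiver: r in C perp
    z = 0
    for i in range(1, n + 1):                        # the n leaky boxes use coordinates 1..n
        z ^= ot(v[i], u[i] ^ v[i], r[i])             # z_i = u_i r_i + v_i
    return (v[0], u[0] ^ v[0]), (r[0], z)            # coordinate 0 is never sent to a box

def check_correctness(n=16, k=8, trials=200):
    """True iff in every trial z equals the sender's bit selected by the choice bit r0."""
    for _ in range(trials):
        (x0, x1), (c, z) = extract_ot(n, k)
        if z != (x1 if c else x0):
            return False
    return True
```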