 Okay, so the next presentation change of title again, maybe I don't know so actively secure OT extension with optimal overhead Given by Marcel Keller Emanuele. Oh given by Marcel Keller co-authored with Emanuele Orsini and Peter Shaw. Thank you Thank you. So Yeah, so we changed the title because this sounds a bit sexier Thank you for the introduction. Thank you for attending especially if you happen to be an NPC person So what is this about? Well for those who don't have heard about oblivious transfer yet So here we go oblivious transfer is a very basic primitive We have a sender and the receiver and the sender inputs two strings the receiver inputs a choice bit and essentially gets this choice and string as an output and the whole idea about the security is that Nobody learns anything extra. So the sender doesn't learn the receiver's choice and at the same time the receiver doesn't learn The string he chose not to learn which he chose not to learn A few facts about oblivious transfer It's complete for multi-part computation and thus any protocol because multi-part computation is the most complete protocol you can think of scheme In GMW like protocols. We need one OT per end gate so that means Yeah, we need a lot and unfortunately, we need some public key crypto like assumption like DDH or RSA and There is a recent implementation by Chu and Olandi and they achieved to Generate 10,000 OTs per second. So the question is how can you how can you be faster? Yeah, how can you do? How can you achieve more and and This is essentially the Idea of OT extension. So you start out with a few OTs Add some cheap symmetric crypto and as an output you could many OTs without running the actual OT protocol again so no public key crypto at that stage and This was brought up by shy at all at crypto 2003 and they proposed their like a passively secure honest But cure is construction which is secure against an honest, but curious Adversary at the same at the same time. They also had an Active least secure construction based on cotton shoes. So hence the big overhead in terms of communication from passive to active later Nilsen et al and the sheriff et al came up with Proposals that reduced the amount of communication per extended OT but there was still an overhead in those works and What we present here in this work is essentially for free. So asymptotically We're just gonna communicate as much as as for passively secure OT extension and all those figures are for sender random OT that is The sender doesn't in the extended OT the sender doesn't get to choose Its inputs. So there is a bit if you want to have like normal OT You need to do like kind of a correction, which just essentially just means more communication Okay, so What's what's the idea? How does it work? So as I said, we start with a few OTS. Sometimes they're called seed OTS Here we call them base OTS and Those are a few short OTS So kappa think kappa of think of kappa as a security parameter. So that's like 128 in in the example of the Table of the previous slide so 128 OTS of length 128 and then in first extension ship we extend the length with a PRG and As a result we get kappa random OTS of length n and now imagine n is big much bigger than kappa and Then we introduce Correlation I will come in a minute to what it means what it means a correlated OT so As a result we get kappa correlated OTS with length n and then Interesting thing about correlation, which I will explain in a minute is that correlated OTS are Essentially symmetric so that means we can essentially kind of turn the whole thing around like transpose if you will and as an Output of that step we get n correlated OTS of length kappa. So imagine Before we had a few OTS and now suddenly we have a lot of OTS that are much shorter and in a last step essentially we use some hashing to break the correlation and then we get We're back to random OTS and have n random OTS so Where is the crucial step security wise that is the correlation because the correlation step requires One party to be honest to stick to the protocol Which I will explain in a minute so Let's look at OT. So here we have a Standard OT a couple of standard OT three and you recognize there's like pairs of strings and there is choice bits and then there is like The receiver gets the chosen string as an output now just Rewriting things a bit we can define some Z strings Essentially as the difference between the two strings and that means we can formulate the output that Receiver gets is essentially the first string plus and that is that is an addition in in a vector field in the in a vectoring over G over gf2 plus the bit times the difference So this is just this is just simple. This is just simple rewriting But then essentially we can drop all this and say well instead of having two two strings to be chosen off we have essentially like the first string and the difference and and Output of the receiver is essentially the the basic so some some sort of basic string plus the difference if he chooses so and Then it's just a very small step to correlated OT very essentially The definition of correlated OT is that the difference is always the same so instead of having a Z 0 Z 1 and so on we have why why why and The rest everything of the rest is the same But of course as I said this if we want to have this based on standard OT this requires Sender at this stage to be honest But I now what that to explain like why we can do the transpose. I kind of want to Get away from this notion of like we have several ot's to kind of a more global view and in a sense It's just rewriting again So instead of several having several strings T and several strings Z we just put them in matrices So we have a matrix T of bits a matrix Z of bits and we have a vector of choice bits X and Then it is rather straightforward to compute that the output of the receiver is essentially the the combined output of the different OT instances is the kind of base matrix T plus DX Z Where's DX is a matrix with the choice bits X in the diagonal and zero and zero otherwise and If you don't see it right away, you just have to believe me that this is true. So now Going from again from standard OT to correlated OT. We actually found that DX Z then turns into the tensor product product of X and Y and By that we mean this is a matrix that contains all the possible products of all the possible entries of the strings X and Y and then in a kind of last three writing step if we say well if we Cannot define the protocol For a random T so that the T essentially is an output for for the sender we get to this multiplication box and Here It is very clear that this is essentially symmetric So we have two parties. They both input the string and as an output they get a Additive secret sharing of the tensor product and and this is essentially at the heart of the OT extension Proposed by Scheidl in 2003 that with some rewriting and introducing this correlation We get something that is symmetric and this essentially explains how we can get from copper OTs of length n to n OTs of length copper Because yeah, we just turn things around So now we want to go from passive security to active security So this is kind of a repeat in the case of an on a standard the two outputs called Q and T Form a random secret sharing of the tensor product of X and Y. So this is how such a matrix Would look like for length six Yeah, like the bit length six of X and Y now if we have a dishonest sender This can be formulated as follows. So and top of the tensor product or in addition to the tensor product and we get some error and and remember Yeah, so we have it there DX Z. So if the Sender temp or something we can rewrite this as X tensor product Y plus DX E for some error matrix and then You can see we get some deviating entries over there and this gives rise to What is called a selective failure attack? What do we mean that that just imagine as an example that at the later stage the sender will reveal Essentially his information for the first column of this Yeah, the first column here and that means he has to reveal Y1 and he has to reveal Reveal the first column of T. Now the receiver can essentially can essentially check on him and The interesting thing now is if X six If X six is zero that means Nothing special happens because zero times whatever is always zero So everything is will be fine on the other hand if X six is one then the receiver will notice that Sender cheated and as a result like we would say in a in a protocol. He will abort. So there is Essentially, there is a chance. There's like a 50 if X Six was generated randomly, which usually is in our Context there's a 50-50 chance of learning that the bit is zero or Failing the protocol and this is a selective failure. This is a selective failure attack We can put this slightly differently if there is at least one error in the I throw X I X I might leak later, but there is a cost of being detected for the sender So and now we come to the magic if you will of of of our work. So remember that In case of an on a standard Q and T are Secret sharing of the tensor product of X and Y So put it a bit differently if we now if you denote the columns of Q and T as QJ and TJ We essentially get this equation that QJ plus TJ is YJ the chafe bit of Y times X For all J, of course now what we what we do in our protocol we check a random linear combination of those equations and We do so by essentially confusing the vectoring and the extension field so How does it work? Well, actually rather straightforward. So we sample we sample random coefficients and the sender essentially computes the random linear combination of his information and these results in V and W and Receiver computes the random linear combination of his information, which is just a matrix Q and checks against the information received from the sender So if you now look at the case of a dishonest sender So then we have in general that Q and T the sum of Q and T. It's just D X Z denoting the columns of set by said one to set N In case of a dishonest standard those columns are not all zero zero zero one one one So we get that the columns of D X Z are X sure product Z J so by sure product we mean the component wise the component wise product So if you put all the equations together the sender needs to compute V and W that fulfills the equation The equation but at the same time he doesn't know X and the intuition here is that This is impossible without doing some guessing about X and this in turn is related to the selective failure attack so essentially we can kind of bet on a certain X and then The sender can bet on a certain X Come up with an answer and the check will go through if his bet was correct so here we have a We have a quick example about this this like assuming he kind of deviates in the first OT instance So all the Z and then for simplicity we assume that all the Z J's are one zero zero zero zero So basically it's the first entry that is the problem now if he assumes that X one is Zero we see that all the sure products that appear are zero and that means he can pass the check by By a setting W to zero and just computing V essentially honestly as the Random linear combination of the T's so Again the big picture is here Essentially he bet this is a bet on the first bit of X being zero If he passes the check he knows that the first bit of X is zero if he fails the check He knew he was wrong. So essentially the observation here is that The Adversary and or a corrupted sender can learn M bits of X with success probability two to the minus M and Putting things together in the How does it work out in a in the hashing step? So the hashing step of the passive protocol essentially involves the Receiver of the base protocol, which then will become the sender of the extended protocol because there's a transpose step and This the random these inputs or outputs from the random OT will be the hash of QJ and the hash of QJ Plus X and the intuition is here like obviously if you know both QJ and QJ plus X then you know X and and And of course like there's so like some possibility to like try several things with the With the hash function, which we model as a random oracle model So basically to rapid to rapid up if the Sender of the base OT chooses to deviate Just a little he will have a little knowledge about X. So he would make to Do a lot of hash queries or random oracle queries To break the sender privacy to compute both hashes listed above on the other hand He can also choose to deviate a lot, which then make it Makes it very unlikely That he will pass the correlation check and this is in informal terms Explains the security of our protocol. There is one side one side issue that I would like to mention that obviously Essentially the which is like Sender no yet the sender of the base OT which is the receiver of the extended OT in the correlation check Give some information about his input Y, but that is not Really a big problem because we have the the chi chase were randomly generated So like securely randomly generate We require we require that and we just discard a few bits of Y and then this essentially like Essentially like the sum is like a privacy amplification. So that's not really a problem So so much about the theory a few words about the implementation and not well that There's some in there's some improvements from the paper in here that we made after the Camera diversity was too. So as you can see We love CPU extensions, especially the cryptographer's delight as and I we use it for the PRG and for hashing and Of course also for our correlation check with which involves the operation in extension fields of characteristic tools, of course PCL mall is the Is the CPU instruction of our choice also a brief word about the transpose step? previous implementations of OT extensions have noted that they People people who implemented it have noted that they needed echelons algorithm We found that this is not really necessary and the reason for that is we don't have we don't have to transpose like an arbitrary Matrix we have to transpose a matrix that Has only 128 rows for security 120 days. So it's arbitrarily It has arbitrarily many columns But only a very limited number of rows So if you if you store the matrix in chunks of 128 times 128 you can do the transpose chunk wise and This is Very little information. So it fits perfectly into the one crash of your CPU So you don't really need cash optimized. You don't echelons algorithm is essentially a cash optimized algorithm for matrix transpose and This brings me to some to some figures of our implementation So in a let's say local network where you have two gigabit per second available You can see that Already there most of the time is Spent sending information you have to do because that is just part of the passive OT extension that you have to have that You have to send kappa times n bits So if you want to have a billion OT with 128 bit security you have to send one hundred and three billion Bits and this takes just over a minute and then there's a small overhead for the computation. So To stick with the theme of the of the session you could say this is like a lot of Macchiato You have a lot of milk and a shot of espresso and then the overhead for the active OT is the sugar It's not very much in terms of volume, but it significantly Significantly changes the flavor of your drink going on to One billion OTS over let's say a wide area network where you only have 50 mil bits per second Here it becomes even even clearer by far the dominating component is simply your communication and the overhead for That doing the computation for the OT extension just becomes negligible and This brings me to my last slide. So the take-home message here is for OT extension the pipe is the limit if you can send kappa bits you can have one random OT with security kappa and On top of that if you want to have standard or regular OT you have for length L You have to send two L bits essentially just send those bits and do some X or I didn't go into details of this. So if you can send kappa plus two L bits You can have one regular OT with security kappa and input length L Link input length L and this concludes my talk. Thank you