Hello, I'm Peihan Miao. I'm going to talk about amortizing rate-one OT and applications to PIR and PSI. This is joint work with Melissa Chase, Sanjam Garg, Mohammad Hajiabadi, and Jialin Li. We start with the problem of oblivious transfer, or OT for short, which is a protocol between two parties. We call them sender and receiver. The sender has two messages M0 and M1, each of length n, and the receiver has a single choice bit B as input. From the OT protocol, the receiver will get one of the two messages, depending on his choice bit, namely M_B, and the sender gets nothing. The security guarantee is that the choice bit B is hidden from the sender and the other message M_{1-B} is hidden from the receiver. In this work, we're interested in two-message OT, where there are two messages sent between the parties. In particular, in the first round, the receiver will somehow encrypt his choice bit B, send it to the sender, and keep some secret state. Then in the second round, the sender will somehow encrypt her two messages and send them to the receiver. Then the receiver can use the secret state to recover M_B. If we look at the message sent from the sender to the receiver, which we call OT_S, and consider the ratio between the length of a single message M0 and the length of OT_S, we know that information-theoretically OT_S cannot be shorter than M0, so this ratio is at most one. In fact, rate half is fairly easy to achieve generically. In this work, we're particularly interested in rate-one OT, where this ratio goes to one as n goes to infinity. Now you might be asking, why do we care about two-message OT, and why in particular rate one? Let's see an example of 1-out-of-4 OT, where the sender has four messages M00 to M11 and the receiver wants to get one of them, in particular M_{BC}. So the receiver has two choice bits, B and C. We can achieve 1-out-of-4 OT from two-message OT in the following way.
In the first round, the receiver will send two OT messages, an encryption of B and an encryption of C, and keep two secret states, ST_B and ST_C. Then the sender will first generate an OT_S message using the encryption of C and this pair of messages, and she will generate another OT_S message using the encryption of C and the other pair of messages. Then she will think of these two OT_S messages as a pair of messages to generate another OT_S message using the encryption of B, and send that to the receiver. Now the receiver can first use ST_B to recover one of these OT_S messages depending on the choice bit B, and then use ST_C to recover the desired message M_{BC}. If you think about this example, the two-round OT allows us to do one OT inside another OT inside another OT. It allows for a sequence of nested OTs. And the rate-one property guarantees that the final OT_S message is not too much longer than the original message. The extra communication cost only grows linearly in the number of sequential OTs, not exponentially. So at a high level, two-message rate-one OT allows us to do nested OT with low communication. This leads to more applications where the sender has a large database and the receiver is interested in a particular location in the database, but he doesn't want to reveal this location to the sender. In these applications of rate-one OT, we can achieve this much communication, where D is the size of the database and lambda is the security parameter. So the communication doesn't have to grow linearly in the size of the database, but only logarithmically. And here is a list of concrete applications of rate-one OT. For example, single-server private information retrieval, or PIR, with polylog communication, and private set intersection, or PSI, with unbalanced set sizes, where the communication is only polylog in the size of the larger set, and so on. The next question is, can we actually achieve rate-one OT? The answer is yes.
The Damgård-Jurik cryptosystem gives a rate-one OT from the DCR assumption, and the recent work by Döttling et al. in 2019 constructed rate-one OT from a primitive called trapdoor hash functions, which can be realized from various assumptions, including DDH, QR, LWE and DCR. Now let's take a step back and look at rate-one OT again. So far, we have only focused on the communication from the sender to the receiver. It is rate one; this is the best we can hope for. But how about receiver communication? If you look at the rate-one OT construction from DDH, for the first bit of the messages, the receiver has to send order n group elements. And this repeats for every bit of the messages. So the overall communication from the receiver is order n squared group elements. A recent work by Garg, Hajiabadi and Ostrovsky last year improved the receiver communication from order n squared group elements to order n based on the power DDH assumption. The high-level idea is to use a sliding window, where the first bit uses these group elements, the second bit uses these group elements, and so on. Now a natural question to ask is whether we can further reduce the receiver communication to, let's say, a constant number of group elements. You might be asking why we even care, because the receiver communication doesn't seem too bad for a single instance of OT. But if you think about the 1-out-of-4 OT example, the receiver has to send two OT messages, and each OT message contains order n squared group elements from the DDH assumption or order n group elements from the power DDH assumption. And in the more advanced applications from rate-one OT, the receiver needs to send more OT messages. In particular, this n here is equal to some polylog in D, and the number of OTs is also some polylog in D. So this becomes more expensive. Now can we further reduce the receiver communication to save another polylog factor?
Or if you think about it another way, can we reuse some of the elements from the first OT in the other OTs to save a polylog factor? Here's our result. We propose a new primitive called amortized rate-one OT that works as follows. There are two phases, an offline phase and an online phase. In the offline phase, the receiver will send order n squared group elements to the sender and keep a secret state. This is the offline setup that's done once and for all. After that, in the online phase, the sender will get two messages M0 and M1, each of length n, and the receiver gets a single choice bit B. Then the receiver will use the secret state to generate an OT message and send it to the sender. The sender will somehow encrypt her two messages and send them to the receiver. Then the receiver can use the secret state to recover the message M_B. We still require the rate-one property, but now the communication from the receiver to the sender in the online phase becomes only a constant number of group elements. And the online phase isn't just one time. It can be done an arbitrary number of times. For example, if they get another pair of messages and another choice bit, they can do it again, an arbitrary number of times. Another nice property of our construction is that the secret state remains unchanged throughout the entire execution. This is crucial for some of our PSI applications. So this is amortized rate-one OT. We give a construction based on the bilinear SXDH assumption, where we assume a bilinear map where both G1 and G2 are DDH-hard. And we can further reduce the offline communication from order n squared to order n group elements based on the bilinear power DDH assumption, where we additionally assume G1 is power-DDH-hard.
We call this primitive amortized rate-one OT because, although the offline communication is roughly the same as before, the online communication from the receiver is reduced by a lot, and it can be done an arbitrary number of times. So if we want to run a large number of rate-one OTs, we get much better amortized communication from the receiver. Given that, we can save a polylog factor in the receiver communication in a lot of applications of rate-one OT. Or if you think about it another way, there is an offline phase where the receiver sends a polylog number of group elements to the sender, and then the online communication from the receiver is reduced by a polylog factor, and this can be done an arbitrary number of times. To summarize our results, we propose a new primitive called amortized rate-one OT, where the receiver sends order n squared group elements in the offline phase, and then in the online phase the receiver only needs to send a constant number of group elements, and the online phase can be done an arbitrary number of times. This can be constructed from the bilinear SXDH assumption, and we can further reduce the offline communication from order n squared to order n group elements based on the bilinear power DDH assumption. Given these new tools, we can reduce the receiver communication in a lot of applications, such as PIR and PSI, just to name a few. The sender communication remains the same as before. In the rest of the talk, I will first present the rate-one OT construction from DDH, then talk about how to get amortized rate-one OT from bilinear maps, and finally I will briefly mention some concrete optimizations.

Okay, first the rate-one OT construction from DDH. Recall that for every bit of the messages, the receiver needs to send order n group elements; let's see how that works. Let's first look at the first bit of the two messages. The receiver will randomly sample 2n group elements to form a vector hk.
Then he will randomly sample an exponent rho and raise every group element to the power rho, except these two group elements. This group element is additionally multiplied by g to the power of one minus B, and this group element is additionally multiplied by g to the power B, where g is the generator of the group and B is the choice bit. Let's take a closer look at what's going on. If B equals zero, then only this group element is additionally multiplied by g, while all the other group elements are just hk raised to the power rho. So we say that there is a bump here, because there is an additional g here. On the other hand, if B equals one, then there's a bump here: this group element is additionally multiplied by g, while all the other group elements are just hk raised to the power rho. And the sender cannot distinguish between these two cases. She has no idea where the bump is, based on the DDH assumption. For simplicity, we're going to assume B equals zero for the rest of the talk. So there's a bump here, and the receiver wants to learn the first bit of M0. Then the receiver will send all these group elements to the sender. The sender will consider another vector M, which is the concatenation of M0 and M1, and she will compute the inner product of hk and M, and also the inner product of ek and M. So for example, if the message M looks like this, then H is the product of these highlighted group elements and E is the product of these highlighted group elements. In this case, because the first bit of M0 is equal to zero, E should be exactly equal to H to the power rho. On the other hand, if the first bit of M0 equals one, then E should be equal to H to the power rho times g. So in general, E should be equal to either H to the rho or H to the rho times g. Then the sender can just send both elements H and E to the receiver, and the receiver can figure out the first bit of M0
by testing whether E is equal to H to the rho or H to the rho times g. This is just for the first bit. Then the receiver can do the same thing for all the other bits, generating ek2 to ekn, where there is a bump here and here. He will send everything to the sender, and the sender will compute the inner product between every vector and the message vector and send all the results to the receiver, and the receiver can recover every bit of M0. If we look at this construction, it is not really rate one, because the communication from sender to receiver contains n plus one group elements. But our goal is to achieve one group element plus n bits, so that it is rate one. So our goal is to somehow compress these group elements E1 to En into a bunch of bits b1 to bn, one group element into one bit. How can we achieve this? Let's go back to the first bit of the messages. We know that E is either equal to H to the rho or H to the rho times g, and the sender only needs to convey this one bit of information to the receiver. We will leverage a function phi, defined from G to bits, such that for every element V in the group, phi of V is not equal to phi of V times g. Given such a function, the sender can just send the group element H along with phi of E, so that the receiver can learn the first bit of M0 by testing whether phi of E is equal to phi of H to the rho or phi of H to the rho times g. This function phi can be achieved by the work of Boyle, Gilboa and Ishai in 2016. That completes the construction, where the sender only needs to apply the function phi to all the group elements to compress these group elements into bits. And then we're done. So that's the rate-one OT construction from DDH.

Next, let's see how to construct amortized rate-one OT from bilinear maps. So the very, very high-level idea is the following.
In the offline phase, the receiver will generate all these group elements in G1 and send them to the sender, where in each of the vectors here there are two bumps, one bump here and one bump here, because at this point the receiver doesn't know the choice bit yet. Then in the online phase, the receiver learns the choice bit, let's say B equals zero, and he is going to generate some group element in G2 and send it to the sender. Then the sender will map all these group elements in G1 with this group element in G2 using the bilinear map, to generate a bunch of group elements in GT. And somehow we want to make sure that there is only one bump in every vector: one bump here, one bump here, and so on. If this is the case, then we can run rate-one OT in the target group, same as before. However, this idea doesn't quite work if there is only a single group element in each of the small boxes here. We need two group elements per box. Let's take a closer look. Each of the small boxes will contain two group elements in G1. We use the notation r_i to denote a random vector of dimension 2, and we use this notation to denote the vector of g to the power r. So in this vector, each small box contains two random group elements in G1. Then vk1 is just raising all these group elements to a random exponent rho1, and then we add two bumps, here and here. Similarly for vk2, it is just raising all these group elements to a random exponent rho2 and adding two bumps here and here, and so on. So this is the offline phase. Then in the online phase, after learning the choice bit, let's say b equals 0, the receiver will generate two boxes. Each box contains two group elements in G2, where s and t are two random vectors of dimension 2 such that the inner product of s and u equals 1 and the inner product of t and u equals 0. And we use this notation similarly as before, just to differentiate group elements in G1 from those in G2.
Then the sender will map these boxes with s and these boxes with t using the bilinear map. Remember, every box contains two group elements, so the mapping is like doing an inner product between the two boxes. Then the sender will get a vector of group elements in GT, and similarly for the other vectors. Because the inner product of s and u equals 1, there is a bump here. On the other hand, because the inner product of t and u is equal to 0, there is no bump here. Similarly there is a bump here and not here. So in this way we can make sure that in every vector there is exactly one bump, and it is in the correct position. And then we're done. That's the construction of amortized rate-one OT from bilinear maps.

Finally, I want to briefly mention some of our concrete optimizations. In this construction, the online communication from the receiver contains four group elements in G2: there are two boxes, and each box contains two group elements in G2. We can reduce this communication to three group elements in G2, and here is the idea. First we will increase the number of group elements in each box from 2 to 3, so these vectors become vectors of dimension 3. Then we put a different bump here and here: here we put plus u and here we put plus v. Then in the online phase, the receiver will generate a single vector s of dimension 3 such that the inner product of s and u equals 1 and the inner product of s and v equals 0. And then we're done. The rest is the same as before, but we reduce the receiver communication from four group elements to three group elements in G2. We have more optimizations discussed in the paper.

To summarize, we propose a new primitive called amortized rate-one OT, and we give a construction from the bilinear SXDH assumption. We can further reduce the offline communication from the bilinear power DDH assumption. And given this primitive, we can reduce the receiver's communication in a lot of applications such as PIR and PSI.
Finally, I want to mention a few open problems. Can we achieve amortized rate-one OT from other assumptions? Can we achieve some sort of amortized rate-one OT extension? In terms of applications, can we find more applications of amortized rate-one OT? And can we get concretely efficient implementations of the existing applications? Thank you.
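The two-bump offline vectors and the online s/t boxes described in the talk, simulated in the exponent so that the pairing of two boxes becomes an inner product (an added example, not the paper's or the speaker's code; the prime Q, the exponent-space decode standing in for the phi compression, and the sample messages are all my own constructions):

```python
# Exponent-space model of amortized rate-1 OT (constructed example).
# A group element g^a is stored as the exponent a mod Q, so the pairing
# e(g1^a, g2^b) = gT^{ab} is a multiplication and pairing two "boxes"
# (vectors of exponents) is an inner product. Q is a constructed stand-in
# for the (prime) group order, not a parameter from the paper.
import secrets

Q = 2**61 - 1

def inner(a, b):
    return sum(x * y for x, y in zip(a, b)) % Q

def rand_vec(dim):
    return [secrets.randbelow(Q) for _ in range(dim)]

def offline_receiver(n):
    """Offline phase with dimension-2 boxes: random boxes r_j for j < 2n and,
    for each bit position i, vk_i = rho_i * r with a bump +u at boxes i and
    n+i (two bumps, because the choice bit is not known yet)."""
    u = [1 + secrets.randbelow(Q - 1), secrets.randbelow(Q)]   # u[0] != 0
    r = [rand_vec(2) for _ in range(2 * n)]
    rho = [secrets.randbelow(Q) for _ in range(n)]
    vk = []
    for i in range(n):
        row = [[rho[i] * x % Q for x in box] for box in r]
        for pos in (i, n + i):
            row[pos] = [(x + y) % Q for x, y in zip(row[pos], u)]
        vk.append(row)
    return (r, vk), {"u": u, "rho": rho}     # secret state never changes

def online_receiver(state, b):
    """Online phase: s with <s,u> = 1 and t with <t,u> = 0, two G2 elements
    each. The half of the vector holding M_b meets s, the other half meets t."""
    u0, u1 = state["u"]
    inv = pow(u0, -1, Q)
    s1, t1 = secrets.randbelow(Q), secrets.randbelow(Q)
    s = [(1 - s1 * u1) * inv % Q, s1]
    t = [(-t1 * u1) * inv % Q, t1]
    return (s, t) if b == 0 else (t, s)

def sender(offline_msg, boxes, m0, m1):
    """Pair every G1 box with the G2 box for its half (inner product in the
    exponent), then run the rate-1 OT inner products over the target group:
    H and E_i multiply the entries selected by the 1-bits of m0 || m1."""
    r, vk = offline_msg
    n, m = len(vk), m0 + m1
    sel = [j for j in range(2 * n) if m[j] == 1]
    box = lambda j: boxes[0] if j < n else boxes[1]
    h = sum(inner(r[j], box(j)) for j in sel) % Q
    e = [sum(inner(vk[i][j], box(j)) for j in sel) % Q for i in range(n)]
    return h, e

def receiver_decode(state, h, e):
    """E_i = H^{rho_i} * gT^{bit}; in the exponent model the bit is read off
    directly (the real scheme sends phi(E_i), one bit per position, instead)."""
    return [(e_i - rho_i * h) % Q for e_i, rho_i in zip(e, state["rho"])]
```

Running `offline_receiver` once and then `online_receiver` with different choice bits against the same state shows the amortization: the offline message and the secret state are reused, and each online run costs two boxes.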