 Hi, this talk is about two-round Oblivious Linear Evaluation from Learning with Errors. I'm Pedro and this is joint work with Nick Woodotling and Paul Mateusz. Oblivious Linear Evaluation, or OLE, is a protocol between a sender and the receiver. The sender holds two values, A and B, from a finite field, and the receiver holds a value, X, also from the finite field. In the end, the receiver should learn A plus XB. In terms of security, we require that the receiver learns nothing about A and B, and that the sender learns nothing about X. OLE is usually seen as the arithmetic analog of the well-known Oblivious Transfer Primitive, and it is well known that the minimal number of rounds to perform it is two. OLE has found numerous applications throughout the years. The most natural one being, it allows us to securely realize computation of arithmetic circuits, just as OT realizes secure computation of Boolean circuits. It has also been used to realize efficient two-party secure computation schemes in a variety of different settings. OLE has also been used to realize specific tasks such as private-set intersection and machine-learning related tasks. Many OLE protocols have been proposed over the years. Some of these proposals are presented in this table. As you can see, current OLE protocols either require more than two rounds, or a trusted setup, or are based on non-post-quantum assumptions. This raises the question of whether we can build an OLE protocol, which is maliciously secure. It takes two rounds, and it's based on presumed post-quantum hardness assumptions. In this work, we provide an affirmative answer to this question by presenting two protocols for OLE from LWB. Recall that LWB is an assumption which is presumably post-quantum. Our first construction is a construction for an OLE protocol from LWB, which is secure against malicious receivers where security holds statistically and semi-honest senders assuming LWB. The main technical tool that we use in this construction is a new extraction mechanism that allows the simulator to extract the receiver's input and generalizes the PVW extraction mechanism for super polynomial modulus. Then we extend this construction into a fully malicious OLE protocol, and the resulting scheme is secure against malicious receivers, again where statistical security is maintained, and malicious senders. This protocol uses an additional OT protocol. Let us first recall the learning with errors assumption. The LWB assumption states that for a random matrix A, a random vector S, and a vector E, which is sampled from an error distribution, the distributions of S, A plus E, and is computationally indistinguishable from a random vector. Let us take a look at the structure of this talk. We will start by presenting the PVW OT protocol from LWB, and why its extraction mechanism in the security proof of malicious receiver only works for polynomial modulus. Then we generalize the PVW scheme into an OLE protocol and devise a new extraction mechanism that works for any modular skew, even super polynomial. Then we extend this result, this protocol into a maliciously secure OLE protocol, and at the cost of an additional OT scheme. Let us first recall how the PVW scheme works. In this scheme, the CRS is composed by a matrix A and a vector W. The receiver with input B starts by sampling uniformly at random a vector S and an error vector E, and it sends the value S times A plus E minus BW. The sender with input V0 and V1 will essentially encrypt V0 under the public key AZ and V1 under the public key AW, using the same randomness. That is, it will sample a vector R with the low norm and compute A times R, and the value C0, which is Z times R plus an encoding of V0, and C1, which is W times R plus an encoding of V1. The receiver can now compute the value B times C1 plus C0 minus S times C and round the result modulo 2. It is easy to see that the value obtained by the receiver will be equal to B times V1 plus V0. Security against semi-honest senders follows easily from the LWB assumption. Let us focus on the more interesting case of malicious receivers. The problem here is that the value Z chosen by the adversary can be chosen arbitrarily. However, independently of the choice of Z, it can be argued that one of these matrices, A0 or A1, does not have short vectors in its rock span. Thus, we can use the smoothing lemma, which guarantees that essentially one of the ciphertexts will be statistically coaxed with uniform. This means that one of the plaintexts will be statistically eaten. So the problem now is how the reduction knows which case holds. Let's see how the extraction works in PVW. The trick here is that the reduction will choose the matrix A, together with the lattice tractor. Now, given Z, the reduction can check if there is an alpha in ZQ, such that alpha times Z is close to the row span of A. If there exists such alpha, then Z plus W times R is statistically close to uniform and the reduction can set B equal to 0. On the other hand, if there is no alpha, then Z times R is the value which is statistically close to uniform and the reduction can set B equal to 0. However, there's a drawback. In the proof, Q must be of polynomial size, because the reduction needs to go through over all values of Q. This is not good for OLE, because this would restrict the functionality to fields of polynomial size. Instead, we want to perform OLE over any field, even with super polynomial size. Let's see how we can recast the PVW OT scheme as an OLE scheme. Again, the CRS is composed by a matrix A and a vector W over a ring ZQ. Here, Q is a modulus such that Q can be written as Q1 times Q2. The OLE is going to be performed over ZQ1. The receiver will compute the vector Z as before using X as the input. The sender will encrypt again V0 and V1 under the different public keys and send this ciphertext to the receiver. The receiver will compute the value X times C1 plus C0 minus S times C and reduce it modulo Q1. As we've seen in the PVW case, the value obtained by the receiver is a linear combination of V0 and V1. Again, security against a semi-on-sender can be trivially established from the LWB assumption. For the malicious receiver case, we're going to write Z as S times A minus XW plus alpha D for a D of minimal length. Using the partial smoothing lemma, we can actually simulate the receiver's sender's message given only the output of the functionality X times V1 plus V0. So, it remains to show how the reduction can extract X from the receiver's message. To extract S from Z, we're going to choose a matrix A' together with the lattice trapdoor. But now, contrary to PVW, we're going to set the CRS as a matrix A, which is the matrix A' except the last row, and W, which is the last row of A'. Here, T is a square matrix with no norm such that A' times T is equal to 0. So, how can we recover all the components of the vector Z? Well, if we compute F, which is Z times the trapdoor T, then since A' times T is equal to 0, this will be equal to alpha D times T. If D is short, then the product D times T is also short because T is a low-norm matrix. So, we have to solve the equation alpha times D' where D' is the product D times T equal to F, where only F is known. Let's see how we can solve this equation. Let's write F as the vector F as F1 to Fm, and the vector D' as D'1 to D'n. Then, we can construct the following system of equations where each Fi is equal to alpha times D'i. Now, we can eliminate alpha from the equations and obtain the system of equations where each equation is of the form minus Fi times D'1 plus F1 times D'i equal to 0. We can see that it's enough to find the first coordinate D'1 in order to obtain all the other ones. Essentially, the main observation here is that each one of these equations will define a lattice of dimension 2. Our main observation now is that finding the shortest vector in a two-dimensional lattice is actually an easy problem. More precisely, consider the lattice lambda j, which is the orthogonal q-ary lattice defined by the vector Bj. Bj is a vector whose first coordinate is minus Fj over F1 and the second one is 1. Each lambda j corresponds to the lattice defined by the equations on the previous slide. We can now apply an SVP solver to lambda j and obtain the shortest vector Gj. We now observe that D'1 must be a multiple of the first coordinates of each of the vectors Gj. We can now set D'1 to be the least common multiple of these values. Now, given D' we can recover D via linear algebra and given Z and D we can find the solution S' to the equation. Finally, given S' we can extract the receiver's input X. This concludes the proof against a malicious receiver. To conclude, we'd like to mention two additional results that we obtain in this work. The first one is that we can extend the OLE protocol into a batch OLE where the receiver can commit to a batch of inputs and that achieves better communication complexity. The second one is that we can extend the OLE protocol to allow for malicious senders using current choose techniques at the cost of an additional OT protocol. That's all. Thanks.