Batch-OT with Optimal Rate

Abstract

We show that it is possible to perform n independent copies of 1-out-of-2 oblivious transfer in two messages, where the communication complexity of the receiver and sender (each) is \(n(1+o(1))\) for sufficiently large n. Note that this matches the information-theoretic lower bound. Prior to this work, this was only achievable by using the heavy machinery of rate-1 fully homomorphic encryption (Rate-1 FHE, Brakerski et al., TCC 2019).

To achieve rate-1 both on the receiver’s and sender’s end, we use the LPN assumption, with slightly sub-constant noise rate \(1/m^{\epsilon }\) for any \(\epsilon >0\) together with either the DDH, QR or LWE assumptions. In terms of efficiency, our protocols only rely on linear homomorphism, as opposed to the FHE-based solution which inherently requires an expensive “bootstrapping” operation. We believe that in terms of efficiency we compare favorably to existing batch-OT protocols, while achieving superior communication complexity. We show similar results for Oblivious Linear Evaluation (OLE).

For our DDH-based solution we develop a new technique that may be of independent interest. We show that it is possible to “emulate” the binary group \(\mathbb {Z}_2\) (or any other small-order group) inside a prime-order group \(\mathbb {Z}_p\) in a function-private manner. That is, \(\mathbb {Z}_2\) operations are mapped to \(\mathbb {Z}_p\) operations such that the outcome of the latter do not reveal additional information beyond the \(\mathbb {Z}_2\) outcome. Our encoding technique uses the discrete Gaussian distribution, which to our knowledge was not done before in the context of DDH.

A Additional Preliminaries

1.1 A.1 UC Security

In terms of security, we work in the standard UC-framework [13]. Let \(\mathcal {F}\) be a functionality, \(\pi \) a protocol that implements \(\mathcal {F}\) and \(\mathcal {E}\) be a environment, an entity that oversees the execution of the protocol in both the real and the ideal worlds. Let \(\mathsf {IDEAL}_{\mathcal {F},\mathsf {Sim},\mathcal {E}}\) be a random variable that represents the output of \(\mathcal {E}\) after the execution of \(\mathcal {F}\) with adversary \(\mathsf {Sim}\). Similarly, let \(\mathsf {REAL}_{\pi ,\mathcal {A},\mathcal {E}}\) be a random variable that represents the output of \(\mathcal {E}\) after the execution of \(\pi \) with adversary \(\mathcal {A}\).

In this work, we only consider semi-honest adversaries.

Definition 13

A protocol \(\pi \) implements \(\mathcal {F}\) if for every PPT adversary \(\mathcal {A}\) there is a PPT simulator \(\mathsf {Sim}\) such that for all PPT environments \(\mathcal {E}\), the distributions \(\mathsf {IDEAL}_{\mathcal {F},\mathsf {Sim},\mathcal {E}}\) and \( \mathsf {REAL}_{\pi ,\mathcal {A},\mathcal {E}}\) are computationally indistinguishable.

1.2 A.2 Learning Parity with Noise

The LPN assumption is closely related to the problem of decoding a random linear code. Informally, it states that it is hard to find a solution for a noisy system of linear equations over \(\mathbb {Z}_2\).

Definition 14

(LPN assumption). Let \(n,m,t\in \mathbb {N}\) such that \(n\in \mathsf {poly}(\lambda )\) and let \(\chi _{m,t}\) be uniform distribution over the set of error vectors of size m and hamming weight t. The Learning Parity with Noise (LPN) assumption \(\mathsf {LPN}(n,m,\rho )\) holds if for any PPT adversary \(\mathcal {A}\) we have that

where \(\rho =m/t\) (\(\rho \) is called the noise rate).

In this work, we assume that the noise rate \(\rho \) is \(m^{1-\varepsilon }\) for any constant \(\varepsilon >0\). The LPN assumption is believed to be hard for that noise rate (see e.g. [5] and references therein).

For other missing preliminaries please refer to the full version paper.