Abstract
We study the complexity of two-party secure arithmetic computation where the goal is to evaluate an arithmetic circuit over a finite field \(\mathbb {F}\) in the presence of an active (aka malicious) adversary. In the passive setting, Applebaum et al. (Crypto 2017) constructed a protocol that only makes a constant (amortized) number of field operations per gate. This protocol uses the underlying field \(\mathbb {F}\) as a black box, makes black-box use of (standard) oblivious transfer, and its security is based on arithmetic analogs of well-studied cryptographic assumptions. We present an actively-secure variant of this protocol that achieves, for the first time, all the above features. The protocol relies on the same assumptions and adds only a minor overhead in computation and communication.
Along the way, we construct a highly-efficient Vector Oblivious Linear Evaluation (VOLE) protocol and present several practical and theoretical optimizations, as well as a prototype implementation. Our most efficient variant can achieve an asymptotic rate of 1/4 (i.e., for vectors of length w we send roughly 4w elements of \(\mathbb {F}\)), which is only slightly worse than the passively-secure protocol whose rate is 1/3. The protocol seems to be practically competitive over fast networks, even for relatively small fields \(\mathbb {F}\) and relatively short vectors. Specifically, our VOLE protocol has 3 rounds, and even for 10K-long vectors, it has an amortized cost per entry of less than 4 OTs and less than 300 arithmetic operations. Most of these operations (about 200) can be pre-processed locally in an offline non-interactive phase. (Better constants can be obtained for longer vectors.) Some of our optimizations rely on a novel intractability assumption regarding the non-malleability of noisy linear codes, which may be of independent interest.
Our technical approach employs two new ingredients. First, we present a new information-theoretic construction of Conditional Disclosure of Secrets (CDS) and show how to use it in order to immunize the VOLE protocol of Applebaum et al. against active adversaries. Second, by using elementary properties of low-degree polynomials, we show that, for some simple arithmetic functionalities, one can easily upgrade Yao’s garbled-circuit protocol to the active setting with a minor overhead while preserving the round complexity.
Supported by the Israel Science Foundation grant no. 2805/21. The full version of this paper appears in [10].
Notes
1. More complex numerical computations can typically be efficiently reduced to these simple ones, e.g., by using suitable low-degree approximations.
2. For example, for the case of finite fields with n-bit elements, the size of the best known Boolean multiplication circuits is \(\omega (n \log n)\).
3. The protocol additionally uses standard “bit-operations” whose complexity is dominated by the field operations.
4. We mention that the aforementioned assumptions are not known to imply OT.
5. In fact, even our most conservative protocol (VOLE3) that proves Theorem 1 has an asymptotic rate of 1/5 and its amortized computational complexity is roughly the same. However, VOLE3 achieves this only over significantly longer vectors.
6. The current implementations of the compressed-VOLE-based solution are either restricted to the binary field [18] or achieve passive security [48], and so we cannot compare the actual performance of our implementation against a compressed-VOLE-based implementation. Indeed, to the best of our knowledge, our work provides the first implementation of actively-secure VOLE over large fields.
7. The exact level of stretch is not important since one can transform a given PRG with a polynomial stretch of \(n=k^c\) for some \(c>1\) to a PRG with a stretch of \(n=k^{c'}\) for an arbitrary constant \(c'>c\) while increasing the depth of the circuit by a constant factor (see, e.g., [3]).
8. This information suffices to recover the plaintext \(x\boldsymbol{a}+\boldsymbol{b}\) since the encryption internally employs a suitable error-correcting code. Indeed, [5] show how to combine a fast pseudorandom matrix with a linear-time error-correcting code and derive a linear-time encodable code that is pseudorandom under random noise but can be decoded in linear time in the presence of random erasures.
9. GOT allows Bob to retrieve a subset of the messages of Alice that are “authorized” according to some predicate P. Previous constructions were either based on decomposable randomized encoding (aka private-simultaneous-messages protocols) [35] or on secret sharing [29, 49, 50]. We generalize these approaches by using CDS, which is strictly weaker than both primitives.
10. Interestingly, this detection is performed “silently”: to test a session, Bob just plays this session in a “detection mode”. In contrast, in typical cut-and-choose-based solutions, Bob asks Alice to “open” a session. In fact, in our protocol we can even hide from Alice which sessions were tested by Bob.
11. Indeed, here we assume that the field is sufficiently large. In contrast, the VOLE1 and VOLE2 protocols can be realized over small fields as well.
12. The computational complexity and communication complexity of batch-OT are measured as the total bit-length of the sent messages; see the full version [10] for a justification of this convention.
13. In the context of binary codes, LPN-style assumptions with sub-constant \(\mu \) are quite standard.
14. The concrete formulation taken here is chosen for the sake of simplicity. More refined and conservative versions (e.g., that assume better speed-ups and consider sub-constant noise regimes) can be adopted as well.
15. Recall that VOLE1 is obtained by combining the RVOLE-to-VOLE transformation with Protocol 4 for RVOLE. Accordingly, the latter protocol achieves provable active security against the Sender, provable passive security against the Receiver, and heuristic active security against the Receiver.
References
Aiello, W., Ishai, Y., Reingold, O.: Priced oblivious transfer: how to sell digital goods. In: Pfitzmann, B. (ed.) EUROCRYPT 2001. LNCS, vol. 2045, pp. 119–135. Springer, Heidelberg (May 2001). https://doi.org/10.1007/3-540-44987-6_8
Alekhnovich, M.: More on average case vs approximation complexity. In: 44th FOCS, pp. 298–307. IEEE Computer Society Press (October 2003). https://doi.org/10.1109/SFCS.2003.1238204
Applebaum, B.: Cryptographic hardness of random local functions. Comput. Complex. 25(3), 667–722 (2015). https://doi.org/10.1007/s00037-015-0121-8
Applebaum, B., Avron, J., Brzuska, C.: Arithmetic cryptography. J. ACM 64(2), 10:1–10:74 (2017). https://doi.org/10.1145/3046675
Applebaum, B., Damgård, I., Ishai, Y., Nielsen, M., Zichron, L.: Secure arithmetic computation with constant computational overhead. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017. LNCS, vol. 10401, pp. 223–254. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-63688-7_8
Applebaum, B., Ishai, Y., Kushilevitz, E.: Cryptography in \(\text{NC}^0\). SIAM J. Comput. 36(4), 845–888 (2006). https://doi.org/10.1137/S0097539705446950
Applebaum, B., Ishai, Y., Kushilevitz, E.: On pseudorandom generators with linear stretch in \(\text{NC}^0\). Comput. Complex. 17(1), 38–69 (2008). https://doi.org/10.1007/s00037-007-0237-6
Applebaum, B., Ishai, Y., Kushilevitz, E.: How to garble arithmetic circuits. SIAM J. Comput. 43(2), 905–929 (2014). https://doi.org/10.1137/120875193
Applebaum, B., Kachlon, E.: Sampling graphs without forbidden subgraphs and unbalanced expanders with negligible error. In: Zuckerman, D. (ed.) 60th FOCS. pp. 171–179. IEEE Computer Society Press (November 2019). https://doi.org/10.1109/FOCS.2019.00020
Applebaum, B., Konstantini, N.: Actively secure arithmetic computation and VOLE with constant computational overhead. Cryptology ePrint Archive, Paper 2023/270 (2023). https://eprint.iacr.org/2023/270
Applebaum, B., Lovett, S.: Algebraic attacks against random local functions and their countermeasures. In: Wichs, D., Mansour, Y. (eds.) 48th ACM STOC. pp. 1087–1100. ACM Press (June 2016). https://doi.org/10.1145/2897518.2897554
Asharov, G., Lindell, Y., Schneider, T., Zohner, M.: More efficient oblivious transfer extensions with security for malicious adversaries. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 673–701. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46800-5_26
Baum, C., Malozemoff, A.J., Rosen, M.B., Scholl, P.: Mac'n'Cheese: zero-knowledge proofs for Boolean and arithmetic circuits with nested disjunctions. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021. LNCS, vol. 12828, pp. 92–122. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84259-8_4
Beaver, D.: Correlated pseudorandomness and the complexity of private computations. In: 28th ACM STOC. pp. 479–488. ACM Press (May 1996). https://doi.org/10.1145/237814.237996
Bootle, J., Cerulli, A., Ghadafi, E., Groth, J., Hajiabadi, M., Jakobsen, S.K.: Linear-time zero-knowledge proofs for arithmetic circuit satisfiability. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10626, pp. 336–365. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70700-6_12
Bordewijk, J.L.: Inter-reciprocity applied to electrical networks. Appl. Sci. Res. Sect. A 6(1), 1–74 (1957)
Boyle, E., Couteau, G., Gilboa, N., Ishai, Y.: Compressing vector OLE. In: Lie, D., Mannan, M., Backes, M., Wang, X. (eds.) ACM CCS 2018, pp. 896–912. ACM Press (October 2018). https://doi.org/10.1145/3243734.3243868
Boyle, E., et al.: Efficient two-round OT extension and silent non-interactive secure computation. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) ACM CCS 2019, pp. 291–308. ACM Press (November 2019). https://doi.org/10.1145/3319535.3354255
Chase, M., et al.: Reusable non-interactive secure computation. In: Boldyreva, A., Micciancio, D. (eds.) CRYPTO 2019. LNCS, vol. 11694, pp. 462–488. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-26954-8_15
Chor, B., Goldreich, O., Håstad, J., Friedman, J., Rudich, S., Smolensky, R.: The bit extraction problem of t-resilient functions (preliminary version). In: 26th FOCS. pp. 396–407. IEEE Computer Society Press (October 1985). https://doi.org/10.1109/SFCS.1985.55
Crépeau, C.: Equivalence between two flavours of oblivious transfers. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 350–354. Springer, Heidelberg (1988). https://doi.org/10.1007/3-540-48184-2_30
Crépeau, C., Kilian, J.: Weakening security assumptions and oblivious transfer. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 2–7. Springer, New York (1990). https://doi.org/10.1007/0-387-34799-2_1
Dittmer, S., Ishai, Y., Ostrovsky, R.: Line-point zero knowledge and its applications. In: Tessaro, S. (ed.) ITC 2021. LIPIcs, vol. 199, pp. 5:1–5:24. Schloss Dagstuhl (2021). https://doi.org/10.4230/LIPIcs.ITC.2021.5
Druk, E.: Linear time encodable codes and cryptography. Master’s thesis, Technion (2013)
Druk, E., Ishai, Y.: Linear-time encodable codes meeting the Gilbert-Varshamov bound and their cryptographic applications. In: Naor, M. (ed.) ITCS 2014, pp. 169–182. ACM (January 2014). https://doi.org/10.1145/2554797.2554815
Freedman, M.J., Ishai, Y., Pinkas, B., Reingold, O.: Keyword search and oblivious pseudorandom functions. In: Kilian, J. (ed.) TCC 2005. LNCS, vol. 3378, pp. 303–324. Springer, Heidelberg (2005). https://doi.org/10.1007/978-3-540-30576-7_17
Genkin, D., Ishai, Y., Prabhakaran, M., Sahai, A., Tromer, E.: Circuits resilient to additive attacks with applications to secure computation. In: Shmoys, D.B. (ed.) 46th ACM STOC, pp. 495–504. ACM Press (May/June 2014). https://doi.org/10.1145/2591796.2591861
Gertner, Y., Ishai, Y., Kushilevitz, E., Malkin, T.: Protecting data privacy in private information retrieval schemes. In: 30th ACM STOC, pp. 151–160. ACM Press (May 1998). https://doi.org/10.1145/276698.276723
Ghosh, S., Nielsen, J.B., Nilges, T.: Maliciously secure oblivious linear function evaluation with constant overhead. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10624, pp. 629–659. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70694-8_22
Ghosh, S., Nilges, T.: An algebraic approach to maliciously secure private set intersection. In: Ishai, Y., Rijmen, V. (eds.) EUROCRYPT 2019. LNCS, vol. 11478, pp. 154–185. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17659-4_6
Gilboa, N.: Two party RSA key generation. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 116–129. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48405-1_8
Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: Aho, A. (ed.) 19th ACM STOC. pp. 218–229. ACM Press (May 1987). https://doi.org/10.1145/28395.28420
Guruswami, V., Indyk, P.: Linear-time encodable/decodable codes with near-optimal rate. IEEE Trans. Inf. Theory 51(10), 3393–3400 (2005). https://doi.org/10.1109/TIT.2005.855587
Ishai, Y., Kilian, J., Nissim, K., Petrank, E.: Extending oblivious transfers efficiently. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 145–161. Springer, Heidelberg (2003). https://doi.org/10.1007/978-3-540-45146-4_9
Ishai, Y., Kushilevitz, E.: Private simultaneous messages protocols with applications. In: Fifth Israel Symposium on Theory of Computing and Systems, ISTCS 1997, Ramat-Gan, Israel, 17–19 June 1997, Proceedings, pp. 174–184. IEEE Computer Society (1997). https://doi.org/10.1109/ISTCS.1997.595170
Ishai, Y., Kushilevitz, E.: Randomizing polynomials: a new representation with applications to round-efficient secure computation. In: 41st FOCS, pp. 294–304. IEEE Computer Society Press (November 2000). https://doi.org/10.1109/SFCS.2000.892118
Ishai, Y., Kushilevitz, E.: Perfect constant-round secure computation via perfect randomizing polynomials. In: Widmayer, P., et al. (eds.) ICALP 2002. LNCS, vol. 2380, pp. 244–256. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-45465-9_22
Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Cryptography with constant computational overhead. In: Ladner, R.E., Dwork, C. (eds.) 40th ACM STOC, pp. 433–442. ACM Press (May 2008). https://doi.org/10.1145/1374376.1374438
Ishai, Y., Prabhakaran, M., Sahai, A.: Founding cryptography on oblivious transfer – efficiently. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 572–591. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_32
Ishai, Y., Prabhakaran, M., Sahai, A.: Secure arithmetic computation with no honest majority. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 294–314. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00457-5_18
Kushilevitz, E., Lindell, Y., Rabin, T.: Information-theoretically secure protocols and security under composition. SIAM J. Comput. 39(5), 2090–2112 (2010). https://doi.org/10.1137/090755886
Lindell, Y.: General composition and universal composability in secure multi-party computation. In: 44th FOCS, pp. 394–403. IEEE Computer Society Press (October 2003). https://doi.org/10.1109/SFCS.2003.1238213
Mohassel, P., Weinreb, E.: Efficient secure linear algebra in the presence of covert or computationally unbounded adversaries. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 481–496. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_27
Naor, M., Pinkas, B.: Oblivious transfer and polynomial evaluation. In: 31st ACM STOC, pp. 245–254. ACM Press (May 1999). https://doi.org/10.1145/301250.301312
Naor, M., Pinkas, B.: Efficient oblivious transfer protocols. In: Kosaraju, S.R. (ed.) 12th SODA, pp. 448–457. ACM-SIAM (January 2001)
Peikert, C., Vaikuntanathan, V., Waters, B.: A framework for efficient and composable oblivious transfer. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 554–571. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85174-5_31
Rabin, M.O.: How to exchange secrets with oblivious transfer. Cryptology ePrint Archive, Paper 2005/187 (2005). https://eprint.iacr.org/2005/187
Schoppmann, P., Gascón, A., Reichert, L., Raykova, M.: Distributed vector-OLE: Improved constructions and implementation. In: Cavallaro, L., Kinder, J., Wang, X., Katz, J. (eds.) ACM CCS 2019, pp. 1055–1072. ACM Press (November 2019). https://doi.org/10.1145/3319535.3363228
Shankar, B., Srinathan, K., Rangan, C.P.: Alternative protocols for generalized oblivious transfer. In: Rao, S., Chatterjee, M., Jayanti, P., Murthy, C.S.R., Saha, S.K. (eds.) ICDCN 2008. LNCS, vol. 4904, pp. 304–309. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-77444-0_31
Tassa, T.: Generalized oblivious transfer by secret sharing. Des. Codes Cryptogr. 58(1), 11–21 (2011). https://doi.org/10.1007/s10623-010-9378-8
Weng, C., Yang, K., Katz, J., Wang, X.: Wolverine: Fast, scalable, and communication-efficient zero-knowledge proofs for boolean and arithmetic circuits. In: 42nd IEEE Symposium on Security and Privacy, SP 2021, San Francisco, CA, USA, 24–27 May 2021, pp. 1074–1091. IEEE (2021). https://doi.org/10.1109/SP40001.2021.00056
Yao, A.C.C.: How to generate and exchange secrets (extended abstract). In: 27th FOCS, pp. 162–167. IEEE Computer Society Press (October 1986). https://doi.org/10.1109/SFCS.1986.25
Zichron, L.: Locally computable arithmetic pseudorandom generators. Master’s thesis, Tel Aviv University (2017), available from Applebaum’s home page
© 2023 International Association for Cryptologic Research
Cite this paper
Applebaum, B., Konstantini, N. (2023). Actively Secure Arithmetic Computation and VOLE with Constant Computational Overhead. In: Hazay, C., Stam, M. (eds) Advances in Cryptology – EUROCRYPT 2023. EUROCRYPT 2023. Lecture Notes in Computer Science, vol 14005. Springer, Cham. https://doi.org/10.1007/978-3-031-30617-4_7
DOI: https://doi.org/10.1007/978-3-031-30617-4_7
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-30616-7
Online ISBN: 978-3-031-30617-4