Compressing Vector OLE

Boyle, Elette; Couteau, Geoffroy; Gilboa, Niv; Ishai, Yuval

doi:10.1145/3243734.3243868

Cited by 97 publications

(81 citation statements)

References 48 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…At a high level, OT extension protocols [IKNP03, KOS15, KKRT16, OOS17] turns a small number of base OTs into a near-arbitrary number of OTs, using only cheap operations. The latest generation of these protocols, initiated in [BCG + 17], leverages the notion of pseudorandom correlation generators (PCGs) [BCGI18,BCG + 19b] to enable the construction of extremely efficient OT extension protocols. This line of work recently culminated with the protocols of [BCG + 19a, SGRR19, WYKW20, YWL + 20].…”

Section: Introductionmentioning

confidence: 99%

Silver: Silent VOLE and Oblivious Transfer from Hardness of Decoding Structured LDPC Codes

Couteau

Rindal

Raghuraman

2021

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

We put forth new protocols for oblivious transfer extension and vector OLE, called Silver, for SILent Vole and oblivious transfER. Silver offers extremely high performances: generating 10 million random OTs on one core of a standard laptop requires only 300ms of computation and 122KB of communication. This represents 37% less computation and ∼ 1300× less communication than the standard IKNP protocol, as well as ∼ 4× less computation and ∼ 14× less communication than the recent protocol of Yang et al. (CCS 2020). Silver is silent: after a one-time cheap interaction, two parties can store small seeds, from which they can later locally generate a large number of OTs while remaining offline. Neither IKNP nor Yang et al. enjoys this feature; compared to the best known silent OT extension protocol of Boyle et al. (CCS 2019), upon which we build up, Silver has 19× less computation, and the same communication. Due to its attractive efficiency features, Silver yields major efficiency improvements in numerous MPC protocols. Our approach is a radical departure from the standard paradigm for building MPC protocols, in that we do not attempt to base our constructions on a well-studied assumption. Rather, we follow an approach closer in spirit to the standard paradigm in the design of symmetric primitives: we identify a set of fundamental structural properties that allow us to withstand all known attacks, and put forth a candidate design, guided by our analysis. We also rely on extensive experimentations to analyze our candidate and experimentally validate their properties. In essence, our approach boils down to constructing new families of linear codes with (plausibly) high minimum distance and extremely low encoding time. While further analysis is of course welcomed in order to gain total confidence in the security of Silver, we hope and believe that initiating this approach to the design of MPC primitives will pave the way to new secure primitives with extremely attractive efficiency features.

show abstract

Section: Introductionmentioning

confidence: 99%

Silver: Silent VOLE and Oblivious Transfer from Hardness of Decoding Structured LDPC Codes

Couteau

Rindal

Raghuraman

2021

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…More precisely, we investigate the possibility of building NIZKs in groups where CDH does not hold. Then, further assuming the 2 −cλ -OW-KDM security of ElGamal with c = 28/29 + o(1), together with the assumption that Goldreich's PRG [22] instantiated under the Lombardi-Vaikuntanathan predicate [36] is secure up to some (arbitrarily small) polynomial stretch 6 , we propose an adaptively-sound, adaptively-multitheorem zero-knowledge (infinitely often) NIZK for all of NP. Both soundness and zero knowledge are computational, the first is implied by OW-KDM, while the second is implied by OW-KDM and the pseudorandomness of Goldreich's PRG.…”

Section: Our Contributionmentioning

confidence: 99%

“…In fact, the bigger picture is unclear, even for relaxations of NIZKs such as designated-verifier NIZKs (which are known based on DDH groups [14,31,49], factorization [12], or LPN [35] with a noise rate that implies PKE). The only known positive results are preprocessing NIZKs (where the prover and the verifier share a secret key) from flavors of LPN not known to imply PKE [6,7] and designated-prover NIZKs based on SIS [32]. Interestingly, we note that although the assumption of [9] is not known to imply PKE, a slight strengthening of the assumption would: assuming that it is hard to recover k given (g a , g k , g ak+f (k) ) (note the additional g k term) for any (even inefficient) f already implies PKE: setting f such that g f (k) = Encode(k) where Encode is some efficiently invertible encoding of k into a group element, we get that the assumption implies CDH (which itself is known to imply PKE).…”

Section: Introductionmentioning

confidence: 99%

Non-interactive Zero-Knowledge in Pairing-Free Groups from Weaker Assumptions

Couteau¹,

Katsumata²,

Ursu³

2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

We provide two new constructions of non-interactive zero-knowledge arguments (NIZKs) for NP from discrete-logarithm-style assumptions over cyclic groups, without relying on pairings. A previous construction from (Canetti et al., Eurocrypt'18) achieves such NIZKs under the assumption that no efficient adversary can break the key-dependent message (KDM) security of (additive) ElGamal with respect to all (even inefficient) functions over groups of size 2 λ , with probability better than poly(λ)/2 λ . This is an extremely strong, non-falsifiable assumption. In particular, even mild (polynomial) improvements over the current best known attacks on the discrete logarithm problem would already contradict this assumption. (Canetti et al. STOC'19) describe how to improve the assumption to rely only on KDM security with respect to efficient functions while additionally assuming public-key encryption schemes, therefore obtaining an assumption that is (in spirit) falsifiable. Our first construction improves this state of affairs. We provide a construction of NIZKs for NP under the CDH assumption together with the assumption that no efficient adversary can break the key-dependent message one-wayness of ElGamal with respect to efficient functions over groups of size 2 λ , with probability better than poly(λ)/2 cλ (denoted 2 −cλ -OW-KDM), for a constant c = 3/4. Unlike the previous assumption, our assumption leaves an exponential gap between the best known attack and the required security guarantee. Our second construction is interested in the case where CDH does not hold. Namely, as a second contribution, we construct an infinitely often NIZK argument system for NP (where soundness and zero-knowledge are only guaranteed to hold for infinitely many security parameters), under the assumption that CDH is easy together with the 2 −cλ -OW-KDM security of ElGamal with c = 28/29 + o(1) and the existence of low-depth pseudorandom generators (PRG). Combining our two results, we obtain a construction of (infinitely-often) NIZKs for NP under the 2 −cλ -OW-KDM security of ElGamal with c = 28/29 + o(1) and the existence of low-depth PRG, independently of whether CDH holds. To our knowledge, since neither OW-KDM security of ElGamal nor low-depth PRGs are known to imply public key encryption, this provides the first construction of NIZKs from concrete and falsifiable Minicrypt-style assumptions.

show abstract

“…Several recent works have also explored other relaxations of the standard notion of publiclyverifiable NIZKs such as the reusable designated-prover model (where there is a secret proving key and a public verification key) [KW18,KNYY19a] or the reusable preprocessing model (where both the proving and verifications keys are secret) [BCGI18,BCG + 19]. In this work, our focus is on reusable designated-verifier NIZKs and publicly-verifiable NIZKs.…”

Section: Introductionmentioning

confidence: 99%

New Constructions of Statistical NIZKs: Dual-Mode DV-NIZKs and More

Libert

Passelègue

Wee³

et al. 2020

Advances in Cryptology – EUROCRYPT 2020

View full text Add to dashboard Cite

Non-interactive zero-knowledge proofs (NIZKs) are important primitives in cryptography. A major challenge since the early works on NIZKs has been to construct NIZKs with a statistical zero-knowledge guarantee against unbounded verifiers. In the common reference string (CRS) model, such "statistical NIZK arguments" are currently known from k-Lin in a pairing-group and from LWE. In the (reusable) designated-verifier model (DV-NIZK), where a trusted setup algorithm generates a reusable verification key for checking proofs, we also have a construction from DCR. If we relax our requirements to computational zero-knowledge, we additionally have NIZKs from factoring and CDH in a pairing group in the CRS model, and from nearly all assumptions that imply public-key encryption (e.g., CDH, LPN, LWE) in the designated-verifier model. Thus, there still remains a gap in our understanding of statistical NIZKs in both the CRS and the designated-verifier models. In this work, we develop new techniques for constructing statistical NIZK arguments. First, we construct statistical DV-NIZK arguments from the k-Lin assumption in pairing-free groups, the QR assumption, and the DCR assumption. These are the first constructions in pairing-free groups and from QR that satisfy statistical zero-knowledge. All of our constructions are secure even if the verification key is chosen maliciously (i.e., they are "malicious-designated-verifier" NIZKs), and moreover, they satisfy a "dual-mode" property where the CRS can be sampled from two computationally indistinguishable distributions: one distribution yields statistical DV-NIZK arguments while the other yields computational DV-NIZK proofs. We then show how to adapt our k-Lin construction in a pairing group to obtain new publicly-verifiable statistical NIZK arguments from pairings with a qualitatively weaker assumption than existing constructions of pairing-based statistical NIZKs. Our constructions follow the classic paradigm of Feige, Lapidot, and Shamir (FLS). While the FLS framework has traditionally been used to construct computational (DV)-NIZK proofs, we newly show that the same framework can be leveraged to construct dual-mode (DV)-NIZKs.

show abstract

Compressing Vector OLE

Cited by 97 publications

References 48 publications

Silver: Silent VOLE and Oblivious Transfer from Hardness of Decoding Structured LDPC Codes

Silver: Silent VOLE and Oblivious Transfer from Hardness of Decoding Structured LDPC Codes

Non-interactive Zero-Knowledge in Pairing-Free Groups from Weaker Assumptions

New Constructions of Statistical NIZKs: Dual-Mode DV-NIZKs and More

Contact Info

Product

Resources

About