TY - JOUR
T1 - Efficient protocols for oblivious linear function evaluation from ring-LWE
AU - Baum, Carsten
AU - Escudero, Daniel
AU - Pedrouzo-Ulloa, Alberto
AU - Scholl, Peter
AU - Troncoso-Pastoriza, Juan Ramón
N1 - Publisher Copyright:
© 2022 - IOS Press. All rights reserved.
PY - 2022/1
Y1 - 2022/1
N2 - An oblivious linear function evaluation protocol, or OLE, is a two-party protocol for the function f ( x ) = a x + b, where a sender inputs the field elements a, b, and a receiver inputs x and learns f ( x ). OLE can be used to build secret-shared multiplication, and is an essential component of many secure computation applications including general-purpose multi-party computation, private set intersection and more. In this work, we present several efficient OLE protocols from the ring learning with errors (RLWE) assumption. Technically, we build two new passively secure protocols, which build upon recent advances in homomorphic secret sharing from (R)LWE (Boyle et al. in: EUROCRYPT 2019, Part II (2019) 3-33 Springer), with optimizations tailored to the setting of OLE. We upgrade these to active security using efficient amortized zero-knowledge techniques for lattice relations (Baum et al. in: CRYPTO 2018, Part II (2018) 669-699 Springer), and design new variants of zero-knowledge arguments that are necessary for some of our constructions. Our protocols offer several advantages over existing constructions. Firstly, they have the lowest communication complexity amongst previous, practical protocols from RLWE and other assumptions; secondly, they are conceptually very simple, and have just one round of interaction for the case of OLE where b is randomly chosen. We demonstrate this with an implementation of one of our passively secure protocols, which can perform more than 1 million OLEs per second over the ring Z m , for a 120-bit modulus m, on standard hardware.
AB - An oblivious linear function evaluation protocol, or OLE, is a two-party protocol for the function f ( x ) = a x + b, where a sender inputs the field elements a, b, and a receiver inputs x and learns f ( x ). OLE can be used to build secret-shared multiplication, and is an essential component of many secure computation applications including general-purpose multi-party computation, private set intersection and more. In this work, we present several efficient OLE protocols from the ring learning with errors (RLWE) assumption. Technically, we build two new passively secure protocols, which build upon recent advances in homomorphic secret sharing from (R)LWE (Boyle et al. in: EUROCRYPT 2019, Part II (2019) 3-33 Springer), with optimizations tailored to the setting of OLE. We upgrade these to active security using efficient amortized zero-knowledge techniques for lattice relations (Baum et al. in: CRYPTO 2018, Part II (2018) 669-699 Springer), and design new variants of zero-knowledge arguments that are necessary for some of our constructions. Our protocols offer several advantages over existing constructions. Firstly, they have the lowest communication complexity amongst previous, practical protocols from RLWE and other assumptions; secondly, they are conceptually very simple, and have just one round of interaction for the case of OLE where b is randomly chosen. We demonstrate this with an implementation of one of our passively secure protocols, which can perform more than 1 million OLEs per second over the ring Z m , for a 120-bit modulus m, on standard hardware.
KW - cryptographic protocols
KW - Oblivious linear evaluation
KW - ring learning with errors
KW - two-party computation
KW - zero-knowledge arguments
UR - http://www.scopus.com/inward/record.url?scp=85123996239&partnerID=8YFLogxK
U2 - 10.3233/JCS-200116
DO - 10.3233/JCS-200116
M3 - Journal article
AN - SCOPUS:85123996239
SN - 0926-227X
VL - 30
SP - 39
EP - 78
JO - Journal of Computer Security
JF - Journal of Computer Security
IS - 1
ER -