1 Introduction

In this work, we consider leakage problems of the following kind: Assume we have a device which takes an input x and is supposed to compute a function f(x) from a certain class of legitimate functions \({\mathcal {F}}\). For concreteness, assume that the class \({\mathcal {F}}\) consists of functions computing linear combinations, e.g., \(f(x_1,x_2) = a_1 x_1 + a_2 x_2\). However, the device might be faulty, and instead of computing f it might compute another function g. We want to find a way to encode x into an \({\hat{x}}\) such that the following two properties hold:

  • If the device correctly implements a linear function f, then we can efficiently decode the output y to f(x).

  • If, on the other hand, the device implements a non-linear function g, then the output \(g({\hat{x}})\) does not reveal more information about x than f(x) for some linear function f.

First, note that this notion is trivially achievable if \({\mathcal {F}}\) includes the identity function, or in fact any invertible function, as in this case we can simulate \(g({\hat{x}})\) from f(x) by first recovering x from f(x), encoding x to \({\hat{x}}\) and finally evaluating g on \({\hat{x}}\). For this reason, in this work, we will focus on function classes \({\mathcal {F}}\) whose output-length is smaller than their input-length, such as the linear combination functions mentioned above. In general, we will allow both the encoding and decoding procedure to depend on a secret seed, which is not given to the evaluating device/adversary.

It is worthwhile comparing the type of security this notion provides to tamper-resilient primitives such as non-malleable codes (NM-codes) [1,2,3] and non-malleable extractors [4,5,6,7]. Such notions are geared towards prohibiting tampering altogether. Moreover, a central aspect of security for such notions is that the decoder tries to detect whether tampering happened, and indeed the decoder plays a crucial role in modelling the security of non-malleable codes. In contrast, the algebraic restriction (AR) codes introduced in this work do and should allow manipulation by benign functions from the class \({\mathcal {F}}\). Furthermore, we only require a decoder for correctness purposes, whereas security is defined independently of the decoder.

One motivation to study the above problem comes from cryptography, specifically secure computation, where this is, in fact, a natural scenario. Indeed, a typical blueprint for secure two-party computation [8] in two rounds proceeds as follows: One party, called the receiver, encrypts his input y under a homomorphic encryption scheme [9,10,11,12] obtaining a ciphertext c, and sends both the public key \({\textsf{pk}}\) and the ciphertext c to the other party, called the sender. The sender, in possession of an input x, homomorphically performs a computation f on input x and ciphertext c, obtaining a ciphertext \(c'\) which encrypts f(x,y). The ciphertext \(c'\) is sent back to the receiver who can then decrypt it to f(x,y).

For the case of a malicious receiver, the security of this blueprint breaks down completely: A malicious receiver can choose both the public key \({\textsf{pk}}\) and the ciphertext c maliciously, i.e. they are generally not well-formed. Effectively, this means that the sender’s homomorphic evaluation will result in some value \({\tilde{f}}(x)\) (where \({\tilde{f}}\) will be specified by the receiver’s protocol message) instead of an encryption of f(x,y). Critically, the value \({\tilde{f}}(x)\) might reveal substantially more information about x than f(x,y) and compromise the sender’s security.

Generally speaking, in this situation, there is no direct way for the sender to enforce which information about x the receiver obtains. A typical cryptographic solution for achieving malicious security involves using zero-knowledge proofs to enforce honest behavior for the receiver. This technique, however, is typically undesirable as it often leads to less efficient protocols (due to these tools using non-black-box techniques) and the need for several rounds of interaction or a trusted setup. We aim to upgrade such protocols to achieve security against malicious receivers without additional cryptographic machinery.

To see how algebraic restriction codes will help in this scenario, consider the following. Upon receiving a public key \({\textsf{pk}}\) and a ciphertext c from the receiver (who potentially generated them in a malicious way) the sender proceeds as follows. First, he encodes his own input x into \({\hat{x}}\) using a suitable AR code with a fresh seed s. Next, the sender evaluates the function \(f({\hat{x}},\cdot )\) homomorphically on the ciphertext c (which encrypts the receiver’s input y), resulting in a ciphertext \(c' = {\textsf{Eval}}({\textsf{pk}},f({\hat{x}},\cdot ),c)\). For simplicity’s sake, assume that the sender now sends \(c'\) and the seed s back to the receiver, who decrypts \(c'\) to \({\hat{z}} = f({\hat{x}},y)\) and uses the seed s to decode \({\hat{z}}\) to his output z using the decoding algorithm of the AR code.

How can we argue that even a malicious receiver cannot learn more than the legitimate output z? Let us take a closer look at the computation which is actually performed on the encoding \({\hat{x}}\). The output ciphertext \(c'\) is computed via \(c' = {\textsf{Eval}}({\textsf{pk}},f({\hat{x}},\cdot ),c)\). Thus, if we can assure that the function \(g({\hat{x}}) = {\textsf{Eval}}({\textsf{pk}},f({\hat{x}},\cdot ),c)\) is in the class \({\mathcal {G}}\) which is restricted by the AR code, then security of the AR code guarantees that \(c'\) does not leak more than \(z = f(x,y)\) about x, irrespective of the choice of \({\textsf{pk}}\) and c.

1.1 Our Results

In this work, we formalize the notion of algebraic restriction codes and provide constructions which restrict general function classes to linear functions over finite fields. Let \({\mathcal {G}}\) and \({\mathcal {F}}\) be two function classes. Roughly, a \({\mathcal {G}}\)-\({\mathcal {F}}\) AR code provides a way to encode an x in the domain of the functions in \({\mathcal {F}}\) into a codeword \({\hat{x}}\) in the domain of the functions in \({\mathcal {G}}\), such that any function \(f \in {\mathcal {F}}\) can still be evaluated on \({\hat{x}}\) by evaluating a function \(f' \in {\mathcal {G}}\) on \({\hat{x}}\). Furthermore, given \(f'({\hat{x}})\) we can decode to f(x). Security-wise, we require that for any \(g \in {\mathcal {G}}\) there exists a function \(f \in {\mathcal {F}}\), such that \(g({\hat{x}})\) can be simulated given only the legitimate output f(x). AR codes provide an information-theoretic interface to limit the capabilities of an unbounded adversary in protocols in which some weak restrictions (characterized by the class \({\mathcal {G}}\)) are already in place. In this way, AR codes will allow us to harness simple structural restrictions of protocols to implement very strong security guarantees.

In this work we consider seeded AR codes, where both the encoding and decoding procedures of the AR code have access to a random seed s, which is not provided to the function g.

Our first construction of AR codes restricts general linear functions to linear combinations.

Theorem 1

(Formal: Theorem 4, Page 21) Let \({\mathbb {F}}_q\) be a finite field, let \({\mathcal {F}}\) be the class of functions \({\mathbb {F}}_q^k \times {\mathbb {F}}_q^k \rightarrow {\mathbb {F}}_q^k\) of the form \((\textbf{x},\textbf{y}) \mapsto a \textbf{x} + \textbf{y}\), and let \({\mathcal {G}}\) be the class of all linear functions \({\mathbb {F}}_q^n \times {\mathbb {F}}_q^n \rightarrow {\mathbb {F}}_q^n\) of the form \((\textbf{x},\textbf{y}) \mapsto \textbf{A} \textbf{x} + \textbf{y}\). There exists a seeded AR code \({\textsf{AR}}_1\) which restricts \({\mathcal {G}}\) to \({\mathcal {F}}\).

Our main contribution is a construction of seeded AR codes restricting arbitrary functions with bounded output length to linear combinations.

Theorem 2

(Formal: Theorem 5, Page 26) Let \({\mathbb {F}}_q\) be a finite field, let \({\mathcal {F}}\) be the class of functions \({\mathbb {F}}_q \times {\mathbb {F}}_q \rightarrow {\mathbb {F}}_q\) of the form \((x,y) \mapsto a x + b y\), and let \({\mathcal {G}}\) be the class of all functions \({\mathbb {F}}_q^n \times {\mathbb {F}}_q^n \rightarrow \{0,1\}^{1.5 \cdot n \log (q)}\). There exists a seeded AR code \({\textsf{AR}}_2\) which restricts \({\mathcal {G}}\) to \({\mathcal {F}}\).

We note that the constant 1.5 in the theorem is arbitrary and can in fact be replaced with any constant between 1 and 2.

The main ingredient of this construction is the following theorem, which may be of independent interest and which we will discuss in some greater detail. The theorem exhibits a new correlation-breaking property of the inner-product extractor.

In essence, it states that for a suitable parameter choice, if \(\textbf{x}_1,\dots ,\textbf{x}_t\) are uniformly random vectors in a finite vector space and \(\textbf{s}\) is a random seed (in the same vector space), then anything that can be inferred about the \(\langle \textbf{x}_1,\textbf{s} \rangle ,\dots ,\langle \textbf{x}_t,\textbf{s} \rangle \) via a joint leak \(f(\textbf{x}_1,\dots ,\textbf{x}_t)\) of bounded length can also be inferred from a linear combination \(\sum _i a_i \langle \textbf{x}_i,\textbf{s} \rangle \), i.e. \(f(\textbf{x}_1,\dots ,\textbf{x}_t)\) does not leak more than \(\sum _i a_i \langle \textbf{x}_i,\textbf{s} \rangle \).

Theorem 3

(Formal: Theorem 5, Page 26) Let q be a prime power, let t, s be positive integers, let \(\varepsilon > 0\), and let \(n = O(t + s/\log (q) + (\log \frac{1}{\varepsilon }) / \log (q))\). Let \(\textbf{x}_1, \ldots , \textbf{x}_t\) be uniform in \( {\mathbb {F}}_q^{n}\) and let \(\textbf{s}\) be uniform in \({\mathbb {F}}_q^n\) and independent of the \(\textbf{x}_i\). For any \(f:{\mathbb {F}}_q^{tn} \rightarrow \{0,1\}^{n \log q + s}\), there exists a simulator \({\textsf{Sim}}\) and random variables \(a_1, \ldots , a_t \in {\mathbb {F}}_q\) such that

$$\begin{aligned}&\textbf{s}, f(\textbf{x}_1,\ldots , \textbf{x}_t), \langle \textbf{x}_1,\textbf{s} \rangle , \ldots , \langle \textbf{x}_t,\textbf{s} \rangle , a_1, \ldots , a_t\\&\quad \approx _{2\varepsilon }\;{\textsf{Sim}}\left( \textbf{s},a_1,\ldots , a_t, \sum _{i=1}^t a_i u_i \right) ,u_1, \ldots , u_t, a_1, \ldots , a_t \end{aligned}$$

where \(u_1, \ldots , u_t\) are uniform and independent random variables in \({\mathbb {F}}_q\), independent of \((a_1, \ldots , a_t)\).

One way to interpret the theorem is that the inner product extractor breaks all correlations induced by a leak \(f(\textbf{x}_1,\dots ,\textbf{x}_t)\), except linear ones. Recall that for our notion of AR codes it is crucial that linear relations are preserved.

We then demonstrate an application of AR codes in upgrading the security of oblivious transfer (OT) protocols while simultaneously achieving optimal communication, a question that had remained open due to difficulties explained later. Specifically, we obtain the first rate-1 OT protocol with statistical sender privacy from the decisional Diffie-Hellman (DDH) assumption. While our motivation to study AR codes is to construct efficient and high rate statistically sender private OT protocols, we expect AR codes, and in particular the ideas used to construct them, to be useful in a broader sense.

2 Technical Outline

In what follows, we provide an informal overview of the techniques developed in this work.

2.1 Warmup: Algebraic Restriction Codes for General Linear Functions

Before discussing the ideas leading up to our main result, we will first discuss the instructive case of AR codes restricting general linear functions to simple linear functions. Specifically, fix a finite field \({\mathbb {F}}_q\) and let \({\mathcal {G}}\) be the class of linear functions \({\mathbb {F}}_q^{2m} \rightarrow {\mathbb {F}}_q^m\) of the form \(g(\hat{\textbf{x}}_1,\hat{\textbf{x}}_2) = \textbf{A} \hat{\textbf{x}}_1 + \hat{\textbf{x}}_2\), where \(\textbf{A} \in {\mathbb {F}}_q^{m \times m}\) is an arbitrary matrix. We want to restrict \({\mathcal {G}}\) to the class \({\mathcal {F}}\) consisting of linear functions \({\mathbb {F}}_q^{2n} \rightarrow {\mathbb {F}}_q^n\) of the form \(f(\textbf{x}_1,\textbf{x}_2) = a \cdot \textbf{x}_1 + \textbf{x}_2\), where \(a \in {\mathbb {F}}_q\) is a scalar.

Our construction proceeds as follows. The seed s specifies a random matrix \(\textbf{R} \in {\mathbb {F}}_q^{n \times m}\), such a matrix has full rank except with probability \(\le 2^{-(m - n)}\). To encode a pair of input vectors \(\textbf{x}_1,\textbf{x}_2 \in {\mathbb {F}}_q^n\), the encoder samples uniformly random \(\hat{\textbf{x}}_1,\hat{\textbf{x}}_2 \mathop {\longleftarrow }\limits ^{\textrm{pick}}{\mathbb {F}}_q^m\) such that \(\textbf{R} \hat{\textbf{x}}_1 = \textbf{x}_1\) and \(\textbf{R} \hat{\textbf{x}}_2 = \textbf{x}_2\), and outputs the codeword \((\hat{\textbf{x}}_1,\hat{\textbf{x}}_2)\). To evaluate a scalar linear function given by \(a \in {\mathbb {F}}_q\) on such a codeword, we (unsurprisingly) compute \(\hat{\textbf{y}} = a \hat{\textbf{x}}_1 + \hat{\textbf{x}}_2\). To decode \(\hat{\textbf{y}}\) we compute \(\textbf{y} = \textbf{R} \hat{\textbf{y}}\). Correctness of this AR code construction follows routinely:

$$\begin{aligned} \textbf{y} = \textbf{R} \hat{\textbf{y}} = \textbf{R} (a \hat{\textbf{x}}_1 + \hat{\textbf{x}}_2) = \textbf{R} a \hat{\textbf{x}}_1 + \textbf{R} \hat{\textbf{x}}_2 = a \textbf{R} \hat{\textbf{x}}_1 + \textbf{R} \hat{\textbf{x}}_2 = a \textbf{x}_1 + \textbf{x}_2, \end{aligned}$$

i.e. correctness holds as the scalar a commutes with the matrix \(\textbf{R}\).

It will be more convenient to look at the problem from the angle of randomness extraction. Specifically, assume that \(\hat{\textbf{x}}_1,\hat{\textbf{x}}_2 \mathop {\longleftarrow }\limits ^{\textrm{pick}}{\mathbb {F}}_q^m\) are chosen uniformly at random. We want to show that for any matrix \(\textbf{A} \in {\mathbb {F}}_q^{m \times m}\), anything that can be learned about \(\textbf{R}\hat{\textbf{x}}_1\) and \(\textbf{R}\hat{\textbf{x}}_2\) from \(\textbf{A} \hat{\textbf{x}}_1 + \hat{\textbf{x}}_2\) can also be learned from \(a \cdot \textbf{R}\hat{\textbf{x}}_1 + \textbf{R}\hat{\textbf{x}}_2\) for some \(a \in {\mathbb {F}}_q\).

How can we find such an a for any given \(\textbf{A}\)?

First notice that if \(\hat{\textbf{x}}_1\) happens to be an eigenvector of \(\textbf{A}\) with respect to an eigenvalue \(a_i\), then it indeed holds that \(\textbf{A} \hat{\textbf{x}}_1 + \hat{\textbf{x}}_2 = a_i \hat{\textbf{x}}_1 + \hat{\textbf{x}}_2\). Thus, a reasonable approach is to set the extracted scalar \(a \in {\mathbb {F}}_q\) to one of the eigenvalues of \(\textbf{A}\) (or 0 if \(\textbf{A}\) has no eigenvalues in \({\mathbb {F}}_q\)). If the matrix \(\textbf{A}\) has several distinct eigenvalues \(a_i\), we will set a to be the eigenvalue whose eigenspace \({{\textsf{V}}}_i\) has maximal dimension. Note that since the sum of the dimensions of all eigenspaces of \(\textbf{A}\) is at most m, there can be at most one eigenspace whose dimension is larger than m/2. Furthermore, the eigenvalue \(a_i\) corresponding to this eigenspace will necessarily be the extracted value a.

Rather than showing how we can simulate \(\hat{\textbf{y}} = \textbf{A} \hat{\textbf{x}}_1 + \hat{\textbf{x}}_2\) in general, in this sketch we will only briefly argue the following special case. Namely, if all the eigenspaces of \(\textbf{A}\) have dimension smaller than or equal to m/2, then with high probability over the choice of the random matrix \(\textbf{R} \mathop {\longleftarrow }\limits ^{\textrm{pick}}{\mathbb {F}}_q^{n \times m}\) it holds that \(\textbf{x}_1 = \textbf{R} \hat{\textbf{x}}_1\) and \(\textbf{x}_2 = \textbf{R} \hat{\textbf{x}}_2\) are uniform and independent of \(\hat{\textbf{y}}\). Thus assume that \(\hat{\textbf{y}} = \textbf{A} \hat{\textbf{x}}_1 + \hat{\textbf{x}}_2\) was not independent of \(\textbf{x}_1 = \textbf{R} \hat{\textbf{x}}_1\) and \(\textbf{x}_2 = \textbf{R} \hat{\textbf{x}}_2\). Since these three variables are linear functions of the uniformly random \(\hat{\textbf{x}}_1\) and \(\hat{\textbf{x}}_2\) there must exist a non-zero linear relation given by vectors \(\textbf{u},\textbf{v} \in {\mathbb {F}}_q^n\) and \(\textbf{w} \in {\mathbb {F}}_q^m\) such that \(\textbf{u}^\top \textbf{x}_1 + \textbf{v}^\top \textbf{x}_2 + \textbf{w}^\top \hat{\textbf{y}} = 0\) for all choices of \(\hat{\textbf{x}}_1\) and \(\hat{\textbf{x}}_2\). But this means that it holds that \(\textbf{u}^\top \textbf{R} + \textbf{w}^\top \textbf{A} = 0\) and \(\textbf{v}^\top \textbf{R} + \textbf{w}^\top = 0\). Eliminating \(\textbf{w}^\top \), this simplifies to the equation \(\textbf{u}^\top \textbf{R} = \textbf{v}^\top \textbf{R} \textbf{A}\).

We will now argue that for any such matrix \(\textbf{A} \in {\mathbb {F}}_q^{m \times m}\) (whose eigenspaces all have dimension \(\le m/2\)) with high probability over the choice of the random matrix \(\textbf{R}\), such a relation given by \((\textbf{u},\textbf{v}) \ne 0\) does not exist. We will take a union bound over all non-zero \(\textbf{u},\textbf{v}\) and distinguish the following cases:

  • If \(\textbf{u}\) and \(\textbf{v}\) are linearly independent, then \(\textbf{u}^\top \textbf{R}\) and \(\textbf{v}^\top \textbf{R}\) are uniformly random and independent (over the random choice of \(\textbf{R}\)). Thus the probability that \(\textbf{u}^\top \textbf{R}\) and \(\textbf{v}^\top \textbf{R} \textbf{A}\) collide is \(1/q^m\).

  • If \(\textbf{u}\) and \(\textbf{v}\) are linearly dependent, then (say) \(\textbf{u} = \alpha \textbf{v}\). In this case \(\textbf{u}^\top \textbf{R} = \textbf{v}^\top \textbf{R} \textbf{A}\) is equivalent to \(\alpha \textbf{v}^\top \textbf{R} = \textbf{v}^\top \textbf{R} \textbf{A}\), i.e. the uniformly random row vector \(\textbf{v}^\top \textbf{R}\) is a (left) eigenvector of the matrix \(\textbf{A}\) with respect to the eigenvalue \(\alpha \). However, since all eigenspaces of \(\textbf{A}\) have dimension at most m/2, the probability that \(\textbf{v}^\top \textbf{R}\) lands in one of the eigenspaces is bounded by \(m/q^{m/2}\).

Since there are \(q^{2n}\) possible choices for the vectors \(\textbf{u},\textbf{v} \in {\mathbb {F}}_q^n\), choosing m sufficiently large (e.g. \(m > 5n\)) implies that the probability that such \(\textbf{u},\textbf{v} \in {\mathbb {F}}_q^n\) exist is negligible. The full proof is provided in Sect. 6.

2.2 Algebraic Restriction Codes for Bounded Output Functions

We will now turn to algebraic restriction codes for arbitrary functions with bounded output length. Now let \({\mathbb {F}}_q\) be the finite field of size q, let \({\mathcal {G}}\) be the class of all functions from \({\mathbb {F}}_q^{2n} \rightarrow \{0,1\}^{1.5 n \log (q)}\) and let \({\mathcal {F}}\) be the class of linear functions \({\mathbb {F}}_q^2 \rightarrow {\mathbb {F}}_q\), i.e. all functions of the form \(f(x_1,x_2) = a_1 x_1 + a_2 x_2\) for some \(a_1,a_2 \in {\mathbb {F}}_q\). Our AR code construction follows naturally from the inner product extractor. The seed s consists of a random vector \(\textbf{s} \mathop {\longleftarrow }\limits ^{\textrm{pick}}{\mathbb {F}}_q^n\); to encode \(x_1,x_2 \in {\mathbb {F}}_q\) we choose uniformly random \(\textbf{x}_1,\textbf{x}_2 \in {\mathbb {F}}_q^n\) with \(\langle \textbf{x}_1,\textbf{s} \rangle = x_1\) and \(\langle \textbf{x}_2,\textbf{s} \rangle = x_2\). Likewise, to decode a value \(\textbf{y}\) we compute \(y = \langle \textbf{y},\textbf{s} \rangle \); correctness follows immediately as above. To show that this construction restricts \({\mathcal {G}}\) to \({\mathcal {F}}\), we will again take the extractor perspective. Thus, assume that \(\textbf{x}_1,\textbf{x}_2 \in {\mathbb {F}}_q^n\) are distributed uniformly at random and let \(g: {\mathbb {F}}_q^n \times {\mathbb {F}}_q^n \rightarrow \{0,1\}^{1.5 n \log (q)}\) be an arbitrary function.

We need to argue that for any \(g \in {\mathcal {G}}\) there exist \(a_1,a_2 \in {\mathbb {F}}_q\) such that \(g(\textbf{x}_1,\textbf{x}_2)\) can be simulated given \(y = a_1 \langle \textbf{x}_1,\textbf{s} \rangle + a_2 \langle \textbf{x}_2,\textbf{s} \rangle \), but no further information about \(\langle \textbf{x}_1,\textbf{s} \rangle \) and \(\langle \textbf{x}_2,\textbf{s} \rangle \). Our analysis distinguishes two cases.

  • In the first case, both \(\langle \textbf{x}_1,\textbf{s} \rangle \) and \(\langle \textbf{x}_2,\textbf{s} \rangle \) are statistically close to uniform given \(g(\textbf{x}_1,\textbf{x}_2)\). In other words, it directly holds that \(g(\textbf{x}_1,\textbf{x}_2)\) contains no information about \(\langle \textbf{x}_1,\textbf{s} \rangle \) and \(\langle \textbf{x}_2,\textbf{s} \rangle \). We can simulate \(g(\textbf{x}_1,\textbf{x}_2)\) by choosing two independent \(\textbf{x}'_1\) and \(\textbf{x}'_2\) and computing \(g(\textbf{x}'_1,\textbf{x}'_2)\).

  • In the second case \(\langle \textbf{x}_1,\textbf{s} \rangle \) and \(\langle \textbf{x}_2,\textbf{s} \rangle \) are (jointly) statistically far from uniform given \(g(\textbf{x}_1,\textbf{x}_2)\). In this case we will rely on a variant of the XOR Lemma [13] to conclude that there must exist \(a_1,a_2 \in {\mathbb {F}}_q\) such that \(a_1 x_1 + a_2 x_2\) is also far from uniform given \(g(\textbf{x}_1,\textbf{x}_2)\). Roughly, the XOR Lemma states that if for two (correlated) random variables \(z_1,z_2\) and for all \(a_1,a_2 \in {\mathbb {F}}_q\) (not both zero) the combination \(a_1 z_1 + a_2 z_2\) is statistically close to uniform, then \((z_1,z_2)\) must be statistically close to uniform in \({\mathbb {F}}_q^2\). Consequently, the existence of such \(a_1,a_2 \in {\mathbb {F}}_q\) in our setting follows directly from the contrapositive of the XOR Lemma. But this implies that \(a_1 \textbf{x}_1 + a_2 \textbf{x}_2\) must have very low min-entropy given \(g(\textbf{x}_1,\textbf{x}_2)\). Otherwise, the leftover hash lemma would imply that \(a_1 x_1 + a_2 x_2 = \langle a_1 \textbf{x}_1 + a_2 \textbf{x}_2,\textbf{s} \rangle \) is close to uniform given \(g(\textbf{x}_1,\textbf{x}_2)\), in contradiction to the conclusion above. But this means that \(a_1 \textbf{x}_1 + a_2 \textbf{x}_2\) is essentially fully specified by \(g(\textbf{x}_1,\textbf{x}_2)\). In other words, \(g(\textbf{x}_1,\textbf{x}_2)\) carries essentially the entire information about \(a_1 \textbf{x}_1 + a_2 \textbf{x}_2\). But now recall that the bit size of \(g(\textbf{x}_1,\textbf{x}_2)\) is \(1.5 n \log (q)\) bits and the bit size of \(a_1 \textbf{x}_1 + a_2 \textbf{x}_2\) is \( n \log (q)\) bits. Thus, there is essentially not enough room in \(g(\textbf{x}_1,\textbf{x}_2)\) to carry significant further information about \(\textbf{x}_1\) or \(\textbf{x}_2\). 
Again relying on the leftover hash lemma, we then conclude that given \(g(\textbf{x}_1,\textbf{x}_2)\), \(\langle \textbf{x}_1,\textbf{s} \rangle \) and \(\langle \textbf{x}_2,\textbf{s} \rangle \) are statistically close to uniform subject to \(a_1 \langle \textbf{x}_1,\textbf{s} \rangle + a_2 \langle \textbf{x}_2,\textbf{s} \rangle = y\).

While this sketch captures the very high level ideas of our proof, the actual proof needs to overcome some additional technical challenges and relies on a careful partitioning argument. The proof can be found in Sect. 7.
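The constructions of Sects. 2.1 and 2.2 carried out in code, as an added example that is not part of the paper: a toy implementation of the seeded code \({\textsf{AR}}_1\) over \({\mathbb {F}}_q\) with q = 10007 (an assumed parameter) and a uniform seed \(\textbf{R}\), together with a check of the linear-algebra certificate used in the proof sketch above. That certificate is deterministic: \(\textbf{x}_1 = \textbf{R} \hat{\textbf{x}}_1\) and \(\textbf{x}_2 = \textbf{R} \hat{\textbf{x}}_2\) are uniform and independent of \(\textbf{A} \hat{\textbf{x}}_1 + \hat{\textbf{x}}_2\) exactly when no nonzero \((\textbf{u},\textbf{v})\) satisfies \(\textbf{u}^\top \textbf{R} = \textbf{v}^\top \textbf{R} \textbf{A}\), i.e. when the \(m \times 2n\) matrix \([\textbf{R}^\top \mid -(\textbf{R}\textbf{A})^\top ]\) has rank 2n. The inner-product code \({\textsf{AR}}_2\) of Sect. 2.2 is the one-row instance of the same encoder. All function names are this example's own.

```python
import random

Q = 10007   # prime field F_q; a toy parameter assumed for this example

def rref(M, ncols):
    """Reduced row echelon form over F_Q, eliminating on the first ncols columns only.
    Returns (rows, pivot_columns); the rank is len(pivot_columns)."""
    M = [row[:] for row in M]
    piv, r = [], 0
    for c in range(ncols):
        p = next((i for i in range(r, len(M)) if M[i][c]), None)
        if p is None:
            continue
        M[r], M[p] = M[p], M[r]
        inv = pow(M[r][c], -1, Q)
        M[r] = [v * inv % Q for v in M[r]]
        for i in range(len(M)):
            if i != r and M[i][c]:
                f = M[i][c]
                M[i] = [(a - f * b) % Q for a, b in zip(M[i], M[r])]
        piv.append(c)
        r += 1
        if r == len(M):
            break
    return M, piv

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) % Q for col in zip(*B)] for row in A]

def matvec(A, v):
    return [sum(a * b for a, b in zip(row, v)) % Q for row in A]

def sample_preimage(R, x, rng):
    """Uniform x_hat in F_Q^m with R x_hat = x: free variables random, pivot variables solved."""
    n, m = len(R), len(R[0])
    E, piv = rref([R[i] + [x[i] % Q] for i in range(n)], m)
    if any(not any(row[:m]) and row[m] for row in E):
        raise ValueError("R x_hat = x has no solution (R is not of full rank)")
    free = [j for j in range(m) if j not in piv]
    xhat = [0] * m
    for j in free:
        xhat[j] = rng.randrange(Q)
    for i, c in enumerate(piv):
        xhat[c] = (E[i][m] - sum(E[i][j] * xhat[j] for j in free)) % Q
    return xhat

# AR_1 (Sect. 2.1): uniform seed R in F_Q^{n x m}; Encode samples preimages under R,
# Eval computes a x_hat_1 + x_hat_2 on codewords, Decode multiplies by R.
def ar_seed(n, m, rng):
    return [[rng.randrange(Q) for _ in range(m)] for _ in range(n)]

def ar_encode(R, x1, x2, rng):
    return sample_preimage(R, x1, rng), sample_preimage(R, x2, rng)

def ar_eval(a, xh1, xh2):
    return [(a * u + v) % Q for u, v in zip(xh1, xh2)]

def ar_decode(R, yh):
    return matvec(R, yh)

def no_linear_relation(R, A):
    """Certificate from the proof sketch: x1 = R xh1 and x2 = R xh2 are uniform and independent of
    A xh1 + xh2 iff no nonzero (u, v) satisfies u^T R = v^T R A, i.e. iff the m x 2n matrix
    [R^T | -(R A)^T] has rank 2n."""
    n, m = len(R), len(R[0])
    RA = matmul(R, A)
    rows = [[R[i][j] for i in range(n)] + [-RA[i][j] % Q for i in range(n)] for j in range(m)]
    return len(rref(rows, 2 * n)[1]) == 2 * n

# AR_2 (Sect. 2.2) is the n = 1 instance of the same encoder: the seed is a single row s and
# decoding is the inner product <y, s>.
def ip_encode(s, x, rng):
    return sample_preimage([s], [x], rng)

def ip_decode(s, y):
    return sum(a * b for a, b in zip(s, y)) % Q

def demo(seed=1):
    rng = random.Random(seed)
    n, m = 2, 12                                      # m > 5n, as in the union bound of Sect. 2.1
    R = ar_seed(n, m, rng)
    x1, x2, a = [3, 5], [7, 11], 42
    xh1, xh2 = ar_encode(R, x1, x2, rng)
    correct = ar_decode(R, ar_eval(a, xh1, xh2)) == [(a * u + v) % Q for u, v in zip(x1, x2)]
    # A = diag(0, I) has two eigenspaces of dimension m/2: the sketch predicts no linear relation.
    half = [[int(i == j and i >= m // 2) for j in range(m)] for i in range(m)]
    # A = I is the legitimate evaluation a = 1, so a relation (u = v) must exist.
    ident = [[int(i == j) for j in range(m)] for i in range(m)]
    s = [rng.randrange(Q) for _ in range(m)]
    return {"correct": correct, "no_relation_half": no_linear_relation(R, half),
            "no_relation_identity": no_linear_relation(R, ident),
            "inner_product_roundtrip": ip_decode(s, ip_encode(s, 123, rng)) == 123}
```

`demo(1)` returns `correct` and `inner_product_roundtrip` as True, `no_relation_half` as True (with failure probability about \(2/q^4\) over the choice of \(\textbf{R}\), matching the union bound of the sketch), and `no_relation_identity` as False: for \(\textbf{A} = \textbf{I}\) the output \(\hat{\textbf{x}}_1 + \hat{\textbf{x}}_2\) decodes to \(\textbf{x}_1 + \textbf{x}_2\), which is the legitimate evaluation with a = 1 and hence correlated with the inputs by design.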

2.3 From AR Codes to Efficient Oblivious Transfer

We display the usefulness of AR codes in cryptography by constructing a new oblivious transfer (OT) [14, 15] protocol. OT is a protocol between two parties, a sender, who has a pair of messages \((m_0, m_1)\), and a receiver who has a bit b; at the end, the receiver learns \(m_b\) but nothing about \(m_{1-b}\), while the sender learns nothing about b. OT is a central primitive of study in the field of secure computation: Any multiparty functionality can be securely computed given a secure OT protocol [16, 17]. In particular, statistically-sender private (SSP) [18, 19] 2-message OT has recently received a lot of attention due to its wide array of applications, such as statistical ZAPs [20, 21] and maliciously circuit-private homomorphic encryption [22]. While the standard security definitions for OT are simulation-based (via efficient simulators), SSP OT settles for a weaker indistinguishability-based security notion for the receiver and an inefficient simulation notion for the sender. On the other hand, SSP OT can be realized in just two messages, without a setup and from standard assumptions, a regime in which no OT protocols with simulation-based security are known.

In this work, we obtain the first OT protocol that simultaneously satisfies the following properties:

  1. It is round-optimal (2 messages) and it does not assume a trusted setup.

  2. It satisfies the notion of statistical sender privacy (and computational receiver privacy). That is, a receiver who may (potentially) choose her first round message maliciously will be statistically oblivious to at least one of the two messages of the sender.

  3. It achieves optimal rate for information transfer (i.e., it is rate-1).

  4. It makes only black-box use of cryptographic primitives, in the sense that our protocol does not depend on circuit-level implementations of the underlying primitives.

Prior to our work, we did not know any OT protocol that simultaneously satisfied all of the above properties from any assumption. The only previous construction was based on LWE (using expensive fully-homomorphic encryption techniques), which only satisfies the first three conditions, but not the last one. (See Sect. 3.) We obtain constructions that satisfy all the above conditions from DDH/LWE. Optimal-rate OT is an indispensable tool in realizing various MPC functionalities with sublinear communication [24]. As direct corollaries, we obtain two-message maliciously secure protocols for keyword search [24] and symmetric private information retrieval (PIR) protocols [25] with statistical server privacy and with asymptotically optimal communication complexity from DDH/LWE. Our scheme is the first that makes only black-box use of cryptography, which we view as an important step towards the practical applicability of these protocols.

2.3.1 Packed ElGamal

Before delving into the description of our scheme, we recall the vectorized variant of the ElGamal encryption scheme [26]. Let \({\mathbb {G}}\) be an Abelian group of prime order p and let g be a generator of \({\mathbb {G}}\). In the packed ElGamal scheme, a public key \({\textsf{pk}}\) consists of a vector \(\textbf{h} = (h_1,\dots ,h_n) \in {\mathbb {G}}^n\) where \(h_i = g^{x_i}\) for random \(x_i \mathop {\longleftarrow }\limits ^{\textrm{pick}}{\mathbb {Z}}_p\). The secret key \({\textsf{sk}}\) is the vector \(\textbf{x} = (x_1,\dots ,x_n) \in {\mathbb {Z}}_p^n\). To encrypt a \(\textbf{m} = (m_1,\dots ,m_n) \in \{0,1\}^n\), we choose a uniformly random \(r \mathop {\longleftarrow }\limits ^{\textrm{pick}}{\mathbb {Z}}_p\) and set the ciphertext \(\textbf{c}\) to

$$\begin{aligned} \textbf{c} = (d_0,\textbf{d}) = (g^r,\textbf{h}^r \cdot g^\textbf{m}) \end{aligned}$$

where both exponentiations and group operations of vectors are component-wise. We call \(d_0\) the header of the ciphertext and \(\textbf{d} = (d_1,\dots ,d_n)\) the payload of \(\textbf{c}\), we further call \(d_1,\dots ,d_n\) the slots. To decrypt a ciphertext \(\textbf{c}\), we compute \(\textbf{m} = {\textsf{dlog}}_g(d_0^{-\textbf{x}} \cdot \textbf{d})\). If we disregard the need for efficient decryption, we can encrypt arbitrary \({\mathbb {Z}}_p^n\) vectors rather than just binary vectors. For such full range plaintexts the rate of packed ElGamal, i.e. the ratio between plaintext size and ciphertext size comes down to \((1 - 1/(n+1)) \log (p) / \lambda \), assuming a group element can be described using \(\lambda \) bits. If \(\lambda \approx \log (p)\), as is the case for dense groups, the rate approaches 1, for sufficiently large n. Finally, for a matrix \(\textbf{X} \in \{0,1\}^{n \times k}\), we encrypt \(\textbf{X}\) column-wise, to obtain a ciphertext-matrix \(\textbf{C}\).

2.3.2 Homomorphism and Ciphertext Compression

Packed ElGamal supports two types of homomorphism. It is linearly homomorphic with respect to \({\mathbb {Z}}_p\)-linear combinations. Namely, if \(\textbf{c}\) is an encryption of a vector \(\textbf{m} \in {\mathbb {Z}}_p^n\) and \(\textbf{c}'\) is an encryption of a vector \(\textbf{m}' \in {\mathbb {Z}}_p^n\), then for any \(\alpha ,\beta \in {\mathbb {Z}}_p\) it holds that \(\textbf{c}'' = \textbf{c}^\alpha \cdot {\textbf{c}'}^\beta \) is a well-formed encryption of \(\alpha \textbf{m} + \beta \textbf{m}'\) (again, disregarding the need for efficient decryption for large plaintexts). This routinely generalizes to arbitrary linear combinations, namely we can define a homomorphic evaluation algorithm \({\textsf{Eval}}_1\) which takes as input a public key \({\textsf{pk}}\), a ciphertext matrix \(\textbf{C}\) encrypting a matrix \(\textbf{X} \in {\mathbb {Z}}_p^{n \times m}\), and two vectors \(\textbf{a} \in {\mathbb {Z}}_p^m\) and \(\textbf{b} \in {\mathbb {Z}}_p^n\) and outputs an encryption of \(\textbf{X} \textbf{a} + \textbf{b}\). By re-randomizing the resulting ciphertext this can be made function private, i.e. the output ciphertext leaks nothing beyond \(\textbf{X} \textbf{a} + \textbf{b}\) about \(\textbf{a}\) and \(\textbf{b}\).

The second type of homomorphism supported by packed ElGamal is a limited type of homomorphism across the slots. Specifically, let \(\textbf{c} = (d_0,\textbf{d})\) be an encryption of a message \(\textbf{m} \in {\mathbb {Z}}_p^n\) and let \(\textbf{M} \in {\mathbb {Z}}_p^{m \times n}\) be a matrix. Then there is a homomorphic evaluation algorithm \({\textsf{Eval}}_2\) which takes the public key \({\textsf{pk}}\), the ciphertext \(\textbf{c}\) and a matrix \(\textbf{M} \in {\mathbb {Z}}_p^{m \times n}\) and outputs a ciphertext \(\textbf{c}'\), such that \(\textbf{c}'\) encrypts the message \(\textbf{m}' = \textbf{M} \textbf{m}\) under a modified public key \({\textsf{pk}}' = g^{\textbf{M} \textbf{x}}\). Furthermore, if the decrypter knows the matrix \(\textbf{M}\), it can derive the modified secret \({\textsf{sk}}' = \textbf{M} \textbf{x}\) and decrypt \(\textbf{c}'\) to \(\textbf{m}'\) (given that \(\textbf{m}' \in \{0,1\}^m\)).

Finally, the packed ElGamal scheme supports ciphertext compression for bit-encryptions [27]. There is an efficient algorithm \({\textsf{Shrink}}\) which takes a ciphertext \(\textbf{c} = (d_0,\textbf{d})\) and produces a compressed ciphertext \(\tilde{\textbf{c}} = (d_0,K,\textbf{b})\), where K is a (short) key and \(\textbf{b} \in \{0,1\}^n\) is a binary vector. Consequently, compressed ciphertexts are of size \(n + {\textsf{poly}}\) bits and therefore have rate \(1 - {\textsf{poly}}/ n\), which approaches 1 for a sufficiently large n (independent of the description size of group elements). Such compressed ciphertexts can then be decrypted using a special algorithm \({\textsf{ShrinkDec}}\), using the same secret key \({\textsf{sk}}\). Compressed ciphertexts generally do not support any further homomorphic operations, so ciphertext compression is performed after all homomorphic operations.

2.3.3 Semi-Honest Rate-1 OT from Packed ElGamal

The packed ElGamal encryption scheme with ciphertext compression immediately gives rise to a semi-honestly secure OT protocol with download rate 1. Specifically, the receiver whose choice-bit is b generates a key-pair \({\textsf{pk}},{\textsf{sk}}\), encrypts the matrix \(b \cdot \textbf{I}\) to a ciphertext matrix \(\textbf{C}\), and sends \(ot_1 = ({\textsf{pk}},\textbf{C})\) to the sender. The sender, whose inputs are two strings \(\textbf{m}_0\) and \(\textbf{m}_1 \in \{0,1\}^n\), uses \({\textsf{Eval}}_1\) to homomorphically evaluate the function

$$\begin{aligned} f(\textbf{X}) = \textbf{X} (\textbf{m}_1 - \textbf{m}_0) + \textbf{m}_0 \end{aligned}$$

on the ciphertext \(\textbf{C}\), obtaining a ciphertext \(\textbf{c}\). It then compresses the ciphertext \(\textbf{c}\) to a compressed ciphertext \(\tilde{\textbf{c}}\) and sends \(ot_2 = \tilde{\textbf{c}}\) back to the receiver, who can decrypt it to a value \(\textbf{m}'\) using the \({\textsf{ShrinkDec}}\) algorithm. By homomorphic correctness it holds that \(b \cdot \textbf{I}\cdot (\textbf{m}_1 - \textbf{m}_0) + \textbf{m}_0 = \textbf{m}_b\).

However, note that the sender privacy of this protocol completely breaks down against malicious receivers. Specifically, a malicious receiver is not bound to encrypting the scalar matrix \(b \cdot \textbf{I}\), but could instead encrypt an arbitrary matrix \(\textbf{A} \in {\mathbb {Z}}_p^{n \times n}\), thereby learning \(\textbf{A} (\textbf{m}_1 - \textbf{m}_0) + \textbf{m}_0\) instead of \(\textbf{m}_b\). By e.g. choosing

$$\begin{aligned} \textbf{A} = \left( \begin{array}{cc} 0 &{} 0\\ 0 &{} \textbf{I} \end{array} \right) \end{aligned}$$

the receiver could learn half of the bits of \(\textbf{m}_0\) and half of the bits of \(\textbf{m}_1\), thus breaking sender privacy.

2.3.4 Malicious Security via AR Codes

Next we show how to make the above protocol statistically sender private against malicious receivers using AR codes. The protocol follows the same outline as above, except that the sender samples a seed \(\textbf{R}\) for an AR code and encodes its inputs

$$\begin{aligned} \hat{\textbf{x}}_1 = {\textsf{Encode}}(\textbf{R}, \textbf{m}_1 - \textbf{m}_0) \text { and }\hat{\textbf{x}}_2 = {\textsf{Encode}}(\textbf{R}, \textbf{m}_0). \end{aligned}$$

Then it computes a ciphertext \(\textbf{c} = {\textsf{Eval}}_1({\textsf{pk}},\textbf{C},\hat{\textbf{x}}_1,\hat{\textbf{x}}_2)\). If the sender were to transmit this ciphertext directly, the rate of the scheme would degrade (due to the size of the encodings) and the decryption would not be efficient, since \(\textbf{c}\) contains an encoding \(\hat{\textbf{y}}\in {\mathbb {Z}}_p^m\). To deal with this issue, we observe that decoding \(\hat{\textbf{y}}\) to \(\textbf{y}\) via \(\textbf{y} = \textbf{R} \hat{\textbf{y}}\) is exactly the type of operation supported by the homomorphic evaluation \({\textsf{Eval}}_2\). Thus, we let the sender further compute \(\textbf{c}' = {\textsf{Eval}}_2({\textsf{pk}},\textbf{c},\textbf{R})\). By homomorphic correctness of \({\textsf{Eval}}_2\), it holds that \(\textbf{c}'\) is an encryption of \(\textbf{R} \hat{\textbf{y}} = \textbf{y} = \textbf{m}_b \in \{0,1\}^n\) under a modified public key \({\textsf{pk}}'\) (which depends on \(\textbf{R}\)). Since \(\textbf{c}'\) encrypts a binary message, the sender can further use the ciphertext compression algorithm \({\textsf{Shrink}}\) to shrink \(\textbf{c}'\) into a rate-1 ciphertext \(\tilde{\textbf{c}}\). The sender now sends \(\textbf{R}\) and \(\tilde{\textbf{c}}\) back to the receiver, who derives a key from \({\textsf{sk}}\) and \(\textbf{R}\), and uses it to decrypt \(\tilde{\textbf{c}}\) via \({\textsf{ShrinkDec}}\).

If we were to do things naively, the protocol would still not achieve rate-1, since we also have to attach a potentially large matrix \(\textbf{R}\) to the second OT message. This can be resolved via a standard trick: By reusing the same matrix \(\textbf{R}\) in several parallel instances of the protocol, we can amortize the cost of sending the matrix \(\textbf{R}\). Note that \(\textbf{R}\) can be reused as we only need to ensure that the matrix \(\textbf{A}\) does not depend on \(\textbf{R}\). Thus, we have achieved a rate-1 protocol.

There is one subtle aspect that we need to address before declaring victory: The security of AR codes only guarantees that a malicious receiver may learn \(a (\textbf{m}_1 - \textbf{m}_0) + \textbf{m}_0\) for some \(a \in {\mathbb {Z}}_p\), rather than \(b (\textbf{m}_1 - \textbf{m}_0) + \textbf{m}_0 = \textbf{m}_b\) for \(b \in \{0,1\}\). To address this last issue, we let the sender compute \(\hat{\textbf{x}}_1\) and \(\hat{\textbf{x}}_2\) by

$$\begin{aligned} \hat{\textbf{x}}_1&= {\textsf{Encode}}(\textbf{R}, \textbf{x}_1)\\ \hat{\textbf{x}}_2&= {\textsf{Encode}}(\textbf{R}, \textbf{x}_2), \end{aligned}$$

where \(\textbf{x}_1 = \left( \begin{array}{c} \textbf{m}_1 - \textbf{m}_0 + \textbf{r}_0 \\ \textbf{m}_1 - \textbf{m}_0 + \textbf{r}_1 \end{array} \right) \) and \(\textbf{x}_2 = \left( \begin{array}{c} \textbf{m}_0 \\ \textbf{m}_0 - \textbf{r}_1 \end{array}\right) \) and \(\textbf{r}_0,\textbf{r}_1\) are uniformly random.

Consequently, instead of \(a (\textbf{m}_1 - \textbf{m}_0) + \textbf{m}_0\) the ciphertext \(\textbf{c}\) now encrypts

$$\begin{aligned} f(\textbf{x}_1,\textbf{x}_2) = a \cdot \left( \begin{array}{c} \textbf{m}_1 - \textbf{m}_0 + \textbf{r}_0 \\ \textbf{m}_1 - \textbf{m}_0 + \textbf{r}_1 \end{array} \right) + \left( \begin{array}{c} \textbf{m}_0 \\ \textbf{m}_0 - \textbf{r}_1 \end{array}\right) , \end{aligned}$$

and by the security of the AR code \(\textbf{c}\) does not leak more information about \(\textbf{x}_1\) and \(\textbf{x}_2\) than \(f(\textbf{x}_1,\textbf{x}_2)\). Now, note that if \(a = 0\), then

$$\begin{aligned} f(\textbf{x}_1,\textbf{x}_2) = \left( \begin{array}{c} \textbf{m}_0 \\ \textbf{m}_0 - \textbf{r}_1 \end{array} \right) , \end{aligned}$$

where we note that \(\textbf{r}'_1 = \textbf{m}_0 - \textbf{r}_1\) is uniformly random. On the other hand, if \(a = 1\), then

$$\begin{aligned} f(\textbf{x}_1,\textbf{x}_2) = \left( \begin{array}{c} \textbf{m}_1 + \textbf{r}_0 \\ \textbf{m}_1 \end{array} \right) , \end{aligned}$$

where we note that \(\textbf{r}'_0 = \textbf{m}_1 + \textbf{r}_0\) is uniformly random. Finally, if \(a \notin \{0,1\}\), then

$$\begin{aligned} f(\textbf{x}_1,\textbf{x}_2)&= a \cdot \left( \begin{array}{c} \textbf{m}_1 - \textbf{m}_0 + \textbf{r}_0 \\ \textbf{m}_1 - \textbf{m}_0 + \textbf{r}_1 \end{array} \right) + \left( \begin{array}{c} \textbf{m}_0 \\ \textbf{m}_0 - \textbf{r}_1 \end{array}\right) \\&= \left( \begin{array}{c} a \textbf{m}_1 + (1 - a) \textbf{m}_0 \\ a \textbf{m}_1 + (1 - a) \textbf{m}_0 \end{array} \right) + \left( \begin{array}{c} a \cdot \textbf{r}_0 \\ (a - 1) \cdot \textbf{r}_1 \end{array}\right) , \end{aligned}$$

which is uniformly random as the last term is uniformly random (both \(a\) and \(1-a\) are non-zero in \({\mathbb {Z}}_p\), so the blinding vectors \(\textbf{r}_0,\textbf{r}_1\) mask both halves). I.e. if \(a \notin \{0,1\}\) the receiver will learn nothing about \(\textbf{m}_0\) and \(\textbf{m}_1\). Thus, we can conclude that even for a malformed public key \({\textsf{pk}}\) and ciphertext \(\textbf{C}\) the view of the receiver can be simulated given at most one \(\textbf{m}_b\), and statistical sender privacy follows.
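To make the case analysis above concrete, the following added example (not code from the paper) enumerates, over a constructed toy field \({\mathbb {Z}}_5\) with \(n = 2\) slots, the exact distribution of the restricted receiver's view \(f(\textbf{x}_1,\textbf{x}_2) = a \cdot \textbf{x}_1 + \textbf{x}_2\) for the blinded sender inputs, and checks the three cases \(a = 0\), \(a = 1\) and \(a \notin \{0,1\}\); the unblinded view of Sect. 2.3.3 is included for contrast.

```python
from collections import Counter
from fractions import Fraction
from itertools import product

# Constructed toy parameters: a tiny prime field stands in for Z_p and N = 2
# message slots, so that the distribution of the receiver's view can be
# enumerated exactly over all choices of the blinding vectors r0, r1.
P = 5
N = 2


def vadd(u, v):
    return tuple((x + y) % P for x, y in zip(u, v))


def vsub(u, v):
    return tuple((x - y) % P for x, y in zip(u, v))


def vscale(a, v):
    return tuple((a * x) % P for x in v)


def naive_view(a, m0, m1):
    """Sect. 2.3.3 without blinding: the receiver learns a*(m1 - m0) + m0.
    For a not in {0,1} this is a fixed function of both messages."""
    return vadd(vscale(a, vsub(m1, m0)), m0)


def blinded_inputs(m0, m1, r0, r1):
    """Sender inputs of Sect. 2.3.4:
    x1 = (m1 - m0 + r0 ; m1 - m0 + r1),   x2 = (m0 ; m0 - r1)."""
    d = vsub(m1, m0)
    x1 = vadd(d, r0) + vadd(d, r1)   # concatenation of the two halves
    x2 = m0 + vsub(m0, r1)
    return x1, x2


def blinded_view(a, m0, m1, r0, r1):
    """f(x1, x2) = a * x1 + x2: the most a restricted receiver can obtain
    once the AR code has forced its evaluation to be a scalar a in Z_P."""
    x1, x2 = blinded_inputs(m0, m1, r0, r1)
    return vadd(vscale(a, x1), x2)


def honest_output(b, m0, m1, r0, r1):
    """An honest receiver (a = b) keeps half b of the 2N-vector (z0 ; z1)."""
    z = blinded_view(b, m0, m1, r0, r1)
    return z[:N] if b == 0 else z[N:]


def view_distribution(a, m0, m1):
    """Exact distribution of the blinded view over uniform r0, r1 in Z_P^N."""
    counts = Counter(blinded_view(a, m0, m1, r0, r1)
                     for r0 in product(range(P), repeat=N)
                     for r1 in product(range(P), repeat=N))
    total = sum(counts.values())
    return {z: Fraction(c, total) for z, c in counts.items()}


def is_uniform(dist):
    """True iff dist is the uniform distribution over all of Z_P^(2N)."""
    return len(dist) == P ** (2 * N) and len(set(dist.values())) == 1


def leaks_nothing(a, pairs):
    """Sender-privacy check: the view distribution is identical for every
    (m0, m1) pair supplied, i.e. it can be simulated without any message."""
    dists = [view_distribution(a, m0, m1) for m0, m1 in pairs]
    return all(d == dists[0] for d in dists)
```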

2.3.5 Back to Rate-1

Note that now the ciphertext \(\textbf{c}\) is twice as long as before, which again ruins the rate of our scheme. However, note that in order to get a correct scheme, if \(a = 0\) the receiver only needs to recover the first half \(\textbf{z}_0\) of the vector \(f(\textbf{x}_1,\textbf{x}_2) = \left( \begin{array}{c} \textbf{z}_0 \\ \textbf{z}_1 \end{array} \right) \), whereas if \(a = 1\) she needs the second part \(\textbf{z}_1\). Our final idea is to facilitate this by additionally using a rate-1 OT protocol \({\textsf{OT}}' = ({\textsf{OT}}'_1,{\textsf{OT}}'_2,{\textsf{OT}}'_3)\) with semi-honest security (e.g. as given in [27]). We will further use the fact that the packed ElGamal ciphertext \(\tilde{\textbf{c}}\) can be written as \((h,\tilde{\textbf{c}}_0,\tilde{\textbf{c}}_1)\), where h is the ciphertext header, \(\tilde{\textbf{c}}_0\) is a rate-1 ciphertext encrypting \(\textbf{z}_0\) and \(\tilde{\textbf{c}}_1\) is a rate-1 ciphertext encrypting \(\textbf{z}_1\) (both with respect to the header h).

We modify the above protocol such that the receiver additionally includes a first message \(ot'_1\) computed using his choice bit b. Instead of sending both \(\tilde{\textbf{c}}_0\) and \(\tilde{\textbf{c}}_1\) to the receiver (which would ruin the rate), we compute the sender message \(ot'_2\) for \({\textsf{OT}}'\) as \(ot'_2 \leftarrow {\textsf{OT}}'_2(ot'_1,\tilde{\textbf{c}}_0,\tilde{\textbf{c}}_1)\) and send \((h,ot'_2)\) to the receiver. The receiver can now recover \(\tilde{\textbf{c}}_b\) from \(ot'_2\) and decrypt the ciphertext \((h,\tilde{\textbf{c}}_b)\) as above. Note that now the communication rate from sender to receiver is 1. Note that we do not require any form of sender security from the rate-1 OT. Finally, note that as discussed above the protocol can be made overall rate-1 by amortizing for the size of the receiver’s message (i.e. repeating the protocol in parallel for the same receiver message but independent blocks of the sender message).

2.3.6 Certified Versus Uncertified Groups

We conclude this overview by discussing two variants of groups where we can implement the OT as specified above. In certified groups, we can assume that \({\mathbb {G}}\) in fact implements a group of prime order p, even if maliciously chosen. In these settings, our simpler variant of AR codes suffices, since we are guaranteed that a malicious receiver can only obtain information of the form \(\textbf{A} \hat{\textbf{x}}_1 + \hat{\textbf{x}}_2\) (for an arbitrarily chosen matrix \(\textbf{A}\)). In non-certified groups, the linearity of the group is no longer checkable by just looking at its description \({\mathbb {G}}\). Here we can only appeal to the fact that we have a bound on the size of the output learned by the receiver, enforced by the fact that our OT achieves rate-1: The second OT message is too short to encode both \(\hat{\textbf{x}}_1\) and \(\hat{\textbf{x}}_2\). In these settings, we need the full power of bounded-output AR codes in order to show the statistical privacy of the above protocol.

2.4 Roadmap

We discuss some related works in Sect. 3. The preliminaries are provided in Sect. 4. We will introduce algebraic restriction codes in Sect. 5. In Sect. 6 we show that canonic AR codes restrict general linear functions to simple linear functions. In Sect. 7 we show that canonic AR codes restrict output-bounded functions to simple linear combinations, where the main result of this section is stated in Theorem 5. In Sect. 8 we provide our construction of rate-1 SSP OT from DDH and we discuss novel applications in Sect. 9.

3 Related Work

A recent line of works [27] proposed a new approach to constructing semi-honest OT with a rate approaching 1. This framework can be instantiated from a wide range of standard assumptions, such as the DDH, QR and LWE problems. The core idea of this approach is to construct OT from a special type of packed linearly homomorphic encryption scheme which allows compressing ciphertexts after homomorphic evaluation. Pre-evaluation ciphertexts in such packed encryption schemes typically need to encrypt a structured plaintext containing redundant information to guarantee correctness of homomorphic evaluation. In the context of statistical sender privacy, this presents an issue as a malicious receiver may deviate from the structure required by the protocol to (potentially) learn correlated information about \(m_0\) and \(m_1\).

Regarding the construction of SSP OT, all current schemes roughly follow one of three approaches sketched below.

3.1 The Two Keys Approach [18, 19, 28, 29]

In this construction blueprint, the receiver message \(ot_1\) specifies two (correlated) public keys \({\textsf{pk}}_0\) and \({\textsf{pk}}'_1\) under potentially different public key encryption schemes. The sender’s message \(ot_2\) now consists of two ciphertexts \(c_0 = {\textsf{Enc}}({\textsf{pk}}_0,m_0)\) and \(c_1 = {\textsf{Enc}}'({\textsf{pk}}'_1,m_1)\). Statistical sender privacy is established by choosing the correlation between the keys \({\textsf{pk}}_0\) and \({\textsf{pk}}'_1\) in such a way that one of these keys must be lossy, and that this is either directly enforced by the underlying structure or checkable by the sender. Here, lossiness means that either \(c_0\) or \(c_1\) loses information about their respective encrypted message. In group-based constructions following this paradigm [18, 19, 28], the sender must trust that the structure on which the encryption schemes are defined actually implements a group in order to be convinced that either \({\textsf{pk}}_0\) or \({\textsf{pk}}'_1\) is lossy. We say that the group \({\mathbb {G}}\) must be a certified group. This is problematic if the group \({\mathbb {G}}\) is chosen by the receiver, as the group \({\mathbb {G}}\) could e.g. have non-trivial subgroups which prevent lossiness.

Furthermore, note that since the sender’s message \(ot_2\) contains two ciphertexts, each of which should, from the sender’s perspective, be potentially decryptable, this approach is inherently limited to rates below 1/2.

3.2 The Compactness Approach [30]

The second approach to construct SSP OT is based on high-rate OT. Specifically, assume we are starting with any two-round OT protocol with a (download) rate greater than 1/2, say for the sake of simplicity with rate close to 1. This means that the sender’s message \(ot_2\) is shorter than the concatenation of \(m_0\) and \(m_1\). But this means that, from an information-theoretic perspective, \(ot_2\) must lose information about either \(m_0\) or \(m_1\). This lossiness can now be used to bootstrap statistical sender privacy as follows. The sender chooses two random messages \(r_0\) and \(r_1\) and uses them as his input to the OT. Moreover, he uses a randomness extractor to derive a key \(k_0\) from \(r_0\) and \(k_1\) from \(r_1\), respectively. Now the sender provides two one-time pad encrypted ciphertexts \(c_0 = k_0 \oplus m_0\) and \(c_1 = k_1 \oplus m_1\) to the receiver. A receiver with choice bit b can then recover \(r_b\) from the OT, derive the key \(k_b\) via the randomness extractor and obtain \(m_b\) by decrypting \(c_b\).

To argue statistical sender privacy using this approach, we need to ensure that one of the keys \(k_0\) or \(k_1\) is uniformly random from a malicious receiver’s perspective. Roughly speaking, due to the discussion above the second OT message \(ot_2\) needs to lose either half of the information in \(r_0\) or in \(r_1\). Thus, in the worst case, the receiver could learn half of the information in each of \(r_0\) and \(r_1\) from \(ot_2\). Consequently, we need a randomness extractor which produces a uniformly random output as long as its input has n/2 bits of min-entropy. Thus, we can prove statistical sender privacy for messages of length smaller than n/2.

But in terms of communication efficiency, this means that we used a high-rate n-bit string OT to implement a string OT of length \(\le n/2\), which means that the rate of the SSP OT we’ve constructed is less than 1/2. This is true without even taking into account the additional communication cost required to transmit the ciphertexts \(c_0\) and \(c_1\). Thus, this approach effectively trades high rate for statistical sender privacy at the expense of falling back to a lower rate. We conclude that this approach is also fundamentally stuck at rate 1/2.

3.3 The Non Black-Box Approach [31, 32]

While the above discussion seems to imply that there might be an inherent barrier in achieving SSP OT with rate \(> 1/2\), there is in fact a way to convert any SSP OT protocol into a rate-1 SSP OT protocol using sufficiently powerful tools. Specifically, using a rate-1 fully-homomorphic encryption (FHE) scheme [31, 32], the receiver can delegate the decryption of \(ot_2\) to the sender. In more detail, assume that \({\textsf{OT}}_3(st,ot_2)\) is the decryption operation which is performed by the receiver at the end of the SSP OT protocol. By providing an FHE encryption \(FHE.{\textsf{Enc}}(st)\) of the OT receiver state st along with the first message \(ot_1\), the receiver enables the sender to perform \({\textsf{OT}}_3(st,ot_2)\) homomorphically, resulting in an FHE encryption c of the receiver’s output \(m_b\). Now the receiver merely has to decrypt c to recover \(m_b\). In terms of rate, note that the OT sender message now merely consists of c, which is rate-1 as the FHE scheme is rate-1. Further note that this transformation does not harm SSP security, as from the sender’s view the critical part of the protocol is over once \(ot_2\) has been computed. I.e. for the sender, performing the homomorphic decryption is merely a post-processing operation. On the downside, this transformation uses quite heavy tools. In particular, this transformation needs to make non black-box use of the underlying SSP OT protocol by performing the \({\textsf{OT}}_3\) operation homomorphically.

In summary, to the best of our knowledge, all previous approaches to construct SSP OT are either fundamentally stuck at rate 1/2 or make non black-box usage of the underlying cryptographic machinery, making it prohibitively expensive to run such a protocol in practice.

Finally, we mention that if one wishes to settle on computational instead of statistical privacy for the sender, it is possible to build rate-1 OT using existing techniques by relying on super-polynomial hardness assumptions. The idea is that the parties will first engage in a (low-rate) OT protocol \({\textsf{OT}}_1\), so that the receiver will learn one of the two random PRG seeds \((s_0,s_1)\) sampled by the sender. In parallel, the sender prepares two ciphertexts \(( {\textsf{ct}}_0:= {\textsf{PRG}}(s_0) \oplus m_0, {\textsf{ct}}_1:= {\textsf{PRG}}(s_1) \oplus m_1 )\) for his two input messages \((m_0,m_1)\), and communicates one of them to the receiver using a semi-honest rate-1 OT protocol. Even given both \(({\textsf{ct}}_0, {\textsf{ct}}_1)\) the receiver cannot recover both \(m_0\) and \(m_1\), because \({\textsf{OT}}_1\) will guarantee that at least one of the seeds remains computationally hidden from the receiver. The above protocol is rate-1 because the added communication of obliviously transferring \((s_0, s_1)\) is independent of the size of \(m_0\). The main drawback of the above protocol is that, since we do not rely on a trusted setup, we cannot extract the choice bit in polynomial time from the receiver, and hence we will have to rely on complexity leveraging to establish sender security. In particular, the best we can guarantee is that a malicious computationally-bounded receiver cannot compute both messages of the sender. This notion will fall short in replacing rate-1 SSP OT in the aforementioned applications.

4 Preliminaries

We will denote finite fields of unspecified size by \({\mathbb {F}}\), and for any prime-power q we will denote the finite field of size q by \({\mathbb {F}}_q\). We will use \(u_{\mathbb {F}}\) to denote a uniform and independent random variable over \({\mathbb {F}}\), and likewise \(\textbf{u}_{{\mathbb {F}}^t}\) to denote a uniform and independent random variable over \({\mathbb {F}}^t\).

\({\mathbb {Z}}\) are the integers and \({\mathbb {Z}}_q={\mathbb {Z}}/q{\mathbb {Z}}\) are the integers modulo q. Vectors are small, bold letters (e.g. \(\textbf{a},\textbf{b}\)) while matrices are big, bold letters (e.g. \(\textbf{A},\textbf{B}\)). For sets of functions we use big, italic letters (e.g. \({\mathcal {F}}, {\mathcal {G}}\)). We also use [n] instead of \(\{1,\dots ,n\}\).

For a cyclic group we use \({\mathbb {G}}\) and usually call its generator g. As a shorthand for the matrix of group elements \((g^{M_{i,j}})_{i,j\in [n]}\) we write \(g^\textbf{M}\), where \(\textbf{M}\) is a matrix from \({\mathbb {Z}}^{n\times n}\), and similarly for vectors and rectangular matrices. This allows for notations such as \((g^\textbf{M})^\textbf{v}=g^{\textbf{M}\textbf{v}}\), where \(g^\textbf{M}\) is an \(n\times n\) matrix of group elements and \(\textbf{v}\) is an n-vector.

We use \({\textsf{span}}(\textbf{M})\) to indicate the column span of matrix \(\textbf{M}\) and \({\textsf{LKer}}(\textbf{M})\) its left kernel.

Definition 1

(Computational Indistinguishability) Two random variables B and C are computationally indistinguishable if for every polynomial adversary \({\mathcal {A}}\)

$$\begin{aligned} \left| \Pr _{b\sim B}[{\mathcal {A}}(b)=1]-\Pr _{c\sim C}[{\mathcal {A}}(c)=1]\right| \end{aligned}$$

is negligible in the security parameter.

Sometimes we denote this with \(B\approx C\).

4.1 Statistical Measures

We introduce some standard concepts for statistical measures.

Definition 2

(Statistical Distance) We define the statistical distance between two discrete random variables A and B to be

$$\begin{aligned} \Delta (A; B) = \frac{1}{2}\sum _\upsilon \left| \Pr [A=\upsilon ]-\Pr [B=\upsilon ]\right| \end{aligned}$$

We use \(\Delta (A; B\vert C)\) as a shorthand for \(\Delta ((A,C)\;; (B,C))\). Sometimes we write \(A \approx _\epsilon B\) instead of \(\Delta (A; B)\le \epsilon \).

We call two random variables statistically indistinguishable if their statistical distance is negligible in the security parameter. We denote this as \(\approx \) or \(\approx _s\). Since \(\approx \) by itself is ambiguous, we will make it clear from the context.

Definition 3

(Min-Entropy) We define the min-entropy of a random variable A to be

$$\begin{aligned} {\textbf{H}}_\infty (A)=-\log (\max _\upsilon \Pr [A=\upsilon ]) \end{aligned}$$

Definition 4

(Average Conditional Min-Entropy) We define the average conditional min-entropy of random variable A given the random variable B

$$\begin{aligned} \widetilde{{\textbf{H}}}_\infty (A\vert B)=-\log \left( {\mathbb {E}}_{b\sim B}\left[ \max _a\Pr [A=a\vert B=b]\right] \right) \end{aligned}$$

We will make use of the following simple lemma.

Lemma 1

(See e.g. [33]) Let \({\mathbb {F}}\) be a finite field and \(m > n\) be integers. A uniformly random matrix \(\textbf{R} \mathop {\longleftarrow }\limits ^{\textrm{pick}}{\mathbb {F}}^{n \times m}\) has full rank, except with probability \(2^{-(m - n)}\).

We will use the following variant of the leftover hash lemma.

Lemma 2

Let \(\textbf{r}\) be uniform in \({\mathbb {F}}^n\), and \(\textbf{l}\) be a random variable in \({\mathbb {F}}^n\), \(Z \in {{\mathcal {Z}}}\) such that \((\textbf{l},Z)\) is independent of \(\textbf{r}\). If

$$\begin{aligned} \widetilde{{\textbf{H}}}_\infty (\textbf{l}\vert Z) \ge \log q + 2 \log \left( \frac{1}{\varepsilon }\right) , \end{aligned}$$

then

$$\begin{aligned} \Delta ((\textbf{r},Z,\langle \textbf{l},\textbf{r} \rangle )\;;\; (\textbf{r},Z, u_{\mathbb {F}})) \le \varepsilon , \end{aligned}$$

where \(\langle \cdot , \cdot \rangle \) is the inner product over \({\mathbb {F}}\).

We will need the following simple lemma from [34]. Variants of this lemma have been used in the past to prove the security of various non-malleable code constructions (such as [2, 3]).

Lemma 3

Let S be some random variable distributed over a set \({{\mathcal {S}}}\), and let \({{\mathcal {S}}}_1,\ldots ,{{\mathcal {S}}}_j\) be a partition of \({{\mathcal {S}}}\). Let \(\phi :{{\mathcal {S}}}\rightarrow {{\mathcal {T}}}\) be some function, and let \(D_1, \ldots , D_j\) be some random variables over the set \({{\mathcal {T}}}\). Assume that for all \(1 \le i \le j\),

$$\begin{aligned} \Delta \left( \phi (S) \vert _{S \in {{\mathcal {S}}}_i} \;;\; D_i \right) \le \varepsilon _{i}. \end{aligned}$$

Then

$$\begin{aligned} \Delta \left( \phi (S) \;;\; D \right) \le \sum _i \varepsilon _{i} \Pr [S \in {{\mathcal {S}}}_i], \end{aligned}$$

for some random variable \(D \in {{\mathcal {T}}}\) such that for all d, \(\Pr [D = d] = \sum _i \Pr [S \in {{\mathcal {S}}}_i] \cdot \Pr [D_i = d]\). In particular, if \(\varepsilon _i \le \varepsilon \) for \(i=1, \ldots , j-1\), and \(\Pr [S \in {{\mathcal {S}}}_j] \le \delta \), then

$$\begin{aligned} \Delta \left( \phi (S) \;;\; D \right) \le \varepsilon \sum _{i=1}^{j-1} \Pr [S \in {{\mathcal {S}}}_i] + \Pr [S \in {{\mathcal {S}}}_j] \le \varepsilon + \delta . \end{aligned}$$

The following is a fundamental property of statistical distance.

Lemma 4

For any, possibly random, function \(\alpha \), if \(\Delta (A \;; \; B) \le \varepsilon \), then \(\Delta (\alpha (A) \;; \; \alpha (B)) \le \varepsilon .\)
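The statistical notions of Sect. 4.1 (Definitions 2 to 4), the leftover hash lemma variant of Lemma 2 (with empty side information Z) and the post-processing property of Lemma 4, computed exactly over a constructed toy field \({\mathbb {F}}_5\) with \(n = 2\); this is an added example and not code from the paper.

```python
from collections import defaultdict
from fractions import Fraction
from itertools import product
from math import log2

# Constructed toy parameters: the field F = Z_Q with Q prime and vectors of
# length N, small enough to enumerate every outcome exactly with Fractions.
Q = 5
N = 2


def statistical_distance(A, B):
    """Definition 2: Delta(A; B) = 1/2 * sum_v |Pr[A=v] - Pr[B=v]|.
    Distributions are dicts mapping an outcome to its probability."""
    support = set(A) | set(B)
    return Fraction(1, 2) * sum(abs(A.get(v, 0) - B.get(v, 0)) for v in support)


def min_entropy(A):
    """Definition 3: H_inf(A) = -log2(max_v Pr[A=v])."""
    return -log2(max(A.values()))


def avg_cond_min_entropy(joint):
    """Definition 4 on a joint distribution {(a, b): Pr[A=a, B=b]}.  Since
    E_b[max_a Pr[A=a|B=b]] = sum_b Pr[B=b] * max_a Pr[A=a|B=b]
                           = sum_b max_a Pr[A=a, B=b],
    it suffices to add up the largest joint probability for each b."""
    best = defaultdict(Fraction)
    for (a, b), p in joint.items():
        best[b] = max(best[b], p)
    return -log2(sum(best.values()))


def apply_fn(A, alpha):
    """Push a distribution through a deterministic function alpha (Lemma 4)."""
    out = defaultdict(Fraction)
    for v, p in A.items():
        out[alpha(v)] += p
    return dict(out)


def uniform(outcomes):
    outcomes = list(outcomes)
    return {v: Fraction(1, len(outcomes)) for v in outcomes}


def inner(l, r):
    """Inner product over F = Z_Q."""
    return sum(x * y for x, y in zip(l, r)) % Q


def lhl_real_and_ideal(l_dist):
    """Lemma 2 with empty Z: joint distributions of (r, <l, r>) and (r, u_F)
    for r uniform in F^N and independent of l."""
    real, ideal = defaultdict(Fraction), defaultdict(Fraction)
    pr_r = Fraction(1, Q ** N)
    for r in product(range(Q), repeat=N):
        for l, p in l_dist.items():
            real[(r, inner(l, r))] += pr_r * p
        for u in range(Q):
            ideal[(r, u)] += pr_r * Fraction(1, Q)
    return dict(real), dict(ideal)


def lhl_distance(l_dist):
    """Exact Delta((r, <l, r>) ; (r, u_F)) for the given distribution of l."""
    real, ideal = lhl_real_and_ideal(l_dist)
    return statistical_distance(real, ideal)


def lhl_bound(l_dist):
    """Smallest eps permitted by the hypothesis of Lemma 2,
    H_inf(l) >= log q + 2 log(1/eps), i.e. eps = sqrt(q * 2^(-H_inf(l)))."""
    return (Q * 2 ** (-min_entropy(l_dist))) ** 0.5
```

For l uniform over \({\mathbb {F}}_5^2\) the only defect of \(\langle \textbf{l},\textbf{r} \rangle\) is the event \(\textbf{r} = 0\), which gives \(\Delta = \frac{1}{25} \cdot \frac{4}{5} = \frac{4}{125}\), well inside the bound \(\sqrt{5/25}\) of Lemma 2; a constant l (min-entropy 0) gives \(\Delta = 4/5\) and the lemma's hypothesis cannot be met.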

We will need the following lemma.

Lemma 5

([3, Claim 4]) Let \(X_1, X_2, Y_1, Y_2\) be random variables such that \((X_1, X_2) \approx _{\epsilon } (Y_1,Y_2)\). Then, for any non-empty set \( {\mathcal {A}}\), we have:

$$\begin{aligned} \Delta (X_2\vert _{X_1 \in {\mathcal {A}}};Y_2\vert _{ Y_1 \in {\mathcal {A}}})\le \frac{2 \epsilon }{\Pr [X_1 \in {\mathcal {A}}]}. \end{aligned}$$

5 Algebraic Restriction Codes

In this section, we will define our main technical tool: Algebraic Restriction Codes. An algebraic restriction code allows encoding a linear function so that any (suitably bounded) malicious evaluation algorithm cannot exfiltrate information that could not have been obtained via a valid evaluation of the function. We will use algebraic restriction codes as a powerful interface to achieve circuit privacy without sacrificing other crucial properties such as high rate. Algebraic restriction codes can be seen as a specific type of secret sharing which allows for certain homomorphic operations while inhibiting others.

In particular, algebraic restriction codes will become useful in striking a balance between seemingly conflicting goals: Relying on additional structure to achieve advanced functionality while not making this additional structure a potential avenue to attack function privacy. Generally, we allow AR-codes to be seeded, i.e. all operations take as additional input a seed s. We now will define algebraic restriction codes as follows.

Definition 5

An algebraic restriction code consists of three algorithms \({\textsf{Encode}}\), \({\textsf{Eval}}\) and \({\textsf{Decode}}\) with the following syntax.

  • \({\textsf{Encode}}(s,x)\): Takes as input a seed s, an input x and outputs an encoding c

  • \({\textsf{Eval}}(c,f)\): Takes as input an encoding c, a function \(f \in {\mathcal {F}}\) and outputs an encoding d

  • \({\textsf{Decode}}(s,d)\): Takes as input a seed s, an encoding d and outputs a value y

In terms of correctness, we require that for all seeds s, all inputs x and all functions \(f \in {\mathcal {F}}\) that

$$\begin{aligned} {\textsf{Decode}}(s,{\textsf{Eval}}({\textsf{Encode}}(s,x),f)) = f(x). \end{aligned}$$

In terms of security we require that AR codes restrict a potentially larger class \({\mathcal {G}}\) of functions to \({\mathcal {F}}\). Specifically, we require that for any malicious evaluation function \(g \in {\mathcal {G}}\) that evaluating g on an encoding of an input x corresponds to an honest evaluation of a function \(f \in {\mathcal {F}}\) on x. We formalize this via a simulation-based security notion.

Definition 6

(Restriction Security) We say that a code \({\textsf{AR}}\) is \({\mathcal {G}}\)-\({\mathcal {F}}\) restriction secure, if there exists a (randomized) extractor \({\mathcal {E}}\), which takes as input a function \(g \in {\mathcal {G}}\) and outputs a function \(f \in {\mathcal {F}}\) and auxiliary information \({\textsf{aux}}\), and a simulator \({\mathcal {S}}\) such that for every x and every function \(g \in {\mathcal {G}}\) it holds that

$$\begin{aligned} (s,g({\textsf{Encode}}(s,x)),{\textsf{aux}}) \approx (s,{\mathcal {S}}(s,{\textsf{aux}},f(x)),{\textsf{aux}}), \end{aligned}$$

where s is a uniformly random seed and \((f,{\textsf{aux}}) \leftarrow {\mathcal {E}}(g)\). Here, \(\approx \) is either computational or statistical indistinguishability.

A crucial aspect of algebraic restriction codes will be the complexity of both evaluation and decoding. Specifically, we will be interested in algebraic restriction codes for which both \({\textsf{Eval}}\) and \({\textsf{Decode}}\) are linear functions.

5.1 Concatenating AR Codes

Concatenation is a powerful concept in coding theory, allowing to combine properties of different codes. We will now briefly show that concatenating AR codes has the expected effect: If \({\textsf{AR}}_1\) restricts a class \({\mathcal {H}}\) to a class \({\mathcal {G}}'\) and \({\textsf{AR}}_2\) restricts a class \({\mathcal {G}} \supseteq {\mathcal {G}}'\) to another class \({\mathcal {F}}\), then the code \({\textsf{AR}}_3\) obtained by first encoding with \({\textsf{AR}}_2\) and then with \({\textsf{AR}}_1\) restricts \({\mathcal {H}}\) to \({\mathcal {F}}\).

Lemma 6

Let \({\textsf{AR}}_1\) be an AR code which restricts a class \({\mathcal {H}}\) to a class \({\mathcal {G}}\). Let further \({\textsf{AR}}_2\) be an AR code which restricts the class \({\mathcal {G}}\) to a class \({\mathcal {F}}\). Let \({\textsf{AR}}_3\) be the AR code obtained by first encoding with \({\textsf{AR}}_2\) and then with \({\textsf{AR}}_1\), i.e. \({\textsf{AR}}_3.{\textsf{Encode}}_{s_1,s_2}(x) = {\textsf{AR}}_1.{\textsf{Encode}}_{s_1}({\textsf{AR}}_2.{\textsf{Encode}}_{s_2}(x))\). Then the code \({\textsf{AR}}_3\) restricts \({\mathcal {H}}\) to \({\mathcal {F}}\).

Proof

Let \({\mathcal {S}}_1\) be the simulator for \({\textsf{AR}}_1\) and \({\mathcal {S}}_2\) be the simulator for \({\textsf{AR}}_2\). We define the extractor \({\mathcal {E}}_3\) in the canonic way via \({\mathcal {E}}_3(h) = (f,({\textsf{aux}}_1,{\textsf{aux}}_2))\), where \((f,{\textsf{aux}}_2) = {\mathcal {E}}_2(g)\) and \((g,{\textsf{aux}}_1) = {\mathcal {E}}_1(h)\). Furthermore, we define the simulator \({\mathcal {S}}_3\) via \({\mathcal {S}}_3(({\textsf{aux}}_1,{\textsf{aux}}_2),y) = {\mathcal {S}}_1({\textsf{aux}}_1,{\mathcal {S}}_2({\textsf{aux}}_2,y))\). Let \(h \in {\mathcal {H}}\) be a tampering function. We get that

$$\begin{aligned} \begin{aligned}&(h({\textsf {AR}}_1.{\textsf {Encode}}_{s_1}({\textsf {AR}}_2.{\textsf {Encode}}_{s_2}(x))),{\textsf {aux}}_1,{\textsf {aux}}_2) \\ {}&\quad \approx ({\mathcal {S}}_1({s_1},{\textsf {aux}}_1,g({\textsf {AR}}_2.{\textsf {Encode}}_{s_2}(x))),{\textsf {aux}}_1,{\textsf {aux}}_2)\\ {}&\quad \approx ({\mathcal {S}}_1({s_1},{\textsf {aux}}_1,{\mathcal {S}}_2({s_2},{\textsf {aux}}_2,f(x))),{\textsf {aux}}_1,{\textsf {aux}}_2)\\ {}&\quad \approx ({\mathcal {S}}_3(({s_1},{s_2}),({\textsf {aux}}_1,{\textsf {aux}}_2),f(x)),{\textsf {aux}}_1,{\textsf {aux}}_2). \end{aligned} \end{aligned}$$

\(\square \)

While Lemma 6 provides a general concatenation theorem for AR codes, in our applications we will rely on a slight variant for specific function classes where \({\textsf{AR}}_1\) is a \({\mathcal {H}}-{\mathcal {G}}\) AR code and \({\textsf{AR}}_2\) is a \({\mathcal {G}}'-{\mathcal {F}}\) AR code for which the classes \({\mathcal {G}}\) and \({\mathcal {G}}'\) are not identical, but rather \({\mathcal {G}}'\) is a subclass of \({\mathcal {G}}\). In the following, we will identify the extension field \({\mathbb {F}}_{q^k}\) with \({\mathbb {F}}_q^k\) as a vector space.

Lemma 7

Let \({\mathbb {F}}_q\) be a finite field and let \({\mathbb {F}}_{q^k}\) be its extension field of degree k. Let \({\mathcal {G}}\) be the class of functions \({\mathbb {F}}_{q^k} \times {\mathbb {F}}_{q^k} \rightarrow {\mathbb {F}}_{q^k}\) of the form \((x,y) \mapsto a x + b y\) (for \(a,b \in {\mathbb {F}}_{q^k}\)), and let \({\mathcal {H}}\) be a class of functions containing \({\mathcal {G}}\). Let \({\mathcal {G}}'\) be the class of functions \({\mathbb {F}}_q^k \times {\mathbb {F}}_q^k \rightarrow {\mathbb {F}}_q^k\) of the form \((\textbf{x},\textbf{y}) \mapsto \textbf{A} \textbf{x} + \textbf{y}\) (for \(\textbf{A} \in {\mathbb {F}}_q^{k \times k}\)). Finally, let \({\mathcal {F}}\) be the class of functions \({\mathbb {F}}_q^n \times {\mathbb {F}}_q^n \rightarrow {\mathbb {F}}_q^n\) which are either of the form \((\textbf{x},\textbf{y}) \mapsto \alpha \cdot \textbf{x} + \textbf{y}\) (for \(\alpha \in {\mathbb {F}}_q\)) or \((\textbf{x},\textbf{y}) \mapsto \textbf{x}\). If \({\textsf{AR}}_1\) is a \({\mathcal {H}}-{\mathcal {G}}\) AR code and \({\textsf{AR}}_2\) is a \({\mathcal {G}}'-{\mathcal {F}}\) AR code, then the concatenation of \({\textsf{AR}}_1\) and \({\textsf{AR}}_2\) is a \({\mathcal {H}}-{\mathcal {F}}\) AR code \({\textsf{AR}}_3\).

Proof

Let \({\mathcal {E}}_1\) and \({\mathcal {S}}_1\) be the extractor and simulator for \({\textsf{AR}}_1\), and let \({\mathcal {E}}_2\) and \({\mathcal {S}}_2\) be the extractor and simulator for \({\textsf{AR}}_2\). We start by constructing the extractor \({\mathcal {E}}_3\) for \({\textsf{AR}}_3\). On input \(h \in {\mathcal {H}}\), \({\mathcal {E}}_3\) proceeds as follows:

  • Compute \((g,{\textsf{aux}}_1) \leftarrow {\mathcal {E}}_1(h)\), and parse g as a function \((\textbf{x},\textbf{y}) \mapsto a x + b y\) for \(a,b \in {\mathbb {F}}_{q^k}\).

  • If \(b = 0\), set f to be the function \((\textbf{x},\textbf{y}) \mapsto \textbf{x}\) and set \({\textsf{aux}}_2 = \emptyset \).

  • Otherwise:

    • Let \(\textbf{A},\textbf{B} \in {\mathbb {F}}_q^{k \times k}\) be the multiplication matrices corresponding to \(a,b \in {\mathbb {F}}_{q^k}\) (Notice that \(\textbf{B}\) is invertible as \(b \ne 0\)) and set \(g'\) to be the function \((\textbf{x},\textbf{y}) \mapsto \textbf{B}^{-1} \textbf{A} \textbf{x} + \textbf{y}\).

    • Compute \((f,{\textsf{aux}}_2) \leftarrow {\mathcal {E}}_2(g')\).

  • Set \({\textsf{aux}}_3 = ({\textsf{aux}}_1,{\textsf{aux}}_2)\).

  • Output \((f,{\textsf{aux}}_3)\).

Now the simulator \({\mathcal {S}}_3\) is given as follows. On input \((s = (s_1,s_2),{\textsf{aux}}_3,z)\), \({\mathcal {S}}_3\) proceeds as follows:

  • If \({\textsf{aux}}_2 = \emptyset \), set \(z' \leftarrow {\textsf{AR}}_2.{\textsf{Encode}}_{s_2}(z,0)\). Otherwise, compute \(z' \leftarrow b \cdot {\mathcal {S}}_2(s_2,{\textsf{aux}}_2,z)\).

  • Compute and output \(z'' \leftarrow {\mathcal {S}}_1(s_1,{\textsf{aux}}_1,z')\).

Now fix a function \(h \in {\mathcal {H}}\) and let \((g,{\textsf{aux}}_1) \leftarrow {\mathcal {E}}_1(h)\), where we parse g as a function \((\textbf{x},\textbf{y}) \mapsto a x + b y\) for \(a,b \in {\mathbb {F}}_{q^k}\). We will distinguish two cases, \(b = 0\) and \(b \ne 0\).

  1. In the first case, conditioned on \(b = 0\) it holds that

     $$\begin{aligned}&((s_1,s_2),h({\textsf{AR}}_1.{\textsf{Encode}}_{s_1}({\textsf{AR}}_2.{\textsf{Encode}}_{s_2}(\textbf{x},\textbf{y}))),{\textsf{aux}}_1,{\textsf{aux}}_2) \\&\quad \approx ((s_1,s_2),{\mathcal {S}}_1(s_1,{\textsf{aux}}_1,g({\textsf{AR}}_2.{\textsf{Encode}}_{s_2}(\textbf{x},\textbf{y}))),{\textsf{aux}}_1,{\textsf{aux}}_2)\\&\quad \equiv ((s_1,s_2),{\mathcal {S}}_1(s_1,{\textsf{aux}}_1,g({\textsf{AR}}_2.{\textsf{Encode}}_{s_2}(\textbf{x},0))),{\textsf{aux}}_1,{\textsf{aux}}_2)\\&\quad \approx ((s_1,s_2),{\mathcal {S}}_3((s_1,s_2),({\textsf{aux}}_1,{\textsf{aux}}_2),f(\textbf{x},\textbf{y})),{\textsf{aux}}_1,{\textsf{aux}}_2). \end{aligned}$$

  2. In the second case, conditioned on \(b \ne 0\) it holds that

     $$\begin{aligned}&((s_1,s_2),h({\textsf{AR}}_1.{\textsf{Encode}}_{s_1}({\textsf{AR}}_2.{\textsf{Encode}}_{s_2}(\textbf{x},\textbf{y}))),{\textsf{aux}}_1,{\textsf{aux}}_2)\\&\quad \approx ((s_1,s_2),{\mathcal {S}}_1(s_1,{\textsf{aux}}_1,g({\textsf{AR}}_2.{\textsf{Encode}}_{s_2}(\textbf{x},\textbf{y}))),{\textsf{aux}}_1,{\textsf{aux}}_2)\\&\quad \equiv ((s_1,s_2),{\mathcal {S}}_1(s_1,{\textsf{aux}}_1,b \cdot g'({\textsf{AR}}_2.{\textsf{Encode}}_{s_2}(\textbf{x},\textbf{y}))),{\textsf{aux}}_1,{\textsf{aux}}_2)\\&\quad \approx ((s_1,s_2),{\mathcal {S}}_1(s_1,{\textsf{aux}}_1,b \cdot {\mathcal {S}}_2(s_2,{\textsf{aux}}_2,f(\textbf{x},\textbf{y}))),{\textsf{aux}}_1,{\textsf{aux}}_2)\\&\quad \approx ((s_1,s_2),{\mathcal {S}}_3((s_1,s_2),({\textsf{aux}}_1,{\textsf{aux}}_2),f(\textbf{x},\textbf{y})),{\textsf{aux}}_1,{\textsf{aux}}_2). \end{aligned}$$

Overall, we conclude that

$$\begin{aligned}&((s_1,s_2),h({\textsf{AR}}_1.{\textsf{Encode}}_{s_1}({\textsf{AR}}_2.{\textsf{Encode}}_{s_2}(\textbf{x},\textbf{y}))),{\textsf{aux}}_1,{\textsf{aux}}_2)\\&\quad \approx ((s_1,s_2),{\mathcal {S}}_3((s_1,s_2),({\textsf{aux}}_1,{\textsf{aux}}_2),f(\textbf{x},\textbf{y})),{\textsf{aux}}_1,{\textsf{aux}}_2), \end{aligned}$$

which concludes the proof. \(\square \)

6 From Arbitrary Linear to Simple Linear Functions

In this section, we will show a simple construction of AR codes which constrain an adversary from arbitrary linear functions to simple linear functions. Specifically, we consider the following two classes of functions:

  • The class \({\mathcal {F}}\) consists of all functions \(f: {\mathbb {F}}_q^n \times {\mathbb {F}}_q^n \rightarrow {\mathbb {F}}_q^n\) of the form \(f(\textbf{x},\textbf{y}) = a \textbf{x} + \textbf{y}\), where \(a \in {\mathbb {F}}_q\).

  • The class \({\mathcal {G}}\) consists of all functions \(g: {\mathbb {F}}_q^m \times {\mathbb {F}}_q^m \rightarrow {\mathbb {F}}_q^m\) of the form \(g(\textbf{x},\textbf{y}) = \textbf{A} \textbf{x} + \textbf{y}\), where \(\textbf{A} \in {\mathbb {F}}_q^{m \times m}\).

Note that the functions in the class \({\mathcal {F}}\) have two degrees of freedom, whereas the functions in the class \({\mathcal {G}}\) have \(2 m^2\) degrees of freedom.

Let \(s = \textbf{R} \mathop {\longleftarrow }\limits ^{\textrm{pick}}{\mathbb {F}}_q^{n \times m}\) be a uniformly random matrix. The AR code \({\textsf{AR}}_1\) is given as follows.

  • \({\textsf{Encode}}(s,\textbf{x}_1,\textbf{x}_2)\):

  • Choose \(\hat{\textbf{x}}_1,\hat{\textbf{x}}_2 \mathop {\longleftarrow }\limits ^{\textrm{pick}}{\mathbb {F}}_q^m\) uniformly at random under the restriction that \(\textbf{R} \hat{\textbf{x}}_1 = \textbf{x}_1\) and \(\textbf{R} \hat{\textbf{x}}_2 = \textbf{x}_2\).

  • Output \(c \leftarrow (\hat{\textbf{x}}_1,\hat{\textbf{x}}_2)\).

  • \({\textsf{Eval}}(c,a_1,a_2)\):

  • Parse \(c = (\hat{\textbf{x}}_1,\hat{\textbf{x}}_2)\)

  • Compute and output \(\hat{\textbf{y}} \leftarrow \hat{\textbf{x}}_1 a_1 + \hat{\textbf{x}}_2 a_2\).

  • \({\textsf{Decode}}(s,\hat{\textbf{y}})\):

  • Compute and output \(\textbf{y} \leftarrow \textbf{R} \hat{\textbf{y}}\).

The technical core of this section is Lemma 8.

Lemma 8

Let \(q > 0\) be a modulus and \(n > 0\). Let \(\textbf{A} \in {\mathbb {F}}_q^{m \times m}\) be a square matrix. Let \(a \in {\mathbb {F}}_q\) be the eigenvalue of \(\textbf{A}\) for which the dimension of the corresponding eigenspace \({{\textsf{V}}}_a\) is maximal. Let \(\textbf{x}_1,\textbf{x}_2,\textbf{u} \mathop {\longleftarrow }\limits ^{\textrm{pick}}{\mathbb {F}}_q^m\) be chosen uniformly at random. Let further \(\textbf{R} \mathop {\longleftarrow }\limits ^{\textrm{pick}}{\mathbb {F}}_q^{n \times m}\) be chosen uniformly at random. Given that \(m \ge 2n + 2 + 2t\) it holds that

$$\begin{aligned} (\textbf{R},\textbf{R} \textbf{x}_1,\textbf{R} \textbf{x}_2,\textbf{A} \textbf{x}_1 + \textbf{x}_2 ) \equiv (\textbf{R},\textbf{R}\textbf{x}_1, \textbf{R}\textbf{x}_2, a \textbf{x}_1 + \textbf{x}_2 + (\textbf{A} - a \cdot \textbf{I}) \textbf{u} ), \end{aligned}$$
(1)

except with probability \(2q^{-t}\) over the choice of \(\textbf{R}\).

Using Lemma 8, we will establish the main result of this section, Theorem 4.

Theorem 4

Let \({\mathcal {F}}\), \({\mathcal {G}}\) be the two classes defined above. The AR code \({\textsf{AR}}_1\) restricts \({\mathcal {G}}\) to \({\mathcal {F}}\).

Proof of Theorem 4

Let \(g(\hat{\textbf{x}}_1,\hat{\textbf{x}}_2) = \textbf{A} \hat{\textbf{x}}_1 + \hat{\textbf{x}}_2\), and let \(a \in {\mathbb {F}}_q\) be the eigenvalue of \(\textbf{A}\) for which the corresponding eigenspace has the largest dimension, if no non-zero eigenvalue exists set \(a = 0\). By Lemma 1 the matrix \(\textbf{R}\) has full rank, except with negligible probability \(2^{-(m - n)}\). By Lemma 8, for uniformly random \(\hat{\textbf{x}}_1\) and \(\hat{\textbf{x}}_2\) it holds that

$$\begin{aligned} (\textbf{R},\textbf{R} \hat{\textbf{x}}_1,\textbf{R} \hat{\textbf{x}}_2,\textbf{A} \hat{\textbf{x}}_1 + \hat{\textbf{x}}_2 ) \equiv (\textbf{R},\textbf{R}\hat{\textbf{x}}_1, \textbf{R}\hat{\textbf{x}}_2, a \hat{\textbf{x}}_1 + \hat{\textbf{x}}_2 + (\textbf{A} - a \cdot \textbf{I}) \textbf{u} ), \end{aligned}$$
(2)

except with negligible probability over the choice of \(\textbf{R}\). Thus fix an \(\textbf{R}\) which has full rank and for which (2) holds, and fix two vectors \(\textbf{x}_1,\textbf{x}_2 \in {\mathbb {F}}_q^n\). Since \(\textbf{R}\) has full rank, we can condition on \(\textbf{R}\hat{\textbf{x}}_1 = \textbf{x}_1\) and \(\textbf{R}\hat{\textbf{x}}_2 = \textbf{x}_2\) and obtain that

$$\begin{aligned} \textbf{A} \hat{\textbf{x}}_1 + \hat{\textbf{x}}_2 \equiv a \hat{\textbf{x}}_1 + \hat{\textbf{x}}_2 + (\textbf{A} - a \cdot \textbf{I}) \textbf{u}. \end{aligned}$$
(3)

This implies that for all but a negligible fraction of the \(\textbf{R}\) we can simulate \(g(\hat{\textbf{x}}_1,\hat{\textbf{x}}_2)\) from \(\textbf{y} = a \textbf{x}_1 + \textbf{x}_2\) alone: choose a uniformly random \(\hat{\textbf{y}}\) with \(\textbf{R} \hat{\textbf{y}} = \textbf{y}\) and a uniformly random \(\textbf{u} \in {\mathbb {F}}_q^m\), and output \(\textbf{z} = \hat{\textbf{y}} + (\textbf{A} - a \cdot \textbf{I}) \textbf{u}\). By (3), \(\textbf{z}\) and \(g(\hat{\textbf{x}}_1,\hat{\textbf{x}}_2)\) are identically distributed. \(\square \)

Proof of Lemma 8

First note that, leaving out \(\textbf{R}\), the left-hand side of (1) can be written as \(\textbf{M}_0 \cdot (\textbf{x}_1, \textbf{x}_2)^\top \) where

$$\begin{aligned} \textbf{M}_0 = \left( \begin{array}{cc} \textbf{R} &{} \\ &{} \textbf{R} \\ \textbf{A} &{} \textbf{I} \end{array} \right) , \end{aligned}$$

whereas the right-hand side of (1) (again leaving out \(\textbf{R}\)) can be written as \(\textbf{M}_1 \cdot (\textbf{x}_1,\textbf{x}_2,\textbf{u})^\top \) where

$$\begin{aligned} \textbf{M}_1 = \left( \begin{array}{ccc} \textbf{R} &{} &{} \\ &{} \textbf{R} &{} \\ a \textbf{I} &{} \textbf{I} &{} \textbf{A} - a\textbf{I} \end{array} \right) . \end{aligned}$$

Consequently, since \(\textbf{x}_1,\textbf{x}_2\) and \(\textbf{u}\) are chosen uniformly at random from \({\mathbb {F}}_q^m\), the distributions on the left-hand side and the right-hand side are identical if and only if the columns of \(\textbf{M}_0\) and \(\textbf{M}_1\) span the same space. First observe that \({\textsf{span}}(\textbf{M}_0) \subseteq {\textsf{span}}(\textbf{M}_1)\), as \(\textbf{M}_0 \cdot (\textbf{x}_1,\textbf{x}_2)^\top = \textbf{M}_1 (\textbf{x}_1,\textbf{x}_2,\textbf{x}_1)^\top \).

To show the other inclusion, note that \({\textsf{span}}(\textbf{M}_1) \subseteq {\textsf{span}}(\textbf{M}_0)\) if and only if \({\textsf{LKer}}(\textbf{M}_0) \subseteq {\textsf{LKer}}(\textbf{M}_1)\). Therefore, let \((\textbf{v}_1,\textbf{v}_2,\textbf{w})\) be a vector in \({\textsf{LKer}}(\textbf{M}_0)\), i.e. it holds that \(\textbf{v}_1 \textbf{R} + \textbf{w}\textbf{A} = 0\) and \(\textbf{v}_2 \textbf{R} + \textbf{w} = 0\). This immediately implies that \(\textbf{v}_1 \textbf{R} = \textbf{v}_2 \textbf{R} \textbf{A}\). We will show that this implies that \(\textbf{v}_2 \textbf{R}\) is an eigenvector of \(\textbf{A}\). As \(\textbf{R}\) is chosen uniformly from \({\mathbb {F}}_q^{n \times m}\), it holds by Lemma 1 that \(\textbf{R}\) has full rank, except with negligible probability \(2^{-(m-n)}\). Now recall that a is the eigenvalue of \(\textbf{A}\) with the eigenspace of highest dimension and recall that \(\textbf{v}_2\textbf{R} \textbf{A} = \textbf{v}_1\textbf{R}\). We will show that this implies that \(\textbf{v}_2 \textbf{R} \textbf{A} = a \cdot \textbf{v}_2 \textbf{R}\), except with negligible probability over the choice of \(\textbf{R}\). That is, we will show that

$$\begin{aligned} \Pr _{\textbf{R}}[ \exists \textbf{v}_1,\textbf{v}_2 \ne 0 \text { s.t. } \textbf{v}_2\textbf{R}\textbf{A} = \textbf{v}_1 \textbf{R} \text { and } \textbf{v}_2\textbf{R}\textbf{A} \ne a \textbf{v}_2 \textbf{R} ] \le {\textsf{negl}}. \end{aligned}$$
(4)

In other words, for all \(\textbf{v}_1,\textbf{v}_2 \ne 0\), \(\textbf{v}_2 \textbf{R}\textbf{A} = \textbf{v}_1 \textbf{R}\) implies \(\textbf{v}_2\textbf{R}\textbf{A} = a \textbf{v}_2 \textbf{R}\), except with negligible probability over the choice of \(\textbf{R}\). From this it follows immediately that \({\textsf{LKer}}(\textbf{M}_0) \subseteq {\textsf{LKer}}(\textbf{M}_1)\), as \(\textbf{w} = -\textbf{v}_2 \textbf{R}\) and therefore \(\textbf{w} (\textbf{A} - a \textbf{I}) = -a \textbf{v}_2 \textbf{R} + a\textbf{v}_2 \textbf{R} = 0\). We will establish (4) via a union bound over the \(\textbf{v}_1,\textbf{v}_2\), and towards this goal we will distinguish two cases.

  1. In the first case, \(\textbf{v}_1\) and \(\textbf{v}_2\) are linearly dependent, i.e. there exists an \(\alpha \in {\mathbb {F}}_q\) such that \(\textbf{v}_1 = \alpha \textbf{v}_2\). If \(\alpha = a\) then the probability of the event is 0. Thus consider \(\alpha \ne a\), and let \({{\textsf{V}}}_\alpha \) be the eigenspace of \(\textbf{A}\) corresponding to the eigenvalue \(\alpha \), where \({{\textsf{V}}}_\alpha = \{0\}\) if \(\alpha \) is not an eigenvalue of \(\textbf{A}\). Observe that the dimension of \({{\textsf{V}}}_\alpha \) must be at most m/2, as otherwise \(\alpha \) would be the eigenvalue with the eigenspace of the largest dimension and therefore \(\alpha = a\). Consequently, it holds that

     $$\begin{aligned} \Pr [\textbf{v}_1\textbf{R} = \textbf{v}_2\textbf{R}\textbf{A}]&= \Pr [\alpha \textbf{v}_2 \textbf{R} = \textbf{v}_2 \textbf{R}\textbf{A}]\\&= \Pr [\textbf{v}_2\textbf{R} \in {{\textsf{V}}}_\alpha ] \le q^{-m/2}, \end{aligned}$$

     as \(\textbf{v}_2\textbf{R}\) is distributed uniformly at random over \({\mathbb {F}}_q^m\) and the dimension of \({{\textsf{V}}}_\alpha \) is at most m/2.

     We further note that there are at most \(q^n\) choices for \(\textbf{v}_2\) and q choices for \(\alpha \), thus in this case there are at most \(q^{n+1}\) possible choices for the pair \((\textbf{v}_1,\textbf{v}_2)\).

  2. In the second case, \(\textbf{v}_1\) and \(\textbf{v}_2\) are linearly independent. In this case \(\textbf{v}_1\textbf{R}\) and \(\textbf{v}_2\textbf{R}\) are distributed independently and uniformly at random. Consequently, it holds that

     $$\begin{aligned} \Pr _\textbf{R}[\textbf{v}_1\textbf{R} = \textbf{v}_2\textbf{R}\textbf{A} \text { and } \textbf{v}_2\textbf{R}\textbf{A} \ne a \textbf{v}_2\textbf{R}] \le \Pr _\textbf{R}[\textbf{v}_1\textbf{R} = \textbf{v}_2\textbf{R}\textbf{A} ] \le 1 / q^m. \end{aligned}$$

     Note that in this case there are fewer than \(q^{2n}\) choices for the pair \(\textbf{v}_1,\textbf{v}_2\).

We can conclude that

$$\begin{aligned} \Pr _\textbf{R}[\exists \textbf{v}_1,\textbf{v}_2 \text { s.t. } \textbf{v}_1\textbf{R} = \textbf{v}_2 \textbf{R}\textbf{A} \text { and } \textbf{v}_2 \textbf{R} \textbf{A} \ne a \textbf{v}_2\textbf{R}] \le q^{n+1} q^{-m/2} + q^{2n} q^{-m}. \end{aligned}$$

As \(m \ge 2n + 2 + 2t\), we can bound this probability by \(2 q^{-t}\). \(\square \)
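To make the construction of \({\textsf{AR}}_1\) in this section, the simulator from the proof of Theorem 4 and the column-span condition at the core of the proof of Lemma 8 concrete, here is a small Python model written for this page; it is not code from the paper. It assumes a constructed toy prime \(q = 101\), the constructed parameters \(n = 2\), \(t = 3\) (so \(m = 2n + 2 + 2t = 12\)), a constructed tampering matrix \(\textbf{A}\) with a 6-dimensional eigenspace for the eigenvalue 5 and a Jordan block for 7, and the hypothetical function names below. Encode samples a uniform preimage under \(\textbf{R}\) by row reduction over \({\mathbb {F}}_q\) (free coordinates random, pivots determined), the simulator outputs \(\hat{\textbf{y}} + (\textbf{A} - a\textbf{I})\textbf{u}\) exactly as in the proof of Theorem 4, and the Lemma 8 check compares the ranks of \(\textbf{M}_0\) and \(\textbf{M}_1\), which suffices because \({\textsf{span}}(\textbf{M}_0) \subseteq {\textsf{span}}(\textbf{M}_1)\) always holds.

```python
"""Toy model of AR_1 (Section 6), the Theorem 4 simulator and the span test behind
Lemma 8 over a small prime field. Added illustration; all parameters constructed."""
import random

Q = 101  # constructed toy prime; the paper allows any prime power q

def mat_vec(M, v, q=Q):
    return [sum(r * x for r, x in zip(row, v)) % q for row in M]

def rref(M, q=Q):
    """Reduced row echelon form over F_q; returns (rows, pivot columns)."""
    A = [[x % q for x in row] for row in M]
    pivots, r = [], 0
    for c in range(len(A[0])):
        p = next((i for i in range(r, len(A)) if A[i][c]), None)
        if p is None: continue
        A[r], A[p] = A[p], A[r]
        s = pow(A[r][c], q - 2, q)  # inverse of the pivot (Fermat, q prime)
        A[r] = [(x * s) % q for x in A[r]]
        for i in range(len(A)):
            if i != r and A[i][c]:
                A[i] = [(x - A[i][c] * y) % q for x, y in zip(A[i], A[r])]
        pivots.append(c)
        r += 1
        if r == len(A): break
    return A, pivots

def rank(M, q=Q): return len(rref(M, q)[1])

def in_span(M, b, q=Q):  # is the column vector b in the column span of M?
    return rank([row + [x] for row, x in zip(M, b)], q) == rank(M, q)

def random_preimage(R, x, rng, q=Q):
    """Uniform xhat with R xhat = x: free coordinates random, pivots determined."""
    m = len(R[0])
    A, piv = rref([row + [xi] for row, xi in zip(R, x)], q)
    assert m not in piv, "R xhat = x has no solution"
    free = [c for c in range(m) if c not in piv]
    xhat = [0] * m
    for c in free:
        xhat[c] = rng.randrange(q)
    for i, c in enumerate(piv):
        xhat[c] = (A[i][m] - sum(A[i][f] * xhat[f] for f in free)) % q
    return xhat

def ar1_encode(R, x1, x2, rng, q=Q):  # Encode(s = R, x1, x2)
    return random_preimage(R, x1, rng, q), random_preimage(R, x2, rng, q)

def ar1_eval(c, a1, a2, q=Q):  # Eval(c, a1, a2) = a1 xhat1 + a2 xhat2
    return [(a1 * u + a2 * v) % q for u, v in zip(*c)]

def ar1_decode(R, yhat, q=Q):  # Decode(s = R, yhat) = R yhat
    return mat_vec(R, yhat, q)

def minus_aI(A, a, q=Q):
    return [[(A[i][j] - (a if i == j else 0)) % q for j in range(len(A))] for i in range(len(A))]

def dominant_eigenvalue(A, q=Q):
    """The a in F_q whose eigenspace ker(A - aI) has the largest dimension."""
    return max(range(q), key=lambda a: len(A) - rank(minus_aI(A, a, q), q))

def simulate(R, A, y, rng, q=Q):
    """Simulator of Theorem 4: from y = a*x1 + x2 alone, output
    z = yhat + (A - aI) u with R yhat = y and u uniform in F_q^m."""
    a = dominant_eigenvalue(A, q)
    yhat = random_preimage(R, y, rng, q)
    u = [rng.randrange(q) for _ in range(len(A))]
    return [(p + s) % q for p, s in zip(yhat, mat_vec(minus_aI(A, a, q), u, q))]

def block_matrices(R, A, q=Q):
    """M0 and M1 from the proof of Lemma 8, assembled row block by row block."""
    n, m = len(R), len(R[0])
    a = dominant_eigenvalue(A, q)
    Z = [[0] * m for _ in range(n)]
    I = [[int(i == j) for j in range(m)] for i in range(m)]
    aI = [[(a * x) % q for x in row] for row in I]
    M0 = ([r + z for r, z in zip(R, Z)] + [z + r for r, z in zip(R, Z)]
          + [ra + ri for ra, ri in zip(A, I)])
    M1 = ([r + z + z for r, z in zip(R, Z)] + [z + r + z for r, z in zip(R, Z)]
          + [x + y + w for x, y, w in zip(aI, I, minus_aI(A, a, q))])
    return M0, M1

def demo(seed=1, n=2, t=3):
    """Constructed run with m = 2n + 2 + 2t, the hypothesis of Lemma 8."""
    rng = random.Random(seed)
    m = 2 * n + 2 + 2 * t
    R = [[rng.randrange(Q) for _ in range(m)] for _ in range(n)]
    # A: eigenvalue 5 with a 6-dim eigenspace; the Jordan coupling A[6][7] = 1
    # leaves the eigenspace of 7 only 5-dimensional, so a = 5 dominates.
    A = [[(5 if i < 6 else 7) if i == j else 0 for j in range(m)] for i in range(m)]
    A[6][7] = 1
    x1, x2 = [[rng.randrange(Q) for _ in range(n)] for _ in range(2)]
    c, a1, a2 = ar1_encode(R, x1, x2, rng), 9, 4
    correct = ar1_decode(R, ar1_eval(c, a1, a2)) == [(a1 * u + a2 * v) % Q for u, v in zip(x1, x2)]
    a = dominant_eigenvalue(A)
    z = simulate(R, A, [(a * u + v) % Q for u, v in zip(x1, x2)], rng)
    M0, M1 = block_matrices(R, A)
    # Lemma 8: span(M0) always lies in span(M1), so equal ranks mean equal spans;
    # then each simulated z equals A xh1 + xh2 for some valid encoding of (x1, x2).
    return correct, a, rank(M0) == rank(M1), in_span(M0, x1 + x2 + z)
```

`demo()` returns whether decoding recovers \(a_1 \textbf{x}_1 + a_2 \textbf{x}_2\), the dominant eigenvalue found, whether the column spans of \(\textbf{M}_0\) and \(\textbf{M}_1\) agree, and whether the simulated \(\textbf{z}\) can be written as \(\textbf{A}\hat{\textbf{x}}_1 + \hat{\textbf{x}}_2\) for some encoding \((\hat{\textbf{x}}_1,\hat{\textbf{x}}_2)\) of \((\textbf{x}_1,\textbf{x}_2)\); that last check is exactly the membership \((\textbf{x}_1,\textbf{x}_2,\textbf{z}) \in {\textsf{span}}(\textbf{M}_0)\), which Lemma 8 guarantees for all but a \(2q^{-t}\) fraction of the seeds \(\textbf{R}\) (here about \(2 \cdot 101^{-3}\)).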

7 From Output-Bounded Functions to Linear Combinations

In this section, we will show that the AR code induced by the inner product extractor restricts arbitrary functions of bounded output length to linear functions. Specifically, consider the following two classes of functions:

  • The class \({\mathcal {F}}\) consists of all functions \(f: ({\mathbb {F}}_q)^t \rightarrow {\mathbb {F}}_q\) of the form \(f(x_1,\dots ,x_t) = \sum _{i = 1}^t a_i x_i\), where \(a_1,\dots ,a_t \in {\mathbb {F}}_q\).

  • The class \({\mathcal {G}}\) consists of all functions \(g: ({\mathbb {F}}_q^n)^t \rightarrow \{0,1\}^{n \log (q) + l}\) (for some \( l< n \log (q)\)).

Let \(s = \textbf{s} \mathop {\longleftarrow }\limits ^{\textrm{pick}}{\mathbb {F}}_q^n\) be a uniformly random vector. The AR code \({\textsf{AR}}_2\) is given as follows.

  • \({\textsf{Encode}}(s,x_1,\dots ,x_t)\):

  • Choose \(\textbf{x}_1,\dots ,\textbf{x}_t \mathop {\longleftarrow }\limits ^{\textrm{pick}}{\mathbb {F}}_q^n\) uniformly at random under the restriction that \(\langle \textbf{x}_i,\textbf{s} \rangle = x_i\) for all \(i \in [t]\).

  • Output \(c = (\textbf{x}_1,\dots ,\textbf{x}_t)\).

  • \({\textsf{Eval}}(c,\textbf{a})\):

  • Parse \(c = (\textbf{x}_1,\dots ,\textbf{x}_t)\) and \(\textbf{a} = (a_1,\dots ,a_t)\).

  • Compute and output \(\textbf{y} \leftarrow \sum _{i = 1}^t a_i \textbf{x}_i\).

  • \({\textsf{Decode}}(s,\textbf{y})\):

  • Compute and output \(y \leftarrow \langle \textbf{y},\textbf{s} \rangle \).
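The inner-product code \({\textsf{AR}}_2\) above, as a small Python model written for this page (not the paper's code). It assumes a constructed toy prime \(q = 101\), constructed parameters \(n = 8\), \(t = 3\), and the hypothetical function names below. The only step that needs care is Encode: a uniform vector on the affine hyperplane \(\langle \textbf{x}_i,\textbf{s} \rangle = x_i\) is obtained by drawing every coordinate at random and then solving for one coordinate at a position where \(\textbf{s}\) is non-zero, which is a bijection of \({\mathbb {F}}_q\) for fixed remaining coordinates and hence preserves uniformity.

```python
"""Toy model of the inner-product AR code AR_2 (Section 7) over a small prime
field. Added illustration for this page; all parameters are constructed."""
import random

Q = 101  # constructed toy prime

def inner(u, v, q=Q):
    """Inner product <u, v> over F_q."""
    return sum(a * b for a, b in zip(u, v)) % q

def sample_on_hyperplane(s, x, rng, q=Q):
    """Uniform v in F_q^n with <v, s> = x (requires s != 0): draw all coordinates
    at random, then fix one coordinate j with s_j != 0 so the constraint holds."""
    j = next(i for i, sj in enumerate(s) if sj)
    v = [rng.randrange(q) for _ in s]
    rest = (inner(v, s, q) - v[j] * s[j]) % q       # contribution of the other coordinates
    v[j] = ((x - rest) * pow(s[j], q - 2, q)) % q     # s_j^{-1} by Fermat (q prime)
    return v

def ar2_encode(s, xs, rng, q=Q):
    """Encode(s, x_1, ..., x_t): one hyperplane sample per input field element."""
    return [sample_on_hyperplane(s, x, rng, q) for x in xs]

def ar2_eval(c, coeffs, q=Q):
    """Eval(c, a) = sum_i a_i x_i, computed coordinate-wise on the codeword."""
    return [sum(a * v[k] for a, v in zip(coeffs, c)) % q for k in range(len(c[0]))]

def ar2_decode(s, y, q=Q):
    """Decode(s, y) = <y, s>."""
    return inner(y, s, q)

def demo(seed=7, n=8, t=3):
    """Constructed run: encode t field elements under an n-dimensional seed."""
    rng = random.Random(seed)
    s = [rng.randrange(Q) for _ in range(n)]
    xs = [rng.randrange(Q) for _ in range(t)]
    coeffs = [rng.randrange(Q) for _ in range(t)]
    c = ar2_encode(s, xs, rng)
    encodings_valid = all(inner(v, s) == x for v, x in zip(c, xs))
    decoded = ar2_decode(s, ar2_eval(c, coeffs))
    expected = sum(a * x for a, x in zip(coeffs, xs)) % Q
    return encodings_valid, decoded == expected
```

Correctness is just linearity of the inner product: \(\langle \sum_i a_i \textbf{x}_i, \textbf{s} \rangle = \sum_i a_i \langle \textbf{x}_i, \textbf{s} \rangle = \sum_i a_i x_i\), which is what `demo()` checks.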

Restriction security of this construction follows immediately from Corollary 1 at the end of this section.

7.1 A Conditional XOR Lemma

The following is straightforward from a Markov-like argument.

Lemma 9

  • For any \(\varepsilon >0\), and any correlated random variables \(X \in S\) and E if

    $$\begin{aligned} \Delta (X, E \;; \; U, E) \le \varepsilon , \end{aligned}$$

    then for any \(\delta > 0\), with probability at least \(1-\frac{\varepsilon }{\delta }\) over the choice of \(i\leftarrow E\),

    $$\begin{aligned} \Delta (X\vert _{E=i} \;; \; U) \le \delta . \end{aligned}$$
  • For any \(\delta > 0\), if

    $$\begin{aligned} \Delta (X\vert _{E=i} \;; \; U) \le \delta \end{aligned}$$

    holds with probability at least p over the choice of \(i\leftarrow E\), then

    $$\begin{aligned} \Delta (X, E \;; \; U, E) \le \delta + (1-\delta ) \cdot (1-p) . \end{aligned}$$

Lemma 10

Let \(X \in S\) be a random variable for some set S. Assume that \(\Delta (X \;; \; U_{S}) = \varepsilon \). Then if \(X'\) is an i.i.d. copy of X then

$$\begin{aligned} 4 \varepsilon ^2 \ge \Pr [X=X'] - \frac{1}{\vert S\vert } \ge \frac{4 \varepsilon ^2}{\vert S\vert }. \end{aligned}$$

Proof

Let \(p_x = \Pr [X=x]\) for \(x \in S\). Then

$$\begin{aligned} \Pr [X=X'] - \frac{1}{\vert S\vert }= \sum _{x \in S} \left( p_x-\frac{1}{\vert S\vert }\right) ^2 \ge \frac{1}{\vert S\vert } \left( \sum _{x \in S} \left| p_x-\frac{1}{\vert S\vert }\right| \right) ^2 = \frac{4 \varepsilon ^2}{\vert S\vert }. \end{aligned}$$

Also,

$$\begin{aligned} \Pr [X=X'] - \frac{1}{\vert S\vert }= \sum _{x \in S} \left( p_x-\frac{1}{\vert S\vert }\right) ^2 \le \left( \sum _{x \in S} \left| p_x-\frac{1}{\vert S\vert }\right| \right) ^2 = {4 \varepsilon ^2}. \end{aligned}$$

\(\square \)

Lemma 11

Let \(X \in S\), \(Z \in T\) be correlated random variables for some sets S, T. Assume that \(\Delta (X, Z \;; \; U_{S}, Z) = \varepsilon \). Then if \((X', Z')\) is an i.i.d. copy of (X, Z) then

$$\begin{aligned} 4 \varepsilon ^2 \ge \Pr [X=X', Z=Z'] - \frac{1}{\vert S\vert } \Pr [Z=Z'] \ge \frac{4 \varepsilon ^2}{\vert S\vert \cdot \vert T\vert }. \end{aligned}$$

Proof

Let \(p_z = \Pr [Z=z]\), and let \(p_{x,z} = \Pr [X=x, Z=z]\). Then

$$\begin{aligned} \Pr [X=X',Z=Z'] - \frac{1}{\vert S\vert } \cdot \Pr [Z=Z'] &= \sum _{x \in S, z \in T} \left( p_{x,z}-\frac{p_z}{\vert S\vert }\right) ^2 \\ &\ge \frac{1}{\vert S\vert \cdot \vert T\vert } \left( \sum _{x \in S, z \in T} \left| p_{x, z}-\frac{p_z}{\vert S\vert }\right| \right) ^2 \\ &= \frac{4 \varepsilon ^2}{\vert S\vert \cdot \vert T\vert }. \end{aligned}$$

Also,

$$\begin{aligned} \Pr [X=X',Z=Z'] - \frac{1}{\vert S\vert } \cdot \Pr [Z=Z'] &= \sum _{x \in S, z \in T} \left( p_{x,z}-\frac{p_z}{\vert S\vert }\right) ^2 \\ &\le \left( \sum _{x \in S, z \in T} \left| p_{x, z}-\frac{p_z}{\vert S\vert }\right| \right) ^2 \\ &= 4 \varepsilon ^2. \end{aligned}$$

\(\square \)
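A numerical check of Lemmas 10 and 11, added for this page (not part of the paper): for an arbitrary finite distribution (Lemma 10) or joint distribution given as `p[z][x]` (Lemma 11), the functions below compute the statistical distance \(\varepsilon \) from uniform, the collision-probability gap in the middle of each inequality, and the two bounds around it. The sample distributions in `demo()` are constructed; exact `Fraction`s are used there so that the comparisons are not affected by rounding.

```python
"""Numerical check of Lemmas 10 and 11 (collision probability vs. statistical
distance from uniform). Added illustration; the distributions are constructed."""
from fractions import Fraction

def dist_from_uniform(p):
    """Delta(X ; U_S) = 1/2 * sum_x |p_x - 1/|S||, for p a list of Pr[X = x]."""
    u = Fraction(1, len(p))
    return sum(abs(px - u) for px in p) / 2

def lemma10(p):
    """Returns (4 eps^2, Pr[X = X'] - 1/|S|, 4 eps^2 / |S|) for Lemma 10,
    where X' is an i.i.d. copy of X, so Pr[X = X'] = sum_x p_x^2."""
    eps = dist_from_uniform(p)
    excess = sum(px * px for px in p) - Fraction(1, len(p))
    return 4 * eps ** 2, excess, 4 * eps ** 2 / len(p)

def lemma11(p):
    """Lemma 11 with p[z][x] = Pr[X = x, Z = z]; returns
    (4 eps^2, Pr[X=X', Z=Z'] - Pr[Z=Z']/|S|, 4 eps^2 / (|S| |T|))."""
    S, T = len(p[0]), len(p)
    pz = [sum(row) for row in p]  # marginal distribution of Z
    eps = sum(abs(pxz - pz[z] / S) for z, row in enumerate(p) for pxz in row) / 2
    excess = sum(pxz * pxz for row in p for pxz in row) - sum(v * v for v in pz) / S
    return 4 * eps ** 2, excess, 4 * eps ** 2 / (S * T)

def sandwiched(triple):
    """True iff upper >= middle >= lower, i.e. the lemma's two-sided bound holds."""
    hi, mid, lo = triple
    return hi >= mid >= lo

def demo():
    """Constructed cases: a point mass, the uniform distribution, a skewed
    distribution, and a correlated joint distribution for Lemma 11."""
    F = Fraction
    point_mass = [F(1), F(0), F(0), F(0)]
    uniform = [F(1, 4)] * 4
    skewed = [F(1, 2), F(1, 4), F(1, 8), F(1, 8)]
    joint = [[F(1, 2), F(1, 4)], [F(1, 8), F(1, 8)]]
    return (sandwiched(lemma10(point_mass)), sandwiched(lemma10(uniform)),
            sandwiched(lemma10(skewed)), sandwiched(lemma11(joint)))
```

For the skewed distribution, for instance, \(\varepsilon = 1/4\), so the three values are \(1/4 \ge 3/32 \ge 1/16\); for the point mass they are \(9/4 \ge 3/4 \ge 9/16\), which shows that the upper bound of Lemma 10 can be loose while the lower bound stays within a factor \(\vert S\vert \).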

The following is a variant of the well known Vazirani’s XOR lemma. This was proved in [35] in the quantum setting.

Lemma 12

Let \(\textbf{x}=(x_1, \ldots , x_t) \in {\mathbb {F}}^t\) be a random variable, and E be some correlated random variable. Assume that for all \(\alpha _1, \ldots , \alpha _t \in {\mathbb {F}}\) not all zero, \(\Delta (\sum _{i=1}^t \alpha _i x_i, E \;; \; u_{{\mathbb {F}}}, E) \le \varepsilon \). Then

$$\begin{aligned} \Delta (\textbf{x}, E \;; \; \textbf{u}_{{\mathbb {F}}^t}, E) \le 3 p^{3t/4} \sqrt{\varepsilon }. \end{aligned}$$

Proof

We start by choosing E and fixing it. By Lemma 9 and the union bound, we have that with probability at least \(1 - p^t \frac{\varepsilon }{\delta }\) over the choice of E, we have that for all \(\alpha _1, \ldots , \alpha _t \in {\mathbb {F}}\) not all zero,

$$\begin{aligned} \Delta \left( \sum _{i=1}^t \alpha _i x_i \;; \; u_{{\mathbb {F}}}\right) \le \delta , \end{aligned}$$

where the distribution of \(x_i\)’s is conditioned on the choice of E. Let \(\textbf{x}' = (x_1', \ldots , x_t')\) be i.i.d. as \(\textbf{x}\) conditioned on the choice of E. By Lemma 10, we have that for all \(\alpha _1, \ldots ,\alpha _t \in {\mathbb {F}}\) not all zero,

$$\begin{aligned} \Pr \left( \sum _{i=1}^t \alpha _i (x_i - x_i') = 0\right) \le \frac{1}{p} + 4 \delta ^2 . \end{aligned}$$

Let \(\textbf{a} = (a_1, \ldots , a_t)\) be uniform in \({\mathbb {F}}^t\) and independent of \(\textbf{x}, \textbf{x}'\). Then,

$$\begin{aligned} \Pr \left[ \sum _{i=1}^t a_i (x_i- x_i') = 0\right] &= \Pr \left[ \sum _{i=1}^t a_i (x_i- x_i') = 0 \,\Big\vert\, \textbf{a} \ne 0\right] \cdot \Pr [\textbf{a} \ne 0] + \Pr [\textbf{a} = 0] \\ &\le \left( \frac{1}{p} + 4 \delta ^2\right) \cdot \left( 1- \frac{1}{p^t}\right) + \frac{1}{p^t}. \end{aligned}$$

Thus,

$$\begin{aligned} \left( \frac{1}{p} + 4 \delta ^2\right) \cdot \left( 1- \frac{1}{p^t}\right) + \frac{1}{p^t} &\ge \Pr \left[ \sum _{i=1}^t a_i (x_i- x_i') = 0\right] \\ &= \Pr \left[ \sum _{i=1}^t a_i (x_i- x_i') = 0 \,\Big\vert\, \textbf{x} \ne \textbf{x}'\right] \cdot \Pr [\textbf{x} \ne \textbf{x}'] + \Pr [\textbf{x} = \textbf{x}'] \\ &= \Pr [\textbf{x} = \textbf{x}'] + \frac{1}{p} \cdot (1 - \Pr [\textbf{x} = \textbf{x}']) . \end{aligned}$$

Simplifying, we get,

$$\begin{aligned} \Pr [\textbf{x} = \textbf{x}'] \le \frac{1}{p^t} + 4 \delta ^2 \frac{1-1/p^t}{1-1/p} \le \frac{1}{p^t} + 8 \delta ^2 . \end{aligned}$$

Using the inequality in Lemma 10, we get that

$$\begin{aligned} \Delta (\textbf{x}\;; \; \textbf{u}_{{\mathbb {F}}^t}) \le \sqrt{2 \delta ^2 p^t} \le 2\delta \cdot p^{t/2} . \end{aligned}$$

Recall that this is conditioned on the correct choice of E which we have with probability at least \(1 - p^t \frac{\varepsilon }{\delta }\). Using Lemma 9 with \(\delta = p^{t/4} \sqrt{\varepsilon }\), we have that

$$\begin{aligned} \Delta (\textbf{x}, E\;; \; \textbf{u}_{{\mathbb {F}}^t}, E) \le 2\delta \cdot p^{t/2} + p^t \frac{\varepsilon }{\delta } = 3 p^{3t/4} \sqrt{\varepsilon } . \end{aligned}$$

\(\square \)

We remark here that if there is no side information E, then there is no union bound in the first step, and \(\delta = \varepsilon \) so that the statistical distance is \(2 p^{t/2} \varepsilon \).

7.2 Combinatorial Simulator

We now prove our main technical result, which yields algebraic restriction codes for functions of bounded output length.

Theorem 5

Let q be a prime power, let n, t, s be positive integers and \(\varepsilon > 0\) such that

$$\begin{aligned} n \log q - (9t+3) \log q - s - 2 \log t -28 \ge 16 \log \frac{1}{\varepsilon }. \end{aligned}$$

Let \(\textbf{x}_1, \ldots , \textbf{x}_t\) be uniform in \( {\mathbb {F}}_q^{n}\) and let \(\textbf{s}\) be uniform in \({\mathbb {F}}_q^n\) and independent of the \(\textbf{x}_i\). For any \(f:{\mathbb {F}}_q^{tn} \rightarrow \{0,1\}^{n \log q + s}\), there exists a simulator \({\textsf{Sim}}\) and random variables \(a_1, \ldots , a_t \in {\mathbb {F}}_q\) such that

$$\begin{aligned}&\textbf{s}, f(\textbf{x}_1,\ldots , \textbf{x}_t), \langle \textbf{x}_1,\textbf{s} \rangle , \ldots , \langle \textbf{x}_t,\textbf{s} \rangle , a_1, \ldots , a_t\\&\quad \approx _{2\varepsilon }\;\textbf{s}, {\textsf{Sim}}\left( \textbf{s},a_1,\ldots , a_t, \sum _{i=1}^t a_i u_i \right) ,u_1, \ldots , u_t, a_1, \ldots , a_t \end{aligned}$$

where \(u_1, \ldots , u_t\) are uniform and independent random variables in \({\mathbb {F}}_q\), independent of \((a_1, \ldots , a_t)\).

We will use the XOR lemma (Lemma 12) to prove this theorem. We will begin by showing that if we start with \(\textbf{x}_1, \ldots , \textbf{x}_t\) being uniform in any large enough set \({{\mathcal {T}}}\), then there exists a large subset \({{\mathcal {T}}}' \subseteq {{\mathcal {T}}}\) and some fixed \(a_1, \ldots , a_t\) in \({\mathbb {F}}_q\) such that, conditioned on \((\textbf{x}_1, \ldots , \textbf{x}_t)\) being in this subset, the only information about \(\langle \textbf{x}_1,\textbf{s} \rangle , \ldots , \langle \textbf{x}_t,\textbf{s} \rangle \) obtained by learning \(f(\textbf{x}_1, \ldots , \textbf{x}_t)\) and \(\textbf{s}\) is \(\sum _{i=1}^t a_i \langle \textbf{x}_i, \textbf{s} \rangle \). More formally,

Lemma 13

Let q be a prime power, let n, t, s be positive integers and \(\varepsilon > 0\) such that

$$\begin{aligned} n \log q - (9t+3) \log q - s - 2 \log t -28 \ge 16 \log \frac{1}{\varepsilon }. \end{aligned}$$

Let \({{\mathcal {T}}}\subseteq {\mathbb {F}}_q^{tn}\) such that \(\vert {{\mathcal {T}}}\vert \ge \varepsilon \cdot q^{tn}\). For any \(f:{\mathbb {F}}_q^{tn} \rightarrow \{0,1\}^{n \log q + s}\), there exist \(a_1, \ldots , a_t \in {\mathbb {F}}_q\), a non-empty set \({{\mathcal {T}}}' \subseteq {{\mathcal {T}}}\), and a simulator \({\textsf{Sim}}\), such that for the tuple \((\textbf{x}_1, \ldots , \textbf{x}_t)\) distributed uniformly in \({{\mathcal {T}}}'\) and \(\textbf{s}\) uniformly and independently in \({\mathbb {F}}_q^n\),

$$\begin{aligned} \Delta \left( \textbf{s}, f(\textbf{x}_1,\ldots , \textbf{x}_t), \langle \textbf{x}_1,\textbf{s} \rangle , \ldots , \langle \textbf{x}_t,\textbf{s} \rangle \;\;; \;\; \textbf{s}, {\textsf{Sim}}\left( \textbf{s}, \sum _{i=1}^t a_i u_i \right) ,u_1, \ldots , u_t\right) \le \varepsilon , \end{aligned}$$

where \(u_1, \ldots , u_t\) are uniform and independent random variables in \({\mathbb {F}}_q\).

Proof

Let \(\textbf{x}_1, \ldots , \textbf{x}_t\) be uniform in \({{\mathcal {T}}}\). Consider the following cases.

  • CASE 1: \(\Delta (\textbf{s},f(\textbf{x}_1, \ldots ,\textbf{x}_t),\langle \textbf{x}_1,\textbf{s} \rangle , \ldots , \langle \textbf{x}_t,\textbf{s} \rangle \; \;;\; \; \textbf{s},f(\textbf{x}_1, \ldots , \textbf{x}_t), u_1, \ldots ,u_t) \le \varepsilon \). In this case, let \({{\mathcal {T}}}_1 = {{\mathcal {T}}}\). The simulator \({\textsf{Sim}}\) ignores its inputs and just samples \(\textbf{s}, \textbf{x}_1, \ldots , \textbf{x}_t\) according to the given input distribution, and outputs \(\textbf{s}, f(\textbf{x}_1,\ldots , \textbf{x}_t)\). Thus, the given statement implies

    $$\begin{aligned} \Delta \left( \textbf{s}, f(\textbf{x}_1,\ldots , \textbf{x}_t), \langle \textbf{x}_1,\textbf{s} \rangle , \ldots , \langle \textbf{x}_t,\textbf{s} \rangle \;\;; \;\; \textbf{s},{\textsf{Sim}}\left( \textbf{s},\sum _{i=1}^t a_i u_i \right) ,u_1, \ldots , u_t\right) \le \varepsilon . \end{aligned}$$

    Notice that since the simulator ignores its input, the above statement holds for any choice of \(a_1, \ldots , a_t\).

  • CASE 2: \(\Delta (\textbf{s},f(\textbf{x}_1, \ldots , \textbf{x}_t),\langle \textbf{x}_1,\textbf{s} \rangle , \ldots , \langle \textbf{x}_t,\textbf{s} \rangle \; \;;\; \; \textbf{s},f(\textbf{x}_1, \ldots , \textbf{x}_t), u_1, \ldots ,u_t) > \varepsilon \). Lemma 12 shows that if all non-trivial linear combinations of \(\langle \textbf{x}_i, \textbf{s} \rangle \) are close to uniform given \(E=(\textbf{s}, f(\textbf{x}_1, \ldots , \textbf{x}_t))\), then the joint distribution \(\langle \textbf{x}_1, \textbf{s} \rangle , \ldots , \langle \textbf{x}_t,\textbf{s} \rangle \) is close to uniform given E. Applying the contrapositive, we get that there exist \(a_1, \ldots , a_t \in {\mathbb {F}}_q\), not all 0, such that

    $$\begin{aligned} \Delta \left( \left\langle \sum _{i=1}^t a_i \textbf{x}_i,\textbf{s} \right\rangle , \textbf{s}, f(\textbf{x}_1, \ldots , \textbf{x}_t) \;; \; u, \textbf{s}, f(\textbf{x}_1, \ldots , \textbf{x}_t)\right) > \frac{\varepsilon ^2}{9q^{3t/2}} . \end{aligned}$$

Notice that this implies that there is a non-trivial correlation between \(\sum _{i=1}^t a_i \langle \textbf{x}_i,\textbf{s} \rangle \) and \((\textbf{s}, f(\textbf{x}_1, \ldots , \textbf{x}_t))\). We will show that for this choice of \(a_1, \ldots , a_t\), and an appropriate choice of the subset \({{\mathcal {T}}}'\), this correlation is essentially the only correlation between the joint distribution \((\langle \textbf{x}_1, \textbf{s} \rangle , \ldots , \langle \textbf{x}_t, \textbf{s} \rangle )\) and \((\textbf{s}, f(\textbf{x}_1, \ldots , \textbf{x}_t))\).

By the Markov inequality, with probability at least \(\frac{\varepsilon ^2}{18q^{3t/2}}\) over the choice of \(y \leftarrow f(\textbf{x}_1, \ldots , \textbf{x}_t)\) it holds that

$$\begin{aligned} \Delta \left( \left\langle \sum _{i=1}^t a_i \textbf{x}_i,\textbf{s} \right\rangle , \textbf{s}\vert _{f(\textbf{x}_1, \ldots , \textbf{x}_t) = y} \;; \; u, \textbf{s}\right) > \frac{\varepsilon ^2}{18q^{3t/2}} . \end{aligned}$$
(5)

Let \({{\mathcal {Y}}}\) be the set of all y which satisfy the above. For all \(y \in {{\mathcal {Y}}}\), let \({{\mathcal {T}}}_y\) be the preimage of y for the function f, i.e., the set of all \((\textbf{x}_1, \ldots ,\textbf{x}_t)\) such that \(f(\textbf{x}_1, \ldots , \textbf{x}_t) = y\). We have that an element chosen uniformly at random from \({{\mathcal {T}}}\) is in \({{\mathcal {T}}}_y\) for some \(y \in {{\mathcal {Y}}}\) with probability at least \(\frac{\varepsilon ^2}{18q^{3t/2}}\). This implies that

$$\begin{aligned} \left| \bigcup _{y \in {{\mathcal {Y}}}} {{\mathcal {T}}}_y\right| \ge \frac{\varepsilon ^2}{18q^{3t/2}} \cdot \vert {{\mathcal {T}}}\vert \ge \frac{\varepsilon ^3}{18q^{3t/2}} \cdot q^{tn} . \end{aligned}$$

Let y be some element in \({{\mathcal {Y}}}\). By the contrapositive of the leftover hash lemma (Lemma 2), we have that the min-entropy of \(\sum _{i=1}^t a_i \textbf{x}_i\) conditioned on \(f(\textbf{x}_1, \ldots , \textbf{x}_t) = y\) is at most \(\log q + 2 \log \frac{1}{\Delta }\), where

$$\begin{aligned} \Delta := \Delta \left( \left\langle \sum _{i=1}^t a_i \textbf{x}_i,\textbf{s}\right\rangle , \textbf{s}\vert _{f(\textbf{x}_1, \ldots , \textbf{x}_t) = y} \;; \; u, \textbf{s} \right) > \frac{\varepsilon ^2}{18q^{3t/2}} , \end{aligned}$$

using inequality (5). Thus

$$\begin{aligned} {\textbf{H}}_\infty \left( \sum _{i=1}^t a_i \textbf{x}_i\vert f(\textbf{x}_1, \ldots , \textbf{x}_t) = y\right) \le \log q + 4\log \frac{1}{\varepsilon }+ 3t \log q + 2 \log 18 . \end{aligned}$$
(6)

This implies that for each \(y \in {{\mathcal {Y}}}\), there is a large number of elements \((\textbf{x}_1, \ldots , \textbf{x}_t) \in {{\mathcal {T}}}_y\) for which \(\sum _{i=1}^t a_i \textbf{x}_i\) takes one fixed value. We now select only those elements from \({{\mathcal {T}}}_y\) for which \(\sum _{i=1}^t a_i \textbf{x}_i\) equals this fixed value. For each \(y\in {{\mathcal {Y}}}\), let \(\phi (y)\) be the most frequently occurring value of \(\sum _{i=1}^t a_i \textbf{x}_i\) for \((\textbf{x}_1,\ldots , \textbf{x}_t) \in {{\mathcal {T}}}_y\), and let

$$\begin{aligned} {{\mathcal {T}}}_y'=\left\{ (\textbf{x}_1,\ldots , \textbf{x}_t) \in {{\mathcal {T}}}_y \;\; \bigg \vert \;\; \sum _{i=1}^t a_i \textbf{x}_i = \phi (y)\right\} . \end{aligned}$$

By inequality (6), we have that

$$\begin{aligned} \vert {{\mathcal {T}}}_y'\vert \ge \vert {{\mathcal {T}}}_y\vert \cdot \frac{\varepsilon ^4}{324q^{3t+1}} , \end{aligned}$$

which implies that

$$\begin{aligned} \left| \bigcup _{y \in {{\mathcal {Y}}}} {{\mathcal {T}}}_y'\right| \ge \frac{\varepsilon ^3}{18q^{3t/2}} \cdot q^{tn} \cdot \frac{\varepsilon ^4}{324q^{3t+1}} \ge \frac{\varepsilon ^7}{2^{13}q^{9t/2+1}} \cdot q^{tn} . \end{aligned}$$
(7)

Notice that for any \((\textbf{x}_1, \ldots , \textbf{x}_t)\) in \(\bigcup _{y \in {{\mathcal {Y}}}} {{\mathcal {T}}}_y'\), it holds that \(\sum _{i=1}^t a_i \textbf{x}_i\) is equal to \(\phi (f(\textbf{x}_1, \ldots , \textbf{x}_t))\), i.e., it is uniquely determined given \(f(\textbf{x}_1, \ldots , \textbf{x}_t)\).

Intuitively, since \(\sum _{i=1}^t a_i \textbf{x}_i\) carries roughly \(n \log q\) bits of information and is a deterministic function of \(f(\textbf{x}_1, \ldots , \textbf{x}_t)\), whose output has \(n \log q + s\) bits, we expect that \(f(\textbf{x}_1, \ldots , \textbf{x}_t)\) can be uniquely determined from \(\sum _{i=1}^t a_i \textbf{x}_i\) together with little more than s additional bits of information. We will now remove those elements for which a large number of additional bits is required to determine \(f(\textbf{x}_1, \ldots , \textbf{x}_t)\) given \(\sum _{i=1}^t a_i \textbf{x}_i\).

Let \({{\mathcal {Y}}}'\) be the set of all y such that

$$\begin{aligned} \vert \phi ^{-1}(\phi (y))\vert \le \frac{2q^{tn}}{\vert \bigcup _{y \in {{\mathcal {Y}}}} {{\mathcal {T}}}_y'\vert } \cdot 2^s . \end{aligned}$$

For \(y \in {{\mathcal {Y}}}\setminus {{\mathcal {Y}}}'\)

$$\begin{aligned} \vert \phi ^{-1}(\phi (y))\vert > \frac{2q^{tn}}{\vert \bigcup _{y \in {{\mathcal {Y}}}} {{\mathcal {T}}}_y'\vert } \cdot 2^s . \end{aligned}$$

The total number of elements in \({{\mathcal {Y}}}\setminus {{\mathcal {Y}}}'\) is at most the size of the image of f, i.e., \(q^n \cdot 2^s\). Hence the number of distinct values of \(\phi (y)\) for \(y \in {{\mathcal {Y}}}{\setminus } {{\mathcal {Y}}}'\) is at most

$$\begin{aligned} \frac{q^n \cdot 2^s \cdot \vert \bigcup _{y \in {{\mathcal {Y}}}} {{\mathcal {T}}}_y'\vert }{2 q^{tn} \cdot 2^s} = \frac{\vert \bigcup _{y \in {{\mathcal {Y}}}} {{\mathcal {T}}}_y'\vert }{2 q^{(t-1)n}} . \end{aligned}$$

Notice that for any element \(\textbf{z}\in {\mathbb {F}}_q^n\), there are at most \(q^{(t-1)n}\) values of \((\textbf{x}_1, \ldots , \textbf{x}_t)\) such that \(\sum _{i=1}^t a_i \textbf{x}_i = \textbf{z}\). Thus, the number of elements in \(\bigcup _{y \in \phi ^{-1}(\textbf{z})} {{\mathcal {T}}}_y\) is at most \(q^{(t-1)n}\). This implies that

$$\begin{aligned} \left| \bigcup _{y \in {{\mathcal {Y}}}\setminus {{\mathcal {Y}}}'} {{\mathcal {T}}}_y'\right| \le q^{(t-1)n} \cdot \frac{\vert \bigcup _{y \in {{\mathcal {Y}}}} {{\mathcal {T}}}_y'\vert }{2 q^{(t-1)n}} = \frac{\vert \bigcup _{y \in {{\mathcal {Y}}}} {{\mathcal {T}}}_y'\vert }{2} . \end{aligned}$$

Thus,

$$\begin{aligned} \left| \bigcup _{y \in {{\mathcal {Y}}}'} {{\mathcal {T}}}_y'\right| \ge \frac{\vert \bigcup _{y \in {{\mathcal {Y}}}} {{\mathcal {T}}}_y'\vert }{2} . \end{aligned}$$

We let the set \({{\mathcal {T}}}'\) be \(\bigcup _{y \in {{\mathcal {Y}}}'} {{\mathcal {T}}}_y'\), and let \(\textbf{x}_1, \textbf{x}_2, \ldots , \textbf{x}_t\) be uniform in \({{\mathcal {T}}}'\). We have the following two properties satisfied by \((\textbf{x}_1, \ldots , \textbf{x}_t)\):

  • The random variable \(\sum _{i=1}^t a_i \textbf{x}_i\) is a deterministic function of \(f(\textbf{x}_1, \ldots , \textbf{x}_t)\).

  • The random variable \(f(\textbf{x}_1, \ldots , \textbf{x}_t)\) is uniquely determined given

    $$\begin{aligned} \phi (f(\textbf{x}_1, \ldots , \textbf{x}_t)) = \sum _{i=1}^t a_i \textbf{x}_i\text { and }\psi (\textbf{x}_1, \ldots , \textbf{x}_t) \end{aligned}$$

    for some function \(\psi :{\mathbb {F}}_q^{tn} \rightarrow \{0,1\}^{s+14 + (9t/2+1) \log q + 7 \log \frac{1}{\varepsilon }}\).Footnote 2

Since not all \(a_1, \ldots , a_t\) are 0, we assume without loss of generality that \(a_t \ne 0\). Then, notice that

$$\begin{aligned}&{\textbf{H}}_\infty (\textbf{x}_i\vert \textbf{x}_1, \ldots , \textbf{x}_{i-1}, \textbf{x}_{i+1}, \ldots , \textbf{x}_{t-1}, \sum _{i=1}^t a_i \textbf{x}_i)\\&\quad \ge \log \vert {{\mathcal {T}}}'\vert - (t-1) n \log q\\&\quad \ge \log \vert \bigcup _{y\in {{\mathcal {Y}}}'} {{\mathcal {T}}}_y\vert - 1- (t-1) n \log q\\&\quad \ge tn \log q -7 \log \frac{1}{\varepsilon }- 14 - (9t/2+1) \log q - (t-1)n \log q\\&\quad = n \log q - 7 \log \frac{1}{\varepsilon }- 14 - (9t/2+1) \log q \;, \end{aligned}$$

where we used the inequality (7). Additionally, considering the additional leakage from \(\psi (\textbf{x}_1, \ldots , \textbf{x}_t)\), we get that

$$\begin{aligned}&\widetilde{{\textbf{H}}}_\infty (\textbf{x}_i\vert \textbf{x}_1, \ldots , \textbf{x}_{i-1}, \textbf{x}_{i+1}, \ldots , \textbf{x}_{t-1}, \phi (f(\textbf{x}_1, \ldots , \textbf{x}_t)), \psi (\textbf{x}_1, \ldots , \textbf{x}_t))\\&\quad \ge n \log q - 14 \log \frac{1}{\varepsilon }- 28 - (9t+2) \log q - s \\&\quad \ge \log q + 2 \log {\frac{t}{\varepsilon }}\;, \end{aligned}$$

where we used the fact that the length of \(\psi (\textbf{x}_1, \ldots , \textbf{x}_t)\) is at most \(s + 14 + (9t/2 + 1)\log q + 7 \log \frac{1}{\varepsilon }\), and also the bound on \(n \log q\) as given in the lemma statement. Restating with \(\phi , \psi \) replaced by the function f, we get the following.

$$\begin{aligned} \widetilde{{\textbf{H}}}_\infty (\textbf{x}_i\vert \textbf{x}_1, \ldots , \textbf{x}_{i-1}, \textbf{x}_{i+1}, \ldots , \textbf{x}_{t-1}, f(\textbf{x}_1, \ldots , \textbf{x}_t))&\ge \log q + 2 \log {\frac{t}{\varepsilon }}\;. \end{aligned}$$

By the leftover hash lemma (Lemma 2), we have that

$$\begin{aligned}&\langle \textbf{x}_1,\textbf{s} \rangle ,\langle \textbf{x}_2, \textbf{s} \rangle , \ldots , \langle \textbf{x}_{t-1}, \textbf{s} \rangle , f(\textbf{x}_1, \ldots , \textbf{x}_t), \textbf{s} \\&\quad \approx _{\varepsilon /t} u_1, \langle \textbf{x}_2, \textbf{s} \rangle , \ldots , \langle \textbf{x}_{t-1}, \textbf{s} \rangle , f(\textbf{x}_1, \ldots , \textbf{x}_t), \textbf{s} \;. \end{aligned}$$

Similarly, for \(i=2, 3, 4, \ldots , t-1\)

$$\begin{aligned}&u_1, \ldots , u_{i-1}, \langle \textbf{x}_i,\textbf{s} \rangle , \langle \textbf{x}_{i+1}, \textbf{s} \rangle , \ldots , \langle \textbf{x}_{t-1}, \textbf{s} \rangle , f(\textbf{x}_1, \ldots , \textbf{x}_t), \textbf{s}\\&\quad \approx _{\varepsilon /t} u_1, \ldots , u_{i-1}, u_i, \langle \textbf{x}_{i+1}, \textbf{s} \rangle , \ldots , \langle \textbf{x}_{t-1}, \textbf{s} \rangle , f(\textbf{x}_1, \ldots , \textbf{x}_t), \textbf{s} \;. \end{aligned}$$

By the triangle inequality, we get that

$$\begin{aligned}&\langle \textbf{x}_1, \textbf{s} \rangle , \ldots , \langle \textbf{x}_{t-1},\textbf{s} \rangle , f(\textbf{x}_1, \ldots , \textbf{x}_t), \textbf{s}\\&\quad \approx _{\varepsilon (t-1)/t} u_1, \ldots , u_{t-1}, f(\textbf{x}_1, \ldots , \textbf{x}_t), \textbf{s} \;. \end{aligned}$$

Let Z be the additional randomness needed to sample \(f(\textbf{x}_1, \ldots , \textbf{x}_t), \textbf{s}\) given \(\langle \sum _{i=1}^t a_i \textbf{x}_i, \textbf{s} \rangle \), i.e., for some \(\sigma \), \(f(\textbf{x}_1, \ldots , \textbf{x}_t), \textbf{s} \equiv \sigma (Z, \langle \sum _{i=1}^t a_i \textbf{x}_i, \textbf{s} \rangle )\). By the leftover hash lemma (Lemma 2), we have that

$$\begin{aligned} \left\langle \sum _{i=1}^t a_i \textbf{x}_i, \textbf{s}\right\rangle , f(\textbf{x}_1, \ldots , \textbf{x}_t), \textbf{s} \approx _{\varepsilon /t} u, \sigma (Z, u) . \end{aligned}$$

Again by the triangle inequality, we have that

$$\begin{aligned}&\langle \textbf{x}_1, \textbf{s} \rangle , \ldots , \langle \textbf{x}_{t-1},\textbf{s} \rangle , \left\langle \sum _{i=1}^t a_i \textbf{x}_i, \textbf{s}\right\rangle , f(\textbf{x}_1, \ldots , \textbf{x}_t), \textbf{s}\\&\quad \approx _{\varepsilon }\; u_1, \ldots , u_{t-1}, u, \sigma (Z, u) \;. \end{aligned}$$

Writing \(\langle \textbf{x}_t, \textbf{s} \rangle \) as \(\frac{1}{a_t} \left( \langle \sum _{i=1}^t a_i \textbf{x}_i, \textbf{s} \rangle - \sum _{i=1}^{t-1}a_i \langle \textbf{x}_i, \textbf{s} \rangle \right) \), writing the output of \(\sigma \) as \(\sigma (Z, u) = ({\textsf{Sim}}(\textbf{s}, u, Z), \textbf{s})\) to make the simulated value of \(f(\textbf{x}_1, \ldots , \textbf{x}_t)\) and the seed \(\textbf{s}\) explicit, and applying Lemma 4, we have that

$$\begin{aligned}&\langle \textbf{x}_1, \textbf{s} \rangle , \ldots , \langle \textbf{x}_{t},\textbf{s} \rangle , f(\textbf{x}_1, \ldots , \textbf{x}_t), \textbf{s} \\&\quad \approx _{\varepsilon }\; u_1, \ldots , u_{t-1}, \frac{1}{a_t}(u - \sum _{i=1}^{t-1} a_i u_i), {\textsf{Sim}}(\textbf{s},u, Z), \textbf{s} \;. \end{aligned}$$

Notice that \(u_t:=\frac{1}{a_t} \left( u - \sum _{i=1}^{t-1} a_i u_i\right) \) is uniform in \({\mathbb {F}}_q\) and independent of \(u_1, \ldots , u_{t-1}\). Rearranging, we have that \(u = \sum _{i=1}^t a_i u_i\). Thus, we obtain

$$\begin{aligned} \langle \textbf{x}_1, \textbf{s} \rangle , \ldots , \langle \textbf{x}_{t},\textbf{s} \rangle , f(\textbf{x}_1, \ldots , \textbf{x}_t), \textbf{s} \approx _{\varepsilon } u_1, \ldots , u_{t-1}, u_t, {\textsf{Sim}}\left( \textbf{s},\sum _{i=1}^t a_i u_i, Z \right) , \textbf{s} , \end{aligned}$$

as needed. \(\square \)

We are now ready to complete the proof of Theorem 5.

Proof of Theorem 5

From Lemma 1, there exists a set \({{\mathcal {T}}}_1\), a simulator \(\sigma _1\) and \(a_1^{(1)}, \ldots , a_t^{(1)}\) such that for \((\textbf{x}_1^{(1)}, \ldots , \textbf{x}_t^{(1)})\) distributed uniformly in \({{\mathcal {T}}}_1\),

$$\begin{aligned}&\textbf{s}, f\left( \textbf{x}_1^{(1)},\ldots , \textbf{x}_t^{(1)}\right) , \left\langle \textbf{x}_1^{(1)},\textbf{s}\right\rangle , \ldots , \left\langle \textbf{x}_t^{(1)},\textbf{s}\right\rangle \\&\quad \approx _\varepsilon \;\sigma _1\left( \sum _{i=1}^t a_i^{(1)} u_i \right) ,u_1, \ldots , u_t \;. \end{aligned}$$

Since \(a_1^{(1)}, \ldots , a_t^{(1)}\) are fixed and public we can rewrite above as:

$$\begin{aligned}&\textbf{s}, f\left( \textbf{x}_1^{(1)},\ldots , \textbf{x}_t^{(1)}\right) , \left\langle \textbf{x}_1^{(1)},\textbf{s}\right\rangle , \ldots , \left\langle \textbf{x}_t^{(1)},\textbf{s}\right\rangle , a_1^{(1)}, \ldots , a_t^{(1)}\\&\quad \approx _\varepsilon \;\sigma _1\left( \sum _{i=1}^t a_i^{(1)} u_i \right) ,u_1, \ldots , u_t , a_1^{(1)}, \ldots , a_t^{(1)}\;. \end{aligned}$$

If \(\vert {\mathbb {F}}_q^{tn} \setminus {{\mathcal {T}}}_1\vert \ge \varepsilon q^{tn}\), then we again apply Lemma 1 to the remaining inputs to obtain a set \({{\mathcal {T}}}_2\), a simulator \(\sigma _2\) and \(a_1^{(2)}, \ldots , a_t^{(2)}\) such that for \((\textbf{x}_1^{(2)}, \ldots , \textbf{x}_t^{(2)})\) distributed uniformly in \({{\mathcal {T}}}_2\),

$$\begin{aligned}&\textbf{s}, f\left( \textbf{x}_1^{(2)},\ldots , \textbf{x}_t^{(2)}\right) , \left\langle \textbf{x}_1^{(2)},\textbf{s}\right\rangle , \ldots , \left\langle \textbf{x}_t^{(2)},\textbf{s}\right\rangle , a_1^{(2)}, \ldots , a_t^{(2)} \\&\quad \approx _\varepsilon \;\sigma _2\left( \sum _{i=1}^t a_i^{(2)} u_i \right) ,u_1, \ldots , u_t, a_1^{(2)}, \ldots , a_t^{(2)} \;. \end{aligned}$$

We continue to obtain sets \({{\mathcal {T}}}_1, {{\mathcal {T}}}_2, \ldots , {{\mathcal {T}}}_\ell \) by applying Lemma 1 to the inputs not yet covered, until \(\vert {\mathbb {F}}_q^{tn} \setminus ({{\mathcal {T}}}_1 \cup \cdots \cup {{\mathcal {T}}}_\ell )\vert < \varepsilon q^{tn}\). Let \({{\mathcal {T}}}= {{\mathcal {T}}}_1 \cup \cdots \cup {{\mathcal {T}}}_\ell \), and let the random variable \((a_1, \ldots , a_t)\) and the simulator \(\sigma \) be the tuple \((a_1^{(j)}, \ldots , a_t^{(j)})\) and \(\sigma _j\) with probability proportional to the size of \({{\mathcal {T}}}_j\), i.e., \(\frac{\vert {{\mathcal {T}}}_j\vert }{\vert {{\mathcal {T}}}\vert }\). Then, by Lemma 3, we obtain the desired result. \(\square \)

Corollary 1

Let q be a prime power, let n, t, s be positive integers and \(\varepsilon ' > 0\) such that

$$\begin{aligned} n \log q - (25t+3) \log q - s - 2 \log t -60 \ge 16 \log \frac{1}{\varepsilon '} . \end{aligned}$$

Let \(m_1, \ldots , m_t \in {\mathbb {F}}_q\). Let \(\textbf{s}\) be uniform in \({\mathbb {F}}_q^n\) and let \(\textbf{x}_1, \ldots , \textbf{x}_t\) be sampled uniformly in \( {\mathbb {F}}_q^{n}\) conditioned on the event that for all \(i \in [t]\), \(\langle \textbf{x}_i, \textbf{s} \rangle = m_i\). For any \(f:{\mathbb {F}}_q^{tn} \rightarrow \{0,1\}^{n \log q + s}\), there exists a simulator \({\textsf{Sim}}\) and random variables \(a_1, \ldots , a_t \in {\mathbb {F}}_q\) such that

$$\begin{aligned}&\textbf{s}, f(\textbf{x}_1,\ldots , \textbf{x}_t), a_1, \ldots , a_t\\&\quad \approx _{\varepsilon '}\;\textbf{s},{\textsf{Sim}}\left( \textbf{s}, a_1,\ldots , a_t, \sum _{i=1}^t a_i m_i \right) , a_1, \ldots , a_t \end{aligned}$$

where \(u_1, \ldots , u_t\) are uniform and independent random variables in \({\mathbb {F}}_q\), independent of \((a_1, \ldots , a_t)\).

Proof

Applying Lemma 5 to Theorem 5, and conditioning on \(u_1 = m_1, \ldots , u_t = m_t\), we get that if

$$\begin{aligned} n \log q - (9t+3) \log q - s - 2 \log t -28 \ge 16 \log \frac{1}{\varepsilon }, \end{aligned}$$
(8)

then

$$\begin{aligned}&\textbf{s}, f(\textbf{x}_1,\ldots , \textbf{x}_t), a_1, \ldots , a_t\\&\quad \approx _{\varepsilon '}\;\textbf{s}, {\textsf{Sim}}\left( \textbf{s}, a_1,\ldots , a_t, \sum _{i=1}^t a_i m_i \right) , a_1, \ldots , a_t\;, \end{aligned}$$

where \(\varepsilon ' = 4 \varepsilon q^t\), or in other words, \(\varepsilon = \frac{\varepsilon '}{4q^t}\). Substituting \(\varepsilon \) in Equation (8) gives the desired result. \(\square \)
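Carrying the substitution \(\varepsilon = \varepsilon '/(4q^t)\) through (8) explicitly (an added step, not written out in the original):

$$\begin{aligned} 16 \log \frac{1}{\varepsilon } = 16 \log \frac{4 q^t}{\varepsilon '} = 16 \log \frac{1}{\varepsilon '} + 32 + 16 t \log q , \end{aligned}$$

so (8) becomes

$$\begin{aligned} n \log q - (9t+3) \log q - 16 t \log q - s - 2 \log t - 28 - 32 \ge 16 \log \frac{1}{\varepsilon '} , \end{aligned}$$

which is exactly the condition \(n \log q - (25t+3) \log q - s - 2 \log t - 60 \ge 16 \log \frac{1}{\varepsilon '}\) in the statement of Corollary 1.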

8 Rate-1 SSP OT from DDH

In this section, we discuss the standard definition of rate-1 statistical sender-private oblivious transfer (rate-1 SSP OT) and then go over our construction using algebraic restriction codes. We start by providing the necessary cryptographic definitions.

8.1 Decisional Diffie–Hellman Assumption

The assumptions below are stated with respect to a group-generator scheme, whereas most protocols just consider the group. This is only to simplify the notation in the protocol: each participating party chooses the group \({\mathbb {G}}\) according to the publicly known group-generator scheme \({{\textsf{G}}}\) and the security parameter \(\lambda \), and proceeds as detailed in the protocol.

We recall the definition of the decisional Diffie–Hellman assumption [36] (DDH).

Definition 7

(DDH) Let \({{\textsf{G}}}\) be a group-generator scheme, which on input \(1^\lambda \) outputs \(({\mathbb {G}},p,g)\). The decisional Diffie–Hellman assumption holds for group-generator scheme \({{\textsf{G}}}\) if for all polynomial time adversaries \({\mathcal {A}}\)

$$\begin{aligned} \left| \Pr \left[ {\mathcal {A}}(g,g^{a},g^{b},g^{ab})=1\right] -\Pr \left[ {\mathcal {A}}(g,g^a,g^b,g^c)=1\right] \right| \end{aligned}$$

is negligible in \(\lambda \) for \(({\mathbb {G}},p,g)\leftarrow {{\textsf{G}}}(1^\lambda )\) and uniformly random \(a,b,c\in {\mathbb {Z}}_p\).

8.2 Public-Key Encryption Schemes

A public-key encryption scheme uses two keys, a public key \({\textsf{pk}}\) and a secret key \({\textsf{sk}}\). We use the public key to encrypt messages, the result of which is called a ciphertext. Without knowledge of the secret key, it is computationally infeasible to recover the message from the ciphertext. The secret key, however, enables its holder to reliably recover the message from the ciphertext.

Definition 8

(Public-Key Encryption) The following algorithms describe a public-key encryption scheme:

  • \({\textsf{KeyGen}}(1^\lambda )\): The key-generation algorithm takes the security parameter \(\lambda \) as input and outputs a key pair \(({\textsf{pk}},{\textsf{sk}})\).

  • \({\textsf{Enc}}({\textsf{pk}},m)\): The encryption algorithm takes a public key \({\textsf{pk}}\) and a message m as input and outputs a ciphertext c.

  • \({\textsf{Dec}}({\textsf{sk}},c)\): The decryption algorithm takes a secret key \({\textsf{sk}}\) and a ciphertext c as input and outputs a message m. It is typically deterministic.

In the rest of the document, every encryption scheme will be public key. Therefore we will not mention it again.

Definition 9

(Correctness) An encryption scheme \(({\textsf{KeyGen}},{\textsf{Enc}},{\textsf{Dec}})\) is correct if for all message m and security parameters \(\lambda \)

$$\begin{aligned} \Pr \left[ m={\textsf{Dec}}({\textsf{sk}},{\textsf{Enc}}({\textsf{pk}},m))\big \vert ({\textsf{pk}},{\textsf{sk}})\leftarrow {\textsf{KeyGen}}(1^\lambda )\right] =1 \end{aligned}$$

The most popular notion of security for encryption schemes is IND-CPA security.

Definition 10

(IND-CPA Security) An encryption scheme \(({\textsf{KeyGen}},{\textsf{Enc}},{\textsf{Dec}})\) is IND-CPA secure if for all PPT adversary pairs \(({\mathcal {A}}_1,{\mathcal {A}}_2)\), where \({\mathcal {A}}_1\) outputs messages \(m_0, m_1\) of equal length,

$$\begin{aligned} \left| \Pr \left[ b=b'\big \vert \begin{array}{l} ({\textsf{pk}},{\textsf{sk}})\leftarrow {\textsf{KeyGen}}(1^\lambda ) \\ (m_0,m_1,\sigma )\leftarrow {\mathcal {A}}_1(1^\lambda ,{\textsf{pk}}) \\ b\leftarrow _\$\{0,1\} \\ b'\leftarrow {\mathcal {A}}_2({\textsf{Enc}}({\textsf{pk}},m_b),\sigma ) \\ \end{array} \right] -\frac{1}{2} \right| \end{aligned}$$

is negligible in \(\lambda \)

The rate is trying to capture the size comparison between a ciphertext and its corresponding plaintext.

Definition 11

(Rate) An encryption scheme \(({\textsf{KeyGen}},{\textsf{Enc}},{\textsf{Dec}})\) has rate \(\rho \) if there exists a polynomial \(\mu \) such that for all security parameters \(\lambda \), possible outputs of \({\textsf{KeyGen}}(1^\lambda )\) called \(({\textsf{pk}},{\textsf{sk}})\), and messages m with \(|m|\ge \mu (\lambda )\)

$$\begin{aligned} \frac{|m|}{\vert {\textsf{Enc}}({\textsf{pk}},m)\vert }\ge \rho (\lambda ) \end{aligned}$$

We call an encryption scheme high rate if it has a rate greater than 1/2 and we call it rate-1 if for \(\lambda \rightarrow \infty \) the rate \(\rho (\lambda )\) approaches 1.

8.3 Homomorphic Encryption

In homomorphic encryption the decryption algorithm is a homomorphism. Certain changes on a ciphertext change the underlying plaintext in a structured way.

Definition 12

(Homomorphic Encryption) These four algorithms describe a homomorphic encryption scheme:

  • \({\textsf{KeyGen}}(1^\lambda )\): The key-generation algorithm takes the security parameter \(\lambda \) as input and outputs a key pair \(({\textsf{pk}},{\textsf{sk}})\).

  • \({\textsf{Enc}}({\textsf{pk}},m)\): The encryption algorithm takes a public key \({\textsf{pk}}\) and a message m as inputs and outputs a ciphertext c.

  • \({\textsf{Eval}}(1^\lambda ,{\textsf{pk}},f,c_1,\ldots ,c_n)\): The evaluation algorithm takes a security parameter \(\lambda \), a public key \({\textsf{pk}}\), a string representation of a function f, and n ciphertexts \(c_1,\dots ,c_n\), where n is the number of inputs of f, and outputs a new ciphertext c.

  • \({\textsf{Dec}}({\textsf{sk}},c)\): The decryption algorithm takes a secret key \({\textsf{sk}}\) and a ciphertext c as input and outputs a message m. It is typically deterministic.

Definition 13

(Homomorphic Correctness) Let \({\mathcal {F}}\) be a set of functions and f be an arbitrary element of \({\mathcal {F}}\) with n inputs. An \({\mathcal {F}}\)-homomorphic encryption scheme \(({\textsf{KeyGen}},{\textsf{Enc}},\) \({\textsf{Eval}},\) \({\textsf{Dec}})\) is correct if \(({\textsf{KeyGen}},{\textsf{Enc}},{\textsf{Dec}})\) is a correct encryption scheme, and for all messages \(m_1,\ldots ,m_n\), security parameters \(\lambda \), and \(({\textsf{pk}},{\textsf{sk}})\) from the support of \({\textsf{KeyGen}}(1^\lambda )\)

$$\begin{aligned} \Pr \left[ \begin{array}{l} f(m_1,\ldots ,m_n)= {\textsf{Dec}}({\textsf{sk}},{\textsf{Eval}}(1^\lambda ,{\textsf{pk}},f,{\textsf{Enc}}({\textsf{pk}},m_1),\ldots ,{\textsf{Enc}}({\textsf{pk}},m_n))) \end{array}\right] =1 \end{aligned}$$

8.4 Oblivious Transfer

Two-round oblivious transfer is a protocol in which a receiver encodes a choice bit b and transmits it to a sender. The sender then responds to that transmission using its two messages \(m_0\) and \(m_1\). In the end the receiver learns \(m_b\), but not \(m_{1-b}\) and the sender learns nothing.

Definition 14

(Oblivious Transfer) A (string) 1-out-of-2 OT consists of three algorithms: \({\textsf{OT}}_1\), \({\textsf{OT}}_2\), and \({\textsf{OT}}_3\).

  • \({\textsf{OT}}_1(1^\lambda , b)\): Takes as inputs the security parameter \(\lambda \in {\mathbb {N}}\) and a choice bit \(b\in \{0,1\}\) to produce a request \(ot_1\) and a state st.

  • \({\textsf{OT}}_2(ot_1,(m_0, m_1))\): Uses the request \(ot_1\), and the two sender inputs \(m_0,m_1\in \{0,1\}^*\) of same length to create a response \(ot_2\).

  • \({\textsf{OT}}_3(ot_2,st)\): Calculates a result y from the state st and the response \(ot_2\).

We define correctness in the following.

Definition 15

(Correctness) An OT is correct if for all security parameters \(\lambda \), bits \(b\in \{0,1\}\), and sender inputs \(m_0, m_1\in \{0,1\}^*\) the following holds:

$$\begin{aligned} \Pr \left[ y=m_b~\big \vert \begin{array}{l}ot_1,st \leftarrow {\textsf{OT}}_1(1^\lambda ,b) \\ ot_2 \leftarrow {\textsf{OT}}_2(ot_1,(m_0, m_1)) \\ y\leftarrow {\textsf{OT}}_3(ot_2,st)\end{array}\right] =1. \end{aligned}$$

As standard for 2-round OT, we require that the bit of the receiver is hidden in an indistinguishability sense.

Definition 16

(Receiver Security) An OT is receiver secure if for all security parameters \(\lambda \) and PPT adversaries \({\mathcal {A}}\) the following holds:

$$\begin{aligned} \left| \Pr \left[ {\mathcal {A}}(ot_1)=1\vert ot_1, st\leftarrow {\textsf{OT}}_1(1^\lambda , 0)\right] -\Pr \left[ {\mathcal {A}}(ot_1)=1\vert ot_1, st\leftarrow {\textsf{OT}}_1(1^\lambda , 1)\right] \right| \end{aligned}$$

is negligible in \(\lambda \).

We define (malicious) statistical sender privacy for 2-round OT.

Definition 17

(Statistical Sender Privacy) An OT is statistically sender private if there exists an unbounded simulator \({\textsf{Sim}}\) such that for all requests \(ot_1\) and sender inputs \(m_0, m_1\in \{0,1\}^*\) the following holds:

$$\begin{aligned} \Delta ({\textsf{OT}}_2(ot_1,(m_0, m_1));{\textsf{Sim}}^f(1^\lambda , ot_1)) \end{aligned}$$

is negligible in \(\lambda \) with \({\textsf{Sim}}\) having one-time access to an oracle \(f:b\mapsto m_0 \cdot (1-b) + m_1 \cdot b\).

The (download) rate of an OT protocol captures how large the sender's response is in comparison to the size of a message \(m_0\).

Definition 18

(Rate) An OT \(({\textsf{OT}}_1,{\textsf{OT}}_2,{\textsf{OT}}_3)\) has rate \(\rho \) if there exists a polynomial \(\mu \) such that for all security parameters \(\lambda \),

$$\begin{aligned} \frac{\vert m_0\vert }{\vert ot_2\vert }\ge \rho (\lambda ) \end{aligned}$$

for all choice bits b, message lengths \(n>\mu (\lambda )\), sender inputs \(m_0,m_1\in \{0,1\}^n\), receiver outputs \((ot_1,st)\leftarrow {\textsf{OT}}_1(1^\lambda ,b)\) and sender outputs \(ot_2\leftarrow {\textsf{OT}}_2(ot_1,(m_0,m_1))\)

8.5 Packed ElGamal

A big component of our OT construction is the packed ElGamal encryption scheme, which we recall here for completeness. As discussed in the introduction, in the ElGamal encryption scheme [26] public keys are of the form (g, h) and messages m are encrypted as \(g^r,h^r \cdot m\). In the packed ElGamal scheme, the same header \(g^r\) is shared across several payload slots \(h_i^r \cdot m_i\), effectively amortizing the cost of the header to encrypt an entire vector \(\textbf{m}\). Now let \({\mathbb {G}}\) be a cyclic group of prime order p, and let g be a generator of \({\mathbb {G}}\). In our description we will provide a decryption algorithm which takes as additional input a matrix \(\textbf{M} \in {\mathbb {Z}}_p^{m \times n}\), which is applied to the secret key before decryption. In this way, we achieve correctness for homomorphic operations across slots.

  • \({\textsf{KeyGen}}(1^\lambda ,n)\):

  • Choose \(\textbf{s} \xleftarrow {\$}{\mathbb {Z}}_p^n\) uniformly at random.

  • Set \(\textbf{h} = g^{\textbf{s}}\).

  • Return secret key \({\textsf{sk}}=\textbf{s}\) and public key \({\textsf{pk}}= \textbf{h}\).

  • \({\textsf{Enc}}({\textsf{pk}},\textbf{m} \in \{0,1\}^n)\):

  • Parse \({\textsf{pk}}= \textbf{h} \in {\mathbb {G}}^n\).

  • Choose \(r \xleftarrow {\$}{\mathbb {Z}}_p\) uniformly at random.

  • Return the ciphertext \(\textbf{c} = (g^r, \textbf{h}^r \cdot g^{\textbf{m}}) \in {\mathbb {G}}\times {\mathbb {G}}^n\).

For a matrix \(\textbf{X} = (\textbf{x}_1,\dots ,\textbf{x}_m) \in \{0,1\}^{n \times m}\), we overload encryption and denote

$$\begin{aligned} {\textsf{Enc}}({\textsf{pk}},\textbf{X}) = ({\textsf{Enc}}({\textsf{pk}},\textbf{x}_1),\dots ,{\textsf{Enc}}({\textsf{pk}},\textbf{x}_m)). \end{aligned}$$
  • \({\textsf{Dec}}({\textsf{sk}},\textbf{M},\textbf{c})\):

  • Parse \({\textsf{sk}}= \textbf{s}\).

  • Compute \(\textbf{s}' = \textbf{M} \textbf{s}\)

  • Parse \(\textbf{c} = (c\in {\mathbb {G}},\textbf{e}\in {\mathbb {G}}^n)\).

  • Return \({\textsf{dlog}}_g(\textbf{e} / c^{\textbf{s}'})\).

  • \({\textsf{Eval}}_1({\textsf{pk}},\textbf{C},\textbf{a} \in {\mathbb {Z}}_p^m,\textbf{b} \in {\mathbb {Z}}_p^n)\)

  • Parse \({\textsf{pk}}= \textbf{h}\)

  • Parse \(\textbf{C} = \textbf{c}_1,\dots ,\textbf{c}_m\).

  • For all \(i \in [m]\) parse \(\textbf{c}_i = (c_i,\textbf{e}_i)\).

  • Choose \(r \xleftarrow {\$}{\mathbb {Z}}_p\) uniformly at random.

  • Set \(c = g^r \cdot \prod _{i = 1}^m c_i^{a_i}\)

  • Set \(\textbf{e} = \textbf{h}^r (\prod _{i = 1}^m \textbf{e}_i^{a_i}) \cdot g^{\textbf{b}}\)

  • Return the ciphertext \(\textbf{c} = (c,\textbf{e})\)

  • \({\textsf{Eval}}_2({\textsf{pk}},\textbf{c},\textbf{M} \in {\mathbb {Z}}_p^{m \times n})\)

  • Parse \(\textbf{M} = (m_{ij})\)

  • Parse \(\textbf{c} = (c,\textbf{e})\) and \(\textbf{e} = (e_1,\dots ,e_n)\)

  • For all \(i \in [m]\) compute \(d_i = \prod _{j = 1}^n e_j^{m_{ij}}\)

  • Return the ciphertext \(\textbf{c}' = (c,\textbf{d})\)

For two ciphertexts \(\textbf{c}_1\) and \(\textbf{c}_2\) we overload \({\textsf{Eval}}_1\) and denote by \({\textsf{Eval}}_1({\textsf{pk}},\textbf{c}_1,\textbf{c}_2,-)\) the homomorphic computation of the difference of \(\textbf{c}_1\) and \(\textbf{c}_2\). Homomorphic correctness of this scheme follows routinely. To analyze the rate of this scheme, note that plaintexts \(\textbf{m} \in {\mathbb {Z}}_p^n\) (encoded in the exponent as \(g^{\textbf{m}}\)) consist of n elements of \({\mathbb {Z}}_p\), whereas ciphertexts consist of \(n+1\) group elements, i.e. there is an additive overhead of one group element and the rate of the scheme is \(n/(n+1)\). Thus the rate of the scheme approaches 1 for growing n.
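The following is an added, runnable model of the packed ElGamal scheme above with \({\textsf{Eval}}_1\), \({\textsf{Eval}}_2\) and matrix-assisted \({\textsf{Dec}}\); it is not the paper's code. It assumes a toy group (the order-1019 subgroup of \({\mathbb {Z}}_{2039}^*\)) so that the brute-force discrete logarithm in \({\textsf{Dec}}\) is instant, and it lets message slots be arbitrary \({\mathbb {Z}}_Q\) values rather than bits, since that is what \({\textsf{Eval}}_1\) produces. The check at the end verifies that \({\textsf{Dec}}({\textsf{sk}},\textbf{M},\cdot )\) recovers \(\textbf{M}(\sum _i a_i \textbf{x}_i + \textbf{b})\) from \({\textsf{Eval}}_2({\textsf{Eval}}_1(\cdot ))\), i.e. that the secret-key transformation \(\textbf{s}' = \textbf{M}\textbf{s}\) is what makes cross-slot homomorphisms decryptable.

```python
import secrets

# Assumed toy parameters (not from the paper): safe prime P = 2Q + 1, and the
# order-Q subgroup of Z_P^* generated by G = 4.  Small on purpose so that the
# brute-force dlog in Dec is instant; real deployments use a ~256-bit group.
P, Q, G = 2039, 1019, 4

# dlog table for the toy group: dlog_g(y) for every y in <g>.
_DLOG = {pow(G, x, P): x for x in range(Q)}


def keygen(n):
    """KeyGen(1^lambda, n): sk = s in Z_Q^n, pk = h = g^s slot-wise."""
    s = [secrets.randbelow(Q) for _ in range(n)]
    return [pow(G, si, P) for si in s], s


def enc(pk, m):
    """Enc(pk, m): (g^r, h^r * g^m); one header g^r is shared by all n slots."""
    r = secrets.randbelow(Q)
    c = pow(G, r, P)
    e = [pow(hi, r, P) * pow(G, mi % Q, P) % P for hi, mi in zip(pk, m)]
    return c, e


def eval1(pk, C, a, b):
    """Eval_1(pk, C, a, b): rerandomised encryption of sum_i a_i * x_i + b,
    where C = (Enc(pk, x_1), ..., Enc(pk, x_m)), a in Z_Q^m and b in Z_Q^n."""
    r = secrets.randbelow(Q)
    c = pow(G, r, P)
    for (ci, _), ai in zip(C, a):
        c = c * pow(ci, ai % Q, P) % P
    e = []
    for j, hj in enumerate(pk):
        ej = pow(hj, r, P) * pow(G, b[j] % Q, P) % P
        for (_, ei), ai in zip(C, a):
            ej = ej * pow(ei[j], ai % Q, P) % P
        e.append(ej)
    return c, e


def eval2(ct, M):
    """Eval_2(pk, c, M): mix the n slots by a matrix M in Z_Q^{m x n},
    d_i = prod_j e_j^{M_ij}; the header c is untouched."""
    c, e = ct
    d = []
    for row in M:
        di = 1
        for ej, mij in zip(e, row):
            di = di * pow(ej, mij % Q, P) % P
        d.append(di)
    return c, d


def dec(sk, M, ct):
    """Dec(sk, M, c): s' = M s, then dlog_g(e_i / c^{s'_i}) for each slot.
    Use M = identity for ciphertexts that did not pass through Eval_2."""
    c, e = ct
    s_prime = [sum(mij * sj for mij, sj in zip(row, sk)) % Q for row in M]
    return [_DLOG[ei * pow(pow(c, si, P), -1, P) % P] for ei, si in zip(e, s_prime)]


def identity(n):
    return [[int(i == j) for j in range(n)] for i in range(n)]


def rate(n):
    """n Z_Q-valued slots travel in n + 1 group elements: rate n / (n + 1)."""
    return n / (n + 1)


def homomorphic_check(n=4, k=3):
    """Encrypt k random vectors, apply Eval_1 then Eval_2 with a random 2 x n
    matrix, and compare Dec's output with M (sum_i a_i x_i + b) mod Q.
    Returns (decryption matched, the expected vector)."""
    pk, sk = keygen(n)
    xs = [[secrets.randbelow(Q) for _ in range(n)] for _ in range(k)]
    C = [enc(pk, x) for x in xs]
    a = [secrets.randbelow(Q) for _ in range(k)]
    b = [secrets.randbelow(Q) for _ in range(n)]
    M = [[secrets.randbelow(Q) for _ in range(n)] for _ in range(2)]
    lin = [(sum(ai * x[j] for ai, x in zip(a, xs)) + b[j]) % Q for j in range(n)]
    expected = [sum(mij * lj for mij, lj in zip(row, lin)) % Q for row in M]
    got = dec(sk, M, eval2(eval1(pk, C, a, b), M))
    return got == expected, expected
```

Note that \({\textsf{Eval}}_1\) adds fresh randomness \(g^r\) to the header, so its output is distributed like a fresh encryption of the result and leaks nothing about the coefficients beyond the plaintext; \({\textsf{Eval}}_2\) does not rerandomise, which is why the construction applies \({\textsf{Eval}}_1\) first and \({\textsf{Eval}}_2\) afterwards. The dlog table is the reason this scheme is only used on bit-valued slots in the actual construction: for a cryptographic group size, the compression of the next subsection replaces the dlog entirely.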

Lemma 14

The packed ElGamal encryption scheme as described above is IND-CPA secure, given the DDH problem is hard for group \({\mathbb {G}}\).

Proof

IND-CPA security of the packed ElGamal scheme follows tightly (in n) from the decisional Diffie–Hellman assumption in a routine way: A DDH instance \((g,h,g',h')\) can be rerandomized into a pair of vectors \(\textbf{h}\) and \(\textbf{f}\), such that \(\textbf{h}\) is distributed uniformly in \({\mathbb {G}}^n\) and the following holds for \(\textbf{f}\). If \((g',h') = (g^r, h^r)\) for some r, then \(\textbf{f} = \textbf{h}^r\), whereas if \((g',h')\) is uniformly random in \({\mathbb {G}}^2\), then \(\textbf{f}\) is uniformly random in \({\mathbb {G}}^n\). Given such an instance \((g',\textbf{h},\textbf{f})\), a reduction can set \({\textsf{pk}}= \textbf{h}\) and \(\textbf{c} = (g', \textbf{f} \cdot g^{\textbf{m}})\). If \(\textbf{f} = \textbf{h}^r\), then \(\textbf{c}\) is a correctly distributed ciphertext for the public key \({\textsf{pk}}\) and the message \(\textbf{m}\). On the other hand, if \(\textbf{f}\) is uniformly random, then \(\textbf{c}\) is also uniformly random and independent of \(\textbf{m}\). It follows that an adversary with advantage \(\epsilon \) against the IND-CPA security of packed ElGamal can be used to distinguish DDH with advantage \(\epsilon \). \(\square \)

Before presenting our construction we recall a useful pair of algorithms that allow us to compress ciphertexts for the packed ElGamal encryption scheme.

Lemma 15

([37]) There exists a pair of (expected) PPT algorithms \(({\textsf{Shrink}}\), \({\textsf{ShrinkDec}})\) such that, if \((c, {\textbf{e}}) = {\textsf{Enc}}({\textsf{pk}}, {\textbf{m}})\) is a packed ElGamal ciphertext encrypting a message \({\textbf{m}}\in \{0,1\}^n\), then:

  • \({\textsf{Shrink}}(c, {\textbf{e}}) \rightarrow ({\tilde{c}}, K, b_1, \dots , b_n) \in {\mathbb {G}} \times \{0,1\}^{\lambda + n}\).

  • \(\Pr \left[ {\textsf{ShrinkDec}}({\textsf{sk}}, {\textsf{Shrink}}(c, {\textbf{e}}) ) = {\textbf{m}}\right] =1\).

Sketch

Let T be a polynomial in the security parameter and let \({\textsf{PRF}}:\{0,1\}^\lambda \times {\mathbb {G}}\rightarrow \{0,1\}^\tau \), where \(\tau \approx \log (\lambda )\), be a pseudorandom function. On input a ciphertext \((c,({\textbf{e}}_{1},\dots , {\textbf{e}}_{n}))\), the compression algorithm \({\textsf{Shrink}}\) samples the key K for the PRF until the following two conditions are simultaneously satisfied: For all \(i\in [n]\) it holds that

  1. (1)

    \({\textsf{PRF}}(K,{\textbf{e}}_{i}/g)\ne 0\).

  2. (2)

    There exists a \(\delta _i \in [T-1]\) such that \({\textsf{PRF}}(K,{\textbf{e}}_{i}\cdot g^{\delta _i})= 0\).

The compressed ciphertext consists of \((c,K, \delta _1\mod 2,\dots , \delta _n\mod 2)\) where \(\delta _i\) is the smallest integer that satisfies condition (2).

The compressed decryption algorithm \({\textsf{ShrinkDec}}\) finds, for every \(i\in [n]\), the smallest \(\gamma _i\) such that \({\textsf{PRF}}(K,c^{{\textbf{s}}_i}\cdot g^{\gamma _i})=0\) by exhaustive search, where \({\textsf{sk}}=({\textbf{s}}_1, \dots , {\textbf{s}}_n)\). Finally it outputs \(M_i=(\delta _i \bmod 2) \oplus {\textsf{LSB}}(\gamma _i)\), where \({\textsf{LSB}}\) denotes the least significant bit of an integer. Note that the scheme is correct with probability 1, since condition (1) ensures that there is no ambiguity in the decoding of the bit \(M_i\). By setting the parameters appropriately, we can guarantee that K can always be found in polynomial time, except with negligible probability. \(\square \)
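An added, runnable version of the sketch above (not code from [37] or from the paper). It assumes the same toy group as before, instantiates the PRF as HMAC-SHA256 truncated to \(\tau \) bits, sets the search window T to \(4\cdot 2^\tau \), and constructs its own packed ElGamal ciphertext inline. One detail the sketch leaves implicit is made explicit here: the sender's offset \(\delta _i\) is searched from 0, because for a slot with \(m_i = 0\) the receiver's search starts at exactly \(c^{s_i} = e_i\), and excluding \(\delta _i = 0\) would let the receiver stop one step before the sender's zero. Condition (1) handles the other case, \(m_i = 1\), where the receiver starts one step earlier than the sender.

```python
import hashlib
import hmac
import secrets

# Assumed toy group (not from the paper): order-Q subgroup of Z_P^*, generator G.
P, Q, G = 2039, 1019, 4
TAU = 4                 # PRF output bits; the sketch takes tau ~ log(lambda)
T = 4 * 2 ** TAU        # search window for delta_i; a polynomial in the sketch
_G_INV = pow(G, -1, P)


def prf(key, elem):
    """PRF: {0,1}^lambda x G -> {0,1}^tau, instantiated here (an assumption)
    as HMAC-SHA256 of the group element, truncated to TAU bits."""
    mac = hmac.new(key, elem.to_bytes(2, "big"), hashlib.sha256).digest()
    return int.from_bytes(mac[:2], "big") & ((1 << TAU) - 1)


def shrink(c, e, lam=16):
    """Shrink(c, e): resample K until, for every slot i, (1) PRF(K, e_i/g) != 0
    and (2) some delta_i in {0, ..., T-1} gives PRF(K, e_i * g^delta_i) = 0.
    Output (c, K, delta_i mod 2).  delta_i = 0 must be allowed: a slot with
    m_i = 0 starts the receiver's search at exactly e_i."""
    while True:
        K = secrets.token_bytes(lam)
        bits = []
        for ei in e:
            if prf(K, ei * _G_INV % P) == 0:             # condition (1) fails
                break
            delta = next((d for d in range(T) if prf(K, ei * pow(G, d, P) % P) == 0), None)
            if delta is None:                            # condition (2) fails
                break
            bits.append(delta & 1)
        else:
            return c, K, bits


def shrink_dec(sk, compressed):
    """ShrinkDec(sk, (c, K, bits)): for each slot find the smallest gamma_i with
    PRF(K, c^{s_i} * g^{gamma_i}) = 0 and output (delta_i mod 2) xor LSB(gamma_i)."""
    c, K, bits = compressed
    out = []
    for si, bi in zip(sk, bits):
        base = pow(c, si, P)
        gamma = 0
        while prf(K, base * pow(G, gamma, P) % P) != 0:
            gamma += 1
        out.append(bi ^ (gamma & 1))
    return out


def encrypt_bits(sk, m):
    """Constructed packed-ElGamal ciphertext of m in {0,1}^n under pk = g^sk:
    c = g^r, e_i = c^{s_i} * g^{m_i}."""
    r = secrets.randbelow(Q)
    c = pow(G, r, P)
    return c, [pow(G, (r * si + mi) % Q, P) for si, mi in zip(sk, m)]


def roundtrip(m):
    """Encrypt, compress, decompress; return (correct, number of payload bits)."""
    sk = [secrets.randbelow(Q) for _ in m]
    c, e = encrypt_bits(sk, m)
    compressed = shrink(c, e)
    return shrink_dec(sk, compressed) == list(m), len(compressed[2])
```

With these parameters each slot satisfies both conditions with probability roughly \((1-2^{-\tau })(1-(1-2^{-\tau })^{T})\), so the key search succeeds after a small number of trials for a handful of slots; for large n the window T has to grow so that the per-slot failure probability stays around \(1/n\), which is the parameter choice the sketch alludes to. The payload shrinks from n group elements to n bits plus one key, which is what gives the OT its rate.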

We can straightforwardly modify the algorithm \({\textsf{ShrinkDec}}\) in the same way as we have modified the \({\textsf{Dec}}\) algorithm above to support decryption of ciphertexts produced by \({\textsf{Eval}}_2\). Specifically, we modify it such that it takes as an additional input a matrix \(\textbf{M}\) and transforms the secret key \({\textsf{sk}}\) before decrypting its input ciphertext.

8.6 Construction

We will now provide our construction of rate-1 SSP OT from the packed ElGamal scheme and an additional receiver-secure rate-1 OT. Specifically, let \(({\textsf{OT}}_1, {\textsf{OT}}_2, {\textsf{OT}}_3)\) be a receiver-secure rate-1 OT protocol. We will also use the packed ElGamal encryption scheme with ciphertext compression discussed above. Finally, let \({\textsf{AR}}= ({\textsf{AR}}.{\textsf{Encode}},{\textsf{AR}}.{\textsf{Eval}},{\textsf{AR}}.{\textsf{Decode}})\) be an AR-code with linear decoding, i.e. decoding of a codeword \(\textbf{y}\) proceeds by computing \(\textbf{R}_s \textbf{y}\) for a matrix \(\textbf{R}_s \in {\mathbb {Z}}_p^{2n \times m}\) specified by a seed s.

Our OT protocol \(({\textsf{OT}}_1^*, {\textsf{OT}}_2^*, {\textsf{OT}}_3^*)\) is given as follows. In the following we assume that the seed s is available to the receiver after the first message \(ot^*_1\) has been sent. Note that since the seed can be reused in an arbitrary number of parallel executions of the protocol, its size can be amortized and does therefore not affect the asymptotic rate of the protocol.

  • \({\textsf{OT}}_1^*(1^\lambda , b)\):

      • Compute \((ot_1, st_{\textsf{OT}}) \leftarrow {\textsf{OT}}_1(1^\lambda , b)\).

      • Compute \(({\textsf{pk}},{\textsf{sk}}) \leftarrow {\textsf{KeyGen}}(1^\lambda ,m)\).

      • Set \(\textbf{A} = b \cdot \textbf{I} \in {\mathbb {Z}}_p^{m \times m}\).

      • Compute \(\textbf{C} = {\textsf{Enc}}({\textsf{pk}},\textbf{A})\).

      • Return \(ot^*_1 = (ot_1, {\textsf{pk}},\textbf{C})\) as the first message and set \(st = (st_{\textsf{OT}}, {\textsf{sk}})\) to be the secret state.

  • \({\textsf{OT}}_2^*(ot^*_1,({\textbf{m}}_0, {\textbf{m}}_1))\):

      • Parse \(ot^*_1 = (ot_1, {\textsf{pk}},\textbf{C})\).

      • Parse \({\textbf{m}}_0\in \{0,1\}^n\) and \({\textbf{m}}_1\in \{0,1\}^n\).

      • Sample two uniform vectors \({\textbf{r}}_0 \xleftarrow {\$}{\mathbb {Z}}_p^n\) and \({\textbf{r}}_1 \xleftarrow {\$}{\mathbb {Z}}_p^n\).

      • Compute \(\textbf{x}_1 = \left( \begin{array}{c} {\textbf{m}}_1 - {\textbf{m}}_0 + {\textbf{r}}_0 \\ {\textbf{m}}_1 - {\textbf{m}}_0 + {\textbf{r}}_1 \end{array}\right) \in {\mathbb {Z}}_p^{2n}\) and \(\textbf{x}_2 = \left( \begin{array}{c} {\textbf{m}}_0 \\ {\textbf{m}}_0 - {\textbf{r}}_1 \end{array}\right) \in {\mathbb {Z}}_p^{2n}\).

      • Compute \((\hat{\textbf{x}}_1,\hat{\textbf{x}}_2) \leftarrow {\textsf{AR}}.{\textsf{Encode}}(s,\textbf{x}_1,\textbf{x}_2)\).

      • Compute \(\textbf{c} = {\textsf{Eval}}_1({\textsf{pk}},\textbf{C},\hat{\textbf{x}}_1,\hat{\textbf{x}}_2)\).

      • Compute \(\textbf{c}^*= {\textsf{Eval}}_2({\textsf{pk}},\textbf{c},\textbf{R}_s)\).

      • Compute \(\tilde{\textbf{c}} = {\textsf{Shrink}}({\textsf{pk}},\textbf{c}^*)\).

      • Parse \(\tilde{\textbf{c}}\) as \(\tilde{\textbf{c}} = ({\tilde{c}},\tilde{\textbf{c}}_0,\tilde{\textbf{c}}_1)\).

      • Compute \(ot_2 \leftarrow {\textsf{OT}}_2(ot_1, (\tilde{\textbf{c}}_0, \tilde{\textbf{c}}_1 ))\).

      • Output \(ot^*_2 = ({\tilde{c}},ot_2)\).

  • \({\textsf{OT}}_3^*(ot^*_2,st)\):

      • Parse st as \((st_{\textsf{OT}},{\textsf{sk}})\) and \(ot^*_2\) as \(({\tilde{c}},ot_2)\).

      • Compute \(\tilde{\textbf{c}}' = {\textsf{OT}}_3(ot_2, st_{\textsf{OT}})\).

      • Return \({\textsf{ShrinkDec}}({\textsf{sk}},\textbf{R}_s,({\tilde{c}},\tilde{\textbf{c}}'))\).

Correctness follows routinely from the correctness of the underlying primitives. First observe that, by the homomorphic correctness of \({\textsf{Eval}}_1\) and \({\textsf{Eval}}_2\), in each of the two branches \(\textbf{c}^*\) encrypts

$$\begin{aligned} \textbf{R}_s (b \cdot \hat{\textbf{x}}_1 + \hat{\textbf{x}}_2)&= {\textsf{AR}}.{\textsf{Decode}}(s,{\textsf{AR}}.{\textsf{Eval}}(b,{\textsf{AR}}.{\textsf{Encode}}(s,\textbf{x}_1,\textbf{x}_2)))\\&= b \textbf{x}_1 + \textbf{x}_2. \end{aligned}$$

Now observe that \(\tilde{\textbf{c}}' = \tilde{\textbf{c}}_b\) by the correctness of the underlying OT, so that, reading off the block of n entries of the decrypted vector \(b \textbf{x}_1 + \textbf{x}_2\) that corresponds to the choice bit (the first block for \(b = 0\), the second for \(b = 1\)),

$$\begin{aligned} {\textsf{ShrinkDec}}({\textsf{sk}},\textbf{R}_s,({\tilde{c}},\tilde{\textbf{c}}'))&= {\textsf{ShrinkDec}}({\textsf{sk}}, \textbf{R}_s,({\tilde{c}},\tilde{\textbf{c}}_b)) \\&= {\left\{ \begin{array}{ll} ({\textbf{m}}_1 - {\textbf{m}}_0 + {\textbf{r}}_0)\cdot 0 + {\textbf{m}}_0 = {\textbf{m}}_0 &{}\text{ if } b=0\\ ({\textbf{m}}_1 - {\textbf{m}}_0 + {\textbf{r}}_1)\cdot 1 + {\textbf{m}}_0 -{\textbf{r}}_1 = {\textbf{m}}_1 &{}\text{ if } b=1 \end{array}\right. } \end{aligned}$$

The remaining block, \({\textbf{m}}_0 - {\textbf{r}}_1\) for \(b = 0\) and \({\textbf{m}}_1 + {\textbf{r}}_0\) for \(b = 1\), is masked by a uniform vector and is discarded by the receiver.

We proceed by showing the computational receiver privacy of the resulting OT protocol.

Theorem 6

(Receiver Privacy) The scheme as described above is computationally receiver private, given that \(({\textsf{OT}}_1, {\textsf{OT}}_2, {\textsf{OT}}_3)\) is a computationally receiver private OT and that the packed ElGamal scheme is IND-CPA secure.

Proof

The proof consists in observing that the following distributions

$$\begin{aligned} ({\textsf{OT}}_1(1^\lambda , 0), {\textsf{Enc}}({\textsf{pk}}, 0 \cdot \textbf{I})) \approx ({\textsf{OT}}_1(1^\lambda , 1), {\textsf{Enc}}({\textsf{pk}}, 0 \cdot \textbf{I}))\\ \approx ({\textsf{OT}}_1(1^\lambda , 1), {\textsf{Enc}}({\textsf{pk}}, 1 \cdot \textbf{I})) \end{aligned}$$

are computationally indistinguishable: the first step by the receiver privacy of the underlying OT, and the second by the IND-CPA security of the packed ElGamal scheme (note that \({\textsf{pk}}\) is generated independently of \(ot_1\)). \(\square \)

8.6.1 Instantiating the AR Code

Finally, we show that our scheme satisfies statistical sender privacy. In the certified group setting, we can directly rely on the AR codes constructed in Sect. 6. In the uncertified group setting, we routinely obtain the required codes by concatenating the AR codes of Sect. 7 over an extension field of \({\mathbb {Z}}_p\) with the AR codes of Sect. 6 via Lemma 7.

Theorem 7

(Sender Privacy) The scheme as described above is statistically sender private, given that the AR code \({\textsf{AR}}\) restricts functions of the form \(h(\hat{\textbf{x}}_1,\hat{\textbf{x}}_2) = {\textsf{Eval}}_1({\textsf{pk}},\textbf{C},\hat{\textbf{x}}_1,\hat{\textbf{x}}_2)\) (for maliciously chosen \({\textsf{pk}}\), \(\textbf{C}\)) to linear functions of the form \(f(\hat{\textbf{x}}_1,\hat{\textbf{x}}_2) = a \hat{\textbf{x}}_1+\hat{\textbf{x}}_2\) or \(f(\hat{\textbf{x}}_1,\hat{\textbf{x}}_2) = \hat{\textbf{x}}_1\).

Proof

We will first provide the description of the (unbounded) simulator \({\textsf{Sim}}\). \({\textsf{Sim}}\) uses the extractor \({\mathcal {E}}\) and the simulator \({\mathcal {S}}\) of the AR code \({\textsf{AR}}\) as a subroutine. Now fix a maliciously chosen receiver message \(ot^*_1 = (ot_1,{\textsf{pk}},\textbf{C})\). On input \(ot^*_1\), \({\textsf{Sim}}\) proceeds as follows. It first defines a function \(h(\hat{\textbf{x}}_1,\hat{\textbf{x}}_2) = {\textsf{Eval}}_1({\textsf{pk}},\textbf{C},\hat{\textbf{x}}_1,\hat{\textbf{x}}_2)\) and runs the extractor \({\mathcal {E}}\) on input h, which outputs a function f and auxiliary information \({\textsf{aux}}\). The simulator now distinguishes the following two cases.

  1. The function f is of the form \(f(\hat{\textbf{x}}_1,\hat{\textbf{x}}_2) = \hat{\textbf{x}}_1\).

  2. The function f is of the form \(f(\hat{\textbf{x}}_1,\hat{\textbf{x}}_2) = a \cdot \hat{\textbf{x}}_1 + \hat{\textbf{x}}_2\) for an \(a \in {\mathbb {Z}}_p\).

In the first case, the simulator computes \(\textbf{c} = {\mathcal {S}}({\textsf{aux}},\textbf{r})\) for a uniformly sampled \(\textbf{r} \xleftarrow {\$}{\mathbb {Z}}_p^{2n}\), without querying the OT oracle. In the second case \({\textsf{Sim}}\) proceeds as follows, where we distinguish three sub-cases depending on the value of \(a \in {\mathbb {Z}}_p\).

  • \(a = 0\): In this case, the simulator queries the OT oracle on 0 to receive \(\textbf{m}_0\), and then computes \(\textbf{c} = {\mathcal {S}}\left( {\textsf{aux}},\left( \begin{array}{c} \textbf{m}_0 \\ \textbf{r}'_1\end{array} \right) \right) \) for a uniformly random \(\textbf{r}'_1\).

  • \(a = 1\): This case is similar as the previous one, except that the bit is flipped. More precisely, the simulator queries the OT oracle on 1 and receives \(\textbf{m}_1\), then computes \(\textbf{c} = {\mathcal {S}}\left( {\textsf{aux}},\left( \begin{array}{c} \textbf{r}'_0 \\ \textbf{m}_1 \end{array} \right) \right) \) for a uniformly random \(\textbf{r}'_0\).

  • \(a \notin \{0,1\}\): \(\textbf{c} = {\mathcal {S}}({\textsf{aux}},\textbf{r})\) is computed for a uniformly sampled \(\textbf{r} \xleftarrow {\$}{\mathbb {Z}}_p^{2n}\), again without querying the OT oracle.

The remainder of the algorithm proceeds exactly as in the definition of \({\textsf{OT}}_2^*\). Note that in any of the above cases, the simulator queries the OT oracle at most once. Thus, all we need to argue is that the distribution of the simulated \(\textbf{c}\) is statistically close to the real one.

Our analysis distinguishes the same cases as \({\textsf{Sim}}\), i.e. whether the extracted f is of the form \(f(\hat{\textbf{x}}_1,\hat{\textbf{x}}_2) = \hat{\textbf{x}}_1\) or \(f(\hat{\textbf{x}}_1,\hat{\textbf{x}}_2) = a \cdot \hat{\textbf{x}}_1 + \hat{\textbf{x}}_2\).

  1. In the first case, when f is of the form \(f(\hat{\textbf{x}}_1,\hat{\textbf{x}}_2) = \hat{\textbf{x}}_1\), observe that \(\textbf{x}_1 = \left( \begin{array}{c} \textbf{m}_1 - \textbf{m}_0 + \textbf{r}_0 \\ \textbf{m}_1 - \textbf{m}_0 + \textbf{r}_1 \end{array}\right) =: \textbf{r}\) is uniformly random and independent of \(\textbf{m}_0,\textbf{m}_1\), as \(\textbf{r}_0\) and \(\textbf{r}_1\) are uniformly random and independent of the messages. Consequently, it holds by the security of \({\textsf{AR}}\) that

    $$\begin{aligned} (s,\textbf{c})&= (s,h(\hat{\textbf{x}}_1,\hat{\textbf{x}}_2))\\&\approx (s,{\mathcal {S}}({\textsf{aux}},f(\textbf{x}_1,\textbf{x}_2)))\\&\equiv (s,{\mathcal {S}}({\textsf{aux}},\textbf{x}_1))\\&= (s,{\mathcal {S}}({\textsf{aux}},\textbf{r})), \end{aligned}$$

    Since the remaining components of \(ot^*_2\) are computed from s, \(\textbf{c}\) and the receiver message \(ot^*_1\) alone (via \({\textsf{Eval}}_2\), \({\textsf{Shrink}}\) and \({\textsf{OT}}_2\)), we conclude that \({\textsf{Sim}}\) faithfully simulates the sender message \(ot^*_2\).

  2. We now turn to the second case, where f is of the form \(f(\hat{\textbf{x}}_1,\hat{\textbf{x}}_2) = a \cdot \hat{\textbf{x}}_1 + \hat{\textbf{x}}_2\). In the first two sub-cases we have \(a \in \{0,1\}\). To see why the output of the simulator is correctly distributed in these sub-cases, first observe that for \(a \in \{0,1\}\) it holds that

    $$\begin{aligned} f(\textbf{x}_1,\textbf{x}_2)&= a \cdot \left( \begin{array}{c} \textbf{m}_1 - \textbf{m}_0 + \textbf{r}_0 \\ \textbf{m}_1 - \textbf{m}_0 + \textbf{r}_1 \end{array} \right) + \left( \begin{array}{c} \textbf{m}_0 \\ \textbf{m}_0 - \textbf{r}_1 \end{array}\right) \\ {}&= {\left\{ \begin{array}{ll} \left( \begin{array}{c} \textbf{m}_0 \\ \textbf{m}_0 - \textbf{r}_1 \end{array}\right) &{} \text {if } a = 0 \\ &{} \\ \left( \begin{array}{c} \textbf{m}_1 + \textbf{r}_0 \\ \textbf{m}_1 \end{array}\right)&\text {if } a = 1 \end{array}\right. } \end{aligned}$$

    Note that if \(a = 0\), then \(\textbf{r}'_1 = \textbf{m}_0 - \textbf{r}_1\) is uniformly distributed and independent of \(\textbf{m}_0\), since \(\textbf{r}_1\) is. Likewise, if \(a = 1\) then \(\textbf{r}'_0 = \textbf{m}_1 + \textbf{r}_0\) is uniformly distributed and independent of \(\textbf{m}_1\). Consequently, the value \(\textbf{c}\) computed by \({\textsf{Sim}}\) has the correct distribution, as it holds by the security of \({\textsf{AR}}\) that

    $$\begin{aligned} (s,\textbf{c})&= (s,h(\hat{\textbf{x}}_1,\hat{\textbf{x}}_2))\\&\approx (s,{\mathcal {S}}({\textsf{aux}},f(\textbf{x}_1,\textbf{x}_2))). \end{aligned}$$

    For the last sub-case (\(a \notin \{0,1\}\)) note that

    $$\begin{aligned} f(\textbf{x}_1,\textbf{x}_2)&= a \cdot \left( \begin{array}{c} \textbf{m}_1 - \textbf{m}_0 + \textbf{r}_0 \\ \textbf{m}_1 - \textbf{m}_0 + \textbf{r}_1 \end{array} \right) + \left( \begin{array}{c} \textbf{m}_0 \\ \textbf{m}_0 - \textbf{r}_1 \end{array}\right) \\&= \left( \begin{array}{c} a \textbf{m}_1 + (1 - a) \textbf{m}_0 \\ a \textbf{m}_1 + (1 - a) \textbf{m}_0 \end{array} \right) + \left( \begin{array}{c} a \cdot \textbf{r}_0 \\ (a-1) \cdot \textbf{r}_1 \end{array}\right) . \end{aligned}$$

    Note that since \(a \notin \{0,1\}\), both a and \(a - 1\) are non-zero in \({\mathbb {Z}}_p\), so the term \(\textbf{r} = \left( \begin{array}{c} a \cdot \textbf{r}_0 \\ (a-1) \cdot \textbf{r}_1 \end{array}\right) \) is uniformly distributed and independent of \(\textbf{m}_0,\textbf{m}_1\). Consequently, it holds by the security of \({\textsf{AR}}\) that

    $$\begin{aligned} (s,\textbf{c})&= (s,h(\hat{\textbf{x}}_1,\hat{\textbf{x}}_2))\\&\approx (s,{\mathcal {S}}({\textsf{aux}},f(\textbf{x}_1,\textbf{x}_2)))\\&= (s,{\mathcal {S}}({\textsf{aux}},\textbf{r})). \end{aligned}$$

    As above, we conclude that \({\textsf{Sim}}\) faithfully simulates the sender message \(ot^*_2\). This concludes the proof.

\(\square \)
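The sender-side arithmetic of \({\textsf{OT}}_2^*\) (the correctness computation above) and the case analysis of \({\textsf{Sim}}\) in the proof of Theorem 7, as an added worked example in Python; this is not code from the paper. It strips away the packed ElGamal layer, the AR encoding and the ciphertext compression and keeps only the \({\mathbb {Z}}_p\) vectors: \(\textbf{x}_1, \textbf{x}_2\) as built by the sender, the value \(a \textbf{x}_1 + \textbf{x}_2\) that a receiver ends up with once the AR code has restricted it to a linear function, and the simulator's three sub-cases. The modulus P and the block length N are toy parameters chosen for the example only; simulate returns, besides the simulated plaintext of \(\textbf{c}\), how many times it queried the OT oracle.

```python
# Added example: the Z_p arithmetic of OT_2^* and of Sim (Theorem 7), with
# packed ElGamal, AR encoding and Shrink left out.  P and N are toy parameters
# chosen for this example, not the paper's p and n.
import secrets

P = (1 << 127) - 1   # toy prime modulus
N = 4                # block length n: messages are vectors of n bits, embedded in Z_p


def vec_add(u, v):
    return [(a + b) % P for a, b in zip(u, v)]


def vec_sub(u, v):
    return [(a - b) % P for a, b in zip(u, v)]


def vec_scale(a, v):
    return [(a * x) % P for x in v]


def rand_vec(n):
    return [secrets.randbelow(P) for _ in range(n)]


def sender_encode(m0, m1, r0=None, r1=None):
    """OT_2^*: build x_1 = (m1-m0+r0 ; m1-m0+r1) and x_2 = (m0 ; m0-r1) in Z_p^{2n}.
    r0, r1 may be fixed to make the algebra reproducible; by default they are uniform."""
    r0 = rand_vec(N) if r0 is None else list(r0)
    r1 = rand_vec(N) if r1 is None else list(r1)
    d = vec_sub(m1, m0)
    x1 = vec_add(d, r0) + vec_add(d, r1)
    x2 = list(m0) + vec_sub(m0, r1)
    return x1, x2


def linear_eval(a, x1, x2):
    """The only functions the AR code lets the receiver apply (besides x_1 alone):
    a*x_1 + x_2.  An honest receiver has a = b, its choice bit."""
    return vec_add(vec_scale(a, x1), x2)


def receiver_decode(b, y):
    """OT_3^* after ShrinkDec: read the n-entry block selected by the choice bit."""
    return y[b * N:(b + 1) * N]


def masked_form(a, m0, m1, r0, r1):
    """Decomposition used for a outside {0,1}:
    (a*m1 + (1-a)*m0, repeated in both blocks) + (a*r0 ; (a-1)*r1)."""
    base = [(a * u + (1 - a) * v) % P for u, v in zip(m1, m0)]
    mask = vec_scale(a, r0) + vec_scale(a - 1, r1)
    return vec_add(base + base, mask)


def simulate(a, oracle):
    """Sim's sub-cases for an extracted f(x_1,x_2) = a*x_1 + x_2.  Returns the
    simulated plaintext of c and the number of OT-oracle queries made.  The case
    f(x_1,x_2) = x_1 is handled exactly like a outside {0,1}: a uniform vector."""
    if a == 0:
        return list(oracle(0)) + rand_vec(N), 1
    if a == 1:
        return rand_vec(N) + list(oracle(1)), 1
    return rand_vec(2 * N), 0
```

The identity checked by masked_form is the one the last sub-case of the proof relies on: for \(a \notin \{0,1\}\) both scalars a and \(a-1\) are invertible, so the mask \((a \textbf{r}_0 ; (a-1) \textbf{r}_1)\) is uniform and hides \(a \textbf{m}_1 + (1-a) \textbf{m}_0\) completely, which is why the simulator can output a uniform vector without any oracle query in that case.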

8.6.2 Rate-1

Finally we argue that the scheme achieves rate 1. In the calculation we only consider, without loss of generality, the size of the OT second message (i.e. the download rate), since the size of the first message can always be amortized to increase the rate arbitrarily [27]. By Lemma 15, for \(b\in \{0,1\}\) it holds that \(\vert {\textsf{Shrink}}({\textsf{pk}},\textbf{c})\vert = \log (\vert {\mathbb {G}}\vert ) + \lambda + n = 2\lambda + n\) (for \(\log (\vert {\mathbb {G}}\vert ) = \lambda \)), so the ratio \(n/(2\lambda + n)\) approaches 1 as n grows. Since the underlying OT scheme has rate 1, the size of \(ot_2\), and hence of \(ot^*_2\), is asymptotically n.

9 Applications of Rate-1 SSP OT

In this section we show that our rate-1 SSP OT allows us to build PIR with server’s statistical security and asymptotically-optimal communication. More generally, by plugging in our rate-1 SSP OT into the construction of [24], we obtain homomorphic encryption for branching programs, with (a) statistical branching-program privacy and (b) semi-compactness: the size of a homomorphically-evaluated ciphertext grows only with the depth, and not the size, of the branching program. For brevity, we will present and analyze the protocol for PIR, and the analysis for branching programs will be similar, referring the reader to [24].

Recall that PIR allows a client with an index \(i \in [K]\) to retrieve the ith element in a database \((m_1, \dots , m_K)\), held by a server. The PIR protocol is given as \(({\textsf{PIR}}_1, {\textsf{PIR}}_2, {\textsf{PIR}}_3)\), where \({\textsf{PIR}}_1\) and \({\textsf{PIR}}_3\) correspond to the two phases of the client, and \({\textsf{PIR}}_2\) is run by the server. We require computational client privacy: for any two indices \(i_1\) and \(i_2\): \({\textsf{pir}}_1 \approx {\textsf{pir}}_2\), where \(({\textsf{pir}}_1, *) \mathop {\longleftarrow }\limits ^{\textrm{pick}}{\textsf{PIR}}_1(1^\lambda , i_1)\) and \(({\textsf{pir}}_2, *) \mathop {\longleftarrow }\limits ^{\textrm{pick}}{\textsf{PIR}}_1(1^\lambda , i_2)\). We require statistical security for the server: there exists a (computationally-unbounded) simulation algorithm \({\textsf {PSim}}\) such that for any \({\textsf{pir}}_1\) and any \({\textbf{m}} = (m_1, \dots , m_K)\), the distribution of \(({\textsf{pir}}_1, {\textsf{PIR}}_2({\textsf{pir}}_1, {\textbf{m}}))\) is statistically indistinguishable from \(({\textsf{pir}}_1, {\textsf {PSim}}^{{{\textsf{O}}}}({\textsf{pir}}_1))\), where \({\textsf {PSim}}\) has one-time access to an oracle \({{\textsf{O}}}\), which on an input index i returns \(m_i\).

In the following we let \(K = 2^k\). The following construction is from [24].

  • \({\textsf{PIR}}_1(1^\lambda , s \in [2^k])\): Parse \(s = s_1 \dots s_k\). Return \({\textsf{pir}}_1:= ({\textsf{otr}}_1, \dots , {\textsf{otr}}_k)\) and \({\textsf{st}}:= ({\textsf{stt}}_1, \dots , {\textsf{stt}}_k)\), where for \(i \in [k]\): \(({\textsf{otr}}_i, {\textsf{stt}}_i) \mathop {\longleftarrow }\limits ^{\textrm{pick}}{\textsf{OT}}_1(1^\lambda , s_i)\).

  • \({\textsf{PIR}}_2 ({\textsf{pir}}_1, (m_1, \dots , m_K))\): Parse \({\textsf{pir}}_1:= ({\textsf{otr}}_1, \dots , {\textsf{otr}}_k)\). For \(i \in [2^k]\), set \({\textsf{ots}}_i^{(0)}:= m_i\). For \(w \in \{1, \dots , k \}\):

    1. For \(i \in [2^{k-w}]\), let \({\textsf{ots}}^{(w)}_i \mathop {\longleftarrow }\limits ^{\textrm{pick}}{\textsf{OT}}_2\left( {\textsf{otr}}_w, \left( {\textsf{ots}}_{2i-1}^{(w-1)}, {\textsf{ots}}_{2i}^{(w-1)}\right) \right) \).

    Return \({\textsf{ots}}^{(k)}_1\).

  • \({\textsf{PIR}}_3({\textsf{st}}, {\textsf{pir}}_2)\): Parse \({\textsf{st}}:= ({\textsf{stt}}_1, \dots , {\textsf{stt}}_k)\) and \({\textsf{pir}}_2:= {\textsf{ots}}^{(0)}\). For \(i \in [k]\) let \({\textsf{ots}}^{(i)}:= {\textsf{OT}}_3({\textsf{ots}}^{(i-1)}, {\textsf{stt}}_{k-i+1})\), i.e. the outermost layer, which the server created with \({\textsf{otr}}_k\), is removed first. Return \({\textsf{ots}}^{(k)}\).

Correctness and client’s security follow immediately. To establish statistical server’s security we define the following computationally-unbounded simulation algorithm \({\textsf {PSim}}\), built based on the OT’s simulation algorithm \({\textsf {OSim}}\).

  • \({\textsf {PSim}}^O({\textsf{otr}}_1, \dots , {\textsf{otr}}_k)\): For \(i \in [k]\) extract a bit \(b_i\) from \({\textsf{otr}}_i\) using the OT’s simulation algorithm \({\textsf {OSim}}\) (by observing the bit query that \({\textsf {OSim}}({\textsf{otr}}_i)\) makes). Let \(s = b_k \cdots b_1 \), and query O(s) to get m. Let \({\textsf{ots}}^{(0)}_s = m\), and for all \(i \in [K] {\setminus } \{s\}\), set \({\textsf{ots}}^{(0)}_i\) to an arbitrary value. Continue the procedure of \({\textsf{PIR}}_2\) described above based on these values.

The proof of statistical security for \({\textsf {PSim}}\) follows from that of \({\textsf {OSim}}\) using an inductive argument. We omit the details.
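The OT tree of \({\textsf{PIR}}_1\), \({\textsf{PIR}}_2\), \({\textsf{PIR}}_3\) and the single-query simulator \({\textsf {PSim}}\), as an added example in Python; this is neither the paper's nor [24]'s code. The 1-out-of-2 OT it is built on is a placeholder with no security whatsoever (the choice bit travels in the clear, so OSim's extraction is trivial), and each call adds a fixed TAG-byte overhead that stands in for the additive \({\textsf {poly}}(\lambda )\) overhead of a rate-1 OT. What the example checks is the structure the security and rate arguments rely on: \(s_1\) is the least significant bit of the index, the client peels the k nested layers with \({\textsf{stt}}_k\) first, the server's message has size \(r + k \cdot {\textsf{TAG}}\), and \({\textsf {PSim}}\) produces a valid server message after exactly one oracle query. Indices are 0-based here, so level w folds the pairs \((2i, 2i+1)\) instead of \((2i-1, 2i)\).

```python
# Added example: the log K-level OT tree of PIR_1/PIR_2/PIR_3 and PSim over a
# pluggable 1-out-of-2 OT.  The OT below is an INSECURE placeholder (the choice
# bit is sent in the clear); only the tree logic and the simulator are the point.
import os

TAG = 8  # bytes of per-call overhead of the placeholder OT (stands in for poly(lambda))


# ---- placeholder OT: models the (OT_1, OT_2, OT_3) interface, provides no privacy ----
def ot1(b):
    """OT_1(1^lambda, b) -> (ot_1, st).  Here ot_1 is just b itself."""
    return b, b


def ot2(ot_1, m0, m1):
    """OT_2(ot_1, (m0, m1)) -> ot_2 with |ot_2| = |m_b| + TAG (rate 1 up to an additive term)."""
    return os.urandom(TAG) + (m0, m1)[ot_1]


def ot3(ot_2, st):
    """OT_3(ot_2, st) -> m_b."""
    return ot_2[TAG:]


def osim_choice(ot_1):
    """The bit that OSim(ot_1) would query its oracle on; trivial for the placeholder."""
    return ot_1


# ---- PIR from the OT tree; index s is 0-based and s_1 is its least significant bit ----
def pir1(s, k):
    """PIR_1(1^lambda, s): one OT receiver message per bit of s."""
    bits = [(s >> i) & 1 for i in range(k)]
    otrs, states = [], []
    for b in bits:
        otr, stt = ot1(b)
        otrs.append(otr)
        states.append(stt)
    return otrs, states


def pir2(otrs, database):
    """PIR_2(pir_1, (m_1..m_K)): level w folds the pairs (2i, 2i+1) with otr_w."""
    k = len(otrs)
    if len(database) != 1 << k:
        raise ValueError("database size must be 2^k")
    level = list(database)
    for otr in otrs:
        level = [ot2(otr, level[2 * i], level[2 * i + 1]) for i in range(len(level) // 2)]
    return level[0]


def pir3(states, pir_2):
    """PIR_3(st, pir_2): undo the k layers, outermost (stt_k) first."""
    ots = pir_2
    for stt in reversed(states):
        ots = ot3(ots, stt)
    return ots


def psim(otrs, oracle):
    """PSim^O(otr_1..otr_k): extract s, query O(s) once, fill the other K-1 slots
    with dummies of the same length, then run PIR_2.  Returns (pir_2, #queries)."""
    s = sum(osim_choice(otr) << i for i, otr in enumerate(otrs))
    m = oracle(s)
    dummy = bytes(len(m))  # arbitrary filler; with a real OT it is hidden, here it is dropped
    fake_db = [m if i == s else dummy for i in range(1 << len(otrs))]
    return pir2(otrs, fake_db), 1
```

With a real rate-1 SSP OT plugged in for ot1/ot2/ot3 and its extractor for osim_choice, the functions pir1, pir2, pir3 and psim are unchanged; the size assertion \(r + k \cdot {\textsf{TAG}}\) then becomes the \(r + {\textsf {poly}}(k, \lambda )\) bound of Sect. 9.1.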

9.1 Server’s communication complexity

For \(r = r(\lambda )\), if the server has \(K = 2^k\) messages each of r bits, then the server’s communication complexity is \(r + {\textsf {poly}}(k, \lambda )\) bits (where \({\textsf {poly}}\) is a fixed polynomial), achieving rate-1 for large enough r.