Secure Arithmetic Computation with Constant Computational Overhead
 18 Citations
 3.2k Downloads
Abstract
We study the complexity of securely evaluating an arithmetic circuit over a finite field \(\mathbb {F}\) in the setting of secure twoparty computation with semihonest adversaries. In all existing protocols, the number of arithmetic operations per multiplication gate grows either linearly with \(\log \mathbb {F}\) or polylogarithmically with the security parameter. We present the first protocol that only makes a constant (amortized) number of field operations per gate. The protocol uses the underlying field \(\mathbb {F}\) as a black box, and its security is based on arithmetic analogues of wellstudied cryptographic assumptions.
Our protocol is particularly appealing in the special case of securely evaluating a “vectorOLE” function of the form \(\varvec{a}x+\varvec{b}\), where \(x\in \mathbb {F}\) is the input of one party and \(\varvec{a},\varvec{b}\in \mathbb {F}^w\) are the inputs of the other party. In this case, which is motivated by natural applications, our protocol can achieve an asymptotic rate of 1/3 (i.e., the communication is dominated by sending roughly 3w elements of \(\mathbb {F}\)). Our implementation of this protocol suggests that it outperforms competing approaches even for relatively small fields \(\mathbb {F}\) and over fast networks.
Our technical approach employs two new ingredients that may be of independent interest. First, we present a general way to combine any linear code that has a fast encoder and a cryptographic (“LPNstyle”) pseudorandomness property with another linear code that supports fast encoding and erasuredecoding, obtaining a code that inherits both the pseudorandomness feature of the former code and the efficiency features of the latter code. Second, we employ local arithmetic pseudorandom generators, proposing arithmetic generalizations of boolean candidates that resist all known attacks.
1 Introduction
There are many situations in which computations are performed on sensitive numerical data. A computation on numbers can usually be expressed as a sequence of arithmetic operations such as addition, subtraction, and multiplication.^{1}
In cases where the sensitive data is distributed among multiple parties, this calls for secure arithmetic computation, namely secure computation of functions defined by arithmetic operations. It is convenient to represent such a function by an arithmetic circuit, which is similar to a standard boolean circuit except that gates are labeled by addition, subtraction, or multiplication. It is typically sufficient to consider such circuits that evaluate the operations over a large finite field \(\mathbb {F}\), since arithmetic computations over the integers or (bounded precision) reals can be reduced to this case. Computing over finite fields (as opposed to integers or reals) can also be a feature, as it is useful for applications in threshold cryptography (see, e.g., [15, 26]). In the present work we are mainly interested in the case of secure arithmetic twoparty computation in the presence of semihonest adversaries.^{2} From here on, the term “secure computation” will refer specifically to this case.
Oblivious LinearFunction Evaluation. A natural complete primitive for secure arithmetic computation is Oblivious Linearfunction Evaluation (OLE). OLE is a twoparty functionality that receives a field element \(x\in \mathbb {F}\) from Alice and field elements \(a,b\in \mathbb {F}\) from Bob and delivers \(ax+b\) to Alice. OLE can be viewed as the arithmetic analogue of 1outof2 Oblivious Transfer of bits (bitOT) [22]. In the binary case, every boolean circuit C can be securely evaluated with perfect security by using O(C) invocations of an ideal bitOT oracle via the “GMW protocol” [27, 30]. A simple generalization of this protocol can be used to evaluate any arithmetic circuit C over \(\mathbb {F}\) using O(C) invocations of OLE and O(C) field operations [35].
The Complexity of Secure Arithmetic Computation. The goal of this work is to minimize the complexity of secure arithmetic computation. In light of the above, this reduces to efficiently realizing multiple instances of OLE. We start by surveying known approaches. The most obvious is a straightforward reduction to standard secure computation methods by emulating field operations using bit operations. This approach is quite expensive both asymptotically and in terms of concrete efficiency. In particular, it typically requires many “cryptographic” operations for securely emulating each field operation.
A more direct approach is via homomorphic encryption. Since OLE is a degree1 function, it can be directly realized by using “linearhomomorphic” encryption schemes (that support addition and scalar multiplication). This approach can be instantiated using Paillier encryption [18, 26, 48] or using encryption schemes based on (ring)LWE [19, 43]. While these techniques can be optimized to achieve good communication complexity, their concrete computational cost is quite high. In asymptotic terms, the best instantiations of this approach have computational overhead that grows polylogarithmically with the security parameter k. That is, the computational complexity of such secure computation protocols (in any standard computational model) is bigger than the computational complexity of the insecure computation by at least a polylogarithmic factor in k.
Another approach, first suggested by Gilboa [26] and recently implemented by Keller et al. [37], is to use a simple informationtheoretic reduction of OLE to stringOT. By using a bitdecomposition of Alice’s input x, an OLE over a field \(\mathbb {F}\) with \(\ell \)bit elements can be perfectly reduced to \(\ell \) instances of OT, where in each OT one of two field elements is being transferred from Bob to Alice. Using fast methods for OT extension [12, 31], the OTs can be implemented quite efficiently. However, even when neglecting the cost of OTs, the communication involves \(2\ell \) field elements and the computation involves \(O(\ell )\) field operations per OLE. This overhead can be quite large for big fields \(\mathbb {F}\) that are often useful in applications.
A final approach, which is the most relevant to our work, uses a computationally secure reduction from OLE to stringOT that assumes the peudorandomness of noisy random codewords in a linear code. This approach was first suggested by Naor and Pinkas [46] and was further developed by Ishai et al. [35]. The most efficient instantiation of these protocols relies on the assumption that a noisy random codeword of a ReedSolomon code is pseudorandom, provided that the noise level is sufficiently high to defeat known listdecoding algorithms. In the best case scenario, this approach has polylogarithmic computational overhead (using asymptotically fast FFTbased algorithms for encoding and decoding ReedSolomon codes). See Sect. 1.3 for a more detailed overview of existing approaches and [35] for further discussion of secure arithmetic computation and its applications.
To be a bit more precise, by “constant computational overhead” we mean that there is a protocol which can securely evaluate any arithmetic circuit C over any finite field \(\mathbb {F}\), with a computational cost (on a RAM machine) that is only a constant times bigger than the cost of performing C field operations with no security at all. Here we make the standard convention of viewing the size of C also as a security parameter, namely the view of any adversary running in time \(\mathrm {poly}(C)\) can be simulated up to a negligible error (in C). In the boolean case, Ishai et al. [34] showed that secure computation with constant computational overhead can be based on the conjectured existence of a local polynomialstretch pseudorandom generator (PRG). In contrast, in all known protocols for the arithmetic case the computational overhead either grows linearly with \(\log \mathbb {F}\) or polylogarithmically with the security parameter.Is it possible to realize secure arithmetic computation with constant computational overhead?
1.1 Our Contribution
We improve both the asymptotic and the concrete efficiency of secure arithmetic computation. On the asymptotic efficiency front, we settle the above open question in the affirmative under plausible cryptographic assumptions. More concretely, our main result is a protocol that securely evaluates any arithmetic circuit C over \(\mathbb {F}\) using only O(C) field operations, independently of the size of \(\mathbb {F}\). The protocol uses the underlying field \(\mathbb {F}\) as a black box, where the number of field operations depends only on the security parameter and not on the field size.^{3} The security of the protocol is based on arithmetic analogues of wellstudied cryptographic assumptions: concretely, an arithmetic version of an assumption due to Alekhnovich [1] (or similar kinds of “LPNstyle” assumptions) and an arithmetic version of a local polynomialstretch PRG [4, 11, 34].^{4}
On the concrete efficiency front, our approach is particularly appealing for a useful subclass of arithmetic computations that efficiently reduce to a multioutput extension of OLE that we call vectorOLE. A vectorOLE of width w is a twoparty functionality that receives a field element \(x\in \mathbb {F}\) from Alice and a pair of vectors \({\varvec{a}},{\varvec{b}}\in \mathbb {F}^w\) from Bob and delivers \({\varvec{a}}x+{\varvec{b}}\) to Alice. We obtain a secure protocol for vectorOLE with constant computational overhead and with an asymptotic communication rate of 1/3 (i.e., the communication is dominated by sending roughly 3w elements of \(\mathbb {F}\)). Our implementation of this protocol suggests that it outperforms competing approaches even for relatively small fields \(\mathbb {F}\) and over fast networks. The protocol is also based on more conservative assumptions, namely it can be based only on the first of the two assumptions on which our more general result is based. This assumption is arguably more conservative than the assumption on noisy ReedSolomon codes used in [35, 46], since the underlying codes do not have an algebraic structure that gives rise to efficient (list)decoding algorithms.
VectorOLE can be viewed as an arithmetic analogue of stringOT. Similarly to the usefulness of stringOT for garbling schemes [54], vectorOLE is useful for arithmetic garbling [5, 10] (see Sect. 4). Moreover, there are several natural secure computation tasks that can be directly and efficiently realized using vectorOLE. One class of such tasks are in the domain of secure linear algebra [17]. As a simple example, the secure multiplication of an \(n\times n\) matrix by a lengthn vector easily reduces to n instances of vectorOLE of width n. Another class of applications is in the domain of securely searching for nearest neighbors, e.g., in the context of secure face recognition [21]. The goal is to find in a database of n vectors of dimension d the vector which is closest in Euclidean distance to a given target vector. This task admits a simple reduction to d instances of widthn vector OLE, followed by nonarithmetic secure computation of a simple function (minimum) of n integers whose size is independent of d. The cost of such a protocol is dominated by the cost of vectorOLE. See Sect. 5 for a more detailed discussion of these applications.
1.2 Overview of Techniques
Our constantoverhead protocol for a general circuit C is obtained in three steps. The first step is a reduction of the secure computation of C to \(n=O(C)\) instances of OLE via an arithmetic version of the GMW protocol.
The second step is a reduction of n instances of OLE to roughly \(\sqrt{n}\) instances of vectorOLE of width \(w=O(\sqrt{n})\). This step mimics the approach for constantoverhead secure computation of boolean circuits taken in [34], which combines a local polynomialstretch PRGs with an informationtheoretic garbling scheme [32, 54]. To extend this approach from the boolean to the arithmetic case, two changes are made. First, the informationtheoretic garbling scheme for NC\(^0\) is replaced by an arithmetic analogue [10]. More interestingly, the polynomialstretch PRGs in NC\(^0\) needs to be replaced by an arithmetic analogue. We propose candidates for such arithmetic PRGs that generalize the boolean candidates from [11, 28] and can be shown to resist known classes of attacks. While the security of these PRG candidates remains to be further studied, there are no apparent weaknesses that arise from increasing the field size.
The final, and most interesting, step is a constantoverhead protocol for vectorOLE. As noted above, the protocol obtained in this step is independently useful for applications, and our implementation of this protocol beats competing approaches not only asymptotically but also in terms of its concrete efficiency.
Our starting point is the codebased OLE protocol from [35, 46]. This protocol can be based on any randomized linear encoding scheme E over \(\mathbb {F}\) that has a the following “LPNstyle” pseudorandomness property: If we encode a message \(x\in \mathbb {F}\) and replace a small random subset of the symbols by uniformly random field elements, the resulting noisy codeword is pseudorandom. For most linear encoding schemes this appears to be a conservative assumption, since there are very few linear codes for which efficient decoding techniques are known. The OLE protocol proceeds by having Alice compute a random encoding \({\varvec{y}}=E(x)\) and send a noisy version \({\varvec{y}}'\) of \({\varvec{y}}\) to Bob. Bob returns \({\varvec{c}'} = a{\varvec{y}}'+{\varvec{b}}\) to Alice, where \({\varvec{b}}=E(b)\) is a random linear encoding of b. Knowing the noise locations, Alice can decode \(c=ax+b\) from \({\varvec{c}'}\) via erasuredecoding in the linear code defined by E. If we ignore the noise coordinates, \({\varvec{c}'}\) does not reveal to Alice any additional information about (a, b) except the output \(ax+b\). However, the noise coordinates can reveal more information. To prevent this information from being leaked, Alice uses oblivious transfer (OT) to selectively learn only the nonnoisy coordinates of \({\varvec{c}'}\).
An attempt to extend the above protocol to the case of vectorOLE immediately encounters a syntactic difficulty. If the single value a is replaced by a vector \(\varvec{a}\), it is not clear how to “multiply” \({\varvec{y}}'\) by \(\varvec{a}\). A workaround taken in [35] is to use a “multiplicative” encoding scheme E based on ReedSolomon codes. The encoding and decoding of these codes incurs a polylogarithmic computational overhead, and the high noise level required for defeating known listdecoding algorithms results in a poor concrete communication rate. The algebraic nature of the codes also makes the underlying intractability assumption look quite strong. It is therefore desirable to base a similar protocol on other types of linear codes.
Our first idea for using general linear codes is to apply “vectorOLE reversal.” Concretely, we apply a simple protocol for reducing vectorOLE to the computation of \({\varvec{a}}x+{\varvec{b}}\) where \({\varvec{a}}\) is the input of Bob, x and \({\varvec{b}}\) the are the inputs of Alice, and the output is delivered to Bob. Now a general linear encoding E can be used by Bob to encode its input \({\varvec{a}}\), and since x is a scalar Alice can multiply the encoding by x and add an encoding of \({\varvec{b}}\). If we base E on a lineartime encodable and decodable code, such as the code of Spielman [51], the protocol can be implemented using only O(w) field operations. The problem with this approach the is that the pseudorandomness assumption looks questionable in light of the existence of an efficient decoding algorithm for E. Even if the noise level can chosen in a way that still respects lineartime erasuredecoding but makes errorcorrection intractable (which is not at all clear), this would require a high noise rate and hurt the concrete efficiency.
Our final idea, which may be of independent interest, is that instead of requiring a single encoding E to simultaneously satisfy both “hardness” and “easiness” properties, we can combine two types of encoding to enjoy the best of both worlds. Concretely, we present a general way to combine any linear code \(C_1\) that has a fast encoder and a cryptographic (“LPNstyle”) pseudorandomness property with another linear code \(C_2\) that supports fast encoding and erasuredecoding (but has no useful hardness properties) to get a randomized linear encoding E that inherits the pseudorandomness feature from \(C_1\) and the efficiency features from \(C_2\). This is achieved by using a noisy output of \(C_1\) to mask the output of \(C_2\), which we pad with a sufficient number of 0s. Given the knowledge of the noise locations in the padding zone, the entire \(C_1\) component can be recovered in a “bruteforce” way via Gaussian elimination, and one can then compute and decode the output of \(C_2\). When the expansion of E is sufficiently large, the Gaussian elimination is only applied to a short part of the encoding length and hence does not form an efficiency bottleneck. Using these ideas, we obtain a constantoverhead vectorOLE protocol under a seemingly conservative assumption, namely a natural arithmetic analogue of an assumption due to Alekhnovich [1] or a similar assumption for other lineartime encodable codes that do not have the special structure required for fast erasuredecoding.
1.3 Related Work
We first give an overview of known techniques for OLE (with semihonest security) and compare to what can be obtained using our approach.
First, the work of Gilboa [26] (see also [37]) implements OLE in a field with nbit elements using n oblivious transfers of field elements. The asymptotic communication complexity of this approach is larger than ours by a factor \(\varOmega (n)\).
In particular, if the goal is to implement vectorOLE, we can say something more concrete. Our vectorOLE implementation sends n/r bits to do 1 OLE on nbit field elements, where r is the rate, which is between 1/5 and 1/10 for our implementation. The OT based approach will need to send at least \(n^2\) bits to do the same. So in cases where network bandwidth is the bottleneck, we can expect to be faster than the OT based approach by a factor nr. Our experiments indicate that this happens for network speeds around 20–50 Mbits/sec. Actually, also at large network speeds, our vectorOLE implementation outperforms the OT based approach: The latest timings for semihonest string OT on the type of architecture we used (2 desktop computers connected by a LAN) are from [12] (see also [37]) and indicate that one OT can be done in amortised time about 0.2 \(\upmu \)s, so that 0.2 n\(\upmu \)s would an estimate for the time needed for one OLE. In contrast, our times (for 100bit security) are much smaller, even for the smallest case we considered (\(n=32\)) we have 0.7 \(\upmu \)s amortised time per OLE. For larger fields, the picture is similar, for instance for \(n=1024\), we obtain 19.5 \(\upmu \)s per OLE, where the estimate for the OT based technique is about 200 \(\upmu \)s.
A second class of OLE protocols can be obtained from homomorphic encryption schemes: one party encrypts his input under his own key and sends the ciphertext to the other party. He can now multiply his input “into the ciphertext” and randomize it appropriately before returning it for decryption. This will work based on Paillier encryption (see, e.g., [21] for an application of this) but will be very slow because exponentiation is required for the plaintext multiplication. A more efficient approach is to use (ring)LWE based schemes, as worked out in [19] by Damgård et al. Here the asymptotic communication overhead is worse than ours by a polylogarithmic factor, at least for prime fields if one uses the socalled SIMD variant where the plaintext is a vector of field elements. However, the approach becomes very problematic for extension fields of large degree because key generation requires that we find a cyclotomic polynomial that splits in a very specific way modulo the characteristic, and one needs to go to very large keys before this happens. Quantifying this precisely is nontrivial and was not done in [19], but as an example, the overhead in ciphertext size is a factor of about 7 for a 64bit prime fields, but is 1850 for \(\mathbb {F}_{2^8}\). Also, the computational overhead for ringLWE based schemes is much higher than ours: even if we pack as many field elements, say \(\lambda \), into a ciphertext as possible, the overhead involved in encryption and decryption is superlinear in \(\lambda \). Further \(\lambda \) needs to grow with the field size, again the asymptotic growth is hard to quantify exactly, but it is definitely super logarithmic. In more concrete terms, the computational overhead of homomorphic encryption makes these protocols slower in practice than the pure OTbased approach (see [37]), which is in turn generally slower than our approach for the case of vectorOLE.
A final class of protocols is more closely related to ours, namely the codebased approach of Naor and Pinkas [46] and its generalizations from [35]. The most efficient instantiation of these protocols is based on an assumption on pseudorandomness of noisy ReedSolomon codewords, whereas we use codes generated from sparse matrices. Because encoding and decoding ReedSolomon codes is not known to be in linear time, these protocols are asymptotically slower that ours by a polylogarithmic factor. As for the communication, we obtain an asymptotic rate of 1/3 and can obtain a practical rate of around 1/4. The rate of the protocol from [35] is also constant but much smaller: one loses a factor 2 because the protocol involves pointwise multiplication of codewords, so codewords need to be long enough to allow decoding of a ReedSolomon code based on polynomials of double degree. Even more significantly, on top of the above, the distance needs to be increased (so the rate decreases) to protect against attacks that rely on efficient listdecoding algorithms for ReedSolomon codes. This class of attacks does not apply to our approach, since it does not require the code for which the pseudorandomness assumption holds to have any algebraic structure.
2 Preliminaries
2.1 The Arithmetic Setting
Our formalization of secure arithmetic computation follows the one from [35], but simplifies it to account for the simpler setting of security against semihonest adversaries. We also refine the computational model to allow for a more concrete complexity analysis. We refer the reader to [35] for more details.
Functionalities. We represent the functionalities that we want to realize securely via a multiparty variant of arithmetic circuits.
Definition 1
(Arithmetic circuits). An arithmetic circuit C has the same syntax as a standard boolean circuit, except that the gates are labeled by ‘+’ (addition), ‘−’ (subtraction) or ‘*’ (multiplication). Each input wire can be labeled by an input variable \(x_i\) or a constant \(c\in \{0,1\}\). Given a finite field \(\mathbb {F}\), an arithmetic circuit C with n inputs and m outputs naturally defines a function \(C^\mathbb {F}:\mathbb {F}^n\rightarrow \mathbb {F}^m\). An arithmetic functionality circuit is an arithmetic circuit whose inputs and outputs are labeled by party identities. In the twoparty case, such a circuit C naturally defines a twoparty functionality \(C^\mathbb {F}:\mathbb {F}^{n_1}\times \mathbb {F}^{n_2}\rightarrow \mathbb {F}^{m_1}\times \mathbb {F}^{m_2}\). We denote by \(C^\mathbb {F}(x_1,x_2)_P\) the output of Party P on inputs \((x_1,x_2)\).
Protocols and Complexity. To allow for a concrete complexity analysis, we view a protocol as a finite object that is generated by a protocol compiler (defined below). We assume that field elements have an adversarially chosen representation by \(\ell \)bit strings, where the protocol can depend on \(\ell \) (but not on the representation). The representation is needed for realizing our protocols in the plain model. When considered as protocols in the OThybrid model, our protocols can be cast in the more restrictive arithmetic model of Applebaum et al. [5], where the parties do not have access to the bitlength of field elements or their representation, but can still perform field operations and communicate field elements over the OT channel. Protocols in this model have the feature that the number of field operations is independent of the field size.
By default, we model a protocol by a RAM program.^{5} The choice of computational model does not change the number of field operations, which anyway dominates the overall cost as the field grows. In our theorem statements we will only refer to the number of field operations T, with the implicit understanding that all other computations can be implemented using \(O(T\ell )\) bit operations. (Note that \(T\ell \) bit operations are needed just for writing the outputs of T field operations.)
Protocol Compiler. A protocol compiler \(\mathcal P\) takes a security parameter \(1^k\), an arithmetic (twoparty) functionality circuit C and bitlength parameter \(\ell \) as inputs, and outputs a protocol \(\varPi \) that realizes C given an oracle to any field \(\mathbb {F}\) whose elements are represented by \(\ell \)bit strings. It should satisfy the following correctness and security requirements.

Correctness: For every choice of \(k,C,\mathbb {F},\ell \), any representation of elements of \(\mathbb {F}\) by \(\ell \)bit strings, and every possible pair of inputs \((x_1,x_2)\) for C, the execution of \(\varPi \) on \((x_1,x_2)\) ends with the parties outputting \(C(x_1,x_2)\), except with negligible probability in k.
 Security: For every polynomialsize nonuniform \(\mathcal {A}\) there is a negligible function \(\epsilon \) such that the success probability of \(\mathcal {A}\) in the following game is bounded by \(1/2+\epsilon (k)\):

On input \(1^k\), the adversary \(\mathcal {A}\) picks a functionality circuit C, positive integer \(\ell \) and field \(\mathbb {F}\) whose elements are represented by \(\ell \)bit strings. The representation of field elements and field operations are implemented by a circuit \(\mathcal F\) output by \(\mathcal A\). (Note that all of the above parameters, including the complexity of the field operations, are effectively restricted to be polynomial in k.)

Let \(\varPi ^{\mathcal F}\) be the protocol returned by the compiler \(\mathcal P\) on \(1^k,C,\ell \), instantiating the field oracle \(\mathbb {F}\) using \(\mathcal F\).

\(\mathcal {A}\) picks a corrupted party \(P\in \{1,2\}\) and two input pairs \(x^0=(x^0_1,x^0_2)\), \(x^1=(x^1_1,x^1_2)\) such that \(C^\mathbb {F}(x^0)_P=C^\mathbb {F}(x^1)_P\).

Challenger picks a random bit b.

\(\mathcal {A}\) is given the view of Party P in \(\varPi ^{\mathcal F}(x^b)\) and outputs a guess for b.

2.2 Decomposable Affine Randomized Encoding (DARE)
 1.(Correctness) There exists a decoding algorithm \(\mathsf {Dec}\) such that for every \(x\in \mathbb {F}^{\ell }\) it holds that
 2.(Privacy) There exists a randomized algorithm \(\mathcal {S}\) such that for every \(x\in \mathbb {F}^{\ell }\) and uniformly chosen Open image in new window it holds that$$\begin{aligned} \mathcal {S}(f(x)) \quad \text {is distributed identically to } \quad \hat{f}(x;r). \end{aligned}$$
We say that \(\hat{f}(x;r)\) is decomposable and affine if \(\hat{f}\) can be written as \(\hat{f}(x;r)=(\hat{f}_0(r),\hat{f}_1(x_1;r),\ldots ,\hat{f}_n(x_{\ell };r))\) where \(\hat{f}_i\) is linear in \(x_i\), i.e., it can be written as \(\varvec{a}_i x_i+\varvec{b}_i\) where the vectors \(\varvec{a}_i\) and \(\varvec{b}_i\) arbitrarily depend on the randomness r.
It follows from [33] (cf. [10]) that every singleoutput function \(f:\mathbb {F}^d \rightarrow \mathbb {F}\) which can be computed by constantdepth circuit (aka \(\mathbf {{NC^0}}\) function) admits a decomposable encoding which can be encoded and decoded by an arithmetic circuit of finite complexity D which depends only in the circuit depth. Note that any multioutput function can be encoded by concatenating independent randomized encodings of the functions defined by its output bits. Thus, we have the following:
Fact 1
Let \(f:\mathbb {F}^{\ell }\rightarrow \mathbb {F}^{m}\) be an \(\mathbf {{NC^0}}\) function. Then, f has a DARE \(\hat{f}\) which can be encoded, decoded and simulated by an arithmetic circuit of size O(m) where the constant in the bigO notation depends on the circuit depth.^{7}
We mention that the circuits for the encoding, decoder, and simulator can be all constructed efficiently given the circuit for f.
3 Vector OLE of Large Width
In this section, our goal is to construct a semihonest secure protocol for Vector OLE of width w over the field \(\mathbb {F}=\mathbb {F}_p\) for parties Alice and Bob.
As a stepping stone, we will first implement a “reversed” version of this that can easily be turned into what we actually want: for the Reverse vector OLE functionality, Bob has input \(\varvec{a}\in \mathbb {F}^w\), while Alice has input \(x\in \mathbb {F}, \varvec{b}\in \mathbb {F}^w\), and the functionality outputs nothing to Alice and \(\varvec{a}\cdot x + \varvec{b}\) to Bob. The latter will be based on a special gadget (referred to as fast hard/easy code) that allows fast encoding and decoding under erasures but semantically hides the encoded messages in the presence of noise. We describe first this gadget and then give the protocol.
3.1 Ingredients
The main ingredient we need is a public matrix M over \(\mathbb {F}\) with the following pseudorandomness property: If we take a random vector \(\varvec{y}\) in the image of M, and perturb it with “noise”, the resulting vector \(\hat{\varvec{y}}\) is computationally indistinguishable from a truly random vector over \(\mathbb {F}\). Our noise distribution corresponds to the pary symmetric channel with crossover over probability \(\mu \), that is, \(\hat{\varvec{y}}=\varvec{y}+\varvec{e}\) where for each coordinate of \(\varvec{e}\) we assign independently the value zero with probability \(1\mu \) and a uniformly chosen nonzero element from \(\mathbb {F}\) with probability \(1\mu \). We let \({\mathcal D}(\mathbb {F})_{\mu }^{t}\) denote the corresponding noise distributions for vectors of length t (and occasionally omit the parameters \(\mathbb {F},\mu \) and t when they are clear from the context). For concreteness, the reader may think of \(\mu \) as 1/4. The properties needed for our protocol are summarized in the following assumption, that will be discussed in Sect. 7.
Assumption 2
 1.
(Lineartime computation) The mapping \(f_M:\varvec{x}\mapsto M \varvec{x}\) can be computed in lineartime in the output length. Formally, we assume that the sampler outputs a description of an \(O(k^3)\)size arithmetic circuit over \(\mathbb {F}\) for computing \(f_M\).
 2.(Pseudorandomness) The following ensembles (indexed by k) are computationally indistinguishable for \(\mathrm {poly}(k)\) adversarieswhere Open image in new window , Open image in new window , Open image in new window and Open image in new window .$$\begin{aligned} (M, M\varvec{r} + \varvec{e}) \qquad \text {and} \qquad (M, \varvec{z}), \end{aligned}$$
 3.
(Linear independence) If we sample Open image in new window and keep each of the first \(k \log ^2 k\) rows independently with probability \(\mu \) (and remove all other rows), then, except with negligible probability in k, the resulting matrix has full rank.
We will also need a linear error correcting code \(\mathsf {Ecc}\) over \(\mathbb {F}\) with constant rate R and linear time encoding and decoding, where we only need decoding from a constant fraction of erasures \(\mu '\) which is slightly larger than the noise rate \(\mu \). (For \(\mu =1/4\) we can take \(\mu '=1/3\).) Such codes are known to exist (cf. [51]) and can be efficiently constructed given a blackbox access to \(\mathbb {F}\).
Fast Hard/Easy Code. We combine the “fast code” \(\mathsf {Ecc}\) and the “fast pseudorandom code” \({\mathcal M}\) into a single gadget that provides fast encoding and decoding under erasures, but hides the encoded message when delivered through a noisy channel. The gadget supports messages of length \(w=\varTheta (k^3)\). Our gadget is initialized by sampling a \(k^3 \times k\) matrix M over \(\mathbb {F}\) using the randomized algorithm \({\mathcal M}\) promised in Assumption 2. We view the matrix M as being composed of two matrices \(M^{\mathsf {top}}\) with \(u=2k \log ^2 k\) rows and k columns, placed above \(M^{\mathsf {bottom}}\) which has \(v=k^3u\) rows and k columns. Let \(w=Rv=\varTheta (k^3)\) be a message length parameter (corresponding to the width of the vectorOLE). Note that our \(\mathsf {Ecc}\) encodes vectors of length w into vectors of length v.
 1.
(Fast and Linear) The mapping \(E_{\varvec{r}}(\varvec{a})\) can be computed by making only \(O(k^3)\) arithmetic operations. Moreover, it is a linear function of \((\varvec{r},\varvec{a})\) and so \(E_{\varvec{r}}(\varvec{a})+E_{\varvec{r'}}(\varvec{a'})=E_{\varvec{r}+\varvec{r'}}(\varvec{a}+\varvec{a'})\).
 2.
(Hiding under errors) For any message \(\varvec{a}\) and Open image in new window Open image in new window , the vector \(E_{\varvec{r}}(\varvec{a}) + \varvec{e}\) is pseudorandom and, in particular, it computationally hides \(\varvec{a}\).
 3.
(Fast decoding under erasures) Given a random \((1\mu )\)subset I of the coordinates of \(\varvec{z}=E_{\varvec{r}}(\varvec{a})\) (i.e., each coordinate is erased with independently probability \(\mu \)) it is possible to recover the vector \(\varvec{a}\), with negligible error probability, by making only \(O(\varvec{z})=O(k^3)\) arithmetic operations. Indeed, letting \(I_0\) (resp., \(I_1\)) denote the coordinates received from the uprefix of \(\varvec{z}\) (resp., vsuffix of \(\varvec{z}\)), we first recover \(\varvec{r}\) by solving the linear system \(\varvec{z}_{I_0}=(M^{\mathsf {top}} \varvec{r})_{I_0}\) via Gaussian elimination in \(O(k^3)\) arithmetic operations. By Assumption 2 (property 3) the system is likely to have a unique solution. Then we compute \((M^{\mathsf {bottom}}\varvec{r})_{I_1}\) in time \(O(k^3)\), subtract from \((E_{\varvec{r}}(\varvec{a}))_{I_1}\) to get \(\mathsf {Ecc}(\varvec{a})_{I_1}\), from which \(\varvec{a}\) can be recovered by erasure decoding in time \(O(k^3)\).
3.2 From Fast Hard/Easy Code to Reverse VectorOLE
Our protocol uses the gadget E to implement a reversed vectorOLE. In the following we assume that the parties have access to a variant Oblivious Transfer of field elements which we assume (for now) is given as an ideal functionality. To be precise, the variant we need is one where Alice sends a field element f, Bob chooses to receive f, or to receive nothing, while Alice learns nothing new.
We describe the protocol under the assumption that the width w is taken to be \(\varTheta (k^3)\). A general value of w will be treated either by padding or by partitioning into smaller blocks of size \(O(k^3)\) each. (See the proof of Theorem 3.)
Construction 1
(Reverse Vector OLE protocol). To initialize the protocol one of the parties samples the matrix Open image in new window and publish it. The gadget E (and the parameters u, v and w) are now defined based on M and k as described above.
 1.
Bob has input \(\varvec{a}\in \mathbb {F}^w\). He selects random \(\varvec{r}\in \mathbb {F}^k\), chooses \(\varvec{e}\) according to \({\mathcal D}(\mathbb {F})^{u+v}_{\mu }\) and sends to Alice the vector \(\varvec{c} = E_{\varvec{r}}(\varvec{a}) + \varvec{e} \).
 2.
Alice has input \(x, \varvec{b}\). She chooses \(\varvec{r'}\in \mathbb {F}^k\) at random and computes \(\varvec{d} = x\cdot \varvec{c} + E_{\varvec{r'}}(\varvec{b}) \).
 3.
Let I be an index set that contain those indices i for which \(\varvec{e}_i =0\). These are called the noise free positions in the following. The parties now execute, for each entry i in \(\varvec{d}\), an OT where Alice sends \(\varvec{d}_i\). If \(i\in I\), Bob chooses to receive \(\varvec{d}_i\), otherwise he chooses to receive nothing.
 4.Notice that, since the function E is linear, we haveUsing subscriptI to denote restriction to the noisefree positions, what Bob has just received is$$\varvec{d} = E_{x\varvec{r} +\varvec{r'}}(x\varvec{a} + \varvec{b}) + x\varvec{e}.$$where \(\varvec{s}= x\varvec{r} +\varvec{r'}\). Using the fastdecoding property of E (property 3), Bob recovers the vector \(x\varvec{a}+\varvec{b}\) (by making \(O(k^3)\) arithmetic operations) and outputs \(x\varvec{a} + \varvec{b}\).$$\begin{aligned} \varvec{d}_I= (E_{\varvec{s}}(x\varvec{a}+\varvec{b}))_I, \end{aligned}$$
We are now ready to show that the reverse vector OLE protocol works:
Lemma 1
Suppose that Assumption 2 holds. Then Construction 1 implements the Reverse VectorOLE functionality of width \(w=\varTheta (k)\) over \(\mathbb {F}\) with semihonest and computational security in the OThybrid model. Furthermore, ignoring the cost of initialization, the arithmetic complexity of the protocol is O(w).
Proof
The running time follows easily by inspection of the protocol. We prove correctness. By Assumption 2 (property 3), except with negligible probability Bob recovers the vector \(\varvec{s}\) correctly. Also, by a Chernoff bound, the vsuffix of the error vector \(\varvec{e}\) contains at most \(\mu ' v\) nonzero coordinates. Therefore, the decoding procedure of the errorcorrecting code succeeds.
As for privacy, consider first the case where Alice is corrupt. We can then simulate Bob’s message with a random vector in \(\mathbb {F}^{u+v}\) which will be computationally indistinguishable by Assumption 2. If Bob is corrupt, we can simulate what Bob receives in OTs given Bob’s output \(x\varvec{a} + \varvec{b}\), namely we compute \(\varvec{f}= E_{\varvec{s}}(x\varvec{a} + \varvec{b})\) for a random \(\varvec{s}\) and sample a set I as in the protocol (each coordinate \(i\in [k^3]\) is chosen with probability \(1\mu \)). Then for the OT in position i, we let Bob receive \(\varvec{f}_i\) if \(i\in I\) and nothing otherwise. This simulates Bob’s view perfectly, since in the real protocol \(\varvec{s}= x\varvec{r} +\varvec{r'}\) is indeed uniformly random, and the received values for positions in I do not depend on x or \(\varvec{e}\), only on \(\varvec{s}\) and Bob’s output. \(\square \)
3.3 From Reverse VectorOLE to VectorOLE
Finally, to get a protocol for the vector OLE Functionality, note that we can get such a protocol from the Reverse vector OLE functionality:
Construction 2
 1.
Call the Reverse VectorOLE functionality, where Bob uses input \(\varvec{a}\) and Alice uses input x and a randomly chosen Open image in new window . As a result, Bob will receive \(x\varvec{a} + \varvec{b'}\).
 2.
Bob sends \(\varvec{b} + (x\varvec{a} + \varvec{b'})\) to Alice. Now, Alice outputs \((\varvec{b} + (x\varvec{a} + \varvec{b'})  \varvec{b'} = x\varvec{a} + \varvec{b}\).
It is trivial to show that this implements the vectorOLE functionality with perfect security. Combining the above with Lemma 1, we derive the following theorem.
Theorem 3
Suppose that Assumption 2 holds. Then, there exists a protocol that implements the vectorOLE functionality of width w over \(\mathbb {F}\) with semihonest computational security in the OThybrid model with arithmetic complexity of \(O(w)+\mathrm {poly}(k)\).
Proof
For \(w<k^3\), the theorem follows directly from Construction 2 and Lemma 1 (together with standard composition theorem for secure computation). The more general case (where w is larger) follows by reducing long wvector OLE’s into t calls to \(w_0\)vector OLE for \(w_0=\varTheta (k^3)\) and \(t=w/w_0\). Since initialization is only performed once (with a onetime \(\mathrm {poly}(k)\) cost) and M is reused, the overall complexity is \(\mathrm {poly}(k)+O(tw_0)=\mathrm {poly}(k)+O(w)\) as claimed. \(\square \)
Remark 1
(Implementing the OTs). First, note that the OT variant we need can be implemented efficiently for large fields as follows: Alice chooses a short seed for a PRG and to send field element f, she sends \(f \oplus PRG(seed)\) and then does an OT where she offers Bob seed and a random value. If Bob wants to receive f, he chooses to get seed, otherwise he choose the random value.
Our protocol employs O(w) such OTs on field elements, or equivalently, on strings of length \(\log \mathbb {F}\) bits. For sufficiently long strings (i.e., \(w=\mathrm {poly}(k)\) for sufficiently large polynomial) one can get these OT very cheaply both practically and theoretically.
Indeed, the implementation we described (which is similar to an observation from [34]), can be done with optimal asymptotic complexity of \(O(w \log \mathbb {F})\) bit operations assuming the existence of a linearstretch pseudorandom generator \(G:\{0,1\}^k \rightarrow \{0,1\}^{2k}\) which is computable in lineartime O(k). Moreover, such a generator can be based on the binary version of Assumption 2, as follows from [9]. In practice, we can get the OT’s very efficiently via OT extension and perhaps (for very large fields) using a PRG based on AES which is extremely efficient on modern Intel CPUs.
Remark 2
(On the achievable rate). Note that the full vector OLE protocol communicates \(u+v\) field elements, does \(u+v\) OTs and finally sends w field elements. The rate is defined as the size of the output (w) divided by the communication complexity. Now, asymptotically, we can ignore u since it is o(v). Furthermore, v is the length of the code \(\mathsf {Ecc}\), which needs to be about \(w/(1\mu )\) to allow for erasure decoding w values from a fraction of \(\mu \) random erasures. By the previous remark, an OT can be done at rate 1, so it counts as 1 field element. So we find that the rate asymptotically at best approaches \((1\mu )/(3\mu )\) (i.e., \(3/11\approx 1/4\) for \(\mu =1/4\)). If we are willing to believe that Assumption 2 holds for any constant error rate (and large enough code length k) then we can obtain rate approaching \(1/3\epsilon \) for any constant \(\epsilon > 0\).
4 BatchOLEs
In this section we implement n copies of OLE (of width 1) with constant computational overhead based on vectorOLE with constant computational overhead and a polynomialstretch arithmetic pseudorandom generator of constant depth. The transformation is similar to the one described in [34] for the binary setting, and is based on a combination Beaver’s OT extension [13] with a decomposable randomized encoding.
4.1 From VectorOLE to \(\mathbf {{NC^0}}\) Functionalities
We begin by observing that local functionalities can be reduced to vectorOLE with constant computational overhead. This follows from an arithmetic variant of Yao’s protocol [54] where the garbled circuit is replaced with fullydecomposable randomized encoding. For simplicity, we restrict our attention to functionalities in which only the first party Alice gets the input.
Lemma 2
Let \(\mathbb {F}\) be a finite field and let f be a twoparty \(\mathbf {{NC^0}}\) functionality that takes \(\ell _1\) field elements from the sender, \(\ell _2\) field elements from the receiver, and delivers m field elements to the receiver. Then, we can securely compute f with an informationtheoretic security in the semihonest model with arithmetic complexity of O(m) and by making \(O(\ell _2)\) calls to ideal \(O(m/\ell _2)\)width OLE.
The constant in the bigO notation depends on the circuit depth of f.
Proof

Bob selects randomness Open image in new window for the encoding and sends \(\hat{f}_0(r)\) together with \((\hat{f}_{i}(x_i;r))_{i \in B}\).

For every \(i\in A\) the parties invoke width wOLE where Alice uses \(x_i\) as her input and Bob uses \((\varvec{a}_i(r), \varvec{b}_i(r))\) as his inputs. If the length \(W_i\) of \(\varvec{a}_i(r)\) and \(\varvec{b}_i(r)\) is larger than w, the vectors are partitioned to wsize blocks and the parties use \(\lceil (W_i/w) \rceil \) calls to wwidth OLE. (In the jth call Bob uses the jth block of \((\varvec{a}_i(r), \varvec{b}_i(r))\) as his input and Alice uses \(x_i\) as her input.)

Finally, Alice aggregates the encoding \(\hat{f}(x;r)\), applies the decoder and recovers the output f(x).
It is not hard to verify that both parties can be implemented by making at most \(O(\ell )\) arithmetic operations. (In fact, they can be implemented by \(O(\ell )\)size arithmetic circuits). Moreover, the number of call to the w vectorOLE is \(\sum _{i\in A} \lceil W_i/w \rceil =O(m/w)=O(\ell _2)\). The correctness of the protocol follows from the correctness of the DARE. Assuming perfect OLE, the protocol provides perfect security for Bob (who gets no message during the protocol) and for Alice (whose view can be trivially simulated using the perfect simulator of the DARE). \(\square \)
4.2 From PseudorandomOLE to OLE
The following lemma is an arithmetic variant of Beaver’s reduction from batchOT to OT with “pseudorandom” selection bits.
Lemma 3
Let \(G:\mathbb {F}^k \rightarrow \mathbb {F}^n\) be a pseudorandom generator. Consider the twoparty functionality g that takes a seed \(\varvec{s}\in \mathbb {F}^k\) from Alice and n pairs of field elements \((a_i,b_i), i\in [n]\) from Bob and delivers to Alice the value \(y_ia_i+b_i\) where \(\varvec{y}=G(\varvec{s})\). Then, in the ghybrid model it is possible to securely compute n copies of OLE of width 1 with semihonest computational security and complexity of O(n) arithmetic operations and a single call to g.
Proof
Let \(\varvec{x}=(x_i)_{i\in [n]}\) be Alice’s input and let \((a_i,b_i), i\in [n]\) be Bob’s input.
 1.
Alice and Bob call the protocol for g where Alice uses a random seed Open image in new window as an input and Bob uses the pairs \((a_i,c_i), i\in [n]\) where Open image in new window are chosen uniformly at random. Alice gets back the value \(u_i=y_i a_i+c_i\) for \(i\in [n]\).
 2.
Alice sends to Bob the values \(\varDelta _i=x_iy_i\), for every \(i\in [n]\).
 3.
Bob responds with \(v_i=\varDelta _i a_i+(b_ic_i)\) for every \(i\in [n]\).
 4.
Alice outputs \(z_i=u_i+v_i\) for every \(i\in [n]\).
It is not hard to verify that correctness holds, i.e., \(z_i=x_i a_i+b_i\). To prove security, observe that Alice’s view, which consists of \((\varvec{x},\varvec{s},\varvec{u},\varvec{v})\), can be perfectly simulated. Indeed, given an input \(\varvec{x}\) and an output \(\varvec{z}\): Sample Open image in new window together with Open image in new window and set \(\varvec{v}=\varvec{z}\varvec{u}\). As for Bob, his view consists of \(\varvec{a},\varvec{b},\varvec{c}\) and a pseudorandom string \(\varvec{\varDelta }\). We can therefore simulate Bob’s view by sampling \(\varvec{\varDelta }\) (and \(\varvec{c}\)) uniformly at random. \(\square \)
4.3 From \(\mathbf {{NC^0}}\) PRG to BatchOLE
To get our final result, we need a polynomialstretch \(\mathbf {{NC^0}}\) arithmetic pseudorandom generator. In fact, it suffices to have a collection of such PRG’s.
Assumption 4
(polynomialstretch \(\varvec{\mathbf {{NC^0}}}\) PRG (arithmetic version)). There exists a polynomialtime algorithm that given \(1^k\) and a field representation \(\mathbb {F}\) samples an \(\mathbf {{NC^0}}\) mapping \(G:\mathbb {F}^k\rightarrow \mathbb {F}^{k^2}\) (represented by a circuit) such that with all but negligible probability G is a pseudorandom generator against \(\mathrm {poly}(k)\) adversaries.
Assumption 4 is discussed in Sect. 7. For now, let us mention that similar assumptions were made in the binary setting and known binary candidates have natural arithmetic variants.
Combining Lemmas 2 with 3, we get the following theorem.
Theorem 5
Suppose that Assumption 4 holds. Then, it is possible to securely compute n copies of OLE over \(\mathbb {F}\) in the semihonest model by making O(n / k) calls to ideal O(k)width OLE and \(O(n)+\mathrm {poly}(k)\) additional arithmetic operations.
Proof
Let \(t=n/k^2\). Implement the OLE’s using t batches each of size \(k^2\). By Lemmas 2 and 3, each such batch can be implemented by making k calls to ideal O(k)width OLE and \(O(k^2)\) additional arithmetic operations. Since the initialization of the pseudorandom generator has a onetime \(\mathrm {poly}(k)\) cost, we get the desired complexity. \(\square \)
Combining Theorems 3 and 5, together with an optimal OT implementation (which by Remark 1 follows from standard OT), and plugging in standard composition theorem for secure computation, we derive the following theorem.
5 Applications of VectorOLE
In the previous section we used vectorOLE only as a tool to obtain OLE. However, there are applications where vectorOLE is precisely what we need.
First, it is easy to see that a secure multiplication of an \(n\times n\) matrix by a lengthn vector reduces to n instances of widthn vectorOLE. Therefore, using our implementation of vectorOLE, it is straightforward to multiply a matrix by a vector with \(O(n^2)\) field operations, which is asymptotically optimal, and with a small concrete overhead. This can be used as a building block for other natural secure computation tasks, such as matrix multiplication and other instances of secure linear algebra; see [17, 44] for other examples and motivating applications.
Once we have additive shares of the square distances, the comparisons can be done using standard Yaogarbling. Since this only requires small circuits whose size is independent of the dimension m, this can be expected to add negligible overhead.
We note that the secure face recognition problem was considered in [21], where a solution based on Paillier encryption was proposed (see [50] for optimizations). This adds a very large computational overhead compared our solution, since an exponentiation is required for each product \(2x_iy^j_i\).
Similar applications of vectorOLE can apply in many other contexts of securely computing on numerical data that involve computations of lowdegree polynomials. See, e.g., [16, 24] and references therein for some recent relevant works in the context of secure machine learning.
6 Implementation
We have implemented the vectorOLE protocol. This is the most practical of our constructions and, as we explained in the previous section, it has applications of its own, even without the conversion to OLEs of width 1.
6.1 Choice of the Matrix M
For the vector OLE protocol, we need a fast pseudorandom matrix M (see Assumption 2). For this, we have chosen to use a random dsparse matrix for a suitable constant d. This means we are basing ourselves on Assumption 6 from Sect. 7, which essentially just says that a random dsparse matrix is likely to satisfy a good “expansion” property which leads to pseudorandomness (i.e., satisfy Assumption 2). In particular, to get b bits of security, we select the size of M, such that, except with tiny probability, every set S of at most b rows have joint support which is larger than S (i.e., S is nonshrinking). This level of expansion is somewhat optimistic, but still seems to defend against known attacks. (See the discussion in Sect. 7.)
In the earlier theory sections we have assumed that the number rows in M is \(\varTheta (k^3)\). This was because we wanted to amortize away the \(O(k^3)\) amount of work needed to do Gaussian elimination using the top part of the matrix. However, to achieve this number of rows in the concrete security analysis we would need to go to rather large values of k, and this would create some issues with memory management. Hence, to get a more practical version with a relatively small footprint, we chose to settle for \(O(k^2)\) rows. Then, for 80bit security and \(d=10\) it turns out that we will need approximately \(k=182\) columns and \(k^2\) rows, while for 100bit security we need \(k=240\).
Note that once the number of rows and columns is fixed, this also fixes the parameters u, v from the vector OLE protocol.
6.2 ECC: Using Luby Transform Codes
It remains to consider the erasure correcting code ECC. For this, we want to use Luby Transform (LT) codes [42]. LT codes have extremely simple and efficient en and decoding algorithms, using only field addition and subtraction, no multiplications or inversions are needed. On the other hand, LT codes were designed for a streaming scenario, where one continues the stream until the receiver has enough data to decode. In our case, we must stop at some finite codeword size, and this means we will have a nonnegligible probability that decoding fails. In practice, one can think of this as a small but constant error probability, say 1%. On the other hand, this be detected, and the event that decoding fails only depends on the concrete choice of LT code and the choice of the noiseless positions.
Since the player A knows the LT code to be used and is also the one who chooses the noise pattern, he can simply choose a random noise pattern subject to the condition that decoding succeeds.
The protocol will then always terminate successfully, but we need to make a slightly stronger computational assumption to show that the protocol is secure: the pseudorandomness condition for the matrix M must hold even if we exclude, say 1% of the possible noise patterns. It turns out that, given the known attacks, excluding any 1% of the noise patterns makes no significant difference.^{8}
More concretely we instantiate the encoding function \(\mathsf {Ecc}: \mathbb {F}^w \rightarrow \mathbb {F}^v\) over the Robust Soliton distribution also defined in [42]. One generates a output symbol by sampling a degree dec from that distribution and defining the symbol as the sum of dec input symbols chosen uniformly among alle the input symbols. This distribution is defined over two constant parameters \(\delta \) and c. Here \(\delta \) denotes the probability of failed decoding, which together with c adds extra weight to the probability of smaller degree encoding symbols. The two parameters also determine a constant \(\beta \) for which \(v=w\beta \), but since v and w is fixed in our construction, \(\beta \) is also fixed, and we have one degree of freedom less. Thus we instantiate the distribution with parameters w, v and \(\delta \) and let those determine c such that \(\beta =v/w\).
Implementation parameters
k  u  v  w  \({\delta }\)  \({\lambda }\) 

182  244  33.124  5.000  0.001  0.0017 
10.000  0.01  0.016  
14.000  0.1  0.095  
240  320  57.600  10.000  0.001  0.0003 
20.000  0.01  0.015  
23.000  0.1  0.069 
6.3 Doing Oblivious Transfers
In the vector OLE protocol we need 1 OT for each row of M. It is natural to implement this via OT extension which can be done very efficiently in a situation like ours where we need a substantial number of OTs. For instance, in [12, 36], an amortised time of about 0.2 \(\upmu \)s per semihonestly secure string OT was obtained, when generating enough of them in one go. Note that in the protocol specification, we required a special OT variant where one message is sent and the receiver chooses to get it or not. But this can of course be implemented using standard 1–2 string OT where the sender offers the message in question and a dummy.
In order to not require a specific relation between the number of OTs produced by one run of an OT extension and what our protocol requires, we have assumed that we precompute a number of random OTs, which we then adjust to the actual values using standard techniques. The adjustment requires one message in both directions where the first one can be sent in parallel with the message in the Vector OLE protocol, so we get a protocol with a total of 3 messages.
We have not implemented the OT extension itself, instead we simulate the data and communication needed when using the preprocessed OTs. The hypothesis is that that time required to create the random OTs in the first place is insignificant compared to the rest of the computation required. We discuss below the extent to which this turned out to be true.
6.4 Communication Overhead
Having fixed the parameter choices, we can already compute the communication we will need: we can ignore the communication relating to the top part of the matrix M as this is responsible for less than 1% of the communication. Then, by simple inspection of the protocol, one sees that we need to send \(v+w\) field element and do v OTs. We implement the OTs directly from 1–2 OT which means an OT costs communication of 2 field elements and 1 bit. So we get a total of \(3v +w\) field elements (plus v bits, which we can ignore when the field is large). With our choice of LT code, v is roughly 3w, so we have 10w field elements to send. Hence the rate is indeed constant, as expected, namely 1/10. Accepting a larger failure probability for LT decoding, we could get a rate of roughly 1/7. As explained in Remark 2, the best we can hope for asymptotically is about 1/4 when the noise rate is 1/4.
There are two reasons why we do not reach this goal: first, we chose to use LT codes for erasure correction to optimize the computational overhead, but this comes at the price of a suboptimal rate. Second we implement the OTs at rate 1/2. As explained in Remark 1, rate (almost) 1 is possible, but only for large fields. So for fields of size 1000 bits or more, we believe the rate of our implementation can be pushed to about 1/5 without significantly affecting its concrete computational overhead.
6.5 Test SetUp and Results
Our setup consists of two identical machines, each with 32 GB RAM and a 64bit i73770K CPU running at 3.5 GHz. The machines are connected on a 1 GbE network with 0.15 ms delay.
A bbit field is instantiated by choosing \(\mathbb {F}_p\) for the largest prime \(p<2^b\). All matrix operations are optimized to that of sparse matrices except for the Gaussian elimination, where we construct an augmented matrix and do standard row reduction. All parameters are loaded into memory prior to the protocol execution including the matrix M, the LT code and a finite set of test vectors.
First a version is implemented using the GNU Multiple Precision Arithmetic Library for finite field arithmetic. We benchmark this version with bbit field for \(b\in \{32,64,\dots ,2048\}\). In this setting we allocate 2b bits for each element once, such that we never have to allocate more e.g. at multiplication operations, which consists of a mul and mod GMP call. We further replace the mod call after addition and subtraction with a conditional sum.
Since most computation in the protocol includes field operations, we optimized the finite field for 32bit and 64bit versions. Here the 32bit version only use half of the machine’s word size, but offers fast modulo operation after a multiplication with the div instruction. The 64bit version utilizes the full word size, but relies on the compiler’s implementation of the modulo operation for uint128_t as supported in GCCbased compilers. For random number generation, we use the Mersenne Twister SFMT variant instead of GMP.
Benchmark of the vectorOLE protocol for \(k=182\)
Field size  Version  OLE time  Latency  Network 

32 bit  Optimized  0.56 \(\upmu \)s  0.04 s  45.53 MB/s 
64 bit  Optimized  1.00 \(\upmu \)s  0.14 s  50.83 MB/s 
32 bit  GMP  3.65 \(\upmu \)s  0.26 s  6.98 MB/s 
64 bit  GMP  3.66 \(\upmu \)s  0.27 s  13.92 MB/s 
128 bit  GMP  4.24 \(\upmu \)s  0.31 s  24.03 MB/s 
256 bit  GMP  6.37 \(\upmu \)s  0.47 s  31.98 MB/s 
512 bit  GMP  9.58 \(\upmu \)s  0.64 s  42.50 MB/s 
1024 bit  GMP  18.29 \(\upmu \)s  1.15 s  44.53 MB/s 
2048 bit  GMP  50.85 \(\upmu \)s  2.87 s  32.04 MB/s 
Benchmark of the vectorOLE protocol for \(k=240\)
Field size  Version  OLE time  Latency  Network 

32 bit  Optimized  0.70 \(\upmu \)s  0.12 s  31.70 MB/s 
64 bit  Optimized  1.14 \(\upmu \)s  0.25 s  38.86 MB/s 
32 bit  GMP  3.96 \(\upmu \)s  0.48 s  5.57 MB/s 
64 bit  GMP  3.97 \(\upmu \)s  0.48 s  11.12 MB/s 
128 bit  GMP  4.52 \(\upmu \)s  0.56 s  19.56 MB/s 
256 bit  GMP  6.61 \(\upmu \)s  0.82 s  26.75 MB/s 
512 bit  GMP  9.93 \(\upmu \)s  1.15 s  35.59 MB/s 
1024 bit  GMP  19.48 \(\upmu \)s  2.22 s  36.29 MB/s 
2048 bit  GMP  51.73 \(\upmu \)s  5.45 s  27.34 MB/s 
We note the protocol latency for 100bit security is about 2–3 times that of 80bit security. But for the amortized times the increase in security parameter comes cheaply because we double w in going from 80 to 100bit security.
In our setup, we need to execute between 2 and 3 OTs per single OLE. Given the results from [12] which were obtained on an architecture similar to ours, we can expect these to take an amortised time of 0.6 \(\upmu \)s, which as expected becomes insignificant as the field size grows, but cannot be ignored for the optimized version on smaller fields.
Timing of computation
Operation  Index 

Gauss elimination  100 
Luby decoding  22 
Luby encoding (\(\mathsf {Ecc}\))  3 
Encode \(c=M\cdot r\)  13 
Since the Gaussian elimination costs more than other parts of the protocol, this means that one would need to increase w for the amortization to work. However one could replace this step with any algorithm for solving linear systems, in particular algorithms taking advantage of matrix sparsity such as [53]. Finally one may take advantage of specific constructions of finite fields allowing for even faster arithmetic operations.
7 About the Assumptions
Our results rely on two types of assumptions, both of which can be viewed as natural arithmetic analogues of assumptions that have been studied in the boolean case. We discuss our instantiations of these assumptions below. In Sect. 7.1 we discuss the assumption we use for instantiating our constantoverhead vectorOLE protocol, whereas in Sect. 7.2 we discuss the additional assumption used for obtaining constantoverhead protocol for general arithmetic computations.
7.1 Instantiating Assumption 2 (Fast Pseudorandom Matrix)
An distribution ensemble \({\mathcal M}=\{ {\mathcal M}_k \}\) over \(m(k)\times k\) matrices is pseudorandom for noise rate \(\mu \) if it satisfies property 2 of Assumption 2. It is natural to assume that, for every \(m=\mathrm {poly}(k)\), a random \(m\times k\) matrix is pseudorandom over any finite field. (This is the arithmetic analogue of the DecisionalLearningParitywithNoise assumption [14, 29, 49]). However, Assumption 2 requires the corresponding linear map to be computable in O(m) arithmetic operations (together with an additional linearindependency condition). We suggest two possible instantiations for this assumption.
The DrukIshai Ensemble. Druk and Ishai [20] constructed, for any finite field \(\mathbb {F}\) and any code length \(m\in \mathrm {poly}(k)\), an ensemble \({\mathcal M}\) of lineartime computable (m, k) errorcorrecting code over \(\mathbb {F}\) whose distance approaches the GilbertVarshamov bound [25, 52] with overwhelming probability. It was further conjectured that, over the binary field, the ensemble is pseudorandom for arbitrary polynomial m(k).^{9} The assumption seems to hold for arbitrary finite fields as well. Moreover, the ensemble satisfies Condition 3 of Assumption 2 since, by [20, Theorem 5], every subset of \(m'=\omega (k)\) rows of the code generates, except with negligible probability, a code of distance \(11/\mathbb {F}o(1)\).
Alechnovich’s Ensemble. Alekhnovich [1, Remark 1] conjectured that sparse binary matrices which are “well expanding” are pseudorandom for constant noise rate. We will use the arithmetic version of this assumption. For this we will need the following definition.
Definition 2
Let \(G=(S_1,\ldots ,S_m)\) as a duniform hypergraph with m hyperedges over k nodes (hereafter referred to as (k, m, d)hypergraph). We say that G is expanding with threshold r and expansion factor c (in short G is (r, c)expanding) if the union of every set of \(\ell \le r\) hyperedges \(S_{i_1},\ldots , S_{i_{\ell }}\) contains at least \(c \ell \) nodes. For a field \(\mathbb {F}\) and (k, m, d)hypergraph G we define a probability distribution \({\mathcal M}(G,\mathbb {F})\) over \(m\times k\) matrices as follows: Take \(M_{i,j}\) to be a fresh random nonzero field element if j appears in the ith hyperedge of G; otherwise, set \(M_{i,j}\) to zero.
Assumption 6
(Arithmetic version of Alekhnovich’s assumption). For every constant \(d>3\), \(m=\mathrm {poly}(k)\), real \(\mu \in (0,1/2)\) and finite field \(\mathbb {F}\), the following holds for all sufficiently large k’s. If G is a (k, m, d)hypergraph which is (t, 2d / 3)expanding then any circuit of size \(T=\exp (\varOmega (t))\) cannot distinguish with advantage better than 1/T between \((M, \varvec{v})\) and \((M,M\varvec{r}+\varvec{e})\) where Open image in new window , Open image in new window , Open image in new window and Open image in new window .
 1.
(Expansion vs. Security) The assumption says that the level of security is exponential in the size of the smallest expanding set. In particular, an expansion threshold of \((k^{\epsilon })\) guarantees subexponential hardness.^{10} This bound is consistent with the best known attacks, and, over the binary field, can be analytically established for a large family of algorithms including myopic algorithms, semidefinite programs, lineartests, lowdegree polynomials, and constant depth circuits (see [6] and references therein). Many of these results can be established for the arithmetic setting as well. The constant 2d/3 (and the hidden constant in the Omega notation), determine the exact relation between expansion and security. The choice of 2d/3 is somewhat arbitrary, and it may be the case that an absolute expansion factor (which does not grow with d) suffice. For our practical implementation, we take an “optimistic” estimate and require an expansion factor slightly larger than 1, which guarantees that the support of rsize sets do not shrink.
 2.
(Variants) One may conjecture that the assumption holds with probability 1 over the choice of M. That is, any matrix (including 0–1 matrix) whose underlying graph is expanding is pseudorandom.
 3.
(Efficiency) Observe that since G is (k, m, d)hypergraph any matrix in the support of \({\mathcal M}(G,\mathbb {F}_p)\) is dsparse in the sense that each of its rows has exactly d nonzero elements. The linear mapping \(f_M:\varvec{x}\mapsto M\varvec{x}\) can be therefore computed by performing \(O(d m)=O(m)\) arithmetic operations.
 4.
(Linear Independency) Recall that Assumption 2 requires that a random subset of \(k \log ^2 k\) of the rows of M have, except with negligible probability, full rank. In Lemma 5 we show that this condition holds as long as G is semiregular in the sense that each of its nodes participates in at least \(\varOmega (m/k)\) hyperedges.
 5.
(Different noise distributions) The choice of i.i.d based noise is somewhat arbitrary and it seems likely that other noise distributions can be used. In fact, it seems plausible that one can use any noise distribution which has high entropy and cannot be approximated by a lowdegree function of few fresh variables (and thus is not subject to linearization attacks).
Given the above discussion, Assumption 2 now follows from Assumption 6 and the existence of an explicit family of expanders. The latter point is discussed in Sect. 7.2.
7.2 Instantiating Assumption 4 (\(\mathbf {{NC^0}}\) PolynomialStretch PRG)
In the binary setting, the existence of locallycomputable polynomialstretch PRG was extensively studied in the last decade. (See [4] and references therein.) Let \(f:\mathbb {F}^k\rightarrow \mathbb {F}^m\) be a dlocal function which maps a klong vector x into an mlong vector \((P_1(x_{S_1}),\ldots ,P(x_{S_m}))\) where \(S_i\in [k]^d\) is a dtuple and \(P_i\) is a dvariate multilinear polynomial. Over the binary field, it is conjectured that as long as the (k, m, d) hypergraph \(G=(S_1,\ldots ,S_m)\) is expanding and the \(P_i\)’s are sufficiently “nondegenerate” the function forms a good pseudorandom generator. (This is an extension of Goldreich’s original onewayness conjecture [28].) In fact, this is conjectured to be the case even if all the polynomials \(P_1,\ldots ,P_m\) are taken to be the same polynomial P. We denote the resulting function by \(f_{G,P}\) and make the analog arithmetic assumption. In the following we say that a function \(f:\mathbb {F}^k\rightarrow \mathbb {F}^m\) is Tpseudorandom if every circuit of size at most T cannot distinguish Open image in new window from Open image in new window with advantage better than 1/T.
Assumption 7
For every finite field \(\mathbb {F}\) and every polynomial m(k) there exists a constant d and a dvariate multilinear polynomial \(P:\mathbb {F}^d\rightarrow \mathbb {F}\) such that for every (k, m, d) hypergraph G which is (t, 2d / 3)expanding the function \(f_{G,P}:\mathbb {F}^k\rightarrow \mathbb {F}^m\) is \(\exp (\varOmega (t))\)pseudorandom over \(\mathbb {F}\).
As in the case of Alechnovich’s assumption, the constant 2/3 is somewhat arbitrary and a smaller constant may suffice. (A lowerbound of 1/d can be established.) In the binary setting, security was reduced to onewayness assumption [3] and was analytically established for a large family of algorithms including myopic algorithms, linear tests, statistical algorithms, semidefinite programs and algebraic attacks [6, 7, 11, 23, 38, 47]. Some of these results can be extended to the arithmetic setting as well.
On Explicit Unbalanced ConstantDegree Expanders. In order to employ Assumptions 6 and 7 one needs an explicit family of \((k,m=k^{1+\delta },d=O(1))\) hypergraphs which are \((k^{\epsilon },(1+\varOmega (1))d)\)expanding.^{11} This assumption is known to be necessary for the existence of dlocal (binary) PRG that stretches k bits to m bits [9], and so it was used (either explicitly or implicitly) in previous works who employed such a local PRG (e.g., [2, 34, 39, 40, 41]).
While recent advances in the theory of pseudorandomness have come close to generating such explicit highlyexpanding hypergraphs, in our regime of parameters (\(m=\omega (k)\) and \(d=O(1)\)), an explicit provable construction is still unknown. It is important to mention that, by a standard calculation (cf. [45]), a uniformly chosen hypergraph G (i.e., each hyperedge contains a random dsubset of the nodes) is likely to be \((r=\mathrm {poly}(k),2d/3)\)expanding except with some inverse polynomial failure probability \(\epsilon (k)\). Moreover, we can reduce the failure probability to \(1/k^c\) for an arbitrary (predetermined) constant c at the expense of increasing the sampling complexity to \(k^{b_c}\), where the constant b grows with c. (This can be done by rejecting hypergraphs which fail to expand for sets of size at most \(b_c\), and resampling the hypergraph if needed). As a result one gets a protocol that fails with “tunable” inverse polynomial probability which is independent of the runningtime of the adversary. Moreover, the failure event is restricted to a onetime setup phase and its probability does not increase with the number of times the protocol is executed. Such a guarantee seems to be satisfactory in most practical scenarios. Finally, we mention that there are several heuristic approaches for constructing unbalanced constantdegree expanding hypergraphs. For example, by using some fixed sequence of bits (e.g., the binary expansion of \(\pi \)) and interpreting it as an (k, m, d)hypergraph via some fixed translation. Assuming such a heuristic to give an explicit construction can be viewed as being a conservative “combinatorial” assumption, in the spirit of standard cryptographic assumptions.
Footnotes
 1.
More complex numerical computations can typically be efficiently reduced to these simple ones, e.g., by using suitable lowdegree approximations.
 2.
Our results extend naturally to the case of secure multiparty computation with no honest majority. We restrict the attention to the twoparty case for simplicity.
 3.
The protocol additionally uses standard “bitoperations,” but their complexity is dominated by the field operations for every field size.
 4.
More precisely, we need a polynomialstretch PRG with constant locality and constant degree, or equivalently, a polynomialstretch PRG which can be computed by a constantdepth (\(\mathbf {{NC^0}}\)) arithmetic circuit. For brevity, through the introduction we refer to such a PRG as being local and implicitly assume the additional constantdegree requirement.
 5.
This choice is related to our use of the lineartime decoding algorithm of Spielman [51], which can only be implemented in linear time in the RAM model (and requires quasilinear circuit size).
 6.
The following actually holds even for the case of general rings.
 7.
This hidden constant corresponds to the maximal complexity of encoding an output of f. The latter is at most cubic in the size of the branching program that computes \(f_i\) (and can be even smaller for some concrete useful special cases).
 8.
Indeed, since we remove a small subset of all possible noise patterns, the remaining patterns cannot be linearized, i.e., cannot be written as a lowdegree function of few fresh variables, and so known attacks do not seem to apply. Of course, one should make sure that the excluded noise patterns do not correlate somehow with the choice of the “pseudorandom” matrix M (say in a way that leaves few “special” coordinates of the secret random seed, r, uncovered). However, in our case, the matrix M is chosen at random independently of the choice of the LTcode (which determines the excluded noise patterns). See also the discussion in Sect. 7.
 9.
The basic construction is described for codes with codeword of length \(m=O(k)\); however, one can extend it for codes with codeword of polynomial length m(k), by independently sampling polynomially many \(O(k)\times k\) generating matrixes and placing them one on top of the other to get a \(\mathrm {poly}(k)\times k\) matrix. The pseudorandomness assumption of [20, Sect. 5.1] applies to this variant for arbitrary polynomial number of samples.
 10.
An exponential level of security requires expansion threshold of \(\varOmega (k)\) which can be achieved only when the number of rows is linearly larger than the number of columns.
 11.
One can always increase the number of hyperedges to arbitrary polynomial \(m=k^a\) at the expense of a minor loss in the other parameters. This can be done by taking a sequence of hypergraphs \(G_1,\ldots , G_c\) where \(G_i\) is a \((k^{(1+\delta )^{i1}},k^{(1+\delta )^{i}},d)\)hypergraphs which is (r, bd)expanding and compose them together (by treating the hyperedges of the ith graph as the nodes of the \((i+1)\)th hypergraph) and get a \((k,k^{(1+\delta )^i},D=d^c)\)hypergraph which is \((r/(bd)^{c1},bD)\)expanding. Taking c to be a sufficiently large constant (i.e., \(\log _{1+\delta } a)\), yields the required result.
Notes
Acknowledgements
The first and fifth authors were supported by the European Union’s Horizon 2020 Programme (ERCStG20142020) under grant agreement no. 639813 ERCCLC, by an ICRC grant and by the Check Point Institute for Information Security. The third author was supported in part by NSFBSF grant 2015782, BSF grant 2012366, ISF grant 1709/14, DARPA/ARL SAFEWARE award, NSF Frontier Award 1413955, NSF grants 1619348, 1228984, 1136174, and 1065276, a Xerox Faculty Research Award, a Google Faculty Research Award, an equipment grant from Intel, and an Okawa Foundation Research Grant. This material is based upon work supported by the DARPA through the ARL under Contract W911NF15C0205. The views expressed are those of the authors and do not reflect the official policy or position of the DoD, the NSF, or the U.S. Government. The second and forth author were supported by the advanced ERC grant MPCPRO.
References
 1.Alekhnovich, M.: More on average case vs approximation complexity. Comput. Complex. 20(4), 755–786 (2011)MathSciNetCrossRefzbMATHGoogle Scholar
 2.Ananth, P., Sahai, A.: Projective arithmetic functional encryption and indistinguishability obfuscation from degree5 multilinear maps. IACR Cryptology ePrint Archive 2016:1097 (2016)Google Scholar
 3.Applebaum, B.: Pseudorandom generators with long stretch and low locality from random local oneway functions. SIAM J. Comput. 42(5), 2008–2037 (2013)MathSciNetCrossRefzbMATHGoogle Scholar
 4.Applebaum, B.: Cryptographic hardness of random local functions  survey. Comput. Complex. 25(3), 667–722 (2016)CrossRefzbMATHGoogle Scholar
 5.Applebaum, B., Avron, J., Brzuska, C.: Arithmetic cryptography: extended abstract. In: Proceedings of the 2015 Conference on Innovations in Theoretical Computer Science, ITCS 2015, Rehovot, Israel, 11–13 January 2015, pp. 143–151 (2015)Google Scholar
 6.Applebaum, B., Barak, B., Wigderson, A.: Publickey cryptography from different assumptions. In: STOC, pp. 171–180 (2010)Google Scholar
 7.Applebaum, B., Bogdanov, A., Rosen, A.: A dichotomy for local smallbias generators. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 600–617. Springer, Heidelberg (2012). doi: 10.1007/9783642289149_34 CrossRefGoogle Scholar
 8.Applebaum, B., Ishai, Y., Kushilevitz, E.: Cryptography in NC\(^{0}\). SIAM J. Comput. 36(4), 845–888 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
 9.Applebaum, B., Ishai, Y., Kushilevitz, E.: On pseudorandom generators with linear stretch in NC\(^{0}\). Comput. Complex. 17(1), 38–69 (2008)MathSciNetCrossRefzbMATHGoogle Scholar
 10.Applebaum, B., Ishai, Y., Kushilevitz, E.: How to garble arithmetic circuits. SIAM J. Comput. 43(2), 905–929 (2014)MathSciNetCrossRefzbMATHGoogle Scholar
 11.Applebaum, B., Lovett, S.: Algebraic attacks against random local functions and their countermeasures. In: STOC, pp. 1087–1100 (2016)Google Scholar
 12.Asharov, G., Lindell, Y., Schneider, T., Zohner, M.: More efficient oblivious transfer extensions. Cryptology ePrint Archive, Report 2016/602 (2016). http://eprint.iacr.org/2016/602
 13.Beaver, D.: Correlated pseudorandomness and the complexity of private computations. In: STOC, pp. 479–488 (1996)Google Scholar
 14.Blum, A., Furst, M., Kearns, M., Lipton, R.J.: Cryptographic primitives based on hard learning problems. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 278–291. Springer, Heidelberg (1994). doi: 10.1007/3540483292_24 CrossRefGoogle Scholar
 15.Boneh, D., Franklin, M.K.: Efficient generation of shared RSA keys. J. ACM 48(4), 702–722 (2001)MathSciNetCrossRefzbMATHGoogle Scholar
 16.Bost, R., Popa, R.A., Tu, S., Goldwasser, S.: Machine learning classification over encrypted data. In: 22nd Annual Network and Distributed System Security Symposium, NDSS 2015, San Diego, California, USA, 8–11 February 2015Google Scholar
 17.Cramer, R., Damgård, I.: Secure distributed linear algebra in a constant number of rounds. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 119–136. Springer, Heidelberg (2001). doi: 10.1007/3540446478_7 CrossRefGoogle Scholar
 18.Damgård, I., Jurik, M.: A generalisation, a simplification and some applications of Paillier’s probabilistic publickey system. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 119–136. Springer, Heidelberg (2001). doi: 10.1007/3540445862_9 CrossRefGoogle Scholar
 19.Damgård, I., Pastro, V., Smart, N., Zakarias, S.: Multiparty computation from somewhat homomorphic encryption. In: SafaviNaini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 643–662. Springer, Heidelberg (2012). doi: 10.1007/9783642320095_38 CrossRefGoogle Scholar
 20.Druk, E., Ishai, Y.: Lineartime encodable codes meeting the GilbertVarshamov bound and their cryptographic applications. In: ITCS, pp. 169–182 (2014)Google Scholar
 21.Erkin, Z., Franz, M., Guajardo, J., Katzenbeisser, S., Lagendijk, I., Toft, T.: Privacypreserving face recognition. In: Goldberg, I., Atallah, M.J. (eds.) PETS 2009. LNCS, vol. 5672, pp. 235–253. Springer, Heidelberg (2009). doi: 10.1007/9783642031687_14 CrossRefGoogle Scholar
 22.Even, S., Goldreich, O., Lempel, A.: A randomized protocol for signing contracts. CACM 28(6), 637–647 (1985)MathSciNetCrossRefzbMATHGoogle Scholar
 23.Feldman, V., Perkins, W., Vempala, S.: On the complexity of random satisfiability problems with planted solutions. In: STOC, pp. 77–86 (2015)Google Scholar
 24.GiladBachrach, R., Dowlin, N., Laine, K., Lauter, K.E., Naehrig, M., Wernsing, J.: Cryptonets: applying neural networks to encrypted data with high throughput and accuracy. In: Proceedings of the 33rd International Conference on Machine Learning, ICML 2016, New York, NY, USA, 19–24 June 2016, pp. 201–210 (2016)Google Scholar
 25.Gilbert, E.N.: A comparison of signalling alphabets. Bell Syst. Tech. J. 31(3), 504–522 (1952)CrossRefGoogle Scholar
 26.Gilboa, N.: Two party RSA key generation. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 116–129. Springer, Heidelberg (1999). doi: 10.1007/3540484051_8 CrossRefGoogle Scholar
 27.Goldreich, O.: Foundations of Cryptography: Basic Applications, vol. 2. Cambridge University Press, Cambridge (2004)CrossRefzbMATHGoogle Scholar
 28.Goldreich, O.: Candidate oneway functions based on expander graphs. In: Goldreich, O. (ed.) Studies in Complexity and Cryptography. Miscellanea on the Interplay between Randomness and Computation. LNCS, vol. 6650, pp. 76–87. Springer, Heidelberg (2011). doi: 10.1007/9783642226700_10 CrossRefGoogle Scholar
 29.Goldreich, O., Krawczyk, H., Luby, M.: On the existence of pseudorandom generators. SIAM J. Comput. 22(6), 1163–1175 (1993)MathSciNetCrossRefzbMATHGoogle Scholar
 30.Goldreich, O., Micali, S., Wigderson, A.: How to play any mental game or a completeness theorem for protocols with honest majority. In: Proceedings of the 19th Annual ACM Symposium on Theory of Computing, New York, NY, USA, pp. 218–229 (1987)Google Scholar
 31.Ishai, Y., Kilian, J., Nissim, K., Petrank, E.: Extending oblivious transfers efficiently. In: Boneh, D. (ed.) CRYPTO 2003. LNCS, vol. 2729, pp. 145–161. Springer, Heidelberg (2003). doi: 10.1007/9783540451464_9 CrossRefGoogle Scholar
 32.Ishai, Y., Kushilevitz, E.: Randomizing polynomials: a new representation with applications to roundefficient secure computation. In: FOCS (2000)Google Scholar
 33.Ishai, Y., Kushilevitz, E.: Perfect constantround secure computation via perfect randomizing polynomials. In: Widmayer, P., Eidenbenz, S., Triguero, F., Morales, R., Conejo, R., Hennessy, M. (eds.) ICALP 2002. LNCS, vol. 2380, pp. 244–256. Springer, Heidelberg (2002). doi: 10.1007/3540454659_22 CrossRefGoogle Scholar
 34.Ishai, Y., Kushilevitz, E., Ostrovsky, R., Sahai, A.: Cryptography with constant computational overhead. In: STOC, pp. 433–442 (2008)Google Scholar
 35.Ishai, Y., Prabhakaran, M., Sahai, A.: Secure arithmetic computation with no honest majority. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 294–314. Springer, Heidelberg (2009). doi: 10.1007/9783642004575_18 CrossRefGoogle Scholar
 36.Keller, M., Orsini, E., Scholl, P.: Actively secure OT extension with optimal overhead. Cryptology ePrint Archive, Report 2015/546 (2015). http://eprint.iacr.org/2015/546
 37.Keller, M., Orsini, E., Scholl, P.: MASCOT: faster malicious arithmetic secure computation with oblivious transfer. In: Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016, pp. 830–842 (2016)Google Scholar
 38.Kothari, P.K., Mori, R., O’Donnell, R., Witmer, D.: Sum of squares lower bounds for refuting any CSP (2017). CoRR, abs/1701.04521Google Scholar
 39.Lin, H.: Indistinguishability obfuscation from constantdegree graded encoding schemes. In: Fischlin, M., Coron, J.S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 28–57. Springer, Heidelberg (2016). doi: 10.1007/9783662498903_2 CrossRefGoogle Scholar
 40.Lin, H.: Indistinguishability obfuscation from DDH on 5linear maps and locality5 PRGs. IACR Cryptology ePrint Archive 2016:1096 (2016)Google Scholar
 41.Lin, H., Vaikuntanathan, V.: Indistinguishability obfuscation from DDHlike assumptions on constantdegree graded encodings. In: FOCS, pp. 11–20 (2016)Google Scholar
 42.Luby, M.: LT codes. In: FOCS, p. 271. IEEE Computer Society (2002)Google Scholar
 43.Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010). doi: 10.1007/9783642131905_1 CrossRefGoogle Scholar
 44.Mohassel, P., Weinreb, E.: Efficient secure linear algebra in the presence of covert or computationally unbounded adversaries. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 481–496. Springer, Heidelberg (2008). doi: 10.1007/9783540851745_27 CrossRefGoogle Scholar
 45.Mossel, E., Shpilka, A., Trevisan, L.: On epsilonbiased generators in NC\(^{0}\). Random Struct. Algorithms 29(1), 56–81 (2006)CrossRefzbMATHGoogle Scholar
 46.Naor, M., Pinkas, B.: Oblivious polynomial evaluation. SIAM J. Comput. 35(5), 1254–1281 (2006)MathSciNetCrossRefzbMATHGoogle Scholar
 47.O’Donnell, R., Witmer, D.: Goldreich’s PRG: evidence for nearoptimal polynomial stretch. In: CCC, pp. 1–12 (2014)Google Scholar
 48.Paillier, P.: Publickey cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). doi: 10.1007/354048910X_16 CrossRefGoogle Scholar
 49.Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34:1–34:40 (2009)MathSciNetCrossRefzbMATHGoogle Scholar
 50.Sadeghi, A.R., Schneider, T., Wehrenberg, I.: Efficient privacypreserving face recognition. In: Lee, D., Hong, S. (eds.) ICISC 2009. LNCS, vol. 5984, pp. 229–244. Springer, Heidelberg (2010). doi: 10.1007/9783642144233_16 CrossRefGoogle Scholar
 51.Spielman, D.A.: Lineartime encodable and decodable errorcorrecting codes. IEEE Trans. Inf. Theory 42(6), 1723–1731 (1996)MathSciNetCrossRefzbMATHGoogle Scholar
 52.Varshamov, R.R.: Estimate of the number of signals in error correcting codes. In: Doklady Akademii Nauk SSSR, no. 117, pp. 739–741 (1957)Google Scholar
 53.Wiedemann, D.H.: Solving sparse linear equations over finite fields. IEEE Trans. Inf. Theory 32(1), 54–62 (1986)MathSciNetCrossRefzbMATHGoogle Scholar
 54.Yao, A.C.C.: How to generate and exchange secrets (extended abstract). In: FOCS, pp. 162–167 (1986)Google Scholar