Difference between silent VOLE and silent OT.

[yyy977]

The silent VOLE procedure contains noisy VOLE, but silent OT not. Is this for security concerns to add noisy VOLE? Or can I find some papers for reference.

[ladnir]

How does silent OT work?

• The sender samples a scaler d in some field F
• The receiver samples a sparse binary vector A'
• The parties use a PPRF to get secret shares of d * A' which we will denote as B',C'. Note that dA'=B-C
• The parties use an LPN friendly matrix G to compute
• A=GA'
• B=GB'
• C=GC'
• We now have uniformly random A,B,C such that dA = B-C. In particular, A is no longer sparse.
• The receiver outputs Choice bits A and messages m_{i,Ai}=H(B_i)
• The sender outputs messages , m_i0=H(C_i), m_i1=H(C_i+d)

Where does this fail for VOLE? Well the definition of VOLE is to have d*A=B-C where all are over the field F. However, the basic protocol for silent OT only works when A is binary.

Why? the functionality of PPRF allows one party to choose a index i and another to choose a value d. They then get to learn two random vector B',C' such that B'-C' is a unit vector with the value d' at position i. e.g.

B'-C' = 0000000000000d0000
                     ^
                     i'th position.                                     

You can repeat this several times, once for each non-zero of A' and add the results together.

Since A' is binary for silent OT, this is exactly what we want. A'_i*d=1*d=d. For VOLE, we need need the A' vector to be a sparse vector over F, not binary. So now A'_i is some random element in F and we want B'-C' to have the value A'_i * d at position i. The idea for doing this is cleaver.

We first perform another VOLE (noisy vole), where the inputs are a vector A'' and the scaler d, where A'' are the t non-zero values of A'. This gives us a secret sharing of A''*d. Instead of using d as the value to be used in the PPRF, this party (sender) will use their jth share of A''*d for the jth PPRF input scaler. The parties then get vectors B'-C' which is sparse and at the non-zero locations holds the sender's shares of A''*d. We can translate these shares to be what we want (i.e. dA'=B'-C') by having the receiver add their shares of A''*d to B' at the positions that they know the non-zeros are at. That is, they chose A' so that know where the non-zeros are.

Hope this help, Peter

[yyy977]

Thanks for your reply! That really helps a lot! And is it unsecured to use subfield VOLE directly in PSI construction?

[ladnir]

Your set would need to be binary or something. Doesn't make much sense.

[ladnir]

You could use subfield but not binary (aka OT).

And when you arent doing binary you need to noisy vole subprotocol for the construction to work. If you did use binary in the vole, the A vector would be binary and would not not be able to use it to securely mask the okvs. Since you need to one time pad encrypt the okvs with A.

So that's what I meant. You need to run psi with a binary okvs. But that doesn't meet the requirements of the psi protocol.

[yyy977]

Got it! Thanks again for your help!