Worldsof HSS

Algo C Minicrypt LaplandLCryptomaniacaentriatrivial Spook

Branchingpoint fusttprograms

xconstantdegMultivariate polynomials

Relatednotion Pseudorandom

forrelationEenerators

p

What are correlations here

Recall 2 PC

Alice a or Bob L

c

fca.hr

ZPC with correlated randomness

BobbAliciaFa

rat ruter

c

fearr is cheaper than MI 1

informationtheoretic public keycrypto

Classic example Oblivion TransferOT

OI Twoparities

Simo un Ri b C oil

oTIMu

OT is complete for secure computationcrayptomania object i.e requires public key

operations1123

But information theoretic wpreprocessing

Beaver 40

R b S mom

i m a.mn

f hot PmonotonyM Mitohits

eMo i Uf

output mutomiMr

Correctness By inspection

Security I is OTP for frin j is OTPforMi r

0T correlation

f nip Cui in'D

D OT correlation Ik NP03 OT

bi wi bi 4 ic.eu C wit wi A ic.eu

Ro R

Ro R F GenConCit n

i compress Ro R into short seedssuccinct generation of correlations

Pca Two algorithms

Ko dg no

Gen

Esrk

Correctness

Ko ro Ro

i nen Ic

JordenEsrK R

Security

Tricky to define Simulation based

definition not possible

Intuition due to Yao incompressible

entropy of protocol thats Rock

by expandin

Reverse sampleability U rEE.nlRo R Corben la

Rt RSample G Rrl r

RI RrRo Ri Ic RE Rf

For OT RSample

Given WiWitold sample to on

output ftp.witobD

Given Cbimini sample D oil

set each Mitti Mili

output Mio mi

Paasecyrity fr Eloi

World 0 World1

KoikeGersch KoikeGench

Rr ExpanderKr Rrr Expanctrki r

output ki r Rr Rr RSampleGR

output Ko Rr

Distributions 2

Intuition captures that other party'scorrelation as good as sampled Cohen

even when given one key

Turns out to be good enough when setuporacle distributes expanded randomness

Relation to Hss

Given a Pca for general additive degreedcorrelations for constant d we can

construct our HSS scheme for degdn variate polynomials guare size

is linear in n

Not going to cover transformation or

Pch for deg d correlations but willcover core idea applications to OT PCU

Recall 0T correlation

Roz iiwitODieeny.R ti wi bid.eeHe HeSender Receiver

Define functions

fsci _wifr i witobia

Ofs Ro CI fr R

Combining them

flit fsciltof.ci 10 it til0 ifbi 0

Looks likeLook familiar Multi point functionBut it's not sparse unclear how to compress

D DN i specific instantiation used here

Fix integers mm t based on X

Itwon t set of 41 bit vectors of size miand Hamming Weight t

C probabilistic generation algorithm

that outputs Mxn binary matrix H

Assumption

World 0 World1

withoutput Hib output H b

Wo I Wc I

c m s n s

F Metsecret sparse binary H c 1vector

uniform u bitvectorpublic matrix

Each hi e HiSpate app public weights

cotupressible via FSSLocal evaluation

Pch Gen0 elo.ite Awtset fe.ca foitei i

0 otherwise

n n r

fo f MPFSS feoOutput Koffo Ll K ft e

Tear

Expand Cr Krif T o sender Cfo Ko

set I s t CJ foG He.wsntldon.eraDww.H CEwiHiu7 icLug

Ro wi wi Dieter

else 5 1 cream ft e K

Set L e H Kei Hi7 ices

J f fig tempT H Gi Hi i een

R b v

Correctness i

Vi IT Hi 7 2 fig Hi 24 7toe D Hijtenz

EfigsHi DIE HiTi Ti

Vi wi to b D

Need to argue Ic Ro R Corben

wi ears D ti item i i0bi0Jic.eu

uniform

peu

wi c us D ti item i i0bi0Jic.eu

si Hiqui's LPN

MPFSS pseudorandomness

Fc 24 HiiH must be full rank

woverwhelming probIs UX for LPN

Security

Receiver given K bi wi 4D

Ideal RsampleCRD i Redx i

Delon i O elo.it

Rio Wi Wi D ic.eu I By correctness R wi wi 0

Identicalconditioned on Ki Ro is set by A

Sender i given Ko 5Cwi wi D ic.eu

Ideal Rsamplecro i Realn i

b e oil ee HWt.nu b EHI i

fo t Inness TeoR bi Oi biblical i

R bi wi biotitesdepends on e

Hybrid f Simes P

Efficiency seed size

Pay to transmit FSS rigs for t pt fu

t X tog m E 0 Ilg Xxx x

Correlation size X y 0 Xt

yo

Protocol for setup IDs173 Oct tog m OTSs 0 Floyd

Comm