Cryptology ePrint Archive: Report 2020/970

Efficient Protocols for Oblivious Linear Function Evaluation from Ring-LWE

Carsten Baum and Daniel Escudero and Alberto Pedrouzo-Ulloa and Peter Scholl and Juan Ramón Troncoso-Pastoriza

Abstract: An oblivious linear function evaluation protocol, or OLE, is a two-party protocol for the function $f(x) = ax + b$, where a sender inputs the field elements $a,b$, and a receiver inputs $x$ and learns $f(x)$. OLE can be used to build secret-shared multiplication, and is an essential component of many secure computation applications including general-purpose multi-party computation, private set intersection and more.

In this work, we present several efficient OLE protocols from the ring learning with errors (RLWE) assumption. Technically, we build two new passively secure protocols, which build upon recent advances in homomorphic secret sharing from (R)LWE (Boyle et al., Eurocrypt 2019), with optimizations tailored to the setting of OLE. We upgrade these to active security using efficient amortized zero-knowledge techniques for lattice relations (Baum et al., Crypto 2018), and design new variants of zero-knowledge arguments that are necessary for some of our constructions.

Our protocols offer several advantages over existing constructions. Firstly, they have the lowest communication complexity amongst previous, practical protocols from RLWE and other assumptions; secondly, they are conceptually very simple, and have just one round of interaction for the case of OLE where $b$ is randomly chosen. We demonstrate this with an implementation of one of our passively secure protocols, which can perform more than 1 million OLEs per second over the ring $\mathbb{Z}_m$, for a 120-bit modulus $m$, on standard hardware.

Category / Keywords: Oblivious Linear Evaluation, Two-Party Computation

Original Publication (with major differences): SCN 2020

Date: received 8 Aug 2020

Contact author: escudero at cs au dk

Available format(s): PDF | BibTeX Citation

Version: 20200818:082254 (All versions of this report)

Short URL:

[ Cryptology ePrint archive ]