6 research outputs found

    Smoothing Codes and Lattices: Systematic Study and New Bounds

    In this article we revisit smoothing bounds in parallel between lattices and codes. Initially introduced by Micciancio and Regev, these bounds were instantiated with Gaussian distributions and were crucial for arguing the security of many lattice-based cryptosystems. Unencumbered by direct application concerns, we provide a systematic study of how these bounds are obtained for both lattices and codes, transferring techniques between both areas. We also consider multiple choices of spherically symmetric noise distribution. We found that the best strategy for a worst-case bound combines Parseval's Identity, the Cauchy-Schwarz inequality, and the second linear programming bound, and this holds for both codes and lattices and all noise distributions at hand. For an average-case analysis, the linear programming bound can be replaced by a tight average count. This alone gives optimal results for spherically uniform noise over random codes and random lattices. This also improves the previous Gaussian smoothing bound for worst-case lattices, but surprisingly this provides even better results with uniform ball noise than for Gaussian (or Bernoulli noise for codes). This counter-intuitive situation can be resolved by adequate decomposition and truncation of Gaussian and Bernoulli distributions into a superposition of uniform noise, giving further improvement for those cases, and putting them on par with the uniform cases.

    On list recovery of high-rate tensor codes

    We continue the study of list recovery properties of high-rate tensor codes, initiated by Hemenway, Ron-Zewi, and Wootters (FOCS’17). In that work it was shown that the tensor product of an efficient (poly-time) high-rate globally list recoverable code is approximately locally list recoverable, as well as globally list recoverable in probabilistic near-linear time. This was used in turn to give the first capacity-achieving list decodable codes with (1) local list decoding algorithms, and with (2) probabilistic near-linear time global list decoding algorithms. This also yielded constant-rate codes approaching the Gilbert-Varshamov bound with probabilistic near-linear time global unique decoding algorithms. In the current work we obtain the following results: 1. The tensor product of an efficient (poly-time) high-rate globally list recoverable code is globally list recoverable in deterministic near-linear time. This yields in turn the first capacity-achieving list decodable codes with deterministic near-linear time global list decoding algorithms. It also gives constant-rate codes approaching the Gilbert-Varshamov bound with deterministic near-linear time global unique decoding algorithms. 2. If the base code is additionally locally correctable, then the tensor product is (genuinely) locally list recoverable. This yields in turn (non-explicit) constant-rate codes approaching the Gilbert-Varshamov bound that are locally correctable with query complexity and running time N^{o(1)}. This improves over prior work by Gopi et al. (SODA’17; IEEE Transactions on Information Theory’18) that only gave query complexity N^ε with rate that is exponentially small in 1/ε. 3. A nearly-tight combinatorial lower bound on output list size for list recovering high-rate tensor codes. This bound implies in turn a nearly-tight lower bound of N^{Ω(1/log log N)} on the product of query complexity and output list size for locally list recovering high-rate tensor codes.

    Oblivious Transfer with constant computational overhead

    The computational overhead of a cryptographic task is the asymptotic ratio between the computational cost of securely realizing the task and that of realizing the task with no security at all. Ishai, Kushilevitz, Ostrovsky, and Sahai (STOC 2008) showed that secure two-party computation of Boolean circuits can be realized with constant computational overhead, independent of the desired level of security, assuming the existence of an oblivious transfer (OT) protocol and a local pseudorandom generator (PRG). However, this only applies to the case of semi-honest parties. A central open question in the area is the possibility of a similar result for malicious parties. This question is open even for the simpler task of securely realizing many instances of a constant-size function, such as OT of bits. We settle the question in the affirmative for the case of OT, assuming: (1) a standard OT protocol, (2) a slightly stronger “correlation-robust” variant of a local PRG, and (3) a standard sparse variant of the Learning Parity with Noise (LPN) assumption. An optimized version of our construction requires fewer than 100 bit operations per party per bit-OT. For 128-bit security, this improves over the best previous protocols by 1–2 orders of magnitude. We achieve this by constructing a constant-overhead pseudorandom correlation generator (PCG) for the bit-OT correlation. Such a PCG generates N pseudorandom instances of bit-OT by locally expanding short, correlated seeds. As a result, we get an end-to-end protocol for generating N pseudorandom instances of bit-OT with o(N) communication, O(N) computation, and security that scales sub-exponentially with N. Finally, we present applications of our main result to realizing other secure computation tasks with constant computational overhead. These include protocols for general circuits with a relaxed notion of security against malicious parties, protocols for realizing N instances of natural constant-size functions, and reducing the main open question to a potentially simpler question about fault-tolerant computation.

    Lossless dimension expanders via linearized polynomials and subspace designs

    For a vector space F^n over a field F, an (η, β)-dimension expander of degree d is a collection of d linear maps Γ_j : F^n → F^n such that for every subspace U of F^n of dimension at most ηn, the image of U under all the maps, Σ_{j=1}^{d} Γ_j(U), has dimension at least β dim(U). Over a finite field, a random collection of d = O(1) maps Γ_j offers excellent “lossless” expansion whp: β ≈ d for η ≥ Ω(1/d). When it comes to a family of explicit constructions (for growing n), however, achieving even modest expansion factor β = 1 + ε with constant degree is a non-trivial goal. We present an explicit construction of dimension expanders over finite fields based on linearized polynomials and subspace designs, drawing inspiration from recent progress on list decoding in the rank metric. Our approach yields the following: Lossless expansion over large fields; more precisely β ≥ (1 − ε)d and η ≥ (1 − ε)/d with d = O_ε(1), when |F| ≥ Ω(n). Optimal up to constant factors

    Bounds for list-decoding and list-recovery of random linear codes

    A family of error-correcting codes is list-decodable from error fraction p if, for every code in the family, the number of codewords in any Hamming ball of fractional radius p is less than some integer L. It is said to be list-recoverable for input list size ℓ if for every sufficiently large subset of at least L codewords, there is a coordinate where the codewords take more than ℓ values. In this work, we study the list size of random linear codes for both list-decoding and list-recovery as the rate approaches capacity. We show the following claims hold with high probability over the choice of the code (below q is the alphabet size, and ε > 0 is the gap to capacity). (1) A random linear code of rate 1 − log_q(ℓ) − ε requires list size L ≥ ℓ^{Ω(1/ε)} for list-recovery from input list size ℓ. (2) A random linear code of rate 1 − h_q(p) − ε requires list size L ≥ ⌊h_q(p)/ε + 0.99⌋ for list-decoding from error fraction p. (3) A random binary linear code of rate 1 − h_2(p) − ε is list-decodable from average error fraction p with list size L ≤ ⌊h_2(p)/ε⌋ + 2. Our lower bounds follow by exhibiting an explicit subset of codewords so that this subset—or some symbol-wise permutation of it—lies in a random linear code with high probability. Our upper bound follows by strengthening a result of (Li, Wootters, 2018).

    Correlated pseudorandomness from expand-accumulate codes

    A pseudorandom correlation generator (PCG) is a recent tool for securely generating useful sources of correlated randomness, such as random oblivious transfers (OT) and vector oblivious linear evaluations (VOLE), with low communication cost. We introduce a simple new design for PCGs based on so-called expand-accumulate codes, which first apply a sparse random expander graph to replicate each message entry, and then accumulate the entries by computing the sum of each prefix. Our design offers the following advantages compared to state-of-the-art PCG constructions: (1) competitive concrete efficiency backed by provable security against relevant classes of attacks; (2) an offline-online mode that combines near-optimal cache-friendliness with simple parallelization; (3) concretely efficient extensions to pseudorandom correlation functions, which enable incremental generation of new correlation instances on demand, and to new kinds of correlated randomness that include circuit-dependent correlations. To further improve the concrete computational cost, we propose a method for speeding up a full-domain evaluation of a puncturable pseudorandom function (PPRF). This is independently motivated by other cryptographic applications of PPRFs.