530 likes | 849 Views
Cryptography. Lecture 13 Arpita Patra. Disclaimer: Most of the slides are borrowed from Ashish Choudhury. Today’s Goal. Yao’s millionaire’s problem- triggered fundamental area of secure computation. Generic secure 2-party computation (2PC). - Security goal. Yao’s 2PC.
E N D
Cryptography Lecture 13 ArpitaPatra Disclaimer: Most of the slides are borrowed from Ashish Choudhury
Today’s Goal • Yao’s millionaire’s problem- triggered fundamental area of secure computation • Generic secure 2-party computation (2PC) - Security goal • Yao’s 2PC - Garbled circuit approach - Special SKE
Yao’s Millionaires’ Problem • Formulated by Turing award winner Andrew Yao Protocols for Secure Computations (Extended Abstract). FOCS 1982: 160-164 • Yao’s millionaires’ problem ? < = > ₹ X ₹ Y Find the richer without disclosing exact value of individual assets
Secure 2PC f( x , y ) P2 : y P1 : x f(x, y) f(x, y) • Mutually distrusting entities with individual private data - Want to compute a joint function of their inputs without revealing anything beyond
Secure 2-PC f(x, y) No additional information to be revealed beyond f(x, y) P2 : y P1 : x f(x, y) f(x, y) • A very powerful abstraction - Models almost all real-world distributed computing applications
Applications of 2PC - I • Privacy-preserving data mining • How many patients suffering from AIDS in total ? • Are there any common patient registered for disease X in all the hospitals ? • Varieties of other statistics … • Privacy of individual databases needs to be preserved
Applications of 2PC - II • Secure e-auction • Only the highest bid should be revealed • No “additional” information about individual bids to be revealed Bid1 Bid2 • Loosing bidder will always learn its bid is less than the winner • Is this a privacy breach ?
How to solve 2PC? • Trusted third party (TTP) solution for secure 2PC • Send input to TTP, obtain function output : Ideal solution x y x y f(x,y) f(x,y) f(x,y) TTP IDEAL world secure 2PC protocol TTPs exist only in fairy tales!!
Security goal of 2PC • Goal of a secure 2PC protocol : emulate the role of a TTP • De-centralizing the trust y y x x f(x,y) f(x,y) TTP f(x, y) f(x, y) 2PC protocol IDEAL world REAL world
Today’s Goal • Yao’s millionaire’s problem- triggered fundamental area of secure computation • Generic secure 2-party computation (2PC) - Security goal • Yao’s 2PC - Garbled circuit approach - Special SKE
Circuit Abstraction f(x, y) P2 : y P1 : x • Circuit abstraction • f : represented as a publicly known Boolean circuit C • Any efficiently computable f can be represented as a C • C: DAG with input gates, output gates and internal Boolean gates ((AND, OR, NOT), (NAND), (NOR): universal gates)
Circuit Abstraction Example • X, Y: L-bit non-negative integers ? > = X Y ₹ X ₹ Y c1 = 1 1-bit comparator x1 y1 ci > > > … … y1 x1 x2 y2 xL-1 yL-1 x2 y2 yL xL c2 > xi yi cL ci+1 yL • ci+1 = 1 (xi > yi) OR ([xi = yi] AND [ci = 1]) xL cL+1 • ci+1 = xi [(xi ci) (yi ci)] • X Y cL+1 = 1
Secure Circuit Evaluation Yao: secure circuit evaluation • Parties jointly evaluate the circuit securely • Only final outcome revealed during evaluation • Intermediate values remain private Y X c1 = 1 Circuit Garbling • Encode the circuit > > > y1 x2 y2 x1 • Encode input c2 • Evaluate encoded circuit on encoded input and get encoded output • Decode output using decoding information cL yL xL f(X, Y)
Oblivious Transfer (OT) Will be used as a tool in Yao’s garbled circuits • Formulated by Turing award winner Michael O. Rabin Michael O. Rabin. How to exchange secrets with oblivious transfer. Technical Report TR-81, Aiken Computation Lab, Harvard University, 1981. Required security properties : m1-b = ? b = ? b {0, 1} mb {m0, m1} 1-out-of-2 OT S R
Garbled Circuit : Illustration of the Idea • Let P1 and P2 want to securely compute AND function --- c = f(a, b) • Security requirement for P1: if c = 0, b = 0 then a should remain private a = 0 a = 1 • Security requirement for P2: if c = 0, a = 0 then b should remain private b = 0 b b a a b = 1 c = 0 c = 1 • P1 garbles the circuit as follows : Associate 2 indistinguishable keys with a, corresponding to a = 0 and a = 1 Given only a key, P2 cannot find whether it corresponds to a = 0 or a = 1 --- association known only to P1 • Similarly associate 2 indistinguishable keys with b and c
Garbled Circuit : Illustration of the Idea B0 a = 0 a = 0 a = 0 a = 1 a = 1 a = 1 B1 b = 0 b = 0 b = 0 B2 b b a a B3 b = 1 b = 1 b = 1 • P1 garbles the circuit as follows : c = 0 c = 1 Take 4 double-locked boxes B0, B1, B2, B3 • B0locked with keys for a = 0, b = 0 --- inside B0 the key for c = 0 kept • B1 locked with keys for a = 0, b = 1 --- inside B1 the key for c = 0 kept • B2 locked with keys for a = 1, b = 0 --- inside B2 the key for c = 0 kept • B3 locked with keys for a = 1, b = 1 --- inside B3 the key for c = 1 kept • i = 2a+b Bi locked with keys for a and b and c-key for AND(a, b) kept inside
Garbled Circuit : Illustration of the Idea B0 a = 0 a = 1 B1 b = 0 B2 Random b b a a B3 b = 1 • P1shuffles the boxes randomly and sends them to P2 c = 0 c = 1
Garbled Circuit : Illustration of the Idea Let a = 0 Let b = 1 a = 0 a = 1 OT b = 0 b = 0 b b a a b = 1 b = 1 b c = 0 c = 1 From the key, P2 cant tell if a = 0 or a = 1 • P1 sends its garbled input to P2: • Sends the key corresponding to its bit a • P2obliviously obtains its garbled input • P2receives the key corresponding to its bit b How to do ? • P1 should not learn which key received by P2 Oblivious transfer (OT) • P2 should not learn the key for 1 - b
Garbled Circuit : Illustration of the Idea Let a = 0 Let b = 1 a = 0 a = 1 b = 0 b b a a b = 1 • P2 has two keys : one for unknown a and for its b Privacy of mutual input bits P2 will not know the association of the key in the opened box Assuming a box can be opened only by the right pair of keys • P1 does not know b c = 0 c = 1 • P2evaluates the garbled circuit • Tries opening the four boxes using available pair of keys • Only one box will be opened --- corresponding to a = 0, b = 1 • P2 will not know the “label” of opened box --- boxes are randomly shuffled • The opened box will have the key corresponding to c = 0
Garbled Circuit : Illustration of the Idea Let a = 0 Let b = 1 a = 0 a = 1 b = 0 b b a a b = 1 c = 0 c = 0 c = 0 c = 1 • P2 sends the key in the opened box to P1 to find its label • P1 on receiving the key cannot find which box was opened at P2’s end • P1 on receiving the key identifies the corresponding label • The corresponding label is the output of AND --- communicated to P2
Garbled Circuit : The Actual Protocol b b a a c 0 1 1 1 0 0 0 1 1 0 1 0 ka kc kc kb kb ka ka kc kc ka kb kb • {0, 1}n : random keys for a symmetric encryption scheme • The symmetric key encryption scheme needs to have special properties
Garbled Circuit : The Actual Protocol b b a a c 1 0 0 0 0 1 0 1 0 1 0 0 1 0 0 1 0 1 1 0 1 1 0 1 0 0 0 1 1 0 kc kc kc kb kb ka kc ka kc kb kc kc ka ka ka kb ka kb kb ka ka kb kc kb kb ka kc kc ka kb c11 = Enc (Enc ( )) c01 = Enc (Enc ( )) c01 = Enc (Enc ( )) c00 = Enc (Enc ( )) c00 = Enc (Enc ( )) c11 = Enc (Enc ( )) c10 = Enc (Enc ( )) c10 = Enc (Enc ( )) Random shuffling Garbled AND truth table
Garbled Circuit : The Actual Protocol Let a = 0 Let b = 1 OT b b a a 1 b c 1 1 0 1 0 0 0 1 b 0 1 kb kc kc ka kb ka kb kb kb ka kb c00, c01, c10, c11 c11, c00, c10, c01 • P1 sends to P2garbled a --- the key corresponding to bit a • P2obliviously receives its garbled b from P1 --- the key corresponding to bit b
Garbled Circuit : The Actual Protocol Let a = 0 Let b = 1 b b a a c 1 0 1 0 0 1 0 0 0 1 kc kb kc kb ka kb kb ka ka ka c00, c01, c10, c11 c11, c00, c10, c01 • P2 does not learn the value of a from --- indistinguishability of keys • P1 does not learn the value of b during OT --- receiver’s security of OT • P2 does not learn the other key --- sender’s security of OT
Garbled Circuit : The Actual Protocol Let a = 0 Let b = 1 c11 c00 c10 c01 Dec (Dec ( )) Dec (Dec ( )) Dec (Dec ( )) Dec (Dec ( )) b b a a c 1 0 1 0 1 0 0 0 1 1 0 1 1 0 1 0 0 kc kc kb ka ka kb kb ka ka kb ka kb kb ka ka kc kb c00, c01, c10, c11 c11, c00, c10, c01 • P2decrypts each of the four available ciphertexts using available pair of keys • P2 will be able to decrypt the correct ciphertextif the encryption scheme has: • Elusive range: encryption under a random key k1cannot be an encryption under another random key k2 k1with high probability • Verifiable range: given a ciphertext c and a key k, one can efficiently verify whether c is a valid encryption of some message m, under the key k
Garbled Circuit : The Actual Protocol Let a = 0 Let b = 1 c11 c00 c10 c01 Dec (Dec ( )) Dec (Dec ( )) Dec (Dec ( )) Dec (Dec ( )) b b a a c 0 1 1 0 1 0 1 0 0 1 0 0 1 1 0 0 0 1 ka kb kb ka kc kb ka kb kc kc ka kb kb kb ka kc ka ka c = 0 c00, c01, c10, c11 c = 0 c11, c00, c10, c01 • P2 will not be able to identify the label of the correctly decrypted ciphertext • It could be c01 as well as c11 with equal probability • P2 sends the decrypted message to P1 to identify its label • P1 does not learn which ciphertext out of (c01, c11) decrypted correctly by P2 • P1 identifies the label of the decrypted message and sends the result to P2
Yao’s 2 Party Protocol GC Constructor GC Evaluator P1 P0 Y = (y1,y2,…yk) X = (x1,x2,…xk) Construct a Garbled Circuit GC for Circuit C Keys corresponding to X = (x1,x2,…xk)and GC y1 k0w1 OTk OT1 k1w1 ky1w1 yk k0wk k1wk kykwk Evaluate GC with the given input keys and interpret the output Z using output decryption tables Z
Yao’s Garbled Circuit from “Special” SKE Garbled AND Gate R1: K = M = C >> Recall that one pair opens one and only one box >> In usual SKE, a wrong key lead to a wrong message, but the decryption does not fail (SKEs are usually use OTP principle). >> Consequence in Yao 2PC: How does the circuit evaluator know which decrypted value is the intended output key? Correctness of 2PC will fail!! SKE with elusive range and efficiently verifiable range Drawbacks: Multiple trial-decryption + Huge Ciphertext size for SKEs with above security property + Involved Correctness proof
Yao’s Garbled Circuit from “Special” SKE Point & Permute [NPS99]: k0w1|p1 k1w1|1-p1 k0w4|p4 k1w4|1-p4 k0w3|p3 k1w3|1-p3 k0w2|p2 k1w2|1-p2 >> A random bitcalled permutation bit will be associated with every wire >> The permutation bits corresponding to input wires of a gate are used to permute the ciphertexts k0w5|p5 k1w5|1-p5 k0w6|p6 k1w6|1-p6 + >> will be placed at (p1p2)th row k0w7|p7 k1w7|1-p7 >> assuming p1 =p2 = 1 Garbled AND Gate >> given just one of the permutation bits for each wire, the row where the ciphertext is placed will look random and will not leak any information about the meaning of the input and output keys! >> No requirement from SKE! Correctness of 2PC from GC taken care !
Yao’s Garbled Circuit from “Special” SKE R1: K|{0,1} = M = C >> SKE must be such that an bad evaluator should have no information about what the three unopened ciphertext contains >> E.g. if it can guess the unopened message are same and the gate is AND, then it knows the meaning of the key it decrypted! >> Very subtle security definition is required! >> Double encryption security
Chosen Double Encryption (CDE) Security b = b’ cde k0, k1 (x0,y0,z0), (x1,y1,z1) = (Gen, Enc, Dec), , k b b’ b {0, 1} PrivK (k) Post-challenge Training with oracles Enc**(Enck’1(**)) Enck’0(Enc** (**)) A, c0 Enck0 (Enck’1(xb)) PPT Attacker A k’0, k’1 c1 Enck’0(Enck1 (yb)) c2 Enck’0(Enck’1 (zb)) Let me verify I can break b’ {0, 1} Game Output 0 --- attacker lost 1 --- attacker won cde Pr = 1 Gen PrivK (k) is CDE-secure if for every PPT A, there is a negligible function negl, such that: A, ½ + negl(n)
Chosen Plain-text Attack (CPA) Security b {0, 1} m0, m1 , |m0| = |m1| b = b’ cpa b b’ PrivK (k) Post-challenge Training Training Phase A, = (Gen, Enc, Dec), , k PPT Attacker A c Enck(mb) k Let me verify I can break b’ {0, 1} Game Output 0 --- attacker lost 1 --- attacker won cpa Pr = 1 Gen(1n) PrivK (n) is CPA-secure if for every PPT A, there is a negligible function negl, such that: A, Every CPA-secure scheme is also CDE-secure! ½ + negl(n)
Completing the Picture k0w1|p1 k1w1|1-p1 k0w4|p4 k1w4|1-p4 k0w3|p3 k1w3|1-p3 k0w2|p2 k1w2|1-p2 Garbled Circuit: Garbled gates + output decryption tables k0w5|p5 k1w5|1-p5 k0w6|p6 k1w6|1-p6 + k0w7|p7 k1w7|1-p7 1. Give input keys corresponding to the inputs and the garbled circuit. 2. For every gate, decrypt the encryption pointed by permutation bits of the input keys of a gate, get the output key and its permutation bit 3. For the output gate, the key corresponding to the output value for given inputs is obtainedand is translated to correct output using the decryption tables.
Yao’s 2 Party Protocol GC Constructor GC Evaluator P1 P0 Y = (y1,y2,…yk) X = (x1,x2,…xk) Construct a Garbled Circuit GC for Circuit C Keys corresponding to X = (x1,x2,…xk)and GC y1 k0w1 OTk OT1 k1w1 ky1w1 yk k0wk k1wk kykwk Evaluate GC with the given input keys and interpret the output Z using output decryption tables Z
Yao’s 2 Party Protocol- Security for P1 GC Constructor GC Evaluator P1 P0 Y = (y1,y2,…yk) X = (x1,x2,…xk) Construct a Garbled Circuit GC for Circuit C Keys corresponding to X = (x1,x2,…xk)and GC y1 k0w1 OTk OT1 k1w1 ky1w1 Security will reduce to the OT security for the receiver yk k0wk k1wk kykwk Evaluate GC with the given input keys and interpret the output Z using output decryption tables Z
Yao’s 2 Party Protocol- Security for P0 GC Constructor GC Evaluator P1 P0 Y = (y1,y2,…yk) X = (x1,x2,…xk) Construct a Garbled Circuit GC for Circuit C Security will reduce to the OT security for the sender Keys corresponding to X = (x1,x2,…xk)and GC y1 k0w1 OTk Three unopened ciphertext must not leak info- CDE security OT1 k1w1 ky1w1 yk k0wk k1wk kykwk Evaluate GC with the given input keys and interpret the output Z using output decryption tables Z
Yao’s 2-party Protocol • P1 does the following: • Garbling the circuit : • Associate two random indistinguishable keys with each wire • Construct the garbled truth table for each gate • Randomly permute the garbled truth tables and send to P2 • Sending garbled inputs : • P1 sends the keys associated with its inputs to P2 • P1 obliviously sends the keys associated with the inputs of P2 • P2 does the following: • Evaluating the garbled circuit : • Decrypts the correct ciphertext from each garbled truth table using the pair of keys associated with the gate input wires • Sends to P1 the keys obtained corresponding to the output wires and obtain their labels to know the function output
Take-home Message • 2-PC: fundamental problem in distributed cryptography • Extensively studied theoretically over the past three decades • Recently grabbed attention of practitioners • Future directions • Not possible to list down here • Will require an entire lecture to list them down !! • See the proceedings of any flagship crypto/security conference --- dedicated sessions for 2-PC
Yao’s Protocol Demonstration : A Larger Circuit (a, b) (c) w1 w2 Random n-bit keys associated with wire wi w3 b c a G2 = G1 = w4 b 1-b 1 0 1 0 0 0 1 0 1 1 k3 ki ki k1 k5 k5 k4 k4 k2 k3 k2 k1 w5
Yao’s Protocol Demonstration : A Larger Circuit (a, b) (c) w1 w2 w3 Garbled G1 w4 b c a G1 = G2 = 0 1 1 0 1 1 1 1 1 0 0 1 0 0 1 0 1 1 1 0 0 0 0 0 0 0 0 1 1 0 1 1 0 1 k1 k4 k4 k1 k2 k1 k5 k4 k2 k2 k4 k4 k4 k3 k2 k3 k5 k5 k2 k3 k2 k5 k5 k4 k5 k1 k3 k4 k4 k4 k3 k3 k1 k1 w5 G2 G2 G2 G1 G1 G2 G1 G1 Garbled G2 c10 = Enc (Enc ( )) c10 = Enc (Enc ( )) c11 = Enc (Enc ( )) c11 = Enc (Enc ( )) c00 = Enc (Enc ( )) c00 = Enc (Enc ( )) c01 = Enc (Enc ( )) c01 = Enc (Enc ( ))
Yao’s Protocol Demonstration : A Larger Circuit (a, b) (c) w1 w2 w3 w4 b c a G1 = G2 = 1 1 0 0 0 0 0 1 1 1 0 1 1 1 0 1 1 0 1 0 1 0 0 0 1 0 0 0 0 1 1 1 1 1 0 0 1 0 0 0 1 1 0 0 1 1 1 0 1 0 0 0 1 1 1 1 0 0 k4 k1 k1 k1 k4 k4 k1 k4 k1 k4 k4 k4 k3 k3 k2 k2 k5 k4 k3 k1 k1 k2 k3 k5 k4 k5 k2 k5 k3 k5 k4 k5 k5 k3 k2 k1 k4 k4 k1 k5 k2 k4 k2 k4 k5 k3 k5 k3 k2 k2 k2 k4 k3 k1 k4 k4 k3 k4 w5 G2 G1 G1 G2 G1 G1 G2 G2 G1 G2 G2 G1 G1 G2 G1 G2 Random shuffling c10 = Enc (Enc ( )) c11 = Enc (Enc ( )) c11 = Enc (Enc ( )) c10 = Enc (Enc ( )) c11 = Enc (Enc ( )) c11 = Enc (Enc ( )) c10 = Enc (Enc ( )) c10 = Enc (Enc ( )) c01 = Enc (Enc ( )) c00 = Enc (Enc ( )) c00 = Enc (Enc ( )) c00 = Enc (Enc ( )) c01 = Enc (Enc ( )) c01 = Enc (Enc ( )) c00 = Enc (Enc ( )) c01 = Enc (Enc ( ))
Yao’s Protocol Demonstration : A Larger Circuit (a, b) (c) w1 w2 Let a = 0, b = 1 OT Let c = 1 w3 w4 b c a G2 = G1 = c 1 0 1 1 1 1 1 0 0 0 1 1 1 0 0 0 1 1 1 1 1 1 0 0 0 0 1 1 1 0 0 0 0 0 0 0 0 0 1 0 1 0 1 1 0 1 1 1 0 1 1 0 1 0 0 0 0 1 1 1 0 1 0 k4 k1 k1 k1 k1 k4 k4 k4 k4 k4 k5 k5 k2 k2 k1 k4 k2 k4 k3 k1 k3 k4 k4 k3 k2 k5 k1 k2 k3 k3 k5 k5 k3 k4 k2 k2 k3 k2 k4 k4 k2 k3 k3 k4 k4 k2 k2 k3 k1 k5 k4 k4 k3 k5 k1 k4 k5 k1 k1 k5 k3 k5 k3 k3 w5 c 1 G1 G1 G2 G1 G2 G2 G2 G1 G2 G1 G1 G2 G1 G2 G1 G2 c11 = Enc (Enc ( )) c11 = Enc (Enc ( )) c11 = Enc (Enc ( )) c10 = Enc (Enc ( )) c11 = Enc (Enc ( )) c10 = Enc (Enc ( )) c10 = Enc (Enc ( )) c10 = Enc (Enc ( )) c01 = Enc (Enc ( )) c00 = Enc (Enc ( )) c00 = Enc (Enc ( )) c01 = Enc (Enc ( )) c01 = Enc (Enc ( )) c01 = Enc (Enc ( )) c00 = Enc (Enc ( )) c00 = Enc (Enc ( ))
Yao’s Protocol Demonstration : A Larger Circuit (a, b) (c) c00 c11 c01 c10 w1 w2 Dec (Dec ( )) Dec (Dec ( )) Dec (Dec ( )) Dec (Dec ( )) Let a = 0, b = 1 Let c = 1 w3 w4 b c a G2 = G1 = 0 0 0 0 0 1 1 0 1 0 1 0 0 0 0 0 1 1 0 1 1 1 1 1 0 0 1 0 0 0 0 1 0 1 0 1 0 1 1 1 0 1 1 0 1 1 1 1 0 0 1 0 1 1 1 0 1 0 0 1 1 1 1 1 1 k4 k1 k4 k1 k1 k4 k1 k4 k3 k4 k5 k1 k2 k2 k4 k1 k4 k2 k4 k2 k2 k5 k4 k4 k3 k4 k4 k4 k3 k3 k4 k5 k2 k4 k2 k5 k3 k4 k3 k5 k3 k4 k5 k1 k5 k2 k1 k1 k4 k1 k1 k2 k1 k1 k2 k3 k2 k3 k1 k4 k3 k2 k5 k2 k2 w5 G1 G1 G1 G2 G1 G2 G2 G1 G1 G1 G1 G2 G2 G1 G2 G2 G1 G2 c11 = Enc (Enc ( )) c11 = Enc (Enc ( )) c10 = Enc (Enc ( )) c11 = Enc (Enc ( )) c10 = Enc (Enc ( )) c11 = Enc (Enc ( )) c10 = Enc (Enc ( )) c10 = Enc (Enc ( )) c00 = Enc (Enc ( )) c01 = Enc (Enc ( )) c00 = Enc (Enc ( )) c01 = Enc (Enc ( )) c00 = Enc (Enc ( )) c00 = Enc (Enc ( )) c01 = Enc (Enc ( )) c01 = Enc (Enc ( )) G1 G1
Yao’s Protocol Demonstration : A Larger Circuit (a, b) (c) c00 c10 c11 c01 w1 w2 Dec (Dec ( )) Dec (Dec ( )) Dec (Dec ( )) Dec (Dec ( )) Let a = 0, b = 1 Let c = 1 w3 w4 b c a G2 = G1 = 0 0 0 0 0 1 1 0 1 0 0 1 0 1 1 0 1 1 0 1 1 0 1 0 0 0 1 0 0 0 0 1 0 1 1 0 1 1 1 0 1 1 0 1 1 1 1 0 0 0 1 1 1 1 1 1 1 1 1 0 1 1 0 0 1 1 1 k1 k4 k1 k4 k4 k1 k4 k1 k4 k4 k2 k3 k5 k2 k5 k4 k2 k1 k5 k4 k4 k4 k2 k3 k4 k2 k4 k4 k4 k5 k2 k5 k3 k4 k1 k3 k2 k3 k3 k2 k5 k4 k3 k5 k3 k1 k5 k5 k4 k4 k4 k2 k1 k3 k4 k2 k5 k1 k3 k4 k3 k3 k5 k1 k3 k4 k3 w5 G2 G2 G2 G1 G1 G1 G2 G1 G2 G2 G1 G1 G1 G2 G2 G1 G2 G2 c10 = Enc (Enc ( )) c10 = Enc (Enc ( )) c11 = Enc (Enc ( )) c11 = Enc (Enc ( )) c10 = Enc (Enc ( )) c10 = Enc (Enc ( )) c11 = Enc (Enc ( )) c11 = Enc (Enc ( )) c00 = Enc (Enc ( )) c00 = Enc (Enc ( )) c01 = Enc (Enc ( )) c01 = Enc (Enc ( )) c00 = Enc (Enc ( )) c01 = Enc (Enc ( )) c01 = Enc (Enc ( )) c00 = Enc (Enc ( )) G2 G2
Yao’s Protocol Demonstration : A Larger Circuit (a, b) (c) w1 w2 Let a = 0, b = 1 Let c = 1 w3 w4 c b a G2 = G1 = Obtained by P2 by evaluating the circuit { , } { , } { , } { , } { , } 1 0 0 1 1 1 1 0 0 0 1 0 0 1 1 1 1 1 0 0 0 k1 k3 k4 k1 k4 k2 k3 k2 k4 k3 k1 k5 k2 k5 k5 k3 k5 k5 k4 k2 k1 w5 Selected by P1 a b c = 0 a b c = 0 • If P1 is corrupted • Will anyhow learn c from a, b and a b c • If P2 is corrupted • Will learn nothing more than that a b = 1
Yao’s 2-party Protocol : Complexity • Number of rounds : • P1 P2 : garbled truth table + garbled input of P1 • P1 P2 : parallel instances of OT to enable P2 get its garbled input • OT instances can start simultaneously with P1 communicating its garbled input • Total = number of rounds for an instance of OT ( = 2) • P2 P1 : values obtained along the output gate • Garbling scheme can be modified so that in the garbled output table, the output value is encrypted instead of output key • 1 round of communication • Round complexity = 2 + 1 = 3
Yao’s 2-party Protocol : Complexity • Communication complexity : • P1 P2 : garbled truth table + garbled input of P1 • Each garbled input O(n) bit symmetric key • Each garbled circuit 4 ciphertexts, each of O(n) bits • P1 P2 : OT instances to enable P2 get its garbled input • P2 P1 : bits along the output wires • If z = f(x, y), where P1 has input x and P2 has input y and circuit for f has C gates then : • Communication complexity = O(|x| n) + O(|C| n) + O(|y| ComOT) + O(|z|) • ComOT : communication complexity of one instance of OT
Yao’s 2-party Protocol : Complexity • Computation complexity : • P1: • Associating 2 n-bit symmetric keys with each wire • Computing 4 |C| double encryptions • Participating in |y| instances of OT with pairs of n-bit inputs • P2: • Participating in |y| instances of OT with choice bits • Decrypting 4 ciphertexts in each garbled table to find the correct decryption • Overall the computation has mostly symmetric-key operations except the OT instances
Yao’s 2-party Protocol : Various Optimizations • Reducing the size of the garbled table: • P1 associates keys with the wires in a special way so that each garbled table has less than 4 ciphertexts • Free-XOR technique : no garbled table required for XOR gates V. Kolesnikov and T. Schneider: Improved Garbled Circuit: Free XOR Gates and Applications. ICALP (2) 2008: 486-498 • Garbled row reduction (GRR): garbled table for non-XOR gates consisting of only two ciphertexts B. Pinkas, T. Schneider, N. P. Smart, S. C. Williams: Secure Two-Party Computation Is Practical. ASIACRYPT 2009: 250-267 • Free-XOR and GRR are incompatible • Tradeoff : more XOR gates then use Free-XOR technique • Try to “introduce” as many number of XOR gates as possible without changing the functionality