Circuit Garbling and Yao's 2-party Computation
Arpita Patra
© Arpita Patra
School on Secure Multiparty Computation
Roadmap
o Yao's millionaire's problem - triggered the fundamental area of secure computation
o Generic secure 2-party computation (2PC)
o Yao's 2PC
- Garbled circuit
- Security goal
- Oblivious Transfer
o Tracing the journey of garbled circuits and some open questions
Yao's Millionaires' Problem
Protocols for Secure Computations (Extended Abstract). FOCS 1982: 160-164
Yao's millionaires' problem
[Figure: two millionaires holding ₹X and ₹Y ask which relation (<, =, >) holds between X and Y]
Find the richer without disclosing the exact value of individual assets
Turing award winner Andrew Yao
Secure 2-PC
[Figure: P1 holds x, P2 holds y; both learn f(x,y)]
- Mutually distrusting entities with individual private data
- Want to compute a joint function of their inputs without revealing anything beyond
Secure Multiparty Computation (MPC)
- Setup: n parties P1, ..., Pn; 'some' are corrupted
- A common n-input function f; Pi has private input xi
Goals:
o Correctness: Compute f(x1, x2, ..., xn)
o Privacy: Nothing beyond the function output must be leaked
MPC - holy grail
Applications (dual need of data privacy & data usability):
- E-voting
- E-auction
- Data Analytics
- Outsourcing
- Privacy-preserving ML
- Preventing Satellite Collision
Application of 2PC - Privacy-preserving Data mining
• How many patients suffering from AIDS in total?
• Are there any common patients registered for disease X in all the hospitals?
• Varieties of other statistics…
How to solve 2PC?
[Figure: IDEAL world secure 2PC protocol: the parties send their inputs x and y to a TTP, which returns f(x,y) to both]
• Trusted third party (TTP) → solution for secure 2PC
- Send input to TTP, obtain function output: Ideal solution
TTPs exist only in fairy tales!!
• Goal of a secure 2PC protocol: emulate the role of a TTP
Security goal of 2PC
[Figure: REAL world, where the parties run a 2PC protocol on x and y and each obtains f(x,y), is required to be indistinguishable (≈) from the IDEAL world, where they hand x and y to a TTP that returns f(x,y)]
- De-centralizing the trust
Circuit Representation of function
• Circuit abstraction
- f: represented as a Boolean circuit C
- Any efficiently computable f can be represented as a C
- C: DAG with input gates, output gates and internal Boolean gates ((AND, OR, NOT), (NAND), (NOR): universal gates)
• X, Y: L-bit non-negative integers, X = xL xL-1 … x2 x1 and Y = yL yL-1 … y2 y1
[Figure: a chain of 1-bit comparators; stage i takes xi, yi and the carry ci and outputs ci+1; the chain starts at the stage for x1 > y1 with c1 = 1 and ends at the stage for xL > yL, which outputs cL+1]
• ci+1 = 1 ⇔ (xi > yi) OR ([xi = yi] AND [ci = 1])
• ci+1 = xi ⊕ [(xi ⊕ ci) ∧ (yi ⊕ ci)]
• X ≥ Y ⇔ cL+1 = 1
1-bit comparator
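The comparator above, built as an explicit gate list and evaluated in the clear, as an added example (not code from the slides). The wire numbering is an assumption of the example: wire 0 carries the constant c1 = 1, wires 1..L the bits of X, wires L+1..2L the bits of Y, with bit 1 the least significant.

```python
# Added example (not from the slides): the L-bit "X >= Y" comparator as a
# Boolean circuit of XOR and AND gates, following the slide's recurrence
#   c_{i+1} = x_i XOR [(x_i XOR c_i) AND (y_i XOR c_i)],  c_1 = 1.
# Wire ids (assumed layout): 0 = constant 1 (c_1), 1..L = x_1..x_L,
# L+1..2L = y_1..y_L, later ids = gate outputs. Bit 1 is the LSB.


def build_comparator(L):
    """Return (gates, out_wire); each gate is (op, in_a, in_b, out)."""
    gates = []
    nxt = 2 * L + 1          # first unused wire id
    c = 0                    # wire carrying c_i; starts on the constant-1 wire
    for i in range(1, L + 1):
        x, y = i, L + i
        t1, t2, t3, c_next = nxt, nxt + 1, nxt + 2, nxt + 3
        gates.append(("XOR", x, c, t1))       # x_i XOR c_i
        gates.append(("XOR", y, c, t2))       # y_i XOR c_i
        gates.append(("AND", t1, t2, t3))     # (x_i XOR c_i) AND (y_i XOR c_i)
        gates.append(("XOR", x, t3, c_next))  # c_{i+1}
        c, nxt = c_next, nxt + 4
    return gates, c


def evaluate_clear(gates, wires):
    """Plain evaluation (no garbling): wires maps wire id -> bit."""
    for op, a, b, out in gates:
        wires[out] = wires[a] & wires[b] if op == "AND" else wires[a] ^ wires[b]
    return wires


def circuit_ge(X, Y, L):
    """X >= Y computed only through the circuit; X, Y must fit in L bits."""
    gates, out = build_comparator(L)
    wires = {0: 1}                          # c_1 = 1 makes equality give X >= Y
    for i in range(1, L + 1):
        wires[i] = (X >> (i - 1)) & 1       # x_i
        wires[L + i] = (Y >> (i - 1)) & 1   # y_i
    return evaluate_clear(gates, wires)[out]


def and_gate_count(L):
    """Only the AND gates cost ciphertexts once XOR gates are free (history slide)."""
    return sum(1 for g in build_comparator(L)[0] if g[0] == "AND")
```

Each stage is three XORs and one AND, so the comparator for L-bit inputs has exactly L AND gates.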
Circuit Garbling
What we do? What is the goal?
o Encode/Garble the circuit
o Encode input
o Evaluate encoded circuit on encoded input and get encoded output
o Decode output using decoding information
o Nothing beyond function output is leaked
✓ Preserves input privacy
✓ No leaking of intermediate gate outputs
✓ No leaking of output if decoding info is withheld
Yao: secure circuit evaluation
- Parties jointly evaluate the circuit securely
- Only final outcome revealed during evaluation
- Intermediate values remain private
The making of Garbled Circuit
[Figure: a two-gate circuit: an AND gate (inputs a, b, output c; truth table 00→0, 01→0, 10→0, 11→1) feeding an OR gate (truth table 00→0, 01→1, 10→1, 11→1). In the key-box picture, each wire value 0/1 is replaced by a key, and each truth-table row becomes a box that holds the output key and opens only with the two matching input keys.]
Evaluating a Garbled circuit vs. Evaluating a circuit
[Figure: the same two-gate circuit evaluated in the clear on a = 0, b = 1 (AND output 0, then OR output 0) beside its garbled version evaluated on the corresponding keys]
Is all Okay?
[Figure: the same garbled two-gate circuit with its truth tables and boxes]
What happens if the ciphertexts are given in the order?
Replacing key-box with Cryptographic Mechanisms
[Figure: the two-gate circuit with a key pair per wire, (k1^0, k1^1), (k2^0, k2^1), (k3^0, k3^1), (k4^0, k4^1), (k5^0, k5^1); the AND gate is garbled as the ciphertexts C1, C2, C3, C4 and the OR gate as C5, C6, C7, C8, shown alongside the plain truth tables]
Evaluating a Garbled circuit vs. Evaluating a circuit
[Figure: the evaluator holds k1^0, k2^1 and k4^0 together with C1, …, C8; in the clear this is the input a = 0, b = 1 with output 0]
Something may be wrong…
[Figure: the garbled two-gate circuit with key pairs (k1^0, k1^1), …, (k5^0, k5^1) and ciphertexts C1, …, C8 next to the clear evaluation on a = 0, b = 1]
- Which ciphertext to decrypt?
- Try all
- Which decrypted value to go for?
- SKE with 'special correctness'
Making things all right…
[Figure: the same garbled circuit: key pairs (k1^0, k1^1), …, (k5^0, k5^1) and ciphertexts C1, …, C8]
(G, E, D) has 'special correctness'
Evaluating Garbled circuit vs. Evaluating a circuit
[Figure: with k1^0 and k2^1 the evaluator opens exactly one of C1, …, C4 and obtains k3^0; with k3^0 and k4^0 it opens exactly one of C5, …, C8 and obtains k5^0, which corresponds to the clear output 0 on input a = 0, b = 1]
What security from SKE is needed?
[Figure: the evaluation above; the evaluator holds one key per wire and opens one ciphertext per gate, leaving three unopened ciphertexts per gate]
- A bad evaluator should have no info about what the three unopened ciphertexts contain
- If it can guess the unopened messages are the same for an AND gate, then it knows the meaning of the key it decrypted!
Security game: keys k0, k1 on one input wire and k'0, k'1 on the other; the adversary supplies two triples (x0, y0, z0), (x1, y1, z1); for a hidden bit b it receives
c0 ← Enc_k0(Enc_k'1(xb))
c1 ← Enc_k1(Enc_k'0(yb))
c2 ← Enc_k1(Enc_k'1(zb))
and outputs a guess b' ∈ {0,1}
+ 'chosen double ciphertext security'
Oblivious Transfer
[Figure: sender S holds m1, m2; receiver R holds a choice bit r; R obtains mr; S learns nothing about r (r = ?) and R learns nothing about the other message (m1-r = ?)]
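The exchange in the figure, as an added example (not from the slides), written in the Diffie-Hellman "simplest OT" style: S offers two messages, R ends with the one selected by r, S never sees r, and R cannot open the other one. The messages are named m0, m1 so that r indexes them directly; the modulus is a toy choice for the example.

```python
# Added example (not from the slides): a 1-out-of-2 oblivious transfer in the
# "simplest OT" style (Diffie-Hellman key agreement twisted by the choice bit).
# S holds m0, m1; R holds r and ends with m_r; S never learns r, and R holds
# no key for m_{1-r}. Assumption: P = 2^127 - 1 (a Mersenne prime) is a TOY
# modulus so the arithmetic runs fast; a deployment uses a standard group/KDF.
import hashlib
import secrets

P = 2**127 - 1
G = 5


def kdf(x, n):
    """Derive an n-byte pad from a group element (domain-labelled)."""
    return hashlib.shake_256(b"ot-pad" + x.to_bytes(16, "big")).digest(n)


def xor(pad, data):
    return bytes(a ^ b for a, b in zip(pad, data))


def sender_round1():
    a = secrets.randbelow(P - 2) + 1
    return a, pow(G, a, P)                       # A = G^a, sent to R


def receiver_round1(A, r):
    b = secrets.randbelow(P - 2) + 1
    B = pow(G, b, P) if r == 0 else (A * pow(G, b, P)) % P   # r hides in B
    return b, B


def sender_round2(a, A, B, m0, m1):
    """S derives one key per message; only the key matching r is reachable by R."""
    k0 = pow(B, a, P)                                   # (G^b)^a = G^ab if r = 0
    k1 = pow((B * pow(A, -1, P)) % P, a, P)             # (B/A)^a = G^ab if r = 1
    return xor(kdf(k0, len(m0)), m0), xor(kdf(k1, len(m1)), m1)


def receiver_round2(b, A, r, c0, c1):
    k = pow(A, b, P)                                    # G^ab, whichever r is
    c = c1 if r else c0
    return xor(kdf(k, len(c)), c)


def run_ot(m0, m1, r):
    """Full exchange for one transfer; returns what R ends up with."""
    a, A = sender_round1()
    b, B = receiver_round1(A, r)
    c0, c1 = sender_round2(a, A, B, m0, m1)
    return receiver_round2(b, A, r, c0, c1)
```

In Yao's protocol the two messages are the two keys of one of the evaluator's input wires and r is the evaluator's input bit on that wire.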
Yao's 2-Party Protocol
[Figure: P0 (GC Constructor, input x) and P1 (GC Evaluator, input y) for the single AND gate z = xy on wires with keys (k1^0, k1^1) for x, (k2^0, k2^1) for y and (k3^0, k3^1) for z; shown for x = 0, y = 0, z = 0]
- GC: (C1, C2, C3, C4) + decoding info: ( )
- The keys for x: P0 sends k1^0, the key for its own input, directly
- OT: P0 offers (k2^0, k2^1), P1's choice bit is y = 0, and P1 receives k2^0
- P1 decrypts with k1^0 and k2^0 to obtain k3^0 and decodes the output 0
Yao's 2-Party Protocol
[Figure: P0 (GC Constructor) holds X = (x1, x2, …, xk); P1 (GC Evaluator) holds Y = (y1, y2, …, yk); both end with the output Z]
- P0 sends the Garbled Circuit + decoding information and the keys for X
- OT1: P0 offers (k1^0, k1^1), P1 chooses y1 and receives k1^y1; …; OTk: P0 offers (kk^0, kk^1), P1 chooses yk and receives kk^yk
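The single-gate protocol above, together with the 'try all' evaluation and the 'special correctness' requirement from the earlier slides, as one added example (not code from the slides): P0 garbles z = x AND y, sends its own key and the decoding information, P1 obtains its key for y (the OT is replaced by a direct lookup standing in for an ideal OT) and opens exactly one of the four ciphertexts. The hash-based encryption scheme and the key sizes are assumptions of the example.

```python
# Added example (not from the slides): garble one AND gate z = x AND y with an
# SKE that has "special correctness", then run the slide's Yao flow on it:
# P0 garbles, sends its own key for x and the decoding info; P1 gets its key for
# y through OT (an ideal OT stand-in here) and tries all four ciphertexts.
import hashlib
import os
import random

KEY_LEN = 16
TAG = bytes(KEY_LEN)  # zero block appended to every plaintext (assumed scheme)

def enc(key, msg):
    """Nonce + hash-derived pad over (msg || zero block)."""
    r = os.urandom(KEY_LEN)
    pad = hashlib.shake_256(key + r).digest(len(msg) + KEY_LEN)
    return r + bytes(a ^ b for a, b in zip(pad, msg + TAG))

def dec(key, ct):
    """Special correctness: a wrong key leaves a random tail, so return None."""
    r, body = ct[:KEY_LEN], ct[KEY_LEN:]
    pad = hashlib.shake_256(key + r).digest(len(body))
    pt = bytes(a ^ b for a, b in zip(pad, body))
    return pt[:-KEY_LEN] if pt[-KEY_LEN:] == TAG else None

def garble_and_gate():
    """P0: two keys per wire (k1: x, k2: y, k3: z); C1..C4 in shuffled order."""
    k = {w: (os.urandom(KEY_LEN), os.urandom(KEY_LEN)) for w in ("k1", "k2", "k3")}
    cts = [enc(k["k1"][x], enc(k["k2"][y], k["k3"][x & y]))
           for x in (0, 1) for y in (0, 1)]
    random.shuffle(cts)  # the order of the ciphertexts must not reveal the row
    decode_info = {k["k3"][0]: 0, k["k3"][1]: 1}
    return k, cts, decode_info

def evaluate_gate(kx, ky, cts):
    """P1: try all four; exactly one passes both special-correctness checks."""
    opened = []
    for c in cts:
        inner = dec(kx, c)
        out = dec(ky, inner) if inner is not None else None
        if out is not None:
            opened.append(out)
    assert len(opened) == 1, "special correctness violated"
    return opened[0]

def yao_and(x, y):
    """P0 holds x, P1 holds y; returns z = x AND y as P1 decodes it."""
    k, cts, decode_info = garble_and_gate()  # P0's side
    kx = k["k1"][x]                          # P0 sends its key for x directly
    ky = k["k2"][y]                          # P1 obtains this via OT (ideal stand-in)
    return decode_info[evaluate_gate(kx, ky, cts)]  # P1 evaluates and decodes
```

Without the zero-block check P1 would get four plausible-looking 16-byte strings and no way to tell which is the real output key, which is the problem the 'special correctness' slide raises.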
Circuit Garbling - Tracing the history
- Free XOR / FleXOR [KS08, KMR14]: No ciphertext and no crypto operations for XOR gates
- Garbled Row Reduction:
o [NPS99]: 4-to-3 ciphertexts
o [PSSW09, GNLP15, ZRE15]: 4-to-2 ciphertexts (optimal for AND)
o [KKKS15]: 4 bits (for formulaic circuits)
o [Kol05]: 0 bits (for formulaic circuits + key length dependent on depth)
- Point-and-permute [NPS99]:
o No 'special correctness' needed
o Only one ciphertext needs to be decrypted
- From technique to primitive [BHR12a, BHR12b]: Privacy, Obliviousness, Authenticity and verifiability
- Applications in ZK, outsourcing computation [JKO13]: Privacy-free GC
Stay tuned to our reading group
Circuit Garbling - Recent Results
- Size-zero Privacy-free Garbled circuits for Formulas [KP17]: Under submission
- Zero knowledge Protocols from Garbled circuits [GKPS17]: Under submission
o 3, 2 and 1 round protocols
o Any private garbled circuit is also authentic
- Non-interactive Secure Computation [PS17]: Under submission