CircuitGarblingandYao’s2-partyComputation

ArpitaPatra

©Arpita Patra

SchoolonSecureMultipartyComputation

Roadmap

o Yao’smillionaire’sproblem- triggeredfundamentalareaofsecurecomputation

o Genericsecure2-partycomputation(2PC)

o Yao’s2PC

- Garbledcircuit

- Securitygoal

- ObliviousTransfer

o Tracingthejourneyofgarbledcircuitsandsomeopenquestions

Yao’sMillionaires’Problem

ProtocolsforSecureComputations(ExtendedAbstract).FOCS1982:160-164

Yao’smillionaires’problem

₹X ₹Y

?

<

=

>

Findthericherwithoutdisclosingexactvalueofindividualassets

TuringawardwinnerAndrewYao

Secure2-PC

P1 :x P2 :y

f(x ,y )

f(x,y) f(x,y)

- Mutuallydistrustingentitieswithindividualprivatedata

- Wanttocomputeajointfunctionoftheirinputswithoutrevealinganythingbeyond

SecureMultipartyComputation(MPC)

– Setup:- n partiesP1,....,Pn;‘some’are corrupted

- Acommonn-inputfunctionf- Pi hasprivateinputxi

Goals:o Correctness:Computef(x1,x2,..xn)

o Privacy:Nothingbeyondfunctionoutputmustbeleaked

MPC– holygrail

E-voting

E-auction DataAnalytics

Outsourcing

Privacy-preservingML

PreventingSatelliteCollision

Applications:(Dualneedofdataprivacy&datausability)

Applicationof2PC- Privacy-preservingDatamining

• HowmanypatientssufferingfromAIDSintotal?

• ArethereanycommonpatientregisteredfordiseaseXinallthehospitals?

• Varietiesofotherstatistics…

Howtosolve2PC?

x y

TTP

IDEALworldsecure2PCprotocol

f(x,y)f(x,y)f(x,y)

• Trustedthirdparty(TTP)® solutionforsecure2PC

Ø SendinputtoTTP,obtainfunctionoutput:Idealsolution

x y

TTPsexistonlyinfairytales!!

• Goalofasecure2PCprotocol:emulate theroleofaTTP

Securitygoalof2PC

x y

REALworld

2PCprotocol

f(x,y) f(x,y)TTP

f(x,y)

x y

IDEALworld

»

f(x,y)

Ø De-centralizingthetrust

Circuit Representation of function

• Circuitabstraction

Ø f:representedasa BooleancircuitC

Ø AnyefficientlycomputablefcanberepresentedasaC

Ø C:DAG withinputgates,outputgatesandinternalBooleangates((AND,OR,NOT),(NAND),(NOR):universalgates)

• X,Y:L-bit non-negativeintegers

xL xL-1 … x2 x1 yL yL-1 … y2 y1X Y

>xi yi

ci

ci+1

• ci+1 =1« (xi >yi)OR([xi =yi]AND[ci =1])

• ci+1 =xiÅ [(xiÅ ci)Ù (yiÅ ci)]

x1 > y1

c1 =1

x2 > y2

>xL yL

cL

c2

cL+1

• X³ Y« cL+1 =1

1-bitcomparator

CircuitGarbling

o Encode/Garble thecircuit

o Encode input

o Evaluateencoded circuitonencodedinputandgetencoded output

o Decode outputusingdecodinginformation

o Nothingbeyondfunctionoutputisleaked

ü Preservesinputprivacy

ü Noleakingofintermediategateoutputs

Whatwedo? Whatisthegoal?

ü Noleakingofoutputifdecodinginfoiswithheld

Yao:securecircuitevaluationØ PartiesjointlyevaluatethecircuitsecurelyØ OnlyfinaloutcomerevealedduringevaluationØ Intermediatevaluesremainprivate

ThemakingofGarbledCircuita b

c

0 0 0

0 1 0

1 0 0

1 1 1

0 0 0

0 1 1

1 0 1

1 1 1

0 1

0 0

0

a b

c

10 1 0

0 1 10

0 1

EvaluatingaGarbledcircuitvs.Evaluatingacircuit

a b

c

0

a b

c

0 0 0

0 1 0

1 0 0

1 1 1

0 0 0

0 1 1

1 0 1

1 1 1

0 1

0 0

0

IsallOkay?a b

c

a b

c

0 0 0

0 1 0

1 0 0

1 1 1

0 0 0

0 1 1

1 0 1

1 1 1

0 1

0 0

0

Whathappensiftheciphertextsaregivenintheorder?

Replacingkey-boxwithCryptographicMechanisms

a b

c

k10 k1

1 k20 k2

1

k30 k3

1 k40 k4

1

k50 k5

1

C1C2C3C4

C5C6C7C8

a b

c

0 0 0

0 1 0

1 0 0

1 1 1

0 0 0

0 1 1

1 0 1

1 1 1

0 1

0 0

0

EvaluatingaGarbledcircuitvs.Evaluatingacircuit

a b

c

k10 k2

1

k40

C1C2C3C4

C5C6C7C8

a b

c

0 1

0

Somethingmaybewrong…a b

c

k10 k1

1 k20 k2

1

k30 k3

1 k40 k4

1

k50 k5

1

C1C2C3C4

C5C6C7C8

a b

c

0 1

0

0

- Whichciphertexttodecrypt?

- Tryall

- Whichdecryptedvaluetogofor?

- SKEwith`specialcorrectness’

Makingthingsallright…a b

c

k10 k1

1 k20 k2

1

k30 k3

1 k40 k4

1

k50 k5

1

C1C2C3C4

C5C6C7C8

(G,E,D)has`specialcorrectness’

EvaluatingGarbledcircuitvs.Evaluatingacircuita b

c

k10 k2

1

k40

C1C2C3C4

C5C6C7C8

a b

c

0 1

0 k30

k50

k50 k5

1

WhatsecurityfromSKEisneeded?a b

c

k10 k2

1

k40

C1C2C3C4

C5C6C7C8

k30

k50

k50 k5

1

- anbad evaluatorshouldhavenoinfoaboutwhatthethreeunopenedciphertextcontain

- ifitcanguesstheunopenedmessagearesameforanAND gate,thenitknowsthemeaningofthekeyitdecrypted!

c0¬ Enck0(Enck’1(xb))

b’Î {0,1}

k0,k1 (x0,y0,z0),(x1,y1,z1)

k’0,k’1

c1¬ Enck’0 (Enck1 (yb))c2¬ Enck’0 (Enck’1 (zb))

+`chosendoubleciphertextsecurity’

b

ObliviousTransfer

S Rm1

m2

r

mr

r=? m1-r =?

Yao’s2-PartyProtocol

y

P0 P1

x

GCConstructor GCEvaluator

- GC:(C1,C2,C3,C4)+decodinginfo:( )

OTk02k12

0

k02

0

z z

x y

0 0

z=xy0

k10 k1

1 k20 k2

1

k30 k3

1

C1C2C3C4

- Thekeysforx:k30 k3

1

k10

k10 k2

0

k30

C1C2C3C4

k30 k3

1

0

Yao’s2-PartyProtocol

Y=(y1,y2,…yk)

P0 P1

X=(x1,x2,…xk)

GCConstructor GCEvaluator

- GarbledCircuit+decodinginformation- ThekeysforX

OT1k01k11

y1

OTk

ky11

k0kk1k

ykkykk

Z

Z Z

CircuitGarbling- Tracingthehistory

- FreeXOR/FleXOR[KS08,KMR14]:NociphertextandnocryptooperationsforXORgates

- GarbledRowReduction:

o [NPS99]:4-to-3ciphertexts

o [PSSW09,GNLP15,ZRE15]:4-to-2ciphertexts (optimalforAND)

- Point-and-permute[NPS99]: - No`specialcorrectness’needed- Onlyoneciphertext needstobedecrypted

- Fromtechniquetoprimitive[BHR12a,BHR12b]:Privacy,Obliviousness,Authenticityandverifiability

o [KKKS15]:4bits(forformulaiccircuits)o [Kol05]:0bits(forformulaiccircuits+keylengthdependentondepth)

- ApplicationsinZK,outsourcingcomputation[JKO13]:Privacy-freeGC

Staytunedtoourreadinggroup

CircuitGarbling- RecentResults- Size-zeroPrivacy-freeGarbledcircuitsforFormulas[KP17]:Undersubmission

- ZeroknowledgeProtocolsfromGarbledcircuits[GKPS17]:Undersubmission

o 3,2and1roundprotocols

o Anyprivategarbledcircuitsisalsoauthentic

- Non-interactiveSecureComputation[PS17]:Undersubmission