The first Few Slides stolen from Boaz Barak

Slides:



Advertisements
Similar presentations
Polylogarithmic Private Approximations and Efficient Matching
Advertisements

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Joe Kilian NEC Laboratories, America Aladdin Workshop on Privacy in DATA March 27, 2003.
Secure Computation Slides stolen from Joe Kilian & Vitali Shmatikov Boaz Barak.
Secure Computation of Linear Algebraic Functions
Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto
Yan Huang, David Evans, Jonathan Katz
Secure Multiparty Computations on Bitcoin
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Oblivious Transfer based on the McEliece Assumptions
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.
CSEP 590tv: Quantum Computing
Lecture 20: April 12 Introduction to Randomized Algorithms and the Probabilistic Method.
Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties.
How to play ANY mental game
CS573 Data Privacy and Security
Slide 1 Vitaly Shmatikov CS 380S Yao’s Protocol. slide Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert.
Secure two-party computation: a visual way by Paolo D’Arco and Roberto De Prisco.
Slide 1 Yao’s Protocol. slide Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean.
Based on Schneier Chapter 5: Advanced Protocols Dulal C. Kar.
On the Communication Complexity of SFE with Long Output Daniel Wichs (Northeastern) joint work with Pavel Hubáček.
Network Security – Special Topic on Skype Security.
1 Information Security – Theory vs. Reality , Winter Lecture 10: Garbled circuits and obfuscation Eran Tromer Slides credit: Boaz.
Non-Interactive Verifiable Computing August 5, 2009 Bryan Parno Carnegie Mellon University Rosario Gennaro, Craig Gentry IBM Research.
Secure Computation (Lecture 2) Arpita Patra. Vishwaroop of MPC.
Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.
Hidden Access Control Policies with Hidden Credentials Keith Frikken, Mikhail Atallah, Jiangtao Li CERIAS and Department of Computer Sciences Purdue University.
Slide 1 Many thanks to Vitaly Shmatikov of the University of Texas, Austin for providing these slides. Introduction to Secure Multi-Party Computation.
Software Security Seminar - 1 Chapter 4. Intermediate Protocols 발표자 : 이장원 Applied Cryptography.
1 Cryptography Troy Latchman Byungchil Kim. 2 Fundamentals We know that the medium we use to transmit data is insecure, e.g. can be sniffed. We know that.
Efficient Oblivious Transfer with Stateless Secure Tokens Alcatel-Lucent Bell Labs Vlad Kolesnikov.
 5.1 Zero-Knowledge Proofs  5.2 Zero-Knowledge Proofs of Identity  5.3 Identity-Based Public-Key Cryptography  5.4 Oblivious Transfer  5.5 Oblivious.
David Evans CS588: Security and Privacy University of Virginia Computer Science Lecture 15: From Here to Oblivion.
Cryptographic methods. Outline  Preliminary Assumptions Public-key encryption  Oblivious Transfer (OT)  Random share based methods  Homomorphic Encryption.
Secure Computation Basics Yan Huang Indiana University May 9, 2016.
Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information.
Cryptography Lecture 13 Arpita Patra
Garbling Techniques David Evans
Topic 36: Zero-Knowledge Proofs
The Exact Round Complexity of Secure Computation
Introduction to Randomized Algorithms and the Probabilistic Method
Network Security.
Some slides borrowed from Philippe Golle, Markus Jacobson
Course Business I am traveling April 25-May 3rd
Cryptography CS 555 Lecture 22
Gate Evaluation Secret Sharing and Secure Two-Party Computation
Improved Private Set Intersection against Malicious Adversaries
Maliciously Secure Two-Party Computation
CS 154, Lecture 6: Communication Complexity
Cryptography for Quantum Computers
Comparison Networks Sorting Sorting binary values
Multi-Party Computation: Second year
Cryptography CS 555 Digital Signatures Continued
Achieving Fairness in Private Contract Negotiation
Course Business Homework 5 Extended Practice Final Released Next Week
Malicious-Secure Private Set Intersection via Dual Execution
CS21 Decidability and Tractability
Interactive Proofs and Secure Multi-Party Computation
Oblivious Transfer.
Path Oram An Extremely Simple Oblivious RAM Protocol
Cryptography Lecture 8 Arpita Patra © Arpita Patra.
ITIS 6200/8200 Chap 5 Dr. Weichao Wang.
Presentation transcript:

The first Few Slides stolen from Boaz Barak Garbled Circuits The first Few Slides stolen from Boaz Barak Joe Kilian Vitali Shmatikov

The Love Game (AKA the AND game) He loves me, he loves me not… She loves me, she loves me not… Want to know if both parties are interested in each other. But… Do not want to reveal unrequited love. Input = 1 : I love you Input = 0: I love you Must compute F(X,Y)=XÆY, giving F(X,Y) to both players. … as a friend Can we reveal the answer without revealing the inputs?

The Spoiled Children Problem (AKA The Millionaires Problem [Yao]) Who has more toys? Who Cares? Pearl wants to know whether she has more toys than Gersh, Doesn’t want to tell Gersh anything. Gersh is willing for Pearl to find out who has more toys, Doesn’t want Pearl to know how many toys he has. Pearl wants to know whether she has more toys than Gersh, Doesn’t want to tell Gersh anything. Gersh is willing for Pearl to find out who has more toys, Doesn’t want Pearl to know how many toys he has. Can we give Pearl the information she wants, and nothing else, without giving Gersh any information at all?

Yao’s Protocol Andrew Yao Turing award winner Theoretical CS, crypto, quantum computing… In crypto PRG, Yao’s Garbled Circuit, one-way function …

Yao’s Protocol Compute any function securely First, convert the function into a boolean circuit AND AND Alice’s inputs NOT Bob’s inputs AND OR OR z z x y z x y z AND OR Truth table: 1 Truth table: 1 1 x y 1 x y 1 1 1 1 1 1 1 1

Alice prepares “garbled” version C’ of C AND AND Alice’s inputs NOT Bob’s inputs AND OR OR Overview: Alice prepares “garbled” version C’ of C Sends “encrypted” form x’ of her input x Allows bob to obtain “encrypted” form y’ of his input y Bob can compute from C’,x’,y’ the “encryption” z’ of z=C(x,y) Bob sends z’ to Alice and she decrypts and reveals to him z Crucial properties: Bob never sees Alice’s input x in unencrypted form. Bob can obtain encryption of y without Alice learning y. Neither party learns intermediate values. Remains secure even if parties try to cheat.

Intuition c AND a b

Intuition a b c AND b a a b

1: Pick Random Keys For Each Wire Next, evaluate one gate securely Later, generalize to the entire circuit Alice picks two random keys for each wire One key corresponds to “0”, the other to “1” 6 keys in total for a gate with 2 input wires k0z, k1z z AND Alice x y Bob k0x, k1x k0y, k1y

2: Encrypt Truth Table Alice encrypts each row of the truth table by encrypting the output-wire key with the corresponding pair of input-wire keys z k0z, k1z AND Alice x y Bob k0x, k1x k0y, k1y Ek0x(Ek0y(k0z)) x y z Ek0x(Ek1y(k0z)) Encrypted truth table: Original truth table: 1 Ek1x(Ek0y(k0z)) 1 1 1 1 Ek1x(Ek1y(k1z))

3: Send Garbled Truth Table Alice randomly permutes (“garbles”) encrypted truth table and sends it to Bob Does not know which row of garbled table corresponds to which row of original table z k0z, k1z AND Alice x y Bob k0x, k1x k0y, k1y Ek1x(Ek0y(k0z)) Ek0x(Ek0y(k0z)) Ek0x(Ek1y(k0z)) Ek0x(Ek1y(k0z)) Garbled truth table: Ek1x(Ek0y(k0z)) Ek1x(Ek1y(k1z)) Ek1x(Ek1y(k1z)) Ek0x(Ek0y(k0z))

4: Send Keys For Alice’s Inputs Alice sends the key corresponding to her input bit Keys are random, so Bob does not learn what this bit is k0z, k1z z Learns Kb’x where b’ is Alice’s input bit, but not b’ (why?) AND Alice x y Bob k0x, k1x If Alice’s bit is 1, she simply sends k1x to Bob; if 0, she sends k0x k0y, k1y Ek1x(Ek0y(k0z)) Ek0x(Ek1y(k0z)) Garbled truth table: Ek1x(Ek1y(k1z)) Ek0x(Ek0y(k0z))

5: Use OT on Keys for Bob’s Input Alice and Bob run oblivious transfer protocol Alice’s input is the two keys corresponding to Bob’s wire Bob’s input into OT is simply his 1-bit input on that wire z Knows Kb’x where b’ is Alice’s input bit and Kby where b is his own input bit k0z, k1z AND Alice x y Bob k0x, k1x Run oblivious transfer Alice’s input: k0y, k1y Bob’s input: his bit b Bob learns kby What does Alice learn? k0y, k1y Ek1x(Ek0y(k0z)) Ek0x(Ek1y(k0z)) Garbled truth table: Ek1x(Ek1y(k1z)) Ek0x(Ek0y(k0z))

6: Evaluate Garbled Gate Using the two keys that he learned, Bob decrypts exactly one of the output-wire keys Bob does not learn if this key corresponds to 0 or 1 Why is this important? z Knows Kb’x where b’ is Alice’s input bit and Kby where b is his own input bit k0z, k1z AND Alice x y Bob k0x, k1x Suppose b’=0, b=1 Ek1x(Ek0y(k0z)) k0y, k1y This is the only row Bob can decrypt. He learns K0z Ek0x(Ek1y(k0z)) Garbled truth table: Ek1x(Ek1y(k1z)) Ek0x(Ek0y(k0z))

7: Evaluate Entire Circuit In this way, Bob evaluates entire garbled circuit For each wire in the circuit, Bob learns only one key It corresponds to 0 or 1 (Bob does not know which) Therefore, Bob does not learn intermediate values (why?) Bob tells Alice the key for the final output wire and she tells him if it corresponds to 0 or 1 Bob does not tell her intermediate wire keys (why?) AND OR NOT Alice’s inputs Bob’s inputs

8: Making it robust So far, protocol is only secure for honest-but-curious (aka semi-honest) adversaries: Alice can prepare faulty circuit (e.g. C(x,y)=y). Bob can give Alice wrong output. Solutions: Alice proves in zero knowledge that garbled circuit is correct. (Need also proofs of knowledge for inputs.) “cut and choose” – Alice prepares several copies of garbled circuit. Bob asks to “open up” some of them, and then they use an unopened one to compute.

Garbled Circuit Implemetations Y. Huang et al. ObliVM TinyGarble

Garbled Circuit Implementations Y. Huang et al. (Java, building block based) https://yhuangpress.files.wordpress.com/2014/02/dissertation.pdf JustGarble (AES based) ObliVM (PL based; oblivious RAM too) TinyGarble (uses industry synthesis tools)

Some Designing Principles XOR is free! Use as many xors as possible Design your own circuit-efficient oblivious algorithms Sorting? Insertion? Set intersection? Max, min? What about arithmetic operations?

Sorting Networks

Sorting Networks Various algorithms exist to construct simple, yet efficient sorting networks of depth O(log2 n) (hence size O(n log2 n)) such as Batcher odd–even mergesort, bitonic sort, Shell sort, and the Pairwise sorting network.  Batcher’s turn out to give the best one for practical n, in general. We use it..

Sorting Networks

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.