Cryptography CS 555 Digital Signatures Continued Week 14: Digital Signatures Continued Multiparty Computation Yao’s Garbled Circuits Readings: Katz and Lindell Chapter 10 & Chapter 11.1-11.2, 11.4 Fall 2018

Recap: Identification Scheme Interactive protocol that allows one party to prove its identify (authenticate itself) to another Two Parties: Prover and Verifier Prover has secret key sk and Verifier has public key pk Prover runs P1(sk) to obtain (I,st) ---- initial message I, state st Sends I to Verifier Verifier picks random message r from distribution Ω 𝑝𝑘 and sends r to Prover Prover runs P2(sk,st,r) to obtain s and sends s to verifier Verifier checks if V(pk,r,s)=I

Recap: Fiat-Shamir Transform Identification Schemes can be transformed into signatures Signsk(m) First compute (I,st)= P1(sk) (as prover) Next compute the challenge 𝒓=𝑯(𝑰,𝒎) (as verifier) Compute the response s = P2(sk,st,r) Output signature (r,s) Vrfypk(m,(r,s)) Compute I := V(pk,r,s) Check that H(I,m)=r Theorem 12.10: If the identification scheme is secure and H is a random oracle then the above signature scheme is secure.

Schnorr Identification Scheme Verifier knows h=gx Prover knows x such that h=gx Prover runs P1(x) to obtain 𝑘∈ℤ q ,𝐼= 𝑔 𝑘 and sends initial message I to verifier Verifier picks random 𝑟∈ℤ q (q is order of the group) and sends r to prover Prover runs P2(x,k,r) to obtain s≔ 𝑟𝑥+𝑘 𝑚𝑜𝑑 𝑞 and sends s to Verifier Verifier checks if 𝑔 𝑠 ∗ ℎ −1 𝑟 =𝐼= 𝑔 𝑘

Schnorr Identification Scheme Verifier knows h=gx Prover knows x such that h=gx Prover runs P1(x) to obtain 𝑘∈ℤ q ,𝐼= 𝑔 𝑘 and sends initial message I to verifier Verifier picks random 𝑟∈ℤ q (q is order of the group) and sends r to prover Prover runs P2(x,k,r) to obtain s≔ 𝑟𝑥+𝑘 𝑚𝑜𝑑 𝑞 and sends s to Verifier Verifier checks if 𝑔 𝑠 ∗ ℎ −1 𝑟 =𝐼= 𝑔 𝑘 𝑔 𝑠 ∗ ℎ −1 𝑟 = 𝑔 𝑟𝑥+𝑘 𝑚𝑜𝑑 𝑞 ∗ 𝑔 −𝑥𝑟 = 𝑔 𝑘

Schnorr Identification Scheme Verifier knows h=gx Prover knows x such that h=gx Prover runs P1(x) to obtain 𝑘∈ℤ q ,𝐼= 𝑔 𝑘 and sends initial message I to verifier Verifier picks random 𝑟∈ℤ q (q is order of the group) and sends r to prover Prover runs P1(x,k,r) to obtain s≔ 𝑟𝑥+𝑘 mod 𝑞 and sends s to Verifier Verifier checks if 𝑔 𝑠 ∗ ℎ −1 𝑟 =𝐼= 𝑔 𝑘 Theorem 12.11: If the discrete-logarithm problem is hard (relative to group generator) then Schnorr identification scheme is secure.

Schnorr Signatures via Fiat-Shamir Public Key: h=gx in cyclic group 𝑔 of order q. Secret Key: x 𝑆𝑖𝑔𝑛 𝑠𝑘 𝑚 Select random 𝑘∈ℤ q and set 𝐼= 𝑔 𝑘 . 𝒓=𝑯 𝑰,𝒎 Return σ= 𝑟,𝑠 where s≔ 𝑟𝑥+𝑘 𝑚𝑜𝑑 𝑞 𝑉𝑒𝑟𝑖𝑓𝑦 𝑝𝑘 𝑚,σ= 𝑟,𝑠 Compute 𝑔 𝑠 ∗ ℎ −1 𝑟 = 𝑔 𝑠−𝑟𝑥 and check if r=𝐻 𝑔 𝑠−𝑟𝑥 ,𝑚

Schnorr Signatures 𝑆𝑖𝑔𝑛 𝑠𝑘 𝑚 𝑉𝑒𝑟𝑖𝑓𝑦 𝑝𝑘 𝑚,σ= 𝑟,𝑠 𝑆𝑖𝑔𝑛 𝑠𝑘 𝑚 Select random 𝑘∈ℤ q and set 𝐼= 𝑔 𝑘 . 𝒓=𝑯 𝑰,𝒎 Return σ= 𝑟,𝑠 where s≔ 𝑟𝑥+𝑘 𝑚𝑜𝑑 𝑞 𝑉𝑒𝑟𝑖𝑓𝑦 𝑝𝑘 𝑚,σ= 𝑟,𝑠 Compute 𝑔 𝑠 ∗ ℎ −1 𝑟 = 𝑔 𝑠−𝑟𝑥 and check if r=𝐻 𝑔 𝑠−𝑟𝑥 ,𝑚 Corollary (of Thms 12.10 + 12.11): If the discrete-logarithm problem is hard (relative to group generator) then Schnorr Signatures are secure in the random oracle model.

Schnorr Signatures Independent of size of original group (rth residue subgroup). Independent of #bits to represent group element (Elliptic Curve Pairs) Depends only on order of the subgroup q! DLOG 128 bit security: log 2 𝑞 ≈256 Schnorr Signatures 𝑆𝑖𝑔𝑛 𝑠𝑘 𝑚 Select random 𝑘∈ℤ q and set 𝐼= 𝑔 𝑘 . 𝒓=𝑯 𝑰,𝒎 Return σ= 𝑟,𝑠 where s≔ 𝑟𝑥+𝑘 𝑚𝑜𝑑 𝑞 𝑉𝑒𝑟𝑖𝑓𝑦 𝑝𝑘 𝑚,σ= 𝑟,𝑠 Compute 𝑔 𝑠 ∗ ℎ −1 𝑟 = 𝑔 𝑠−𝑟𝑥 and check if r=𝐻 𝑔 𝑠−𝑟𝑥 ,𝑚 Advantages: Short Signatures σ = 𝑟 + 𝑠 =2 log 2 𝑞 bits Fast and Efficient Patent Expired: February 2008

Digital Signature Algorithm (DSA) DSA: 𝒈 is subgroup of ℤ 𝑝 ∗ of order q ECDSA: 𝒈 is order q subgroup of elliptic curve Secret key is x, public key is h=gx along with generator g (of order q) Signsk(m) Pick random 𝑘∈ℤ q and set 𝑟=𝐹 𝑔 𝑘 ∈ ℤ 𝑞 Compute s≔ 𝑘 −1 𝑥𝑟+𝐻(𝑚) 𝑚𝑜𝑑 𝑞 Output signature (r,s) Vrfypk(m,(r,s)) check to make sure that 𝑟=𝐹 𝑔 𝐻(𝑚) 𝑠 −1 ℎ 𝑟 𝑠 −1 𝐹 𝑔 𝐻(𝑚) 𝑠 −1 ℎ 𝑟 𝑠 −1 =𝐹 𝑔 𝐻 𝑚 𝑘 (𝑥𝑟+𝐻(𝑚)) −1 𝑔 𝑥𝑟𝑘 (𝑥𝑟+𝐻(𝑚)) −1 =𝐹 𝑔 (𝐻 𝑚 +𝑥𝑟)𝑘 (𝑥𝑟+𝐻(𝑚)) −1 =𝐹 𝑔 𝑘 =𝑟

Digital Signature Algorithm (DSA) Signsk(m) Pick random 𝑘∈ℤ q and set 𝑟=𝐹 𝑔 𝑘 = 𝑔 𝑘 𝑚𝑜𝑑 𝑞 Compute s≔ 𝑘 −1 𝑥𝑟+𝐻(𝑚) 𝑚𝑜𝑑 𝑞 Output signature (r,s) Vrfypk(m,(r,s)) check to make sure that 𝑟=𝐹 𝑔 𝐻(𝑚) 𝑠 −1 ℎ 𝑟 𝑠 −1 =𝐹 𝑔 𝐻 𝑚 𝑘 𝑥𝑟+𝐻(𝑚) −1 𝑔 𝑥𝑟𝑘 𝑥𝑟+𝐻(𝑚) −1 =𝐹 𝑔 (𝐻 𝑚 +𝑥𝑟)𝑘 𝑥𝑟+𝐻(𝑚) −1 =𝐹 𝑔 𝑘 ≔𝑟

Digital Signature Algorithm (DSA) Secret key is x, public key is h=gx along with generator g (of order q) Signsk(m) Pick random 𝑘∈ℤ q and set 𝑟=𝐹 𝑔 𝑘 = 𝑔 𝑘 𝑚𝑜𝑑 𝑞 Compute s≔ 𝑘 −1 𝑥𝑟+𝐻(𝑚) 𝑚𝑜𝑑 𝑞 Output signature (r,s) Vrfypk(m,(r,s)) check to make sure that 𝑟=𝐹 𝑔 𝐻(𝑚) 𝑠 −1 ℎ 𝑟 𝑠 −1 Theorem: If H and F are modeled as random oracles then DSA is secure. Weird Assumption for F(.)? Theory: DSA Still lack compelling proof of security from standard crypto assumptions Practice: DSA has been used/studied for decades without attacks 𝐹 𝑔 𝐻(𝑚) 𝑠 −1 ℎ 𝑟 𝑠 −1 =𝐹 𝑔 𝐻 𝑚 𝑘 𝑥𝑟+𝐻(𝑚)−1 𝑔 𝑥𝑟𝑘 𝑥𝑟+𝐻(𝑚)−1 =𝐹 𝑔 (𝐻 𝑚 +𝑥𝑟)𝑘 𝑥𝑟+𝐻(𝑚)−1 =𝐹 𝑔 𝑘 =𝑟

Digital Signature Algorithm (DSA) Secret key is x, public key is h=gx Signsk(m) Pick random 𝑘∈ℤ q and set 𝑟=𝐹 𝑔 𝑘 = 𝑔 𝑘 𝑚𝑜𝑑 𝑞 Compute s≔ 𝑘 −1 𝑥𝑟+𝐻(𝑚) 𝑚𝑜𝑑 𝑞 Output signature (r,s) Vrfypk(m,(r,s)) check to make sure that 𝑟=𝐹 𝑔 𝐻(𝑚) 𝑠 −1 ℎ 𝑟 𝑠 −1 Remark: If signer signs two messages with same random 𝑘∈ℤ q then attacker can find secret key sk! Theory: Negligible Probability this happens Practice: Will happen if a weak PRG is used Sony PlayStation (PS3) hack in 2010. s1≔ 𝑘 −1 𝑥𝑟+𝐻(𝑚1) 𝑚𝑜𝑑 𝑞 s2≔ 𝑘 −1 𝑥𝑟+𝐻(𝑚2) 𝑚𝑜𝑑 𝑞 s1−s2= 𝑘 −1 𝐻 𝑚1 −𝐻(𝑚2) 𝑚𝑜𝑑 𝑞 𝑆𝑜𝑙𝑣𝑒 𝑓𝑜𝑟 𝑘

Certificate Authority Trusted Authority (CA) 𝑚 𝐶𝐴→𝐴𝑚𝑎𝑧𝑜𝑛 =“Amazon’s public key is 𝑝𝑘 𝐴𝑚𝑎𝑧𝑜𝑛 (date,expiration,###)” 𝑐𝑒𝑟𝑡 𝐶𝐴→𝐴𝑚𝑎𝑧𝑜𝑛 = 𝑆𝑖𝑔𝑛 𝑆𝐾 𝐶𝐴 𝑚 Delegate Authority to other CA1 Root CA signs m= “CA1 public key is 𝑝𝑘 𝐶𝐴1 (date,expiration,###) can issue certificates” Verifier can check entire certification chain Revocation List Signed Daily Decentralized Web of Trust (PGP)

Secure Multiparty Computation z H(x,y,z) x y F(x,y,z) G(x,y,z) Bob only learns G(x,y,z) Alice only learns F(x,y,z) Mickey only learns H(x,y,z) Cryptography: What if we don’t have a trusted third party?

Secure Multiparty Computation (Crushes) Z=“Alice” H(x,y,z)=“no match” x=“Bob” F(x,y,z)=“match Bob” Y=“Alice” G(x,y,z)=“match Alice” Bob only learns G(x,y,z) Alice only learns F(x,y,z) Mickey only learns H(x,y,z) Alice can infer Y from F(x,y,z) and Bob can infer X from G(x,y,z). But Alice/Bob cannot infer anything about Z. Mickey cannot infer y, and learns that x≠ “Mickey”

Secure Multiparty Computation (Crushes) Key Point: The output H(x,y,z) may leak info about inputs. Thus, we cannot prevent Mickey from learning anything about x,y but Mickey should not learn anything else besides H(x,y,z)! Z=“Alice” H(x,y,z)=“no match” x=“Bob” F(x,y,z)=“match Bob” Y=“Alice” G(x,y,z)=“match Alice” Bob only learns G(x,y,z) Alice only learns F(x,y,z) Mickey only learns H(x,y,z) Though Question: How can we formalize this property? Alice can infer Y from F(x,y,z) and Bob can infer X from G(x,y,z). But Alice/Bob cannot infer anything about Z. Mickey cannot infer y, and learns that x≠ “Mickey”

Adversary Models Semi-Honest (“honest, but curious”) All parties follow protocol instructions, but… dishonest parties may be curious to violate privacy of others when possible Fully Malicious Model Adversarial Parties may deviate from the protocol arbitrarily Quit unexpectedly Send different messages It is much harder to achieve security in the fully malicious model Convert Secure Semi-Honest Protocol into Secure Protocol in Fully Malicious Mode? Tool: Zero-Knowledge Proofs

Computational Indistinguishability Definition: We say that an ensemble of distributions 𝑋𝑛 𝑛∈ℕ and 𝑌𝑛 𝑛∈ℕ are computationally indistinguishable if for all PPT distinguishers D, there is a negligible function negl(n), such that we have 𝐴𝑑𝑣 𝐷,𝑛 = 𝑃𝑟 𝑠←Xℓ 𝐷 𝑠 =1 − 𝑃𝑟 𝑠←Yℓ 𝐷 𝑠 =1 ≤𝑛𝑒𝑔𝑙(𝑛) Notation: 𝑋𝑛 𝑛∈ℕ ≡ 𝐶 𝑌𝑛 𝑛∈ℕ means that the ensembles are computationally indistinguishable.

Security (Semi-Honest Model) Let 𝐵 𝑛 = 𝑡𝑟𝑎𝑛𝑠 𝐵 (𝑛,𝑥,𝑦) (resp. 𝐴 𝑛 = 𝑡𝑟𝑎𝑛𝑠 𝐴 (𝑛,𝑥,𝑦) ) be the protocol transcript from Bob’s perspective (resp. Alice’s perspective) when his input is y and Alice’s input is x (assuming that Alice follows the protocol). Security: Assuming that Alice and Bob are both semi-honest (follow the protocol) then there exist PPT simulators 𝑆 𝐴 and 𝑆 𝐵 s.t. 𝐴𝑛 𝑛∈ℕ ≡ 𝐶 𝑆 𝐴 𝑛,𝑥, 𝑓 𝐴 𝑥,𝑦 𝑛∈ℕ 𝐵𝑛 𝑛∈ℕ ≡ 𝐶 𝑆 𝐵 𝑛,𝑦, 𝑓 𝐵 𝑥,𝑦 𝑛∈ℕ Remark: Simulator 𝑆 𝐴 is only shown Alice’s input y and Alice’s output 𝑓 𝐴 𝑥,𝑦 (similarly, 𝑆 𝐵 is only shown Bob’s input x and Bob’s output 𝑓 𝐵 𝑥,𝑦 )

Building Block: Oblivious Transfer (OT) 1 out of 2 OT Alice has two messages m0 and m1 At the end of the protocol Bob gets exactly one of m0 and m1 Alice does not know which one, and Bob learns nothing about other message Oblivious Transfer with a Trusted Third Party b m0 1 out of 2 OT m1 mb

Bellare-Micali 1-out-of-2-OT protocol Oblivious Transfer without a Trusted Third Party g is a generator for a prime order group Gq in which CDH problem is hard m0 b c m1 𝑧0,𝑧1 𝐶 0 = 𝑔 𝑟 0 ,𝐻 𝑧 0 𝑟 0 ⊕ 𝑚 0 𝐶 1 = 𝑔 𝑟 1 ,𝐻 𝑧 1 𝑟 1 ⊕ 𝑚 1 c R Gq k R Zq 𝑧 𝑏 = 𝑔 𝑘 , 𝑧 1−𝑏 =𝑐 𝑔 −𝑘 Bob can decrypt Cb 𝑧 𝑏 𝑟 𝑏 = 𝑔 𝑘 𝑟 𝑏

Bellare-Micali 1-out-of-2-OT protocol Oblivious Transfer without a Trusted Third Party g is a generator for a prime order group Gq in which CDH is Hard m0 b c m1 𝑧0,𝑧1 𝐶 0 = 𝑔 𝑟 0 ,𝐻 𝑧 0 𝑟 0 ⊕ 𝑚 0 𝐶 1 = 𝑔 𝑟 1 ,𝐻 𝑧 1 𝑟 1 ⊕ 𝑚 1 c R Gq k R Zq 𝑧 𝑏 = 𝑔 𝑘 , 𝑧 1−𝑏 =𝑐 𝑔 −𝑘 =𝑐 𝑧 𝑏 −1 Alice must check that 𝑧 1 =𝑐 𝑧 0 −1 Bob can decrypt Cb 𝑧 𝑏 𝑟 𝑏 = 𝑔 𝑘 𝑟 𝑏

Bellare-Micali 1-out-of-2-OT protocol Alice does not learn b because 𝑧 1 =𝑐 𝑧 0 −1 and 𝑧 0 =𝑐 𝑧 1 −1 and 𝑧 1 , 𝑧 0 are distributed uniformly at random subject to these condition. This is an information theoretic guarantee! Oblivious Transfer without a Trusted Third Party g is a generator for a prime order group Gq in which Discrete Log Problem is Hard m0 b c m1 𝑧0,𝑧1 𝐶 0 = 𝑔 𝑟 0 ,𝐻 𝑧 0 𝑟 0 ⊕ 𝑚 0 𝐶 1 = 𝑔 𝑟 1 ,𝐻 𝑧 1 𝑟 1 ⊕ 𝑚 1 c R Gq k R Zq 𝑧 𝑏 = 𝑔 𝑘 , 𝑧 1−𝑏 =𝑐 𝑔 −𝑘 =𝑐 𝑧 𝑏 −1 Alice must check that 𝑧 1 =𝑐 𝑧 0 −1 Bob can decrypt Cb 𝑧 𝑏 𝑟 𝑏 = 𝑔 𝑘 𝑟 𝑏

Bellare-Micali 1-out-of-2-OT protocol Bob cannot decrypt C1-b Unless he queries random oracle at 𝑐 𝑟 1−𝑏 𝑔 −𝑘 𝑟 1−𝑏 Given this value we can obtain 𝑐 𝑟 1−𝑏 Thus, we can break CDH assumption given random 𝒄=𝒈 𝒎 and 𝒈 𝒓 𝟏−𝒃 it is hard to find 𝒄 𝒓 𝟏−𝒃 = 𝒈 𝒎𝒓 𝟏−𝒃 Oblivious Transfer without a Trusted Third Party g is a generator for a prime order group Gq in which Discrete Log Problem is Hard m0 b c m1 𝑧0,𝑧1 𝐶 0 = 𝑔 𝑟 0 ,𝐻 𝑧 0 𝑟 0 ⊕ 𝑚 0 𝐶 1 = 𝑔 𝑟 1 ,𝐻 𝑧 1 𝑟 1 ⊕ 𝑚 1 c R Gq k R Zq 𝑧 𝑏 = 𝑔 𝑘 , 𝑧 1−𝑏 =𝑐 𝑔 −𝑘 =𝑐 𝑧 𝑏 −1 Alice must check that 𝑧 1 =𝑐 𝑧 0 −1 Bob can decrypt Cb 𝑧 𝑏 𝑟 𝑏 = 𝑔 𝑘 𝑟 𝑏

CS 380S Yao’s Protocol Vitaly Shmatikov

Yao’s Protocol Compute any function securely … in the semi-honest model First, convert the function into a boolean circuit AND AND Alice’s inputs NOT Bob’s inputs AND OR OR z z x y z x y z AND OR Truth table: 1 Truth table: 1 1 x y 1 x y 1 1 1 1 1 1 1 1

Alice prepares “garbled” version C’ of C AND AND Alice’s inputs NOT Bob’s inputs AND OR OR Overview: Alice prepares “garbled” version C’ of C Sends “encrypted” form x’ of her input x Allows Bob to obtain “encrypted” form y’ of his input y via OT Bob can compute from C’,x’,y’ the “encryption” z’ of z=C(x,y) Bob sends z’ to Alice and she decrypts and reveals to him z Crucial properties: Bob never sees Alice’s input x in unencrypted form. Bob can obtain encryption of y without Alice learning y. Neither party learns intermediate values. Remains secure even if parties try to cheat.

Intuition c AND a b

Intuition a b c AND b a a b

1: Pick Random Keys For Each Wire Next, evaluate one gate securely Later, generalize to the entire circuit Alice picks two random keys for each wire One key corresponds to “0”, the other to “1” 6 keys in total for a gate with 2 input wires k0z, k1z z AND Alice x y Bob k0x, k1x k0y, k1y

2: Encrypt Truth Table Alice encrypts each row of the truth table by encrypting the output-wire key with the corresponding pair of input-wire keys z k0z, k1z AND Alice x y Bob k0x, k1x k0y, k1y Ek0x(Ek0y(k0z)) x y z Ek0x(Ek1y(k0z)) Encrypted truth table: Original truth table: 1 Ek1x(Ek0y(k0z)) 1 1 1 1 Ek1x(Ek1y(k1z))

3: Send Garbled Truth Table Alice randomly permutes (“garbles”) encrypted truth table and sends it to Bob Does not know which row of garbled table corresponds to which row of original table z k0z, k1z AND Alice x y Bob k0x, k1x k0y, k1y Ek1x(Ek0y(k0z)) Ek0x(Ek0y(k0z)) Ek0x(Ek1y(k0z)) Ek0x(Ek1y(k0z)) Garbled truth table: Ek1x(Ek0y(k0z)) Ek1x(Ek1y(k1z)) Ek1x(Ek1y(k1z)) Ek0x(Ek0y(k0z))

4: Send Keys For Alice’s Inputs Alice sends the key corresponding to her input bit Keys are random, so Bob does not learn what this bit is k0z, k1z z Learns Kb’x where b’ is Alice’s input bit, but not b’ (why?) AND Alice x y Bob k0x, k1x If Alice’s bit is 1, she simply sends k1x to Bob; if 0, she sends k0x k0y, k1y Ek1x(Ek0y(k0z)) Ek0x(Ek1y(k0z)) Garbled truth table: Ek1x(Ek1y(k1z)) Ek0x(Ek0y(k0z))

5: Use OT on Keys for Bob’s Input Alice and Bob run oblivious transfer protocol Alice’s input is the two keys corresponding to Bob’s wire Bob’s input into OT is simply his 1-bit input on that wire z Knows Kb’x where b’ is Alice’s input bit and Kby where b is his own input bit k0z, k1z AND Alice x y Bob k0x, k1x Run oblivious transfer Alice’s input: k0y, k1y Bob’s input: his bit b Bob learns kby What does Alice learn? k0y, k1y Ek1x(Ek0y(k0z)) Ek0x(Ek1y(k0z)) Garbled truth table: Ek1x(Ek1y(k1z)) Ek0x(Ek0y(k0z))

6: Evaluate Garbled Gate Using the two keys that he learned, Bob decrypts exactly one of the output-wire keys Bob does not learn if this key corresponds to 0 or 1 Why is this important? z Knows Kb’x where b’ is Alice’s input bit and Kby where b is his own input bit k0z, k1z AND Alice x y Bob k0x, k1x Suppose b’=0, b=1 Ek1x(Ek0y(k0z)) k0y, k1y This is the only row Bob can decrypt. He learns K0z Ek0x(Ek1y(k0z)) Garbled truth table: Ek1x(Ek1y(k1z)) Ek0x(Ek0y(k0z))

7: Evaluate Entire Circuit In this way, Bob evaluates entire garbled circuit For each wire in the circuit, Bob learns only one key It corresponds to 0 or 1 (Bob does not know which) Therefore, Bob does not learn intermediate values (why?) Bob tells Alice the key for the final output wire and she tells him if it corresponds to 0 or 1 Bob does not tell her intermediate wire keys (why?) AND OR NOT Alice’s inputs Bob’s inputs

Security (Semi-Honest Model) Security: Assuming that Alice and Bob are both semi-honest (follow the protocol) then there exist PPT simulators 𝑆 𝐴 and 𝑆 𝐵 s.t. 𝐴𝑛 𝑛∈ℕ ≡ 𝐶 𝑆 𝐴 𝑛,𝑥, 𝑓 𝐴 𝑥,𝑦 𝑛∈ℕ 𝐵𝑛 𝑛∈ℕ ≡ 𝐶 𝑆 𝐵 𝑛,𝑦, 𝑓 𝐵 𝑥,𝑦 𝑛∈ℕ Remark: Simulator 𝑆 𝐴 is only shown Alice’s output 𝑓 𝐴 𝑥,𝑦 (similarly, 𝑆 𝐵 is only shown Bob’s output 𝑓 𝐵 𝑥,𝑦 ) Theorem (informal): If the oblivious transfer protocol is secure, and the underlying encryption scheme is CPA-secure then Yao’s protocol is secure in the semi-honest adversary model.

Brief Discussion of Yao’s Protocol Function must be converted into a circuit For many functions, circuit will be huge If m gates in the circuit and n inputs from Bob, then need 4m encryptions and n oblivious transfers Oblivious transfers for all inputs can be done in parallel Yao’s construction gives a constant-round protocol for secure computation of any function in the semi-honest model Number of rounds does not depend on the number of inputs or the size of the circuit!

Fully Malicious Security? Alice could initially garble the wrong circuit C(x,y)=y. Given output of C(x,y) Alice can still send Bob the output f(x,y). Can Bob detect/prevent this? Fix: Assume Alice and Bob have both committed to their input: cA=com(x,rA) and cB=com(y,rB). Alice and Bob can use zero-knowledge proofs to convince other party that they are behaving honestly. Example: After sending a message A Alice proves that the message she just sent is the same message an honest party would have sent with input x s.t. cA=com(x,rA) Here we assume that Alice and Bob have both committed to correct inputs (Bob might use y which does not represent his real vote etc… but this is not a problem we can address with cryptography)

Fully Malicious Security Assume Alice and Bob have both committed to their input: cA=com(x,rA) and cB=com(y,rB). Here we assume that Alice and Bob have both committed to correct inputs (Bob might use y which does not represent his real vote etc… but this is not a problem we can address with cryptography) Alice has cB and can unlock cA Bob has cA and can unlock cB Alice sets Cf = GarbleCircuit(f,r). Alice sends to Bob. Alice convinces Bob that Cf = GarbleCircuit(f,r) for some r (using a zero-knowledge proof) For each original oblivious transfer if Alice’s inputs were originally x0,x1 Alice and Bob run OT with y0,y1 where yi=EncK(xi) Bob uses a zero-knowledge proof to convince Alice that he received the correct yi (e.g. matching his previous commitment cB) Alice sends K to Bob who decrypts yi to obtain xi