Secure two-party computation: a visual way by Paolo D’Arco and Roberto De Prisco.

Slides:



Advertisements
Similar presentations
Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Advertisements

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Secure Evaluation of Multivariate Polynomials
Oblivious Branching Program Evaluation
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
1 Visual Cryptography: Secret Sharing without a Computer Ricardo Martin GWU Cryptography Group September 2005.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
C OMPLEXITY - THEORETIC F OUNDATIONS OF S TEGANOGRAPHY AND C OVERT C OMPUTATION Daniel Apon.
BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Visual Cryptography Jiangyi Hu Jiangyi Hu, Zhiqian Hu2 Visual Cryptography Example Secret sharing Visual cryptography Model Extensions.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Eran Omri, Bar-Ilan University Joint work with Amos Beimel and Ilan Orlov, BGU Ilan Orlov…!??!!
Lect. 18: Cryptographic Protocols. 2 1.Cryptographic Protocols 2.Special Signatures 3.Secret Sharing and Threshold Cryptography 4.Zero-knowledge Proofs.
Receipt-Free Universally-Verifiable Voting With Everlasting Privacy Tal Moran Joint work with Moni Naor.
On the Security of the “Free-XOR” Technique Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)
Short course on quantum computing Andris Ambainis University of Latvia.
What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Oblivious Transfer based on the McEliece Assumptions
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
A Designer’s Guide to KEMs Alex Dent
Asymmetric Cryptography part 1 & 2 Haya Shulman Many thanks to Amir Herzberg who donated some of the slides from
How to Share a Secret Amos Beimel. Secret Sharing [Shamir79,Blakley79,ItoSaitoNishizeki87] ? bad.
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
On Everlasting Security in the Hybrid Bounded Storage Model Danny Harnik Moni Naor.
Blind Vision Shai Avidan, Moshe Butman Yuval Schwartz.
Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties.
How to play ANY mental game
CS573 Data Privacy and Security
Overview of Privacy Preserving Techniques.  This is a high-level summary of the state-of-the-art privacy preserving techniques and research areas  Focus.
A Few Simple Applications to Cryptography Louis Salvail BRICS, Aarhus University.
Secure Computation (Lecture 7-8) Arpita Patra. Recap >> (n,t)-Secret Sharing (Sharing/Reconstruction) > Shamir Sharing > Lagrange’s Interpolation for.
On the Practical Feasibility of Secure Distributed Computing A Case Study Gregory Neven, Frank Piessens, Bart De Decker Dept. of Computer Science, K.U.Leuven.
Slide 1 Vitaly Shmatikov CS 380S Yao’s Protocol. slide Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert.
Slide 1 Yao’s Protocol. slide Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean.
On the Communication Complexity of SFE with Long Output Daniel Wichs (Northeastern) joint work with Pavel Hubáček.
1 Secure Multi-party Computation Minimizing Online Rounds Seung Geol Choi Columbia University Joint work with Ariel Elbaz(Columbia University) Tal Malkin(Columbia.
CS555Topic 251 Cryptography CS 555 Topic 25: Quantum Crpytography.
1 Information Security – Theory vs. Reality , Winter Lecture 10: Garbled circuits and obfuscation Eran Tromer Slides credit: Boaz.
Non-Interactive Verifiable Computing August 5, 2009 Bryan Parno Carnegie Mellon University Rosario Gennaro, Craig Gentry IBM Research.
Secure Computation (Lecture 2) Arpita Patra. Vishwaroop of MPC.
Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.
Homework #1 J. H. Wang Oct. 2, 2013.
Slide 1 Many thanks to Vitaly Shmatikov of the University of Texas, Austin for providing these slides. Introduction to Secure Multi-Party Computation.
Efficient Oblivious Transfer with Stateless Secure Tokens Alcatel-Lucent Bell Labs Vlad Kolesnikov.
A New Approach for Visual Cryptography Wen-Guey Tzeng and Chi-Ming Hu Designs, codes and cryptography, 27, ,2002 Reporter: 李惠龍.
Cryptographic Security Aveek Chakraborty CS5204 – Operating Systems1.
Verifiable Threshold Secret Sharing and Full Fair Secure Two-party Computation YE Jian-wei March 7, 2009.
Cryptographic methods. Outline  Preliminary Assumptions Public-key encryption  Oblivious Transfer (OT)  Random share based methods  Homomorphic Encryption.
Secret Sharing Schemes: A Short Survey Secret Sharing 2.
1© Nokia 2016 Overlaying Circuit Clauses for Secure Computation Sean Kennedy Vladimir Kolesnikov Gordon Wilfong Bell Labs.
CMSC 414 Computer and Network Security Lecture 2 Jonathan Katz.
Visual Cryptography Given By: Moni Naor Adi Shamir Presented By: Anil Vishnoi (2005H103017)
Homework #1 J. H. Wang Oct. 9, 2012.
Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information.
Cryptography Lecture 13 Arpita Patra
Garbling Techniques David Evans
Topic 36: Zero-Knowledge Proofs
Secret Sharing (or, more accurately, “Secret Splitting”)
The first Few Slides stolen from Boaz Barak
Course Business I am traveling April 25-May 3rd
Cryptography CS 555 Lecture 22
Maliciously Secure Two-Party Computation
Oblivious Transfer.
Cryptography Lecture 8 Arpita Patra © Arpita Patra.
Presentation transcript:

Secure two-party computation: a visual way by Paolo D’Arco and Roberto De Prisco

Challenging Research Task Design of secure protocols which can be used by people without the aid of a computer without cryptographic knowledge … when computers are not available or, for psycological or social reasons, people feel uncomfortable to interact or trust a computer

In this paper… By merging together in a suitable way Yao’s garbled circuit construction (‘80) Naor and Shamir’s visual cryptography (‘90) we put forward a novel method for performing secure two-party computation through a pure physical process.

Our Main Result Theorem 1. Every two-party computation representable by means of a boolean function f(·,·) can be performed preserving the privacy of the inputs x and y through a pure physical visual evaluation process.

Yao’s Construction [Yao, FOCS 1986]

Computation as a circuit The boolean function f(·,·) is represented through a boolean circuit C(·,·) for which, for each x,y, it holds that C(x,y) = f(x,y) And Or

Computation as a circuit The boolean function f(·,·) is represented through a boolean circuit C(·,·) for which, for each x,y, it holds that C(x,y) = f(x,y) Given the input values, the output is easily obtained by evaluating the circuit gates, i.e., And, OR and Not bit-by-bit operations. And Or

Computation as a circuit The boolean function f(·,·) is represented through a boolean circuit C(·,·) for which, for each x,y, it holds that C(x,y) = f(x,y) Given the input values, the output is easily obtained by evaluating the circuit gates, i.e., And, OR and Not bit-by-bit operations. And Or

Computation as a circuit The boolean function f(·,·) is represented through a boolean circuit C(·,·) for which, for each x,y, it holds that C(x,y) = f(x,y) Given the input values, the output is easily obtained by evaluating the circuit gates, i.e., And, OR and Not bit-by-bit operations. Inputs are in clear. Computations are in clear. No Privacy. And Or

Using random values To the wires are associated random values (cryptographic keys), which secretly represent the bits 0 and 1 K 3,0, K 3,1 K 2,0, K 2,1 K 1,0, K 1,1 Or Yao’s idea is to use the circuit as a conceptual guide for the computation which, instead of And, Or and Not operations on bits, becomes a sequence of decryptions of ciphertexts

w1w1 w2w2 bitsORw3w3 K 1,0 K 2,0 0,00K 3,0 K 1,0 K 2,1 0,11K 3,1 K 1,1 K 2,0 1,01K 3,1 K 1,1 K 2,1 1,11K 3,1 Gate table Enc(K 1,0,Enc(K 2,0, K 3,0 ) ) Enc(K 1,0,Enc(K 2,1, K 3,1 ) ) Enc(K 1,1,Enc(K 2,0, K 3,1 ) ) Enc(K 1,1,Enc(K 2,1, K 3,1 ) ) Gate tables (Enc(K,  ), Dec(K,  )) symmetric encryption algorithm The four double encryptions are stored in a random order. A gate evaluation ends up in a “correct” double decryption.

Garbled Circuit Construction G1G1 G2G2 G3G3 K 6,0, K 6,1 K 5,0, K 5,1 K 4,0, K 4,1 K 0,0, K 0,1 K 1,0, K 1,1 K 2,0, K 2,1 K 3,0, K 3,1 G1G1 Enc(K 0,0,Enc(K 1,0, K 4,0 ) ) Enc(K 0,0,Enc(K 1,1, K 4,0 ) ) Enc(K 0,1,Enc(K 1,0, K 4,0 ) ) Enc(K 0,1,Enc(K 1,1, K 4,1 ) ) G2G2 Enc(K 2,0,Enc(K 3,0, K 5,0 ) ) Enc(K 2,0,Enc(K 3,1, K 5,0 ) ) Enc(K 2,1,Enc(K 3,0, K 5,0 ) ) Enc(K 2,1,Enc(K 3,1, K 5,1 ) ) G3G3 Enc(K 4,0,Enc(K 5,0, K 6,0 ) ) Enc(K 4,0,Enc(K 5,1, K 6,1 ) ) Enc(K 4,1,Enc(K 5,0, K 6,1 )) Enc(K 4,1,Enc(K 5,1, K 6,1 ) )

G1G1 G2G2 G3G3 K 0,0 K 1,0 K 2,0 K 3,1 G1G1 Enc(K 0,0,Enc(K 1,0, K 4,0 ) ) Enc(K 0,0,Enc(K 1,1, K 4,0 ) ) Enc(K 0,1,Enc(K 1,0, K 4,0 ) ) Enc(K 0,1,Enc(K 1,1, K 4,1 ) ) G2G2 Enc(K 2,0,Enc(K 3,0, K 5,0 ) ) Enc(K 2,0,Enc(K 3,1, K 5,0 ) ) Enc(K 2,1,Enc(K 3,0, K 5,0 ) ) Enc(K 2,1,Enc(K 3,1, K 5,1 ) ) G3G3 Enc(K 4,0,Enc(K 5,0, K 6,0 ) ) Enc(K 4,0,Enc(K 5,1, K 6,1 ) ) Enc(K 4,1,Enc(K 5,0, K 6,1 ) ) Enc(K 4,1,Enc(K 5,1, K 6,1 ) ) Circuit evaluation Alice (0,0) Bob (0,1)

G1G1 G2G2 G3G3 K 0,0 K 1,0 K 2,0 K 3,1 G1G1 Enc(K 0,0,Enc(K 1,0, K 4,0 ) ) Enc(K 0,0,Enc(K 1,1, K 4,0 ) ) Enc(K 0,1,Enc(K 1,0, K 4,0 ) ) Enc(K 0,1,Enc(K 1,1, K 4,1 ) ) G2G2 Enc(K 2,0,Enc(K 3,0, K 5,0 ) ) Enc(K 2,0,Enc(K 3,1, K 5,0 ) ) Enc(K 2,1,Enc(K 3,0, K 5,0 ) ) Enc(K 2,1,Enc(K 3,1, K 5,1 ) ) G3G3 Enc(K 4,0,Enc(K 5,0, K 6,0 ) ) Enc(K 4,0,Enc(K 5,1, K 6,1 ) ) Enc(K 4,1,Enc(K 5,0, K 6,1 ) ) Enc(K 4,1,Enc(K 5,1, K 6,1 ) ) Circuit evaluation Alice (0,0) Bob (0,1)

G1G1 G2G2 G3G3 K 5,0 K 4,0 K 0,0 K 1,0 K 2,0 K 3,1 G1G1 Enc(K 0,0,Enc(K 1,0, K 4,0 ) ) Enc(K 0,0,Enc(K 1,1, K 4,0 ) ) Enc(K 0,1,Enc(K 1,0, K 4,0 ) ) Enc(K 0,1,Enc(K 1,1, K 4,1 ) ) G2G2 Enc(K 2,0,Enc(K 3,0, K 5,0 ) ) Enc(K 2,0,Enc(K 3,1, K 5,0 ) ) Enc(K 2,1,Enc(K 3,0, K 5,0 ) ) Enc(K 2,1,Enc(K 3,1, K 5,1 ) ) G3G3 Enc(K 4,0,Enc(K 5,0, K 6,0 ) ) Enc(K 4,0,Enc(K 5,1, K 6,1 ) ) Enc(K 4,1,Enc(K 5,0, K 6,1 ) ) Enc(K 4,1,Enc(K 5,1, K 6,1 ) ) Circuit evaluation Alice (0,0) Bob (0,1)

G1G1 G2G2 K 0,0 K 1,0 K 2,0 K 3,1 G1G1 Enc(K 0,0,Enc(K 1,0, K 4,0 ) ) Enc(K 0,0,Enc(K 1,1, K 4,0 ) ) Enc(K 0,1,Enc(K 1,0, K 4,0 ) ) Enc(K 0,1,Enc(K 1,1, K 4,1 ) ) G2G2 Enc(K 2,0,Enc(K 3,0, K 5,0 ) ) Enc(K 2,0,Enc(K 3,1, K 5,0 ) ) Enc(K 2,1,Enc(K 3,0, K 5,0 ) ) Enc(K 2,1,Enc(K 3,1, K 5,1 ) ) Alice (0,0) Bob (0,1) Circuit evaluation G3G3 K 5,0 K 4,0 G3G3 Enc(K 4,0,Enc(K 5,0, K 6,0 ) ) Enc(K 4,0,Enc(K 5,1, K 6,1 ) ) Enc(K 4,1,Enc(K 5,0, K 6,1 ) ) Enc(K 4,1,Enc(K 5,1, K 6,1 ) )

G1G1 G2G2 G3G3 K 6,0 K 5,0 K 4,0 K 0,0 K 1,0 K 2,0 K 3,1 G1G1 Enc(K 0,0,Enc(K 1,0, K 4,0 ) ) Enc(K 0,0,Enc(K 1,1, K 4,0 ) ) Enc(K 0,1,Enc(K 1,0, K 4,0 ) ) Enc(K 0,1,Enc(K 1,1, K 4,1 ) ) G2G2 Enc(K 2,0,Enc(K 3,0, K 5,0 ) ) Enc(K 2,0,Enc(K 3,1, K 5,0 ) ) Enc(K 2,1,Enc(K 3,0, K 5,0 ) ) Enc(K 2,1,Enc(K 3,1, K 5,1 ) ) G3G3 Enc(K 4,0,Enc(K 5,0, K 6,0 ) ) Enc(K 4,0,Enc(K 5,1, K 6,1 ) ) Enc(K 4,1,Enc(K 5,0, K 6,1 ) ) Enc(K 4,1,Enc(K 5,1, K 6,1 ) ) Circuit evaluation

G1G1 G2G2 G3G3 K 6,0 K 5,0 K 4,0 K 0,0 K 1,0 K 2,0 K 3,1 G1G1 Enc(K 0,0,Enc(K 1,0, K 4,0 ) ) Enc(K 0,0,Enc(K 1,1, K 4,0 ) ) Enc(K 0,1,Enc(K 1,0, K 4,0 ) ) Enc(K 0,1,Enc(K 1,1, K 4,1 ) ) G2G2 Enc(K 2,0,Enc(K 3,0, K 5,0 ) ) Enc(K 2,0,Enc(K 3,1, K 5,0 ) ) Enc(K 2,1,Enc(K 3,0, K 5,0 ) ) Enc(K 2,1,Enc(K 3,1, K 5,1 ) ) G3G3 Enc(K 4,0,Enc(K 5,0, K 6,0 ) ) Enc(K 4,0,Enc(K 5,1, K 6,1 ) ) Enc(K 4,1,Enc(K 5,0, K 6,1 ) ) Enc(K 4,1,Enc(K 5,1, K 6,1 ) ) Circuit evaluation = 0 … the map (circuit-output key, value) is public …

G1G1 G2G2 G3G3 K 6,0 K 5,0 K 4,0 K 0,0 K 1,0 K 2,0 K 3,1 G1G1 Enc(K 0,0,Enc(K 1,0, K 4,0 ) ) Enc(K 0,0,Enc(K 1,1, K 4,0 ) ) Enc(K 0,1,Enc(K 1,0, K 4,0 ) ) Enc(K 0,1,Enc(K 1,1, K 4,1 ) ) G2G2 Enc(K 2,0,Enc(K 3,0, K 5,0 ) ) Enc(K 2,0,Enc(K 3,1, K 5,0 ) ) Enc(K 2,1,Enc(K 3,0, K 5,0 ) ) Enc(K 2,1,Enc(K 3,1, K 5,1 ) ) G3G3 Enc(K 4,0,Enc(K 5,0, K 6,0 ) ) Enc(K 4,0,Enc(K 5,1, K 6,1 ) ) Enc(K 4,1,Enc(K 5,0, K 6,1 ) ) Enc(K 4,1,Enc(K 5,1, K 6,1 ) ) Circuit evaluation = 0 … the map (circuit-output key, value) is public … The evalution does not release any information about the input bits

How to use the garbled circuit? Idea: Alice constructs the garbled circuit. Bob gets it, Alice’s keys and … performs the computation. But … what about Bob’s keys? Bob cannot communicate his input bits … (privacy lost!) Does Alice send all of them? Too much … Bob can compute C(x,y) for all possible y.

Oblivious Transfer Bob gets either K i,0 or K i,1 (according to b) and no information on the other. Alice does not know which secret Bob has obtained. AliceBob INPUT K i,0, K i,1 b (bit choice) OUTPUT nothingK i,b Bob secretly gets the keys for each of his input bits (and only for those bits)

Yao’s Protocol Alice constructs the garbled circuit sends to Bob the garbled circuit (tables) the keys associated to her input-wire bits the correspondence between the keys associated to the circuit-output wires and the bits 0 and 1. run with Bob n instances of the OT protocol to enable Bob to recover the n keys associated to his input-wire bits Bob evaluates the circuit (and communicates the result to Alice)

Kolesnikov’s approach: secret sharing Instead of using a table with four double encryptions, use secret sharing And lsh 0 lsh 1 rsh 0 rsh 1 s0s0 s1s1 Each combination of the shares gives s 0 or s 1 [Asiacrypt 2005] extending the ideas of Ishai&Kushilevitz [ICALP2002]

Gate Equivalent Secret Sharing if b=0if b=1 And bR 0 bR 1 s 0  R 0 |s 0  R 1 s0s0 s1s1 s 0  R 0 |s 1  R 1 s 0  R 1 |s 0  R 0 s 1  R 1 |s 0  R 0  denotes xor bitwise s 0,s 1, R 0, R 1 are bitstrings b is a single bit

Gate Equivalent Secret Sharing And 0R 0 1R 1 s 0  R 0 |s 0  R 1 s0s0 s1s1 s 0  R 0 |s 1  R 1  denotes xor bitwise s 0,s 1, R 0, R 1 are bitstrings b is a single bit

Full Protocol: Recursive sharing And Or s0s0 s1s1 0R 0 1R 1 s 0  R 0 |s 0  R 1 s 0  R 0 |s 1  R 1 0T 0 1T 1 0R 0  T 0 |0R 0  T 1 0R 0  T 0 |1R 1  T 1 1V 0 0V 1 (s 0  R 0 |s 0  R 1 )  V 1 |(s 0  R 0 |s 0  R 1 )  V 0 (s 0  R 0 |s 1  R 1 )  V 1 |(s 0  R 0 |s 0  R 1 )  V 0

An explicit representation (garbled circuit) is not needed anymore, the circuit is implicitly presents in the input shares Observations Kolesnikov uses secret sharing for optimization issues 0T 0 1T 1 0R 0  T 0 |0R 0  T 1 0R 0  T 0 |1R 1  T 1 1V 0 0V 1 (s 0  R 0 |s 0  R 1 )  V 1 |(s 0  R 0 |s 0  R 1 )  V 0 (s 0  R 0 |s 1  R 1 )  V 1 |(s 0  R 0 |s 0  R 1 )  V 0

… but a secret sharing scheme can be realized also through a physical process which represents the secret as an image prints the shares on transparencies and reconstructs the secret by superposing the transparencies and using the human visual system Idea…

Visual Cryptography [Naor&Shamir 1994, Kafri&Karen 1987]

Visual Cryptography (2,2)-VCS secret image share 1 share 2 superposition

Probabilistic Schemes error probability Prob = 1 Prob = 1/2 secret pixel share 2 share 1 share 2 share 1 secret pixel + + superposition (logical or) choosing at random + +

Deterministic Schemes pixel expansion secret pixel superposition share 2 share 1 share 2 share choosing at random + +

… but visual cryptography does not realize xor! … a closer look: all we need is secret reconstructability … Kolesnikov’s construction is a special case of a general construction… And 1R 0 0R 1 s0s0 s1s1 s 0  R 1 |s 0  R 0 s 1  R 1 |s 0  R 0  denotes xor bitwise s 0,s 1, R 0, R 1 are bitstrings b is a single bit … xor!!!

Multisecret sharing schemes And bR 1 … |s 0  R 1 s0s0 s1s1 … |s 1  R 1 R 1  s 0  R 1 = s 0 R 1  s 1  R 1 = s 1 sh 1 sh 2 sh 3 Rec( sh 1, sh 2 ) = s 0 Rec( sh 1, sh 3 ) = s 1 The construction in general form can be described in terms of two multisecret sharing schemes for a set of three participants and two secrets

Gate Equivalent Visual Secret Sharing And vlsh 0 vlsh 1 vrsh 0 vrsh 1 I0I0 I1I1 Each combination of the visual shares visually reconstructs image I 0 or image I 1 e.g., Rec(vlsh 0, vrsh 0 )=I 0... Rec(vlsh 1, vrsh 1 )=I 1 We can do it by using two instances of a visual multi-secret sharing scheme (see the paper for constructions and details …)

An example

Input shares - Circuit representation

Physical Oblivious Transfer Assumption: Indistinguishable envelopes exist

Physical Oblivious Transfer Prepares two envelopes with the visual shares 1 Two-round protocol 10

Physical Oblivious Transfer 1 0 Prepares two envelopes with the visual shares hands to Bob 1 2 Two-round protocol 1 0

Physical Oblivious Transfer Prepares two envelopes with the visual shares hands to Bob Turns his shoulders to Alice Takes the one of interest Removes the post-it from the other keeps gives back Two-round protocol 1 0

Physical Oblivious Transfer Prepares two envelopes with the visual shares hands to Bob Turns his sholders to Alice Takes the one of interest Removes the post-it from the other keeps gives back hands to Alice Two-round protocol 1 0

Physical Oblivious Transfer Prepares two envelopes with the visual shares Destroys it under Bob’s surveillance hands to Bob Turns his sholders to Alice Takes the one of interest Removes the post-it from the other keeps gives back hands to Alice Two-round protocol 1 0

VTPC Protocol Alice constructs the visual shares associated to the input wires Sends to Bob the shares associated to her input bits Run with Bob n instances of the physical OT protocol to enable Bob to recover the n visual shares associated to his input bits Bob visually evaluates the circuit (and communicates the result to Alice)

Visual Evaluation An example

G7G7 G6G6 G3G3 G2G2 G1G1 x1x1 y1y1 x2x2 y2y2 x3x3 y3y3 0 1 f(x,y)=(x 1 +y 1 )  [(x 2  y 2 )  (x 3 +y 3 )] Chosen images for bit representation Boolean function

G7G7 G6G6 G3G3 G2G2 G1G1 x1x1 y1y1 x2x2 y2y2 x3x3 y3y3 Input shares constructed by Alice through the VTPC protocol

G7G7 G6G6 G3G3 G2G2 G1G1 x1x1 y1y1 x2x2 y2y2 x3x3 y3y3 Shares held by Bob after the OT protocols, assuming x=011 and y=110

G7G7 G6G6 G3G3 G2G2 G1G1 x1x1 y1y1 x2x2 y2y2 x3x3 y3y3 Function evaluation performed by Bob.

G7G7 G6G6 G3G3 G2G2 G1G1 Function evaluation performed by Bob.

G7G7 G6G6 G3G3 G2G2 G1G1 Function evaluation performed by Bob.

Conclusions A novel method for privately evaluating any two party boolean function The method is unconditionally secure Visual Cryptography can be also seen as a “computing tool”

Open Problems Applications Two party case: malicious adversary Multi-party case: semi-honest, malicious adversaries Optimizations: tradeoff security vs efficiency Use of other visual cryptography schemes VCS as a tool for crypto-computing in special settings

Thanks!

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.