Presentation is loading. Please wait.

Presentation is loading. Please wait.

The first Few Slides stolen from Boaz Barak

Published bySukarno Tan Modified over 6 years ago

Similar presentations

Presentation on theme: "The first Few Slides stolen from Boaz Barak"— Presentation transcript:

1 The first Few Slides stolen from Boaz Barak
Garbled Circuits The first Few Slides stolen from Boaz Barak Joe Kilian Vitali Shmatikov

2 The Love Game (AKA the AND game)
He loves me, he loves me not… She loves me, she loves me not… Want to know if both parties are interested in each other. But… Do not want to reveal unrequited love. Input = 1 : I love you Input = 0: I love you Must compute F(X,Y)=XÆY, giving F(X,Y) to both players. … as a friend Can we reveal the answer without revealing the inputs?

3 The Spoiled Children Problem (AKA The Millionaires Problem [Yao])
Who has more toys? Who Cares? Pearl wants to know whether she has more toys than Gersh, Doesn’t want to tell Gersh anything. Gersh is willing for Pearl to find out who has more toys, Doesn’t want Pearl to know how many toys he has. Pearl wants to know whether she has more toys than Gersh, Doesn’t want to tell Gersh anything. Gersh is willing for Pearl to find out who has more toys, Doesn’t want Pearl to know how many toys he has. Can we give Pearl the information she wants, and nothing else, without giving Gersh any information at all?

4 Yao’s Protocol Andrew Yao Turing award winner
Theoretical CS, crypto, quantum computing… In crypto PRG, Yao’s Garbled Circuit, one-way function …

5 Yao’s Protocol Compute any function securely
First, convert the function into a boolean circuit AND AND Alice’s inputs NOT Bob’s inputs AND OR OR z z x y z x y z AND OR Truth table: 1 Truth table: 1 1 x y 1 x y 1 1 1 1 1 1 1 1

6 Alice prepares “garbled” version C’ of C
AND AND Alice’s inputs NOT Bob’s inputs AND OR OR Overview: Alice prepares “garbled” version C’ of C Sends “encrypted” form x’ of her input x Allows bob to obtain “encrypted” form y’ of his input y Bob can compute from C’,x’,y’ the “encryption” z’ of z=C(x,y) Bob sends z’ to Alice and she decrypts and reveals to him z Crucial properties: Bob never sees Alice’s input x in unencrypted form. Bob can obtain encryption of y without Alice learning y. Neither party learns intermediate values. Remains secure even if parties try to cheat.

7 Intuition c AND a b

8 Intuition a b c AND b a a b

9 1: Pick Random Keys For Each Wire
Next, evaluate one gate securely Later, generalize to the entire circuit Alice picks two random keys for each wire One key corresponds to “0”, the other to “1” 6 keys in total for a gate with 2 input wires k0z, k1z z AND Alice x y Bob k0x, k1x k0y, k1y

10 2: Encrypt Truth Table Alice encrypts each row of the truth table by encrypting the output-wire key with the corresponding pair of input-wire keys z k0z, k1z AND Alice x y Bob k0x, k1x k0y, k1y Ek0x(Ek0y(k0z)) x y z Ek0x(Ek1y(k0z)) Encrypted truth table: Original truth table: 1 Ek1x(Ek0y(k0z)) 1 1 1 1 Ek1x(Ek1y(k1z))

11 3: Send Garbled Truth Table
Alice randomly permutes (“garbles”) encrypted truth table and sends it to Bob Does not know which row of garbled table corresponds to which row of original table z k0z, k1z AND Alice x y Bob k0x, k1x k0y, k1y Ek1x(Ek0y(k0z)) Ek0x(Ek0y(k0z)) Ek0x(Ek1y(k0z)) Ek0x(Ek1y(k0z)) Garbled truth table: Ek1x(Ek0y(k0z)) Ek1x(Ek1y(k1z)) Ek1x(Ek1y(k1z)) Ek0x(Ek0y(k0z))

12 4: Send Keys For Alice’s Inputs
Alice sends the key corresponding to her input bit Keys are random, so Bob does not learn what this bit is k0z, k1z z Learns Kb’x where b’ is Alice’s input bit, but not b’ (why?) AND Alice x y Bob k0x, k1x If Alice’s bit is 1, she simply sends k1x to Bob; if 0, she sends k0x k0y, k1y Ek1x(Ek0y(k0z)) Ek0x(Ek1y(k0z)) Garbled truth table: Ek1x(Ek1y(k1z)) Ek0x(Ek0y(k0z))

13 5: Use OT on Keys for Bob’s Input
Alice and Bob run oblivious transfer protocol Alice’s input is the two keys corresponding to Bob’s wire Bob’s input into OT is simply his 1-bit input on that wire z Knows Kb’x where b’ is Alice’s input bit and Kby where b is his own input bit k0z, k1z AND Alice x y Bob k0x, k1x Run oblivious transfer Alice’s input: k0y, k1y Bob’s input: his bit b Bob learns kby What does Alice learn? k0y, k1y Ek1x(Ek0y(k0z)) Ek0x(Ek1y(k0z)) Garbled truth table: Ek1x(Ek1y(k1z)) Ek0x(Ek0y(k0z))

14 6: Evaluate Garbled Gate
Using the two keys that he learned, Bob decrypts exactly one of the output-wire keys Bob does not learn if this key corresponds to 0 or 1 Why is this important? z Knows Kb’x where b’ is Alice’s input bit and Kby where b is his own input bit k0z, k1z AND Alice x y Bob k0x, k1x Suppose b’=0, b=1 Ek1x(Ek0y(k0z)) k0y, k1y This is the only row Bob can decrypt. He learns K0z Ek0x(Ek1y(k0z)) Garbled truth table: Ek1x(Ek1y(k1z)) Ek0x(Ek0y(k0z))

15 7: Evaluate Entire Circuit
In this way, Bob evaluates entire garbled circuit For each wire in the circuit, Bob learns only one key It corresponds to 0 or 1 (Bob does not know which) Therefore, Bob does not learn intermediate values (why?) Bob tells Alice the key for the final output wire and she tells him if it corresponds to 0 or 1 Bob does not tell her intermediate wire keys (why?) AND OR NOT Alice’s inputs Bob’s inputs

16 8: Making it robust So far, protocol is only secure for honest-but-curious (aka semi-honest) adversaries: Alice can prepare faulty circuit (e.g. C(x,y)=y). Bob can give Alice wrong output. Solutions: Alice proves in zero knowledge that garbled circuit is correct. (Need also proofs of knowledge for inputs.) “cut and choose” – Alice prepares several copies of garbled circuit. Bob asks to “open up” some of them, and then they use an unopened one to compute.

17 Garbled Circuit Implemetations
Y. Huang et al. ObliVM TinyGarble

18 Garbled Circuit Implementations
Y. Huang et al. (Java, building block based) JustGarble (AES based) ObliVM (PL based; oblivious RAM too) TinyGarble (uses industry synthesis tools)

19 Some Designing Principles
XOR is free! Use as many xors as possible Design your own circuit-efficient oblivious algorithms Sorting? Insertion? Set intersection? Max, min? What about arithmetic operations?

20 Sorting Networks

21 Sorting Networks Various algorithms exist to construct simple, yet efficient sorting networks of depth O(log2 n) (hence size O(n log2 n)) such as Batcher odd–even mergesort, bitonic sort, Shell sort, and the Pairwise sorting network.  Batcher’s turn out to give the best one for practical n, in general. We use it..

22 Sorting Networks

Download ppt "The first Few Slides stolen from Boaz Barak"

Similar presentations

Polylogarithmic Private Approximations and Efficient Matching

Polylogarithmic Private Approximations and Efficient Matching
Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Joe Kilian NEC Laboratories, America Aladdin Workshop on Privacy in DATA March 27, 2003.

Joe Kilian NEC Laboratories, America Aladdin Workshop on Privacy in DATA March 27, 2003.
Secure Computation Slides stolen from Joe Kilian & Vitali Shmatikov Boaz Barak.

Secure Computation Slides stolen from Joe Kilian & Vitali Shmatikov Boaz Barak.
Secure Computation of Linear Algebraic Functions

Secure Computation of Linear Algebraic Functions
Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto

Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto
Yan Huang, David Evans, Jonathan Katz

Yan Huang, David Evans, Jonathan Katz
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.

Polling With Physical Envelopes A Rigorous Analysis of a Human–Centric Protocol Tal Moran Joint work with Moni Naor.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.

Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.

What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Oblivious Transfer based on the McEliece Assumptions

Oblivious Transfer based on the McEliece Assumptions
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.

1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.
CSEP 590tv: Quantum Computing

CSEP 590tv: Quantum Computing

Similar presentations

Ads by Google