Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptographic protocols 2015, Lecture 14 Garbled Circuits

Published byHannah Jackson Modified over 6 years ago

Similar presentations

Presentation on theme: "Cryptographic protocols 2015, Lecture 14 Garbled Circuits"— Presentation transcript:

1 Cryptographic protocols 2015, Lecture 14 Garbled Circuits
helger lipmaa, university of tartu

2 Up to now We saw secure computation protocols with tradeoffs Rounds
Communication Computation BDD-based MPC

3 This lecture We saw secure computation protocols with tradeoffs
This time: another tradeoff Rounds Communication Computation BDD-based Multi-round Garbled circuits

4 Recall: Boolean circuits
A computation model Every node evaluates a Boolean function on its inputs Output of circuit: top value Complexity class of all Boolean functions that can be evaluated by circuits = class of efficient Boolean functions (P/poly) x y z

5 Boolean circuits Gate implements a function f:{0, 1}² → {0, 1}
Circuit implements a function C: {0, 1}ⁿ → {0, 1} x y z

6 Boolean circuits Fix values of input gates
0,1 Fix values of input gates Each wire w obtains recursively a value V[w]∈{0, 1} Circuit outputs the value of the output wire V[output] 0,1 0,1 0,1 0,1 0,1 0,1 0,1 0,1 x y z

7 Boolean circuits Fix values of input gates
0,1 Fix values of input gates Each wire w obtains recursively a value V[w]∈{0, 1} Circuit outputs the value of the output wire V[output] 0,1 0,1 0,1 0,1 0,1 0,1 0,1 0,1 x y z

8 Boolean circuits Fix values of input gates
0,1 Fix values of input gates Each wire w obtains recursively a value V[w]∈{0, 1} Circuit outputs the value of the output wire V[output] 0,1 0,1 0,1 0,1 0,1 0,1 0,1 0,1 x y z

9 Boolean circuits Fix values of input gates
0,1 Fix values of input gates Each wire w obtains recursively a value V[w]∈{0, 1} Circuit outputs the value of the output wire V[output] 0,1 0,1 0,1 0,1 0,1 0,1 0,1 0,1 x y z

10 Boolean circuits 0,1 Let wᵢ (m) be the value of wᵢ, given input assignment m Thus for m = 010, C (m) = 1 0,1 0,1 0,1 0,1 0,1 0,1 0,1 0,1 x y z

11 Boolean circuits 16 Boolean functions, so 16 possible gate types
Possible basis: {∧,⊕} ¬x = 1⊕x x∨y = ¬(¬x∧¬y) = 1⊕((1⊕x)∧(1⊕y)) = x⊕y⊕(x∧y) x y z

12 Garbled circuits: Goal
0,1 Alice knows input a Bob knows input b Bob will get to know C (a, b) ... without learning anything about Alice's input and the intermediate wire values 0,1 0,1 0,1 0,1 0,1 0,1 0,1 0,1 x y z

13 Garbled circuits: idea
0,1 "Garble" all wire values for wire w, 0 → Kw0, 1 → Kw1 except for output wire where Kwj=j Main idea: Allow Bob to obtain only one Kwj of two garbled values corresponding to each wire for random keys, chosen by Alice 0,1 0,1 0,1 0,1 0,1 0,1 0,1 0,1 x y z

14 More Details ∧ ⊕ ∨ ∧ ∨ ∧ x y z For each Alice's input wᵢ:
K₉₀,K₉₁ For each Alice's input wᵢ: Alice sends to Bob Kwᵢaᵢ For each Bob's input wᵢ: Alice generates and helps Bob to privately obtain Kwᵢbᵢ For each internal wire w: Alice helps Bob to obtain Kwᵢbᵢ K₇₀,K₇₁ K₈₀,K₈₁ K₄₀,K₄₁ K₅₀,K₅₁ K₆₀,K₆₁ K₁₀,K₁₁ K₃₀,K₃₁ K₂₀,K₂₁ x y z

15 More Details ∧ ⊕ ∨ ∧ ∨ ∧ x y z For each Alice's input wᵢ:
K₉₀,K₉₁ For each Alice's input wᵢ: Alice sends to Bob Kwᵢaᵢ For each Bob's input wᵢ: Alice generates and helps Bob to privately obtain Kwᵢbᵢ For each internal wire w: Alice helps Bob to obtain Kwᵢbᵢ K₇₀,K₇₁ K₈₀,K₈₁ K₄₀,K₄₁ K₅₀,K₅₁ K₆₀,K₆₁ K₁₀,K₁₁ K₃₀,K₃₁ K₂₀,K₂₁ x y z

16 More Details ∧ ⊕ ∨ ∧ ∨ ∧ x y z For each Alice's input wᵢ:
K₉₀=0,K₉₁=1 For each Alice's input wᵢ: Alice sends to Bob Kwᵢaᵢ For each Bob's input wᵢ: Alice generates and helps Bob to privately obtain Kwᵢbᵢ For each internal wire w: Alice helps Bob to obtain Kwᵢbᵢ K₇₀,K₇₁ K₈₀,K₈₁ Protocol 1 K₄₀,K₄₁ K₅₀,K₅₁ K₆₀,K₆₁ K₁₀,K₁₁ K₃₀,K₃₁ K₂₀,K₂₁ x y z Protocol 2

17 Quiz: Protocol 1 j K₀,K₁ Kj Let w be one of Bob's input wires
Alice has K₀, K₁ Bob has j Quiz: how to transfer Kj to Bob? Answer: oblivious transfer. CPIR with extra privacy: Bob obtains only one database element j K₀,K₁ Kj

18 d← c^(f₁ - f₀) · Enc(f₀; r')
(2, 1)-OT protocol Protocol r←ℤn* c←Enc(x; r) r'←ℤn* d← c^(f₁ - f₀) · Enc(f₀; r') c pk,sk x∈{0,1} pk f = (f₀,f₁) fᵢ∈{0,1}ᴸ M←Dec(d) d This is oblivious transfer in semihonest model. Honest Bob only obtains M = fx

19 remarks: OT Computation: small number of PK ops
As we saw, Paillier is quite expensive, though Communication: 2 ciphertexts Note: |key| is short, say 128 bits Can use any OT protocol that works with such data

20 Quiz: Protocol 2 Ku0,...,Kw1 Kui,Kvj Kwk ∧
Let w be one of intermediate wires Alice has keys Ku0, Ku1, Kv0, Kv1, Kw0, Kw1 Bob has Kui, Kvj Quiz: how to transfer Kwk, k = i ∧ j, to Bob? Kw₀,Kw₁ Other gates are similar Ku₀,Ku₁ Kv₀,Kv₁ Ku0,...,Kw1 Kui,Kvj Answer: garbled gate. Alice sends to Bob {Enc(Kui;Enc(Kvj;Kwk))} Kwk

21 Note 2: Other gate types can be garbled similarly
Garbled AND-gate G₀₀ ← AES (Ku₀, AES (Kv₀, 0²⁰ || Kw₀)) G₀₁ ← AES (Ku₀, AES (Kv₁, 0²⁰ || Kw₀)) G₁₀ ← AES (Ku₁, AES (Kv₀, 0²⁰ || Kw₀)) G₁₁ ← AES (Ku₁, AES (Kv₁, 0²⁰ || Kw₁)) G[w] ← random perm. of Gij Protocol For i' ∈ {0, 1}, j' ∈ {0, 1} K' ← AES⁻¹ (Kui, AES⁻¹ (Kvj, Gi'j')) If K' == 0²⁰ || K'' Kwk ← K''; break Return Kwk G[w] Ku0, Ku1 Kv0, Kv1 Kw0, Kw1 Kui, Kvj Note 1: this protocol is non-interactive. Alice can transfer G[w] to Bob before Bob knows Kui, Kvj. Note 2: Other gate types can be garbled similarly

22 Remarks: garbled gate Computation: Alice: 8 AES encryptions
Bob: 4 AES decryptions in average AES is much (1000×?) faster than PK encryption! Communication: < 500 bits Can replace AES with arbitrary faster but secure block cipher

23 Full Garbled Circuit protocol
Generate new pk for OT For all Bob's input wires i: Prepare OT query Q (bᵢ) c ← (pk, (Q (bᵢ)) for all i) Protocol For all wires w of the circuit: Generate random Kw0, Kw1 Construct G[w] if w is internal d ← (G [w]) for all internal wires w e ← (Kiaᵢ) for all Alice's input wires i For all Bob's input wires i: Let Rᵢ ← Reply (Q (bᵢ), (Ki0, Ki1)) f ← (Rᵢ) for all Bob's input wires i For all Bob's input wires i: Kibᵢ ← Answer (Rᵢ) For all internal wires w of the circuit: Kwk←GarbledGate(Kui,Kvj,G[w]) Return the key of last gate c C, a C, b (d,e,f)

24 security Bob's privacy:
Alice sees only OT queries, so guaranteed by OT security Alice's privacy: Bob sees AES encryptions and OT replies Security guaranteed by AES security, OT security, and correctness of Alice's operation Will omit formal proof of security

25 Efficiency Round-complexity:
2 msg (one msg by Bob, one by Alice) --- optimal # of rounds Computation: |Bob inputs| OT-s, 8*|circuit size| AES-s Very good, since AES is fast except when circuit size is really large Communication: < 500 bits per gate, thus large Communication is linear in |circuit|, not in |size| :(

26 Garbled circuits Rounds: 2
Computation: |Bob's input| OT, 8*|circuit size| AES Communication: Θ (|circuit size|) Rounds Communication Computation BDD-based MPC Garbled circuits

27 Example: Eq Alice's input: a ∈ {0, 1}ⁿ Bob's input: b ∈ {0, 1}ⁿ
= a₁ a₀ b₂ b₁ b₀ a₂ Alice's input: a ∈ {0, 1}ⁿ Bob's input: b ∈ {0, 1}ⁿ Bob's output: [b = a] Circuit size: 2n - 1 Cost: n OT, 8(2n - 1) AES Comp. dominated by OT-s

28 Non-cryptographic task. Will not elaborate
how to optimize? Communication: linear in |circuit size| Task 1: minimize circuit size Computation is dominated, depending on circuit size, by OT-s or GarbledGate's Task 2: minimize complexity of OT-s Task 3: minimize complexity of GarbledCircuit's Non-cryptographic task. Will not elaborate Cryptographic task. Will elaborate

29 OT complexity minimization
Use more efficient (2, 1)-OT Paillier → Elgamal, but can't go much faster OT extension: we need many expensive OT-s need to reduce the number expensive operations

30 Recall: κ is the security parameter
ot extension If input length n is large: need to implement n >> κ expensive OT-s Question: Can we implement n OT-s by using n "cheap operations" and << n OT-s? Recall: κ is the security parameter

31 Recall: n OTᴸ protocols
For i = 1 to n: cᵢ←Q(xᵢ) Protocol For i = 1 to n: Rᵢ ← Reply (cᵢ, (fᵢ₀, fᵢ₁)) For i = 1 to n: Mᵢ←Answer(Rᵢ) (c₁, ..., cn) (fᵢ₀, fᵢ₁)∈{0,1}ᴸ xᵢ∈{0,1} (R₁, ..., Rn)

32 idea: oT extension Alice obtains from Bob, by using κ << n OT protocols, a number of random bits Alice masks her input by so obtained random bits and her own random input s, and sends the masked values to Bob Bob can "unmask" only 1 / 2 of the transferred values since the rest depends on s

33 n OTᴸ via OT extension t¹⊕0x t²⊕0x t³⊕0x t₁₁ t₁₂ t₁₃ t₂₁ t₂₂ t₂₃ t₃₁
For i = 1 to n: For j = 1 to κ: tij← {0, 1} For i = 1 to κ: Write tⁱ = (t1i, ..., tni) Compute tⁱ ⊕ x x∈{0,1}ⁿ For i ∈ {1,...,n}: (fᵢ₀, fᵢ₁)∈{0,1}ᴸ t¹⊕0x t²⊕0x t³⊕0x t₁₁ t₁₂ t₁₃ t₂₁ t₂₂ t₂₃ t₃₁ t₃₂ t₃₃ t₄₁ t₄₂ t₄₃ t₅₁ t₅₂ t₅₃ t₆₁ t₆₂ t₆₃

34 Alice obtains {Aⁱ = tⁱ⊕sᵢx} by using κ OTᵐ-s
n OTᴸ via OT extension For i = 1 to n: For j = 1 to κ: tij← {0, 1} For i = 1 to κ: Write tⁱ = (t1i, ..., tni) Compute tⁱ ⊕ x x∈{0,1}ⁿ For i ∈ {1,...,n}: (fᵢ₀, fᵢ₁)∈{0,1}ᴸ s ← {0, 1}^κ Alice obtains {Aⁱ = tⁱ⊕sᵢx} by using κ OTᵐ-s OT(s₁) OT(s₂) OT(s3) t¹⊕0x t¹⊕1x t²⊕0x t²⊕1x t³⊕0x t³⊕1x t₁₁ t₁₁⊕x₁ t₁₂ t₁₂⊕x₁ t₁₃ t₁₃⊕x₁ t₂₁ t₂₁⊕x₂ t₂₂ t₂₂⊕x₂ t₂₃ t₂₃⊕x₂ t₃₁ t₃₁⊕x₃ t₃₂ t₃₂⊕x₃ t₃₃ t₃₃⊕x₃ t₄₁ t₄₁⊕x₄ t₄₂ t₄₂⊕x₄ t₄₃ t₄₃⊕x₄ t₅₁ t₅₁⊕x₅ t₅₂ t₅₂⊕x₅ t₅₃ t₅₃⊕x₅ t₆₁ t₆₁⊕x₆ t₆₂ t₆₂⊕x₆ t₆₃ t₆₃⊕x₆

35 n OTᴸ via OT extension t¹⊕0x t¹⊕1x t²⊕0x t²⊕1x t³⊕0x t³⊕1x t₁₁ t₁₁⊕x₁
For i = 1 to n: For j = 1 to κ: tij← {0, 1} For i = 1 to κ: Write tⁱ = (t1i, ..., tni) Compute tⁱ ⊕ x x∈{0,1}ⁿ For i ∈ {1,...,n}: (fᵢ₀, fᵢ₁)∈{0,1}ᴸ s ← {0, 1}^κ Alice obtains {Aⁱ = tⁱ⊕sᵢx} by using κ OTᵐ-s OT(s₁) OT(s₂) OT(s3) Bob knows this if xᵢ = 0. Mask fᵢ₀ by it t¹⊕0x t¹⊕1x t²⊕0x t²⊕1x t³⊕0x t³⊕1x t₁₁ t₁₁⊕x₁ t₁₂ t₁₂⊕x₁ t₁₃ t₁₃⊕x₁ t₂₁ t₂₁⊕x₂ t₂₂ t₂₂⊕x₂ t₂₃ t₂₃⊕x₂ t₃₁ t₃₁⊕x₃ t₃₂ t₃₂⊕x₃ t₃₃ t₃₃⊕x₃ t₄₁ t₄₁⊕x₄ t₄₂ t₄₂⊕x₄ t₄₃ t₄₃⊕x₄ t₅₁ t₅₁⊕x₅ t₅₂ t₅₂⊕x₅ t₅₃ t₅₃⊕x₅ t₆₁ t₆₁⊕x₆ t₆₂ t₆₂⊕x₆ t₆₃ t₆₃⊕x₆ Aᵢ = tᵢ⊕xᵢs Aᵢ⊕s = tᵢ⊕(1⊕xᵢ)s Bob knows this if xᵢ = 1. Mask fᵢ₁ by it

36 full OT extension (q₁, ..., qκ) (R₁, ..., Rκ) Protocol
For i = 1 to n: For j = 1 to κ: tij← {0, 1} For i = 1 to κ: Write tⁱ = (t1i, ..., tni) Rᵢ ← Reply (qᵢ, (tⁱ, tⁱ⊕x)) s ← {0, 1}^κ For i = 1 to κ: qᵢ ← Q (sᵢ) (q₁, ..., qκ) Protocol (R₁, ..., Rκ) (y₁₀,y₁₁, ..., yn₀,yn₁) For i = 1 to κ: Aⁱ ←Answer(Rᵢ) // = tⁱ⊕sᵢx // Aᵢ = tᵢ⊕xᵢs, Aᵢ⊕s = tᵢ⊕(1⊕xᵢ)s For i = 1 to n: yᵢ₀ ← fᵢ₀ ⊕ H (Aᵢ) yᵢ₁ ← fᵢ1 ← H (Aᵢ ⊕ s) For i = 1 to n: mᵢ← yi,xi⊕H (tᵢ) Return m x∈{0,1}ⁿ For i ∈ {1,...,n}: (fᵢ₀, fᵢ₁)∈{0,1}ᴸ

37 security Alice's privacy: Bob sees qᵢ and mᵢ = ... + H (...)
Alice's privacy guaranteed by OT privacy and security of H (will not elaborate on latter) Bob's privacy: Alice sees {tⁱ⊕sᵢx}ᵢ - no information revealed about x since tⁱ is random

38 efficiency ⇒ Alice: κ OT-s of n-bit strings, 2n H-s
Bob: κ OT-s of n-bit strings, n H-s If κ << n and Cost(H) << Cost(OT): huge benefit If κ << n ≈ |circuit size|: OT dominates the cost of GC OT extension makes GC many times faster

39 G.Gate optimization, 1 Use a more efficient symmetric encryption scheme gives speedup, but not certain how much AES is implemented in Intel hardware Replace AES with a hash function use Bitcoin hardware

40 G.Gate optimization, 2 Can we reduce the overhead of GarbledGate?
G₀₀ ← AES (Ku₀, AES (Kv₀, 0²⁰ || Kw₀)) G₀₁ ← AES (Ku₀, AES (Kv₁, 0²⁰ || Kw₀)) G₁₀ ← AES (Ku₁, AES (Kv₀, 0²⁰ || Kw₀)) G₁₁ ← AES (Ku₁, AES (Kv₁, 0²⁰ || Kw₁)) G[w] ← random perm. of Gij Can we reduce the overhead of GarbledGate? Alice: from 8 AES to smaller number? Bob: from 8 AES⁻¹ to smaller number? For i ∈ {0, 1}, j ∈ {0, 1} K' ← AES⁻¹ (Kui, AES⁻¹ (Kvj, Gij)) If K' == 0²⁰ || K'' Kwk ← K'' break Return Kwk

41 FreeXOR technique Alice generates random, secret "global difference" Δ She always sets Kw1 ← Kw0⊕Δ For each XOR gate w ← u⊕v: set Kw0 ← Ku0⊕Kv0 The rest of the protocol is unchanged Security ok: since Bob never obtains both Kw0, Kw1, then Δ stays secret Ku₀,Ku₀⊕Δ Kv₀,Kv₀⊕Δ Kw₀,Kw₀⊕Δ

42 FreeXOR technique For each XOR gate: set Kw0 ← Ku0 ⊕ Kv0 Ku0⊕Kv0 = Kw0
Ku1⊕Kv0 = Kw0⊕Δ = Kw1 Ku0⊕Kv1 = Kw0⊕Δ = Kw1 Ku1⊕Kv1 = Kw0⊕Δ⊕Δ = Kw0 No need to transfer G[w] for XOR gates Computation: AES * O(|non-XOR gates|) + XOR * O(|XOR gates|)

43 Why relevant? {XOR, AND} is a basis of all possible gates
Boolean versions of + and · On "average": garbled circuits twice more efficient For many circuits, XOR gates dominate strongly garbled circuits become many times more efficient

44 Simplifying "aND" + ∧ Idea: AND is a symmetric operation
Similar optimization possible with all symmetric gates Idea: AND is a symmetric operation x ∧ y is a function of x + y, not of x and y individually (0 ∧ 0) = 0, (0 ∧ 1) = (1 ∧ 0) = 0, (1 ∧ 1) = 1 Thus x ∧ y = f₀₀₁ (x + y) FreeAdd: use a random Δ in all + gates + Ku₀,Ku₁=Ku₀+Δ Kv₀,Kv₁=Kv₀+Δ Kw₀=Ku₀+Kv₀,Kw₁=Kw₀+Δ,Kw₂=Kw₀+2Δ f₀₀₁ Kz₀,Kz₁ symmetric FreeSym G₀ ← AES (Kw₀, 0²⁰ || Kz₀) G₁ ← AES (Kw₁, 0²⁰ || Kz₀) G₂ ← AES (Kw₂, 0²⁰ || Kz₁) G[w] ← random shuffle of Gᵢ Ku₀,Ku₁ Kv₀,Kv₁ Kw₀,Kw₁ Local computation 8 AES → 3 AES

45 Comparison: FreeXOr etc
AND Classical 8 FreeXOR FreeSym 2 3 (not covered) 0-2

46 not covering in this course - just not enough time
and more and more Highly parallel: after keys are computed, Alice can compute all garbled gates G [w] in parallel Many more optimizations than fit to the margins Very active research area especially active: efficiency in malicious model A GPU implementation can process hundreds/thousands of gates in parallel not covering in this course - just not enough time

47 GC: OUTRO Computationally very efficient
Main problem: huge communication Another problem: circuit optimization In many cases, it is more natural to work in some other computational model For example: circuit for integer multiplication is large

48 next lecture Pairings: algebraically "one step up" from exponentiation
instead of linear functions, allow to compute quadratic functions on ciphertexts, non- interactively Many, many applications - incl. efficient NIZK

Download ppt "Cryptographic protocols 2015, Lecture 14 Garbled Circuits"

Similar presentations

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.

Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Computer Security Set of slides 4 Dr Alexei Vernitski.

Computer Security Set of slides 4 Dr Alexei Vernitski.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.

General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.

Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Oblivious Transfer based on the McEliece Assumptions

Oblivious Transfer based on the McEliece Assumptions
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.

1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.
Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties.

Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties.
Practical Techniques for Searches on Encrypted Data Yongdae Kim Written by Song, Wagner, Perrig.

Practical Techniques for Searches on Encrypted Data Yongdae Kim Written by Song, Wagner, Perrig.
Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.

Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.
Slide 1 Vitaly Shmatikov CS 380S Yao’s Protocol. slide 2 1 00 0 Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert.

Slide 1 Vitaly Shmatikov CS 380S Yao’s Protocol. slide Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert.
Secure two-party computation: a visual way by Paolo D’Arco and Roberto De Prisco.

Secure two-party computation: a visual way by Paolo D’Arco and Roberto De Prisco.
Slide 1 Yao’s Protocol. slide 2 1 00 0 Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean.

Slide 1 Yao’s Protocol. slide Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean.
Privacy-Preserving Credit Checking Keith Frikken, Mikhail Atallah, and Chen Zhang Purdue University June 7, 2005.

Privacy-Preserving Credit Checking Keith Frikken, Mikhail Atallah, and Chen Zhang Purdue University June 7, 2005.

Similar presentations

Ads by Google