1. Cryptography CS 555 Digital Signatures Continued
Week 14:
Digital Signatures Continued
Multiparty Computation
Yao’s Garbled Circuits
Readings: Katz and Lindell Chapter 10 & Chapter , 11.4
Fall 2018

2. Recap: Identification Scheme
Interactive protocol that allows one party to prove its identify (authenticate itself) to another
Two Parties: Prover and Verifier
Prover has secret key sk and Verifier has public key pk
Prover runs P1(sk) to obtain (I,st) initial message I, state st
Sends I to Verifier
Verifier picks random message r from distribution Ω 𝑝𝑘 and sends r to Prover
Prover runs P2(sk,st,r) to obtain s and sends s to verifier
Verifier checks if V(pk,r,s)=I

3. Recap: Fiat-Shamir Transform
Identification Schemes can be transformed into signatures
Signsk(m)
First compute (I,st)= P1(sk) (as prover)
Next compute the challenge 𝒓=𝑯(𝑰,𝒎) (as verifier)
Compute the response s = P2(sk,st,r)
Output signature (r,s)
Vrfypk(m,(r,s))
Compute I := V(pk,r,s)
Check that H(I,m)=r
Theorem 12.10: If the identification scheme is secure and H is a random oracle then the above signature scheme is secure.

4. Schnorr Identification Scheme
Verifier knows h=gx
Prover knows x such that h=gx
Prover runs P1(x) to obtain 𝑘∈ℤ q ,𝐼= 𝑔 𝑘 and sends initial message I to verifier
Verifier picks random 𝑟∈ℤ q (q is order of the group) and sends r to prover
Prover runs P2(x,k,r) to obtain s≔ 𝑟𝑥+𝑘 𝑚𝑜𝑑 𝑞 and sends s to Verifier
Verifier checks if 𝑔 𝑠 ∗ ℎ −1 𝑟 =𝐼= 𝑔 𝑘

5. Schnorr Identification Scheme
Verifier knows h=gx
Prover knows x such that h=gx
Prover runs P1(x) to obtain 𝑘∈ℤ q ,𝐼= 𝑔 𝑘 and sends initial message I to verifier
Verifier picks random 𝑟∈ℤ q (q is order of the group) and sends r to prover
Prover runs P2(x,k,r) to obtain s≔ 𝑟𝑥+𝑘 𝑚𝑜𝑑 𝑞 and sends s to Verifier
Verifier checks if 𝑔 𝑠 ∗ ℎ −1 𝑟 =𝐼= 𝑔 𝑘
𝑔 𝑠 ∗ ℎ −1 𝑟 = 𝑔 𝑟𝑥+𝑘 𝑚𝑜𝑑 𝑞 ∗ 𝑔 −𝑥𝑟 = 𝑔 𝑘

6. Schnorr Identification Scheme
Verifier knows h=gx
Prover knows x such that h=gx
Prover runs P1(x) to obtain 𝑘∈ℤ q ,𝐼= 𝑔 𝑘 and sends initial message I to verifier
Verifier picks random 𝑟∈ℤ q (q is order of the group) and sends r to prover
Prover runs P1(x,k,r) to obtain s≔ 𝑟𝑥+𝑘 mod 𝑞 and sends s to Verifier
Verifier checks if 𝑔 𝑠 ∗ ℎ −1 𝑟 =𝐼= 𝑔 𝑘
Theorem 12.11: If the discrete-logarithm problem is hard (relative to group generator) then Schnorr identification scheme is secure.

7. Schnorr Signatures via Fiat-Shamir
Public Key: h=gx in cyclic group 𝑔 of order q.
Secret Key: x
𝑆𝑖𝑔𝑛 𝑠𝑘 𝑚
Select random 𝑘∈ℤ q and set 𝐼= 𝑔 𝑘 .
𝒓=𝑯 𝑰,𝒎
Return σ= 𝑟,𝑠 where s≔ 𝑟𝑥+𝑘 𝑚𝑜𝑑 𝑞
𝑉𝑒𝑟𝑖𝑓𝑦 𝑝𝑘 𝑚,σ= 𝑟,𝑠
Compute 𝑔 𝑠 ∗ ℎ −1 𝑟 = 𝑔 𝑠−𝑟𝑥 and check if r=𝐻 𝑔 𝑠−𝑟𝑥 ,𝑚

8. Schnorr Signatures 𝑆𝑖𝑔𝑛 𝑠𝑘 𝑚 𝑉𝑒𝑟𝑖𝑓𝑦 𝑝𝑘 𝑚,σ= 𝑟,𝑠
𝑆𝑖𝑔𝑛 𝑠𝑘 𝑚
Select random 𝑘∈ℤ q and set 𝐼= 𝑔 𝑘 .
𝒓=𝑯 𝑰,𝒎
Return σ= 𝑟,𝑠 where s≔ 𝑟𝑥+𝑘 𝑚𝑜𝑑 𝑞
𝑉𝑒𝑟𝑖𝑓𝑦 𝑝𝑘 𝑚,σ= 𝑟,𝑠
Compute 𝑔 𝑠 ∗ ℎ −1 𝑟 = 𝑔 𝑠−𝑟𝑥 and check if r=𝐻 𝑔 𝑠−𝑟𝑥 ,𝑚
Corollary (of Thms ): If the discrete-logarithm problem is hard (relative to group generator) then Schnorr Signatures are secure in the random oracle model.

9. Schnorr Signatures Independent of size of original group
(rth residue subgroup).
Independent of #bits to represent group element
(Elliptic Curve Pairs)
Depends only on order of the subgroup q!
DLOG 128 bit security:
log 2 𝑞 ≈256
Schnorr Signatures
𝑆𝑖𝑔𝑛 𝑠𝑘 𝑚
Select random 𝑘∈ℤ q and set 𝐼= 𝑔 𝑘 .
𝒓=𝑯 𝑰,𝒎
Return σ= 𝑟,𝑠 where s≔ 𝑟𝑥+𝑘 𝑚𝑜𝑑 𝑞
𝑉𝑒𝑟𝑖𝑓𝑦 𝑝𝑘 𝑚,σ= 𝑟,𝑠
Compute 𝑔 𝑠 ∗ ℎ −1 𝑟 = 𝑔 𝑠−𝑟𝑥 and check if r=𝐻 𝑔 𝑠−𝑟𝑥 ,𝑚
Advantages:
Short Signatures σ = 𝑟 + 𝑠 =2 log 2 𝑞 bits
Fast and Efficient
Patent Expired: February 2008

10. Digital Signature Algorithm (DSA)
DSA: 𝒈 is subgroup of ℤ 𝑝 ∗ of order q
ECDSA: 𝒈 is order q subgroup of elliptic curve
Secret key is x, public key is h=gx along with generator g (of order q)
Signsk(m)
Pick random 𝑘∈ℤ q and set 𝑟=𝐹 𝑔 𝑘 ∈ ℤ 𝑞
Compute s≔ 𝑘 −1 𝑥𝑟+𝐻(𝑚) 𝑚𝑜𝑑 𝑞
Output signature (r,s)
Vrfypk(m,(r,s)) check to make sure that
𝑟=𝐹 𝑔 𝐻(𝑚) 𝑠 −1 ℎ 𝑟 𝑠 −1
𝐹 𝑔 𝐻(𝑚) 𝑠 −1 ℎ 𝑟 𝑠 −1
=𝐹 𝑔 𝐻 𝑚 𝑘 (𝑥𝑟+𝐻(𝑚)) −1 𝑔 𝑥𝑟𝑘 (𝑥𝑟+𝐻(𝑚)) −1
=𝐹 𝑔 (𝐻 𝑚 +𝑥𝑟)𝑘 (𝑥𝑟+𝐻(𝑚)) −1
=𝐹 𝑔 𝑘 =𝑟

11. Digital Signature Algorithm (DSA)
Signsk(m)
Pick random 𝑘∈ℤ q and set 𝑟=𝐹 𝑔 𝑘 = 𝑔 𝑘 𝑚𝑜𝑑 𝑞
Compute s≔ 𝑘 −1 𝑥𝑟+𝐻(𝑚) 𝑚𝑜𝑑 𝑞
Output signature (r,s)
Vrfypk(m,(r,s)) check to make sure that
𝑟=𝐹 𝑔 𝐻(𝑚) 𝑠 −1 ℎ 𝑟 𝑠 −1
=𝐹 𝑔 𝐻 𝑚 𝑘 𝑥𝑟+𝐻(𝑚) −1 𝑔 𝑥𝑟𝑘 𝑥𝑟+𝐻(𝑚) −1
=𝐹 𝑔 (𝐻 𝑚 +𝑥𝑟)𝑘 𝑥𝑟+𝐻(𝑚) −1
=𝐹 𝑔 𝑘 ≔𝑟

12. Digital Signature Algorithm (DSA)
Secret key is x, public key is h=gx along with generator g (of order q)
Signsk(m)
Pick random 𝑘∈ℤ q and set 𝑟=𝐹 𝑔 𝑘 = 𝑔 𝑘 𝑚𝑜𝑑 𝑞
Compute s≔ 𝑘 −1 𝑥𝑟+𝐻(𝑚) 𝑚𝑜𝑑 𝑞
Output signature (r,s)
Vrfypk(m,(r,s)) check to make sure that
𝑟=𝐹 𝑔 𝐻(𝑚) 𝑠 −1 ℎ 𝑟 𝑠 −1
Theorem: If H and F are modeled as random oracles then DSA is secure.
Weird Assumption for F(.)?
Theory: DSA Still lack compelling proof of security from standard crypto assumptions
Practice: DSA has been used/studied for decades without attacks
𝐹 𝑔 𝐻(𝑚) 𝑠 −1 ℎ 𝑟 𝑠 −1
=𝐹 𝑔 𝐻 𝑚 𝑘 𝑥𝑟+𝐻(𝑚)−1 𝑔 𝑥𝑟𝑘 𝑥𝑟+𝐻(𝑚)−1
=𝐹 𝑔 (𝐻 𝑚 +𝑥𝑟)𝑘 𝑥𝑟+𝐻(𝑚)−1
=𝐹 𝑔 𝑘 =𝑟

13. Digital Signature Algorithm (DSA)
Secret key is x, public key is h=gx
Signsk(m)
Pick random 𝑘∈ℤ q and set 𝑟=𝐹 𝑔 𝑘 = 𝑔 𝑘 𝑚𝑜𝑑 𝑞
Compute s≔ 𝑘 −1 𝑥𝑟+𝐻(𝑚) 𝑚𝑜𝑑 𝑞
Output signature (r,s)
Vrfypk(m,(r,s)) check to make sure that
𝑟=𝐹 𝑔 𝐻(𝑚) 𝑠 −1 ℎ 𝑟 𝑠 −1
Remark: If signer signs two messages with same random 𝑘∈ℤ q then attacker can find secret key sk!
Theory: Negligible Probability this happens
Practice: Will happen if a weak PRG is used
Sony PlayStation (PS3) hack in 2010.
s1≔ 𝑘 −1 𝑥𝑟+𝐻(𝑚1) 𝑚𝑜𝑑 𝑞
s2≔ 𝑘 −1 𝑥𝑟+𝐻(𝑚2) 𝑚𝑜𝑑 𝑞
s1−s2= 𝑘 −1 𝐻 𝑚1 −𝐻(𝑚2) 𝑚𝑜𝑑 𝑞
𝑆𝑜𝑙𝑣𝑒 𝑓𝑜𝑟 𝑘

14. Certificate Authority
Trusted Authority (CA)
𝑚 𝐶𝐴→𝐴𝑚𝑎𝑧𝑜𝑛 =“Amazon’s public key is 𝑝𝑘 𝐴𝑚𝑎𝑧𝑜𝑛 (date,expiration,###)”
𝑐𝑒𝑟𝑡 𝐶𝐴→𝐴𝑚𝑎𝑧𝑜𝑛 = 𝑆𝑖𝑔𝑛 𝑆𝐾 𝐶𝐴 𝑚
Delegate Authority to other CA1
Root CA signs m= “CA1 public key is 𝑝𝑘 𝐶𝐴1 (date,expiration,###) can issue certificates”
Verifier can check entire certification chain
Revocation List Signed Daily
Decentralized Web of Trust (PGP)

15. Secure Multiparty Computationz
H(x,y,z) x y
F(x,y,z)
G(x,y,z)
Bob only learns G(x,y,z)
Alice only learns F(x,y,z)
Mickey only learns H(x,y,z)
Cryptography: What if we don’t have a trusted third party?

16. Secure Multiparty Computation (Crushes)
Z=“Alice”
H(x,y,z)=“no match”
x=“Bob”
F(x,y,z)=“match Bob”
Y=“Alice”
G(x,y,z)=“match Alice”
Bob only learns G(x,y,z)
Alice only learns F(x,y,z)
Mickey only learns H(x,y,z)
Alice can infer Y from F(x,y,z) and Bob can infer X from G(x,y,z).
But Alice/Bob cannot infer anything about Z.
Mickey cannot infer y, and learns that x≠ “Mickey”

17. Secure Multiparty Computation (Crushes)
Key Point: The output H(x,y,z) may leak info about inputs. Thus, we cannot prevent Mickey from learning anything about x,y but Mickey should not learn anything else besides H(x,y,z)!
Z=“Alice”
H(x,y,z)=“no match”
x=“Bob”
F(x,y,z)=“match Bob”
Y=“Alice”
G(x,y,z)=“match Alice”
Bob only learns G(x,y,z)
Alice only learns F(x,y,z)
Mickey only learns H(x,y,z)
Though Question: How can we formalize this property?
Alice can infer Y from F(x,y,z) and Bob can infer X from G(x,y,z).
But Alice/Bob cannot infer anything about Z.
Mickey cannot infer y, and learns that x≠ “Mickey”

18. Adversary Models Semi-Honest (“honest, but curious”)
All parties follow protocol instructions, but…
dishonest parties may be curious to violate privacy of others when possible
Fully Malicious Model
Adversarial Parties may deviate from the protocol arbitrarily
Quit unexpectedly
Send different messages
It is much harder to achieve security in the fully malicious model
Convert Secure Semi-Honest Protocol into Secure Protocol in Fully Malicious Mode?
Tool: Zero-Knowledge Proofs

19. Computational Indistinguishability
Definition: We say that an ensemble of distributions 𝑋𝑛 𝑛∈ℕ and 𝑌𝑛 𝑛∈ℕ are computationally indistinguishable if for all PPT distinguishers D, there is a negligible function negl(n), such that we have 𝐴𝑑𝑣 𝐷,𝑛 = 𝑃𝑟 𝑠←Xℓ 𝐷 𝑠 =1 − 𝑃𝑟 𝑠←Yℓ 𝐷 𝑠 =1 ≤𝑛𝑒𝑔𝑙(𝑛)
Notation: 𝑋𝑛 𝑛∈ℕ ≡ 𝐶 𝑌𝑛 𝑛∈ℕ means that the ensembles are computationally indistinguishable.

20. Security (Semi-Honest Model)
Let 𝐵 𝑛 = 𝑡𝑟𝑎𝑛𝑠 𝐵 (𝑛,𝑥,𝑦) (resp. 𝐴 𝑛 = 𝑡𝑟𝑎𝑛𝑠 𝐴 (𝑛,𝑥,𝑦) ) be the protocol transcript from Bob’s perspective (resp. Alice’s perspective) when his input is y and Alice’s input is x (assuming that Alice follows the protocol).
Security: Assuming that Alice and Bob are both semi-honest (follow the protocol) then there exist PPT simulators 𝑆 𝐴 and 𝑆 𝐵 s.t.
𝐴𝑛 𝑛∈ℕ ≡ 𝐶 𝑆 𝐴 𝑛,𝑥, 𝑓 𝐴 𝑥,𝑦 𝑛∈ℕ
𝐵𝑛 𝑛∈ℕ ≡ 𝐶 𝑆 𝐵 𝑛,𝑦, 𝑓 𝐵 𝑥,𝑦 𝑛∈ℕ
Remark: Simulator 𝑆 𝐴 is only shown Alice’s input y and Alice’s output 𝑓 𝐴 𝑥,𝑦 (similarly, 𝑆 𝐵 is only shown Bob’s input x and Bob’s output 𝑓 𝐵 𝑥,𝑦 )

21. Building Block: Oblivious Transfer (OT)
1 out of 2 OT
Alice has two messages m0 and m1
At the end of the protocol
Bob gets exactly one of m0 and m1
Alice does not know which one, and Bob learns nothing about other message
Oblivious Transfer with a Trusted Third Party b m0
1 out of 2 OT m1 mb

22. Bellare-Micali 1-out-of-2-OT protocol
Oblivious Transfer without a Trusted Third Party
g is a generator for a prime order group Gq in which CDH problem is hard m0 b c m1
𝑧0,𝑧1
𝐶 0 = 𝑔 𝑟 0 ,𝐻 𝑧 0 𝑟 0 ⊕ 𝑚 0
𝐶 1 = 𝑔 𝑟 1 ,𝐻 𝑧 1 𝑟 1 ⊕ 𝑚 1
c R Gq
k R Zq
𝑧 𝑏 = 𝑔 𝑘 , 𝑧 1−𝑏 =𝑐 𝑔 −𝑘
Bob can decrypt Cb
𝑧 𝑏 𝑟 𝑏 = 𝑔 𝑘 𝑟 𝑏

23. Bellare-Micali 1-out-of-2-OT protocol
Oblivious Transfer without a Trusted Third Party
g is a generator for a prime order group Gq in which CDH is Hard m0 b c m1
𝑧0,𝑧1
𝐶 0 = 𝑔 𝑟 0 ,𝐻 𝑧 0 𝑟 0 ⊕ 𝑚 0
𝐶 1 = 𝑔 𝑟 1 ,𝐻 𝑧 1 𝑟 1 ⊕ 𝑚 1
c R Gq
k R Zq
𝑧 𝑏 = 𝑔 𝑘 , 𝑧 1−𝑏 =𝑐 𝑔 −𝑘
=𝑐 𝑧 𝑏 −1
Alice must check that
𝑧 1 =𝑐 𝑧 0 −1
Bob can decrypt Cb
𝑧 𝑏 𝑟 𝑏 = 𝑔 𝑘 𝑟 𝑏

24. Bellare-Micali 1-out-of-2-OT protocol
Alice does not learn b because
𝑧 1 =𝑐 𝑧 0 −1 and
𝑧 0 =𝑐 𝑧 1 −1 and
𝑧 1 , 𝑧 0 are distributed uniformly at random subject to these condition.
This is an information theoretic guarantee!
Oblivious Transfer without a Trusted Third Party
g is a generator for a prime order group Gq in which Discrete Log Problem is Hard m0 b c m1
𝑧0,𝑧1
𝐶 0 = 𝑔 𝑟 0 ,𝐻 𝑧 0 𝑟 0 ⊕ 𝑚 0
𝐶 1 = 𝑔 𝑟 1 ,𝐻 𝑧 1 𝑟 1 ⊕ 𝑚 1
c R Gq
k R Zq
𝑧 𝑏 = 𝑔 𝑘 , 𝑧 1−𝑏 =𝑐 𝑔 −𝑘
=𝑐 𝑧 𝑏 −1
Alice must check that
𝑧 1 =𝑐 𝑧 0 −1
Bob can decrypt Cb
𝑧 𝑏 𝑟 𝑏 = 𝑔 𝑘 𝑟 𝑏

25. Bellare-Micali 1-out-of-2-OT protocol
Bob cannot decrypt C1-b
Unless he queries random oracle at
𝑐 𝑟 1−𝑏 𝑔 −𝑘 𝑟 1−𝑏
Given this value we can obtain 𝑐 𝑟 1−𝑏
Thus, we can break CDH assumption
given random 𝒄=𝒈 𝒎 and 𝒈 𝒓 𝟏−𝒃 it is hard to find 𝒄 𝒓 𝟏−𝒃 = 𝒈 𝒎𝒓 𝟏−𝒃
Oblivious Transfer without a Trusted Third Party
g is a generator for a prime order group Gq in which Discrete Log Problem is Hard m0 b c m1
𝑧0,𝑧1
𝐶 0 = 𝑔 𝑟 0 ,𝐻 𝑧 0 𝑟 0 ⊕ 𝑚 0
𝐶 1 = 𝑔 𝑟 1 ,𝐻 𝑧 1 𝑟 1 ⊕ 𝑚 1
c R Gq
k R Zq
𝑧 𝑏 = 𝑔 𝑘 , 𝑧 1−𝑏 =𝑐 𝑔 −𝑘
=𝑐 𝑧 𝑏 −1
Alice must check that
𝑧 1 =𝑐 𝑧 0 −1
Bob can decrypt Cb
𝑧 𝑏 𝑟 𝑏 = 𝑔 𝑘 𝑟 𝑏

26. CS 380S
Yao’s Protocol
Vitaly Shmatikov

27. Yao’s Protocol Compute any function securely
… in the semi-honest model
First, convert the function into a boolean circuit
AND
AND
Alice’s inputs
NOT
Bob’s inputs
AND OR OR z z x y z x y z
AND OR
Truth table: 1
Truth table: 1 1 x y 1 x y 1 1 1 1 1 1 1 1

28. Alice prepares “garbled” version C’ of C
AND
AND
Alice’s inputs
NOT
Bob’s inputs
AND OR OR
Overview:
Alice prepares “garbled” version C’ of C
Sends “encrypted” form x’ of her input x
Allows Bob to obtain “encrypted” form y’ of his input y via OT
Bob can compute from C’,x’,y’ the “encryption” z’ of z=C(x,y)
Bob sends z’ to Alice and she decrypts and reveals to him z
Crucial properties:
Bob never sees Alice’s input x in unencrypted form.
Bob can obtain encryption of y without Alice learning y.
Neither party learns intermediate values.
Remains secure even if parties try to cheat.

29. Intuition c
AND a b

30. Intuition a b c
AND b a a b

31. 1: Pick Random Keys For Each Wire
Next, evaluate one gate securely
Later, generalize to the entire circuit
Alice picks two random keys for each wire
One key corresponds to “0”, the other to “1”
6 keys in total for a gate with 2 input wires
k0z, k1z z
AND
Alice x y
Bob
k0x, k1x
k0y, k1y

32. 2: Encrypt Truth Table
Alice encrypts each row of the truth table by encrypting the output-wire key with the corresponding pair of input-wire keys z
k0z, k1z
AND
Alice x y
Bob
k0x, k1x
k0y, k1y
Ek0x(Ek0y(k0z)) x y z
Ek0x(Ek1y(k0z))
Encrypted truth table:
Original truth table: 1
Ek1x(Ek0y(k0z)) 1 1 1 1
Ek1x(Ek1y(k1z))

33. 3: Send Garbled Truth Table
Alice randomly permutes (“garbles”) encrypted truth table and sends it to Bob
Does not know which row of garbled table corresponds to which row of original table z
k0z, k1z
AND
Alice x y
Bob
k0x, k1x
k0y, k1y
Ek1x(Ek0y(k0z))
Ek0x(Ek0y(k0z))
Ek0x(Ek1y(k0z))
Ek0x(Ek1y(k0z))
Garbled truth table:
Ek1x(Ek0y(k0z))
Ek1x(Ek1y(k1z))
Ek1x(Ek1y(k1z))
Ek0x(Ek0y(k0z))

34. 4: Send Keys For Alice’s Inputs
Alice sends the key corresponding to her input bit
Keys are random, so Bob does not learn what this bit is
k0z, k1z z
Learns Kb’x where b’ is Alice’s input bit, but not b’ (why?)
AND
Alice x y
Bob
k0x, k1x
If Alice’s bit is 1, she
simply sends k1x to Bob;
if 0, she sends k0x
k0y, k1y
Ek1x(Ek0y(k0z))
Ek0x(Ek1y(k0z))
Garbled truth table:
Ek1x(Ek1y(k1z))
Ek0x(Ek0y(k0z))

35. 5: Use OT on Keys for Bob’s Input
Alice and Bob run oblivious transfer protocol
Alice’s input is the two keys corresponding to Bob’s wire
Bob’s input into OT is simply his 1-bit input on that wire z
Knows Kb’x where b’ is Alice’s input bit and Kby where b is his own input bit
k0z, k1z
AND
Alice x y
Bob
k0x, k1x
Run oblivious transfer
Alice’s input: k0y, k1y
Bob’s input: his bit b
Bob learns kby
What does Alice learn?
k0y, k1y
Ek1x(Ek0y(k0z))
Ek0x(Ek1y(k0z))
Garbled truth table:
Ek1x(Ek1y(k1z))
Ek0x(Ek0y(k0z))

36. 6: Evaluate Garbled Gate
Using the two keys that he learned, Bob decrypts exactly one of the output-wire keys
Bob does not learn if this key corresponds to 0 or 1
Why is this important? z
Knows Kb’x where b’ is Alice’s input bit and Kby where b is his own input bit
k0z, k1z
AND
Alice x y
Bob
k0x, k1x
Suppose b’=0, b=1
Ek1x(Ek0y(k0z))
k0y, k1y
This is the only row
Bob can decrypt.
He learns K0z
Ek0x(Ek1y(k0z))
Garbled truth table:
Ek1x(Ek1y(k1z))
Ek0x(Ek0y(k0z))

37. 7: Evaluate Entire Circuit
In this way, Bob evaluates entire garbled circuit
For each wire in the circuit, Bob learns only one key
It corresponds to 0 or 1 (Bob does not know which)
Therefore, Bob does not learn intermediate values (why?)
Bob tells Alice the key for the final output wire and she tells him if it corresponds to 0 or 1
Bob does not tell her intermediate wire keys (why?)
AND OR
NOT
Alice’s inputs
Bob’s inputs

38. Security (Semi-Honest Model)
Security: Assuming that Alice and Bob are both semi-honest (follow the protocol) then there exist PPT simulators 𝑆 𝐴 and 𝑆 𝐵 s.t.
𝐴𝑛 𝑛∈ℕ ≡ 𝐶 𝑆 𝐴 𝑛,𝑥, 𝑓 𝐴 𝑥,𝑦 𝑛∈ℕ
𝐵𝑛 𝑛∈ℕ ≡ 𝐶 𝑆 𝐵 𝑛,𝑦, 𝑓 𝐵 𝑥,𝑦 𝑛∈ℕ
Remark: Simulator 𝑆 𝐴 is only shown Alice’s output 𝑓 𝐴 𝑥,𝑦 (similarly, 𝑆 𝐵 is only shown Bob’s output 𝑓 𝐵 𝑥,𝑦 )
Theorem (informal): If the oblivious transfer protocol is secure, and the underlying encryption scheme is CPA-secure then Yao’s protocol is secure in the semi-honest adversary model.

39. Brief Discussion of Yao’s Protocol
Function must be converted into a circuit
For many functions, circuit will be huge
If m gates in the circuit and n inputs from Bob, then need 4m encryptions and n oblivious transfers
Oblivious transfers for all inputs can be done in parallel
Yao’s construction gives a constant-round protocol for secure computation of any function in the semi-honest model
Number of rounds does not depend on the number of inputs or the size of the circuit!

40. Fully Malicious Security?
Alice could initially garble the wrong circuit C(x,y)=y.
Given output of C(x,y) Alice can still send Bob the output f(x,y).
Can Bob detect/prevent this?
Fix: Assume Alice and Bob have both committed to their input: cA=com(x,rA) and cB=com(y,rB).
Alice and Bob can use zero-knowledge proofs to convince other party that they are behaving honestly.
Example: After sending a message A Alice proves that the message she just sent is the same message an honest party would have sent with input x s.t. cA=com(x,rA)
Here we assume that Alice and Bob have both committed to correct inputs (Bob might use y which does not represent his real vote etc… but this is not a problem we can address with cryptography)

41. Fully Malicious Security
Assume Alice and Bob have both committed to their input: cA=com(x,rA) and cB=com(y,rB).
Here we assume that Alice and Bob have both committed to correct inputs (Bob might use y which does not represent his real vote etc… but this is not a problem we can address with cryptography)
Alice has cB and can unlock cA
Bob has cA and can unlock cB
Alice sets Cf = GarbleCircuit(f,r).
Alice sends to Bob.
Alice convinces Bob that Cf = GarbleCircuit(f,r) for some r (using a zero-knowledge proof)
For each original oblivious transfer if Alice’s inputs were originally x0,x1
Alice and Bob run OT with y0,y1 where yi=EncK(xi)
Bob uses a zero-knowledge proof to convince Alice that he received the correct yi (e.g. matching his previous commitment cB)
Alice sends K to Bob who decrypts yi to obtain xi