Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide 1 Yao’s Protocol. slide 2 1 00 0 Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean.

Published byShanon Barrett Modified over 9 years ago

Similar presentations

Presentation on theme: "Slide 1 Yao’s Protocol. slide 2 1 00 0 Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean."— Presentation transcript:

1 slide 1 Yao’s Protocol

2 slide 2 1 00 0 Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean circuit AND xy z Truth table: xyz 0 10 1 00 11 1 00 0 OR xy z Truth table: xyz 0 11 1 01 11 ANDORAND NOT ORAND Alice’s inputs Bob’s inputs

3 slide 3 1: Pick Random Keys For Each Wire uNext, evaluate one gate securely Later, generalize to the entire circuit uAlice picks two random keys for each wire One key corresponds to “0”, the other to “1” 6 keys in total for a gate with 2 input wires AND x y z k 0z, k 1z Alice Bob k 0x, k 1x k 0y, k 1y

4 slide 4 2: Encrypt Truth Table uAlice encrypts each row of the truth table by encrypting the output-wire key with the corresponding pair of input-wire keys AND x y z k 0z, k 1z Alice Bob k 0x, k 1x k 0y, k 1y 1 00 0 Original truth table: xyz 0 10 1 00 11 Encrypted truth table: E k 0x (E k 0y (k 0z )) E k 0x (E k 1y (k 0z )) E k 1x (E k 0y (k 0z )) E k 1x (E k 1y (k 1z ))

5 slide 5 3: Send Garbled Truth Table uAlice randomly permutes (“garbles”) encrypted truth table and sends it to Bob AND x y z k 0z, k 1z Alice Bob k 0x, k 1x k 0y, k 1y Garbled truth table: E k 0x (E k 0y (k 0z )) E k 0x (E k 1y (k 0z )) E k 1x (E k 0y (k 0z )) E k 1x (E k 1y (k 1z )) E k 0x (E k 0y (k 0z )) E k 0x (E k 1y (k 0z )) E k 1x (E k 0y (k 0z )) E k 1x (E k 1y (k 1z )) Does not know which row of garbled table corresponds to which row of original table

6 slide 6 4: Send Keys For Alice’s Inputs uAlice sends the key corresponding to her input bit Keys are random, so Bob does not learn what this bit is AND x y z k 0z, k 1z Alice Bob k 0x, k 1x k 0y, k 1y If Alice’s bit is 1, she simply sends k 1x to Bob; if 0, she sends k 0x Learns K b’x where b’ is Alice’s input bit, but not b’ (why?) Garbled truth table: E k 0x (E k 0y (k 0z )) E k 0x (E k 1y (k 0z )) E k 1x (E k 0y (k 0z )) E k 1x (E k 1y (k 1z ))

7 slide 7 5: Use OT on Keys for Bob’s Input uAlice and Bob run oblivious transfer protocol Alice’s input is the two keys corresponding to Bob’s wire Bob’s input into OT is simply his 1-bit input on that wire AND x y z k 0z, k 1z Alice Bob k 0x, k 1x k 0y, k 1y Run oblivious transfer Alice’s input: k 0y, k 1y Bob’s input: his bit b Bob learns k by What does Alice learn? Knows K b’x where b’ is Alice’s input bit and K by where b is his own input bit Garbled truth table: E k 0x (E k 0y (k 0z )) E k 0x (E k 1y (k 0z )) E k 1x (E k 0y (k 0z )) E k 1x (E k 1y (k 1z ))

8 slide 8 6: Evaluate Garbled Gate uUsing the two keys that he learned, Bob decrypts exactly one of the output-wire keys Bob does not learn if this key corresponds to 0 or 1 –Why is this important? AND x y z k 0z, k 1z Alice Bob k 0x, k 1x k 0y, k 1y Knows K b’x where b’ is Alice’s input bit and K by where b is his own input bit Garbled truth table: E k 0x (E k 0y (k 0z )) E k 0x (E k 1y (k 0z )) E k 1x (E k 0y (k 0z )) E k 1x (E k 1y (k 1z )) Suppose b’=0, b=1 This is the only row Bob can decrypt. He learns K 0z

9 An Important Aside uWhy is it that Bob can only decrypt one row of the garbled circuit? Use encryption scheme that has an elusive range and Use encryption scheme that has an efficiently verifiable range uElusive Range: Roughly, the probability that an encryption under one key is in the range of an encryption under another key is negligible. uEfficiently Verifiable Range: A user, given a key, can efficiently verify whether ciphertext is in the range of that key. slide 9

10 Example (Lindell, Pinkas paper) uF = {f k } a family of psuedorandom functions with f k : {0,1} n -> {0,1} 2n for k in {0,1} n uFor x in {0,1} n, r a random n bit string, define E k (x) = (r, f k (r) XOR x0 n ) x0 n is the concatenation of x and n bit string of 0s uElusive range: the low order n bits of f k (r) are revealed (and fixed) by the XOR. The odds of having two keys giving that same low order n bits is 1/2 n uVerifiable range: Given r and a key k, it is trivial to verify that ciphertext is in the range of E k. slide 10

11 slide 11 uIn this way, Bob evaluates entire garbled circuit For each wire in the circuit, Bob learns only one key It corresponds to 0 or 1 (Bob does not know which) –Therefore, Bob does not learn intermediate values (why?) uBob tells Alice the key for the final output wire and she tells him if it corresponds to 0 or 1 Bob does not tell her intermediate wire keys (why?) 7: Evaluate Entire Circuit ANDOR AND NOT OR AND Alice’s inputs Bob’s inputs

12 slide 12 Brief Discussion of Yao’s Protocol uFunction must be converted into a circuit For many functions, circuit will be huge uIf m gates in the circuit and n inputs, then need 4m encryptions and n oblivious transfers Oblivious transfers for all inputs can be done in parallel uYao’s construction gives a constant-round protocol for secure computation of any function in the semi-honest model Number of rounds does not depend on the number of inputs or the size of the circuit!

Download ppt "Slide 1 Yao’s Protocol. slide 2 1 00 0 Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean."

Similar presentations

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.

Hash Functions A hash function takes data of arbitrary size and returns a value in a fixed range. If you compute the hash of the same data at different.
Circuit and Communication Complexity. Karchmer – Wigderson Games Given The communication game G f : Alice getss.t. f(x)=1 Bob getss.t. f(y)=0 Goal: Find.

Circuit and Communication Complexity. Karchmer – Wigderson Games Given The communication game G f : Alice getss.t. f(x)=1 Bob getss.t. f(y)=0 Goal: Find.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Oblivious Branching Program Evaluation

Oblivious Branching Program Evaluation
Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.

Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.
ITIS 6200/8200. 2 Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.

ITIS 6200/ Secure multiparty computation – Alice has x, Bob has y, we want to calculate f(x, y) without disclosing the values – We can only do.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.

Oblivious Transfer (OT) Alice (sender) has n secrets Alice wants to give k secrets to Bob Bob wants the secrets but does not want Alice to know which secrets.
C OMPLEXITY - THEORETIC F OUNDATIONS OF S TEGANOGRAPHY AND C OVERT C OMPUTATION Daniel Apon.

C OMPLEXITY - THEORETIC F OUNDATIONS OF S TEGANOGRAPHY AND C OVERT C OMPUTATION Daniel Apon.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.

What Crypto Can Do for You: Solutions in Search of Problems Anna Lysyanskaya Brown University.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Attacks on Digital Signature Algorithm: RSA

Attacks on Digital Signature Algorithm: RSA
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.
ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

ITIS 6200/8200. time-stamping services Difficult to verify the creation date and accurate contents of a digital file Required properties of time-stamping.

Similar presentations

Ads by Google