Presentation is loading. Please wait.

Presentation is loading. Please wait.

Slide 1 Yao’s Protocol. slide 2 1 00 0 Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean.

Similar presentations


Presentation on theme: "Slide 1 Yao’s Protocol. slide 2 1 00 0 Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean."— Presentation transcript:

1 slide 1 Yao’s Protocol

2 slide 2 1 00 0 Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean circuit AND xy z Truth table: xyz 0 10 1 00 11 1 00 0 OR xy z Truth table: xyz 0 11 1 01 11 ANDORAND NOT ORAND Alice’s inputs Bob’s inputs

3 slide 3 1: Pick Random Keys For Each Wire uNext, evaluate one gate securely Later, generalize to the entire circuit uAlice picks two random keys for each wire One key corresponds to “0”, the other to “1” 6 keys in total for a gate with 2 input wires AND x y z k 0z, k 1z Alice Bob k 0x, k 1x k 0y, k 1y

4 slide 4 2: Encrypt Truth Table uAlice encrypts each row of the truth table by encrypting the output-wire key with the corresponding pair of input-wire keys AND x y z k 0z, k 1z Alice Bob k 0x, k 1x k 0y, k 1y 1 00 0 Original truth table: xyz 0 10 1 00 11 Encrypted truth table: E k 0x (E k 0y (k 0z )) E k 0x (E k 1y (k 0z )) E k 1x (E k 0y (k 0z )) E k 1x (E k 1y (k 1z ))

5 slide 5 3: Send Garbled Truth Table uAlice randomly permutes (“garbles”) encrypted truth table and sends it to Bob AND x y z k 0z, k 1z Alice Bob k 0x, k 1x k 0y, k 1y Garbled truth table: E k 0x (E k 0y (k 0z )) E k 0x (E k 1y (k 0z )) E k 1x (E k 0y (k 0z )) E k 1x (E k 1y (k 1z )) E k 0x (E k 0y (k 0z )) E k 0x (E k 1y (k 0z )) E k 1x (E k 0y (k 0z )) E k 1x (E k 1y (k 1z )) Does not know which row of garbled table corresponds to which row of original table

6 slide 6 4: Send Keys For Alice’s Inputs uAlice sends the key corresponding to her input bit Keys are random, so Bob does not learn what this bit is AND x y z k 0z, k 1z Alice Bob k 0x, k 1x k 0y, k 1y If Alice’s bit is 1, she simply sends k 1x to Bob; if 0, she sends k 0x Learns K b’x where b’ is Alice’s input bit, but not b’ (why?) Garbled truth table: E k 0x (E k 0y (k 0z )) E k 0x (E k 1y (k 0z )) E k 1x (E k 0y (k 0z )) E k 1x (E k 1y (k 1z ))

7 slide 7 5: Use OT on Keys for Bob’s Input uAlice and Bob run oblivious transfer protocol Alice’s input is the two keys corresponding to Bob’s wire Bob’s input into OT is simply his 1-bit input on that wire AND x y z k 0z, k 1z Alice Bob k 0x, k 1x k 0y, k 1y Run oblivious transfer Alice’s input: k 0y, k 1y Bob’s input: his bit b Bob learns k by What does Alice learn? Knows K b’x where b’ is Alice’s input bit and K by where b is his own input bit Garbled truth table: E k 0x (E k 0y (k 0z )) E k 0x (E k 1y (k 0z )) E k 1x (E k 0y (k 0z )) E k 1x (E k 1y (k 1z ))

8 slide 8 6: Evaluate Garbled Gate uUsing the two keys that he learned, Bob decrypts exactly one of the output-wire keys Bob does not learn if this key corresponds to 0 or 1 –Why is this important? AND x y z k 0z, k 1z Alice Bob k 0x, k 1x k 0y, k 1y Knows K b’x where b’ is Alice’s input bit and K by where b is his own input bit Garbled truth table: E k 0x (E k 0y (k 0z )) E k 0x (E k 1y (k 0z )) E k 1x (E k 0y (k 0z )) E k 1x (E k 1y (k 1z )) Suppose b’=0, b=1 This is the only row Bob can decrypt. He learns K 0z

9 An Important Aside uWhy is it that Bob can only decrypt one row of the garbled circuit? Use encryption scheme that has an elusive range and Use encryption scheme that has an efficiently verifiable range uElusive Range: Roughly, the probability that an encryption under one key is in the range of an encryption under another key is negligible. uEfficiently Verifiable Range: A user, given a key, can efficiently verify whether ciphertext is in the range of that key. slide 9

10 Example (Lindell, Pinkas paper) uF = {f k } a family of psuedorandom functions with f k : {0,1} n -> {0,1} 2n for k in {0,1} n uFor x in {0,1} n, r a random n bit string, define E k (x) = (r, f k (r) XOR x0 n ) x0 n is the concatenation of x and n bit string of 0s uElusive range: the low order n bits of f k (r) are revealed (and fixed) by the XOR. The odds of having two keys giving that same low order n bits is 1/2 n uVerifiable range: Given r and a key k, it is trivial to verify that ciphertext is in the range of E k. slide 10

11 slide 11 uIn this way, Bob evaluates entire garbled circuit For each wire in the circuit, Bob learns only one key It corresponds to 0 or 1 (Bob does not know which) –Therefore, Bob does not learn intermediate values (why?) uBob tells Alice the key for the final output wire and she tells him if it corresponds to 0 or 1 Bob does not tell her intermediate wire keys (why?) 7: Evaluate Entire Circuit ANDOR AND NOT OR AND Alice’s inputs Bob’s inputs

12 slide 12 Brief Discussion of Yao’s Protocol uFunction must be converted into a circuit For many functions, circuit will be huge uIf m gates in the circuit and n inputs, then need 4m encryptions and n oblivious transfers Oblivious transfers for all inputs can be done in parallel uYao’s construction gives a constant-round protocol for secure computation of any function in the semi-honest model Number of rounds does not depend on the number of inputs or the size of the circuit!


Download ppt "Slide 1 Yao’s Protocol. slide 2 1 00 0 Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean."

Similar presentations


Ads by Google