# Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto

## Presentation on theme: "Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto"— Presentation transcript:

Gate Evaluation Secret Sharing and Secure Two-Party Computation Vladimir Kolesnikov University of Toronto vlad@cs.utoronto.ca

Input: x 2 D 1 Input: y 2 D 2 Secure Function Evaluation f: D 1 £ D 2  D 3 f(x,y) f(x,y) One-Round … ?

SFE Models Semi-honest  Both players follow the protocol  Observe communication, try to learn additional info Malicious  Players can freely cheat  Solutions can be obtained by “compilation” of a semi- honest protocol

Approaches to SFE SFE for specific functions  Greater Than, Auctions, Voting SFE for arbitrary functions  Functions given as a circuit, branching program, etc. This work: SFE of any boolean formula

Input: b Input: secrets s 0, s 1 Learn: Learn: nothing Oblivious Transfer (OT) sbsb

Reduction of SFE to OT OT is a fundamental primitive  Rabin ’81, Kilian ‘88 Unconditional reductions are possible OT is implementable under a variety of computational and physical assumptions

Previous Work Yao’s Garbled circuit Sander, Young and Yung ’99 Kilian ’88 + Cleve ’90 (also CFIK ’03)  Based on Permutation Branching Programs Ishai and Kushilevitz ’00, ’02  Based on Branching Programs

Secure Gate Evaluation x 2 {0,1}y 2 {0,1} G(x,y)? G:{0,1} 2  {0,1} s 0 ’,s 0 ’’  G(0,0) s 0 ’,s 1 ’’  G(0,1) s 1 ’,s 0 ’’  G(1,0) s 1 ’,s 1 ’’  G(1,1) s y ’’ OT (x, (s 0 ’,s 1 ’)) G(x,y) s x ’,s y ’’ ?

Composition x 2 {0,1}y 2 {0,1} …… … s 0 3,s 0 4  s’ G 1 (0,0) s 00 s 0 3,s 1 4  s’ G 1 (0,1) s 01 s 1 3,s 0 4  s’ G 1 (1,0) s 10 s 1 3,s 1 4  s’ G 1 (1,1) s 11 Gate Evaluation Secret Sharing (GESS ) s 00 s 01 s 10 s 11 I

GESS for Gates with Binary Inputs s 00 s 01 s 10 s 11 R0R0 R1R1 R 0 © s 00 R 0 © s 01 R 1 © s 10 R 1 © s 11 Wire 1Wire 2Output wire b b 2 R {0,1} :b:b Permute if b=1 Reconstruction: (c r, r 0 r 1 )  r © r c For OR and AND gates either left or right columns of wire 2 are equal! Exponential growth with depth  0 1

GESS for AND/OR gates Key: view secrets as being equal, except for one column of blocks. share column-wise.  2 R ( {1..n+1}  {1..n+1})   1)  2)  3)  4) n blocks of size k example: n = 3 Shares have the same block equality properties

GESS Performance Given a boolean formula F  Cost ¼  d i 2 ( d i – depth of leaf i)  F is balanced  quazilinear in |F|  Rebalance F to log depth (Bonet-Buss, Spira) Previous best  exponential in depth directly for circuits  quadratic in |F| via Branching Programs

GESS Performance Cost of SFE of boolean NC 1 circuit of depth d  This workO(2 d d 2 )  Previous best  (2 d 2 d 1/2 ) (Kilian-Cleve, Cramer-Fehr-Ishai-Kushilevitz ‘03)

Other results Lower Bounds New Efficient Protocol for GT Generalization of Yao’s Garbled Circuit

Lower Bounds S 00 S 01 S 10 S 11 Wire 1Wire 2Output wire 0 1 A0A0 A1A1 B0B0 B1B1 When secrets are independent H(A i ) + H(B j ) ¸ 3 H(S)