Vitaly Shmatikov, CS 380S: Yao’s Protocol

Presentation transcript:

slide 1: Yao’s Protocol (Vitaly Shmatikov, CS 380S)

slide 2: Yao’s Protocol

- Compute any function securely
  - … in the semi-honest model
- First, convert the function into a boolean circuit

AND gate (inputs x, y; output z), truth table:

x y z
0 0 0
0 1 0
1 0 0
1 1 1

OR gate (inputs x, y; output z), truth table:

x y z
0 0 0
0 1 1
1 0 1
1 1 1

[Figure: boolean circuit built from AND, OR and NOT gates, fed by Alice’s inputs and Bob’s inputs]

slide 3: 1: Pick Random Keys For Each Wire

- Next, evaluate one gate securely
  - Later, generalize to the entire circuit
- Alice picks two random keys for each wire
  - One key corresponds to “0”, the other to “1”
  - 6 keys in total for a gate with 2 input wires

[Figure: AND gate between Alice and Bob; input wire x with keys $k_{0x}, k_{1x}$; input wire y with keys $k_{0y}, k_{1y}$; output wire z with keys $k_{0z}, k_{1z}$]

slide 4: 2: Encrypt Truth Table

- Alice encrypts each row of the truth table by encrypting the output-wire key with the corresponding pair of input-wire keys

[Figure: AND gate between Alice and Bob; input wire x with keys $k_{0x}, k_{1x}$; input wire y with keys $k_{0y}, k_{1y}$; output wire z with keys $k_{0z}, k_{1z}$]

Original truth table:

x y z
0 0 0
0 1 0
1 0 0
1 1 1

Encrypted truth table:

$E_{k_{0x}}(E_{k_{0y}}(k_{0z}))$
$E_{k_{0x}}(E_{k_{1y}}(k_{0z}))$
$E_{k_{1x}}(E_{k_{0y}}(k_{0z}))$
$E_{k_{1x}}(E_{k_{1y}}(k_{1z}))$

slide 5: 3: Send Garbled Truth Table

- Alice randomly permutes (“garbles”) encrypted truth table and sends it to Bob

[Figure: AND gate between Alice and Bob; input wire x with keys $k_{0x}, k_{1x}$; input wire y with keys $k_{0y}, k_{1y}$; output wire z with keys $k_{0z}, k_{1z}$]

Garbled truth table:

$E_{k_{0x}}(E_{k_{0y}}(k_{0z}))$
$E_{k_{0x}}(E_{k_{1y}}(k_{0z}))$
$E_{k_{1x}}(E_{k_{0y}}(k_{0z}))$
$E_{k_{1x}}(E_{k_{1y}}(k_{1z}))$

Bob: Does not know which row of garbled table corresponds to which row of original table

slide 6: 4: Send Keys For Alice’s Inputs

- Alice sends the key corresponding to her input bit
  - Keys are random, so Bob does not learn what this bit is

[Figure: AND gate between Alice and Bob; input wire x with keys $k_{0x}, k_{1x}$; input wire y with keys $k_{0y}, k_{1y}$; output wire z with keys $k_{0z}, k_{1z}$]

Alice: If Alice’s bit is 1, she simply sends $k_{1x}$ to Bob; if 0, she sends $k_{0x}$

Bob: Learns $k_{b'x}$ where b’ is Alice’s input bit, but not b’ (why?)

Garbled truth table:

$E_{k_{0x}}(E_{k_{0y}}(k_{0z}))$
$E_{k_{0x}}(E_{k_{1y}}(k_{0z}))$
$E_{k_{1x}}(E_{k_{0y}}(k_{0z}))$
$E_{k_{1x}}(E_{k_{1y}}(k_{1z}))$

slide 7: 5: Use OT on Keys for Bob’s Input

- Alice and Bob run oblivious transfer protocol
  - Alice’s input is the two keys corresponding to Bob’s wire
  - Bob’s input into OT is simply his 1-bit input on that wire

[Figure: AND gate between Alice and Bob; input wire x with keys $k_{0x}, k_{1x}$; input wire y with keys $k_{0y}, k_{1y}$; output wire z with keys $k_{0z}, k_{1z}$]

Run oblivious transfer:
- Alice’s input: $k_{0y}, k_{1y}$
- Bob’s input: his bit b
- Bob learns $k_{by}$
- What does Alice learn?

Bob: Knows $k_{b'x}$ where b’ is Alice’s input bit and $k_{by}$ where b is his own input bit

Garbled truth table:

$E_{k_{0x}}(E_{k_{0y}}(k_{0z}))$
$E_{k_{0x}}(E_{k_{1y}}(k_{0z}))$
$E_{k_{1x}}(E_{k_{0y}}(k_{0z}))$
$E_{k_{1x}}(E_{k_{1y}}(k_{1z}))$

slide 8: 6: Evaluate Garbled Gate

- Using the two keys that he learned, Bob decrypts exactly one of the output-wire keys
  - Bob does not learn if this key corresponds to 0 or 1
    - Why is this important?

[Figure: AND gate between Alice and Bob; input wire x with keys $k_{0x}, k_{1x}$; input wire y with keys $k_{0y}, k_{1y}$; output wire z with keys $k_{0z}, k_{1z}$]

Bob: Knows $k_{b'x}$ where b’ is Alice’s input bit and $k_{by}$ where b is his own input bit

Garbled truth table:

$E_{k_{0x}}(E_{k_{0y}}(k_{0z}))$
$E_{k_{0x}}(E_{k_{1y}}(k_{0z}))$   <- Suppose b’=0, b=1. This is the only row Bob can decrypt. He learns $k_{0z}$
$E_{k_{1x}}(E_{k_{0y}}(k_{0z}))$
$E_{k_{1x}}(E_{k_{1y}}(k_{1z}))$

slide 9: 7: Evaluate Entire Circuit

- In this way, Bob evaluates entire garbled circuit
  - For each wire in the circuit, Bob learns only one key
  - It corresponds to 0 or 1 (Bob does not know which)
    - Therefore, Bob does not learn intermediate values (why?)
- Bob tells Alice the key for the final output wire and she tells him if it corresponds to 0 or 1
  - Bob does not tell her intermediate wire keys (why?)

[Figure: boolean circuit built from AND, OR and NOT gates, fed by Alice’s inputs and Bob’s inputs]
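The single-gate exchange from steps 1 to 6, plus the output decoding of step 7, as an added Python example (not code from the slides). The cipher `E` is an assumption: a toy construction (fresh nonce, XOR with a SHAKE-256 pad) with 16 zero bytes appended to the plaintext so Bob can recognise the one row that decrypts correctly; the oblivious transfer of step 5 is simulated by a direct lookup, and all function names are hypothetical.

```python
import hashlib, random, secrets

KEYLEN = 16
TAG = bytes(16)  # zero padding: a wrong-key decryption will not end in this

def E(key, msg):
    """Toy cipher (assumption, stands in for the slides' E): nonce + XOR pad."""
    nonce = secrets.token_bytes(16)
    pad = hashlib.shake_256(key + nonce).digest(len(msg))
    return nonce + bytes(a ^ b for a, b in zip(msg, pad))

def D(key, ct):
    """Inverse of E; returns garbage (not an error) under the wrong key."""
    nonce, body = ct[:16], ct[16:]
    pad = hashlib.shake_256(key + nonce).digest(len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

def garble_gate(truth):
    """Alice, steps 1-3: truth maps (x, y) -> z. Returns (wire keys, garbled table)."""
    keys = {w: (secrets.token_bytes(KEYLEN), secrets.token_bytes(KEYLEN))
            for w in "xyz"}                       # step 1: two keys per wire
    table = [E(keys["x"][x], E(keys["y"][y], keys["z"][z] + TAG))
             for (x, y), z in truth.items()]      # step 2: E_kx(E_ky(kz))
    random.SystemRandom().shuffle(table)          # step 3: hide the row order
    return keys, table

def evaluate_gate(table, kx, ky):
    """Bob, step 6: try every row; return the output-wire keys that verify."""
    found = []
    for row in table:
        plain = D(ky, D(kx, row))
        if plain[KEYLEN:] == TAG:
            found.append(plain[:KEYLEN])
    return found

AND = {(0, 0): 0, (0, 1): 0, (1, 0): 0, (1, 1): 1}
OR = {(0, 0): 0, (0, 1): 1, (1, 0): 1, (1, 1): 1}

def run(truth, a, b):
    """One gate end to end with Alice's bit a and Bob's bit b."""
    keys, table = garble_gate(truth)
    kx = keys["x"][a]   # step 4: Alice sends the key for her own bit
    ky = keys["y"][b]   # step 5: Bob would get this via OT (simulated here)
    found = evaluate_gate(table, kx, ky)
    assert len(found) == 1          # exactly one row decrypts
    return keys["z"].index(found[0])  # step 7: Alice maps the key to 0 or 1

if __name__ == "__main__":
    for a in (0, 1):
        for b in (0, 1):
            print(a, b, run(AND, a, b))
```

Bob only ever handles random-looking keys; the mapping from the output key back to a bit happens on Alice's side, in the last line of `run`.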

slide 10: Brief Discussion of Yao’s Protocol

- Function must be converted into a circuit
  - For many functions, circuit will be huge
- If m gates in the circuit and n inputs, then need 4m encryptions and n oblivious transfers
  - Oblivious transfers for all inputs can be done in parallel
- Yao’s construction gives a constant-round protocol for secure computation of any function in the semi-honest model
  - Number of rounds does not depend on the number of inputs or the size of the circuit!

