Presentation is loading. Please wait.

Presentation is loading. Please wait.

Cryptography Lecture 13 Arpita Patra

Published byTyler Baldwin Modified over 6 years ago

Similar presentations

Presentation on theme: "Cryptography Lecture 13 Arpita Patra"— Presentation transcript:

1 Cryptography Lecture 13 Arpita Patra
Disclaimer: Most of the slides are borrowed from Ashish Choudhury

2 Today’s Goal Yao’s millionaire’s problem- triggered fundamental area of secure computation Generic secure 2-party computation (2PC) - Security goal Yao’s 2PC - Garbled circuit approach - Special SKE

3 Yao’s Millionaires’ Problem
Formulated by Turing award winner Andrew Yao Protocols for Secure Computations (Extended Abstract). FOCS 1982: Yao’s millionaires’ problem ? < = > ₹ X ₹ Y Find the richer without disclosing exact value of individual assets

4 Secure 2PC f( x , y ) P1 : x P2 : y f(x, y) f(x, y)
Mutually distrusting entities with individual private data - Want to compute a joint function of their inputs without revealing anything beyond

5 Secure 2-PC f(x, y) No additional information to be revealed beyond f(x, y) P1 : x P2 : y f(x, y) f(x, y) A very powerful abstraction - Models almost all real-world distributed computing applications

6 Applications of 2PC - I Privacy-preserving data mining
How many patients suffering from AIDS in total ? Are there any common patient registered for disease X in all the hospitals ? Varieties of other statistics … Privacy of individual databases needs to be preserved

7 Applications of 2PC - II Secure e-auction Only the highest bid should be revealed No “additional” information about individual bids to be revealed Bid1 Bid2 Loosing bidder will always learn its bid is less than the winner Is this a privacy breach ?

8 How to solve 2PC? Trusted third party (TTP)  solution for secure 2PC
Send input to TTP, obtain function output : Ideal solution x x y y f(x,y) f(x,y) f(x,y) TTP IDEAL world secure 2PC protocol TTPs exist only in fairy tales!!

9 Security goal of 2PC Goal of a secure 2PC protocol : emulate the role of a TTP De-centralizing the trust TTP f(x,y) x y IDEAL world x y REAL world 2PC protocol f(x, y)

10 Today’s Goal Yao’s millionaire’s problem- triggered fundamental area of secure computation Generic secure 2-party computation (2PC) - Security goal Yao’s 2PC - Garbled circuit approach - Special SKE

11 Circuit Abstraction f(x, y) P2 : y P1 : x Circuit abstraction
f : represented as a publicly known Boolean circuit C Any efficiently computable f can be represented as a C C: DAG with input gates, output gates and internal Boolean gates ((AND, OR, NOT), (NAND), (NOR): universal gates)

12 Circuit Abstraction Example
X, Y: L-bit non-negative integers ₹ X ₹ Y ? > = xL xL-1 x2 x1 X yL yL-1 y2 y1 Y x1 > y1 c1 = 1 x2 y2 xL yL cL c2 cL+1 1-bit comparator > xi yi ci ci+1 ci+1 = 1  (xi > yi) OR ([xi = yi] AND [ci = 1]) ci+1 = xi  [(xi  ci)  (yi  ci)] X  Y  cL+1 = 1

13 Secure Circuit Evaluation
Yao: secure circuit evaluation Parties jointly evaluate the circuit securely Only final outcome revealed during evaluation Intermediate values remain private x1 > y1 c1 = 1 x2 y2 xL yL cL c2 f(X, Y) X Y Circuit Garbling Encode the circuit Encode input Evaluate encoded circuit on encoded input and get encoded output Decode output using decoding information

14 Oblivious Transfer (OT)
Will be used as a tool in Yao’s garbled circuits Michael O. Rabin. How to exchange secrets with oblivious transfer. Technical Report TR-81, Aiken Computation Lab, Harvard University, 1981. Formulated by Turing award winner Michael O. Rabin Required security properties : m1-b = ? b = ? b  {0, 1} 1-out-of-2 OT {m0, m1} mb S R

15 Garbled Circuit : Illustration of the Idea
Let P1 and P2 want to securely compute AND function --- c = f(a, b) Security requirement for P1: if c = 0, b = 0 then a should remain private Security requirement for P2: if c = 0, a = 0 then b should remain private a b a b a = 0 a = 1 b = 0 b = 1 c = 0 c = 1 P1 garbles the circuit as follows : Associate 2 indistinguishable keys with a, corresponding to a = 0 and a = 1 Given only a key, P2 cannot find whether it corresponds to a = 0 or a = association known only to P1 Similarly associate 2 indistinguishable keys with b and c

16 Garbled Circuit : Illustration of the Idea
B2 c = 0 c = 1 B3 P1 garbles the circuit as follows : Take 4 double-locked boxes B0, B1, B2, B3 B0 locked with keys for a = 0, b = inside B0 the key for c = 0 kept B1 locked with keys for a = 0, b = inside B1 the key for c = 0 kept B2 locked with keys for a = 1, b = inside B2 the key for c = 0 kept B3 locked with keys for a = 1, b = inside B3 the key for c = 1 kept i = 2a+b  Bi locked with keys for a and b and c-key for AND(a, b) kept inside

17 Garbled Circuit : Illustration of the Idea
B2 Random c = 0 c = 1 B3 P1 shuffles the boxes randomly and sends them to P2

18 Garbled Circuit : Illustration of the Idea
Let a = 0 Let b = 1 a b OT b b = 1 b = 0 a b a = 0 b = 1 a = 1 b = 0 c = 0 c = 1 From the key, P2 cant tell if a = 0 or a = 1 P1 sends its garbled input to P2: Sends the key corresponding to its bit a P2 obliviously obtains its garbled input P2 receives the key corresponding to its bit b How to do ? P1 should not learn which key received by P2 Oblivious transfer (OT) P2 should not learn the key for 1 - b

19 Garbled Circuit : Illustration of the Idea
Let a = 0 Let b = 1 a b a b a = 0 b = 1 a = 1 b = 0 c = 0 c = 1 Assuming a box can be opened only by the right pair of keys P2 has two keys : one for unknown a and for its b Privacy of mutual input bits P1 does not know b P2 will not know the association of the key in the opened box P2 evaluates the garbled circuit Tries opening the four boxes using available pair of keys Only one box will be opened --- corresponding to a = 0, b = 1 P2 will not know the “label” of opened box --- boxes are randomly shuffled The opened box will have the key corresponding to c = 0

20 Garbled Circuit : Illustration of the Idea
Let a = 0 Let b = 1 a b a b a = 0 b = 1 a = 1 b = 0 c = 0 c = 1 c = 0 c = 0 P2 sends the key in the opened box to P1 to find its label P1 on receiving the key cannot find which box was opened at P2’s end P1 on receiving the key identifies the corresponding label The corresponding label is the output of AND --- communicated to P2

21 Garbled Circuit : The Actual Protocol
ka ka 1 kb kb 1 kc kc 1 c  {0, 1}n : random keys for a symmetric encryption scheme ka 1 kb kc The symmetric key encryption scheme needs to have special properties

22 Garbled Circuit : The Actual Protocol
ka ka 1 kb kb 1 kc kc 1 c c00 = Enc (Enc ( )) ka kb kc c01 = Enc (Enc ( )) 1 c10 = Enc (Enc ( )) c11 = Enc (Enc ( )) c00 = Enc (Enc ( )) ka kb kc c01 = Enc (Enc ( )) 1 c10 = Enc (Enc ( )) c11 = Enc (Enc ( )) Random shuffling Garbled AND truth table

23 Garbled Circuit : The Actual Protocol
Let a = 0 Let b = 1 a b a b ka ka ka 1 kb kb 1 kb b 1 kc kc 1 OT kb 1 c kb 1 kb b c00, c01, c10, c11 c11, c00, c10, c01 P1 sends to P2 garbled a --- the key corresponding to bit a P2 obliviously receives its garbled b from P1 --- the key corresponding to bit b

24 Garbled Circuit : The Actual Protocol
ka Let a = 0 Let b = 1 kb 1 a b a b ka ka 1 kb kb 1 kc kc 1 c c00, c01, c10, c11 c11, c00, c10, c01 P2 does not learn the value of a from indistinguishability of keys ka P1 does not learn the value of b during OT receiver’s security of OT P2 does not learn the other key sender’s security of OT kb

25 Garbled Circuit : The Actual Protocol
ka Let a = 0 Let b = 1   Dec (Dec ( )) ka kb 1 c11 kb 1 a b   Dec (Dec ( )) ka kb 1 c00 a b ka ka 1 kb kb 1   Dec (Dec ( )) ka kb 1 c10 kc kc 1 kc Dec (Dec ( )) ka kb 1 c01 c c00, c01, c10, c11 c11, c00, c10, c01 P2 decrypts each of the four available ciphertexts using available pair of keys P2 will be able to decrypt the correct ciphertext if the encryption scheme has: Elusive range: encryption under a random key k1 cannot be an encryption under another random key k2  k1 with high probability Verifiable range: given a ciphertext c and a key k, one can efficiently verify whether c is a valid encryption of some message m, under the key k

26 Garbled Circuit : The Actual Protocol
ka Let a = 0 Let b = 1   Dec (Dec ( )) ka kb 1 c11 kb 1 a b   Dec (Dec ( )) ka kb 1 c00 a b ka ka 1 kb kb 1   Dec (Dec ( )) ka kb 1 c10 kc kc 1 kc kc Dec (Dec ( )) ka kb 1 c01 c c00, c01, c10, c11 c = 0 c = 0 c11, c00, c10, c01 P2 will not be able to identify the label of the correctly decrypted ciphertext It could be c01 as well as c11 with equal probability P2 sends the decrypted message to P1 to identify its label P1 does not learn which ciphertext out of (c01, c11) decrypted correctly by P2 P1 identifies the label of the decrypted message and sends the result to P2

27 Yao’s 2 Party Protocol P1 P0 GC Constructor GC Evaluator
Y = (y1,y2,…yk ) X = (x1,x2,…xk ) Construct a Garbled Circuit GC for Circuit C Keys corresponding to X = (x1,x2,…xk ) and GC k0w1 y1 OT1 k1w1 ky1w1 k0wk yk OTk k1wk kykwk Evaluate GC with the given input keys and interpret the output Z using output decryption tables Z

28 Yao’s Garbled Circuit from “Special” SKE
Garbled AND Gate R1: K = M = C >> Recall that one pair opens one and only one box >> In usual SKE, a wrong key lead to a wrong message, but the decryption does not fail (SKEs are usually use OTP principle). >> Consequence in Yao 2PC: How does the circuit evaluator know which decrypted value is the intended output key? Correctness of 2PC will fail!! SKE with elusive range and efficiently verifiable range Drawbacks: Multiple trial-decryption + Huge Ciphertext size for SKEs with above security property + Involved Correctness proof

29 Yao’s Garbled Circuit from “Special” SKE
Point & Permute [NPS99]: k0w1|p1 k1w1|1-p1 k0w2|p2 k1w2|1-p2 k0w3|p3 k1w3|1-p3 k0w4|p4 k1w4|1-p4 >> A random bit called permutation bit will be associated with every wire >> The permutation bits corresponding to input wires of a gate are used to permute the ciphertexts k0w5|p5 k1w5|1-p5 k0w6|p6 k1w6|1-p6 + >> will be placed at (p1p2)th row k0w7|p7 k1w7|1-p7 >> assuming p1 = p2 = 1 Garbled AND Gate >> given just one of the permutation bits for each wire, the row where the ciphertext is placed will look random and will not leak any information about the meaning of the input and output keys! >> No requirement from SKE! Correctness of 2PC from GC taken care !

30 Yao’s Garbled Circuit from “Special” SKE
R1: K|{0,1} = M = C >> SKE must be such that an bad evaluator should have no information about what the three unopened ciphertext contains >> E.g. if it can guess the unopened message are same and the gate is AND, then it knows the meaning of the key it decrypted! >> Very subtle security definition is required! >> Double encryption security

31 Chosen Double Encryption (CDE) Security
PrivK (k) A,  cde  = (Gen, Enc, Dec), , k k0, k1 (x0,y0,z0), (x1,y1,z1) c0  Enck0 (Enck’1(xb)) PPT Attacker A k’0, k’1 c1  Enck’0 (Enck1 (yb)) Gen c2  Enck’0 (Enck’1 (zb)) b  {0, 1} Post-challenge Training with oracles Enc**(Enck’1(**)) Enck’0(Enc** (**)) Let me verify I can break  b’  {0, 1} b = b’ Game Output b  b’ 0 --- attacker lost 1 --- attacker won  is CDE-secure if for every PPT A, there is a negligible function negl, such that: ½ + negl(n) Pr PrivK (k) A,  cde = 1

32 Chosen Plain-text Attack (CPA) Security
PrivK (k) A,  cpa  = (Gen, Enc, Dec), , k b  {0, 1} Training Phase PPT Attacker A m0, m1 , |m0| = |m1| c  Enck(mb) k Post-challenge Training Let me verify Gen(1n) I can break  b’  {0, 1} b = b’ Game Output b  b’ 0 --- attacker lost 1 --- attacker won  is CPA-secure if for every PPT A, there is a negligible function negl, such that: ½ + negl(n) Pr PrivK (n) A,  cpa = 1 Every CPA-secure scheme is also CDE-secure!

33 Completing the Picture
k0w1|p1 k1w1|1-p1 k0w2|p2 k1w2|1-p2 k0w3|p3 k1w3|1-p3 k0w4|p4 k1w4|1-p4 Garbled Circuit: Garbled gates + output decryption tables k0w5|p5 k1w5|1-p5 k0w6|p6 k1w6|1-p6 + k0w7|p7 k1w7|1-p7 1. Give input keys corresponding to the inputs and the garbled circuit. 2. For every gate, decrypt the encryption pointed by permutation bits of the input keys of a gate, get the output key and its permutation bit 3. For the output gate, the key corresponding to the output value for given inputs is obtained and is translated to correct output using the decryption tables.

34 Yao’s 2 Party Protocol P1 P0 GC Constructor GC Evaluator
Y = (y1,y2,…yk ) X = (x1,x2,…xk ) Construct a Garbled Circuit GC for Circuit C Keys corresponding to X = (x1,x2,…xk ) and GC k0w1 y1 OT1 k1w1 ky1w1 k0wk yk OTk k1wk kykwk Evaluate GC with the given input keys and interpret the output Z using output decryption tables Z

35 Yao’s 2 Party Protocol- Security for P1
GC Constructor GC Evaluator P1 P0 Y = (y1,y2,…yk ) X = (x1,x2,…xk ) Construct a Garbled Circuit GC for Circuit C Keys corresponding to X = (x1,x2,…xk ) and GC k0w1 y1 OT1 k1w1 Security will reduce to the OT security for the receiver ky1w1 k0wk yk OTk k1wk kykwk Evaluate GC with the given input keys and interpret the output Z using output decryption tables Z

36 Yao’s 2 Party Protocol- Security for P0
GC Constructor GC Evaluator P1 P0 Y = (y1,y2,…yk ) X = (x1,x2,…xk ) Construct a Garbled Circuit GC for Circuit C Security will reduce to the OT security for the sender Keys corresponding to X = (x1,x2,…xk ) and GC k0w1 y1 OT1 Three unopened ciphertext must not leak info- CDE security k1w1 ky1w1 k0wk yk OTk k1wk kykwk Evaluate GC with the given input keys and interpret the output Z using output decryption tables Z

37 Scribe?

38 Yao’s 2-party Protocol P1 does the following: Garbling the circuit :
Associate two random indistinguishable keys with each wire Construct the garbled truth table for each gate Randomly permute the garbled truth tables and send to P2 Sending garbled inputs : P1 sends the keys associated with its inputs to P2 P1 obliviously sends the keys associated with the inputs of P2 P2 does the following: Evaluating the garbled circuit : Decrypts the correct ciphertext from each garbled truth table using the pair of keys associated with the gate input wires Sends to P1 the keys obtained corresponding to the output wires and obtain their labels to know the function output

39 Take-home Message Future directions Not possible to list down here
2-PC: fundamental problem in distributed cryptography Extensively studied theoretically over the past three decades Recently grabbed attention of practitioners Future directions Not possible to list down here Will require an entire lecture to list them down !! See the proceedings of any flagship crypto/security conference --- dedicated sessions for 2-PC

40 Yao’s Protocol Demonstration : A Larger Circuit
(a, b) (c) a b c k1 k2 ki b ki 1-b w1 w2 k1 1 k2 1 G1 =  Random n-bit keys associated with wire wi k3 w3 k4 k3 1 w4 k4 1 G2 =  k5 w5 k5 1

41 Yao’s Protocol Demonstration : A Larger Circuit
b c k1 k2 (a, b) (c) w1 w2 k1 1 k2 1 G1 =  k3 w3 Garbled G1 k4 k3 1 w4 k4 1 k1 c00 = Enc (Enc ( )) G1 k2 k4 G2 =  k1 c01 = Enc (Enc ( )) G1 k2 1 k4 k5 w5 k1 1 c10 = Enc (Enc ( )) G1 k2 k4 k5 1 k1 1 c11 = Enc (Enc ( )) G1 k2 k4 k4 c00 = Enc (Enc ( )) G2 k3 k5 k4 c01 = Enc (Enc ( )) G2 k3 1 k5 k4 1 c10 = Enc (Enc ( )) G2 k3 k5 Garbled G2 k4 1 c11 = Enc (Enc ( )) G2 k3 k5

42 Yao’s Protocol Demonstration : A Larger Circuit
b c k1 k2 (a, b) (c) w1 w2 k1 1 k2 1 G1 =  k3 w3 k1 c00 = Enc (Enc ( )) G1 k2 k4 k4 k1 1 c10 = Enc (Enc ( )) G1 k2 k4 k3 1 w4 k4 1 k1 c01 = Enc (Enc ( )) G1 k2 1 k4 k1 c00 = Enc (Enc ( )) G1 k2 k4 G2 =  k1 1 c10 = Enc (Enc ( )) G1 k2 k4 k1 1 c11 = Enc (Enc ( )) G1 k2 k4 k5 w5 k1 1 c11 = Enc (Enc ( )) G1 k2 k4 k1 c01 = Enc (Enc ( )) G1 k2 1 k4 k5 1 k4 c00 = Enc (Enc ( )) G2 k3 k5 k4 c01 = Enc (Enc ( )) G2 k3 1 k5 k4 c01 = Enc (Enc ( )) G2 k3 1 k5 k4 c00 = Enc (Enc ( )) G2 k3 k5 k4 1 c10 = Enc (Enc ( )) G2 k3 k5 k4 1 c10 = Enc (Enc ( )) G2 k3 k5 Random shuffling k4 1 c11 = Enc (Enc ( )) G2 k3 k5 k4 1 c11 = Enc (Enc ( )) G2 k3 k5

43 Yao’s Protocol Demonstration : A Larger Circuit
b c k1 k1 k2 (a, b) (c) w1 w2 k1 1 k2 1 k2 1 Let a = 0, b = 1 Let c = 1 G1 =  k3 w3 k1 c00 = Enc (Enc ( )) G1 k2 k4 k4 k1 1 c10 = Enc (Enc ( )) G1 k2 k4 k3 1 w4 k4 1 k1 c01 = Enc (Enc ( )) G1 k2 1 k4 k1 c00 = Enc (Enc ( )) G1 k2 k4 G2 =  k1 1 c10 = Enc (Enc ( )) G1 k2 k4 k1 1 c11 = Enc (Enc ( )) G1 k2 k4 k5 w5 k1 1 c11 = Enc (Enc ( )) G1 k2 k4 k1 c01 = Enc (Enc ( )) G1 k2 1 k4 k5 1 k4 c00 = Enc (Enc ( )) G2 k3 k5 k3 k4 c01 = Enc (Enc ( )) G2 k3 1 k5 c 1 OT k4 c01 = Enc (Enc ( )) G2 k3 1 k5 k3 1 k3 1 k3 c k4 c00 = Enc (Enc ( )) G2 k3 k5 k4 1 c10 = Enc (Enc ( )) G2 k3 k5 k4 1 c10 = Enc (Enc ( )) G2 k3 k5 k4 1 c11 = Enc (Enc ( )) G2 k3 k5 k4 1 c11 = Enc (Enc ( )) G2 k3 k5

44 Yao’s Protocol Demonstration : A Larger Circuit
b c k1 k3 1 (a, b) (c) k1 w1 k2 1 w2 k2 1 k4 1 Let a = 0, b = 1 Let c = 1 G1 =  w3 k1 c00 = Enc (Enc ( )) G1 k2 k4 k1 1 c10 = Enc (Enc ( )) G1 k2 k4 k4 1 k3 1 w4 k1 c01 = Enc (Enc ( )) G1 k2 1 k4 k1 c00 = Enc (Enc ( )) G1 k2 k4 G2 =  k1 1 c10 = Enc (Enc ( )) G1 k2 k4 k1 1 c11 = Enc (Enc ( )) G1 k2 k4 w5 k1 1 c11 = Enc (Enc ( )) G1 k2 k4 k1 c01 = Enc (Enc ( )) G1 k2 1 k4 Dec (Dec ( )) k1 k2 1 c10 G1   k4 c00 = Enc (Enc ( )) G2 k3 k5 k4 c01 = Enc (Enc ( )) G2 k3 1 k5 Dec (Dec ( )) k1 k2 1 c00 G1   k4 c01 = Enc (Enc ( )) G2 k3 1 k5 k4 c00 = Enc (Enc ( )) G2 k3 k5 Dec (Dec ( )) k1 k2 1 c11 G1 k4 1 c10 = Enc (Enc ( )) G2 k3 k5   k4 1 c10 = Enc (Enc ( )) G2 k3 k5 k4 1 Dec (Dec ( )) k1 k2 1 c01 G1 k4 1 c11 = Enc (Enc ( )) G2 k3 k5 k4 1 c11 = Enc (Enc ( )) G2 k3 k5

45 Yao’s Protocol Demonstration : A Larger Circuit
b c k1 k3 1 (a, b) (c) k1 w1 k2 1 w2 k2 1 k5 k4 1 Let a = 0, b = 1 Let c = 1 G1 =  w3 k1 c00 = Enc (Enc ( )) G1 k2 k4 k1 1 c10 = Enc (Enc ( )) G1 k2 k4 k4 1 k3 1 w4 k1 c01 = Enc (Enc ( )) G1 k2 1 k4 k1 c00 = Enc (Enc ( )) G1 k2 k4 G2 =  k1 1 c10 = Enc (Enc ( )) G1 k2 k4 k1 1 c11 = Enc (Enc ( )) G1 k2 k4 k5 w5 k1 1 c11 = Enc (Enc ( )) G1 k2 k4 k1 c01 = Enc (Enc ( )) G1 k2 1 k4 k4 c00 = Enc (Enc ( )) G2 k3 k5 Dec (Dec ( )) k4 1 k3 c01 G2   k4 c01 = Enc (Enc ( )) G2 k3 1 k5 k4 c01 = Enc (Enc ( )) G2 k3 1 k5 Dec (Dec ( )) k4 1 k3 c00 G2 k4 c00 = Enc (Enc ( )) G2 k3 k5   k4 1 c10 = Enc (Enc ( )) G2 k3 k5 k4 1 c10 = Enc (Enc ( )) G2 k3 k5 Dec (Dec ( )) k4 1 k3 c10 G2   k4 1 c11 = Enc (Enc ( )) G2 k3 k5 k4 1 c11 = Enc (Enc ( )) G2 k3 k5 k5 Dec (Dec ( )) k4 1 k3 c11 G2

46 Yao’s Protocol Demonstration : A Larger Circuit
b c k1 k3 1 (a, b) (c) k1 w1 k2 1 w2 k2 1 k4 1 Let a = 0, b = 1 Let c = 1 G1 =  k5 w3 k1 1 { , } k2 1 { , } k4 1 k3 1 k3 1 { , } k4 1 { , } w4 Obtained by P2 by evaluating the circuit k5 1 { , } G2 =  k5 k5 w5 Selected by P1 a  b  c = 0 a  b  c = 0 If P1 is corrupted Will anyhow learn c from a, b and a  b  c If P2 is corrupted Will learn nothing more than that a  b = 1

47 Yao’s 2-party Protocol : Complexity
Number of rounds : P1  P2 : garbled truth table + garbled input of P1 P1  P2 : parallel instances of OT to enable P2 get its garbled input OT instances can start simultaneously with P1 communicating its garbled input Total = number of rounds for an instance of OT ( = 2) P2  P1 : values obtained along the output gate Garbling scheme can be modified so that in the garbled output table, the output value is encrypted instead of output key 1 round of communication Round complexity = = 3

48 Yao’s 2-party Protocol : Complexity
Communication complexity : P1  P2 : garbled truth table + garbled input of P1 Each garbled input  O(n) bit symmetric key Each garbled circuit  4 ciphertexts, each of O(n) bits P1  P2 : OT instances to enable P2 get its garbled input P2  P1 : bits along the output wires If z = f(x, y), where P1 has input x and P2 has input y and circuit for f has C gates then : Communication complexity = O(|x| n) + O(|C| n) + O(|y| ComOT) + O(|z|) ComOT : communication complexity of one instance of OT

49 Yao’s 2-party Protocol : Complexity
Computation complexity : P1: Associating 2 n-bit symmetric keys with each wire Computing 4 |C| double encryptions Participating in |y| instances of OT with pairs of n-bit inputs P2: Participating in |y| instances of OT with choice bits Decrypting 4 ciphertexts in each garbled table to find the correct decryption Overall the computation has mostly symmetric-key operations except the OT instances

50 Yao’s 2-party Protocol : Various Optimizations
Reducing the size of the garbled table: P1 associates keys with the wires in a special way so that each garbled table has less than 4 ciphertexts Free-XOR technique : no garbled table required for XOR gates V. Kolesnikov and T. Schneider: Improved Garbled Circuit: Free XOR Gates and Applications. ICALP (2) 2008: Garbled row reduction (GRR): garbled table for non-XOR gates consisting of only two ciphertexts B. Pinkas, T. Schneider, N. P. Smart, S. C. Williams: Secure Two-Party Computation Is Practical. ASIACRYPT 2009: Free-XOR and GRR are incompatible Tradeoff : more XOR gates then use Free-XOR technique Try to “introduce” as many number of XOR gates as possible without changing the functionality

51 Yao’s 2-party Protocol : Various Optimizations
Enabling P2 to correctly identify the right entry in the garbled circuit to decrypt without trying all the 4 ciphertexts in the table Even though P2 will identify the correct entry to decrypt, it should not be able to learn the label of the decrypted ciphertext Point-and-Permute technique : randomly permute the ciphertexts and give a pointer to the ciphertext to decrypt M. Naor, B. Pinkas, R. Sumner: Privacy preserving auctions and mechanism design. EC 1999:

Download ppt "Cryptography Lecture 13 Arpita Patra"

Similar presentations

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.

Lecturer: Moni Naor Foundations of Cryptography Lecture 15: Oblivious Transfer and Secure Function Evaluation.
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.

Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Privacy Preserving Auctions and Mechanism Design Moni Naor Benny Pinkas Reuben Sumner Presented by: Raffi Margaliot.

Privacy Preserving Auctions and Mechanism Design Moni Naor Benny Pinkas Reuben Sumner Presented by: Raffi Margaliot.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.

1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.
How to play ANY mental game

How to play ANY mental game
Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.

Cryptography Lecture 10 Arpita Patra. Quick Recall and Today’s Roadmap >> CPA & CPA-mult security >> Equivalence of CPA and CPA-mult security >> El Gamal.
Slide 1 Vitaly Shmatikov CS 380S Introduction to Secure Multi-Party Computation.

Slide 1 Vitaly Shmatikov CS 380S Introduction to Secure Multi-Party Computation.
Slide 1 Vitaly Shmatikov CS 380S Yao’s Protocol. slide 2 1 00 0 Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert.

Slide 1 Vitaly Shmatikov CS 380S Yao’s Protocol. slide Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert.
Secure two-party computation: a visual way by Paolo D’Arco and Roberto De Prisco.

Secure two-party computation: a visual way by Paolo D’Arco and Roberto De Prisco.
Slide 1 Yao’s Protocol. slide 2 1 00 0 Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean.

Slide 1 Yao’s Protocol. slide Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean.
Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.

Cryptography Lecture 2 Arpita Patra. Summary of Last Class  Introduction  Secure Communication in Symmetric Key setting >> SKE is the required primitive.
1 Secure Multi-party Computation Minimizing Online Rounds Seung Geol Choi Columbia University Joint work with Ariel Elbaz(Columbia University) Tal Malkin(Columbia.

1 Secure Multi-party Computation Minimizing Online Rounds Seung Geol Choi Columbia University Joint work with Ariel Elbaz(Columbia University) Tal Malkin(Columbia.
Secure Computation (Lecture 2) Arpita Patra. Vishwaroop of MPC.

Secure Computation (Lecture 2) Arpita Patra. Vishwaroop of MPC.
Secure Computation Lecture 13-14 Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.

Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.

Similar presentations

Ads by Google