Oblivious Transfer and Secure Multiparty Computation

Brett Hemenway

September 11th 2013 Introduction

Oblivious Transfer

Circuit Garbling

Secure Computation from Secret Sharing

Applications of MPC The Satellite Problem Conjunction Analysis: Overview Speciﬁc Calculations Integration Doing The Computation Securely

Extras Cryptographic Assumptions Constructing Oblivious Transfer The Millionaire’s Problem An example of secure two-party computation

I Two Millionaires want to determine who is richer, without revealing their wealth [Yao82]

I They want a secure computation of a comparison (<) gate

I More generally, how can two (or more) parties compute a function while keeping their inputs private? Solving the Millionaire’s Problem

I If there is a family of one-way trapdoor permutations, F, f : X → Y for f ∈ F e.g. f (x) = xe mod N (the RSA function)

I and a hash function H : X → Z

I Then there is a simple solution to the Millionaire’s Problem

I We assume Alice’s wealth is a, Bob’s is b, and there is an a priori upper bound m > max(a, b). BobAlice {r }m−1 $ i fi=0 −1 x ← X y a xi = f (y + i) for i = 0,..., m − 1 b y = f (x) − b x0 ... xb ... xm−1 if H(x) = rb then a > b $ −1 x ← X−1 xb = f (y + b) = f ((f (x) − b) + b) = x if H(xy)=6=fr(bxthen) − ba ≤ b H(xi + 1) for i = 0,..., a ri = H(xi ) for i = a + 1,..., m − 1 m−1 y {ri }i=0 r0 ... rb ... rm−1

a > b ⇒ rb = H(x)

Solving the Millionaire’s Problem

Alice

f , f −1 ←$ F

f AliceBob {r }m−1 $ i i=0 −1 x ← X y a xi = f (y + i) for i = 0,..., m − 1 b y = f (x) − b x0 ... xb ... xm−1 if H(x) = rb then a > b −1 −−11 $ xb = f (y + b)f =, ff ←((f F(x) − b) + b) = x if H(x) 6= rb then a ≤ b H(xi + 1) for i = 0,..., a ri = H(xi ) for i = a + 1,..., m − 1 m−1 {ri }fi=0 r0 ... rb ... rm−1

a > b ⇒ rb = H(x)

Solving the Millionaire’s Problem

Bob f b

x ←$ X y = f (x) − b

y AliceBob

m−1 $ {ri }fi=0 a x ← X b y = f (x) − b

if H(x) = rb then a > b $ −1 x ←−X−11 $ xb = f (y + b)f =, ff ←((f F(x) − b) + b) = x if H(xy)=6=fr(bxthen) − ba ≤ b H(xi + 1) for i = 0,..., a ri = H(xi ) for i = a + 1,..., m − 1 m−1 y {ri }fi=0 r0 ... rb ... rm−1

a > b ⇒ rb = H(x)

Solving the Millionaire’s Problem

Alice

−1 y a xi = f (y + i) for i = 0,..., m − 1

x0 ... xb ... xm−1 AliceBob

m−1 $ {ri }fi=0 a x ← X b y = f (x) − b

if H(x) = rb then a > b $ xf ,←f −X1 ←$ F if H(xy)=6=fr(bxthen) − ba ≤ b H(xi + 1) for i = 0,..., a ri = H(xi ) for i = a + 1,..., m − 1 m−1 y {ri }fi=0 r0 ... rb ... rm−1

a > b ⇒ rb = H(x)

Solving the Millionaire’s Problem

Alice

−1 y a xi = f (y + i) for i = 0,..., m − 1

x0 ... xb ... xm−1

−1 −1 xb = f (y + b) = f ((f (x) − b) + b) = x AliceBob

m−1 $ {ri }fi=0 a x ← X b y = f (x) − b

if H(x) = rb then a > b $ −1 x ←−X−11 $ xb = f (y + b)f =, ff ←((f F(x) − b) + b) = x if H(xy)=6=fr(bxthen) − ba ≤ b

m−1 y {ri }fi=0

Solving the Millionaire’s Problem

Alice

−1 y a xi = f (y + i) for i = 0,..., m − 1

x0 ... xb ... xm−1

H(xi + 1) for i = 0,..., a ri = H(xi ) for i = a + 1,..., m − 1

r0 ... rb ... rm−1

a > b ⇒ rb = H(x) AliceBob

m−1 $ {ri }fi=0 a x ← X b y = f (x) − b

if H(x) = rb then a > b $ −1 x ←−X−11 $ xb = f (y + b)f =, ff ←((f F(x) − b) + b) = x if H(xy)=6=fr(bxthen) − ba ≤ b

y f

a > b ⇒ rb = H(x)

Solving the Millionaire’s Problem

Alice

−1 y a xi = f (y + i) for i = 0,..., m − 1

x0 ... xb ... xm−1

H(xi + 1) for i = 0,..., a ri = H(xi ) for i = a + 1,..., m − 1 m−1 {ri }i=0 r0 ... rb ... rm−1 AliceBob

f −1 y a xi = f (y + i) for i = 0,..., m − 1 b

x0 ... xb ... xm−1

$ −1 x ←−X−11 $ xb = f (y + b)f =, ff ←((f F(x) − b) + b) = x y = f (x) − b H(xi + 1) for i = 0,..., a ri = H(xi ) for i = a + 1,..., m − 1 m−1 y {ri }fi=0 r0 ... rb ... rm−1

a > b ⇒ rb = H(x)

Solving the Millionaire’s Problem

Bob m−1 {ri } $ i=0 x ← X b y = f (x) − b

if H(x) = rb then a > b

if H(x) 6= rb then a ≤ b Secure Multiparty Computation

I Cryptographic tools exist that allow a group of participants to securely calculate any function of their joint inputs.

I Cryptography removes the need for a trusted third party Privacy is deﬁned in a simulation paradigm

I A protocol is secure if there is a simulator that, when given only the output of the protocol can simulate an execution of the protocol that is indistinguishable from the real protocol.

I This ensures that nothing beyond the output of the protocol is learned

I In the Millionaire’s Problem revealing whose salary is higher leaks information. A secure protocol should leak nothing more. Standard technique: ﬁrst build protocols in the Semi-Honest model. Then use standard tools (e.g. Zero-Knowledge proofs) to force participants to follow the protocol

Security Models Deﬁnition (Semi-Honest Adversaries) Semi-Honest (Honest-But-Curious) adversaries

I always follow whatever protocol they are asked to perform

I always send well-formed messages

I try to learn other participants’ secrets by looking at their own transcript in the protocol

Deﬁnition (Malicious Adversaries) Malicious adversaries are:

I allowed to deviate from the protocol

I allowed to send mal-formed messages

I allowed to behave in any way Security Models Deﬁnition (Semi-Honest Adversaries) Semi-Honest (Honest-But-Curious) adversaries

I always follow whatever protocol they are asked to perform

I always send well-formed messages

I try to learn other participants’ secrets by looking at their own transcript in the protocol

Deﬁnition (Malicious Adversaries) Malicious adversaries are:

I allowed to deviate from the protocol

I allowed to send mal-formed messages

I allowed to behave in any way Standard technique: ﬁrst build protocols in the Semi-Honest model. Then use standard tools (e.g. Zero-Knowledge proofs) to force participants to follow the protocol Methods of Secure MPC

Protocol Assumption Players Reference

Yao’s Garbled Circuit OT 2 [Yao82, Yao86]

GMW OT 2+ [GMW87]

BGW/CCD Honest Majority 3+ [BOGW88, CCD88]

FHE Lattice Problems 2+ [Gen09] Methods of Secure MPC

Protocol Assumption Players Reference

Yao’s Garbled Circuit OT 2 [Yao82, Yao86]

GMW OT 2+ [GMW87]

BGW/CCD Honest Majority 3+ [BOGW88, CCD88]

FHE Lattice Problems 2+ [Gen09] Introduction

Oblivious Transfer

Circuit Garbling

Secure Computation from Secret Sharing

Applications of MPC The Satellite Problem Conjunction Analysis: Overview Speciﬁc Calculations Integration Doing The Computation Securely

Extras Cryptographic Assumptions Constructing Oblivious Transfer I S learns nothing about b

I R learns nothing about X1−b

Oblivious Transfer

Sender Receiver

x0 b OT x1 xb Oblivious Transfer

Sender Receiver

x0 b OT x1 xb

I S learns nothing about b

I R learns nothing about X1−b Facts About OT

I Introduced by Rabin [Rab81], Even, Goldreich and Lempel [EGL85] I OT is equivalent to random OT [Cr´e88] I OT is symmetric [WW06] I OT is “complete” for secure multiparty computation [Kil88, IPS08] I Black-box construction of OT from one-way permutations implies P 6= NP [IR89] I Perfect OT cannot be constructed using quantum mechanics [Lo97] I OTs can be extended under computational assumptions[IKNP03] I OTs cannot be extended using quantum mechanics [SSS09, WW10] + I OT impies PKE, but not vice-versa [GKM 00] I Constructions:

I PIR [CMO00] I DDH [NP01] I Projective hash proofs[Kal05, HK07] I Blind signatures (requires RO) [CNS07] I Bilinear assumptions [GH07] I Dual-mode encryption [PVW08] + I Noisy Channels [IKO 11]  w ←$ [| |]  G (β0, β1)  w βb = g $   k0, k1 ← [|G|]  β1−b = r  k0  α0 = g   k1  ((α0, γ0), (α1, γ1)) α1 = g k0 x0  γ0 = h0 g   k1 x1  γ1 = h g  1 −w xb = 1 iﬀ γb · αb = g

OT From The DDH Assumption Blind Generation of El-Gamal Public-keys

a b ab a b c (g, g , g , g ) ≈c (g, g , g , g )

x0, x1 b

Sender Receiver $  k0, k1 ← [|G|]  k0  α0 = g   k1  ((α0, γ0), (α1, γ1)) α1 = g k0 x0  γ0 = h0 g   k1 x1  γ1 = h g  1 −w xb = 1 iﬀ γb · αb = g

OT From The DDH Assumption Blind Generation of El-Gamal Public-keys

a b ab a b c (g, g , g , g ) ≈c (g, g , g , g )

x0, x1 b

Sender Receiver

 w ←$ [| |]  G (β0, β1)  w βb = g   β1−b = r −w xb = 1 iﬀ γb · αb = g

OT From The DDH Assumption Blind Generation of El-Gamal Public-keys

a b ab a b c (g, g , g , g ) ≈c (g, g , g , g )

x0, x1 b

Sender Receiver

 w ←$ [| |]  G (β0, β1)  w βb = g $   k0, k1 ← [|G|]  β1−b = r  k0  α0 = g   k1  ((α0, γ0), (α1, γ1)) α1 = g k0 x0  γ0 = h0 g   k1 x1  γ1 = h1 g OT From The DDH Assumption Blind Generation of El-Gamal Public-keys

a b ab a b c (g, g , g , g ) ≈c (g, g , g , g )

x0, x1 b

Sender Receiver

 w ←$ [| |]  G (β0, β1)  w βb = g $   k0, k1 ← [|G|]  β1−b = r  k0  α0 = g   k1  ((α0, γ0), (α1, γ1)) α1 = g k0 x0  γ0 = h0 g   k1 x1  γ1 = h g  1 −w xb = 1 iﬀ γb · αb = g Oblivious Transfer

Sender Receiver

x0 b OT x1 xb

I S learns nothing about b

I R learns nothing about X1−b Random Oblivious Transfer

Sender Receiver

x0 b OT x1 xb

I S learns nothing about b

I R learns nothing about X1−b Sender Receiver

y0 c ROT y1 yc

d b ⊕ c Idea: use Random OT on z0 = x0 ⊕ yrandomd values(z0, z as1) a one-time z1 = x1 ⊕ y1−dpad to blind real OT zb ⊕ yc

y0, y1 generated at random if b = 0 then d = c, so receiver knows yd if b = 1 then d = 1 − c, so receiver knows y1−d

Random OT + 3 Bits Communication = OT Precomputing OT

Sender Receiver b x0

xb Sender Receiver

y0 c ROT y1 yc

d b ⊕ c

z0 = x0 ⊕ yd (z0, z1) z1 = x1 ⊕ y1−d zb ⊕ yc

y0, y1 generated at random if b = 0 then d = c, so receiver knows yd if b = 1 then d = 1 − c, so receiver knows y1−d

Random OT + 3 Bits Communication = OT Precomputing OT

Sender Receiver b x0

Idea: use Random OT on random values as a one-time pad to blind real OT xb OT d b ⊕ c Idea: use Random OT on z0 = x0 ⊕ yrandomd values(z0, z as1) a one-time z1 = x1 ⊕ y1−dpad to blind real OT zb ⊕ yc

if b = 0 then d = c, so receiver knows yd if b = 1 then d = 1 − c, so receiver knows y1−d

Random OT + 3 Bits Communication = OT Precomputing OT

Sender Receiver Sender Receiver b x0 y0 c x1 ROT y1 yc

y0, y1 generated at random OT

Idea: use Random OT on z0 = x0 ⊕ yrandomd values(z0, z as1) a one-time z1 = x1 ⊕ y1−dpad to blind real OT zb ⊕ yc

if b = 0 then d = c, so receiver knows yd if b = 1 then d = 1 − c, so receiver knows y1−d

Random OT + 3 Bits Communication = OT Precomputing OT

Sender Receiver Sender Receiver b x0 y0 c x1 ROT y1 yc

d b ⊕ c

y0, y1 generated at random OT

Idea: use Random OT on random values as a one-time pad to blind real OT zb ⊕ yc

if b = 0 then d = c, so receiver knows yd if b = 1 then d = 1 − c, so receiver knows y1−d

Random OT + 3 Bits Communication = OT Precomputing OT

Sender Receiver Sender Receiver b x0 y0 c x1 ROT y1 yc

d b ⊕ c

z0 = x0 ⊕ yd (z0, z1) z = x ⊕ y 1 1 1−d xb

y0, y1 generated at random OT

Idea: use Random OT on random values as a one-time pad to blind real OT

if b = 0 then d = c, so receiver knows yd if b = 1 then d = 1 − c, so receiver knows y1−d

Random OT + 3 Bits Communication = OT Precomputing OT

Sender Receiver Sender Receiver b x0 y0 c x1 ROT y1 yc

d b ⊕ c

z0 = x0 ⊕ yd (z0, z1) z1 = x1 ⊕ y1−d zb ⊕ yc xb

y0, y1 generated at random OT

Idea: use Random OT on random values as a one-time pad to blind real OT

y0, y1 generated at random

Random OT + 3 Bits Communication = OT Precomputing OT

Sender Receiver Sender Receiver b x0 y0 c x1 ROT y1 yc

d b ⊕ c

z0 = x0 ⊕ yd (z0, z1) z1 = x1 ⊕ y1−d zb ⊕ yc xb

if b = 0 then d = c, so receiver knows yd if b = 1 then d = 1 − c, so receiver knows y1−d Precomputing OT

I Oﬄine: before inputs are known, run many OT protocols

I This generates many OT “triples” (y0, y1) and (c, yc ) I Online: once inputs are known, OT triples can be consumed

I Online phase is cheap (in computation and communication) Introduction

Oblivious Transfer

Circuit Garbling

Secure Computation from Secret Sharing

Applications of MPC The Satellite Problem Conjunction Analysis: Overview Speciﬁc Calculations Integration Doing The Computation Securely

Extras Cryptographic Assumptions Constructing Oblivious Transfer Yao’s Garbled Circuit Overview

Two parties, Alice and Bob, want to compute a public function on private inputs. High-Level Approach

I Public function is written as a circuit

I Alice will “garble” the circuit

I Alice will send the “garbled” circuit to Bob

I Alice and Bob will engage in OT to get Bob his “garbled” inputs

I Bob will use the garbled inputs to compute circuit gate-by-gate λλ SampleSample ust0, ust11 randomlyrandomly from from {{00,,11}}

s0 1s1 t0 1t1 s01 t0 Es01 (Eut0 (u0))

s01 t1 Es01 (Eut10(u01))

u0 u1 s10 t01 Es10 (Eut01 (u0))

s10 t10 Es10 (Eut10 (u10))

ReplaceReplaceEncrypt output input outputShuﬄe values values values rows with with of under table random random input strings strings keys I Garbled truth-table can I This is a “garbled gate” be made public (EncryptionI Input is secrets symmetric-key,s, t allow e.g. AES) I Knowing one of {s0, s1} decryption of output secret u and one of {t0, t1} allows computation of garbled output

Garbling a Gate

x0 x1 x0 x1 x0 · x1 0 1 0 1 0 0 0 0 1 0 0 1 1 0 0

y = x0 · x1 1 1 1 λ Sample st0, st1 randomly from {0, 1}

s0 1s1 t0 1t1 s01 t0 Es01 (Et0 (u0))

s01 t1 Es01 (Et1 (u01)) s u0 1u1 10 t01 Es10 (Et01 (u0))

s10 t10 Es10 (Et10 (u10))

ReplaceEncrypt input outputShuﬄe values values rows with of under table random input strings keys I Garbled truth-table can I This is a “garbled gate” be made public (EncryptionI Input is secrets symmetric-key,s, t allow e.g. AES) I Knowing one of {s0, s1} decryption of output secret u and one of {t0, t1} allows computation of garbled output

Garbling a Gate λ Sample u0, u1 randomly from {0, 1}

x0 x1 x0 x1 x0 · x1 0 1 0 1 0 0 u00 0 1 u00

u0 u1 1 0 u00 u1 y = x0 · x1 1 1 1

Replace output values with random strings λλ SampleSample ut0, ut11 randomlyrandomly from from {{00,,11}}

s0 1s1 t0 1t1 s1 t0 Es01 (Et0 (u0))

s1 t1 Es01 (Et1 (u01)) s u0 1u1 0 t01 Es10 (Et01 (u0))

s0 t10 Es10 (Et10 (u10))

ReplaceEncrypt output outputShuﬄe values values rows with of under table random input strings keys I Garbled truth-table can I This is a “garbled gate” be made public (EncryptionI Input is secrets symmetric-key,s, t allow e.g. AES) I Knowing one of {s0, s1} decryption of output secret u and one of {t0, t1} allows computation of garbled output

Garbling a Gate λ Sample s0, s1 randomly from {0, 1}

x0 x1 x0 x1 x0 · x1 s0 s1 0 1 s00 0 u00 s00 1 u00

u0 u1 s11 0 u00 s1 u1 y = x0 · x1 1 1 1

Replace input values with random strings λλ SampleSample us0, us11 randomlyrandomly from from {{00,,11}}

s0 1s1 0 1 s1 t0 Es01 (Et0 (u0))

s1 t1 Es01 (Et1 (u01)) s u0 1u1 0 t1 Es10 (Et01 (u0))

s0 t0 Es10 (Et10 (u10))

Garbling a Gate λ Sample t0, t1 randomly from {0, 1}

x0 x1 x0 x1 x0 · x1 s0 s1 t0 t1 s00 t00 u00

s00 t11 u00

u0 u1 s11 t00 u00 s1 t u1 y = x0 · x1 1 11 1

Replace input values with random strings λλ SampleSample ust0, ust11 randomlyrandomly from from {{00,,11}}

s0 1s1 0 1 s1 t0 Es1 (Et0 (u0))

s1 t1 Es01 (Et1 (u01)) s u0 1u1 0 t1 Es10 (Et01 (u0))

s0 t0 Es10 (Et10 (u10))

ReplaceReplace output inputShuﬄe values values rows with with of table random random strings strings I Garbled truth-table can I This is a “garbled gate” be made public I Input secrets s, t allow I Knowing one of {s0, s1} decryption of output secret u and one of {t0, t1} allows computation of garbled output

Garbling a Gate

x0 x1 x0 x1 x0 · x1 s0 s1 t0 t1 s00 t00 Es0 (Eut00 (u0))

s00 t11 u00

u0 u1 s11 t00 u00 s1 t u1 y = x0 · x1 1 11 1

Encrypt output values under input keys

(Encryption is symmetric-key, e.g. AES) λλ SampleSample ust0, ust11 randomlyrandomly from from {{00,,11}}

s0 1s1 0 1 s1 t0 Es1 (Et0 (u0))

s1 t1 Es1 (Et1 (u1)) s u0 1u1 0 t1 Es0 (Et1 (u0))

s0 t0 Es0 (Et0 (u0))

Garbling a Gate

x0 x1 x0 x1 x0 · x1 s0 s1 t0 t1 s00 t00 Es0 (Eut00 (u0))

s00 t11 Es0 (Eut010(u0))

u0 u1 s11 t00 Es1 (Eut00 (u0)) s1 t E (Eu1(u )) y = x0 · x1 1 11 s1 t11 1 λλ SampleSample ust0, ust11 randomlyrandomly from from {{00,,11}}

s0 1s1 0 1 s0 t0 Es0 (Eut0 (u0))

s0 t1 Es0 (Eut10(u0)) s u u0 1u1 1 t0 Es1 (Et0 (u0))

s1 t1 Es1 (Eut1 (u1))

ReplaceReplaceEncrypt output input output values values values with with under random random input strings strings keys I Garbled truth-table can I This is a “garbled gate” be made public (EncryptionI Input is secrets symmetric-key,s, t allow e.g. AES) I Knowing one of {s0, s1} decryption of output secret u and one of {t0, t1} allows computation of garbled output

Garbling a Gate

x0 x1 x0 x1 x0 · x1 s0 s1 t0 t1 s01 t00 Es1 (Eut00 (u0))

s01 t11 Es1 (Eut010(u1))

u0 u1 s10 t01 Es0 (Eut010(u0)) s0 t E (Eu1(u )) y = x0 · x1 1 10 s0 t10 0

Shuﬄe rows of table λλ SampleSample ust0, ust11 randomlyrandomly from from {{00,,11}}

s0 1s1 0 1 s0 t0 Es0 (Eut0 (u0))

s0 t1 Es0 (Eut10(u0)) s u u0 1u1 1 t0 Es1 (Et0 (u0))

s1 t1 Es1 (Eut1 (u1))

ReplaceReplaceEncrypt output input outputShuﬄe values values values rows with with of under table random random input strings strings keys

(Encryption is symmetric-key, e.g. AES)

Garbling a Gate

x0 x1 x0 x1 x0 · x1 s0 s1 t0 t1 s01 t00 Es1 (Eut00 (u0))

s01 t11 Es1 (Eut010(u1))

u0 u1 s10 t01 Es0 (Eut010(u0)) s0 t E (Eu1(u )) y = x0 · x1 1 10 s0 t10 0

I Garbled truth-table can I This is a “garbled gate” be made public I Input secrets s, t allow I Knowing one of {s0, s1} decryption of output secret u and one of {t0, t1} allows computation of garbled output s1,0 1s1,1 s2,0 1s2,1 s3,0 1s3,1 s4,0 1s4,1 s5,0 1s5,1 s6,0 1s6,1 s7,0 1s7,1 s8,0 1s8,1

s9,0 1s9,1 s10,00 s110,1 s11,00 Es111s9,,1 (Es10,1 (s13s12,0)),00 s112,1

Es9,0 (Es10,1 (s13,1)) XOR gate Es9,0 (Es10,0 (s13,0)) s13,00 s113,1 s14,00 s114,1 Es9,1 (Es10,0 (s13,1))

Each wire carries a I Eachboolean wire carries value a string s15,00 s115,1 I Strings on input wires allow decryption of string on output wire

Garbling a Circuit

x1 y1 x2 y2 x3 y3 x4 y4

hx, yi s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

s9,0 s9,1 s10,0 s10,1 s11,0 Es11s9,,1 (Es10,1 (s13s12,0)),0 s12,1

Es9,0 (Es10,1 (s13,1)) XOR gate Es9,0 (Es10,0 (s13,0)) s13,0 s13,1 s14,0 s14,1 Es9,1 (Es10,0 (s13,1))

I Each wire carries a string s15,0 s15,1 I Strings on input wires allow decryption of string on output wire

Garbling a Circuit

x1 y1 x2 y2 x3 y3 x4 y4 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1

0 1 0 1 0 1 0 1

0 1 0 1

Each wire carries a boolean value 0 1 hx, yi 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1

0 1 0 1 0 E1s9,1 (Es10,1 (s13,0))0 1

Es9,0 (Es10,1 (s13,1)) XOR gate Es9,0 (Es10,0 (s13,0)) 0 1 0 1 Es9,1 (Es10,0 (s13,1))

Each wire carries a boolean value 0 1

Garbling a Circuit

x1 y1 x2 y2 x3 y3 x4 y4 s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

s9,0 s9,1 s10,0 s10,1 s11,0 s11,1 s12,0 s12,1

s13,0 s13,1 s14,0 s14,1

I Each wire carries a string s15,0 s15,1 I Strings on input wires allow decryption of string hx, yi on output wire 0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1

0 1 0 1 0 1 0 1

0 1 0 1

Each wire carries a boolean value 0 1

Garbling a Circuit

x1 y1 x2 y2 x3 y3 x4 y4 s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

s9,0 s9,1 s10,0 s10,1 s11,0 Es11s9,,1 (Es10,1 (s13s12,0)),0 s12,1

Es9,0 (Es10,1 (s13,1)) XOR gate Es9,0 (Es10,0 (s13,0)) s13,0 s13,1 s14,0 s14,1 Es9,1 (Es10,0 (s13,1))

I Each wire carries a string s15,0 s15,1 I Strings on input wires allow decryption of string hx, yi on output wire x1 y1 x2 y2 x3 y3 x4 y4 s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1

s13,0s13,1 s14,0s14,1

AliceAlice and generates Bob use two OT randomBobto get uses Bob strings wire the keys for keys each and he AliceAliceAlice gives generates gives Bob Bob the garbled the keys 0 1 wiregarbledneeds (called for truth-table “wirehis inputs keys”) to Alicegarbledcorrespondingtruth Generates tables gates for (butthe to each circuither not decrypt(1 the, 1, wire0, 1) keys at hx, yi gateinputsthe using wire (1, wire0 keys), 1, keys0) NowOutputthe Bob next has wire level one has wire keystandard for each 0/1 input values wire

Secure Function Evaluation Using Garbled Circuits An Example: Secure dot-product

I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private) I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private) P4 I The inner-product function f (x, y) = i=1 xi yi is public x1 y1 x2 y2 x3 y3 x4 y4 s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1

I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private) I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private) P4 I The inner-products13,0 functions13,1 f (x, y) = i=1 xi yi is publics14,0s14,1

AliceAlice and generates Bob use two OT randomBobto get uses Bob strings wire the keys for keys each and he AliceAliceAlice gives generates gives Bob Bob the garbled the keys 0 1 wiregarbledneeds (called for truth-table “wirehis inputs keys”) to garbledcorrespondingtruth tables gates for (but to each her not decrypt(1 the, 1, wire0, 1) keys at hx, yi gateinputsthe using wire (1, wire0 keys), 1, keys0) NowOutputthe Bob next has wire level one has wire keystandard for each 0/1 input values wire

Secure Function Evaluation Using Garbled Circuits An Example: Secure dot-product

x1 y1 x2 y2 x3 y3 x4 y4

Alice Generates the circuit hx, yi x1 y1 x2 y2 x3 y3 x4 y4 s1,1 s2,1 s3,0 s4,1 s5,1 s6,0 s7,0 s8,1

s9,1 s10,0 s11,0 s12,0

I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private) I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private) P4 I The inner-product functions13,1 f (x, y) = i=1 xi yi is publics14,0

Alice and Bob use OT Bobto get uses Bob wire the keys keys and he AliceAliceAlice gives generates gives Bob Bob the garbled the keys 1 garbledneeds for truth-table his inputs to Alicegarbledcorrespondingtruth Generates tables gates for (butthe to each circuither not decrypt(1 the, 1, wire0, 1) keys at hx, yi gateinputsthe using wire (1, wire0 keys), 1, keys0) Nowthe Bob next has level one wire key for each input wire

Secure Function Evaluation Using Garbled Circuits An Example: Secure dot-product

x1 y1 x2 y2 x3 y3 x4 y4 s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1

s13,0s13,1 s14,0s14,1

Alice generates two random strings for each 0 1 wire (called “wire keys”) hx, yi Output wire has standard 0/1 values s1,1 s2,1 s3,0 s4,1 s5,1 s6,0 s7,0 s8,1

s9,1 s10,0 s11,0 s12,0

AliceAlice and generates Bob use two OT randomBobto get uses Bob strings wire the keys for keys each and he AliceAlice gives gives Bob Bob the the keys 1 wiregarbledneeds (called for truth-table “wirehis inputs keys”) to Alicegarbledcorresponding Generates gates (butthe to circuither not (1, 1, 0, 1) decryptinputsthe the wire (1 wire, 0 keys), 1 keys, 0) at NowOutputthe Bob next has wire level one has wire keystandard for each 0/1 input values wire

Secure Function Evaluation Using Garbled Circuits An Example: Secure dot-product

x1 y1 x2 y2 x3 y3 x4 y4 s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1

s13,0s13,1 s14,0s14,1

Alice generates garbled 0 1 truth tables for each hx, yi gate using wire keys x1 y1 x2 y2 x3 y3 x4 y4 s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1

AliceAlice and generates Bob use two OT randomBobto get uses Bob strings wire the keys for keys each and he AliceAlice gives generates Bob the garbled keys 0 1 wiregarbledneeds (called for truth-table “wirehis inputs keys”) to Alicecorrespondingtruth Generates tables for the to each circuither decrypt(1 the, 1, wire0, 1) keys at hx, yi gateinputs using (1, wire0, 1, keys0) NowOutputthe Bob next has wire level one has wire keystandard for each 0/1 input values wire

Secure Function Evaluation Using Garbled Circuits An Example: Secure dot-product

x1 y1 x2 y2 x3 y3 x4 y4

Alice gives Bob the garbled gates (but not hx, yi the wire keys) x1 y1 x2 y2 x3 y3 x4 y4 s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1

AliceAlice and generates Bob use two OT randomBobto get uses Bob strings wire the keys for keys each and he AliceAlice generates gives Bob garbled the 0 1 wiregarbledneeds (called for truth-table “wirehis inputs keys”) to Alicegarbledtruth Generates tables gates for (butthe each circuit not decrypt(1 the, 1, wire0, 1) keys at hx, yi gatethe using wire wire keys) keys NowOutputthe Bob next has wire level one has wire keystandard for each 0/1 input values wire

Secure Function Evaluation Using Garbled Circuits An Example: Secure dot-product

x1 y1 x2 y2 x3 y3 x4 y4 s1,1 s3,0 s5,1 s7,0

Alice gives Bob the keys corresponding to her hx, yi inputs (1, 0, 1, 0) x1 y1 x2 y2 x3 y3 x4 y4 s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1

Alice generates two randomBob uses strings wire keys for each and AliceAliceAlice gives generates gives Bob Bob the garbled the keys 0 1 wiregarbled (called truth-table “wire keys”) to Alicegarbledcorrespondingtruth Generates tables gates for (butthe to each circuither not decrypt the wire keys at hx, yi gateinputsthe using wire (1, wire0 keys), 1, keys0) Outputthe next wire level has standard 0/1 values

Secure Function Evaluation Using Garbled Circuits An Example: Secure dot-product

x1 y1 x2 y2 x3 y3 x4 y4 s1,1 s2,1 s3,0 s4,1 s5,1 s6,0 s7,0 s8,1

Alice and Bob use OT to get Bob the keys he needs for his inputs (1, 1, 0, 1) hx, yi Now Bob has one wire key for each input wire x1 y1 x2 y2 x3 y3 x4 y4 s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1

AliceAlice and generates Bob use two OT randomto get Bob strings the for keys each he AliceAliceAlice gives generates gives Bob Bob the garbled the keys 0 1 wireneeds (called for “wirehis inputs keys”) Alicegarbledcorrespondingtruth Generates tables gates for (butthe to each circuither not (1, 1, 0, 1) hx, yi gateinputsthe using wire (1, wire0 keys), 1, keys0) NowOutput Bob has wire one has wire keystandard for each 0/1 input values wire

Secure Function Evaluation Using Garbled Circuits An Example: Secure dot-product

x1 y1 x2 y2 x3 y3 x4 y4 s1,1 s2,1 s3,0 s4,1 s5,1 s6,0 s7,0 s8,1

s9,1 s10,0 s11,0 s12,0

Bob uses wire keys and garbled truth-table to decrypt the wire keys at hx, yi the next level x1 y1 x2 y2 x3 y3 x4 y4 s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1

Secure Function Evaluation Using Garbled Circuits An Example: Secure dot-product

x1 y1 x2 y2 x3 y3 x4 y4 s1,1 s2,1 s3,0 s4,1 s5,1 s6,0 s7,0 s8,1

s9,1 s10,0 s11,0 s12,0

s13,1 s14,0

Bob uses wire keys and garbled truth-table to decrypt the wire keys at hx, yi the next level x1 y1 x2 y2 x3 y3 x4 y4 s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1

Secure Function Evaluation Using Garbled Circuits An Example: Secure dot-product

x1 y1 x2 y2 x3 y3 x4 y4 s1,1 s2,1 s3,0 s4,1 s5,1 s6,0 s7,0 s8,1

s9,1 s10,0 s11,0 s12,0

s13,1 s14,0

Bob uses wire keys and 1 garbled truth-table to decrypt the wire keys at hx, yi the next level Garbled Circuit Review

I Alice and Bob want to compute a public function (a circuit of size |C| with n inputs) I Alice will generate key pairs for every wire I Alice will generate garbled truth tables for every gate (Calculate: 8 symmetric encryptions per gate) I Alice will give Bob the entire garbled circuit (Communicate: 4 symmetric encryptions per gate) I Alice will give secrets corresponding to her inputs I They will use OT to get Bob secrets corresponding to his inputs (One OT per input) I Bob will evaluate the entire garbled circuit gate by gate (Calculate: 2 symmetric decryptions per gate) I Overall

I Calculation: O(|C|) symmetric encryptions for each party I Communication: O(|C|) symmetric ciphertexts I OT: n parallel oblivious transfers I Entire protocol is only two rounds Implementing Garbled Circuits

I Fairplay: a garbled circuit compiler [MNPS04]

I Garbled circuits for malicious adversaries [LPS08] Computation of > for 16-bit integers takes 135-360 seconds on Intel Core 2 2.13Ghz where running time increases as security parameter increases

I TASTY: a compiler which compiles into a mix of garbled circuits and homomorphic encryption [HOS+10]

I 900-bit hamming distance calculation in .051s on Inter Core Duo 3Ghz [HEKM11, HSE+11] (.019s online time, approximately 10µs per gate)

I Billion-gate circuits against malicious adversaries [KSS12]

I Garble time: 64,000 - 84,000 gates / sec I Secure evaluation of AES (50K gates): 29.4s on 4 cores, 1.3s on 256 cores I 4095-bit edit distance (5.9B gates) in 8.2 hours (82K gates/sec) Introduction

Oblivious Transfer

Circuit Garbling

Secure Computation from Secret Sharing

Applications of MPC The Satellite Problem Conjunction Analysis: Overview Speciﬁc Calculations Integration Doing The Computation Securely

Extras Cryptographic Assumptions Constructing Oblivious Transfer Overview of MPC The GMW/BGW Approach

I The (public) function being computed is written as a circuit

I Each participant secret-shares their private input

I The circuit is evaluated gate-by-gate on the shares (this requires communication between participants)

I Answer is reconstructed from ﬁnal shares Secret Sharing [Sha79] Simple linear sharing scheme

I To share s ∈ F2, among two s players Pick a random r ∈ I F2 r I Create the shares s + r and r

I Keep s + r, send r to other player s = (s + r) + r a1

a = a0 + a1 b = b0 + b1

c0 = a0 + b0 c1 = a1 + b1

c0 + c1 = a + b

Given shares of private inputs, parties can compute shares of any linear function of the inputs

Linear sharing schemes can compute linear functions

a b b0

b = b0 + b1

c0 = a0 + b0 c1 = a1 + b1

c0 + c1 = a + b

Given shares of private inputs, parties can compute shares of any linear function of the inputs

Linear sharing schemes can compute linear functions

a b

a = a0 + a1 c0 = a0 + b0 c1 = a1 + b1

c0 + c1 = a + b

Given shares of private inputs, parties can compute shares of any linear function of the inputs

Linear sharing schemes can compute linear functions

a b

a = a0 + a1 b = b0 + b1 c0 + c1 = a + b

Given shares of private inputs, parties can compute shares of any linear function of the inputs

Linear sharing schemes can compute linear functions

a b

a = a0 + a1 b = b0 + b1

c0 = a0 + b0 c1 = a1 + b1 Given shares of private inputs, parties can compute shares of any linear function of the inputs

Linear sharing schemes can compute linear functions

a b

a = a0 + a1 b = b0 + b1

c0 = a0 + b0 c1 = a1 + b1

c0 + c1 = a + b Linear sharing schemes can compute linear functions

a b

a = a0 + a1 b = b0 + b1

c0 = a0 + b0 c1 = a1 + b1

c0 + c1 = a + b

Given shares of private inputs, parties can compute shares of any linear function of the inputs Multiplying Shares

I We can add shares to get shares of the sum

I How do we multiply shares? Goal: Alice calculates c0, Bob calculates c1 such that

c0 + c1 = a · b

Multiplying Shares

a b

a = a0 + a1 b = b0 + b1 Multiplying Shares

a b

a = a0 + a1 b = b0 + b1

Goal: Alice calculates c0, Bob calculates c1 such that

c0 + c1 = a · b Evaluating a circuit on shares

I Idea: each player secret-shares their input, then perform entire computation on the shares

I If each player secret-shares their inputs, addition gates can be computed locally (each player locally adds their shares) I How do we compute multiplication gates?

I Method 1: Oblivious Transfer (OT) [GMW87] I Method 2: Honest Majority [BOGW88, CCD88] Evaluating a circuit on shares

I Idea: each player secret-shares their input, then perform entire computation on the shares

I If each player secret-shares their inputs, addition gates can be computed locally (each player locally adds their shares) I How do we compute multiplication gates?

I Method 1: Oblivious Transfer (OT)[GMW87] I Method 2: Honest Majority [BOGW88, CCD88] a · b = (a0 + a1)(b0 + b1) = a0b0 + a1b0 + a0b1 + a1b1 Goal: Compute shares of a · b Alice can compute a0b0, Bob can compute a1b1

Multiplying Shares

a b

Alice Bob

a = a0 + a1 b = b0 + b1 Alice can compute a0b0, Bob can compute a1b1

Multiplying Shares

a b

Alice Bob

a = a0 + a1 b = b0 + b1

a · b = (a0 + a1)(b0 + b1) = a0b0 + a1b0 + a0b1 + a1b1 Goal: Compute shares of a · b Alice can compute a0b0, Bob can compute a1b1

Multiplying Shares

a b

Alice Bob

a = a0 + a1 b = b0 + b1

a · b = (a0 + a1)(b0 + b1) = a0b0 + a1b0 + a0b1 + a1b1 Goal: Compute shares of a · b Multiplying Shares

a b

Alice Bob

a = a0 + a1 b = b0 + b1

a · b = (a0 + a1)(b0 + b1) = a0b0 + a1b0 + a0b1 + a1b1 Goal: Compute shares of a · b Alice can compute a0b0, Bob can compute a1b1 GMW Multiplication

Goal: c0 + c1 = (a0 + a1)(b0 + b1) = a0b0 + a0b1 + b0a1 + a1b1

Alice chooses a random c0, and creates the table

OT input Bob’s Inputs

c0 + (a0b0) a1 = 0, b1 = 0

c0 + (a0b0 + a0) a1 = 0, b1 = 1

c0 + (a0b0 + b0) a1 = 1, b1 = 0

c0 + (a0b0 + b0 + a0 + 1) a1 = 1, b1 = 1 Participant 0 acts as the sender in an OT, with the 4 values in the left column as inputs. If a1b1 = 00, then c0 + a0b0 (a0 + a1)(b0 + b1) = a0b0 If a1b1 = 01, then c0 + a0b0 + a0 a1b1 (a0 + a1)(b0 + b1) = a0b0 + a0 If a1b1 = 10, then c0 + a0b0 + b0 c1 (a0 + a1)(b0 + b1) = a0b0 + b0 If a1b1 = 11, then c0 + a0b0 + a0 + b0 + 1 (a0 +a1)(b0 +b1) = a0b0 +a0 +b0 +1

c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1

OT for Multiplication Using 1 out out 4 OT to implement 1-bit multiplication

a0, b0 a1, b1

Alice Bob

OT If a1b1 = 00, then (a0 + a1)(b0 + b1) = a0b0 If a1b1 = 01, then (a0 + a1)(b0 + b1) = a0b0 + a0 If a1b1 = 10, then (a0 + a1)(b0 + b1) = a0b0 + b0 If a1b1 = 11, then (a0 +a1)(b0 +b1) = a0b0 +a0 +b0 +1

c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1

OT for Multiplication Using 1 out out 4 OT to implement 1-bit multiplication

a0, b0 a1, b1

Alice Bob

c0 + a0b0

c0 + a0b0 + a0 OT a1b1

c0 + a0b0 + b0 c1

c0 + a0b0 + a0 + b0 + 1 If a1b1 = 01, then (a0 + a1)(b0 + b1) = a0b0 + a0 If a1b1 = 10, then (a0 + a1)(b0 + b1) = a0b0 + b0 If a1b1 = 11, then (a0 +a1)(b0 +b1) = a0b0 +a0 +b0 +1

c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1

OT for Multiplication Using 1 out out 4 OT to implement 1-bit multiplication

a0, b0 a1, b1

Alice Bob If a1b1 = 00, then c0 + a0b0 (a0 + a1)(b0 + b1) = a0b0 c0 + a0b0 + a0 OT a1b1

c0 + a0b0 + b0 c1

c0 + a0b0 + a0 + b0 + 1 If a1b1 = 00, then (a0 + a1)(b0 + b1) = a0b0

If a1b1 = 10, then (a0 + a1)(b0 + b1) = a0b0 + b0 If a1b1 = 11, then (a0 +a1)(b0 +b1) = a0b0 +a0 +b0 +1

c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1

OT for Multiplication Using 1 out out 4 OT to implement 1-bit multiplication

a0, b0 a1, b1

Alice Bob

c0 + a0b0 If a1b1 = 01, then c0 + a0b0 + a0 OT a1b1 (a0 + a1)(b0 + b1) = a0b0 + a0 c0 + a0b0 + b0 c1

c0 + a0b0 + a0 + b0 + 1 If a1b1 = 00, then (a0 + a1)(b0 + b1) = a0b0 If a1b1 = 01, then (a0 + a1)(b0 + b1) = a0b0 + a0

If a1b1 = 11, then (a0 +a1)(b0 +b1) = a0b0 +a0 +b0 +1

c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1

OT for Multiplication Using 1 out out 4 OT to implement 1-bit multiplication

a0, b0 a1, b1

Alice Bob

c0 + a0b0

c0 + a0b0 + a0 OT a1b1 If a1b1 = 10, then c0 + a0b0 + b0 c1 (a0 + a1)(b0 + b1) = a0b0 + b0 c0 + a0b0 + a0 + b0 + 1 If a1b1 = 00, then (a0 + a1)(b0 + b1) = a0b0 If a1b1 = 01, then (a0 + a1)(b0 + b1) = a0b0 + a0 If a1b1 = 10, then (a0 + a1)(b0 + b1) = a0b0 + b0

c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1

OT for Multiplication Using 1 out out 4 OT to implement 1-bit multiplication

a0, b0 a1, b1

Alice Bob

c0 + a0b0

c0 + a0b0 + a0 OT a1b1

c0 + a0b0 + b0 c1 If a1b1 = 11, then c0 + a0b0 + a0 + b0 + 1 (a0 +a1)(b0 +b1) = a0b0 +a0 +b0 +1 If a1b1 = 00, then (a0 + a1)(b0 + b1) = a0b0 If a1b1 = 01, then (a0 + a1)(b0 + b1) = a0b0 + a0 If a1b1 = 10, then (a0 + a1)(b0 + b1) = a0b0 + b0 If a1b1 = 11, then (a0 +a1)(b0 +b1) = a0b0 +a0 +b0 +1

OT for Multiplication Using 1 out out 4 OT to implement 1-bit multiplication

a0, b0 a1, b1

Alice Bob

c0 + a0b0

c0 + a0b0 + a0 OT a1b1

c0 + a0b0 + b0 c1

c0 + a0b0 + a0 + b0 + 1

c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1 Evaluating Circuits with GMW

I Inputs are secret-shared between participants

I The circuit is evaluated gate-by-gate

I Each gate acts only on shares, so no information is revealed

I Addition gates can be computed locally (no communication between participants)

I Multiplication requires a 1-out-of-4 OT I OT requires public-key operations

I Public-key operations are computationally expensive I Computation requires a number of rounds equal to the multiplicative depth of the circuit Introduction

Oblivious Transfer

Circuit Garbling

Secure Computation from Secret Sharing

Applications of MPC The Satellite Problem Conjunction Analysis: Overview Speciﬁc Calculations Integration Doing The Computation Securely

Extras Cryptographic Assumptions Constructing Oblivious Transfer

Secure Auctions

I A secure double auction was executed by Danish sugar beet farmers and Danisco[BCD +08]

I Danisco is the sole processor of sugar beets in Denmark I 30% of the world’s sugar comes from sugar beets

I Each participant indicated how much they would buy/sell at a given price (private input)

I The market clearing price is computed (securely)

I The quantities bought and sold by each bidder was revealed (public output)

I The auction had 1200 bidders, and 25,000 tons of production rights changed hands Secure Elections

I Implemented by Helios Voting[Adi08]

I Used to elect the president of the Universit´eCatholique de Louvain [UCL09] I Student government representatives at Princeton I President of the IACR + I Scantegrity Election in Takoma Park [CCC 10] I Each participant has a vote (private input) I The winner is tallied (securely) I The winner is made public (public output) I Voting systems allow another level of functionality: auditing Examples of MPC

I Practical demonstrations of MPC have been limited to extremely simple functionalities

I Auctions: (maximum, minimum, threshold functions)

I Elections: (sum, threshold) Introduction

Oblivious Transfer

Circuit Garbling

Secure Computation from Secret Sharing

Applications of MPC The Satellite Problem Conjunction Analysis: Overview Speciﬁc Calculations Integration Doing The Computation Securely

Extras Cryptographic Assumptions Constructing Oblivious Transfer Preventing Satellite Collisions The “Iridium Incident” Renews Interest in Collisions

Source: bbc.co.uk Collisions in Space These objects are moving fast! Improving Space Situational Awareness

I What are the risks to current satellites?

I What are the possible mitigation techniques?

I What are the costs / beneﬁts of various techniques? One Problem in Space

How do you prevent collisions between active satellites? The Problem with Satellites Operators won’t share information

I Satellite operators have high ﬁdelity data about their satellite’s location

I This information is necessary for computing collision probabilities

I Operators are unwilling to share this information Data sharing could solve the problem

I Data sharing between operators would increase space situational awareness [Fou10, KVCB08]

I Operators have tried banding together and sharing their data [LNW09, Cho10]

I This solution is extremely limited because most operators are unwilling to share their data [Cho10] Motivating Question

How can satellite operators coordinate operations without revealing private information? Current Situation

I The JSpOC tracks 22,000 objects in space

I Low ﬁdelity data are made available in the form of Two-Line Elements (TLEs) via space-track.org

I Operators maintain high-accuracy positional information

I High-accuracy should be used to calculate collision probabilities (This calculation is called a Conjunction Analysis)

I Conjunction analyses are always performed pair-wise JSpOC data are not accurate enough Conjunction Analyses

I Some private operators have entered into data sharing agreements

I Private data are provided to a trusted party

I The trusted party performs the conjunction analyses and notiﬁes the operators of potential threats Trusted Party Implementations Current trusted third party implementations

CSSI (a subsidiary of AGI) runs 300 conjunctions twice per day from its 20 participating operators [Kel10]

USSTRATCOM performs conjunction analyses for SSA Sharing Program Partners Preﬁltering

I Public (low-ﬁdelity) data are used to preﬁlter orbits

I Full conjunction analyses are only performed on potentially hazardous orbits

I “the problems with the accuracy of the existing TLE data sets have been well documented, and relying on them for CA pre-filtering is seen as problematic.” [HAO10] Prefiltering Prefiltering in practice

The public dataset can be used to preﬁlter potential threats

I For 22,000 objects there are approximately 240,000,000 pairs I Using the public catalog to preﬁlter results in 53,000 hazardous orbits were identiﬁed [HAO10]

I 5 day window I 50 km threshold for GEO I 5 km threshold for all other orbits I To test all these requires one CA every 8 seconds Secure Function Evaluation

I How quickly can conjunction analyses be performed using techniques from Secure Function Evaluation (SFE), Secure Multiparty Computation (MPC) or Fully Homomorphic Encryption (FHE)? How Secure is MPC?

I Securely calculating a conjunction probability always leaks the conjunction probability

I Protocols provably leak nothing else Conjunction Analysis High Level Overview

I Two parties have private orbital information

I They wish to calculate the probability of collision Operator Inputs

Each operator has the following (private) inputs: 3 I Position (A vector in R ) 3 I Velocity (A vector in R ) 3 I Positional Error (A vector in R ) I Object Radius (A scalar in R) Simplifying Assumptions

I Objects are modeled as spheres

I Their relative motion is assumed to be linear

I Velocity information is assumed to be exact I Their positional errors are assumed to

I have normal distribution with mean zero I be uncorrelated

I These assumptions are made in the insecure setting Conjunction Analysis Calculation

I A conjunction analysis calculation is the three dimensional integral over the product of the probability density functions of the objects

I The assumptions allow this calculation to be greatly simpliﬁed Modeling Objects

I Each object is modeled a normal (Gaussian) distribution, i.e., it has probability density

2 2 2 1 − 1 x + y + z f (x, y, z) = e 2 σx σy σz p 3 2πσx σy σz

(where this has made use of the fact that the errors are independent in diﬀerent directions)

I Truncate gaussian after 8 standard deviations [Alf07]

I This results in a probability ellipsoid Because the errors are independent, and Integratethe Gaussian sum of independent in “collision Gaussians tube” is Gaussian, all error can be shifted to one body. The full radius is shifted to the other body.

Simplifying the Calculations Integrate Gaussian in “collision tube”

Simplifying the Calculations

Because the errors are independent, and the sum of independent Gaussians is Gaussian, all error can be shifted to one body. The full radius is shifted to the other body. Because the errors are independent, and Integratethe Gaussian sum of independent in “collision Gaussians tube” is Gaussian, all error can be shifted to one body. The full radius is shifted to the other body.

Simplifying the Calculations Because the errors are independent, and the sum of independent Gaussians is Gaussian, all error can be shifted to one body. The full radius is shifted to the other body.

Simplifying the Calculations

Integrate Gaussian in “collision tube” The Encounter Plane

I Slice the three dimensional pdf at the point of nearest approach, perpendicular to relative velocity

Cross section of pdf Cross section of collision tube

Encounter Plane Reducing to Two Dimensions

I The 3D integral along the collision tube is made of 2D slices

I Because the variances are independent, the 2D integral in the encounter plane can be done ﬁrst, then this can be integrated along the length of the collision tube, weighted by the pdf in the third dimension

I Integrating along a single dimension, is like integrating a one-dimensional Gaussian, so we get a number that is almost one

I Thus we can approximate the 3D integral by the 2D integral The Calculation Thus a conjunction analysis is the calculation of the following two dimensional integral

√ Z R Z R2−x2 " " 2 2## 1 −1 x − xm y − ym P = √ exp + dydx. 2πσx σy −R − R2−x2 2 σx σy

I R is the combined radius (the sum of the two radii)

I σx , σy are the combined standard deviations in the encounter plane

I (xm, ym) is the location of the center of the collision tube in the encounter plane What’s the Most Eﬃcient Way to Compute This Securely?

Secure Computation Techniques

I Additively Homomorphic Encryption

I MPC over binary circuits (GMW)

I MPC over arithmetic circuits [AIK12]

I Fully Homomorphic Encryption [Gen09] Complexity of Calculation

These MPC applications are orders of magnitude more complex than any prior applications The Double Integral

After projecting into the encounter plane, we must compute the double integral

√ Z R Z R2−x2 " " 2 2## 1 −1 x − xm y − ym P = √ exp + dydx. 2πσx σy −R − R2−x2 2 σx σy

xm, ym, σx , σy , R are values that depend on both users’s inputs. Outline of Alfano’s Method

Convert the double integral √ Z R Z R2−x2 " " 2 2## 1 −1 x − xm y − ym P = √ exp + dydx. 2πσx σy −R − R2−x2 2 σx σy

to the single integral

" √ ! √ !# 1 Z R y + R2 − x2 −y + R2 − x2 −(x + x )2 √ m √ m √ m P = erf + erf exp 2 dx 8πσx −R 2σy 2σy 2σx

Where erf(·) is the error function

z 2 Z 2 erf(z) = √ e−t dt π 0 The Error Function erf(·)

Z x 2 −t2 f (x) erf(x) = √ e dt π 0

f (x) = erf(x)

x Approximating the single integral

We want to approximate the single integral that depends on erf(·) and exp(·)

I Taylor expand erf(·) as

∞ 2 X (−1)nx2n+1 erf x = √ , π n!(2n + 1) n=0 which, by [CR08] has error

N 2 X (−1)nx2n+1 2 x2N+1 erf x − √ ≤ √ . π n!(2n + 1) π N!(2N + 1) n=0

x P∞ xn I Taylor expand exp(·) as e = n=0 n! I Use Simpson’s rule to approximate the integral Simpson’s Rule Simpson’s rule says:

Z b ∆x f (x)dx ≈ (f (a)+4f (a+∆x)+2f (a+2∆x)+4f (a+3∆x)+···+4f (b−∆x)+f (b)) a 3 In our situation, this is:

" n n−1 # Z R ∆x X X f (x)dx ≈ f (0) + f (R) + 4f (x ) + 2f (x )] 3 2i−1 2i 0 i=1 i=1

where ∆x = R/2n, and xi = i∆x. The integrand is: " √ ! √ !# y + R2 − x2 −y + R2 − x2 f (x) = erf m √ + erf m √ · 2σy 2σy 2 2 −(x + xm) −(−x + xm) exp 2 + exp 2 2σx 2σx Diﬃculties in Secure Computation

I Securely computing this function raises many techical challenges

I What is the most “MPC-friendly” circuit for this function? Problem: Taylor Approximations fare poorly

1.0e+10

50 (−1)nx2n+1 X erf(x) − ±5 5 n!(2n + 1) x n=0

1.0e±10

This shows the absolute error between erf and its 50 term Taylor expansion on a logarithmic scale This is very accurate, but it requires comparisons

Using Taylor Expansion in a Window

Possible Solution

I If |x| < 5 use 100 term Taylor expansion

I If x > 5 return 1

I If x < −5 return −1 Using Taylor Expansion in a Window

Possible Solution

I If |x| < 5 use 100 term Taylor expansion

I If x > 5 return 1

I If x < −5 return −1 This is very accurate, but it requires comparisons Approximating Erf

1 erf(x) ≈ 1 − 2 3 4 5 6 16 (1 + a1x + a2x + a3x + a4x + a5x + a6x ) Where

a1 = .3275911 a4 = .0001520143 a2 = .254829592 a5 = .0002765672 a3 = .0092705272 a6 = .0000430638

When x > 0. This has an absolute error less than 10−7 across the entire range [AS65]. Adapting Calculations

Problem:

I Taylor approximations are only accurate in certain windows

I Secure comparison gates are ineﬃcient

I Redesign calculation to avoid branching

I Similar problems come up in many natural calculations

I The most eﬃcient insecure calculation may not create the most eﬃcient secure calculation x Set z = R . " √ ! √ !# R Z 1 y + R 1 − z2 −y + R 1 − z2 −(Rz + x )2 √ m √ m √ m P = erf + erf exp 2 dz 8πσx −1 2σy 2σy 2σx

I Now square roots are only calculated on public values!

I Big performance gains in the secure setting (no gains in the public setting)

Changing Variables

" √ ! √ !# 1 Z R y + R2 − x2 −y + R2 − x2 −(x + x )2 √ m √ m √ m P = erf + erf exp 2 dx 8πσx −R 2σy 2σy 2σx √ each term in sum requires calculating R2 − x 2 where R, x are secret Changing Variables

" √ ! √ !# 1 Z R y + R2 − x2 −y + R2 − x2 −(x + x )2 √ m √ m √ m P = erf + erf exp 2 dx 8πσx −R 2σy 2σy 2σx √ each term in sum requires calculating R2 − x 2 where R, x are secret

x Set z = R . " √ ! √ !# R Z 1 y + R 1 − z2 −y + R 1 − z2 −(Rz + x )2 √ m √ m √ m P = erf + erf exp 2 dz 8πσx −1 2σy 2σy 2σx

I Now square roots are only calculated on public values!

I Big performance gains in the secure setting (no gains in the public setting) Summary

I This project is still ongoing

I We are developing new theoretical cryptographic tools based on the problems that arise as part of this project

I We are continuing to optimize our calculations to improve the performance of this speciﬁc use-case Other Applications of MPC DARPA program

I DARPA is developing four applications of MPC

I Numerical Analysis: Secure Conjunction Analysis I Text Processing: Secure spam ﬁlter I Signal Processing: Secure voice processing I Graph Algorithms: Secure mapping Introduction

Oblivious Transfer

Circuit Garbling

Secure Computation from Secret Sharing

Applications of MPC The Satellite Problem Conjunction Analysis: Overview Speciﬁc Calculations Integration Doing The Computation Securely

Extras Cryptographic Assumptions Constructing Oblivious Transfer Introduction

Oblivious Transfer

Circuit Garbling

Secure Computation from Secret Sharing

Applications of MPC The Satellite Problem Conjunction Analysis: Overview Speciﬁc Calculations Integration Doing The Computation Securely

Extras Cryptographic Assumptions Constructing Oblivious Transfer I If G = Zp (the additive group) then the discrete-log problem is easy in G. ∗ I If G = ZP (the multiplicative group) then the discrete-log problem is assumed to be hard. (“hard” means no probabilistic polynomial-time algorithm exists to solve it) I If G is the group of points of ﬁnite order on a suitable chosen elliptic curve, then the discrete-log problem is assumed to be hard.

The Discrete Log Problem

Definition (Discrete-Log Problem) Let G be a cyclic group of order N generated by g. Thus 0 1 N−1 G = {g , g ,..., g }. If k ←$ N, then finding k given (g, g k ) is called the discrete-log problem in G. I If G = Zp (the additive group) then the discrete-log problem is easy in G. ∗ I If G = ZP (the multiplicative group) then the discrete-log problem is assumed to be hard. (“hard” means no probabilistic polynomial-time algorithm exists to solve it) I If G is the group of points of finite order on a suitable chosen elliptic curve, then the discrete-log problem is assumed to be hard.

The Discrete Log Problem

I If G = Zp (the additive group) then the discrete-log problem is easy in G. ∗ I If G = ZP (the multiplicative group) then the discrete-log problem is assumed to be hard. (“hard” means no probabilistic polynomial-time algorithm exists to solve it) I If G is the group of points of ﬁnite order on a suitable chosen elliptic curve, then the discrete-log problem is assumed to be hard. I If G = Zp (the additive group) then the CDH problem is easy in G. ∗ I If G = ZP (the multiplicative group) then the CDH problem is assumed to be hard. I If G is the group of points of ﬁnite order on a suitable chosen elliptic curve, then the CDH problem is assumed to be hard.

The Computational Diﬃe-Hellman (CDH) Problem

Definition (Computational Diffie-Hellman Problem) Let G be a cyclic group of order N generated by g. Thus 0 1 N−1 G = {g , g ,..., g }. If a, b ←$ N, then finding g ab given (g, g a, g b) is called the Computational Diffie-Hellman problem in G. I If G = Zp (the additive group) then the CDH problem is easy in G. ∗ I If G = ZP (the multiplicative group) then the CDH problem is assumed to be hard. I If G is the group of points of finite order on a suitable chosen elliptic curve, then the CDH problem is assumed to be hard.

The Computational Diﬃe-Hellman (CDH) Problem

I If G = Zp (the additive group) then the CDH problem is easy in G. ∗ I If G = ZP (the multiplicative group) then the CDH problem is assumed to be hard. I If G is the group of points of finite order on a suitable chosen elliptic curve, then the CDH problem is assumed to be hard. I If G = Zp (the additive group) then the DDH problem is easy in G. ∗ I If G = ZP (the multiplicative group) then the DDH problem is assumed to be hard. I If G is the group of points of finite order on a suitable chosen elliptic curve, then the DDH problem is assumed to be hard. I If G is the group of points of finite order on an elliptic curve with a pairing the DDH problem is easy

The Decisional Diﬃe-Hellman (DDH) Problem

Definition (The Decisional Diffie-Hellman (DDH) Problem) Let G be a cyclic group of order N generated by g. Thus 0 1 N−1 G = {g , g ,..., g }. If a, b, c ←$ N, then distinguishing (g, g a, g b, g ab) from a b c (g, g , g , g ) is called the Decisional Diffie-Hellman problem in G. I If G = Zp (the additive group) then the DDH problem is easy in G. ∗ I If G = ZP (the multiplicative group) then the DDH problem is assumed to be hard. I If G is the group of points of finite order on a suitable chosen elliptic curve, then the DDH problem is assumed to be hard. I If G is the group of points of finite order on an elliptic curve with a pairing the DDH problem is easy

The Decisional Diﬃe-Hellman (DDH) Problem

I If G = Zp (the additive group) then the DDH problem is easy in G. ∗ I If G = ZP (the multiplicative group) then the DDH problem is assumed to be hard. I If G is the group of points of ﬁnite order on a suitable chosen elliptic curve, then the DDH problem is assumed to be hard. I If G is the group of points of ﬁnite order on an elliptic curve with a pairing the DDH problem is easy DDH is easy in elliptic curve groups If DL is hard, then with a bilinear usually CDH is hard pairing, but CDH is [MW99] assumed to be hard in those groups

Discrete-Log Type Problems

The Computational The Decisional The Discrete-Log Diﬃe-Hellman Diﬃe-Hellman problem is hard in G (CDH) problem is (DDH) problem is hard in G hard in G If DL is hard, then usually CDH is hard [MW99]

Discrete-Log Type Problems

The Computational The Decisional The Discrete-Log Diﬃe-Hellman Diﬃe-Hellman problem is hard in G (CDH) problem is (DDH) problem is hard in G hard in G

DDH is easy in elliptic curve groups with a bilinear pairing, but CDH is assumed to be hard in those groups Discrete-Log Type Problems

The Computational The Decisional The Discrete-Log Diﬃe-Hellman Diﬃe-Hellman problem is hard in G (CDH) problem is (DDH) problem is hard in G hard in G

DDH is easy in elliptic curve groups If DL is hard, then with a bilinear usually CDH is hard pairing, but CDH is [MW99] assumed to be hard in those groups Quadratic Residues

Deﬁnition An element y ∈ ZN is called a quadratic residue modulo N if there 2 exists an x ∈ ZN such that x = y mod N. Legendre Symbol

Deﬁnition (Legendre Symbol) ∗ If p is a prime and x ∈ Zp, then

x 1 if x is a quadratic residue modulo p = p −1 if x is not a quadratic residue modulo p

The Gauss’s law of quadratic reciprocity gives an eﬃcient method for calculating the Legendre symbol. Jacobi Symbol

Deﬁnition (Jacobi Symbol)

e1 er ∗ If N = p1 ··· pr is a positive integer and x ∈ ZN , then x x e1 x er = ··· N p1 pr

I Gauss’s law of quadratic reciprocity gives an eﬃcient method for calculating the Jacobi symbol x I If N = −1 then x is not a quadratic residue modulo N x I If N = 1 then x may or may not be a quadratic residue modulo N The Quadratic Residuosity Problem

Deﬁnition (The Quadratic Residuosity (QR) Problem) ∗ Let N = pq, then given a random element y ∈ ZN such that y N = 1, determining if y is a quadratic residue, i.e., determining if there exists an x such that x2 = y mod N is called the quadratic residuosity problem.

y y y I Recall: N = p q y I if N = −1, then y is not a quadratic residue modulo N y y y I if N = 1, then p = q y I Given the factorization of N, it is easy to calculate p and y q . Using only generic ring operations [JS08]

Quadratic Residuosity Problem

The quadratic Factoring is hard residuosity problem is hard Quadratic Residuosity Problem

The quadratic Factoring is hard residuosity problem is hard

Using only generic ring operations [JS08] Introduction

Oblivious Transfer

Circuit Garbling

Secure Computation from Secret Sharing

Applications of MPC The Satellite Problem Conjunction Analysis: Overview Speciﬁc Calculations Integration Doing The Computation Securely

Extras Cryptographic Assumptions Constructing Oblivious Transfer Receiver Sender

x0 ⊕ x1 r OT a r ⊕ b

m m = x0 + a xb = r ⊕ m

Oblivious Transfer is Symmetric Reversing OT [WW06]

Sender Receiver b x0

xb OT

m m = x0 + a xb = r ⊕ m

Oblivious Transfer is Symmetric Reversing OT [WW06]

Sender Receiver b x0 Receiver Sender x1

x0 ⊕ x1 r OT a r ⊕ b

xb OT

xb = r ⊕ m

Oblivious Transfer is Symmetric Reversing OT [WW06]

Sender Receiver b x0 Receiver Sender x1

x0 ⊕ x1 r OT a r ⊕ b

m m = x0 + a xb OT

Oblivious Transfer is Symmetric Reversing OT [WW06]

Sender Receiver b x0 Receiver Sender x1

x0 ⊕ x1 r OT a r ⊕ b

m m = x0 + a xb = r ⊕ m xb   N = pq  g0, g1, N  $ gb ← QNR(N)  $  g1−b ← QR(N) $ ) ri ← ZN (y0, y1) 2 xi yi = ri gi mod N

xb = 1 iﬀ yb ∈ QNR(N)

OT From The Quadratic Residuosity (QR) Assumption

n x o QR(N) = x2 mod N : x ∈ ∗ ≈ x ∈ ∗ : = 1 = QNR(N) ZN c ZN N

x0, x1 b

Sender Receiver $ ) ri ← ZN (y0, y1) 2 xi yi = ri gi mod N

xb = 1 iﬀ yb ∈ QNR(N)

OT From The Quadratic Residuosity (QR) Assumption

n x o QR(N) = x2 mod N : x ∈ ∗ ≈ x ∈ ∗ : = 1 = QNR(N) ZN c ZN N

x0, x1 b

Sender Receiver   N = pq  g0, g1, N  $ gb ← QNR(N)  $  g1−b ← QR(N) xb = 1 iﬀ yb ∈ QNR(N)

OT From The Quadratic Residuosity (QR) Assumption

n x o QR(N) = x2 mod N : x ∈ ∗ ≈ x ∈ ∗ : = 1 = QNR(N) ZN c ZN N

x0, x1 b

Sender Receiver   N = pq  g0, g1, N  $ gb ← QNR(N)  $  g1−b ← QR(N) $ ) ri ← ZN (y0, y1) 2 xi yi = ri gi mod N OT From The Quadratic Residuosity (QR) Assumption

n x o QR(N) = x2 mod N : x ∈ ∗ ≈ x ∈ ∗ : = 1 = QNR(N) ZN c ZN N

x0, x1 b

Sender Receiver   N = pq  g0, g1, N  $ gb ← QNR(N)  $  g1−b ← QR(N) $ ) ri ← ZN (y0, y1) 2 xi yi = ri gi mod N

xb = 1 iﬀ yb ∈ QNR(N) −1 $  f , f ← F  (f , r) $ r ← {0, 1}n   w ←$ {0, 1}n  (y0, y1)  yb = f (w)  $  y ← {0, 1}n −1  1−b z0 = f (y ) 0  −1  z1 = f (y1)  (c0, c1) c = x ⊕ hr, z i 0 0 0   c1 = x1 ⊕ hr, z1i 

xb = hw, ri ⊕ cb

OT From Trapdoor Permutations

F is a family of trapdoor permutations from {0, 1}n to {0, 1}n

x0, x1 b

Sender Receiver  w ←$ {0, 1}n  (y0, y1)  yb = f (w)  $  y ← {0, 1}n −1  1−b z0 = f (y ) 0  −1  z1 = f (y1)  (c0, c1) c = x ⊕ hr, z i 0 0 0   c1 = x1 ⊕ hr, z1i 

xb = hw, ri ⊕ cb

OT From Trapdoor Permutations

F is a family of trapdoor permutations from {0, 1}n to {0, 1}n

x0, x1 b

Sender Receiver −1 $  f , f ← F  (f , r) $ r ← {0, 1}n  −1  z0 = f (y ) 0  −1  z1 = f (y1)  (c0, c1) c = x ⊕ hr, z i 0 0 0   c1 = x1 ⊕ hr, z1i 

xb = hw, ri ⊕ cb

OT From Trapdoor Permutations

F is a family of trapdoor permutations from {0, 1}n to {0, 1}n

x0, x1 b

Sender Receiver −1 $  f , f ← F  (f , r) $ r ← {0, 1}n   w ←$ {0, 1}n  (y0, y1)  yb = f (w)  $ n  y1−b ← {0, 1} xb = hw, ri ⊕ cb

OT From Trapdoor Permutations

F is a family of trapdoor permutations from {0, 1}n to {0, 1}n

x0, x1 b

Sender Receiver −1 $  f , f ← F  (f , r) $ r ← {0, 1}n   w ←$ {0, 1}n  (y0, y1)  yb = f (w)  $  y ← {0, 1}n −1  1−b z0 = f (y ) 0  −1  z1 = f (y1)  (c0, c1) c = x ⊕ hr, z i 0 0 0   c1 = x1 ⊕ hr, z1i  OT From Trapdoor Permutations

F is a family of trapdoor permutations from {0, 1}n to {0, 1}n

x0, x1 b

Sender Receiver −1 $  f , f ← F  (f , r) $ r ← {0, 1}n   w ←$ {0, 1}n  (y0, y1)  yb = f (w)  $  y ← {0, 1}n −1  1−b z0 = f (y ) 0  −1  z1 = f (y1)  (c0, c1) c = x ⊕ hr, z i 0 0 0   c1 = x1 ⊕ hr, z1i 

xb = hw, ri ⊕ cb  w ←$ [| |]  G (β0, γ0), (β1, γ1)  w w (βb, γb) = (g1 , g2 )  $  (β1−b, γ1−b) = (r1, r2) k0, k1 ← [|G|]   k0 k1  α = g0 · g1 mod p  (y0, y1) k0 k1 s0 y0 = β0 · γ0 · g0   k0 k1 s1  y1 = β1 · γ1 · g0  −w xb = 1 iﬀ yb · α = g

OT From The DDH Assumption From Universal Hash Proofs [HK07]

k0 k1 k k (g0, g1, g0 , g1 ) ≈c (g0, g1, g0 , g1 )

x0, x1 b

Sender Receiver $  k0, k1 ← [|G|]   k0 k1  α = g0 · g1 mod p  (y0, y1) k0 k1 s0 y0 = β0 · γ0 · g0   k0 k1 s1  y1 = β1 · γ1 · g0  −w xb = 1 iﬀ yb · α = g

OT From The DDH Assumption From Universal Hash Proofs [HK07]

k0 k1 k k (g0, g1, g0 , g1 ) ≈c (g0, g1, g0 , g1 )

x0, x1 b

Sender Receiver

 w ←$ [| |]  G (β0, γ0), (β1, γ1)  w w (βb, γb) = (g1 , g2 )   (β1−b, γ1−b) = (r1, r2) −w xb = 1 iﬀ yb · α = g

OT From The DDH Assumption From Universal Hash Proofs [HK07]

k0 k1 k k (g0, g1, g0 , g1 ) ≈c (g0, g1, g0 , g1 )

x0, x1 b

Sender Receiver

 w ←$ [| |]  G (β0, γ0), (β1, γ1)  w w (βb, γb) = (g1 , g2 )  $  (β1−b, γ1−b) = (r1, r2) k0, k1 ← [|G|]   k0 k1  α = g0 · g1 mod p  (y0, y1) k0 k1 s0 y0 = β0 · γ0 · g0   k0 k1 s1  y1 = β1 · γ1 · g0  OT From The DDH Assumption From Universal Hash Proofs [HK07]

k0 k1 k k (g0, g1, g0 , g1 ) ≈c (g0, g1, g0 , g1 )

x0, x1 b

Sender Receiver

 w ←$ [| |]  G (β0, γ0), (β1, γ1)  w w (βb, γb) = (g1 , g2 )  $  (β1−b, γ1−b) = (r1, r2) k0, k1 ← [|G|]   k0 k1  α = g0 · g1 mod p  (y0, y1) k0 k1 s0 y0 = β0 · γ0 · g0   k0 k1 s1  y1 = β1 · γ1 · g0  −w xb = 1 iﬀ yb · α = g String OT

Sender Receiver

(x ,..., x ) 1,0 m,0 m (b1,..., bm) OT` (x1,1,..., xm,1) (x1,b1 ,..., xm,bm )

I Sender has 2m strings of length `

I Receiver chooses m of them Receiver Sender

s ,..., s m 1 λ This method1 of OTλ ` requires: (t ,..., t ) λ OTm λ λ I OT i (we will have m λ) (t1 ⊕ r,..., tλ ⊕ r) t m⊕ (si · r) i=1 I m  calls      to the      Random   Oracle (in practice: AES) 2`m bits of communication I Q ∈ {0, 1}m×λ m {yj,0, yj,1}j=1 Beneﬁt:yj,0 = reducesxj,0 + fj ( theqj ) number of public-key operationsxj,rj = yj since,rj ⊕ fλj (tj ) m. yj,1 = xj,1 + fj (qj ⊕ s)

Receiver generates a random m × λ matrix Receiver’s real input r is blinded by columns ti      | || |  − (−s · r1t)1 + t−1 − − q1 − 1 T = t1 ···λ tλ  =  ..    .  Q =  (s1 · r) + t ··· (sk· r) + t  =   ..   =  .  | | | | − (s−· rmt)m + t−m − − qm −

Sender generatesIf riλ=random 0 then bitsqi =s1ti,..., sλ Sender’s real input {xi,j } is blinded by hashes of rows of Q If ri = 1 then qi = ti + s

The [IKNP03] Extension Protocol m λ OT` from OTm

λ m fj (·) are random oracle hash funtions fj : {0, 1} → {0, 1}

Sender Receiver

r = (r1,..., rm) (x1,0,..., xm,0)

(x1,1,..., xm,1)

x1,r1 ,..., xm,rm s ,..., s m 1 λ This method1 of OTλ ` requires: (t ,..., t )

λ λ I OT i (we will have m λ) (t1 ⊕ r,..., tλ ⊕ r) t m⊕ (si · r) i=1 I m  calls      to the      Random   OracleOT (in practice: AES) 2`m bits of communication I Q ∈ {0, 1}m×λ m {yj,0, yj,1}j=1 Beneﬁt:yj,0 = reducesxj,0 + fj ( theqj ) number of public-key operationsxj,rj = yj since,rj ⊕ fλj (tj ) m. yj,1 = xj,1 + fj (qj ⊕ s)

Receiver’s real input r is blinded by columns ti     | |  − (s · r1) + t1 − − q1 − 1 λ  .   .  Q =  (s1 · r) + t ··· (sk · r) + t  =  .  =  .  | | − (s · rm) + tm − − qm −

If ri = 0 then qi = ti Sender’s real input {xi,j } is blinded by hashes of rows of Q If ri = 1 then qi = ti + s

The [IKNP03] Extension Protocol m λ OT` from OTm

λ m fj (·) are random oracle hash funtions fj : {0, 1} → {0, 1}

Sender Receiver

Receiver Sender r = (r1,..., rm) (x1,0,..., xm,0)

(x ,..., x ) λ 1,1 m,1 OTm

x1,r1 ,..., xm,rm

Receiver generates a random m × λ matrix    | |  − t1 − 1 λ  .  T =  t ··· t  =  .  | | − tm −

Sender generates λ random bits s1,..., sλ m This method of OT` requires:

λ λ I OT i (we will have m λ) t m⊕ (si · r) i=1 I m  calls      to the      Random   OracleOT (in practice: AES) 2`m bits of communication I Q ∈ {0, 1}m×λ m {yj,0, yj,1}j=1 Beneﬁt:yj,0 = reducesxj,0 + fj ( theqj ) number of public-key operationsxj,rj = yj since,rj ⊕ fλj (tj ) m. yj,1 = xj,1 + fj (qj ⊕ s)

Receiver generates a random m × λ matrix        | || |  − (−s · r1t)1 + t−1 − − q1 − 1 T = t1 ···λ tλ  =  ..    .  Q =  (s1 · r) + t ··· (sk· r) + t  =   ..   =  .  | | | | − (s−· rmt)m + t−m − − qm −

Sender generatesIf riλ=random 0 then bitsqi =s1ti,..., sλ Sender’s real input {xi,j } is blinded by hashes of rows of Q If ri = 1 then qi = ti + s

The [IKNP03] Extension Protocol m λ OT` from OTm

λ m fj (·) are random oracle hash funtions fj : {0, 1} → {0, 1}

Sender Receiver

Receiver Sender r = (r1,..., rm) (x1,0,..., xm,0) s1,..., sλ (t1,..., tλ) (x ,..., x ) λ 1,1 m,1 OTm (t1 ⊕ r,..., tλ ⊕ r)

x1,r1 ,..., xm,rm

Receiver’s real input r is blinded by columns ti m This method of OT` requires:

λ I OTm (we will have m λ)

I m  calls      to the      Random   OracleOT (in practice: AES) 2`m bits of communication I Q ∈ {0, 1}m×λ m {yj,0, yj,1}j=1 Beneﬁt:yj,0 = reducesxj,0 + fj ( theqj ) number of public-key operationsxj,rj = yj since,rj ⊕ fλj (tj ) m. yj,1 = xj,1 + fj (qj ⊕ s)

Sender generatesIf riλ=random 0 then bitsqi =s1ti,..., sλ Sender’s real input {xi,j } is blinded by hashes of rows of Q If ri = 1 then qi = ti + s

The [IKNP03] Extension Protocol m λ OT` from OTm

λ m fj (·) are random oracle hash funtions fj : {0, 1} → {0, 1}

Sender Receiver

Receiver Sender r = (r1,..., rm) (x1,0,..., xm,0) s1,..., sλ (t1,..., tλ) (x ,..., x ) λ 1,1 m,1 OTm i λ (t1 ⊕ r,..., tλ ⊕ r) t ⊕ (si · r) i=1

x1,r1 ,..., xm,rm m This method of OT` requires:

λ I OTm (we will have m λ) I m calls to the Random OracleOT (in practice: AES) I 2`m bits of communication m {yj,0, yj,1}j=1 Beneﬁt:yj,0 = reducesxj,0 + fj ( theqj ) number of public-key operationsxj,rj = yj since,rj ⊕ fλj (tj ) m. yj,1 = xj,1 + fj (qj ⊕ s)

Receiver generates a random m × λ matrix Receiver’s real input r is blinded by columns ti   | |  − t1 − 1 λ  .  T =  t ··· t  =  .  | | − tm −

Sender generatesIf riλ=random 0 then bitsqi =s1ti,..., sλ Sender’s real input {xi,j } is blinded by hashes of rows of Q If ri = 1 then qi = ti + s

The [IKNP03] Extension Protocol m λ OT` from OTm

λ m fj (·) are random oracle hash funtions fj : {0, 1} → {0, 1}

Sender Receiver

Receiver Sender r = (r1,..., rm) (x1,0,..., xm,0) s1,..., sλ (t1,..., tλ) (x ,..., x ) λ 1,1 m,1 OTm i λ (t1 ⊕ r,..., tλ ⊕ r) t ⊕ (si · r) i=1                 

Q ∈ {0, 1}m×λ

x1,r1 ,..., xm,rm

     | |  − (s · r1) + t1 − − q1 − 1 λ  .   .  Q =  (s1 · r) + t ··· (sk · r) + t  =  .  =  .  | | − (s · rm) + tm − − qm − m This method of OT` requires:

λ I OTm (we will have m λ) I m calls to the Random OracleOT (in practice: AES) I 2`m bits of communication

Beneﬁt: reduces the number of public-key operationsxj,rj = yj since,rj ⊕ fλj (tj ) m.

Receiver generates a random m × λ matrix Receiver’s real input r is blinded by columns ti   | |  − t1 − 1 λ  .  T =  t ··· t  =  .  | | − tm −

Sender generatesIf riλ=random 0 then bitsqi =s1ti,..., sλ Sender’s real input {xi,j } is blinded by hashes of rows of Q If ri = 1 then qi = ti + s

The [IKNP03] Extension Protocol m λ OT` from OTm

λ m fj (·) are random oracle hash funtions fj : {0, 1} → {0, 1}

Sender Receiver

Q ∈ {0, 1}m×λ m {yj,0, yj,1}j=1 yj,0 = xj,0 + fj (qj )

yj,1 = xj,1 + fj (qj ⊕ s) x1,r1 ,..., xm,rm

λ I OTm (we will have m λ) I m calls to the Random OracleOT (in practice: AES) I 2`m bits of communication

Beneﬁt: reduces the number of public-key operations since λ m.

Receiver generates a random m × λ matrix Receiver’s real input r is blinded by columns ti   | |  − t1 − 1 λ  .  T =  t ··· t  =  .  | | − tm −

Sender generatesIf riλ=random 0 then bitsqi =s1ti,..., sλ Sender’s real input {xi,j } is blinded by hashes of rows of Q If ri = 1 then qi = ti + s

The [IKNP03] Extension Protocol m λ OT` from OTm

λ m fj (·) are random oracle hash funtions fj : {0, 1} → {0, 1}

Sender Receiver

Q ∈ {0, 1}m×λ m {yj,0, yj,1}j=1 yj,0 = xj,0 + fj (qj ) xj,rj = yj,rj ⊕ fj (tj ) yj,1 = xj,1 + fj (qj ⊕ s) x1,r1 ,..., xm,rm

λ I OTm (we will have m λ) I m calls to the Random OracleOT (in practice: AES) I 2`m bits of communication

Beneﬁt: reduces the number of public-key operations since λ m.

Receiver generates a random m × λ matrix Receiver’s real input r is blinded by columns ti   | |  − t1 − 1 λ  .  T =  t ··· t  =  .  | | − tm −

Sender generatesIf riλ=random 0 then bitsqi =s1ti,..., sλ If ri = 1 then qi = ti + s

The [IKNP03] Extension Protocol m λ OT` from OTm

λ m fj (·) are random oracle hash funtions fj : {0, 1} → {0, 1}

Sender Receiver

Q ∈ {0, 1}m×λ m {yj,0, yj,1}j=1 yj,0 = xj,0 + fj (qj ) xj,rj = yj,rj ⊕ fj (tj ) yj,1 = xj,1 + fj (qj ⊕ s) x1,r1 ,..., xm,rm

     | |  − (s · r1) + t1 − − q1 − 1 λ  .   .  Q =  (s1 · r) + t ··· (sk · r) + t  =  .  =  .  | | − (s · rm) + tm − − qm −

Sender’s real input {xi,j } is blinded by hashes of rows of Q m This method of OT` requires:

λ I OTm (we will have m λ) I m calls to the Random OracleOT (in practice: AES) I 2`m bits of communication

Beneﬁt: reduces the number of public-key operations since λ m.

Receiver generates a random m × λ matrix Receiver’s real input r is blinded by columns ti   | |  − t1 − 1 λ  .  T =  t ··· t  =  .  | | − tm −

Sender generates λ random bits s1,..., sλ Sender’s real input {xi,j } is blinded by hashes of rows of Q

The [IKNP03] Extension Protocol m λ OT` from OTm

λ m fj (·) are random oracle hash funtions fj : {0, 1} → {0, 1}

Sender Receiver

Q ∈ {0, 1}m×λ m {yj,0, yj,1}j=1 yj,0 = xj,0 + fj (qj ) xj,rj = yj,rj ⊕ fj (tj ) yj,1 = xj,1 + fj (qj ⊕ s) x1,r1 ,..., xm,rm

     | |  − (s · r1) + t1 − − q1 − 1 λ  .   .  Q =  (s1 · r) + t ··· (sk · r) + t  =  .  =  .  | | − (s · rm) + tm − − qm −

If ri = 0 then qi = ti If ri = 1 then qi = ti + s OT

Receiver generates a random m × λ matrix Receiver’s real input r is blinded by columns ti   | |  − t1 − 1 λ  .  T =  t ··· t  =  .  | | − tm −

Sender generatesIf riλ=random 0 then bitsqi =s1ti,..., sλ Sender’s real input {xi,j } is blinded by hashes of rows of Q If ri = 1 then qi = ti + s

The [IKNP03] Extension Protocol m λ OT` from OTm

λ m fj (·) are random oracle hash funtions fj : {0, 1} → {0, 1}

Sender Receiver

Receiver Sender r = (r1,..., rm) (x1,0,..., xm,0) s ,..., s m 1 λ This method1 of OTλ ` requires: (t ,..., t ) (x ,..., x ) λ 1,1 m,1 OTm λ λ I OT i (we will have m λ) (t1 ⊕ r,..., tλ ⊕ r) t m⊕ (si · r) i=1 I m  calls      to the      Random   Oracle (in practice: AES) 2`m bits of communication I Q ∈ {0, 1}m×λ m {yj,0, yj,1}j=1 Beneﬁt:yj,0 = reducesxj,0 + fj ( theqj ) number of public-key operationsxj,rj = yj since,rj ⊕ fλj (tj ) m. yj,1 = xj,1 + fj (qj ⊕ s) x1,r1 ,..., xm,rm

     | |  − (s · r1) + t1 − − q1 − 1 λ  .   .  Q =  (s1 · r) + t ··· (sk · r) + t  =  .  =  .  | | − (s · rm) + tm − − qm − 1-out-of-n OT solves the Millionaire’s Problem

I Alice and Bob agree on an interval width w (w could be $1)

I For i = 0,..., n − 1, Alice sets

1 if w · i < a x = i 0 if w · i ≥ a

where a is Alice’s (private) wealth ∗ ∗ ∗ I Bob chooses the index i so that w · i ≤ b < w · (i + 1) where b is Bob’s private wealth n I Alice and Bob engage in a 1 -OT with Alice’s inputs as xi and Bob’s input i ∗

I Bob receives a 1 if a > b + w 0 x0 1 w x1 1 b 2w x2 1

a 1

0 (n − 1)w xn−1 0 nw

1-out-of-n OT solves the Millionaire’s Problem

(n − 1)w

nw 0 x0 1 w x1 1 b 2w x2 1

0 (n − 1)w xn−1 0 nw

1-out-of-n OT solves the Millionaire’s Problem

(n − 1)w

nw 0 x0 w x1 b 2w x2

(n − 1)w xn−1 nw

1-out-of-n OT solves the Millionaire’s Problem

0 1 w 1 2w 1

a 1

0 (n − 1)w 0 nw 0 0

w w b 2w 2w

(n − 1)w (n − 1)w

nw nw

1-out-of-n OT solves the Millionaire’s Problem

x0 1

x1 1

x2 1

xn−1 0 0

w b 2w

(n − 1)w

1-out-of-n OT solves the Millionaire’s Problem

0 x0 1 w x1 1 2w x2 1

0 (n − 1)w xn−1 0 nw 0

(n − 1)w

1-out-of-n OT solves the Millionaire’s Problem

0 x0 1 w x1 1 b 2w x2 1

0 (n − 1)w xn−1 0 nw ReferencesI

Ben Adida. Helios: Web-based open-audit voting. In USENIX ’08, pages 335–348, June 2008. Benny Applebaum, Yuval Ishai, and Eyal Kushilevitz. How to Garble Arithmetic Circuits. In FOCS ’11, May 2012. Salvatore Alfano. Review of Conjunction Probability Methods for Short-term Encounters. In Proceedings of the AAS/AIAA Space Flight Mechanics Meeting, February 2007. Milton Abramowitz and Irene A. Stegun, editors. Handbook of Mathematical Functions with Formulas, Graphs, and Mathematical Tables. Dover, 1965. ReferencesII

Peter Bogetoft, Dan L. Christensen, Ivan Damg˚ard,Martin Geisler, Thomas Jakobsen, Mikkel Krøigaard, Janus D. Nielsen, Jesper B. Nielsen, Kurt Nielsen, Jakob Pagter, Michael Schwartzbach, and Tomas Toft. Multiparty Computation Goes Live. Cryptology ePrint Archive, Report 2008/068, 2008. Michael Ben-Or, Shaﬁ Goldwasser, and Avi Wigderson. Completeness theorems for non-cryptographic fault-tolerant distributed computation. In STOC, STOC ’88, pages 1–10, New York, NY, USA, 1988. ACM. ReferencesIII

Richard Carback, David Chaum, Jeremy Clark, John Conway, Aleksander Essex, Paul S. Herrnson, Travis Mayberry, Stefan Popoveniuc, Ronald L. Rivest, Emily Shen, Alan T. Sherman, and Poorvi L. Vora. Scantegrity II municipal election at Takoma Park: the first E2E binding governmental election with ballot privacy. In Proceedings of the 19th USENIX conference on Security, USENIX Security’10, page 19, Berkeley, CA, USA, 2010. USENIX Association. David Chaum, Claude Crépeau, and Ivan Damg˚ard. Multiparty Unconditionally Secure Protocols. In STOC, pages 11–19, 1988. Tiffany Chow. SSA sharing program swf issue brief. Technical report, Secure World Foundation, November 2010. ReferencesIV

Giovanni D. Crescenzo, Tal Malkin, and Rafail Ostrovsky. Single Database Private Information Retrieval Implies Oblivious Transfer. In Eurocrypt ’00, volume 1807 of Lecture Notes in Computer Science, pages 122–138. Springer Berlin / Heidelberg, 2000. Jan Camenisch, Gregory Neven, and Abhi Shelat. Simulatable Adaptive Oblivious Transfer. In Proceedings of the 26th annual international conference on Advances in Cryptology, EUROCRYPT ’07, pages 573–590, Berlin, Heidelberg, 2007. Springer-Verlag. ReferencesV

Sylvain Chevillard and Nathalie Revol. Computation of the error function erf in arbitrary precision with correct rounding. In J. D. Bruguera and M. Daumas, editors, In RNC 8, the 8th Conference on Real Numbers and Computers, pages 27–36, July 2008. Claude Cr´epeau. Equivalence Between Two Flavours of Oblivious Transfers. In A Conference on the Theory and Applications of Cryptographic Techniques on Advances in Cryptology, CRYPTO ’87, pages 350–354, London, UK, UK, 1988. Springer-Verlag. Shimon Even, Oded Goldreich, and Abraham Lempel. A randomized protocol for signing contracts. Communications of the ACM, 28(6):637–647, 1985. ReferencesVI

Jeﬀ Foust. A new eye in the sky to keep an eye on the sky. The Space Review, Monday May 10th, 2010, May 2010. Craig Gentry. Fully homomorphic encryption using ideal lattices. In Proceedings of the 41st annual ACM symposium on Theory of computing, STOC ’09, pages 169–178, New York, NY, USA, 2009. ACM. Matthew Green and Susan Hohenberger. Blind Identity-Based Encryption and Simulatable Oblivious Transfer Advances in Cryptology ASIACRYPT 2007. In Kaoru Kurosawa, editor, Advances in Cryptology ASIACRYPT 2007, volume 4833 of Lecture Notes in Computer Science, chapter 16, pages 265–282. Springer Berlin / Heidelberg, Berlin, Heidelberg, 2007. ReferencesVII

Yael Gertner, Sampath Kannan, Tal Malkin, Omer Reingold, and Mahesh Viswanathan. The relationship between public key encryption and oblivious transfer. In FOCS ’00, page 325, Washington, DC, USA, 2000. IEEE Computer Society. Oded Goldreich, Sylvio Micali, and Avi Wigderson. How to Play any Mental Game. In STOC ’87, pages 218–229, 1987. Robert Hall, Salvatore Alfano, and Alan Ocampo. Advances in Satellite Conjunction Analysis. In Proceedings of the Advanced Maui Optical and Space Surveillance Technologies Conference, 2010. ReferencesVIII

Yan Huang, David Evans, Jonathan Katz, and Lior Malka. Faster Secure Two-Party Computation Using Garbled Circuits. In In USENIX Security Symposium, 2011. Shai Halevi and Yael T. Kalai. Smooth Projective Hashing and Two-Message Oblivious Transfer. Cryptology ePrint Archive, Report 2007/118, March 2007. Wilko Henecka, Stefan K. Ogl,¨ Ahmad R. Sadeghi, Thomas Schneider, and Immo Wehrenberg. TASTY: tool for automating secure two-party computations. In Proceedings of the 17th ACM conference on Computer and communications security, CCS ’10, pages 451–462, New York, NY, USA, 2010. ACM. ReferencesIX

Yan Huang, Chih H. Shen, David Evans, Jonathan Katz, and Abhi Shelat. Efficient secure computation with garbled circuits. In Proceedings of the 7th international conference on Information Systems Security, ICISS’11, pages 28–48, Berlin, Heidelberg, 2011. Springer-Verlag. Yuval Ishai, Joe Kilian, Kobbi Nissim, and Erez Petrank. Extending Oblivious Transfers Efficiently. In CRYPTO, pages 145–161, 2003. Yuval Ishai, Eyal Kushilevitz, Rafail Ostrovsky, Manoj Prabhakaran, Amit Sahai, and JürgWullschleger. Constant-Rate Oblivious Transfer from Noisy Channels. In Phillip Rogaway, editor, CRYPTO ’11, volume 6841 of Lecture Notes in Computer Science, chapter 38, pages 667–684. Springer Berlin / Heidelberg, Berlin, Heidelberg, 2011. ReferencesX

Yuval Ishai, Manoj Prabhakaran, and Amit Sahai. Founding Cryptography on Oblivious Transfer - Eﬃciently. In CRYPTO ’08, pages 572–591, 2008. Russell Impagliazzo and Steven Rudich. Limits on the Provable Consequences of One-Way Permutations. In STOC ’89, pages 44–61. ACM, 1989. Tibor Jager and J¨orgSchwenk. The Generic Hardness of Subset Membership Problems under the Factoring Assumption. Cryptology ePrint Archive, Report 2008/482, November 2008. Yael T. Kalai. Smooth Projective Hashing and Two-Message Oblivious Transfer. In EUROCRYPT ’05, pages 78–95, 2005. ReferencesXI

T. S. Kelso. How the Space Data Center is Improving Safety of Space Operations. In Proceedings of the Advanced Maui Optical and Space Surveillance Technologies Conference, September 2010. Joe Kilian. Founding cryptography on oblivious transfer. In Proceedings of the twentieth annual ACM symposium on Theory of computing, STOC ’88, pages 20–31, New York, NY, USA, 1988. ACM. Benjamin Kreuter, Abhi Shelat, and Chih H. Shen. Billion-gate secure computation with malicious adversaries. In Proceedings of the 21st USENIX conference on Security symposium, Security’12, page 14, Berkeley, CA, USA, 2012. USENIX Association. ReferencesXII

T. S. Kelso, David A. Vallado, Joseph Chan, and Bjorn Buckwalter. Improved Conjunction Analysis Via Collaborative Space Situational Awareness. In Proceedings of the Advanced Maui Optical and Space Surveillance Technologies Conference, September 2008. Agnieszka Lukaszczyk, Laurence Nardon, and Ray Williamson. Assessing the Current Dynamics of Space Security. Technical report, Institut fran¸caisdes relations internationales, June 2009. Hoi K. Lo. Insecurity of quantum secure computations. Physical Review A, 56:1154–1162, August 1997. ReferencesXIII

Yehuda Lindell, Benny Pinkas, and Nigel P. Smart. Implementing Two-Party Computation Efficiently with Security Against Malicious Adversaries. In SCN ’08, volume 5229, pages 2–20, 2008. Dahlia Malkhi, Noan Nisan, Benny Pinkas, and Yaron Sella. Fairplay – A Secure Two-Party Computation System. In USENIX Security Symposium ’04, 2004. Ueli M. Maurer and Stefan Wolf. The Relationship Between Breaking the Diffie–Hellman Protocol and Computing Discrete Logarithms. SIAM Journal on Computing, 28(5):1689–1721, January 1999. Moni Naor and Benny Pinkas. Efficient Oblivious Transfer Protocols. In SODA ’01, pages 448–457. ACM/SIAM, 2001. References XIV

Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A Framework for Eﬃcient and Composable Oblivious Transfer. In David Wagner, editor, Crypto ’08, volume 5157 of Lecture Notes in Computer Science, pages 554–571. Springer, 2008. Michael Rabin. How to exchange secrets by oblivious transfer. Technical Report TR-81, Harvard University, 1981. Adi Shamir. How to share a secret. Commun. ACM, 22:612–613, November 1979. ReferencesXV

Louis Salvail, Christian Schaffner, and Miroslava Sotáková. On the Power of Two-Party Quantum Cryptography. In Proceedings of the 15th International Conference on the Theory and Application of Cryptology and Information Security: Advances in Cryptology, ASIACRYPT ’09, pages 70–87, Berlin, Heidelberg, 2009. Springer-Verlag. Un systèmede vote inéditàgrande échelle. http://www.uclouvain.be/270428.html, March 2009. Stefan Wolf and JürgWullschleger. Oblivious transfer is symmetric. In In Advances in Cryptology - EUROCRYPT ’06, pages 222–232, 2006. References XVI

Severin Winkler and J¨urgWullschleger. On the Eﬃciency of Classical and Quantum Oblivious Transfer Reductions. In Tal Rabin, editor, CRYPTO ’10, volume 6223 of Lecture Notes in Computer Science, pages 707–723, Berlin, Heidelberg, 2010. Springer Berlin / Heidelberg. Andrew Yao. Protocols for Secure Computations (Extended Abstract). In FOCS ’82, pages 160–164, 1982. Andrew Yao. How to Generate and Exchange Secrets. In FOCS ’86, pages 162–167, 1986.