Garbled Circuits
Frederic Naumann
Supervisor: Marcel von Maltitz
Seminar Innovative Internet-Technologien und Mobilkommunikation SS2016
Lehrstuhl Netzarchitekturen und Netzdienste
Fakultät für Informatik, Technische Universität München
Email: [email protected]
Seminars FI / IITM SS 16, 71, doi: 10.2313/NET-2016-09-1_10, Network Architectures and Services, September 2016

ABSTRACT
In 1982, Andrew Yao published a paper which described possible ways of handling Secure Multi-Party Computation, but only in a very theoretical manner. In the following years, Yao developed a conceptual implementation approach to this subject which he titled "Garbled Circuits", although he never actually published any of his work on Garbled Circuits but only mentioned and explained the idea behind the algorithm in several talks. At the time this concept was presented, it was deemed more of a theoretical concept than an actual implementation due to the limited computation power available. But over the years, the computational possibilities grew and actual implementations became feasible.
This paper sets out to explain the function of Yao's original algorithm in detail and also to evaluate it under various aspects such as performance and resistance to certain attacks. We will also talk about improvements to Yao's algorithm that have been proposed during the last nearly thirty years, and finally get into some actual implementations of these algorithms.

Keywords
Secure Multi-Party Computation, Secure Function Evaluation, Garbled Circuit Protocol

1. INTRODUCTION
The general Secure Multi-Party Computation (SMC) problem is defined as the situation where $N$ parties wish to securely compute the value of a function $f(x_1, \ldots, x_N)$, where each party $i$ delivers exactly one input $x_i$. During execution, no information about the $x_i$ must be leaked to any party $j \neq i$, at least no information that cannot be derived from the computation result [20, 4].
A simple example for a two-party application of this problem is the so-called "Millionaires' Problem" [20]. In this problem, two millionaires want to find out which of them is richer, but neither of them wants the other one to know their exact wealth. So this problem can be formulated using the terminology introduced above with $N = 2$ and $f(x_1, x_2) = 1$ if $x_1 > x_2$, and $0$ otherwise. Yao presented a simple protocol solving this specific problem in [20], along with the theoretical foundations for the development of an extended protocol.
A more practical example where SMC can be applied is secret voting [20], where $N$ parties wish to secretly and securely host a vote. The result is to be computed in private without a third party that handles the vote evaluation, and without any party learning how some other party voted.
Yao's approach to a functional protocol for Two Party Computation is the Garbled Circuit Protocol (GCP), where a function is transformed into a boolean circuit modelling the same function, which is then altered in a way that no information can be extracted from the resulting circuit. Note that this protocol has been developed explicitly for Two Party Computation, i.e. an SMC with $N = 2$. In the following sections, we will define the basic terms and concepts that are needed for the protocol; in section 4 we will present and evaluate Yao's original GCP, and in section 5 we will discuss a few modern extensions to the GCP that seek to enhance performance and security. In section 6, we will briefly present a couple of different working implementations of the GCP, and in section 7 we conclude.

2. DEFINITIONS
This section defines the security terminology we will use in this paper; it mostly relies on the terms introduced by [17].

2.1 Security requirements
When one wishes to evaluate some function $f$ using SMC, one needs to cover some requirements in order to make the securely computed function $f_s$ a correct secure computation for $f$. In [19], Yao introduced the concept of comparing a protocol to an "ideal-oracle" that fulfills the three requirements listed below, and stated that a Secure Function Evaluation (SFE) is correct if it performs exactly like this ideal-oracle [17]. The ideal-oracle evaluates a function $f$ with inputs $x_1, x_2$ that are delivered by two parties and outputs the value to both parties without revealing the inputs.

2.1.1 Validity
The most obvious requirement is that the evaluation of $f_s$ must always deliver a correct result, just as $f$ would. So $f(x) = f_s(x)$ must hold true for all $x$ for $f_s$ to be a valid evaluation function for $f$.

2.1.2 Privacy
The privacy definition for the ideal-oracle forces an SFE system to prevent any party from learning the other party's input, like the ideal-oracle would, provided that the protocol is carried out correctly. It is interesting to note that this only guarantees that no unwanted values are leaked during protocol execution; this privacy definition does not account for any party applying reverse engineering methods to the result. For example, an addition could be computed privately in compliance with this definition of privacy, but a participant would still be able to learn the other participant's input by subtracting his own input.

2.1.3 Fairness
A protocol is called fair when it securely computes the function value and then correctly transmits the output to all parties that participated in the computation. In contrast, an unfair protocol is one that refrains from actually sending the output to all parties, but holds back the information from certain (or all) parties.

2.2 Adversary Models
In the evaluation section, we will evaluate our protocol with respect to different adversary models. In SMC, we do not deal with classic "Man-in-the-Middle" or side channel attacks. In SMC, we are communicating and cooperating with a possible attacker, so we need to take into account different levels of protocol obedience for our possible attacker.

2.2.1 Semi-Honest Adversaries
An adversary is said to be semi-honest, or honest-but-curious, when it is not willing to deviate from the protocol at any time but tries to gather as much information about the other parties as possible by using data that is leaked during protocol execution and by the output [17]. For example, in an SFE protocol a semi-honest participant might try to deduce the other participants' inputs from the output, e.g. by assuming a uniform distribution of values and then guessing the right value with a certain probability. Also, an adversary that is semi-honest will take any protocol-conforming step that it can profit from, as long as it does not make the adversary's position any worse.

2.2.2 Malicious Adversaries
In contrast to semi-honest adversaries, a malicious adversary will violate the protocol in an arbitrary manner, which means that the adversary might deviate from the protocol at any point of the execution to gather information about the

3.1.1 1-out-of-2 Oblivious Transfer
1-out-of-2 Oblivious Transfer (1-2 OT) is a special case of the concept described above, where $N = 2$ and the receiver may only choose $i \in \{0, 1\}$. An original protocol version for 1-2 OT was proposed by Rabin [16] in 1981; the protocol presented here was originally introduced by Lindell [10]. It is secure against semi-honest adversaries, and provides an easy understanding which will be needed in the upcoming protocol execution. In the following section, we will call the sending party $S$ and the receiving party $R$.
Assume that $S$ holds a pair of strings $(s_0, s_1)$, one of which is to be sent to $R$. $R$ selects $i \in \{0, 1\}$, depending on whether she wants to learn $s_0$ or $s_1$. She then generates a pair of asymmetric cryptography keys $(k^{priv}, k^{pub})$, and in addition to that another value $k_\perp$ that looks like a public key to $S$, but to which $R$ has no private key. Then, $R$ chooses the working public key to be $k^{pub}_i$ and $k_\perp$ as $k^{pub}_{1-i}$, and advertises them to $S$ as keys for $s_0$ and $s_1$, respectively. $S$ then encrypts $s_0$ with the received $k^{pub}_0$ and $s_1$ with $k^{pub}_1$ and transmits the resulting $c_0$ and $c_1$ to $R$, who will then decrypt her desired value $c_i$ with the corresponding $k^{priv}_i$, which then results in the correct $s_i$. $R$ will not be able to decrypt $c_{1-i}$ because she has not generated a corresponding private key for $k_\perp$, and $S$ will not know which value $R$ has actually seen. Therefore, the proposed protocol guarantees a working 1-2 OT.
This protocol is only secure against semi-honest adversaries. It is easy to observe that one party could obtain additional information by deviating from the protocol, e.g. $R$ could just generate two public/private key pairs and advertise both public keys; then she would be able to receive both $s_0$ and $s_1$. An OT protocol that is secure against malicious adversaries will be discussed later.

3.2 Cryptographic Hash Functions
A cryptographic hash function is a one-way function where, in addition to the one-way property, there is also no possibility to draw conclusions from the way the values are distributed, i.e. the values of the function are uniformly distributed over the function's image space. Also, a cryptographic hash function prevents collisions of hash values.
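The 1-2 OT exchange of section 3.1.1 between $S$ and $R$, carried out in code as an added example that is not part of the original paper. It assumes a toy ElGamal scheme over the Mersenne prime $2^{127}-1$ (chosen for readability, not the cryptosystem Lindell's protocol prescribes) and derives $k_\perp$ by hashing a nonce so that $R$ really holds no matching private key.

```python
import hashlib
import secrets

# Toy ElGamal group for a readable demo (assumption of this example): p = 2^127 - 1, g = 3.
P = (1 << 127) - 1
G = 3

def keygen():
    """R's real key pair (k_priv, k_pub): secret x and h = g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

def fake_pubkey(nonce):
    """k_bot: a group element derived by hashing, so nobody (R included) knows its private key."""
    return int.from_bytes(hashlib.sha256(b"k_bot|" + nonce).digest(), "big") % (P - 2) + 2

def encrypt(k_pub, msg):
    """ElGamal encryption of msg (at most 15 bytes, so its integer value is below p) under k_pub."""
    m = int.from_bytes(msg, "big")
    assert 0 < m < P, "message must be 1..15 bytes without a leading zero byte"
    r = secrets.randbelow(P - 2) + 1
    return pow(G, r, P), (m * pow(k_pub, r, P)) % P

def decrypt(k_priv, ct):
    """Recover m = c2 / c1^x mod p; yields garbage if k_priv does not match the key used."""
    m = (ct[1] * pow(pow(ct[0], k_priv, P), -1, P)) % P
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def receiver_choose(i):
    """R's first message: the real public key sits at index i, k_bot at index 1-i."""
    k_priv, k_pub = keygen()
    advertised = [None, None]
    advertised[i] = k_pub
    advertised[1 - i] = fake_pubkey(secrets.token_bytes(16))
    return (i, k_priv), advertised

def sender_respond(advertised, s0, s1):
    """S's reply: s0 under the key for index 0, s1 under the key for index 1; S learns nothing about i."""
    return encrypt(advertised[0], s0), encrypt(advertised[1], s1)

def receiver_finish(state, c0, c1):
    """R decrypts only c_i; she holds no private key for k_bot, so c_{1-i} stays sealed."""
    i, k_priv = state
    return decrypt(k_priv, c1 if i else c0)

def run_ot(i, s0, s1):
    """Full 1-2 OT exchange between an honest S and an honest R; returns what R learns."""
    state, advertised = receiver_choose(i)
    c0, c1 = sender_respond(advertised, s0, s1)
    return receiver_finish(state, c0, c1)
```

Only honest participants are modelled; as the text notes, the guarantee that $R$ learns a single string rests on $R$ forming the advertised key pair as prescribed.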