Garbled Circuits Boolean Circuit

Optimizations of Generic Protocols for Semi-Honest Adversaries
Thomas Schneider (TU Darmstadt)
5th Bar-Ilan Winter School on Cryptography, Feb 2015

Secure Two-Party Computation

[Figure: two parties with inputs x and y compute f(x,y).]

This Lecture: Semi-Honest (Passive) Adversaries

Secure Two-Party Computation

  • Auctions [NaorPS99], ...
  • Remote Diagnostics [BrickellPSW07], ...
  • DNA Searching [Troncoso-PastorizaKC07], ...
  • Biometric Identification [ErkinFGKLT09], ...
  • Medical Diagnostics [BarniFKLSS09], ...

Oblivious Transfer (OT)

[Figure: OT box with inputs (x0, x1) and r, and output xr.]

1-out-of-2 OT is an essential building block for secure computation.

How to Measure Efficiency of a Protocol?

✓ Runtime (depends on implementation & scenario)
✓ Communication
  • # bits sent (important for networks with low bandwidth)
  • # rounds (important for networks with high latency)
? Computation
  • Usually: count # crypto operations, e.g.,
    • # modular exponentiations
    • # point multiplications
    • # hash function evaluations (SHA)
    • # block cipher evaluations (AES)
    • # One-Time Pad evaluations
    (arrow alongside this list labelled "faster")
  • But also non-cryptographic operations do matter!

Overview of this Lecture

  • Generic Protocols: Boolean Circuit, Yao, GMW, OT
  • Part 1: Efficient Garbled Circuits
  • Part 2: Efficient OTs
  • Part 3: Efficient Circuits and Yao vs. GMW
  • Public Key Crypto >> Symmetric Crypto >> One-Time Pad

Yao’s Garbled Circuits Protocol [Yao86]

  • Function f(·,·), e.g., x < y
  • private data x = x1, .., xn
  • private data y = y1, .., yn

[Figure: the circuit for x < y drawn as a chain of < gates over the input pairs (x1, y1), (x2, y2), ..., (xn, yn) with intermediate wires c1, c2, ... and output z; the corresponding garbled circuit C̃; the garbled values c̃1^0, c̃1^1 of wire c1; a garbled table with one entry of the form E(x̃1, ỹ1; c̃1^g(·,·)) for each of g(0,0), g(0,1), g(1,0), g(1,1); the messages C̃, ỹ and OT(x; (x̃0, x̃1)); the result f(x, y) = C(x, y). Annotations: Part 1: Efficient Garbled Circuits, Part 2: Efficient OT, Part 3: Efficient Circuits.]

The GMW Protocol [GMW87]

[Figure: an XOR gate with inputs a, b and output c, followed by an AND gate with output d.]

  • Secret share inputs: a = a1 ⊕ a2, b = b1 ⊕ b2
  • Non-Interactive XOR gates: c1 = a1 ⊕ b1 ; c2 = a2 ⊕ b2
  • Interactive AND gates: [Figure: AND box with inputs c1,b1 and c2,b2 and outputs d1, d2]
  • Recombine outputs: d = d1 ⊕ d2

(Annotation: Part 3: Efficient Circuits)

Evaluating ANDs via Multiplication Triples [Beaver91]

The Aim: Generate a multiplication triple (a1⊕a2)(b1⊕b2) = c1⊕c2

  • P1’s output: a1,b1,c1
  • P2’s output: a2,b2,c2
  • Property: (a1⊕a2)(b1⊕b2) = c1⊕c2
  • Observe that c1⊕c2 = a1b1⊕a2b1⊕a1b2⊕a2b2

The Protocol:

1.
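The GMW steps and the multiplication-triple property above, run end to end on the slide's two-gate circuit d = (a ⊕ b) ∧ b (as read from the AND box inputs c1,b1 and c2,b2). This is an added example, not code from the lecture: the function names are hypothetical, the triple comes from an assumed trusted dealer because the slides' generation protocol is cut off here, and the AND step is the standard Beaver technique rather than text from the visible slides.

```python
import secrets

def share(bit):
    """XOR-share a bit: bit = s1 ^ s2; each share alone is uniformly random."""
    s1 = secrets.randbits(1)
    return s1, bit ^ s1

def dealer_triple():
    """Assumed trusted dealer: returns (a1,b1,c1), (a2,b2,c2) with
    (a1^a2) & (b1^b2) == c1^c2. Stands in for the OT-based generation."""
    a, b = secrets.randbits(1), secrets.randbits(1)
    a1, a2 = share(a)
    b1, b2 = share(b)
    c1, c2 = share(a & b)
    return (a1, b1, c1), (a2, b2, c2)

def xor_gate(x_sh, y_sh):
    """Non-interactive XOR: each party XORs the two shares it already holds."""
    return x_sh[0] ^ y_sh[0], x_sh[1] ^ y_sh[1]

def and_gate(x_sh, y_sh, t1, t2, transcript):
    """Interactive AND that consumes one multiplication triple."""
    (a1, b1, c1), (a2, b2, c2) = t1, t2
    # Each party masks its input shares with its triple shares and sends them.
    d1, e1 = x_sh[0] ^ a1, y_sh[0] ^ b1   # P1 -> P2
    d2, e2 = x_sh[1] ^ a2, y_sh[1] ^ b2   # P2 -> P1
    transcript.append(((d1, e1), (d2, e2)))
    d, e = d1 ^ d2, e1 ^ e2               # public values x^a and y^b
    # x&y = c ^ (d&b) ^ (e&a) ^ (d&e); only P1 adds the public term d&e.
    z1 = c1 ^ (d & b1) ^ (e & a1) ^ (d & e)
    z2 = c2 ^ (d & b2) ^ (e & a2)
    return z1, z2

def gmw_slide_circuit(a, b):
    """Evaluate d = (a ^ b) & b on XOR shares; returns (d, AND transcript)."""
    transcript = []
    a_sh, b_sh = share(a), share(b)       # secret share inputs
    c_sh = xor_gate(a_sh, b_sh)           # c1 = a1^b1 ; c2 = a2^b2
    t1, t2 = dealer_triple()
    d_sh = and_gate(c_sh, b_sh, t1, t2, transcript)
    return d_sh[0] ^ d_sh[1], transcript  # recombine outputs: d = d1 ^ d2
```

The only values exchanged in the AND gate are the masked shares recorded in the transcript; because a and b in the triple are uniformly random, the opened d and e are one-time-pad ciphertexts of the wire values.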
