Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
Oblivious Transfer and Secure MultipartyComputation
Brett Hemenway
September 11th 2013
Introduction
Oblivious Transfer
Circuit Garbling
Secure Computation from Secret Sharing
Applications of MPCThe Satellite Problem
Conjunction Analysis: OverviewSpecific CalculationsIntegrationDoing The Computation Securely
ExtrasCryptographic AssumptionsConstructing Oblivious Transfer
The Millionaire’s ProblemAn example of secure two-party computation
I Two Millionaires want to determine who is richer, withoutrevealing their wealth [Yao82]
I They want a secure computation of a comparison (
Solving the Millionaire’s Problem
I If there is a family of one-way trapdoor permutations, F ,f : X → Y for f ∈ Fe.g. f (x) = xe mod N (the RSA function)
I and a hash function H : X → ZI Then there is a simple solution to the Millionaire’s Problem
I We assume Alice’s wealth is a, Bob’s is b, and there is an apriori upper bound m > max(a, b).
Solving the Millionaire’s Problem
Alice
a
f , f −1$← F
f
Bob
bf
x$← X
y = f (x)− b
y
Alice
a
xbx0 . . . . . . xm−1
xi = f−1(y + i) for i = 0, . . . ,m − 1 y
xb = f−1(y + b) = f −1((f (x)− b) + b) = x
ri =
{H(xi + 1) for i = 0, . . . , aH(xi ) for i = a + 1, . . . ,m − 1
rbr0 . . . . . . rm−1
a > b ⇒ rb = H(x)
Alice
a
{ri}m−1i=0
Bob
b{ri}m−1i=0 x $← X
y = f (x)− b
if H(x) = rb then a > b
if H(x) 6= rb then a ≤ b
Solving the Millionaire’s Problem
Alice
a
f , f −1$← F
f
Bob
bf
x$← X
y = f (x)− b
y
Alice
a
xbx0 . . . . . . xm−1
xi = f−1(y + i) for i = 0, . . . ,m − 1 y
xb = f−1(y + b) = f −1((f (x)− b) + b) = x
ri =
{H(xi + 1) for i = 0, . . . , aH(xi ) for i = a + 1, . . . ,m − 1
rbr0 . . . . . . rm−1
a > b ⇒ rb = H(x)
Alice
a
{ri}m−1i=0
Bob
b{ri}m−1i=0 x $← X
y = f (x)− b
if H(x) = rb then a > b
if H(x) 6= rb then a ≤ b
Solving the Millionaire’s Problem
Alice
a
f , f −1$← F
f
Bob
bf
x$← X
y = f (x)− b
y
Alice
a
xbx0 . . . . . . xm−1
xi = f−1(y + i) for i = 0, . . . ,m − 1 y
xb = f−1(y + b) = f −1((f (x)− b) + b) = x
ri =
{H(xi + 1) for i = 0, . . . , aH(xi ) for i = a + 1, . . . ,m − 1
rbr0 . . . . . . rm−1
a > b ⇒ rb = H(x)
Alice
a
{ri}m−1i=0
Bob
b{ri}m−1i=0 x $← X
y = f (x)− b
if H(x) = rb then a > b
if H(x) 6= rb then a ≤ b
Solving the Millionaire’s Problem
Alice
a
f , f −1$← F
f
Bob
bf
x$← X
y = f (x)− b
y
Alice
a
xbx0 . . . . . . xm−1
xi = f−1(y + i) for i = 0, . . . ,m − 1 y
xb = f−1(y + b) = f −1((f (x)− b) + b) = x
ri =
{H(xi + 1) for i = 0, . . . , aH(xi ) for i = a + 1, . . . ,m − 1
rbr0 . . . . . . rm−1
a > b ⇒ rb = H(x)
Alice
a
{ri}m−1i=0
Bob
b{ri}m−1i=0 x $← X
y = f (x)− b
if H(x) = rb then a > b
if H(x) 6= rb then a ≤ b
Solving the Millionaire’s Problem
Alice
a
f , f −1$← F
f
Bob
bf
x$← X
y = f (x)− b
y
Alice
a
xbx0 . . . . . . xm−1
xi = f−1(y + i) for i = 0, . . . ,m − 1 y
xb = f−1(y + b) = f −1((f (x)− b) + b) = x
ri =
{H(xi + 1) for i = 0, . . . , aH(xi ) for i = a + 1, . . . ,m − 1
rbr0 . . . . . . rm−1
a > b ⇒ rb = H(x)
Alice
a
{ri}m−1i=0
Bob
b{ri}m−1i=0 x $← X
y = f (x)− b
if H(x) = rb then a > b
if H(x) 6= rb then a ≤ b
Solving the Millionaire’s Problem
Alice
a
f , f −1$← F
f
Bob
bf
x$← X
y = f (x)− b
y
Alice
a
xbx0 . . . . . . xm−1
xi = f−1(y + i) for i = 0, . . . ,m − 1 y
xb = f−1(y + b) = f −1((f (x)− b) + b) = x
ri =
{H(xi + 1) for i = 0, . . . , aH(xi ) for i = a + 1, . . . ,m − 1
rbr0 . . . . . . rm−1
a > b ⇒ rb = H(x)
Alice
a
{ri}m−1i=0
Bob
b{ri}m−1i=0 x $← X
y = f (x)− b
if H(x) = rb then a > b
if H(x) 6= rb then a ≤ b
Solving the Millionaire’s Problem
Alice
a
f , f −1$← F
f
Bob
bf
x$← X
y = f (x)− b
y
Alice
a
xbx0 . . . . . . xm−1
xi = f−1(y + i) for i = 0, . . . ,m − 1 y
xb = f−1(y + b) = f −1((f (x)− b) + b) = x
ri =
{H(xi + 1) for i = 0, . . . , aH(xi ) for i = a + 1, . . . ,m − 1
rbr0 . . . . . . rm−1
a > b ⇒ rb = H(x)
Alice
a
{ri}m−1i=0
Bob
b{ri}m−1i=0 x $← X
y = f (x)− b
if H(x) = rb then a > b
if H(x) 6= rb then a ≤ b
Secure Multiparty Computation
I Cryptographic tools exist that allow a group of participants tosecurely calculate any function of their joint inputs.
I Cryptography removes the need for a trusted third party
Privacy is defined in a simulation paradigm
I A protocol is secure if there is a simulator that, when givenonly the output of the protocol can simulate an execution ofthe protocol that is indistinguishable from the real protocol.
I This ensures that nothing beyond the output of the protocolis learned
I In the Millionaire’s Problem revealing whose salary is higherleaks information. A secure protocol should leak nothing more.
Security Models
Definition (Semi-Honest Adversaries)
Semi-Honest (Honest-But-Curious) adversaries
I always follow whatever protocol they are asked to perform
I always send well-formed messages
I try to learn other participants’ secrets by looking at their owntranscript in the protocol
Definition (Malicious Adversaries)
Malicious adversaries are:
I allowed to deviate from the protocol
I allowed to send mal-formed messages
I allowed to behave in any way
Standard technique: first build protocols in the Semi-Honestmodel. Then use standard tools (e.g. Zero-Knowledge proofs) toforce participants to follow the protocol
Security Models
Definition (Semi-Honest Adversaries)
Semi-Honest (Honest-But-Curious) adversaries
I always follow whatever protocol they are asked to perform
I always send well-formed messages
I try to learn other participants’ secrets by looking at their owntranscript in the protocol
Definition (Malicious Adversaries)
Malicious adversaries are:
I allowed to deviate from the protocol
I allowed to send mal-formed messages
I allowed to behave in any way
Standard technique: first build protocols in the Semi-Honestmodel. Then use standard tools (e.g. Zero-Knowledge proofs) toforce participants to follow the protocol
Methods of Secure MPC
Protocol Assumption Players Reference
Yao’s Garbled Circuit OT 2 [Yao82, Yao86]
GMW OT 2+ [GMW87]
BGW/CCD Honest Majority 3+ [BOGW88, CCD88]
FHE Lattice Problems 2+ [Gen09]
Methods of Secure MPC
Protocol Assumption Players Reference
Yao’s Garbled Circuit OT 2 [Yao82, Yao86]
GMW OT 2+ [GMW87]
BGW/CCD Honest Majority 3+ [BOGW88, CCD88]
FHE Lattice Problems 2+ [Gen09]
Introduction
Oblivious Transfer
Circuit Garbling
Secure Computation from Secret Sharing
Applications of MPCThe Satellite Problem
Conjunction Analysis: OverviewSpecific CalculationsIntegrationDoing The Computation Securely
ExtrasCryptographic AssumptionsConstructing Oblivious Transfer
Oblivious Transfer
OT
Sender Receiver
x0
x1
b
xb
I S learns nothing about b
I R learns nothing about X1−b
Oblivious Transfer
OT
Sender Receiver
x0
x1
b
xb
I S learns nothing about b
I R learns nothing about X1−b
Facts About OT
I Introduced by Rabin [Rab81], Even, Goldreich and Lempel [EGL85]I OT is equivalent to random OT [Cré88]I OT is symmetric [WW06]I OT is “complete” for secure multiparty computation [Kil88, IPS08]I Black-box construction of OT from one-way permutations implies
P 6= NP [IR89]I Perfect OT cannot be constructed using quantum mechanics [Lo97]I OTs can be extended under computational assumptions [IKNP03]I OTs cannot be extended using quantum mechanics [SSS09, WW10]I OT impies PKE, but not vice-versa [GKM+00]I Constructions:
I PIR [CMO00]I DDH [NP01]I Projective hash proofs [Kal05, HK07]I Blind signatures (requires RO) [CNS07]I Bilinear assumptions [GH07]I Dual-mode encryption [PVW08]I Noisy Channels [IKO+11]
OT From The DDH AssumptionBlind Generation of El-Gamal Public-keys
(g , ga, gb, gab) ≈c (g , ga, gb, g c)
x0, x1 b
Sender Receiver
w$← [|G|]
βb = gw
β1−b = r
(β0, β1)k0, k1
$← [|G|]α0 = g
k0
α1 = gk1
γ0 = hk00 g
x0
γ1 = hk11 g
x1
((α0, γ0), (α1, γ1))
xb = 1 iff γb · α−wb = g
OT From The DDH AssumptionBlind Generation of El-Gamal Public-keys
(g , ga, gb, gab) ≈c (g , ga, gb, g c)
x0, x1 b
Sender Receiver
w$← [|G|]
βb = gw
β1−b = r
(β0, β1)
k0, k1$← [|G|]
α0 = gk0
α1 = gk1
γ0 = hk00 g
x0
γ1 = hk11 g
x1
((α0, γ0), (α1, γ1))
xb = 1 iff γb · α−wb = g
OT From The DDH AssumptionBlind Generation of El-Gamal Public-keys
(g , ga, gb, gab) ≈c (g , ga, gb, g c)
x0, x1 b
Sender Receiver
w$← [|G|]
βb = gw
β1−b = r
(β0, β1)k0, k1
$← [|G|]α0 = g
k0
α1 = gk1
γ0 = hk00 g
x0
γ1 = hk11 g
x1
((α0, γ0), (α1, γ1))
xb = 1 iff γb · α−wb = g
OT From The DDH AssumptionBlind Generation of El-Gamal Public-keys
(g , ga, gb, gab) ≈c (g , ga, gb, g c)
x0, x1 b
Sender Receiver
w$← [|G|]
βb = gw
β1−b = r
(β0, β1)k0, k1
$← [|G|]α0 = g
k0
α1 = gk1
γ0 = hk00 g
x0
γ1 = hk11 g
x1
((α0, γ0), (α1, γ1))
xb = 1 iff γb · α−wb = g
Oblivious Transfer
OT
Sender Receiver
x0
x1
b
xb
I S learns nothing about b
I R learns nothing about X1−b
Random Oblivious Transfer
OT
Sender Receiver
x0
x1
b
xb
I S learns nothing about b
I R learns nothing about X1−b
Random OT + 3 Bits Communication = OTPrecomputing OT
Sender Receiver
x0
x1
b
xb
OT
ROT
ReceiverSender
y0
y1
c
yc
b ⊕ cd
z0 = x0 ⊕ ydz1 = x1 ⊕ y1−d
(z0, z1)
zb ⊕ yc
y0, y1 generated at random
Idea: use Random OT onrandom values as a one-time
pad to blind real OT
if b = 0 then d = c , so receiver knows ydif b = 1 then d = 1− c , so receiver knows y1−d
Random OT + 3 Bits Communication = OTPrecomputing OT
Sender Receiver
x0
x1
b
xb
OT
ROT
ReceiverSender
y0
y1
c
yc
b ⊕ cd
z0 = x0 ⊕ ydz1 = x1 ⊕ y1−d
(z0, z1)
zb ⊕ yc
y0, y1 generated at random
Idea: use Random OT onrandom values as a one-time
pad to blind real OT
if b = 0 then d = c , so receiver knows ydif b = 1 then d = 1− c , so receiver knows y1−d
Random OT + 3 Bits Communication = OTPrecomputing OT
Sender Receiver
x0
x1
b
xb
OT
ROT
ReceiverSender
y0
y1
c
yc
b ⊕ cd
z0 = x0 ⊕ ydz1 = x1 ⊕ y1−d
(z0, z1)
zb ⊕ yc
y0, y1 generated at random
Idea: use Random OT onrandom values as a one-time
pad to blind real OT
if b = 0 then d = c , so receiver knows ydif b = 1 then d = 1− c , so receiver knows y1−d
Random OT + 3 Bits Communication = OTPrecomputing OT
Sender Receiver
x0
x1
b
xb
OT
ROT
ReceiverSender
y0
y1
c
yc
b ⊕ cd
z0 = x0 ⊕ ydz1 = x1 ⊕ y1−d
(z0, z1)
zb ⊕ yc
y0, y1 generated at random
Idea: use Random OT onrandom values as a one-time
pad to blind real OT
if b = 0 then d = c , so receiver knows ydif b = 1 then d = 1− c , so receiver knows y1−d
Random OT + 3 Bits Communication = OTPrecomputing OT
Sender Receiver
x0
x1
b
xb
OT
ROT
ReceiverSender
y0
y1
c
yc
b ⊕ cd
z0 = x0 ⊕ ydz1 = x1 ⊕ y1−d
(z0, z1)
zb ⊕ yc
y0, y1 generated at random
Idea: use Random OT onrandom values as a one-time
pad to blind real OT
if b = 0 then d = c , so receiver knows ydif b = 1 then d = 1− c , so receiver knows y1−d
Random OT + 3 Bits Communication = OTPrecomputing OT
Sender Receiver
x0
x1
b
xb
OT
ROT
ReceiverSender
y0
y1
c
yc
b ⊕ cd
z0 = x0 ⊕ ydz1 = x1 ⊕ y1−d
(z0, z1)
zb ⊕ yc
y0, y1 generated at random
Idea: use Random OT onrandom values as a one-time
pad to blind real OT
if b = 0 then d = c , so receiver knows ydif b = 1 then d = 1− c , so receiver knows y1−d
Random OT + 3 Bits Communication = OTPrecomputing OT
Sender Receiver
x0
x1
b
xb
OT
ROT
ReceiverSender
y0
y1
c
yc
b ⊕ cd
z0 = x0 ⊕ ydz1 = x1 ⊕ y1−d
(z0, z1)
zb ⊕ yc
y0, y1 generated at random
Idea: use Random OT onrandom values as a one-time
pad to blind real OT
if b = 0 then d = c , so receiver knows ydif b = 1 then d = 1− c , so receiver knows y1−d
Precomputing OT
I Offline: before inputs are known, run many OT protocols
I This generates many OT “triples” (y0, y1) and (c , yc)
I Online: once inputs are known, OT triples can be consumed
I Online phase is cheap (in computation and communication)
Introduction
Oblivious Transfer
Circuit Garbling
Secure Computation from Secret Sharing
Applications of MPCThe Satellite Problem
Conjunction Analysis: OverviewSpecific CalculationsIntegrationDoing The Computation Securely
ExtrasCryptographic AssumptionsConstructing Oblivious Transfer
Yao’s Garbled Circuit Overview
Two parties, Alice and Bob, want to compute a public function onprivate inputs.High-Level Approach
I Public function is written as a circuit
I Alice will “garble” the circuit
I Alice will send the “garbled” circuit to Bob
I Alice and Bob will engage in OT to get Bob his “garbled”inputs
I Bob will use the garbled inputs to compute circuitgate-by-gate
Garbling a Gate
x0 x1
y = x0 · x1
x0 x1 x0 · x10 0 0
0 1 0
1 0 0
1 1 1
0 1 0 1
0 1
0 1 0 1
u0 u1
s0 s1 0 1
u0 u1
s0 s1 t0 t1
u0 u1
Sample u0, u1 randomly from {0, 1}λ
Replace output values with random strings
u0
u0
u0
u1
s0
s0
s1
s1
Sample s0, s1 randomly from {0, 1}λSample t0, t1 randomly from {0, 1}λ
Replace input values with random strings
t0
t1
t0
t1
u0
u0
u0
u1
Encrypt output values under input keys
(Encryption is symmetric-key, e.g. AES)
Es0(Et0(u0))
Es0(Et1(u0))
Es1(Et0(u0))
Es1(Et1(u1))s0
s0
s1
s1
t0
t1
t0
t1
Es0(Et0(u0))
Es0(Et1(u0))
Es1(Et0(u0))
Es1(Et1(u1))
Shuffle rows of tableI This is a “garbled gate”I Input secrets s, t allow
decryption of output secret u
I Garbled truth-table canbe made public
I Knowing one of {s0, s1}and one of {t0, t1} allowscomputation of garbledoutput
Garbling a Gate
x0 x1
y = x0 · x1
x0 x1 x0 · x10 0 0
0 1 0
1 0 0
1 1 1
0 1 0 1
0 1
0 1 0 1
u0 u1
s0 s1 0 1
u0 u1
s0 s1 t0 t1
u0 u1
Sample u0, u1 randomly from {0, 1}λ
Replace output values with random strings
u0
u0
u0
u1
s0
s0
s1
s1
Sample s0, s1 randomly from {0, 1}λSample t0, t1 randomly from {0, 1}λ
Replace input values with random strings
t0
t1
t0
t1
u0
u0
u0
u1
Encrypt output values under input keys
(Encryption is symmetric-key, e.g. AES)
Es0(Et0(u0))
Es0(Et1(u0))
Es1(Et0(u0))
Es1(Et1(u1))s0
s0
s1
s1
t0
t1
t0
t1
Es0(Et0(u0))
Es0(Et1(u0))
Es1(Et0(u0))
Es1(Et1(u1))
Shuffle rows of tableI This is a “garbled gate”I Input secrets s, t allow
decryption of output secret u
I Garbled truth-table canbe made public
I Knowing one of {s0, s1}and one of {t0, t1} allowscomputation of garbledoutput
Garbling a Gate
x0 x1
y = x0 · x1
x0 x1 x0 · x10 0 0
0 1 0
1 0 0
1 1 1
0 1 0 1
0 1
0 1 0 1
u0 u1
s0 s1 0 1
u0 u1
s0 s1 t0 t1
u0 u1
Sample u0, u1 randomly from {0, 1}λ
Replace output values with random strings
u0
u0
u0
u1
s0
s0
s1
s1
Sample s0, s1 randomly from {0, 1}λ
Sample t0, t1 randomly from {0, 1}λ
Replace input values with random strings
t0
t1
t0
t1
u0
u0
u0
u1
Encrypt output values under input keys
(Encryption is symmetric-key, e.g. AES)
Es0(Et0(u0))
Es0(Et1(u0))
Es1(Et0(u0))
Es1(Et1(u1))s0
s0
s1
s1
t0
t1
t0
t1
Es0(Et0(u0))
Es0(Et1(u0))
Es1(Et0(u0))
Es1(Et1(u1))
Shuffle rows of tableI This is a “garbled gate”I Input secrets s, t allow
decryption of output secret u
I Garbled truth-table canbe made public
I Knowing one of {s0, s1}and one of {t0, t1} allowscomputation of garbledoutput
Garbling a Gate
x0 x1
y = x0 · x1
x0 x1 x0 · x10 0 0
0 1 0
1 0 0
1 1 1
0 1 0 1
0 1
0 1 0 1
u0 u1
s0 s1 0 1
u0 u1
s0 s1 t0 t1
u0 u1
Sample u0, u1 randomly from {0, 1}λ
Replace output values with random strings
u0
u0
u0
u1
s0
s0
s1
s1
Sample s0, s1 randomly from {0, 1}λ
Sample t0, t1 randomly from {0, 1}λ
Replace input values with random strings
t0
t1
t0
t1
u0
u0
u0
u1
Encrypt output values under input keys
(Encryption is symmetric-key, e.g. AES)
Es0(Et0(u0))
Es0(Et1(u0))
Es1(Et0(u0))
Es1(Et1(u1))s0
s0
s1
s1
t0
t1
t0
t1
Es0(Et0(u0))
Es0(Et1(u0))
Es1(Et0(u0))
Es1(Et1(u1))
Shuffle rows of tableI This is a “garbled gate”I Input secrets s, t allow
decryption of output secret u
I Garbled truth-table canbe made public
I Knowing one of {s0, s1}and one of {t0, t1} allowscomputation of garbledoutput
Garbling a Gate
x0 x1
y = x0 · x1
x0 x1 x0 · x10 0 0
0 1 0
1 0 0
1 1 1
0 1 0 1
0 1
0 1 0 1
u0 u1
s0 s1 0 1
u0 u1
s0 s1 t0 t1
u0 u1
Sample u0, u1 randomly from {0, 1}λ
Replace output values with random strings
u0
u0
u0
u1
s0
s0
s1
s1
Sample s0, s1 randomly from {0, 1}λSample t0, t1 randomly from {0, 1}λ
Replace input values with random strings
t0
t1
t0
t1
u0
u0
u0
u1
Encrypt output values under input keys
(Encryption is symmetric-key, e.g. AES)
Es0(Et0(u0))
Es0(Et1(u0))
Es1(Et0(u0))
Es1(Et1(u1))s0
s0
s1
s1
t0
t1
t0
t1
Es0(Et0(u0))
Es0(Et1(u0))
Es1(Et0(u0))
Es1(Et1(u1))
Shuffle rows of tableI This is a “garbled gate”I Input secrets s, t allow
decryption of output secret u
I Garbled truth-table canbe made public
I Knowing one of {s0, s1}and one of {t0, t1} allowscomputation of garbledoutput
Garbling a Gate
x0 x1
y = x0 · x1
x0 x1 x0 · x10 0 0
0 1 0
1 0 0
1 1 1
0 1 0 1
0 1
0 1 0 1
u0 u1
s0 s1 0 1
u0 u1
s0 s1 t0 t1
u0 u1
Sample u0, u1 randomly from {0, 1}λ
Replace output values with random strings
u0
u0
u0
u1
s0
s0
s1
s1
Sample s0, s1 randomly from {0, 1}λSample t0, t1 randomly from {0, 1}λ
Replace input values with random strings
t0
t1
t0
t1
u0
u0
u0
u1
Encrypt output values under input keys
(Encryption is symmetric-key, e.g. AES)
Es0(Et0(u0))
Es0(Et1(u0))
Es1(Et0(u0))
Es1(Et1(u1))
s0
s0
s1
s1
t0
t1
t0
t1
Es0(Et0(u0))
Es0(Et1(u0))
Es1(Et0(u0))
Es1(Et1(u1))
Shuffle rows of tableI This is a “garbled gate”I Input secrets s, t allow
decryption of output secret u
I Garbled truth-table canbe made public
I Knowing one of {s0, s1}and one of {t0, t1} allowscomputation of garbledoutput
Garbling a Gate
x0 x1
y = x0 · x1
x0 x1 x0 · x10 0 0
0 1 0
1 0 0
1 1 1
0 1 0 1
0 1
0 1 0 1
u0 u1
s0 s1 0 1
u0 u1
s0 s1 t0 t1
u0 u1
Sample u0, u1 randomly from {0, 1}λ
Replace output values with random strings
u0
u0
u0
u1
s0
s0
s1
s1
Sample s0, s1 randomly from {0, 1}λSample t0, t1 randomly from {0, 1}λ
Replace input values with random strings
t0
t1
t0
t1
u0
u0
u0
u1
Encrypt output values under input keys
(Encryption is symmetric-key, e.g. AES)
Es0(Et0(u0))
Es0(Et1(u0))
Es1(Et0(u0))
Es1(Et1(u1))
s0
s0
s1
s1
t0
t1
t0
t1
Es0(Et0(u0))
Es0(Et1(u0))
Es1(Et0(u0))
Es1(Et1(u1))
Shuffle rows of table
I This is a “garbled gate”I Input secrets s, t allow
decryption of output secret u
I Garbled truth-table canbe made public
I Knowing one of {s0, s1}and one of {t0, t1} allowscomputation of garbledoutput
Garbling a Gate
x0 x1
y = x0 · x1
x0 x1 x0 · x10 0 0
0 1 0
1 0 0
1 1 1
0 1 0 1
0 1
0 1 0 1
u0 u1
s0 s1 0 1
u0 u1
s0 s1 t0 t1
u0 u1
Sample u0, u1 randomly from {0, 1}λ
Replace output values with random strings
u0
u0
u0
u1
s0
s0
s1
s1
Sample s0, s1 randomly from {0, 1}λSample t0, t1 randomly from {0, 1}λ
Replace input values with random strings
t0
t1
t0
t1
u0
u0
u0
u1
Encrypt output values under input keys
(Encryption is symmetric-key, e.g. AES)
Es0(Et0(u0))
Es0(Et1(u0))
Es1(Et0(u0))
Es1(Et1(u1))
s0
s0
s1
s1
t0
t1
t0
t1
Es0(Et0(u0))
Es0(Et1(u0))
Es1(Et0(u0))
Es1(Et1(u1))
Shuffle rows of table
I This is a “garbled gate”I Input secrets s, t allow
decryption of output secret u
I Garbled truth-table canbe made public
I Knowing one of {s0, s1}and one of {t0, t1} allowscomputation of garbledoutput
Garbling a Circuit
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1
0 1 0 1
0 1
Each wire carries aboolean value
s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1
s9,0 s9,1 s10,0 s10,1 s11,0 s11,1 s12,0 s12,1
s13,0 s13,1 s14,0 s14,1
s15,0 s15,1I Each wire carries a stringI Strings on input wires
allow decryption of stringon output wire
Es9,1(Es10,1(s13,0))
Es9,0(Es10,1(s13,1))
Es9,0(Es10,0(s13,0))
Es9,1(Es10,0(s13,1))
XOR gate
Garbling a Circuit
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1
0 1 0 1
0 1
Each wire carries aboolean value
s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1
s9,0 s9,1 s10,0 s10,1 s11,0 s11,1 s12,0 s12,1
s13,0 s13,1 s14,0 s14,1
s15,0 s15,1I Each wire carries a stringI Strings on input wires
allow decryption of stringon output wire
Es9,1(Es10,1(s13,0))
Es9,0(Es10,1(s13,1))
Es9,0(Es10,0(s13,0))
Es9,1(Es10,0(s13,1))
XOR gate
Garbling a Circuit
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1
0 1 0 1
0 1
Each wire carries aboolean value
s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1
s9,0 s9,1 s10,0 s10,1 s11,0 s11,1 s12,0 s12,1
s13,0 s13,1 s14,0 s14,1
s15,0 s15,1I Each wire carries a stringI Strings on input wires
allow decryption of stringon output wire
Es9,1(Es10,1(s13,0))
Es9,0(Es10,1(s13,1))
Es9,0(Es10,0(s13,0))
Es9,1(Es10,0(s13,1))
XOR gate
Garbling a Circuit
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉
0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1
0 1 0 1 0 1 0 1
0 1 0 1
0 1
Each wire carries aboolean value
s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1
s9,0 s9,1 s10,0 s10,1 s11,0 s11,1 s12,0 s12,1
s13,0 s13,1 s14,0 s14,1
s15,0 s15,1I Each wire carries a stringI Strings on input wires
allow decryption of stringon output wire
Es9,1(Es10,1(s13,0))
Es9,0(Es10,1(s13,1))
Es9,0(Es10,0(s13,0))
Es9,1(Es10,0(s13,1))
XOR gate
Secure Function Evaluation Using Garbled CircuitsAn Example: Secure dot-product
I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private)I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private)I The inner-product function f (x, y) =
∑4i=1 xiyi is public
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉Alice Generates the circuit
s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1
s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1
s13,0s13,1 s14,0s14,1
0 1
Alice generates tworandom strings for eachwire (called “wire keys”)
Output wire hasstandard 0/1 values
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉
Alice generates garbledtruth tables for eachgate using wire keys
Alice gives Bob thegarbled gates (but not
the wire keys)
Alice gives Bob the keyscorresponding to her
inputs (1, 0, 1, 0)
s1,1 s3,0 s5,1 s7,0
Alice and Bob use OTto get Bob the keys he
needs for his inputs(1, 1, 0, 1)
Now Bob has one wirekey for each input wire
s2,1 s4,1 s6,0 s8,1
s9,1 s10,0 s11,0 s12,0
Bob uses wire keys andgarbled truth-table to
decrypt the wire keys atthe next level
s13,1 s14,0
1
Secure Function Evaluation Using Garbled CircuitsAn Example: Secure dot-product
I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private)I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private)I The inner-product function f (x, y) =
∑4i=1 xiyi is public
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉Alice Generates the circuit
s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1
s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1
s13,0s13,1 s14,0s14,1
0 1
Alice generates tworandom strings for eachwire (called “wire keys”)
Output wire hasstandard 0/1 values
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉
Alice generates garbledtruth tables for eachgate using wire keys
Alice gives Bob thegarbled gates (but not
the wire keys)
Alice gives Bob the keyscorresponding to her
inputs (1, 0, 1, 0)
s1,1 s3,0 s5,1 s7,0
Alice and Bob use OTto get Bob the keys he
needs for his inputs(1, 1, 0, 1)
Now Bob has one wirekey for each input wire
s2,1 s4,1 s6,0 s8,1
s9,1 s10,0 s11,0 s12,0
Bob uses wire keys andgarbled truth-table to
decrypt the wire keys atthe next level
s13,1 s14,0
1
Secure Function Evaluation Using Garbled CircuitsAn Example: Secure dot-product
I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private)I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private)I The inner-product function f (x, y) =
∑4i=1 xiyi is public
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉
Alice Generates the circuit
s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1
s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1
s13,0s13,1 s14,0s14,1
0 1
Alice generates tworandom strings for eachwire (called “wire keys”)
Output wire hasstandard 0/1 values
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉
Alice generates garbledtruth tables for eachgate using wire keys
Alice gives Bob thegarbled gates (but not
the wire keys)
Alice gives Bob the keyscorresponding to her
inputs (1, 0, 1, 0)
s1,1 s3,0 s5,1 s7,0
Alice and Bob use OTto get Bob the keys he
needs for his inputs(1, 1, 0, 1)
Now Bob has one wirekey for each input wire
s2,1 s4,1 s6,0 s8,1
s9,1 s10,0 s11,0 s12,0
Bob uses wire keys andgarbled truth-table to
decrypt the wire keys atthe next level
s13,1 s14,0
1
Secure Function Evaluation Using Garbled CircuitsAn Example: Secure dot-product
I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private)I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private)I The inner-product function f (x, y) =
∑4i=1 xiyi is public
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉
Alice Generates the circuit
s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1
s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1
s13,0s13,1 s14,0s14,1
0 1
Alice generates tworandom strings for eachwire (called “wire keys”)
Output wire hasstandard 0/1 values
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉
Alice generates garbledtruth tables for eachgate using wire keys
Alice gives Bob thegarbled gates (but not
the wire keys)
Alice gives Bob the keyscorresponding to her
inputs (1, 0, 1, 0)
s1,1 s3,0 s5,1 s7,0
Alice and Bob use OTto get Bob the keys he
needs for his inputs(1, 1, 0, 1)
Now Bob has one wirekey for each input wire
s2,1 s4,1 s6,0 s8,1
s9,1 s10,0 s11,0 s12,0
Bob uses wire keys andgarbled truth-table to
decrypt the wire keys atthe next level
s13,1 s14,0
1
Secure Function Evaluation Using Garbled CircuitsAn Example: Secure dot-product
I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private)I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private)I The inner-product function f (x, y) =
∑4i=1 xiyi is public
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉Alice Generates the circuit
s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1
s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1
s13,0s13,1 s14,0s14,1
0 1
Alice generates tworandom strings for eachwire (called “wire keys”)
Output wire hasstandard 0/1 values
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉
Alice generates garbledtruth tables for eachgate using wire keys
Alice gives Bob thegarbled gates (but not
the wire keys)
Alice gives Bob the keyscorresponding to her
inputs (1, 0, 1, 0)
s1,1 s3,0 s5,1 s7,0
Alice and Bob use OTto get Bob the keys he
needs for his inputs(1, 1, 0, 1)
Now Bob has one wirekey for each input wire
s2,1 s4,1 s6,0 s8,1
s9,1 s10,0 s11,0 s12,0
Bob uses wire keys andgarbled truth-table to
decrypt the wire keys atthe next level
s13,1 s14,0
1
Secure Function Evaluation Using Garbled CircuitsAn Example: Secure dot-product
I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private)I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private)I The inner-product function f (x, y) =
∑4i=1 xiyi is public
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉Alice Generates the circuit
s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1
s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1
s13,0s13,1 s14,0s14,1
0 1
Alice generates tworandom strings for eachwire (called “wire keys”)
Output wire hasstandard 0/1 values
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉
Alice generates garbledtruth tables for eachgate using wire keys
Alice gives Bob thegarbled gates (but not
the wire keys)
Alice gives Bob the keyscorresponding to her
inputs (1, 0, 1, 0)
s1,1 s3,0 s5,1 s7,0
Alice and Bob use OTto get Bob the keys he
needs for his inputs(1, 1, 0, 1)
Now Bob has one wirekey for each input wire
s2,1 s4,1 s6,0 s8,1
s9,1 s10,0 s11,0 s12,0
Bob uses wire keys andgarbled truth-table to
decrypt the wire keys atthe next level
s13,1 s14,0
1
Secure Function Evaluation Using Garbled CircuitsAn Example: Secure dot-product
I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private)I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private)I The inner-product function f (x, y) =
∑4i=1 xiyi is public
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉Alice Generates the circuit
s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1
s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1
s13,0s13,1 s14,0s14,1
0 1
Alice generates tworandom strings for eachwire (called “wire keys”)
Output wire hasstandard 0/1 values
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉
Alice generates garbledtruth tables for eachgate using wire keys
Alice gives Bob thegarbled gates (but not
the wire keys)
Alice gives Bob the keyscorresponding to her
inputs (1, 0, 1, 0)
s1,1 s3,0 s5,1 s7,0
Alice and Bob use OTto get Bob the keys he
needs for his inputs(1, 1, 0, 1)
Now Bob has one wirekey for each input wire
s2,1 s4,1 s6,0 s8,1
s9,1 s10,0 s11,0 s12,0
Bob uses wire keys andgarbled truth-table to
decrypt the wire keys atthe next level
s13,1 s14,0
1
Secure Function Evaluation Using Garbled CircuitsAn Example: Secure dot-product
I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private)I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private)I The inner-product function f (x, y) =
∑4i=1 xiyi is public
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉Alice Generates the circuit
s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1
s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1
s13,0s13,1 s14,0s14,1
0 1
Alice generates tworandom strings for eachwire (called “wire keys”)
Output wire hasstandard 0/1 values
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉
Alice generates garbledtruth tables for eachgate using wire keys
Alice gives Bob thegarbled gates (but not
the wire keys)
Alice gives Bob the keyscorresponding to her
inputs (1, 0, 1, 0)
s1,1 s3,0 s5,1 s7,0
Alice and Bob use OTto get Bob the keys he
needs for his inputs(1, 1, 0, 1)
Now Bob has one wirekey for each input wire
s2,1 s4,1 s6,0 s8,1
s9,1 s10,0 s11,0 s12,0
Bob uses wire keys andgarbled truth-table to
decrypt the wire keys atthe next level
s13,1 s14,0
1
Secure Function Evaluation Using Garbled CircuitsAn Example: Secure dot-product
I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private)I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private)I The inner-product function f (x, y) =
∑4i=1 xiyi is public
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉Alice Generates the circuit
s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1
s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1
s13,0s13,1 s14,0s14,1
0 1
Alice generates tworandom strings for eachwire (called “wire keys”)
Output wire hasstandard 0/1 values
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉
Alice generates garbledtruth tables for eachgate using wire keys
Alice gives Bob thegarbled gates (but not
the wire keys)
Alice gives Bob the keyscorresponding to her
inputs (1, 0, 1, 0)
s1,1 s3,0 s5,1 s7,0
Alice and Bob use OTto get Bob the keys he
needs for his inputs(1, 1, 0, 1)
Now Bob has one wirekey for each input wire
s2,1 s4,1 s6,0 s8,1
s9,1 s10,0 s11,0 s12,0
Bob uses wire keys andgarbled truth-table to
decrypt the wire keys atthe next level
s13,1 s14,0
1
Secure Function Evaluation Using Garbled CircuitsAn Example: Secure dot-product
I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private)I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private)I The inner-product function f (x, y) =
∑4i=1 xiyi is public
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉Alice Generates the circuit
s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1
s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1
s13,0s13,1 s14,0s14,1
0 1
Alice generates tworandom strings for eachwire (called “wire keys”)
Output wire hasstandard 0/1 values
x1 y1 x2 y2 x3 y3 x4 y4
〈x, y〉
Alice generates garbledtruth tables for eachgate using wire keys
Alice gives Bob thegarbled gates (but not
the wire keys)
Alice gives Bob the keyscorresponding to her
inputs (1, 0, 1, 0)
s1,1 s3,0 s5,1 s7,0
Alice and Bob use OTto get Bob the keys he
needs for his inputs(1, 1, 0, 1)
Now Bob has one wirekey for each input wire
s2,1 s4,1 s6,0 s8,1
s9,1 s10,0 s11,0 s12,0
Bob uses wire keys andgarbled truth-table to
decrypt the wire keys atthe next level
s13,1 s14,0
1
Garbled Circuit Review
I Alice and Bob want to compute a public function(a circuit of size |C | with n inputs)
I Alice will generate key pairs for every wireI Alice will generate garbled truth tables for every gate
(Calculate: 8 symmetric encryptions per gate)I Alice will give Bob the entire garbled circuit
(Communicate: 4 symmetric encryptions per gate)I Alice will give secrets corresponding to her inputsI They will use OT to get Bob secrets corresponding to his inputs
(One OT per input)I Bob will evaluate the entire garbled circuit gate by gate
(Calculate: 2 symmetric decryptions per gate)I Overall
I Calculation: O(|C |) symmetric encryptions for each partyI Communication: O(|C |) symmetric ciphertextsI OT: n parallel oblivious transfersI Entire protocol is only two rounds
Implementing Garbled Circuits
I Fairplay: a garbled circuit compiler [MNPS04]
I Garbled circuits for malicious adversaries [LPS08]Computation of > for 16-bit integers takes 135-360 secondson Intel Core 2 2.13Ghz where running time increases assecurity parameter increases
I TASTY: a compiler which compiles into a mix of garbledcircuits and homomorphic encryption [HOS+10]
I 900-bit hamming distance calculation in .051s on Inter CoreDuo 3Ghz [HEKM11, HSE+11](.019s online time, approximately 10µs per gate)
I Billion-gate circuits against malicious adversaries [KSS12]
I Garble time: 64,000 - 84,000 gates / secI Secure evaluation of AES (50K gates): 29.4s on 4 cores, 1.3s
on 256 coresI 4095-bit edit distance (5.9B gates) in 8.2 hours (82K
gates/sec)
Introduction
Oblivious Transfer
Circuit Garbling
Secure Computation from Secret Sharing
Applications of MPCThe Satellite Problem
Conjunction Analysis: OverviewSpecific CalculationsIntegrationDoing The Computation Securely
ExtrasCryptographic AssumptionsConstructing Oblivious Transfer
Overview of MPCThe GMW/BGW Approach
I The (public) function being computed is written as a circuit
I Each participant secret-shares their private input
I The circuit is evaluated gate-by-gate on the shares(this requires communication between participants)
I Answer is reconstructed from final shares
Secret Sharing [Sha79]Simple linear sharing scheme
I To share s ∈ F2, among twoplayers
I Pick a random r ∈ F2I Create the shares s + r and r
I Keep s + r , send r to otherplayer
s
s = (s + r) + r
r
Linear sharing schemes can compute linear functions
a b
a = a0 + a1
a1
b = b0 + b1
b0
c0 = a0 + b0 c1 = a1 + b1
c0 + c1 = a + b
Given shares of private inputs, parties cancompute shares of any linear function of
the inputs
Linear sharing schemes can compute linear functions
a b
a = a0 + a1
a1
b = b0 + b1
b0
c0 = a0 + b0 c1 = a1 + b1
c0 + c1 = a + b
Given shares of private inputs, parties cancompute shares of any linear function of
the inputs
Linear sharing schemes can compute linear functions
a b
a = a0 + a1
a1
b = b0 + b1
b0
c0 = a0 + b0 c1 = a1 + b1
c0 + c1 = a + b
Given shares of private inputs, parties cancompute shares of any linear function of
the inputs
Linear sharing schemes can compute linear functions
a b
a = a0 + a1
a1
b = b0 + b1
b0
c0 = a0 + b0 c1 = a1 + b1
c0 + c1 = a + b
Given shares of private inputs, parties cancompute shares of any linear function of
the inputs
Linear sharing schemes can compute linear functions
a b
a = a0 + a1
a1
b = b0 + b1
b0
c0 = a0 + b0 c1 = a1 + b1
c0 + c1 = a + b
Given shares of private inputs, parties cancompute shares of any linear function of
the inputs
Linear sharing schemes can compute linear functions
a b
a = a0 + a1
a1
b = b0 + b1
b0
c0 = a0 + b0 c1 = a1 + b1
c0 + c1 = a + b
Given shares of private inputs, parties cancompute shares of any linear function of
the inputs
Multiplying Shares
I We can add shares to get shares of the sum
I How do we multiply shares?
Multiplying Shares
a b
a = a0 + a1
a1
b = b0 + b1
b0
Goal:Alice calculates c0,Bob calculates c1
such that
c0 + c1 = a · b
Multiplying Shares
a b
a = a0 + a1
a1
b = b0 + b1
b0
Goal:Alice calculates c0,Bob calculates c1
such that
c0 + c1 = a · b
Evaluating a circuit on shares
I Idea: each player secret-shares their input, then perform entirecomputation on the shares
I If each player secret-shares their inputs, addition gates can becomputed locally (each player locally adds their shares)
I How do we compute multiplication gates?I Method 1: Oblivious Transfer (OT) [GMW87]I Method 2: Honest Majority [BOGW88, CCD88]
Evaluating a circuit on shares
I Idea: each player secret-shares their input, then perform entirecomputation on the shares
I If each player secret-shares their inputs, addition gates can becomputed locally (each player locally adds their shares)
I How do we compute multiplication gates?I Method 1: Oblivious Transfer (OT) [GMW87]I Method 2: Honest Majority [BOGW88, CCD88]
Multiplying Shares
Alice
a
Bob
b
a = a0 + a1
a1
b = b0 + b1
b0
Goal: Compute shares of a · b
a · b = (a0 + a1)(b0 + b1) = a0b0 + a1b0 + a0b1 + a1b1
Alice can compute a0b0, Bob can compute a1b1
Multiplying Shares
Alice
a
Bob
b
a = a0 + a1
a1
b = b0 + b1
b0
Goal: Compute shares of a · b
a · b = (a0 + a1)(b0 + b1) = a0b0 + a1b0 + a0b1 + a1b1
Alice can compute a0b0, Bob can compute a1b1
Multiplying Shares
Alice
a
Bob
b
a = a0 + a1
a1
b = b0 + b1
b0
Goal: Compute shares of a · b
a · b = (a0 + a1)(b0 + b1) = a0b0 + a1b0 + a0b1 + a1b1
Alice can compute a0b0, Bob can compute a1b1
Multiplying Shares
Alice
a
Bob
b
a = a0 + a1
a1
b = b0 + b1
b0
Goal: Compute shares of a · b
a · b = (a0 + a1)(b0 + b1) = a0b0 + a1b0 + a0b1 + a1b1
Alice can compute a0b0, Bob can compute a1b1
GMW Multiplication
Goal: c0 + c1 = (a0 + a1)(b0 + b1) = a0b0 + a0b1 + b0a1 + a1b1
Alice chooses a random c0, and creates the table
OT input Bob’s Inputs
c0 + (a0b0) a1 = 0, b1 = 0
c0 + (a0b0 + a0) a1 = 0, b1 = 1
c0 + (a0b0 + b0) a1 = 1, b1 = 0
c0 + (a0b0 + b0 + a0 + 1) a1 = 1, b1 = 1
Participant 0 acts as the sender in an OT, with the 4 values in theleft column as inputs.
OT for MultiplicationUsing 1 out out 4 OT to implement 1-bit multiplication
OT
Alice
a0, b0 a1, b1
Bob
c0 + a0b0
c0 + a0b0 + a0
c0 + a0b0 + b0
c0 + a0b0 + a0 + b0 + 1
a1b1
c1
If a1b1 = 00, then(a0 + a1)(b0 + b1) = a0b0
If a1b1 = 01, then(a0 + a1)(b0 + b1) = a0b0 + a0
If a1b1 = 10, then(a0 + a1)(b0 + b1) = a0b0 + b0
If a1b1 = 11, then(a0+a1)(b0+b1) = a0b0+a0+b0+1
c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1
OT for MultiplicationUsing 1 out out 4 OT to implement 1-bit multiplication
OT
Alice
a0, b0 a1, b1
Bob
c0 + a0b0
c0 + a0b0 + a0
c0 + a0b0 + b0
c0 + a0b0 + a0 + b0 + 1
a1b1
c1
If a1b1 = 00, then(a0 + a1)(b0 + b1) = a0b0
If a1b1 = 01, then(a0 + a1)(b0 + b1) = a0b0 + a0
If a1b1 = 10, then(a0 + a1)(b0 + b1) = a0b0 + b0
If a1b1 = 11, then(a0+a1)(b0+b1) = a0b0+a0+b0+1
c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1
OT for MultiplicationUsing 1 out out 4 OT to implement 1-bit multiplication
OT
Alice
a0, b0 a1, b1
Bob
c0 + a0b0
c0 + a0b0 + a0
c0 + a0b0 + b0
c0 + a0b0 + a0 + b0 + 1
a1b1
c1
If a1b1 = 00, then(a0 + a1)(b0 + b1) = a0b0
If a1b1 = 01, then(a0 + a1)(b0 + b1) = a0b0 + a0
If a1b1 = 10, then(a0 + a1)(b0 + b1) = a0b0 + b0
If a1b1 = 11, then(a0+a1)(b0+b1) = a0b0+a0+b0+1
c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1
OT for MultiplicationUsing 1 out out 4 OT to implement 1-bit multiplication
OT
Alice
a0, b0 a1, b1
Bob
c0 + a0b0
c0 + a0b0 + a0
c0 + a0b0 + b0
c0 + a0b0 + a0 + b0 + 1
a1b1
c1
If a1b1 = 00, then(a0 + a1)(b0 + b1) = a0b0
If a1b1 = 01, then(a0 + a1)(b0 + b1) = a0b0 + a0
If a1b1 = 10, then(a0 + a1)(b0 + b1) = a0b0 + b0
If a1b1 = 11, then(a0+a1)(b0+b1) = a0b0+a0+b0+1
c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1
OT for MultiplicationUsing 1 out out 4 OT to implement 1-bit multiplication
OT
Alice
a0, b0 a1, b1
Bob
c0 + a0b0
c0 + a0b0 + a0
c0 + a0b0 + b0
c0 + a0b0 + a0 + b0 + 1
a1b1
c1
If a1b1 = 00, then(a0 + a1)(b0 + b1) = a0b0
If a1b1 = 01, then(a0 + a1)(b0 + b1) = a0b0 + a0
If a1b1 = 10, then(a0 + a1)(b0 + b1) = a0b0 + b0
If a1b1 = 11, then(a0+a1)(b0+b1) = a0b0+a0+b0+1
c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1
OT for MultiplicationUsing 1 out out 4 OT to implement 1-bit multiplication
OT
Alice
a0, b0 a1, b1
Bob
c0 + a0b0
c0 + a0b0 + a0
c0 + a0b0 + b0
c0 + a0b0 + a0 + b0 + 1
a1b1
c1
If a1b1 = 00, then(a0 + a1)(b0 + b1) = a0b0
If a1b1 = 01, then(a0 + a1)(b0 + b1) = a0b0 + a0
If a1b1 = 10, then(a0 + a1)(b0 + b1) = a0b0 + b0
If a1b1 = 11, then(a0+a1)(b0+b1) = a0b0+a0+b0+1
c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1
OT for MultiplicationUsing 1 out out 4 OT to implement 1-bit multiplication
OT
Alice
a0, b0 a1, b1
Bob
c0 + a0b0
c0 + a0b0 + a0
c0 + a0b0 + b0
c0 + a0b0 + a0 + b0 + 1
a1b1
c1
If a1b1 = 00, then(a0 + a1)(b0 + b1) = a0b0
If a1b1 = 01, then(a0 + a1)(b0 + b1) = a0b0 + a0
If a1b1 = 10, then(a0 + a1)(b0 + b1) = a0b0 + b0
If a1b1 = 11, then(a0+a1)(b0+b1) = a0b0+a0+b0+1
c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1
Evaluating Circuits with GMW
I Inputs are secret-shared between participants
I The circuit is evaluated gate-by-gate
I Each gate acts only on shares, so no information is revealed
I Addition gates can be computed locally (no communicationbetween participants)
I Multiplication requires a 1-out-of-4 OTI OT requires public-key operations
I Public-key operations are computationally expensiveI Computation requires a number of rounds equal to the
multiplicative depth of the circuit
Introduction
Oblivious Transfer
Circuit Garbling
Secure Computation from Secret Sharing
Applications of MPCThe Satellite Problem
Conjunction Analysis: OverviewSpecific CalculationsIntegrationDoing The Computation Securely
ExtrasCryptographic AssumptionsConstructing Oblivious Transfer
Secure Auctions
I A secure double auction was executed by Danish sugar beetfarmers and Danisco [BCD+08]
I Danisco is the sole processor of sugar beets in DenmarkI 30% of the world’s sugar comes from sugar beets
I Each participant indicated how much they would buy/sell at agiven price (private input)
I The market clearing price is computed (securely)
I The quantities bought and sold by each bidder was revealed(public output)
I The auction had 1200 bidders, and 25,000 tons of productionrights changed hands
http://eprint.iacr.org/2008/068/http://eprint.iacr.org/2008/068/
Secure Elections
I Implemented by Helios Voting [Adi08]I Used to elect the president of the Université Catholique de
Louvain [UCL09]I Student government representatives at PrincetonI President of the IACR
I Scantegrity Election in Takoma Park [CCC+10]
I Each participant has a vote (private input)
I The winner is tallied (securely)
I The winner is made public (public output)
I Voting systems allow another level of functionality: auditing
http:www.heliosvoting.orghttp://www.iacr.org
Examples of MPC
I Practical demonstrations of MPC have been limited toextremely simple functionalities
I Auctions: (maximum, minimum, threshold functions)
I Elections: (sum, threshold)
Introduction
Oblivious Transfer
Circuit Garbling
Secure Computation from Secret Sharing
Applications of MPCThe Satellite Problem
Conjunction Analysis: OverviewSpecific CalculationsIntegrationDoing The Computation Securely
ExtrasCryptographic AssumptionsConstructing Oblivious Transfer
Preventing Satellite Collisions
The “Iridium Incident” Renews Interest in Collisions
Source: bbc.co.uk
http://news.bbc.co.uk/2/hi/7885051.stm
Collisions in SpaceThese objects are moving fast!
Improving Space Situational Awareness
I What are the risks to current satellites?
I What are the possible mitigation techniques?
I What are the costs / benefits of various techniques?
One Problem in Space
How do you prevent collisionsbetween active satellites?
The Problem with SatellitesOperators won’t share information
I Satellite operators have high fidelity data about theirsatellite’s location
I This information is necessary for computing collisionprobabilities
I Operators are unwilling to share this information
Data sharing could solve the problem
I Data sharing between operators would increase spacesituational awareness [Fou10, KVCB08]
I Operators have tried banding together and sharing their data[LNW09, Cho10]
I This solution is extremely limited because most operators areunwilling to share their data [Cho10]
Motivating Question
How can satellite operatorscoordinate operations withoutrevealing private information?
Current Situation
I The JSpOC tracks 22,000 objects in space
I Low fidelity data are made available in the form of Two-LineElements (TLEs) via space-track.org
I Operators maintain high-accuracy positional information
I High-accuracy should be used to calculate collisionprobabilities (This calculation is called a Conjunction Analysis)
I Conjunction analyses are always performed pair-wise
JSpOC data are not accurate enough
Conjunction Analyses
I Some private operators have entered into data sharingagreements
I Private data are provided to a trusted party
I The trusted party performs the conjunction analyses andnotifies the operators of potential threats
Trusted Party ImplementationsCurrent trusted third party implementations
CSSI (a subsidiary of AGI) runs 300conjunctions twice per day from its 20participating operators [Kel10]
USSTRATCOM performs conjunctionanalyses for SSA Sharing ProgramPartners
Prefiltering
I Public (low-fidelity) data are used to prefilter orbits
I Full conjunction analyses are only performed on potentiallyhazardous orbits
I “the problems with the accuracy of the existing TLE data setshave been well documented, and relying on them for CApre-filtering is seen as problematic.” [HAO10]
PrefilteringPrefiltering in practice
The public dataset can be used to prefilter potential threats
I For 22,000 objects there are approximately 240,000,000 pairsI Using the public catalog to prefilter results in 53,000
hazardous orbits were identified [HAO10]I 5 day windowI 50 km threshold for GEOI 5 km threshold for all other orbitsI To test all these requires one CA every 8 seconds
Secure Function Evaluation
I How quickly can conjunction analyses be performed usingtechniques from Secure Function Evaluation (SFE), SecureMultiparty Computation (MPC) or Fully HomomorphicEncryption (FHE)?
How Secure is MPC?
I Securely calculating a conjunction probability always leaks theconjunction probability
I Protocols provably leak nothing else
Conjunction AnalysisHigh Level Overview
I Two parties have private orbital information
I They wish to calculate the probability of collision
Operator Inputs
Each operator has the following (private) inputs:
I Position (A vector in R3)I Velocity (A vector in R3)I Positional Error (A vector in R3)I Object Radius (A scalar in R)
Simplifying Assumptions
I Objects are modeled as spheres
I Their relative motion is assumed to be linear
I Velocity information is assumed to be exactI Their positional errors are assumed to
I have normal distribution with mean zeroI be uncorrelated
I These assumptions are made in the insecure setting
Conjunction Analysis Calculation
I A conjunction analysis calculation is the three dimensionalintegral over the product of the probability density functionsof the objects
I The assumptions allow this calculation to be greatly simplified
Modeling Objects
I Each object is modeled a normal (Gaussian) distribution, i.e.,it has probability density
f (x , y , z) =1(√
2πσxσyσz)3 e− 12
(x2
σx+ y
2
σy+ z
2
σz
)
(where this has made use of the fact that the errors areindependent in different directions)
I Truncate gaussian after 8 standard deviations [Alf07]
I This results in a probability ellipsoid
Simplifying the Calculations
Because the errors are independent, andthe sum of independent Gaussians is
Gaussian, all error can be shifted to onebody.
The full radius is shifted to the other body.
Integrate Gaussian in “collision tube”
Simplifying the Calculations
Because the errors are independent, andthe sum of independent Gaussians is
Gaussian, all error can be shifted to onebody.
The full radius is shifted to the other body.
Integrate Gaussian in “collision tube”
Simplifying the Calculations
Because the errors are independent, andthe sum of independent Gaussians is
Gaussian, all error can be shifted to onebody.
The full radius is shifted to the other body.
Integrate Gaussian in “collision tube”
Simplifying the Calculations
Because the errors are independent, andthe sum of independent Gaussians is
Gaussian, all error can be shifted to onebody.
The full radius is shifted to the other body.
Integrate Gaussian in “collision tube”
The Encounter Plane
I Slice the three dimensional pdf at the point of nearestapproach, perpendicular to relative velocity
Cross section of pdfCross section ofcollision tube
Encounter Plane
Reducing to Two Dimensions
I The 3D integral along the collision tube is made of 2D slices
I Because the variances are independent, the 2D integral in theencounter plane can be done first, then this can be integratedalong the length of the collision tube, weighted by the pdf inthe third dimension
I Integrating along a single dimension, is like integrating aone-dimensional Gaussian, so we get a number that is almostone
I Thus we can approximate the 3D integral by the 2D integral
The Calculation
Thus a conjunction analysis is the calculation of the following twodimensional integral
P =1
2πσxσy
∫ R−R
∫ √R2−x2−√R2−x2
exp
[−12
[(x − xmσx
)2+
(y − ymσy
)2]]dydx .
I R is the combined radius (the sum of the two radii)I σx , σy are the combined standard deviations in the encounter
planeI (xm, ym) is the location of the center of the collision tube in
the encounter plane
What’s the Most Efficient Way to Compute This Securely?
Secure Computation Techniques
I Additively Homomorphic Encryption
I MPC over binary circuits (GMW)
I MPC over arithmetic circuits [AIK12]
I Fully Homomorphic Encryption [Gen09]
Complexity of Calculation
These MPC applications are orders of magnitudemore complex than any prior applications
The Double Integral
After projecting into the encounter plane, we must compute the doubleintegral
P =1
2πσxσy
∫ R−R
∫ √R2−x2−√R2−x2
exp
[−12
[(x − xmσx
)2+
(y − ymσy
)2]]dydx .
xm, ym, σx , σy ,R are values that depend on both users’s inputs.
Outline of Alfano’s Method
Convert the double integral
P =1
2πσxσy
∫ R−R
∫ √R2−x2−√R2−x2
exp
[−12
[(x − xmσx
)2+
(y − ymσy
)2]]dydx .
to the single integral
P =1√
8πσx
∫ R−R
[erf
(ym +
√R2 − x2√
2σy
)+ erf
(−ym +
√R2 − x2√
2σy
)]exp
(−(x + xm)2
2σ2x
)dx
Where erf(·) is the error function
erf(z) =2√π
∫ z0
e−t2dt
The Error Function erf(·)
erf(x) =2√π
∫ x0
e−t2dt
x
f (x)
f (x) = erf(x)
Approximating the single integral
We want to approximate the single integral that depends on erf(·)and exp(·)
I Taylor expand erf(·) as
erf x =2√π
∞∑n=0
(−1)nx2n+1
n!(2n + 1),
which, by [CR08] has error∣∣∣∣∣erf x − 2√πN∑
n=0
(−1)nx2n+1
n!(2n + 1)
∣∣∣∣∣ ≤ 2√π x2N+1N!(2N + 1) .I Taylor expand exp(·) as ex =
∑∞n=0
xn
n!
I Use Simpson’s rule to approximate the integral
Simpson’s RuleSimpson’s rule says:∫ ba
f (x)dx ≈ ∆x3
(f (a)+4f (a+∆x)+2f (a+2∆x)+4f (a+3∆x)+· · ·+4f (b−∆x)+f (b))
In our situation, this is:∫ R0
f (x)dx ≈ ∆x3
[f (0) + f (R) +
n∑i=1
4f (x2i−1) +n−1∑i=1
2f (x2i )]
]
where ∆x = R/2n, and xi = i∆x . The integrand is:
f (x) =
[erf
(ym +
√R2 − x2√
2σy
)+ erf
(−ym +
√R2 − x2√
2σy
)]·[
exp
(−(x + xm)2
2σ2x
)+ exp
(−(−x + xm)2
2σ2x
)]
Difficulties in Secure Computation
I Securely computing this function raises many techicalchallenges
I What is the most “MPC-friendly” circuit for this function?
Problem: Taylor Approximations fare poorly
1.0e–10
1.0e+10
–5 5x
∣∣∣∣∣erf(x)−50∑n=0
(−1)nx2n+1
n!(2n + 1)
∣∣∣∣∣
This shows the absolute error between erf and its 50 term Taylorexpansion on a logarithmic scale
Using Taylor Expansion in a Window
Possible Solution
I If |x | < 5 use 100 term Taylor expansionI If x > 5 return 1
I If x < −5 return −1
This is very accurate, but it requires comparisons
Using Taylor Expansion in a Window
Possible Solution
I If |x | < 5 use 100 term Taylor expansionI If x > 5 return 1
I If x < −5 return −1This is very accurate, but it requires comparisons
Approximating Erf
erf(x) ≈ 1− 1(1 + a1x + a2x2 + a3x3 + a4x4 + a5x5 + a6x6)16
Where
a1 = .3275911 a4 = .0001520143a2 = .254829592 a5 = .0002765672a3 = .0092705272 a6 = .0000430638
When x > 0. This has an absolute error less than 10−7 across theentire range [AS65].
Adapting Calculations
Problem:
I Taylor approximations are only accurate in certain windows
I Secure comparison gates are inefficient
I Redesign calculation to avoid branching
I Similar problems come up in many natural calculations
I The most efficient insecure calculation may not create themost efficient secure calculation
Changing Variables
P =1√
8πσx
∫ R−R
[erf
(ym +
√R2 − x2√
2σy
)+ erf
(−ym +
√R2 − x2√
2σy
)]exp
(−(x + xm)2
2σ2x
)dx
each term in sum requires calculating√R2 − x2 where R , x are secret
Set z = xR .
P =R√
8πσx
∫ 1−1
[erf
(ym + R
√1− z2√
2σy
)+ erf
(−ym + R
√1− z2√
2σy
)]exp
(−(Rz + xm)2
2σ2x
)dz
I Now square roots are only calculated on public values!I Big performance gains in the secure setting (no gains in the public
setting)
Changing Variables
P =1√
8πσx
∫ R−R
[erf
(ym +
√R2 − x2√
2σy
)+ erf
(−ym +
√R2 − x2√
2σy
)]exp
(−(x + xm)2
2σ2x
)dx
each term in sum requires calculating√R2 − x2 where R , x are secret
Set z = xR .
P =R√
8πσx
∫ 1−1
[erf
(ym + R
√1− z2√
2σy
)+ erf
(−ym + R
√1− z2√
2σy
)]exp
(−(Rz + xm)2
2σ2x
)dz
I Now square roots are only calculated on public values!I Big performance gains in the secure setting (no gains in the public
setting)
Summary
I This project is still ongoing
I We are developing new theoretical cryptographic tools basedon the problems that arise as part of this project
I We are continuing to optimize our calculations to improve theperformance of this specific use-case
Other Applications of MPCDARPA program
I DARPA is developing four applications of MPCI Numerical Analysis: Secure Conjunction AnalysisI Text Processing: Secure spam filterI Signal Processing: Secure voice processingI Graph Algorithms: Secure mapping
Introduction
Oblivious Transfer
Circuit Garbling
Secure Computation from Secret Sharing
Applications of MPCThe Satellite Problem
Conjunction Analysis: OverviewSpecific CalculationsIntegrationDoing The Computation Securely
ExtrasCryptographic AssumptionsConstructing Oblivious Transfer
Introduction
Oblivious Transfer
Circuit Garbling
Secure Computation from Secret Sharing
Applications of MPCThe Satellite Problem
Conjunction Analysis: OverviewSpecific CalculationsIntegrationDoing The Computation Securely
ExtrasCryptographic AssumptionsConstructing Oblivious Transfer
The Discrete Log Problem
Definition (Discrete-Log Problem)
Let G be a cyclic group of order N generated by g . ThusG = {g0, g1, . . . , gN−1}.If k
$← N, then finding k given (g , gk) is called the discrete-logproblem in G.
I If G = Zp (the additive group) then the discrete-log problemis easy in G.
I If G = Z∗P (the multiplicative group) then the discrete-logproblem is assumed to be hard.(“hard” means no probabilistic polynomial-time algorithmexists to solve it)
I If G is the group of points of finite order on a suitable chosenelliptic curve, then the discrete-log problem is assumed to behard.
The Discrete Log Problem
Definition (Discrete-Log Problem)
Let G be a cyclic group of order N generated by g . ThusG = {g0, g1, . . . , gN−1}.If k
$← N, then finding k given (g , gk) is called the discrete-logproblem in G.
I If G = Zp (the additive group) then the discrete-log problemis easy in G.
I If G = Z∗P (the multiplicative group) then the discrete-logproblem is assumed to be hard.(“hard” means no probabilistic polynomial-time algorithmexists to solve it)
I If G is the group of points of finite order on a suitable chosenelliptic curve, then the discrete-log problem is assumed to behard.
The Discrete Log Problem
Definition (Discrete-Log Problem)
Let G be a cyclic group of order N generated by g . ThusG = {g0, g1, . . . , gN−1}.If k
$← N, then finding k given (g , gk) is called the discrete-logproblem in G.
I If G = Zp (the additive group) then the discrete-log problemis easy in G.
I If G = Z∗P (the multiplicative group) then the discrete-logproblem is assumed to be hard.(“hard” means no probabilistic polynomial-time algorithmexists to solve it)
I If G is the group of points of finite order on a suitable chosenelliptic curve, then the discrete-log problem is assumed to behard.
The Computational Diffie-Hellman (CDH) Problem
Definition (Computational Diffie-Hellman Problem)
Let G be a cyclic group of order N generated by g . ThusG = {g0, g1, . . . , gN−1}.If a, b
$← N, then finding gab given (g , ga, gb) is called theComputational Diffie-Hellman problem in G.
I If G = Zp (the additive group) then the CDH problem is easyin G.
I If G = Z∗P (the multiplicative group) then the CDH problem isassumed to be hard.
I If G is the group of points of finite order on a suitable chosenelliptic curve, then the CDH problem is assumed to be hard.
The Computational Diffie-Hellman (CDH) Problem
Definition (Computational Diffie-Hellman Problem)
Let G be a cyclic group of order N generated by g . ThusG = {g0, g1, . . . , gN−1}.If a, b
$← N, then finding gab given (g , ga, gb) is called theComputational Diffie-Hellman problem in G.
I If G = Zp (the additive group) then the CDH problem is easyin G.
I If G = Z∗P (the multiplicative group) then the CDH problem isassumed to be hard.
I If G is the group of points of finite order on a suitable chosenelliptic curve, then the CDH problem is assumed to be hard.
The Computational Diffie-Hellman (CDH) Problem
Definition (Computational Diffie-Hellman Problem)
Let G be a cyclic group of order N generated by g . ThusG = {g0, g1, . . . , gN−1}.If a, b
$← N, then finding gab given (g , ga, gb) is called theComputational Diffie-Hellman problem in G.
I If G = Zp (the additive group) then the CDH problem is easyin G.
I If G = Z∗P (the multiplicative group) then the CDH problem isassumed to be hard.
I If G is the group of points of finite order on a suitable chosenelliptic curve, then the CDH problem is assumed to be hard.
The Decisional Diffie-Hellman (DDH) Problem
Definition (The Decisional Diffie-Hellman (DDH) Problem)
Let G be a cyclic group of order N generated by g . ThusG = {g0, g1, . . . , gN−1}.If a, b, c
$← N, then distinguishing (g , ga, gb, gab) from(g , ga, gb, g c) is called the Decisional Diffie-Hellman problem in G.
I If G = Zp (the additive group) then the DDH problem is easyin G.
I If G = Z∗P (the multiplicative group) then the DDH problemis assumed to be hard.
I If G is the group of points of finite order on a suitable chosenelliptic curve, then the DDH problem is assumed to be hard.
I If G is the group of points of finite order on an elliptic curvewith a pairing the DDH problem is easy
The Decisional Diffie-Hellman (DDH) Problem
Definition (The Decisional Diffie-Hellman (DDH) Problem)
Let G be a cyclic group of order N generated by g . ThusG = {g0, g1, . . . , gN−1}.If a, b, c
$← N, then distinguishing (g , ga, gb, gab) from(g , ga, gb, g c) is called the Decisional Diffie-Hellman problem in G.
I If G = Zp (the additive group) then the DDH problem is easyin G.
I If G = Z∗P (the multiplicative group) then the DDH problemis assumed to be hard.
I If G is the group of points of finite order on a suitable chosenelliptic curve, then the DDH problem is assumed to be hard.
I If G is the group of points of finite order on an elliptic curvewith a pairing the DDH problem is easy
The Decisional Diffie-Hellman (DDH) Problem
Definition (The Decisional Diffie-Hellman (DDH) Problem)
Let G be a cyclic group of order N generated by g . ThusG = {g0, g1, . . . , gN−1}.If a, b, c
$← N, then distinguishing (g , ga, gb, gab) from(g , ga, gb, g c) is called the Decisional Diffie-Hellman problem in G.
I If G = Zp (the additive group) then the DDH problem is easyin G.
I If G = Z∗P (the multiplicative group) then the DDH problemis assumed to be hard.
I If G is the group of points of finite order on a suitable chosenelliptic curve, then the DDH problem is assumed to be hard.
I If G is the group of points of finite order on an elliptic curvewith a pairing the DDH problem is easy
Discrete-Log Type Problems
The Discrete-Logproblem is hard in G
The ComputationalDiffie-Hellman
(CDH) problem ishard in G
The DecisionalDiffie-Hellman
(DDH) problem ishard in G
DDH is easy inelliptic curve groups
with a bilinearpairing, but CDH isassumed to be hard
in those groups
If DL is hard, thenusually CDH is hard
[MW99]
Discrete-Log Type Problems
The Discrete-Logproblem is hard in G
The ComputationalDiffie-Hellman
(CDH) problem ishard in G
The DecisionalDiffie-Hellman
(DDH) problem ishard in G
DDH is easy inelliptic curve groups
with a bilinearpairing, but CDH isassumed to be hard
in those groups
If DL is hard, thenusually CDH is hard
[MW99]
Discrete-Log Type Problems
The Discrete-Logproblem is hard in G
The ComputationalDiffie-Hellman
(CDH) problem ishard in G
The DecisionalDiffie-Hellman
(DDH) problem ishard in G
DDH is easy inelliptic curve groups
with a bilinearpairing, but CDH isassumed to be hard
in those groups
If DL is hard, thenusually CDH is hard
[MW99]
Quadratic Residues
DefinitionAn element y ∈ ZN is called a quadratic residue modulo N if thereexists an x ∈ ZN such that x2 = y mod N.
Legendre Symbol
Definition (Legendre Symbol)
If p is a prime and x ∈ Z∗p, then(x
p
)=
{1 if x is a quadratic residue modulo p−1 if x is not a quadratic residue modulo p
The
Gauss’s law of quadratic reciprocity gives an efficient method forcalculating the Legendre symbol.
Jacobi Symbol
Definition (Jacobi Symbol)
If N = pe11 · · · perr is a positive integer and x ∈ Z∗N , then( xN
)=
(x
p1
)e1· · ·(
x
pr
)er
I Gauss’s law of quadratic reciprocity gives an efficient methodfor calculating the Jacobi symbol
I If(xN
)= −1 then x is not a quadratic residue modulo N
I If(xN
)= 1 then x may or may not be a quadratic residue
modulo N
The Quadratic Residuosity Problem
Definition (The Quadratic Residuosity (QR) Problem)
Let N = pq, then given a random element y ∈ Z∗N such that( yN
)= 1, determining if y is a quadratic residue, i.e., determining
if there exists an x such that x2 = y mod N is called thequadratic residuosity problem.
I Recall:( yN
)=(yp
)(yq
)I if
(yN
)= −1, then y is not a quadratic residue modulo N
I if(yN
)= 1, then
(yp
)=(
yq
)I Given the factorization of N, it is easy to calculate
(yp
)and(
yq
).
Quadratic Residuosity Problem
Factoring is hardThe quadratic
residuosity problem ishard
Using only genericring operations
[JS08]
Quadratic Residuosity Problem
Factoring is hardThe quadratic
residuosity problem ishard
Using only genericring operations
[JS08]
Introduction
Oblivious Transfer
Circuit Garbling
Secure Computation from Secret Sharing
Applications of MPCThe Satellite Problem
Conjunction Analysis: OverviewSpecific CalculationsIntegrationDoing The Computation Securely
ExtrasCryptographic AssumptionsConstructing Oblivious Transfer
Oblivious Transfer is SymmetricReversing OT [WW06]
Sender Receiver
x0
x1
b
xb
OT
OT
Receiver Sender
r
r ⊕ b
x0 ⊕ x1
a
m = x0 + am xb = r ⊕m
Oblivious Transfer is SymmetricReversing OT [WW06]
Sender Receiver
x0
x1
b
xb
OT
OT
Receiver Sender
r
r ⊕ b
x0 ⊕ x1
a
m = x0 + am xb = r ⊕m
Oblivious Transfer is SymmetricReversing OT [WW06]
Sender Receiver
x0
x1
b
xb
OT
OT
Receiver Sender
r
r ⊕ b
x0 ⊕ x1
a
m = x0 + am
xb = r ⊕m
Oblivious Transfer is SymmetricReversing OT [WW06]
Sender Receiver
x0
x1
b
xb
OT
OT
Receiver Sender
r
r ⊕ b
x0 ⊕ x1
a
m = x0 + am xb = r ⊕m
OT From The Quadratic Residuosity (QR) Assumption
QR(N) ={
x2 mod N : x ∈ Z∗N}≈c{
x ∈ Z∗N :( x
N
)= 1}
= QNR(N)
x0, x1 b
Sender Receiver
N = pq
gb$← QNR(N)
g1−b$← QR(N)
g0, g1,N
ri$← ZN
yi = r2i g
xii mod N
}(y0, y1)
xb = 1 iff yb ∈ QNR(N)
OT From The Quadratic Residuosity (QR) Assumption
QR(N) ={
x2 mod N : x ∈ Z∗N}≈c{
x ∈ Z∗N :( x
N
)= 1}
= QNR(N)
x0, x1 b
Sender Receiver
N = pq
gb$← QNR(N)
g1−b$← QR(N)
g0, g1,N
ri$← ZN
yi = r2i g
xii mod N
}(y0, y1)
xb = 1 iff yb ∈ QNR(N)
OT From The Quadratic Residuosity (QR) Assumption
QR(N) ={
x2 mod N : x ∈ Z∗N}≈c{
x ∈ Z∗N :( x
N
)= 1}
= QNR(N)
x0, x1 b
Sender Receiver
N = pq
gb$← QNR(N)
g1−b$← QR(N)
g0, g1,N
ri$← ZN
yi = r2i g
xii mod N
}(y0, y1)
xb = 1 iff yb ∈ QNR(N)
OT From The Quadratic Residuosity (QR) Assumption
QR(N) ={
x2 mod N : x ∈ Z∗N}≈c{
x ∈ Z∗N :( x
N
)= 1}
= QNR(N)
x0, x1 b
Sender Receiver
N = pq
gb$← QNR(N)
g1−b$← QR(N)
g0, g1,N
ri$← ZN
yi = r2i g
xii mod N
}(y0, y1)
xb = 1 iff yb ∈ QNR(N)
OT From Trapdoor Permutations
F is a family of trapdoor permutations from {0, 1}n to {0, 1}n
x0, x1 b
Sender Receiver
f , f −1$← F
r$← {0, 1}n
(f , r)w
$← {0, 1}n
yb = f (w)
y1−b$← {0, 1}n
(y0, y1)
z0 = f−1(y0)
z1 = f−1(y1)
c0 = x0 ⊕ 〈r, z0〉c1 = x1 ⊕ 〈r, z1〉
(c0, c1)
xb = 〈w, r〉 ⊕ cb
OT From Trapdoor Permutations
F is a family of trapdoor permutations from {0, 1}n to {0, 1}n
x0, x1 b
Sender Receiverf , f −1
$← F
r$← {0, 1}n
(f , r)
w$← {0, 1}n
yb = f (w)
y1−b$← {0, 1}n
(y0, y1)
z0 = f−1(y0)
z1 = f−1(y1)
c0 = x0 ⊕ 〈r, z0〉c1 = x1 ⊕ 〈r, z1〉
(c0, c1)
xb = 〈w, r〉 ⊕ cb
OT From Trapdoor Permutations
F is a family of trapdoor permutations from {0, 1}n to {0, 1}n
x0, x1 b
Sender Receiverf , f −1
$← F
r$← {0, 1}n
(f , r)w
$← {0, 1}n
yb = f (w)
y1−b$← {0, 1}n
(y0, y1)
z0 = f−1(y0)
z1 = f−1(y1)
c0 = x0 ⊕ 〈r, z0〉c1 = x1 ⊕ 〈r, z1〉
(c0, c1)
xb = 〈w, r〉 ⊕ cb
OT From Trapdoor Permutations
F is a family of trapdoor permutations from {0, 1}n to {0, 1}n
x0, x1 b
Sender Receiverf , f −1
$← F
r$← {0, 1}n
(f , r)w
$← {0, 1}n
yb = f (w)
y1−b$← {0, 1}n
(y0, y1)
z0 = f−1(y0)
z1 = f−1(y1)
c0 = x0 ⊕ 〈r, z0〉c1 = x1 ⊕ 〈r, z1〉
(c0, c1)
xb = 〈w, r〉 ⊕ cb
OT From Trapdoor Permutations
F is a family of trapdoor permutations from {0, 1}n to {0, 1}n
x0, x1 b
Sender Receiverf , f −1
$← F
r$← {0, 1}n
(f , r)w
$← {0, 1}n
yb = f (w)
y1−b$← {0, 1}n
(y0, y1)
z0 = f−1(y0)
z1 = f−1(y1)
c0 = x0 ⊕ 〈r, z0〉c1 = x1 ⊕ 〈r, z1〉
(c0, c1)
xb = 〈w, r〉 ⊕ cb
OT From The DDH AssumptionFrom Universal Hash Proofs [HK07]
(g0, g1, gk00 , g
k11 ) ≈c (g0, g1, g
k0 , g
k1 )
x0, x1 b
Sender Receiver
w$← [|G|]
(βb, γb) = (gw1 , g
w2 )
(β1−b, γ1−b) = (r1, r2)
(β0, γ0), (β1, γ1)k0, k1
$← [|G|]α = gk00 · g
k11 mod p
y0 = βk00 · γ
k10 · g
s00
y1 = βk01 · γ
k11 · g
s10
(y0, y1)
xb = 1 iff yb · α−w = g
OT From The DDH AssumptionFrom Universal Hash Proofs [HK07]
(g0, g1, gk00 , g
k11 ) ≈c (g0, g1, g
k0 , g
k1 )
x0, x1 b
Sender Receiver
w$← [|G|]
(βb, γb) = (gw1 , g
w2 )
(β1−b, γ1−b) = (r1, r2)
(β0, γ0), (β1, γ1)
k0, k1$← [|G|]
α = gk00 · gk11 mod p
y0 = βk00 · γ
k10 · g
s00
y1 = βk01 · γ
k11 · g
s10
(y0, y1)
xb = 1 iff yb · α−w = g
OT From The DDH AssumptionFrom Universal Hash Proofs [HK07]
(g0, g1, gk00 , g
k11 ) ≈c (g0, g1, g
k0 , g
k1 )
x0, x1 b
Sender Receiver
w$← [|G|]
(βb, γb) = (gw1 , g
w2 )
(β1−b, γ1−b) = (r1, r2)
(β0, γ0), (β1, γ1)k0, k1
$← [|G|]α = gk00 · g
k11 mod p
y0 = βk00 · γ
k10 · g
s00
y1 = βk01 · γ
k11 · g
s10
(y0, y1)
xb = 1 iff yb · α−w = g
OT From The DDH AssumptionFrom Universal Hash Proofs [HK07]
(g0, g1, gk00 , g
k11 ) ≈c (g0, g1, g
k0 , g
k1 )
x0, x1 b
Sender Receiver
w$← [|G|]
(βb, γb) = (gw1 , g
w2 )
(β1−b, γ1−b) = (r1, r2)
(β0, γ0), (β1, γ1)k0, k1
$← [|G|]α = gk00 · g
k11 mod p
y0 = βk00 · γ
k10 · g
s00
y1 = βk01 · γ
k11 · g
s10
(y0, y1)
xb = 1 iff yb · α−w = g
String OT
OTm`
Sender Receiver
(x1,0, . . . , xm,0)
(x1,1, . . . , xm,1)
(b1, . . . , bm)
(x1,b1 , . . . , xm,bm)
I Sender has 2m strings of length `
I Receiver chooses m of them
The [IKNP03] Extension ProtocolOTm` from OT
λm
fj(·) are random oracle hash funtions fj : {0, 1}λ → {0, 1}m
Sender Receiver
(x1,0, . . . , xm,0)
(x1,1, . . . , xm,1)
r = (r1, . . . , rm)
x1,r1 , . . . , xm,rm
OT
Receiver generates a random m × λ matrix
T =
| |t1 · · · tλ| |
= − t1 −...− tm −
Sender generates λ random bits s1, . . . , sλ
OTλm
Receiver Sender
(t1, . . . , tλ)
(t1 ⊕ r, . . . , tλ ⊕ r)
s1, . . . , sλ{t i ⊕ (si · r)
}λi=1
Q =
| |(s1 · r) + t1 · · · (sk · r) + tλ| |
= − (s · r1) + t1 −...− (s · rm) + tm −
= − q1 −...− qm −
Q ∈ {0, 1}m×λ
yj ,0 = xj ,0 + fj(qj)
yj ,1 = xj ,1 + fj(qj ⊕ s)
{yj ,0, yj ,1}mj=1xj ,rj = yj ,rj ⊕ fj(tj)
Receiver’s real input r is blinded bycolumns t i
Sender’s real input {xi ,j} is blinded by hashes of rows of QIf ri = 0 then qi = ti
If ri = 1 then qi = ti + s
This method of OTm` requires:
I OTλm (we will have m� λ)I m calls to the Random Oracle (in practice: AES)I 2`m bits of communication
Benefit: reduces the number of public-key operations since λ� m.
The [IKNP03] Extension ProtocolOTm` from OT
λm
fj(·) are random oracle hash funtions fj : {0, 1}λ → {0, 1}m
Sender Receiver
(x1,0, . . . , xm,0)
(x1,1, . . . , xm,1)
r = (r1, . . . , rm)
x1,r1 , . . . , xm,rm
OT
Receiver generates a random m × λ matrix
T =
| |t1 · · · tλ| |
= − t1 −...− tm −
Sender generates λ random bits s1, . . . , sλ
OTλm
Receiver Sender
(t1, . . . , tλ)
(t1 ⊕ r, . . . , tλ ⊕ r)
s1, . . . , sλ{t i ⊕ (si · r)
}λi=1
Q =
| |(s1 · r) + t1 · · · (sk · r) + tλ| |
= − (s · r1) + t1 −...− (s · rm) + tm −
= − q1 −...− qm −
Q ∈ {0, 1}m×λ
yj ,0 = xj ,0 + fj(qj)
yj ,1 = xj ,1 + fj(qj ⊕ s)
{yj ,0, yj ,1}mj=1xj ,rj = yj ,rj ⊕ fj(tj)
Receiver’s real input r is blinded bycolumns t i
Sender’s real input {xi ,j} is blinded by hashes of rows of QIf ri = 0 then qi = ti
If ri = 1 then qi = ti + s
This method of OTm` requires:
I OTλm (we will have m� λ)I m calls to the Random Oracle (in practice: AES)I 2`m bits of communication
Benefit: reduces the number of public-key operations since λ� m.
The [IKNP03] Extension ProtocolOTm` from OT
λm
fj(·) are random oracle hash funtions fj : {0, 1}λ → {0, 1}m
Sender Receiver
(x1,0, . . . , xm,0)
(x1,1, . . . , xm,1)
r = (r1, . . . , rm)
x1,r1 , . . . , xm,rm
OT
Receiver generates a random m × λ matrix
T =
| |t1 · · · tλ| |
= − t1 −...− tm −
Sender generates λ random bits s1, . . . , sλ
OTλm
Receiver Sender
(t1, . . . , tλ)
(t1 ⊕ r, . . . , tλ ⊕ r)
s1, . . . , sλ
{t i ⊕ (si · r)
}λi=1
Q =
| |(s1 · r) + t1 · · · (sk · r) + tλ| |
= − (s · r1) + t1 −...− (s · rm) + tm −
= − q1 −...− qm −
Q ∈ {0, 1}m×λ
yj ,0 = xj ,0 + fj(qj)
yj ,1 = xj ,1 + fj(qj ⊕ s)
{yj ,0, yj ,1}mj=1xj ,rj = yj ,rj ⊕ fj(tj)
Receiver’s real input r is blinded bycolumns t i
Sender’s real input {xi ,j} is blinded by hashes of rows of QIf ri = 0 then qi = ti
If ri = 1 then qi = ti + s
This method of OTm` requires:
I OTλm (we will have m� λ)I m calls to the Random Oracle (in practice: AES)I 2`m bits of communication
Benefit: reduces the number of public-key operations since λ� m.
The [IKNP03] Extension ProtocolOTm` from OT
λm
fj(·) are random oracle hash funtions fj : {0, 1}λ → {0, 1}m