Oblivious Transfer and Secure Multiparty Computationnadiah/courses/cis800-02-f13/...The...

211
Oblivious Transfer and Secure Multiparty Computation Brett Hemenway September 11th 2013

Transcript of Oblivious Transfer and Secure Multiparty Computationnadiah/courses/cis800-02-f13/...The...

  • Oblivious Transfer and Secure MultipartyComputation

    Brett Hemenway

    September 11th 2013

  • Introduction

    Oblivious Transfer

    Circuit Garbling

    Secure Computation from Secret Sharing

    Applications of MPCThe Satellite Problem

    Conjunction Analysis: OverviewSpecific CalculationsIntegrationDoing The Computation Securely

    ExtrasCryptographic AssumptionsConstructing Oblivious Transfer

  • The Millionaire’s ProblemAn example of secure two-party computation

    I Two Millionaires want to determine who is richer, withoutrevealing their wealth [Yao82]

    I They want a secure computation of a comparison (

  • Solving the Millionaire’s Problem

    I If there is a family of one-way trapdoor permutations, F ,f : X → Y for f ∈ Fe.g. f (x) = xe mod N (the RSA function)

    I and a hash function H : X → ZI Then there is a simple solution to the Millionaire’s Problem

    I We assume Alice’s wealth is a, Bob’s is b, and there is an apriori upper bound m > max(a, b).

  • Solving the Millionaire’s Problem

    Alice

    a

    f , f −1$← F

    f

    Bob

    bf

    x$← X

    y = f (x)− b

    y

    Alice

    a

    xbx0 . . . . . . xm−1

    xi = f−1(y + i) for i = 0, . . . ,m − 1 y

    xb = f−1(y + b) = f −1((f (x)− b) + b) = x

    ri =

    {H(xi + 1) for i = 0, . . . , aH(xi ) for i = a + 1, . . . ,m − 1

    rbr0 . . . . . . rm−1

    a > b ⇒ rb = H(x)

    Alice

    a

    {ri}m−1i=0

    Bob

    b{ri}m−1i=0 x $← X

    y = f (x)− b

    if H(x) = rb then a > b

    if H(x) 6= rb then a ≤ b

  • Solving the Millionaire’s Problem

    Alice

    a

    f , f −1$← F

    f

    Bob

    bf

    x$← X

    y = f (x)− b

    y

    Alice

    a

    xbx0 . . . . . . xm−1

    xi = f−1(y + i) for i = 0, . . . ,m − 1 y

    xb = f−1(y + b) = f −1((f (x)− b) + b) = x

    ri =

    {H(xi + 1) for i = 0, . . . , aH(xi ) for i = a + 1, . . . ,m − 1

    rbr0 . . . . . . rm−1

    a > b ⇒ rb = H(x)

    Alice

    a

    {ri}m−1i=0

    Bob

    b{ri}m−1i=0 x $← X

    y = f (x)− b

    if H(x) = rb then a > b

    if H(x) 6= rb then a ≤ b

  • Solving the Millionaire’s Problem

    Alice

    a

    f , f −1$← F

    f

    Bob

    bf

    x$← X

    y = f (x)− b

    y

    Alice

    a

    xbx0 . . . . . . xm−1

    xi = f−1(y + i) for i = 0, . . . ,m − 1 y

    xb = f−1(y + b) = f −1((f (x)− b) + b) = x

    ri =

    {H(xi + 1) for i = 0, . . . , aH(xi ) for i = a + 1, . . . ,m − 1

    rbr0 . . . . . . rm−1

    a > b ⇒ rb = H(x)

    Alice

    a

    {ri}m−1i=0

    Bob

    b{ri}m−1i=0 x $← X

    y = f (x)− b

    if H(x) = rb then a > b

    if H(x) 6= rb then a ≤ b

  • Solving the Millionaire’s Problem

    Alice

    a

    f , f −1$← F

    f

    Bob

    bf

    x$← X

    y = f (x)− b

    y

    Alice

    a

    xbx0 . . . . . . xm−1

    xi = f−1(y + i) for i = 0, . . . ,m − 1 y

    xb = f−1(y + b) = f −1((f (x)− b) + b) = x

    ri =

    {H(xi + 1) for i = 0, . . . , aH(xi ) for i = a + 1, . . . ,m − 1

    rbr0 . . . . . . rm−1

    a > b ⇒ rb = H(x)

    Alice

    a

    {ri}m−1i=0

    Bob

    b{ri}m−1i=0 x $← X

    y = f (x)− b

    if H(x) = rb then a > b

    if H(x) 6= rb then a ≤ b

  • Solving the Millionaire’s Problem

    Alice

    a

    f , f −1$← F

    f

    Bob

    bf

    x$← X

    y = f (x)− b

    y

    Alice

    a

    xbx0 . . . . . . xm−1

    xi = f−1(y + i) for i = 0, . . . ,m − 1 y

    xb = f−1(y + b) = f −1((f (x)− b) + b) = x

    ri =

    {H(xi + 1) for i = 0, . . . , aH(xi ) for i = a + 1, . . . ,m − 1

    rbr0 . . . . . . rm−1

    a > b ⇒ rb = H(x)

    Alice

    a

    {ri}m−1i=0

    Bob

    b{ri}m−1i=0 x $← X

    y = f (x)− b

    if H(x) = rb then a > b

    if H(x) 6= rb then a ≤ b

  • Solving the Millionaire’s Problem

    Alice

    a

    f , f −1$← F

    f

    Bob

    bf

    x$← X

    y = f (x)− b

    y

    Alice

    a

    xbx0 . . . . . . xm−1

    xi = f−1(y + i) for i = 0, . . . ,m − 1 y

    xb = f−1(y + b) = f −1((f (x)− b) + b) = x

    ri =

    {H(xi + 1) for i = 0, . . . , aH(xi ) for i = a + 1, . . . ,m − 1

    rbr0 . . . . . . rm−1

    a > b ⇒ rb = H(x)

    Alice

    a

    {ri}m−1i=0

    Bob

    b{ri}m−1i=0 x $← X

    y = f (x)− b

    if H(x) = rb then a > b

    if H(x) 6= rb then a ≤ b

  • Solving the Millionaire’s Problem

    Alice

    a

    f , f −1$← F

    f

    Bob

    bf

    x$← X

    y = f (x)− b

    y

    Alice

    a

    xbx0 . . . . . . xm−1

    xi = f−1(y + i) for i = 0, . . . ,m − 1 y

    xb = f−1(y + b) = f −1((f (x)− b) + b) = x

    ri =

    {H(xi + 1) for i = 0, . . . , aH(xi ) for i = a + 1, . . . ,m − 1

    rbr0 . . . . . . rm−1

    a > b ⇒ rb = H(x)

    Alice

    a

    {ri}m−1i=0

    Bob

    b{ri}m−1i=0 x $← X

    y = f (x)− b

    if H(x) = rb then a > b

    if H(x) 6= rb then a ≤ b

  • Secure Multiparty Computation

    I Cryptographic tools exist that allow a group of participants tosecurely calculate any function of their joint inputs.

    I Cryptography removes the need for a trusted third party

  • Privacy is defined in a simulation paradigm

    I A protocol is secure if there is a simulator that, when givenonly the output of the protocol can simulate an execution ofthe protocol that is indistinguishable from the real protocol.

    I This ensures that nothing beyond the output of the protocolis learned

    I In the Millionaire’s Problem revealing whose salary is higherleaks information. A secure protocol should leak nothing more.

  • Security Models

    Definition (Semi-Honest Adversaries)

    Semi-Honest (Honest-But-Curious) adversaries

    I always follow whatever protocol they are asked to perform

    I always send well-formed messages

    I try to learn other participants’ secrets by looking at their owntranscript in the protocol

    Definition (Malicious Adversaries)

    Malicious adversaries are:

    I allowed to deviate from the protocol

    I allowed to send mal-formed messages

    I allowed to behave in any way

    Standard technique: first build protocols in the Semi-Honestmodel. Then use standard tools (e.g. Zero-Knowledge proofs) toforce participants to follow the protocol

  • Security Models

    Definition (Semi-Honest Adversaries)

    Semi-Honest (Honest-But-Curious) adversaries

    I always follow whatever protocol they are asked to perform

    I always send well-formed messages

    I try to learn other participants’ secrets by looking at their owntranscript in the protocol

    Definition (Malicious Adversaries)

    Malicious adversaries are:

    I allowed to deviate from the protocol

    I allowed to send mal-formed messages

    I allowed to behave in any way

    Standard technique: first build protocols in the Semi-Honestmodel. Then use standard tools (e.g. Zero-Knowledge proofs) toforce participants to follow the protocol

  • Methods of Secure MPC

    Protocol Assumption Players Reference

    Yao’s Garbled Circuit OT 2 [Yao82, Yao86]

    GMW OT 2+ [GMW87]

    BGW/CCD Honest Majority 3+ [BOGW88, CCD88]

    FHE Lattice Problems 2+ [Gen09]

  • Methods of Secure MPC

    Protocol Assumption Players Reference

    Yao’s Garbled Circuit OT 2 [Yao82, Yao86]

    GMW OT 2+ [GMW87]

    BGW/CCD Honest Majority 3+ [BOGW88, CCD88]

    FHE Lattice Problems 2+ [Gen09]

  • Introduction

    Oblivious Transfer

    Circuit Garbling

    Secure Computation from Secret Sharing

    Applications of MPCThe Satellite Problem

    Conjunction Analysis: OverviewSpecific CalculationsIntegrationDoing The Computation Securely

    ExtrasCryptographic AssumptionsConstructing Oblivious Transfer

  • Oblivious Transfer

    OT

    Sender Receiver

    x0

    x1

    b

    xb

    I S learns nothing about b

    I R learns nothing about X1−b

  • Oblivious Transfer

    OT

    Sender Receiver

    x0

    x1

    b

    xb

    I S learns nothing about b

    I R learns nothing about X1−b

  • Facts About OT

    I Introduced by Rabin [Rab81], Even, Goldreich and Lempel [EGL85]I OT is equivalent to random OT [Cré88]I OT is symmetric [WW06]I OT is “complete” for secure multiparty computation [Kil88, IPS08]I Black-box construction of OT from one-way permutations implies

    P 6= NP [IR89]I Perfect OT cannot be constructed using quantum mechanics [Lo97]I OTs can be extended under computational assumptions [IKNP03]I OTs cannot be extended using quantum mechanics [SSS09, WW10]I OT impies PKE, but not vice-versa [GKM+00]I Constructions:

    I PIR [CMO00]I DDH [NP01]I Projective hash proofs [Kal05, HK07]I Blind signatures (requires RO) [CNS07]I Bilinear assumptions [GH07]I Dual-mode encryption [PVW08]I Noisy Channels [IKO+11]

  • OT From The DDH AssumptionBlind Generation of El-Gamal Public-keys

    (g , ga, gb, gab) ≈c (g , ga, gb, g c)

    x0, x1 b

    Sender Receiver

    w$← [|G|]

    βb = gw

    β1−b = r

    (β0, β1)k0, k1

    $← [|G|]α0 = g

    k0

    α1 = gk1

    γ0 = hk00 g

    x0

    γ1 = hk11 g

    x1

    ((α0, γ0), (α1, γ1))

    xb = 1 iff γb · α−wb = g

  • OT From The DDH AssumptionBlind Generation of El-Gamal Public-keys

    (g , ga, gb, gab) ≈c (g , ga, gb, g c)

    x0, x1 b

    Sender Receiver

    w$← [|G|]

    βb = gw

    β1−b = r

    (β0, β1)

    k0, k1$← [|G|]

    α0 = gk0

    α1 = gk1

    γ0 = hk00 g

    x0

    γ1 = hk11 g

    x1

    ((α0, γ0), (α1, γ1))

    xb = 1 iff γb · α−wb = g

  • OT From The DDH AssumptionBlind Generation of El-Gamal Public-keys

    (g , ga, gb, gab) ≈c (g , ga, gb, g c)

    x0, x1 b

    Sender Receiver

    w$← [|G|]

    βb = gw

    β1−b = r

    (β0, β1)k0, k1

    $← [|G|]α0 = g

    k0

    α1 = gk1

    γ0 = hk00 g

    x0

    γ1 = hk11 g

    x1

    ((α0, γ0), (α1, γ1))

    xb = 1 iff γb · α−wb = g

  • OT From The DDH AssumptionBlind Generation of El-Gamal Public-keys

    (g , ga, gb, gab) ≈c (g , ga, gb, g c)

    x0, x1 b

    Sender Receiver

    w$← [|G|]

    βb = gw

    β1−b = r

    (β0, β1)k0, k1

    $← [|G|]α0 = g

    k0

    α1 = gk1

    γ0 = hk00 g

    x0

    γ1 = hk11 g

    x1

    ((α0, γ0), (α1, γ1))

    xb = 1 iff γb · α−wb = g

  • Oblivious Transfer

    OT

    Sender Receiver

    x0

    x1

    b

    xb

    I S learns nothing about b

    I R learns nothing about X1−b

  • Random Oblivious Transfer

    OT

    Sender Receiver

    x0

    x1

    b

    xb

    I S learns nothing about b

    I R learns nothing about X1−b

  • Random OT + 3 Bits Communication = OTPrecomputing OT

    Sender Receiver

    x0

    x1

    b

    xb

    OT

    ROT

    ReceiverSender

    y0

    y1

    c

    yc

    b ⊕ cd

    z0 = x0 ⊕ ydz1 = x1 ⊕ y1−d

    (z0, z1)

    zb ⊕ yc

    y0, y1 generated at random

    Idea: use Random OT onrandom values as a one-time

    pad to blind real OT

    if b = 0 then d = c , so receiver knows ydif b = 1 then d = 1− c , so receiver knows y1−d

  • Random OT + 3 Bits Communication = OTPrecomputing OT

    Sender Receiver

    x0

    x1

    b

    xb

    OT

    ROT

    ReceiverSender

    y0

    y1

    c

    yc

    b ⊕ cd

    z0 = x0 ⊕ ydz1 = x1 ⊕ y1−d

    (z0, z1)

    zb ⊕ yc

    y0, y1 generated at random

    Idea: use Random OT onrandom values as a one-time

    pad to blind real OT

    if b = 0 then d = c , so receiver knows ydif b = 1 then d = 1− c , so receiver knows y1−d

  • Random OT + 3 Bits Communication = OTPrecomputing OT

    Sender Receiver

    x0

    x1

    b

    xb

    OT

    ROT

    ReceiverSender

    y0

    y1

    c

    yc

    b ⊕ cd

    z0 = x0 ⊕ ydz1 = x1 ⊕ y1−d

    (z0, z1)

    zb ⊕ yc

    y0, y1 generated at random

    Idea: use Random OT onrandom values as a one-time

    pad to blind real OT

    if b = 0 then d = c , so receiver knows ydif b = 1 then d = 1− c , so receiver knows y1−d

  • Random OT + 3 Bits Communication = OTPrecomputing OT

    Sender Receiver

    x0

    x1

    b

    xb

    OT

    ROT

    ReceiverSender

    y0

    y1

    c

    yc

    b ⊕ cd

    z0 = x0 ⊕ ydz1 = x1 ⊕ y1−d

    (z0, z1)

    zb ⊕ yc

    y0, y1 generated at random

    Idea: use Random OT onrandom values as a one-time

    pad to blind real OT

    if b = 0 then d = c , so receiver knows ydif b = 1 then d = 1− c , so receiver knows y1−d

  • Random OT + 3 Bits Communication = OTPrecomputing OT

    Sender Receiver

    x0

    x1

    b

    xb

    OT

    ROT

    ReceiverSender

    y0

    y1

    c

    yc

    b ⊕ cd

    z0 = x0 ⊕ ydz1 = x1 ⊕ y1−d

    (z0, z1)

    zb ⊕ yc

    y0, y1 generated at random

    Idea: use Random OT onrandom values as a one-time

    pad to blind real OT

    if b = 0 then d = c , so receiver knows ydif b = 1 then d = 1− c , so receiver knows y1−d

  • Random OT + 3 Bits Communication = OTPrecomputing OT

    Sender Receiver

    x0

    x1

    b

    xb

    OT

    ROT

    ReceiverSender

    y0

    y1

    c

    yc

    b ⊕ cd

    z0 = x0 ⊕ ydz1 = x1 ⊕ y1−d

    (z0, z1)

    zb ⊕ yc

    y0, y1 generated at random

    Idea: use Random OT onrandom values as a one-time

    pad to blind real OT

    if b = 0 then d = c , so receiver knows ydif b = 1 then d = 1− c , so receiver knows y1−d

  • Random OT + 3 Bits Communication = OTPrecomputing OT

    Sender Receiver

    x0

    x1

    b

    xb

    OT

    ROT

    ReceiverSender

    y0

    y1

    c

    yc

    b ⊕ cd

    z0 = x0 ⊕ ydz1 = x1 ⊕ y1−d

    (z0, z1)

    zb ⊕ yc

    y0, y1 generated at random

    Idea: use Random OT onrandom values as a one-time

    pad to blind real OT

    if b = 0 then d = c , so receiver knows ydif b = 1 then d = 1− c , so receiver knows y1−d

  • Precomputing OT

    I Offline: before inputs are known, run many OT protocols

    I This generates many OT “triples” (y0, y1) and (c , yc)

    I Online: once inputs are known, OT triples can be consumed

    I Online phase is cheap (in computation and communication)

  • Introduction

    Oblivious Transfer

    Circuit Garbling

    Secure Computation from Secret Sharing

    Applications of MPCThe Satellite Problem

    Conjunction Analysis: OverviewSpecific CalculationsIntegrationDoing The Computation Securely

    ExtrasCryptographic AssumptionsConstructing Oblivious Transfer

  • Yao’s Garbled Circuit Overview

    Two parties, Alice and Bob, want to compute a public function onprivate inputs.High-Level Approach

    I Public function is written as a circuit

    I Alice will “garble” the circuit

    I Alice will send the “garbled” circuit to Bob

    I Alice and Bob will engage in OT to get Bob his “garbled”inputs

    I Bob will use the garbled inputs to compute circuitgate-by-gate

  • Garbling a Gate

    x0 x1

    y = x0 · x1

    x0 x1 x0 · x10 0 0

    0 1 0

    1 0 0

    1 1 1

    0 1 0 1

    0 1

    0 1 0 1

    u0 u1

    s0 s1 0 1

    u0 u1

    s0 s1 t0 t1

    u0 u1

    Sample u0, u1 randomly from {0, 1}λ

    Replace output values with random strings

    u0

    u0

    u0

    u1

    s0

    s0

    s1

    s1

    Sample s0, s1 randomly from {0, 1}λSample t0, t1 randomly from {0, 1}λ

    Replace input values with random strings

    t0

    t1

    t0

    t1

    u0

    u0

    u0

    u1

    Encrypt output values under input keys

    (Encryption is symmetric-key, e.g. AES)

    Es0(Et0(u0))

    Es0(Et1(u0))

    Es1(Et0(u0))

    Es1(Et1(u1))s0

    s0

    s1

    s1

    t0

    t1

    t0

    t1

    Es0(Et0(u0))

    Es0(Et1(u0))

    Es1(Et0(u0))

    Es1(Et1(u1))

    Shuffle rows of tableI This is a “garbled gate”I Input secrets s, t allow

    decryption of output secret u

    I Garbled truth-table canbe made public

    I Knowing one of {s0, s1}and one of {t0, t1} allowscomputation of garbledoutput

  • Garbling a Gate

    x0 x1

    y = x0 · x1

    x0 x1 x0 · x10 0 0

    0 1 0

    1 0 0

    1 1 1

    0 1 0 1

    0 1

    0 1 0 1

    u0 u1

    s0 s1 0 1

    u0 u1

    s0 s1 t0 t1

    u0 u1

    Sample u0, u1 randomly from {0, 1}λ

    Replace output values with random strings

    u0

    u0

    u0

    u1

    s0

    s0

    s1

    s1

    Sample s0, s1 randomly from {0, 1}λSample t0, t1 randomly from {0, 1}λ

    Replace input values with random strings

    t0

    t1

    t0

    t1

    u0

    u0

    u0

    u1

    Encrypt output values under input keys

    (Encryption is symmetric-key, e.g. AES)

    Es0(Et0(u0))

    Es0(Et1(u0))

    Es1(Et0(u0))

    Es1(Et1(u1))s0

    s0

    s1

    s1

    t0

    t1

    t0

    t1

    Es0(Et0(u0))

    Es0(Et1(u0))

    Es1(Et0(u0))

    Es1(Et1(u1))

    Shuffle rows of tableI This is a “garbled gate”I Input secrets s, t allow

    decryption of output secret u

    I Garbled truth-table canbe made public

    I Knowing one of {s0, s1}and one of {t0, t1} allowscomputation of garbledoutput

  • Garbling a Gate

    x0 x1

    y = x0 · x1

    x0 x1 x0 · x10 0 0

    0 1 0

    1 0 0

    1 1 1

    0 1 0 1

    0 1

    0 1 0 1

    u0 u1

    s0 s1 0 1

    u0 u1

    s0 s1 t0 t1

    u0 u1

    Sample u0, u1 randomly from {0, 1}λ

    Replace output values with random strings

    u0

    u0

    u0

    u1

    s0

    s0

    s1

    s1

    Sample s0, s1 randomly from {0, 1}λ

    Sample t0, t1 randomly from {0, 1}λ

    Replace input values with random strings

    t0

    t1

    t0

    t1

    u0

    u0

    u0

    u1

    Encrypt output values under input keys

    (Encryption is symmetric-key, e.g. AES)

    Es0(Et0(u0))

    Es0(Et1(u0))

    Es1(Et0(u0))

    Es1(Et1(u1))s0

    s0

    s1

    s1

    t0

    t1

    t0

    t1

    Es0(Et0(u0))

    Es0(Et1(u0))

    Es1(Et0(u0))

    Es1(Et1(u1))

    Shuffle rows of tableI This is a “garbled gate”I Input secrets s, t allow

    decryption of output secret u

    I Garbled truth-table canbe made public

    I Knowing one of {s0, s1}and one of {t0, t1} allowscomputation of garbledoutput

  • Garbling a Gate

    x0 x1

    y = x0 · x1

    x0 x1 x0 · x10 0 0

    0 1 0

    1 0 0

    1 1 1

    0 1 0 1

    0 1

    0 1 0 1

    u0 u1

    s0 s1 0 1

    u0 u1

    s0 s1 t0 t1

    u0 u1

    Sample u0, u1 randomly from {0, 1}λ

    Replace output values with random strings

    u0

    u0

    u0

    u1

    s0

    s0

    s1

    s1

    Sample s0, s1 randomly from {0, 1}λ

    Sample t0, t1 randomly from {0, 1}λ

    Replace input values with random strings

    t0

    t1

    t0

    t1

    u0

    u0

    u0

    u1

    Encrypt output values under input keys

    (Encryption is symmetric-key, e.g. AES)

    Es0(Et0(u0))

    Es0(Et1(u0))

    Es1(Et0(u0))

    Es1(Et1(u1))s0

    s0

    s1

    s1

    t0

    t1

    t0

    t1

    Es0(Et0(u0))

    Es0(Et1(u0))

    Es1(Et0(u0))

    Es1(Et1(u1))

    Shuffle rows of tableI This is a “garbled gate”I Input secrets s, t allow

    decryption of output secret u

    I Garbled truth-table canbe made public

    I Knowing one of {s0, s1}and one of {t0, t1} allowscomputation of garbledoutput

  • Garbling a Gate

    x0 x1

    y = x0 · x1

    x0 x1 x0 · x10 0 0

    0 1 0

    1 0 0

    1 1 1

    0 1 0 1

    0 1

    0 1 0 1

    u0 u1

    s0 s1 0 1

    u0 u1

    s0 s1 t0 t1

    u0 u1

    Sample u0, u1 randomly from {0, 1}λ

    Replace output values with random strings

    u0

    u0

    u0

    u1

    s0

    s0

    s1

    s1

    Sample s0, s1 randomly from {0, 1}λSample t0, t1 randomly from {0, 1}λ

    Replace input values with random strings

    t0

    t1

    t0

    t1

    u0

    u0

    u0

    u1

    Encrypt output values under input keys

    (Encryption is symmetric-key, e.g. AES)

    Es0(Et0(u0))

    Es0(Et1(u0))

    Es1(Et0(u0))

    Es1(Et1(u1))s0

    s0

    s1

    s1

    t0

    t1

    t0

    t1

    Es0(Et0(u0))

    Es0(Et1(u0))

    Es1(Et0(u0))

    Es1(Et1(u1))

    Shuffle rows of tableI This is a “garbled gate”I Input secrets s, t allow

    decryption of output secret u

    I Garbled truth-table canbe made public

    I Knowing one of {s0, s1}and one of {t0, t1} allowscomputation of garbledoutput

  • Garbling a Gate

    x0 x1

    y = x0 · x1

    x0 x1 x0 · x10 0 0

    0 1 0

    1 0 0

    1 1 1

    0 1 0 1

    0 1

    0 1 0 1

    u0 u1

    s0 s1 0 1

    u0 u1

    s0 s1 t0 t1

    u0 u1

    Sample u0, u1 randomly from {0, 1}λ

    Replace output values with random strings

    u0

    u0

    u0

    u1

    s0

    s0

    s1

    s1

    Sample s0, s1 randomly from {0, 1}λSample t0, t1 randomly from {0, 1}λ

    Replace input values with random strings

    t0

    t1

    t0

    t1

    u0

    u0

    u0

    u1

    Encrypt output values under input keys

    (Encryption is symmetric-key, e.g. AES)

    Es0(Et0(u0))

    Es0(Et1(u0))

    Es1(Et0(u0))

    Es1(Et1(u1))

    s0

    s0

    s1

    s1

    t0

    t1

    t0

    t1

    Es0(Et0(u0))

    Es0(Et1(u0))

    Es1(Et0(u0))

    Es1(Et1(u1))

    Shuffle rows of tableI This is a “garbled gate”I Input secrets s, t allow

    decryption of output secret u

    I Garbled truth-table canbe made public

    I Knowing one of {s0, s1}and one of {t0, t1} allowscomputation of garbledoutput

  • Garbling a Gate

    x0 x1

    y = x0 · x1

    x0 x1 x0 · x10 0 0

    0 1 0

    1 0 0

    1 1 1

    0 1 0 1

    0 1

    0 1 0 1

    u0 u1

    s0 s1 0 1

    u0 u1

    s0 s1 t0 t1

    u0 u1

    Sample u0, u1 randomly from {0, 1}λ

    Replace output values with random strings

    u0

    u0

    u0

    u1

    s0

    s0

    s1

    s1

    Sample s0, s1 randomly from {0, 1}λSample t0, t1 randomly from {0, 1}λ

    Replace input values with random strings

    t0

    t1

    t0

    t1

    u0

    u0

    u0

    u1

    Encrypt output values under input keys

    (Encryption is symmetric-key, e.g. AES)

    Es0(Et0(u0))

    Es0(Et1(u0))

    Es1(Et0(u0))

    Es1(Et1(u1))

    s0

    s0

    s1

    s1

    t0

    t1

    t0

    t1

    Es0(Et0(u0))

    Es0(Et1(u0))

    Es1(Et0(u0))

    Es1(Et1(u1))

    Shuffle rows of table

    I This is a “garbled gate”I Input secrets s, t allow

    decryption of output secret u

    I Garbled truth-table canbe made public

    I Knowing one of {s0, s1}and one of {t0, t1} allowscomputation of garbledoutput

  • Garbling a Gate

    x0 x1

    y = x0 · x1

    x0 x1 x0 · x10 0 0

    0 1 0

    1 0 0

    1 1 1

    0 1 0 1

    0 1

    0 1 0 1

    u0 u1

    s0 s1 0 1

    u0 u1

    s0 s1 t0 t1

    u0 u1

    Sample u0, u1 randomly from {0, 1}λ

    Replace output values with random strings

    u0

    u0

    u0

    u1

    s0

    s0

    s1

    s1

    Sample s0, s1 randomly from {0, 1}λSample t0, t1 randomly from {0, 1}λ

    Replace input values with random strings

    t0

    t1

    t0

    t1

    u0

    u0

    u0

    u1

    Encrypt output values under input keys

    (Encryption is symmetric-key, e.g. AES)

    Es0(Et0(u0))

    Es0(Et1(u0))

    Es1(Et0(u0))

    Es1(Et1(u1))

    s0

    s0

    s1

    s1

    t0

    t1

    t0

    t1

    Es0(Et0(u0))

    Es0(Et1(u0))

    Es1(Et0(u0))

    Es1(Et1(u1))

    Shuffle rows of table

    I This is a “garbled gate”I Input secrets s, t allow

    decryption of output secret u

    I Garbled truth-table canbe made public

    I Knowing one of {s0, s1}and one of {t0, t1} allowscomputation of garbledoutput

  • Garbling a Circuit

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉

    0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1

    0 1 0 1 0 1 0 1

    0 1 0 1

    0 1

    Each wire carries aboolean value

    s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

    s9,0 s9,1 s10,0 s10,1 s11,0 s11,1 s12,0 s12,1

    s13,0 s13,1 s14,0 s14,1

    s15,0 s15,1I Each wire carries a stringI Strings on input wires

    allow decryption of stringon output wire

    Es9,1(Es10,1(s13,0))

    Es9,0(Es10,1(s13,1))

    Es9,0(Es10,0(s13,0))

    Es9,1(Es10,0(s13,1))

    XOR gate

  • Garbling a Circuit

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉

    0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1

    0 1 0 1 0 1 0 1

    0 1 0 1

    0 1

    Each wire carries aboolean value

    s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

    s9,0 s9,1 s10,0 s10,1 s11,0 s11,1 s12,0 s12,1

    s13,0 s13,1 s14,0 s14,1

    s15,0 s15,1I Each wire carries a stringI Strings on input wires

    allow decryption of stringon output wire

    Es9,1(Es10,1(s13,0))

    Es9,0(Es10,1(s13,1))

    Es9,0(Es10,0(s13,0))

    Es9,1(Es10,0(s13,1))

    XOR gate

  • Garbling a Circuit

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉

    0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1

    0 1 0 1 0 1 0 1

    0 1 0 1

    0 1

    Each wire carries aboolean value

    s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

    s9,0 s9,1 s10,0 s10,1 s11,0 s11,1 s12,0 s12,1

    s13,0 s13,1 s14,0 s14,1

    s15,0 s15,1I Each wire carries a stringI Strings on input wires

    allow decryption of stringon output wire

    Es9,1(Es10,1(s13,0))

    Es9,0(Es10,1(s13,1))

    Es9,0(Es10,0(s13,0))

    Es9,1(Es10,0(s13,1))

    XOR gate

  • Garbling a Circuit

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉

    0 1 0 1 0 1 0 1 0 1 0 1 0 1 0 1

    0 1 0 1 0 1 0 1

    0 1 0 1

    0 1

    Each wire carries aboolean value

    s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

    s9,0 s9,1 s10,0 s10,1 s11,0 s11,1 s12,0 s12,1

    s13,0 s13,1 s14,0 s14,1

    s15,0 s15,1I Each wire carries a stringI Strings on input wires

    allow decryption of stringon output wire

    Es9,1(Es10,1(s13,0))

    Es9,0(Es10,1(s13,1))

    Es9,0(Es10,0(s13,0))

    Es9,1(Es10,0(s13,1))

    XOR gate

  • Secure Function Evaluation Using Garbled CircuitsAn Example: Secure dot-product

    I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private)I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private)I The inner-product function f (x, y) =

    ∑4i=1 xiyi is public

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉Alice Generates the circuit

    s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

    s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1

    s13,0s13,1 s14,0s14,1

    0 1

    Alice generates tworandom strings for eachwire (called “wire keys”)

    Output wire hasstandard 0/1 values

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉

    Alice generates garbledtruth tables for eachgate using wire keys

    Alice gives Bob thegarbled gates (but not

    the wire keys)

    Alice gives Bob the keyscorresponding to her

    inputs (1, 0, 1, 0)

    s1,1 s3,0 s5,1 s7,0

    Alice and Bob use OTto get Bob the keys he

    needs for his inputs(1, 1, 0, 1)

    Now Bob has one wirekey for each input wire

    s2,1 s4,1 s6,0 s8,1

    s9,1 s10,0 s11,0 s12,0

    Bob uses wire keys andgarbled truth-table to

    decrypt the wire keys atthe next level

    s13,1 s14,0

    1

  • Secure Function Evaluation Using Garbled CircuitsAn Example: Secure dot-product

    I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private)I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private)I The inner-product function f (x, y) =

    ∑4i=1 xiyi is public

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉Alice Generates the circuit

    s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

    s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1

    s13,0s13,1 s14,0s14,1

    0 1

    Alice generates tworandom strings for eachwire (called “wire keys”)

    Output wire hasstandard 0/1 values

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉

    Alice generates garbledtruth tables for eachgate using wire keys

    Alice gives Bob thegarbled gates (but not

    the wire keys)

    Alice gives Bob the keyscorresponding to her

    inputs (1, 0, 1, 0)

    s1,1 s3,0 s5,1 s7,0

    Alice and Bob use OTto get Bob the keys he

    needs for his inputs(1, 1, 0, 1)

    Now Bob has one wirekey for each input wire

    s2,1 s4,1 s6,0 s8,1

    s9,1 s10,0 s11,0 s12,0

    Bob uses wire keys andgarbled truth-table to

    decrypt the wire keys atthe next level

    s13,1 s14,0

    1

  • Secure Function Evaluation Using Garbled CircuitsAn Example: Secure dot-product

    I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private)I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private)I The inner-product function f (x, y) =

    ∑4i=1 xiyi is public

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉

    Alice Generates the circuit

    s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

    s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1

    s13,0s13,1 s14,0s14,1

    0 1

    Alice generates tworandom strings for eachwire (called “wire keys”)

    Output wire hasstandard 0/1 values

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉

    Alice generates garbledtruth tables for eachgate using wire keys

    Alice gives Bob thegarbled gates (but not

    the wire keys)

    Alice gives Bob the keyscorresponding to her

    inputs (1, 0, 1, 0)

    s1,1 s3,0 s5,1 s7,0

    Alice and Bob use OTto get Bob the keys he

    needs for his inputs(1, 1, 0, 1)

    Now Bob has one wirekey for each input wire

    s2,1 s4,1 s6,0 s8,1

    s9,1 s10,0 s11,0 s12,0

    Bob uses wire keys andgarbled truth-table to

    decrypt the wire keys atthe next level

    s13,1 s14,0

    1

  • Secure Function Evaluation Using Garbled CircuitsAn Example: Secure dot-product

    I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private)I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private)I The inner-product function f (x, y) =

    ∑4i=1 xiyi is public

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉

    Alice Generates the circuit

    s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

    s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1

    s13,0s13,1 s14,0s14,1

    0 1

    Alice generates tworandom strings for eachwire (called “wire keys”)

    Output wire hasstandard 0/1 values

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉

    Alice generates garbledtruth tables for eachgate using wire keys

    Alice gives Bob thegarbled gates (but not

    the wire keys)

    Alice gives Bob the keyscorresponding to her

    inputs (1, 0, 1, 0)

    s1,1 s3,0 s5,1 s7,0

    Alice and Bob use OTto get Bob the keys he

    needs for his inputs(1, 1, 0, 1)

    Now Bob has one wirekey for each input wire

    s2,1 s4,1 s6,0 s8,1

    s9,1 s10,0 s11,0 s12,0

    Bob uses wire keys andgarbled truth-table to

    decrypt the wire keys atthe next level

    s13,1 s14,0

    1

  • Secure Function Evaluation Using Garbled CircuitsAn Example: Secure dot-product

    I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private)I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private)I The inner-product function f (x, y) =

    ∑4i=1 xiyi is public

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉Alice Generates the circuit

    s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

    s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1

    s13,0s13,1 s14,0s14,1

    0 1

    Alice generates tworandom strings for eachwire (called “wire keys”)

    Output wire hasstandard 0/1 values

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉

    Alice generates garbledtruth tables for eachgate using wire keys

    Alice gives Bob thegarbled gates (but not

    the wire keys)

    Alice gives Bob the keyscorresponding to her

    inputs (1, 0, 1, 0)

    s1,1 s3,0 s5,1 s7,0

    Alice and Bob use OTto get Bob the keys he

    needs for his inputs(1, 1, 0, 1)

    Now Bob has one wirekey for each input wire

    s2,1 s4,1 s6,0 s8,1

    s9,1 s10,0 s11,0 s12,0

    Bob uses wire keys andgarbled truth-table to

    decrypt the wire keys atthe next level

    s13,1 s14,0

    1

  • Secure Function Evaluation Using Garbled CircuitsAn Example: Secure dot-product

    I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private)I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private)I The inner-product function f (x, y) =

    ∑4i=1 xiyi is public

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉Alice Generates the circuit

    s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

    s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1

    s13,0s13,1 s14,0s14,1

    0 1

    Alice generates tworandom strings for eachwire (called “wire keys”)

    Output wire hasstandard 0/1 values

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉

    Alice generates garbledtruth tables for eachgate using wire keys

    Alice gives Bob thegarbled gates (but not

    the wire keys)

    Alice gives Bob the keyscorresponding to her

    inputs (1, 0, 1, 0)

    s1,1 s3,0 s5,1 s7,0

    Alice and Bob use OTto get Bob the keys he

    needs for his inputs(1, 1, 0, 1)

    Now Bob has one wirekey for each input wire

    s2,1 s4,1 s6,0 s8,1

    s9,1 s10,0 s11,0 s12,0

    Bob uses wire keys andgarbled truth-table to

    decrypt the wire keys atthe next level

    s13,1 s14,0

    1

  • Secure Function Evaluation Using Garbled CircuitsAn Example: Secure dot-product

    I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private)I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private)I The inner-product function f (x, y) =

    ∑4i=1 xiyi is public

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉Alice Generates the circuit

    s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

    s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1

    s13,0s13,1 s14,0s14,1

    0 1

    Alice generates tworandom strings for eachwire (called “wire keys”)

    Output wire hasstandard 0/1 values

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉

    Alice generates garbledtruth tables for eachgate using wire keys

    Alice gives Bob thegarbled gates (but not

    the wire keys)

    Alice gives Bob the keyscorresponding to her

    inputs (1, 0, 1, 0)

    s1,1 s3,0 s5,1 s7,0

    Alice and Bob use OTto get Bob the keys he

    needs for his inputs(1, 1, 0, 1)

    Now Bob has one wirekey for each input wire

    s2,1 s4,1 s6,0 s8,1

    s9,1 s10,0 s11,0 s12,0

    Bob uses wire keys andgarbled truth-table to

    decrypt the wire keys atthe next level

    s13,1 s14,0

    1

  • Secure Function Evaluation Using Garbled CircuitsAn Example: Secure dot-product

    I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private)I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private)I The inner-product function f (x, y) =

    ∑4i=1 xiyi is public

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉Alice Generates the circuit

    s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

    s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1

    s13,0s13,1 s14,0s14,1

    0 1

    Alice generates tworandom strings for eachwire (called “wire keys”)

    Output wire hasstandard 0/1 values

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉

    Alice generates garbledtruth tables for eachgate using wire keys

    Alice gives Bob thegarbled gates (but not

    the wire keys)

    Alice gives Bob the keyscorresponding to her

    inputs (1, 0, 1, 0)

    s1,1 s3,0 s5,1 s7,0

    Alice and Bob use OTto get Bob the keys he

    needs for his inputs(1, 1, 0, 1)

    Now Bob has one wirekey for each input wire

    s2,1 s4,1 s6,0 s8,1

    s9,1 s10,0 s11,0 s12,0

    Bob uses wire keys andgarbled truth-table to

    decrypt the wire keys atthe next level

    s13,1 s14,0

    1

  • Secure Function Evaluation Using Garbled CircuitsAn Example: Secure dot-product

    I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private)I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private)I The inner-product function f (x, y) =

    ∑4i=1 xiyi is public

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉Alice Generates the circuit

    s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

    s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1

    s13,0s13,1 s14,0s14,1

    0 1

    Alice generates tworandom strings for eachwire (called “wire keys”)

    Output wire hasstandard 0/1 values

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉

    Alice generates garbledtruth tables for eachgate using wire keys

    Alice gives Bob thegarbled gates (but not

    the wire keys)

    Alice gives Bob the keyscorresponding to her

    inputs (1, 0, 1, 0)

    s1,1 s3,0 s5,1 s7,0

    Alice and Bob use OTto get Bob the keys he

    needs for his inputs(1, 1, 0, 1)

    Now Bob has one wirekey for each input wire

    s2,1 s4,1 s6,0 s8,1

    s9,1 s10,0 s11,0 s12,0

    Bob uses wire keys andgarbled truth-table to

    decrypt the wire keys atthe next level

    s13,1 s14,0

    1

  • Secure Function Evaluation Using Garbled CircuitsAn Example: Secure dot-product

    I Alice has an input x = (x1, x2, x3, x4) = (1, 0, 1, 0) (Private)I Bob has an input y = (y1, y2, y3, y4) = (1, 1, 0, 1) (Private)I The inner-product function f (x, y) =

    ∑4i=1 xiyi is public

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉Alice Generates the circuit

    s1,0 s1,1 s2,0 s2,1 s3,0 s3,1 s4,0 s4,1 s5,0 s5,1 s6,0 s6,1 s7,0 s7,1 s8,0 s8,1

    s9,0 s9,1 s10,0s10,1 s11,0s11,1 s12,0s12,1

    s13,0s13,1 s14,0s14,1

    0 1

    Alice generates tworandom strings for eachwire (called “wire keys”)

    Output wire hasstandard 0/1 values

    x1 y1 x2 y2 x3 y3 x4 y4

    〈x, y〉

    Alice generates garbledtruth tables for eachgate using wire keys

    Alice gives Bob thegarbled gates (but not

    the wire keys)

    Alice gives Bob the keyscorresponding to her

    inputs (1, 0, 1, 0)

    s1,1 s3,0 s5,1 s7,0

    Alice and Bob use OTto get Bob the keys he

    needs for his inputs(1, 1, 0, 1)

    Now Bob has one wirekey for each input wire

    s2,1 s4,1 s6,0 s8,1

    s9,1 s10,0 s11,0 s12,0

    Bob uses wire keys andgarbled truth-table to

    decrypt the wire keys atthe next level

    s13,1 s14,0

    1

  • Garbled Circuit Review

    I Alice and Bob want to compute a public function(a circuit of size |C | with n inputs)

    I Alice will generate key pairs for every wireI Alice will generate garbled truth tables for every gate

    (Calculate: 8 symmetric encryptions per gate)I Alice will give Bob the entire garbled circuit

    (Communicate: 4 symmetric encryptions per gate)I Alice will give secrets corresponding to her inputsI They will use OT to get Bob secrets corresponding to his inputs

    (One OT per input)I Bob will evaluate the entire garbled circuit gate by gate

    (Calculate: 2 symmetric decryptions per gate)I Overall

    I Calculation: O(|C |) symmetric encryptions for each partyI Communication: O(|C |) symmetric ciphertextsI OT: n parallel oblivious transfersI Entire protocol is only two rounds

  • Implementing Garbled Circuits

    I Fairplay: a garbled circuit compiler [MNPS04]

    I Garbled circuits for malicious adversaries [LPS08]Computation of > for 16-bit integers takes 135-360 secondson Intel Core 2 2.13Ghz where running time increases assecurity parameter increases

    I TASTY: a compiler which compiles into a mix of garbledcircuits and homomorphic encryption [HOS+10]

    I 900-bit hamming distance calculation in .051s on Inter CoreDuo 3Ghz [HEKM11, HSE+11](.019s online time, approximately 10µs per gate)

    I Billion-gate circuits against malicious adversaries [KSS12]

    I Garble time: 64,000 - 84,000 gates / secI Secure evaluation of AES (50K gates): 29.4s on 4 cores, 1.3s

    on 256 coresI 4095-bit edit distance (5.9B gates) in 8.2 hours (82K

    gates/sec)

  • Introduction

    Oblivious Transfer

    Circuit Garbling

    Secure Computation from Secret Sharing

    Applications of MPCThe Satellite Problem

    Conjunction Analysis: OverviewSpecific CalculationsIntegrationDoing The Computation Securely

    ExtrasCryptographic AssumptionsConstructing Oblivious Transfer

  • Overview of MPCThe GMW/BGW Approach

    I The (public) function being computed is written as a circuit

    I Each participant secret-shares their private input

    I The circuit is evaluated gate-by-gate on the shares(this requires communication between participants)

    I Answer is reconstructed from final shares

  • Secret Sharing [Sha79]Simple linear sharing scheme

    I To share s ∈ F2, among twoplayers

    I Pick a random r ∈ F2I Create the shares s + r and r

    I Keep s + r , send r to otherplayer

    s

    s = (s + r) + r

    r

  • Linear sharing schemes can compute linear functions

    a b

    a = a0 + a1

    a1

    b = b0 + b1

    b0

    c0 = a0 + b0 c1 = a1 + b1

    c0 + c1 = a + b

    Given shares of private inputs, parties cancompute shares of any linear function of

    the inputs

  • Linear sharing schemes can compute linear functions

    a b

    a = a0 + a1

    a1

    b = b0 + b1

    b0

    c0 = a0 + b0 c1 = a1 + b1

    c0 + c1 = a + b

    Given shares of private inputs, parties cancompute shares of any linear function of

    the inputs

  • Linear sharing schemes can compute linear functions

    a b

    a = a0 + a1

    a1

    b = b0 + b1

    b0

    c0 = a0 + b0 c1 = a1 + b1

    c0 + c1 = a + b

    Given shares of private inputs, parties cancompute shares of any linear function of

    the inputs

  • Linear sharing schemes can compute linear functions

    a b

    a = a0 + a1

    a1

    b = b0 + b1

    b0

    c0 = a0 + b0 c1 = a1 + b1

    c0 + c1 = a + b

    Given shares of private inputs, parties cancompute shares of any linear function of

    the inputs

  • Linear sharing schemes can compute linear functions

    a b

    a = a0 + a1

    a1

    b = b0 + b1

    b0

    c0 = a0 + b0 c1 = a1 + b1

    c0 + c1 = a + b

    Given shares of private inputs, parties cancompute shares of any linear function of

    the inputs

  • Linear sharing schemes can compute linear functions

    a b

    a = a0 + a1

    a1

    b = b0 + b1

    b0

    c0 = a0 + b0 c1 = a1 + b1

    c0 + c1 = a + b

    Given shares of private inputs, parties cancompute shares of any linear function of

    the inputs

  • Multiplying Shares

    I We can add shares to get shares of the sum

    I How do we multiply shares?

  • Multiplying Shares

    a b

    a = a0 + a1

    a1

    b = b0 + b1

    b0

    Goal:Alice calculates c0,Bob calculates c1

    such that

    c0 + c1 = a · b

  • Multiplying Shares

    a b

    a = a0 + a1

    a1

    b = b0 + b1

    b0

    Goal:Alice calculates c0,Bob calculates c1

    such that

    c0 + c1 = a · b

  • Evaluating a circuit on shares

    I Idea: each player secret-shares their input, then perform entirecomputation on the shares

    I If each player secret-shares their inputs, addition gates can becomputed locally (each player locally adds their shares)

    I How do we compute multiplication gates?I Method 1: Oblivious Transfer (OT) [GMW87]I Method 2: Honest Majority [BOGW88, CCD88]

  • Evaluating a circuit on shares

    I Idea: each player secret-shares their input, then perform entirecomputation on the shares

    I If each player secret-shares their inputs, addition gates can becomputed locally (each player locally adds their shares)

    I How do we compute multiplication gates?I Method 1: Oblivious Transfer (OT) [GMW87]I Method 2: Honest Majority [BOGW88, CCD88]

  • Multiplying Shares

    Alice

    a

    Bob

    b

    a = a0 + a1

    a1

    b = b0 + b1

    b0

    Goal: Compute shares of a · b

    a · b = (a0 + a1)(b0 + b1) = a0b0 + a1b0 + a0b1 + a1b1

    Alice can compute a0b0, Bob can compute a1b1

  • Multiplying Shares

    Alice

    a

    Bob

    b

    a = a0 + a1

    a1

    b = b0 + b1

    b0

    Goal: Compute shares of a · b

    a · b = (a0 + a1)(b0 + b1) = a0b0 + a1b0 + a0b1 + a1b1

    Alice can compute a0b0, Bob can compute a1b1

  • Multiplying Shares

    Alice

    a

    Bob

    b

    a = a0 + a1

    a1

    b = b0 + b1

    b0

    Goal: Compute shares of a · b

    a · b = (a0 + a1)(b0 + b1) = a0b0 + a1b0 + a0b1 + a1b1

    Alice can compute a0b0, Bob can compute a1b1

  • Multiplying Shares

    Alice

    a

    Bob

    b

    a = a0 + a1

    a1

    b = b0 + b1

    b0

    Goal: Compute shares of a · b

    a · b = (a0 + a1)(b0 + b1) = a0b0 + a1b0 + a0b1 + a1b1

    Alice can compute a0b0, Bob can compute a1b1

  • GMW Multiplication

    Goal: c0 + c1 = (a0 + a1)(b0 + b1) = a0b0 + a0b1 + b0a1 + a1b1

    Alice chooses a random c0, and creates the table

    OT input Bob’s Inputs

    c0 + (a0b0) a1 = 0, b1 = 0

    c0 + (a0b0 + a0) a1 = 0, b1 = 1

    c0 + (a0b0 + b0) a1 = 1, b1 = 0

    c0 + (a0b0 + b0 + a0 + 1) a1 = 1, b1 = 1

    Participant 0 acts as the sender in an OT, with the 4 values in theleft column as inputs.

  • OT for MultiplicationUsing 1 out out 4 OT to implement 1-bit multiplication

    OT

    Alice

    a0, b0 a1, b1

    Bob

    c0 + a0b0

    c0 + a0b0 + a0

    c0 + a0b0 + b0

    c0 + a0b0 + a0 + b0 + 1

    a1b1

    c1

    If a1b1 = 00, then(a0 + a1)(b0 + b1) = a0b0

    If a1b1 = 01, then(a0 + a1)(b0 + b1) = a0b0 + a0

    If a1b1 = 10, then(a0 + a1)(b0 + b1) = a0b0 + b0

    If a1b1 = 11, then(a0+a1)(b0+b1) = a0b0+a0+b0+1

    c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1

  • OT for MultiplicationUsing 1 out out 4 OT to implement 1-bit multiplication

    OT

    Alice

    a0, b0 a1, b1

    Bob

    c0 + a0b0

    c0 + a0b0 + a0

    c0 + a0b0 + b0

    c0 + a0b0 + a0 + b0 + 1

    a1b1

    c1

    If a1b1 = 00, then(a0 + a1)(b0 + b1) = a0b0

    If a1b1 = 01, then(a0 + a1)(b0 + b1) = a0b0 + a0

    If a1b1 = 10, then(a0 + a1)(b0 + b1) = a0b0 + b0

    If a1b1 = 11, then(a0+a1)(b0+b1) = a0b0+a0+b0+1

    c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1

  • OT for MultiplicationUsing 1 out out 4 OT to implement 1-bit multiplication

    OT

    Alice

    a0, b0 a1, b1

    Bob

    c0 + a0b0

    c0 + a0b0 + a0

    c0 + a0b0 + b0

    c0 + a0b0 + a0 + b0 + 1

    a1b1

    c1

    If a1b1 = 00, then(a0 + a1)(b0 + b1) = a0b0

    If a1b1 = 01, then(a0 + a1)(b0 + b1) = a0b0 + a0

    If a1b1 = 10, then(a0 + a1)(b0 + b1) = a0b0 + b0

    If a1b1 = 11, then(a0+a1)(b0+b1) = a0b0+a0+b0+1

    c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1

  • OT for MultiplicationUsing 1 out out 4 OT to implement 1-bit multiplication

    OT

    Alice

    a0, b0 a1, b1

    Bob

    c0 + a0b0

    c0 + a0b0 + a0

    c0 + a0b0 + b0

    c0 + a0b0 + a0 + b0 + 1

    a1b1

    c1

    If a1b1 = 00, then(a0 + a1)(b0 + b1) = a0b0

    If a1b1 = 01, then(a0 + a1)(b0 + b1) = a0b0 + a0

    If a1b1 = 10, then(a0 + a1)(b0 + b1) = a0b0 + b0

    If a1b1 = 11, then(a0+a1)(b0+b1) = a0b0+a0+b0+1

    c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1

  • OT for MultiplicationUsing 1 out out 4 OT to implement 1-bit multiplication

    OT

    Alice

    a0, b0 a1, b1

    Bob

    c0 + a0b0

    c0 + a0b0 + a0

    c0 + a0b0 + b0

    c0 + a0b0 + a0 + b0 + 1

    a1b1

    c1

    If a1b1 = 00, then(a0 + a1)(b0 + b1) = a0b0

    If a1b1 = 01, then(a0 + a1)(b0 + b1) = a0b0 + a0

    If a1b1 = 10, then(a0 + a1)(b0 + b1) = a0b0 + b0

    If a1b1 = 11, then(a0+a1)(b0+b1) = a0b0+a0+b0+1

    c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1

  • OT for MultiplicationUsing 1 out out 4 OT to implement 1-bit multiplication

    OT

    Alice

    a0, b0 a1, b1

    Bob

    c0 + a0b0

    c0 + a0b0 + a0

    c0 + a0b0 + b0

    c0 + a0b0 + a0 + b0 + 1

    a1b1

    c1

    If a1b1 = 00, then(a0 + a1)(b0 + b1) = a0b0

    If a1b1 = 01, then(a0 + a1)(b0 + b1) = a0b0 + a0

    If a1b1 = 10, then(a0 + a1)(b0 + b1) = a0b0 + b0

    If a1b1 = 11, then(a0+a1)(b0+b1) = a0b0+a0+b0+1

    c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1

  • OT for MultiplicationUsing 1 out out 4 OT to implement 1-bit multiplication

    OT

    Alice

    a0, b0 a1, b1

    Bob

    c0 + a0b0

    c0 + a0b0 + a0

    c0 + a0b0 + b0

    c0 + a0b0 + a0 + b0 + 1

    a1b1

    c1

    If a1b1 = 00, then(a0 + a1)(b0 + b1) = a0b0

    If a1b1 = 01, then(a0 + a1)(b0 + b1) = a0b0 + a0

    If a1b1 = 10, then(a0 + a1)(b0 + b1) = a0b0 + b0

    If a1b1 = 11, then(a0+a1)(b0+b1) = a0b0+a0+b0+1

    c1 = c0 + a0b0 + a0b1 + b0a1 + a1b1

  • Evaluating Circuits with GMW

    I Inputs are secret-shared between participants

    I The circuit is evaluated gate-by-gate

    I Each gate acts only on shares, so no information is revealed

    I Addition gates can be computed locally (no communicationbetween participants)

    I Multiplication requires a 1-out-of-4 OTI OT requires public-key operations

    I Public-key operations are computationally expensiveI Computation requires a number of rounds equal to the

    multiplicative depth of the circuit

  • Introduction

    Oblivious Transfer

    Circuit Garbling

    Secure Computation from Secret Sharing

    Applications of MPCThe Satellite Problem

    Conjunction Analysis: OverviewSpecific CalculationsIntegrationDoing The Computation Securely

    ExtrasCryptographic AssumptionsConstructing Oblivious Transfer

  • Secure Auctions

    I A secure double auction was executed by Danish sugar beetfarmers and Danisco [BCD+08]

    I Danisco is the sole processor of sugar beets in DenmarkI 30% of the world’s sugar comes from sugar beets

    I Each participant indicated how much they would buy/sell at agiven price (private input)

    I The market clearing price is computed (securely)

    I The quantities bought and sold by each bidder was revealed(public output)

    I The auction had 1200 bidders, and 25,000 tons of productionrights changed hands

    http://eprint.iacr.org/2008/068/http://eprint.iacr.org/2008/068/

  • Secure Elections

    I Implemented by Helios Voting [Adi08]I Used to elect the president of the Université Catholique de

    Louvain [UCL09]I Student government representatives at PrincetonI President of the IACR

    I Scantegrity Election in Takoma Park [CCC+10]

    I Each participant has a vote (private input)

    I The winner is tallied (securely)

    I The winner is made public (public output)

    I Voting systems allow another level of functionality: auditing

    http:www.heliosvoting.orghttp://www.iacr.org

  • Examples of MPC

    I Practical demonstrations of MPC have been limited toextremely simple functionalities

    I Auctions: (maximum, minimum, threshold functions)

    I Elections: (sum, threshold)

  • Introduction

    Oblivious Transfer

    Circuit Garbling

    Secure Computation from Secret Sharing

    Applications of MPCThe Satellite Problem

    Conjunction Analysis: OverviewSpecific CalculationsIntegrationDoing The Computation Securely

    ExtrasCryptographic AssumptionsConstructing Oblivious Transfer

  • Preventing Satellite Collisions

  • The “Iridium Incident” Renews Interest in Collisions

    Source: bbc.co.uk

    http://news.bbc.co.uk/2/hi/7885051.stm

  • Collisions in SpaceThese objects are moving fast!

  • Improving Space Situational Awareness

    I What are the risks to current satellites?

    I What are the possible mitigation techniques?

    I What are the costs / benefits of various techniques?

  • One Problem in Space

    How do you prevent collisionsbetween active satellites?

  • The Problem with SatellitesOperators won’t share information

    I Satellite operators have high fidelity data about theirsatellite’s location

    I This information is necessary for computing collisionprobabilities

    I Operators are unwilling to share this information

  • Data sharing could solve the problem

    I Data sharing between operators would increase spacesituational awareness [Fou10, KVCB08]

    I Operators have tried banding together and sharing their data[LNW09, Cho10]

    I This solution is extremely limited because most operators areunwilling to share their data [Cho10]

  • Motivating Question

    How can satellite operatorscoordinate operations withoutrevealing private information?

  • Current Situation

    I The JSpOC tracks 22,000 objects in space

    I Low fidelity data are made available in the form of Two-LineElements (TLEs) via space-track.org

    I Operators maintain high-accuracy positional information

    I High-accuracy should be used to calculate collisionprobabilities (This calculation is called a Conjunction Analysis)

    I Conjunction analyses are always performed pair-wise

  • JSpOC data are not accurate enough

  • Conjunction Analyses

    I Some private operators have entered into data sharingagreements

    I Private data are provided to a trusted party

    I The trusted party performs the conjunction analyses andnotifies the operators of potential threats

  • Trusted Party ImplementationsCurrent trusted third party implementations

    CSSI (a subsidiary of AGI) runs 300conjunctions twice per day from its 20participating operators [Kel10]

    USSTRATCOM performs conjunctionanalyses for SSA Sharing ProgramPartners

  • Prefiltering

    I Public (low-fidelity) data are used to prefilter orbits

    I Full conjunction analyses are only performed on potentiallyhazardous orbits

    I “the problems with the accuracy of the existing TLE data setshave been well documented, and relying on them for CApre-filtering is seen as problematic.” [HAO10]

  • PrefilteringPrefiltering in practice

    The public dataset can be used to prefilter potential threats

    I For 22,000 objects there are approximately 240,000,000 pairsI Using the public catalog to prefilter results in 53,000

    hazardous orbits were identified [HAO10]I 5 day windowI 50 km threshold for GEOI 5 km threshold for all other orbitsI To test all these requires one CA every 8 seconds

  • Secure Function Evaluation

    I How quickly can conjunction analyses be performed usingtechniques from Secure Function Evaluation (SFE), SecureMultiparty Computation (MPC) or Fully HomomorphicEncryption (FHE)?

  • How Secure is MPC?

    I Securely calculating a conjunction probability always leaks theconjunction probability

    I Protocols provably leak nothing else

  • Conjunction AnalysisHigh Level Overview

    I Two parties have private orbital information

    I They wish to calculate the probability of collision

  • Operator Inputs

    Each operator has the following (private) inputs:

    I Position (A vector in R3)I Velocity (A vector in R3)I Positional Error (A vector in R3)I Object Radius (A scalar in R)

  • Simplifying Assumptions

    I Objects are modeled as spheres

    I Their relative motion is assumed to be linear

    I Velocity information is assumed to be exactI Their positional errors are assumed to

    I have normal distribution with mean zeroI be uncorrelated

    I These assumptions are made in the insecure setting

  • Conjunction Analysis Calculation

    I A conjunction analysis calculation is the three dimensionalintegral over the product of the probability density functionsof the objects

    I The assumptions allow this calculation to be greatly simplified

  • Modeling Objects

    I Each object is modeled a normal (Gaussian) distribution, i.e.,it has probability density

    f (x , y , z) =1(√

    2πσxσyσz)3 e− 12

    (x2

    σx+ y

    2

    σy+ z

    2

    σz

    )

    (where this has made use of the fact that the errors areindependent in different directions)

    I Truncate gaussian after 8 standard deviations [Alf07]

    I This results in a probability ellipsoid

  • Simplifying the Calculations

    Because the errors are independent, andthe sum of independent Gaussians is

    Gaussian, all error can be shifted to onebody.

    The full radius is shifted to the other body.

    Integrate Gaussian in “collision tube”

  • Simplifying the Calculations

    Because the errors are independent, andthe sum of independent Gaussians is

    Gaussian, all error can be shifted to onebody.

    The full radius is shifted to the other body.

    Integrate Gaussian in “collision tube”

  • Simplifying the Calculations

    Because the errors are independent, andthe sum of independent Gaussians is

    Gaussian, all error can be shifted to onebody.

    The full radius is shifted to the other body.

    Integrate Gaussian in “collision tube”

  • Simplifying the Calculations

    Because the errors are independent, andthe sum of independent Gaussians is

    Gaussian, all error can be shifted to onebody.

    The full radius is shifted to the other body.

    Integrate Gaussian in “collision tube”

  • The Encounter Plane

    I Slice the three dimensional pdf at the point of nearestapproach, perpendicular to relative velocity

    Cross section of pdfCross section ofcollision tube

    Encounter Plane

  • Reducing to Two Dimensions

    I The 3D integral along the collision tube is made of 2D slices

    I Because the variances are independent, the 2D integral in theencounter plane can be done first, then this can be integratedalong the length of the collision tube, weighted by the pdf inthe third dimension

    I Integrating along a single dimension, is like integrating aone-dimensional Gaussian, so we get a number that is almostone

    I Thus we can approximate the 3D integral by the 2D integral

  • The Calculation

    Thus a conjunction analysis is the calculation of the following twodimensional integral

    P =1

    2πσxσy

    ∫ R−R

    ∫ √R2−x2−√R2−x2

    exp

    [−12

    [(x − xmσx

    )2+

    (y − ymσy

    )2]]dydx .

    I R is the combined radius (the sum of the two radii)I σx , σy are the combined standard deviations in the encounter

    planeI (xm, ym) is the location of the center of the collision tube in

    the encounter plane

  • What’s the Most Efficient Way to Compute This Securely?

    Secure Computation Techniques

    I Additively Homomorphic Encryption

    I MPC over binary circuits (GMW)

    I MPC over arithmetic circuits [AIK12]

    I Fully Homomorphic Encryption [Gen09]

  • Complexity of Calculation

    These MPC applications are orders of magnitudemore complex than any prior applications

  • The Double Integral

    After projecting into the encounter plane, we must compute the doubleintegral

    P =1

    2πσxσy

    ∫ R−R

    ∫ √R2−x2−√R2−x2

    exp

    [−12

    [(x − xmσx

    )2+

    (y − ymσy

    )2]]dydx .

    xm, ym, σx , σy ,R are values that depend on both users’s inputs.

  • Outline of Alfano’s Method

    Convert the double integral

    P =1

    2πσxσy

    ∫ R−R

    ∫ √R2−x2−√R2−x2

    exp

    [−12

    [(x − xmσx

    )2+

    (y − ymσy

    )2]]dydx .

    to the single integral

    P =1√

    8πσx

    ∫ R−R

    [erf

    (ym +

    √R2 − x2√

    2σy

    )+ erf

    (−ym +

    √R2 − x2√

    2σy

    )]exp

    (−(x + xm)2

    2σ2x

    )dx

    Where erf(·) is the error function

    erf(z) =2√π

    ∫ z0

    e−t2dt

  • The Error Function erf(·)

    erf(x) =2√π

    ∫ x0

    e−t2dt

    x

    f (x)

    f (x) = erf(x)

  • Approximating the single integral

    We want to approximate the single integral that depends on erf(·)and exp(·)

    I Taylor expand erf(·) as

    erf x =2√π

    ∞∑n=0

    (−1)nx2n+1

    n!(2n + 1),

    which, by [CR08] has error∣∣∣∣∣erf x − 2√πN∑

    n=0

    (−1)nx2n+1

    n!(2n + 1)

    ∣∣∣∣∣ ≤ 2√π x2N+1N!(2N + 1) .I Taylor expand exp(·) as ex =

    ∑∞n=0

    xn

    n!

    I Use Simpson’s rule to approximate the integral

  • Simpson’s RuleSimpson’s rule says:∫ ba

    f (x)dx ≈ ∆x3

    (f (a)+4f (a+∆x)+2f (a+2∆x)+4f (a+3∆x)+· · ·+4f (b−∆x)+f (b))

    In our situation, this is:∫ R0

    f (x)dx ≈ ∆x3

    [f (0) + f (R) +

    n∑i=1

    4f (x2i−1) +n−1∑i=1

    2f (x2i )]

    ]

    where ∆x = R/2n, and xi = i∆x . The integrand is:

    f (x) =

    [erf

    (ym +

    √R2 − x2√

    2σy

    )+ erf

    (−ym +

    √R2 − x2√

    2σy

    )]·[

    exp

    (−(x + xm)2

    2σ2x

    )+ exp

    (−(−x + xm)2

    2σ2x

    )]

  • Difficulties in Secure Computation

    I Securely computing this function raises many techicalchallenges

    I What is the most “MPC-friendly” circuit for this function?

  • Problem: Taylor Approximations fare poorly

    1.0e–10

    1.0e+10

    –5 5x

    ∣∣∣∣∣erf(x)−50∑n=0

    (−1)nx2n+1

    n!(2n + 1)

    ∣∣∣∣∣

    This shows the absolute error between erf and its 50 term Taylorexpansion on a logarithmic scale

  • Using Taylor Expansion in a Window

    Possible Solution

    I If |x | < 5 use 100 term Taylor expansionI If x > 5 return 1

    I If x < −5 return −1

    This is very accurate, but it requires comparisons

  • Using Taylor Expansion in a Window

    Possible Solution

    I If |x | < 5 use 100 term Taylor expansionI If x > 5 return 1

    I If x < −5 return −1This is very accurate, but it requires comparisons

  • Approximating Erf

    erf(x) ≈ 1− 1(1 + a1x + a2x2 + a3x3 + a4x4 + a5x5 + a6x6)16

    Where

    a1 = .3275911 a4 = .0001520143a2 = .254829592 a5 = .0002765672a3 = .0092705272 a6 = .0000430638

    When x > 0. This has an absolute error less than 10−7 across theentire range [AS65].

  • Adapting Calculations

    Problem:

    I Taylor approximations are only accurate in certain windows

    I Secure comparison gates are inefficient

    I Redesign calculation to avoid branching

    I Similar problems come up in many natural calculations

    I The most efficient insecure calculation may not create themost efficient secure calculation

  • Changing Variables

    P =1√

    8πσx

    ∫ R−R

    [erf

    (ym +

    √R2 − x2√

    2σy

    )+ erf

    (−ym +

    √R2 − x2√

    2σy

    )]exp

    (−(x + xm)2

    2σ2x

    )dx

    each term in sum requires calculating√R2 − x2 where R , x are secret

    Set z = xR .

    P =R√

    8πσx

    ∫ 1−1

    [erf

    (ym + R

    √1− z2√

    2σy

    )+ erf

    (−ym + R

    √1− z2√

    2σy

    )]exp

    (−(Rz + xm)2

    2σ2x

    )dz

    I Now square roots are only calculated on public values!I Big performance gains in the secure setting (no gains in the public

    setting)

  • Changing Variables

    P =1√

    8πσx

    ∫ R−R

    [erf

    (ym +

    √R2 − x2√

    2σy

    )+ erf

    (−ym +

    √R2 − x2√

    2σy

    )]exp

    (−(x + xm)2

    2σ2x

    )dx

    each term in sum requires calculating√R2 − x2 where R , x are secret

    Set z = xR .

    P =R√

    8πσx

    ∫ 1−1

    [erf

    (ym + R

    √1− z2√

    2σy

    )+ erf

    (−ym + R

    √1− z2√

    2σy

    )]exp

    (−(Rz + xm)2

    2σ2x

    )dz

    I Now square roots are only calculated on public values!I Big performance gains in the secure setting (no gains in the public

    setting)

  • Summary

    I This project is still ongoing

    I We are developing new theoretical cryptographic tools basedon the problems that arise as part of this project

    I We are continuing to optimize our calculations to improve theperformance of this specific use-case

  • Other Applications of MPCDARPA program

    I DARPA is developing four applications of MPCI Numerical Analysis: Secure Conjunction AnalysisI Text Processing: Secure spam filterI Signal Processing: Secure voice processingI Graph Algorithms: Secure mapping

  • Introduction

    Oblivious Transfer

    Circuit Garbling

    Secure Computation from Secret Sharing

    Applications of MPCThe Satellite Problem

    Conjunction Analysis: OverviewSpecific CalculationsIntegrationDoing The Computation Securely

    ExtrasCryptographic AssumptionsConstructing Oblivious Transfer

  • Introduction

    Oblivious Transfer

    Circuit Garbling

    Secure Computation from Secret Sharing

    Applications of MPCThe Satellite Problem

    Conjunction Analysis: OverviewSpecific CalculationsIntegrationDoing The Computation Securely

    ExtrasCryptographic AssumptionsConstructing Oblivious Transfer

  • The Discrete Log Problem

    Definition (Discrete-Log Problem)

    Let G be a cyclic group of order N generated by g . ThusG = {g0, g1, . . . , gN−1}.If k

    $← N, then finding k given (g , gk) is called the discrete-logproblem in G.

    I If G = Zp (the additive group) then the discrete-log problemis easy in G.

    I If G = Z∗P (the multiplicative group) then the discrete-logproblem is assumed to be hard.(“hard” means no probabilistic polynomial-time algorithmexists to solve it)

    I If G is the group of points of finite order on a suitable chosenelliptic curve, then the discrete-log problem is assumed to behard.

  • The Discrete Log Problem

    Definition (Discrete-Log Problem)

    Let G be a cyclic group of order N generated by g . ThusG = {g0, g1, . . . , gN−1}.If k

    $← N, then finding k given (g , gk) is called the discrete-logproblem in G.

    I If G = Zp (the additive group) then the discrete-log problemis easy in G.

    I If G = Z∗P (the multiplicative group) then the discrete-logproblem is assumed to be hard.(“hard” means no probabilistic polynomial-time algorithmexists to solve it)

    I If G is the group of points of finite order on a suitable chosenelliptic curve, then the discrete-log problem is assumed to behard.

  • The Discrete Log Problem

    Definition (Discrete-Log Problem)

    Let G be a cyclic group of order N generated by g . ThusG = {g0, g1, . . . , gN−1}.If k

    $← N, then finding k given (g , gk) is called the discrete-logproblem in G.

    I If G = Zp (the additive group) then the discrete-log problemis easy in G.

    I If G = Z∗P (the multiplicative group) then the discrete-logproblem is assumed to be hard.(“hard” means no probabilistic polynomial-time algorithmexists to solve it)

    I If G is the group of points of finite order on a suitable chosenelliptic curve, then the discrete-log problem is assumed to behard.

  • The Computational Diffie-Hellman (CDH) Problem

    Definition (Computational Diffie-Hellman Problem)

    Let G be a cyclic group of order N generated by g . ThusG = {g0, g1, . . . , gN−1}.If a, b

    $← N, then finding gab given (g , ga, gb) is called theComputational Diffie-Hellman problem in G.

    I If G = Zp (the additive group) then the CDH problem is easyin G.

    I If G = Z∗P (the multiplicative group) then the CDH problem isassumed to be hard.

    I If G is the group of points of finite order on a suitable chosenelliptic curve, then the CDH problem is assumed to be hard.

  • The Computational Diffie-Hellman (CDH) Problem

    Definition (Computational Diffie-Hellman Problem)

    Let G be a cyclic group of order N generated by g . ThusG = {g0, g1, . . . , gN−1}.If a, b

    $← N, then finding gab given (g , ga, gb) is called theComputational Diffie-Hellman problem in G.

    I If G = Zp (the additive group) then the CDH problem is easyin G.

    I If G = Z∗P (the multiplicative group) then the CDH problem isassumed to be hard.

    I If G is the group of points of finite order on a suitable chosenelliptic curve, then the CDH problem is assumed to be hard.

  • The Computational Diffie-Hellman (CDH) Problem

    Definition (Computational Diffie-Hellman Problem)

    Let G be a cyclic group of order N generated by g . ThusG = {g0, g1, . . . , gN−1}.If a, b

    $← N, then finding gab given (g , ga, gb) is called theComputational Diffie-Hellman problem in G.

    I If G = Zp (the additive group) then the CDH problem is easyin G.

    I If G = Z∗P (the multiplicative group) then the CDH problem isassumed to be hard.

    I If G is the group of points of finite order on a suitable chosenelliptic curve, then the CDH problem is assumed to be hard.

  • The Decisional Diffie-Hellman (DDH) Problem

    Definition (The Decisional Diffie-Hellman (DDH) Problem)

    Let G be a cyclic group of order N generated by g . ThusG = {g0, g1, . . . , gN−1}.If a, b, c

    $← N, then distinguishing (g , ga, gb, gab) from(g , ga, gb, g c) is called the Decisional Diffie-Hellman problem in G.

    I If G = Zp (the additive group) then the DDH problem is easyin G.

    I If G = Z∗P (the multiplicative group) then the DDH problemis assumed to be hard.

    I If G is the group of points of finite order on a suitable chosenelliptic curve, then the DDH problem is assumed to be hard.

    I If G is the group of points of finite order on an elliptic curvewith a pairing the DDH problem is easy

  • The Decisional Diffie-Hellman (DDH) Problem

    Definition (The Decisional Diffie-Hellman (DDH) Problem)

    Let G be a cyclic group of order N generated by g . ThusG = {g0, g1, . . . , gN−1}.If a, b, c

    $← N, then distinguishing (g , ga, gb, gab) from(g , ga, gb, g c) is called the Decisional Diffie-Hellman problem in G.

    I If G = Zp (the additive group) then the DDH problem is easyin G.

    I If G = Z∗P (the multiplicative group) then the DDH problemis assumed to be hard.

    I If G is the group of points of finite order on a suitable chosenelliptic curve, then the DDH problem is assumed to be hard.

    I If G is the group of points of finite order on an elliptic curvewith a pairing the DDH problem is easy

  • The Decisional Diffie-Hellman (DDH) Problem

    Definition (The Decisional Diffie-Hellman (DDH) Problem)

    Let G be a cyclic group of order N generated by g . ThusG = {g0, g1, . . . , gN−1}.If a, b, c

    $← N, then distinguishing (g , ga, gb, gab) from(g , ga, gb, g c) is called the Decisional Diffie-Hellman problem in G.

    I If G = Zp (the additive group) then the DDH problem is easyin G.

    I If G = Z∗P (the multiplicative group) then the DDH problemis assumed to be hard.

    I If G is the group of points of finite order on a suitable chosenelliptic curve, then the DDH problem is assumed to be hard.

    I If G is the group of points of finite order on an elliptic curvewith a pairing the DDH problem is easy

  • Discrete-Log Type Problems

    The Discrete-Logproblem is hard in G

    The ComputationalDiffie-Hellman

    (CDH) problem ishard in G

    The DecisionalDiffie-Hellman

    (DDH) problem ishard in G

    DDH is easy inelliptic curve groups

    with a bilinearpairing, but CDH isassumed to be hard

    in those groups

    If DL is hard, thenusually CDH is hard

    [MW99]

  • Discrete-Log Type Problems

    The Discrete-Logproblem is hard in G

    The ComputationalDiffie-Hellman

    (CDH) problem ishard in G

    The DecisionalDiffie-Hellman

    (DDH) problem ishard in G

    DDH is easy inelliptic curve groups

    with a bilinearpairing, but CDH isassumed to be hard

    in those groups

    If DL is hard, thenusually CDH is hard

    [MW99]

  • Discrete-Log Type Problems

    The Discrete-Logproblem is hard in G

    The ComputationalDiffie-Hellman

    (CDH) problem ishard in G

    The DecisionalDiffie-Hellman

    (DDH) problem ishard in G

    DDH is easy inelliptic curve groups

    with a bilinearpairing, but CDH isassumed to be hard

    in those groups

    If DL is hard, thenusually CDH is hard

    [MW99]

  • Quadratic Residues

    DefinitionAn element y ∈ ZN is called a quadratic residue modulo N if thereexists an x ∈ ZN such that x2 = y mod N.

  • Legendre Symbol

    Definition (Legendre Symbol)

    If p is a prime and x ∈ Z∗p, then(x

    p

    )=

    {1 if x is a quadratic residue modulo p−1 if x is not a quadratic residue modulo p

    The

    Gauss’s law of quadratic reciprocity gives an efficient method forcalculating the Legendre symbol.

  • Jacobi Symbol

    Definition (Jacobi Symbol)

    If N = pe11 · · · perr is a positive integer and x ∈ Z∗N , then( xN

    )=

    (x

    p1

    )e1· · ·(

    x

    pr

    )er

    I Gauss’s law of quadratic reciprocity gives an efficient methodfor calculating the Jacobi symbol

    I If(xN

    )= −1 then x is not a quadratic residue modulo N

    I If(xN

    )= 1 then x may or may not be a quadratic residue

    modulo N

  • The Quadratic Residuosity Problem

    Definition (The Quadratic Residuosity (QR) Problem)

    Let N = pq, then given a random element y ∈ Z∗N such that( yN

    )= 1, determining if y is a quadratic residue, i.e., determining

    if there exists an x such that x2 = y mod N is called thequadratic residuosity problem.

    I Recall:( yN

    )=(yp

    )(yq

    )I if

    (yN

    )= −1, then y is not a quadratic residue modulo N

    I if(yN

    )= 1, then

    (yp

    )=(

    yq

    )I Given the factorization of N, it is easy to calculate

    (yp

    )and(

    yq

    ).

  • Quadratic Residuosity Problem

    Factoring is hardThe quadratic

    residuosity problem ishard

    Using only genericring operations

    [JS08]

  • Quadratic Residuosity Problem

    Factoring is hardThe quadratic

    residuosity problem ishard

    Using only genericring operations

    [JS08]

  • Introduction

    Oblivious Transfer

    Circuit Garbling

    Secure Computation from Secret Sharing

    Applications of MPCThe Satellite Problem

    Conjunction Analysis: OverviewSpecific CalculationsIntegrationDoing The Computation Securely

    ExtrasCryptographic AssumptionsConstructing Oblivious Transfer

  • Oblivious Transfer is SymmetricReversing OT [WW06]

    Sender Receiver

    x0

    x1

    b

    xb

    OT

    OT

    Receiver Sender

    r

    r ⊕ b

    x0 ⊕ x1

    a

    m = x0 + am xb = r ⊕m

  • Oblivious Transfer is SymmetricReversing OT [WW06]

    Sender Receiver

    x0

    x1

    b

    xb

    OT

    OT

    Receiver Sender

    r

    r ⊕ b

    x0 ⊕ x1

    a

    m = x0 + am xb = r ⊕m

  • Oblivious Transfer is SymmetricReversing OT [WW06]

    Sender Receiver

    x0

    x1

    b

    xb

    OT

    OT

    Receiver Sender

    r

    r ⊕ b

    x0 ⊕ x1

    a

    m = x0 + am

    xb = r ⊕m

  • Oblivious Transfer is SymmetricReversing OT [WW06]

    Sender Receiver

    x0

    x1

    b

    xb

    OT

    OT

    Receiver Sender

    r

    r ⊕ b

    x0 ⊕ x1

    a

    m = x0 + am xb = r ⊕m

  • OT From The Quadratic Residuosity (QR) Assumption

    QR(N) ={

    x2 mod N : x ∈ Z∗N}≈c{

    x ∈ Z∗N :( x

    N

    )= 1}

    = QNR(N)

    x0, x1 b

    Sender Receiver

    N = pq

    gb$← QNR(N)

    g1−b$← QR(N)

    g0, g1,N

    ri$← ZN

    yi = r2i g

    xii mod N

    }(y0, y1)

    xb = 1 iff yb ∈ QNR(N)

  • OT From The Quadratic Residuosity (QR) Assumption

    QR(N) ={

    x2 mod N : x ∈ Z∗N}≈c{

    x ∈ Z∗N :( x

    N

    )= 1}

    = QNR(N)

    x0, x1 b

    Sender Receiver

    N = pq

    gb$← QNR(N)

    g1−b$← QR(N)

    g0, g1,N

    ri$← ZN

    yi = r2i g

    xii mod N

    }(y0, y1)

    xb = 1 iff yb ∈ QNR(N)

  • OT From The Quadratic Residuosity (QR) Assumption

    QR(N) ={

    x2 mod N : x ∈ Z∗N}≈c{

    x ∈ Z∗N :( x

    N

    )= 1}

    = QNR(N)

    x0, x1 b

    Sender Receiver

    N = pq

    gb$← QNR(N)

    g1−b$← QR(N)

    g0, g1,N

    ri$← ZN

    yi = r2i g

    xii mod N

    }(y0, y1)

    xb = 1 iff yb ∈ QNR(N)

  • OT From The Quadratic Residuosity (QR) Assumption

    QR(N) ={

    x2 mod N : x ∈ Z∗N}≈c{

    x ∈ Z∗N :( x

    N

    )= 1}

    = QNR(N)

    x0, x1 b

    Sender Receiver

    N = pq

    gb$← QNR(N)

    g1−b$← QR(N)

    g0, g1,N

    ri$← ZN

    yi = r2i g

    xii mod N

    }(y0, y1)

    xb = 1 iff yb ∈ QNR(N)

  • OT From Trapdoor Permutations

    F is a family of trapdoor permutations from {0, 1}n to {0, 1}n

    x0, x1 b

    Sender Receiver

    f , f −1$← F

    r$← {0, 1}n

    (f , r)w

    $← {0, 1}n

    yb = f (w)

    y1−b$← {0, 1}n

    (y0, y1)

    z0 = f−1(y0)

    z1 = f−1(y1)

    c0 = x0 ⊕ 〈r, z0〉c1 = x1 ⊕ 〈r, z1〉

    (c0, c1)

    xb = 〈w, r〉 ⊕ cb

  • OT From Trapdoor Permutations

    F is a family of trapdoor permutations from {0, 1}n to {0, 1}n

    x0, x1 b

    Sender Receiverf , f −1

    $← F

    r$← {0, 1}n

    (f , r)

    w$← {0, 1}n

    yb = f (w)

    y1−b$← {0, 1}n

    (y0, y1)

    z0 = f−1(y0)

    z1 = f−1(y1)

    c0 = x0 ⊕ 〈r, z0〉c1 = x1 ⊕ 〈r, z1〉

    (c0, c1)

    xb = 〈w, r〉 ⊕ cb

  • OT From Trapdoor Permutations

    F is a family of trapdoor permutations from {0, 1}n to {0, 1}n

    x0, x1 b

    Sender Receiverf , f −1

    $← F

    r$← {0, 1}n

    (f , r)w

    $← {0, 1}n

    yb = f (w)

    y1−b$← {0, 1}n

    (y0, y1)

    z0 = f−1(y0)

    z1 = f−1(y1)

    c0 = x0 ⊕ 〈r, z0〉c1 = x1 ⊕ 〈r, z1〉

    (c0, c1)

    xb = 〈w, r〉 ⊕ cb

  • OT From Trapdoor Permutations

    F is a family of trapdoor permutations from {0, 1}n to {0, 1}n

    x0, x1 b

    Sender Receiverf , f −1

    $← F

    r$← {0, 1}n

    (f , r)w

    $← {0, 1}n

    yb = f (w)

    y1−b$← {0, 1}n

    (y0, y1)

    z0 = f−1(y0)

    z1 = f−1(y1)

    c0 = x0 ⊕ 〈r, z0〉c1 = x1 ⊕ 〈r, z1〉

    (c0, c1)

    xb = 〈w, r〉 ⊕ cb

  • OT From Trapdoor Permutations

    F is a family of trapdoor permutations from {0, 1}n to {0, 1}n

    x0, x1 b

    Sender Receiverf , f −1

    $← F

    r$← {0, 1}n

    (f , r)w

    $← {0, 1}n

    yb = f (w)

    y1−b$← {0, 1}n

    (y0, y1)

    z0 = f−1(y0)

    z1 = f−1(y1)

    c0 = x0 ⊕ 〈r, z0〉c1 = x1 ⊕ 〈r, z1〉

    (c0, c1)

    xb = 〈w, r〉 ⊕ cb

  • OT From The DDH AssumptionFrom Universal Hash Proofs [HK07]

    (g0, g1, gk00 , g

    k11 ) ≈c (g0, g1, g

    k0 , g

    k1 )

    x0, x1 b

    Sender Receiver

    w$← [|G|]

    (βb, γb) = (gw1 , g

    w2 )

    (β1−b, γ1−b) = (r1, r2)

    (β0, γ0), (β1, γ1)k0, k1

    $← [|G|]α = gk00 · g

    k11 mod p

    y0 = βk00 · γ

    k10 · g

    s00

    y1 = βk01 · γ

    k11 · g

    s10

    (y0, y1)

    xb = 1 iff yb · α−w = g

  • OT From The DDH AssumptionFrom Universal Hash Proofs [HK07]

    (g0, g1, gk00 , g

    k11 ) ≈c (g0, g1, g

    k0 , g

    k1 )

    x0, x1 b

    Sender Receiver

    w$← [|G|]

    (βb, γb) = (gw1 , g

    w2 )

    (β1−b, γ1−b) = (r1, r2)

    (β0, γ0), (β1, γ1)

    k0, k1$← [|G|]

    α = gk00 · gk11 mod p

    y0 = βk00 · γ

    k10 · g

    s00

    y1 = βk01 · γ

    k11 · g

    s10

    (y0, y1)

    xb = 1 iff yb · α−w = g

  • OT From The DDH AssumptionFrom Universal Hash Proofs [HK07]

    (g0, g1, gk00 , g

    k11 ) ≈c (g0, g1, g

    k0 , g

    k1 )

    x0, x1 b

    Sender Receiver

    w$← [|G|]

    (βb, γb) = (gw1 , g

    w2 )

    (β1−b, γ1−b) = (r1, r2)

    (β0, γ0), (β1, γ1)k0, k1

    $← [|G|]α = gk00 · g

    k11 mod p

    y0 = βk00 · γ

    k10 · g

    s00

    y1 = βk01 · γ

    k11 · g

    s10

    (y0, y1)

    xb = 1 iff yb · α−w = g

  • OT From The DDH AssumptionFrom Universal Hash Proofs [HK07]

    (g0, g1, gk00 , g

    k11 ) ≈c (g0, g1, g

    k0 , g

    k1 )

    x0, x1 b

    Sender Receiver

    w$← [|G|]

    (βb, γb) = (gw1 , g

    w2 )

    (β1−b, γ1−b) = (r1, r2)

    (β0, γ0), (β1, γ1)k0, k1

    $← [|G|]α = gk00 · g

    k11 mod p

    y0 = βk00 · γ

    k10 · g

    s00

    y1 = βk01 · γ

    k11 · g

    s10

    (y0, y1)

    xb = 1 iff yb · α−w = g

  • String OT

    OTm`

    Sender Receiver

    (x1,0, . . . , xm,0)

    (x1,1, . . . , xm,1)

    (b1, . . . , bm)

    (x1,b1 , . . . , xm,bm)

    I Sender has 2m strings of length `

    I Receiver chooses m of them

  • The [IKNP03] Extension ProtocolOTm` from OT

    λm

    fj(·) are random oracle hash funtions fj : {0, 1}λ → {0, 1}m

    Sender Receiver

    (x1,0, . . . , xm,0)

    (x1,1, . . . , xm,1)

    r = (r1, . . . , rm)

    x1,r1 , . . . , xm,rm

    OT

    Receiver generates a random m × λ matrix

    T =

    | |t1 · · · tλ| |

    = − t1 −...− tm −

    Sender generates λ random bits s1, . . . , sλ

    OTλm

    Receiver Sender

    (t1, . . . , tλ)

    (t1 ⊕ r, . . . , tλ ⊕ r)

    s1, . . . , sλ{t i ⊕ (si · r)

    }λi=1

    Q =

    | |(s1 · r) + t1 · · · (sk · r) + tλ| |

    = − (s · r1) + t1 −...− (s · rm) + tm −

    = − q1 −...− qm −

    Q ∈ {0, 1}m×λ

    yj ,0 = xj ,0 + fj(qj)

    yj ,1 = xj ,1 + fj(qj ⊕ s)

    {yj ,0, yj ,1}mj=1xj ,rj = yj ,rj ⊕ fj(tj)

    Receiver’s real input r is blinded bycolumns t i

    Sender’s real input {xi ,j} is blinded by hashes of rows of QIf ri = 0 then qi = ti

    If ri = 1 then qi = ti + s

    This method of OTm` requires:

    I OTλm (we will have m� λ)I m calls to the Random Oracle (in practice: AES)I 2`m bits of communication

    Benefit: reduces the number of public-key operations since λ� m.

  • The [IKNP03] Extension ProtocolOTm` from OT

    λm

    fj(·) are random oracle hash funtions fj : {0, 1}λ → {0, 1}m

    Sender Receiver

    (x1,0, . . . , xm,0)

    (x1,1, . . . , xm,1)

    r = (r1, . . . , rm)

    x1,r1 , . . . , xm,rm

    OT

    Receiver generates a random m × λ matrix

    T =

    | |t1 · · · tλ| |

    = − t1 −...− tm −

    Sender generates λ random bits s1, . . . , sλ

    OTλm

    Receiver Sender

    (t1, . . . , tλ)

    (t1 ⊕ r, . . . , tλ ⊕ r)

    s1, . . . , sλ{t i ⊕ (si · r)

    }λi=1

    Q =

    | |(s1 · r) + t1 · · · (sk · r) + tλ| |

    = − (s · r1) + t1 −...− (s · rm) + tm −

    = − q1 −...− qm −

    Q ∈ {0, 1}m×λ

    yj ,0 = xj ,0 + fj(qj)

    yj ,1 = xj ,1 + fj(qj ⊕ s)

    {yj ,0, yj ,1}mj=1xj ,rj = yj ,rj ⊕ fj(tj)

    Receiver’s real input r is blinded bycolumns t i

    Sender’s real input {xi ,j} is blinded by hashes of rows of QIf ri = 0 then qi = ti

    If ri = 1 then qi = ti + s

    This method of OTm` requires:

    I OTλm (we will have m� λ)I m calls to the Random Oracle (in practice: AES)I 2`m bits of communication

    Benefit: reduces the number of public-key operations since λ� m.

  • The [IKNP03] Extension ProtocolOTm` from OT

    λm

    fj(·) are random oracle hash funtions fj : {0, 1}λ → {0, 1}m

    Sender Receiver

    (x1,0, . . . , xm,0)

    (x1,1, . . . , xm,1)

    r = (r1, . . . , rm)

    x1,r1 , . . . , xm,rm

    OT

    Receiver generates a random m × λ matrix

    T =

    | |t1 · · · tλ| |

    = − t1 −...− tm −

    Sender generates λ random bits s1, . . . , sλ

    OTλm

    Receiver Sender

    (t1, . . . , tλ)

    (t1 ⊕ r, . . . , tλ ⊕ r)

    s1, . . . , sλ

    {t i ⊕ (si · r)

    }λi=1

    Q =

    | |(s1 · r) + t1 · · · (sk · r) + tλ| |

    = − (s · r1) + t1 −...− (s · rm) + tm −

    = − q1 −...− qm −

    Q ∈ {0, 1}m×λ

    yj ,0 = xj ,0 + fj(qj)

    yj ,1 = xj ,1 + fj(qj ⊕ s)

    {yj ,0, yj ,1}mj=1xj ,rj = yj ,rj ⊕ fj(tj)

    Receiver’s real input r is blinded bycolumns t i

    Sender’s real input {xi ,j} is blinded by hashes of rows of QIf ri = 0 then qi = ti

    If ri = 1 then qi = ti + s

    This method of OTm` requires:

    I OTλm (we will have m� λ)I m calls to the Random Oracle (in practice: AES)I 2`m bits of communication

    Benefit: reduces the number of public-key operations since λ� m.

  • The [IKNP03] Extension ProtocolOTm` from OT

    λm

    fj(·) are random oracle hash funtions fj : {0, 1}λ → {0, 1}m