MPC-primer

Recommendations

Info

A garbled circuit can be constructed by simply applying the above method to all the gates of a circuit, using the labels on a wire as plaintexts (when the wire is an output wire) and as encryption keys (when the wire is an input wire). In Figure 2, we show how a garbled circuit of three gates is constructed. We stress that the garbled circuit consists only of the topology of the circuit and the ciphertexts for each gate. The property of such a circuit is that given a single key on each input wire to the circuit, it is possible to compute the “correct” keys on the output wires of the circuit without learning anything else. For example, in Figure 2, consider the case that the input to the circuit is a = 1, b = 0, c = 1 and d = 1. The output of the circuit on these inputs is f = 0 and g = 1. Now, given k P " , k Q B , k R " , k 6 " , Bob will compute k S B and then k T B , k U " and nothing else. In order to facilitate translating the output garbled labels into plain output, output translation tables are also provided. In Figure 2, observe that k T B , 0 , k T " , 1 are provided. Thus, when Bob receives k T B for output, he will know that this means that the output on that wire is 0. At this point, it is worth noting that although Bob learns that the output of the circuit is 01, he has no way of knowing if this is due to the input being 1011 (as in the above example) or 0001 or 1100 or 1110 and so on, since all of these inputs yield the same output 01. & / ( , 0 , & / * ,1 & - ( , 0 , & - * ,1 ! ". $ ! "+ $ ( & / ! ". $ ! "+ ) ( & / ! ". ) ! "+ $ ( & / ! ". ) ! "+ ) * & / ! $ "# ! "% $ ( & ' ! $ "# ! "% ) ( & ' ! ) "# ! "% $ ( & ' ( * ( * & / & / & - & - AND OR ( * & ' & ' AND ! "+ $ ! $ ", ( & - ! "+ $ ! ) ", ( & - ! "+ ) ! $ ", ( & - ! "+ ) ! ) ", * & - ! "# ) ! "% ) & ' * & 2 ( & 2 * & 4 ( & 4 * & 3 ( & 3 * & 1 ( & 1 * Figure 2: A Garbled Circuit We therefore conclude that Alice can construct the garbled circuit and send it to Bob, who can then evaluate the circuit and obtain the prescribed output (but nothing else). It remains to show how Bob obtains a single key on each input wire, that is associated with his and Alice’s input. Returning to the example of Figure 2, imagine that Alice’s inputs are ab and that Bob’s inputs are cd. (Formally, the function being computed is f a, b, c, d = b ∧ c ∧ a, b ∧ c ∨ d .) Now, since Alice is the one who constructed the garbled circuit in the first place, she can just send Bob the garbled values on wires a and b that are associated with her input; if she has input 10, then Alice just sends Bob the keys k " P , k B Q . Since these are just random keys, Bob has no idea if they represent 0 or 1 values. The challenge of Bob obtaining the garbled values associated with his own input is much more difficult. In particular, if Bob asks for the appropriate keys, then Alice will learn his input. Likewise, if Alice sends both keys on the wires for b and d, then Bob will learn more than allowed (recall that Bob is only allowed to have a single key on each wire). This problem is therefore solved using a cryptographic protocol called 1-out-of-2 Oblivious Transfer (OT). A 1-out-of-2 OT protocol enables Bob to obtain exactly one of two
values held by Alice, without Alice learning which was received by Bob. We do not describe how OT is achieved in this paper, but remark that it can be achieved with very high efficiency. In summary, Alice constructs a garbled circuit and sends it to Bob, along with the keys associated with her own input. Then, oblivious transfer is used for Bob to obtain the keys associated with his own input. Finally, Bob computes the entire circuit obliviously, and uses the output translation table to learn the real output. The result is a computation of an arbitrary function, without revealing anything but the output. MALICIOUS ADVERSARIES The above description informally shows how to achieve security in the presence of semi-honest adversaries. However, when considering malicious adversaries, further mechanisms are required to ensure correct behavior of both parties. For just one example, a malicious Alice may send an incorrect circuit to Bob; since the circuit is garbled, Bob will not be able to detect this cheating behavior (as long as the incorrect circuit has the same topology). This clearly means that correctness can be broken. However, such strategies can also breach the privacy property, since Alice may send a circuit computing a function that reveals all of Bob’s input. Nevertheless, there exists efficient methods for preventing such cheating by Alice. SECURELY COMPUTING COMPLEX CIRCUITS One of the main issues when working with Yao based protocols is that the function to be securely evaluated (which could be an arbitrary program) must be represented as a circuit, usually consisting of XOR and AND gates. Since most real-world programs contain loops and complex data structures, this is a highly non-trivial task. General compilers exist for translating code into Boolean circuits, for the purpose of <strong>MPC</strong> protocols. When considering specific functions (like AES and HMAC-SHA256 with shared keys), it is possible to compile the code once into a Boolean circuit and then (automatically and manually) optimize it to reduce the number of gates as much as possible. As we have mentioned, the AES circuit has approximately 32,000 Boolean gates. It may seem that the work and communication involved in carrying out such a computation can never achieve response times that are suitable for practice. However, there are numerous optimizations to the basic Yao method that make it extremely fast. In particular, secure computation of the AES circuit can be achieved in mere milliseconds (and even less than a millisecond on a fast network). Thus, although Yao’s protocol began as a theoretical construct, it has evolved into an extremely fast method that can be used to solve a wide variety of practical problems. SUMMARY Secure multiparty computation enables parties to compute upon inputs without revealing them. Truly amazing constructions exist that enable parties to securely compute any function. Although these constructions work generically and involve translating the function to a Boolean circuit representation, they work extremely fast (for circuits that are not too large). In some case, like RSA, there are even faster protocols that work directly with the structure of the function and without needing to use a Boolean circuit representation. Importantly, all protocols for secure multiparty computation are mathematically proven secure and therefore provide very clear guarantees.
Page 1 and 2: A PRIMER IN SECURE MULTIPARTY COMPU
Page 3 and 4: Another novel application of secure
Page 5 and 6: ADVERSARIES Unlike in traditional c
Page 7: wires to the gate) the table assign

MPC-primer

Create successful ePaper yourself

Delete template?

Save as template?