CS670_lecture1 on garbled circuits , method of privacy preservation
- 1. CS714: Secure Computation Adithya Vadapalli Indian Institute of Technology, Kanpur July, 2024
- 2. Yao’s Garbled Circuits The Setting 1. P1 holds x1; Goal is to learn y1. 2. P2 holds x2; Goal is to learn y2. 3. P1 should not learn x2. 4. P2 should not learn x1.
- 3. Function F as a circuit x y x̄ + ȳ Two Main Entities 1. Garbler: encrypts the circuit. 2. Evaluator: Who evaluates the “encrypted” circuit.
- 4. Wire Values Wire Labels 1. Each wire wi the circuit can have to values: 0 or 1. Garbler picks two symmetric keys corresponding to each input wire. 2. A0 corresponds to the False wire label of the first input, A1 corresponds to the True wire label of the first input 3. B0 corresponds to the False wire label of the second input, B1 corresponds to the True wire label of the second input 4. C0 corresponds to the False wire label of the output wire, C1 corresponds to the True wire label of the output wire 5. Every gate G can be represented by a function with two input wires and one output wire. A0, A1 B0, B1 C0, C1
- 5. AND Gate Encryption A B A ∧ B 0 0 0 0 1 0 1 0 0 1 1 1
- 6. AND Gate Encryption A B A ∧ B c 0 0 0 EA0,B0 (C0) 0 1 0 EA1,B0 (C0) 1 0 0 EA0,B1 (C0) 1 1 1 EA1,B1 (C1)
- 7. The Garbled Gate c EA0,B0 (C0) EA1,B0 (C0) EA0,B1 (C0) EA1,B1 (C1)
- 8. Evaluating the Garbled Gate Suppose the Evaluator wants to evaluate the function at (0, 1) 1. If somehow the evaluator can learn A0 and B1 respectively, we are done. 2. Using this they can only decrypt one row from the Garbled Table. 3. Therefore, they try all rows.
- 9. Garbled Circuit Consider a function, y = F(x) The Gabled Circuit consists of: 1. The garbled table for every gate in F. 2. The wire table for every possible input bit. 3. The wire table for every possible output bit. The Wire Table The wire table consists of values (i, k0 i , k1 i )
- 10. Oblivious Transfer OT x1 x2 xb b Oblivious Transfer 1. Sender holds: (x1, x2) 2. Receiver holds: b ∈ {1, 2} 3. Sender gets: xb
- 11. Oblivious Transfer in Garbled Circuits Transporting the right keys for evaluation 1. The Garbler can handover one of the keys directly to the evaluator. 2. For the second key, they have to use OT.
- 12. The Garbled Gate c EA0,B0 (C0) EA1,B0 (C0) EA0,B1 (C0) EA1,B1 (C1) However there is still a problem!! Which decryption succeeds gives us information about the inputs! Simple Solution Just permute the rows! c EA1,B1 (C1) EA1,B0 (C0) EA0,B1 (C0) EA0,B0 (C0)
- 13. Optimizations in Garbled Circuits Parameters to Optimize 1. Communication (Number of Cipher Texts) 2. Garbler’s Computation 3. Evaluators’ Computation
- 14. Point and Permute (P&P) • A0, • A1 • B0, • B1 • C0, • C1 c ••EA0,B1 (C0) ••EA0,B0 (C0) ••EA1,B1 (C1) ••EA1,B0 (C0)
- 15. Point and Permute (P&P) Decrypting exactly one cipher text 1. The color labels are encoded in the wire labels. 2. Since the cipher texts now have the color labels, the evaluator need not try decrypting all four cipher texts. 3. This reduces the size of the cipher texts, since now we do not require any padding with 0s. 4. We can now use a simple One-Time-Pad.
- 16. Garbled Row Reduction (GRR3) Reducing one row The Garbler can choose the wire labels such that one of the cipher texts is 0n. c 0n ← Ek0 i ,k0 j (k0 k ) Ek0 i ,k0 j (k0 k ) Ek0 i ,k0 j (k0 k ) Ek0 i ,k0 j (k1 k )
- 17. Free XOR A, A ⊕ ∆ B, B ⊕ ∆ C, ⊕∆ Choose the wire labels strategically 1. Choose an offset ∆ 2. Set one of the input wire labels as A (true label) and A ⊕ ∆ (false label) and the other input label as B (true label) and B ⊕ ∆ (false label). 3. Set the output wires labels as C (true label) and C ⊕ ∆ (false label). Also, set C ← A ⊕ B
- 18. Garbled Row Reduction ++ (GRR2) XORs are no longer free!!! We have lost the ability to pick the output labels as we wish! They are determined by the polynomial.
- 19. Half Gates What if the garbler knew one of the input labels? We can get away with one cipher text. A, A ⊕ ∆ B, B ⊕ ∆ C, C ⊕ ∆ Suppose that garbler knew that: a = 0 Then, the gate becomes a unary gate that always outputs 0. The two ciphers texts would be: H(B) ⊕ C and H(B ⊕ ∆) ⊕ C Suppose that garbler knew that: a = 1 Then, the gate becomes an identity gate that always outputs 0. The two ciphers texts would be: H(B) ⊕ C and H(B ⊕ ∆) ⊕ (C ⊕ ∆)
- 20. Half Gates What if the evaluator knew one of the input labels? We can get away with one cipher text. A, A ⊕ ∆ B, B ⊕ ∆ C, C ⊕ ∆ Suppose that evaluator has B and knew that: b = 0 Then the cipher text would be H(B) ⊕ C Suppose that evaluator has B ⊕ ∆ and knew that: b = 1 1. It would suffice for the evaluator to learn A ⊕ C. 2. Why? (A ⊕ C) ⊕ A = C, which is the correct output when the Garbler’s input is a = 0. Similarly, when the garbler’s input is a = 1, then; (A ⊕ C ⊕ ∆) ⊕ A = C ⊕ ∆ is the correct output.
- 21. Two halves make a whole! Rewriting a ∧ b 1. a ∧ b = (a ⊕ r ⊕ r) ∧ b 2. a ∧ b = (a ⊕ r ∧ b) ⊕ (r ∧ b) 3. We are done if the Garbler can: - pick a random r - and can arrange for the Evaluator to learn a ⊕ r Choosing the random r In fact, the Garbler need not actually pick r. 1. Set r as the color corresponding to the False label of Garbler’s input wire. 2. Also note that, a ⊕ r is the color of the the label that the Evaluator received from the Garbler.