06 - Secure Two-Party Computation

Cryptographic Protocols (CRYPROT)
Lecture 6 – May 20, 2021
Secure Two-Party Computation
Department of Computer Science | ENCRYPTO | Prof. Dr.-Ing. Thomas Schneider

2
Summary from Lecture 1: Secure Two-Party Computation
How can two parties compute on private data?
Data 𝑥 Data 𝑦
𝑓 𝑥, 𝑦 𝑓
Biometric Identification Genomic Computations

3
Structure of Today’s Lecture
- Yao’s Protocol
- The GMW Protocol
- Yao vs. GMW
- Zero-Knowledge Using Garbled Circuits
4
Overview: Secure Two-Party Computation
Generic Protocols
Arithmetic Circuit Boolean Circuit

(Lecture 2 Basics)
Homomorphic Encryption Yao GMW

ABY [DemmlerSZ15]
(Lecture 4 OT) OT
Public Key Crypto >> Symmetric Crypto >> One-Time Pad

5
Secure Two-Party Computation
Public function 𝑓(⋅,⋅) Is S

• compute arbitrary function 𝑓 richer?
• on private data 𝒙, 𝒚 x<y
Client 𝐶 Server 𝑆
• without trusted third party
• reveal nothing but result 𝒛 = 𝑓(𝒙, 𝒚)
Private data 𝒙 Private data 𝒚
x = $1 Mio y = $2 Mio
S2PC
Example: Yao’s Millionaires’ Problem
true
𝒛 = 𝑓(𝒙, 𝒚) 6
Secure Two-Party Computation: Applications (Small Selection)
Auctions [NaorPS99], ...
Remote Diagnostics [BrickellPSW07], ...
DNA Searching [Troncoso-PastorizaKC07], ...
Biometric Identification [ErkinFGKLT09], ...
Medical Diagnostics [BarniFKLSS09], ...

7
YAO’S PROTOCOL
8
Yao’s Garbled Circuit Protocol
Yao’s Garbled Circuit Protocol [Yao86] allows Secure Function Evaluation

- of an arbitrary publicly known function 𝑓 (given as Boolean circuit 𝐶)
- with communication and computation linear in the size of 𝐶
- in a constant number of rounds.
We describe the semi-honest (passively secure) version of Yao‘s protocol next.
9
Garbled Circuit [Yao86]
Conventional circuit Garbled circuit
01
keys look random
01
01
01 01
given input keys, can compute output key only

(Slide from Viet-Tung Hoang) 10
Garbled Gate [Yao86]
X Y
Y 0
X 1 given two input keys,

can compute only output key
X 2
X 3
A B C D
Yao’s Protocol: Boolean Circuit
Yao’s Protocol: Boolean Circuit
The needs
The function to be evaluated function togiven
to be be evaluated needs
as a Boolean to be given as boolean circuit.
circuit.
A boolean circuit is a Directed Acyclic Graph (DAG) with u inputs,
A Boolean circuit is a Directed Acyclic
v outputs andGraph with 𝑢 inputs, 𝑣 outputs, and 𝑘 Boolean
(DAG)gates.
k boolean
gates (nodes). Edges are called wires. x1 x2 x3 x4
wire wi
=
z1 z2
Any efficiently computable function (i.e., in P) can be converted into a Boolean circuit of
All functions relevant in practice can be converted into a boolean
polynomial size: circuit of polynomial size:
- Unroll loops unroll loops
- Execute both branches of ifexecute
statements
both branches of if statements
- ... ...
12
Yao’s Protocol: Boolean Circuit Example
For the Millionaire‘s problem, we need to securely compute 𝑥 < 𝑦 for two 𝑛-bit numbers with bit-
representations 𝑥 = 𝑥! … 𝑥" and 𝑦 = 𝑦! … 𝑦".
- Comparison can be defined recursively as:
- Initial step (𝑖 = 1): 𝑥! < 𝑦! ⇔ 𝑥! = 0 ∧ (𝑦! = 1)
- Inductive step (𝑖 − 1 → 𝑖): 𝑥" … 𝑥! < 𝑦" … 𝑦! ⇔ 𝑥" < 𝑦" ∨ ( 𝑥" = 𝑦" ∧ 𝑥"#! … 𝑥! < 𝑦"#! … 𝑦! ).
- This yields the following Boolean comparison circuit: carry 𝑐#$"
Topology 𝑐$%# 𝑥$ 𝑦$ 𝑐$
Function 0 0 0 0
𝑥! 𝑦! 𝑥" 𝑦" 𝑥# 𝑦# Tables 0 0 1 1
𝑥<𝑦 0 1 0 0
𝑐! ... 𝑐" 𝑐#
< < < x# y# c# 0 1 1 0
0 0 0 1 0 0 1
z 0 1 1 1 0 1 1
1 0 0 1 1 0 0
1 1 0 1 1 1 1 13
Yao’s Protocol: Garbled Values
The basic idea of The
Yao’sbasic
Garbled
idea Circuit
of Yao’sis Garbled
to compute on is
Circuit randomly
to compute on randomly
The basicchosen
idea ofgarbled values
chosen
Yao’s garbled ve instead
circuits is toof
garbled plainvevalues
values
compute v . of plain
instead
on randomly values
chosen v . values 𝑣5
garbled
instead of plainBoolean
values 𝑣.Values v Boolean Values v Garbled Values ve Garbled Values ve
Plain values 𝑣 Garbled values 𝑣"
0 0 0 0 e0
x ye0 e0
x ye0
x y x y e ye
x e ye
x
1 1 1 1 e1
x ye1 e1
x ye1
e e
0 0 ze0 ze0
z z ze ze
1 1 ze1 ze1
A Garbled ValueAveGarbled
can be one Value ve can
of its two be one of its two
corresponding corresponding
garbled values garbled valu
A garbled 0value 1𝑣5 can be one 5 % or 𝑣5 " that correspond to the plain values
1 garbled values 𝑣
0 of two
ve or ve tothat
ve or ve that correspond thecorrespond
plain valuesto0the andplain values 0 and 1, respectively.
1, respectively.
0 and 1, respectively.
ve0 and chosen
ve0 and ve1 are randomly ve1 are t-bit
randomly
keys,chosen t-bit keys,
% "
𝑣5 and 𝑣5 are where
randomt 𝜅-bit keys,where
is a symmetric t𝜅isisathe
wheresecurity symmetricsecurity
symmetric
parameter security
(e.g., parameter
tparameter
= (e.g.,t𝜅==128)
128) (e.g., 128).
⇒ A garbled value
) a 𝑣5garbled
does not reveal
value togarbled
)ve adoeswhich
not plain
valuevalue
reveal it corresponds.
vetodoes
whichnotplain
reveal to which
value it plain value it
corresponds. corresponds.
Sadeghi@TU
Sadeghi@TU Darmstadt, Schneider@RUB, Darmstadt,
2010 Secure,Schneider@RUB, 2010
Trusted and Trustworthy Secure, Trusted
Computing, Partand
1 Trustworthy Basics
Computing, PartComputing
of Secure 1 Basics
27 / 1of Secure Com
14
Yao’s Protocol: Basic Idea (Garbled Gates)
Yao’s Protocol: Garbled Gates
Booleangate
Boolean Gate𝐺 G Garbled
Garbled Gate
gate
e
𝐺$ G
x y z xe ye ze
0 0 0 ye0
x y 0 0 0 e
x e ye
x xe0 ye0 z 0)
Encxe0 ,ey 0 (e
1 1 e1
x ye1 xe0 ye1 z 0)
Encxe0 ,ey 1 (e
0 1 0
e xe1 ye0 z 0)
Encxe1 ,ey 0 (e
1 0 0
0 1 1 1 ze0 xe1 ye1 z 1)
Encxe1 ,ey 1 (e
z ze
1 ze1
Function
Function Table
table 𝑇T Garbled Te 𝑇$
Table table
Garbled
Garbled gates Garbled

𝐺< allow toGates Ge allow
compute to compute
on garbled on garbled
values. For thevalues.garbled Forinput
the values
garbled 𝑥, 5 𝑦5 the
input values xe, ye the garbled table Te allows to recover the corresponding
𝑇< allowsoutput
garbled table garbled to recover
value the nothing else. garbled output value 𝑧̃ but nothing else.
corresponding
ze but
- For each of the 2For & = 4 combinations 𝑥5 # ,input
𝑦5 ' the
each of the 22 = of garbled inputofvalues
4 combinations garbled corresponding
values xei , yej garbled
theisgarbled
output value 𝑧̃ ((#,') output value
symmetrically zeT (i,j)using
encrypted is encrypted using
𝑥5 # , 𝑦5 ' as keys. xei , yej as keys.
The entries of the garbled table are permuted randomly.
- The entries of the garbled table are permuted randomly (to remove leakage from position).
The symmetric encryption scheme Enc() allows to determine
- The symmetric encryption
whether a scheme
decryptionEnc() allows (e.g.,
succeeded to determine
by usingwhether
padding).a decryption succeeded
(e.g., by using padding).
Sadeghi@TU Darmstadt, Schneider@RUB, 2010 Secure, Trusted and Trustworthy Computing, Part 1 Basics of Secure Computing 28 / 1
15
Yao’s Protocol: Basic Idea (Garbled Circuit)
Yao’s Protocol: Garbled Circuit
Boolean Circuit C
Boolean circuit 𝐶 Garbled
Garbled circuit 𝐶' Circuit Ce
x 2 y2 x 1 y1 e2 ye2
x e1 ye1
x Garbledinputs
Garbled Inputs
c1
G2 G1 e2 e
G
c1 e
G1 Garbled
Garbledgates
Gates
z ze Garbled
Garbledoutputs
Outputs
A garbled circuit 𝐶B isAcomposed of garbled
Garbled Circuit Ce is gates 𝐺<# . from Garbled Gates Gei .
composed
follows:of Ce works as follows:
Creation of 𝐶B works asCreation
For each wire wi randomly choose two %garbled " values w ei0 , w
ei1 .
- For each wire 𝑤# randomly choose
For each gate two garbledthe
Gi generate values
garbled 𝑤
D #table
,𝑤
D # .Tei for Gei .
Ce consists of the garbled<tables <Tei (one for each garbled gate Gei ).
- For each gate 𝐺# generate the garbled table 𝑇# for 𝐺# .
Evaluation of Ce: works as follows:
- 𝐶 consists of the garbled tables 𝑇<# (one for each garbled gate 𝐺<# ). e
B
Given the Garbled Inputs (= Garbled Values for C ’s input wires),
Evaluation of 𝐶B works as follows:
the Garbled Gates Gei are evaluated one-by-one using their Tei .
The Garbled Outputs are the Garbled Values of Ce’s output wires.
- B input wires),
Given the garbled inputs (= garbled values for 𝐶’s
ze = Ce(e
x , ye)
- the garbled gates 𝐺<# are evaluated in topological order using their garbled tables 𝑇<# .
- The garbled outputs are the garbledSecure,
Sadeghi@TU Darmstadt, Schneider@RUB, 2010
values of 𝐶’sB output
Trusted and Trustworthy
wires: 𝑧̃ = 𝐶BBasics
Computing, Part 1
𝑥,
5 of𝑦5Secure
. Computing 29 / 1
16
Yao’s Protocol: Summary
In summary, Yao’s garbled circuits protocol works as follows:

1) Create Boolean circuit 𝐶 that computes the function 𝑓.
2) Server 𝑃& creates garbled circuit 𝐶B and sends it to the Client 𝑃".
3) Server obliviously sends garbled inputs 𝑥,
5 𝑦5 that correspond to the plain inputs 𝑥, 𝑦 to Client:
$
§ For Server’s input bits 𝑦" , the corresponding garbled values 𝑦0" ! are sent directly.
&
§ For Client’s input bits 𝑥" , the parties run an oblivious transfer protocol OT: 𝑥" ; 𝑥0"% , 𝑥0"! → 𝑥0" ! ; ⊥ .
4) Client evaluates 𝐶B and obtains the garbled output 𝑧̃ = 𝐶(

B 𝑥,
5 𝑦).
5
5) The garbled output 𝑧̃ = (𝑧"̃ , 𝑧̃&) is converted into plain value 𝑧" for Client and 𝑧& for Server:
§ For Server’s outputs, Client sends the garbled values 𝑧̃' to Server who can determine 𝑧' .
§ For Client’s outputs, Server sends an output decryption table (e.g., hash of each garbled value
𝑧!̃ % , 𝑧!̃ ! ) which allows Client to determine 𝑧! from 𝑧!̃ .
17
Yao’s Protocol: Overview
Client 𝑃# 𝑓(J,J) e.g., x < y Server 𝑃"
private data x = 𝑥", … , 𝑥! private data y = 𝑦", … , 𝑦!

𝑥! 𝑦! 𝑥" 𝑦" 𝑥# 𝑦#
𝑐" 𝑐#
1) Circuit
𝑧
𝑥"! 𝑦"! 𝑥"" 𝑦"" 𝑥"# 𝑦"#
2) Garbled 𝑐"̃ 𝑐#̃

Setup
Circuit 𝐶B
Phase 2) 𝐶0 𝑧̃
/(%,%)
Online 3) y2 Enc-,$%,.,$% (𝑐"̃ )
D #%, 𝑤
𝑤 D #"
permuted
Phase /(%,")
3) n – OT: x; x2 𝟎 , x2 𝟏 → (2x; ⟘) Garbled Enc-,$%,.,$$ (𝑐"̃ )
/(",%)
Values Enc-,$$,.,$% (𝑐"̃ )
4) z2 𝟏 , z2 𝟐 0 x, y2 )
= 𝐶(2 /(",")
Enc-,$$,.,$$ (𝑐"̃ )
z2 𝟐
5) Garbled Table
𝒛𝟏 = 𝑓# (x, y) 𝒛𝟐 = 𝑓" (x, y) 18
Security of Yao’s Protocol
- Yao’s protocol as explained before is provably secure against passive adversaries

[LindellPinkas04].
- It is easy to secure against a malicious client by using maliciously secure oblivious transfers.
- It can be extended for security against covert [AumannLindell07] and malicious
[LindellPinkas07] adversaries.
- These protocols ensure that 𝑃' generates a valid GC using the “cut-and-choose” technique:
- 𝑃" generates multiple GCs and commits to them.
- 𝑃# randomly chooses all-but-one (in covert case) or half of them (in malicious case) to be opened by
𝑃" and verified for correctness by 𝑃# .
- This ensures that the majority of the unopened GCs are well-formed with high probability.
- Additional measures are taken to ensure that 𝑃' inputs consistent values into OT to avoid
selective failure attacks (𝑃' inputs one wrong key and learns one bit of information if 𝑃! aborts).
[KirazSchoenmakers06]
19
Formalization of Garbled Circuits: Garbling Schemes [BellareHR12]
F
1k
Ev Y
e
f Gb En X y
x De
d
f
y
x ev
Correctness
(" f, x, k), if
(F, e, d) ¬ Gb(1k, f),
X ¬ En(e, x),
Y ¬ Ev (F, X), Privacy (informal):
y ¬ De(d, Y) then Given (F, X, d) learn nothing but y = f(x).
y = ev(f, x)

Overview of Efficient Garbled Circuit Constructions
1990 Point-and-Permute [BeaverMR90]
1999 3-row reduction [NaorPS99]
2008 Free-XOR [KolesnikovSchneider08]
2009 2-row reduction [PinkasSSW09]
2012 Garbling via AES [KreuterSS12]
2013 Fixed-key AES [BellareHKR13]
2014 FleXor [KolesnikovMR14]
2015 HalfGates [ZahurRE15]

1) Efficiently Verifiable & Elusive Range Encryption [LindellPinkas04]
Wires:
Assign random keys ki, Ki to all wires i
Garbling:
a, A
For each gate use double-encryption x, X
and randomly permute entries: b, B
Ea(Eb(x))
Ea(EB(x))
EA(Eb(x))
EA(EB(X))
Outputs:
For each output wire i: provide mapping [(0, ki), (1, Ki)]
22
1) Efficiently Verifiable & Elusive Range Encryption [LindellPinkas04]
Evaluator needs to know which entry was decrypted successfully
⇒ use encryption function with efficiently verifiable and elusive range:

Ek(m) = [r, Fk(r) ⊕ (m || 00 )], where F is a pseudo-random function and 𝜎 is the statistical
security parameter (by pseudo-randomness of F, probability of obtaining 00 with incorrect k is
negligible)
⇒ Need to decrypt multiple entries until decryption succeeds

§ Expected number of double-decryptions is (1+2+3+4) / 4 = 2.5
23
2) Point and Permute [BeaverMR90]
For every wire i, choose a random signal bit pi together with the key.
The signal bits of the input wires determine which entry to decrypt.
0 1
1
2*1+0=2
2
3 ⇒ decrypt entry #2
1 0 0 1 24
2) Point and Permute [BeaverMR90]
Advantages of point-and-permute:
• Exactly one entry needs to be decrypted
• Simplifies output decryption
If output permutation pi = 0 then output is permutation bit of output key

0 1
If output permutation pi = 1 then output is negated permutation bit of output key

1 0
⇒ Server simply reveals for each output wire the bit pi to Client.
In the following we always assume usage of point and permute.

p(k) is the permutation bit of key k.
25
3) 3-Row Reduction [NaorPS99]
Encryption function: ET(kl, kr; ko) = ko ⊕ F(kl, T || 0) ⊕ F(kr, T || 1),

where F is a pseudo-random function, e.g., instantiated with AES, and T (tweak) is unique for
each invocation of the encryption function, e.g., T = gate id || p(kl) || p(kr).
Idea: Eliminate first table entry by implicitly fixing it to be 0.

ET(a, b; c) = c ⊕ F(a, T || 0) ⊕ F(b, T || 1) = 0 (no need to send this table entry)
⇒ c = F(a, T || 0) ⊕ F(b, T || 1).
⇒ One of the two output keys is derived from the input keys.
}
ET(a, B; c)
ET(A, b; c) remaining 3 table entries as before
ET(A, B; C)
⇒ Communication is reduced from 4 to 3 table entries.

26
4) Free XOR [KolesnikovSchneider08]
Encryption function: ET(kl, kr; ko) = ko ⊕ H(kl || kr || T),

where H is a random oracle, e.g., instantiated with SHA-2.
Idea: Choose keys s.t. each pair has fixed distance R (unknown to evaluator).
R=a⊕A=b⊕B=c⊕C=…
Garble XOR: set output key c = a ⊕ b
Eval XOR: set output key kc = ka ⊕ kb
Correctness: c = a ⊕ b = (R ⊕ a) ⊕ (R ⊕ b) = A ⊕ B
C=c⊕R=a⊕b⊕R=a⊕B=A⊕b
Security (intuitively): Evaluator knows one key per wire, so never learns R.
§ Requires random oracle or non-standard circularity assumption.
Can be combined with 3-row reduction.

27
5) Garbling via AES
Since 2008 many Intel and AMD CPUs have hardware support for AES:
Advanced Encryption Standard New Instructions (AES-NI)
[KreuterSS12]: ET(kl, kr; ko) = ko ⊕ AES-256(kl || kr; T)

⇒ Needs to run expensive AES key schedule per gate
[BellareHKR13] Fixed-key AES garbling:

Choose fixed key X and run AES key schedule once
ET(kl, kr; ko) = ko ⊕ AES-128(X; K) ⊕ K with K = 2kl ⊕ 4kr ⊕ T
⇒ Needs to model AES as “ideal cipher”
Both can be combined with free XOR and 3-row reduction.
28
The complete scheme. The full garbling procedure for an entire circuit is shown in
Figure 2. The scheme works for any binary gate, but for simplicity of discussion and
proof we assume all gates are either AND or XOR.
6) HalfGates - Today’s Most Efficient Garbling Scheme [ZahurRE15]
procedure Gb(1k , f ): procedure En(ê, x̂):
R ⌘ {0, 1}k 1 1 for ei 2 ê do
for i 2 Inputs(f ) do Xi ei xi R
Wi0 ⌘ {0, 1}k return X̂
Wi1 Wi0 R
ei Wi0 ˆ Ŷ ):
procedure De(d,
for i 2/ Inputs(f ) {in topo. order} do ˆ
for di 2 d do
{a, b} GateInputs(f, i) yi di lsb Yi
if i 2 XorGates(f ) then return ŷ
Free XOR Wi0 Wa0 Wb0
else
procedure Ev(F̂ , X̂):
(Wi0 , TGi , TEi ) GbAnd(Wa0 , Wb0 )
for i 2 Inputs(F̂ ) do
Fi (TGi , TEi )
Wi Xi
end if
Wi1 Wi0 R for i 2/ Inputs(F̂ ) {in topo. order} do
for i 2 Outputs(f ) do {a, b} GateInputs(F̂ , i)
di lsb(Wi0 ) if i 2 XorGates(F̂ ) then
ˆ
return (F̂ , ê, d) Wi Wa Wb
else
private procedure GbAnd(Wa0 , Wb0 ): sa lsb Wa ; sb lsb Wb
pa lsb Wa0 ; pb lsb Wb0 j NextIndex(); j 0 NextIndex()
j NextIndex(); j
{First half gate}
0
NextIndex() (TGi , TEi )
WGi
Fi
H(Wa , j) sa TGi
2 calls of H
TG H(Wa0 , j) H(Wa1 , j) pb R WEi H(Wb , j 0 ) sb (TEi Wa ) for evaluating
4 calls of H WG 0
H(Wa0 , j) pa TG
{Second half gate}
Wi
end if
WGi WEi
AND
for garbling TE H(Wb0 , j 0 ) H(Wb1 , j 0 ) Wa0 for i 2 Outputs(F̂ ) do
WE 0
H(Wb0 , j 0 ) pb (TE Wa0 ) Yi Wi
AND {Combine halves} return Ŷ
W0 WG0 WE0
return (W 0 , TG , TE ) 2 table entries per AND 29
Summary of Garbled Circuit Constructions
size (in bits) garble cost (AES) eval cost (AES)
XOR AND XOR AND XOR AND
Classical 4(𝜅 + 𝜎) 8 5
Point and Permute 4𝜿 4 1
3-Row Reduction 3𝜿 4 1
3-Row Reduction + Free XOR 0 3𝜅 0 4 0 1
HalfGates + Free XOR 0 2𝜿 0 4 0 2
symmetric security parameter 𝜅, statistical security parameter 𝜎 (e.g., 𝜅 = 128, 𝜎 = 40)

30
Summary: Yao - the Apple
How to eat an apple?

bite-by-bite
+ Yao has constant #rounds

- Evaluating a garbled gate requires
symmetric crypto in the online phase
31
THE GMW PROTOCOL
32
The GMW Protocol [GMW87]
Secret share inputs: 𝑎 = 𝑎! ⊕ 𝑎' 𝑎 𝑏

𝑏 = 𝑏! ⊕ 𝑏'
Non-Interactive XOR gates: 𝑐! = 𝑎! ⊕ 𝑏! ; 𝑐' = 𝑎' ⊕ 𝑏' 𝑐
Interactive AND gates: x1c𝑐!1,,,y𝑏b!11 𝑐cx , b y2

'2,2𝑏,'2
<latexit sha1_base64="HHJ1w9f7EzOiWBlFm+Aj2fxlMsQ=">AAADOnicjVLLbtNAFJ2aVzGvFpbdjEiRWKDIrpBgWambLoNE2qJMZI3H18ko87BmxqFm5K9gC3/Cj7Blh9jyAYwTU5EUJK5k6fqcc59z80pw65Lk60504+at23d278b37j94+Ghv//GZ1bVhMGZaaHORUwuCKxg77gRcVAaozAWc54uTjj9fgrFcq7euqWAq6UzxkjPqAvTu8DJLXzRZepjtDZJhsjJ83Ul7Z4B6G2X70QEpNKslKMcEtXaSJpWbemocZwLamNQWKsoWdAYTKqrQ39Tz0jayxc/wyOglL8Biclq7P6V+NVKQBKjApTbhUw6v0A0dlTbkyoNSUje321wH/o2b1K58HRpRVe1AsXWhshbYadztBxfcAHOiCQ5lhodhMJtTQ5kLW9yoYp2kpjFFGFXBe6alpKrwpMs6SaeeCJGHsAU4P0hbYkz/1/5PEl2dtJ7k+pJxs97mJjsKbEetCVBLbrTqnsJ3iaHIuAPJP0DrY5LDjCv/G4gxJhbCnaiZm3vSwaGb1ofH2+YqauyC/5u7Cmu7qYurEm0ch3NKt4/nunN2NEyTYfrmaHD8sj+sXXSAnqLnKEWv0DE6RSM0RgxJ9BF9Qp+jL9G36Hv0Yy2NdvqYJ2jDop+/AKQqEYo=</latexit>
sha1_base64="jJJ0qF4suLSP6yeqT1961YypIMk=">AAADOnicjVLLbtNAFJ2aR4t5tbDsZkSKxAJFdoUEOyp102WQSFuUiaLx+DoZZR7WzDitGfkr2MKf8CNs2SE2LPgAxnGoSAoSV7J0fc65z7lZKbh1SfJlK7px89bt7Z078d179x883N17dGp1ZRgMmRbanGfUguAKho47AeelASozAWfZ/LjlzxZgLNfqratLGEs6VbzgjLoAvTu4nKTP60l6MNntJf1kafi6k66c3usfaGmDyV60T3LNKgnKMUGtHaVJ6caeGseZgCYmlYWSsjmdwoiKMvQ39rywtWzwUzwwesFzsJicVO5PqV+OFCQBynGhTfiUw0t0TUelDbmyoJTUzewm14J/40aVK16FRlRZOVCsK1RUAjuN2/3gnBtgTtTBoczwMAxmM2ooc2GLa1Wsk9TUJg+jKrhgWkqqck/arKN07IkQWQibg/O9tCHGrP6a/0miy+PGk0xfMm66ba6zg8C2VEeAWnCjVfsUvk0M+YQ7kPw9ND4mGUy58r+BGGNiIdyJmrqZJy0cuml8eLxNrqTGzvm/uauwpp06vyrRxHE4p3TzeK47p4f9NOmnbw57Ry+6u0I7aB89Qc9Qil6iI3SCBmiIGJLoA/qIPkWfo6/Rt+h7J422VjGP0ZpFP38BxeESuQ==</latexit>
<latexit sha1_base64="785Ar6Uq5A3SIVyYVheejzkKDeY=">AAADOnicjVLLbhMxFHWHVxleLSy7sUiRWKBoXFWCZaVuugwSaYviKPJ47iRW/BjZnkCw5ivYwp/wI2zZIbZ8AJ5kqEgKElca6c455z5980oK57Ps605y4+at23d276b37j94+Ghv//G5M7XlMORGGnuZMwdSaBh64SVcVhaYyiVc5PPTlr9YgHXC6Dd+WcFYsakWpeDMR+jtIZ+QF/mEHE72elk/Wxm+7pDO6aHOBpP95IAWhtcKtOeSOTciWeXHgVkvuIQmpbWDivE5m8KIySr2Nw6idEvV4Gd4YM1CFOAwPav9n9KwGilKIlTg0tj4aY9X6IaOKRdz5VGpmJ+5ba4F/8aNal++io3oqvag+bpQWUvsDW73gwthgXu5jA7jVsRhMJ8xy7iPW9yo4rxidmmLOKqGd9woxXQRaJt1RMaBSpnHsDn40CMNtbb7a/4nialOm0Bz854Lu97mJjuIbEutCdALYY1unyK0iaGYCA9KfIAmpDSHqdDhN5BiTB3EO9FTPwu0hWM3TYiPt81VzLq5+Dd3Fda0UxdXJZo0jedEto/nunN+1CdZn7w+6p0cd4e1iw7QU/QcEfQSnaAzNEBDxJFCH9En9Dn5knxLvic/1tJkp4t5gjYs+fkLJ+oRXg==</latexit>
sha1_base64="EuFXqZv0XD7LtH4cnvlU32sp5+s=">AAADOnicjVLLbtNAFJ2aVzGvFpbdjEiRWKDIrirBjkrddBkk0hZlIms8vk5GmYc1M04bRv4KtvAn/AhbdogNCz6AcRwqkoLElSxdn3Puc25eCW5dknzZim7cvHX7zvbd+N79Bw8f7ew+PrW6NgyGTAttznNqQXAFQ8edgPPKAJW5gLN8dtzyZ3Mwlmv11i0qGEs6UbzkjLoAvdtnWfoiz9L9bKeX9JOl4etOunJ6r3+gpQ2y3WiPFJrVEpRjglo7SpPKjT01jjMBTUxqCxVlMzqBERVV6G/seWkXssHP8MDoOS/AYnJSuz+lfjlSkASowKU24VMOL9E1HZU25MqDUlI3tZtcC/6NG9WufBUaUVXtQLGuUFkL7DRu94MLboA5sQgOZYaHYTCbUkOZC1tcq2KdpGZhijCqggumpaSq8KTNOkrHngiRh7AZON9LG2LM6q/5nyS6Om48yfUl46bb5jo7CGxLdQSoOTdatU/h28RQZNyB5O+h8THJYcKV/w3EGBML4U7UxE09aeHQTePD421yFTV2xv/NXYU17dTFVYkmjsM5pZvHc905PeinST99c9A7OuzuCm2jPfQUPUcpeomO0AkaoCFiSKIP6CP6FH2Ovkbfou+dNNpaxTxBaxb9/AVJoRKN</latexit>
zd𝑑1!1 <latexit sha1_base64="Gp0kfRWEdWZoLNwU9veo2oxd2Po=">AAADNnicjVLLbtNAFJ2aR4t5tbDsZkSKxCqyKyRYVuqmyyCRtlIcRePxdTLKPKyZ60A68jd0C3/Cr7Bhh9jyCYwTU5EUJK5k6fqcc59z80oKh0nydSe6c/fe/d29B/HDR4+fPN0/eHbuTG05DLmRxl7mzIEUGoYoUMJlZYGpXMJFPj9t+YsFWCeMfo/LCsaKTbUoBWcYoOHR1SQ9muz3kn6yMnrbSTunRzobTA6iw6wwvFagkUvm3ChNKhx7ZlFwCU2c1Q4qxudsCiMmq9Db2IvSLVVDX9KBNQtRgKPZWY1/Sv1qnCAJUEFLY8Onka7QDR1TLuTKg1IxnLltrgX/xo1qLN+GRnRVI2i+LlTWkqKh7W5oISxwlMvgMG5FGIbyGbOMY9jgRhWHitmlLcKoGj5woxTThc/arKN07DMp8xA2B/S9tMms7f6a/0liqtPGZ7n5yIVdb3OTHQS2pdYE6IWwRrdP4dvEUEwEghJX0Pg4y2EqtP8NxJRmDsKN6CnOfNbCoZvGh8fb5ipm3Vz8m7sJa9qpi5sSTRyHc0q3j+e2c37cT5N++u64d/K6O6w9ckhekFckJW/ICTkjAzIknAhyTT6Rz9GX6Fv0PfqxlkY7XcxzsmHRz1+mTBAv</latexit>

sha1_base64="QgqSgbZYnZ42U0FJrU/B796XRcs=">AAADNnicjVLLbtNAFJ2aVzGvFpbdjEiRWEV2hQQ7KnXTZZBIWymOovH4OhllHtbMdSAd+RvYwp/wK2zYIbb9BMZxqEgKEleydH3Ouc+5eSWFwyT5thPdun3n7r3d+/GDh48eP9nbf3rmTG05DLmRxl7kzIEUGoYoUMJFZYGpXMJ5Pj9p+fMFWCeMfo/LCsaKTbUoBWcYoOHh5SQ9nOz1kn6yMnrTSddO7+0VWdlgsh8dZIXhtQKNXDLnRmlS4dgzi4JLaOKsdlAxPmdTGDFZhd7GXpRuqRr6gg6sWYgCHM1Oa/xT6lfjBEmACloaGz6NdIVu6JhyIVcelIrhzG1zLfg3blRj+SY0oqsaQfOuUFlLioa2u6GFsMBRLoPDuBVhGMpnzDKOYYMbVRwqZpe2CKNq+MCNUkwXPmuzjtKxz6TMQ9gc0PfSJrN2/df8TxJTnTQ+y81HLmy3zU12ENiW6gjQC2GNbp/Ct4mhmAgEJS6h8XGWw1Ro/xuIKc0chBvRU5z5rIVDN40Pj7fNVcy6ufg3dx3WtFMX1yWaOA7nlG4fz03n7KifJv303VHv+FV3V2SXHJDn5CVJyWtyTE7JgAwJJ4J8Ip/Jl+hr9D36Ef3spNHOOuYZ2bDo6hfIAxFe</latexit>
<latexit sha1_base64="0KNBn9ubA3X8kSCKAIAOlviCy1c=">AAADNnicjVLLbtNAFJ2aR4t5tbDsZkSKxCqyq0qwrNRNl0EibaVMFI3H18ko4xlr5jo0jPwNbOFP+BU27BBbPoFxYiqSgsSVLF2fc+5zblYp6TBJvu5Ed+7eu7+79yB++Ojxk6f7B88unKmtgKEwytirjDtQUsMQJSq4qizwMlNwmc3PWv5yAdZJo9/hsoJxyadaFlJwDNDwKJ+kR5P9XtJPVkZvO2nn9Ehng8lBdMhyI+oSNArFnRulSYVjzy1KoaCJWe2g4mLOpzDiqgq9jb0s3LJs6Es6sGYhc3CUndf4p9SvxgmSAOW0MDZ8GukK3dDx0oVcWVCWHGdum2vBv3GjGos3oRFd1QharAsVtaJoaLsbmksLAtUyOFxYGYahYsYtFxg2uFHFYcnt0uZhVA3vhSlLrnPP2qyjdOyZUlkImwP6Xtowa7u/5n+SmOqs8Swz10La9TY32UFgW2pNgF5Ia3T7FL5NDPlEIpTyAzQ+ZhlMpfa/gZhS5iDciJ7izLMWDt00PjzeNldx6+by39xNWNNOnd+UaOI4nFO6fTy3nYvjfpr007fHvdOT7rD2yCF5QV6RlLwmp+ScDMiQCCLJR/KJfI6+RN+i79GPtTTa6WKekw2Lfv4CaFYQGQ==</latexit>
sha1_base64="JSNjU/DEeVfd5gs23QExd2QGGuk=">AAADNnicjVLLbtNAFJ2aVzGvFpbdjEiRWEV2VQl2VOqmyyCRtlIcRePxdTLKPKyZ60AY+RvYwp/wK2zYIbb9BMZxqEgKEleydH3Ouc+5eSWFwyT5thPdun3n7r3d+/GDh48eP9nbf3ruTG05DLmRxl7mzIEUGoYoUMJlZYGpXMJFPj9t+YsFWCeMfofLCsaKTbUoBWcYoOFhMUkPJ3u9pJ+sjN500rXTe3NFVjaY7EcHWWF4rUAjl8y5UZpUOPbMouASmjirHVSMz9kURkxWobexF6Vbqoa+oANrFqIAR7OzGv+U+tU4QRKggpbGhk8jXaEbOqZcyJUHpWI4c9tcC/6NG9VYvg6N6KpG0LwrVNaSoqHtbmghLHCUy+AwbkUYhvIZs4xj2OBGFYeK2aUtwqga3nOjFNOFz9qso3TsMynzEDYH9L20yaxd/zX/k8RUp43PcvOBC9ttc5MdBLalOgL0Qlij26fwbWIoJgJBiY/Q+DjLYSq0/w3ElGYOwo3oKc581sKhm8aHx9vmKmbdXPybuw5r2qmL6xJNHIdzSreP56ZzftRPk3769qh3ctzdFdklB+Q5eUlS8oqckDMyIEPCiSCfyGfyJfoafY9+RD87abSzjnlGNiy6+gWKDRFI</latexit>
<latexit sha1_base64="lgjFqMkPVFkmpCFuv5zKPsk0CG8=">AAADOXicjVLLbtNAFJ2aVzGvFpbdjEiRWEV2hQTLSt10GSTSRspE0Xh8nYwynrFmrlPCyD/BFv6EL2HJDrHlBxgnpiIpSFzJ0vU55z7nZpWSDpPk61506/adu/f278cPHj56/OTg8OmFM7UVMBRGGTvKuAMlNQxRooJRZYGXmYLLbHHW8pdLsE4a/Q5XFUxKPtOykIJjgEbH7AryGRxPD3pJP1kbvemkndMjnQ2mh9ERy42oS9AoFHdunCYVTjy3KIWCJma1g4qLBZ/BmKsqtDfxsnCrsqEv6MCapczBUXZe459Sv54oSAKU08LY8Gmka3RLx0sXcmVBWXKcu12uBf/GjWss3oRGdFUjaLEpVNSKoqHtemguLQhUq+BwYWUYhoo5t1xgWOJWFYcltyubh1E1XAlTllznnrVZx+nEM6WyELYA9L20YdZ2f83/JDHVWeNZZt4LaTfb3GYHgW2pDQF6Ka3R7VP4NjHkU4lQyg/Q+JhlMJPa/wZiSpmDcCZ6hnPPWjh00/jweLtcxa1byH9z12FNO3V+XaKJ43BO6e7x3HQuTvpp0k/fnvROX3WHtU+OyHPykqTkNTkl52RAhkQQRT6ST+Rz9CX6Fn2Pfmyk0V4X84xsWfTzF/VREas=</latexit>
<latexit sha1_base64="47gCKgauPNczw+PY3OVeKt5vnNs=">AAADOXicjVLLbtNAFJ2aV2teLSy7GZEisYrsCgl2VOqmyyCRNlImisbja2eUeVgz45Qw8k+whT/hS1iyQ6yQ+AHGcVqRFCSuZOn6nHOfc7NKcOuS5OtOdOv2nbv3dvfi+w8ePnq8f/Dk3OraMBgyLbQZZdSC4AqGjjsBo8oAlZmAi2x+2vIXCzCWa/XOLSuYSFoqXnBGXYBGR+QS8hKOpvu9pJ+sDN900rXTe/MTrWwwPYgOSa5ZLUE5Jqi14zSp3MRT4zgT0MSktlBRNqcljKmoQnsTzwu7lA1+jgdGL3gOFpOz2v0p9auJgiRAOS60CZ9yeIVu6Ki0IVcWlJK6md3mWvBv3Lh2xevQiKpqB4p1hYpaYKdxux6ccwPMiWVwKDM8DIPZjBrKXFjiRhXrJDVLk4dRFVwyLSVVuSdt1nE68USILITNwfle2hBj1n/N/yTR1WnjSabfM266bW6yg8C2VEeAWnCjVfsUvk0M+ZQ7kPwDND4mGZRc+SsgxphYCGeiSjfzpIVDN40Pj7fNVdTYOf83dx3WtFPn1yWaOA7nlG4fz03n/LifJv307XHv5GV3V2gXHaJn6AVK0St0gs7QAA0RQwJ9RJ/Q5+hL9C36Hv3opNHOOuYp2rDo128XFxLa</latexit>
^ <latexit sha1_base64="xgRwrBwxtEy8DVH6nnFEfS+4AMk=">AAADOnicjVLLbtNAFJ2aR4t5tbDsZkSKxAJFdlQJlpW66TJIpC3KRNZ4fJ2MMg9rZhwaRv4KtvAn/AhbdogtH8A4MRVJQeJKlq7POfc5N68Ety5Jvu5Et27fubu7dy++/+Dho8f7B0/Ora4NgxHTQpvLnFoQXMHIcSfgsjJAZS7gIp+ftvzFAozlWr11ywomkk4VLzmjLkDvjlg2eJlng6Nsv5f0k5Xhm07aOT3U2TA7iA5JoVktQTkmqLXjNKncxFPjOBPQxKS2UFE2p1MYU1GF/iael3YpG/wcD41e8AIsJme1+1PqVyMFSYAKXGoTPuXwCt3QUWlDrjwoJXUzu8214N+4ce3K16ERVdUOFFsXKmuBncbtfnDBDTAnlsGhzPAwDGYzaihzYYsbVayT1CxNEUZV8J5pKakqPGmzjtOJJ0LkIWwOzvfShhjT/TX/k0RXp40nub5i3Ky3uckOA9tSawLUghut2qfwbWIoMu5A8g/Q+JjkMOXK/wZijImFcCdq6maetHDopvHh8ba5iho75//mrsOaduriukQTx+Gc0u3juemcD/pp0k/fDHonx91h7aFD9Ay9QCl6hU7QGRqiEWJIoo/oE/ocfYm+Rd+jH2tptNPFPEUbFv38BS2MEWA=</latexit>
dz'22
𝑑
sha1_base64="SjRMecgY3pO9KsB3tlFCR6WDZVo=">AAADOnicjVLLbtNAFJ2aVzGvFpbdjEiRWKDIjirBjkrddBkk0hZlIms8vk5GmYc1Mw6Ekb+CLfwJP8KWHWLDgg9gHIeKpCBxJUvX55z7nJtXgluXJF92omvXb9y8tXs7vnP33v0He/sPz6yuDYMR00Kbi5xaEFzByHEn4KIyQGUu4Dyfn7T8+QKM5Vq9dssKJpJOFS85oy5Abw5ZNniWZ4PDbK+X9JOV4atOunZ6L3+glQ2z/eiAFJrVEpRjglo7TpPKTTw1jjMBTUxqCxVlczqFMRVV6G/ieWmXssFP8NDoBS/AYnJauz+lfjVSkASowKU24VMOr9ANHZU25MqDUlI3s9tcC/6NG9eufBEaUVXtQLGuUFkL7DRu94MLboA5sQwOZYaHYTCbUUOZC1vcqGKdpGZpijCqgrdMS0lV4UmbdZxOPBEiD2FzcL6XNsSY9V/zP0l0ddJ4kut3jJtum5vsMLAt1RGgFtxo1T6FbxNDkXEHkr+HxsckhylX/jcQY0wshDtRUzfzpIVDN40Pj7fNVdTYOf83dxnWtFMXlyWaOA7nlG4fz1XnbNBPk376atA7PuruCu2iA/QYPUUpeo6O0SkaohFiSKIP6CP6FH2Ovkbfou+dNNpZxzxCGxb9/AVPQxKP</latexit>
<latexit sha1_base64="RGeQDpqFQl+kSkyQQXnAumrjVtk=">AAADNnicjVLLbtNAFJ2aVzGvFpbdjEiRWEV2VAmWlbrpMkikrRRH0Xh8nYwyD2vmOhBG/ga28Cf8Cht2iC2fwDgxFUlB4kqWrs859zk3r6RwmCRf96Jbt+/cvbd/P37w8NHjJweHTy+cqS2HETfS2KucOZBCwwgFSriqLDCVS7jMF2ctf7kE64TRb3FVwUSxmRal4AwDNDoupoPj6UEv6SdrozedtHN6pLPh9DA6ygrDawUauWTOjdOkwolnFgWX0MRZ7aBifMFmMGayCr1NvCjdSjX0BR1asxQFOJqd1/in1K/HCZIAFbQ0Nnwa6Rrd0jHlQq48KBXDudvlWvBv3LjG8nVoRFc1guabQmUtKRra7oYWwgJHuQoO41aEYSifM8s4hg1uVXGomF3ZIoyq4R03SjFd+KzNOk4nPpMyD2ELQN9Lm8za7q/5nySmOmt8lpv3XNjNNrfZYWBbakOAXgprdPsUvk0MxVQgKPEBGh9nOcyE9r+BmNLMQbgRPcO5z1o4dNP48Hi7XMWsW4h/c9dhTTt1cV2iieNwTunu8dx0Lgb9NOmnbwa905PusPbJEXlOXpKUvCKn5JwMyYhwIshH8ol8jr5E36Lv0Y+NNNrrYp6RLYt+/gJrJRAa</latexit>
sha1_base64="3EkRZQXY25eFfFUD6NCEywS5TV0=">AAADNnicjVLLbtNAFJ2aVzGvFpbdjEiRWEV2VAl2rdRNl0EibaU4isbjm2SUeVgz16Fh5G9gC3/Cr7Bhh9j2ExjHoSIpSFzJ0vU55z7n5qUUDpPk20505+69+w92H8aPHj95+mxv//m5M5XlMOBGGnuZMwdSaBigQAmXpQWmcgkX+fy04S8WYJ0w+j0uSxgpNtViIjjDAA0Oi3HvcLzXSbrJyuhtJ107neNrsrL+eD86yArDKwUauWTODdOkxJFnFgWXUMdZ5aBkfM6mMGSyDL2NvJi4parpK9q3ZiEKcDQ7q/BPqV+NEyQBKujE2PBppCt0Q8eUC7nyoFQMZ26ba8C/ccMKJ29DI7qsEDRvC00qSdHQZje0EBY4ymVwGLciDEP5jFnGMWxwo4pDxezSFmFUDR+4UYrpwmdN1mE68pmUeQibA/pOWmfWrv/q/0liytPaZ7m54sK229xk+4FtqJYAvRDW6OYpfJMYirFAUOIj1D7OcpgK7X8DMaWZg3AjeooznzVw6Kb24fG2uZJZNxf/5m7C6mbq4qZEHcfhnNLt47ntnPe6adJN3/U6J0ftXZFdckBektckJW/ICTkjfTIgnAjyiXwmX6Kv0ffoR/SzlUY765gXZMOi61+M3BFJ</latexit>
<latexit sha1_base64="s//ml0S3A6LtF+M2F8YlxrWHlhI=">AAADOnicjVLLbtNAFJ2aV2teLSy7GZEisUCRHSHBslI3XQaJtEWZKBqPr5NR5mHNjEPNyF/BFv6EH2HLDrHlAxgnbkVSkLiSpetzzn3OzUrBrUuSbzvRrdt37t7b3YvvP3j46PH+wZMzqyvDYMS00OYioxYEVzBy3Am4KA1QmQk4zxYnLX++BGO5Vu9cXcJE0pniBWfUBej90eV08LKeDo6m+72kn6wM33TSzumhzobTg+iQ5JpVEpRjglo7TpPSTTw1jjMBTUwqCyVlCzqDMRVl6G/ieWFr2eDneGj0kudgMTmt3J9SvxopSAKU40Kb8CmHV+iGjkobcmVBKamb222uBf/GjStXvAmNqLJyoNi6UFEJ7DRu94NzboA5UQeHMsPDMJjNqaHMhS1uVLFOUlObPIyq4APTUlKVe9JmHacTT4TIQtgCnO+lDTGm+2v+J4kuTxpPMn3JuFlvc5MdBral1gSoJTdatU/h28SQT7kDyT9C42OSwYwrfwXEGBML4U7UzM09aeHQTePD421zJTV2wf/NXYc17dT5dYkmjsM5pdvHc9M5G/TTpJ++HfSOX3WHtYsO0TP0AqXoNTpGp2iIRoghiT6hz+hL9DX6Hv2Ifq6l0U4X8xRtWPTrN6nMEYw=</latexit>
sha1_base64="TI8Ui03yFikHc+JGl2avKcOpaNY=">AAADOnicjVLLbtNAFJ2aVzGvFpbdjEiRWKDIjpBgR6VuugwSaYsyUTQeXyejzMOaGYeakb+CLfwJP8KWHWLDgg9gHIeKpCBxJUvX55z7nJuVgluXJF92omvXb9y8tXs7vnP33v0He/sPT62uDIMR00Kb84xaEFzByHEn4Lw0QGUm4CxbHLf82RKM5Vq9cXUJE0lnihecURegt4cX08Gzejo4nO71kn6yMnzVSddO79UPtLLhdD86ILlmlQTlmKDWjtOkdBNPjeNMQBOTykJJ2YLOYExFGfqbeF7YWjb4CR4aveQ5WExOKven1K9GCpIA5bjQJnzK4RW6oaPShlxZUErq5naba8G/cePKFS9DI6qsHCjWFSoqgZ3G7X5wzg0wJ+rgUGZ4GAazOTWUubDFjSrWSWpqk4dRFbxjWkqqck/arON04okQWQhbgPO9tCHGrP+a/0miy+PGk0xfMG66bW6yw8C2VEeAWnKjVfsUvk0M+ZQ7kPw9ND4mGcy48r+BGGNiIdyJmrm5Jy0cuml8eLxtrqTGLvi/ucuwpp06vyzRxHE4p3T7eK46p4N+mvTT14Pe0fPurtAuOkCP0VOUohfoCJ2gIRohhiT6gD6iT9Hn6Gv0LfreSaOddcwjtGHRz1/LgxK7</latexit>
<latexit sha1_base64="N9e/BCaUbNEfRa4IhJULBv1/oBU=">AAADNnicjVLLbtNAFJ2aVzGvFpbdjEiRWEV2hATLSt10GSTSVoqjaDy+TkaZhzVzHUhH/ga28Cf8Cht2iC2fwDgxFUlB4kqWrs859zk3r6RwmCRf96Jbt+/cvbd/P37w8NHjJweHT8+dqS2HETfS2MucOZBCwwgFSrisLDCVS7jIF6ctf7EE64TR73BVwUSxmRal4AwDNDq+mg6Opwe9pJ+sjd500s7pkc6G08PoKCsMrxVo5JI5N06TCieeWRRcQhNntYOK8QWbwZjJKvQ28aJ0K9XQF3RozVIU4Gh2VuOfUr8eJ0gCVNDS2PBppGt0S8eUC7nyoFQM526Xa8G/ceMayzehEV3VCJpvCpW1pGhouxtaCAsc5So4jFsRhqF8zizjGDa4VcWhYnZlizCqhvfcKMV04bM26zid+EzKPIQtAH0vbTJru7/mf5KY6rTxWW4+cGE329xmh4FtqQ0Beims0e1T+DYxFFOBoMQVND7OcpgJ7X8DMaWZg3AjeoZzn7Vw6Kbx4fF2uYpZtxD/5q7Dmnbq4rpEE8fhnNLd47npnA/6adJP3w56J6+6w9onR+Q5eUlS8pqckDMyJCPCiSAfySfyOfoSfYu+Rz820mivi3lGtiz6+QupGxAw</latexit>
sha1_base64="rMjvqVVv4/4iclUnFAqSBYMFZR8=">AAADNnicjVLLbhMxFHWHVxleLSy7sZoisYpmIiTYUambLoNE2kpxFHk8dxIrHntk3wmk1nwDW/gTfoUNO8S2n4AnCVWTgsSVRrpzzrlP36xS0mGSfN+J7ty9d//B7sP40eMnT5/t7T8/c6a2AgbCKGMvMu5ASQ0DlKjgorLAy0zBeTY7afnzOVgnjf6AiwpGJZ9oWUjBMUCDo8tx72i810m6ydLobSddO513V2Rp/fF+dMByI+oSNArFnRumSYUjzy1KoaCJWe2g4mLGJzDkqgq9jbws3KJs6Evat2Yuc3CUndZ4U+qX4wRJgHJaGBs+jXSJbuh46UKuLChLjlO3zbXg37hhjcXb0IiuagQtVoWKWlE0tN0NzaUFgWoRHC6sDMNQMeWWCwwb3KjisOR2YfMwqoaPwpQl17lnbdZhOvJMqSyEzQB9J22Yteu/5n+SmOqk8Swzn4S0q21usv3AttSKAD2X1uj2KXybGPKxRCjlJTQ+ZhlMpPZ/gJhS5iDciJ7g1LMWDt00PjzeNldx62by39x1WNNOnV+XaOI4nFO6fTy3nbNeN0266fte5/j16q7ILjkgh+QVSckbckxOSZ8MiCCSfCZfyNfoW/Qj+hn9WkmjnXXMC7Jh0dVvytIRXw==</latexit>
𝑑
Recombine outputs: 𝑑 = 𝑑! ⊕ 𝑑'
33
Precompute Multiplication Triples via R-OTs [AsharovLSZ13]
Goal: Generate a multiplication triple 𝑐! ⊕ 𝑐' = (𝑎! ⊕ 𝑎' ) (𝑏! ⊕ 𝑏' ) via 2 random OTs
• P1’s output: 𝑎! , 𝑏! , 𝑐!
• P2’s output: 𝑎' , 𝑏' , 𝑐'
• Property: 𝑐! ⊕ 𝑐' = (𝑎! ⊕ 𝑎' ) (𝑏! ⊕ 𝑏' ) = 𝑎! 𝑏! ⊕ 𝑎' 𝑏! ⊕ 𝑎! 𝑏' ⊕ 𝑎' 𝑏'
The Protocol:
1. P2 chooses 𝑎' ∈( {0,1}
2. P1 and P2 run random OT: P1 (sender) obtains (𝑚% , 𝑚! ), P2 (receiver) inputs 𝑎' and gets 𝑢' = 𝑚)"
3. P1 sets 𝑏! = 𝑚% ⊕ 𝑚! and 𝑣! = 𝑚%
§ Observe: v! ⊕ 𝑢' = 𝑚% ⊕ 𝑚)"
§ If 𝑎' = 0 then v! ⊕ 𝑢' = 𝑚% ⊕ 𝑚% = 0 = 𝑎' 𝑏!
§ If 𝑎' = 1 then 𝑣! ⊕ 𝑢' = 𝑚% ⊕ 𝑚! = 𝑏! = 𝑎' 𝑏!
4. P1 and P2 repeat steps 1-3 with reversed roles to obtain (𝑎! , 𝑢! ) and (𝑏' , 𝑣' )
5. Pi sets 𝑐" = (𝑎" 𝑏" ) ⊕ 𝑢" ⊕ 𝑣"
Correctness: 𝑐! ⊕ 𝑐' = 𝑎! 𝑏! ⊕ 𝑢! ⊕ 𝑣! ⊕ 𝑎' 𝑏' ⊕ 𝑢' ⊕ 𝑣' = 𝑎! 𝑏! ⊕ 𝑎' 𝑏! ⊕ 𝑎! 𝑏' ⊕ 𝑎' 𝑏' 34
Evaluate AND gates via Multiplication Triples in Online Phase [Beaver91]
Goal: Compute AND gate using multiplication triple c" ⊕ 𝑐& = 𝑎" ⊕ 𝑎& (𝑏" ⊕ 𝑏& )
P1 sends to P2: 𝑑" = 𝑥" ⊕ 𝑎" and 𝑒" = 𝑦" ⊕ 𝑏" x1𝑥,# ,y𝑦1# 𝑥x" 2
, 𝑦,"y2
P2 sends to P1: 𝑑& = 𝑥& ⊕ 𝑎& and 𝑒& = 𝑦& ⊕ 𝑏&
<latexit sha1_base64="HHJ1w9f7EzOiWBlFm+Aj2fxlMsQ=">AAADOnicjVLLbtNAFJ2aVzGvFpbdjEiRWKDIrpBgWambLoNE2qJMZI3H18ko87BmxqFm5K9gC3/Cj7Blh9jyAYwTU5EUJK5k6fqcc59z80pw65Lk60504+at23d278b37j94+Ghv//GZ1bVhMGZaaHORUwuCKxg77gRcVAaozAWc54uTjj9fgrFcq7euqWAq6UzxkjPqAvTu8DJLXzRZepjtDZJhsjJ83Ul7Z4B6G2X70QEpNKslKMcEtXaSJpWbemocZwLamNQWKsoWdAYTKqrQ39Tz0jayxc/wyOglL8Biclq7P6V+NVKQBKjApTbhUw6v0A0dlTbkyoNSUje321wH/o2b1K58HRpRVe1AsXWhshbYadztBxfcAHOiCQ5lhodhMJtTQ5kLW9yoYp2kpjFFGFXBe6alpKrwpMs6SaeeCJGHsAU4P0hbYkz/1/5PEl2dtJ7k+pJxs97mJjsKbEetCVBLbrTqnsJ3iaHIuAPJP0DrY5LDjCv/G4gxJhbCnaiZm3vSwaGb1ofH2+YqauyC/5u7Cmu7qYurEm0ch3NKt4/nunN2NEyTYfrmaHD8sj+sXXSAnqLnKEWv0DE6RSM0RgxJ9BF9Qp+jL9G36Hv0Yy2NdvqYJ2jDop+/AKQqEYo=</latexit>
P1 and P2 locally compute: 𝑑 = 𝑑" ⊕ 𝑑& and 𝑒 = 𝑒" ⊕ 𝑒&

sha1_base64="jJJ0qF4suLSP6yeqT1961YypIMk=">AAADOnicjVLLbtNAFJ2aR4t5tbDsZkSKxAJFdoUEOyp102WQSFuUiaLx+DoZZR7WzDitGfkr2MKf8CNs2SE2LPgAxnGoSAoSV7J0fc65z7lZKbh1SfJlK7px89bt7Z078d179x883N17dGp1ZRgMmRbanGfUguAKho47AeelASozAWfZ/LjlzxZgLNfqratLGEs6VbzgjLoAvTu4nKTP60l6MNntJf1kafi6k66c3usfaGmDyV60T3LNKgnKMUGtHaVJ6caeGseZgCYmlYWSsjmdwoiKMvQ39rywtWzwUzwwesFzsJicVO5PqV+OFCQBynGhTfiUw0t0TUelDbmyoJTUzewm14J/40aVK16FRlRZOVCsK1RUAjuN2/3gnBtgTtTBoczwMAxmM2ooc2GLa1Wsk9TUJg+jKrhgWkqqck/arKN07IkQWQibg/O9tCHGrP6a/0miy+PGk0xfMm66ba6zg8C2VEeAWnCjVfsUvk0M+YQ7kPw9ND4mGUy58r+BGGNiIdyJmrqZJy0cuml8eLxNrqTGzvm/uauwpp06vyrRxHE4p3TzeK47p4f9NOmnbw57Ry+6u0I7aB89Qc9Qil6iI3SCBmiIGJLoA/qIPkWfo6/Rt+h7J422VjGP0ZpFP38BxeESuQ==</latexit>
z𝑧1#
<latexit sha1_base64="Gp0kfRWEdWZoLNwU9veo2oxd2Po=">AAADNnicjVLLbtNAFJ2aR4t5tbDsZkSKxCqyKyRYVuqmyyCRtlIcRePxdTLKPKyZ60A68jd0C3/Cr7Bhh9jyCYwTU5EUJK5k6fqcc59z80oKh0nydSe6c/fe/d29B/HDR4+fPN0/eHbuTG05DLmRxl7mzIEUGoYoUMJlZYGpXMJFPj9t+YsFWCeMfo/LCsaKTbUoBWcYoOHR1SQ9muz3kn6yMnrbSTunRzobTA6iw6wwvFagkUvm3ChNKhx7ZlFwCU2c1Q4qxudsCiMmq9Db2IvSLVVDX9KBNQtRgKPZWY1/Sv1qnCAJUEFLY8Onka7QDR1TLuTKg1IxnLltrgX/xo1qLN+GRnRVI2i+LlTWkqKh7W5oISxwlMvgMG5FGIbyGbOMY9jgRhWHitmlLcKoGj5woxTThc/arKN07DMp8xA2B/S9tMms7f6a/0liqtPGZ7n5yIVdb3OTHQS2pdYE6IWwRrdP4dvEUEwEghJX0Pg4y2EqtP8NxJRmDsKN6CnOfNbCoZvGh8fb5ipm3Vz8m7sJa9qpi5sSTRyHc0q3j+e2c37cT5N++u64d/K6O6w9ckhekFckJW/ICTkjAzIknAhyTT6Rz9GX6Fv0PfqxlkY7XcxzsmHRz1+mTBAv</latexit>
sha1_base64="QgqSgbZYnZ42U0FJrU/B796XRcs=">AAADNnicjVLLbtNAFJ2aVzGvFpbdjEiRWEV2hQQ7KnXTZZBIWymOovH4OhllHtbMdSAd+RvYwp/wK2zYIbb9BMZxqEgKEleydH3Ouc+5eSWFwyT5thPdun3n7r3d+/GDh48eP9nbf3rmTG05DLmRxl7kzIEUGoYoUMJFZYGpXMJ5Pj9p+fMFWCeMfo/LCsaKTbUoBWcYoOHh5SQ9nOz1kn6yMnrTSddO7+0VWdlgsh8dZIXhtQKNXDLnRmlS4dgzi4JLaOKsdlAxPmdTGDFZhd7GXpRuqRr6gg6sWYgCHM1Oa/xT6lfjBEmACloaGz6NdIVu6JhyIVcelIrhzG1zLfg3blRj+SY0oqsaQfOuUFlLioa2u6GFsMBRLoPDuBVhGMpnzDKOYYMbVRwqZpe2CKNq+MCNUkwXPmuzjtKxz6TMQ9gc0PfSJrN2/df8TxJTnTQ+y81HLmy3zU12ENiW6gjQC2GNbp/Ct4mhmAgEJS6h8XGWw1Ro/xuIKc0chBvRU5z5rIVDN40Pj7fNVcy6ufg3dx3WtFMX1yWaOA7nlG4fz03n7KifJv303VHv+FV3V2SXHJDn5CVJyWtyTE7JgAwJJ4J8Ip/Jl+hr9D36Ef3spNHOOuYZ2bDo6hfIAxFe</latexit>
^ <latexit sha1_base64="s//ml0S3A6LtF+M2F8YlxrWHlhI=">AAADOnicjVLLbtNAFJ2aV2teLSy7GZEisUCRHSHBslI3XQaJtEWZKBqPr5NR5mHNjEPNyF/BFv6EH2HLDrHlAxgnbkVSkLiSpetzzn3OzUrBrUuSbzvRrdt37t7b3YvvP3j46PH+wZMzqyvDYMS00OYioxYEVzBy3Am4KA1QmQk4zxYnLX++BGO5Vu9cXcJE0pniBWfUBej90eV08LKeDo6m+72kn6wM33TSzumhzobTg+iQ5JpVEpRjglo7TpPSTTw1jjMBTUwqCyVlCzqDMRVl6G/ieWFr2eDneGj0kudgMTmt3J9SvxopSAKU40Kb8CmHV+iGjkobcmVBKamb222uBf/GjStXvAmNqLJyoNi6UFEJ7DRu94NzboA5UQeHMsPDMJjNqaHMhS1uVLFOUlObPIyq4APTUlKVe9JmHacTT4TIQtgCnO+lDTGm+2v+J4kuTxpPMn3JuFlvc5MdBral1gSoJTdatU/h28SQT7kDyT9C42OSwYwrfwXEGBML4U7UzM09aeHQTePD421zJTV2wf/NXYc17dT5dYkmjsM5pdvHc9M5G/TTpJ++HfSOX3WHtYsO0TP0AqXoNTpGp2iIRoghiT6hz+hL9DX6Hv2Ifq6l0U4X8xRtWPTrN6nMEYw=</latexit>
𝑧z"2
sha1_base64="TI8Ui03yFikHc+JGl2avKcOpaNY=">AAADOnicjVLLbtNAFJ2aVzGvFpbdjEiRWKDIjpBgR6VuugwSaYsyUTQeXyejzMOaGYeakb+CLfwJP8KWHWLDgg9gHIeKpCBxJUvX55z7nJuVgluXJF92omvXb9y8tXs7vnP33v0He/sPT62uDIMR00Kb84xaEFzByHEn4Lw0QGUm4CxbHLf82RKM5Vq9cXUJE0lnihecURegt4cX08Gzejo4nO71kn6yMnzVSddO79UPtLLhdD86ILlmlQTlmKDWjtOkdBNPjeNMQBOTykJJ2YLOYExFGfqbeF7YWjb4CR4aveQ5WExOKven1K9GCpIA5bjQJnzK4RW6oaPShlxZUErq5naba8G/cePKFS9DI6qsHCjWFSoqgZ3G7X5wzg0wJ+rgUGZ4GAazOTWUubDFjSrWSWpqk4dRFbxjWkqqck/arON04okQWQhbgPO9tCHGrP+a/0miy+PGk0xfMG66bW6yw8C2VEeAWnKjVfsUvk0M+ZQ7kPw9ND4mGcy48r+BGGNiIdyJmrm5Jy0cuml8eLxtrqTGLvi/ucuwpp06vyzRxHE4p3T7eK46p4N+mvTT14Pe0fPurtAuOkCP0VOUohfoCJ2gIRohhiT6gD6iT9Hn6Gv0LfreSaOddcwjtGHRz1/LgxK7</latexit>
<latexit sha1_base64="N9e/BCaUbNEfRa4IhJULBv1/oBU=">AAADNnicjVLLbtNAFJ2aVzGvFpbdjEiRWEV2hATLSt10GSTSVoqjaDy+TkaZhzVzHUhH/ga28Cf8Cht2iC2fwDgxFUlB4kqWrs859zk3r6RwmCRf96Jbt+/cvbd/P37w8NHjJweHT8+dqS2HETfS2MucOZBCwwgFSrisLDCVS7jIF6ctf7EE64TR73BVwUSxmRal4AwDNDq+mg6Opwe9pJ+sjd500s7pkc6G08PoKCsMrxVo5JI5N06TCieeWRRcQhNntYOK8QWbwZjJKvQ28aJ0K9XQF3RozVIU4Gh2VuOfUr8eJ0gCVNDS2PBppGt0S8eUC7nyoFQM526Xa8G/ceMayzehEV3VCJpvCpW1pGhouxtaCAsc5So4jFsRhqF8zizjGDa4VcWhYnZlizCqhvfcKMV04bM26zid+EzKPIQtAH0vbTJru7/mf5KY6rTxWW4+cGE329xmh4FtqQ0Beims0e1T+DYxFFOBoMQVND7OcpgJ7X8DMaWZg3AjeoZzn7Vw6Kbx4fF2uYpZtxD/5q7Dmnbq4rpEE8fhnNLd47npnA/6adJP3w56J6+6w9onR+Q5eUlS8pqckDMyJCPCiSAfySfyOfoSfYu+Rz820mivi3lGtiz6+QupGxAw</latexit>
sha1_base64="rMjvqVVv4/4iclUnFAqSBYMFZR8=">AAADNnicjVLLbhMxFHWHVxleLSy7sZoisYpmIiTYUambLoNE2kpxFHk8dxIrHntk3wmk1nwDW/gTfoUNO8S2n4AnCVWTgsSVRrpzzrlP36xS0mGSfN+J7ty9d//B7sP40eMnT5/t7T8/c6a2AgbCKGMvMu5ASQ0DlKjgorLAy0zBeTY7afnzOVgnjf6AiwpGJZ9oWUjBMUCDo8tx72i810m6ydLobSddO513V2Rp/fF+dMByI+oSNArFnRumSYUjzy1KoaCJWe2g4mLGJzDkqgq9jbws3KJs6Evat2Yuc3CUndZ4U+qX4wRJgHJaGBs+jXSJbuh46UKuLChLjlO3zbXg37hhjcXb0IiuagQtVoWKWlE0tN0NzaUFgWoRHC6sDMNQMeWWCwwb3KjisOR2YfMwqoaPwpQl17lnbdZhOvJMqSyEzQB9J22Yteu/5n+SmOqk8Swzn4S0q21usv3AttSKAD2X1uj2KXybGPKxRCjlJTQ+ZhlMpPZ/gJhS5iDciJ7g1LMWDt00PjzeNldx62by39x1WNNOnV+XaOI4nFO6fTy3nbNeN0266fte5/j16q7ILjkgh+QVSckbckxOSZ8MiCCSfCZfyNfoW/Qj+hn9WkmjnXXMC7Jh0dVvytIRXw==</latexit>
P1 outputs: 𝑧" = 𝑑𝑏" ⊕ 𝑒𝑎" ⊕ 𝑐" ⊕ 𝑑𝑒

P2 outputs: 𝑧& = 𝑑𝑏& ⊕ 𝑒𝑎& ⊕ 𝑐&
Correctness:
𝑧 = 𝑧" ⊕ 𝑧2
= 𝑑𝑏" ⊕ 𝑒𝑎" ⊕ 𝑐" ⊕ 𝑑𝑒 ⊕ 𝑑𝑏& ⊕ 𝑒𝑎& ⊕ 𝑐&
= 𝑑𝑏 ⊕ 𝑒𝑎 ⊕ 𝑐 ⊕ 𝑑𝑒
= (𝑥 ⊕ 𝑎)𝑏 ⊕ (𝑦 ⊕ 𝑏)𝑎 ⊕ 𝑎𝑏 ⊕ (𝑥 ⊕ 𝑎)(𝑦 ⊕ 𝑏)
= 𝑥𝑏 ⊕ 𝑎𝑏 ⊕ 𝑦𝑎 ⊕ 𝑏𝑎 ⊕ 𝑎𝑏 ⊕ 𝑥𝑦 ⊕ 𝑥𝑏 ⊕ 𝑎𝑦 ⊕ 𝑎𝑏
= 𝑥𝑦.
35
Benchmarks of an optimized GMW implementation [SchneiderZohner13]
Runtime in seconds for 512-bit multiplication circuit (800k AND gates, depth 38) over Gigabit LAN.
Original implementation by [ChoiHKMR12]
36
Interactive AND gates via Beaver’s multiplication triples [Beaver91]
setup phase: OTs (used 1-out-of-4 OTs instead of 2 random OTs)

online phase: 2 independent 2-bit messages (sent in parallel)
⇒ 1x network latency per layer of AND gates
37
Use AES-based PRF for OT extensions (instead of SHA-1).
38
Load Balancing:
• Run half of the precomputed OTs in each direction (in parallel).
• Run base OTs twice (in parallel).
⇒ Each party has exactly the same workload.
39
Use GMP instead of NTL for base OTs.
40
Process data in online phase in chunks of bytes (instead of bits).
41
Use assembly implementation of OpenSSL for SHA-1

(instead of C implementation of PolarSSL).
42
Single Instruction Multiple Data (SIMD):

Evaluate multiple circuits in parallel, here: 𝑛 = 32.
(inspired by Sharemind)
43
Remaining Bottlenecks for GMW in the LAN Setting
1% 0.1% (Base OTs)

1.4% 0.8% 7% 3% 3%
20%
32%
35% 47%
98% 37%
16%
44
Summary: GMW - the Orange
How to eat an orange?

1) peel (almost all the effort)
Setup phase:
- precompute multiplication triples for each AND
gate using 2 random OTs and constant #rounds
+ function-independent, only max. #ANDs known
2) eat (easy)
Online phase:
+ circuit evaluation uses only very cheap operations
(not even symmetric crypto is needed)
- 2x2 bits of communication per AND gate
(grouped in layers)
45
YAO VS. GMW
46
Yao vs. GMW
Yao GMW
Free XOR
setup: S: 4
symmetric crypto per AND setup: S: 6; R: 6
online: R: 2
setup: S→R:𝜅 || R→S:𝜅

S→R: 2𝜅 communication [bit] per AND
online: S→R:2 || R→S:2
setup: O(1)
O(1) rounds
online: O(ANDdepth(𝑓))
𝜅 memory per wire [bit] 1

𝜅: symmetric security parameter 47
Efficient Circuit Constructions for Secure Computation
Classical circuit design:

- few gates (⇒ small chip area)
- low depth (⇒ high clock frequency)
Circuits for secure computation:

- low ANDsize (#non-XORs ⇒ communication and symmetric crypto)
- low ANDdepth (#rounds in GMW’s online phase)
Automatically generate optimized circuits from high-level description in hardware

description language, e.g., Verilog or VHDL [SonghoriHSSK15,DemmlerGFSSZ15].
48
xi y
Example Circuit: Addition
Ripple-Carry-Adder
ADD
x ` y` x 2 y2 x 1 y1 ci+1 ^
. . . c3 c2
+ + + 0
+
s`+1 s` s2 s1 si
𝑠# = 𝑥# ⊕ 𝑦# ⊕ 𝑐#
𝑐#1" = Fig. 1. Addition Circuit (ADD)
𝑥# ⊕ Fig. 2. Improved 1-bit Adde
𝑦# ∧ 𝑥# ⊕ 𝑐# ⊕ 𝑥# [BoyarPP00]
ANDsize = ℓ, ANDdepth = ℓ
𝑝#,% = is
Ladner-Fischer-Adder Subtraction in two’s complement representation 𝑥#defined
⊕ 𝑦# as x` y` = x` +ȳ` +1.
[LadnerFischer80] circuit (SUB) can be constructed analogously𝑐#,%
to the
= 𝑥addition
# ∧ 𝑦#
circuit from 1-bit subt
in Fig. 3. Each 1-bit subtractor computes the carry-out bit ci+1 = (xi ^ ȳi ) _ (xi
the di↵erence bit di = xi ȳi ci . We instantiate the 1-bit subtractor efficiently a
compute ci+1 = ci ((xi ci ) ^ (yi ci )) with the same size as the 1-bit adder.
𝑝#,' = 𝑝#,'$" ∧ 𝑝2,'$"
𝑐#,' = (𝑝#,'$" ∧ 𝑐2,'$" ) ∨ 𝑐#,'$"
xi y
ANDsize = ℓ + 1.25 ℓ log2 (ℓ), ANDdepth = 1 + 2 log2 (ℓ)

49
ZERO-KNOWLEDGE
USING GARBLED CIRCUITS
50
Proving Non-Algebraic Statements Efficiently
Garbled circuits can be used to prove non-algebraic statements in zero-knowledge

[JaruwekKO13], e.g.,
• 𝑃𝐾{ 𝑥 : 𝑦 = SHA256 𝑥 }
• „In 2010 Julian Assange released a „thermonuclear file insurance“ i.e., a 1.4GB file allegedly
consisting of an AES encryption of highly sensitive information. This encrypted data has been
released as a countermeasure to protect Wiki-Leaks from being shut down by the U.S.
government. The file had been extensively distributed using peer-to-peer application, and
therefore simply releasing the encryption key would allow a great number of people to have
access to this secret information.“ [JaruwekKO13]
One can use the following technique to prove in zero-knowledge properties about this file
without releasing the key.
The protocol is a special case of Yao’s protocol where only the prover has a private input 𝑥,
whereas the verifier’s input 𝑦 is public.
51
The protocol of [JaruwekKO13]
Goal: 𝑃𝐾{ 𝒙 : 𝒚 = 𝐶 𝒙 }
Prover Verifier
Input 𝒙, 𝒚 Input 𝒚
Construct Boolean circuit 𝐶𝒚
that evaluates to 𝑧 = 1 iff 𝒚 = 𝐶(𝒙)
B 𝑥Y
𝐶, % Y " Y% Y"
# , 𝑥# , 𝑧 , 𝑧 = Garble(12 , 𝐶𝒚 )
maliciously secure OT 𝒙; 𝑥Y#%, 𝑥Y#" D, ⊥
→ 𝒙
𝐶0
B 𝒙) Note that this is
𝑧̃ = 𝐶(D
𝑐 = Commit(𝑧,̃ 𝑟) possible here
because Verifier has
Randomness used for garbling and OTs no private inputs!
Abort if verification of
garbling or OTs fails 𝑧,̃ 𝑟
Check that 𝑐 = Commit 𝑧,̃ 𝑟
Accept if 𝑧̃ = 𝑧Y" 52
Bibliography (1)
[AsharovLSZ13]: G. Asharov, Y. Lindell, T. Schneider, M. Zohner: More Efficient Oblivious Transfer and Extensions for
Faster Secure Computation. In ACM CCS’13.
[AumannLindell07] Y. Aumann, Y. Lindell. Security Against Covert Adversaries: Efficient Protocols for Realistic
Adversaries. In TCC‘07.
[BarniFKLSS09] M. Barni, P. Failla, V. Kolesnikov, R. Lazzeretti, A.-R. Sadeghi, T. Schneider. Secure Evaluation of
Private Linear Branching Programs with Medical Applications. In ESORICS’09.
[Beaver91] D. Beaver. Efficient Multiparty Protocols using Circuit Randomization. In CRYPTO’91.
[BeaverMR90] D. Beaver, S. Micali, P. Rogaway. The Round Complexity of Secure Protocols. In STOC'90.
[BellareHKR13] M. Bellare, V. T. Hoang, S. Keelveedhi, P. Rogaway. Efficient Garbling from a Fixed-Key Blockcipher.
In S&P'13.
[BellareHR12] Foundations of Garbled Circuits. In CCS'12.
[BoyarPP00] J. Boyar, R. Peralta, D. Pochuev. On the Multiplicative Complexity of Boolean Functions over the Basis
(\cap, +, 1). In Theor. Comput. Sci. 2000.
[BrickellPSW07] J. Brickell, D. E. Porter, V. Shmatikov, E. Witchel. Privacy-preserving remote diagnostics. In ACM
CCS’07.
[ChoiHKMR12] S. G. Choi, K.-W. Hwang, J. Katz, T. Malkin, D. Rubenstein. Secure Multi-Party Computation of Boolean
Circuits with Applications to Privacy in On-Line Marketplaces. In CT-RSA‘12. 53
Bibliography (2)
[DemmlerSZ15] D. Demmler, T. Schneider, M. Zohner. ABY - A Framework for Efficient Mixed-protocol Secure Two-
party Computation. In NDSS’15.
[DemmlerDKSSZ15] D. Demmler, G. Dessouky, F. Koushanfar, A.-R. Sadeghi, T. Schneider, S. Zeitouni. Automated
Synthesis of Optimized Circuits for Secure Computation. In CCS’15.
[ErkinFGKLT09] Z. Erkin, M. Franz, J. Guajardo, S. Katzenbeisser, I. Lagendijk, T. Toft. Privacy-preserving face
recognition. In PETS’09.
[GMW87] O. Goldreich, S. Micali and A. Wigderson. How to Play any Mental Game. In STOC‘87.
[JaruwekKO13] M. Jawurek, F. Kerschbaum, C. Orlandi. Zero-Knowledge Using Garbled Circuits or How To Prove Non-
Algebraic Statements Efficiently. In CCS’13.
[KirazSchoenmakers06] M. S. Kiraz, B. Schoenmakers. A Protocol Issue for the Malicious Case of Yao’s Garbled Circuit
Construction. In Symposium on Information Theory in the Benelux, 2006.
[KolesnikovMR14] V. Kolesnikov, P. Mohassel, M. Rosulek. FleXOR: Flexible garbling for XOR gates that beats free-
XOR. In CRYPTO'14.
[KolesnikovSchneider08] V. Kolesnikov, T. Schneider. Improved Garbled Circuit: Free XOR Gates and Applications. In
ICALP'08.
[KreuterSS12] B. Kreuter, A. Shelat, C.-H. Shen. Billion-Gate Secure Computation with Malicious Adversaries. In
USENIX Security‘12.
54
Bibliography (3)
[LadnerFischer80] R. E. Ladner, M. J. Fischer. Parallel Prefix Computation. In J. ACM’80.
[LindellPinkas04] Y. Lindell, B. Pinkas. A Proof of Security of Yao’s Protocol for Two-Party Computation. In JoC‘09.
[LindellPinkas07] Y. Lindell, B. Pinkas. An Efficient Protocol for Secure Two-Party Computation in the Presence of
Malicious Adversaries. In EUROCRYPT‘07.
[NaorPS99] M. Naor, B. Pinkas, R. Sumner. Privacy Preserving Auctions and Mechanism Design. In EC’99.
[PinkasSSW09] B. Pinkas, T. Schneider, N. P. Smart, S. C. Williams. Secure Two-Party Computation is Practical. In
ASIACRYPT'09.
[SchneiderZohner13] T. Schneider, M. Zohner. GMW vs. Yao? Efficient Secure Two-party Computation with Low Depth
Circuits. In FC'13.
[SonghoriHSSK15] E. M. Songhori, S. U. Hussain, A.-R. Sadeghi, T. Schneider, F. Koushanfar. TinyGarble: Highly
Compressed and Scalable Sequential Garbled Circuits. In S&P’15.
[Troncoso-PastorizaKC07] J. R. Troncoso-Pasoriza, S. Katzenbeisser, M. U. Celik. Privacy preserving error resilient
DNA searching through oblivious automata. In ACM CCS’07.
[Yao86] A. C. Yao. How to Generate and Exchange Secrets. In FOCS‘86.
[ZahurRE15] S. Zahur, M. Rosulek, D. Evans. Two Halves Make a Whole - Reducing Data Transfer in Garbled Circuits
Using Half Gates. In EUROCRYPT'15.
55
THANKS FOR YOUR ATTENTION!
Next Lecture: 27.05.21
56

06 - Secure Two-Party Computation

Uploaded by

Copyright:

Available Formats

You might also like

06 - Secure Two-Party Computation

Uploaded by

Document Information

Original Description:

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

06 - Secure Two-Party Computation

Uploaded by

Copyright:

Available Formats

Cryptographic Protocols (CRYPROT)

Lecture 6 – May 20, 2021

Secure Two-Party Computation

Department of Computer Science | ENCRYPTO | Prof. Dr.-Ing. Thomas Schneider

How can two parties compute on private data?

Biometric Identification Genomic Computations

Arithmetic Circuit Boolean Circuit

Homomorphic Encryption Yao GMW

Public Key Crypto >> Symmetric Crypto >> One-Time Pad

Public function 𝑓(⋅,⋅) Is S

Private data 𝒙 Private data 𝒚

Auctions [NaorPS99], ...

Remote Diagnostics [BrickellPSW07], ...

DNA Searching [Troncoso-PastorizaKC07], ...

Biometric Identification [ErkinFGKLT09], ...

Medical Diagnostics [BarniFKLSS09], ...

Yao’s Garbled Circuit Protocol [Yao86] allows Secure Function Evaluation

We describe the semi-honest (passively secure) version of Yao‘s protocol next.

Conventional circuit Garbled circuit

keys look random

given input keys, can compute output key only

X 1 given two input keys,

Garbled gates Garbled

In summary, Yao’s garbled circuits protocol works as follows:

4) Client evaluates 𝐶B and obtains the garbled output 𝑧̃ = 𝐶(

private data x = 𝑥", … , 𝑥! private data y = 𝑦", … , 𝑦!

2) Garbled 𝑐"̃ 𝑐#̃

- Yao’s protocol as explained before is provably secure against passive adversaries

(Slide from Viet-Tung Hoang) 20

1990 Point-and-Permute [BeaverMR90]

1999 3-row reduction [NaorPS99]

2008 Free-XOR [KolesnikovSchneider08]

2009 2-row reduction [PinkasSSW09]

2012 Garbling via AES [KreuterSS12]

2013 Fixed-key AES [BellareHKR13]

2014 FleXor [KolesnikovMR14]

2015 HalfGates [ZahurRE15]

Evaluator needs to know which entry was decrypted successfully

⇒ use encryption function with efficiently verifiable and elusive range:

⇒ Need to decrypt multiple entries until decryption succeeds

If output permutation pi = 0 then output is permutation bit of output key

If output permutation pi = 1 then output is negated permutation bit of output key

In the following we always assume usage of point and permute.

Encryption function: ET(kl, kr; ko) = ko ⊕ F(kl, T || 0) ⊕ F(kr, T || 1),

Idea: Eliminate first table entry by implicitly fixing it to be 0.

⇒ Communication is reduced from 4 to 3 table entries.

Encryption function: ET(kl, kr; ko) = ko ⊕ H(kl || kr || T),

Can be combined with 3-row reduction.

[KreuterSS12]: ET(kl, kr; ko) = ko ⊕ AES-256(kl || kr; T)

[BellareHKR13] Fixed-key AES garbling:

Both can be combined with free XOR and 3-row reduction.

size (in bits) garble cost (AES) eval cost (AES)

XOR AND XOR AND XOR AND

Point and Permute 4𝜿 4 1

3-Row Reduction + Free XOR 0 3𝜅 0 4 0 1

HalfGates + Free XOR 0 2𝜿 0 4 0 2

symmetric security parameter 𝜅, statistical security parameter 𝜎 (e.g., 𝜅 = 128, 𝜎 = 40)