Professional Documents
Culture Documents
06 - Secure Two-Party Computation
06 - Secure Two-Party Computation
06 - Secure Two-Party Computation
Data 𝑥 Data 𝑦
𝑓 𝑥, 𝑦 𝑓
- Yao’s Protocol
- The GMW Protocol
- Yao vs. GMW
- Zero-Knowledge Using Garbled Circuits
4
Overview: Secure Two-Party Computation
Generic Protocols
(Lecture 4 OT) OT
x = $1 Mio y = $2 Mio
S2PC
Example: Yao’s Millionaires’ Problem
true
𝒛 = 𝑓(𝒙, 𝒚) 6
Secure Two-Party Computation: Applications (Small Selection)
8
Yao’s Garbled Circuit Protocol
9
Garbled Circuit [Yao86]
01
01
01
01 01
X Y
Y 0
X 2
X 3
A B C D
(Slide from Viet-Tung Hoang) 11
Yao’s Protocol: Boolean Circuit
Yao’s Protocol: Boolean Circuit
The needs
The function to be evaluated function togiven
to be be evaluated needs
as a Boolean to be given as boolean circuit.
circuit.
A boolean circuit is a Directed Acyclic Graph (DAG) with u inputs,
A Boolean circuit is a Directed Acyclic
v outputs andGraph with 𝑢 inputs, 𝑣 outputs, and 𝑘 Boolean
(DAG)gates.
k boolean
gates (nodes). Edges are called wires. x1 x2 x3 x4
wire wi
=
z1 z2
Any efficiently computable function (i.e., in P) can be converted into a Boolean circuit of
All functions relevant in practice can be converted into a boolean
polynomial size: circuit of polynomial size:
- Unroll loops unroll loops
- Execute both branches of ifexecute
statements
both branches of if statements
- ... ...
12
Yao’s Protocol: Boolean Circuit Example
For the Millionaire‘s problem, we need to securely compute 𝑥 < 𝑦 for two 𝑛-bit numbers with bit-
representations 𝑥 = 𝑥! … 𝑥" and 𝑦 = 𝑦! … 𝑦".
- Comparison can be defined recursively as:
- Initial step (𝑖 = 1): 𝑥! < 𝑦! ⇔ 𝑥! = 0 ∧ (𝑦! = 1)
- Inductive step (𝑖 − 1 → 𝑖): 𝑥" … 𝑥! < 𝑦" … 𝑦! ⇔ 𝑥" < 𝑦" ∨ ( 𝑥" = 𝑦" ∧ 𝑥"#! … 𝑥! < 𝑦"#! … 𝑦! ).
- This yields the following Boolean comparison circuit: carry 𝑐#$"
Topology 𝑐$%# 𝑥$ 𝑦$ 𝑐$
Function 0 0 0 0
𝑥! 𝑦! 𝑥" 𝑦" 𝑥# 𝑦# Tables 0 0 1 1
𝑥<𝑦 0 1 0 0
𝑐! ... 𝑐" 𝑐#
< < < x# y# c# 0 1 1 0
0 0 0 1 0 0 1
z 0 1 1 1 0 1 1
1 0 0 1 1 0 0
1 1 0 1 1 1 1 13
Yao’s Protocol: Garbled Values
The basic idea of The
Yao’sbasic
Garbled
idea Circuit
of Yao’sis Garbled
to compute on is
Circuit randomly
to compute on randomly
The basicchosen
idea ofgarbled values
chosen
Yao’s garbled ve instead
circuits is toof
garbled plainvevalues
values
compute v . of plain
instead
on randomly values
chosen v . values 𝑣5
garbled
instead of plainBoolean
values 𝑣.Values v Boolean Values v Garbled Values ve Garbled Values ve
Plain values 𝑣 Garbled values 𝑣"
0 0 0 0 e0
x ye0 e0
x ye0
x y x y e ye
x e ye
x
1 1 1 1 e1
x ye1 e1
x ye1
e e
0 0 ze0 ze0
z z ze ze
1 1 ze1 ze1
A Garbled ValueAveGarbled
can be one Value ve can
of its two be one of its two
corresponding corresponding
garbled values garbled valu
A garbled 0value 1𝑣5 can be one 5 % or 𝑣5 " that correspond to the plain values
1 garbled values 𝑣
0 of two
ve or ve tothat
ve or ve that correspond thecorrespond
plain valuesto0the andplain values 0 and 1, respectively.
1, respectively.
0 and 1, respectively.
ve0 and chosen
ve0 and ve1 are randomly ve1 are t-bit
randomly
keys,chosen t-bit keys,
% "
𝑣5 and 𝑣5 are where
randomt 𝜅-bit keys,where
is a symmetric t𝜅isisathe
wheresecurity symmetricsecurity
symmetric
parameter security
(e.g., parameter
tparameter
= (e.g.,t𝜅==128)
128) (e.g., 128).
⇒ A garbled value
) a 𝑣5garbled
does not reveal
value togarbled
)ve adoeswhich
not plain
valuevalue
reveal it corresponds.
vetodoes
whichnotplain
reveal to which
value it plain value it
corresponds. corresponds.
Sadeghi@TU
Sadeghi@TU Darmstadt, Schneider@RUB, Darmstadt,
2010 Secure,Schneider@RUB, 2010
Trusted and Trustworthy Secure, Trusted
Computing, Partand
1 Trustworthy Basics
Computing, PartComputing
of Secure 1 Basics
27 / 1of Secure Com
14
Yao’s Protocol: Basic Idea (Garbled Gates)
Yao’s Protocol: Garbled Gates
Booleangate
Boolean Gate𝐺 G Garbled
Garbled Gate
gate
e
𝐺$ G
x y z xe ye ze
0 0 0 ye0
x y 0 0 0 e
x e ye
x xe0 ye0 z 0)
Encxe0 ,ey 0 (e
1 1 e1
x ye1 xe0 ye1 z 0)
Encxe0 ,ey 1 (e
0 1 0
e xe1 ye0 z 0)
Encxe1 ,ey 0 (e
1 0 0
0 1 1 1 ze0 xe1 ye1 z 1)
Encxe1 ,ey 1 (e
z ze
1 ze1
Function
Function Table
table 𝑇T Garbled Te 𝑇$
Table table
Garbled
z ze Garbled
Garbledoutputs
Outputs
A garbled circuit 𝐶B isAcomposed of garbled
Garbled Circuit Ce is gates 𝐺<# . from Garbled Gates Gei .
composed
follows:of Ce works as follows:
Creation of 𝐶B works asCreation
For each wire wi randomly choose two %garbled " values w ei0 , w
ei1 .
- For each wire 𝑤# randomly choose
For each gate two garbledthe
Gi generate values
garbled 𝑤
D #table
,𝑤
D # .Tei for Gei .
Ce consists of the garbled<tables <Tei (one for each garbled gate Gei ).
- For each gate 𝐺# generate the garbled table 𝑇# for 𝐺# .
Evaluation of Ce: works as follows:
- 𝐶 consists of the garbled tables 𝑇<# (one for each garbled gate 𝐺<# ). e
B
Given the Garbled Inputs (= Garbled Values for C ’s input wires),
Evaluation of 𝐶B works as follows:
the Garbled Gates Gei are evaluated one-by-one using their Tei .
The Garbled Outputs are the Garbled Values of Ce’s output wires.
- B input wires),
Given the garbled inputs (= garbled values for 𝐶’s
ze = Ce(e
x , ye)
- the garbled gates 𝐺<# are evaluated in topological order using their garbled tables 𝑇<# .
- The garbled outputs are the garbledSecure,
Sadeghi@TU Darmstadt, Schneider@RUB, 2010
values of 𝐶’sB output
Trusted and Trustworthy
wires: 𝑧̃ = 𝐶BBasics
Computing, Part 1
𝑥,
5 of𝑦5Secure
. Computing 29 / 1
16
Yao’s Protocol: Summary
17
Yao’s Protocol: Overview
Client 𝑃# 𝑓(J,J) e.g., x < y Server 𝑃"
𝑐" 𝑐#
1) Circuit
𝑧
𝑥"! 𝑦"! 𝑥"" 𝑦"" 𝑥"# 𝑦"#
permuted
Phase /(%,")
3) n – OT: x; x2 𝟎 , x2 𝟏 → (2x; ⟘) Garbled Enc-,$%,.,$$ (𝑐"̃ )
/(",%)
Values Enc-,$$,.,$% (𝑐"̃ )
4) z2 𝟏 , z2 𝟐 0 x, y2 )
= 𝐶(2 /(",")
Enc-,$$,.,$$ (𝑐"̃ )
z2 𝟐
5) Garbled Table
𝒛𝟏 = 𝑓# (x, y) 𝒛𝟐 = 𝑓" (x, y) 18
Security of Yao’s Protocol
19
Formalization of Garbled Circuits: Garbling Schemes [BellareHR12]
F
1k
Ev Y
e
f Gb En X y
x De
d
f
y
x ev
Correctness
(" f, x, k), if
(F, e, d) ¬ Gb(1k, f),
X ¬ En(e, x),
Y ¬ Ev (F, X), Privacy (informal):
y ¬ De(d, Y) then Given (F, X, d) learn nothing but y = f(x).
y = ev(f, x)
Wires:
Assign random keys ki, Ki to all wires i
Garbling:
a, A
For each gate use double-encryption x, X
and randomly permute entries: b, B
Ea(Eb(x))
Ea(EB(x))
EA(Eb(x))
EA(EB(X))
Outputs:
For each output wire i: provide mapping [(0, ki), (1, Ki)]
22
1) Efficiently Verifiable & Elusive Range Encryption [LindellPinkas04]
23
2) Point and Permute [BeaverMR90]
For every wire i, choose a random signal bit pi together with the key.
The signal bits of the input wires determine which entry to decrypt.
0 1
1
2*1+0=2
2
3 ⇒ decrypt entry #2
1 0 0 1 24
2) Point and Permute [BeaverMR90]
Advantages of point-and-permute:
• Exactly one entry needs to be decrypted
• Simplifies output decryption
⇒ Server simply reveals for each output wire the bit pi to Client.
25
3) 3-Row Reduction [NaorPS99]
}
ET(a, B; c)
ET(A, b; c) remaining 3 table entries as before
ET(A, B; C)
Idea: Choose keys s.t. each pair has fixed distance R (unknown to evaluator).
R=a⊕A=b⊕B=c⊕C=…
Garble XOR: set output key c = a ⊕ b
Eval XOR: set output key kc = ka ⊕ kb
Correctness: c = a ⊕ b = (R ⊕ a) ⊕ (R ⊕ b) = A ⊕ B
C=c⊕R=a⊕b⊕R=a⊕B=A⊕b
Security (intuitively): Evaluator knows one key per wire, so never learns R.
§ Requires random oracle or non-standard circularity assumption.
Since 2008 many Intel and AMD CPUs have hardware support for AES:
Advanced Encryption Standard New Instructions (AES-NI)
28
The complete scheme. The full garbling procedure for an entire circuit is shown in
Figure 2. The scheme works for any binary gate, but for simplicity of discussion and
proof we assume all gates are either AND or XOR.
6) HalfGates - Today’s Most Efficient Garbling Scheme [ZahurRE15]
procedure Gb(1k , f ): procedure En(ê, x̂):
R ⌘ {0, 1}k 1 1 for ei 2 ê do
for i 2 Inputs(f ) do Xi ei xi R
Wi0 ⌘ {0, 1}k return X̂
Wi1 Wi0 R
ei Wi0 ˆ Ŷ ):
procedure De(d,
for i 2/ Inputs(f ) {in topo. order} do ˆ
for di 2 d do
{a, b} GateInputs(f, i) yi di lsb Yi
if i 2 XorGates(f ) then return ŷ
Free XOR Wi0 Wa0 Wb0
else
procedure Ev(F̂ , X̂):
(Wi0 , TGi , TEi ) GbAnd(Wa0 , Wb0 )
for i 2 Inputs(F̂ ) do
Fi (TGi , TEi )
Wi Xi
end if
Wi1 Wi0 R for i 2/ Inputs(F̂ ) {in topo. order} do
for i 2 Outputs(f ) do {a, b} GateInputs(F̂ , i)
di lsb(Wi0 ) if i 2 XorGates(F̂ ) then
ˆ
return (F̂ , ê, d) Wi Wa Wb
else
private procedure GbAnd(Wa0 , Wb0 ): sa lsb Wa ; sb lsb Wb
pa lsb Wa0 ; pb lsb Wb0 j NextIndex(); j 0 NextIndex()
j NextIndex(); j
{First half gate}
0
NextIndex() (TGi , TEi )
WGi
Fi
H(Wa , j) sa TGi
2 calls of H
TG H(Wa0 , j) H(Wa1 , j) pb R WEi H(Wb , j 0 ) sb (TEi Wa ) for evaluating
4 calls of H WG 0
H(Wa0 , j) pa TG
{Second half gate}
Wi
end if
WGi WEi
AND
for garbling TE H(Wb0 , j 0 ) H(Wb1 , j 0 ) Wa0 for i 2 Outputs(F̂ ) do
WE 0
H(Wb0 , j 0 ) pb (TE Wa0 ) Yi Wi
AND {Combine halves} return Ŷ
W0 WG0 WE0
return (W 0 , TG , TE ) 2 table entries per AND 29
Summary of Garbled Circuit Constructions
Classical 4(𝜅 + 𝜎) 8 5
3-Row Reduction 3𝜿 4 1
31
THE GMW PROTOCOL
32
The GMW Protocol [GMW87]
dz'22
𝑑
sha1_base64="SjRMecgY3pO9KsB3tlFCR6WDZVo=">AAADOnicjVLLbtNAFJ2aVzGvFpbdjEiRWKDIjirBjkrddBkk0hZlIms8vk5GmYc1Mw6Ekb+CLfwJP8KWHWLDgg9gHIeKpCBxJUvX55z7nJtXgluXJF92omvXb9y8tXs7vnP33v0He/sPz6yuDYMR00Kbi5xaEFzByHEn4KIyQGUu4Dyfn7T8+QKM5Vq9dssKJpJOFS85oy5Abw5ZNniWZ4PDbK+X9JOV4atOunZ6L3+glQ2z/eiAFJrVEpRjglo7TpPKTTw1jjMBTUxqCxVlczqFMRVV6G/ieWmXssFP8NDoBS/AYnJauz+lfjVSkASowKU24VMOr9ANHZU25MqDUlI3s9tcC/6NG9eufBEaUVXtQLGuUFkL7DRu94MLboA5sQwOZYaHYTCbUUOZC1vcqGKdpGZpijCqgrdMS0lV4UmbdZxOPBEiD2FzcL6XNsSY9V/zP0l0ddJ4kut3jJtum5vsMLAt1RGgFtxo1T6FbxNDkXEHkr+HxsckhylX/jcQY0wshDtRUzfzpIVDN40Pj7fNVdTYOf83dxnWtFMXlyWaOA7nlG4fz1XnbNBPk376atA7PuruCu2iA/QYPUUpeo6O0SkaohFiSKIP6CP6FH2Ovkbfou+dNNpZxzxCGxb9/AVPQxKP</latexit>
<latexit sha1_base64="RGeQDpqFQl+kSkyQQXnAumrjVtk=">AAADNnicjVLLbtNAFJ2aVzGvFpbdjEiRWEV2VAmWlbrpMkikrRRH0Xh8nYwyD2vmOhBG/ga28Cf8Cht2iC2fwDgxFUlB4kqWrs859zk3r6RwmCRf96Jbt+/cvbd/P37w8NHjJweHTy+cqS2HETfS2KucOZBCwwgFSriqLDCVS7jMF2ctf7kE64TRb3FVwUSxmRal4AwDNDoupoPj6UEv6SdrozedtHN6pLPh9DA6ygrDawUauWTOjdOkwolnFgWX0MRZ7aBifMFmMGayCr1NvCjdSjX0BR1asxQFOJqd1/in1K/HCZIAFbQ0Nnwa6Rrd0jHlQq48KBXDudvlWvBv3LjG8nVoRFc1guabQmUtKRra7oYWwgJHuQoO41aEYSifM8s4hg1uVXGomF3ZIoyq4R03SjFd+KzNOk4nPpMyD2ELQN9Lm8za7q/5nySmOmt8lpv3XNjNNrfZYWBbakOAXgprdPsUvk0MxVQgKPEBGh9nOcyE9r+BmNLMQbgRPcO5z1o4dNP48Hi7XMWsW4h/c9dhTTt1cV2iieNwTunu8dx0Lgb9NOmnbwa905PusPbJEXlOXpKUvCKn5JwMyYhwIshH8ol8jr5E36Lv0Y+NNNrrYp6RLYt+/gJrJRAa</latexit>
sha1_base64="3EkRZQXY25eFfFUD6NCEywS5TV0=">AAADNnicjVLLbtNAFJ2aVzGvFpbdjEiRWEV2VAl2rdRNl0EibaU4isbjm2SUeVgz16Fh5G9gC3/Cr7Bhh9j2ExjHoSIpSFzJ0vU55z7n5qUUDpPk20505+69+w92H8aPHj95+mxv//m5M5XlMOBGGnuZMwdSaBigQAmXpQWmcgkX+fy04S8WYJ0w+j0uSxgpNtViIjjDAA0Oi3HvcLzXSbrJyuhtJ107neNrsrL+eD86yArDKwUauWTODdOkxJFnFgWXUMdZ5aBkfM6mMGSyDL2NvJi4parpK9q3ZiEKcDQ7q/BPqV+NEyQBKujE2PBppCt0Q8eUC7nyoFQMZ26ba8C/ccMKJ29DI7qsEDRvC00qSdHQZje0EBY4ymVwGLciDEP5jFnGMWxwo4pDxezSFmFUDR+4UYrpwmdN1mE68pmUeQibA/pOWmfWrv/q/0liytPaZ7m54sK229xk+4FtqJYAvRDW6OYpfJMYirFAUOIj1D7OcpgK7X8DMaWZg3AjeooznzVw6Kb24fG2uZJZNxf/5m7C6mbq4qZEHcfhnNLt47ntnPe6adJN3/U6J0ftXZFdckBektckJW/ICTkjfTIgnAjyiXwmX6Kv0ffoR/SzlUY765gXZMOi61+M3BFJ</latexit>
<latexit sha1_base64="s//ml0S3A6LtF+M2F8YlxrWHlhI=">AAADOnicjVLLbtNAFJ2aV2teLSy7GZEisUCRHSHBslI3XQaJtEWZKBqPr5NR5mHNjEPNyF/BFv6EH2HLDrHlAxgnbkVSkLiSpetzzn3OzUrBrUuSbzvRrdt37t7b3YvvP3j46PH+wZMzqyvDYMS00OYioxYEVzBy3Am4KA1QmQk4zxYnLX++BGO5Vu9cXcJE0pniBWfUBej90eV08LKeDo6m+72kn6wM33TSzumhzobTg+iQ5JpVEpRjglo7TpPSTTw1jjMBTUwqCyVlCzqDMRVl6G/ieWFr2eDneGj0kudgMTmt3J9SvxopSAKU40Kb8CmHV+iGjkobcmVBKamb222uBf/GjStXvAmNqLJyoNi6UFEJ7DRu94NzboA5UQeHMsPDMJjNqaHMhS1uVLFOUlObPIyq4APTUlKVe9JmHacTT4TIQtgCnO+lDTGm+2v+J4kuTxpPMn3JuFlvc5MdBral1gSoJTdatU/h28SQT7kDyT9C42OSwYwrfwXEGBML4U7UzM09aeHQTePD421zJTV2wf/NXYc17dT5dYkmjsM5pdvHc9M5G/TTpJ++HfSOX3WHtYsO0TP0AqXoNTpGp2iIRoghiT6hz+hL9DX6Hv2Ifq6l0U4X8xRtWPTrN6nMEYw=</latexit>
sha1_base64="TI8Ui03yFikHc+JGl2avKcOpaNY=">AAADOnicjVLLbtNAFJ2aVzGvFpbdjEiRWKDIjpBgR6VuugwSaYsyUTQeXyejzMOaGYeakb+CLfwJP8KWHWLDgg9gHIeKpCBxJUvX55z7nJuVgluXJF92omvXb9y8tXs7vnP33v0He/sPT62uDIMR00Kb84xaEFzByHEn4Lw0QGUm4CxbHLf82RKM5Vq9cXUJE0lnihecURegt4cX08Gzejo4nO71kn6yMnzVSddO79UPtLLhdD86ILlmlQTlmKDWjtOkdBNPjeNMQBOTykJJ2YLOYExFGfqbeF7YWjb4CR4aveQ5WExOKven1K9GCpIA5bjQJnzK4RW6oaPShlxZUErq5naba8G/cePKFS9DI6qsHCjWFSoqgZ3G7X5wzg0wJ+rgUGZ4GAazOTWUubDFjSrWSWpqk4dRFbxjWkqqck/arON04okQWQhbgPO9tCHGrP+a/0miy+PGk0xfMG66bW6yw8C2VEeAWnKjVfsUvk0M+ZQ7kPw9ND4mGcy48r+BGGNiIdyJmrm5Jy0cuml8eLxtrqTGLvi/ucuwpp06vyzRxHE4p3T7eK46p4N+mvTT14Pe0fPurtAuOkCP0VOUohfoCJ2gIRohhiT6gD6iT9Hn6Gv0LfreSaOddcwjtGHRz1/LgxK7</latexit>
<latexit sha1_base64="N9e/BCaUbNEfRa4IhJULBv1/oBU=">AAADNnicjVLLbtNAFJ2aVzGvFpbdjEiRWEV2hATLSt10GSTSVoqjaDy+TkaZhzVzHUhH/ga28Cf8Cht2iC2fwDgxFUlB4kqWrs859zk3r6RwmCRf96Jbt+/cvbd/P37w8NHjJweHT8+dqS2HETfS2MucOZBCwwgFSrisLDCVS7jIF6ctf7EE64TR73BVwUSxmRal4AwDNDq+mg6Opwe9pJ+sjd500s7pkc6G08PoKCsMrxVo5JI5N06TCieeWRRcQhNntYOK8QWbwZjJKvQ28aJ0K9XQF3RozVIU4Gh2VuOfUr8eJ0gCVNDS2PBppGt0S8eUC7nyoFQM526Xa8G/ceMayzehEV3VCJpvCpW1pGhouxtaCAsc5So4jFsRhqF8zizjGDa4VcWhYnZlizCqhvfcKMV04bM26zid+EzKPIQtAH0vbTJru7/mf5KY6rTxWW4+cGE329xmh4FtqQ0Beims0e1T+DYxFFOBoMQVND7OcpgJ7X8DMaWZg3AjeoZzn7Vw6Kbx4fF2uYpZtxD/5q7Dmnbq4rpEE8fhnNLd47npnA/6adJP3w56J6+6w9onR+Q5eUlS8pqckDMyJCPCiSAfySfyOfoSfYu+Rz820mivi3lGtiz6+QupGxAw</latexit>
sha1_base64="rMjvqVVv4/4iclUnFAqSBYMFZR8=">AAADNnicjVLLbhMxFHWHVxleLSy7sZoisYpmIiTYUambLoNE2kpxFHk8dxIrHntk3wmk1nwDW/gTfoUNO8S2n4AnCVWTgsSVRrpzzrlP36xS0mGSfN+J7ty9d//B7sP40eMnT5/t7T8/c6a2AgbCKGMvMu5ASQ0DlKjgorLAy0zBeTY7afnzOVgnjf6AiwpGJZ9oWUjBMUCDo8tx72i810m6ydLobSddO513V2Rp/fF+dMByI+oSNArFnRumSYUjzy1KoaCJWe2g4mLGJzDkqgq9jbws3KJs6Evat2Yuc3CUndZ4U+qX4wRJgHJaGBs+jXSJbuh46UKuLChLjlO3zbXg37hhjcXb0IiuagQtVoWKWlE0tN0NzaUFgWoRHC6sDMNQMeWWCwwb3KjisOR2YfMwqoaPwpQl17lnbdZhOvJMqSyEzQB9J22Yteu/5n+SmOqk8Swzn4S0q21usv3AttSKAD2X1uj2KXybGPKxRCjlJTQ+ZhlMpPZ/gJhS5iDciJ7g1LMWDt00PjzeNldx62by39x1WNNOnV+XaOI4nFO6fTy3nbNeN0266fte5/j16q7ILjkgh+QVSckbckxOSZ8MiCCSfCZfyNfoW/Qj+hn9WkmjnXXMC7Jh0dVvytIRXw==</latexit>
𝑑
33
Precompute Multiplication Triples via R-OTs [AsharovLSZ13]
Goal: Generate a multiplication triple 𝑐! ⊕ 𝑐' = (𝑎! ⊕ 𝑎' ) (𝑏! ⊕ 𝑏' ) via 2 random OTs
• P1’s output: 𝑎! , 𝑏! , 𝑐!
• P2’s output: 𝑎' , 𝑏' , 𝑐'
• Property: 𝑐! ⊕ 𝑐' = (𝑎! ⊕ 𝑎' ) (𝑏! ⊕ 𝑏' ) = 𝑎! 𝑏! ⊕ 𝑎' 𝑏! ⊕ 𝑎! 𝑏' ⊕ 𝑎' 𝑏'
The Protocol:
1. P2 chooses 𝑎' ∈( {0,1}
2. P1 and P2 run random OT: P1 (sender) obtains (𝑚% , 𝑚! ), P2 (receiver) inputs 𝑎' and gets 𝑢' = 𝑚)"
3. P1 sets 𝑏! = 𝑚% ⊕ 𝑚! and 𝑣! = 𝑚%
§ Observe: v! ⊕ 𝑢' = 𝑚% ⊕ 𝑚)"
§ If 𝑎' = 0 then v! ⊕ 𝑢' = 𝑚% ⊕ 𝑚% = 0 = 𝑎' 𝑏!
§ If 𝑎' = 1 then 𝑣! ⊕ 𝑢' = 𝑚% ⊕ 𝑚! = 𝑏! = 𝑎' 𝑏!
4. P1 and P2 repeat steps 1-3 with reversed roles to obtain (𝑎! , 𝑢! ) and (𝑏' , 𝑣' )
5. Pi sets 𝑐" = (𝑎" 𝑏" ) ⊕ 𝑢" ⊕ 𝑣"
Correctness: 𝑐! ⊕ 𝑐' = 𝑎! 𝑏! ⊕ 𝑢! ⊕ 𝑣! ⊕ 𝑎' 𝑏' ⊕ 𝑢' ⊕ 𝑣' = 𝑎! 𝑏! ⊕ 𝑎' 𝑏! ⊕ 𝑎! 𝑏' ⊕ 𝑎' 𝑏' 34
Evaluate AND gates via Multiplication Triples in Online Phase [Beaver91]
Goal: Compute AND gate using multiplication triple c" ⊕ 𝑐& = 𝑎" ⊕ 𝑎& (𝑏" ⊕ 𝑏& )
P1 sends to P2: 𝑑" = 𝑥" ⊕ 𝑎" and 𝑒" = 𝑦" ⊕ 𝑏" x1𝑥,# ,y𝑦1# 𝑥x" 2
, 𝑦,"y2
P2 sends to P1: 𝑑& = 𝑥& ⊕ 𝑎& and 𝑒& = 𝑦& ⊕ 𝑏&
<latexit sha1_base64="HHJ1w9f7EzOiWBlFm+Aj2fxlMsQ=">AAADOnicjVLLbtNAFJ2aVzGvFpbdjEiRWKDIrpBgWambLoNE2qJMZI3H18ko87BmxqFm5K9gC3/Cj7Blh9jyAYwTU5EUJK5k6fqcc59z80pw65Lk60504+at23d278b37j94+Ghv//GZ1bVhMGZaaHORUwuCKxg77gRcVAaozAWc54uTjj9fgrFcq7euqWAq6UzxkjPqAvTu8DJLXzRZepjtDZJhsjJ83Ul7Z4B6G2X70QEpNKslKMcEtXaSJpWbemocZwLamNQWKsoWdAYTKqrQ39Tz0jayxc/wyOglL8Biclq7P6V+NVKQBKjApTbhUw6v0A0dlTbkyoNSUje321wH/o2b1K58HRpRVe1AsXWhshbYadztBxfcAHOiCQ5lhodhMJtTQ5kLW9yoYp2kpjFFGFXBe6alpKrwpMs6SaeeCJGHsAU4P0hbYkz/1/5PEl2dtJ7k+pJxs97mJjsKbEetCVBLbrTqnsJ3iaHIuAPJP0DrY5LDjCv/G4gxJhbCnaiZm3vSwaGb1ofH2+YqauyC/5u7Cmu7qYurEm0ch3NKt4/nunN2NEyTYfrmaHD8sj+sXXSAnqLnKEWv0DE6RSM0RgxJ9BF9Qp+jL9G36Hv0Yy2NdvqYJ2jDop+/AKQqEYo=</latexit>
z𝑧1#
<latexit sha1_base64="Gp0kfRWEdWZoLNwU9veo2oxd2Po=">AAADNnicjVLLbtNAFJ2aR4t5tbDsZkSKxCqyKyRYVuqmyyCRtlIcRePxdTLKPKyZ60A68jd0C3/Cr7Bhh9jyCYwTU5EUJK5k6fqcc59z80oKh0nydSe6c/fe/d29B/HDR4+fPN0/eHbuTG05DLmRxl7mzIEUGoYoUMJlZYGpXMJFPj9t+YsFWCeMfo/LCsaKTbUoBWcYoOHR1SQ9muz3kn6yMnrbSTunRzobTA6iw6wwvFagkUvm3ChNKhx7ZlFwCU2c1Q4qxudsCiMmq9Db2IvSLVVDX9KBNQtRgKPZWY1/Sv1qnCAJUEFLY8Onka7QDR1TLuTKg1IxnLltrgX/xo1qLN+GRnRVI2i+LlTWkqKh7W5oISxwlMvgMG5FGIbyGbOMY9jgRhWHitmlLcKoGj5woxTThc/arKN07DMp8xA2B/S9tMms7f6a/0liqtPGZ7n5yIVdb3OTHQS2pdYE6IWwRrdP4dvEUEwEghJX0Pg4y2EqtP8NxJRmDsKN6CnOfNbCoZvGh8fb5ipm3Vz8m7sJa9qpi5sSTRyHc0q3j+e2c37cT5N++u64d/K6O6w9ckhekFckJW/ICTkjAzIknAhyTT6Rz9GX6Fv0PfqxlkY7XcxzsmHRz1+mTBAv</latexit>
sha1_base64="QgqSgbZYnZ42U0FJrU/B796XRcs=">AAADNnicjVLLbtNAFJ2aVzGvFpbdjEiRWEV2hQQ7KnXTZZBIWymOovH4OhllHtbMdSAd+RvYwp/wK2zYIbb9BMZxqEgKEleydH3Ouc+5eSWFwyT5thPdun3n7r3d+/GDh48eP9nbf3rmTG05DLmRxl7kzIEUGoYoUMJFZYGpXMJ5Pj9p+fMFWCeMfo/LCsaKTbUoBWcYoOHh5SQ9nOz1kn6yMnrTSddO7+0VWdlgsh8dZIXhtQKNXDLnRmlS4dgzi4JLaOKsdlAxPmdTGDFZhd7GXpRuqRr6gg6sWYgCHM1Oa/xT6lfjBEmACloaGz6NdIVu6JhyIVcelIrhzG1zLfg3blRj+SY0oqsaQfOuUFlLioa2u6GFsMBRLoPDuBVhGMpnzDKOYYMbVRwqZpe2CKNq+MCNUkwXPmuzjtKxz6TMQ9gc0PfSJrN2/df8TxJTnTQ+y81HLmy3zU12ENiW6gjQC2GNbp/Ct4mhmAgEJS6h8XGWw1Ro/xuIKc0chBvRU5z5rIVDN40Pj7fNVcy6ufg3dx3WtFMX1yWaOA7nlG4fz03n7KifJv303VHv+FV3V2SXHJDn5CVJyWtyTE7JgAwJJ4J8Ip/Jl+hr9D36Ef3spNHOOuYZ2bDo6hfIAxFe</latexit>
<latexit sha1_base64="lgjFqMkPVFkmpCFuv5zKPsk0CG8=">AAADOXicjVLLbtNAFJ2aVzGvFpbdjEiRWEV2hQTLSt10GSTSRspE0Xh8nYwynrFmrlPCyD/BFv6EL2HJDrHlBxgnpiIpSFzJ0vU55z7nZpWSDpPk61506/adu/f278cPHj56/OTg8OmFM7UVMBRGGTvKuAMlNQxRooJRZYGXmYLLbHHW8pdLsE4a/Q5XFUxKPtOykIJjgEbH7AryGRxPD3pJP1kbvemkndMjnQ2mh9ERy42oS9AoFHdunCYVTjy3KIWCJma1g4qLBZ/BmKsqtDfxsnCrsqEv6MCapczBUXZe459Sv54oSAKU08LY8Gmka3RLx0sXcmVBWXKcu12uBf/GjWss3oRGdFUjaLEpVNSKoqHtemguLQhUq+BwYWUYhoo5t1xgWOJWFYcltyubh1E1XAlTllznnrVZx+nEM6WyELYA9L20YdZ2f83/JDHVWeNZZt4LaTfb3GYHgW2pDQF6Ka3R7VP4NjHkU4lQyg/Q+JhlMJPa/wZiSpmDcCZ6hnPPWjh00/jweLtcxa1byH9z12FNO3V+XaKJ43BO6e7x3HQuTvpp0k/fnvROX3WHtU+OyHPykqTkNTkl52RAhkQQRT6ST+Rz9CX6Fn2Pfmyk0V4X84xsWfTzF/VREas=</latexit>
<latexit sha1_base64="47gCKgauPNczw+PY3OVeKt5vnNs=">AAADOXicjVLLbtNAFJ2aV2teLSy7GZEisYrsCgl2VOqmyyCRNlImisbja2eUeVgz45Qw8k+whT/hS1iyQ6yQ+AHGcVqRFCSuZOn6nHOfc7NKcOuS5OtOdOv2nbv3dvfi+w8ePnq8f/Dk3OraMBgyLbQZZdSC4AqGjjsBo8oAlZmAi2x+2vIXCzCWa/XOLSuYSFoqXnBGXYBGR+QS8hKOpvu9pJ+sDN900rXTe/MTrWwwPYgOSa5ZLUE5Jqi14zSp3MRT4zgT0MSktlBRNqcljKmoQnsTzwu7lA1+jgdGL3gOFpOz2v0p9auJgiRAOS60CZ9yeIVu6Ki0IVcWlJK6md3mWvBv3Lh2xevQiKpqB4p1hYpaYKdxux6ccwPMiWVwKDM8DIPZjBrKXFjiRhXrJDVLk4dRFVwyLSVVuSdt1nE68USILITNwfle2hBj1n/N/yTR1WnjSabfM266bW6yg8C2VEeAWnCjVfsUvk0M+ZQ7kPwDND4mGZRc+SsgxphYCGeiSjfzpIVDN40Pj7fNVdTYOf83dx3WtFPn1yWaOA7nlG4fz03n/LifJv307XHv5GV3V2gXHaJn6AVK0St0gs7QAA0RQwJ9RJ/Q5+hL9C36Hv3opNHOOuYp2rDo128XFxLa</latexit>
^ <latexit sha1_base64="s//ml0S3A6LtF+M2F8YlxrWHlhI=">AAADOnicjVLLbtNAFJ2aV2teLSy7GZEisUCRHSHBslI3XQaJtEWZKBqPr5NR5mHNjEPNyF/BFv6EH2HLDrHlAxgnbkVSkLiSpetzzn3OzUrBrUuSbzvRrdt37t7b3YvvP3j46PH+wZMzqyvDYMS00OYioxYEVzBy3Am4KA1QmQk4zxYnLX++BGO5Vu9cXcJE0pniBWfUBej90eV08LKeDo6m+72kn6wM33TSzumhzobTg+iQ5JpVEpRjglo7TpPSTTw1jjMBTUwqCyVlCzqDMRVl6G/ieWFr2eDneGj0kudgMTmt3J9SvxopSAKU40Kb8CmHV+iGjkobcmVBKamb222uBf/GjStXvAmNqLJyoNi6UFEJ7DRu94NzboA5UQeHMsPDMJjNqaHMhS1uVLFOUlObPIyq4APTUlKVe9JmHacTT4TIQtgCnO+lDTGm+2v+J4kuTxpPMn3JuFlvc5MdBral1gSoJTdatU/h28SQT7kDyT9C42OSwYwrfwXEGBML4U7UzM09aeHQTePD421zJTV2wf/NXYc17dT5dYkmjsM5pdvHc9M5G/TTpJ++HfSOX3WHtYsO0TP0AqXoNTpGp2iIRoghiT6hz+hL9DX6Hv2Ifq6l0U4X8xRtWPTrN6nMEYw=</latexit>
𝑧z"2
sha1_base64="TI8Ui03yFikHc+JGl2avKcOpaNY=">AAADOnicjVLLbtNAFJ2aVzGvFpbdjEiRWKDIjpBgR6VuugwSaYsyUTQeXyejzMOaGYeakb+CLfwJP8KWHWLDgg9gHIeKpCBxJUvX55z7nJuVgluXJF92omvXb9y8tXs7vnP33v0He/sPT62uDIMR00Kb84xaEFzByHEn4Lw0QGUm4CxbHLf82RKM5Vq9cXUJE0lnihecURegt4cX08Gzejo4nO71kn6yMnzVSddO79UPtLLhdD86ILlmlQTlmKDWjtOkdBNPjeNMQBOTykJJ2YLOYExFGfqbeF7YWjb4CR4aveQ5WExOKven1K9GCpIA5bjQJnzK4RW6oaPShlxZUErq5naba8G/cePKFS9DI6qsHCjWFSoqgZ3G7X5wzg0wJ+rgUGZ4GAazOTWUubDFjSrWSWpqk4dRFbxjWkqqck/arON04okQWQhbgPO9tCHGrP+a/0miy+PGk0xfMG66bW6yw8C2VEeAWnKjVfsUvk0M+ZQ7kPw9ND4mGcy48r+BGGNiIdyJmrm5Jy0cuml8eLxtrqTGLvi/ucuwpp06vyzRxHE4p3T7eK46p4N+mvTT14Pe0fPurtAuOkCP0VOUohfoCJ2gIRohhiT6gD6iT9Hn6Gv0LfreSaOddcwjtGHRz1/LgxK7</latexit>
<latexit sha1_base64="N9e/BCaUbNEfRa4IhJULBv1/oBU=">AAADNnicjVLLbtNAFJ2aVzGvFpbdjEiRWEV2hATLSt10GSTSVoqjaDy+TkaZhzVzHUhH/ga28Cf8Cht2iC2fwDgxFUlB4kqWrs859zk3r6RwmCRf96Jbt+/cvbd/P37w8NHjJweHT8+dqS2HETfS2MucOZBCwwgFSrisLDCVS7jIF6ctf7EE64TR73BVwUSxmRal4AwDNDq+mg6Opwe9pJ+sjd500s7pkc6G08PoKCsMrxVo5JI5N06TCieeWRRcQhNntYOK8QWbwZjJKvQ28aJ0K9XQF3RozVIU4Gh2VuOfUr8eJ0gCVNDS2PBppGt0S8eUC7nyoFQM526Xa8G/ceMayzehEV3VCJpvCpW1pGhouxtaCAsc5So4jFsRhqF8zizjGDa4VcWhYnZlizCqhvfcKMV04bM26zid+EzKPIQtAH0vbTJru7/mf5KY6rTxWW4+cGE329xmh4FtqQ0Beims0e1T+DYxFFOBoMQVND7OcpgJ7X8DMaWZg3AjeoZzn7Vw6Kbx4fF2uYpZtxD/5q7Dmnbq4rpEE8fhnNLd47npnA/6adJP3w56J6+6w9onR+Q5eUlS8pqckDMyJCPCiSAfySfyOfoSfYu+Rz820mivi3lGtiz6+QupGxAw</latexit>
sha1_base64="rMjvqVVv4/4iclUnFAqSBYMFZR8=">AAADNnicjVLLbhMxFHWHVxleLSy7sZoisYpmIiTYUambLoNE2kpxFHk8dxIrHntk3wmk1nwDW/gTfoUNO8S2n4AnCVWTgsSVRrpzzrlP36xS0mGSfN+J7ty9d//B7sP40eMnT5/t7T8/c6a2AgbCKGMvMu5ASQ0DlKjgorLAy0zBeTY7afnzOVgnjf6AiwpGJZ9oWUjBMUCDo8tx72i810m6ydLobSddO513V2Rp/fF+dMByI+oSNArFnRumSYUjzy1KoaCJWe2g4mLGJzDkqgq9jbws3KJs6Evat2Yuc3CUndZ4U+qX4wRJgHJaGBs+jXSJbuh46UKuLChLjlO3zbXg37hhjcXb0IiuagQtVoWKWlE0tN0NzaUFgWoRHC6sDMNQMeWWCwwb3KjisOR2YfMwqoaPwpQl17lnbdZhOvJMqSyEzQB9J22Yteu/5n+SmOqk8Swzn4S0q21usv3AttSKAD2X1uj2KXybGPKxRCjlJTQ+ZhlMpPZ/gJhS5iDciJ7g1LMWDt00PjzeNldx62by39x1WNNOnV+XaOI4nFO6fTy3nbNeN0266fte5/j16q7ILjkgh+QVSckbckxOSZ8MiCCSfCZfyNfoW/Qj+hn9WkmjnXXMC7Jh0dVvytIRXw==</latexit>
Correctness:
𝑧 = 𝑧" ⊕ 𝑧2
= 𝑑𝑏" ⊕ 𝑒𝑎" ⊕ 𝑐" ⊕ 𝑑𝑒 ⊕ 𝑑𝑏& ⊕ 𝑒𝑎& ⊕ 𝑐&
= 𝑑𝑏 ⊕ 𝑒𝑎 ⊕ 𝑐 ⊕ 𝑑𝑒
= (𝑥 ⊕ 𝑎)𝑏 ⊕ (𝑦 ⊕ 𝑏)𝑎 ⊕ 𝑎𝑏 ⊕ (𝑥 ⊕ 𝑎)(𝑦 ⊕ 𝑏)
= 𝑥𝑏 ⊕ 𝑎𝑏 ⊕ 𝑦𝑎 ⊕ 𝑏𝑎 ⊕ 𝑎𝑏 ⊕ 𝑥𝑦 ⊕ 𝑥𝑏 ⊕ 𝑎𝑦 ⊕ 𝑎𝑏
= 𝑥𝑦.
35
Benchmarks of an optimized GMW implementation [SchneiderZohner13]
Runtime in seconds for 512-bit multiplication circuit (800k AND gates, depth 38) over Gigabit LAN.
36
Benchmarks of an optimized GMW implementation [SchneiderZohner13]
Runtime in seconds for 512-bit multiplication circuit (800k AND gates, depth 38) over Gigabit LAN.
37
Benchmarks of an optimized GMW implementation [SchneiderZohner13]
Runtime in seconds for 512-bit multiplication circuit (800k AND gates, depth 38) over Gigabit LAN.
38
Benchmarks of an optimized GMW implementation [SchneiderZohner13]
Runtime in seconds for 512-bit multiplication circuit (800k AND gates, depth 38) over Gigabit LAN.
Load Balancing:
• Run half of the precomputed OTs in each direction (in parallel).
• Run base OTs twice (in parallel).
⇒ Each party has exactly the same workload.
39
Benchmarks of an optimized GMW implementation [SchneiderZohner13]
Runtime in seconds for 512-bit multiplication circuit (800k AND gates, depth 38) over Gigabit LAN.
40
Benchmarks of an optimized GMW implementation [SchneiderZohner13]
Runtime in seconds for 512-bit multiplication circuit (800k AND gates, depth 38) over Gigabit LAN.
41
Benchmarks of an optimized GMW implementation [SchneiderZohner13]
Runtime in seconds for 512-bit multiplication circuit (800k AND gates, depth 38) over Gigabit LAN.
42
Benchmarks of an optimized GMW implementation [SchneiderZohner13]
Runtime in seconds for 512-bit multiplication circuit (800k AND gates, depth 38) over Gigabit LAN.
(inspired by Sharemind)
43
Remaining Bottlenecks for GMW in the LAN Setting
20%
32%
35% 47%
98% 37%
16%
44
Summary: GMW - the Orange
2) eat (easy)
Online phase:
+ circuit evaluation uses only very cheap operations
(not even symmetric crypto is needed)
- 2x2 bits of communication per AND gate
(grouped in layers)
45
YAO VS. GMW
46
Yao vs. GMW
Yao GMW
Free XOR
setup: S: 4
symmetric crypto per AND setup: S: 6; R: 6
online: R: 2
48
xi y
Ripple-Carry-Adder
ADD
x ` y` x 2 y2 x 1 y1 ci+1 ^
. . . c3 c2
+ + + 0
+
s`+1 s` s2 s1 si
𝑠# = 𝑥# ⊕ 𝑦# ⊕ 𝑐#
𝑐#1" = Fig. 1. Addition Circuit (ADD)
𝑥# ⊕ Fig. 2. Improved 1-bit Adde
𝑦# ∧ 𝑥# ⊕ 𝑐# ⊕ 𝑥# [BoyarPP00]
ANDsize = ℓ, ANDdepth = ℓ
𝑝#,% = is
Ladner-Fischer-Adder Subtraction in two’s complement representation 𝑥#defined
⊕ 𝑦# as x` y` = x` +ȳ` +1.
[LadnerFischer80] circuit (SUB) can be constructed analogously𝑐#,%
to the
= 𝑥addition
# ∧ 𝑦#
circuit from 1-bit subt
in Fig. 3. Each 1-bit subtractor computes the carry-out bit ci+1 = (xi ^ ȳi ) _ (xi
the di↵erence bit di = xi ȳi ci . We instantiate the 1-bit subtractor efficiently a
compute ci+1 = ci ((xi ci ) ^ (yi ci )) with the same size as the 1-bit adder.
𝑝#,' = 𝑝#,'$" ∧ 𝑝2,'$"
𝑐#,' = (𝑝#,'$" ∧ 𝑐2,'$" ) ∨ 𝑐#,'$"
xi y
50
Proving Non-Algebraic Statements Efficiently
The protocol is a special case of Yao’s protocol where only the prover has a private input 𝑥,
whereas the verifier’s input 𝑦 is public.
51
The protocol of [JaruwekKO13]
Goal: 𝑃𝐾{ 𝒙 : 𝒚 = 𝐶 𝒙 }
Prover Verifier
Input 𝒙, 𝒚 Input 𝒚
Construct Boolean circuit 𝐶𝒚
that evaluates to 𝑧 = 1 iff 𝒚 = 𝐶(𝒙)
B 𝑥Y
𝐶, % Y " Y% Y"
# , 𝑥# , 𝑧 , 𝑧 = Garble(12 , 𝐶𝒚 )
maliciously secure OT 𝒙; 𝑥Y#%, 𝑥Y#" D, ⊥
→ 𝒙
𝐶0
B 𝒙) Note that this is
𝑧̃ = 𝐶(D
𝑐 = Commit(𝑧,̃ 𝑟) possible here
because Verifier has
Randomness used for garbling and OTs no private inputs!
Abort if verification of
garbling or OTs fails 𝑧,̃ 𝑟
Check that 𝑐 = Commit 𝑧,̃ 𝑟
Accept if 𝑧̃ = 𝑧Y" 52
Bibliography (1)
[AsharovLSZ13]: G. Asharov, Y. Lindell, T. Schneider, M. Zohner: More Efficient Oblivious Transfer and Extensions for
Faster Secure Computation. In ACM CCS’13.
[AumannLindell07] Y. Aumann, Y. Lindell. Security Against Covert Adversaries: Efficient Protocols for Realistic
Adversaries. In TCC‘07.
[BarniFKLSS09] M. Barni, P. Failla, V. Kolesnikov, R. Lazzeretti, A.-R. Sadeghi, T. Schneider. Secure Evaluation of
Private Linear Branching Programs with Medical Applications. In ESORICS’09.
[Beaver91] D. Beaver. Efficient Multiparty Protocols using Circuit Randomization. In CRYPTO’91.
[BeaverMR90] D. Beaver, S. Micali, P. Rogaway. The Round Complexity of Secure Protocols. In STOC'90.
[BellareHKR13] M. Bellare, V. T. Hoang, S. Keelveedhi, P. Rogaway. Efficient Garbling from a Fixed-Key Blockcipher.
In S&P'13.
[BellareHR12] Foundations of Garbled Circuits. In CCS'12.
[BoyarPP00] J. Boyar, R. Peralta, D. Pochuev. On the Multiplicative Complexity of Boolean Functions over the Basis
(\cap, +, 1). In Theor. Comput. Sci. 2000.
[BrickellPSW07] J. Brickell, D. E. Porter, V. Shmatikov, E. Witchel. Privacy-preserving remote diagnostics. In ACM
CCS’07.
[ChoiHKMR12] S. G. Choi, K.-W. Hwang, J. Katz, T. Malkin, D. Rubenstein. Secure Multi-Party Computation of Boolean
Circuits with Applications to Privacy in On-Line Marketplaces. In CT-RSA‘12. 53
Bibliography (2)
[DemmlerSZ15] D. Demmler, T. Schneider, M. Zohner. ABY - A Framework for Efficient Mixed-protocol Secure Two-
party Computation. In NDSS’15.
[DemmlerDKSSZ15] D. Demmler, G. Dessouky, F. Koushanfar, A.-R. Sadeghi, T. Schneider, S. Zeitouni. Automated
Synthesis of Optimized Circuits for Secure Computation. In CCS’15.
[ErkinFGKLT09] Z. Erkin, M. Franz, J. Guajardo, S. Katzenbeisser, I. Lagendijk, T. Toft. Privacy-preserving face
recognition. In PETS’09.
[GMW87] O. Goldreich, S. Micali and A. Wigderson. How to Play any Mental Game. In STOC‘87.
[JaruwekKO13] M. Jawurek, F. Kerschbaum, C. Orlandi. Zero-Knowledge Using Garbled Circuits or How To Prove Non-
Algebraic Statements Efficiently. In CCS’13.
[KirazSchoenmakers06] M. S. Kiraz, B. Schoenmakers. A Protocol Issue for the Malicious Case of Yao’s Garbled Circuit
Construction. In Symposium on Information Theory in the Benelux, 2006.
[KolesnikovMR14] V. Kolesnikov, P. Mohassel, M. Rosulek. FleXOR: Flexible garbling for XOR gates that beats free-
XOR. In CRYPTO'14.
[KolesnikovSchneider08] V. Kolesnikov, T. Schneider. Improved Garbled Circuit: Free XOR Gates and Applications. In
ICALP'08.
[KreuterSS12] B. Kreuter, A. Shelat, C.-H. Shen. Billion-Gate Secure Computation with Malicious Adversaries. In
USENIX Security‘12.
54
Bibliography (3)
[LadnerFischer80] R. E. Ladner, M. J. Fischer. Parallel Prefix Computation. In J. ACM’80.
[LindellPinkas04] Y. Lindell, B. Pinkas. A Proof of Security of Yao’s Protocol for Two-Party Computation. In JoC‘09.
[LindellPinkas07] Y. Lindell, B. Pinkas. An Efficient Protocol for Secure Two-Party Computation in the Presence of
Malicious Adversaries. In EUROCRYPT‘07.
[NaorPS99] M. Naor, B. Pinkas, R. Sumner. Privacy Preserving Auctions and Mechanism Design. In EC’99.
[PinkasSSW09] B. Pinkas, T. Schneider, N. P. Smart, S. C. Williams. Secure Two-Party Computation is Practical. In
ASIACRYPT'09.
[SchneiderZohner13] T. Schneider, M. Zohner. GMW vs. Yao? Efficient Secure Two-party Computation with Low Depth
Circuits. In FC'13.
[SonghoriHSSK15] E. M. Songhori, S. U. Hussain, A.-R. Sadeghi, T. Schneider, F. Koushanfar. TinyGarble: Highly
Compressed and Scalable Sequential Garbled Circuits. In S&P’15.
[Troncoso-PastorizaKC07] J. R. Troncoso-Pasoriza, S. Katzenbeisser, M. U. Celik. Privacy preserving error resilient
DNA searching through oblivious automata. In ACM CCS’07.
[Yao86] A. C. Yao. How to Generate and Exchange Secrets. In FOCS‘86.
[ZahurRE15] S. Zahur, M. Rosulek, D. Evans. Two Halves Make a Whole - Reducing Data Transfer in Garbled Circuits
Using Half Gates. In EUROCRYPT'15.
55
THANKS FOR YOUR ATTENTION!
56