Please read this blog, if you’ve never heard of GC.
Originally proposed by [Yao82][Yao82] for Secure general 2PC for arbitrary polynomial functions.
a | b | AND |
---|---|---|
0 | 0 | 0 |
0 | 1 | 0 |
1 | 0 | 0 |
1 | 1 | 1 |
AND gate: Two parties involved are Garbler/Evaluator: with individual inputs:
-
Fix an encryption function , where .
-
creates two key pairs
-
Create garbled table:
a b and -
Send and to
-
perform 1-2 OT for for bit of .
-
performs decryption of all ciphertexts, but only one of them is valid.
-
Performs and return output to .
Security against:
- Semi-honest sender: sender only obtains output of OT and final . If OT is secure against malicious sender, then sender can only obtain information about a’s input which can be inferred from output .
- Semi-honest receiver: obtains from . for CPA secure encryption, all ciphertext are indistinguishable to each other. is chosen uniformly, thus, receiver can’t gain any information from input about bit.
General 2PC
Above protocol can be used to perform general computation on boolean circuits. For each input wire, create Key pairs, and a garbled table for each gate as follows:
a | b | AND |
---|---|---|
With ciphertexts and two decryption keys, one can decrypt to obtain key for the next intermediate gate. Final output wire decrypts to .
- Compute: function , with inputs with each party.
- Sender computes key pairs for input wires.
- Garbles each gate and obtains ciphertexts, where denotes number of gates in the function.
- Sends to .
- Perform n OT to obtain .
- decrypts each gate to obtains keys for subsequent intermediate gate.
- learns final output and sends it to .
Refer to above protocol as with as sender’s private input, and as evaluator’s input. Round complexity of above protocol is same as complexity of underlying OT. Using a 2-round OT, one can securely compute any function where the circuit itself is private input to the evaluator.
More generally, a Garbling scheme can be denoted using :
- : circuit , encoding information , decoding information .
- : plaintext circuit evaluator
- : on input encoding information and input gives garbled input .
- : garbled evaluator that on input takes garbled circuit and inputs, and gives garbled output.
- : takes the decoding information and gives plaintext output.
Security
Against semi-honest adversary:
For any given function implemented by a boolean circuit , multi-Encryption CPA secure function, protocol is secure if , PPT adversary , there exists a PPT simulator such that no PPT distinguisher can distinguish between real world and simulated protocol.
Informally, there should exists a simulator which can output the transcript of real world protocol from a circuit output , and evaluator’s input .
First prove for a single gate, then since can be used to build protocol for any polynomial function, the following proof holds.
algorithm:
-
Run of Enc to derive , where is the output key.
-
Run on key to derive from the transcript.
-
Garble the table as follows, and send permuted table.
AND -
send output map as , garbled table, and to .
Run 4 hybrid arguments and prove each’s probability is negligible:
- Substitute OT in to that on input from evaluator outputs , i.e. the output of ideal OT.
- This is secure due to security of OT protocol.
- Substitute one of the three remaining inputs to , i.e. , but the rest of the ciphertexts remain same,
- Substitute next two ciphertexts.
- Above hybrid proofs are secure, and can be proven using reduction proof. Adversary breaks Enc if distinguisher is able to output correct bit.1
Security against malicious adversary:
Authenticity: any PPT adversary on input garbled circuit and garbled input can only output correct plaintext output or aborts. This implies that even an actively corrupted adversary cannot cheat.
- Actively corrupted evaluator: Evaluator performs OT after receiving garbled circuit , i.e. it has access to ciphertexts corresponding to each wire, and wiring information. It can then change the inputs in such a way to receive keys for ciphertexts of its choice, and then aborts the protocol, getting to know about x’s input during this phase.
- How to prevent this? Change the order of ciphertext and OT, i.e perform OT before ciphertext communication.
- Actively corrupted garbler: Garbler can choose circuit such that it either outputs correct information or aborts (revealing partial information about Evaluator’s inputs).
- Can be handled by randomly evaluating multiple encryptions of circuit by garbler, i.e. let be k different encryptions of same circuit. Evaluator chooses either all but one approach, or majority cut-and-choose approach to check if the circuit is same or not.
- Can abort OT such that fails for a wrong key, and garbler learns partial information about Evaluator’s input.
Optimisations
- Point-and-permute: prevent decryption of 4 ciphertext, and pass additional data in keys so that evaluator determines which ciphertext to decrypt.
- Choose a select bit and set as LSB of keys: , similarly for .
- Encrypt as .
- Permute the table canonically by select bits: .
- Evaluator on receiving ciphertexts and key, checks LSB of key and choose the respective ciphertext from the table.
- Free-XOR: select a random difference delta , and create keys as . Using this, XOR gates can be evaluated independently as .
- For Free-XOR to be compatible with Point-and-permute (only when no extra select bit is chosen) .
- Garbled Row-reduction 3: Eliminate one ciphertext by picking one key such that ciphertext for that key is 0.
- Suppose from Free-XOR, first key is . Set this ciphertext to 0, and xor all other ciphertext with .
- Evaluator can directly compute the key, if select bits evaluate to 0.
- Garbled Row-Reduction 2: Use polynomial interpolation instead of one-time decryption to get output keys.
- For odd gates (OR, AND): ciphertexts corresponding to output bit 0 can be used to form a quadratic polynomial . y-intercept of this polynomial gives . And extrapolating the polynomial to get 2 more points . Form a new polynomial , y-intercept of this polynomial .
- For even gates (XOR, NXOR): create a linear polynomial using . Set , set in garbled table as per select permutation bit. Similarly, create polynomial as . Set . set in remaining garbled table row.
- Fle-XOR: have more offset instead of one like Free-XOR. Using this, one can make a xor gate more flexible by converting offset on the fly. For a unary gate, let be the input. To convert this to , set as and send as ciphertext. Evaluator on getting key using OT, can generate the key accordingly.
- This can be generalised to binary gate using ciphertexts depending on whether differences of key pairs match. If none match, then ciphertexts need to be sent for XOR.
- Half gate:
- Garbled Gadgets:
References
- CS355: Lecture 6
- CS498: Lecture 22
- Secure Computation Lecture Series
- Rafail’s Lecture notes: 14
- Orlandi’s CryCom: Lecture 5
- A Gentle Introduction to Yao’s Garbled Circuits
- Ben Lynn notes: Yao’s SFE
- Mina Book: Garbled Circuits
- Mike Rosulek’s talk on GC optimisations