
Secure Multi-Party Computation

Yi LIU
2024.12.04
Outline
• Zero-knowledge proofs (special case of secure multi-party computation)
• What are zero-knowledge proofs?
• How to realize zero-knowledge proofs?
• What is secure multi-party computation?
• How to realize general two-party computation? (if time permits)
• Garbled Circuits + Oblivious Transfer
Zero-Knowledge Proofs
Scenario: Where is Waldo?

Alice Bob

A “Hey Bob, I found Waldo!”


B “That was way too fast, I don’t believe you.”
Scenario: Sudoku
The goal of Sudoku is to fill in a 9 × 9 grid with digits so that each column, row, and 3 × 3 block contains the numbers 1 to 9.

Alice Bob

A “Hey Bob, check out this Sudoku puzzle!”


B “Last week you gave me a puzzle with no solution. I wasted 3 hours.”
A “This one has a solution, trust me.”
Scenario: Authentication

Alice Bob

A “Can I have access to the database? It’s me, Alice.”

B “OK, send me your password so I know it’s you.”


A Problem of Trust and Information
Alice wants to convince Bob of something
• Waldo is in the picture
• Sudoku puzzle has a solution
• Alice is not an imposter

Bob should not learn “too much”


• Waldo’s location
• Sudoku solution
• Alice’s password
What might a possible solution look like?
Where is Waldo? Solution

Alice Bob

Solution
1. Alice places opaque cardboard with hole over picture, revealing Waldo
Bob gets no information about Waldo’s location within picture!
Philosophy
Fuzzy Definition
A zero-knowledge proof is a way to prove and convince someone of a
fact without giving out “any additional information/knowledge”

What does it mean to


• prove something?
• give out information/knowledge?

Classical Definition of proofs


A proof is a list of logical steps. Something that Alice can write down
and send to Bob.
A Lady Tasting Tea

Muriel Ronald

A true story [R. Fisher, Mathematics of a Lady Tasting Tea, 1956]:


M “Tea poured into milk tastes different than milk poured into tea.”
R “Interesting. Can you prove it?”
M “Prove??”
Fisher’s Smart Idea: Interactive Proof
[Figure: Ronald hands Muriel cups poured M, T, T, M; Muriel answers “M, T, T, M”.]

Random challenge: In private, flip a coin to decide which to pour first (tea or milk). Give cup to Muriel.
Response: Muriel guesses.
• If Muriel can really tell, she gets it right.
• If no difference in two kinds of teas, she has chance of guessing correctly.
Repeat: Repeat times. If no difference in two kinds of teas, she has chance of guessing all correctly.
Epistemology: What is Knowledge?
Bad situation I wonder
is true what is

Alice Bob “Aha, ”

• This situation is bad if Bob couldn’t have computed before the interaction
• Interaction transcript gives him computational power
Want to say:
Everything Bob can compute after seeing the transcript, he could
have computed before seeing the transcript.
Transcript Simulation
Clever Definition
Interaction is zero-knowledge if Bob could generate transcripts without
interacting with Alice:

[Figure: Alice interacting with Bob, next to Bob on his own]

Whatever Bob could compute after seeing the transcript ... there is a way to compute without interaction!
Apparent Paradox
Paradox?
• Transcript should convince Bob of something new
• Bob could have generated transcript himself

Bob Charlie

B “Alice can drink a gallon of milk in an hour!”


C “Oh really?”
B “Yes, see this empty milk jug and stopwatch?”
C “You dummy, anyone can find an empty milk jug and stopwatch!”
B “But I saw her drink it while I timed her!”
Apparent Paradox
Bob Charlie

B “Alice can tell whether tea is poured into milk or vice-versa!”


C “Oh really?”
B “Yes, see all these correctly identified tea cups??”
C “You dummy, anyone can fill a tea cup and label it!”
B “But I picked the kind of pouring at random, and she was able to
answer every time!”
Bob already knew the correct responses to challenges
• Convinced by how the transcript was generated (in response to his challenges)
Formal Definition
Definition [GMR 1985]
A zero-knowledge proof is an interactive protocol satisfying:
• Completeness: The prover can always convince the verifier of any
true statement
• Soundness: The verifier can’t be convinced of a false statement (even
by a cheating prover), except with very low probability
• Zero-knowledge: There is an efficient procedure to output “same-
looking” protocol transcripts
Sudoku Zero-Knowledge Proof
Alice’s solved grid:
5 3 4 6 7 8 9 1 2
6 7 2 1 9 5 3 4 8
1 9 8 3 4 2 5 6 7
8 5 9 7 6 1 4 2 3
4 2 6 8 5 3 7 9 1
7 1 3 9 2 4 8 5 6
9 6 1 5 3 7 2 8 4
2 8 7 4 1 9 6 3 5
3 4 5 2 8 6 1 7 9

[Figure: the unsolved puzzle that Alice hands to Bob]

Alice Bob

A “Bob, try it! There exists a solution, trust me.”
A Tool for Sudoku Zero-Knowledge Proof
Scratch cards (commitment scheme
in cryptography)
• Hide the information
• Information is bound to the card
• cannot be modified after production

Suppose that Alice can produce scratch cards


• In crypto world, this can be realized by computing , is the
hidden information, is a random string
Sudoku Zero-Knowledge Proof
Zero-knowledge protocol:
1. Alice randomly relabels
2. Alice writes relabeled solution on scratch card, shows to Bob
3. Bob asks Alice to scratch off either:
• A particular row
• A particular column
• A particular block
• Initial positions + relabeling rule
and checks consistency
4. Repeat times

Example challenges shown on the slides: Row 2, Col 7, BLK 8.

Example relabeling: 1⟶3, 2⟶8, 3⟶4, 4⟶6, 5⟶9, 6⟶7, 7⟶2, 8⟶1, 9⟶5

Solution (Alice):
5 3 4 6 7 8 9 1 2
6 7 2 1 9 5 3 4 8
1 9 8 3 4 2 5 6 7
8 5 9 7 6 1 4 2 3
4 2 6 8 5 3 7 9 1
7 1 3 9 2 4 8 5 6
9 6 1 5 3 7 2 8 4
2 8 7 4 1 9 6 3 5
3 4 5 2 8 6 1 7 9

Relabeled solution (on the scratch card):
9 4 6 7 2 1 5 3 8
7 2 8 3 5 9 4 6 1
3 5 1 4 6 8 9 7 2
1 9 5 2 7 3 6 8 4
6 8 7 1 9 4 2 5 3
2 3 4 5 8 6 1 9 7
5 7 3 9 4 2 8 1 6
8 1 2 6 3 5 7 4 9
4 6 9 8 1 7 3 2 5
Sudoku Zero-Knowledge Proof, Analysis
Observation (Completeness)
If Alice can answer all challenges successfully, her scratch card satisfies:
• Every row, column, block is permutation of
• Initial positions consistent with relabeling of in original
puzzle
Then the original puzzle has a solution.

What if Alice is cheating (there really is no solution)?


No scratch card can correctly answer all challenges.
Sudoku Zero-Knowledge Proof, Analysis
Suppose Alice tries to prove an incorrect statement. Let be a challenge
that is bad for Alice’s scratch card.
• Bob picks random challenge ( choices)
• With probability , Bob chooses and Alice is caught!
• With probability , Alice’s cheating undetected
Key Idea
Repeat protocol times. Alice cheats undetected in all rounds with probability .

When , Alice will be caught with 99% probability. (Soundness)



If Alice follows protocol (there is a solution), then each round transcript is:
• Random permutation of in random row,
• Random permutation of in random column,
• Random permutation of in random block, or
• Random relabeling of original puzzle’s initial positions
Each of these Bob can generate himself (without the solution)! (Zero-knowledge)
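The scratch-card protocol and its soundness argument, as an added example that is not part of the original slides. Assumptions: the scratch card is a SHA-256 hash of a random nonce and the digit, the set of given cells in PUZZLE is constructed (the slide's own puzzle is not recoverable), and the count of 28 challenges (9 rows + 9 columns + 9 blocks + 1 initial-positions check) is read off the protocol as listed.

```python
import hashlib, math, random, secrets

DIGITS = list(range(1, 10))
# Solved grid shown on the slides.
SOLUTION = [[5,3,4,6,7,8,9,1,2], [6,7,2,1,9,5,3,4,8], [1,9,8,3,4,2,5,6,7],
            [8,5,9,7,6,1,4,2,3], [4,2,6,8,5,3,7,9,1], [7,1,3,9,2,4,8,5,6],
            [9,6,1,5,3,7,2,8,4], [2,8,7,4,1,9,6,3,5], [3,4,5,2,8,6,1,7,9]]
# Constructed puzzle (assumption): cells with (row + col) % 3 == 0 are the givens.
PUZZLE = {(r, c): SOLUTION[r][c] for r in range(9) for c in range(9) if (r + c) % 3 == 0}
CHALLENGES = [(k, i) for k in ("row", "col", "blk") for i in range(9)] + [("given", 0)]

def commit(value):
    """Scratch card: hash of a fresh random nonce and the hidden digit."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + bytes([value])).digest(), nonce

def cells_for(challenge):
    kind, i = challenge
    if kind == "row":
        return [(i, c) for c in range(9)]
    if kind == "col":
        return [(r, i) for r in range(9)]
    if kind == "blk":
        return [(3 * (i // 3) + dr, 3 * (i % 3) + dc) for dr in range(3) for dc in range(3)]
    return sorted(PUZZLE)  # "given": the puzzle's initial positions

class Prover:
    def __init__(self, grid):
        self.grid = grid

    def commit_round(self):
        """Steps 1-2: fresh random relabeling, then one commitment per cell."""
        perm = DIGITS[:]
        random.SystemRandom().shuffle(perm)
        self.relabel = dict(zip(DIGITS, perm))
        self.hidden, coms = {}, {}
        for r in range(9):
            for c in range(9):
                value = self.relabel[self.grid[r][c]]
                coms[(r, c)], nonce = commit(value)
                self.hidden[(r, c)] = (value, nonce)
        return coms

    def open(self, challenge):
        """Step 3: scratch off only the requested cells (plus the rule for 'given')."""
        opening = {pos: self.hidden[pos] for pos in cells_for(challenge)}
        return opening, (self.relabel if challenge[0] == "given" else None)

def verify(coms, challenge, opening, rule):
    cells = cells_for(challenge)
    if set(opening) != set(cells):
        return False
    for pos, (value, nonce) in opening.items():
        if hashlib.sha256(nonce + bytes([value])).digest() != coms[pos]:
            return False  # binding: the card does not open to the claimed digit
    if challenge[0] == "given":
        return (sorted(rule) == DIGITS and sorted(rule.values()) == DIGITS
                and all(opening[p][0] == rule[PUZZLE[p]] for p in cells))
    return sorted(opening[p][0] for p in cells) == DIGITS

def rejected_challenges(grid):
    # Analysis helper only: a real round opens ONE challenge per set of commitments.
    prover = Prover(grid)
    coms = prover.commit_round()
    return [ch for ch in CHALLENGES if not verify(coms, ch, *prover.open(ch))]

def run_protocol(grid, rounds):
    """Step 4: repeat commit / random challenge / open; reject on the first failure."""
    prover = Prover(grid)
    for _ in range(rounds):
        coms = prover.commit_round()
        challenge = secrets.choice(CHALLENGES)
        if not verify(coms, challenge, *prover.open(challenge)):
            return False
    return True

def rounds_needed(catch_probability, bad=1):
    """Rounds until a card with `bad` failing challenges is caught with that probability."""
    return math.ceil(math.log(1 - catch_probability) / math.log(1 - bad / len(CHALLENGES)))
```

A grid with a single wrong digit fails exactly the row, column and block challenges that contain it, which is what `rejected_challenges` reports and what `rounds_needed` turns into a round count.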
Zero-Knowledge Proofs for Everything?
We have a zero-knowledge proof protocol for Sudoku, so what?

Theorem [Yato 2003] Sudoku is NP-complete.


Every (practical) statement can be expressed in terms of the solvability
of a (generalized) Sudoku instance.
• Given statement , can compute puzzle
• is true is a solvable Sudoku puzzle
• To prove , use Sudoku ZK on
Theorem Every NP statement can be proven in zero-knowledge.
What are they good for?
ZK Proof of Identity
Public Key DB:
Alice: 583ffb4b3..
Bob: 0fae6535d..
Charlie: 0dd1dd8de..

Alice Bob

A “Please give access”
A “ZK proof: I know the secret key corresponding to 583ffb4b3..”
B “Ok, Alice”

• Alice has her PK published anyway
• No one else knows/can compute corresponding secret key
Security “Compiler”
Problem
• Want protocols that give security guarantee, even against malicious
parties who deviate from protocol
• This is hard!
• It’s easier to assume that all parties follow the protocol

Clever Idea: Security Compiler [GMW 1987]


1. Design a protocol that is secure if everyone follows protocol (not too
hard)
2. Parties must prove that they follow protocol at each step
Security “Compiler”
[Figure: messages exchanged between Alice and Bob]
protocol msg 1
ZK proof: msg 1 is consistent with my (secret) input and protocol
protocol msg 2
ZK proof: msg 2 is consistent with my (secret) input and protocol

• ZK proofs leak no further information about secret inputs
• If proofs succeed, then parties ran protocol honestly
• Security is guaranteed
• If proof fails, abort the protocol!
Other applications
• Blockchain
• Hide the senders
• Hide the receivers
• Hide transaction amounts
• Voting
• ……
Think about it…
• Can you tell the difference between Coca and Pepsi?
• Two bottles of cola are given (one is Coca; one is Pepsi), prove that
you can tell the difference
• How to design the zero-knowledge proof protocol?
Secure Multi-Party Computation
Secure Multi-Party Computation
Premise:
• Mutually distrusting parties, each
with a private input
• Learn the result of agreed-upon
computation
• Ex: election, auction, etc.

Security guarantees:
• Privacy (“learn no more than”
prescribed output)
• Input independence
• Output consistency, etc..
..even if some parties cheat, collude!
The Goal of Secure Multi-Party Computation
• Design a protocol to emulate the existence of a trusted third party
Zero-Knowledge Proofs ——Special Case
• # of parties: 2
• One party does not have input!
• Length of output is bit!
Secure Multi-Party Computation

Andrew Chi-Chih Yao


Turing Award (2000)

Protocols for secure computations, FOCS 82
How to Generate and Exchange Secrets, FOCS 86
Yao’s Millionaires’ Problem

Is ?
Examples: Ad Conversion
• Tesla launches ads on Google, two companies want to know ad conversion
Ad impressions In-store purchases
[email protected] [email protected] $80k
[email protected] [email protected] $160k
[email protected] [email protected] $99k
[email protected] [email protected] $85k
[email protected] [email protected] $77k
…… ……
SELECT SUM(amount)
FROM ads, purchases
WHERE ads.email = purchases.email

Computed with secure computation by Google and its customers


Examples: Wage Equity Study
Examples: Dating
• Alice and Bob
• If they like each other, they can date; if not, no dating.
• If one does not like the other, this person should not know the other party’s attitude

Alice Bob Can date?
0 0 0
0 1 0
1 0 0
1 1 1
General Two-Party Computation
Garbled Circuits + Oblivious Transfer
Protocols for two parties
Warm-up: garbled truth table
• Alice’s input:
• Bob’s input:
• They want to securely compute a function

Alice does the following:
1. Write truth table of function
2. For each possible input, choose random cryptographic key
3. Encrypt each output with corresponding keys
4. Randomly permute ciphertexts, send to Bob

⁇ Somehow Bob obtains “correct” , ⁇
If Alice’s input is , Bob’s input is .
Through trial decryption, Bob learns only

[Table on the slides: the 16 rows of the truth table for inputs 1 to 4 on each side, 𝑓(1,1) … 𝑓(4,4). Each row is first tagged with a pair of keys A, B, then replaced by the ciphertext 𝔼(𝑓(·,·)) under that key pair, and finally the 16 ciphertexts are shown in permuted order.]
Extending warm-up protocol
• Problem: Cost scales with the truth table size of !
• Idea: instead of encrypting outputs, encrypt keys to yet more garbled tables

[Figure: a garbled table with entries 𝔼(𝐶) whose plaintexts are keys to further garbled tables 𝔼(⋯)]

• Problem: How does Bob magically learn “correct” , ?
• Discuss later (oblivious transfer)
Garbled circuit framework
[Figure: a Boolean circuit with input wires A, B, C, D, internal wires E, F, G, H and output wire I; each wire carries a pair of labels.]

Gate truth tables (two input wires, then the output wire):
A B E | A B F | C D G | F G H | E H I
0 0 0 | 0 0 0 | 0 0 0 | 0 0 0 | 0 0 0
0 1 1 | 0 1 1 | 0 1 1 | 0 1 1 | 0 1 1
1 0 0 | 1 0 1 | 1 0 0 | 1 0 0 | 1 0 1
1 1 0 | 1 1 0 | 1 1 0 | 1 1 0 | 1 1 1

[On the slides each table row is then rewritten with wire labels in place of bits, and finally as a ciphertext 𝔼(·) of the output-wire label under the two input-wire labels.]

Garbling a circuit:
• Pick random labels , on each wire
• “Encrypt” truth table of each gate (permute!)
• Garbled circuit ≡ all encrypted gates
• Garbled encoding ≡ one label per wire

Garbled evaluation:
• Only one ciphertext per gate is decryptable
• Result of decryption = value on outgoing wire

Key idea: Given garbled circuit + garbled input . . .
• . . . Only thing you can do is (blindly) evaluate circuit on that input
• Learn only 1 label per wire: hard to guess “complementary” label
• Seeing a single label hides logical value on wire
• Revealing both labels on output wires leaks only circuit output
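Garbling and blind evaluation of the five-gate circuit above, which also covers the warm-up garbled truth table (each gate is one small garbled table opened by trial decryption). This is an added example, not code from the slides. Assumptions: the slides' 𝔼 is instantiated as a SHA-256-derived pad over both input labels, an all-zero tag marks the one row that decrypts correctly, and input labels are handed to the evaluator directly rather than through oblivious transfer.

```python
import hashlib, itertools, secrets

# Gates read off the slides: (input wire, input wire, output wire,
# output bit for inputs 00, 01, 10, 11).
GATES = [("A", "B", "E", (0, 1, 0, 0)), ("A", "B", "F", (0, 1, 1, 0)),
         ("C", "D", "G", (0, 1, 0, 0)), ("F", "G", "H", (0, 1, 0, 0)),
         ("E", "H", "I", (0, 1, 1, 1))]
LABEL_LEN = 16
TAG = bytes(16)  # assumption: zero padding lets trial decryption recognise the right row

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pad(k1, k2, gate_id):
    """32-byte pad derived from both input labels (stands in for the slides' E)."""
    return hashlib.sha256(k1 + k2 + bytes([gate_id])).digest()

def garble():
    """Garbler (Alice): two random labels per wire, four shuffled ciphertexts per gate."""
    labels = {w: (secrets.token_bytes(LABEL_LEN), secrets.token_bytes(LABEL_LEN))
              for w in "ABCDEFGHI"}
    tables = []
    for gid, (a, b, out, truth) in enumerate(GATES):
        rows = [xor(pad(labels[a][x], labels[b][y], gid),
                    labels[out][truth[2 * x + y]] + TAG)
                for x, y in itertools.product((0, 1), repeat=2)]
        secrets.SystemRandom().shuffle(rows)  # "permute!": row order must not leak inputs
        tables.append(rows)
    return labels, tables

def evaluate(tables, input_labels):
    """Evaluator (Bob): one label per wire, trial-decrypts every row of each gate."""
    wire = dict(input_labels)
    for gid, (a, b, out, _) in enumerate(GATES):
        key = pad(wire[a], wire[b], gid)
        plains = [xor(key, row) for row in tables[gid]]
        hits = [p[:LABEL_LEN] for p in plains if p[LABEL_LEN:] == TAG]
        if len(hits) != 1:
            raise ValueError(f"gate {gid}: expected exactly one decryptable row")
        wire[out] = hits[0]
    return wire["I"]

def plain_eval(bits):
    """Reference evaluation of the same circuit on clear bits."""
    v = dict(bits)
    for a, b, out, truth in GATES:
        v[out] = truth[2 * v[a] + v[b]]
    return v["I"]

def garbled_run(bits):
    labels, tables = garble()
    # Assumption: labels are handed over directly; in the protocol Alice sends the labels
    # for her own bits and Bob fetches his through oblivious transfer.
    out_label = evaluate(tables, {w: labels[w][bits[w]] for w in "ABCD"})
    return labels["I"].index(out_label)  # both output labels revealed: decode to a bit

if __name__ == "__main__":
    for combo in itertools.product((0, 1), repeat=4):
        bits = dict(zip("ABCD", combo))
        print(bits, garbled_run(bits), plain_eval(bits))
```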
Oblivious transfer
• How does evaluator (Bob) get the garbled input?

[Figure: Alice holds the label pairs for input wires A, B, C, D; Bob needs one label per wire.]

Garbler’s inputs: She knows both , , and which one is correct; just send correct one to Bob
Evaluator’s inputs: We need the following “gadget” (oblivious transfer, OT):
• Bob learns only 𝑊 , learns nothing about 𝑊
• Alice does not know which input is retrieved by Bob

How to construct OT?
If 𝑐 = 0: 𝐵 = 𝑔
If 𝑐 = 1: 𝐵 = 𝐴𝑔
𝑘 = 𝐻(𝐵 )
𝐵 𝑒 ←𝔼 (𝑊 )
𝑘 =𝐻
𝐴 𝑒 ←𝔼 (𝑊 )
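A Diffie-Hellman-based 1-out-of-2 oblivious transfer in the shape the slide sketches, as an added example that is not part of the original slides. Assumptions: the exponents lost from the slide are read as A = g^a, B = g^b (or A·g^b when c = 1), k_c = H(A^b), k_0 = H(B^a), k_1 = H((B/A)^a); 𝔼 is a hash-derived XOR pad; the modulus P is a toy parameter chosen so the example runs with the standard library only.

```python
import hashlib, secrets

P = 2**127 - 1  # toy prime modulus (assumption); far too small for real use
G = 3           # fixed base (assumption)

def H(x):
    """Derive a 16-byte key from a group element."""
    return hashlib.sha256(x.to_bytes(16, "big")).digest()[:16]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Sender:
    """Alice: holds both wire labels W0 and W1."""
    def __init__(self, w0, w1):
        self.w = (w0, w1)
        self.a = secrets.randbelow(P - 2) + 1
        self.A = pow(G, self.a, P)  # first message, sent to Bob

    def respond(self, B):
        k0 = H(pow(B, self.a, P))                                  # Bob's key if c = 0
        k1 = H(pow(B * pow(self.A, -1, P) % P, self.a, P))         # Bob's key if c = 1
        return xor(k0, self.w[0]), xor(k1, self.w[1])              # e0, e1

class Receiver:
    """Bob: holds the choice bit c and learns only W_c."""
    def __init__(self, c):
        self.c = c

    def request(self, A):
        b = secrets.randbelow(P - 2) + 1
        self.k = H(pow(A, b, P))  # equals k_c on Alice's side
        B = pow(G, b, P)
        # Either way B is a random-looking group element, so Alice cannot read c from it.
        return B * A % P if self.c else B

    def recover(self, e0, e1):
        return xor(self.k, (e0, e1)[self.c])

def transfer(w0, w1, c):
    """Run the three messages A, B, (e0, e1) and return what Bob ends up with."""
    alice, bob = Sender(w0, w1), Receiver(c)
    e0, e1 = alice.respond(bob.request(alice.A))
    return bob.recover(e0, e1)
```

In the garbled-circuit setting `w0` and `w1` are the two labels of one of Bob's input wires and `c` is his input bit on that wire.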
Thank you!
