mpc
Yi LIU
2024.12.04
Outline
• Zero-knowledge proofs (special case of secure multi-party computation)
• What are zero-knowledge proofs?
• How to realize zero-knowledge proofs?
• What is secure multi-party computation?
• How to realize general two-party computation? (if time permits)
• Garbled Circuits + Oblivious Transfer
Zero-Knowledge Proofs
Scenario: Where is Waldo?
Where is Waldo? Solution
1. Alice places opaque cardboard with hole over picture, revealing Waldo
Bob gets no information about Waldo’s location within picture!
Philosophy
Fuzzy Definition
A zero-knowledge proof is a way to prove and convince someone of a fact without giving out “any additional information/knowledge”
Alice: “Bob, try it! There exists a solution, trust me.”
A Tool for Sudoku Zero-Knowledge Proof
Scratch cards (commitment scheme in cryptography)
• Hide the information
• Information is bound to the card
  • cannot be modified after production
Sudoku Zero-Knowledge Proof
Zero-knowledge protocol:
Alice's solution:
5 3 4 6 7 8 9 1 2
6 7 2 1 9 5 3 4 8
1 9 8 3 4 2 5 6 7
8 5 9 7 6 1 4 2 3
4 2 6 8 5 3 7 9 1
7 1 3 9 2 4 8 5 6
9 6 1 5 3 7 2 8 4
2 8 7 4 1 9 6 3 5
3 4 5 2 8 6 1 7 9
1. Alice randomly relabels
Relabeling rule: 1⟶3, 2⟶8, 3⟶4, 4⟶6, 5⟶9, 6⟶7, 7⟶2, 8⟶1, 9⟶5
Relabeled solution:
9 4 6 7 2 1 5 3 8
7 2 8 3 5 9 4 6 1
3 5 1 4 6 8 9 7 2
1 9 5 2 7 3 6 8 4
6 8 7 1 9 4 2 5 3
2 3 4 5 8 6 1 9 7
5 7 3 9 4 2 8 1 6
8 1 2 6 3 5 7 4 9
4 6 9 8 1 7 3 2 5
2. Alice writes relabeled solution on scratch card, shows to Bob
3. Bob asks Alice to scratch off either:
• A particular row (e.g. Row 2)
• A particular column (e.g. Col 7)
• A particular block (e.g. BLK 8)
• Initial positions + relabeling rule
and checks consistency
4. Repeat times
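One round of the protocol above in code, with the scratch cards replaced by hash commitments. This is an added example, not part of the original slides: the SHA-256 commitment, the function names and the `PUZZLE` initial positions are assumptions made for illustration; `SOLUTION` is the grid shown on the slides.

```python
import hashlib, secrets

# Alice's solution as shown on the slides, one string per row.
SOLUTION = ["534678912", "672195348", "198342567", "859761423", "426853791",
            "713924856", "961537284", "287419635", "345286179"]
# Constructed for this example (the slides do not list them): the initial positions.
PUZZLE = ["53..7....", "6..195...", ".98....6.", "8...6...3", "4..8.3..1",
          "7...2...6", ".6....28.", "...419..5", "....8..79"]

def commit(value):
    """Scratch card: SHA-256 over a random nonce and the digit hides and binds it."""
    nonce = secrets.token_bytes(16)
    return hashlib.sha256(nonce + bytes([value])).digest(), (nonce, value)

def opens(card, opening):
    nonce, value = opening
    return hashlib.sha256(nonce + bytes([value])).digest() == card

def cells(challenge):
    kind, k = challenge  # ("row"|"col"|"blk", 0..8) or ("init", None)
    if kind == "init":
        return [(r, c) for r in range(9) for c in range(9) if PUZZLE[r][c] != "."]
    return [{"row": (k, i), "col": (i, k),
             "blk": (3 * (k // 3) + i // 3, 3 * (k % 3) + i % 3)}[kind] for i in range(9)]

def prover_round(solution):
    """Steps 1-2: fresh random relabeling, then one scratch card per cell."""
    relabel = dict(zip("123456789", secrets.SystemRandom().sample(range(1, 10), 9)))
    cards, openings = {}, {}
    for rc in ((r, c) for r in range(9) for c in range(9)):
        cards[rc], openings[rc] = commit(relabel[solution[rc[0]][rc[1]]])
    return cards, openings, relabel

def verifier_check(cards, challenge, revealed, relabel=None):
    """Step 3: Bob checks only the scratched-off cells against the cards."""
    picked = cells(challenge)
    if not all(opens(cards[rc], revealed[rc]) for rc in picked):
        return False
    values = [revealed[rc][1] for rc in picked]
    if challenge[0] == "init":  # givens must match the relabeled puzzle
        return (sorted(relabel.values()) == list(range(1, 10))
                and values == [relabel[PUZZLE[r][c]] for r, c in picked])
    return sorted(values) == list(range(1, 10))

def run_round(solution, challenge):
    cards, openings, relabel = prover_round(solution)
    revealed = {rc: openings[rc] for rc in cells(challenge)}
    rule = relabel if challenge[0] == "init" else None  # revealed only for "init"
    return verifier_check(cards, challenge, revealed, rule)
```

A grid that is wrong in only a few cells still passes some challenges, which is why the round is repeated with a fresh relabeling and fresh commitments each time.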
Sudoku Zero-Knowledge Proof, Analysis
Observation (Completeness)
If Alice can answer all challenges successfully, her scratch card satisfies:
• Every row, column, block is permutation of
• Initial positions consistent with relabeling of in original puzzle
Then the original puzzle has a solution.
If Alice follows protocol (there is a solution), then each round transcript is:
• Random permutation of in random row,
• Random permutation of in random column,
• Random permutation of in random block, or
• Random relabeling of original puzzle’s initial positions
Each of these Bob can generate himself (without the solution)! (Zero-knowledge)
Zero-Knowledge Proofs for Everything?
We have a zero-knowledge proof protocol for Sudoku, so what?
ZK Proof of Identity
Public Key DB:
• Alice: 583ffb4b3..
• Bob: 0fae6535d..
• Charlie: 0dd1dd8de..
Alice: “ZK proof: I know the secret key corresponding to 583ffb4b3..”
Bob: “Ok, Alice”
Secure Multi-Party Computation
Premise:
• Mutually distrusting parties, each with a private input
• Learn the result of agreed-upon computation
• Ex: election, auction, etc.
Security guarantees:
• Privacy (“learn no more than” prescribed output)
• Input independence
• Output consistency, etc.
...even if some parties cheat or collude!
The Goal of Secure Multi-Party Computation
• Design a protocol to emulate the existence of a trusted third party
Zero-Knowledge Proofs: Special Case
• # of parties: 2
• One party does not have input!
• Length of output is bit!
Secure Multi-Party Computation
• Protocols for secure computations, FOCS 82
• How to Generate and Exchange Secrets, FOCS 86
Yao’s Millionaires’ Problem
Is ?
Examples: Ad Conversion
• Tesla launches ads on Google; the two companies want to know the ad conversion
Ad impressions | In-store purchases
[email protected] | [email protected] $80k
[email protected] | [email protected] $160k
[email protected] | [email protected] $99k
[email protected] | [email protected] $85k
[email protected] | [email protected] $77k
…… | ……
SELECT SUM(amount)
FROM ads, purchases
WHERE ads.email = purchases.email
Warm-up: garbled truth table
Alice does the following:
1. Write truth table of function
4. Randomly permute ciphertexts, send to Bob
⁇ Somehow Bob obtains “correct” , ⁇
If Alice’s input is , Bob’s input is .
Through trial decryption, Bob learns only
[Figure: ciphertexts 𝔼(𝑓(i,j)) for inputs i, j ∈ {1,…,4}, first in truth-table order, then randomly permuted]
Extending warm-up protocol
• Problem: Cost scales with the truth table size of !
• Idea: instead of encrypting outputs, encrypt keys to yet more garbled tables
[Figure: chained garbled tables; the ciphertexts 𝔼(𝐶) of one table lead to further tables 𝔼(⋯)]
Garbled circuit framework
[Figure: circuit with wires A, B, C, D, E, F, G, H, I, each wire carrying a pair of labels]
Gate truth tables (two input wires, one output wire per gate):
A B E | A B F | C D G | F G H | E H I
0 0 0 | 0 0 0 | 0 0 0 | 0 0 0 | 0 0 0
0 1 1 | 0 1 1 | 0 1 1 | 0 1 1 | 0 1 1
1 0 0 | 1 0 1 | 1 0 0 | 1 0 0 | 1 0 1
1 1 0 | 1 1 0 | 1 1 0 | 1 1 0 | 1 1 1
Garbling a circuit:
• Pick random labels , on each wire
• “Encrypt” truth table of each gate (permute!)
• Garbled circuit ≡ all encrypted gates
• Garbled encoding ≡ one label per wire
[Figure: the five encrypted gate tables, four ciphertexts each: 𝔼(𝐸), 𝔼(𝐹), 𝔼(𝐺), 𝔼(𝐻), 𝔼(𝐼)]
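The garbling steps above, applied to the five-gate circuit whose truth tables appear on the slide. This is an added example, not part of the original slides: the hash-based XOR cipher standing in for 𝔼, the zero tag used to recognise a correct trial decryption, and all function names are assumptions made for illustration.

```python
import hashlib, secrets

# The five gates from the slide: (input wire, input wire, output wire,
# outputs for inputs 00, 01, 10, 11).
GATES = [("A", "B", "E", [0, 1, 0, 0]), ("A", "B", "F", [0, 1, 1, 0]),
         ("C", "D", "G", [0, 1, 0, 0]), ("F", "G", "H", [0, 1, 0, 0]),
         ("E", "H", "I", [0, 1, 1, 1])]
TAG = bytes(16)  # zero padding lets the evaluator recognise a correct decryption

def enc(k1, k2, gate, msg):
    """Toy two-key cipher: XOR with a hash of both labels and the gate name.
    The gate name keeps gates E and F (same input wires) from sharing a pad."""
    pad = hashlib.sha256(k1 + k2 + gate.encode()).digest()
    return bytes(m ^ p for m, p in zip(msg, pad))

def garble():
    """Pick two random labels per wire, encrypt each gate's table, permute rows."""
    labels = {w: (secrets.token_bytes(16), secrets.token_bytes(16)) for w in "ABCDEFGHI"}
    tables = []
    for x, y, out, tt in GATES:
        rows = [enc(labels[x][a], labels[y][b], out, labels[out][tt[2 * a + b]] + TAG)
                for a in (0, 1) for b in (0, 1)]
        secrets.SystemRandom().shuffle(rows)
        tables.append(rows)
    return labels, tables

def evaluate(tables, encoding):
    """Bob holds one label per input wire and trial-decrypts each gate's four rows."""
    wire = dict(encoding)
    for (x, y, out, _), rows in zip(GATES, tables):
        opened = [enc(wire[x], wire[y], out, row) for row in rows]  # XOR also decrypts
        wire[out] = next(p[:16] for p in opened if p[16:] == TAG)
    return wire["I"]

def run(a, b, c, d):
    labels, tables = garble()
    encoding = {w: labels[w][bit] for w, bit in zip("ABCD", (a, b, c, d))}
    return labels["I"].index(evaluate(tables, encoding))  # decode the output label

def reference(a, b, c, d):
    """The same circuit evaluated in the clear, for comparison."""
    v = dict(zip("ABCD", (a, b, c, d)))
    for x, y, out, tt in GATES:
        v[out] = tt[2 * v[x] + v[y]]
    return v["I"]
```

`run` hands Bob all four input labels directly; how Bob obtains the labels for his own input bits without revealing them is the oblivious transfer step.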
Garbler’s inputs: She knows both , , and which one is correct: just send correct one to Bob
Evaluator’s inputs: We need the following “gadget” (oblivious transfer):
• Bob learns only 𝑊 , learns nothing about 𝑊
• Alice does not know which input is retrieved by Bob
How to construct OT?
If 𝑐 = 0: 𝐵 = 𝑔
If 𝑐 = 1: 𝐵 = 𝐴𝑔
𝑘 = 𝐻(𝐵 )
𝐵 𝑒 ←𝔼 (𝑊 )
𝑘 =𝐻
𝐴 𝑒 ←𝔼 (𝑊 )
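A Diffie-Hellman-based oblivious transfer consistent with the fragments above (𝐵 built from 𝑔 or from 𝐴 and 𝑔 depending on 𝑐, keys derived with 𝐻, two ciphertexts 𝑒), written out as an added example that is not part of the original slides. The exponents `a` and `b`, the toy group `P`, `G`, the XOR cipher standing in for 𝔼 and the function names are assumptions.

```python
import hashlib, secrets

P = 2**127 - 1  # toy prime modulus (assumption; far too small for real use)
G = 3           # toy generator (assumption)

def H(x):
    return hashlib.sha256(x.to_bytes(16, "big")).digest()

def E(key, msg):
    """Toy one-time cipher: XOR with the hashed key (messages up to 32 bytes)."""
    return bytes(m ^ k for m, k in zip(msg, key))

def sender_hello():
    a = secrets.randbelow(P - 2) + 1
    return a, pow(G, a, P)                     # Alice keeps a, sends A = g^a

def receiver_choose(A, c):
    b = secrets.randbelow(P - 2) + 1
    B = pow(G, b, P) if c == 0 else A * pow(G, b, P) % P
    return H(pow(A, b, P)), B                  # Bob keeps k_c = H(A^b), sends B

def sender_encrypt(a, A, B, W0, W1):
    k0 = H(pow(B, a, P))                       # equals Bob's key only if c = 0
    k1 = H(pow(B * pow(A, -1, P) % P, a, P))   # equals Bob's key only if c = 1
    return E(k0, W0), E(k1, W1)                # Alice sends both ciphertexts

def transfer(W0, W1, c):
    """Run all three messages; returns (what Bob decrypts from e_c, from e_{1-c})."""
    a, A = sender_hello()
    k, B = receiver_choose(A, c)
    e = sender_encrypt(a, A, B, W0, W1)
    return E(k, e[c]), E(k, e[1 - c])
```

Alice sees only 𝐵, which is a uniformly distributed group element for either value of 𝑐, and Bob's single key opens only one of the two ciphertexts.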
Thank you!