The document discusses multi-party computation techniques, particularly focusing on secure two-party computation protocols like Yao's garbled circuit. It elaborates on the mechanics of these protocols, including how they can process private data without disclosing it and outlines various applications such as personalized medicine and machine learning. Additionally, it presents advancements and efficiency improvements in garbled circuits, addressing security concerns and computational overhead.

1. Multi-Party Computation for the Masses
David Evans
www.cs.virginia.edu/evans
CROSSING – Where
Quantum Physics,
Cryptography, System
Security and Software
Engineering meet
Darmstadt, 1 June
2015

2. (De)Motivating
Application
AliceBob

3. AliceBob
Genome Compatibility
Protocol
“Genetic Dating”
Genetic
Matchr
WARNING!
Reproduction not
recommended
Your offspring
would have
good immune
systems!
processing…Start
[Don’t sue us.]
Genetic
Matchr
WARNING!
Reproduction not
recommended
Your offspring
would have
good immune
systems!
processing…Start
[Don’t sue us.]
(De)Motivating
Application

4. $1,000
$10,000
$100,000
$1,000,000
$10,000,000
$100,000,000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014

5. $1,000
$10,000
$100,000
$1,000,000
$10,000,000
$100,000,000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
Tomorrow: Jean-Pierre Hubaux
“Whole Genome Sequencing:
Revolutionary Medicine or Privacy
Nightmare?”

6. Secure Two-Party Computation
AliceBob
Bob’s Genome Alice’s Genome
Can Alice and Bob compute a function on private data, without
exposing anything about their data besides the result?
r = f(a, b)

7. Bob’s Genome
Secure Two-Party Computation
AliceBob
r = f(a, b)
Alice’s Genome
Can Alice and Bob compute a function on private data, without
exposing anything about their data besides the result?

8. Yao’s Garbled Circuit Protocol
Alice (circuit generator) Bob (circuit evaluator)
Garbled Circuit Protocol
Andrew Yao, 1980s
secret input a secret input b
Agree on function f
r = f(a, b)r = f(a, b)
Learns nothing else about b Learns nothing else about a

9. Regular Logic
Inputs Output
xa b
0 0 0
0 1 0
1 0 0
1 1 1
a b
x
AND

10. “Obfuscated” Logic
Inputs Output
xa b
a1 b0 x0
a0 b1 x0
a1 b1 x1
a1 b0 x0
a0 or a1
x
AND
b0 or b1
ai, bi, xi are random values,
chosen by generator but
meaningless to evaluator.

11. Inputs Output
xa b
a1 b0 x0
a0 b1 x0
a1 b1 x1
a1 b0 x0
a0 or a1
x
AND
b0 or b1
Leaks information!
“Obfuscated” Logic
ai, bi, xi are random values,
chosen by generator but
meaningless to evaluator.

12. Garbled Logic
Inputs Output
xa b
a1 b0 Ea1 || b0
(x0)
a0 b1 Ea0 || b1
(x0)
a1 b1 Ea1 || b1
(x1)
a0 b0 Ea0 || b0
(x0)
a0 or a1
x
AND
b0 or b1

13. Garbled Logic
Inputs Output
xa b
a1 b0 Ea1 || b0
(x0)
a0 b1 Ea0 || b1
(x0)
a1 b1 Ea1 || b1
(x1)
a0 b0 Ea0 || b0
(x0)
a0 or a1
x
AND
b0 or b1
G
Garbled Table

14. GarbledCircuitProtocol Alice (generator)
Sends ai, based
on her input
Bob (evaluator)
Picks random values for a{0, 1}, b{0, 1}, x{0, 1}
Ea1||b0
(x0)
Ea0||b1
(x0)
Ea1||b1
(x1)
Ea0||b0
(x0) Evaluates circuit,
decrypting one
row of each
garbled gate
xrSends hashes to
decode outputs
r

15. GarbledCircuitProtocol Alice (generator)
Sends ai, based
on her input
Bob (evaluator)
Picks random values for a{0, 1}, b{0, 1}, x{0, 1}
Ea1||b0
(x0)
Ea0||b1
(x0)
Ea1||b1
(x1)
Ea0||b0
(x0) Evaluates circuit,
decrypting one
row of each
garbled gate
xrSends hashes to
decode outputs
r
How does the Bob learn his own input values?

16. Primitive: Oblivious Transfer
Alice (generator) Bob (evaluator)
Oblivious Transfer
Protocol
b0, b1 selector i
bi
Learns nothing else about i
Learns nothing about other value
Rabin, 1981; Even, Goldreich, and Lempel, 1985; …

17. a0,0ora0,1
G0
b0,0orb1,0
G1
…
x0 or x1
G2
x1,0 or x1,1
a1,0ora1,1
b1,0orb1,1
Ea0,1||b0,0
(x0,0)
Ea0,0||b0,1
(x0,0)
Ea0,1||b0,1
(x0,1)
Ea0,0||b0,1
(x0,0)
Ea1,1||b1,1
(x1,1)
Ea1,0||b1,1
(x1,0)
Ea1,1||b1,0
(x1,0)
Ea1,0||b1,0
(x1,0)
x2,0 or x2,1
Chain gates to securely compute
any discrete function!
Ex0,0||x1,0
(x2,0)
Ex0,1||x1,1
(x2,1)
Ex0,1||x1,0
(x2,0)
Ex0,0||x1,0
(x2,0)

18. Building Computing Systems
18
Digital Electronic Circuits Garbled Circuits
Operate on known data Operate on encrypted wire labels
One-bit logical operation requires moving
some electrons a few nanometers
One-bit logical operation requires
performing four encryption operations
Reuse is great! Reuse is not allowed!
Ea1||b0
(x0)
Ea0||b1
(x0)
Ea1||b1
(x1)

19. $1,000
$10,000
$100,000
$1,000,000
$10,000,000
$100,000,000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
[Fairplay, USENIX Sec 2004]
>$1M
Estimated cost of 10k x 10k Smith-Waterman, 4T gates

20. for (i = 1; i <= n1; ++i) {
for(j = 1; j <= n2; ++j) {
Accum temp = acMin (dp[i][j-1], dp[i-1][j]);
obliv bool d = true;
obliv if (acLessEq(dp[i-1][j-1], temp)) {
acCopy(&temp, &dp[i-1][j-1]);
d = (s1[i-1] != s2[j-1]);
}
ScalingMPC
Gate Execution
Protocols
Ea0,1||b0,0
(x0,0)
Ea0,0||b0,1
(x0,0)
Ea0,1||b0,1
(x0,1)
Ea0,0,|b0,1
(x0,0)
Circuit Construction
Private Biometrics
[NDSS 2011]
Machine Learning [S&P 2013]
Personalized Medicine,
Medical Research
[USENIX Sec 2011]
Private Set Intersection
[NDSS 2012]
Obliv-C

21. for (i = 1; i <= n1; ++i) {
for(j = 1; j <= n2; ++j) {
Accum temp = acMin (dp[i][j-1], dp[i-1][j]);
obliv bool d = true;
obliv if (acLessEq(dp[i-1][j-1], temp)) {
acCopy(&temp, &dp[i-1][j-1]);
d = (s1[i-1] != s2[j-1]);
}
ScalingMPC
Gate Execution
Protocols
Ea0,1||b0,0
(x0,0)
Ea0,0||b0,1
(x0,0)
Ea0,1||b0,1
(x0,1)
Ea0,0,|b0,1
(x0,0)
Circuit Construction
Private Biometrics
[NDSS 2011]
Machine Learning [S&P 2013]
Personalized Medicine,
Medical Research
[USENIX Sec 2011]
Private Set Intersection
[NDSS 2012]
Obliv-C

22. TalkOutline Gate Execution
Protocols
Enca0,1,b0,0
(x0,0)
Enca0,0,b0,1
(x0,0)
Enca0,1,b0,1
(x0,1)
Enca0,0,b0,1
(x0,0)
Circuit Construction
This Afternoon
Farinaz Koushanfar
“TinyGarble: Synthesis of Highly Compact
Circuits for Secure Computation”
Stefan Katzenbeisser
“Towards Practical Two-Party Computations”
z1
z2

23. Two Halves Make a Whole
Reducing Data Transfer in
Garbled Circuits using Half Gates
Samee Zahur, Mike Rosulek, and David Evans. In EuroCrypt 2015.Samee Zahur
(UVa PhD Student)
+ =

24. Background: Point-and-Permute
Enca0,,b0,
(c0)
Enca0,,b1
(c0)
Enca0,,b0
(c0)
Enca1,b1
(c1)
Encoding garble table entries:
Input wire labels
(with selection bits)
Output wire label
Beaver, Micali and Rogaway [STOC 1990]

25. Background: Garbled Row Reduction
Naor, Pinkas and Sumner [1999]

26. Background: Garbled Row Reduction
Naor, Pinkas and Sumner [1999]

27. Background: Garbled Row Reduction
Naor, Pinkas and Sumner [1999]

28. Background: Free-XOR
Kolesnikov and Schneider [2008]
Global
generator
secret

29. Background: Free-XOR
Kolesnikov and Schneider [2008]
Global
generator
secret

30. Background: Free-XOR
Kolesnikov and Schneider [2008]
Global
generator
secret
XOR are free! No ciphertexts or encryption needed.

31. Half Gates
Yan Huang, David Evans, and Jonathan Katz.
Private Set Intersection: Are Garbled Circuits
Better than Custom Protocols? [NDSS 2012]

32. Yan Huang, David Evans, and Jonathan Katz.
Private Set Intersection: Are Garbled Circuits
Better than Custom Protocols? [NDSS 2012]

33. Yan Huang, David Evans, and Jonathan Katz.
Private Set Intersection: Are Garbled Circuits
Better than Custom Protocols? [NDSS 2012]
Journal of the ACM, January 1968
swap gates, configured (by generator)
to do random permutation

34. Generator Half Gate
Known to generator (but secret to evaluator)

35. Generator Half Gate
Known to generator (but secret to evaluator)

36. Swapper: “Generator Half Gate”
Known to generator (but secret to evaluator)
With Garbled Row Reduction:

37. Evaluator Half-Gate
Known to evaluator (but secret to generator)

38. Evaluator Half-Gate
Known to evaluator (but secret to generator)
But, we need a gate where both inputs are secret…

39. Half + Half = Full Secret Gate
random bit
selected by
generator
“leaked”unknownknownunknown

40. Half + Half = Full Secret Gate
random bit
selected by
generator
“leaked”unknownknownunknown

41. Half + Half = Full Secret Gate
random bit
selected by
generator
“leaked”unknownknownunknown

42. Half + Half = Full Secret Gate
random bit
selected by
generator
generator half gate evaluator half gate
“leaked”unknownknownunknown

43. Standard Gates Half Gates
Generator Encryptions (H) 4 4
Evaluator Encryptions (H) 1 2
Ciphertexts Transmitted 3 2
XORs Free ✓ ✓
Bandwidth 33%
Execution Time (edit distance) 25%
Energy 21%

44. Standard Gates Half Gates
Generator Encryptions (H) 4 4
Evaluator Encryptions (H) 1 2
Ciphertexts Transmitted 3 2
XORs Free ✓ ✓
Bandwidth 33%
Execution Time (edit distance) 25%
Energy 21%

45. Is one ciphertext enough?

46. Is one ciphertext enough?
No, two is minimum at least assuming garbling
schemes use only random oracle and linear operations.

47. for (i = 1; i <= n1; ++i) {
for(j = 1; j <= n2; ++j) {
Accum temp = acMin (dp[i][j-1], dp[i-1][j]);
obliv bool d = true;
obliv if (acLessEq(dp[i-1][j-1], temp)) {
acCopy(&temp, &dp[i-1][j-1]);
d = (s1[i-1] != s2[j-1]);
}
ScalingMPC
Gate Execution
Protocols
Ea0,1||b0,0
(x0,0)
Ea0,0||b0,1
(x0,0)
Ea0,1||b0,1
(x0,1)
Ea0,0,|b0,1
(x0,0)
Circuit Construction
Private Biometrics
[NDSS 2011]
Machine Learning [S&P 2013]
Personalized Medicine,
Medical Research
[USENIX Sec 2011]
Private Set Intersection
[NDSS 2012]
obliv-C

48. Fairplay
48
Malkhi, Nisan, Pinkas and
Sella [USENIX Sec 2004]
SFDL Program
SFDL
Compiler
Circuit
(SHDL)
Alice Bob
Garbled Tables
Generator
Garbled Tables
Evaluator
SFDL
Compiler

49. PipelinedExecution Circuit-Level
Application
GC Framework
(Evaluator)
GC Framework
(Generator)
Circuit StructureCircuit Structure
Yan Huang
(UVa PhD,
U Indiana)
Yan Huang, David Evans, Jonathan Katz, and Lior Malka. Faster Secure
Two-Party Computation Using Garbled Circuits. USENIX Security 2011.
x1
x2
y1
y2
z1
z2

50. $100
$1,000
$10,000
$100,000
$1,000,000
$10,000,000
$100,000,000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
Free-XOR
Pipelining, +
HalfGates
(Estimates for 2PC, 4T gates)
100s gates/second
100k gates/second
~5M gates/second

51. Semi-Honest (“Honest but Curious”)
Alice Bob
generated circuits
generator oblivious transfer
Evaluates
rr
output decoding/sharing
r = f(a, b)
Only provides privacy and correctness guarantees if circuit is generated honestly!

52. StandardFix:
“Cut-and-Choose” Generator
(Alice)
Evaluator
(Bob)
(1) N instances of generated circuit
(5) If okay,
evaluate rest
and select
majority output
(4) checks all
revealed circuits
(2) Challenge: choose a random subset
(3) Keys for selected circuits
Provides security against active attacker,
but for reasonable security N > 300

53. $100
$1,000
$10,000
$100,000
$1,000,000
$10,000,000
$100,000,000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
Semi-Honest
Active
Security
Symmetric
Cut-and-Choose
[HKE 2013]

54. Semi-Honest is Half-Way There
Privacy
Nothing is revealed
other than the output
(Not) Correctness
The output of the
protocol is f(a, b)
Generator Evaluator
As long as evaluator doesn’t send
result (or complaint) back, privacy
for evaluator is guaranteed.

55. Dual Execution Protocols
Yan Huang, Jonathan Katz, David Evans.
[IEEE S&P (Oakland) 2012]
Mohassel and Franklin. [PKC 2006]

56. Dual Execution Protocol
Alice Bob
first round execution (semi-honest)generator evaluator
generatorevaluator
z=f(x, y)
Pass if z = z’ and correct wire labels
z’, learned
output
wire labels
second round execution (semi-honest)
z'=f(x, y)
z, learned
output
wire labels
fully-secure, authenticated equality test

57. Security Properties
Correctness: guaranteed by authenticated,
secure equality test
Privacy: Leaks one (extra) bit on average
adversarial circuit fails on ½ of inputs
Malicious generator can decrease likelihood of being caught, and
increase information leaked when caught (but decreases average
information leaked): at extreme, circuit fails on just one input.

58. Proving Security: Malicious
A B
Ideal World
yx
Adversary
receives:
f (x, y)
TrustedPartyinIdeal
World
Standard Malicious Model: can’t prove this for Dual Execution
Real World
A B
yx
Show equivalence
Corrupted
party behaves
arbitrarily
Secure Computation Protocol

59. Proof of Security: One-Bit Leakage
A B
Ideal World
yx
Controlled by
malicious A
g  R  {0, 1}
g is an arbitrary
Boolean function
selected by adversary
Adversary receives:
f (x, y) and g(x, y)
TrustedPartyinIdeal
World
Can prove equivalence to this for Dual Execution protocols

60. Intuition: 1-bit Leak
Cheating detected
Victim’s Possible Inputs
Inputs where
f (?, y) = r
Broken Circuit for these Inputs

61. Implementation
Alice Bob
first round execution (semi-honest)generator evaluator
z=f(x, y)
Pass if z = z’ and correct wire labels
z’, learned
output
wire labels
generatorevaluator second round execution (semi-honest)
z'=f(x, y)
z, learned
output
wire labels
Recall: work to generate is 2x work to evaluate!
fully-secure, authenticated equality test

62. $100
$1,000
$10,000
$100,000
$1,000,000
$10,000,000
$100,000,000
2001
2002
2003
2004
2005
2006
2007
2008
2009
2010
2011
2012
2013
2014
Active
Security
Dual Execution

63. Secure Computation for the Masses?
Remarkable progress in past 10 years
Costs reduced by 1012
Beginning to see commercial deployments
Scaling number of parties still very hard
Challenge of End-to-End Trust
Trusting Software
Understanding leaks from output
User-understandable information release policies

64. David Evans
evans@virginia.edu
www.cs.virginia.edu/evans
oblivc.org
mightBeEvil.org
Collaborators (this work):
Yan Huang, Jonathan Katz,
Mike Rosulek, Samee Zahur
Funding: NSF, AFOSR, Google

65. Not Used