Secure Computation
Lecture 19-20
Arpita Patra
Recap and Roadmap
>> i.t (perfect) MPC in malicious Setting
> VSS (four round sharing + RS code based Reconstruction)
> Multiplication Protocol with perfect secrecy.
>> Yao in malicious Setting: LindellPinkas11
> Identify the problems
> Fix the problems
Yao’s 2 Party Protocol
GC Constructor
P0
GC Evaluator
Y = (y1,y2,…yk )
X = (x1,x2,…xk )
P1
Construct a Garbled Circuit GC
for Circuit C
Problem 1: P0 may not
construct GC for the Keys corresponding to X = (x1,x2,…xk ) and GC
agreed function.
y1
k0w1
OT
1
k1w1
ky1w1
k0wk
k1wk
OTk
Z
yk
kykwk
Evaluate GC with the
given input keys and
interpret the output Z
using output decryption
tables
Fix for Problem 1
GC Constructor
GC Evaluator
P1
P0
Construct many Garbled Circuits
for Circuit C
Cut and Choose Paradigm:
Classical Technique used against
malicious adversary
Check some of them. Abort if there
is a problem
How to check?
Get both keys for
all input wires for
those circuits
How many to
check?
Need to ensure
that the
probability of
escape is negligible
Fix for Problem 1
GC Constructor
GC Evaluator
P1
P0
Construct s Garbled Circuits for
Circuit C: GC1,…,GCs
Check half (s/2) of them. Abort if
there is a problem
Clue: tweak one GC such that it outputs correct
value if first bit of P1 is 0, else garbage
Cut-and-choose security Parameter:
s
How to check?
Get both keys for
all input wires for
those circuits
How many to
check?
s/2. Check circuits
How many to
Evaluate?
s/2. Evaluation
circuits
How to
calculate
output?
If all the evaluation
Majority
of thethe
circuits output
outputs
of Evaluation
same, output
that
circuits
value; else output bot
Fix for Problem 1
noAbort: P1 does not abort
badMaj: Majority of the circuits are bad
Claim: Cheating Probability = Pr(noAbort ∧ badMaj) =
Partial Proof (on
the broad).
Cut-and-choose security Parameter:
s
Rest on the board