Batched Non-interactive 2PC (Payman Mohassel, Mike Rosulek): slide presentation


SLIDE 1

Batched Non-interactive 2PC

Payman Mohassel (Visa Research), Mike Rosulek (OSU)

SLIDE 2

Secure Two-Party Computation

[Figure: parties $P_1$ and $P_2$ with inputs $x$ and $y$; output $f(x, y)$]

SLIDE 4

Non-Interactive Secure Computation (NISC)

[Figure: parties $P_1$ and $P_2$ with inputs $x$ and $y$; messages $M_1$ and $M_2$]

SLIDE 5

Non-Interactive Secure Computation (NISC)

[Figure: parties $P_1$ and $P_2$ with inputs $x$ and $y$; messages $M_1$ and $M_2$]

  • Over the internet
  • Without coordination
  • Email
  • Bulletin boards

SLIDE 6

Non-Interactive Secure Computation (NISC)

[Figure: parties $P_1$ and $P_2$ with inputs $x$ and $y$; messages $M_1$ and $M_2$]

Comparable to best 2PC [AMPR14]

  • Over the internet
  • Without coordination
  • Email
  • Bulletin boards

SLIDE 7

Batched 2PC

[Figure: parties $P_1$ and $P_2$; input pairs $(x_1, y_1), (x_2, y_2), \dots, (x_N, y_N)$]

SLIDE 8

Batched 2PC

[Figure: parties $P_1$ and $P_2$; input pairs $(x_1, y_1), (x_2, y_2), \dots, (x_N, y_N)$]

  • Better amortized efficiency
  • $\log N$ improvement
  • [NO09, FJNNO13, LR14, HKKKM14, …]

SLIDE 9

Batched 2PC

[Figure: parties $P_1$ and $P_2$; input pairs $(x_1, y_1), (x_2, y_2), \dots, (x_N, y_N)$]

  • Better amortized efficiency
  • $\log N$ improvement
  • [NO09, FJNNO13, LR14, HKKKM14, …]

4 rounds

SLIDE 10

Best of Both Worlds

[Figure: parties $P_1$ and $P_2$; messages $M_1$ and $M_2$; inputs $x_1, \dots, x_N$ and $y_1, \dots, y_N$]

  • Two rounds
  • $\log N$ improvement
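
SLIDE 11

Yao’s Garbled Circuits

Garbler: input $x$. Evaluator: input $y$.

$C(x, y) = f(x, y)$

$GC \leftarrow \mathrm{Garb}(C, sd)$, $GI_x \leftarrow \mathrm{GIn}(x, sd)$

[Figure: the garbler sends $GC$ and $GI_x$; $GI_y$ is delivered by Oblivious Transfer; the evaluator outputs $f(x, y)$]

AND gate with input wire labels $k_0^1, k_1^1$ and $k_0^2, k_1^2$, and output wire labels $k_0^3, k_1^3$:

$c_{0,0} = E_{k_0^1, k_0^2}(k_0^3)$

$c_{0,1} = E_{k_0^1, k_1^2}(k_0^3)$

$c_{1,0} = E_{k_1^1, k_0^2}(k_0^3)$

$c_{1,1} = E_{k_1^1, k_1^2}(k_1^3)$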
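The garbled AND gate from the Yao slide, as an added Python example (not code from the talk or the paper). The choice of $E$ as a SHA-256 derived pad, the all-zero tag used to recognise the correct row, the 16-byte label size and the row shuffle are assumptions of this example.

```python
import hashlib
import secrets

LABEL_LEN = 16          # bytes per wire label (assumed size)
TAG = bytes(LABEL_LEN)  # all-zero tag marks a correct decryption (assumption)

def _pad(ka: bytes, kb: bytes) -> bytes:
    # E_{ka,kb}: pad derived from both input labels (SHA-256 as a stand-in)
    return hashlib.sha256(ka + kb).digest()  # 32 bytes = label + tag

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def garble_and():
    # k[w][v] is the label for value v on wire w; wires 1, 2 are inputs, 3 is output
    k = {w: [secrets.token_bytes(LABEL_LEN) for _ in (0, 1)] for w in (1, 2, 3)}
    # c_{a,b} = E_{k_a^1, k_b^2}(k_{a AND b}^3), exactly the four rows on the slide
    table = [_xor(_pad(k[1][a], k[2][b]), k[3][a & b] + TAG)
             for a in (0, 1) for b in (0, 1)]
    secrets.SystemRandom().shuffle(table)  # row order must not leak (a, b)
    return k, table

def evaluate(table, ka: bytes, kb: bytes) -> bytes:
    # The evaluator holds one label per input wire and opens exactly one row
    pad = _pad(ka, kb)
    rows = [_xor(pad, c) for c in table]
    hits = [p[:LABEL_LEN] for p in rows if p[LABEL_LEN:] == TAG]
    if len(hits) != 1:
        raise ValueError("no unique row decrypts under these labels")
    return hits[0]

def run_gate(a: int, b: int) -> int:
    # Garble, hand over the labels for (a, b), evaluate, then decode the output
    k, table = garble_and()
    out_label = evaluate(table, k[1][a], k[2][b])
    return k[3].index(out_label)
```

The evaluator never sees the mapping from labels to bits; `run_gate` decodes only because it still holds the garbler's `k[3]`.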

SLIDE 12

Cut-and-Choose 2PC (majority)

[Figure: $P_1$ with input $x$; garbled circuits GC1 to GC6; outputs $z_2$, $z_4$, $z_6$; $z = f(x, y)$]

SLIDE 13

Cut-and-Choose 2PC (Forge and Lose)

[Figure: $P_1$ with input $x$; garbled circuits GC1 to GC6; outputs $z_2$, $z_4$, $z_6$; a "Cheating Recovery 2PC" box with labels $x$, $z$, $z'$, $x$]

SLIDE 14

Homomorphic Commitments

  • Hiding and Binding
  • $\mathrm{HCOM}(a, d_a)$, $\mathrm{HCOM}(b, d_b)$
  • Open to $a \oplus b$, using opening $d_a \oplus d_b$
  • Pedersen commitments
  • OT-based Commitments [LR15]
  • Non-interactive, rate $1/\lambda$
  • (OT + code)-based commitments [FJNT16]
  • Constant rate, interactive setup
  • Fiat-Shamir

SLIDE 15

Single NISC

$GC_i \leftarrow \mathrm{Garb}(C, sd_i)$

[Figure labels: $GC_i$, $GI_x$, $K_i$]

SLIDE 16

Single NISC

$GC_i \leftarrow \mathrm{Garb}(C, sd_i)$

[Figure labels: $GC_i$, $GI_x$, $K_i$]

  • Evaluator input: probe-resistant encoding; Input OT with 0/1 and $in_0^i$, $in_1^i$

SLIDE 17

Single NISC

$GC_i \leftarrow \mathrm{Garb}(C, sd_i)$

[Figure labels: $GC_i$, $GI_x$]

  • Evaluator input: probe-resistant encoding; Input OT with 0/1 and $in_0^i$, $in_1^i$
  • Cut and choose: Circuit OT with open/evaluate and $sd_i$, $K_i$

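SLIDE 18

Single NISC

$GC_i \leftarrow \mathrm{Garb}(C, sd_i)$

[Figure labels: $GC_i$, $GI_x$]

  • Evaluator input: probe-resistant encoding; Input OT with 0/1 and $in_0^i$, $in_1^i$
  • Cut and choose: Circuit OT with open/evaluate and $sd_i$, $K_i$
  • Garbler input: $\mathrm{COM}(in^i_{0 \oplus s_i})$, $\mathrm{COM}(in^i_{1 \oplus s_i})$; permutation bit: $\mathrm{HCOM}(s_i)$, $\mathrm{HCOM}(x)$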

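SLIDE 19

Single NISC

$GC_i \leftarrow \mathrm{Garb}(C, sd_i)$

[Figure labels: $GC_i$, $GI_x$]

  • Evaluator input: probe-resistant encoding; Input OT with 0/1 and $in_0^i$, $in_1^i$
  • Cut and choose: Circuit OT with open/evaluate and $sd_i$, $K_i$
  • Garbler input: $\mathrm{COM}(in^i_{0 \oplus s_i})$, $\mathrm{COM}(in^i_{1 \oplus s_i})$; permutation bit: $\mathrm{HCOM}(s_i)$, $\mathrm{HCOM}(x)$; $s_i$; $x \oplus s_i$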

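SLIDE 20

Single NISC

$GC_i \leftarrow \mathrm{Garb}(C, sd_i)$

[Figure labels: $GC_i$, $GI_x$]

  • Evaluator input: probe-resistant encoding; Input OT with 0/1 and $in_0^i$, $in_1^i$
  • Cut and choose: Circuit OT with open/evaluate and $sd_i$, $K_i$
  • Garbler input: $\mathrm{COM}(in^i_{0 \oplus s_i})$, $\mathrm{COM}(in^i_{1 \oplus s_i})$; permutation bit: $\mathrm{HCOM}(s_i)$, $\mathrm{HCOM}(x)$; $s_i$; $x \oplus s_i$
  • Cheating recovery: $\mathrm{HCOM}(w_0^i)$, $\mathrm{HCOM}(w_1^i)$, $\mathrm{HCOM}(out_0^i)$, $\mathrm{HCOM}(out_1^i)$, with $w_0^i \oplus w_1^i = x$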

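SLIDE 21

Single NISC

$GC_i \leftarrow \mathrm{Garb}(C, sd_i)$

[Figure labels: $GC_i$, $GI_x$]

  • Evaluator input: probe-resistant encoding; Input OT with 0/1 and $in_0^i$, $in_1^i$
  • Cut and choose: Circuit OT with open/evaluate and $sd_i$, $K_i$
  • Garbler input: $\mathrm{COM}(in^i_{0 \oplus s_i})$, $\mathrm{COM}(in^i_{1 \oplus s_i})$; permutation bit: $\mathrm{HCOM}(s_i)$, $\mathrm{HCOM}(x)$; $s_i$; $x \oplus s_i$
  • Cheating recovery: $\mathrm{HCOM}(w_0^i)$, $\mathrm{HCOM}(w_1^i)$, $\mathrm{HCOM}(out_0^i)$, $\mathrm{HCOM}(out_1^i)$, with $w_0^i \oplus w_1^i = x$
  • Open to zero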
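
SLIDE 22

Single NISC

$GC_i \leftarrow \mathrm{Garb}(C, sd_i)$

[Figure labels: $GC_i$, $GI_x$]

  • Evaluator input: probe-resistant encoding; Input OT with 0/1 and $in_0^i$, $in_1^i$
  • Cut and choose: Circuit OT with open/evaluate and $sd_i$, $K_i$
  • Garbler input: $\mathrm{COM}(in^i_{0 \oplus s_i})$, $\mathrm{COM}(in^i_{1 \oplus s_i})$; permutation bit: $\mathrm{HCOM}(s_i)$, $\mathrm{HCOM}(x)$; $s_i$; $x \oplus s_i$
  • Cheating recovery: $\mathrm{HCOM}(w_0^i)$, $\mathrm{HCOM}(w_1^i)$, $\mathrm{HCOM}(out_0^i)$, $\mathrm{HCOM}(out_1^i)$, with $w_0^i \oplus w_1^i = x$; $out_0^i$, $out_1^i$; $out_0^i \oplus w_0^i$; $out_1^i \oplus w_1^i$
  • Open to zero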

SLIDE 23

Batch 2PC

SLIDE 24

Batch 2PC

[Figure: garbled circuits GC1, GC2, GC3, GC4, GC5, GC6, GC7]

SLIDE 25

Batch 2PC

[Figure: garbled circuits GC1 to GC7; labels $N$, $B$, $B$, $B$; input pairs $(x_1, y_1)$, $(x_2, y_2)$, $(x_3, y_3)$]

SLIDE 26

Batch 2PC

[Figure: garbled circuits GC1 to GC7, shown again in the order GC4, GC1, GC5, GC7, GC6, GC2, GC3; labels $N$, $B$, $B$, $B$; input pairs $(x_1, y_1)$, $(x_2, y_2)$, $(x_3, y_3)$]

SLIDE 27

Batch 2PC

[Figure: garbled circuits GC1 to GC7, shown again in the order GC4, GC1, GC5, GC7, GC6, GC2, GC3; labels (layout lost): N = Nλ logN, N, B, N − NB, B, B; input pairs $(x_1, y_1)$, $(x_2, y_2)$, $(x_3, y_3)$]

SLIDE 28

Batch 2PC

[Figure: garbled circuits GC1 to GC7, shown again in the order GC4, GC1, GC5, GC7, GC6, GC2, GC3; labels (layout lost): N = Nλ logN, N, B, N − NB, B, B; input pairs $(x_1, y_1)$, $(x_2, y_2)$, $(x_3, y_3)$]

  • 1. Obliviously assign circuits to open/evaluate buckets

SLIDE 29

Batch 2PC

[Figure: garbled circuits GC1 to GC7, shown again in the order GC4, GC1, GC5, GC7, GC6, GC2, GC3; labels (layout lost): N = Nλ logN, N, B, N − NB, B, B; input pairs $(x_1, y_1)$, $(x_2, y_2)$, $(x_3, y_3)$]

  • 1. Obliviously assign circuits to open/evaluate buckets
  • 2. Garble inputs before knowing assignment

SLIDE 30

Batch 2PC

[Figure: garbled circuits GC1 to GC7, shown again in the order GC4, GC1, GC5, GC7, GC6, GC2, GC3; labels (layout lost): N = Nλ logN, N, B, N − NB, B, B; input pairs $(x_1, y_1)$, $(x_2, y_2)$, $(x_3, y_3)$]

  • 1. Obliviously assign circuits to open/evaluate buckets
  • 2. Garble inputs before knowing assignment
  • 3. Input consistency before knowing assignment

SLIDE 31

Batch 2PC

[Figure: garbled circuits GC1 to GC7, shown again in the order GC4, GC1, GC5, GC7, GC6, GC2, GC3; labels (layout lost): N = Nλ logN, N, B, N − NB, B, B; input pairs $(x_1, y_1)$, $(x_2, y_2)$, $(x_3, y_3)$]

  • 1. Obliviously assign circuits to open/evaluate buckets
  • 2. Garble inputs before knowing assignment
  • 3. Input consistency before knowing assignment
  • 4. Output recovery before knowing assignment

SLIDE 32

Batch 2PC

[Figure: garbled circuits GC1 to GC7, shown again in the order GC4, GC1, GC5, GC7, GC6, GC2, GC3; labels (layout lost): N = Nλ logN, N, B, N − NB, B, B; input pairs $(x_1, y_1)$, $(x_2, y_2)$, $(x_3, y_3)$]

  • 1. Obliviously assign circuits to open/evaluate buckets
  • 2. Garble inputs before knowing assignment
  • 3. Input consistency before knowing assignment
  • 4. Output recovery before knowing assignment

Naive Solution: Prepare garbled inputs and gadgets for all N possibilities. Perform 1-out-of-N OT for each circuit.

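SLIDE 33

Oblivious Switching Networks (OSN)

[Figure: inputs $X_1, X_2, X_3, X_4, X_5$ and masks $R_1, R_2, \dots, R_5$; permutation $\pi$; outputs $X_{\pi(1)} \oplus R_1$, $X_{\pi(2)} \oplus R_2$, $X_{\pi(3)} \oplus R_3$, $X_{\pi(4)} \oplus R_4$, $X_{\pi(5)} \oplus R_5$]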

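SLIDE 34

Oblivious Switching Networks (OSN)

[Figure: inputs $X_1, X_2, X_3, X_4, X_5$ and masks $R_1, R_2, \dots, R_5$; permutation $\pi$; outputs $X_{\pi(1)} \oplus R_1$, $X_{\pi(2)} \oplus R_2$, $X_{\pi(3)} \oplus R_3$, $X_{\pi(4)} \oplus R_4$, $X_{\pi(5)} \oplus R_5$]

[MS13]: $O(n \log n)$ parallel OTs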

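SLIDE 35

Cut and Choose

[Figure: OSN over the circuit seeds. Inputs $sd_1, sd_2, sd_3, sd_4, sd_5$ and masks $R_1, R_2, \dots, 0$; $\pi$ := bucket assignment; outputs $sd_{\pi(1)} \oplus R_1$, $sd_{\pi(2)} \oplus R_2$, $sd_{\pi(3)} \oplus R_3$, $sd_{\pi(4)} \oplus R_4$, $sd_{\pi(5)} = sd_1$; circuit label $GC_i$]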
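The cut-and-choose slide above routes the circuit seeds through the OSN with a zero mask on the slot that is to be opened. The following added Python example (not from the talk or the paper) models that with an ideal OSN computed in the clear instead of the OT-based network of [MS13]; the hash-based `garb`, the party roles and the convention that the first `n_check` output slots are the check slots are assumptions of this example.

```python
import hashlib
import secrets

def garb(seed: bytes) -> bytes:
    # Stand-in for GC_i <- Garb(C, sd_i): the whole circuit is derived from its seed
    return hashlib.sha256(b"garbled-circuit" + seed).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def osn(xs, rs, pi):
    # Ideal OSN: the party that chose pi learns only X_{pi(i)} XOR R_i per slot
    return [xor(xs[pi[i]], rs[i]) for i in range(len(xs))]

def cut_and_choose(circuits, seeds, pi, n_check):
    """Garbler supplies seeds and masks, evaluator supplies pi.

    Check slots carry a zero mask, so the evaluator learns those seeds and
    re-garbles; evaluation slots carry a random mask and reveal nothing.
    Returns (indices of opened circuits that fail the check, OSN outputs).
    """
    n = len(seeds)
    rs = [bytes(32) if i < n_check else secrets.token_bytes(32) for i in range(n)]
    outs = osn(seeds, rs, pi)
    bad = [pi[i] for i in range(n_check) if garb(outs[i]) != circuits[pi[i]]]
    return bad, outs

def demo():
    seeds = [secrets.token_bytes(32) for _ in range(5)]
    circuits = [garb(s) for s in seeds]
    circuits[3] = garb(b"not the committed seed")  # garbler cheats on circuit 3
    pi = [3, 0, 4, 1, 2]  # evaluator's secret bucket assignment (constructed)
    bad, outs = cut_and_choose(circuits, seeds, pi, n_check=2)
    # Seeds routed to evaluation slots stay masked
    hidden = all(outs[i] != seeds[pi[i]] for i in range(2, 5))
    return bad, hidden
```

Because the garbler fixes the masks before it learns anything about `pi`, it cannot tell which circuits will be opened when it builds them.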

SLIDE 36

Garbler Input

$\pi$ := bucket assignment

$\mathrm{COM}(k^i_{b \oplus s_i}, d^i_{b \oplus s_i})$ for $b \in \{0,1\}$

SLIDE 37

Garbler Input

[Figure: OSN with masks $x_1\Delta, x_2\Delta, \dots, x_4\Delta$; $\pi$ := bucket assignment]

$\mathrm{COM}(k^i_{b \oplus s_i}, d^i_{b \oplus s_i})$ for $b \in \{0,1\}$

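SLIDE 38

Garbler Input

[Figure: OSN with inputs $r_1 \oplus s_1\Delta$, $r_2 \oplus s_2\Delta$, $r_3 \oplus s_3\Delta$, $r_4 \oplus s_4\Delta$, $r_5 \oplus s_5\Delta$ and masks $x_1\Delta, x_2\Delta, \dots, x_4\Delta$; $\pi$ := bucket assignment]

$\mathrm{COM}(k^i_{b \oplus s_i}, d^i_{b \oplus s_i})$ for $b \in \{0,1\}$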

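SLIDE 39

Garbler Input

[Figure: OSN with inputs $r_1 \oplus s_1\Delta$, $r_2 \oplus s_2\Delta$, $r_3 \oplus s_3\Delta$, $r_4 \oplus s_4\Delta$, $r_5 \oplus s_5\Delta$ and masks $x_1\Delta, x_2\Delta, \dots, x_4\Delta$; $\pi$ := bucket assignment; output $r_{\pi(1)} \oplus (s_{\pi(1)} \oplus x_1)\Delta$]

$\mathrm{COM}(k^i_{b \oplus s_i}, d^i_{b \oplus s_i})$ for $b \in \{0,1\}$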

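SLIDE 40

Garbler Input

[Figure: OSN with inputs $r_1 \oplus s_1\Delta$, $r_2 \oplus s_2\Delta$, $r_3 \oplus s_3\Delta$, $r_4 \oplus s_4\Delta$, $r_5 \oplus s_5\Delta$ and masks $x_1\Delta, x_2\Delta, \dots, x_4\Delta$; $\pi$ := bucket assignment; output $r_{\pi(1)} \oplus (s_{\pi(1)} \oplus x_1)\Delta$]

$\mathrm{COM}(k^i_{b \oplus s_i}, d^i_{b \oplus s_i})$ for $b \in \{0,1\}$

$E_{r_i \oplus s_i \oplus b\,\Delta}\left(d^i_{0 \oplus s_i}\right)$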

SLIDE 41

Garbler Input Consistency

$\pi$ := bucket assignment

$\mathrm{HCOM}(x_j, d_{x_j})$, $\mathrm{HCOM}(s_i, d_{s_i})$, $\mathrm{HCOM}(k^i_{b \oplus s_i}, d^i_{b \oplus s_i})$

[Figure: OSN output $d_{s_{\pi(5)}}$]

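SLIDE 42

Garbler Input Consistency

$\pi$ := bucket assignment

$\mathrm{HCOM}(x_j, d_{x_j})$, $\mathrm{HCOM}(s_i, d_{s_i})$, $\mathrm{HCOM}(k^i_{b \oplus s_i}, d^i_{b \oplus s_i})$

[Figure: OSN with masks $d_{x_1}, \dots, d_{x_4}, 0$; output $d_{s_{\pi(5)}}$]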

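SLIDE 43

Garbler Input Consistency

$\pi$ := bucket assignment

$\mathrm{HCOM}(x_j, d_{x_j})$, $\mathrm{HCOM}(s_i, d_{s_i})$, $\mathrm{HCOM}(k^i_{b \oplus s_i}, d^i_{b \oplus s_i})$

[Figure: OSN with inputs $d_{s_1}, d_{s_2}, d_{s_3}, d_{s_4}, d_{s_5}$ and masks $d_{x_1}, \dots, d_{x_4}, 0$; output $d_{s_{\pi(5)}}$]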

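SLIDE 44

Garbler Input Consistency

$\pi$ := bucket assignment

$\mathrm{HCOM}(x_j, d_{x_j})$, $\mathrm{HCOM}(s_i, d_{s_i})$, $\mathrm{HCOM}(k^i_{b \oplus s_i}, d^i_{b \oplus s_i})$

[Figure: OSN with inputs $d_{s_1}, d_{s_2}, d_{s_3}, d_{s_4}, d_{s_5}$ and masks $d_{x_1}, \dots, d_{x_4}, 0$; outputs $d_{x_1} \oplus d_{s_{\pi(1)}}$ and $d_{s_{\pi(5)}}$]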

SLIDE 45

  • Evaluator input
  • Cheating recovery
  • Sending decommitments through the OSN

SLIDE 46

Summary

SLIDE 47

Summary

  • $\lambda$: statistical sec.
  • $\kappa$: computation sec.
  • $N$: # of executions
  • $n_{out}$: # of outputs
  • $n_{in}$: # of inputs

SLIDE 48

Open Questions

  • Two-round OT extension
  • Non-interactive RAM 2PC
  • ??? Some other nice problems …