Secure Computation and Yao's Protocol

Questions and Answers

What foundational premise underlies secure computation?

• Parties fully trust a central authority to manage their data.
• Parties rely on external auditors to verify computational results.
• Parties openly share their data to achieve computational efficiency.
• Parties engage in computation while maintaining the privacy of their inputs. (correct)

Which of the following is a typical security guarantee provided by secure computation protocols?

• Complete transparency of all parties' inputs to each other.
• Privacy, ensuring that parties learn nothing more than the prescribed output. (correct)
• Guaranteed computational efficiency, even at the cost of some data leakage.
• Unconditional trust in at least one of the participating parties.

In the context of secure computation, what does 'input independence' refer to?

• The ability of parties to modify their inputs during the computation.
• The requirement that all inputs be statistically independent of each other.
• The guarantee that parties can choose their inputs without knowledge of others' inputs. (correct)
• The assurance that parties' inputs do not influence each other's computational steps.

What is the main purpose of the 'real-ideal paradigm' in defining security for secure computation?

To compare the security of a real protocol execution with an ideal, secure execution. (B)

According to the real-ideal paradigm, what must be true for a real-world secure computation protocol to be considered secure?

For every potential attack in the real protocol, there must be an equivalent effect achievable in the ideal world. (D)

What is the role of a 'simulator' in the context of defining security for secure computation?

To mimic the actions of a real-world adversary in an ideal-world setting. (A)

In the simplified security definition presented, what is a key responsibility of the simulator?

To generate protocol messages that appear as though they originate from honest parties. (B)

What is a key assumption about adversaries in the 'semi-honest' security model?

Adversaries always follow the protocol but may try to learn extra information. (C)

How does a semi-honest adversary's behavior differ from a malicious adversary's behavior in secure computation?

A semi-honest adversary follows the protocol honestly but tries to learn extra information, while a malicious adversary may arbitrarily deviate from the protocol. (B)

What simplification does the semi-honest model allow in the design of secure computation protocols?

The simulator only needs to simulate the transcript, given the ideal input and output, without needing to 'extract' the adversary's input. (A)

What is the primary purpose of garbling a circuit in Yao's protocol?

To hide the structure and function of the circuit from the evaluator. (B)

In Yao's garbled circuit protocol, how are the truth tables of each gate handled?

Each output is encrypted with corresponding keys. (C)

What does Alice do after encrypting each output with corresponding keys in Yao's protocol?

Randomly permutes the ciphertexts and sends them to Bob. (C)

In Yao's protocol, how does Bob learn the 'correct' keys corresponding to his input?

Somehow Bob obtains it through oblivious transfer. (D)

What security property is achieved through trial decryption in the garbled truth table?

Bob learns only $f(x, y)$. (B)

When using garbled tables, if outputs are encrypted, what does Alice encrypt to extend the protocol idea?

Alice encrypts keys. (C)

How do you describe the garbled circuit framework?

A framework where circuits are obfuscated with garbled labels. (B)

What must you pick on each wire when Garbling a circuit?

Pick random labels Wo, W₁ on each wire. (D)

What is used to encrypt the truth table of each gate, when garbling a circuit?

Random Labels. (D)

What does a garbled circuit represent?

All encrypted gates. (D)

What does garbled encoding represent?

One label per wire. (A)

What happens during a garbled evaluation

Only one ciphertext per gate is decryptable (D)

During decryption, what does the result of decryption equal to?

value on outgoing wire (D)

What is the only thing you can do with security, once given a garbled circuit and garbled input?

Blindly evaluate circuit (A)

After you learn a garbled circuit label, what is difficult to guess?

Hard to guess what the 'complementary' label might be. (B)

If both labels outputs were revealed at the end of the protocol, what would be leaked?

the circuit output (A)

What does Obliviousness reveal nothing beyond?

f (C)

What is an alternative term for Oblivious Transfer

Information Hidding (C)

How do we describe Garbler's inputs?

she knows both $A_0, A_1$, and which one is correct $=>$ just send correct one to Bob (A)

How does Bob know the Garbler's inputs?

We need a gadget. (A)

In the summary so far, what is the main goal withy secure computation?

learning only the output. (D)

How do we describe Yao's protocol?

Uses a garbled lookup table for each gate of boolean circuit (C)

What can be faster than Yao's protocol in the next lectures?

Special-purpose protocols. (D)

What can an adversary do in the ideal world?

Choose any input y, independent of x. (A)

What security properties can we garuantee for the honest output?

There must exist an ideal adversary for output (HonestOutput, AdvOutput) that are indistinguishable (C)

As specified in the security definitions, what message do the participants see?

Protocol messages look like they came from the honest party. (C)

What is used when extracting the f-input?

adversarys protocol messages (D)

How does Yao's protocol ensure that computation is secure?

By garbling lookup tables and oblivious transformations. (C)

Flashcards

Secure Computation

A setting where mutually distrusting parties each with private input, want to learn the result of some agreed-upon computation.

Market Clearing Price (MCP)

A price at which the total supply of goods or services equals the total demand.

Real-Ideal Paradigm

The goal that the real protocol interaction is as secure as ideal-world interaction.

Effect of a generic attack

What the adversary learns or can compute about an honest party, or some influence on an honest party's output.

Semi-Honest Security

A simpler security model where the adversary follows the protocol but tries to learn more information.

Garbled truth table

Method where Alice writes a truth table, encrypts outputs, and Bob decrypts the relevant entry.

Garbled circuit

A framework where a circuit is encrypted using random labels and truth tables of the gates.

Oblivious Transfer

Algorithm to let Bob obtain Ax or Ay, Without Alice knowing which one

Yao's Protocol

A protocol where garbled circuit f + garbled inputs + all output labels => Bob learns only f(x, y).

Privacy

A property where (F, X, d) reveals nothing beyond f and f(x)

Security definition

A real-world adversary A, there exists an ideal adversary A' s.t. joint distribution (HonestOutput,AdvOutput) is indistinguishable

Obliviousness

A property where (F, X) reveals nothing beyond f

Authenticity

Having the property that given (F, X), its hard to find Y that decodes & {f(x), 1}

Study Notes

• Explores secure computation and Yao's protocol.
• Focuses on concepts, definitions, and semi-honest secure computation for boolean circuits.

Secure Computation

• This involves mutually distrusting parties, each holding private inputs.
• Parties aim to learn the outcome of an agreed-upon computation without revealing their private inputs.
• Examples include elections and auctions.
• Security guarantees include privacy, input independence, and output consistency.
• These guarantees must hold even if some parties cheat or collude.

Examples of Secure Computation

• Sugar beet farmers and purchasers submit bids to determine a market-clearing price (MCP).
• In 2009, secure computation was used to compute the MCP and associated bids.
• Google and its customers use secure computation to compute ad conversions.
• Wage equity studies, such as the Boston Women's Workforce Council Report 2017, utilize secure multi-party computation for data submission to ensure individual compensation data remains private.

Defining Security

• Security risks need to be addressed, for example, adversaries learning more than f(x, y), preventing an honest party from learning, causing inconsistent outputs, or influencing input choices based on an honest party's input.
• In the ideal world, a corrupt party can choose any input (independent of others), learn only f(x, y), and ensure the honest party also learns f(x, y).
• The real-ideal paradigm aims for real protocol interactions to be as secure as ideal-world interactions, ensuring that for every "attack" on a real protocol, there's an equivalent effect achievable in the ideal world.
• A generic attack results in the adversary learning something about the honest party or influencing the honest party’s output.

Defining Security

• For every real-world adversary, there should exist an ideal adversary such that the joint distribution of honest and adversarial outputs is indistinguishable.
• Without loss of generality (WLOG), a simulator exists that mimics real-world interactions in the ideal world.
• The role of the simulator is to send protocol messages that appear authentic and extract an f-input by examining the adversary's protocol messages.
• The simulator also "explains" the impact on the honest party's output using the ideal world concept.

Semi-Honest Security

• This is security against passive adversaries who follow the protocol but may try to learn information.
• In this scenario, there's no need to extract information; the simulator only needs to simulate the transcript given the ideal input and output.

Garbled Truth Table

• Alice writes a truth table for function f, then chooses a random cryptographic key for each possible input.
• Alice encrypts each output with the corresponding keys.
• Alice randomly permutes the ciphertexts and sends the result to Bob.
• Bob somehow obtains correct keys, then decrypts to learn f(x,y) through trial decryption.
• Bob’s view in the protocol needs to be simulated given Bob's ideal input/output.
• Simulation is indistinguishable as long as encryption satisfies this requirement: EA,B(C) ≈ EA',B'(C'), if at least one A,B is random and unknown to distinguisher.
• The cost scales with the size of the truth table.
• Instead of encrypting outputs, encrypt keys to yet more garbled tables using oblivious transfer.

Garbled Circuit Framework

• Pick random labels W0, W1 on each wire.
• Encrypt the truth table of each gate.
• Garbled circuit includes all encrypted gates, and garbled encoding involves one label per wire.
• In garbled evaluation, only one ciphertext per gate is decryptable, meaning the result of decryption equals value on outgoing wire.
• Only (blindly) evaluating the circuit with input is possible.
• It's hard to guess the "complementary" label if you only know one label.
• Hiding logical value on wire is possible with a single label, but revealing output wire labels leaks only circuit output.
• Security means garbled evaluations remain secure.

Syntax and Security

• Garble encodes function f into garbled circuit F, encoding info e, and encodes input x into garbled input X in encode.
• Eval evaluates the inputs and encodes into garbled output Y, finally decoded to the function f(x).
• Privacy means (F, X, d) reveals nothing beyond f and f(x).
• Obliviousness means (F, X) reveals nothing beyond f.
• Authenticity is guaranteed if, given (F, X), it's hard to find Y that doesn't decode to f(x)
• Gate-hiding means (F, X, d) reveals nothing beyond the topology of f and f(x).

Oblivious Transfer

• Oblivious Transer shows how Bob gets the garbled output
• Alice knows both A0 and A1, and must transfer the correct one
• Evaluator inputs require oblivious transfer.
• Need public-key encryption that supports blind key generation.
• Sample a public key without knowledge of secret key
• ElGamal satisfies this requirement (sample group element without knowing discrete log).

Yao's Protocol Overview

• Alice sends the garbled circuit and output wire labels.
• Bob inputs his wire labels garbled by OT (xn), and receives f(x, y).
• Bob learns only f(x, y) given garbled inputs and outputs.

Summary

• Secure Computation facilitates computation on private inputs, revealing only the output.
• Security is achieved by simulating attacks in an ideal world interaction.
• Yao's protocol uses garbled lookup tables for each gate, plus oblivious transfer for each input wire

Moving Forward

• Ways to reduce the large size of Garbled circuits.
• The standard Yao protocols are insecure against malicious attacks and how to protect against them
• More efficient ways of Oblivious Transfer, for example how to "amplify" OT instances using cheap crypto
• Faster secure Special-purpose protocols, instead of standard Yao's, and using secure set intersection.