In
the previous blog we saw the high level
description of the fast cut-and-choose protocol. We will now see how the
protocol works
Inputs: P1 has input x
∈ {0,1}l
and P2 has input y ∈ {0,1}l
Specified output: Party P2 receives f(x,y) and part P1 receives no output. Length of output
is m.
1) Input
Key Choice and Circuit Preparation
a) P1 picks random values a10, a11, …, al0, al1; r1,…,rs ∈R Zq and b10, b11, … , bm0, bm1 ∈R {0,1}n.
b) For each garbled circuit j, P1 sets the keys for its input wires to:
ki,j 0 = H(gai0*rj) and ki,j 1 = H(gai1*rj)
c) The keys for output wire i are bi0 and bi1. This is same for all garbled circuits.
d) P1 constructs GC1, GC2,… GCs - s independent copies of circuit C. The output wire keys in all are the same.
2) Oblivious
Transfers:
a) P1 chooses random values x1,…xs ∈R {0,1}n.
b) P2 chooses a random subset J ⊂ [s] where every j ∈ J with probability exactly ½. P2 sends the set J and his input bits as part of the OT. J is the set of circuits P2 is going to check.
c) P2 receives all keys associated with its input wires in all circuits GCj for j ∈ J. Also receives the keys associated with its input y in all other circuits. Also receives the keys associated with its input y in all other circuits.
d) P2 receives x1,…xs ∈R {0,1}n for every j ∉ J. This acts as proof that P2 chose to evaluate these circuits.
3) Send Circuits and Commitments
a) P1 sends P2 the following
i) The
garbled circuits.
ii) Seed
of the randomness extractor.
iii) Commitment
to the garbled values associated with P1’s input.
iv) Output translation tables.
4)
Send
Cut-And-Choose Challenge
a) P2 sends P1 the set J along with xj for every j ∉ J.
b) If the values received by P1 are incorrect, output ⊥ and abort.
5) P1 Sends Its Garbled Input Values in the Evaluation-Circuits
a) P1 sends the keys associated with its inputs in the evaluation circuits.
6) Circuit Evaluation
a) P2 uses P1’s key from Step 5 and the keys associated with its own input from Step 2c to evaluate all garbled circuits.
b) If P2 receives consistent output across all the garbled circuit and next step doesn’t result in an abort, then this will be the output.
c) Else if P2 receives two valid outputs on one output wire (i.e. both bi0 and bi1), then it uses these in the next step.
d) Else it will abort in Step 8b.
7) Run Secure Computation To Detect Cheating
a) P1 defines a circuit with the output wire labels b10, b11, … , bm0, bm1 hardcoded. The circuit computes the following function
i)
P1’s input is
the same input x as from before and has no output
ii)
P2’s input is a pair of values b0, b1.
iii)
If there exists a hardcoded pair of label such that
bi0 = b0 and bi1 = b1, then P2 receives x.
Otherwise it receives no output
b) The above circuit can be evaluated using any existing secure computation protocol that gives 2-s security.
8) Check Circuits for Computing f(x,y):
a) Send all input garbled values in check-circuits: For every check-circuit, the party P1 sends the randomness used for the commitment in Step 3. Aborts if there is inconsistency.
b) Correctness of Check Circuits: For every j ∈ J, P2 uses the commitment it received in Step 3 and the randomness in previous step to compute both pairs of input keys associated with P1’s input in GCj
c) Using these, P2 decrypts the circuit and verifies that it is a garbled version of C. If there exists a circuit for which it fails, then P2 aborts.
d) If there is exists an output wire for which P2 did not receive a valid value in any evaluation circuit in Step 6, then P2 aborts.
9) Verify Consistency of P1’s Input:
a) For every input wire P1 proves using zero-knowledge proof of knowledge, the correctness of its input.
b) If any of the proofs fail, then P2 aborts.
10)
Output
Evaluation:
a) If P2 received no inconsistent outputs from the evaluation circuits, then it decodes the outputs using the encoded translation tables and outputs the string received.
b) If P2 received inconsistent output, then let x be the output that P2 received from second computation. Then P2 computes f(x,y) and outputs it.
Reference: Blazing Fast 2PC in the Offline/Online Setting with Security for Malicious Adversaries Yehuda Lindell and Ben Riva
No comments:
Post a Comment