(@ ) Bob (evaluator) Picks random values for <,? . <,? , <,? Evaluates circuit, decrypting one row of each garbled gate Decodes output Generates garbled tables 16 BC,DC (< ) BC,DE (< ) BE,DC (< ) BE,DE (? ) How does the Bob learn his own input wire labels?
discrete function! < < or ? < < < or ? < < ? or ? ? < ? or ? ? < < or ? < < ? or ? ? < L or ? L BC C,DC C(< <) BE C,DC C(< <) BC C,DE C(< <) BE C,DE C(? <) BC E,DC E(< ?) BE E,DC E(< ?) BC E,DE E(< ?) BE E,DE E(? ?) MC C,MC E(< L) ME C,MC E(< L) MC C,ME E(< L) ME C,ME E(? L)
known data Operate on encrypted wire labels 32-bit logical operation requires moving some electrons a few nm One-bit AND requires four encryptions Reuse is great! Reuse is not allowed! MC C,MC E(< L) ME C,MC E(< L) … 20
) Enca1,b1 (c1 ) Input wire labels (with selection bits) Output wire label Beaver, Micali and Rogaway [STOC 1990] 26 Select random bit for each wire: Set last bit of 0 to , 1 to ¬ Order table canonically: 00/01/10/11
generated circuit (5) If okay, evaluate rest and select majority output (4) checks all revealed circuits (2) Challenge: choose a random subset (3) Keys for selected circuits Provides security against active attacker, but for reasonable security > 100 49
Leaks one (extra) bit on average adversarial circuit fails on ½ of inputs 54 Malicious generator can decrease likelihood of being caught, and increase information leaked when caught (but decreases average information leaked): at extreme, circuit fails on just one input.
safety High-level Languages Little control High-level programming Strong type safety High-level programming Low-level customizability Helpful, escapable type checking Tools for Building Secure Computations 62 oblivc.org