Two Party Computing
With Encrypted Data
Seung Geol Choi
Ariel Elbaz
Ari Juels
Tal Malkin
Moti Yung
Motivation
• The notion of computing with encrypted data [RAD78]
  • Bob encrypts and publishes his data
  • Alice performs the computation
  • Single encrypted message from Alice to Bob
  • Bob decrypts to get the result
• Equated with doubly homomorphic encryption (additively and multiplicatively homomorphic at the same time), which we don't have! (True when these slides were written; Gentry's 2009 lattice-based construction was the first fully homomorphic scheme.)
Model for Computing with Doubly Homomorphic Encryption
Offline
• Bob publishes his public key
• Anybody can encrypt data under it
Online: given a circuit C
• Alice performs the computation homomorphically on the ciphertexts
• Alice sends the encrypted output to Bob
• Bob decrypts to get the result
Our Model for Two Party Computing with Encrypted Data
Offline
• Alice and Bob publish their public keys
• Anybody can encrypt data
Online: given a circuit C
• Alice performs the computation
• Alice sends the encrypted message (a garbled circuit) to Bob
• Bob computes the circuit to get the result
Road map
• Yao's Garbled Circuit
• Conditional Exposure primitive (CODE)
• Our Garbled Circuit
• The Malicious Case
Yao's Garbled Circuit
[Figure: one garbled NAND gate. Left input wire labels $l_0, l_1$, right input wire labels $r_0, r_1$, output wire labels $k_0, k_1$. The garbled table holds one ciphertext per input combination, the output label encrypted under the two matching input labels:]
$E_{l_0,r_0}(k_1)$, $E_{l_1,r_0}(k_1)$, $E_{l_0,r_1}(k_1)$, $E_{l_1,r_1}(k_0)$
Example: NAND(0,1) = 1, so whoever holds $l_0$ and $r_1$ decrypts $E_{l_0,r_1}(k_1)$ and obtains $k_1$, the label for output value 1, and nothing else.
Yao's Garbled Circuit
[Figure: three copies of the garbled NAND gate above, wired into a circuit. Each gate carries its own four-row table $E_{l_0,r_0}(k_1)$, $E_{l_1,r_0}(k_1)$, $E_{l_0,r_1}(k_1)$, $E_{l_1,r_1}(k_0)$; the output labels $k_0, k_1$ of one gate serve as the input labels $l_0, l_1$ or $r_0, r_1$ of the next.]
Yao's Garbled Circuit: Getting the input random strings
[Figure: the garbled circuit with its input wires. Alice's input bits are $a_0, a_1, \dots, a_n$, Bob's are $b_0, b_1, \dots, b_n$. For every input wire $i$ Alice chose two random strings, $r^0_i$ (the label for 0) and $r^1_i$ (the label for 1).]
• Alice's inputs: Alice sends the label $r^{a_i}_i$ matching each of her own bits.
• Bob's inputs: for each bit $b_i$, Bob obtains $r^{b_i}_i$ by oblivious transfer, $OT(b_i, (r^0_i, r^1_i))$, so Alice learns nothing about $b_i$ and Bob learns only the one label.
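The garbled NAND gate and the label handling of the last three slides, as an added example in Python (not the authors' code). Assumptions: wire labels are random 16-byte strings; $E_{l,r}(k)$ is a one-time pad keyed by SHA-256(l || r || "pad"), with a separate SHA-256-derived tag so the evaluator can find the single row its pair of labels opens (a stand-in for point-and-permute); Bob's OT for his input label is simulated by a direct lookup. The example goes one step past the slides by chaining two garbled NAND gates into AND(a, b) = NAND(NAND(a, b), NAND(a, b)).

```python
"""Yao-style garbled NAND gate and a two-gate circuit built from it.

Added example, not the authors' code.  Assumptions (labelled):
  - wire labels are random 16-byte strings;
  - E_{l,r}(k) = k XOR SHA-256(l || r || "pad"), plus a SHA-256-derived
    tag so the evaluator can locate the one row its labels open;
  - Bob obtaining r_i^{b_i} by OT is simulated by a direct lookup.
"""
import hashlib
import os
import random

LABEL_LEN = 16


def _derive(l, r, purpose):
    # Key material for the pair of input labels (l, r); 'purpose' separates pad from tag.
    return hashlib.sha256(l + r + purpose).digest()[:LABEL_LEN]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def new_wire():
    """Fresh (label_for_0, label_for_1) pair for one wire."""
    return (os.urandom(LABEL_LEN), os.urandom(LABEL_LEN))


def garble_gate(fn, left, right, out):
    """Rows E_{l_x, r_y}(k_{fn(x,y)}) for all x, y; shuffled so order reveals nothing."""
    rows = []
    for x in (0, 1):
        for y in (0, 1):
            l, r = left[x], right[y]
            k = out[fn(x, y)]
            rows.append((_derive(l, r, b"tag"), _xor(k, _derive(l, r, b"pad"))))
    random.shuffle(rows)
    return rows


def eval_gate(rows, l, r):
    """The evaluator holds one label per input wire and can open exactly one row."""
    tag, pad = _derive(l, r, b"tag"), _derive(l, r, b"pad")
    for t, c in rows:
        if t == tag:
            return _xor(c, pad)
    raise ValueError("no row matched: wrong labels for this gate")


def NAND(x, y):
    return 1 - (x & y)


def garble_and_circuit():
    """AND(a, b) = NAND(NAND(a, b), NAND(a, b)); returns gates and the wire labels."""
    wa, wb, wm, wout = new_wire(), new_wire(), new_wire(), new_wire()
    gates = [garble_gate(NAND, wa, wb, wm), garble_gate(NAND, wm, wm, wout)]
    return gates, wa, wb, wout


def evaluate_and(a_bit, b_bit):
    """Alice garbles and sends her label; Bob gets his label via OT (simulated),
    evaluates gate by gate and decodes the output label with Alice's output map."""
    gates, wa, wb, wout = garble_and_circuit()
    la = wa[a_bit]          # Alice sends r^{a_i}_i for her own bit
    lb = wb[b_bit]          # Bob receives r^{b_i}_i from OT(b_i, (r^0_i, r^1_i)); simulated
    m = eval_gate(gates[0], la, lb)
    k = eval_gate(gates[1], m, m)
    return {wout[0]: 0, wout[1]: 1}[k]   # output decoding map published by Alice
```

The evaluator only ever sees one label per wire, so it learns the output bit (through the published decoding map) and nothing about the other party's input bit; feeding a label from the wrong wire leaves no matching tag and `eval_gate` raises instead of silently decrypting garbage.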
Conditional Oblivious Decryption Exposure (CODE)
CODE Specification
CODE( E(m1), E(m2), E(m3) )
• If m1 == m2 → m3
• If m1 ≠ m2 → random
Where to Use CODE
• Replace OT(b, (m0, m1)) with
  CODE(E(b), E(0), E(m0))
  CODE(E(b), E(1), E(m1))
  Bob recovers m_b from the one whose condition holds; the other yields a random value.
• Connect the output of one gate to the possible inputs of another gate
• Non-interactive: Alice sends one message to Bob, Bob completes the computation
Garbled Gate (1)
Step 1: Encrypt and shuffle the truth table
NAND gate with encrypted inputs E(l), E(r) and encrypted output; the four rows are shuffled:
  E(l)   E(r)   E(out)
  E(0)   E(0)   E(1)
  E(1)   E(1)   E(0)
  E(0)   E(1)   E(1)
  E(1)   E(0)   E(1)
Garbled Gate (2)
Step 2: Use CODE to connect the inputs to the correct entry in the truth table
Each row now also carries the encrypted input labels, so that the row matching the encrypted inputs E(l), E(r) exposes the keys l_v, r_v and the encrypted output:
  E(l)   E(label)   E(r)   E(label)   E(out)
  E(0)   E(l0)      E(0)   E(r0)      E(1)
  E(1)   E(l1)      E(1)   E(r1)      E(0)
  E(0)   E(l0)      E(1)   E(r1)      E(1)
  E(1)   E(l1)      E(0)   E(r0)      E(1)
Computing CODE
Setting: ElGamal with a joint public key $y = g^{x}$, $x = x_A + x_B$; Alice holds $x_A$ (with $y_A = g^{x_A}$ public), Bob holds $x_B$ (with $y_B = g^{x_B}$ public).
$c_1 = (a, b) = (g^{r_1}, m_1 y^{r_1})$
$c_2 = (\gamma, \delta) = (g^{r_2}, m_2 y^{r_2})$
$c_3 = (\lambda, \mu) = (g^{r_3}, m_3 y^{r_3})$
CODE( E(m1), E(m2), E(m3) ):
• Alice picks a random exponent $e$ and sends
  $\varepsilon = (a/\gamma)^e = g^{(r_1 - r_2)e}$,
  $z = (b/\delta)^e = (m_1/m_2)^e \, y^{(r_1 - r_2)e}$
• Alice sends $D^{x_A} = (\varepsilon\lambda)^{x_A}$, where $D = \varepsilon\lambda = g^{(r_1 - r_2)e + r_3}$
• Bob computes $D^{x_B} = (\varepsilon\lambda)^{x_B}$, so $D^{x_A} D^{x_B} = y^{(r_1 - r_2)e + r_3}$
• Bob computes $z\mu / (D^{x_A} D^{x_B}) = (m_1/m_2)^e \, m_3$
• If $m_1 = m_2$ this is $m_3$; if $m_1 \neq m_2$, $(m_1/m_2)^e$ is random over Alice's choice of $e$, so Bob gets a random value
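The CODE computation above, together with the OT replacement from "Where to Use CODE", as an added example in Python (not the authors' code). Assumptions: ElGamal in the order-$q$ subgroup of $\mathbb{Z}_p^*$ for a safe prime $p = 2q + 1$ found by a deterministic search (about 64 bits, a toy size that exercises the algebra and offers no security); the joint key is $y = y_A y_B = g^{x_A + x_B}$ so a CODE result needs both shares; bits are encoded as the group elements $g$ (for 0) and $g^2$ (for 1) so that $m_1/m_2 \neq 1$ whenever two bits differ. The function and variable names are this example's own.

```python
"""CODE over ElGamal with the decryption key split between Alice and Bob,
plus OT(b, (m0, m1)) replaced by two CODE transcripts.

Added example, not the authors' code.  Assumptions (labelled):
  - order-q subgroup of Z_p^*, p = 2q + 1 a safe prime from a deterministic
    search; ~64-bit toy size, fine for the algebra, useless for security;
  - y = g^(xA + xB): Alice holds xA, Bob holds xB, yA and yB are public;
  - bits are encoded as g^1 (for 0) and g^2 (for 1).
"""
import random

_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_prime(n):
    """Miller-Rabin with fixed bases; deterministic for every n < 2^64."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in _BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def find_safe_prime(bits=64, seed=0):
    """Deterministic search for p = 2q + 1 with both p and q prime."""
    rng = random.Random(seed)
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q


P, Q = find_safe_prime()
G = 4                      # a square mod P, hence a generator of the order-Q subgroup


def inv(x):
    return pow(x, -1, P)


def keygen(rng):
    """One party's share: (x_A, y_A = g^x_A) for Alice, (x_B, y_B) for Bob."""
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)


def encrypt(y, m, rng):
    """E(m) = (g^r, m y^r) under the joint key y = yA * yB; anyone can do this."""
    r = rng.randrange(1, Q)
    return pow(G, r, P), m * pow(y, r, P) % P


def encode_bit(b):
    return pow(G, b + 1, P)


def code_send(xA, c1, c2, c3, rng):
    """Alice's one message for CODE(E(m1), E(m2), E(m3)): (eps, z, D^xA)."""
    (a, b), (gam, dlt), (lam, _mu) = c1, c2, c3
    e = rng.randrange(1, Q)
    eps = pow(a * inv(gam) % P, e, P)      # g^{(r1 - r2) e}
    z = pow(b * inv(dlt) % P, e, P)        # (m1/m2)^e * y^{(r1 - r2) e}
    D = eps * lam % P                      # g^{(r1 - r2) e + r3}
    return eps, z, pow(D, xA, P)


def code_receive(xB, c3, msg):
    """Bob's side: z*mu / (D^xA * D^xB) = (m1/m2)^e * m3, which is m3 iff m1 == m2."""
    lam, mu = c3
    eps, z, D_xA = msg
    D_xB = pow(eps * lam % P, xB, P)
    return z * mu * inv(D_xA * D_xB % P) % P


def ot_via_code(b, labels, seed=7):
    """OT(b, (m0, m1)) as CODE(E(b), E(0), E(m0)) and CODE(E(b), E(1), E(m1)).
    Returns what Bob recovers from each; exactly one of them equals labels[b]."""
    rng = random.Random(seed)
    xA, yA = keygen(rng)
    xB, yB = keygen(rng)
    y = yA * yB % P
    E_b = encrypt(y, encode_bit(b), rng)   # Bob's (or any contributor's) encrypted bit
    E_0, E_1 = (encrypt(y, encode_bit(v), rng) for v in (0, 1))
    E_m0, E_m1 = (encrypt(y, m, rng) for m in labels)
    t0 = code_send(xA, E_b, E_0, E_m0, rng)
    t1 = code_send(xA, E_b, E_1, E_m1, rng)
    return code_receive(xB, E_m0, t0), code_receive(xB, E_m1, t1)
```

Because the key is split, Alice cannot decrypt E(b) to learn Bob's bit and Bob cannot decrypt E(m0), E(m1) on his own; the two transcripts are the whole interaction, so the replacement keeps the one-message online stage. With the bit encoding used here the non-matching CODE returns $g^{\pm e} m_{1-b}$ for $e \in [1, q)$, which never equals the label it hides.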
Garbling a Circuit
• Shuffled and encrypted truth tables
• CODE at the input level
• The matching entry in a truth table reveals the encrypted output value and two secret keys
• The CODE transcripts that connect the matching output value to the next gate are encrypted with those secret keys
• The garbled circuit is one message
• Bob computes gate by gate
Advantages of CODE
• Input separability: the circuit can be built from anyone's encrypted inputs
• Non-interactive: one message opens all CODEs
• Suitable for adding efficient ZK proofs on top of it
2PC – Malicious Case
A malicious party may:
• Abort
• Choose a malicious input, based on the honest party's input
• Encrypt "garbage", or an input conditioned on the honest party's bit
• Have a different gate computed than the one agreed on
Previous Works – 2PC with Malicious Adversaries
• [LP07] cut-and-choose technique
• [JS07] computing on encrypted data
• [KH07] running two copies of Yao in parallel
Malicious CODE
• Alice can send malformed messages
  • Alice sends $\varepsilon = (a/\gamma)^e$, $z = (b/\delta)^e$
  • Alice sends $D^{x_A} = (\varepsilon\lambda)^{x_A}$
• Add ZK proofs
  • ZK{ $e$ : $\varepsilon = (a/\gamma)^e$, $z = (b/\delta)^e$ } (the same exponent was used for both)
  • ZK{ $x_A$ : $D^{x_A} = (\varepsilon\lambda)^{x_A}$, $y_A = g^{x_A}$ } (the exponent is her published key share)
Our Protocol – Malicious Case
Protect against the possible attacks of a malicious adversary, using non-interactive ZK proofs:
• Parties prove their public keys were chosen correctly
• Input contributors commit to their inputs and prove they know the plaintext
• Alice proves the shuffled truth tables are equal to the original ones
• Alice proves each CODE transcript is valid
Our Results
• Input separability: anybody can contribute inputs
• Off-line/On-line model
  • On-line stage: only one message from Alice to Bob, as in the Computing with Encrypted Data model
  • Computing servers can run many on-line sessions after a single off-line stage, giving lower amortized round complexity
• Computing with Encrypted Data with both parties' public keys loses the strong relation to doubly homomorphic encryption!
THE END