A “Fisher-Price” explanation of Yao’s garbled
circuits in secure computation
Ted Dokos
March 17, 2014
1
Acknowledgements
This document draws heavily on the lecture notes for Yao’s garbled circuits by
Rafail Ostrowsky and similar lecture notes by Rafael Pass.
2
Introduction
I found Yao’s garbled circuits confusing when I first encountered them, and the
material on them I was able to find had many details missing that I would have
liked to see. The goal of this document is to lay out their description in a more
“hand-holdy” way, both for the benefit of my understanding and future readers.
3
Motivation
Yao’s garbled circuits provide a method for secure computation, where several
parties wish to compute a function such that no party learns the inputs of any
other. Consider the classical example: two millionaires Alice and Bob wish to
determine who has more money. However, Alice and Bob are both very secretive,
and don’t want the other to learn their exact wealth. Can they do it? Yao’s
garbled circuits say yes! Furthermore, the garbled circuits satisfy a variety of
nice properties, including that the number of communications is bounded and
that the protocol is practical for real world computers.
Obviously, some knowledge must be gained here. If f is the function
1 if x ≤ y,
f (x, y) =
0 otherwise,
and Alice has a net worth of 10 million USD, then Alice will be able to tell from
the output of f whether Bob’s net worth is more or less than 10 million dollars.
The goal then is for Alice to learn nothing more than what she can infer from
her input and the output of f . The same must hold for Bob as well.
1
4
Ingredients
We will need several common cryptographic tools in order to describe the protocol for Yao’s garbled circuits (from now on abbreviated to YGC).
4.1
Pseudorandom number generation
For the rest of these notes, we blindly assume that all computers can generate random numbers. In practice, pseudorandom number generation provides
“random enough” numbers to make this assumption innocuous.
4.2
One-time pads via XOR
Suppose that Alice wishes to encrypt a message M that is n bits long. One
way to do so is by creating a random bitstring K of length n, and computing
C = K ⊕ M , where ⊕ is the XOR operation. Since C could be decrypted to
any message of length n, the only hope an attacker has is finding K.
The main disadvantage of a one-time pad is that if Alice wants to let someone
else see M , she has to find a way of securely transmitting K. However the YGC
provides an example where this disadvantage is irrelevant.
The XOR operation has some nice properties that will be useful here.
• It is involutive: K ⊕ K = 0, where 0 is the length n bitstring of all 0’s.
Put another way, K is a symmetric encryption key: to invert C = K ⊕ M ,
we compute M = K ⊕ C.
• It is associative and commutative. In particular we have K1 ⊕ K2 ⊕ M =
K2 ⊕ K1 ⊕ M .
4.3
Oblivious transfer
In oblivious transfer, the sender A offers the receiver B a choice of two messages
to receive. B then selects and receives one of the messages, so that the following
are satisfied.
• B knows nothing about the other unselected message.
• A does not know which message B selected.
The name “oblivious transfer” is appropriate, as A has no idea which message
B received and B has no idea what the other unchosen message was. For the
rest of these notes, we assume that oblivious transfer is possible.
4.4
Message authentication code
A common problem is ensuring that we got the correct message. When we
download a file, how can we be sure it didn’t get corrupted by accident? A
message authentication code is a function auth that returns a bitstring we can
use to check if our file is the same. Thus, if Alice provides a message M and
the authentication string auth(M ), we can check if our version M 0 is correct by
seeing if auth(M ) = auth(M 0 ).
2
In practice, authentication codes typically have collisions. We merely require
that such collisions are very unlikely. We also want it to be difficult for us to
determine M from auth(M ). One such mechanism that accomplishes this is a
cryptographic hash function.
5
Yao’s garbled circuits
We are now ready to describe the protocol for creating a garbled circuit. Let
n be a security parameter, and let f (x1 , . . . , xa ; y1 , . . . , yb ) be a function that
Alice and Bob wish to compute, with the xi representing Alice’s inputs and the
yj Bob’s. We are of course assuming that f can be run on a computer.
5.1
Hard-coding
The first thing Alice does to f is hard-code her inputs A1 , . . . , Aa into f , creating
the function
g(y1 , . . . , yb ) = f (A1 , . . . , Aa ; y1 , . . . , yb ).
We now want to ensure that Bob cannot intuit what this function does.
5.2
Circuit diagrams
Since g can be written as a computer program, we can write down a circuit
diagram for g, consisting of wires and logic gates. We assume without loss of
generality that every logic gate takes two wires as inputs and has one output
wire (nota bene: if a wire branches in order to provide input to multiple gates,
we still consider this to be one wire).
5.3
Garbling the circuit
We will now obfuscate the circuit using one-time pads. For each wire wi of the
circuit, Alice creates two random keys Ki0 , Ki1 of length n. The idea is that Ki0
will correspond to the wire wi being assigned a value of 0, and likewise for Ki1 .
These keys are what Bob will actually see in the final protocol. In fact, we
will ensure that for each wire wi , Bob is only able to see one of the two values
Ki0 , Ki1 . But before that, how can Bob evaluate logic gates using these keys?
The answer is to use our XOR operation.
Let’s start with an example: suppose Bob has the keys Ki1 , Kj0 and is confronted with an AND gate, with wires wi , wj as its inputs and wk as its output.
Since the inputs are “1” and “0,” we want Bob to extract the key Kk0 from this
gate. We also want Bob to not know Kk0 until he possesses the keys Ki1 , Kj0 , so
Alice can’t just hand Kk0 to him. So what do we do? Alice instead hands him
the encrypted version:
X = Ki1 ⊕ Kj0 ⊕ Kk0 .
Since Bob is in possesion of both Ki1 and Kj0 , he can retrieve Kk0 by evaluating
Ki1 ⊕ Kj0 ⊕ X. Here’s the important bit: if Bob didn’t have those two keys to
3
start, there’s no way he could retrieve Kk0 from X! This little fact is critical to
our construction for a gate.
We now describe an AND gate in full; other gates are similar. If the gate has
input wires wi , wj and output wire wk , Alice hands Bob the following values:
X0,0 = Ki0 ⊕ Kj0 ⊕ Kk0
X0,1 = Ki0 ⊕ Kj1 ⊕ Kk0
X1,0 = Ki1 ⊕ Kj0 ⊕ Kk0
X1,1 = Ki1 ⊕ Kj1 ⊕ Kk1
Now if Bob knows only one key for wi and one for wj , only one of the above
X-values will correctly decrypt to a key for wk .1
5.3.1
Problems
There are two problems with handing these X-values to Bob that we must
address.
1. If we present them in the order we have above every time, Bob might
be able to guess some of the behavior of the gates. This is easily fixed:
Alice shuffles the X-values before giving them to Bob. And of course,
she labels them a little less obviously than X0,0 , X0,1 , etc.
2. Bob can (and should) attempt to decrypt all four of the above values.
Only one of them will be correct, but how is Bob to tell which one that
is?
The answer is to use authentication: Alice provides Bob with the codes
auth(Kk0 ), auth(Kk1 ) (without, of course, telling him which is which).
After decrypting each X-value, Bob then calculates the authentication
code for each. When he sees a match with the codes Alice provided, he
knows he’s actually found a key.
5.4
Initial inputs
There is one final obstacle to the protocol. In order to start running the program,
Bob needs to provide initial input keys to evaluate the gates he has received.
There are two problems with this: Bob can’t see any input keys except the ones
he needs, for otherwise he will learn more about how the program runs, and
thus more about Alice’s inputs. Meanwhile, Alice cannot find out what input
keys Bob wants to receive, for then she will know what his input values are.
Luckily, this situation is exactly the setup for an oblivious transfer! Therefore, Alice sets up an oblivious transfer of the input keys to Bob. Bob receives
only one key for each wire corresponding to his input, without Alice knowing
which ones he picked. Now Bob simply starts plugging away, using the gate
tables Alice gave him.
1 Technically
there could be collisions, but everything’s true with high probability anyway.
4
Once Bob is done calculating, he finishes with a final key K. He then hands
this key back to Alice, who can interpret whether K corresponds to an output
of 0 or 1.
6
Limitations
We are forced to assume that Alice and Bob are both trying to keep secrets, but
are honest in all their interactions. For example, Alice could always lie about
the final answer to Bob. There are of course ways this could be improved to
account for partial dishonesty.
7
Proof of correctness
Coming after the final!
5