Fast Zero-Knowledge Proofs and Post-Quantum Signatures
Claudio Orlandi – Aarhus University
@claudiorlandi
Based on joint work with:
• Melissa Chase (Microsoft)
• David Derler (TU Graz)
• Tore Frederiksen (BIU)
• Irene Giacomelli (UW-Madison)
• Steven Goldfeder (Princeton)
• Marek Jawurek (SAP)
• Florian Kerschbaum (SAP)
• Jesper Madsen (AU)
• Jesper Buus Nielsen (AU)
• Sebastian Ramacher (TU Graz)
• Christian Rechberger (TU Graz, DTU)
• Daniel Slamanig (TU Graz)
• Greg Zaverucha (Microsoft)
Motivation: Authentication
P: "I know my password"
P → V: "I am Claudio"
P → V: "Here is my Pa55w0rD"

Motivation: Authentication
(an adversary A sits between P and V and relays the same messages)
P → A: "I am Claudio"
P → A: "Here is my Pa55w0rD"
A → V: "I am Claudio"
A → V: "Here is my Pa55w0rD"

Motivation: Zero-Knowledge Authentication
P → V: "I am Claudio"
V → P: q
P → V: a
V → P: q
P → V: a
ZK: Definitions
P(x) → V: "I know x s.t. f(x) = 1"
V → P: q
P → V: a
V → P: q
P → V: a
Only P knows x
P, V know f
• Completeness
  • P, V honest → V accepts
• Proof-of-Knowledge
  • If P does not know x → V rejects   (a P without x can only answer with some a*)
• Zero-Knowledge
  • V learns nothing about x   (even a V that asks arbitrary questions q*)
What can be proven in ZK?
Feasibility: NP, even PSPACE!
Efficiently: algebraic languages (Schnorr, …, Groth-Sahai, …)
SNARKs (generic)
• Short proofs, efficient verification :)
• Slow prover :(
• Implementations: Pinocchio, libsnark, …
This talk: Can we construct efficient proofs for non-algebraic languages such as
"I know x such that SHA(x) = y"?
Two protocols:
• ZKGC (from Garbled Circuits)
• ZKBoo (from MPC)
One application:
• Generic (post-quantum) signatures
Example: Schnorr Protocol (Go to Example: see the backup slides at the end)
The Crypto Toolbox
More efficient                                  Less efficient
OTP  >>  SKE  >>  PKE  >>  FHE  >>  Obfuscation
Weaker assumption                            Stronger assumption
Zero-Knowledge from Garbled Circuits (Jawurek, Kerschbaum, Orlandi, CCS 2013)
Zero-Knowledge vs Secure 2PC
Secure 2PC:  A holds (f, x), B holds (f, y); both learn f(x, y)
ZK:          P holds (f, x), V holds f; V learns that f(x) = 1
Garbled Circuits
Gb(f, r) → ([F], e, d)      (garble)
En(e, x) → [X]              (encode)
Ev([F], [X]) → [Y]          (evaluate)
De(d, [Y]) → y              (decode)
Correct if y = f(x)
Values in a box [·] are "garbled"
Garbled Circuits: Authenticity
Given [F] and [X] = En(e, x), whatever [y*] the evaluator outputs, De(d, [y*]) = y* with
y* = f(x)  OR  y* = ⊥
(HV)ZKGC to prove f(x) = y
Prover(x)                                   Verifier()
                                            ([F], e, d) ← Gb(f, r)
                    ←  [F]  ←
x  →  OT  ←  e      (P obtains [X] = En(e, x))
[Y] ← Ev([F], [X])
                    →  [Y]  →
                                            Accept if De(d, [Y]) = y
(HV)ZKGC to prove f(x) = y
Prover(?)                                   Verifier()
                                            ([F], e, d) ← Gb(f, r)
                    ←  [F]  ←
x*  →  OT  ←  e     (P obtains [X] = En(e, x*))
                    →  [Y*]  →
                                            De(d, [Y*]) ∈ {f(x*), ⊥}
Authenticity!
(HV)ZKGC to prove f(x) = y
Prover(x)                                   Verifier()
                                            ([G], e, d) ← Gb(g, r)
                    ←  [G]  ←
x  →  OT  ←  e      (P obtains [X])
[Y] ← Ev([G], [X])
                    →  [Y]  →
                                            Learn g(x) = De(d, [Y])
Corrupt V can change f with g, breaking ZK!
Garbled circuits with active security?
How can the verifier prove that f was garbled correctly (without breaking soundness)?
• Plenty of (costly) solutions are known for 2PC
  • Zero-Knowledge
  • Cut-and-choose
  • Etc.
• Can we do better for ZK?
ZKGC to prove f(x) = y
Prover(x)                                   Verifier()
                                            ([F], e, d) ← Gb(f, r)
                    ←  [F]  ←
x  →  OT  ←  e      (P obtains [X])
[Y] ← Ev([F], [X])
                    →  Comm([Y])  →
                    ←      r      ←
If [F] != Gb(f, r) abort
else Open([Y])
                    →  Open([Y])  →
                                            Accept if De(d, [Y]) = y
Commitment: active security using only 1 GC!
Recap: ZK based on GC
• The main idea:
  • In ZK the verifier (Bob) has no secrets!
  • After the protocol, Bob can reveal all his randomness.
  • Alice can simply check that Bob behaved honestly by redoing his entire computation.
Privacy-Free Garbled Circuits (Frederiksen, Nielsen, Orlandi, EUROCRYPT 2015)
Main idea
• In 2PC the garbler has secret input
  • GC privacy → privacy of input
• In ZK V has no input to protect
  • Can we get more efficient GC without privacy?
Yes!
Example: Privacy Free Garbling (Go to PFGC: see the backup slides at the end)
Runtime (rough estimates)
• Proof of "c = AES(k, m)" for secret k and public (c, m)
• AES: 35k gates (7k ANDs / 28k XORs)
• Communication: 204 kB (98% GC)
• Runtime:
  • OT: 29.4 ms (using Chou-Orlandi OT) (|w| = 128)
  • Garbling: 721 µs (using JustGarble GaXR)
  • Eval: 273 µs
  • Total (Garble + OT + Eval + Garble) ~31.2 ms (+ network)
Applications
• Hu, Mohassel, Rosulek: Sublinear ZK (via ORAM), Crypto 2015
• Chase, Ganesh, Mohassel: Privacy-Preserving Credentials, Crypto 2016
• Kolesnikov, Krawczyk, Lindell, Malozemoff, Rabin: Attribute-Based KE with General Policies, CCS 2016
• Baum; Katz, Malozemoff, Wang; Afshar, Mohassel, Rosulek: Input validity in 2PC, SCN 2016; ePrint; ePrint…
ZKBoo: Faster Zero-Knowledge for Boolean Circuits (Giacomelli, Madsen, Orlandi, USENIX Security 2016)
From ZKGC to ZKBoo
• ZKGC is inherently interactive (private coin, cannot use Fiat-Shamir)
• IKOS (Ishai, Kushilevitz, Ostrovsky, Sahai) proposed in 2007 a method to get ZK from MPC. Plugging in the right MPC protocol one can get ZK with very good asymptotic complexity.
• ZKBoo can be seen as a generalization, simplification and implementation of IKOS with the sole goal of practical efficiency.
New approach:
                    x
                  Share
        w^0_1     w^0_2     w^0_3
        f^1_1     f^1_2     f^1_3
        w^1_1     w^1_2     w^1_3
        f^2_1     f^2_2     f^2_3
         ...       ...       ...
        w^N_1     w^N_2     w^N_3
       Output1   Output2   Output3
         y1        y2        y3
                   Rec
                    y
Instead of MPC protocol, we speak about a (2,3)-decomposition for C:
{Share, Output1, Output2, Output3, Rec} ∪ {f^(j)_1, f^(j)_2, f^(j)_3}_{j=1,...,N}
• correct: y = C(x)
• 2-private: ∀ e ∈ [3] ∃ a PPT simulator S_e that perfectly simulates the distribution of ({w_i}_{i ∈ {e, e+1}}, y_{e+2})
To build ZKBoo, we need to find a suitable
Example: the linear decomposition
• Computation in a ring (R, +, ·)
• Share(x)
  • Get random x1, x2 ← R
  • Let x3 = x - x1 - x2
• Rec(y1, y2, y3)
  • y = y1 + y2 + y3
• Add(x1, x2, x3, y1, y2, y3)
  • z1 = x1 + y1
  • z2 = x2 + y2
  • z3 = x3 + y3
• Mul(x1, x2, x3, y1, y2, y3)
  • z1 = x1·y1 + x1·y2 + x2·y1 + r1 - r2
  • z2 = x2·y2 + x2·y3 + x3·y2 + r2 - r3
  • z3 = x3·y3 + x3·y1 + x1·y3 + r3 - r1
Correctness: z1 + z2 + z3 = (x1 + x2 + x3)(y1 + y2 + y3)
2-privacy: Any pair (zi, zi+1) is uniform random (thanks to r1, r2, r3)
ZKBoo Protocol
Public data: C : {0,1}^n → {0,1}^m (boolean circuit) and y ∈ {0,1}^m
Input: x s.t. C(x) = y

Prover(x)                                                  Verifier(y)
x → Share → (w^0_1, w^0_2, w^0_3)
(f^1_1, f^1_2, f^1_3) → (w^1_1, w^1_2, w^1_3)
(f^2_1, f^2_2, f^2_3) → (w^2_1, w^2_2, w^2_3)
...
(w^N_1, w^N_2, w^N_3) → (y1, y2, y3), Rec → y
        →  commitments to the three views, and y1, y2, y3  →
        ←                    e ∈ {1, 2, 3}                  ←
        →          open the views of parties e and e+1     →
                                                           Check consistency:
                                                           recompute the view of party e
                                                           (w^j_e for all j) from the opened
                                                           views of e and e+1, check the
                                                           opened y_e, y_{e+1} against the
                                                           committed ones, and Rec(y1,y2,y3) = y
Linear Decomposition: Consistency Check
• Mul(x1, x2, x3, y1, y2, y3, r1, r2, r3)
  • z1 = x1·y1 + x1·y2 + x2·y1 + r1 - r2
  • z2 = x2·y2 + x2·y3 + x3·y2 + r2 - r3
  • z3 = x3·y3 + x3·y1 + x1·y3 + r3 - r1
• Verify(., x2, x3, ., y2, y3, ., r2, r3)   (only the views of parties 2 and 3 are opened)
  • z1 = ?
  • z2 = x2·y2 + x2·y3 + x3·y2 + r2 - r3   (can be recomputed and checked)
  • z3 = ?
• Soundness / PoK
  • Correctness of decomposition
  • Commitments are binding
• Zero-Knowledge
  • 2-privacy of decomposition
  • Commitments are hiding
• Efficiency
  • Comm. and comp. complexity ~ #mul
  • Only very efficient crypto involved (secret sharing, commitments)
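The linear (2,3)-decomposition and one round of the ZKBoo protocol (commit to the three views, challenge e, open two views, check consistency), as an added Python example; it is not the ZKBoo implementation. It assumes the ring Z_{2^32} (the slides use a generic ring R), derives each party's Mul randomness r_i from a per-party seed with SHA-256 standing in for a PRG, commits to views with a hash and nonce, numbers the challenge e as 0, 1, 2 instead of 1, 2, 3, and uses a constructed toy circuit (x0·x1 + x2)·x0. The verifier's consistency check is the one from the slide: with the views of parties e and e+1 it recomputes every wire of party e, while the wires of party e+2 stay unknown.

```python
# Added example (not the ZKBoo implementation): linear (2,3)-decomposition and one ZKBoo round.
# Assumptions: ring Z_{2^32}; SHA-256 as PRG for the Mul randomness; hash commitments; e in {0,1,2}.
import hashlib
import secrets

MOD = 2**32

def share(x):
    """Share(x): random x1, x2 <- R, x3 = x - x1 - x2."""
    x1, x2 = secrets.randbelow(MOD), secrets.randbelow(MOD)
    return [x1, x2, (x - x1 - x2) % MOD]

def rec(y):
    """Rec(y1, y2, y3) = y1 + y2 + y3."""
    return sum(y) % MOD

def add(x, y):
    """Add: z_i = x_i + y_i, purely local."""
    return [(xi + yi) % MOD for xi, yi in zip(x, y)]

def mul(x, y, r):
    """Mul: z_i = x_i*y_i + x_i*y_j + x_j*y_i + r_i - r_j with j = i+1 mod 3."""
    return [(x[i]*y[i] + x[i]*y[(i+1) % 3] + x[(i+1) % 3]*y[i] + r[i] - r[(i+1) % 3]) % MOD
            for i in range(3)]

def prg(seed, k):
    """k-th ring element derived from a party's seed (SHA-256 standing in for a PRG)."""
    return int.from_bytes(hashlib.sha256(seed + k.to_bytes(4, "big")).digest()[:4], "big")

# A circuit is (n_inputs, gates); gate k = ("add"|"mul", wire_a, wire_b) outputs wire n_inputs + k.
# The last wire is the output. Constructed toy circuit: (x0*x1 + x2)*x0.
CIRCUIT = (3, [("mul", 0, 1), ("add", 3, 2), ("mul", 4, 0)])

def plain_eval(circuit, x):
    n, gates = circuit
    w = list(x)
    for op, a, b in gates:
        w.append((w[a] + w[b]) % MOD if op == "add" else (w[a] * w[b]) % MOD)
    return w[-1]

def prover_views(circuit, x):
    """Run the three 'parties' in lockstep. view_i = (seed_i, input shares_i, all wires_i)."""
    n, gates = circuit
    seeds = [secrets.token_bytes(16) for _ in range(3)]
    W = [[], [], []]
    for xi in x:
        for i, s in enumerate(share(xi)):
            W[i].append(s)
    for k, (op, a, b) in enumerate(gates):
        xa = [W[i][a] for i in range(3)]
        xb = [W[i][b] for i in range(3)]
        z = add(xa, xb) if op == "add" else mul(xa, xb, [prg(seeds[i], k) for i in range(3)])
        for i in range(3):
            W[i].append(z[i])
    return [(seeds[i], W[i][:n], W[i]) for i in range(3)]

def replay_party(circuit, view_e, view_next):
    """Consistency check: recompute party e's wires from its view and party e+1's view only."""
    n, gates = circuit
    seed_e, in_e, _ = view_e
    seed_j, _, W_j = view_next
    W = list(in_e)
    for k, (op, a, b) in enumerate(gates):
        if op == "add":
            W.append((W[a] + W[b]) % MOD)
        else:
            ri, rj = prg(seed_e, k), prg(seed_j, k)
            W.append((W[a]*W[b] + W[a]*W_j[b] + W_j[a]*W[b] + ri - rj) % MOD)
    return W

def commit(view, nonce):
    return hashlib.sha256(nonce + repr(view).encode()).hexdigest()

def zkboo_commit(circuit, x):
    """a = Com(r, x): the three output shares in the clear plus commitments to the three views."""
    views = prover_views(circuit, x)
    nonces = [secrets.token_bytes(16) for _ in range(3)]
    a = ([v[2][-1] for v in views], [commit(v, nn) for v, nn in zip(views, nonces)])
    return a, (views, nonces)

def zkboo_open(e, state):
    """z = Open(r, x, e): reveal the views of parties e and e+1."""
    views, nonces = state
    return [(views[i], nonces[i]) for i in (e % 3, (e + 1) % 3)]

def zkboo_verify(circuit, y, a, e, z):
    """Ver(a, e, z): reconstruction, commitments, opened outputs, then replay party e."""
    ys, coms = a
    if rec(ys) != y:
        return False
    for i, (view, nonce) in zip((e % 3, (e + 1) % 3), z):
        if commit(view, nonce) != coms[i] or view[2][-1] != ys[i]:
            return False
    return replay_party(circuit, z[0][0], z[1][0]) == z[0][0][2]
```

A single round lets a cheating prover survive with probability 2/3 (it only needs two of the three view pairs to be consistent), which is why ZKBoo repeats the round many times in parallel to reach the soundness errors quoted on the results slide.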
Implementation Results
                 SHA-1               SHA-256
                 Serial    Paral.    Serial    Paral.
Prover (ms)      31.73     12.73     54.63     15.95
Verifier (ms)    22.85      4.39     67.74     13.20
Proof size (KB)  444.18              835.91
Soundness error: 2^-80

                 SHA-1               SHA-256
                 Serial    Paral.    Serial    Paral.
Prover (ms)      18.98      8.12     30.81     12.45
Verifier (ms)    11.68      2.35     34.16      6.77
Proof size (KB)  223.71              421.01
Soundness error: 2^-40

Implementation available at https://github.com/Sobuno/ZKBoo
Post-Quantum Zero-Knowledge and Signatures from Symmetric-Key Primitives (Chase, Derler, Goldfeder, Orlandi, Ramacher, Rechberger, Slamanig, Zaverucha, ACM CCS 2017)
Fiat-Shamir Heuristic
"I know x s.t. f(x) = y"
Interactive:
  P(x) → V(y):  a = Com(r, x)
  V → P:        e ← (1..n)
  P → V:        z = Open(r, x, e)
  V:            Reject if Ver(a, e, z) = 0
Non-interactive (Fiat-Shamir):
  P(x):   a = Com(r, x);  e = H(a);  z = Open(r, x, e);  send (a, z)
  V(y):   Reject if Ver(a, e, z) = 0 with e = H(a)
Signatures from Fiat-Shamir
• Gen
  • sk: x
  • vk: y = OWF(x)
• Sig(sk, m)
  • a = Com(r, x)
  • z = Open(r, x, H(m, a))
  • output (a, z)
• Ver(vk, m, (a, z))
  • reject if Ver(a, H(m, a), z) = 0
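The Gen/Sig/Ver triple above instantiated with the Schnorr protocol from the backup slides, as an added Python example (not the slides' or Picnic's code). It assumes a constructed toy group p = 1019 = 2q + 1, q = 509, g = 4 of order q, reduces exponents mod q, and uses SHA-256 for H(m, a), reduced into Z_q; the one-way function is x ↦ g^x.

```python
# Added example (not from the slides): Fiat-Shamir signatures from the Schnorr protocol.
# Toy group (assumption): p = 1019, q = 509, g = 4 of order q; exponents mod q.
import hashlib
import secrets

P, Q, G = 1019, 509, 4

def hash_challenge(m: bytes, a: int) -> int:
    """e = H(m, a): SHA-256 of the message and the commitment, reduced into Z_q."""
    return int.from_bytes(hashlib.sha256(m + a.to_bytes(2, "big")).digest(), "big") % Q

def gen():
    """Gen: sk = x, vk = y = OWF(x) = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def sig(sk, m):
    """Sig(sk, m): a = Com(r, x) = g^r, z = Open(r, x, H(m, a)) = x*e + r, output (a, z)."""
    r = secrets.randbelow(Q)
    a = pow(G, r, P)
    e = hash_challenge(m, a)
    z = (sk * e + r) % Q
    return a, z

def ver(vk, m, signature):
    """Ver(vk, m, (a, z)): recompute e = H(m, a) and run the Schnorr check g^z == vk^e * a."""
    a, z = signature
    e = hash_challenge(m, a)
    return pow(G, z, P) == (pow(vk, e, P) * a) % P
```

Binding the message into the challenge is what turns the identification protocol into a signature: a transcript produced for one message does not verify as a signature on another, because the challenge changes with m.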
Signatures from ZKB++ + LowMC
Candidate for PQ signature from symmetric primitive only!
LowMC: block cipher with low AND complexity (<1000)
Different instances give different tradeoffs between comp./comm. overhead
Picnic: Security in QROM using Unruh's Transform
• Fiat-Shamir is not provably secure vs. quantum adversary
  • Cannot program RO
  • Cannot rewind adversary
• Unruh transform (EUROCRYPT '15) is secure in QROM
  • ZKBoo/ZKB++ can be optimized for Unruh, only ~1.5x larger!
    • Instead of 4x
Fiat-Shamir:                Unruh:
  a                           a' = (a, G(z0), G(z1), G(z2))
  e = H(a)                    e = H(a')
  z_e                         z_e
Flexible design! Ring/Group Signatures
• Sign(pk0, pk1, skb, m) → s
• Ver(pk0, pk1, m, s) → accept
• Indistinguishability: Sign(pk0, pk1, sk0, m) ≈ Sign(pk0, pk1, sk1, m)
• Prove in ZK that "I know sk : pk0 = f(sk) or pk1 = f(sk)"
• See
  • PQ ZK Proofs for Accumulators with Applications to Ring Signatures from Symmetric-Key Primitives, Derler, Ramacher, Slamanig
  • PQ EPID Group Signatures from Symmetric Primitives, Boneh, Eskandarian, Fisch
  • Improved NIZK with Applications to PQ Signatures, Katz, Kolesnikov, Wang
Young design! ZK proofs are improving! ZKBoo, ZKB++, Ligero, KKW, …
• Any improvement in the ZK proof leads to better signatures!
• Ligero: Lightweight Sublinear Arguments Without a Trusted Setup, Ames, Hazay, Ishai, Venkitasubramaniam
• Improved NIZK with Applications to PQ Signatures, Katz, Kolesnikov, Wang
Figure from KKW
NIST Submission:
Picnic: A Family of Post-Quantum Secure Digital Signature Algorithms
Project page: https://microsoft.github.io/Picnic/
(Next few slides from Greg's talk at NIST Workshop)
Chase, Derler, Goldfeder, Orlandi, Ramacher, Rechberger, Slamanig, Zaverucha
Also, experiments with HSM and inclusion in OpenVPN Post-Quantum fork
Conclusions and directions
After >30 years of ZK we have the first truly efficient protocols for generic statements.
Many applications are enabled by efficient ZK for arbitrary circuits.
And I expect many more to come!
ZKGC vs ZKBoo?
• ZKBoo allows Fiat-Shamir :)
• ZKBoo does not need OT :)
The end of ZKGC?
• Are there better privacy-free GCs?
Improving MPC-based ZK proofs?
• ZKBoo, ZKB++, Ligero, KKW, [your name here?]
Example: Schnorr Protocol
P(x)                                         V
"I know x s.t. g^x = h"
r ← (1, p)
                  →  a = g^r  →
                                             e ← (1, p)
                  ←     e     ←
                  →  z = xe + r  →
                                             if h^e · a = g^z: accept
                                             else: reject

(Honest Verifier) Zero-Knowledge
The transcript can be simulated without knowing x (hence, it contains no information about x)
Simulator
1. Pick e ← (1, p)
2. Pick z ← (1, p)
3. Compute a = g^z / h^e   (so that h^e · a = g^z)
4. Output (a, e, z)

Completeness
g^z = g^(xe+r) = h^e · g^r = h^e · a

Proof-of-Knowledge
Special Soundness: From two accepting transcripts (a1, e1, z1), (a2, e2, z2) with a1 = a2 we can extract x.
Solve: z1 = x·e1 + r, z2 = x·e2 + r
(P can answer 2 different challenges → P knows x)
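The Schnorr protocol with its honest-verifier simulator and its special-soundness extractor, as an added Python example (not from the slides). It assumes a constructed toy group p = 1019 = 2q + 1, q = 509, g = 4 of order q, and reduces exponents mod q where the slides write r, e ← (1, p); the extractor solves the two linear equations z1 = x·e1 + r, z2 = x·e2 + r for x.

```python
# Added example (not from the slides): Schnorr prover/verifier, HVZK simulator, PoK extractor.
# Toy group (assumption): p = 1019, q = 509, g = 4 of order q; exponents mod q.
import secrets

P, Q, G = 1019, 509, 4

def keygen():
    """Secret x and public h = g^x."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def prover_commit(x):
    """r <- Z_q, a = g^r."""
    r = secrets.randbelow(Q)
    return r, pow(G, r, P)

def prover_respond(x, r, e):
    """z = x*e + r."""
    return (x * e + r) % Q

def verify(h, a, e, z):
    """Accept iff h^e * a == g^z."""
    return (pow(h, e, P) * a) % P == pow(G, z, P)

def simulate(h):
    """HVZK simulator: choose e and z first, then a = g^z / h^e; no x is needed."""
    e, z = secrets.randbelow(Q), secrets.randbelow(Q)
    a = pow(G, z, P) * pow(pow(h, e, P), -1, P) % P
    return a, e, z

def extract(e1, z1, e2, z2):
    """Special soundness: from (a, e1, z1), (a, e2, z2) recover x = (z1 - z2) / (e1 - e2)."""
    return (z1 - z2) * pow((e1 - e2) % Q, -1, Q) % Q

def run_honest(x, h):
    """One interactive run with an honest verifier."""
    r, a = prover_commit(x)
    e = secrets.randbelow(Q)
    return verify(h, a, e, prover_respond(x, r, e))

def demo_extract(x, h):
    """Rewind the prover: same commitment a, two different challenges (constructed: 17 and 23)."""
    r, a = prover_commit(x)
    e1, e2 = 17, 23
    z1, z2 = prover_respond(x, r, e1), prover_respond(x, r, e2)
    assert verify(h, a, e1, z1) and verify(h, a, e2, z2)
    return extract(e1, z1, e2, z2)
```

The simulated triple (a, e, z) passes the same check as a real one, which is the zero-knowledge argument on the slide; the extractor is the proof-of-knowledge argument, and it only works because the prover was made to answer two challenges for one a.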
Example: Privacy Free Garbling
Garbling a Circuit: ([F], e, d) ← Gb(f)
• Choose 2 random keys X_i^0, X_i^1 for each input wire
• For each gate g compute
  • (gg, K0, K1) ← Gb(g, L0, L1, R0, R1)
• Output
  • e = (X_i^0, X_i^1) for all input wires
  • d = (Y0, Y1)
  • [F] = (gg_i) for all gates i
(Figure: input wires carry (X1^0, X1^1), (X2^0, X2^1), …; each gate takes (L0, L1), (R0, R1) and outputs (K0, K1); the output wire carries (Y0, Y1).)

Encoding and Decoding
[X] = En(e, x)
• e = {X_i^0, X_i^1}
• x = {x1, …, xn}
• [X] = {X1^(x1), …, Xn^(xn)}
y = De(d, [Y])
• d = {Y0, Y1}
• [Y] = {K}
• y =
  • 0 if K = Y0,
  • 1 if K = Y1,
  • "abort" else

Evaluating a GC: [Y] ← Ev([F], [X])
• Parse [X] = {X1, …, Xn}   // x is known
• Parse [F] = {gg_i}
• For each gate i compute
  • K_(g(a,b)) ← Ev(gg_i, L, a, R, b)   // a, b known!
• Output
  • Y   // y is known!
(Figure: keys X1, X2, … enter gates gg_1, gg_2, …, gg_n; each gate takes keys L, R and outputs K; the last gate outputs Y.)

Notation
• A (privacy-free) garbled gate is a gadget that given two input keys gives you the right output key (and nothing else)
• (gg, Z0, Z1) ← Gb(g, L0, L1, R0, R1)
• Z_(g(a,b)) ← Ev(gg, L, a, R, b)
  • // and not Z_(1-g(a,b))
(Figure: gate gg with input keys (L0, L1), (R0, R1) and output keys (Z0, Z1).)
Yao Garbling
Gate with input wires L, R and output wire K; garbled gate C:
C1 = H(L0, R0) ⊕ K0
C2 = H(L0, R1) ⊕ K0
C3 = H(L1, R0) ⊕ K0
C4 = H(L1, R1) ⊕ K1
If output is 0 the evaluator should not know why!!!

Privacy-Free Garbling
Evaluator knows plain inputs/outputs
C1 = H(L0, R0) ⊕ K0
C2 = H(L0, R1) ⊕ K0
C3 = H(L1, R0) ⊕ K0
C4 = H(L1, R1) ⊕ K1

Privacy-Free Garbling
C1 = H(L0) ⊕ K0
C2 = H(L0) ⊕ K0
C3 = H(L1, R0) ⊕ K0
C4 = H(L1, R1) ⊕ K1
C1 = C2

Privacy-Free Garbling
Output is 0 if either input is 0
C1 = H(L0) ⊕ K0
C3 = H(R0) ⊕ K0
C4 = H(L1, R1) ⊕ K1

Privacy-Free Garbling
K0 = H(L0)
C = H(R0) ⊕ K0
K1 = H(L1, R1)
Standard "row-reduction" technique
Only 1 ciphertext!

Privacy-Free Evaluation
gg: C = H(R0) ⊕ K0
Eval(gg, L, a, R, b)
• If a = 0
  • Output K0 = H(L0)
• If b = 0
  • Output K0 = C ⊕ H(R0)
• else
  • Output K1 = H(L1, R1)
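The privacy-free AND gate just derived (K0 = H(L0), C = H(R0) ⊕ K0, K1 = H(L1, R1)) used inside the ZKGC protocol from the slide "ZKGC to prove f(x) = y" (verifier garbles with randomness r, prover evaluates and commits to [Y], verifier reveals r, prover re-garbles to check [F] and then opens), as an added Python example that is not the authors' code. Assumptions: H is SHA-256 truncated to 128-bit keys, all of the garbler's randomness is derived from a 16-byte seed r, the OT is simulated in the clear (a real OT hands P only the keys for its own input bits without V learning x), the constructed circuit contains AND gates only, and the commitment is a hash with a nonce.

```python
# Added example (not the authors' code): privacy-free garbled AND gates and the ZKGC flow.
# Assumptions: H = SHA-256 truncated to 16 bytes; garbler randomness from a seed r;
# OT simulated in the clear; AND gates only; hash-and-nonce commitment.
import hashlib
import secrets

KEYLEN = 16

def H(*parts):
    return hashlib.sha256(b"".join(parts)).digest()[:KEYLEN]

def xor(a, b):
    return bytes(u ^ v for u, v in zip(a, b))

def gb_gate(L0, L1, R0, R1):
    """Privacy-free AND gate: K0 = H(L0), C = H(R0) xor K0, K1 = H(L1, R1). One ciphertext."""
    K0, K1 = H(L0), H(L1, R1)
    return xor(H(R0), K0), K0, K1          # (gg, K0, K1)

def ev_gate(gg, L, a, R, b):
    """Eval(gg, L, a, R, b): the evaluator knows the plaintext inputs a, b."""
    if a == 0:
        return H(L)                        # K0 = H(L0)
    if b == 0:
        return xor(gg, H(R))               # K0 = C xor H(R0)
    return H(L, R)                         # K1 = H(L1, R1)

# A circuit is (n_inputs, gates); gate k = (left_wire, right_wire) is an AND gate whose
# output is wire n_inputs + k; the last wire is the circuit output.
CIRCUIT = (3, [(0, 1), (3, 2)])            # constructed: f(x) = (x0 AND x1) AND x2

def gb(circuit, r):
    """([F], e, d) <- Gb(f, r): two keys per input wire, then one ciphertext per gate."""
    n, gates = circuit
    keys = {i: (H(r, b"in", bytes([i, 0])), H(r, b"in", bytes([i, 1]))) for i in range(n)}
    F = []
    for k, (l, rr) in enumerate(gates):
        gg, K0, K1 = gb_gate(*keys[l], *keys[rr])
        F.append(gg)
        keys[n + k] = (K0, K1)
    return F, [keys[i] for i in range(n)], keys[n + len(gates) - 1]

def plain_eval(circuit, x):
    n, gates = circuit
    w = list(x)
    for l, rr in gates:
        w.append(w[l] & w[rr])
    return w[-1]

def ev(circuit, F, X, x):
    """[Y] <- Ev([F], [X]); privacy-free, so the evaluator also knows x and every wire value."""
    n, gates = circuit
    w, K = list(x), list(X)
    for gg, (l, rr) in zip(F, gates):
        K.append(ev_gate(gg, K[l], w[l], K[rr], w[rr]))
        w.append(w[l] & w[rr])
    return K[-1]

def de(d, Y):
    """De(d, [Y]): 0, 1 or None (abort) depending on which output key was produced."""
    return 0 if Y == d[0] else 1 if Y == d[1] else None

def zkgc(circuit, x, y, v_garbles=None):
    """One ZKGC run proving f(x) = y. A cheating verifier may garble another circuit
    (v_garbles). Returns (prover_aborted, verifier_accepts)."""
    r = secrets.token_bytes(16)
    F, e, d = gb(v_garbles or circuit, r)           # V: ([F], e, d) <- Gb(f, r), sends [F]
    X = [e[i][xi] for i, xi in enumerate(x)]        # OT: P obtains [X] = En(e, x)
    Y = ev(circuit, F, X, x)                        # P: [Y] <- Ev([F], [X])
    nonce = secrets.token_bytes(16)
    com = H(nonce, Y)                               # P sends Comm([Y])
    if gb(circuit, r)[0] != F:                      # V reveals r; P checks [F] == Gb(f, r)
        return True, False                          # abort: V did not garble f
    assert H(nonce, Y) == com                       # P opens [Y]; V checks the commitment
    return False, de(d, Y) == y                     # V accepts iff De(d, [Y]) = y
```

Authenticity is what makes the reject cases work: a prover whose input gives f(x) = 0 only ever obtains K0 = H(L0) or C ⊕ H(R0), never K1 = H(L1, R1), so it cannot open a [Y] that decodes to 1; and the re-garbling check is the reason a verifier that garbles some g instead of f is caught before anything about x leaks through De(d, [Y]).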