(DRAFT) Garbled Circuits for Three-Party Computation

Imagine a group of people have some private data, and they want to jointly compute a function of their private data, without sharing any of the data. Maybe they want to know the median of their salaries, without anyone revealing their own. Maybe a group of doctors wants to collaborate on a statistical study, without sharing any data about individual patients. This is the problem that multiparty computation solves.

If you haven't thought about this before, you'll want to start with the special case of two-party computation, which rests on Yao's garbled circuits protocol and a technique called oblivious transfer. This post by Gubsheep walks you through understanding how you would discover the protocol on your own. If you just want to see the protocol, Vitalik's post is also very good.

In this post I'm going to explain how to upgrade two-party computation to handle computations between three (or more) people, still using the basic idea of garbled circuits.

For this post, we're going to assume that all three parties carry out the protocol honestly… One could ask for stronger security guarantees. There are lots of different 3PC protocols, with different tradeoffs among security and complexity. There are also lots of good ideas that we won't get into in this blog post – for example, "cut-and-choose".

A three-party version of oblivious transfer

Alice has 4 messages:

m_{00}, m_{01}, m_{10}, m_{11}

. Bob and Carol each have a private bit – call them

b

and

c

. Alice wants to transmit

m_{b c}

to Carol, in such a way that:

Alice learns neither
$b$ nor
$c$
Bob learns neither
$c$ nor any information about the messages, and
Carol learns neither
$b$ nor any information about the other three messages.

If you've seen plain vanilla two-party oblivious transfer, it's not hard to come up with a protocol. Here's one:

Alice randomly generates four symmetric encryption keys – two for Bob (
${Bobkey}_{0}$ and
${Bobkey}_{1}$ ) and two for Carol (
${Carkey}_{0}$ and
${Carkey}_{1}$ ).
Alice performs a classical (two-party) oblivious transfer with Bob, sending him
${Bobkey}_{b}$ ; Alice performs another OT with Carol, sending her
${Carkey}_{c}$ .
Alice sends Bob this table.

(b, c)
(0, 0)	${Enc}_{{Bobkey}_{0}} ({Enc}_{{Carkey}_{0}} (m_{00}))$
(0, 1)	${Enc}_{{Bobkey}_{0}} ({Enc}_{{Carkey}_{1}} (m_{01}))$
(1, 0)	${Enc}_{{Bobkey}_{1}} ({Enc}_{{Carkey}_{0}} (m_{10}))$
(1, 1)	${Enc}_{{Bobkey}_{1}} ({Enc}_{{Carkey}_{1}} (m_{11}))$

Bob uses
${Bobkey}_{b}$ to decrypt the two messages
${Enc}_{{Carkey}_{0}} (m_{b 0})$ and
${Enc}_{{Carkey}_{1}} (m_{b 1})$ , and sends them both to Carol.
Carol uses
${Carkey}_{c}$ to decrypt the one message
$m_{b c}$ .

Why is this secure?

Alice doesn't learn anything about
$b$ and
$c$ because nobody sends her any messages (except as part of the original OT protocol, which we know is secure).
Bob doesn't learn anything about
$c$ because Carol never sends him any messages. He doesn't learn anything about any of the encrypted messages
$m_{i j}$ because he doesn't know
${Carkey}_{0}$ or
${Carkey}_{1}$ .
Carol doesn't learn anything about
$b$ because she only sees
${Enc}_{{Carkey}_{0}} (m_{b 0})$ and
${Enc}_{{Carkey}_{1}} (m_{b 1})$ . She doesn't learn anything about the two messages
$m_{i 0}$ and
$m_{i 1}$ for
$i \neq b$ because she never sees them, even in encrypted form; she doesn't learn the third message
$m_{b k}$ for
$k \neq c$ because she doesn't have the key to decrypt it.

Toward a 3PC Protocol

Let's make a couple of observations.

What if Bob and Carol each have 2 bits (
$b_{0}, b_{1}, c_{0}, c_{1}$ ), Alice has
$2^{4} = 16$ messages (
$m_{0000}, m_{0001}, \dots, m_{1111}$ ), and Alice wants to send Carol only the single message
$m_{b_{0}, b_{1}, c_{0}, c_{1}}$ determined by Bob's 2 bits and Carol's 2 bits?

To make this work, Alice needs to give Bob (and Carol, but we'll focus on Bob for now) a

Bobkey

for each of his two bits. So Alice chooses at random 4 symmetric keys,

{Bobkey}_{0, 0}, {Bobkey}_{0, 1}, {Bobkey}_{1, 0}, {Bobkey}_{1, 1}

. Using two OTs, Alice transfers to Bob the key

{Bobkey}_{0, b_{0}}

corresponding to his first bit and the key

{Bobkey}_{1, b_{1}}

corresponding to his second bit. Now Bob computes a symmetric key

Bobkey = Hash ({Bobkey}_{0, b_{0}}, {Bobkey}_{1, b_{1}})

. Alice does the same with Carol.

Now there are four possibilities for

Bobkey

and four possibilities for

Carkey

, and Alice knows all of them. So Alice can publish a table – just like the table above, but with 16 rows – and at the end of the protocol, Carol learns only the one value she's supposed to.

In the actual protocol, Bob has 3 bits

(b_{0}, b_{1}, b_{2})

, Carol has 2 bits

(c_{0}, c_{1})

, and Alice's table has

2^{5} = 32

rows.

Secret shares

Just like in the 2PC protocol, each bit

x_{i}

– each "wire" in the circuit – will be jointly held by Alice, Bob, and Carol, in the form of "secret shares". In other words: Alice will hold a bit

a_{i}

, Bob

b_{i}

, and Carol

c_{i}

, with the property that

a_{i} \oplus b_{i} \oplus c_{i} = x_{i}

In our protocol, Alice and Bob will choose her bit

a_{i}

at random. We might as well as choose Bob's shares

b_{i}

of gate output bits by simply setting them all equal to

b_{1}

, Bob's first input bit. (This lets Alice send Bob his keys without using extra oblivious transfers.) And then

c_{i}

will be determined from the inputs to the gate,

a_{i}

and

b_{i}

, by the rule

c_{i} = a_{i} \oplus b_{i} \oplus x_{i}

The Protocol

Just as in the usual 2PC garbled circuits protocol, Alice sets up the initial "garbling" of the circuit.

We set up some notation first. Number Bob's inputs

b_{1}, \dots, b_{m}

and

c_{m + 1}, \dots, c_{m + r}

. Number the gates

G_{m + r + 1}, \dots, G_{m + r + n}

, in some order (so that the inputs to each

G_{i}

are either inputs to the circuit, or outputs of previous gates).

Let's call all the bits (wires) in the circuit

x_{1}, \dots, x_{m + r + n}

. So

x_{1}, \dots, x_{m}

is just another name for Bob's inputs

b_{1}, \dots, b_{m}

, and similarly for Carol's inputs. We'll call

a_{i}, b_{i}, c_{i}

the three parties' shares of the bit

x_{i}

For each gate
$G_{i}$ , Alice chooses at random her share
$a_{i}$ of the output bit
$x_{i}$ .
For each bit to be held by either Bob or Carol (this includes both their input bits to the circuit, and their shares of intermediate bits
$x_{i}$ ), Alice chooses at random two keys, one for each value of the bit. So: for each
$b_{i}$ , Alice chooses
${Bobkey}_{i, 0}$ and
${Bobkey}_{i, 1}$ . Similarly for Carol's bits
$c_{i}$ .
- For Bob's shares of output bits, since we know
  $b_{i} = b_{1}$ , we'll just use the same keys for Bob. So
  ${Bobkey}_{i, b} = {Bobkey}_{1, b}$ .
For each gate
$G_{i}$ , Alice makes a 32-row table. Let
$x_{j}$ and
$x_{k}$ be the inputs to gate
$G_{i}$ . Then the table has the form:

(b_i, b_j, b_k, c_j, c_k)	${Enc}_{Hash ({Bobkey}_{i, b_{i}}, {Bobkey}_{j, b_{j}}, {Bobkey}_{k, b_{k}})} ({Enc}_{Hash ({Carkey}_{j, c_{j}}, {Carkey}_{k, c_{k}})} (c_{i} := x_{i} \oplus a_{i} \oplus b_{i}, {Carkey}_{i, c_{i}})) .$

For each of Bob's and Carol's inputs
$b_{i}$ and
$c_{i}$ , Alice sends Bob and Carol the keys
${Bobkey}_{i, b_{i}}$ and
${Carkey}_{i, c_{i}}$ by oblivious transfer – this is one OT per input bit to the circuit. (Note that Bob knows his keys for the whole circuit now, since they are all the same as his key
${Bobkey}_{1, b_{1}}$ .)
Bob goes through each gate
$G_{i}$ in order and uses his known key to decrypt the 4 rows of the table with his known values
$b_{i}, b_{j}, b_{k}$ . Bob then sends to Carol the 4 encrypted values
${Enc}_{Hash ({Carkey}_{j, c_{j}}, {Carkey}_{k, c_{k}})} (c_{i} := x_{i} \oplus a_{i} \oplus b_{i}, {Carkey}_{i, c_{i}}) .$
Carol goes through the gates in order. For each gate
$i$ , she uses the known keys
${Carkey}_{j, c_{j}}, {Carkey}_{k, c_{k}}$ to decrypt both
$c_{i}$ and
${Carkey}_{i, c_{i}}$ .
In the end, Carol computes her output bit
$c_{n}$ . She, Alice and Bob share their three bits
$a_{n}, b_{n}, c_{n}$ to determine the final output
$x_{n} = a_{n} \oplus b_{n} \oplus c_{n}$ .

Security

First of all, notice that until the very last step information only ever travels from Alice –> Bob –> Carol. So (if the three parties don't communicate outside the protocol) Alice can't learn anything about Bob's or Carol's inputs, and Bob can't learn anything about Carol's.

Bob doesn't learn anything about Alice's inputs, either, since he only ever sees encrypted messages. And Carol only ever learns the bits

c_{i}

, which are guaranteed to be uniformly random, because they are computed by

c_{i} = a_{i} \oplus stuff

, and

a_{i}

is chosen uniformly at random.

But there's a more interesting question: If two of Alice, Bob and Carol team up, can they learn the third person's inputs?

Alice and Bob can't learn anything about Carol's inputs, because Carol never sends them any messages.

What can Bob and Carol learn? Even if they collaborate, they can't possibly learn more than the one row from each table. So they can learn

b_{i}

and

c_{i}

for each

i

, but again that tells them nothing they didn't already know, because Bob chose

b_{i}

and

a_{i}

is random.

Alice and Carol can learn something, though. If Carol tells Alice which row of the table Bob sent her, Alice can work out Bob's bit

b_{i}

. But

b_{i}

was the same as Bob's input bit

b_{1}

. Even worse, once they know

b_{1}

, they can figure out

x_{i}

for every

i

Things get even worse if the players don't carry out the protocol honestly. Bob and Carol are constrained by the encryption: they only ever find out one key per bit, so they can only read the "correct" row of the table. But our protocol relies on Alice to garble the circuit correctly in the first place. Nothing stops a malicious Alice from writing any circuit she pleases.

We'll leave this as an example of a 3PC protocol and the level of security it affords – but if you want to know more, read about the "cut and choose" method.

(DRAFT) Garbled Circuits for Three-Party Computation

A three-party version of oblivious transfer

Toward a 3PC Protocol

Secret shares

The Protocol

Security

Read more

Folding for Arbitrary Polynomial Custom Gates and Lookups

Origami -- A Folding Scheme for Halo2 Lookups