PV-GC TLDR;

In this research we aim to combine the Authenticated Garbling and VOLE-in-the-Head techniques to make Garbled Circuits publicly verifiable.

We are working on a C++ prototype of our protocol, which puts together the code bases of emp-ag2pc (Authenticated Garbling) and faest (VOLE-in-the-Head).

Introduction to Garbled Circuit

The Garbled Circuit (GC) protocol involves two parties, called the Garbler (G) and the Evaluator (E). In GC-based MPC, the Garbler G encrypts (garbles) the circuit and sends the encrypted circuit C along with the decryption keys that correspond to G's private inputs (these look random to the Evaluator E). The Evaluator E obtains the decryption keys that correspond to its own private input via Oblivious Transfer, without the Garbler G learning which keys were obtained. The Evaluator E can then decrypt the garbled circuit C to obtain the final result (and send it back to the Garbler G if necessary). GC-based MPC is constant-round, so network latency is not an important factor here. The bottleneck in this approach is the size of the garbled circuit C, and thus network bandwidth is key to the scalability of GC-based MPC.

For more information also see an in-depth description of Garbled Circuit: Primer to GC and Optimizations + (Generalized) Half-Gate Optimization.

Authenticated Garbling

Authenticated Garbling is a technique in which the Evaluator can "authenticate" the garbled circuit sent by the Garbler, so that it can detect any deviation from the protocol and abort if necessary.

  • Authenticated shared bits: 2 instances of VOLE (between A and B) for $v = a\beta + c$ (A sender) and $w = b\alpha + d$ (B sender); during evaluation of the $i$-th wire (output $z_i = x_i y_i$), B learns $a_i + b_i + z_i$

  • Authenticated parallel AND (*) (circuit independent): use the VOLE instances to come up with


  • Authenticated circuit wires (circuit dependent) via Authenticated Garbling:


  • For XOR: trivial, just XOR the authenticated bits (done locally by the evaluator, without communication)

  • For AND:

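    • Gate $G(i,j,k)$, where $i$ and $j$ are the indices of the inputs and $k$ is the index of the output
    • $\hat{a}_k, \hat{b}_k$ are authenticated bit shares of $(a_i+b_i)(a_j+b_j)$
    • $\lambda_k = a_k + b_k$
    • $\hat{\lambda}_k = \hat{a}_k + \hat{b}_k$
    • Both parties need to know $\lambda_i + z_i$; then they can compute $z_i z_j + \lambda_k = \lambda_k + \hat{\lambda}_k + (z_i+\lambda_i)\lambda_j + (z_j+\lambda_j)\lambda_i + (z_i+\lambda_i)(z_j+\lambda_j)$
    • B can evaluate, and then A sends $z_i z_j + \lambda_k$ and B verifies that it equals $z_k + \lambda_k$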
  • How to compute $\lambda_i + z_i$:

    • WRK (base version, focused on authentication)
      • A computes a table for all four cases of ($\lambda_i + z_i$, $\lambda_j + z_j$, $z_i z_j + \lambda_k$)
      • two GCs, one for evaluation (normal GC) and one for authentication (uses the mask $\lambda$ and hides only $z_i + \lambda_i$ and $z_i z_j + \lambda_k$)
    • KKRW
      • use half gates for the 1st GC
      • add one communication round to enable batching of correct garbling (less communication in total)

On how to generate the VOLE instances

See more at: Authenticated Garbling for Active Secure Garbled (Boolean Circuit)

VOLE-in-the-Head

Paper

VOLE-in-the-Head (VOLEitH) is a technique that allows the generation of publicly verifiable VOLE instances. VOLEitH makes use of an All-but-One Vector Commitment.

To open one seed $\mathsf{sd}_i$, one can simply send its path siblings.
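How path siblings work in an all-but-one opening over a GGM seed tree, as an added C++ example that is not code from faest or from the prototype. It assumes the usual binary-tree construction, uses a toy non-cryptographic PRG, and leaves out the leaf commitments; all function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Toy PRG step (splitmix64 finalizer). NOT cryptographic; stands in for a real length-doubling PRG.
static uint64_t mix(uint64_t x) {
    x += 0x9E3779B97F4A7C15ULL;
    x = (x ^ (x >> 30)) * 0xBF58476D1CE4E5B9ULL;
    x = (x ^ (x >> 27)) * 0x94D049BB133111EBULL;
    return x ^ (x >> 31);
}
static uint64_t child(uint64_t seed, int bit) { return mix(mix(seed) ^ uint64_t(bit)); }

// Prover: heap-indexed tree, node 1 = root, leaf seeds at N..2N-1 (N = 2^d).
std::vector<uint64_t> expand(uint64_t root, int d) {
    size_t N = size_t(1) << d;
    std::vector<uint64_t> node(2 * N, 0);
    node[1] = root;
    for (size_t n = 1; n < N; ++n) {
        node[2 * n] = child(node[n], 0);
        node[2 * n + 1] = child(node[n], 1);
    }
    return node;
}

// Opening that hides leaf `hidden`: the d sibling seeds along its path to the root.
std::vector<uint64_t> open_all_but_one(const std::vector<uint64_t>& node, int d, size_t hidden) {
    std::vector<uint64_t> sib;
    for (size_t n = (size_t(1) << d) + hidden; n > 1; n >>= 1) sib.push_back(node[n ^ 1]);
    return sib;  // leaf level first
}

// Verifier: rebuild leaves from the siblings; true iff exactly the non-hidden leaves are recovered.
bool verifier_recovers_others(const std::vector<uint64_t>& tree,
                              const std::vector<uint64_t>& sib, int d, size_t hidden) {
    size_t N = size_t(1) << d, n = N + hidden;
    std::vector<uint64_t> node(2 * N, 0);
    std::vector<char> known(2 * N, 0);
    for (int k = 0; k < d; ++k, n >>= 1) { node[n ^ 1] = sib[k]; known[n ^ 1] = 1; }
    for (size_t m = 1; m < N; ++m) {
        if (!known[m]) continue;
        node[2 * m] = child(node[m], 0); node[2 * m + 1] = child(node[m], 1);
        known[2 * m] = 1; known[2 * m + 1] = 1;
    }
    for (size_t i = 0; i < N; ++i)
        if ((i != hidden) != (known[N + i] && node[N + i] == tree[N + i])) return false;
    return true;
}
```

The opening is $d$ seeds for $2^d$ leaves, and no node on the hidden leaf's own path is ever derivable from it.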

Public Verifiable Garbled Circuit

We simply generate the VOLE instances of Authenticated Garbling using the VOLE-in-the-Head technique, so that the Garbled Circuit is authenticated not only to the Evaluator but also to the public verifier.