feat: breaking change (unstable) (#198)

* [PUBLISHER] upload files #175 * PUSH NOTE : 3. Symmetric Key Encryption.md * PUSH NOTE : 03. Symmetric Key Cryptography (2).md * DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md * DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-19-symmetric-key-encryption.md * [PUBLISHER] upload files #177 * PUSH NOTE : 3. Symmetric Key Encryption.md * PUSH NOTE : 03. Symmetric Key Cryptography (2).md * DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md * DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-19-symmetric-key-encryptio.md * [PUBLISHER] upload files #178 * PUSH NOTE : 3. Symmetric Key Encryption.md * PUSH NOTE : 03. Symmetric Key Cryptography (2).md * DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md * [PUBLISHER] upload files #179 * PUSH NOTE : 3. Symmetric Key Encryption.md * PUSH NOTE : 03. Symmetric Key Cryptography (2).md * DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md * [PUBLISHER] upload files #180 * PUSH NOTE : 3. Symmetric Key Encryption.md * PUSH NOTE : 03. Symmetric Key Cryptography (2).md * DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md * [PUBLISHER] upload files #181 * PUSH NOTE : 3. Symmetric Key Encryption.md * PUSH NOTE : 03. Symmetric Key Cryptography (2).md * DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md * [PUBLISHER] upload files #182 * PUSH NOTE : 3. Symmetric Key Encryption.md * PUSH NOTE : 03. Symmetric Key Cryptography (2).md * [PUBLISHER] upload files #183 * PUSH NOTE : 3. Symmetric Key Encryption.md * PUSH NOTE : 03. Symmetric Key Cryptography (2).md * DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md * [PUBLISHER] upload files #184 * PUSH NOTE : 3. Symmetric Key Encryption.md * PUSH NOTE : 03. Symmetric Key Cryptography (2).md * DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md * [PUBLISHER] upload files #185 * PUSH NOTE : 3. Symmetric Key Encryption.md * PUSH NOTE : 03. Symmetric Key Cryptography (2).md * DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md * [PUBLISHER] upload files #186 * PUSH NOTE : 3. Symmetric Key Encryption.md * PUSH NOTE : 03. Symmetric Key Cryptography (2).md * [PUBLISHER] upload files #187 * PUSH NOTE : 3. Symmetric Key Encryption.md * PUSH NOTE : 14. Secure Multiparty Computation.md * DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-19-symmetric-key-encryption.md * DELETE FILE : _posts/lecture-notes/modern-cryptography/2023-09-18-symmetric-key-cryptography-2.md * [PUBLISHER] upload files #188 * PUSH NOTE : 3. Symmetric Key Encryption.md * PUSH NOTE : 14. Secure Multiparty Computation.md * DELETE FILE : _posts/Lecture Notes/Modern Cryptography/2023-09-19-symmetric-key-encryption.md * chore: remove files * [PUBLISHER] upload files #197 * PUSH NOTE : 수학 공부에 대한 고찰.md * PUSH NOTE : 09. Lp Functions.md * PUSH ATTACHMENT : mt-09.png * PUSH NOTE : 08. Comparison with the Riemann Integral.md * PUSH ATTACHMENT : mt-08.png * PUSH NOTE : 04. Measurable Functions.md * PUSH ATTACHMENT : mt-04.png * PUSH NOTE : 06. Convergence Theorems.md * PUSH ATTACHMENT : mt-06.png * PUSH NOTE : 07. Dominated Convergence Theorem.md * PUSH ATTACHMENT : mt-07.png * PUSH NOTE : 05. Lebesgue Integration.md * PUSH ATTACHMENT : mt-05.png * PUSH NOTE : 03. Measure Spaces.md * PUSH ATTACHMENT : mt-03.png * PUSH NOTE : 02. Construction of Measure.md * PUSH ATTACHMENT : mt-02.png * PUSH NOTE : 01. Algebra of Sets and Set Functions.md * PUSH ATTACHMENT : mt-01.png * PUSH NOTE : Rules of Inference with Coq.md * PUSH NOTE : 블로그 이주 이야기.md * PUSH NOTE : Secure IAM on AWS with Multi-Account Strategy.md * PUSH ATTACHMENT : separation-by-product.png * PUSH NOTE : You and Your Research, Richard Hamming.md * PUSH NOTE : 10. Digital Signatures.md * PUSH ATTACHMENT : mc-10-dsig-security.png * PUSH ATTACHMENT : mc-10-schnorr-identification.png * PUSH NOTE : 9. Public Key Encryption.md * PUSH ATTACHMENT : mc-09-ss-pke.png * PUSH NOTE : 8. Number Theory.md * PUSH NOTE : 7. Key Exchange.md * PUSH ATTACHMENT : mc-07-dhke.png * PUSH ATTACHMENT : mc-07-dhke-mitm.png * PUSH ATTACHMENT : mc-07-merkle-puzzles.png * PUSH NOTE : 6. Hash Functions.md * PUSH ATTACHMENT : mc-06-merkle-damgard.png * PUSH ATTACHMENT : mc-06-davies-meyer.png * PUSH ATTACHMENT : mc-06-hmac.png * PUSH NOTE : 5. CCA-Security and Authenticated Encryption.md * PUSH ATTACHMENT : mc-05-ci.png * PUSH ATTACHMENT : mc-05-etm-mte.png * PUSH NOTE : 1. OTP, Stream Ciphers and PRGs.md * PUSH ATTACHMENT : mc-01-prg-game.png * PUSH ATTACHMENT : mc-01-ss.png * PUSH NOTE : 4. Message Authentication Codes.md * PUSH ATTACHMENT : mc-04-mac.png * PUSH ATTACHMENT : mc-04-mac-security.png * PUSH ATTACHMENT : mc-04-cbc-mac.png * PUSH ATTACHMENT : mc-04-ecbc-mac.png * PUSH NOTE : 3. Symmetric Key Encryption.md * PUSH ATTACHMENT : is-03-ecb-encryption.png * PUSH ATTACHMENT : is-03-cbc-encryption.png * PUSH ATTACHMENT : is-03-ctr-encryption.png * PUSH NOTE : 2. PRFs, PRPs and Block Ciphers.md * PUSH ATTACHMENT : mc-02-block-cipher.png * PUSH ATTACHMENT : mc-02-feistel-network.png * PUSH ATTACHMENT : mc-02-des-round.png * PUSH ATTACHMENT : mc-02-DES.png * PUSH ATTACHMENT : mc-02-aes-128.png * PUSH ATTACHMENT : mc-02-2des-mitm.png * PUSH NOTE : 18. Bootstrapping & CKKS.md * PUSH NOTE : 17. BGV Scheme.md * PUSH NOTE : 16. The GMW Protocol.md * PUSH ATTACHMENT : mc-16-beaver-triple.png * PUSH NOTE : 15. Garbled Circuits.md * PUSH NOTE : 14. Secure Multiparty Computation.md * PUSH NOTE : 13. Sigma Protocols.md * PUSH ATTACHMENT : mc-13-sigma-protocol.png * PUSH ATTACHMENT : mc-13-okamoto.png * PUSH ATTACHMENT : mc-13-chaum-pedersen.png * PUSH ATTACHMENT : mc-13-gq-protocol.png * PUSH NOTE : 12. Zero-Knowledge Proofs (Introduction).md * PUSH ATTACHMENT : mc-12-id-protocol.png * PUSH NOTE : 11. Advanced Topics.md * PUSH NOTE : 0. Introduction.md * PUSH NOTE : 02. Symmetric Key Cryptography (1).md * PUSH NOTE : 09. Transport Layer Security.md * PUSH ATTACHMENT : is-09-tls-handshake.png * PUSH NOTE : 08. Public Key Infrastructure.md * PUSH ATTACHMENT : is-08-certificate-validation.png * PUSH NOTE : 07. Public Key Cryptography.md * PUSH NOTE : 06. RSA and ElGamal Encryption.md * PUSH NOTE : 05. Modular Arithmetic (2).md * PUSH NOTE : 03. Symmetric Key Cryptography (2).md * PUSH ATTACHMENT : is-03-feistel-function.png * PUSH ATTACHMENT : is-03-cfb-encryption.png * PUSH ATTACHMENT : is-03-ofb-encryption.png * PUSH NOTE : 04. Modular Arithmetic (1).md * PUSH NOTE : 01. Security Introduction.md * PUSH ATTACHMENT : is-01-cryptosystem.png * PUSH NOTE : Search Time in Hash Tables.md * PUSH NOTE : 랜덤 PS일지 (1).md * chore: rearrange articles * feat: fix paths * feat: fix all broken links * feat: title font to palatino
2025-12-06 14:53:50 +00:00 · 2024-11-13 14:28:45 +09:00
parent c9f7af5f3d
commit 23aeb29ad8
78 changed files with 2105 additions and 2030 deletions
--- a/_posts/lecture-notes/modern-cryptography/2023-11-14-garbled-circuits.md
+++ b/_posts/lecture-notes/modern-cryptography/2023-11-14-garbled-circuits.md
@@ -35,20 +35,20 @@ A **garbled circuit** is an *encrypted circuit*, with a pair of keys for each wi

 The garbler first encrypts the circuit. First, assign two keys, called **garbled values**, to each wire of the circuit.

-Suppose we have an AND gate, where $C = \rm{AND}(A, B)$. For the wire $A$, the garbler assigns $A_0, A_1$, each for representing the bit $0$ and $1$. Note that this mapping is known only to the garbler. Similar process is done for wires $B$ and $C$.
+Suppose we have an AND gate, where $C = \rm{AND}(A, B)$. For the wire $A$, the garbler assigns $A _ 0, A _ 1$, each for representing the bit $0$ and $1$. Note that this mapping is known only to the garbler. Similar process is done for wires $B$ and $C$.

 Then we have the following garbled values, as in columns 1 to 3. Now, encrypt the values of $C$ with a semantically secure scheme $E$, and obtain the $4$th column. Then, permute the rows in random order so that it is indistinguishable.

 |$A$|$B$|$C$|$C = \rm{AND}(A, B)$|
 |:-:|:-:|:-:|:-:|
-|$A_0$|$B_0$|$C_0$|$E(A_0 \parallel B_0, C_0)$|
-|$A_0$|$B_1$|$C_0$|$E(A_0 \parallel B_1, C_0)$|
-|$A_1$|$B_0$|$C_0$|$E(A_1 \parallel B_0, C_0)$|
-|$A_1$|$B_1$|$C_1$|$E(A_1 \parallel B_1, C_1)$|
+|$A _ 0$|$B _ 0$|$C _ 0$|$E(A _ 0 \parallel B _ 0, C _ 0)$|
+|$A _ 0$|$B _ 1$|$C _ 0$|$E(A _ 0 \parallel B _ 1, C _ 0)$|
+|$A _ 1$|$B _ 0$|$C _ 0$|$E(A _ 1 \parallel B _ 0, C _ 0)$|
+|$A _ 1$|$B _ 1$|$C _ 1$|$E(A _ 1 \parallel B _ 1, C _ 1)$|

-For evaluation, the **last column** will be given to the other party as the representation of the **garbled gate**. The inputs will be given as $A_x$ and $B_y$, but the evaluator will have no idea about the actual value of $x$ and $y$, hiding the actual input value. Although he doesn't know the underlying bit values, the evaluator is able to compute $C_z$ where $z = x \land y$. Similarly, the evaluator will not know whether $z$ is $0$ or $1$, hiding the output or intermediate values.
+For evaluation, the **last column** will be given to the other party as the representation of the **garbled gate**. The inputs will be given as $A _ x$ and $B _ y$, but the evaluator will have no idea about the actual value of $x$ and $y$, hiding the actual input value. Although he doesn't know the underlying bit values, the evaluator is able to compute $C _ z$ where $z = x \land y$. Similarly, the evaluator will not know whether $z$ is $0$ or $1$, hiding the output or intermediate values.

-The above *garbling* process is done for all gates. For the last output gate, the garbler keeps a **output translation table** to himself, that maps $0$ to $C_0$ and $1$ to $C_1$. This is used for recovering the bit, when the evaluation is done and the evaluator sends the final garbled value.
+The above *garbling* process is done for all gates. For the last output gate, the garbler keeps a **output translation table** to himself, that maps $0$ to $C _ 0$ and $1$ to $C _ 1$. This is used for recovering the bit, when the evaluation is done and the evaluator sends the final garbled value.

 > In summary, given a boolean circuit,
 > 1. Assign garbled values to all wires in the circuit.
@@ -60,13 +60,13 @@ Note that the evaluator learns nothing during the evaluation.

 There is a slight problem here. In some encryption schemes, a ciphertext can be decrypted by an incorrect key. If the above encryptions are in arbitrary order, how does the evaluator know if he decrypted the correct one?

-One method is to add **redundant zeros** to the $C_k$. Then the last column would contain $E\big( A_i \pll B_j, C_k \pll 0^n \big)$. Then when the evaluator decrypts these ciphertexts, the probability of getting redundant zeros with an incorrect key would be negligible. But with this method, all four ciphertexts have to be decrypted in the worst case.
+One method is to add **redundant zeros** to the $C _ k$. Then the last column would contain $E\big( A _ i \pll B _ j, C _ k \pll 0^n \big)$. Then when the evaluator decrypts these ciphertexts, the probability of getting redundant zeros with an incorrect key would be negligible. But with this method, all four ciphertexts have to be decrypted in the worst case.

-Another method is adding a bit to signal which ciphertext to decrypt. This method is called **point-and-permute**. The garbler chooses a random bit $b_A$ for each wire $A$. Then when drawing $A_0, A_1$, set the first bit (MSB) to $b_A$ and $1 - b_A$, respectively. Next, the ciphertexts are sorted in the order of $b_A$ and $b_B$. Then the evaluator can exploit this information during evaluation.
+Another method is adding a bit to signal which ciphertext to decrypt. This method is called **point-and-permute**. The garbler chooses a random bit $b _ A$ for each wire $A$. Then when drawing $A _ 0, A _ 1$, set the first bit (MSB) to $b _ A$ and $1 - b _ A$, respectively. Next, the ciphertexts are sorted in the order of $b _ A$ and $b _ B$. Then the evaluator can exploit this information during evaluation.

 For example, if the evaluator has $X$ and $Y$ such that $\rm{MSB}(X) = 0$ and $\rm{MSB}(Y) = 1$, then choose the second ($01$ in binary) ciphertext entry to decrypt.

-This method does not reduce security, since the bits $b_A$, $b_B$ are random. Also, now the evaluator doesn't have to decrypt all four ciphertexts, reducing the evaluation load.
+This method does not reduce security, since the bits $b _ A$, $b _ B$ are random. Also, now the evaluator doesn't have to decrypt all four ciphertexts, reducing the evaluation load.

 ## Protocol Description

@@ -75,8 +75,8 @@ This method does not reduce security, since the bits $b_A$, $b_B$ are random. Al
 > 1. Alice garbles the circuit, generating garbled values and gates.
 > 2. Garbled gate tables and the garbled values of Alice's inputs are sent to Bob.
 > 3. For Bob's input wire $B$, Alice and Bob run an 1-out-of-2 OT protocol.
-> 	- Alice provides $B_0$ and $B_1$ to the OT.
-> 	- Bob inputs his input bit $b$ to the OT, and Bob now has $B_b$.
+> 	- Alice provides $B _ 0$ and $B _ 1$ to the OT.
+> 	- Bob inputs his input bit $b$ to the OT, and Bob now has $B _ b$.
 > 4. Bob has garbled values for all input wires, so evaluates the circuit.
 > 5. Bob sends the final garbled output to Alice.
 > 6. Alices uses the output translation table to recover the final result bit.
@@ -85,9 +85,9 @@ Note that OT can be done in *parallel*, reducing the round complexity.

 ### Why is OT Necessary?

-Suppose Alice gave both $B_0$ and $B_1$ to Bob. Bob doesn't know which one represents $0$ or $1$, but he can just run the evaluation for both inputs.
+Suppose Alice gave both $B _ 0$ and $B _ 1$ to Bob. Bob doesn't know which one represents $0$ or $1$, but he can just run the evaluation for both inputs.

-Suppose we have a $2$-input AND gate $C = \rm{AND}(A, B)$. Bob already has $A_x$ from Alice, so he evaluates for both $B_0$ and $B_1$, obtaining $C_{x\land 0}$ and $C_{x \land 1}$. If these are the same, Bob learns that $x = 0$. If different, $x = 1$.
+Suppose we have a $2$-input AND gate $C = \rm{AND}(A, B)$. Bob already has $A _ x$ from Alice, so he evaluates for both $B _ 0$ and $B _ 1$, obtaining $C _ {x\land 0}$ and $C _ {x \land 1}$. If these are the same, Bob learns that $x = 0$. If different, $x = 1$.

 So we need an OT to make sure that Bob only learns one of the garbled values.

@@ -106,11 +106,11 @@ So we need an OT to make sure that Bob only learns one of the garbled values.

 ## Summary of Yao's Protocol

-Let $f$ be a given public function that Alice and Bob want to compute, in circuit representation. Let $(x_1, \dots, x_n)$ and $(y_1, \dots, y_m)$ be inputs provided by Alice and Bob, respectively.
+Let $f$ be a given public function that Alice and Bob want to compute, in circuit representation. Let $(x _ 1, \dots, x _ n)$ and $(y _ 1, \dots, y _ m)$ be inputs provided by Alice and Bob, respectively.

 Alice generates a garbled circuit $G(f)$ by assigning garbled values for each wire. Then gives Bob $G(f)$ and the garbled values of her inputs. Then Alice and Bob run several OTs in parallel for the garbled values of Bob's inputs.

-Bob computes $G(f)$ and obtains a key of $f(x_1, \dots, x_n, y_1, \dots, y_m)$, which is sent to Alice and Alice recovers the final result.
+Bob computes $G(f)$ and obtains a key of $f(x _ 1, \dots, x _ n, y _ 1, \dots, y _ m)$, which is sent to Alice and Alice recovers the final result.

 ## Proof of Security (Semi-honest)

@@ -126,9 +126,9 @@ In the OT-hybrid model, we assume an ideal OT. In this case, Alice receives no m

 This case is harder to show. The simulator must construct a fake garbled circuit that is indistinguishable to the real one. But the simulator doesn't know the inputs of Alice, so it cannot generate a real circuit.

-Bob's view contains his inputs $(y_1, \dots, y_m)$ and the final output $z = (z_1, \dots, z_k)$. Thus, the simulator generates a fake garbled circuit that **always** outputs $z$. To do this, the garbled values for the wires can be chosen randomly, and use them for encryption keys. But the encrypted message is fixed to the (intermediate) output. For instance, make the gate table consists of $E\big( A_i \pll B_j, C_0 \big)$ for fixed $C_0$. In this way, the simulator can control the values of output wires and get $z$ for the final output.
+Bob's view contains his inputs $(y _ 1, \dots, y _ m)$ and the final output $z = (z _ 1, \dots, z _ k)$. Thus, the simulator generates a fake garbled circuit that **always** outputs $z$. To do this, the garbled values for the wires can be chosen randomly, and use them for encryption keys. But the encrypted message is fixed to the (intermediate) output. For instance, make the gate table consists of $E\big( A _ i \pll B _ j, C _ 0 \big)$ for fixed $C _ 0$. In this way, the simulator can control the values of output wires and get $z$ for the final output.

-The output translation tables can be generated using this method. An entry of the table would be $(z_i, C_0)$ where $C_0$ is the garbled value used for generating the gate table. As for $1-z_i$, any random garbled value can be used.
+The output translation tables can be generated using this method. An entry of the table would be $(z _ i, C _ 0)$ where $C _ 0$ is the garbled value used for generating the gate table. As for $1-z _ i$, any random garbled value can be used.

 Lastly for communicating garbled values, Alice's input wires can be set to any two garbled values of the wire. Bob's input wires should be simulated by the simulator of the OT, which will result in any one of the two values on the wire.

@@ -141,15 +141,15 @@ For each wire of the circuit, two random *super-seeds* (garbled values) are used
 For example, for input wire $A$, let

 $$
-A_0 = a_0^1 \pll \cdots \pll a_0^n, \quad A_1 = a_1^1 \pll \cdots \pll a_1^n,
+A _ 0 = a _ 0^1 \pll \cdots \pll a _ 0^n, \quad A _ 1 = a _ 1^1 \pll \cdots \pll a _ 1^n,
 $$

-where $a_0^k, a_1^k$ are seeds generated by party $P_k$.
+where $a _ 0^k, a _ 1^k$ are seeds generated by party $P _ k$.

-Then for garbling gates, the super-seeds of the output wire is encrypted by the super-seeds of the input wires. As an example, suppose that we use $A_b = a_b^1 \pll \cdots \pll a_b^n$ to encrypt an output value $B$. Then we could use a secure PRG $G$ and set
+Then for garbling gates, the super-seeds of the output wire is encrypted by the super-seeds of the input wires. As an example, suppose that we use $A _ b = a _ b^1 \pll \cdots \pll a _ b^n$ to encrypt an output value $B$. Then we could use a secure PRG $G$ and set

 $$
-B \oplus G(a_b^1) \oplus \cdots \oplus G(a_b^n)
+B \oplus G(a _ b^1) \oplus \cdots \oplus G(a _ b^n)
 $$

 as the garbled value.