[PUBLISHER] upload files #143

* PUSH NOTE : 16. The GMW Protocol.md * PUSH ATTACHMENT : mc-16-beaver-triple.png
[PUBLISHER] upload files #142
2025-12-06 14:53:50 +00:00 · 2024-01-21 22:07:28 +09:00 · 2024-01-21 22:06:41 +09:00 · 2024-01-21 22:06:21 +09:00 · 2024-01-21 22:05:57 +09:00
9 changed files with 1111 additions and 0 deletions
--- a/Cryptography/2023-11-07-sigma-protocols.md
+++ b/Cryptography/2023-11-07-sigma-protocols.md
@@ -0,0 +1,476 @@
 ---
 share: true
 toc: true
 math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 tags:
  - lecture-note
  - cryptography
  - security
 title: 13. Sigma Protocols
 date: 2023-11-07
 github_title: 2023-11-07-sigma-protocols
 image:
  path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-13-sigma-protocol.png
 attachment:
  folder: assets/img/posts/Lecture Notes/Modern Cryptography
 ---
 The previous [3-coloring example](./2023-11-02-zkp-intro.md#example-3-coloring) certainly works as a zero knowledge proof, but is quite slow, and requires a lot of interaction. There are efficient protocols for interactive proofs, we will study sigma protocols.
 ## Sigma Protocols
 ### Definition
 > **Definition.** An **effective relation** is a binary relation $\mc{R} \subset \mc{X} \times \mc{Y}$, where $\mc{X}$, $\mc{Y}$, $\mc{R}$ are efficiently recognizable finite sets. Elements of $\mc{Y}$ are called **statements**. If $(x, y) \in \mc{R}$, then $x$ is called a **witness for** $y$.
 ![mc-13-sigma-protocol.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-sigma-protocol.png)
 > **Definition.** Let $\mc{R} \subset \mc{X} \times \mc{Y}$ be an effective relation. A **sigma protocol** for $\mc{R}$ is a pair of algorithms $(P, V)$ satisfying the following.
 > 
 > - The **prover** $P$ is an interactive protocol algorithm, which takes $(x, y) \in \mc{R}$ as input.
 > - The **verifier** $V$ is an interactive protocol algorithm, which takes $y \in \mc{Y}$ as input, and outputs $\texttt{accept}$ or $\texttt{reject}$.
 > 
 > The interaction goes as follows.[^1]
 > 
 > 1. $P$ computes a **commitment** message $t$ and sends it to $V$.
 > 2. $V$ chooses a random **challenge** $c \la \mc{C}$ from a **challenge space** and sends it to $P$.
 > 3. $P$ computes a **response** $z$ and sends it to $V$.
 > 4. $V$ outputs either $\texttt{accept}$ or $\texttt{reject}$, computed strictly as a function of the statement $y$ and the **conversation** $(t, c, z)$.
 > 
 > For all $(x, y) \in \mc{R}$, at the end of the interaction between $P(x, y)$ and $V(y)$, $V(y)$ always outputs $\texttt{accept}$.
 - The verifier is deterministic except for choosing a random challenge $c \la \mc{C}$.
 - If the output is $\texttt{accept}$, then the conversation $(t, c, z)$ is an **accepting conversation for** $y$.
 - In most cases, the challenge space has to be super-poly. We say that the protocol has a **large challenge space**.
 ## Soundness
 The **soundness** property says that it is infeasible for any prover to make the verifier accept a statement that is false.
 > **Definition.** Let $\Pi = (P, V)$ be a sigma protocol for $\mc{R} \subset \mc{X}\times \mc{Y}$. For a given adversary $\mc{A}$, the security game goes as follows.
 > 
 > 1. The adversary chooses a statement $y^{\ast} \in \mc{Y}$ and gives it to the challenger.
 > 2. The adversary interacts with the verifier $V(y^{\ast})$, where the challenger plays the role of verifier, and the adversary is a possibly *cheating* prover.
 > 
 > The adversary wins if $V(y^{\ast})$ outputs $\texttt{accept}$ but $y^{\ast} \notin L_\mc{R}$. The advantage of $\mc{A}$ with respect to $\Pi$ is denoted $\rm{Adv}_{\rm{Snd}}[\mc{A}, \Pi]$ and defined as the probability that $\mc{A}$ wins the game.
 > 
 > If the advantage is negligible for all efficient adversaries $\mc{A}$, then $\Pi$ is **sound**.
 ### Special Soundness
 For sigma protocols, it suffices to require **special soundness**.
 > **Definition.** Let $(P, V)$ be a sigma protocol for $\mc{R} \subset \mc{X} \times \mc{Y}$. $(P, V)$ provides **special soundness** if there is an efficient deterministic algorithm $\rm{Ext}$, called a **knowledge extractor** with the following property.
 > 
 > Given a statement $y \in \mc{Y}$ and two accepting conversations $(t, c, z)$ and $(t, c', z')$ with $c \neq c'$, $\rm{Ext}$ outputs a **witness** (proof) $x \in \mc{X}$ such that $(x, y) \in \mc{R}$.
 The extractor efficiently finds a proof $x$ for $y \in \mc{Y}$. This means, if a possibly cheating prover $P^{\ast}$ makes $V$ accept $y$ with non-negligible probability, then $P^{\ast}$ must have known a proof $x$ for $y$. **Thus $P^{\ast}$ isn't actually a dishonest prover, he already has a proof.**
 Note that the commitment $t$ is the same for the two accepting conversations. The challenge $c$ and $c'$ are chosen after the commitment, so if the prover can come up with $z$ and $z'$ so that $(t, c, z)$ and $(t, c', z')$ are accepting conversations for $y$, then the prover must have known $x$.
 We also require that the challenge space is large, the challenger shouldn't be accepted by luck.
 ### Special Soundness $\implies$ Soundness
 > **Theorem.** Let $\Pi$ be a sigma protocol with a large challenge space. If $\Pi$ provides special soundness, then $\Pi$ is sound.
 > 
 > For every efficient adversary $\mc{A}$,
 > 
 > $$
 > \rm{Adv}_{\rm{Snd}}[\mc{A}, \Pi] \leq \frac{1}{N}
 > $$
 > 
 > where $N$ is the size of the challenge space.
 *Proof*. Suppose that $\mc{A}$ chooses a false statement $y^{\ast}$ and a commitment $t^{\ast}$. It suffices to show that there exists at most one challenge $c$ such that $(t^{\ast}, c, z)$ is an accepting conversation for some response $z$.
 If there were two such challenges $c, c'$, then there would be two accepting conversations for $y^{\ast}$, which are $(t^{\ast}, c, z)$ and $(t^{\ast}, c', z')$. Now by special soundness, there exists a witness $x$ for $y^{\ast}$, which is a contradiction.
 ## Special Honest Verifier Zero Knowledge
 The conversation between $P$ and $V$ must not reveal anything.
 > **Definition.** Let $(P, V)$ be a sigma protocol for $\mc{R} \subset \mc{X} \times \mc{Y}$. $(P, V)$ is **special honest verifier zero knowledge** (special HVZK) if there exists an efficient probabilistic algorithm $\rm{Sim}$ (**simulator**) that satisfies the following.
 > 
 > - For all inputs $(y, c) \in \mc{Y} \times \mc{C}$, $\rm{Sim}(y, c)$ outputs a pair $(t, z)$ such that $(t, c, z)$ is always an accepting conversation for $y$.
 > - For all $(x, y) \in \mc{R}$, let $c \la \mc{C}$ and $(t, z) \la \rm{Sim}(y, c)$. Then $(t, c, z)$ has the same distribution as the conversation between $P(x, y)$ and $V(y)$.
 The difference is that the simulator takes an additional input $c$. Also, the simulator produces an accepting conversation even if the statement $y$ does not have a proof.
 Also note that **the simulator is free to generate the messages in any convenient order**.
 ## The Schnorr Identification Protocol Revisited
 The Schnorr identification protocol is actually a sigma protocol. Refer to [Schnorr identification protocol (Modern Cryptography)](./2023-10-26-digital-signatures.md#the-schnorr-identification-protocol) for the full description.
 ![mc-10-schnorr-identification.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-10-schnorr-identification.png)
 > The pair $(P, V)$ is a sigma protocol for the relation $\mc{R} \subset \mc{X} \times \mc{Y}$ where
 > 
 > $$
 > \mc{X} = \bb{Z}_q, \quad \mc{Y} = G, \quad \mc{R} = \left\lbrace (\alpha, u) \in \bb{Z}_q \times G : g^\alpha = u \right\rbrace.
 > $$
 > 
 > The challenge space $\mc{C}$ is a subset of $\bb{Z}_q$.
 The protocol provides **special soundness**. If $(u_t, c, \alpha_z)$ and $(u_t, c', \alpha_z')$ are two accepting conversations with $c \neq c'$, then we have
 $$
 g^{\alpha_z} = u_t \cdot u^c, \quad g^{\alpha_z'} = u_t \cdot u^{c'},
 $$
 so we have $g^{\alpha_z - \alpha_z'} = u^{c - c'}$. Setting $\alpha^{\ast} = (\alpha_z - \alpha_z') /(c - c')$ satisfies $g^{\alpha^{\ast}} = u$, solving the discrete logarithm and $\alpha^{\ast}$ is a proof.
 As for HVZK, the simulator chooses $\alpha_z \la \bb{Z}_q$, $c \la \mc{C}$ randomly and sets $u_t = g^{\alpha_z} \cdot u^{-c}$. Then $(u_t, c, \alpha_z)$ will be accepted. *Note that the order doesn't matter.* Also, the distribution is same, since $c$ and $\alpha_z$ are uniform over $\mc{C}$ and $\bb{Z}_q$ and the choice of $c$ and $\alpha_z$ determines $u_t$ uniquely. This is identical to the distribution in the actual protocol.
 ### Dishonest Verifier
 In case of dishonest verifiers, $V$ may not follow the protocol. For example, $V$ may choose non-uniform $c \in \mc{C}$ depending on the commitment $u_t$. In this case, the conversation from the actual protocol and the conversation generated by the simulator will have different distributions.
 We need a different distribution. The simulator must also take the verifier's actions as input, to properly simulate the dishonest verifier.
 ### Modified Schnorr Protocol
 The original protocol can be modified so that the challenge space $\mc{C}$ is smaller. Completeness property is obvious, and the soundness error grows, but we can always repeat the protocol.
 As for zero knowledge, the simulator $\rm{Sim}_{V^{\ast}}(u)$ generates a verifier's view $(u, c, z)$ as follows.
 - Guess $c' \la \mc{C}$. Sample $z' \la \bb{Z}_q$ and set $u' = g^{z'}\cdot u^{-c'}$. Send $u'$ to $V^{\ast}$.
 - If the response from the verifier $V^{\ast}(u')$ is $c$ and $c \neq c'$, restart.
 	- $c = c'$ holds with probability $1 / \left\lvert \mc{C} \right\lvert$, since $c'$ is uniform.
 - Otherwise, output $(u, c, z) = (u', c', z')$.
 Sending $u'$ to $V^{\ast}$ is possible because the simulator also takes the actions of $V^{\ast}$ as input. The final output conversation has distribution identical to the real protocol execution.
 Overall, this modified protocol works for dishonest verifiers, at the cost of efficiency because of the increased soundness error. We have a security-efficiency tradeoff.
 But in most cases, it is enough to assume honest verifiers, as we will see soon.
 ## Other Sigma Protocol Examples
 ### Okamoto's Protocol
 This one is similar to Schnorr protocol. This is used for proving the representation of a group element.
 Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$, let $h \in G$ be some arbitrary group element, fixed as a system parameter. A **representation** of $u$ relative to $g$ and $h$ is a pair $(\alpha, \beta) \in \bb{Z}_q^2$ such that $g^\alpha h^\beta = u$.
 **Okamoto's protocol** for the relation
 $$
 \mc{R} = \bigg\lbrace \big( (\alpha, \beta), u \big) \in \bb{Z}_q^2 \times G : g^\alpha h^\beta = u \bigg\rbrace
 $$
 goes as follows.
 ![mc-13-okamoto.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-okamoto.png)
 > 1. $P$ computes random $\alpha_t, \beta_t \la \bb{Z}_q$ and sends commitment $u_t \la g^{\alpha_t}h^{\beta_t}$ to $V$.
 > 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
 > 3. $P$ computes $\alpha_z \la \alpha_t + \alpha c$, $\beta_z \la \beta_t + \beta c$ and sends $(\alpha_z, \beta_z)$ to $V$.
 > 4. $V$ outputs $\texttt{accept}$ if and only if $g^{\alpha_z} h^{\beta_z} = u_t \cdot u^c$.
 Completeness is obvious.
 > **Theorem**. Okamoto's protocol provides special soundness and is special HVZK.
 *Proof*. Very similar to the proof of Schnorr. Refer to Theorem 19.9.[^2]
 ### The Chaum-Pedersen Protocol for DH-Triples
 The **Chaum-Pederson protocol** is for convincing a verifier that a given triple is a DH-triple.
 Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. $(g^\alpha, g^\beta, g^\gamma)$ is a DH-triple if $\gamma = \alpha\beta$. Then, the triple $(u, v, w)$ is a DH-triple if and only if $v = g^\beta$ and $w = u^\beta$ for some $\beta \in \bb{Z}_q$.
 The Chaum-Pederson protocol for the relation
 $$
 \mc{R} = \bigg\lbrace \big( \beta, (u, v, w) \big) \in \bb{Z}_q \times G^3 : v = g^\beta \land w = u^\beta \bigg\rbrace
 $$
 goes as follows.
 ![mc-13-chaum-pedersen.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-chaum-pedersen.png)
 > 1. $P$ computes random $\beta_t \la \bb{Z}_q$ and sends commitment $v_t \la g^{\beta_t}$, $w_t \la u^{\beta_t}$ to $V$.
 > 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
 > 3. $P$ computes $\beta_z \la \beta_t + \beta c$, and sends it to $V$.
 > 4. $V$ outputs $\texttt{accept}$ if and only if $g^{\beta_z} = v_t \cdot v^c$ and $u^{\beta_z} = w_t \cdot w^c$.
 Completeness is obvious.
 > **Theorem.** The Chaum-Pedersen protocol provides special soundness and is special HVZK.
 *Proof*. Also similar. See Theorem 19.10.[^2]
 This can be used to prove that an ElGamal ciphertext $c = (u, v) = (g^k, h^k \cdot m)$ is an encryption of $m$ with public key $h = g^\alpha$, without revealing the private key or the ephemeral key $k$. If $(g^k, h^k \cdot m)$ is a valid ciphertext, then $(h, u, vm^{-1}) = (g^\alpha, g^k, g^{\alpha k})$ is a valid DH-triple.
 ### Sigma Protocol for Arbitrary Linear Relations
 Schnorr, Okamoto, Chaum-Pedersen protocols look similar. They are special cases of a generic sigma protocol for proving a linear relation among group elements. Read more in Section 19.5.3.[^2]
 ### Sigma Protocol for RSA
 Let $(n, e)$ be an RSA public key, where $e$ is prime. The **Guillou-Quisquater** (GQ) protocol is used to convince a verifier that he knows an $e$-th root of $y \in \bb{Z}_n^{\ast}$.
 The Guillou-Quisquater protocol for the relation
 $$
 \mc{R} = \bigg\lbrace (x, y) \in \big( \bb{Z}_n^{\ast} \big)^2 : x^e = y \bigg\rbrace
 $$
 goes as follows.
 ![mc-13-gq-protocol.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-13-gq-protocol.png)
 > 1. $P$ computes random $x_t \la \bb{Z}_n^{\ast}$ and sends commitment $y_t \la x_t^e$ to $V$.
 > 2. $V$ computes challenge $c \la \mc{C}$ and sends it to $P$.
 > 3. $P$ computes $x_z \la x_t \cdot x^c$ and sends it to $V$.
 > 4. $V$ outputs $\texttt{accept}$ if and only if $x_z^e = y_t \cdot y^c$.
 Completeness is obvious.
 > **Theorem.** The GQ protocol provides special soundness and is special HVZK.
 *Proof*. Also similar. See Theorem 19.13.[^2]
 ## Combining Sigma Protocols
 Using the basic sigma protocols, we can build sigma protocols for complex statements.
 ### AND-Proof Construction
 The construction is straightforward, since we can just prove both statements.
 Given two sigma protocols $(P_0, V_0)$ for $\mc{R}_0 \subset \mc{X}_0 \times \mc{Y}_0$ and $(P_1, V_1)$ for $\mc{R}_1 \subset \mc{X}_1 \times \mc{Y}_1$, we construct a sigma protocol for the relation $\mc{R}_\rm{AND}$ defined on $(\mc{X}_0 \times \mc{X}_1) \times (\mc{Y}_0 \times \mc{Y}_1)$ as
 $$
 \mc{R}_\rm{AND} = \bigg\lbrace \big( (x_0, x_1), (y_0, y_1) \big) : (x_0, y_0) \in \mc{R}_0 \land (x_1, y_1) \in \mc{R}_1 \bigg\rbrace.
 $$
 Given a pair of statements $(y_0, y_1) \in \mc{Y}_0 \times \mc{Y}_1$, the prover tries to convince the verifier that he knows a proof $(x_0, x_1) \in \mc{X}_0 \times \mc{X}_1$. This is equivalent to proving the AND of both statements.
 > 1. $P$ runs $P_i(x_i, y_i)$ to get a commitment $t_i$. $(t_0, t_1)$ is sent to $V$.
 > 2. $V$ computes challenge $c \la C$ and sends it to $P$.
 > 3. $P$ uses the challenge for both $P_0, P_1$, obtains response $z_0$, $z_1$, which is sent to $V$.
 > 4. $V$ outputs $\texttt{accept}$ if and only if $(t_i, c, z_i)$ is an accepting conversation for $y_i$.
 Completeness is clear.
 > **Theorem.** If $(P_0, V_0)$ and $(P_1, V_1)$ provide special soundness and are special HVZK, then the AND protocol $(P, V)$ defined above also provides special soundness and is special HVZK.
 *Proof*. For special soundness, let $\rm{Ext}_0$, $\rm{Ext}_1$ be the knowledge extractor for $(P_0, V_0)$ and $(P_1, V_1)$, respectively. Then the knowledge extractor $\rm{Ext}$ for $(P, V)$ can be constructed straightforward. For statements $(y_0, y_1)$, suppose that $\big( (t_0, t_1), c, (z_0, z_1) \big)$ and $\big( (t_0, t_1), c', (z_0', z_1') \big)$ are two accepting conversations. Feed $\big( y_0, (t_0, c, z_0), (t_0, c', z_0') \big)$ to $\rm{Ext}_0$, and feed $\big( y_1, (t_1, c, z_1), (t_1, c', z_1') \big)$ to $\rm{Ext}_1$.
 For special HVZK, let $\rm{Sim}_0$ and $\rm{Sim}_1$ be simulators for each protocol. Then the simulator $\rm{Sim}$ for $(P, V)$ is built by using $(t_0, z_0) \la \rm{Sim}_0(y_0, c)$ and $(t_1, z_1) \la \rm{Sim}_1(y_1, c)$. Set
 $$
 \big( (t_0, t_1), (z_0, z_1) \big) \la \rm{Sim}\big( (y_0, y_1), c \big).
 $$
 We have used the fact that the challenge is used for both protocols.
 ### OR-Proof Construction
 However, OR-proof construction is difficult. The prover must convince the verifier that either one of the statement is true, but **should not reveal which one is true.**
 If the challenge is known in advance, the prover can cheat. We exploit this fact. For the proof of $y_0 \lor y_1$, do the real proof for $y_b$ and cheat for $y_{1-b}$.
 Suppose we are given two sigma protocols $(P_0, V_0)$ for $\mc{R}_0 \subset \mc{X}_0 \times \mc{Y}_0$ and $(P_1, V_1)$ for $\mc{R}_1 \subset \mc{X}_1 \times \mc{Y}_1$. We assume that these both use the same challenge space, and both are special HVZK with simulators $\rm{Sim}_0$ and $\rm{Sim}_1$.
 We combine the protocols to form a sigma protocol for the relation $\mc{R}_\rm{OR}$ defined on ${} \big( \braces{0, 1} \times (\mc{X}_0 \cup \mc{X}_1) \big) \times (\mc{Y}_0\times \mc{Y}_1) {}$ as
 $$
 \mc{R}_\rm{OR} = \bigg\lbrace \big( (b, x), (y_0, y_1)  \big): (x, y_b) \in \mc{R}_b\bigg\rbrace.
 $$
 Here, $b$ denotes the actual statement $y_b$ to prove. For $y_{1-b}$, we cheat.
 > $P$ is initialized with $\big( (b, x), (y_0, y_1) \big) \in \mc{R}_\rm{OR}$ and $V$ is initialized with $(y_0, y_1) \in \mc{Y}_0 \times \mc{Y}_1$. Let $d = 1 - b$.
 > 
 > 1. $P$ computes $c_d \la \mc{C}$ and $(t_d, z_d) \la \rm{Sim}_d(y_d, c_d)$.
 > 2. $P$ runs $P_b(x, y_b)$ to get a real commitment $t_b$ and sends $(t_0, t_1)$ to $V$.
 > 3. $V$ computes challenge $c \la C$ and sends it to $P$.
 > 4. $P$ computes $c_b \la c \oplus c_d$, feeds it to $P_b(x, y_b)$ obtains a response $z_b$.
 > 5. $P$ sends $(c_0, z_0, z_1)$ to $V$.
 > 6. $V$ computes $c_1 \la c \oplus c_0$, and outputs $\texttt{accept}$ if and only if $(t_0, c_0, z_0)$ is an accepting conversation for $y_0$ and $(t_1, c_1, z_1)$ is an accepting conversation for $y_1$.
 Step $1$ is the cheating part, where the prover chooses a challenge, and generates a commitment and a response from the simulator.
 Completeness follows from the following.
 - $c_b = c \oplus c_{1-b}$, so $c_1 = c \oplus c_0$ always holds.
 - Both conversations $(t_0, c_0, z_0)$ and $(t_1, c_1, z_1)$ are accepted.
 	- An actual proof is done for statement $y_b$.
 	- For statement $y_{1-b}$, the simulator always outputs an accepting conversation.
 $c_b = c \oplus c_d$ is random, so $P$ cannot manipulate the challenge. Also, $V$ checks $c_1 = c \oplus c_0$.
 > **Theorem.** If $(P_0, V_0)$ and $(P_1, V_1)$ provide special soundness and are special HVZK, then the OR protocol $(P, V)$ defined above also provides special soundness and is special HVZK.
 *Proof*. For special soundness, suppose that $\rm{Ext}_0$ and $\rm{Ext}_1$ are knowledge extractors. Let
 $$
 \big( (t_0, t_1), c, (c_0, z_0, z_1) \big), \qquad \big( (t_0, t_1), c', (c_0', z_0', z_1') \big)
 $$
 be two accepting conversations with $c \neq c'$. Define $c_1 = c \oplus c_0$ and $c_1' = c' \oplus c_0'$. Since $c \neq c'$, it must be the case that either $c_0 \neq c_0'$ or $c_1 \neq c_1'$. Now $\rm{Ext}$ will work as follows.
 - If $c_0 \neq c_0'$, output $\bigg( 0, \rm{Ext}_0\big( y_0, (t_0, c_0, z_0), (t_0, c_0', z_0') \big) \bigg)$.
 - If $c_1 \neq c_1'$, output $\bigg( 1, \rm{Ext}_1\big( y_1, (t_1, c_1, z_1), (t_1, c_1', z_1') \big) \bigg)$.
 Then $\rm{Ext}$ will extract the knowledge.
 For special HVZK, define $c_0 \la \mc{C}$, $c_1 \la c \oplus c_0$. Then run each simulator to get
 $$
 (t_0, z_0) \la \rm{Sim}_0(y_0, c_0), \quad (t_1, z_1) \la \rm{Sim}_1(y_1, c_1).
 $$
 Then the simulator for $(P, V)$ outputs
 $$
 \big( (t_0, t_1), (c_0, z_0, z_1) \big) \la \rm{Sim}\big( (y_0, y_1), c \big).
 $$
 The simulator just simulates for both of the statements and returns the messages as in the protocol. $c_b$ is random, and the remaining values have the same distribution since the original two protocols were special HVZK.
 ### Example: OR of Sigma Protocols with Schnorr Protocol
 Let $G = \left\langle g \right\rangle$ be a cyclic group of prime order $q$. The prover wants to convince the verifier that he knows the discrete logarithm of either $h_0$ or $h_1$ in $G$.
 Suppose that the prover knows $x_b \in \bb{Z}_q$ such that $g^{x_b} = h_b$.
 > 1. Choose $c_{1-b} \la \mc{C}$ and call simulator of $1-b$ to obtain $(u_{1-b}, z_{1-b}) \la \rm{Sim}_{1-b}$.
 > 2. $P$ sends two commitments $u_0, u_1$.
 > 	- For $u_b$, choose random $y \la \bb{Z}_q$ and set $u_b = g^y$.
 > 	- For $u_{1-b}$, use the value from the simulator.
 > 3. $V$ sends a single challenge $c \la \mc{C}$.
 > 4. Using $c_{1-b}$, split the challenge into $c_0$, $c_1$ so that they satisfy $c_0 \oplus c_1 = c$. Then send $(c_0, c_1, z_0, z_1)$ to $V$.
 > 	- For $z_b$, calculate $z_b \la y + c_b x$.
 > 	- For $z_{1-b}$, use the value from the simulator.
 > 5. $V$ checks if $c = c_0 \oplus c_1$. $V$ accepts if and only if $(u_0, c_0, z_0)$ and $(u_1, c_1, z_1)$ are both accepting conversations.
 - Since $c, c_{1-b}$ are random, $c_b$ is random. Thus one of the proofs must be valid.
 ### Generalized Constructions
 See Exercise 19.26 and 19.28.[^2]
 ## Non-interactive Proof Systems
 Sigma protocols are interactive proof systems, but we can convert them into **non-interactive proof systems** using the **Fiat-Shamir transform**.
 First, the definition of non-interactive proof systems.
 > **Definition.** Let $\mc{R} \subset \mc{X} \times \mc{Y}$ be an effective relation. A **non-interactive proof system** for $\mc{R}$ is a pair of algorithms $(G, V)$ satisfying the following.
 > 
 > - $G$ is an efficient probabilistic algorithm that generates the proof as $\pi \la G(x, y)$ for $(x, y) \in \mc{R}$. $\pi$ belongs to some proof space $\mc{PS}$.
 > - $V$ is an efficient deterministic algorithm that verifies the proof as $V(y, \pi)$ where $y \in \mc{Y}$ and $\pi \in \mc{PS}$. $V$ outputs either $\texttt{accept}$ or $\texttt{reject}$. If $V$ outputs $\texttt{accept}$, $\pi$ is a **valid proof** for $y$.
 > 
 > For all $(x, y) \in \mc{R}$, the output of $G(x, y)$ must be a valid proof for $y$.
 ### Non-interactive Soundness
 Intuitively, it is hard to create a valid proof of a false statement.
 > **Definition.** Let $\Phi = (G, V)$ be a non-interactive proof system for $\mc{R} \subset \mc{X} \times \mc{Y}$ with proof space $\mc{PS}$. An adversary $\mc{A}$ outputs a statement $y^{\ast} \in \mc{Y}$ and a proof $\pi^{\ast} \in \mc{PS}$ to attack $\Phi$.
 > 
 > The adversary wins if $V(y^{\ast}, \pi^{\ast}) = \texttt{accept}$ and $y^{\ast} \notin L_\mc{R}$. The advantage of $\mc{A}$ with respect to $\Phi$ is defined as the probability that $\mc{A}$ wins, and is denoted as $\rm{Adv}_{\rm{niSnd}}[\mc{A}, \Phi]$.
 > 
 > If the advantage is negligible for all efficient adversaries $\mc{A}$, $\Phi$ is **sound**.
 ### Non-interactive Zero Knowledge
 Omitted.
 ## The Fiat-Shamir Transform
 The basic idea is **using a hash function to derive a challenge**, instead of a verifier. Now the only job of the verifier is checking the proof, requiring no interaction for the proof.
 > **Definition.** Let $\Pi = (P, V)$ be a sigma protocol for a relation $\mc{R} \subset \mc{X} \times \mc{Y}$. Suppose that conversations $(t, c, z) \in \mc{T} \times \mc{C} \times \mc{Z}$. Let $H : \mc{Y} \times \mc{T} \rightarrow \mc{C}$ be a hash function.
 > 
 > Define the **Fiat-Shamir non-interactive proof system** $\Pi_\rm{FS} = (G_\rm{FS}, V_\rm{FS})$ with proof space $\mc{PS} = \mc{T} \times \mc{Z}$ as follows.
 > 
 > - For input $(x, y) \in \mc{R}$, $G_\rm{FS}$ runs $P(x, y)$ to obtain a commitment $t \in \mc{T}$. Then computes the challenge $c = H(y, t)$, which is fed to $P(x, y)$, obtaining a response $z \in \mc{Z}$. $G_\rm{FS}$ outputs $(t, z) \in \mc{T} \times \mc{Z}$.
 > - For input $\big( y, (t, z) \big) \in \mc{Y} \times (\mc{T} \times \mc{Z})$, $V_\rm{FS}$ verifies that $(t, c, z)$ is an accepting conversation for $y$, where $c = H(y, t)$.
 Any sigma protocol can be converted into a non-interactive proof system. Its completeness is automatically given by the completeness of the sigma protocol.
 By modeling the hash function as a random oracle, we can show that:
 - If the sigma protocol is sound, then so is the non-interactive proof system.[^3]
 - If the sigma protocol is special HVZK, then running the non-interactive proof system does not reveal any information about the secret.
 ### Implications
 - No interactions are required, resulting in efficient protocols with lower round complexity.
 - No need to consider dishonest verifiers, since prover chooses the challenge. The verifier only verifies.
 - In distributed systems, a single proof can be used multiple times.
 ### Soundness of the Fiat-Shamir Transform
 > **Theorem.** Let $\Pi$ be a sigma protocol for a relation $\mc{R} \subset \mc{X} \times \mc{Y}$, and let $\Pi_\rm{FS}$ be the Fiat-Shamir non-interactive proof system derived from $\Pi$ with hash function $H$. If $\Pi$ is sound and $H$ is modeled as a random oracle, then $\Pi_\rm{FS}$ is also sound.
 > 
 > Let $\mc{A}$ be a $q$-query adversary attacking the soundness of $\Pi_\rm{FS}$. There exists an adversary $\mc{B}$ attacking the soundness of $\Pi$ such that
 > 
 > $$
 > \rm{Adv}_{\rm{niSnd^{ro}}}[\mc{A}, \Pi_\rm{FS}] \leq (q + 1) \rm{Adv}_{\rm{Snd}}[\mc{B}, \Pi].
 > $$
 *Proof Idea*. Suppose that $\mc{A}$ produces a valid proof $(t^{\ast}, z^{\ast})$ on a false statement $y^{\ast}$. Without loss of generality, $\mc{A}$ queries the random oracle at $(y^{\ast}, t^{\ast})$ within $q+1$ queries. Then $\mc{B}$ guesses which of the $q+1$ queries is the relevant one. If $\mc{B}$ guesses the correct query, the conversation $(t^{\ast}, c, z^{\ast})$ will be accepted and $\mc{B}$ succeeds. The factor $q+1$ comes from the choice of $\mc{B}$.
 ### Zero Knowledge of the Fiat-Shamir Transform
 Omitted. Works...
 ### The Fiat-Shamir Signature Scheme
 Now we understand why the [Schnorr signature scheme](./2023-10-26-digital-signatures.md#schnorr-digital-signature-scheme) used hash functions. In general, the Fiat-Shamir transform can be used to convert sigma protocols into signature schemes.
 We need $3$ building blocks.
 - A sigma protocol $(P, V)$ with conversations of the form $(t, c, z)$.
 - A key generation algorithm $G$ for $\mc{R}$, that outputs $pk = y$, $sk = (x, y) \in \mc{R}$.
 - A hash function $H : \mc{M} \times \mc{T} \rightarrow \mc{C}$, modeled as a random oracle.
 > **Definition.** The **Fiat-Shamir signature scheme** derived from $G$ and $(P, V)$ works as follows.
 > 
 > - Key generation: invoke $G$ so that $(pk, sk) \la G()$.
 > 	- $pk = y \in \mc{Y}$ and $sk = (x, y) \in \mc{R}$.
 > - Sign: for message $m \in \mc{M}$
 > 	1. Start the prover $P(x, y)$ and obtain the commitment $t \in \mc{T}$.
 > 	2. Compute the challenge $c \la H(m, t)$.
 > 	3. $c$ is fed to the prover, which outputs a response $z$.
 > 	4. Output the signature $\sigma = (t, z) \in \mc{T} \times \mc{Z}$.
 > - Verify: with the public key $pk = y$, compute $c \la H(m, t)$ and check that $(t, c, z)$ is an accepting conversation for $y$ using $V(y)$.
 If an adversary can come up with a forgery, then the underlying sigma protocol is not secure.
 ### Example: Voting Protocol
 $n$ voters are casting a vote, either $0$ or $1$. At the end, all voters learn the sum of the votes, but we want to keep the votes secret for each party.
 We can use the [multiplicative ElGamal encryption](./2023-10-19-public-key-encryption.md#the-elgamal-encryption) scheme in this case. Assume that a trusted vote tallying center generates a key pair, keeps $sk = \alpha$ to itself and publishes $pk = g^\alpha$.
 Each voter encrypts the vote $b_i$ and the ciphertext is
 $$
 (u_i, v_i) = (g^{\beta_i}, h^{\beta_i} \cdot g^{b_i})
 $$
 where $\beta_i \la\bb{Z}_q$. The vote tallying center aggregates all ciphertexts my multiplying everything. No need to decrypt yet. Then
 $$
 (u^{\ast}, v^{\ast}) = \left( \prod_{i=1}^n g^{\beta_i}, \prod_{i=1}^n h^{\beta_i} \cdot g^{b_i} \right) = \big( g^{\beta^{\ast}}, h^{\beta^{\ast}} \cdot g^{b^{\ast}} \big),
 $$
 where $\beta^{\ast} = \sum_{i=1}^n \beta_i$ and $b^{\ast} = \sum_{i=1}^n b_i$. Now decrypt $(u^{\ast}, v^{\ast})$ and publish the result $b^{\ast}$.[^4]
 Since the ElGamal scheme is semantically secure, the protocol is also secure if all voters follow the protocol. But a dishonest voter can encrypt $b_i = -100$ or some arbitrary value.
 To fix this, we can make each voter prove that the vote is valid. Using the [Chaum-Pedersen protocol for DH-triples](2023-11-07-sigma-protocols.md#the-chaum-pedersen-protocol-for-dh-triples) and the [OR-proof construction](2023-11-07-sigma-protocols.md#or-proof-construction), the voter can submit a proof that the ciphertext is either a encryption of $b_i = 0$ or $1$. We can also apply the Fiat-Shamir transform here for efficient protocols, resulting in non-interactive proofs.
 [^1]: The message flows in a shape that resembles the greek letter $\Sigma$, hence the name *sigma protocol*.
 [^2]: A Graduate Course in Applied Cryptography.
 [^3]: The challenge is chosen after the commitment, making it random.
 [^4]: To find $b^{\ast}$, one has to solve the discrete logarithm, but for realistic $n$, we can brute force this.
--- a/Cryptography/2023-11-09-secure-mpc.md
+++ b/Cryptography/2023-11-09-secure-mpc.md
@@ -0,0 +1,188 @@
 ---
 share: true
 toc: true
 math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 tags:
  - lecture-note
  - cryptography
  - security
 title: 14. Secure Multiparty Computation
 date: 2023-11-09
 github_title: 2023-11-09-secure-mpc
 ---
 ## Secure Multiparty Computation (MPC)
 Suppose we have a function $f$ that takes $n$ inputs and produces $m$ outputs.
 $$
 (y_1, \dots, y_m) = f(x_1, \dots, x_n).
 $$
 $N$ parties $P_1, \dots, P_N$ are trying to evaluate this function with a protocol. Each $x_i$ is submitted by one of the parties, and each output $y_j$ will be given to one or more parties.
 In **secure multiparty computation** (MPC), we wish to achieve some security functionalities.
 - **Privacy**: no party learns anything about any other party's inputs, except for the information in the output.
 - **Soundness**: honest parties compute correct outputs.
 - **Input independence**: all parties must choose their inputs independently of other parties' inputs.
 Security must hold even if there is any adversarial behavior in the party.
 ### Example: Secure Summation
 Suppose we have $n$ parties $P_1, \dots, P_n$ with private values $x_1, \dots, x_n$. We would like to *securely* compute the sum $s = x_1 + \cdots + x_n$.
 > 1. Choose $M$ large enough so that $M > s$.
 > 2. $P_1$ samples $r \la \Z_M$ and computes $s_1 = r + x_1 \pmod M$ and sends it to $P_2$.
 > 3. In the same manner, $P_i$ computes $s_i = s_{i-1} + x_i \pmod M$ and sends it to $P_{i+1}$.
 > 4. As the final step, $s_n$ is returned to $P_1$, where he outputs $s = s_n - r \pmod M$.
 This protocol seems secure since $r$ is a random noise added to the actual partial sum. But the security actually depends on how we model adversarial behavior.
 Consider the case where parties $P_2$ and $P_4$ team up (collusion). These two can share information between them. They have the following:
 - $P_2$ has $s_1$, $s_2$, $x_2$.
 - $P_4$ has $s_3$, $s_4$, $x_4$.
 Using $s_2$ and $s_3$, they can compute $x_3 = s_3 - s_2$ and obtain the input of $P_3$. This violates privacy. Similarly, if $P_i$ and $P_j$ team up, the can compute the partial sum
 $$
 s_{j - 1} - s_{i} = x_{i+1} + \cdots + x_{j-1}
 $$
 which leaks information about the inputs of $P_{i+1}, \dots, P_{j-1}$.
 ## Modeling Adversaries for Multiparty Computation
 The adversary can decide not to follow the protocol and perform arbitrarily.
 - **Semi-honest** adversaries follows the protocol and tries to learn more information by inspecting the communication.
 - **Malicious** adversaries can behave in any way, unknown to us.
 Semi-honest adversaries are similar to *passive* adversaries, whereas malicious adversaries are similar to *active* adversaries.
 We can also model the **corruption strategy**. Some parties can turn into an adversary during the protocol.
 - In **static** corruptions, the set of adversarial parties is fixed throughout the execution.
 - In **adaptive** corruptions, the adversary corrupts parties during the execution, based on the information gained from the protocol execution.
 We can decide how much computational power to give to the adversary. For *computational security*, an adversary must be efficient, only polynomial time strategies are allowed. For *information-theoretic security*, an adversary has unbounded computational power.
 We will only consider **semi-honest** adversaries with **static** corruptions.
 ## Defining Security for Multiparty Computation
 The idea is the following.
 > An attack on the protocol in the **real world** is equivalent to some attack on the protocol in an **ideal world** in which no damage can be done.
 In the **ideal world**, we use a trusted party to implement a protocol. All parties, both honest and corrupted, submit their input to the trusted party. Since the trusted party is not corrupted, the protocol is safe.
 In the **real world**, there is no trusted party and parties must communicate with each other using a protocol.
 Thus, a secure protocol must provide security in the real world that is equivalent to that in the ideal world. The definition is saying the following: **there is no possible attack in the ideal world, so there is no possible attack in the real world**. This kind of definition implies privacy, soundness and input independence.
 > For every efficient adversary $\mc{A}$ in the real world, there exists an *equivalent* efficient adversary $\mc{S}$ (usually called a **simulator**) in the ideal world.
 ### Semi-Honest & Static Corruption
 - The *view* of a party consists of its input, random tape and the list of messages obtained from the protocol.
 	- The view of an adversary is the union of views of corrupted parties.
 	- If an adversary learned anything from the protocol, it must be efficiently computable from its view.
 - If a protocol is secure, it must be possible in the ideal world to generate something indistinguishable from the real world adversary's view.
 	- In the ideal world, the adversary's view consists of inputs/outputs to and from the trusted party.
 	- An adversary in the ideal world must be able to generate a view equivalent to the real world view. We call this ideal world adversary a **simulator**.
 	- If we show the existence of a simulator, a real world adversary's ability is the same as an adversary in the ideal world.
 > **Definition.** Let $\mc{A}$ be the set of parties that are corrupted, and let $\rm{Sim}$ be a simulator algorithm.
 > - $\rm{Real}(\mc{A}; x_1, \dots, x_n)$: each party $P_i$ runs the protocol with private input $x_i$. Let $V_i$ be the final view of $P_i$. Output $\braces{V_i : i \in \mc{A}}$.
 > - $\rm{Ideal}_\rm{Sim}(x_1, \dots, x_n)$: output $\rm{Sim}(\mc{A}; \braces{(x_i, y_i) : i \in \mc{A}})$.
 > 
 > A protocol is **secure against semi-honest adversaries** if there exists a simulator such that for every subset of corrupted parties $\mc{A}$, its views in the real and ideal worlds are indistinguishable.
 ## Oblivious Transfer (OT)
 This is a building block for building any MPC.
 Suppose that the sender has data $m_1, \dots, m_n \in \mc{M}$, and the receiver has an index $i \in \braces{1, \dots, n}$. The sender wants to send exactly one message and hide others. Also, the receiver wants to hide which message he received.
 This problem is called 1-out-of-$n$ **oblivious transfer** (OT).
 ### 1-out-of-2 OT Construction from ElGamal Encryption
 We show an example of 1-out-of-2 OT using the ElGamal encryptions scheme. We use a variant where a hash function is used in encryption.
 It is known that $k$-out-of-$n$ OT is constructible from 1-out-of-2 OTs.
 > Suppose that the sender Alice has messages $x_0, x_1 \in \braces{0, 1}\conj$, and the receiver Bob has a choice $\sigma \in \braces{0, 1}$.
 > 
 > 1. Bob chooses $sk = \alpha \la \Z_q$ and computes ${} h = g^\alpha {}$, and chooses $h' \la G$.
 > 2. Bob sets $pk_\sigma = h$ and $pk_{1-\sigma} = h'$ and sends $(pk_0, pk_1)$ to Alice.
 > 3. Alice encrypts each $x_i$ using $pk_i$, obtains two ciphertexts.
 > 	- $\beta_0, \beta_1 \la \Z_q$.
 > 	- $c_0 = \big( g^{\beta_0}, H(pk_0^{\beta_0}) \oplus x_0 \big)$, $c_1 = \big( g^{\beta_1}, H(pk_1^{\beta_1}) \oplus x_1 \big)$.
 > 4. Alice sends $(c_0, c_1)$ to Bob.
 > 5. Bob decrypts $c_\sigma$ with $sk$ to get $x_\sigma$.
 Correctness is obvious.
 Alice's view contains the following: $x_0, x_1, pk_0, pk_1, c_0, c_1$. Among these, $pk_0, pk_1$ are the received values from Bob. But these are random group elements, so she learns nothing about $\sigma$. The simulator can choose two random group elements to simulate Alice.
 Bob's view contains the following: $\sigma, \alpha, g^\alpha, h', c_0, c_1, x_\sigma$. He only knows one private key, so he only learns $x_\sigma$, under the DL assumption. (He doesn't have the discrete logarithm for $h'$) The simulator must simulate $c_0, c_1$, so it encrypts $x_\sigma$ with $pk_\sigma$, and as for $x_{1-\sigma}$, a random message is encrypted with $pk_{1-\sigma}$. This works because the encryption scheme is semantically secure, meaning that it doesn't reveal any information about the underlying message.
 The above works for **semi-honest** parties. To prevent malicious behavior, we fix the protocol a bit.
 > 1. Alice sends a random $w \la G$ first.
 > 2. Bob must choose $h$ and $h'$ so that $hh' = w$. $h$ is chosen the same way, and $h' = wh\inv$ is computed.
 > 
 > The remaining steps are the same, except that Alice checks if $pk_0 \cdot pk_1 = w$.
 Bob must choose $h, h'$ such that $hh' = w$. If not, Bob can choose ${} \alpha' \la \Z_q {}$ and set $h' = g^{\alpha'}$, enabling him to decrypt both $c_0, c_1$, revealing $x_0, x_1$. Under the DL assumption, Bob cannot find the discrete logarithm of $h'$, which prevents malicious behavior.
 ### 1-out-of-$n$ OT Construction from ElGamal Encryption
 Let $m_1, \dots, m_n \in \mc{M}$ be the messages to send, and let $i$ be an index. We will use ElGamal encryption on a cyclic group $G = \span{g}$ of prime order, with a hash function and a semantically secure symmetric cipher $(E_S, D_S)$.
 > 1. Alice chooses $\beta \la \Z_q$, computes $v \la g^\beta$ and sends $v$ to Bob.
 > 2. Bob chooses $\alpha \la \Z_q$, computes $u \la g^\alpha v^{-i}$ and sends $u$ to Alice.
 > 3. For $j = 1, \dots, n$, Alice computes the following.
 > 	- Compute $u_j \la u \cdot v^j = g^\alpha v^{j-i}$ as the public key for the $j$-th message.
 > 	- Encrypt $m_j$ as $(g^\beta, c_j)$, where $c_j \la E_S\big( H(g^\beta, u_j^\beta), m_j \big)$.
 > 4. Alice sends $(c_1, \dots, c_n)$ to Bob.
 > 5. Bob decrypts $c_i$ as follows.
 > 	- Compute symmetric key $k \la H(v, v^\alpha)$ where $v = g^\beta$ from step $1$.
 > 	- $m_i \la D_S(k, c_i)$.
 Note that all ciphertexts $c_j$ were created from the same ephemeral key $\beta \in \Z_q$.
 For correctness, we check that Bob indeed receives $m_i$ from the above protocol. Check that $u_i = u\cdot v^i = g^\alpha v^0 = g^\alpha$, then $u_i^\beta = g^{\alpha\beta} = v^\alpha$. Since $c_i = E_S\big( H(g^\beta, u_i^\beta), m_i \big) = E_S\big( H(v, v^\alpha), m_i \big)$, the decryption gives ${} m_i {}$.
 Now is this oblivious? All that Alice sees is $u = g^\alpha v^{-i}$ from Bob. Since $\alpha \la \Z_q$, $u$ is uniformly distributed over elements of $G$. Alice learns no information about $i$.
 As for Bob, we need the **CDH assumption**. Suppose that Bob can query $H$ on two different ciphertexts $c_{j_1}, c_{j_2}$. Then he knows
 $$
 u_{j_1}^\beta/u_{j_2}^\beta = v^{\beta(j_1 - j_2)},
 $$
 and by raising both to the $(j_1 - j_2)\inv$ power (inverse in $\Z_q$), he can compute $v^\beta = g^{\beta^2}$. Thus, Bob has computed $g^{\beta^2}$ from $g^\beta$, and this breaks the CDH assumption.[^1] Thus Bob cannot query $H$ on two points, and is unable to decrypt two ciphertexts. He only learns $m_i$.
 ### OT for Computing $2$-ary Function with Finite Domain
 We can use an OT for computing a $2$-ary function with finite domain.
 Let $f : X_1 \times X_2 \ra Y$ be a deterministic function with $X_1$, $X_2$ both finite. There are two parties ${} P_1, P_2 {}$ with inputs $x_1, x_2$, and they want to compute $f(x_1, x_2)$ without revealing their input.
 Then we can use $1$-out-of-$\abs{X_2}$ OT to securely compute $f(x_1, x_2)$. Without loss of generality, suppose that $P_1$ is the sender.
 ${} P_1$ computes $y_x =f(x_1, x)$ for all $x \in X_2$, resulting in $\abs{X_2}$ messages. Then $P_1$ performs 1-out-of-$\abs{X_2}$ OT with $P_2$. The value of $x_2$ will be used as the choice of $P_2$, which will be oblivious to $P_1$.[^2]
 This method is inefficient, so we have better methods!
 [^1]: Given $g^\alpha, g^\beta$, compute $g^{\alpha + \beta}$. Then compute $g^{\alpha^2}, g^{\beta^2}, g^{(\alpha+\beta)^2}$, and obtain $g^{2\alpha\beta}$. Exponentiate by $2\inv \in \Z_q$ to find $g^{\alpha\beta}$.
 [^2]: Can $P_1$ learn the value of $x_2$ from the final output $y_{x_2} = f(x_1, x_2)$?
--- a/Cryptography/2023-11-14-garbled-circuits.md
+++ b/Cryptography/2023-11-14-garbled-circuits.md
@@ -0,0 +1,157 @@
 ---
 share: true
 toc: true
 math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 tags:
  - lecture-note
  - cryptography
  - security
 title: 15. Garbled Circuits
 date: 2023-11-14
 github_title: 2023-11-14-garbled-circuits
 ---
 A simple solution for two party computation would be to use oblivious transfers as noted [here](./2023-11-09-secure-mpc.md#ot-for-computing-14-secure-multiparty-computationot-for-computing-dollar2dollar-ary-function-with-finite-domaindollar-ary-function-with-finite-domain). However, this method is inefficient. We will look at **Yao's protocol**, presented in 1986, for secure two-party computation.
 The term **garbled circuit** was used by Beaver-Micali-Rogaway (BMR), presenting a multiparty protocol using a similar approach to Yao's protocol.
 ## Yao's Protocol
 This protocol is for **general secure two party computation**. By general, it means that the protocol can securely compute any functionality. The protocol works on boolean circuits using AND/OR gates, which can be extended to arbitrary circuits, such as addition, multiplication, etc. This protocol takes **constant number of rounds**, and is secure for semi-honest parties.
 A plain circuit would be evaluated by giving raw values $0/1$ to the input wires. These inputs will be evaluated through the gates, and the output is fed to another gate, and so on. But for *secure computation*, we require that **no party learns the values of any internal wires**.
 **Yao's protocol** is a compiler which transforms a circuit so that all information is hidden except for the final output.
 ## Garbled Circuits
 A **garbled circuit** is an *encrypted circuit*, with a pair of keys for each wire. For each gate, a key is given for each of the input wires. Using the keys, it is possible to compute the key of the gate output, but nothing else can be learned. For this process, we will use **oblivious transfer**.
 ### Constructing a Garbled Circuit
 The garbler first encrypts the circuit. First, assign two keys, called **garbled values**, to each wire of the circuit.
 Suppose we have an AND gate, where $C = \rm{AND}(A, B)$. For the wire $A$, the garbler assigns $A_0, A_1$, each for representing the bit $0$ and $1$. Note that this mapping is known only to the garbler. Similar process is done for wires $B$ and $C$.
 Then we have the following garbled values, as in columns 1 to 3. Now, encrypt the values of $C$ with a semantically secure scheme $E$, and obtain the $4$th column. Then, permute the rows in random order so that it is indistinguishable.
 |$A$|$B$|$C$|$C = \rm{AND}(A, B)$|
 |:-:|:-:|:-:|:-:|
 |$A_0$|$B_0$|$C_0$|$E(A_0 \parallel B_0, C_0)$|
 |$A_0$|$B_1$|$C_0$|${} E(A_0 \parallel B_1, C_0) {}$|
 |$A_1$|$B_0$|$C_0$|$E(A_1 \parallel B_0, C_0)$|
 |$A_1$|$B_1$|$C_1$|$E(A_1 \parallel B_1, C_1)$|
 For evaluation, the **last column** will be given to the other party as the representation of the **garbled gate**. The inputs will be given as $A_x$ and $B_y$, but the evaluator will have no idea about the actual value of $x$ and $y$, hiding the actual input value. Although he doesn't know the underlying bit values, the evaluator is able to compute $C_z$ where $z = x \land y$. Similarly, the evaluator will not know whether $z$ is $0$ or $1$, hiding the output or intermediate values.
 The above *garbling* process is done for all gates. For the last output gate, the garbler keeps a **output translation table** to himself, that maps $0$ to $C_0$ and $1$ to $C_1$. This is used for recovering the bit, when the evaluation is done and the evaluator sends the final garbled value.
 > In summary, given a boolean circuit,
 > 1. Assign garbled values to all wires in the circuit.
 > 2. Construct garbled gates using the garbled values.
 Note that the evaluator learns nothing during the evaluation.
 ### Evaluating a Garbled Circuit
 There is a slight problem here. In some encryption schemes, a ciphertext can be decrypted by an incorrect key. If the above encryptions are in arbitrary order, how does the evaluator know if he decrypted the correct one?
 One method is to add **redundant zeros** to the $C_k$. Then the last column would contain $E\big( A_i \pll B_j, C_k \pll 0^n \big)$. Then when the evaluator decrypts these ciphertexts, the probability of getting redundant zeros with an incorrect key would be negligible. But with this method, all four ciphertexts have to be decrypted in the worst case.
 Another method is adding a bit to signal which ciphertext to decrypt. This method is called **point-and-permute**. The garbler chooses a random bit $b_A$ for each wire $A$. Then when drawing $A_0, A_1$, set the first bit (MSB) to $b_A$ and $1 - b_A$, respectively. Next, the ciphertexts are sorted in the order of $b_A$ and $b_B$. Then the evaluator can exploit this information during evaluation.
 For example, if the evaluator has $X$ and $Y$ such that $\rm{MSB}(X) = 0$ and $\rm{MSB}(Y) = 1$, then choose the second ($01$ in binary) ciphertext entry to decrypt.
 This method does not reduce security, since the bits $b_A$, $b_B$ are random. Also, now the evaluator doesn't have to decrypt all four ciphertexts, reducing the evaluation load.
 ## Protocol Description
 > Suppose we have garbler Alice and evaluator Bob.
 > 
 > 1. Alice garbles the circuit, generating garbled values and gates.
 > 2. Garbled gate tables and the garbled values of Alice's inputs are sent to Bob.
 > 3. For Bob's input wire $B$, Alice and Bob run an 1-out-of-2 OT protocol.
 > 	- Alice provides $B_0$ and $B_1$ to the OT.
 > 	- Bob inputs his input bit $b$ to the OT, and Bob now has $B_b$.
 > 4. Bob has garbled values for all input wires, so evaluates the circuit.
 > 5. Bob sends the final garbled output to Alice.
 > 6. Alices uses the output translation table to recover the final result bit.
 Note that OT can be done in *parallel*, reducing the round complexity.
 ### Why is OT Necessary?
 Suppose Alice gave both $B_0$ and $B_1$ to Bob. Bob doesn't know which one represents $0$ or $1$, but he can just run the evaluation for both inputs.
 Suppose we have a $2$-input AND gate $C = \rm{AND}(A, B)$. Bob already has $A_x$ from Alice, so he evaluates for both $B_0$ and $B_1$, obtaining $C_{x\land 0}$ and $C_{x \land 1}$. If these are the same, Bob learns that $x = 0$. If different, $x = 1$.
 So we need an OT to make sure that Bob only learns one of the garbled values.
 ### Performance
 - We need about $2$ to $4$ rounds.
 	- Depends on the implementation of the OT.
 	- Need additional rounds if the final output should be sent to a party.
 	- Anyways, takes constant number of rounds.
 - Need $m$ oblivious transfers, where $m$ is the number of inputs of Bob.
 	- These can be carried out in parallel.
 - Suppose that there are $N$ gates.[^1]
 	- $8N$ symmetric encryptions are required to build a garbled circuit.
 	- $2N$ decryptions are required to compute the circuit.
 	- We need to communicate the data of $\mc{O}(N)$ gates.
 ## Summary of Yao's Protocol
 Let $f$ be a given public function that Alice and Bob want to compute, in circuit representation. Let $(x_1, \dots, x_n)$ and $(y_1, \dots, y_m)$ be inputs provided by Alice and Bob, respectively.
 Alice generates a garbled circuit $G(f)$ by assigning garbled values for each wire. Then gives Bob $G(f)$ and the garbled values of her inputs. Then Alice and Bob run several OTs in parallel for the garbled values of Bob's inputs.
 Bob computes $G(f)$ and obtains a key of $f(x_1, \dots, x_n, y_1, \dots, y_m)$, which is sent to Alice and Alice recovers the final result.
 ## Proof of Security (Semi-honest)
 We show that if the underlying OT is secure, then Yao's protocol is secure. If both parties are honest or corrupted, there is nothing to show, so we only show for the cases where one party is corrupted.
 ### Alice is Corrupted
 Alice's view only consists of the messages it receives during the oblivious transfers. Since the OT is secure, OT will have its own simulator $\mc{S}$ for the sender of the OT. To simulate Alice, we can use the same simulator $\mc{S}$.
 In the OT-hybrid model, we assume an ideal OT. In this case, Alice receives no messages during the oblivious transfers. Then to simulate Alice, an empty transcript will be sufficient.
 ### Bob is Corrupted
 This case is harder to show. The simulator must construct a fake garbled circuit that is indistinguishable to the real one. But the simulator doesn't know the inputs of Alice, so it cannot generate a real circuit.
 Bob's view contains his inputs $(y_1, \dots, y_m)$ and the final output $z = (z_1, \dots, z_k)$. Thus, the simulator generates a fake garbled circuit that **always** outputs $z$. To do this, the garbled values for the wires can be chosen randomly, and use them for encryption keys. But the encrypted message is fixed to the (intermediate) output. For instance, make the gate table consists of $E\big( A_i \pll B_j, C_0 \big)$ for fixed $C_0$. In this way, the simulator can control the values of output wires and get $z$ for the final output.
 The output translation tables can be generated using this method. An entry of the table would be $(z_i, C_0)$ where $C_0$ is the garbled value used for generating the gate table. As for $1-z_i$, any random garbled value can be used.
 Lastly for communicating garbled values, Alice's input wires can be set to any two garbled values of the wire. Bob's input wires should be simulated by the simulator of the OT, which will result in any one of the two values on the wire.
 ## The BMR Protocol
 This is a multiparty variant of Yao's protocol.
 For each wire of the circuit, two random *super-seeds* (garbled values) are used. Each party generates a seed, and the super-seed of the wire is the concatenation of all seeds generated by the parties.
 For example, for input wire $A$, let
 $$
 A_0 = a_0^1 \pll \cdots \pll a_0^n, \quad A_1 = a_1^1 \pll \cdots \pll a_1^n,
 $$
 where $a_0^k, a_1^k$ are seeds generated by party $P_k$.
 Then for garbling gates, the super-seeds of the output wire is encrypted by the super-seeds of the input wires. As an example, suppose that we use $A_b = a_b^1 \pll \cdots \pll a_b^n$ to encrypt an output value $B$. Then we could use a secure PRG $G$ and set
 $$
 B \oplus G(a_b^1) \oplus \cdots \oplus G(a_b^n)
 $$
 as the garbled value.
 [^1]: Why???
--- a/Cryptography/2023-11-16-gmw-protocol.md
+++ b/Cryptography/2023-11-16-gmw-protocol.md
@@ -0,0 +1,290 @@
 ---
 share: true
 toc: true
 math: true
 categories:
  - Lecture Notes
  - Modern Cryptography
 tags:
  - lecture-note
  - cryptography
  - security
 title: 16. The GMW Protocol
 date: 2023-11-16
 github_title: 2023-11-16-gmw-protocol
 image:
  path: assets/img/posts/Lecture Notes/Modern Cryptography/mc-16-beaver-triple.png
 attachment:
  folder: assets/img/posts/Lecture Notes/Modern Cryptography
 ---
 There are two types of MPC protocols, **generic** and **specific**. Generic protocols can compute arbitrary functions. [Garbled circuits](./2023-11-14-garbled-circuits.md#garbled-circuits) were generic protocols, since it can be used to compute any boolean circuits. In contrast, the [summation protocol](./2023-11-09-secure-mpc.md#example-secure-summation) is a specific protocol that can only be used to compute a specific function. Note that generic protocols are not necessarily better, since specific protocols are much more efficient.
 ## GMW Protocol
 The **Goldreich-Micali-Wigderson** (GMW) **protocol** is a designed for evaluating boolean circuits. In particular, it can be used for XOR and AND gates, which corresponds to addition and multiplication in $\Z_2$. Thus, the protocol can be generalized for evaluating arbitrary arithmetic circuits.
 We assume semi-honest adversaries and static corruption. The GMW protocol is known to be secure against any number of corrupted parties. We also assume that any two parties have private channels for communication.
 The idea is **secret sharing**, where each party shares its input with other parties. The actual input is not revealed, and after the computation, each party holds a *share* of the final result.
 The protocol can be broken down into $3$ phases.
 - **Input phase**: each party shares its input with the other parties.
 - **Evaluation phase**: each party computes gate by gate, using the shared values.
 - **Output phase**: each party publishes their output.
 ### Input Phase
 Suppose that we have $n$ parties $P_1, \dots, P_n$ with inputs $x_1, \dots, x_n \in \braces{0, 1}$. The inputs are bits but they can be generalized to inputs over $\Z_q$ where $q$ is prime.
 > Each party $P_i$ shares its input with other parties as follows.
 > 
 > 1. Choose random ${} r_{i, j} \la \braces{0, 1} {}$ for all $j \neq i$ and send $r_{i, j}$ to $P_j$.
 > 2. Set ${} r_{i, i} = x_i + \sum_{i \neq j} r_{i, j} {}$.
 Then we see that $x_i = \sum_{j = 1}^n r_{i, j} {}$. Each party has a **share** of $x_i$, which is $r_{i, j}$. We have a notation for this,
 $$
 [x_i] = (r_{i, 1}, \dots, r_{i, n}).
 $$
 It means that $r_{i, 1}, \dots, r_{i, n}$ are shares of $x_i$.
 After this phase, each party $P_j$ has $n$ shares $r_{1, j}, \dots, r_{n,j}$, where each is a share of $x_i$.
 ### Evaluation Phase
 Now, each party computes each gate using the shares received from other parties. We describe how the XOR and AND gate are computed.
 #### Evaluating XOR Gates
 Suppose we want to compute a share of ${} c = a + b {}$. Then, since
 $$
 [c] = [a] + [b],
 $$
 each party can simply add all the input shares.
 If ${} {} y = x_1 + \cdots + x_n {} {}$, then party $P_j$ will compute ${} y_j = \sum_{i=1}^n r_{i, j} {}$, which is a share of $y$, $[y] = (y_1, \dots, y_n)$. It can be checked that
 $$
 y = \sum_{j=1}^n y_j = \sum_{j=1}^n \sum_{i=1}^n r_{i, j}.
 $$
 #### Evaluating AND Gates
 AND gates are not as simple as XOR gates. If $c = ab$,
 $$
 c = \paren{\sum_{i=1}^n a_i} \paren{\sum_{j=1}^n b_j} = \sum_{i=1}^n a_ib_i + \sum_{1 \leq i < j \leq n} (a_ib_j + a_j b_i).
 $$
 The first term can be computed internally by each party. The problem is the second term. $P_i$ doesn't know the values of $a_j$ and $b_j$. Therefore, we need some kind of interaction between $P_i$ and $P_j$, but no information should be revealed. We can use an OT for this.
 > For every pair of parties $(P_i, P_j)$, perform the following.
 > 
 > 1. $P_i$ chooses a random bit $s_{i, j}$ and computes all possible values of $a_ib_j + a_jb_i + s_{i, j}$. These values are used in the OT.
 > 2. $P_i$ and $P_j$ run a $1$-out-of-$4$ OT.
 > 3. $P_i$ keeps $s_{i, j}$ and $P_j$ receives $a_ib_j + a_jb_i + s_{i, j}$.
 - If $a_ib_j + a_jb_i$ is exposed to any party, it reveals information about other party's share.
 - These are bits, so $P_i$ and $P_j$ get to keep a share of $a_ib_j + a_jb_i$. If these aren't bits, then $s_{i, j} - a_ib_j - a_jb_i$ must be computed for inputs to the OT.
 - Since $a_j, b_j \in \braces{0, 1}$, it is possible to compute all possible values, and use them in the OT. $(a_j, b_j)$ will be used as the choice of $P_j$.
 ### Output Phase
 After evaluation, each party has a share of the final output, so the share is sent to the parties that will learn the output. These shares can be summed to obtain the final output value.
 ### Performance
 Addition is easy, but multiplication gates require $n \choose 2$ OTs. Thus the protocol requires a communication round among the parties for every multiplication gate. Also, the multiplication gates on the same level can be processed in parallel.
 Overall, the round complexity is $\mc{O}(d)$, where $d$ is the depth of the circuit, including only the multiplication gates.
 A shallow circuit is better for GMW protocols. However, shallow circuits may end up using more gates depending on the function.
 ## Security Proof
 We show the case when there are $n-1$ corrupted parties.[^1] Let $P_i$ be the honest party and assume that all others are corrupted. We will construct a simulator.
 Let $(x_1, \dots, x_n)$ be inputs to the function, and let $[y] = (y_1, \dots, y_n)$ be output shares. The adversary's view contains $y$, and all $x_j$, $y_j$ values except for $x_i$ and $y_i$.
 To simulate the input phase, choose random shares to be communicated, both for $P_i \ra P_j$ and $P_j \ra P_i$. The shares were chosen randomly, so they are indistinguishable to the real protocol execution.
 For the evaluation phase, XOR gates can be computed internally, so we only consider AND gates.
 - When $P_j$ is the receiver, choose a random bit as the value learned from the OT. Since the OT contains possible values of $a_ib_j + a_jb_i + s_{i, j}$ and they are random, the random bit is equivalent.
 - When $P_j$ is the sender, choose $s_{i, j}$ randomly and compute all $4$ possible values following the protocol.
 Lastly, for the output phase, the simulator has to simulate the message $y_i$ from $P_i$. Since the final output $y$ is known and $y_j$ ($j \neq i$) is known, $y_i$ can be computed from the simulator.
 We see that the distribution of the values inside the simulator is identical to the view in the real protocol execution.
 ## Beaver Triples
 **Beaver triple sharing** is an offline optimization method for multiplication (AND) gates in the GMW protocol. Before actual computation, Beaver triples can be shared to speed up multiplication gates, reducing the running time in the online phase. Note that the overall complexity is the same.
 > **Definition.** A **Beaver triple** is a triple $(x, y, z)$ such that $z = xy$.
 ### Beaver Triple Sharing
 When Beaver triples are shared, $[x] = (x_1, x_2)$ and $[y] = (y_1, y_2)$ are chosen so that
 $$
 \tag{$\ast$}
 z = z_1 + z _2 = (x_1 + x_2)(y_1 + y_2) = x_1y_1 + x_1y_2 + x_2y_1 + x_2y_2.
 $$
 > 1. Each party $P_i$ chooses random bits $x_i, y_i$. Now they must generate $z_1, z_2$ so that the values satisfy equation $(\ast)$ above.
 > 2. $P_1$ chooses a random bit $s$ and computes all $4$ possible values of $s + x_1y_2 + x_2y_1$.
 > 3. $P_1$ and $P_2$ run a $1$-out-of-$4$ OT.
 > 4. $P_1$ keeps $z_1 = s + x_1y_1$, $P_2$ keeps $z_2 = (s + x_1y_2 + x_2y_1) + x_2y_2$.
 Indeed, $z_1, z_2$ are shares of $z$.[^2] See also Exercise 23.5.[^3]
 ### Evaluating AND Gates with Beaver Triples
 Now, in the actual computation of AND gates, proceed as follows.
 ![mc-16-beaver-triple.png](../../../assets/img/posts/Lecture%20Notes/Modern%20Cryptography/mc-16-beaver-triple.png)
 > Each $P_i$ has a share of inputs $a_i, b_i$ and a Beaver triple $(x_i, y_i, z_i)$.
 > 1. Each $P_i$ computes $u_i = a_i + x_i$, $v_i = b_i + y_i$.
 > 2. $P_i$ shares $u_i, v_i$ to $P_{3-i}$ and receives $u_{3-i}, v_{3-i}$ from $P_{3-i}$.
 > 3. Each party now can compute $u = u_1 + u_2$, $v = v_1 + v_2$.
 > 4. $P_1$ computes $c_1 = uv + uy_1 + vx_1 + z_1$, $P_2$ computes $c_2 = uy_2 + vx_2 + z_2$.
 Note that
 $$
 \begin{aligned}
 c = c_1 + c_2 &= uv + u(y_1 + y_2) + v(x_1 + x_2) + (z_1 + z_2) \\
 &= uv + uy + vx + xy \qquad (\because z = xy)  \\
 &= u(v + y) + x(v + y) \\
 &= (u + x)(v + y) = ab
 \end{aligned}
 $$
 The last equality comes from the fact that $u = a + x$ and $v = b+y$ from step $1$. The equation was derived from the following observation.
 $$
 c = ab = (a + x)(b + y) - x(b + y) - y(a + x) + xy.
 $$
 Substitute $u = a +x$ and $v = b + y$, since $z = xy$, we have
 $$
 c = uv - xv - yu + z.
 $$
 Thus
 $$
 [c] = uv - [x]v - [y]u + [z],
 $$
 and $uv$ is public, so any party can include it in its share.
 Also note that $u_i, v_i$ does not reveal any information about $x_i, y_i$. Essentially, they are *one-time pad* encryptions of $x_i$ and ${} y_i {}$ since $a_i, b_i$ were chosen randomly. No need for OTs during actual computation.
 ### Reusing Beaver Triples?
 **Beaver triples are to be used only once!** If $u_1 = a_1 + x_1$ and ${} u_1' = a_1' + x_1 {}$, then $u_1 + u_1' = a_1 + a_1'$, revealing information about $a_1 + a_1'$.
 Thus, before the online phase, a huge amount of Beaver triples are shared to speed up the computation. This can be done efficiently using [OT extension](2023-11-16-gmw-protocol.md#ot-extension) described below.
 ## Comparison of Yao and GMW
 |Protocol|Yao|GMW|
 |:-:|:-:|:-:|
 |Metaphor|Apple: bite-by-bite|Orange: peel and eat|
 |Pros|Constant round complexity|Circuit evaluation is simple|
 |Cons|Requires symmetric cipher in the online phase|High overhead in AND gates|
 |Good In|High latency networks|Low latency networks|
 |Round Complexity|$\mc{O}(1)$|Depends on circuit depth. $n$ OTs per AND gates per party.|
 Yao's protocol computes gates bite-by-bite, whereas GMW protocol is peel-and-eat. Most of the effort is required in the preprocessing phase, by sharing many Beaver triples, but the evaluation phase is easy.
 ## OT Extension
 Both Yao's and GMW protocol use OTs. Depending on the computation, one may end up performing thousands of OTs, which can be inefficient.
 There is a technique called **OT extension**, that allows us to obtain many OT instances from a small number of OT instances. OT extension only uses small number of base OTs, and uses symmetric cipher to extend it to many OTs.
 ### Protocol Description
 This protocol will extend $n$ OTs to $m$ OTs, where $m \gg n$.
 - Sender has inputs $\paren{x_i^0, x_i^1}$ for $i = 1, \dots, m$.
 - Receiver has choice vector $\sigma = (\sigma_1, \dots, \sigma_m) \in \braces{0, 1}^m$.
 	- After the protocol, the receiver will get $x_i^{\sigma_i}$ for $i = 1, \dots, m$.
 > **First phase.**
 > 
 > 1. The receiver samples $n$ random strings $T_1, \dots, T_n \la \braces{0, 1}^m$ of length $m$.
 > 2. The receiver prepares pairs $\paren{T_i, T_i \oplus \sigma}$ for $i = 1, \dots, n$ and plays *sender in base OT*.
 > 3. The sender chooses random $s = (s_1, \dots, s_n) \in \braces{0, 1}^n$.
 > 4. The sender plays *receiver in base OT* with input $s_i$ for $i = 1, \dots, n$.
 In the first phase, the roles are temporarily switched.
 - The receiver chose $n$ random $m$-bit vectors, now has a $m\times n$ bit matrix $T$.
 - For the $i$-th base OT, the receiver inputs $T_i$ or $T_i \oplus \sigma$. Therefore, if $s_i = 0$, the sender gets $T_i$. If $s_i = 1$, then sender gets $T_i \oplus \sigma$.
 - Suppose that the sender gets $Q_i \in \braces{0, 1}^m$ in the $i$-th base OT. The sender will also have a $m \times n$ bit matrix $Q$.
 $$
 Q_i = \begin{cases} T_i  & (s_i = 0)  \\
 	T_i \oplus \sigma  & (s_i = 1).
 \end{cases}
 $$
 **Now consider each row separately!** Let ${} A[k]$ be the $k$-th row of matrix $A$.
 If $\sigma_j = 0$, the XOR operation in $T_i \oplus \sigma$ has no effect on the $j$-th element (row), so the $j$-th element of $T_i \oplus \sigma$ and $T_i$ are the same. Thus, we have $Q[j] = T[j]$.
 On the other hand, suppose that $\sigma_j = 1$ and consider each element of $Q[j]$. The $i$-th element is the $j$-th element of $Q_i$. If $s_i = 0$, then $Q_i = T_i$, so the $j$-th element (row) is the same as the $j$-th element of $T_i$. If $s_i = 1$, then $Q_i = T_i \oplus \sigma$, so the $j$-th element is flipped. Thus, $Q[j] = T[j] \oplus s$.
 $$
 Q[j] = \begin{cases} T[j] & (\sigma_j = 0)  \\
 T[j] \oplus s & (\sigma_j = 1).
 \end{cases}
 $$
 > **Second phase.** To perform the $j$-th transfer $(j = 1, \dots, m)$,
 > 
 > 1. The sender sends $y_j^0 = H(j, Q[j]) \oplus x_j^0$ and $y_j^1 = H(j, Q[j] \oplus s) \oplus x_j^1$.
 > 2. The receiver computes $H(j, T[j]) \oplus y_j^{\sigma_j}$.
 If $\sigma_j = 0$, then the sender gets
 $$
 H(j, T[j]) \oplus y_j^0 = H(j, T[j]) \oplus H(j, Q[j]) \oplus x_j^0 = x_j^0.
 $$
 If $\sigma_j = 1$,
 $$
 H(j, T[j]) \oplus y_j^1 = H(j, T[j]) \oplus H(j, Q[j] \oplus s) \oplus x_j^1 = x_j^1.
 $$
 We have just shown correctness.
 ### Security Proof of OT Extension
 Intuitively, the sender receives either $T_i$ or $T_i \oplus \sigma$. But $T_i$ are chosen randomly, so it hides $\sigma$, revealing no information.
 As for the receiver, the values $(x_j^0, x_j^1)$ are masked by a hash function, namely $H(j, Q[j])$ and $H(j, Q[j] \oplus s)$. The receiver can compute $H(j, T[j])$, which equals *only one of them* but since receiver has no information about $s$, prohibiting the receiver from computing the other mask.
 ### Performance of OT Extension
 The extension technique allows us to run $n$ base OT instances to obtain $m$ OT instances. For each of the $m$ OT transfers, only a few hash operations are required, resulting in very efficient OT.
 One may concern that we have to send a lot of information for each of the $n$ OT instances, since we have to send $m$ bit data for each OT. But this of not much concern. For example, if we used [OT based on ElGamal](./2023-11-09-secure-mpc.md#1-out-of-2-ot-construction-from-elgamal-encryption), we can choose primes large enough $> 2^m$ to handle $m$-bit data.
 Hence, with OT extensions, we can perform millions of OTs efficiently, which can be used especially for computing many Beaver triples during preprocessing.
 [^1]: Intuitively, it may seem that proving security for $n-1$ corrupted parties would be the hardest. However, security for $n-1$ corrupted parties does not imply security for $n-2$ corrupted parties, in general.
 [^2]: There is a variant of sharing Beaver triples, where a dealer generates all $x_i, y_i, z_i$ and gives them to each party.
 [^3]: A Graduate Course in Applied Cryptography.
--- a/Cryptography/mc-13-chaum-pedersen.png
+++ b/Cryptography/mc-13-chaum-pedersen.png
--- a/Cryptography/mc-13-gq-protocol.png
+++ b/Cryptography/mc-13-gq-protocol.png
--- a/Cryptography/mc-13-okamoto.png
+++ b/Cryptography/mc-13-okamoto.png
--- a/Cryptography/mc-13-sigma-protocol.png
+++ b/Cryptography/mc-13-sigma-protocol.png
--- a/Cryptography/mc-16-beaver-triple.png
+++ b/Cryptography/mc-16-beaver-triple.png
Author	SHA1	Message	Date
Sungchan Yi	76ec29ee14	[PUBLISHER] upload files #143 * PUSH NOTE : 16. The GMW Protocol.md * PUSH ATTACHMENT : mc-16-beaver-triple.png	2024-01-21 22:07:28 +09:00
Sungchan Yi	ac4fea80e0	[PUBLISHER] upload files #142	2024-01-21 22:06:41 +09:00
Sungchan Yi	4c1105d413	[PUBLISHER] upload files #141	2024-01-21 22:06:21 +09:00
Sungchan Yi	67f1fc465c	[PUBLISHER] upload files #140 * PUSH NOTE : 13. Sigma Protocols.md * PUSH ATTACHMENT : mc-13-sigma-protocol.png * PUSH ATTACHMENT : mc-13-okamoto.png * PUSH ATTACHMENT : mc-13-chaum-pedersen.png * PUSH ATTACHMENT : mc-13-gq-protocol.png	2024-01-21 22:05:57 +09:00