CS 355 – Topics in Cryptography April 18, 2018

Lecture 6: Oblivious Transfer and Yao’s Garbled Circuits

Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu

1 Introduction
In the last few lectures, we have been discussing proof systems. A proof system is an interactive
protocol between two parties: a prover and a verifier. At the end of the protocol, the prover
convinces the verifier whether some statement is true or not. In the next few lectures, we are going
to consider a more general setting of multiparty computation (MPC). Today, we are going to restrict
ourselves to just two-party computation (2PC).
Setting. A two party protocol is defined with respect to some joint function f : {0, 1}∗ × {0, 1}∗ →
{0, 1}∗ called the functionality. Let’s refer to the two parties that are involved in the protocol as
Alice and Bob.

• Start of the protocol: Alice holds some private input x, and Bob holds some private input y.

• End of the protocol: Both Alice and Bob learns the output f (x, y).1

For security, we want each of the parties in the protocol to not learn any information about the
other party’s private input other than what can be inferred from the output f (x, y).
Examples.

• Yao’s millionaire problem: We have two millionaires Mark and Oprah. The two parties want
to find out who is richer between the two. However, both parties do not want to reveal to
each other how much money they actually have.

• Online advertising: Google and some Business want to find out how effective Google ads are.

– Google’s input: List of users who were shown Business’s Ad.

– Business’s input: List of people who bought their product.

At the end of the two party protocol, Google and Business can learn how many people actually
bought Business’s product via Google’s ad.

• Private contact discovery: At the start of the protocol, a client has a list of contacts and a
Signal server has a list of all users for the Signal app. At the end of the protocol, the client
learns the set of Signal users in its contacts who use Signal while the Signal server learns
nothing.

• Zero-Knowledge: At the start of the protocol, prover has input (x, w) and verifier has input x.
At the end of the protocol, both parties learn R(x, w).
1
More generally, we can consider the functionality to consist of two different functions f1 , f2 . We can require that at
the end of the protocol, Alice learn f1 (x, y) and Bob learns f2 (x, y).

6-1
Security models. For 2PC (and MPC in general), there are two main models of security that we
can consider.
• Semi-honest: Both Alice and Bob are guaranteed to follow the protocol specification exactly.
At the end of the protocol, they look at the transcript of the protocol and try to extract more
information about the other party’s private input. This is analogous to the honest verifier
zero-knowledge (HVZK) that we studied in the problem set 1.

• Malicious: Both Alice and Bob can deviate from the protocol specification at any time to fool
the other party in providing more information about its own private input. This is analogous
to the standard zero-knowledge (ZK) definition.
For this lecture, we will restrict ourselves to the semi-honest security model.
Semi-formal Definition. An interactive protocol hA, Bi for a functionality f : {0, 1}∗ × {0, 1}∗ →
{0, 1}∗ must satisfy the following properties:
• Correctness: For all inputs x, y ∈ {0, 1}∗ ,

Pr[output hA(x), B(y)i = f (x, y)] = 1.

• Privacy: There exist efficient algorithms (simulators) SimA , SimB such that for all inputs
x, y ∈ {0, 1}∗ ,
SimA (x, f (x, y)) ≈c viewA (hA(x), B(x)i)
SimB (y, f (x, y)) ≈c viewB (hA(x), B(x)i)

2 Oblivious Transfer
There is a two-party computation functionality that is especially very useful called oblivious transfer.
In an oblivious transfer (OT) protocol, there are two parties: a receiver S and a sender R.

• Start of the protocol: At the start of the protocol, the sender S holds a pair of messages
(m0 , m1 ), and the receiver R holds some bit b ∈ {0, 1}.

• End of the protocol: At the end of the protocol, the sender S learns nothing, while the
receiver R learns mb .

S(m0 , m1 ) R(b)
−−−−−−−−−−−−−−→
←−−−−−−−−−−−−−−
..
.
−−−−−−−−−−−−−−→
⊥ ←−−−−−−−−−−−−−− mb
What are the security properties that we want from an OT protocol?
• Sender Privacy: At the end of the OT protocol, the receiver learns only mb , and nothing
else about m1−b .

6-2
 • Receiver Privacy: At the end of the OT protocol, the sender does not learn any information
about the receiver’s bit b.
Definition 2.1 (Oblivious Transfer). A two party protocol hS, Ri between a sender S and a receiver
R is an oblivious transfer (OT) protocol if it satisfies the following properties:
• Correctness: For any input m0 , m1 ∈ {0, 1}∗ ,

Pr[outputR hS(m0 , m1 ), R(b)i = mb ] = 1.

• Privacy:

– Sender Privacy: There exists an efficient simulator SimR such that for all pairs of
messages (m0 , m1 ) and b ∈ {0, 1}:

viewR ((m0 , m1 ), b) ≈c SimR (b, mb ).

– Receiver Privacy: There exists an efficient simulator SimS such that for all pairs of
message (m0 , m1 ) and b ∈ {0, 1}:

viewS ((m0 , m1 ), b) ≈c SimS (m0 , m1 ).

2.1 Bellare-Micali Oblivious Transfer Construction [1]

Let G be a group of prime order p with generator g. Let H be a hash function G → {0, 1}` (modeled
as a random oracle). We let m0 and m1 be the sender’s messages and let b ∈ {0, 1} be the receiver’s
input. Then, the protocol proceeds as follows:
R
1. The sender S chooses c ← G and sends c to the receiver R.

2. The receiver R chooses a random key k ← R

Zp and computes two ElGamal public keys yb ← g k
c
and y1−b ← gk , and sends y0 , y1 to the sender.

3. If y0 · y1 6= c, then the sender S immediately aborts. Otherwise, S chooses r0 , r1 ← Zp and

computes ElGamal ciphertexts c0 ← (g r0 , H(y0r0 ) ⊕ m0 ) and c1 ← (g r1 , H(y1r1 ) ⊕ m1 ). The
sender sends c0 , c1 to the receiver.

4. The receiver R parses the ciphertext cb = (v0 , v1 ) and then decrypts using knowledge of k:

mb = H(v0k ) ⊕ v1 .

It outputs mb .
Correctness of the scheme is by inspection. Let’s reason about why this protocol is secure.
• Sender Privacy. Sender privacy follows from the CDH assumption.
Intuition:

1. The receiver R sends two ElGamal public keys y0 , y1 to the sender S, and S uses
y0 , y1 to encrypt each message m0 and m1 . Therefore, as long as the receiver knows a
corresponding decryption key for one of y0 , y1 and not both, then R can only recover one
of m0 or m1 .

6-3
 2. Since c ∈ G is generated by S, the receiver R cannot generate decryption keys for both
y0 , y1 without solving the discrete log of c.

• Receiver Privacy. Receiver privacy follows information-theoretically.

Intuition: The elements yb and y1−b are uniformly generated given that yb · y1−b = c.
(semi-)formal proof : We can construct a simulator Sim, which on input (m0 , m1 ), works as
follows:
R
– Sample c ← G uniformly (as in the real protocol).
– Sample y0 , y1 ← G uniformly under the condition that y0 · y1 = c.
– Sample r0 , r1 , and compute (g r0 , H(y0r0 ) ⊕ m0 ) and (g r1 , H(y1r1 ) ⊕ m1 ) (as in the real
protocol).

Sim outputs the whole transcript (c, y0 , y1 , (g r0 , H(y0r0 ) ⊕ m0 ), (g r1 , H(y1r1 ) ⊕ m1 ). It is easy

to see that this is identically distributed as in the real protocol.

3 Garbled Circuits
A very useful tool for constructing two-party protocols is Yao’s garbled circuits construction.2 At a
high level, garbling a circuits is a way of encoding a circuit C into “codes”.

3.1 Warm-Up
For warm-up, let’s consider a simple scenario where Alice holds a bit b0 and Bob holds a bit b1 .
They want to jointly compute the AND of their private bits b0 ∧ b1 . How can they do this privately?

A(b0 ) B(b1 )
−−−−−−−−−−−−−−→
←−−−−−−−−−−−−−−
..
.
−−−−−−−−−−−−−−→
b0 ∧ b1 ←−−−−−−−−−−−−−− b0 ∧ b1
Let E : K × M → C, D : K × C → M be an encryption scheme. Then, using garbling, let’s construct
the following protocol:

1. For each input variable to an AND gate, Alice samples a pair of keys (kL0 , kL1 ), (kR
0 , k 1 ).
R

2. Then, Alice generates 4 ciphertexts according to the truth table of the AND gate.

α β AND α β AND
0 0 0 kL0 kR0 c00 = E(kL0 , E(kR
0 , 0))

0 1 0 =========⇒ kL0 kR1 c01 0

= E(kL , E(kR1 , 0))

1 0 0 kL1 kR0 c10 1

= E(kL , E(kR0 , 0))

1 1 1 kL1 kR1 c11 = E(kL1 , E(kR

1 , 1))

2
Yao’s garbled circuits is a very useful tool not only for two-party computation, but for all of cryptography in general.

6-4
 3. Alice sends over the 4 ciphertexts c00 , c01 , c10 , c11 in permuted order to Bob.

4. Alice also sends the corresponding key for its own input bit kLb0 to Bob.

5. Alice and Bob proceeds in an oblivious transfer protocol where Alice plays the sender and
Bob plays the receiver.
0 , k1 )
• Alice’s input: (kR R
• Bob’s input: b1
b1
6. At the end of the OT protocol, Bob receives kR .

7. Now Bob has 4 ciphertexts c00 , c01 , c10 , c11 (in permuted order) and a pair of keys kLb0 , kR
b1
.
b1 b0
Bob tries to decrypt each ciphertext D(kR , D(kL , c)). Then, 3 out of the 4 ciphertexts should
decrypt to some random garbage. 1 ciphertext should decrypt to either 0 or 1.

8. Bob sends back the bit he decrypted to Alice.

Correctness of the protocol is by inspection. Let’s intuitively reason about why this protocol is
actually secure by looking at each of Alice’s view and Bob’s view.

• Alice’s view: The only messages that Alice actually receives from Bob throughout the protocol
are (i) the OT protocol messages and (ii) the resulting bit b0 ∧ b1 . The information b0 ∧ b1 is
something that Alice is supposed to learn, so this is not a problem. Also, by security of the
OT protocol, Alice does not learn any information about Bob’s input b1 . Hence, for the whole
protocol, Alice does not learn any more information about b1 other than what can already be
inferred from b0 ∧ b1 .

• Bob’s view: Let’s consider all the messages that Bob receives from Alice

– c00 , c01 , c10 , c11 : These are ciphertexts, which means that by semantic security, they don’t
provide any useful information to Bob as long as Bob is not provided the set of keys that
can decrypt them.
– kLb0 : This is a randomly generated key, and Bob does not know whether it corresponds to
kL0 or kL1 .
b1
– OT messages: By the security of OT, the only information that Bob learns is kR .

Hence, with access to only kLb0 , kR

b1
, Bob only learns b0 ∧ b1 and nothing else.

3.2 General 2PC

Now let’s extend the protocol from warm-up to general 2PC protocol for arbitrary functionality f .
Instead of garbling a single gate, we are going to garble the whole circuit representation of f . How
do we garble f ?
0 , k 1 ).
• For each input wires and internal wires w of the circuit, assign a pair of keys (kw w

6-5
 • For each gate of the circuit, generate 4 ciphertexts which encrypts the corresponding key
associated with the output wire according to the truth table of the gate.

α β AND α β AND
0 0 0 kL0 kR0 c00 = E(kL0 , E(kR
0 , k 0 ))
out
0 1 0 =========⇒ kL0 kR1 c01 0
= E(kL , E(kR1 , k 0 ))
out
1 0 0 kL1 kR0 c10 = E(kL1 , E(kR
0 , k 0 ))
out
1 1 1 kL1 kR1 c11 = E(kL1 , E(kR
1 , k 1 ))
out

• For each gate connected to an output wire of the circuit, we encrypt 0/1 according to the
truth table as before.

• Invariant: Given the 4 ciphertexts associated with a gate and a pair of keys corresponding
to each input wire to the gate, one can compute a corresponding key for the output wire by
decrypting each of the 4 ciphertexts (for the output wires, one decrypts 0/1).3
Using the above garbling method, we can construct a general two-party protocol. Without loss of
generality, let’s say x, y ∈ {0, 1}n and f : {0, 1}n × {0, 1}n → {0, 1}∗ .
1. Alice represents the function f as a circuit and garbles f using the method above. f has a
total of 2n input wires corresponding to x1 , . . . , xn , y1 , . . . , yn .

2. Alice sends over all of the ciphertexts that are generated for each gate to Bob (there are 4 · |G|
number of ciphertexts where |G| represents the total number of gates in f ).

3. Alice sends over the corresponding keys for its own input wires k1x1 , . . . , knxn .

4. Alice and Bob proceeds in a total of n oblivious transfer protocol where Alice plays the sender
and Bob plays the receiver. For i = 1, . . . , n, the inputs to the ith OT is as follows:
0 , k1 )
• Alice’s input: (kn+i n+i
• Bob’s input: yi
y1 yn
At the end of the protocol, Bob learns the keys kn+1 , . . . , k2n .

5. At this point, Bob knows a single key for each of the 2n input wires of the circuit. Bob
evaluates the circuit using these keys (using the invariant condition above).

6. In the end, Bob learns the output f (x, y).

7. Bob sends over f (x, y) to Alice.

At the end of the protocol, both Alice and Bob learns the value f (x, y).
Note on round complexity. The Bellare-Micali OT construction that we discussed in a 3-round
protocol. There exists OT constructions that are 2-round (i.e. Naor-Pinkas [2]). Combining Yao’s
garbled circuit trick with OT in parallel, we can get a total of 3-round protocol for general 2PC (for
semi-honest security model).
3
Slight technicality: we must encode the output wire keys kout such that a successful decryption is detectable. One
easy way of doing this is just appending a bunch of zero string when encrypting. So you would actually encrypt
0 0 0
E(kL , E(kR , kout |00 · · · 0)) for example.

6-6
References
[1] Mihir Bellare and Silvio Micali. Non-interactive oblivious transfer and applications. In Conference
on the Theory and Application of Cryptology, pages 547–557. Springer, 1989.

[2] Moni Naor and Benny Pinkas. Efficient oblivious transfer protocols. In Proceedings of the twelfth
annual ACM-SIAM symposium on Discrete algorithms, pages 448–457. Society for Industrial
and Applied Mathematics, 2001.

6-7