 So, today I will be talking on circuit garbling, one of the most fundamental concept in multiparty computation and then we will talk about Yao's two-party protocol, two-party computation protocol based on Yao's garble circuit. So, here is the roadmap. So, we will start with Yao's million years problem, the famous problem that triggered the fundamental area of secure multiparty computation. Then we will move on and we will discuss the generic secure two-party computation or 2PC problem. So, Yao's million years problem is actually a special case of generic secure two-party computation problem. We will briefly see the security goal, but you probably would have already seen a detailed discussion on the security definition in the in Manoj's talk. Once we are done with the security goal, then we will discuss Yao's proposal for the two-party computation protocol, which is based on the fundamental concept called garble circuit and oblivious transfer. So, in this talk, we are going to elaborate on garble circuits and we will take oblivious transfer as a black box and use it in our protocol, in the Yao's protocol. In my next lecture tomorrow, we will talk in details about the second primitive, which is oblivious transfer. And in the end, we will trace the fabulous journey of garble circuits a bit and then we will conclude with some very interesting open questions in the domain. So, here goes the problem, the Yao's million year problem. So, this is introduced by Turing Award winner Andrew Yao back in 1982 in his foundational work called Protocols for Secure Computation. And here is the problem. So, to be consistent with the pictures in the slide, we can as well call it as Yao's billion years problem instead of billion years. So, here is the problem. So, the problem is that we have two billion years and they would like to know who is richer between them, but without disclosing their exact asset to each other. So, of course, if they make their asset public or let the other guy know, then both of them can compute who is richer between them. So, the challenge is that they want to find out who is richer between them, but without disclosing the exact asset they have. Generalizing the problem that you have seen in the previous slide, what we get is a secure two-party computation problem. So, here we have two parties, they do not trust each other and they have their private inputs x and y. Now, they want to compute a function f on their private inputs x and y and at the end they would like to know just f of x, y and nothing beyond. And all that is implied from this function output which is f of x, y, but nothing beyond that. Now, the problem of secure two-party computation can be further generalized in terms of number of parties. So, instead of two parties, we can make it n parties and what we get is actually secure multi-party computation, where we have n parties n can be two or more. And the parties do not trust each other, the distrust is modeled by having an adversary who is a centralized adversary and who can corrupt some of these parties. Now, every party p i has some private input x i and there is a commonly agreed function n input function f that they want to compute on their private inputs. So, the goal is that they want to compute this function f, f of x 1, x 2 up to x n. They would like to know the function output correctly, but with the constraint that nothing beyond the function output must be leaked in that process. Now, there is humongous amount of applications of MPC, some of them you have already seen probably. So, if the applications I mean it starts I mean ranges of applications are there starting from preventing satellite collision, then evoting, then electronic election, outsourcing, privacy preserving machine learning, then privacy preserving data analytics and so on and so forth. So, what is common among all the problems is that in all of them you need data privacy and data usability or computing on the data at the same time. So, you want to keep your data private, but at the same time you want to do some computation on your private data. In fact, MPC is since it is it captures almost anything in cryptography it is arguably called as the holy grail problem of cryptography. Anyway, so in this talk our goal is to discuss two party computation which is a special case of MPC where the number of parties are restricted to 2. So, I will just I think you have already seen the number of applications of it, but I will just give one example and with that I will conclude the application part of it. So, think of two medical two hospitals in the country Ames and Apollo hospital for instance. So, they have their own medical records of their patients and let us say they want to together want to compute some statistics on their private database. So, this databases cannot be made public or they cannot be disclosed to some other hospital. So, they are binded by law. So, this hospitals they cannot make it public. So, if they want to find out some statistics some interesting statistics on their joint database right then they have to then MPC or 2PC can be a solution for it. Now, that we are motivated. So, let us ask the question how we can solve the problem of 2PC. So, the problem can be very straightforwardly handled if you can trust someone. So, if you have some trusted third party for instance who you can trust then what can the parties do is they can simply let us say that these parties are connected to the trusted third party through a secure channel each one of them. Then they can send across their private inputs to the trusted guy. The trusted guy can compute the function f on x and y and then he can hand over the output to the individual parties very simple. Since the channels are private everything is fine. So, the parties gets to know only the function output and all that is implied from it but nothing beyond it. So, this is called ideal world secure 2 party computation protocol but TTPs exist only in fair tales. So, we are in the practical world where we do not have such TTPs to help us out. So, we still have to find a way out and that is exactly 2PC protocols does. So, it suggests to distribute our trust. So, we will have a protocol that is run between the parties themselves and at the end they would know only the function output and nothing else. In a sense this protocol is going to simulate the effect of a trusted third party between them. So, this is basically the goal of any 2PC protocol. We want to have a protocol that would emulate the effect of having a TTP between the 2 parties. So, with that let us now. So, now we will we have seen the security goal. We will now proceed to see the protocol proposed by Yao which is based on Gavel circuit approach. So, what Yao suggests is that we do for solving the 2 party computation problem we do secure function evaluation. So, we will evaluate the function securely which is in a sense same as secure circuit evaluation. So, there is a connection between function and circuit and here is that you get it from complexity theory that for any function that is polynomially computable there is a circuit representation for it. So, it can be Boolean or arithmetic both actually, but for Yao solution we need the Boolean circuit representation of the function. So, any polynomially computable function you have for that you have a corresponding Boolean circuit representation. So, basically the circuit is nothing but DAG with varieties of gates for instance. So, if it is a Boolean circuit then you have this AND gate OR gate NOT gate and so on and so forth. So, this is from this is from here the 2 party protocols gets its generality that it can compute it can handle any function in general. So, you take any general function for that you have a corresponding circuit representation which we are going to evaluate in a secure way. So, I will elaborate what we mean by secure circuit evaluation in next few slides, but before that let me just quickly demonstrate you that we can actually find circuit representation for polynomially computable functions. So, here I have taken the example that we have got from Yao's Millennial problem. So, remember that there the function that we wanted to compute is nothing but greater than equal to. So, two guys they have their own private asset and then they want to find out who is richer between them. So, essentially we wanted to compute greater than equal to function for the x and y inputs that the individual part is had. So, I am going to show you very quickly how you can get a circuit representation of this greater than equal to function. So, let us assume that x and y are L bit non-negative integers. These are the bit representations of x and y. Now, assume that we have a bit comparator. So, it compares 2 bits x i and y i and then it outputs c. So, it has it takes another input which is c i. So, c i is given as 1 just to indicate that x i I mean with the assumption that x i is greater than equal to y i and it outputs c i plus 1. So, this circuit basically implements this logic. So, c i plus 1 this 1 will be 1 if and only if this bit x i is greater than y i that is 1 case or these 2 bits are equal and c i equal to 1. It is clear what this c i plus 1 computes. Now, you can easily go back and find out the representation of c i plus 1 in terms of x i, y i and c i. It is actually this. So, there is nothing no magic about it. You can go back and solve the truth table and you can come up with this expression. So, as you can see that this c i plus 1 can be represented in terms of x i, y i and c i and essentially you need 3 XOR gates and 2 AND gates that is it. Now, I can use this bit comparator to design a Boolean circuit for this function which is the greater than equal to. Do you see it already? So, you actually need L copies of this circuit to come up with the circuit for greater than equal to. So, this is what you do. So, the first bit comparator takes x 1, y 1 as the input and c 1 is said to 1. So, this c 2 will tell you whether so far x is so far in the sense that whether x 1 is greater than equal to y 1 or not. You can easily check that c 2 will be equal to 1 if and only if x 1 is greater than equal to y 1 and then to the next bit comparator you feed c 2, x 2 and y 2 so on and so forth. And finally, you get C L plus 1 and you can see that x this the whole x is greater than equal to 1 if and only if the final bit which is C L plus 1 if this is equal to 1. So, x will be greater than equal to 1 if and only if C of L plus 1 is equal to 1. So, this is the Boolean circuit representation of the greater than equal to function. So, this is just in demonstration, but in principle any a polynomially computable function f can be represented by a Boolean circuit. Now, we will move forward. Now, the idea that Yaw proposed is the following. He says that do secure circuit evaluation, what that means is that the parties will jointly evaluate the circuit securely. So, that only the final outcome of the circuit will be known, but no intermediate values will be leaked including the inputs. And the way he suggested to do is through circuit gubbling. So, what does circuit gubbling do and what is the goal of doing it? So, they are stated as follows. So, in circuit gubbling we first gubble or encode the circuit and then we encode the input to the circuit. Then we evaluate the encoded circuit on the encoded input to get encoded output. And then finally, if you disclose the decoding information with that you can just find out the output, but nothing else. So, a circuit is encoded or gubbled and then input to the circuit is encoded. Then the circuit the encoded or the gubble circuit is evaluated on an encoded input to get encoded output. Finally, when we give some decoding information that gives or leaks just the output and nothing else. Now, what is the goal of gubbling? So, the goal of gubbling is that nothing beyond the function output should be or the circuit output should be leaked. So, that includes that we preserve the privacy of the input that is fed to the circuit. Secondly, we do not leak any intermediate gate output values. And lastly, we will also not leak output if the decoding information is withheld. So, if I give you the decoding information with that you can decode the function output or the circuit output and that is all you can do. So, intuitively this is what we do in circuit gubbling and this is what we want to achieve. So, of course, I have not stated these properties formally. These are stated in formal level, but I think it makes sense to you. So, with this goal now we will see how we can gubble circuit. So, to make the presentation easy I have taken a very simple circuit. So, this is a 3 input circuit it takes A, B and C as the input and it has just 2 gates. This is an AND gate and this is an OR gate that is all. Now, if you want to let us say evaluate this circuit on. So, you want to evaluate this circuit on clear with these inputs let us say. So, A takes 0 value, B takes value 1 and C takes 0. So, how would you go about evaluating the circuit on clear? So, first of all you will have some topological ordering of your circuit. So, for instance for this gate it is very simple. So, you can start with this gate for instance. So, you have 0 and 0 you look of the truth table. So, you have to go to the second row. So, it is for 0 and 1 and you should get 0 as the output. So, that means that you can this output where of this gate gets 0 value for these 2 inputs. Now, with 0 and 0 you again look of the table this time for OR gate and it corresponds to the first row corresponds to the first row and you get 0 as the final output. So, if you want to evaluate this circuit on clear let us say on this specific inputs then this is how you go about doing it right. Now, my first goal is to gavel this circuit. So, that I can evaluate the circuit, evaluate the gavel circuit in a encoded way. So, the first step of the gaveling is to gavel the wares and then I will gavel the gates. So, to gavel the wares we will associate 2 keys with everywhere. So, let us start with this wire. So, we associate 2 keys which are this is very important which are identically looking. So, although they are not looking identical. So, this is for your advantage I have given 2 different colors, but we are associating 2 keys which are identical looking 1 key is given the meaning 0 the other key is given the meaning 1. So, for simplicity we can say the key that is associated with 0 we call it as left key and the other key is called as the right key right. So, they are identical that means that if I would have associated the meaning right and then you do not know anything about it and I give you just 1 key out of those 2 you will not be able to tell apart which bit value it corresponds to whether it corresponds to 0 or it corresponds to 1 that you will not be able to tell apart. So, we do that with everywhere in the circuit we do it with this we do it with this wire, this wire and this wire that is it. So, we are done with gaveling the wares. Next we have to gavel the gates. So, for that we will associate 4 boxes with every gate. So, let us start with this gate. So, we have associated 4 gates corresponding to 4 rows of the truth table. Now, in the first box. So, the first box corresponds to the first row. So, we basically want to encode the output of that row in this encoder lock in this box. So, look at this row. So, the output is 0. So, we want to hide the left key or the output where in the first box. The second row the output is 0. So, we are again going to put the left key or the output where in this and same for the third row, but for the last one the output is 1. So, we will put the right key of the output where in the last box. Then we are going to lock this boxes. Now each of this box will be locked with 2 keys. Now which keys we are going to use to lock these boxes is very interesting. So, the first box is locked with the left key of the input where A and the left key of the input where B. So, what we want to capture here is that if someone has 0 and 0 on these 2 wares, then he should be able to open this box and similarly for the other boxes. So, if someone has left key for A and the right key for B, then he should be able to open this box. So, this box we are going to lock with left key of A and the right key of B. So, this is how I. So, these 2 keys are used to lock the first box, then the left key and the right key here is used to lock the second box, then the right key on A and the left key on B is used to lock the third box and lastly the right key on A and B are used to lock the last box. So, you see the intention. So, if someone has this 2 keys that means it has 1 and 1, then he should be able to open this box and in this box we have kept the key which corresponds to 1 in the output where. So, he will be getting that particular key. So, that is the intuition that we capture here and in a very similar way you would construct 4 locked boxes, doubly locked boxes for the second gate and then we are done and this is what. So, the pack of 4 boxes for every gate if you put together all such 4 boxes what you get is the garble circuit. So, my garble circuit means the set of these 4 boxes for every gate in the circuit. So, we have seen how to evaluate a circuit on clear. We will now see how we can evaluate a garble circuit. So, this is the garble circuit on encoder input. So, let us take the same example. So, let us say you want to evaluate this circuit with 0 on the wire A. The encoding of that input here will be nothing but the left key corresponding to wire A. So, why do I say that this is an encoding because by seeing this key as I said that they are identical looking. So, for everywhere we have associated 2 identical looking keys. So, just by seeing this key, you can see that this is the circuit. No one will be able to tell apart whether it corresponds to 0 or 1. So, in the right side we are doing a garble circuit evaluation whereas, on the left side we are doing evaluation of a circuit on clear. So, given 0 here you get the left key, then if your input where B takes value 1 there, then you will be giving out the right key here. Similarly, if C has got the value 0, then here you are going to give the evaluator a left key. Now, with these 2 keys the evaluator of the garble circuit is going to do the following. So, he has got 2 keys with that he is going to try to open the 4 boxes that are available to him. And definitely 1 box will open and which one is that? So, if it is 0 and 0, these 2 keys correspond to 0 and 1 respectively, then basically the evaluator can open the second box. So, he will open the second box and inside he will find a key and that key he will associate with the output wire of that gate. So, he got this key. Now, he has got both the keys for the input wires of this gate with that he is again going to try out and try to open the 4 boxes corresponding to this gate. So, going back. So, this is basically you can see that this is this part of it is actually simulating as if on the clear as if you have 0 and 1 and you have looked at the table and you have got the value 0 here. And then now coming back to this domain. So, now you are again trying to open and you will be able to open the first box and then you will get the left key. This is same as if in the clear wall they are looking at the table and then they have got the output bit 0. But here you have got just the key. So, by seeing the key you would not know whether it correspond to 0 or 1. So, we need to give out some information which we call as the decoding information. Once we give that then this guy who is evaluating this will be able to tell what output he has got. So, the decoding information can be nothing but the 2 keys that you had associated with the output wire. So, if I give this 2 keys then this guy can check whether this key is equal to this or this and then based on that he would know whether it is 0 or 1. But that is all he is going to know. So, by comparing he would finally get to know whether it is 0 or not. So, do you think everything is here I am able to gobble and I am able to satisfy the goal that we had set that is nothing beyond the output is linked. Do you find some problem in it? So, I have how? So, how do you get to know the intermediate gate values exactly. So, right now I have not done anything with the boxes. So, the boxes are as per the truth table. So, let us say you have got some key here and some key here and with that you have opened let us say the second box. Then you can tell apart I mean you can easily you know that this box actually corresponds to the second row which means the key that you have got here is definitely the left key and the key that you have got over here is the right key and the key that you have got here by opening this is the left key corresponding to the output wire. So, you need to do something. So, the solution is that we just need to do suckling random suckling of the boxes the lock boxes that you have created. So, once you create the four lock boxes you just suffer it you randomly permute the boxes right and then the after suckling what you get that is actually called your gubble circuit. So, this four suffered ciphertext boxes corresponding to the gates gives you your gubble circuit. So, then you cannot tell the meaning of the input keys or the output keys that you have got. So, so far so good. So, now I am going to replace the physical keys and boxes with cryptographic mechanisms. So, what we are going to use is a symmetric key encryption or SKE which has three algorithms gen the key generation algorithm which is represented by G and then encryption algorithm which is represented by E and then we have the decryption algorithm which is represented by D. So, this is what we are going to do. So, instead of picking two physical keys you are going to pick two random keys, two keys uniformly at random from the key space of this secret key encryption and that you are going to associate with your let us say the first way and this you keep on doing for all the ways in your circuit. So, that is the first thing associate two random looking keys to keys uniformly random from the key space of the secret key encryption. So, we do this with the second wire and so on and so forth fine. Now, you know how the doubly locked boxes would look like. So, again we will have four ciphertext corresponding to the four rows of the truth table. The first ciphertext we are going to encrypt the left key because 0 is the output here using the left key of A and the left key of B right double encryption. Then in the second encryption we are going to hide K3 of 0 again by this time with the left key of A and the right key of B. Then for the third ciphertext we are going to hide again K3 of 0 because 0 is the output here and this time we are encrypting it using the right key on A and the left key on B. And the last ciphertext will hide the right key which is K3 of 1 using the right key and the right key on A and B respectively. So, this is how we are going to create the four ciphertext and as we have mentioned we have to suffer it. And finally, what you get is four ciphertext, but you do not know which ciphertext has gone where. In a similar way you have to construct four ciphertext and you suffer it and finally, this pack of four ciphertext for every gate gives you the garble circuit. So, again let us do the evaluation on clear in the left and in the garble domain in the right side. So, you have 0 here the corresponding to that the evaluator of a garble circuit would be given the left key of A. You have 1 here on B. So, the evaluator in this domain gets the right key. Here a c takes value 0. So, here you are going to give the left key. Now, in this domain you can see that. So, now with these two keys again you have to do some trial and error. You are going to try out the decrypting the four ciphertext at hand. Now, something can go wrong here which was not there in the physical key and lock domain. Because there if you would have locked with some particular key that key itself you have to use to open it. If you use some other key that lock is not going to open for you. But something can go wrong here in the secret key domain. So, we have other usually the SKE is the secret key encryptions that we see. If you encrypt some message with a key and later you try to decrypt with a different key it will probably give you something. It of course, it is not the same message that you have encrypted, but something else. But here how do the evaluator know that whether that is what is intended or not. What do you do? So, we need some extra properties from our secret key encryption. So, this is basically the four ciphertext in some order hidden in this four ciphertext. So, this is the format. So, if we have a pair of keys here we do not know which ciphertext to decrypt from this four. So, what we will do is we will try to decrypt all the ciphertext. But what if in all the cases you get something. So, all the decryption gives you some value. So, which value is to go for? And this can be solved by having a special key that secret key encryption which has special correctness property. And this is what actually we need from our SKE. So, we will say that our SKE has the special correctness. If for two distinct keys k1 and k2 encryption under k1 will result in bot when you decrypt under k2. And this happens with overwhelming probability. So, if you encrypt something with key k1 and later try to decrypt it with using some other key k2 then very likely you are going to fail. You will not get any valid message. You will get bot and that way you will get to know that this is probably not the ciphertext that I wanted to decrypt. So, mathematically this is what I want and fortunately we have such SKEs. We can plug those kind of SKEs in and then the problem will be sorted out. So, now we can complete it because now we know that with this pair of keys you are going to open just one box out of those four boxes the rest will not open. With very high probability you will get bot when you try to open other three boxes. So, you know what value to go forward with. So, that way you get this key k3 0 and with these two keys again you will try out all possibilities, but yes. No, so the decryption will give you the key. So, the ciphertext are hiding the it is one of the two keys that you are hiding in those ciphertext. It is not binary. Nothing is coming out from the domain of the messages. So, probably it will be clear when you see an instantiation of such things, but for now you can assume that we have such SKEs where you will know whether the decryption has resulted in the correct decrypted value or not. So, we do not get anything. We can somehow detect that the encryption has been done using some other key. You can detect that. You have no idea about these things. You are going to get it by decrypting these things. So, you cannot verify that. All you get is the four things. These four ciphertexts for every gate. So, done. So, finally, in order to decrypt the output value, in order to know the final output, we have to give the decoding information and the decoding information is nothing but the pair of keys that you had associated with the your output where. In this case, these are two keys. So, once you get this key, then you can check which key it is and then you can find out that this key actually corresponds to zero, which means that your circuit output is zero. So, do you see that we have already kind of achieved what we aimed for? That we want to encode a circuit and then we want to encode its input and we want to evaluate the encoded or the garbled circuit using encoded input and finally, we will get the encoded output and by giving out the decoding information, all I enable the garbled circuit evaluator is to get the final output value and nothing else. So, the input information remains secret, none of the intermediate gate output values are leaked, only the final thing is leaked, the final output is leaked. So, to ensure that so we need some security property from the underlying secret key encryption. For instance, so we want that a bad evaluator should have no information about what the three unopened ciphertexts contain. So, he will be able to open one of those four ciphertexts. So, remaining three unopened ones should not give any information, I mean what value they contain, what values are hidden in those three ciphertexts should not be leaked to the evaluator. For instance, if he can guess, for instance that the three unopened ciphertexts encrypts the same value. So, he does not actually need to know what exactly is encrypted in those unopened ones, if he can somehow guess that they are same, that itself is enough to leak a lot of information. So, think of an AND gate and let us say that the evaluator has opened the box corresponding to the right key of the output wire. So, the three remaining unopened ones, they would have encrypted the left key. So, if he can somehow guess that those three unopened ones contains the same thing, that itself is enough to tell him the meaning of the key that he has got. He definitely knows that for an AND gate in three of the ciphertexts, it will be the left key, which will be encrypted in the last one, it will be the right key. So, if he has got the right, so whatever he gets is basically the right key meaning that it has the meaning 1. You are even fresh randomness. Yes, taking randomness is yeah, that is true, but so I am not, but if you have a good enough machine, a laptop, I think this is not a bad thing to do. So, basically this is something that we want to prevent the bad evaluator to do, that is he should not be able to even guess whether the remaining three unopened ciphertexts contain the same message or not, even that should not be allowed. So, this is captured by introducing a game. So, if you are not familiar with the language of experiment or games for defining security, you can skip this part, but you probably have got the intuitive idea that I have explained so far. So, basically what we want is that the adversary who is the bad evaluator here. So, he knows two of the keys for each where. So, we allow the adversary here to pick two keys k 0 and k 1. These two keys basically signifies the two keys that he would know. For instance, for this where he would know this key and this key. So, he gets to, that is why he gets to pick those keys, adversary. So, he gives those keys to the challenger and he also gives two pairs of three messages. So, this actually corresponds to the three messages corresponding to the unopened ciphertext. Now, this challenger is going to pick two keys which he is going to keep it with himself. He is not going to leak it to the adversary and these two keys actually correspond to the two keys. For instance, here this one and this one which the adversary has no information about. Now, this challenger is going to pick a bit that will tell him that which three messages he is going to encrypt and give a challenge to the adversary. So, if the beat is 0, then he is going to pick this three message. If beat is 1, then he is going to pick this three message and then he is going to create three ciphertext in the following way. The first ciphertext encrypts x p using k 0 from here and k 1 prime from here. So, notice that one key is known to him, the other key is not known to him because it is picked by the challenger. The second one is created this way. So, here this key is the unknown one and this key is the known one and the last one is encrypting the third message which is z v. But this time the both the keys are actually unknown to the adversary. Do you see that this three ciphertext actually correspond to the three unopened ciphertext? Because for the three unopened ciphertext here, the adversary will be missing either one key or both keys. So, that exactly is captured here. So, now if I create if the challenger creates this three ciphertext and gives it to the adversary and if the adversary is not able to tell apart whether the challenger has picked this set of three messages to encrypt or this set of three messages to encrypt here, then we should be fine. Because what it captures is that even though the adversary who is actually a bad evaluator here, even though he gets to know one pair of keys which is this, let us say this and this and he does not know the other pair. He has no way of telling apart whether two sets of messages or I mean which out of these two sets of messages are encrypted. Where notice that these two sets are also picked by the adversary. We give the adversary to choose the three messages, I mean the pair of three messages from which we want to encrypt, still he is not able to tell apart. It is very strong property. So, we call it as, so if no polynomial time adversary is able to win in this game, meaning that he is able to correctly guess the bit B that is which set of three messages are picked and they are encrypted in this three ciphertext, then we say that we are fine meaning that our scheme is fine. So, if for a secret key encryption there exists no PPT adversary which can guess this bit with probability which is exponentially I mean which is overwhelmingly more than half of course with half probability anyone can guess it, it is just a bit. So, anyone can you do not need any fancy mechanism you just can guess a flip a coin and you can answer it you will be right with half probability. So, the thing is that if there is no PPT adversary who can win this game with probability which is overwhelmingly more than half then we are fine. And we say that that the secret key encryption has this property called chosen double ciphertext security. So, basically yeah oh chosen yeah you are right I think yeah this is yeah chosen double plaintext security. So, finally this is what we want. So, we want a secret symmetry or secret key encryption SKD with special correctness and chosen double plaintext security. In fact, it has been shown that this particular security can be obtained from a CPS security. So, if your scheme satisfies CPS security then it also satisfies this notion good. So, that is it. So, we have seen how to gubble a circuit and how to evaluate a gubble circuit on encoded input and how to get an encoded output at the end and how by giving a decoding information we can just leak the output and nothing else. So, with that we are ready to discuss the Yao's two-party computation protocol, but before that we need another primitive which is called oblivious transfer. So, we are going to take it as a black box I am going to just define it in a very simple way and then in tomorrow's lecture we are going to elaborate on this particular primitive. So, in oblivious transfer primitive you have two parties a sender and the receiver. In this basic form the sender has two inputs let us say M0 and M1 and the receiver has a bit R which indicates which out of these two messages he wants. So, this indicates which out of these two messages he wants. So, if it is a bit right. So, if it is 0 then that means that he wants we can call it as M0 and M1. So, if it is 0 that means that he wants M0 and if this bit is 1 that means that he wants M1. Now, the oblivious transfer protocol allows the sender to send the message of receiver's choice while hiding the input of the choice bit of the receiver on one hand and hiding the other message of the sender on the other. So, this guy will not know what R is and on the other hand the receiver will not know what M minus M of 1 minus R is. So, his choice is MR and that is all he will know he will have no information about the other message of the sender. So, this is what oblivious transfer does. So, we are going to represent the oblivious transfer with this box which has two input ports in the left for the sender. So, the sender can input two messages here oops sorry. So, this is this arrow will be the other way around. So, and then it has one input port here where the receiver can input its bit and it has an output port here through which the output that is the chosen input of the receiver will come out. So, you can think the oblivious transfer as this box simple box. So, we are going to use this primitive for Yau's two-party computation protocol. So, in Yau's two-party computation protocol as the name suggests we have two parties P0 and P1. One party is going to act as garble circuit constructor. So, one guy will construct the garble circuit whereas, the other guy he is going to evaluate that circuit. So, he is going to act as the garble circuit evaluator. So, the first guy has input let us say X and the second guy has input Y and at the end they would like to compute f of X, Y. So, first let us take a very simple example. So, what they want to compute is an AND gate let us say. So, that this X is P0's input and Y is P1's input and they want to find out what is X dot Y the product of the two bits that is all they want to find out. So, let us discuss this first and then we can generalize to it for any general function f. So, let us take this interesting evaluation where P0's input is actually 0 which means that X takes 0 value and Y also takes 0 value that means that at the end they will have 0 as the output. Since the first guy has 0 and at the end he will get 0 right. So, he should have no information about the input of the other guy because if his input is 0 no matter what input P1 has whether it is 0 or 1 the output should be 0. So, just by seeing the output he should not know anything about the input of P1 and the same holds for P12 because P1's input is 0 2 right. So, if P1 also has 0 as the input he should not know whether the input of P0 is 0 or 1. So, when you discuss the protocol we will see that these properties are they hold good. Since, so this is the AND function and then they together want to compute it fine. So, and this guy acts as the gubbler circuit constructor. So, what he does is he takes the circuit which is nothing but a plane AND gate here in this case and remember how the gubbling works. So, you have to associate a pair of identical looking keys with everywhere and with the help of the keys we are going to create four ciphertext right. So, those four ciphertext and then you do suffling and all that is there. Now finally, this is what you get four ciphertext. Now the gubbler circuit construction is done. Now he is going to send the following to the other party. So, he is going to send the gubbler circuit which is nothing but this pack of four ciphertext right and plus the decoding information which will allow this guy to learn the function output and the decoding information is nothing but the pair of output keys in this case. Now since this guy is acting as the gubbler circuit evaluator he needs to know the encoded inputs. In this case it will be the key corresponding to 0 which is this guy's input and also the key corresponding to 0 for the where y right. So, when he gets both the keys only then he can start evaluating. He will have the encoded full encoded input and only then he can start evaluating. So, since this guy has gubbled himself he has constructed the gubbler circuit himself and he wants to evaluate this gate on 0 right. He knows which key to send. So, for this where he would simply send this key because this is the one which corresponds to 0 and this is the encoded input of the 0. So, he is going to send k1 of 0 the left key on this where because that corresponds to 0. Now how does so in order to start evaluating as I said this guy has to get the key corresponding to 0 to corresponding to where y here. How does he get? He cannot simply give his input to this guy right then it reveals the input. So, what do we do? Do you have any suggestion? Oblivious transfer. So, we are going to use one oblivious transfer where the gubbler circuit constructor that is P 0 is going to input these two keys and this guy is going to input the arrows are in the wrong order. So, he is going to input the his input 0 as the choice bit and correspondingly he will get the key corresponding to his input. So, in this case since his input is 0 he is going to get the left key right. So, he puts 0 here and then he will get the left key. So, he has got the left key on this where and he has also got the left key from here of course he does not know whether they are left or right right. So, he has got this one and just by seeing this he will not know what bit it corresponds to that comes from the fact that the keys are identical looking and for this so for this he even knows. So, find now with these two keys he goes ahead and he evaluates the circuit and then one of the boxes will open because of the special correctness property and then you are going to get K 3 0. He is going to get K 3 0. Now, he has got the decoding information. So, he uses that and then he finds out the meaning which is that means that the output is actually 0 because this one matches with this key and that is it he sends back the output to the this guy and then you can see that this person will also not know about the input of this of P 1 P 1 and why is that do you know the reason why P 0 will not know anything about the input of P 1 what prevents him from getting that information comes from the security of the oblivious transfer right. So, oblivious transfer ensures that the sender so this guy is acting as a sender for this oblivious transfer he will have absolutely no information about the choice bit of the receiver. So, the choice bit here is nothing but the input of P 1. So, it comes from the security of the oblivious transfer. Right. So, that is a very interesting question. So, what I say is that in 2 PC you will get to know the output and all that is implied from the output. So, in this case it is implied from the output if your input is 1 and you get 0 as the output the output itself implies that the other guy's input is 0. So, that is not a yeah. So, the function output itself if it leaks something that we cannot prevent even by having a protocol. So, that is it. So, that is the specific instantiation for a particular function which is the and function you can easily generalize it for any function that you want. So, now this guy can have a long input which consists of let us say k bits and similarly here k bits and the function is known. So, this guy construct a garble circuit for this big circuit and then he sends the garble circuit plus the decoding information and along with that he also sends the keys for his input. Right. And then they run a set of k OTs in this case it is k because the number of input bits of p1 is k. So, we run k OTs and then this guy will get the corresponding keys corresponding to his input bits and that is it with that he will evaluate the garble circuit, decode it, get the output finally he sends across the final output back to the garble circuit constructor and both of them now knows the function output that is it. So, we are almost there. So, I just want to tell you something about some recent progresses that has been done in the context of garbling. So, first of all there is a very nice technique which is called point and permute right which removes the need of this special correctness property that we wanted from our SKE. So, it is a very simple and clean trick which you can use and once you use that trick you actually no longer need that special correctness property any CPS secure encryption scheme will be fine. And also with this technique you do not need to go and try out decrypting all the four ciphertext. It will actually point you to a particular ciphertext without leaking all that we have discussed and you can just decrypt that particular ciphertext and go ahead with the decrypted key. Then there had been lot of interest in bringing down the number of ciphertext corresponding to the garble circuits because as you garble gates. So, as you have seen in the Yao's two party protocol you basically have to send across the entire garble circuit to the other guy. So, if you can reduce the number of ciphertext that you need to garble a gate then it will be very good. For instance if you can probably garble with two ciphertext right. So, that will bring down the communication cost by huge amount by half for instance. So, these techniques are called garble row reduction. So, we had so long back we had a procedure that can give that can garble a and gate using three ciphertext instead of four. Then there are very interesting set of works which actually tells us how to garble and gates with two ciphertext instead of four. And it has been also proved that two is kind of the minimum that you can achieve. So, you cannot go beyond two. Then actually instead of so the ciphertext are actually k bit long at least where k is the security parameter. We can break that bound and we can actually do with four bits to garble and gate. But this is for a specific class of circuits. So, these are called formulaic circuits where the fan out of every gate is one. So, a particular gate output any gate output cannot go to multiple gate input. It cannot act as input to many gates. So, that is the restriction you have. If you have that kind of circuit then you can actually garble a gate with just four bits. And then we have result which says that you actually do not need any ciphertext to garble a gate. You can do with zero bits, but there are some restrictions. So, first of all this also applies to formulaic circuits. And secondly, so the technique that I have discussed so far there we assume that the keys are of equal length. So, they are of size which is security parameter. Yeah, almost yes. So, there will be some small differences, but yes. And here the second thing is that the key length will be dependent on the circuit depth. Right now what we discussed it is independent of the circuit depth. So, everywhere for all ways we are choosing keys which are of length the security parameter. Then we have techniques for improving the XOR gates. So, these are very special kind of gates. So, we have technique which we call as free XOR flexor. So, the motivation here is to garble the XOR gates with zero ciphertext. And also the cost of garbling as well as cost of evaluating will be zero in the sense that you will not need any cryptographic operations. All you need is some bit XORs which are very cheap. No, but then this is if it is an intermediate gate then some intuition it is a special kind of gate we exploit that and then it can be done with zero ciphertext. And then you do not need any cryptographic operation it can be done with just plain XOR operations which are very, very cheap. And lastly these are some very interesting paper that came up in 2012. So, that elevated the garble circuit from technique to primitive. Then they define very nice set of features which we call as privacy, obliviousness, authenticity and verifiability. And since then people have started working on garble circuits alone. So, irrespective of the application. So, they try to give new garble circuits which of course would try to optimize in terms of the number of ciphertext or computation of garbler and the constructor and so on and so forth. Then we have seen some very interesting application of garble circuits in the domain of for instance zero knowledge then outsourcing computation. So, we have already seen how garble circuit can be used for two-party computation and also multi-party computation. So, these are apart from that. So, we see that garble circuit can also be used in zero knowledge and outsourcing of computation. So, for zero knowledge specifically and also for outsourcing of computation we can actually do with special kind of garble circuits which are called privacy free garble circuits. So, basically here you would know the meaning of the keys. What we want to hide is the key which you are not supposed to get in the output where. So, let us say you have some inputs and at the end you are supposed to get one key. So, this is privacy free, but it has this authenticity property which means that you should not know the other key meaning that which corresponds to the other bit I mean which you are not supposed to get. So, you have got one particular keys corresponding to one input. You should get the output key which corresponds to that output alone. You should not be able to get the other thing. So, that is all and yeah. So, we are actually running a very interesting study group or reading group just on garbling. If you are interested stay tuned to this page. So, you will find lot of interesting references which are relevant to garbling. So, if you want you can follow and yeah that is it and I just want to update about update you about some of the recent things that we have done just in one line. So, we have got something which is very interesting which we. So, if we are given a form like circuits and we want to construct circuits which are privacy free that means we need only authenticity. We saw that how we can do with zero ciphertext. So, basically our garble circuit is a null spring. We do not have anything. It is very interesting. And we also studied zero knowledge from garble circuits. We basically we studied the round complexity of zero knowledge. So, these are all works that are under submission and not elaborate much. And we also have constructed some non-interactive secure computation from garble circuits. So, that is all I wanted to say and it is fine right. Thank you. So, I am just I want to say that I am totally exhausted. I got up at 4 in the morning and then I have a very small kid. So, I could not even sleep in the last night and I am still awake. I am just surprised that I am still awake. You can probably catch. So, all the authors the works that I have mentioned in my previous slides. So, all the authors are here. So, Pratik Yas and Divya. So, they are yeah. So, they are all working on garbling. So, if you want to know more about garbling you should catch one of us. Yeah, they are some of them are here for the workshop. Maybe this is I do not know. This is too late for them. I do not know. Anyway. So, if you have questions you can still ask me. I think I will be fine since I have. Yeah. So, basically you will be able to. So, when you run the recording algorithm you will know that nothing is coming out of it. So, you will not get any. What basically represents that you will not get any. But, like you said, the point is of you know. Yeah. Which piece that you will need. So, that is the way to go. So, we already know and taking where you can bypass the need of the special characters. You just need any escape that is the security. Is there any. Is there range which can be. The range is not in between the same. No, nothing of such kind is need now. So, any escape that has security is good enough for us. With that point and for the. Which I have not. So, the point and for new technique. So, as you say that there is maybe some technique that will point you to one particular cyber tech which we need to. But, what prevents an active adversary from checking all the decryption. So, that would be something for passive guarantees. So, what I mean to say is a point and for new only is for passive security. Right. So, no, no, no. So, the point and target technique will allow you to go and find out the particular cyber tech that you need to open. So, you have one pair of keys right. So, anyway you cannot open the other three. I can try to open. You can try, but you know that you are not getting anything. That's one of the keys. But, even if passive. Doing other things are regular. Here is the passive. It's important to consider that you can get something by doing decryption we are not asked to do. For instance, it just makes it more efficient to. And one more question. It is the double cyber tech security. So, does it. So, as you said like from a CBA we can compile that to a double CPS security. We can prove that. If a scheme has CPS security then the scheme also has. Yeah. So, does it hold for symmetric inclusion in general for all public equipments also? So, this is at least this has been proven in the context of SK. I am not sure if it has been. So, there was first of all no need of doing that. So, I don't think anyone has ever tried. Because we need SK for the double circuit. So, people have tried to.