jaseg/phd-thesis
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

SMPC: Add Yao's GC section

Browse source
This commit is contained in:
jaseg 2025-08-14 14:52:19 +02:00
parent 6dc1c0d8ff
commit 3a9457e5bf
3 changed files with 108 additions and 17 deletions
Download patch file Download diff file Expand all files Collapse all files

2
chapter-qkd/figures/ihsm-secondary-mesh

@ -1 +1 @@
Subproject commit 3a7edbd1127cacc8f4c90376595b894105f3d479
Subproject commit 601159904f4269366e29d85c2e90cbf000157f4f

39
chapter-smpc/chapter.tex
View file

@ -80,7 +80,7 @@ such as AES or hash functions such as the SHA-2 series. Secret Sharing-based tec
arithmetic circuit made from components such as arithmetic operations. While they can also work in binary, they often
support operations on larger finite fields. Secret sharing-based techniques are efficient processing integer numbers,
but can have higher overhead in processing using many bitwise operations such as ciphers or cryptographic hash
functions.
functions\cite{evansPragmaticIntroductionSecure}.
\subsection{Security Models in MPC}
@ -104,6 +104,43 @@ side-channel leakage is a concern.
\subsection{Boolean MPC}
% Yao's Garbled Circuits
Yao's Garbled Circuits (GC) protocol is one of the oldest Multiparty Computation protocols, dating back to the 1980ies.
In Yao's GC, two parties jointly compute a function that is represented as a circuit of binary logic gates by evaluating
the circuit gate by gate. In Yao's GC, one party, generator, creates a random \emph{garbled} representation of the
circuit and sends it to the other party, the evaluator, who computes its output. The core idea in Yao's GC is that every
wire $w_i$ in the circuit is assigned two random cryptographic secret keys $w_i^b$, called wire labels, one $w_i^0$ for
the logical value $0$ and one $w_i^1$ for the value $1$. The mapping from logic values to these keys is assigned
randomly by the generator, and unknown to the evaluator~\cite{
yaoHowGenerateExchange1986,
beaverComplexitySecureProtocols1990
}.
Gates are represented in Yao's GC as truth tables with one row for every combination of input wire values. Each row of
these truth tables contains the output wire label (i.e. secret key) corresponding to the gate's logical output value for
the row's combination of input values. The output wire label in each row is encrypted with \emph{both} input wire labels
corresponding to this row as keys.
The generator must indicate to the evaluator which row of a gate's truth table to decrypt, while also avoiding leaking
the logical value of the output wire to the evaluator. This is commonly done in a technique called
\emph{point-and-permute} where a random pointer bit $p_i^b$ is appended to each wire $w_i^b$ label such that $p_i^b =
\neg p_i^{\neg b}$. The rows in the gate's truth table are ordered according to the combination of the two input wire
labels' pointer bits. When the evaluator obtains the two input wire labels, they obtain their pointer bits, which
combined are the index of the row to decrypt in the following gate's truth table.
It is clear how the protocol described above can be used to compute any binary circuit, but there are two questions
remaining: How do the two parties provide input into the circuit, and how do they decode the circuit's output? Output is
handled in Yao's GC by creating an output decoding table for every output wire of the circuit. The output decoding table
contains two rows, one for a logical $0$ output value and one for a logical $1$ output value. Each row contains the hash
of the output wire's label corresponding to the row's logical output value. This way, the evaluator can identify the
logical value knowing the output wire label, but is unable to deduce the output wire label from the output decoding
table.
Inputs are a bit more difficult to handle. While the generator can easily provide secret inputs by simply providing the
evaluator with the input wire labels corresponding to its input, inputs from the evaluator require oblivious transfer to
avoid leaking the evaluator's input to the generator. To input the logic bit $b$ on wire $w_i$, the generator and the
evaluator perform an 1-out-of-2 oblivious transfer with the generator assuming the Sender role and providing the two
input wire labels $w_i^0$ and $w_i^1$ as the two choices, and the evaluator submitting its chosen input bit $b$ as the
OT's choice bit.
\subsection{Arithmetic MPC}
% BGW

84
main.bib
View file

@ -278,7 +278,7 @@
isbn = {978-1-4503-4139-4}
}
@inproceedings{arpPrivacyThreatsUltrasonic2017,
@inproceedings{arpPrivacyThreatsUltrasonic2017a,
title = {Privacy {{Threats}} through {{Ultrasonic Side Channels}} on {{Mobile Devices}}},
booktitle = {2017 {{IEEE European Symposium}} on {{Security}} and {{Privacy}} ({{EuroS}}\&{{P}})},
author = {Arp, Daniel and Quiring, Erwin and Wressnegger, Christian and Rieck, Konrad},
@ -548,6 +548,24 @@
isbn = {0-340-64580-6}
}
@inproceedings{beaverComplexitySecureProtocols1990,
title = {The Round Complexity of Secure Protocols},
booktitle = {Proceedings of the Twenty-Second Annual {{ACM}} Symposium on {{Theory}} of Computing - {{STOC}} '90},
author = {Beaver, D. and Micali, S. and Rogaway, P.},
date = {1990},
pages = {503--513},
publisher = {ACM Press},
location = {Baltimore, Maryland, United States},
doi = {10.1145/100216.100287},
url = {http://portal.acm.org/citation.cfm?doid=100216.100287},
urldate = {2025-08-14},
abstract = {In a network of n players, each player i having private input zi, we show how the players can collaboratively evaluate a function f(zl, ..., zn) in a way that does not compromise the privacy of the players' inputs, and yet requires only a constant number of rounds of interaction.},
eventtitle = {The Twenty-Second Annual {{ACM}} Symposium},
isbn = {978-0-89791-361-4},
langid = {english},
file = {/home/jaseg/Zotero/storage/YAIBCBYY/Beaver et al. - 1990 - The round complexity of secure protocols.pdf}
}
@inproceedings{beckFuzzyMessageDetection2021,
title = {Fuzzy {{Message Detection}}},
booktitle = {Proceedings of the 2021 {{ACM SIGSAC Conference}} on {{Computer}} and {{Communications Security}}},
@ -1385,7 +1403,7 @@
file = {/home/jaseg/Sync/Research/Zotero/Couteau et al_2021_Silver.pdf}
}
@article{cuellarStaticFatigueLifetime1987a,
@article{cuellarStaticFatigueLifetime1987,
title = {Static Fatigue Lifetime of Optical Fibers in Bending},
author = {Cuellar, E. and Roberts, D. and Middleman, L.},
date = {1987-01-01},
@ -2233,10 +2251,11 @@
file = {/home/jaseg/Zotero/storage/PSGQDYRQ/Grisafi et al. - PISTIS Trusted Computing Architecture for Low-end.pdf}
}
@article{GrobkonzeptEPAFuer2023,
@standard{GrobkonzeptEPAFuer2023,
title = {Grobkonzept ePA für alle},
date = {2023-12-13},
langid = {ngerman},
version = {1.0.0},
file = {/home/jaseg/Zotero/storage/XRXV6BY6/Grobkonzept ePA für alle.pdf}
}
@ -2703,16 +2722,16 @@
@online{IEEEXploreFullTexta,
title = {{{IEEE Xplore Full-Text PDF}}:},
url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8558378},
url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6520632},
urldate = {2024-09-10},
file = {/home/jaseg/Zotero/storage/HJJK32NF/stamp.html}
file = {/home/jaseg/Zotero/storage/PQYCW7K7/stamp.html}
}
@online{IEEEXploreFullTextb,
title = {{{IEEE Xplore Full-Text PDF}}:},
url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=6520632},
url = {https://ieeexplore.ieee.org/stamp/stamp.jsp?arnumber=8558378},
urldate = {2024-09-10},
file = {/home/jaseg/Zotero/storage/PQYCW7K7/stamp.html}
file = {/home/jaseg/Zotero/storage/HJJK32NF/stamp.html}
}
@www{ika2002,
@ -3380,11 +3399,11 @@
issn = {2511-9044, 2511-9044},
doi = {10.1002/qute.201800011},
url = {http://arxiv.org/abs/1703.09278},
urldate = {2024-05-02},
urldate = {2024-05-27},
abstract = {Quantum key distribution using weak coherent states and homodyne detection is a promising candidate for practical quantum-cryptographic implementations due to its compatibility with existing telecom equipment and high detection efficiencies. However, despite the actual simplicity of the protocol, the security analysis of this method is rather involved compared to discrete-variable QKD. In this article we review the theoretical foundations of continuous-variable quantum key distribution (CV-QKD) with Gaussian modulation and rederive the essential relations from scratch in a pedagogical way. The aim of this paper is to be as comprehensive and self-contained as possible in order to be well intelligible even for readers with little pre-knowledge on the subject. Although the present article is a theoretical discussion of CV-QKD, its focus lies on practical implementations, taking into account various kinds of hardware imperfections and suggesting practical methods to perform the security analysis subsequent to the key exchange. Apart from a review of well known results, this manuscript presents a set of new original noise models which are helpful to get an estimate of how well a given set of hardware will perform in practice.},
langid = {english},
keywords = {Quantum Physics},
file = {/home/jaseg/Zotero/storage/A2BQHUUW/Laudenbach et al. - 2018 - Continuous-Variable Quantum Key Distribution with .pdf}
file = {/home/jaseg/Zotero/storage/I7UL2SKX/Laudenbach et al. - 2018 - Continuous-Variable Quantum Key Distribution with .pdf}
}
@article{laudenbachContinuousVariableQuantumKey2018a,
@ -3402,11 +3421,11 @@
issn = {2511-9044, 2511-9044},
doi = {10.1002/qute.201800011},
url = {http://arxiv.org/abs/1703.09278},
urldate = {2024-05-27},
urldate = {2024-05-02},
abstract = {Quantum key distribution using weak coherent states and homodyne detection is a promising candidate for practical quantum-cryptographic implementations due to its compatibility with existing telecom equipment and high detection efficiencies. However, despite the actual simplicity of the protocol, the security analysis of this method is rather involved compared to discrete-variable QKD. In this article we review the theoretical foundations of continuous-variable quantum key distribution (CV-QKD) with Gaussian modulation and rederive the essential relations from scratch in a pedagogical way. The aim of this paper is to be as comprehensive and self-contained as possible in order to be well intelligible even for readers with little pre-knowledge on the subject. Although the present article is a theoretical discussion of CV-QKD, its focus lies on practical implementations, taking into account various kinds of hardware imperfections and suggesting practical methods to perform the security analysis subsequent to the key exchange. Apart from a review of well known results, this manuscript presents a set of new original noise models which are helpful to get an estimate of how well a given set of hardware will perform in practice.},
langid = {english},
keywords = {Quantum Physics},
file = {/home/jaseg/Zotero/storage/I7UL2SKX/Laudenbach et al. - 2018 - Continuous-Variable Quantum Key Distribution with .pdf}
file = {/home/jaseg/Zotero/storage/A2BQHUUW/Laudenbach et al. - 2018 - Continuous-Variable Quantum Key Distribution with .pdf}
}
@article{laudenbachContinuousVariableQuantumKey2018b,
@ -3490,7 +3509,7 @@
file = {/home/jaseg/Zotero/storage/QSDA9K48/Hall - (72) Inventors Alan Henry Leek, Frisco, TX (US);.pdf}
}
@article{leePrintedSpiralWinding2011,
@article{leePrintedSpiralWinding2011a,
title = {Printed {{Spiral Winding Inductor With Wide Frequency Bandwidth}}},
author = {Lee, Chi Kwan and Su, Y. P. and Ron Hui, S. Y.},
date = {2011-10},
@ -3692,7 +3711,7 @@
file = {/home/jaseg/Zotero/storage/WBSKAYAN/Long et al. - 2024 - EM Eye Characterizing Electromagnetic Side-channe.pdf}
}
@article{lopeFirstSelfresonantFrequency2021,
@article{lopeFirstSelfResonant2021,
title = {First Selfresonant Frequency of Power Inductors Based on Approximated Corrected Stray Capacitances},
author = {Lope, Ignacio and Carretero, Claudio and Acero, Jesus},
date = {2021-02},
@ -4880,7 +4899,18 @@
file = {/home/jaseg/Zotero/storage/CCJFZZ34/Paving the Way to Full Security in eHealth Ensur.pdf}
}
@misc{pcisecuritystandardscouncilPaymentCardIndustry2021,
@standard{pcisecuritystandardscouncilPaymentCardIndustry2021,
title = {Payment {{Card Industry PIN Transaction Security Hardware Security Module Modular Security Requirements}}},
author = {{PCI Security Standards Council}},
date = {2021-12},
url = {https://docs-prv.pcisecuritystandards.org/PTS/Standard/PCI_HSM_Security_Requirements_v4.pdf},
urldate = {2025-04-08},
abstract = {HSMs (Hardware Security Modules) play a critical role in helping to ensure the confidentiality and/or data integrity of financial transactions. Therefore, to help engender trust in the legitimacy of the financial transactions being supported, it is imperative that HSMs are appropriately secure during their entire lifecycle. This includes manufacturing, shipment, use, and decommissioning. The purpose of this document is to provide guidance and direction for appropriately designing HSMs to meet the security needs of the financial payments industry, and for protecting those HSMs up to the point of initial deployment. Other security requirements apply at the point of deployment for the management of HSMs involved with financial payments industry. This document provides vendors with a list of all the security requirements against which their products will be evaluated in order to obtain Payment Card Industry (PCI) PIN Transaction Security (PTS) Hardware Security Module (HSM) device approval. HSMs may support a variety of payment-processing and cardholder-authentication applications and processes. The processes relevant to the full set of requirements outlined in this document are: ▪ PIN processing ▪ 3-D Secure ▪ Card verification ▪ Card production and personalization ▪ EFTPOS ▪ ATM interchange ▪ Cash-card reloading ▪ Data integrity ▪ Chip-card transaction processing ▪ Key generation ▪ Key injection There are many other applications and processes that may utilize general-purpose HSMs, and which may necessitate the adoption of all or a subset of the requirements listed in this document. However, this document does not aim to develop a standard for general-purpose HSMs for use outside of applications such as those listed above that are in support of a variety of payment-processing and cardholder- authentication applications and processes for the financial payments industry.},
version = {4.0},
file = {/home/jaseg/Zotero/storage/CZF34DDM/PCI_HSM_Security_Requirements_v4.pdf}
}
@misc{pcisecuritystandardscouncilPaymentCardIndustry2021a,
title = {Payment {{Card Industry PIN Transaction Security Hardware Security Module Modular Derived Test Requirements}}},
author = {{PCI Security Standards Council}},
date = {2021-12},
@ -5891,6 +5921,14 @@ Archive 2: https://web.archive.org/web/20250510104017/https://de.linkedin.com/pu
file = {/home/jaseg/Sync/Research/Zotero/2021_Sozio et al_Patchable Hardware Security Module (PHaSM) for Extending FPGA Root-of-Trust.pdf;/home/jaseg/Zotero/storage/D5BLNRV7/9707698.html}
}
@standard{SpezifikationFachmodulEPA2023,
title = {Spezifikation Fachmodul ePA},
date = {2023-04-03},
langid = {ngerman},
version = {1.53.0},
file = {/home/jaseg/Zotero/storage/J79W78KS/Spezifikation Fachmodul ePA.pdf}
}
@article{sproHighVoltageInsulationDesign2021,
title = {High-{{Voltage Insulation Design}} of {{Coreless}}, {{Planar PCB Transformers}} for {{Multi-MHz Power Supplies}}},
author = {Spro, Ole Christian and Mauseth, Frank and Peftitsis, Dimosthenis},
@ -6013,7 +6051,7 @@ Archive 2: https://web.archive.org/web/20250510104017/https://de.linkedin.com/pu
file = {/home/jaseg/Zotero/storage/XURXLX9C/Takeoka et al. - 2014 - Fundamental rate-loss tradeoff for optical quantum.pdf}
}
@incollection{TamperResistance2020,
@incollection{TamperResistance2020a,
title = {Tamper {{Resistance}}},
booktitle = {Security {{Engineering}}},
date = {2020},
@ -7007,6 +7045,22 @@ Archive 2: https://web.archive.org/web/20250510104017/https://de.linkedin.com/pu
file = {/home/jaseg/Zotero/storage/9BBJ86AQ/Yang et al. - 2018 - Quantum key distribution network Optimal secret-k.pdf}
}
@inproceedings{yaoHowGenerateExchange1986,
title = {How to Generate and Exchange Secrets},
booktitle = {27th {{Annual Symposium}} on {{Foundations}} of {{Computer Science}} (Sfcs 1986)},
author = {Yao, Andrew Chi-Chih},
date = {1986-10},
pages = {162--167},
issn = {0272-5428},
doi = {10.1109/SFCS.1986.25},
url = {https://ieeexplore.ieee.org/document/4568207},
urldate = {2025-08-14},
abstract = {In this paper we introduce a new tool for controlling the knowledge transfer process in cryptographic protocol design. It is applied to solve a general class of problems which include most of the two-party cryptographic problems in the literature. Specifically, we show how two parties A and B can interactively generate a random integer N = p·q such that its secret, i.e., the prime factors (p, q), is hidden from either party individually but is recoverable jointly if desired. This can be utilized to give a protocol for two parties with private values i and j to compute any polynomially computable functions f(i,j) and g(i,j) with minimal knowledge transfer and a strong fairness property. As a special case, A and B can exchange a pair of secrets sA, sB, e.g. the factorization of an integer and a Hamiltonian circuit in a graph, in such a way that sA becomes computable by B when and only when sB becomes computable by A. All these results are proved assuming only that the problem of factoring large intergers is computationally intractable.},
eventtitle = {27th {{Annual Symposium}} on {{Foundations}} of {{Computer Science}} (Sfcs 1986)},
keywords = {Circuits,Computer science,Cryptographic protocols,Cryptography,History,Knowledge transfer,Polynomials,Privacy,Probability distribution,Turing machines},
file = {/home/jaseg/Zotero/storage/TCEMMDWR/4568207.html}
}
@inproceedings{yetisInvestigationNoiseEffects2021,
title = {Investigation of {{Noise Effects}} for {{Different Quantum Computing Architectures}} in {{IBM-Q}} at {{NISQ Level}}},
booktitle = {2021 25th {{International Conference}} on {{Information Technology}} ({{IT}})},