CMSC 858T—Secure Distributed Computation February 4, 2021

Lecture 4
David Wang
Lecturer: Jonathan Katz Scribe(s):
Georgios Tsimos

1 The GMW Multi-Party Protocol

The GMW protocol that we saw in the last lecture can be extended to the multi-party setting.

Theorem 1 Assuming semi-honest (two-party) OT, for any n-input functionality F there is an
n-party protocol that (n − 1)-securely computes F (for semi-honest adversaries).

We describe the protocol in the OT-hybrid model. Recall we may assume F is deterministic.
The main idea is that the parties share the values on every wire of the circuit in an n-out-of-n
fashion. The protocol proceeds as follows:
Input-sharing phase: A party with input x ∈ {0, 1} chooses uniform bits x1 , . . . , xn subject to
the constraint that x = x1 ⊕ · · · ⊕ xn . It then sends xi to party Pi .
Gate evaluation: As in the last lecture, we consider evaluating a NOT gate, an XOR gate, and
an AND gate. In each case we assume the invariant holds for the input wire(s) to the gate,
and show how the parties can ensure it holds for the output wires.
• Say y = ¬x, and the parties hold x1 , . . . , xn with x1 ⊕ · · · ⊕ xn = x. They can compute
shares of y by having P1 set y1 := ¬x1 and having all other parties set yi := xi .
• Say z = x ⊕ y, and the parties hold x1 , . . . , xn and y1 , . . . , yn with x1 ⊕ · · · ⊕ xn = x and
y1 ⊕ · · · ⊕ yn = y. They can compute shares of z by having every party set zi := xi ⊕ yi .
• Say z = x ∧ y, and the parties hold x1 , . . . , xn and y1 , . . . , yn with x1 ⊕ · · · ⊕ xn = x and
y1 ⊕ · · · ⊕ yn = y. In contrast to the previous two cases, the parties cannot compute
shares of z through local computation alone. Instead, they will rely on oblivious transfer.
The parties want to compute shares of
!  
M M
z = (x1 ⊕ · · · ⊕ xn ) · (y1 ⊕ · · · ⊕ yn ) = x i · yi ⊕  (xi · yj ⊕ xj · yi ) .
i i<j

Each Pi can compute xi · yi locally. But Pi and Pj must cooperate to compute shares
of xi · yj ⊕ xj · yi . They do this using a 1-out-of-4 OT functionality. Specifically, for all
i < j parties Pi , Pj do:
– Pi chooses uniform bit zij . It then sets zji ab := z ⊕ x · b ⊕ a · y for a, b ∈ {0, 1}, and
ij i i
00 , z 01 , z 10 , z 11 to the OT functionality (playing the role of the sender).
sends zji ji ji ji
– Pj , playing the role of the receiver, sends xj yj to the OT functionality, and receives
x y
in return zji := zjij j . Note that zij ⊕ zji = xi · yj ⊕ xj · yi .
L 
Finally, each party Pi computes zi := xi · yi ⊕ j6=i ij . These form shares of z.
z

4-1
Output reconstruction: If party Pi is supposed to learn the value of some output wire z, then
all parties send their shares of z to Pi (who can then reconstruct z).

It is not hard to prove that the above protocol is perfectly secure in the OT-hybrid model.
Just as in the 2-party case, the round complexity of the GMW protocol is high. All AND gates
at the same level can be computed by the parties in parallel, but AND gates at different levels
must be computed sequentially. Thus, the round complexity of the protocol is O(d), where d is the
depth of the circuit computing F . (Depth is measured in terms of AND gates only.)
The number of OTs is O(n2 ) per AND gate, and a natural question is whether this can be
reduced. Some results about this are known but we will not cover them here.

1.1 What’s Next?

We have shown broad feasibility results for secure computation in the semi-honest setting. In the
following lectures we will consider the following questions:

• Can we improve the round complexity of the GMW protocol? In particular, is a constant-
round protocol possible?

• Is it possible to achieve unconditional security?

• How can we achieve security against malicious adversaries?

Summarizing known feasibility results addressing the last two questions (not all of which we will
cover this semester):

Semi-honest setting: The GMW protocol above achieves (n−1)-security based on (semi-honest)
oblivious transfer. The cryptographic assumption here is optimal, since general secure com-
putation for t < n obviously implies the ability to compute OT.
The BGW protocol has perfect security, but only tolerates t < n/2 corrupted parties. This
is known to be optimal, in the sense that there are functions that cannot be computed with
unconditional security (even in the semi-honest setting, and even with statistical security)
when t ≥ n/2.

Malicious setting: Without a broadcast channel and with no prior setup, an extension of the
BGW protocol achieves perfect security for t < n/3 malicious parties. This is optimal, in
the sense that there are functions that cannot be computed even with computational security
(without broadcast or prior setup) when t ≥ n/3. There are also functions that cannot be
computed with perfect security when t ≥ n/3 (even given broadcast).
With a broadcast channel (or prior setup that allows broadcast to be implemented), protocols
by Beaver or Rabin and Ben Or give statistical security for t < n/2. (This is optimal by what
we have already said above in the semi-honest setting.)
The protocols above all achieve full security, in a sense we will define in a later lecture. When
t < n one can consider a relaxed notion called security-with-abort. The GMW protocol can
be extended to the malicious setting by additionally relying on zero-knowledge proofs, where
it achieves security-with-abort for t < n corrupted parties. (In fact, it is possible to achieve
security for t < n parties based on OT alone.)

4-2
2 Garbled Circuits
We give here an introduction to Yao’s garbled circuits. A garbled circuit can informally be viewed as
an “encrypted” version of a boolean circuit for some function f . The basic idea is that one party (the
“garbler”) will act as a garbled-circuit generator, generated a garbled circuit GCf corresponding
to f , and the other (the “evaluator”) will evaluate GCf to get the result. We begin by describing
the idea behind a garbled gate. The garbler will associate each wire with two cryptographic keys,
one for each possible value the wire can take. The evaluator will learn one key per wire. The
garbler ensures that the evaluator can only learn the “correct” key on the output wire, i.e., the key
that corresponds to correct output based on the keys it knows on the input wires.
For example, consider an AND gate with input wires a, b and output wire c. The garbler will
choose keys a0 , a1 , b0 , b1 , c0 , c1 and make sure that if the evaluator knows keys ax and by then it
can (only) learn key cx∧y . This can be done using encryption, by constructing the following table
of ciphertexts:

Enca0 (Encb0 (c0 )), Enca0 (Encb1 (c0 )), Enca1 (Encb0 (c0 )), Enca1 (Encb1 (c1 )).

(We assume for simplicity that the encryption scheme has the property that decryption with the
wrong key yields an error. This is easy to ensure.) A garbled AND gate can be interpreted as the
encryption of cx∧y using ax and by . The evaluator can obtain cx∧y by trying to decrypt each of the
above ciphertexts using by followed by ax .
As described, the circuit evaluator learns which entry of the table decrypts correctly and thus
learns the bits that the different keys correspond to. We can prevent this by having the circuit
evaluator randomly permute the four ciphertexts above before sending them to the evaluator.
Although the above only deals with a single gate, it should be clear that these gates can be
connected to give a garbled circuit. The garbled circuit for a function f : {0, 1}n → {0, 1}n has the
following property: if the evaluator knows the input-wire keys corresponding to x1 , ..., xn ∈ {0, 1},
then it can evaluate the garbled circuit to obtain the output-wire keys corresponding to the values
y1 , . . . , yn = f (x). If the garbler tells the evaluator which keys correspond to which values for the
output wires, then the evaluator can obtain the output y itself.
We will see next time how to extend this to a secure two-party protocol for computing f .

4-3