Advanced Topics in Secure Function Evaluation

Course Secure, Trusted and Trustworthy Computing, Part 1
System Security Lab, Technische Universität Darmstadt
http://trust.cased.de

Prof. Dr.-Ing. Ahmad-Reza Sadeghi
Dipl.-Inf. Thomas Schneider

January 21, 2011


Page 2: Secure Function Evaluation (SFE)

Client C: private data x
Server S: private data y
Public function f(·, ·)
Secure Function Evaluation (SFE): z = f(x, y)

Applications:
• Millionaires problem x < y [Yao86], ...
• Auctions [NaorPS99], ...
• Privacy-Preserving
  – Remote Diagnostics [BrickellPSW07], ...
  – Face Recognition [ErkinFGKLT09], ...
  – Medical Diagnostics [BarniFKLSS09], ...
  – ...
• ...

Here: both parties semi-honest = honest but curious

Page 3: Engineering SFE Protocols

Task / Problem
Algorithm
SFE Protocol
Implementation
Measure Performance

Homomorphic Encryption (HE)
Garbled Circuits (GC)

Goals:
1) Maximize Performance
2) Tool Support

Page 4: This Lecture

1. Maximize Performance of SFE
   • Improved Garbled Circuits (Free XOR)
   • Modular SFE (GC+HE)
2. Tool Support
   • TASTY (Tool for Automating Secure Two-partY computations)

Page 5: Improved Garbled Circuits

Page 6: SFE with Garbled Circuits (GC) [Yao86]

Client C: private data $x = x_1, .., x_n$
Server S: private data $y = y_1, .., y_n$

• Circuit for $f(\cdot, \cdot)$, e.g., $x < y$: inputs $x_1, y_1, x_2, y_2, \ldots, x_n, y_n$, "<" gates connected by wires $c_1, c_2, \ldots$, output $z$
• Garbled Circuit $\tilde{C}$: Garbled Values $\tilde{x}_1, \tilde{y}_1, \tilde{x}_2, \tilde{y}_2, \ldots, \tilde{x}_n, \tilde{y}_n$ and $\tilde{c}_1, \tilde{c}_2, \ldots$, with a Garbled Table for the gates, output $z$

The protocol has a Setup Phase and an Online Phase. S provides $\tilde{C}$ and $\tilde{y}$, and C obtains $\tilde{x}$ via oblivious transfer:

$(\tilde{x}; \perp) \leftarrow \mathrm{OT}(x; (\tilde{x}^0, \tilde{x}^1))$

C then computes $f(x, y) = \tilde{C}(\tilde{x}, \tilde{y})$.

Garbled Table of a gate $g$ with output garbled values $\tilde{c}_1^0, \tilde{c}_1^1$:

$E(\tilde{x}_1^0, \tilde{y}_1^0; \tilde{c}_1^{g(0,0)})$
$E(\tilde{x}_1^0, \tilde{y}_1^1; \tilde{c}_1^{g(0,1)})$
$E(\tilde{x}_1^1, \tilde{y}_1^0; \tilde{c}_1^{g(1,0)})$
$E(\tilde{x}_1^1, \tilde{y}_1^1; \tilde{c}_1^{g(1,1)})$

Page 7: Improved Garbled Circuits [KolesnikovS08]

• Improved GCs provide “free XOR gates”:
  – no communication (no garbled table)
  – negligible computation (XOR of bitstrings)
• Idea: Use related garbled values
• Free XOR:
  • S chooses fixed key difference $\Delta \in_R \{0, 1\}^t$ (unknown to C)
  • S chooses related garbled values satisfying $\tilde{w}_i^0 = \tilde{w}_i^1 \oplus \Delta \in_R \{0, 1\}^t$

XOR gate with inputs $a$, $b$ and output $c$; garbled values $(\tilde{a}^0, \tilde{a}^1)$, $(\tilde{b}^0, \tilde{b}^1)$, $(\tilde{c}^0, \tilde{c}^1)$:

S: set $\tilde{c}^0 = \tilde{a}^0 \oplus \tilde{b}^0$, $\tilde{c}^1 = \tilde{c}^0 \oplus \Delta$
C: compute $\tilde{c} = \tilde{a} \oplus \tilde{b}$
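The Free XOR construction above, written out as an added Python example (not code from the lecture or from TASTY). The label length, the SHA-256 based row encryption with a zero tag, and all function names are assumptions of this sketch; it garbles z = (a XOR b) AND c and checks every input combination.

```python
import hashlib
import itertools
import secrets

T = 16  # garbled-value length in bytes (t = 128 bits); value chosen for this example


def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def pad(ka, kb, gate_id):
    # One-time pad for a table row, derived from both input labels (2*T bytes).
    return hashlib.sha256(ka + kb + gate_id.to_bytes(4, "big")).digest()


class Garbler:
    """Server S: knows both garbled values of every wire and the offset delta."""

    def __init__(self):
        self.delta = secrets.token_bytes(T)  # fixed key difference, unknown to C

    def new_wire(self):
        w0 = secrets.token_bytes(T)
        return (w0, xor(w0, self.delta))  # related values: w1 = w0 XOR delta

    def xor_gate(self, a, b):
        c0 = xor(a[0], b[0])  # S: set c0 = a0 XOR b0, c1 = c0 XOR delta
        return (c0, xor(c0, self.delta))  # no garbled table is produced

    def and_gate(self, a, b, gate_id):
        c = self.new_wire()
        # Row for inputs (i, j) hides c[i AND j]; T zero bytes mark the valid row.
        rows = [xor(pad(a[i], b[j], gate_id), c[i & j] + bytes(T))
                for i in (0, 1) for j in (0, 1)]
        secrets.SystemRandom().shuffle(rows)
        return c, rows


def eval_xor(ka, kb):
    return xor(ka, kb)  # C: compute c = a XOR b, nothing was transferred


def eval_and(rows, ka, kb, gate_id):
    p = pad(ka, kb, gate_id)
    for row in rows:
        plain = xor(row, p)
        if plain[T:] == bytes(T):  # only the matching row decrypts to the tag
            return plain[:T]
    raise ValueError("no table row decrypted")


def run_circuit(a_bit, b_bit, c_bit):
    """Garble and evaluate z = (a XOR b) AND c; return (label held by C, wire z)."""
    s = Garbler()
    a, b, c = s.new_wire(), s.new_wire(), s.new_wire()
    d = s.xor_gate(a, b)
    z, table = s.and_gate(d, c, gate_id=1)
    # C holds exactly one garbled value per input wire.
    kd = eval_xor(a[a_bit], b[b_bit])
    kz = eval_and(table, kd, c[c_bit], gate_id=1)
    return kz, z


def verify_correctness():
    """True if C's output label encodes (a XOR b) AND c for all eight inputs."""
    for a_bit, b_bit, c_bit in itertools.product((0, 1), repeat=3):
        kz, z = run_circuit(a_bit, b_bit, c_bit)
        if kz != z[(a_bit ^ b_bit) & c_bit]:
            return False
    return True


if __name__ == "__main__":
    print("Free XOR circuit correct:", verify_correctness())
```

Only the AND gate produces a table; the XOR gate costs one XOR of two t-bit strings on each side.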

Further Operations

Additively Homomorphic Encryption allows multiplying a ciphertext $Enc_{Add}(m)$ with a plaintext constant $c > 0$ as

$Enc_{Add}(c \cdot m) = Enc_{Add}(m)^c$.

Similarly, Multiplicatively Homomorphic Encryption allows exponentiating a ciphertext $Enc_{Mul}(m)$ with a constant $c > 0$ as

$Enc_{Mul}(m^c) = Enc_{Mul}(m)^c$.

Both can be computed efficiently with the square-and-multiply algorithm, which requires on average $O(|c|)$ squarings and $O(|c|/2)$ multiplications on ciphertexts.

Recall the square-and-multiply algorithm.

However, purely additively / multiplicatively homomorphic encryption does not allow multiplying / exponentiating two ciphertexts.

Sadeghi@TU Darmstadt, Schneider@RUB, 2010 Secure, Trusted and Trustworthy Computing, Part 1 Basics of Secure Computing 16 / 41

Verify correctness

Page 8: Circuits with Free XOR

• Build circuits with few non-XOR gates

Page 9: ℓ-bit Multiplication Circuits

Textbook:

$x \cdot y = \sum_{i=1}^{\ell} 2^{i-1} y_i \cdot x$

Fast [KaratsubaO62]:

$x = x_h 2^{\lceil \ell/2 \rceil} + x_l$
$y = y_h 2^{\lceil \ell/2 \rceil} + y_l$
$z_h = x_h y_h$
$z_l = x_l y_l$
$z_d = (x_h + x_l)(y_h + y_l) - z_h - z_l$
$x \cdot y = (x_h 2^{\lceil \ell/2 \rceil} + x_l)(y_h 2^{\lceil \ell/2 \rceil} + y_l) = z_h 2^{2\lceil \ell/2 \rceil} + z_d 2^{\lceil \ell/2 \rceil} + z_l$

TASTY and compare different protocols against each other and with existing SFE implementations: multiplication circuits and protocols based on GC or HE (§5.1), SFE of an AES circuit generated by the Fairplay compiler (§5.2), and SFE of large GCs (§5.3).

System Setup. All performance measurements are performed on two desktop PCs with Intel Core 2 Duo CPU (E6850) running at 3.00GHz and 4GB RAM connected via Gigabit Ethernet. The system runs on 64 bit Gentoo Linux with Python version 2.6.5, gmpy version 1.11 and GMP version 4.3.2. Unless stated otherwise, all measurements were performed for short-term security (cf. Table 4) and using point compression for elliptic curves (cf. §4.3).

5.1 Multiplication Circuits and Protocols

As arithmetic circuits can express arbitrary computations as sequence of additions and multiplications, multiplication is a fundamental basic operation. Indeed, the main difference between SFE protocols based on arithmetic and boolean circuits is the cost for multiplications. We present efficient multiplication circuits in §5.1.1 and compare the performance of secure multiplication protocols in §5.1.2.

5.1.1 Multiplication Circuits

Textbook Multiplication. The usual way of multiplying two unsigned ℓ-bit integers x and y, called “Textbook Method”, multiplies x with each bit of y and adds up all the properly shifted results according to the formula $x \cdot y = \sum_{i=0}^{\ell-1} x y_i 2^i$. This results in a circuit with $2\ell^2 - \ell$ non-XOR 2-input gates [28].

Karatsuba Multiplication. As observed by Karatsuba [26], multiplication can be performed more efficiently using the following recursive method (details in Algorithm 1): x and y are split into two halves as $x = x_h 2^{\lceil \ell/2 \rceil} + x_l$ and $y = y_h 2^{\lceil \ell/2 \rceil} + y_l$. Then, the product can be computed as $xy = (x_h 2^{\lceil \ell/2 \rceil} + x_l)(y_h 2^{\lceil \ell/2 \rceil} + y_l) = z_h 2^{2\lceil \ell/2 \rceil} + z_d 2^{\lceil \ell/2 \rceil} + z_l$.

After computing $z_h = x_h y_h$ and $z_l = x_l y_l$, $z_d$ can be computed with only one multiplication as $z_d = (x_h + x_l)(y_h + y_l) - z_h - z_l$. This process is continued recursively until the numbers are sufficiently small (ℓ = 19 in our case as described below) and multiplied with the classical school method. Overall, multiplying two ℓ bit numbers with Karatsuba’s method requires three multiplications of ℓ/2 bit numbers and some additions and subtractions with linear bit complexity resulting in costs

$T_{Kara}(\ell) = 3 T_{Kara}(\ell/2) + c\ell + d$

for constants c and d. The master theorem [8, §4.3f] yields asymptotic complexity $T_{Kara}(\ell) \in O(\ell^{\log_2 3}) \approx O(\ell^{1.585})$.

Algorithm 1 Karatsuba multiplication

function KARATSUBA(x, y)              ▷ x, y are ℓ-bit integers
    x_h || x_l ← x                    ▷ x = x_h · 2^⌈ℓ/2⌉ + x_l
    y_h || y_l ← y                    ▷ y = y_h · 2^⌈ℓ/2⌉ + y_l
    P_h ← KARATSUBA(x_h, y_h)         ▷ z_h = x_h · y_h
    P_l ← KARATSUBA(x_l, y_l)         ▷ z_l = x_l · y_l
    x_s ← x_h + x_l
    y_s ← y_h + y_l
    P_s ← KARATSUBA(x_s, y_s)
    P_d ← P_s − P_h − P_l             ▷ z_d
    return (P_h · 2^(2⌈ℓ/2⌉)) + P_d · 2^⌈ℓ/2⌉ + P_l
end function

Circuit Complexity. In TASTY we have implemented both methods for multiplication based on efficient addition and subtraction circuits of [28]. As shown in Fig. 6 and Table 5, Karatsuba multiplication is more efficient, i.e., results in circuits with less non-XOR gates, than Textbook multiplication already for multiplication of 20 bit operands. By interpolating through the points for bitlength ℓ ∈ {32, 64, 128} and solving the resulting system of linear equations we obtain as approximation for the number of non-XOR gates

$T_{Kara}(\ell) \approx 9.0165\,\ell^{1.585} - 13.375\,\ell - 34$.

Figure 6: Size of Multiplication Circuits

Table 5: Size of Multiplication Circuits (in number of 2-input non-XOR gates)

Bitlength ℓ    19      20      32      64      128
Textbook       703     780     2,016   8,128   32,640
Karatsuba      703     721     1,729   5,683   17,973
Improvement    0.0 %   7.6 %   14.2 %  30.1 %  44.9 %

5.1.2 Multiplication Protocols

Using TASTY we compare the performance of different secure multiplication protocols based on homomorphic encryption (HE) and garbled circuits (GC). For this we constructed four basic test cases. For each SFE paradigm, we consider the case where both inputs are provided by one party (S for GC1 and C for HE1), or one by each of the parties (GC2 and HE2). The inputs are Unsigned ℓ-bit values and the output, a 2ℓ-bit Unsigned value is converted into a Plain output for C. In the following, we compare the communication- and the computation complexity of the setup- and online phase of the protocols.

Communication (cf. Fig. 7). Our experiments show that GC-based multiplication requires a substantial amount of setup communication (for transfer of GCs) whereas the online communication of GC is better than HE for multiplication of small values. The online communication for multiplying with HE is independent of the bitlength ℓ as a

$2\ell^2 - \ell$ non-XORs
$\approx 9\ell^{1.6} - 13\ell - 34$ non-XORs

[HeneckaKSSW10]

Page 10: Modular SFE

Page 11: SFE with Homomorphic Encryption (HE)

Application: SFE by Computing on Encrypted Data

Client (private data x) → Server: pk, ⟦x⟧
Server (private data y): ⟦z⟧ = f(⟦x⟧, ⟦y⟧), restricted to specific homomorphic operation(s)
Server → Client: ⟦z⟧; the Client obtains z

Property: ∀x, y ∈ P: ⟦x ∘ y⟧ = ⟦x⟧ ⊡ ⟦y⟧, where ⟦x⟧ := Enc_pk(x)

HE Schemes:

Property   Schemes
+          [Paillier99], [DamgårdJ01], [DamgårdGK07], ...
+, 1*      [BonehGN05], [GentryHV10], ...
+, *       [Gentry09], [SmartV10], [DijkGHV10], ...

Page 12: Performance of Homomorphic Encryption

• Fully HE: minimal interaction but not practical yet
• Additively Homomorphic Encryption is practical but needs interaction for multiplication:

S (holds $\llbracket x \rrbracket, \llbracket y \rrbracket$): choose random $r_x, r_y$
   $\llbracket \bar{x} \rrbracket = \llbracket x \rrbracket \boxplus \llbracket r_x \rrbracket$
   $\llbracket \bar{y} \rrbracket = \llbracket y \rrbracket \boxplus \llbracket r_y \rrbracket$
S → C: $\llbracket \bar{x} \rrbracket, \llbracket \bar{y} \rrbracket$
C: $\bar{z} = \bar{x} * \bar{y}$
C → S: $\llbracket \bar{z} \rrbracket$
S: $\llbracket x * y \rrbracket = \llbracket \bar{z} \rrbracket - r_y \llbracket x \rrbracket - r_x \llbracket y \rrbracket - \llbracket r_x * r_y \rrbracket$
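The blinded multiplication protocol above, as an added Python example (not code from the lecture or from TASTY), which also uses the rule Enc_Add(c · m) = Enc_Add(m)^c from page 7. It assumes textbook Paillier with g = n + 1 and two small Mersenne primes as toy parameters, far too small for real use; all function names are hypothetical.

```python
import math
import secrets

# Toy parameters (assumption of this example): two Mersenne primes.
P = (1 << 31) - 1
Q = (1 << 61) - 1


def keygen(p, q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return n, (lam, pow(lam, -1, n))  # public n, secret (lambda, mu)


def enc(n, m):
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    # (1 + n)^m * r^n mod n^2, using (1 + n)^m = 1 + m*n mod n^2
    return (1 + (m % n) * n) * pow(r, n, n * n) % (n * n)


def dec(n, sk, c):
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def add(n, c1, c2):
    return c1 * c2 % (n * n)  # [a] (+) [b] = [a + b]


def mul_const(n, c, k):
    return pow(c, k % n, n * n)  # [a]^k = [k * a], square-and-multiply


def server_blind(n, cx, cy):
    """S: add random masks r_x, r_y under encryption."""
    rx, ry = secrets.randbelow(n), secrets.randbelow(n)
    return (rx, ry), add(n, cx, enc(n, rx)), add(n, cy, enc(n, ry))


def client_multiply(n, sk, cxb, cyb):
    """C: decrypt the blinded values, multiply in the clear, re-encrypt."""
    return enc(n, dec(n, sk, cxb) * dec(n, sk, cyb))


def server_unblind(n, cx, cy, masks, czb):
    """S: [x*y] = [z'] - r_y[x] - r_x[y] - [r_x * r_y]."""
    rx, ry = masks
    c = add(n, czb, mul_const(n, cx, -ry))
    c = add(n, c, mul_const(n, cy, -rx))
    return add(n, c, enc(n, -rx * ry))


def secure_multiply(x, y):
    """Run both roles locally; return (x*y mod n, blinded values seen by C)."""
    n, sk = keygen(P, Q)  # key pair of C
    cx, cy = enc(n, x), enc(n, y)  # ciphertexts held by S
    masks, cxb, cyb = server_blind(n, cx, cy)
    seen_by_client = (dec(n, sk, cxb), dec(n, sk, cyb))
    czb = client_multiply(n, sk, cxb, cyb)
    cz = server_unblind(n, cx, cy, masks, czb)
    return dec(n, sk, cz), seen_by_client


if __name__ == "__main__":
    product, seen = secure_multiply(1234, 5678)
    print("x*y =", product, "| C saw only blinded values:", seen)
```

The result is correct as long as x · y is smaller than n; the values C decrypts are x + r_x and y + r_y modulo n, which are uniformly distributed.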

Page 13: Combine Advantages of GC and HE

• HE good for linear operations (+, �)
• GC good for + and non-linear operations (<, min, ...)
• Combine HE+GC by converting HE ⇔ GC [BrickellPSW07], [BarniFKLSS09], [KolesnikovSS09], ...
  1. A: add random mask under encryption
  2. B: decrypt + encrypt with new scheme
  3. A: take off random mask under encryption

Page 14: Theoretical Framework: Modular SFE

SFE = convert + compute on encrypted data [KolesnikovSS10]

1. encrypt inputs
2. compute under encryption
3. decrypt outputs

[Figure: Inputs/Outputs are Plain Values x of Client C and Server S. Encrypted Values are Garbled Values $\tilde{x}$ (SFE of Boolean Circuits using Garbled Circuits) and Homomorphic Values ⟦x⟧ (SFE of Arithmetic Circuits using Homomorphic Encryption).]

Page 15: TASTY (Tool for Automating Secure Two-partY computations)

Web: http://tastyproject.net

Page 16: TASTY: Tool for Automating Secure Two-partY computations

Design Goals:

• program SFE protocols as sequence of operations on encrypted data
• minimize latency of online phase by pre-computing in setup phase
• test, benchmark + compare performance of SFE protocols

[Figure: a Protocol Description in TASTYL and the Inputs of Client C and Server S enter the Runtime Environment (Analyzation Phase, Setup Phase, Online Phase), which yields the Outputs of Client C and Server S and the Costs.]

Page 17: TASTYL: Types and Operators

Value (bitlength): +, -, *
• Plain Value (Unsigned, Signed, Modular): rand, input, output, /, <, =, ...
• Garbled Value: mux, <, =, ...
• Homomorphic Value

Vector (N values): +, -, *, dot
• Plain Vector (UnsignedVector, SignedVector, ModularVector): rand, input, output, /, =, ...
• Garbled Vector: min, max, ...
• Homomorphic Vector

Page 18: TASTYL: Example

Inputs: C has vector v and S has vector w (N=4 unsigned L=32-bit values each)
Output: C obtains $\min_{i=1,..,N} (v_i \cdot w_i)$

def protocol(client, server):
    N = 4
    L = 32

    # input of client
    client.v = UnsignedVec(bitlen=L, dim=N)
    client.v.input(desc="enter values for v")

    # input of server
    server.w = UnsignedVec(bitlen=L, dim=N)
    server.w.input(desc="enter values for w")

    # convert unsigned to homomorphic vector
    client.hv = HomomorphicVec(val=client.v)
    server.hv <<= client.hv

    # multiply vectors (component-wise)
    server.hx = server.hv * server.w

    # convert homomorphic to garbled vector
    client.gx <<= GarbledVec(val=server.hx)

    # compute minimum value
    client.gmin = client.gx.min_value()

    # convert garbled to unsigned value and output
    client.min = Unsigned(val=client.gmin)
    client.min.output(desc="minimum value")

Code annotations on the slide: HE, GC

Page 19: Privacy-Preserving Applications in TASTYL

• Set Intersection [FreedmanNP04]: HE
• Face-Recognition [SadeghiSW09]: HE+GC
• Medical Diagnostics (ECG) [BarniFKLSS09]: HE+GC

Embedded slide: Typical Application Scenario

Client, Server: Client-Image in database?
Standard-Way: Client sends image to DB, DB compares and sends result back

Ahmad-Reza Sadeghi, Thomas Schneider, Immo Wehrenberg: Efficient Privacy Preserving Face Recognition

Embedded poster: Ask your e-Doctor without telling

Privacy-Preserving Medical Diagnostics

System Security Group - http://www.trust.rub.de
Ahmad-Reza Sadeghi, Thomas Schneider
Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Universitätsstr. 150, D-44780 Bochum, Germany; e-mail: thomas.schneider@trust.rub.de
Joint work with Mauro Barni, Pierluigi Failla, Riccardo Lazzeretti (University of Siena, Italy) and Vladimir Kolesnikov (Bell Labs, USA)

Introduction
• e-Health
  – Examples: Google Health, Gesundheitskarte
• Benefits
  – Less medical errors
  – Cost reduction
• Conflict of Interests
  – Privacy of user data
  – Intellectual property of service provider

Approach
• Medical Diagnostics
  – User asks e-doctor whether to visit a doctor
• Privacy-Preserving
  – Do not reveal any sensitive information
• Additional Properties
  – Efficient
  – Provably Secure

Privacy-Preserving Classification of Electro Cardiogram (ECG) Data [2,3]

[Figure: the user measures the ECG, processes the signal and sends an encrypted query; the e-doctor classifies under encryption and returns an encrypted response; the user decrypts it: stay at home / visit doctor.]

Applied Cryptography
• Computing on encrypted data
  – Homomorphic encryption (e.g., Paillier [4]) allows linear operations under encryption
• Computing with encrypted functions
  – Garbled circuits of Yao [5] allow linear and non-linear operations under encryption
• Efficient combination of both

Signal Processing
• ECG Classification Algorithm of [1]
  – Improved and mapped to integer arithmetics

Implementation Results
• Two PCs (3 GHz Intel Core Duo, 4GB RAM), Gigabit Ethernet

Classification accuracy   86.3%
Client runtime            18.7s
Server runtime            16.2s
Communication             64 kByte

References
[1] U. R. Acharya, J. Suri, J. A. E. Spaan, and S. M. Krishnan. Advances in cardiac signal processing. Springer, 2007.
[2] M. Barni, P. Failla, V. Kolesnikov, R. Lazzeretti, A.-R. Sadeghi, T. Schneider. Secure evaluation of private linear branching programs with medical applications. In 14th European Symposium on Research in Computer Security (ESORICS '09). Full version available at http://eprint.iacr.org/2009/195.
[3] M. Barni, P. Failla, V. Kolesnikov, R. Lazzeretti, A. Paus, A.-R. Sadeghi, T. Schneider. Efficient privacy-preserving classification of ECG signals. In 1st IEEE International Workshop on Information Forensics and Security (WIFS '09).
[4] P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In 18th Advances in Cryptology – EUROCRYPT 1999.
[5] A. C. Yao. How to generate and exchange secrets. In 27th IEEE Symposium on Foundations of Computer Science (FOCS '86).

Page 20: Discussion: Secure Computation in Practice

• Efficiency
  – resource intensive (computation+communication)
  – privacy-preserving applications, e.g., face-recognition
• Security: critical (e.g., medical) applications need
  – large security parameters (long-term security)
  – protection against active/malicious attackers
• Usability: tool support
  – Computer Aided Cryptography Engineering
  – intuitive user interfaces

http://cace-project.eu

Page 21: Literature (1)

[BarniFKLSS09] M. Barni, P. Failla, V. Kolesnikov, R. Lazzeretti, A.-R. Sadeghi, T. Schneider. Secure evaluation of private linear branching programs with medical applications. In European Symposium on Research in Computer Security (ESORICS'09), volume 5789 of LNCS, pages 424–439. Springer, 2009.

[BonehGN05] D. Boneh, E.-J. Goh, K. Nissim. Evaluating 2-DNF formulas on ciphertexts. In Theory of Cryptography Conference (TCC'05), volume 3378 of LNCS, pages 325–341. Springer, 2005.

[BoyarPP00] J. Boyar, R. Peralta, D. Pochuev. On the multiplicative complexity of Boolean functions over the basis (∧, ⊕, 1). Theoretical Computer Science, 235(1):43–57, 2000.

[BrickellPSW07] J. Brickell, D. E. Porter, V. Shmatikov, E. Witchel. Privacy-preserving remote diagnostics. In ACM Computer and Communications Security (CCS'07), pages 498–507. ACM, 2007.

[DamgårdGK07] I. Damgård, M. Geisler, M. Krøigaard. Efficient and secure comparison for on-line auctions. In Australasian Conference on Information Security and Privacy (ACISP'07), volume 4586 of LNCS, pages 416–430. Springer, 2007.

[DamgårdJ01] I. Damgård, M. Jurik. A generalisation, a simplification and some applications of Paillier's probabilistic public-key system. In Public-Key Cryptography (PKC'01), LNCS, pages 119–136. Springer, 2001.

[DijkGHV10] M. van Dijk, C. Gentry, S. Halevi, V. Vaikuntanathan. Fully homomorphic encryption over the integers. In Advances in Cryptology – EUROCRYPT'10, volume 6110 of LNCS, pages 24–43. Springer, 2010.

Page 22: Literature (2)

[ErkinFGKLT09] Z. Erkin, M. Franz, J. Guajardo, S. Katzenbeisser, I. Lagendijk, T. Toft. Privacy-preserving face recognition. In Privacy Enhancing Technologies Symposium (PETS'09), volume 5672 of LNCS, pages 235–253. Springer, 2009.

[FreedmanNP04] M. J. Freedman, K. Nissim, B. Pinkas. Efficient private matching and set intersection. In Advances in Cryptology – EUROCRYPT'04, volume 3027 of LNCS, pages 1–19. Springer, 2004.

[Gentry09] C. Gentry. Fully homomorphic encryption using ideal lattices. In ACM Symposium on Theory of Computing (STOC'09), pages 169–178. ACM, 2009.

[GentryHV10] C. Gentry, S. Halevi, V. Vaikuntanathan. A simple BGN-type cryptosystem from LWE. In Advances in Cryptology – EUROCRYPT'10, volume 6110 of LNCS, pages 506–522. Springer, 2010.

[KaratsubaO62] A. A. Karatsuba, Y. Ofman. Multiplication of many-digital numbers by automatic computers. SSSR Academy of Sciences, 145:293–294, 1962.

[KolesnikovS08] V. Kolesnikov, T. Schneider. Improved garbled circuit: Free XOR gates and applications. In International Colloquium on Automata, Languages and Programming (ICALP'08), volume 5126 of LNCS, pages 486–498. Springer, 2008.

[KolesnikovSS09] V. Kolesnikov, A.-R. Sadeghi, T. Schneider. Improved garbled circuit building blocks and applications to auctions and computing minima. In International Conference on Cryptology And Network Security (CANS'09), volume 5888 of LNCS, pages 1–20. Springer, 2009.

Page 23: Literature (3)

[KolesnikovSS10] V. Kolesnikov, A.-R. Sadeghi, T. Schneider. From dust to dawn: Practically efficient two-party secure function evaluation protocols and their modular design. Cryptology ePrint Archive, Report 2010/079, 2010.

[NaorPS99] M. Naor, B. Pinkas, R. Sumner. Privacy preserving auctions and mechanism design. In ACM Conference on Electronic Commerce, pages 129–139, 1999.

[Paillier99] P. Paillier. Public-key cryptosystems based on composite degree residuosity classes. In Advances in Cryptology – EUROCRYPT'99, volume 1592 of LNCS, pages 223–238. Springer, 1999.

[SadeghiSW09] A.-R. Sadeghi, T. Schneider, I. Wehrenberg. Efficient privacy-preserving face recognition. In International Conference on Information Security and Cryptology (ICISC'09), volume 5984 of LNCS, pages 229–244. Springer, 2009.

[SmartV10] N. P. Smart, F. Vercauteren. Fully homomorphic encryption with relatively small key and ciphertext sizes. In Public Key Cryptography (PKC'10), volume 6056 of LNCS, pages 420–443. Springer, 2010.

[Waksman68] A. Waksman. A Permutation Network. Journal of the ACM, 15(1):159-163, 1968.

[Yao86] A. C. Yao. How to generate and exchange secrets. In IEEE Symposium on Foundations of Computer Science (FOCS'86), pages 162–167. IEEE, 1986.