Yao’s Protocol for Secure 2-party Computation

Secure Multi-Party Computation Against Passive Adversaries

Part of the book series: Synthesis Lectures on Distributed Computing Theory (SLDCT)

Abstract

In this chapter, we present the seminal secure two-party computation (secure 2PC) protocol due to Yao [138]. The striking feature of the protocol is that unlike all the protocols discussed till now where the number of interactions among the parties is proportional to the multiplicative depth of the underlying circuit, Yao’s protocol requires only a constant number of interactions among the parties, irrespective of the circuit size. Thus the protocol can be deployed in high-latency networks, where the round-trip delay between the parties is high.

Notes

  1. Without loss of generality, we can assume that if \(w_x\) serves as the gate-input wire for any other gate, then it serves as the left gate-input wire for those gates. If this is not the case, then it is always possible to re-assign the wire labels to ensure that the above holds.

  2. Without loss of generality, we can assume that if \(w_y\) serves as the gate-input wire for any other gate, then it serves as the right gate-input wire for those gates. If this is not the case, then it is always possible to re-assign the wire labels to ensure that the above holds.

  3. This means that for every key k and message x, \(\textsf{Dec}_k(\textsf{Enc}_k(x)) = x\) holds.

  4. While presenting \(\mathcal {G}_{\textsf{Yao}}\) in Fig. 12.6, we used \((k_{i}^{0}, k_{i}^{1})\) to denote the key-pair associated with \(w_i\). Moreover, \(\textsf{GC}, X\) and d represented the garbled circuit, garbled input and decoding information respectively. We change these notations here to ensure notational consistency across all the hybrids.

  5. Hence \(k'_0 = \widetilde{\textbf{k}_{\textbf{a}}^{\textbf{1} - \alpha }}\) and \(k'_1 = \widetilde{\textbf{k}_{\textbf{b}}^{\textbf{1} - \beta }}\) in the CDE experiment.

  6. As mentioned in footnote 4, we used \(\widetilde{\textsf{GC}}, \widetilde{X}\) and \(\widetilde{d}\) to denote the output of the experiment \(H_0(x, \textsf{cir})\) for the sake of notational consistency; the actual output is denoted as \(\textsf{GC}, X\) and d, namely the one used while presenting \(\mathcal {G}_{\textsf{Yao}}\).

  7. Since \((\textsf{Gen}, \textsf{Enc}, \textsf{Dec})\) is CPA-secure, it implies that it is CDE-secure as well.

  8. For the sake of consistency, we denote the simulated keys as \(k_{}^{}\) instead of \(\widetilde{k_{}^{}}\).

  9. For this, the adversary has to decrypt the first ciphertext in the challenge ciphertext using the key-pair \((k_{a}^{\alpha }, k_{b}^{\beta })\) and see if the output is \({k_{g}^{G_g(\alpha , \beta )}}\) or \({k_{g}^{0}}\).
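
Added example (not from the chapter): garbling and evaluating a single gate g with input wires a and b, using the key-pair, garbled-input and decoding-information notation of Notes 3, 4 and 9. The SHAKE-256 pad and the all-zero tag are assumptions standing in for the chapter's CPA-secure \((\textsf{Gen}, \textsf{Enc}, \textsf{Dec})\), and all function names are hypothetical.

```python
import hashlib
import secrets

KEYLEN = 16        # bytes per wire key
TAG = bytes(16)    # assumption: an all-zero tag marks a correct decryption

def _xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def enc(ka, kb, msg):
    """Toy double-key encryption of msg under (ka, kb); SHAKE-256 gives the pad."""
    nonce = secrets.token_bytes(16)
    pad = hashlib.shake_256(ka + kb + nonce).digest(len(msg) + len(TAG))
    return nonce + _xor(pad, msg + TAG)

def dec(ka, kb, ct):
    """Return the plaintext, or None when (ka, kb) is the wrong key-pair."""
    nonce, body = ct[:16], ct[16:]
    pt = _xor(hashlib.shake_256(ka + kb + nonce).digest(len(body)), body)
    return pt[:-len(TAG)] if pt[-len(TAG):] == TAG else None

def garble_gate(G):
    """Garble one gate with truth function G(alpha, beta)."""
    keys = {w: (secrets.token_bytes(KEYLEN), secrets.token_bytes(KEYLEN))
            for w in ("a", "b", "g")}            # (k_w^0, k_w^1) per wire
    # One ciphertext per (alpha, beta), each hiding k_g^{G(alpha, beta)}.
    table = [enc(keys["a"][al], keys["b"][be], keys["g"][G(al, be)])
             for al in (0, 1) for be in (0, 1)]
    secrets.SystemRandom().shuffle(table)        # hide which row is which
    d = {keys["g"][0]: 0, keys["g"][1]: 1}       # decoding information
    return keys, table, d

def evaluate(table, ka, kb):
    """Holding one key per input wire, recover exactly one output-wire key."""
    hits = [k for k in (dec(ka, kb, row) for row in table) if k is not None]
    assert len(hits) == 1
    return hits[0]

def run(G, alpha, beta):
    keys, table, d = garble_gate(G)
    X = (keys["a"][alpha], keys["b"][beta])      # garbled input
    return d[evaluate(table, *X)]

if __name__ == "__main__":
    for al in (0, 1):
        for be in (0, 1):
            print(al, be, "AND ->", run(lambda x, y: x & y, al, be))
```
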

Author information

Correspondence to Ashish Choudhury.

Copyright information

© 2022 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this chapter

Choudhury, A., Patra, A. (2022). Yao’s Protocol for Secure 2-party Computation. In: Secure Multi-Party Computation Against Passive Adversaries. Synthesis Lectures on Distributed Computing Theory. Springer, Cham. https://doi.org/10.1007/978-3-031-12164-7_12
