Chapter 2 Basics of Efficient Secure Function Evaluation


2.1 Common Notation and Definitions

In this section we introduce common notation (Sect ), cryptographic primitives (Sect ), function representations (Sect ), the adversary model (Sect ), and the Random Oracle (RO) model (Sect ) used in this book.

Notation

We use the following standard notations.

Basics

Bitstrings. $\{0,1\}^l$ denotes the space of binary strings of length $l$. $a \| b$ denotes the concatenation of strings $a$ and $b$. $\langle a, b \rangle$ is a vector with two components $a$ and $b$, and its representation as a bit string is $a \| b$. For strings $s, t \in \{0,1\}^l$, $s \oplus t$ denotes their bitwise exclusive-or (XOR).

Random Choice. Uniform random choice is denoted by the $\in_R$ operator, e.g., $r \in_R D$ reads "draw $r$ uniformly at random from $D$".

Protocol Participants. We call the two Secure Function Evaluation (SFE) participants client C (Alice) and server S (Bob). This naming choice is influenced by the asymmetry in the SFE protocols, which fits into the client-server model. We want to point out that we do not limit ourselves to this setting even though this client-server relationship in fact exists in most real-life two-party SFE scenarios.

Security and Correctness Parameters

Our security and correctness parameters are named as shown in Table 2.1. Table 2.2 contains current recommendations by ECRYPT II [74] for the size of the symmetric security parameter $t$ and the asymmetric security parameter $T$.

T. Schneider, Engineering Secure Two-Party Computation Protocols, DOI: / _2, Springer-Verlag Berlin Heidelberg 2012

Table 2.1 Security and correctness parameters

| Symbol | Name |
|---|---|
| $t$ | Symmetric security parameter (bit length of symmetric keys) |
| $T$ | Asymmetric security parameter (bit length of RSA moduli) |
| $\sigma$ | Statistical security parameter |
| $\kappa$ | Correctness parameter |

Table 2.2 Security parameters: recommended sizes [74]

| Security level | Recommended use until | $t$ (bit) | $T$ (bit) |
|---|---|---|---|
| Ultra-short | | | ,248 |
| Short | | | ,776 |
| Medium | | | ,432 |
| Long | | | ,248 |

An overview and comparison of different recommendations is available at [96]. In implementations, the statistical security parameter $\sigma$ and the correctness parameter $\kappa$ can be chosen as $\sigma = \kappa =$

Cryptographic Primitives

Pseudo-Random Function (PRF) keyed with $k$ and evaluated on $x$ is denoted by $\mathrm{PRF}_k(x)$. PRF can be instantiated with a block cipher, e.g., AES, or a cryptographic hash function, e.g., SHA-256. AES is preferable if PRF is run repeatedly with the same key $k$, as in this case the key schedule of AES needs to be run only once and hence amortizes.

Message Authentication Code (MAC) keyed with $k$ and evaluated on message $m$ is denoted by $\mathrm{MAC}_k(m)$. In our token-based protocols in Chap. 4 we use a MAC algorithm that does not need to store the entire message, but can operate online on small blocks, e.g., AES-CMAC [204] or HMAC [146].

Function Representations

We use several standard representations for functions which are particularly useful for SFE protocols as shown in Fig. 2.1: boolean circuits (Sect ) and arithmetic circuits (Sect ).

Fig. 2.1 Function representations. (a) Boolean circuit. (b) Arithmetic circuit

Boolean Circuits

Boolean circuits are a classical representation of functions in engineering and computer science.

Definition 1 (Boolean Circuit) A boolean circuit with $u$ inputs, $v$ outputs and $n$ gates is a Directed Acyclic Graph (DAG) with $|V| = u + v + n$ vertices (nodes) and $|E|$ edges. Each node corresponds to either a gate, an input or an output. The edges are called wires. For simplicity, the input and output nodes are often omitted in the graphical representation of a boolean circuit as shown in Fig. 2.1a. For a more detailed definition see [225].

Definition 2 (Gate) A $d$-input gate $G^d$ is a boolean function which maps $d \ge 0$ input bits to one output bit, i.e., $G^d : (in_1, \ldots, in_d) \in \{0,1\}^d \mapsto \{0,1\}$. Typical gates are XOR ($\oplus$), XNOR ($=$), AND ($\wedge$), OR ($\vee$).

Topologic Order. Gates of a boolean circuit can be evaluated in any order, as long as all of the current gate's inputs are known. This property is ensured by sorting (and evaluating) the gates topologically, which can be done efficiently in $O(|V| + |E|)$ [64, Topological sort, pp ]. The topologic order of a boolean circuit indexes the gates with labels $G_1, \ldots, G_n$ and ensures that the $i$-th gate $G_i$ has no inputs that are outputs of a successive gate $G_{j>i}$. In complexity theory, a circuit with such a topologic order is called a straight-line program [6]. Given the values of the inputs, the output of the boolean circuit can be evaluated by evaluating the gates one-by-one in topologic order. A valid topologic order for the example boolean circuit in Fig. 2.1a would be , , , =. The topologic order is not necessarily unique, e.g., , , =, would be possible as well. Throughout this book we assume that boolean circuits are ordered topologically.

Arithmetic Circuits

Arithmetic circuits are a more compact function representation than boolean circuits. An arithmetic circuit over a ring $R$ and the set of variables $x_1, \ldots, x_n$ is a DAG. Figure 2.1a illustrates an example. Each node with in-degree zero is called an input gate labeled by either a variable $x_i$ or an element in $R$. Every other node is called a gate and labeled by either $+$ or $\times$ denoting addition or multiplication in $R$. Any boolean circuit can be expressed as an arithmetic circuit over $R = \mathbb{Z}_2$. However, if we use $R = \mathbb{Z}_m$ for sufficiently large modulus $m$, the arithmetic circuit can be much smaller than its corresponding boolean circuit, as integer addition and multiplication can be expressed as single operations in $\mathbb{Z}_m$.

Number Representation. We note that arithmetic circuits can simulate computations on both positive and negative integers $x$ by mapping them into elements of $\mathbb{Z}_m$: $x \mapsto x \bmod m$. As with all fixed precision arithmetics, over- and underflows must be avoided.

Adversary Model

The standard approach for formalizing and proving security of cryptographic protocols is to consider adversaries with different capabilities. In the following we give intuition for the capabilities of malicious, covert, and semi-honest adversaries. We refer to [99] for formal definitions and to [145, 152] for more detailed discussions.

Malicious adversaries, also called active adversaries, are the strongest type of adversaries and are allowed to arbitrarily deviate from the protocol, aiming to learn private inputs of the other parties and/or to influence the outcome of the computation. Not surprisingly, protection against such attacks is relatively expensive, as discussed in Sect .

Covert adversaries are similar to malicious adversaries, but with the restriction that they must avoid being caught cheating. That is, a protocol in which an active attacker may gain advantage may still be considered secure if attacks are discovered with certain fixed probability (e.g., 1/2). It is reasonable to assume that in many social, political and business scenarios the consequences of being caught outweigh the gain from cheating. At the same time, protocols secure against covert adversaries can be substantially more efficient than those secure against malicious players, as shown in Sect .

Semi-honest adversaries, also called passive adversaries, do not deviate from the protocol but try to infer additional information from the transcript of messages seen in the protocol. Far from trivial, this model covers many typical practical settings such as protection against insider attacks. Further, designing and evaluating the performance of protocols in the semi-honest model is a first step towards protocols with stronger security guarantees (cf. Sect ). Indeed, most protocols and implementations of protocols for practical privacy-preserving applications focus on the semi-honest model [19, 76, 164, 173, 189].

Random Oracle Model

Some of our constructions in this book make use of ROs [24], a relatively strong assumption. In fact, it has been shown in [57] that some (contrived) uses of RO cannot be securely instantiated with any hash function. Therefore, proofs in the RO model cannot be seen as proofs in the strictest mathematical sense. However, we believe that modeling cryptographic hash functions, such as SHA-256, as RO is well-justified in many practical settings because of the following reasons:

Firstly, to date, no attacks exploiting the RO assumption are known on practical systems. This holds true even in the academic context: Important attacks on SHA-1 [226] that exploit the structure of the functions were far from being practical, and simply accelerated migration to stronger primitives, which are believed secure today. While some attacks, such as the attack on MD5 [209], are in fact practical, the use of MD5 had long been considered unsafe, and [209] broke poorly managed systems. Thus we do not consider [209] an attack on properly implemented protocols. In fact, [209] and the preliminary work that led to it only support the historic fact that users of hash functions do receive weakness warnings years ahead of possible real breaks.

Further, even in well-understood and deployed real-life systems, the crypto core (which includes the employed hash functions) is almost never targeted for attacks, in favor of much easier to exploit implementation flaws.

In sum, we believe that making the RO assumption on the employed hash function is practically justified in our and many other settings.

2.2 Cryptographic Primitives for Secure Two-Party Computation

In this section we describe essential building blocks used in SFE protocols: Homomorphic Encryption (HE) in Sect , Garbled Circuits (GCs) in Sect , and Oblivious Transfer (OT) in Sect .

Homomorphic Encryption

HE schemes are semantically secure encryption schemes which allow computation of specific operations on ciphertexts and hence can be used for secure evaluation of arithmetic circuits as described next.

Let (Gen, Enc, Dec) be a semantically secure encryption scheme with plaintext space $P$, ciphertext space $C$, and algorithms for key generation Gen, encryption Enc and decryption Dec. We write $[[m]]$ for $\mathrm{Enc}(m, r)$, where $r$ is random.

Additively Homomorphic Encryption

An additively HE scheme allows addition under encryption as follows. It defines an operation $+$ on plaintexts and a corresponding operation $\boxplus$ on ciphertexts, satisfying $\forall x, y \in P : [[x]] \boxplus [[y]] = [[x + y]]$. This naturally allows for multiplication with a plaintext constant $a$ using repeated doubling and adding: $\forall a \in \mathbb{N}, x \in P : a[[x]] = [[ax]]$.

Popular instantiations for additively HE schemes are summarized in Table 2.3: The Paillier cryptosystem [176] provides a $T$-bit plaintext space and $2T$-bit ciphertexts, where $T$ is the size of the RSA modulus $N$, and is sufficient for most applications (details see below). The Damgård–Jurik cryptosystem [65] is a generalization of the Paillier cryptosystem which provides a larger plaintext space of size $sT$-bit for $(s + 1)T$-bit ciphertexts for arbitrary $s \ge 1$. The Damgård–Geisler–Krøigaard cryptosystem [66–68] has smaller ciphertexts of size $T$-bit, but can only be used with a small plaintext space $\mathbb{Z}_u$, where $u$ is a small prime, as decryption requires computation of a discrete logarithm. Finally, the lifted ElGamal [75] cryptosystem has additively homomorphic properties and very small ciphertexts. However, decryption is only possible if the plaintext is known to be in a small subset of the plaintext space, as the discrete logarithm of a generator with large order has to be brute-forced. Lifted ElGamal implemented over an EC group (Lifted EC-ElGamal) provides a $2t$-bit plaintext space and very small ciphertexts of size $2(2t + 1)$ bits $\approx 4t$ bits when using point compression.

Table 2.3 Additively homomorphic encryption schemes

| Scheme | $P$ | Ciphertext size | $\mathrm{Enc}(m, r)$ |
|---|---|---|---|
| Paillier [176] | $\mathbb{Z}_N$ | $2T$ | $g^m r^N \bmod N^2$ |
| Damgård–Jurik [65] | $\mathbb{Z}_{N^s}$ | $(s + 1)T$ | $g^m r^{N^s} \bmod N^{s+1}$ |
| Damgård–Geisler–Krøigaard [66] | $\mathbb{Z}_u$ | $T$ | $g^m h^r \bmod N$ |
| Lifted EC-ElGamal [75] | $\mathbb{Z}_p$ | $4t + 2$ | $(g^r, g^m h^r)$ |

$N$: RSA modulus; $s \ge 1$; $u$: small prime; $p$: $2t$-bit prime; $g, h$: generators

The Paillier Cryptosystem. The most widely used additively HE system is that of Paillier [176] where the public key is an RSA modulus $N$ and the secret key is the factorization of $N$. The extension of [65, Sect. 6] allows one to pre-compute expensive modular exponentiations of the form $r^N \bmod N^2$ in a setup phase, s.t. only two modular multiplications per encryption are needed in the time-critical online phase. The party which knows the factorization of $N$ (i.e., the secret key), can use Chinese remaindering to efficiently pre-compute these exponentiations and to decrypt.

Fully Homomorphic Encryption

Some HE systems allow both addition and multiplication under encryption. For this, a separate operation $\times$ for multiplication of plaintexts and a corresponding operation $\boxtimes$ on ciphertexts is defined satisfying $\forall x, y \in P : [[x]] \boxtimes [[y]] = [[x \times y]]$. Cryptosystems with such a property are called fully homomorphic.

Until recently, it was widely believed that such cryptosystems do not exist. Several works provided partial solutions: [34] and [95] allow for polynomially many additions and one multiplication, and ciphertexts of [193] grow exponentially in the number of multiplications. Recent schemes [92, 93, 201, 223] are fully homomorphic.

Even if the size of the ciphertexts of these fully HE schemes is independent of the number of multiplications, the size and computational cost of fully HE schemes are substantially larger than those of additively HE schemes. First implementation results of [201] show that even for almost fully HE schemes with conservatively chosen security parameters that allow for multiplicative depth $d = 2.5$ of the evaluated circuit, i.e., at most two multiplications, encrypting a single bit takes 3.7 s on a 2.4 GHz Intel Core2 (6600) CPU. Most recent implementation results of [148] indicate that the performance of somewhat homomorphic encryption schemes might be sufficient for outsourcing certain types of computations, whereas fully HE is still very inefficient as shown in [94], whose implementation requires in the order of Gigabytes of communication and minutes of computation on high-end IBM System 3500 servers.

Although significant effort is underway in the theoretical community to improve its performance, it seems unlikely that fully HE will reach the efficiency of current public-key encryption schemes. Intuitively, this is because a fully HE cryptosystem must provide both the same strong security guarantees (semantic security) and extra algebraic structure to allow for homomorphic operations. The extra structure weakens security, and countermeasures (costing performance) are necessary.

Computing on Encrypted Data

Homomorphic encryption naturally allows for secure evaluation of arithmetic circuits over $P$, called computing on encrypted data, as follows. The client C generates a key pair for an HE cryptosystem and sends her inputs encrypted under the public key to the server S together with the public key. With a fully HE scheme, S can simply evaluate the arithmetic circuit by computing on the encrypted data and send back the (encrypted) result to C, who then decrypts it to obtain the output.¹ If the HE scheme only supports addition, one round of interaction between C and S is needed to evaluate each multiplication gate (or layer of multiplication gates) as described below. Today, using additively HE and interaction for multiplication results in much faster SFE protocols than using fully HE schemes.

¹ If S is malicious, it must additionally be ensured that he indeed computed the intended functionality by means of verifiable computing (cf. Sect ).

Packing. Often the plaintext space $P$ of the HE scheme is substantially larger than the size of the encrypted numbers. This allows one to pack multiple numbers into one ciphertext (before or after additive blinding) and send back only a single ciphertext from S to C. This optimization substantially decreases the size of the messages sent from S to C as well as the number of decryptions performed by C. The computational overhead for S is small, as packing the ciphertexts $[[x_1]], \ldots, [[x_n]]$ into one ciphertext $[[X]] = [[x_n \| \ldots \| x_1]]$ costs less than one full-range modular exponentiation by using Horner's scheme: $[[X]] = [[x_n]]$; for $i = n - 1$ downto $1$: $[[X]] = 2^{|x_{i+1}|} [[X]] \boxplus [[x_i]]$.

Interactive Multiplication with Additively Homomorphic Encryption. To multiply two $l$-bit values encrypted under additively HE and held by S, $[[x]]$ and $[[y]]$, the following standard protocol requires one single round of interaction between S and C: S randomly chooses $r_x, r_y \in_R \{0,1\}^{l+\sigma}$, where $\sigma$ is the statistical security parameter, computes the blinded values $[[\bar{x}]] = [[x + r_x]]$, $[[\bar{y}]] = [[y + r_y]]$ and sends these to C. C decrypts, multiplies and sends back $[[z]] = [[\bar{x}\bar{y}]]$. S obtains $[[xy]]$ by computing $[[xy]] = [[z]] \boxplus (-r_x)[[y]] \boxplus (-r_y)[[x]] \boxplus [[-r_x r_y]]$. Efficiency of single or multiple multiplications in parallel can be improved by packing the blinded ciphertexts together instead of sending them to C separately.

Security. We note that in SFE protocols based on HE, the security of the party who knows the secret key (C in our setting) is computational, as it is computationally hard for the other party to break the semantic security of the HE scheme. The security of the party who computes under HE (S in our setting) is statistical, as this party always statistically blinds all intermediate values before sending them back.

Efficiency. As SFE based on additively HE requires interaction for multiplying two ciphertexts, the round complexity of such protocols is determined by the multiplicative depth of the evaluated function, i.e., the number of successive multiplications. When the public key is known to both parties, encryptions and re-randomization values can be pre-computed in a setup phase. Still, the online phase requires computationally expensive public key operations such as modular exponentiations for multiplying with constants, or decryptions.

Garbled Circuit Constructions

Another efficient method for computing under encryption is based on Garbled Circuits (GCs). The fundamental idea of GCs, going back to Yao [231], is to represent the function $f$ to be evaluated as a boolean circuit $C$ and encrypt (garble) each wire with a symmetric encryption scheme. In contrast to HE (cf. Sect ), the encryptions here cannot be operated on directly, but require helper information which is generated and exchanged in a setup phase in the form of a garbled table for each gate.
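Returning to the additively homomorphic protocols of the "Computing on Encrypted Data" discussion above, the following added example (not code from the book) runs the interactive multiplication round and the Horner-style packing on a toy Paillier instance. The choice $g = N + 1$, the two small Mersenne primes, $\sigma = 40$, equal-width packing and all function names are assumptions made for this sketch.

```python
import math
import secrets

SIGMA = 40                            # statistical security parameter (assumed demo value)
TOY_P, TOY_Q = 2**61 - 1, 2**89 - 1   # toy primes; real keys use a T-bit RSA modulus


def keygen(p, q):
    """Paillier keys: public key N, secret key (lambda, mu) derived from the factors."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return n, (lam, pow(lam, -1, n))


def enc(n, m):
    """[[m]] = g^m * r^N mod N^2 with the common choice g = N + 1 (assumption)."""
    n2 = n * n
    r = secrets.randbelow(n - 2) + 2
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 2) + 2
    return (1 + (m % n) * n) % n2 * pow(r, n, n2) % n2


def dec(n, sk, c):
    """Decrypt with the secret key; the result is an element of Z_N."""
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n


def add(n, c1, c2):
    """Homomorphic addition: multiplying ciphertexts adds the plaintexts."""
    return c1 * c2 % (n * n)


def scalar(n, a, c):
    """Multiplication with a plaintext constant a; negative a is mapped to a mod N."""
    return pow(c, a % n, n * n)


def server_blind(n, cx, cy, l):
    """S: additively blind [[x]] and [[y]] with (l + sigma)-bit random values."""
    rx, ry = secrets.randbits(l + SIGMA), secrets.randbits(l + SIGMA)
    return add(n, cx, enc(n, rx)), add(n, cy, enc(n, ry)), rx, ry


def client_multiply(n, sk, cxb, cyb):
    """C: decrypt the blinded values, multiply them, return [[z]]."""
    return enc(n, dec(n, sk, cxb) * dec(n, sk, cyb) % n)


def server_unblind(n, cz, cx, cy, rx, ry):
    """S: [[xy]] = [[z]] + (-r_x)[[y]] + (-r_y)[[x]] + [[-r_x r_y]]."""
    c = add(n, cz, scalar(n, -rx, cy))
    c = add(n, c, scalar(n, -ry, cx))
    return add(n, c, enc(n, -rx * ry))


def pack(n, cts, width):
    """Horner's scheme: [[X]] = [[x_n || ... || x_1]] for width-bit plaintexts."""
    cX = cts[-1]
    for c in reversed(cts[:-1]):
        cX = add(n, scalar(n, 1 << width, cX), c)
    return cX


def unpack(X, count, width):
    """C: split the decrypted packed plaintext back into x_1, ..., x_n."""
    return [(X >> (i * width)) & ((1 << width) - 1) for i in range(count)]


if __name__ == "__main__":
    n, sk = keygen(TOY_P, TOY_Q)
    cx, cy = enc(n, 1234), enc(n, 4321)                    # S holds only ciphertexts
    cxb, cyb, rx, ry = server_blind(n, cx, cy, 16)         # S -> C
    cz = client_multiply(n, sk, cxb, cyb)                  # C -> S
    print(dec(n, sk, server_unblind(n, cz, cx, cy, rx, ry)))
    packed = pack(n, [enc(n, v) for v in (5, 70000, 123)], 32)
    print(unpack(dec(n, sk, packed), 3, 32))
```

C only ever decrypts $x + r_x$ and $y + r_y$, and S only ever sees ciphertexts, which is the split between statistical and computational security described under "Security" above.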

In this section we summarize existing schemes for constructing and evaluating GCs and give applications in Sect . We give an algorithmic description of GCs and refer to the original papers on GC constructions for details and proofs of security.

Components of GC Constructions

We start by briefly introducing the main components of GC constructions: garbled values and garbled tables to compute thereon.

Garbled Values. Computations in a GC are not performed on plain values 0 or 1, but on random-looking secrets, called garbled values. During construction of the GC, two random-looking garbled values $\widetilde{w}_i^0, \widetilde{w}_i^1$ are assigned to each wire $w_i$ of $C$. The garbled value $\widetilde{w}_i^j$ corresponds to the plain value $j$, but, as it looks random, does not reveal its corresponding plain value $j$. In efficient GC constructions, each garbled value is composed of a symmetric $t$-bit key and a random-looking permutation bit (see Point-and-Permute below):

$$\widetilde{w}_i^0 = \langle k_i^0, \pi_i^0 \rangle, \quad \widetilde{w}_i^1 = \langle k_i^1, \pi_i^1 \rangle \quad \text{with } k_i^0, k_i^1 \in \{0,1\}^t,\ \pi_i^0 \in \{0,1\} \tag{2.1}$$

and

$$\pi_i^1 = 1 - \pi_i^0. \tag{2.2}$$

The exact method for choosing the values $k_i^0, k_i^1, \pi_i^0$ is determined by the specific GC construction (cf. Sect ).

Garbled Tables. To allow computations on garbled values, for each gate $G_i$ ($i = 1, \ldots, n$) of the circuit $C$, a garbled table $\widetilde{G}_i$ is constructed. Given the garbled values corresponding to $G_i$'s input wires, $\widetilde{G}_i$ allows one to decrypt only the corresponding garbled value of $G_i$'s output wire. Formally, let $in_1, \ldots, in_d$ be the input wires of gate $G_i$ and $out$ be its output wire. Then, for any input combination $b_j \in \{0,1\}$ ($j = 1, \ldots, d$), given the corresponding garbled inputs $\widetilde{in}_1^{b_1}, \ldots, \widetilde{in}_d^{b_d}$, the garbled table $\widetilde{G}_i$ allows one to decrypt only $\widetilde{out}^{G_i(b_1, \ldots, b_d)}$. In particular, no information about the other garbled output value, the plain input bits $b_j$, or the plain output bit $G_i(b_1, \ldots, b_d)$ is revealed.

The general idea for constructing garbled tables is to use for all possible input combinations $b_j$ the garbled input keys $\widetilde{in}_j^{b_j}$ to symmetrically encrypt the corresponding output key $\widetilde{out}^{G_i(b_1, \ldots, b_d)}$. The entries of the garbled table are the ciphertexts for all possible input combinations. The position of the entries in the garbled table must be such that it does not reveal any information about the corresponding plain input values $b_j$. To achieve this, the original GC construction proposed by Yao [231] randomly permutes the entries in the garbled table. In order to find the right entry to decrypt, the symmetric encryption function requires an efficiently verifiable range to determine which entry was decrypted successfully, as described in [151]. However, this method has a large overhead, as multiple trial decryptions need to be performed and ciphertext size increases. In the following we briefly discuss the state-of-the-art for efficiently instantiating the used symmetric encryption function.

Point-and-Permute. The point-and-permute technique described in [164] allows one to immediately find the right entry for decryption in the garbled table as follows: The entries of the garbled table are permuted such that the permutation bits of the garbled input wires $\pi_1, \ldots, \pi_d$ are used to point directly to the entry of the garbled table which needs to be decrypted. As the permutation bits look random, the position of the entries in the garbled table appears random as well and hence reveals no information about the input bits $b_1, \ldots, b_d$. By applying the point-and-permute technique, the employed symmetric encryption scheme no longer needs to have an efficiently verifiable range.

Encryption Function. The encryption function for encrypting garbled table entries is $E^s_{k_1, \ldots, k_d}(m)$ with inputs $d$ keys of length $t$, a message $m$, and some additional information $s$. The additional information $s$ must be unique per invocation of the encryption function, i.e., it is used only once for any choice of keys. Indeed, it is crucial that in the GC constructions $s$ contains a unique and independent gate identifier (cf. [213]).

As proposed in [154, 180], $E$ can be instantiated efficiently with a Key Derivation Function $\mathrm{KDF}^l(k_1, \ldots, k_d, s)$ whose $l$ bits of output are independent of the input keys $k_1, \ldots, k_d$ in isolation, and which depends on the value of $s$:

$$E^s_{k_1, \ldots, k_d}(m) = m \oplus \mathrm{KDF}^{|m|}(k_1, \ldots, k_d, s). \tag{2.3}$$

KDF can be instantiated with a cryptographic hash function $H$: The most efficient implementation of KDF is a single invocation of $H$,

$$\mathrm{KDF}^l(k_1, \ldots, k_d, s) = H(k_1 \| \ldots \| k_d \| s)_{1 \ldots l}. \tag{2.4}$$

Alternatively, KDF could also be implemented by $d$ separate calls to $H$,

$$\mathrm{KDF}^l(k_1, \ldots, k_d, s) = H(k_1 \| s)_{1 \ldots l} \oplus \ldots \oplus H(k_d \| s)_{1 \ldots l}. \tag{2.5}$$

In practical implementations, $H$ can be chosen for example from the SHA-family. For provable security of the GC construction, $H$ is modeled as RO, circular correlation robust, or PRF, depending on the specific GC construction used as described later in Sect .

Fig. 2.2 Interface of GC constructions. (a) createGC. (b) evalGC

Interfaces and Structure of GC Constructions

GC constructions can be seen as algorithms with clean interfaces and a common general structure as described next.

Interface of GC Constructions. Each GC construction consists of two randomized algorithms: createGC generates a GC and evalGC evaluates it, as shown in Fig. 2.2: createGC takes a boolean circuit $C$ as input and outputs the corresponding GC $\widetilde{C}$ (consisting of a garbled table for each of its gates), and pairs of garbled values for each of $C$'s input and output wires. evalGC gets as inputs $C$, $\widetilde{C}$ and one garbled value for each of $C$'s inputs, $\widetilde{in}_1, \ldots, \widetilde{in}_u$, and returns the corresponding garbled output values $\widetilde{out}_1, \ldots, \widetilde{out}_v$. We note that the inputs and outputs of both algorithms can be streams of data, i.e., given piece-by-piece without ever storing the entire objects.

Completeness and Correctness. Each GC construction must be complete and correct. Completeness requires that for all boolean circuits $C$, createGC creates a GC $\widetilde{C}$, pairs of garbled inputs and garbled outputs. Correctness requires that afterwards for all possible input bits $x_i \in \{0,1\}$, $i = 1, \ldots, u$, given the corresponding garbled values $\widetilde{in}_i = \widetilde{in}_i^{x_i}$ as inputs, evalGC outputs the garbled values $\widetilde{out}_j = \widetilde{out}_j^{z_j}$, $j = 1, \ldots, v$, which correspond to $C$ evaluated on the input values: $(z_1, \ldots, z_v) = C(x_1, \ldots, x_u)$.

One-time use. We stress that for security reasons, $\widetilde{C}$ cannot be evaluated more than once (otherwise, multiple runs of evalGC can leak information about input or output values). evalGC must always be run on freshly generated outputs of createGC.

General Structure of GC Constructions. The efficient GC constructions presented next have the following general structure: createGC starts by assigning random-looking garbled values $(\widetilde{in}_i^0, \widetilde{in}_i^1)$ to all input wires of $C$ and outputs these. Afterwards, for each gate $G_i$ of $C$ in topologic order (cf. assumption in Sect ), two random-looking garbled values are assigned to the gate's output wire and afterwards its garbled table $\widetilde{G}_i$ is created and output as part of $\widetilde{C}$. Finally, the garbled outputs $(\widetilde{out}_j^0, \widetilde{out}_j^1)$ for each of $C$'s output wires are output. evalGC evaluates the GC $\widetilde{C}$ on the garbled inputs $\widetilde{in}_i$ by evaluating each garbled gate $\widetilde{G}_i$ of $\widetilde{C}$ in the topologic order determined by $C$. Finally, the garbled values of $C$'s output wires $\widetilde{out}_j$ are output.

Efficient GC Constructions

In the following we describe efficient GC constructions which are suited well for efficient implementation [180].

All GC constructions presented next start with choosing the garbled input values. The garbled zero values $\widetilde{in}_i^0$ are chosen randomly, i.e., $k_i^0 \in_R \{0,1\}^t$ and $\pi_i^0 \in_R \{0,1\}$ in Eq. (2.1). The corresponding garbled values for one $\widetilde{in}_i^1$ are chosen randomly as $k_i^1 \in_R \{0,1\}^t$, or according to Eq. (2.8) in the case of free XOR as described below. The following GC techniques successively fix the garbled output values of each gate in order to decrease the size of the garbled tables.

Point-and-Permute. The point-and-permute GC construction was first described in [164], implemented in Fairplay [157], and also used in [142, 154].² This technique chooses both garbled output values of a $d$-input gate $G_i$ at random and results in a garbled table with $2^d$ table entries. For each of the $2^d$ possible input combinations $b_1, \ldots, b_d$, the garbled table entry at position $\langle \pi_1, \ldots, \pi_d \rangle$ is constructed by using the keys of $G_i$'s garbled inputs to encrypt the corresponding garbled output:

$$\langle \pi_1, \ldots, \pi_d \rangle : E^{\pi_1 \| \ldots \| \pi_d}_{k_1^{b_1}, \ldots, k_d^{b_d}}\left(\widetilde{out}^{G_i(b_1, \ldots, b_d)}\right). \tag{2.6}$$

Garbled Row Reduction. The GC construction of [164], called Garbled Row Reduction, extends the point-and-permute GC construction by fixing one of the garbled output values, resulting in a garbled table of $2^d - 1$ table entries. The first entry of each garbled table is forced to be zero and hence does not need to be transferred. By substituting into Eq. (2.6), this fixes one of the two garbled output values to be pseudo-randomly derived from the garbled input values. The other garbled output value is chosen at random satisfying Eq. (2.2).
For details we refer to the description in [180].

² We note that the GC construction of Yu et al. [233, Sect. 3.3] is less efficient as garbled tables are larger and require slightly more computation.

Secret-Sharing. The GC construction of Pinkas et al. [180] uses Shamir's secret-sharing [197] to fix both garbled output values, resulting in a garbled table with $2^d - 2$ entries. In the following we summarize the general idea of this construction and refer to [180, Sect. 5] for details.

The construction exploits the fact that both keys of a gate's garbled output values can be chosen independently and pseudo-randomly. The basic idea is to pseudo-randomly derive keys $K_r \in \{0,1\}^t$ and bit masks $M_r \in \{0,1\}$ for all combinations of garbled inputs as

$$K_r \| M_r = \mathrm{KDF}^{t+1}\left(k_1^{b_1}, \ldots, k_d^{b_d}, s\right). \tag{2.7}$$

The keys $K_r$ are interpreted as elements in $\mathbb{F}_{2^t}$ and used as supporting points of two polynomials $P(X)$, $Q(X)$ of the same degree: $P(X)$ is defined by those keys which should map to the garbled output value $\widetilde{out}^1 := P(0)$. Similarly, $Q(X)$ maps to the garbled output value $\widetilde{out}^0 := Q(0)$. Overall, $2^d - 2$ points are stored as part of the garbled table, where some points are on both and some on only one of the polynomials. The bits $M_r$ are used to encrypt the permutation bits of the garbled outputs as in the point-and-permute GC construction, resulting in an additional $2^d$ encrypted bits in the garbled table.

During evaluation of the garbled gate, the garbled inputs are used to derive $K_r, M_r$ according to Eq. (2.7). Then, $M_r$ is used to decrypt the output permutation bit which defines through which of the supporting points in the garbled table to interpolate the polynomial. Finally, the garbled output key is determined by evaluating the polynomial at $X = 0$.

Generalization to arbitrary $d$. We note that the Secret-Sharing GC construction can be generalized from $d = 2$ (as described in [180, Sect. 5]) to arbitrary $d$-input gates as follows: Assume that $n_1$ of the $2^d$ entries in the gate's function table equal one and the remaining $n_0 := 2^d - n_1$ entries equal zero. In the following we assume that $n_1 \ge n_0$ (otherwise we invert the role of zero and one). The polynomial $P$, interpolated through those keys $K_r$ that should map to the garbled output value for one, has degree $n_1$. We store $n_1 - 1$ extra points $P(2^d + 1), \ldots, P(2^d + n_1 - 1)$ in the garbled table. Afterwards, we interpolate polynomial $Q$ of degree $n_1$ through the $n_0$ keys $K_r$ that should map to the garbled output value for zero and the common $n_1 - n_0$ extra points $P(2^d + 1), \ldots, P(2^d + n_1 - n_0)$. Now, we create $n_0 - 1$ extra points $Q(2^d + n_1 - n_0 + 1), \ldots, Q(2^d + n_1 - 1)$.
The order of the extra points on $P$ and $Q$ in the garbled table is such that the output permutation bit can be used to obliviously index which extra points to use for interpolation. The garbled table consists of $n_1 - n_0$ common extra points and $n_0 - 1$ extra points on $P$ resp. $Q$, in total $n_1 - n_0 + 2(n_0 - 1) = n_1 + n_0 - 2 = 2^d - 2$ keys. The overall size of the garbled table hence is $(2^d - 2)t + 2^d$ bits.

Free XOR. As observed in [142], a fixed distance between corresponding garbled values allows free evaluation of XOR gates, i.e., garbled XOR gates require no garbled table and allow very efficient creation and evaluation (XOR of the garbled values). The main idea is to choose a fixed relation between the two garbled values for each garbled wire:

$$k_i^1 := k_i^0 \oplus \Delta, \tag{2.8}$$

where $\Delta \in_R \{0,1\}^t$ is the randomly chosen global key distance. During creation of a garbled XOR gate, the garbled output value is set to $\widetilde{out}^0 = \widetilde{in}_1^0 \oplus \widetilde{in}_2^0$. Similarly, evaluation of a garbled XOR gate is done by computing $\widetilde{out} = \widetilde{in}_1^0 \oplus \widetilde{in}_2^0$. Garbled non-XOR gates can be constructed with any GC construction which fixes at most one of the garbled outputs of a gate, i.e., from the GC techniques described above, Point-and-Permute and Garbled Row Reduction allow combination with free XORs, but not the Secret-Sharing technique (cf. Table 2.4).

Table 2.4 Efficient GC constructions for $d$-input gates

| GC technique | Size of garbled table (bits) | Free XOR [142] |
|---|---|---|
| Point-and-permute [164] | $2^d t + 2^d$ | yes |
| Garbled row reduction [164] | $(2^d - 1)t + (2^d - 1)$ | yes |
| Secret-sharing [180] | $(2^d - 2)t + 2^d$ | no |

$t$: symmetric security parameter

Complexity of Efficient GC Constructions

The complexity of the GC constructions presented in Sect is summarized in Table 2.4. When using free XORs, XOR gates require no communication and only negligible computation (XOR of bitstrings). We compare the complexity for other gates next.

Computation Complexity. Interestingly, all GC constructions have almost the same computation complexity, which is dominated by invocations of a cryptographic hash function $H$: for each $d$-input gate, createGC requires $2^d$ invocations of KDF and evalGC requires one invocation. As described in Sect , each invocation of KDF needs one or $d$ invocations of $H$ depending on whether $H$ is modeled as RO or not. The Secret-Sharing GC construction requires slightly more computations as it also requires interpolation of two polynomials of degree at most $2^d - 1$ over $\mathbb{F}_{2^t}$. On the other hand, the computation complexity to randomly choose the garbled output values of the gates decreases as follows: Point-and-Permute chooses both garbled values (one with free XOR), Garbled Row Reduction one (none with free XOR), and Secret-Sharing none.

Communication Complexity. As shown in Table 2.4, the size of each garbled table decreases by approximately $t$ bits per gate from Point-and-Permute to Garbled Row Reduction and from there to Secret-Sharing.
Especially for gates with low degree $d$ these savings can be quite significant, i.e., up to 25 % for Garbled Row Reduction and 50 % for Secret-Sharing for the common case of $d = 2$. However, the Secret-Sharing construction, which cannot be combined with Free XOR, results only in better communication complexity than Garbled Row Reduction if the evaluated circuits do not have many XOR gates. Indeed, we show in Chap. 3 that most commonly used circuit building blocks can be transformed such that most of the gates are XOR gates and hence Garbled Row Reduction is more efficient than Secret-Sharing w.r.t. both computation and communication.

Security of Efficient GC Constructions

The first full proof of security of the original version of Yao's GC protocol [231] was given in [151]. This proof was later adapted to show the security of various efficient GC constructions that differ in how the underlying KDF is composed from calls to $H$ (cf. Eqs. 2.4 vs. 2.5) and how $H$ needs to be modeled.

For practical applications, modeling $H$ as a RO and instantiating it with a call to a cryptographic hash function, e.g., chosen from the SHA family, should provide reasonable security guarantees for all efficient GC constructions presented above.

In more detail, the current situation is as follows: The GC construction that uses Point-and-Permute together with free XORs and instantiates KDF with a single invocation of $H$ (cf. Eq. 2.4) was proven secure when $H$ is modeled as RO [142]. As proven in [60], this assumption can be relaxed to circular correlation robustness, but not to correlation robustness alone. According to [154], for Point-and-Permute without free XORs, $H$ can be modeled as RO for one invocation of $H$ (cf. Eq. 2.4), and as PRF for several invocations of $H$ (cf. Eq. 2.5). As sketched in [180], for Garbled Row Reduction and Secret-Sharing, that use several invocations of $H$ (cf. Eq. 2.5), $H$ can be modeled to be some variant of correlation robust or as PRF, depending on whether free XORs are used or not.

Oblivious Transfer

Parallel 1-out-of-2 OT of $n$ $t'$-bit strings, denoted as $\mathrm{OT}^n_{t'}$, is a two-party protocol run between a chooser (client C) and a sender (server S) as shown in Fig. 2.3: For $i = 1, \ldots, n$, S inputs $n$ pairs of $t'$-bit strings $s_i^0, s_i^1 \in \{0,1\}^{t'}$ and C inputs $n$ choice bits $b_i \in \{0,1\}$. At the end of the protocol, C learns the chosen strings $s_i^{b_i}$, but nothing about the other strings $s_i^{1-b_i}$, while S learns nothing about C's choices $b_i$.

In the following, we assume that OT is used in the context of SFE protocols (as described later in Sect ), i.e., the transferred strings are garbled values with length $t' = t + 1 \approx t$ where $t$ is the symmetric security parameter (cf. Sect ). We describe techniques to efficiently implement OT next.

Fig. 2.3 Parallel 1-out-of-2 OT of n t'-bit strings ($\mathrm{OT}^n_{t'}$)

Efficient OT Protocols

$\mathrm{OT}^n_{t'}$ can be instantiated efficiently with different protocols, e.g., [3, 163]. For example the protocol of Naor and Pinkas [163] implemented over a suitably chosen EC consists of three messages (S → C → S → C) in which 2n + 1 EC points and 2nt encrypted bits are sent. Using point compression, each point can be represented with 2t + 1 bits and hence the overall communication complexity of this protocol is $(2n + 1)(2t + 1) + 2nt$ bits $\approx 6nt$ bits. As a computation, S performs 2n + 1 point multiplications and 2n invocations of a cryptographic hash function H, modeled as RO, and C performs 2n point multiplications and n invocations of H. This protocol is provably secure against malicious C and semi-honest S in the RO model. Similarly, the protocol of Aiello et al. [3] implemented over a suitably chosen EC using point compression has communication complexity $n(6(2t + 1)) + (2t + 1)$ bits $\approx 12nt$ bits and is secure against malicious C and semi-honest S in the standard model as described in [144].

Extending OT Efficiently

The extensions of Ishai et al. [121] can be used to reduce the number of computationally expensive public-key operations of $\mathrm{OT}^n_{t'}$ to be independent of n (footnote 3). The transformation for semi-honest C reduces $\mathrm{OT}^n_{t'}$ to $\mathrm{OT}^t_t$ (with roles of C and S swapped) and a small additional overhead: one additional message, $2n(t' + t)$ bits of additional communication, and O(n) invocations of a correlation robust hash function H (2n for S and n for C) which is substantially cheaper than O(n) public-key operations. A slightly less efficient OT extension for malicious C is given in [121] and improved in [166].

Footnote 3: This is the reason for our choice of notation $\mathrm{OT}^n_{t'}$ instead of $n \times \mathrm{OT}_{t'}$.

Pre-Computing OT

All computationally expensive operations for OT can be shifted into a setup phase by pre-computing OT as described in Beaver [23]: In the setup phase, the parallel OT protocol is run on randomly chosen values $r_i \in_R \{0,1\}$ by C and $m_i^j \in \{0,1\}^{t'}$ by S. In the online phase, C uses her random bits $r_i$ to mask her private inputs $b_i$, and sends the masked bits to S. S replies with encryptions of his private inputs $s_i^j$ using his random masks $m_i^j$ from the setup phase. Which input of S is masked with which random value is determined by C's message. Finally, C applies the masks $m_i$ she received from the OT protocol in the setup phase to decrypt the correct output values $s_i^{b_i}$.

More precisely, the setup phase works as follows: for $i = 1, \ldots, n$, C chooses random bits $r_i \in_R \{0,1\}$ and S chooses random masks $m_i^0, m_i^1 \in_R \{0,1\}^{t'}$. Both parties run an $\mathrm{OT}^n_{t'}$ protocol on these randomly chosen values, where S inputs the pairs $\langle m_i^0, m_i^1 \rangle$ and C inputs $r_i$ and obtains the masks $m_i = m_i^{r_i}$ as output. In the online phase, for each $i = 1, \ldots, n$, C masks its input bits $b_i$ with $r_i$ as $\bar{b}_i = b_i \oplus r_i$ and sends these masked bits to S. S responds with the masked pair of t'-bit strings $\langle \bar{s}_i^0, \bar{s}_i^1 \rangle = \langle m_i^0 \oplus s_i^0, m_i^1 \oplus s_i^1 \rangle$ if $\bar{b}_i = 0$ or $\langle \bar{s}_i^0, \bar{s}_i^1 \rangle = \langle m_i^0 \oplus s_i^1, m_i^1 \oplus s_i^0 \rangle$ otherwise. C obtains $\langle \bar{s}_i^0, \bar{s}_i^1 \rangle$ and decrypts $s_i^{b_i} = \bar{s}_i^{r_i} \oplus m_i$. Overall, the online phase consists of two messages of size n bits and 2nt bits and negligible computation (XOR of bitstrings).

OT Complexity

Combining the previously described improvements for pre-computing and extending OT with the efficient OT protocol of Naor and Pinkas [163] yields a highly efficient implementation of $\mathrm{OT}^n_{t'}$ in the RO model as summarized in Table 2.5. Similarly, an efficient implementation in the standard model using correlation robust hashing can be obtained by combining with the protocol of Aiello et al. [3] instead.

Table 2.5 Complexity of $\mathrm{OT}^n_{t'}$ in the RO model

| Complexity | Setup phase | Online phase |
|---|---|---|
| For n ≤ t: Beaver [23] + Naor and Pinkas [163] | | |
| Communication: moves | 3 | 2 |
| Communication: data [bits] | $6nt$ | $2nt$ |
| Computation, client C: H | $n$ | |
| Computation, client C: EC mult | $2n$ | |
| Computation, server S: H | $2n$ | |
| Computation, server S: EC mult | $2n + 1$ | |
| For n > t: Beaver [23] + Ishai et al. [121] + Naor and Pinkas [163] | | |
| Communication: moves | 4 | 2 |
| Communication: data [bits] | $4nt + 6t^2$ | $2nt$ |
| Computation, client C: H | $n + 2t$ | |
| Computation, client C: EC mult | $2t + 1$ | |
| Computation, server S: H | $2n + t$ | |
| Computation, server S: EC mult | $2t$ | |

2.3 Garbled Circuit Protocols

In this section we show how GCs are used in several protocols for secure computation in the two-party (Sect ) and multi-party (Sect ) settings. Further applications of GC such as OTP (Sect. 4.2) or verifiable computing (Sect. 4.3) are described later in this book.

Two-Party Secure Function Evaluation

SFE allows two parties to implement a joint computation without using a TTP. One classical example is the Millionaires Problem [231] where two millionaires want to know who is richer, without either of them revealing their net worth to the other or a TTP. More formally, SFE is a cryptographic protocol that allows two players, client C with private input $in_C$ and server S with private input $in_S$, to evaluate a function f on their private inputs:

$(out_C, out_S) = f(in_C, in_S)$. (2.9)

The SFE protocol ensures that both parties learn only their respective output, i.e., C learns $out_C$ and S learns $out_S$, but nothing else about the other party's private input. In SFE, the function f is known to both parties (footnote 4).

Intuitively, according to the real/ideal world paradigm (e.g., [55]), an SFE protocol executed in the real world is secure if and only if an adversary with defined capabilities can do no more harm to the protocol executed in the real world than in an ideal world where each party submits its input to a TTP which computes the results according to Eq. (2.9) and returns them to the respective party.

In Sect we start with the description of the classical SFE protocol of Yao [231] which is secure against semi-honest adversaries and summarize how this protocol can be secured against more powerful covert and malicious adversaries in Sect . Afterwards, we show how the evaluated function itself can be hidden in Sect .

Footnote 4: If needed, SFE can be extended s.t. the function is known to only one of the parties and hidden from the other as described in Sect

SFE with Semi-Honest Adversaries (Yao's Protocol)

Yao's protocol [145, 151, 231] for SFE of a function f represented as a boolean circuit (cf. Sect ) works as follows:

1. Create GC: In the setup phase, the constructor (server S) generates a GC $\tilde{f}$ using algorithm createGC as described in Sect and sends $\tilde{f}$ to the evaluator (client C).
2. Encrypt Inputs: Afterwards, in the online phase, the inputs of the two parties $in_C, in_S$ are converted into the corresponding garbled input $\widetilde{in} = \{\widetilde{in}_C, \widetilde{in}_S\}$ provided to C: For S's inputs $in_S$, S simply sends the garbled values corresponding to his inputs to C, i.e., $\widetilde{in}_{S,i} = \widetilde{in}_{S,i}^{in_{S,i}}$. Similarly, C must obtain the garbled values $\widetilde{in}_{C,i}$ corresponding to her inputs $in_{C,i}$, but without S learning $in_{C,i}$. This can be achieved by running (in parallel for each bit $in_{C,i}$ of $in_C$) a 1-out-of-2 OT protocol as described in Sect .
3. Evaluate Function Under Encryption: Now, C can evaluate the GC $\tilde{f}$ on the garbled inputs $\widetilde{in}$ using algorithm evalGC as described in Sect and obtains the garbled outputs $\widetilde{out} = \{\widetilde{out}_C, \widetilde{out}_S\}$.
4. Decrypt Outputs: Finally, the garbled outputs are converted into plain outputs for the respective party: For C's outputs $\widetilde{out}_C$, S reveals their permutation bits to C (this can be done already in the setup phase). For S's outputs $\widetilde{out}_S$, C sends the obtained permutation bits to S.

Security. As proven in detail in [152], Yao's protocol is secure against semi-honest adversaries. We observe that in Yao's protocol the security of GC constructor S is computational as GC evaluator C can break the GC by guessing garbled input values, verify if they decrypt correctly and match them with the garbled inputs provided by S. When instantiating OT with a protocol which provides statistical security for receiver C (e.g., using the OT protocol of Naor and Pinkas [163]), the security of GC evaluator C is statistical.

Efficiency. The efficiency of Yao's protocol is dominated by the efficiency of the GC construction and OT for each input bit of C. As described in Sect , OT requires only a constant number of public-key operations and allows one to shift most communication and computation into the setup phase. The resulting setup phase requires one to pre-compute $|in_C|$ OTs (cf. Sect ), create the GC $\tilde{f}$ (cf. Sect ), and transfer $\tilde{f}$ to C (cf. Table 2.4). The online phase is highly efficient as it requires only symmetric-key operations for evaluating $\tilde{f}$ (cf. Sect ), and three moves (two for the online phase of precomputed OT and one for sending the output to S) with about $t(2|in_C| + |in_S|) + |out_S|$ bits of communication in total.

SFE with Stronger Adversaries

GC-based SFE protocols can easily be protected against a covert or malicious client C by using an OT protocol with corresponding security properties. Efficient SFE protocols based on GC which additionally protect against a covert [12, 103] or malicious [150] server S rely on the following cut-and-choose technique: S creates multiple GCs, deterministically derived from random seeds $s_i$, and commits to each, e.g., by sending $\tilde{f}_i$ or Hash($\tilde{f}_i$) to C. In the covert case, C asks S to open all but one GC $\tilde{f}_I$ by revealing the corresponding seeds $s_{i \neq I}$. For all opened functions, C computes $\tilde{f}_i$ and checks that they match the commitments. The malicious case is similar, but C asks S to open half of the functions, evaluates the remaining ones and chooses the majority of their results. Additionally, it must be guaranteed that S's input into OT is consistent with the GCs as pointed out in [138], e.g., using committed or committing OT. The most recent construction of [153] improves over previous protocols (smaller number of GCs, completely removing the commitments, and also removing the need to increase the size of the inputs) by using a new primitive called cut-and-choose OT, an extension of parallel 1-out-of-2 OT with a cut-and-choose functionality.

The practical performance of cut-and-choose-based GC protocols has been investigated experimentally in [154, 180]: Secure evaluation of the AES functionality (a boolean circuit with 33,880 gates) between two Intel Core 2 Duos running at 3.0 GHz, with 4 GB of RAM connected by a Gigabit ethernet takes approximately 0.5 MB data transfer and 7 s for semi-honest, 8.7 MB/1 min for covert, and 400 MB/19 min for malicious adversaries [180]. This shows that protecting GC protocols against stronger adversaries comes at a relatively high price.

For completeness, note that cut-and-choose may be avoided with SFE schemes such as [125] which prove in zero-knowledge that the GC was computed correctly and the inputs are consistent with committed inputs [88]. However, their elementary steps involve public-key operations. As estimated in [180], such protocols which apply public-key operations per gate [125, 168] often require substantially more computation than cut-and-choose-based protocols.
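The covert-case check described above, together with evaluation and output decoding of one garbled gate as in steps 3 and 4 of Yao's protocol, as an added example that is not code from the book. A single point-and-permute AND gate stands in for f; SHA-256 as PRG, KDF and commitment hash, the helper names and the constructed seeds are all assumptions.

```python
import hashlib

T_BYTES = 16  # t = 128-bit wire keys (assumed size)


def prg(seed, label):
    """Expand a seed into T_BYTES + 1 bytes (SHA-256 used as PRG: an assumption)."""
    return hashlib.sha256(seed + label.encode()).digest()[:T_BYTES + 1]


def wire(seed, name):
    """Garbled values (key, permutation bit) for plain values 0 and 1 of a wire."""
    k0, k1 = prg(seed, name + "/0"), prg(seed, name + "/1")
    p = k0[-1] & 1
    return [(k0[:T_BYTES], p), (k1[:T_BYTES], p ^ 1)]


def kdf(ka, kb):
    """Row key from both input keys (one hash call; a placeholder for the book's KDF)."""
    return hashlib.sha256(b"gate0" + ka + kb).digest()[:T_BYTES + 1]


def xor(x, y):
    return bytes(a ^ b for a, b in zip(x, y))


def garble(seed, gate=lambda a, b: a & b):
    """Garble one 2-input gate; everything is derived deterministically from the seed."""
    A, B, Z = wire(seed, "a"), wire(seed, "b"), wire(seed, "z")
    table = [b""] * 4
    for a in (0, 1):
        for b in (0, 1):
            (ka, pa), (kb, pb) = A[a], B[b]
            kz, pz = Z[gate(a, b)]
            # The row position is given by the permutation bits, not the plain values.
            table[2 * pa + pb] = xor(kdf(ka, kb), kz + bytes([pz]))
    return {"table": table, "A": A, "B": B, "Z": Z}


def evaluate(table, ga, gb):
    """Evaluator: decrypt the single row selected by the two permutation bits."""
    (ka, pa), (kb, pb) = ga, gb
    plain = xor(kdf(ka, kb), table[2 * pa + pb])
    return plain[:T_BYTES], plain[-1]


def decode(gz, z0_perm):
    """Plain output bit, given the permutation bit of the 0-value revealed by S."""
    return gz[1] ^ z0_perm


def commit(table):
    """Commitment to a garbled table by hashing it (the Hash(GC) option in the text)."""
    return hashlib.sha256(b"".join(table)).hexdigest()


def server_commit(seeds, cheat_at=None):
    """S garbles AND once per seed and commits; cheat_at swaps in an OR gate."""
    gcs = [garble(s, (lambda a, b: a | b) if i == cheat_at else (lambda a, b: a & b))
           for i, s in enumerate(seeds)]
    return gcs, [commit(gc["table"]) for gc in gcs]


def client_check(commitments, opened_seeds):
    """Covert case: recompute every opened GC from its seed and compare with the
    commitment. Returns the indices that do not match (empty list = accept)."""
    return sorted(i for i, seed in opened_seeds.items()
                  if commit(garble(seed)["table"]) != commitments[i])


def covert_run(seeds, keep, cheat_at=None):
    """C keeps GC number `keep` unopened and checks all others."""
    _, commitments = server_commit(seeds, cheat_at)
    opened = {i: s for i, s in enumerate(seeds) if i != keep}
    return client_check(commitments, opened)


SEEDS = [bytes([i]) * 16 for i in range(4)]  # constructed seeds; real ones are random
```

With four GCs and C choosing the unopened index uniformly at random, a server that garbles one wrong gate escapes the check only when C happens to keep exactly that GC, i.e. with probability 1/4.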
We further note that there are yet other approaches to malicious security such as the approach of [123] which achieves malicious security by simulating a SMPC protocol inside a secure two-party computation protocol with semi-honest security. Their precise performance comparison is a desirable but complicated undertaking, since there are several performance measures, and some schemes may work well only for certain classes of functions.

SFE with Private Functions

In some application scenarios of SFE, the evaluated function itself needs to be hidden, e.g., as it represents intellectual property of a service provider. This can be achieved by securely evaluating a Universal Circuit (UC) which can be programmed to simulate any circuit C and hence entirely hides C (besides an upper bound on the number of inputs, number of gates and number of outputs). Efficient UC constructions to simulate circuits consisting of up to k two-input gates are given in [143, 221]. Generalized UCs of [184] can simulate circuits consisting of d-input gates. Which UC construction is favorable depends on the size of the simulated functionality: Small circuits can be simulated with the UC construction of [184, 194] with overhead $O(k^2)$ gates, medium-size circuits benefit from the construction of [143] with overhead $O(k \log^2 k)$ gates and for very large circuits the construction of [221] with overhead $O(k \log k)$ gates is most efficient. Explicit sizes and a detailed analysis of the break-even points between these constructions are given in [184]. The alternative approach of [136] for evaluating private functions without using UCs has complexity linear in k, but requires O(k) public-key operations.

While UCs entirely hide the structure of the evaluated functionality f, it is sometimes sufficient to hide f only within a class of topologically equivalent functionalities $\mathcal{F}$, called secure evaluation of a semi-private function $f \in \mathcal{F}$ [177]. The circuits for many standard functionalities are topologically equivalent and differ only in the specific function tables, e.g., comparison (<, >, =, ...) or addition/subtraction, as described later in Sect . When no cut-and-choose is used for GCs, it is possible to directly evaluate the circuit and avoid the overhead of a UC for semi-private functions, as GC constructions of [157] and [164] (cf. Sect ) completely hide the type of the gates from the GC evaluator. These techniques were used for example in [83–86, 177].

Garbled Circuit Protocols with Multiple Parties

GCs can also be used for SMPC, i.e., secure computation with more than two parties. In the following we describe applications of GCs to SMPC in Sect and secure mobile agents in Sect . In the multi-party setting, one party, the GC creator, which is assumed to behave correctly, creates the GC (cf. algorithm createGC in Sect ); another party, the GC evaluator, obliviously obtains the corresponding garbled inputs and evaluates the GC (cf. algorithm evalGC in Sect ). The other parties provide inputs to or obtain outputs from the protocol. We will show later in Chap. 4 that the GC creator can be implemented with constant-size memory, e.g., within a tamper-proof HW token.

Verifiability of GC. As discussed in detail in Chap. 4, the GC evaluator, who evaluates the GC on the garbled inputs, need not be trusted at all. Indeed, GC evaluation can be performed by one or more untrusted parties as the garbled outputs allow verification that the GC evaluation was done correctly [164]: For each garbled output $\tilde{z}$, the GC creator provides the output decryption information $\langle 0, G(\tilde{z}^0) \rangle, \langle 1, G(\tilde{z}^1) \rangle$, where G is a one-way function (e.g., a cryptographic hash function). This allows one to check whether $\tilde{z}$ is correct, i.e., either $\tilde{z} = \tilde{z}^0$ or $\tilde{z} = \tilde{z}^1$, and which is the corresponding plain value without revealing the values $\tilde{z}^0$ and $\tilde{z}^1$. As the GC evaluator is unable to guess a correct $\tilde{z}$ (except with negligible probability), she must have obtained it by honestly evaluating the GC.

SMPC with Two Servers

As proposed in [164], Yao's GC protocol (cf. Sect ) can be turned into a SMPC protocol with multiple input players, multiple output players, and two non-colluding computation players who perform the secure computation: the GC creator is trusted by the output players to behave semi-honestly and the GC evaluator can even be malicious.

For multiple input players, the parallel 1-out-of-2 OT protocol (cf. Sect ) is replaced with a parallel 1-out-of-2 proxy OT protocol. The proxy OT protocol splits the role of the chooser in the OT protocol into two parties: the chooser (input player) provides the secret input bit b, and the proxy (the GC evaluator) learns the chosen output string $s^b$, but neither b nor $s^{1-b}$. As described in [164, Appendix A], efficient OT protocols (e.g., the protocols of Aiello et al. [3], Naor and Pinkas [163] described in Sect ) can be naturally converted into a proxy OT protocol as follows: The chooser sends the two public keys, of which she knows the trapdoor to exactly one, to the sender. The sender applies an error-correcting code to each of the two strings $s^0, s^1$ and sends their encryptions under the respective public key to the proxy. The proxy uses the trapdoor obtained by the chooser to decrypt both ciphertexts obtained from the sender and uses the error correcting code to compute $s^b$.

For multiple output players, the GC evaluator forwards the garbled outputs to the respective output player who can decrypt and verify the correctness of the output using the output decryption information obtained from the GC creator.

Secure Mobile Agents

In the mobile agents scenario, the originator creates SW agents that can perform tasks on behalf of the originator. After creating the agents for some specific purpose, the originator sends them out to visit various remote hosts, where the agents perform computations on behalf of the originator. When the agents return home, the originator retrieves the results of these computations from the agents. The utility of this paradigm is based on the ability of the originator to go offline after sending the agents out, and, ideally, no further interaction between the agent and the originator or the host should be required. A possible application would be an agent which travels through the web to select, depending on a policy of the originator, an offer for the most suitable product at the lowest price.

Secure mobile agents extend the mobile agents scenario with security features. Here, the visited hosts are not trusted by the originator and vice versa. When an agent visits a host, it carries along some state from previous computations and uses this together with input from the host to compute the new agent state possibly along with an output provided to the host. The agent state (both old and new) is owned by the agent, and should be protected from potentially malicious hosts, whereas the host input and output are owned by the host and should likewise be protected from potentially malicious agents. The code evaluated by the agent (policy) can be hidden as well by evaluating a UC (cf. Sect ).

The concept of secure mobile agents was introduced in [192] who give partial solutions based on HE (Sect ). More practical constructions for secure mobile agents proposed afterwards are based on GCs: An agent can securely migrate from one host to the next by running a (slightly modified) GC-based SFE protocol


More information

Uncertainty in measurements of power and energy on power networks

Uncertainty in measurements of power and energy on power networks Uncertanty n measurements of power and energy on power networks E. Manov, N. Kolev Department of Measurement and Instrumentaton, Techncal Unversty Sofa, bul. Klment Ohrdsk No8, bl., 000 Sofa, Bulgara Tel./fax:

More information

Test 2. ECON3161, Game Theory. Tuesday, November 6 th

Test 2. ECON3161, Game Theory. Tuesday, November 6 th Test 2 ECON36, Game Theory Tuesday, November 6 th Drectons: Answer each queston completely. If you cannot determne the answer, explanng how you would arrve at the answer may earn you some ponts.. (20 ponts)

More information

Figure 1. DC-DC Boost Converter

Figure 1. DC-DC Boost Converter EE46, Power Electroncs, DC-DC Boost Converter Verson Oct. 3, 11 Overvew Boost converters make t possble to effcently convert a DC voltage from a lower level to a hgher level. Theory of Operaton Relaton

More information

problems palette of David Rock and Mary K. Porter 6. A local musician comes to your school to give a performance

problems palette of David Rock and Mary K. Porter 6. A local musician comes to your school to give a performance palette of problems Davd Rock and Mary K. Porter 1. If n represents an nteger, whch of the followng expressons yelds the greatest value? n,, n, n, n n. A 60-watt lghtbulb s used for 95 hours before t burns

More information

Revision of Lecture Twenty-One

Revision of Lecture Twenty-One Revson of Lecture Twenty-One FFT / IFFT most wdely found operatons n communcaton systems Important to know what are gong on nsde a FFT / IFFT algorthm Wth the ad of FFT / IFFT, ths lecture looks nto OFDM

More information

Sorting signed permutations by reversals, revisited

Sorting signed permutations by reversals, revisited Journal of Computer and System Scences 70 (2005) 321 341 www.elsever.com/locate/jcss Sortng sgned permutatons by reversals, revsted Ham Kaplan, Elad Verbn School of Computer Scence, Tel Avv Unversty, Tel

More information

Priority based Dynamic Multiple Robot Path Planning

Priority based Dynamic Multiple Robot Path Planning 2nd Internatonal Conference on Autonomous obots and Agents Prorty based Dynamc Multple obot Path Plannng Abstract Taxong Zheng Department of Automaton Chongqng Unversty of Post and Telecommuncaton, Chna

More information

熊本大学学術リポジトリ. Kumamoto University Repositor

熊本大学学術リポジトリ. Kumamoto University Repositor 熊本大学学術リポジトリ Kumamoto Unversty Repostor Ttle Wreless LAN Based Indoor Poston and Its Smulaton Author(s) Ktasuka, Teruak; Nakansh, Tsune CtatonIEEE Pacfc RIM Conference on Comm Computers, and Sgnal Processng

More information

Gustavus J. Simmons Sandia National Laboratories Albuquerque, NM 87185

Gustavus J. Simmons Sandia National Laboratories Albuquerque, NM 87185 An Impersonaton-Proof Identty Verfcaton Scheme* Gustavus J. Smmons Sanda Natonal Laboratores Albuquerque, NM 87185 Most schemes for the verfcaton of personal dentty are logcally flawed n that they requre

More information

Multiple Error Correction Using Reduced Precision Redundancy Technique

Multiple Error Correction Using Reduced Precision Redundancy Technique Multple Error Correcton Usng Reduced Precson Redundancy Technque Chthra V 1, Nthka Bhas 2, Janeera D A 3 1,2,3 ECE Department, Dhanalakshm Srnvasan College of Engneerng,Combatore, Tamlnadu, Inda Abstract

More information

Performance Analysis of Multi User MIMO System with Block-Diagonalization Precoding Scheme

Performance Analysis of Multi User MIMO System with Block-Diagonalization Precoding Scheme Performance Analyss of Mult User MIMO System wth Block-Dagonalzaton Precodng Scheme Yoon Hyun m and Jn Young m, wanwoon Unversty, Department of Electroncs Convergence Engneerng, Wolgye-Dong, Nowon-Gu,

More information

EMA. Education Maintenance Allowance (EMA) Financial Details Form 2017/18. student finance wales cyllid myfyrwyr cymru.

EMA. Education Maintenance Allowance (EMA) Financial Details Form 2017/18. student finance wales cyllid myfyrwyr cymru. student fnance wales cylld myfyrwyr cymru Educaton Mantenance Allowance (EMA) Fnancal Detals Form 2017/18 sound advce on STUDENT FINANCE EMA Educaton Mantenance Allowance (EMA) 2017/18 /A How to complete

More information

Analysis of Time Delays in Synchronous and. Asynchronous Control Loops. Bj rn Wittenmark, Ben Bastian, and Johan Nilsson

Analysis of Time Delays in Synchronous and. Asynchronous Control Loops. Bj rn Wittenmark, Ben Bastian, and Johan Nilsson 37th CDC, Tampa, December 1998 Analyss of Delays n Synchronous and Asynchronous Control Loops Bj rn Wttenmark, Ben Bastan, and Johan Nlsson emal: bjorn@control.lth.se, ben@control.lth.se, and johan@control.lth.se

More information

On the Usefulness of Fibonacci Compression Codes

On the Usefulness of Fibonacci Compression Codes The Computer Journal Advance Access publshed May 14, 2009 The Author 2009 Publshed by Oxford Unversty Press on behalf of The Brtsh Computer Socety All rghts reserved For Permssons, please emal: journalspermssons@oxfordjournalsorg

More information

antenna antenna (4.139)

antenna antenna (4.139) .6.6 The Lmts of Usable Input Levels for LNAs The sgnal voltage level delvered to the nput of an LNA from the antenna may vary n a very wde nterval, from very weak sgnals comparable to the nose level,

More information

Latency Insertion Method (LIM) for IR Drop Analysis in Power Grid

Latency Insertion Method (LIM) for IR Drop Analysis in Power Grid Abstract Latency Inserton Method (LIM) for IR Drop Analyss n Power Grd Dmtr Klokotov, and José Schutt-Ané Wth the steadly growng number of transstors on a chp, and constantly tghtenng voltage budgets,

More information

Space Time Equalization-space time codes System Model for STCM

Space Time Equalization-space time codes System Model for STCM Space Tme Eualzaton-space tme codes System Model for STCM The system under consderaton conssts of ST encoder, fadng channel model wth AWGN, two transmt antennas, one receve antenna, Vterb eualzer wth deal

More information

MULTICORE IMPLEMENTATION OF THE AES ALGORITHM IN THE MEASUREMENT SYSTEM

MULTICORE IMPLEMENTATION OF THE AES ALGORITHM IN THE MEASUREMENT SYSTEM XIX IMEKO World Congress Fundamental and Appled Metrology September 6 11, 2009, Lsbon, Portugal MULTICORE IMPLEMENTATION OF THE AES ALGORITHM IN THE MEASUREMENT SYSTEM Potr Blsk 1,2, Wesław Wneck 2 1 Warsaw

More information

Comparison of Two Measurement Devices I. Fundamental Ideas.

Comparison of Two Measurement Devices I. Fundamental Ideas. Comparson of Two Measurement Devces I. Fundamental Ideas. ASQ-RS Qualty Conference March 16, 005 Joseph G. Voelkel, COE, RIT Bruce Sskowsk Rechert, Inc. Topcs The Problem, Eample, Mathematcal Model One

More information

DRIVERS ANONYMITY IN VEHICLE-TO-VEHICLE COMMUNICATION NETWORKS NADER MAZEN RABADI DISSERTATION. Submitted to the Graduate School

DRIVERS ANONYMITY IN VEHICLE-TO-VEHICLE COMMUNICATION NETWORKS NADER MAZEN RABADI DISSERTATION. Submitted to the Graduate School DRIVERS ANONYMITY IN VEHICLE-TO-VEHICLE COMMUNICATION NETWORKS by NADER MAZEN RABADI DISSERTATION Submtted to the Graduate School of Wayne State Unversty, Detrot, Mchgan n partal fulfllment of the requrements

More information

Multi-Robot Map-Merging-Free Connectivity-Based Positioning and Tethering in Unknown Environments

Multi-Robot Map-Merging-Free Connectivity-Based Positioning and Tethering in Unknown Environments Mult-Robot Map-Mergng-Free Connectvty-Based Postonng and Tetherng n Unknown Envronments Somchaya Lemhetcharat and Manuela Veloso February 16, 2012 Abstract We consder a set of statc towers out of communcaton

More information

ECE315 / ECE515 Lecture 5 Date:

ECE315 / ECE515 Lecture 5 Date: Lecture 5 Date: 18.08.2016 Common Source Amplfer MOSFET Amplfer Dstorton Example 1 One Realstc CS Amplfer Crcut: C c1 : Couplng Capactor serves as perfect short crcut at all sgnal frequences whle blockng

More information

Control Chart. Control Chart - history. Process in control. Developed in 1920 s. By Dr. Walter A. Shewhart

Control Chart. Control Chart - history. Process in control. Developed in 1920 s. By Dr. Walter A. Shewhart Control Chart - hstory Control Chart Developed n 920 s By Dr. Walter A. Shewhart 2 Process n control A phenomenon s sad to be controlled when, through the use of past experence, we can predct, at least

More information

RC Filters TEP Related Topics Principle Equipment

RC Filters TEP Related Topics Principle Equipment RC Flters TEP Related Topcs Hgh-pass, low-pass, Wen-Robnson brdge, parallel-t flters, dfferentatng network, ntegratng network, step response, square wave, transfer functon. Prncple Resstor-Capactor (RC)

More information

Prevention of Sequential Message Loss in CAN Systems

Prevention of Sequential Message Loss in CAN Systems Preventon of Sequental Message Loss n CAN Systems Shengbng Jang Electrcal & Controls Integraton Lab GM R&D Center, MC: 480-106-390 30500 Mound Road, Warren, MI 48090 shengbng.jang@gm.com Ratnesh Kumar

More information

ALICE AND BOB GO TO DINNER: A VARIATION ON MÉNAGE

ALICE AND BOB GO TO DINNER: A VARIATION ON MÉNAGE #A72 INTEGERS 6 (26) ALIE AND BOB GO TO DINNER: A VARIATION ON MÉNAGE Vladmr Shevelev Department of Mathematcs, Ben-Guron Unversty of the Negev, Beer-Sheva, Israel shevelev@bgu.ac.l Peter J.. Moses Moparmatc

More information

A Novel Optimization of the Distance Source Routing (DSR) Protocol for the Mobile Ad Hoc Networks (MANET)

A Novel Optimization of the Distance Source Routing (DSR) Protocol for the Mobile Ad Hoc Networks (MANET) A Novel Optmzaton of the Dstance Source Routng (DSR) Protocol for the Moble Ad Hoc Networs (MANET) Syed S. Rzv 1, Majd A. Jafr, and Khaled Ellethy Computer Scence and Engneerng Department Unversty of Brdgeport

More information

Implementation Complexity of Bit Permutation Instructions

Implementation Complexity of Bit Permutation Instructions Implementaton Complexty of Bt Permutaton Instructons Zhje Jerry Sh and Ruby B. Lee Department of Electrcal Engneerng, Prnceton Unversty, Prnceton, NJ 085 USA {zsh, rblee}@ee.prnceton.edu Abstract- Several

More information

Micro-grid Inverter Parallel Droop Control Method for Improving Dynamic Properties and the Effect of Power Sharing

Micro-grid Inverter Parallel Droop Control Method for Improving Dynamic Properties and the Effect of Power Sharing 2015 AASRI Internatonal Conference on Industral Electroncs and Applcatons (IEA 2015) Mcro-grd Inverter Parallel Droop Control Method for Improvng Dynamc Propertes and the Effect of Power Sharng aohong

More information

Hierarchical Generalized Cantor Set Modulation

Hierarchical Generalized Cantor Set Modulation 8th Internatonal Symposum on Wreless Communcaton Systems, Aachen Herarchcal Generalzed Cantor Set Modulaton Smon Görtzen, Lars Schefler, Anke Schmenk Informaton Theory and Systematc Desgn of Communcaton

More information

Channel Alternation and Rotation in Narrow Beam Trisector Cellular Systems

Channel Alternation and Rotation in Narrow Beam Trisector Cellular Systems Channel Alternaton and Rotaton n Narrow Beam Trsector Cellular Systems Vncent A. Nguyen, Peng-Jun Wan, Ophr Freder Illnos Insttute of Technology-Communcaton Laboratory Research Computer Scence Department-Chcago,

More information

STATISTICS. is given by. i i. = total frequency, d i. = x i a ANIL TUTORIALS. = total frequency and d i. = total frequency, h = class-size

STATISTICS. is given by. i i. = total frequency, d i. = x i a ANIL TUTORIALS. = total frequency and d i. = total frequency, h = class-size STATISTICS ImPORTANT TERmS, DEFINITIONS AND RESULTS l The mean x of n values x 1, x 2, x 3,... x n s gven by x1+ x2 + x3 +... + xn x = n l mean of grouped data (wthout class-ntervals) () Drect method :

More information

A Digital Content Distribution Using a Group-Key and Multi-layered Structure Based on Web

A Digital Content Distribution Using a Group-Key and Multi-layered Structure Based on Web A Dgtal Content Dstrbuton Usng a Group-Key and Mult-layered Structure Based on Web Yun-J Na and Il Seo Ko 2 Department of Internet Software, Honam Unversty 59-, Seobong-Dong, Gwangsan-Gu, Gwangju 506-74,

More information

LOCAL DECODING OF WALSH CODES TO REDUCE CDMA DESPREADING COMPUTATION

LOCAL DECODING OF WALSH CODES TO REDUCE CDMA DESPREADING COMPUTATION LOCAL DECODING OF WALSH CODES TO REDUCE CDMA DESPREADING COMPUTATION Albert M. Chan, Jon Feldman, and Raghu Madyastha (Vanu, Inc., Cambrdge, MA, USA, {chanal,jonfeld,raghu}@vanu.com); Potr Indyk and Davd

More information

A MODIFIED DIFFERENTIAL EVOLUTION ALGORITHM IN SPARSE LINEAR ANTENNA ARRAY SYNTHESIS

A MODIFIED DIFFERENTIAL EVOLUTION ALGORITHM IN SPARSE LINEAR ANTENNA ARRAY SYNTHESIS A MODIFIED DIFFERENTIAL EVOLUTION ALORITHM IN SPARSE LINEAR ANTENNA ARRAY SYNTHESIS Kaml Dmller Department of Electrcal-Electroncs Engneerng rne Amercan Unversty North Cyprus, Mersn TURKEY kdmller@gau.edu.tr

More information

A Preliminary Study on Targets Association Algorithm of Radar and AIS Using BP Neural Network

A Preliminary Study on Targets Association Algorithm of Radar and AIS Using BP Neural Network Avalable onlne at www.scencedrect.com Proceda Engneerng 5 (2 44 445 A Prelmnary Study on Targets Assocaton Algorthm of Radar and AIS Usng BP Neural Networ Hu Xaoru a, Ln Changchuan a a Navgaton Insttute

More information

Tile Values of Information in Some Nonzero Sum Games

Tile Values of Information in Some Nonzero Sum Games lnt. ournal of Game Theory, Vot. 6, ssue 4, page 221-229. Physca- Verlag, Venna. Tle Values of Informaton n Some Nonzero Sum Games By P. Levne, Pars I ), and ZP, Ponssard, Pars 2 ) Abstract: The paper

More information

MASTER TIMING AND TOF MODULE-

MASTER TIMING AND TOF MODULE- MASTER TMNG AND TOF MODULE- G. Mazaher Stanford Lnear Accelerator Center, Stanford Unversty, Stanford, CA 9409 USA SLAC-PUB-66 November 99 (/E) Abstract n conjuncton wth the development of a Beam Sze Montor

More information

Ensemble Evolution of Checkers Players with Knowledge of Opening, Middle and Endgame

Ensemble Evolution of Checkers Players with Knowledge of Opening, Middle and Endgame Ensemble Evoluton of Checkers Players wth Knowledge of Openng, Mddle and Endgame Kyung-Joong Km and Sung-Bae Cho Department of Computer Scence, Yonse Unversty 134 Shnchon-dong, Sudaemoon-ku, Seoul 120-749

More information

HUAWEI TECHNOLOGIES CO., LTD. Huawei Proprietary Page 1

HUAWEI TECHNOLOGIES CO., LTD. Huawei Proprietary Page 1 Project Ttle Date Submtted IEEE 802.16 Broadband Wreless Access Workng Group Double-Stage DL MU-MIMO Scheme 2008-05-05 Source(s) Yang Tang, Young Hoon Kwon, Yajun Kou, Shahab Sanaye,

More information

POLYTECHNIC UNIVERSITY Electrical Engineering Department. EE SOPHOMORE LABORATORY Experiment 1 Laboratory Energy Sources

POLYTECHNIC UNIVERSITY Electrical Engineering Department. EE SOPHOMORE LABORATORY Experiment 1 Laboratory Energy Sources POLYTECHNIC UNIERSITY Electrcal Engneerng Department EE SOPHOMORE LABORATORY Experment 1 Laboratory Energy Sources Modfed for Physcs 18, Brooklyn College I. Oerew of the Experment Ths experment has three

More information

Guidelines for CCPR and RMO Bilateral Key Comparisons CCPR Working Group on Key Comparison CCPR-G5 October 10 th, 2014

Guidelines for CCPR and RMO Bilateral Key Comparisons CCPR Working Group on Key Comparison CCPR-G5 October 10 th, 2014 Gudelnes for CCPR and RMO Blateral Key Comparsons CCPR Workng Group on Key Comparson CCPR-G5 October 10 th, 2014 These gudelnes are prepared by CCPR WG-KC and RMO P&R representatves, and approved by CCPR,

More information

Application of Intelligent Voltage Control System to Korean Power Systems

Application of Intelligent Voltage Control System to Korean Power Systems Applcaton of Intellgent Voltage Control System to Korean Power Systems WonKun Yu a,1 and HeungJae Lee b, *,2 a Department of Power System, Seol Unversty, South Korea. b Department of Power System, Kwangwoon

More information

Figure 1. DC-DC Boost Converter

Figure 1. DC-DC Boost Converter EE36L, Power Electroncs, DC-DC Boost Converter Verson Feb. 8, 9 Overvew Boost converters make t possble to effcently convert a DC voltage from a lower level to a hgher level. Theory of Operaton Relaton

More information

current activity shows on the top right corner in green. The steps appear in yellow

current activity shows on the top right corner in green. The steps appear in yellow Browzwear Tutorals Tutoral ntroducton Ths tutoral leads you through the basc garment creaton process usng an llustrated step by step approach. Each slde shows the actual applcaton at the stage of the acton

More information

c 2009 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media,

c 2009 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, c 2009 IEEE. Personal use of ths materal s permtted. Permsson from IEEE must be obtaned for all other uses, n any current or future meda, ncludng reprntng/republshng ths materal for advertsng or promotonal

More information

TECHNICAL NOTE TERMINATION FOR POINT- TO-POINT SYSTEMS TN TERMINATON FOR POINT-TO-POINT SYSTEMS. Zo = L C. ω - angular frequency = 2πf

TECHNICAL NOTE TERMINATION FOR POINT- TO-POINT SYSTEMS TN TERMINATON FOR POINT-TO-POINT SYSTEMS. Zo = L C. ω - angular frequency = 2πf TECHNICAL NOTE TERMINATION FOR POINT- TO-POINT SYSTEMS INTRODUCTION Because dgtal sgnal rates n computng systems are ncreasng at an astonshng rate, sgnal ntegrty ssues have become far more mportant to

More information

Optimal Placement of PMU and RTU by Hybrid Genetic Algorithm and Simulated Annealing for Multiarea Power System State Estimation

Optimal Placement of PMU and RTU by Hybrid Genetic Algorithm and Simulated Annealing for Multiarea Power System State Estimation T. Kerdchuen and W. Ongsakul / GMSARN Internatonal Journal (09) - Optmal Placement of and by Hybrd Genetc Algorthm and Smulated Annealng for Multarea Power System State Estmaton Thawatch Kerdchuen and

More information

Resource Allocation Optimization for Device-to- Device Communication Underlaying Cellular Networks

Resource Allocation Optimization for Device-to- Device Communication Underlaying Cellular Networks Resource Allocaton Optmzaton for Devce-to- Devce Communcaton Underlayng Cellular Networks Bn Wang, L Chen, Xaohang Chen, Xn Zhang, and Dacheng Yang Wreless Theores and Technologes (WT&T) Bejng Unversty

More information

Discussion on How to Express a Regional GPS Solution in the ITRF

Discussion on How to Express a Regional GPS Solution in the ITRF 162 Dscusson on How to Express a Regonal GPS Soluton n the ITRF Z. ALTAMIMI 1 Abstract The usefulness of the densfcaton of the Internatonal Terrestral Reference Frame (ITRF) s to facltate ts access as

More information

Joint Power Control and Scheduling for Two-Cell Energy Efficient Broadcasting with Network Coding

Joint Power Control and Scheduling for Two-Cell Energy Efficient Broadcasting with Network Coding Communcatons and Network, 2013, 5, 312-318 http://dx.do.org/10.4236/cn.2013.53b2058 Publshed Onlne September 2013 (http://www.scrp.org/journal/cn) Jont Power Control and Schedulng for Two-Cell Energy Effcent

More information

Evaluate the Effective of Annular Aperture on the OTF for Fractal Optical Modulator

Evaluate the Effective of Annular Aperture on the OTF for Fractal Optical Modulator Global Advanced Research Journal of Management and Busness Studes (ISSN: 2315-5086) Vol. 4(3) pp. 082-086, March, 2015 Avalable onlne http://garj.org/garjmbs/ndex.htm Copyrght 2015 Global Advanced Research

More information

Optimizing a System of Threshold-based Sensors with Application to Biosurveillance

Optimizing a System of Threshold-based Sensors with Application to Biosurveillance Optmzng a System of Threshold-based Sensors wth Applcaton to Bosurvellance Ronald D. Frcker, Jr. Thrd Annual Quanttatve Methods n Defense and Natonal Securty Conference May 28, 2008 What s Bosurvellance?

More information

Reflections on Rotators, Or, How to Turn the FEL Upgrade 3F Skew Quad Rotator Into a Skew Quad Rotator

Reflections on Rotators, Or, How to Turn the FEL Upgrade 3F Skew Quad Rotator Into a Skew Quad Rotator JLAB-TN-4-23 4 August 24 Reflectons on Rotators, Or, How to Turn the FEL Upgrade 3F Skew Quad Rotator nto a Skew Quad Rotator D. Douglas ntroducton A prevous note [] descrbes a smple skew quad system that

More information

Weighted Penalty Model for Content Balancing in CATS

Weighted Penalty Model for Content Balancing in CATS Weghted Penalty Model for Content Balancng n CATS Chngwe Davd Shn Yuehme Chen Walter Denny Way Len Swanson Aprl 2009 Usng assessment and research to promote learnng WPM for CAT Content Balancng 2 Abstract

More information

Rejection of PSK Interference in DS-SS/PSK System Using Adaptive Transversal Filter with Conditional Response Recalculation

Rejection of PSK Interference in DS-SS/PSK System Using Adaptive Transversal Filter with Conditional Response Recalculation SERBIAN JOURNAL OF ELECTRICAL ENGINEERING Vol., No., November 23, 3-9 Rejecton of PSK Interference n DS-SS/PSK System Usng Adaptve Transversal Flter wth Condtonal Response Recalculaton Zorca Nkolć, Bojan

More information

Webinar Series TMIP VISION

Webinar Series TMIP VISION Webnar Seres TMIP VISION TMIP provdes techncal support and promotes knowledge and nformaton exchange n the transportaton plannng and modelng communty. DISCLAIMER The vews and opnons expressed durng ths

More information

High Speed ADC Sampling Transients

High Speed ADC Sampling Transients Hgh Speed ADC Samplng Transents Doug Stuetzle Hgh speed analog to dgtal converters (ADCs) are, at the analog sgnal nterface, track and hold devces. As such, they nclude samplng capactors and samplng swtches.

More information

aperture David Makovoz, 30/01/2006 Version 1.0 Table of Contents

aperture David Makovoz, 30/01/2006 Version 1.0 Table of Contents aperture 1 aperture Davd Makovoz, 30/01/2006 Verson 1.0 Table of Contents aperture... 1 1 Overvew... 2 1.1 Input Image Requrements... 2 2 aperture... 2 2.1 Input... 2 2.2 Processng... 4 2.3 Output Table...

More information

Low Switching Frequency Active Harmonic Elimination in Multilevel Converters with Unequal DC Voltages

Low Switching Frequency Active Harmonic Elimination in Multilevel Converters with Unequal DC Voltages Low Swtchng Frequency Actve Harmonc Elmnaton n Multlevel Converters wth Unequal DC Voltages Zhong Du,, Leon M. Tolbert, John N. Chasson, Hu L The Unversty of Tennessee Electrcal and Computer Engneerng

More information

An Effective Approach for Distribution System Power Flow Solution

An Effective Approach for Distribution System Power Flow Solution World Academy of Scence, Engneerng and Technology nternatonal Journal of Electrcal and Computer Engneerng ol:, No:, 9 An Effectve Approach for Dstrbuton System Power Flow Soluton A. Alsaad, and. Gholam

More information

Network Reconfiguration in Distribution Systems Using a Modified TS Algorithm

Network Reconfiguration in Distribution Systems Using a Modified TS Algorithm Network Reconfguraton n Dstrbuton Systems Usng a Modfed TS Algorthm ZHANG DONG,FU ZHENGCAI,ZHANG LIUCHUN,SONG ZHENGQIANG School of Electroncs, Informaton and Electrcal Engneerng Shangha Jaotong Unversty

More information