ANTECEDENTES DE LA INVESTIGACIÓN

In this section, we describe an algorithm that computes a proof, which is just composed of Groth-Sahai proofs, to verify whether a given garbled circuit is as computed by the garbled circuit generation algorithm from Section B.2.1.

Building over the tools built in the previous section, we will now express the garbled circuit construc- tion as a system of bilinear equations. Before that, we will describe the main variables used in the equations.

1. For every i ∈ {1, . . . , m}, b ∈ {0,1}, we have XL_wi,b denote a vector of variables of length l. We

denote byXpk_wi,b, a matrix of variables of sizel×l.

2. For every gateG,i, j∈ {0,1}andk= 1,2, we have matrices of variables namelyX_cG,k (i,j) of dimension (l+ 1)×l,X_ctG,k (i,j) of dimension (l+ 1)×l,X_∆G,k (i,j) of dimension 1×land X_rG,k i,j of dimensionl ×l. 3. For every gate G, i, j ∈ {0,1} and k = 1,2, we have matrices of variables namely X_ctreRand,G,k

(i,j)

of dimension (l+1)×landX_rreRand,G,k

i,j of dimensionl

×land a vector of variablesX_∆reRand,G,k

i,j of dimension

1×l.

4. For every gate G and i, j ∈ {0,1}, we have X_δG

i,j and XµGi,j, where XδGi,j and XµGi,j are vectors of

variables of length 2l.

We now describe the system of bilinear equations that captures the garbled circuit construction by Gentry et. al. We denote the system of equations byGCktEq(C).

GCktEq(C):

For every i∈ {1, . . . , m}, b∈ {0,1}:

PKEq(XLpk_wi,b, XL_wi,b) VecBitEq(XL_wi,b)

For every gateGwith input wires w1, w2 and output wire w3, for all i, j∈ {0,1}:

VecCTEq(X_cG,1 (i,j) , X_L w₁,i2, XrG,1_i,j , XδG i,j),VecCTEq X_cG,2 i,j , X_L2 w₂,j, XrG,2i,j ,(X_µG i,j, XL2w3,G(i,j)) VecreRandCTEq(X_ctG,1 i,j , X_ctreRand,G,1 i,j , X_∆reRand,G,1 i,j , X_rreRand,G,1 i,j ) VecreRandCTEq(X_ctG,2 i,j , Xct reRand,G,2 i,j , X∆ reRand,G,2 i,j , Xr reRand,G,2 i,j ), VecBitEq(Xδi,j), VecBitEq(X_µG i,j) VecBitEq(X_∆reRand,G,1 i,j ) , VecBitEq(X_∆reRand,G,2 i,j ), For every gateG:

PermEq(X_ctG

1, XctG2, XctG3, XctG4,(XcG1, XcG2, XcG3, XcG4)),

wherectG₁ = (ctG,1_0,0,ct_0,0G,2),. . . , ctG₄ = (ctG,1_1,1,ct_1,1G,2)) andcG₁ = (cG,1_0,0, cG,2_0,0),. . . ,ctG₄ = (cG,1_1,1, cG,2_1,1)). Letmbe the index of the output wire, we have

We now describe the procedure ProverMalGCwhich takes as input a garbled circuit along with the wire

keys and the randomness (used to generate the ciphertexts) and produces a proof that the garbled circuit is correctly computed. Additionally it also takes as input a CRS produced from theGSSetupphase, Before we describeProverMalGC, we describe the garbled circuit generation phase mainly to fix the notation to be

used inProverMalGC algorithm.

The garbled circuit generation phase, which we term asInpGen, takes as input a circuitC, an input to the circuit wand then does the following. It computes a garbled circuit corresponding to C according to the construction given in Section B.2.1. It first picks wire keysLwi,b for alli= 1, . . . , mandb= 0,1. Con-

struct the table of ciphertexts as follows as given in Section B.2. Each entry of the table, denoted by cG_(i,j) corresponding to the gateG consists of two ciphertexts cG,1_(i,j) =EncL(w₁,i)(δ

G i,j) andc G,2 (i,j) =EncL(w₂,j)(µ G i,j)

fori, j∈ {0,1} whereµG_i,j = (L(w3,G(i,j))|0

l_)⊕δG

i,j. Letc G,1 (i,j) andc

G,2

(i,j) be encrypted using randomness r G,1 i,j

andrG,2_i,j respectively. For each gate in the circuit, the table of ciphertexts constructed need to be permuted. Consider a table corresponding to gateG. After permuting the table, we denote the entries in the table, in order, by

(ctG,1_0,0,ctG,2_0,0),(ctG,1_0,1,ctG,2_0,1),(ctG,1_1,0,ctG,2_1,0),(ctG,1_1,1,ctG,2_1,1)

. ForctG,k_i,j , fori, j ∈ {0,1}, compute the following. For everya, bthciphertext inctG,j_i , denoted byca,b, compute ∆(ca,b+ri,jG,kΦ)+(1−∆)(r

G,k

i,j Φ+ca,b)

to obtainc0_a,b, which is (a, b)thciphertext inctreRand_i,j ,G,k, by settingrG_i,j,k = 0 (here 0 is interpreted as a vec- tor of zeroes of length 2l) and ∆(ctG,k_i,j to be 1. For every gateG, we represent the table of ciphertexts, by TG, the vector

(ctreRand_(0,0) ,G,1,ctreRand_(0,0) ,G,2), . . . ,(ctreRand_(1,1) ,G,1,ctreRand_(1,1) ,G,2)

. Now, this completes the execution of the garbled circuit construction. Denote byGC, the set of the tablesTG, for every gate Gin the circuit.

Further, denote byinw, the input wires corresponding tow. More precisely, ifwis represented asb1· · ·bn,

wherebiis a bit, theninwis (Lw1,b1, . . . , Lwn,bn). We denote the garbled circuit byGC, with the wire keysinw

embedded into it, and the wire keys along with the randomness used to generate the ciphertexts to bew_GC0 .

Procedure ProverMalGC((C,GC), w0GC, CRS):

1. It computes a system of bilinear equations GCktEq(C). It then assigns values to the variables in the equations so as to satisfy all the equations in GCktEq(C). Whenever we say that a tuple of elements A is assigned to a vector of variables XA, we mean that theith element in A is assigned to the ith

variable inXA 17.

(a) For every i ∈ {1, . . . , m}, b ∈ {0,1}, we assign pk0_wi,b to XLpk_wi,b, where pk 0

wi,b is the matrix pk_wi,b, without the last column. Similarly, we assign Lwi,b to the variable XL_wi,b.

(b) For everyi∈ {1, . . . , m}, b∈ {0,1}, we assign the lastl2+lbits ofL2_w

i,bto the variable XL2_wi,b.

(c) For every gate G, i, j ∈ {0,1} and k = 1,2, we assign cG,1_(i,j),ctG,1_(i,j) and rk_i,j to the variables X_cG,1 (i,j) , X_ctG,1 (i,j) and X_rk i,j respectively.

(d) For every gate G, i, j∈ {0,1} and k= 1,2, we assign ct_(i,j)reRand,G,k,∆reRand_(i,j) ,G,k and r_i,jreRand,G,k to the variablesX_ctreRand,G,k

(i,j) , X_∆reRand,G,k (i,j) andX_rreRand,G,k i,j respectively.

(e) For every gate G and i, j ∈ {0,1}, we assign δ_i,jG and µG_i,j to the variables X_δG

i,j and XµGi,j

respectively.

ProverMalGC then generates a proof Π by executing GSProveron input GCktEq(C), CRS and assign-

ment to the variables as described before.

17

We sometimes abuse the notation and assign a matrix of values to a vector of variables in the following way, where that the size of the matrix and the length of the vector is the same. LetAbe a matrix of sizem×n(mis the number of columns andnis the number of rows) and letXAbe a tuple of variables of sizeN, whereN =m×n. When we sayAis assigned to XA we mean that the (i, j)thvalue inAis assigned to (ni+j)thvariable inXA.

The procedure ProverMalGC finally outputs (comm,ΠGC).