MPC, rewrite GC stuff

easy/src/mpc2.typ

@@ -87,18 +87,124 @@ from its encryption.
 The next step to combine a bunch of garbled gates into a circuit.
 We'll need to make two changes to the protocol.
 
-To chain garbled gates together,
-we need to modify the output of each gate:
-In addition to outputting the bit $z = G_i (x, y)$,
-the $i$-th gate $G_i$ 
-will also output a password $P_z$ that Bob can use at the next step.
-#todo[Introduce Bob]
-
-Now there's a problem here!
-We said before that each gate should require four passwords
-$
-  P_(0, 0), P_(0, 1), P_(1, 0), P_(1, 1),
-$
-one for each possible input pair of bits.
+1. To chain garbled gates together,
+  we need to modify the output of each gate:
+  In addition to outputting the bit $z = G_i (x, y)$,
+  the $i$-th gate $G_i$ 
+  will also output a password $P_z$ that Bob can use at the next step.
+  #todo[Introduce Bob]
+
+  Now Bob has one bit coming in for the left-hand input $x$, 
+  and it came with some password $P_x^(text("left"))$ --
+  and then another bit coming in for $y$,
+  that came with some password $P_y^(text("right"))$.
+  To get the combined password $P_(x, y)$,
+  Bob will just concatenate the two passwords
+  $P_x^(text("left"))$ and $P_y^(text("right"))$.
+
+2. To keep the functionality of the circuit hidden,
+  we don't want Bob to learn anything about the structure of
+  the individual gates --
+  even the single bit he gets as output.
+
+  This is an easy fix:
+  Instead of having the gate output 
+  both the bit $z$ and the password $P_z$,
+  we'll just have the gate output the password $P_z$.
+
+  But now how does Bob know what values to feed into the next gate?
+  The left-hand column of the "gate table" 
+  needs to be indexed by the passwords 
+  $P_x^(text("left"))$ and $P_y^(text("right"))$,
+  not by the bits $(x, y)$.
+  But we don't want Bob to learn the other passwords from the table!
+
+  Let's say this again.  We want:
+  - If Bob knows both passwords $P_x^(text("left"))$ and $P_y^(text("right"))$,
+    Bob can find the row of the table for the input $(x, y)$.
+  - If Bob doesn't know the passwords, he can't learn them by looking at the table.
+
+  Of course, the solution is to use a hash function!
+  So here is the new version of our garbled gate.
+  For simplicity, I'll assume it's an AND gate -- 
+  so the outputs will be (the passwords encoding) 0, 0, 0, 1.
+  #table(
+  columns: 2,
+  [$sha(P_0^(text("left")), P_0^(text("right")))$], [$Enc_(P_0^(text("left")), P_0^(text("right"))) (P_0^(text("out")))$],
+  [$sha(P_0^(text("left")), P_1^(text("right")))$], [$Enc_(P_0^(text("left")), P_1^(text("right"))) (P_0^(text("out")))$],
+  [$sha(P_1^(text("left")), P_0^(text("right")))$], [$Enc_(P_1^(text("left")), P_0^(text("right"))) (P_0^(text("out")))$],
+  [$sha(P_1^(text("left")), P_1^(text("right")))$], [$Enc_(P_1^(text("left")), P_1^(text("right"))) (P_1^(text("out")))$],
+)
+
+== How Bob uses one gate
+
+Let's play through one round of Bob's gate-using protocol.
+
+0. Suppose Bob's input bits are 0 (on the left) and 1 (on the right).
+  Bob doesn't know he has 0 and 1 (but we do!).
+  Bob knows his left password is some value 
+  $
+    P_0^(text("left")),
+  $
+  and his right password is some other value 
+  $
+    P_1^(text("right")).
+  $
+
+1. Bob takes the two passwords, concatenates them, and computes a hash.
+  Now Bob has 
+  $
+    sha(P_0^(text("left")), P_1^(text("right"))).
+  $
+
+2. Bob finds the row of the table indexed by 
+  $sha(P_0^(text("left")), P_1^(text("right")))$,
+  and he uses it to look up
+  $
+    Enc_(P_0^(text("left")), P_1^(text("right"))) (P_0^(text("out"))).
+  $
+
+3. Bob uses the concatenation of the two passwords
+  $P_0^(text("left")), P_1^(text("right"))$
+  to decrypt
+  $
+    P_0^(text("out")).
+  $
+
+4. Now Bob has the password for the bit 0, to feed into the next gate --
+  but he doesn't know his bit is 0.
+
+So Bob is exactly where he started: 
+he knows the password for his bit, but he doesn't know his bit.
+So we can chain together as many of these garbled gates as we like
+to make a full garbled circuit.
+
+== How the circuit ends
+
+At the end of the computation,
+Bob needs to learn the final result.
+How?
+
+Easy!
+The final output gates are different from the intermediate gates.
+Instead of outputting a password, 
+they will just output the resulting bit in plain text.
+
+== How the circuit starts
+
+This is trickier.
+At the beginning of the computation, 
+Bob needs to learn the passwords for all of his input bits.
+
+Let's just tackle the problem for a single bit.
+#todo[Introduce Alice.  She cooked up the garbled circuit.]
+- Alice has two passwords, $P_0$ and $P_1$.
+- Bob has a bit $b$, either $0$ or $1$.
+- Bob wants to learn one of the passwords, $P_b$, from Alice.
+- Bob does not want Alice to learn the value of $b$.
+- Alice does not want Bob to learn the other password.
+
+Alice sends the password to Bob 
+using a protocol called oblivious transfer @ot.
 
 

easy/src/ot.typ

@@ -1,6 +1,7 @@
 #import "preamble.typ":*
 
 = Oblivious Transfer
+<ot>
 
 Alice has $n$ messages $x_1, dots, x_n$. 
 Bob wants to request the $i$-th message,