-
Notifications
You must be signed in to change notification settings - Fork 37
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Identity gate feature #4
Comments
Does this approach affect the DualEx equality check? Do both parties still need to hold the decoded circuit's output? |
Im still confused how this interplays with DEAP as described in https://docs.tlsnotary.org/protocol/2pc/deap.html |
The decryption process is almost the same:
Separately, Alice still has Bob's active encoding for
During DEAP finalization Alice verifies that You can think of this as an oblivious transfer, where Bob is the Sender and Alice the Receiver. Bob sends the full encoding The key point is this: The only choice Alice can make is We do not need to perform a ZKP to prove that In our current method Alice can choose a different |
Thanks for explaining. Makes sense now. Yes, this approach seems sound. |
In our garbled circuit protocols, we have two variants of encoded values: Values which have been encoded directly via the encoder, and values generated by computing the garbling algorithm (aka output labels). Recomputing a computed value can be quite expensive depending on the complexity of the circuit they come from.
We avoid this expense in our transcript commitment protocol by making sure that the encodings for the plaintext values are always generated directly via the encoder. This introduces some extra complexity during decryption, as we have to perform an additional oblivious transfer and ZKP to prove the chosen plaintext encrypts to the expected ciphertext.
There is a fairly simple alternative to our current approach: identity gates. A gate which encrypts a label using an output label as the key.
This process need not be coupled to the garbled circuit execution, it can be pretty neatly encapsulated into a new trait:
Using this, our decryption protocol can be simplified. We would simply decrypt the ciphertext in the VM, clone the plaintext so the labels are generated via the encoder, then the Prover would commit to these labels instead. Eliminating the need for additional OT + ZKP process.
The text was updated successfully, but these errors were encountered: