Welcome to the lecture Secure Multi-Party Computation.

We are now at Lecture number 6 and my name is Dominik Schröder.

So let me briefly recall what we did in the last lecture and then I will give an outline

what we are going to cover in this part of the lecture.

In the previous lecture we essentially took a look at the simpler definition.

And the simpler definition in fact covered the case of deterministic functionalities.

Simpler definitions are very useful for many reasons because first of all if they cover

many functionalities then they are much easier to work with and also in many cases they are

in fact easier to understand.

So deterministic functionalities are actually functionalities that are quite common.

So if you essentially think about oblivious transfer, right once you fix the inputs then

the functionality itself is deterministic.

Next we introduced the very beautiful and amazing protocol of Yaw called Yaw Scabbard

circuit.

And the amazing idea of Yaw Scabbard circuit of course is first of all to transfer the

algorithm that you would like to compute in a circuit.

I mean that's not his idea but his idea was to work on circuits.

And then essentially his observation that if you look at Boolean circuits, something

like an OR or an AND for example, then if we basically look at the corresponding truth

table, then his idea was essentially to transform this truth table into something that loses

the connection to its inputs and that was essentially the step of replacing the input

with random values which means we then get also truth table but for example with keys

k00, k01 and k10, k11.

And then the observation was to essentially use these keys as an encryption key and then

to encrypt the resulting value which is a 0 or 1 that was also interpreted as a key

and to perform this double encryption of this value.

And this you are then repeating for all of the entries.

And then the main question was now how can this circuit be evaluated and that was essentially

done in two steps.

Just let me very briefly write a very simplified version.

We have the sender and the receiver.

The sender is the one that gobbles the circuit and the basic idea was that he essentially

sends the gobbled version and the keys corresponding to its own inputs k0, ks1 until ksn.

And afterwards they are essentially running an oblivious transfer protocol where the sender

inputs the remaining keys and the receiver gets the keys corresponding to its own inputs.

So this was a very rough description of course of the protocol.

So what we are going to do in this lecture is essentially take a look again at Yaw's

protocol.

And in particular we are looking at the security proof.

So the security proof that you see in this lecture was given in the previous lecture

and I essentially combined the two videos.

So I hope you like the topic so far.

I look forward to seeing you in the question and answer session and thank you for your

attention.

I mean a short version of Yaw's protocol.

Of course if you look at the foundations of gobbled circuit paper you can do this way

more formal but I think for the intuition what is really going on this is totally fine.

So the sender has the input x and the receiver has the input y.

And the auxiliary input is the Boolean circuit that they would like to compute.

So this is known to both parties.