DEAP updated

sinu
2023-01-18 15:54:49 -08:00
parent 7bfc85501b
commit 6ca80893dd
3 changed files with 44 additions and 37 deletions


@@ -7,7 +7,7 @@ title = "tlsn-docs"
[output.html]
default-theme = "ayu"
additional-css = ["src/css/katex.css"]
additional-css = ["src/css/katex.css", "src/css/global.css"]
[output.katex]

src/css/global.css Normal file

@@ -0,0 +1,3 @@
:root {
--content-max-width: 1000px;
}
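Review bot: the new stylesheet overrides a theme variable without saying so; a one-line CSS comment above the rule (e.g. `/* widen mdBook's default content column */`) would tell the next editor that `--content-max-width` is a variable defined by the mdBook theme rather than something this book introduced, and why 1000px was chosen. The override itself only takes effect because `additional-css` entries are loaded after the theme's own CSS, which is the case here.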


@@ -26,65 +26,69 @@ We assume that it is acceptable for either party to cause the protocol to abort
In the last phase of our protocol Bob must open all oblivious transfers he sent to Alice. To achieve this, we require a very relaxed flavor of committed oblivious transfer. For more detail on these relaxations see section 2 of [Zero-Knowledge Using Garbled Circuits [JKO13]](https://eprint.iacr.org/2013/073.pdf).
### Privacy-free Garbling
Bob's inputs will be revealed in their entirety at the end of the protocol, and because of this Bob can garble his circuit using a privacy-free garbling scheme. This is quite convenient as this substantially reduces the cost of the second execution.
Our implementation uses the [Half-gate garbling scheme [ZRE15]](https://eprint.iacr.org/2014/756.pdf) which enjoys a 50% reduction in cost for both garbling and evaluating a circuit in privacy-free mode.
### Notation
* $x$ and $y$ are Alice and Bob's inputs, respectively.
* $[x]$ and $[y]$ are Alice and Bob's encoded active inputs, respectively.
* $[x]_A$ denotes an encoding of $x$ chosen by Alice
* $\mathsf{com}_x$ denotes a binding commitment to the value $x$
* $G$ denotes a garbled circuit for computing $f(x, y) = v$
* $[X]_A$ denotes an encoding of $x$ chosen by Alice.
* $[x]$ and $[y]$ are Alice and Bob's encoded _active_ inputs, respectively, ie $\mathsf{Enc}(x, [X]) = [x]$.
* $\mathsf{com}_x$ denotes a binding commitment to $x$
* $G$ denotes a garbled circuit for computing $f(x, y) = v$, where:
* $\mathsf{Gb}([X], [Y]) = G$
* $\mathsf{Ev}([x], [y]) = [v]$.
* $d$ denotes output decoding information where $\mathsf{De}(d, [v]) = v$
* $\Delta$ denotes the global offset of a garbled circuit where $\forall i: [x]^{1}_i = [x]^{0}_i \oplus \Delta$
* $\mathsf{PRG}$ denotes a secure pseudo-random generator
* $\mathsf{H}$ denotes a secure hash function
### Ideal Functionality
todo..
## Protocol
The protocol can be thought of as three distinct phases: The setup phase, semi-honest phase, and the zero-knowledge phase.
The protocol can be thought of as three distinct phases: The setup phase, execution, and equality-check.
### Setup
1. Alice creates a garbled circuit $G_A$ and output label commitments $\mathsf{com}_{[v]_A}$. She sends $G_A$, $[x]_A$, $d_A$ and $\mathsf{com}_{[v]_A}$ to Bob.
2. Bob creates a garbled circuit $G_B$ using privacy-free garbling and sends it to Alice.
1. Alice creates a garbled circuit $G_A$ with corresponding input labels $([X]_A, [Y]_A)$, and output label commitment $\mathsf{com}_{[V]_A}$.
2. Bob creates a garbled circuit $G_B$ with corresponding input labels $([X]_B, [Y]_B)$.
3. For committed OT, Bob picks a seed $\rho$ and uses it to generate all random-tape for his OTs with $\mathsf{PRG}(\rho)$. Bob sends $\mathsf{com}_{\rho}$ to Alice.
4. Alice retrieves her active input labels $[x]_B$ from Bob using OT[^1].
5. Bob retrieves his active input labels $[y]_A$ from Alice using OT.
6. Alice sends $G_A$, $[x]_A$, $d_A$ and $\mathsf{com}_{[V]_A}$ to Bob.
7. Bob sends $G_B$, $[y]_B$, and $d_B$ to Alice.
[^1]: It is necessary that Alice retrieves her active input labels $[x]_B$ before any evaluation takes place. This protects against adaptive attacks by Alice. See the [section below](#malicious-alice) for more detail.
### Execution
### Semi-honest
Both Alice and Bob can execute this phase of the protocol in parallel as described below:
6. Bob evaluates $G_A$ using $[x]_A$ and $[y]_A$ to acquire $[v]_A$. He checks $[v]_A$ against the commitment $\mathsf{com}_{[v]_A}$ which Alice sent earlier, aborting if it is invalid.
7. Bob sends $[v]_A$ to Alice.
8. Bob decodes $[v]_A$ to $v^A$ using $d_A$ which he received earlier. He computes $\mathsf{H}([v^A]_B)$ which we'll call $\mathsf{check}_B$, and stores it for the equality check later.
9. Alice checks that $[v]_A$ is authentic, aborting if not, then decodes it to acquire $v$.
#### Alice
8. Evaluates $G_B$ using $[x]_B$ and $[y]_B$ to acquire $[v]_B$.
9. Decodes $[v]_B$ to $v^B$ using $d_B$ which she received earlier. She computes $\mathsf{H}([v^B]_A, [v]_B)$ which we will call $\mathsf{check}_A$.
10. Computes a commitment $\mathsf{Com}(\mathsf{check}_A, r) = \mathsf{com}_{\mathsf{check}_A}$ where $r$ is a key only known to Alice. She sends this commitment to Bob.
11. Waits to receive $[v]_A$ from Bob[^1].
12. Checks that $[v]_A$ is authentic, aborting if not, then decodes $[v]_A$ to $v^A$ using $d_A$.
At this stage, if Bob is malicious, Alice could detect that $v^A \ne v^B$. However, Alice must not react in this case. She proceeds with the protocol regardless, having the authentic output $v^A$.
#### Bob
13. Evaluates $G_A$ using $[x]_A$ and $[y]_A$ to acquire $[v]_A$. He checks $[v]_A$ against the commitment $\mathsf{com}_{[V]_A}$ which Alice sent earlier, aborting if it is invalid.
14. Decodes $[v]_A$ to $v^A$ using $d_A$ which he received earlier. He computes $\mathsf{H}([v]_A, [v^A]_B)$ which we'll call $\mathsf{check}_B$, and stores it for the equality check later.
15. Sends $[v]_A$ to Alice[^1].
16. Receives $\mathsf{com}_{\mathsf{check}_A}$ from Alice and stores it for the equality check later.
Bob, even if malicious, has learned nothing except the purported output $v^A$ and is not convinced it is correct. In the next phase Alice will attempt to convince Bob that it is.
Alice, if honest, has learned the correct output $v$ thanks to the authenticity property of garbled circuits. Alice, if malicious, has potentially learned Bob's entire input $y$.
### ZK
[^1]: This is a significant deviation from standard DualEx protocols such as [MF06](https://www.iacr.org/archive/pkc2006/39580468/39580468.pdf). Typically the output labels are _not_ returned to the Generator, instead, output authenticity is established during a secure equality check at the end. See the [section below](#malicious-alice) for more detail.
10. Bob reveals his input by sending both $y$ and $[y]_B$ to Alice.
11. Alice evaluates $G_B$ using $[x]_B$ and $[y]_B$ to acquire $[v]_B$. She computes $\mathsf{H}([v]_B)$ which we will call $\mathsf{check}_A$.
12. Alice computes a commitment $\mathsf{Com}(\mathsf{check}_A, r) = \mathsf{com}_{\mathsf{check}_A}$ where $r$ is a key only known to Alice. She sends this commitment to Bob.
13. Bob receives $\mathsf{com}_{\mathsf{check}_A}$ and stores it for the equality check later.
14. Bob opens his garbled circuit and OT by sending $\Delta_B$ and $\rho$ to Alice.
15. Alice, now knowing all inputs and $\Delta_B$, derives the full input labels of $G_B$.
16. Alice opens all of Bob's OTs for $[x]_B$ and verifies that they were performed honestly. Otherwise she aborts.
17. Alice verifies that $G_B$ was garbled honestly. Otherwise she aborts.
18. Alice now opens $\mathsf{com}_{\mathsf{check}_A}$ by sending $\mathsf{check}_A$ and $r$ to Bob.
19. Bob verifies $\mathsf{com}_{\mathsf{check}_A}$ then asserts $\mathsf{check}_A == \mathsf{check}_B$, aborting otherwise.
### Equality Check
1. Bob opens his garbled circuit and OT by sending $\Delta_B$, $y$ and $\rho$ to Alice.
2. Alice, can now derive the _purported_ input labels to Bob's garbled circuit $([X]^{\\*}_B, [Y]^{\\*}_B)$.
3. Alice uses $\rho$ to open all of Bob's OTs for $[x]_B$ and verifies that they were performed honestly. Otherwise she aborts.
4. Alice verifies that $G_B$ was garbled honestly by checking $\mathsf{Gb}([X]^{\\*}_B, [Y]^{\\*}_B) == G_B$. Otherwise she aborts.
5. Alice now opens $\mathsf{com}_{\mathsf{check}_A}$ by sending $\mathsf{check}_A$ and $r$ to Bob.
6. Bob verifies $\mathsf{com}_{\mathsf{check}_A}$ then asserts $\mathsf{check}_A == \mathsf{check}_B$, aborting otherwise.
Bob is now convinced that $v^A$ is correct, ie $f(x, y) = v^A$. Bob is also assured that Alice only learned up to k bits of his input prior to revealing, with a probability of $2^{-k}$ of it being undetected.
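Review bot: the footnote label `[^1]` is defined twice in this file, once after Setup step 7 ("It is necessary that Alice retrieves her active input labels...") and again after the Execution section ("This is a significant deviation from standard DualEx protocols..."), while Setup step 4 and Execution steps 11 and 15 all reference `[^1]`. Markdown footnotes are document-scoped, so the two definitions collide and a reader of steps 11 and 15 cannot be sent to the intended note; rename the second definition to `[^2]` and update the references in steps 11 and 15. Two smaller notation points in the same hunk: the global-offset line writes `$\forall i: [x]^{1}_i = [x]^{0}_i \oplus \Delta$`, but `$[x]$` is defined just above as the single active encoding of $x$, so the pair of labels for wire $i$ should use the full encoding, e.g. `$[X]^{1}_i = [X]^{0}_i \oplus \Delta$`; and `$[V]_A$` (used in `$\mathsf{com}_{[V]_A}$`) and the parameter $k$ in the closing sentence are used without being introduced in the Notation list.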
@@ -94,9 +98,9 @@ Bob is now convinced that $v^A$ is correct, ie $f(x, y) = v^A$. Bob is also assu
[On the Leakage of Corrupted Garbled Circuits [DPB18]](https://eprint.iacr.org/2018/743.pdf) is recommended reading on this topic.
During the semi-honest phase, Alice has some degrees of freedom in how she garbles $G_A$. According to [DPB18], when using a modern garbling scheme such as [ZRE15], these corruptions boil down to two classes: detectable and undetectable.
During the first execution, Alice has some degrees of freedom in how she garbles $G_A$. According to [DPB18], when using a modern garbling scheme such as [ZRE15], these corruptions can be analyzed as two distinct classes: detectable and undetectable.
Recall that our scheme assumes Bob's input is an ephemeral secret which can be revealed in the final stage. For this reason, we are entirely unconcerned about the detectable variety. Simply providing Bob with the output label commitments $\mathsf{com}_{[v]_A}$ is sufficient to detect many different types of corruptions. In this context, our primary concern is regarding the _correctness_ of the output of $G_A$.
Recall that our scheme assumes Bob's input is an ephemeral secret which can be revealed at the end. For this reason, we are entirely unconcerned about the detectable variety. Simply providing Bob with the output labels commitment $\mathsf{com}_{[V]_A}$ is sufficient to detect these types of corruptions. In this context, our primary concern is regarding the _correctness_ of the output of $G_A$.
[DPB18] shows that any undetectable corruption made to $G_A$ is constrained to the arbitrary insertion of NOT gates into the circuit, such that $G_A$ computes $f_A$ instead of $f$. Note that any corruption of $d_A$ has an equivalent effect. [DPB18] also shows that Alice's ability to exploit this is constrained by the topology of the circuit.
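Review bot: "During the first execution" no longer matches the restructured protocol, where the section is now called "Execution" and both circuits are evaluated in parallel; "During the evaluation of $G_A$" would say what is meant. Same hunk: "the output labels commitment $\mathsf{com}_{[V]_A}$" should read "the output label commitment", matching the wording used in Setup step 1.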