Score:1

Crypto

SHA-256 in binary-circuit-based MPC

Willi

7/14/23, 1:38 PM

For a binary-circuit-based MPC, the multiparty will provide its inputs to calculate the result, which indicated the function $f(x_1, x_2, \dots,x_n)$ needs to accept $2$ or more inputs.

1. Why do there exist circuits e.g, SHA-$256$, which takes only one input?
1. When I check the SHA-256.txt files, it takes $2$ inputs, one input for $512$ bits and the other input for $256$ bits, I assume the first one is the message, how about the other? What does it stand for?

This is the link where I check the SHA-256.txt file.

0 + 0

multiparty-computation

sha-256

Score:1

Crypto

Mikero

7/15/23, 2:35 PM

I don't see any SHA circuit there with only one input.
It explains right there on the page:

For SHA-256 and SHA-512 we give a circuit which maps an input buffer and an input chaining state to the next chaining state.

The SHA-256 round function takes a 512-bit block of the input data and a 256-bit chaining value, and outputs a new 256-bit chaining value. This allows the creators of this page to just give one SHA circuit (which otherwise would not be possible since SHA takes in strings of any length but a circuit has a single fixed input length). This also means that in order to use these circuits you must orchestrate the rest of the Merkle-Damgård chaining yourself and invoke this circuit possibly many times.

edit: SHA-256 is a Merkle-Damgård hash function, so its hashes are computed in the following way (image from Wikipedia):

The entire picture shows the SHA-256 computation on a long input of $n$ blocks (a block is 512 bits in SHA-256). The circuit files you found describe a circuit only for the yellow box labeled "$f$". The "chaining value" is the horizontal arrow connecting $f$-boxes.

0 + 0

Willi

7/15/23, 4:55 PM

For 1st point, I'm not clear what is a chainning value (chaning state)? So far as I know, the input is always the input data no matter long the text is. Could you please elaborate a little bit about changing aluemore or give some references?

Mikero

7/15/23, 9:50 PM

Please see my edits and let me know if things are still unclear.

Willi

7/16/23, 9:20 AM

thanks! It's clear for me now.

Willi

7/18/23, 9:57 AM

A follow-up question: from the entire picture, the compression function f should have 2 inputs. The chaining value has 256 bits and the message block has 512 bits. However, the SHA-256.txt provides only 1 input with 512 bits. Why?

Willi

7/18/23, 10:07 AM

If a circuit takes only one input, it seems that there is no need to have 2 parties participating in the computation since one party can finish the computation.

Mikero

7/18/23, 2:12 PM

All of the SHA circuits on that site have 2 inputs (see the first number on the second line of those files).

Willi

7/18/23, 2:32 PM

I copy one value from SHA-256 [files](https://homes.esat.kuleuven.be/~nsmart/MPC/sha-256.txt) as an example, which has values 512 0 256. It indicates that party two has 0 inputs and party one has only 1 input with 512 bits instead of 2 inputs.

Willi

7/18/23, 2:39 PM

A message block has 512 bits, how is it possible to pass extra 256 bits for IV/chaining input state?

Mikero

7/18/23, 5:09 PM

I have no idea how you are getting to that file. The 4 SHA files linked from https://homes.esat.kuleuven.be/~nsmart/MPC/ all take 2 inputs.

Willi

7/18/23, 6:10 PM

I got that file from this [link](https://homes.esat.kuleuven.be/~nsmart/MPC/old-circuits.html). It violates my intuition.

Mikero

7/18/23, 6:21 PM

Well, read the comment on that page: they only implement 1 block of SHA with fixed IV and not the general SHA round function. The circuit indeed only has one formal input, but it would be a trivial matter to modify this circuit so that each party has half of the input bits, or they have xor shares of the input bits, etc.

Willi

7/18/23, 6:54 PM

Thanks. I noticed that comment previously. However, it still didn't solve my question. Since the input of party one is 512 bits, there is no way for party two to provide their inputs. How can they xor shares of the input bits? Does it mean that they can not use such SHA-256 directly in a 2PC? Does it need to add some other gates which have only one outputs before this SHA-256 circuit?

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: SHA-256 in binary-circuit-based MPC

TH: SHA-256 ใน MPC ที่ใช้วงจรไบนารี

RO: SHA-256 în MPC bazat pe circuit binar

RU: SHA-256 в MPC на основе двоичной схемы

VI: SHA-256 trong MPC dựa trên mạch nhị phân

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.