Score:1

SHA-256 in binary-circuit-based MPC


In binary-circuit-based MPC, the parties each provide their inputs to compute the result, which indicates that the function $f(x_1, x_2, \dots, x_n)$ needs to accept $2$ or more inputs.

1. Why do there exist circuits, e.g. SHA-$256$, that take only one input?
2. When I check the SHA-256.txt file, it takes $2$ inputs, one input of $512$ bits and the other of $256$ bits. I assume the first one is the message; what about the other? What does it stand for?

This is the link where I checked the SHA-256.txt file.

Score:1
  1. I don't see any SHA circuit there with only one input.

  2. It explains right there on the page:

    For SHA-256 and SHA-512 we give a circuit which maps an input buffer and an input chaining state to the next chaining state.

    The SHA-256 round function takes a 512-bit block of the input data and a 256-bit chaining value, and outputs a new 256-bit chaining value. This allows the creators of this page to just give one SHA circuit (which otherwise would not be possible since SHA takes in strings of any length but a circuit has a single fixed input length). This also means that in order to use these circuits you must orchestrate the rest of the Merkle-Damgård chaining yourself and invoke this circuit possibly many times.


edit: SHA-256 is a Merkle-Damgård hash function, so its hashes are computed in the following way (image from Wikipedia):

(Image: Merkle–Damgård construction diagram, from Wikipedia)

The entire picture shows the SHA-256 computation on a long input of $n$ blocks (a block is 512 bits in SHA-256). The circuit files you found describe a circuit only for the yellow box labeled "$f$". The "chaining value" is the horizontal arrow connecting $f$-boxes.
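The answer's point in code, as an added example that is not part of the original answer or of the circuit files: the two-input round function $f$ (512-bit block plus 256-bit chaining value, 256-bit output), with SHA-256's constants derived exactly from the FIPS 180-4 prime-root definition, and the padding and chaining around it that a caller of the circuit has to orchestrate themselves. It is checked against `hashlib`.

```python
import hashlib, math, struct
MASK = 0xFFFFFFFF

def _primes(count):
    ps, n = [], 2                             # first `count` primes, for deriving the constants exactly
    while len(ps) < count:
        if all(n % p for p in ps):
            ps.append(n)
        n += 1
    return ps

def _icbrt(n):                                # exact floor(n ** (1/3)) by integer Newton iteration
    x = 1 << ((n.bit_length() + 2) // 3)      # start above the root; the iteration descends to it
    while True:
        y = (2 * x + n // (x * x)) // 3
        if y >= x:
            return x
        x = y

# FIPS 180-4 constants: K = fractional bits of cube roots of the first 64 primes,
# H0 = fractional bits of square roots of the first 8 primes (the fixed IV of a single-block circuit).
K = [_icbrt(p << 96) & MASK for p in _primes(64)]
H0 = [math.isqrt(p << 64) & MASK for p in _primes(8)]

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def compress(chain, block):
    """Round function f: 32-byte chaining value + 64-byte block -> new 32-byte chaining value.
    This is the whole of what the two-input SHA-256 circuit computes."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 64):                   # message schedule
        s0 = _rotr(w[i-15], 7) ^ _rotr(w[i-15], 18) ^ (w[i-15] >> 3)
        s1 = _rotr(w[i-2], 17) ^ _rotr(w[i-2], 19) ^ (w[i-2] >> 10)
        w.append((w[i-16] + s0 + w[i-7] + s1) & MASK)
    h_in = struct.unpack(">8I", chain)
    a, b, c, d, e, f, g, h = h_in
    for i in range(64):                       # 64 rounds
        t1 = (h + (_rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)) + ((e & f) ^ (~e & g)) + K[i] + w[i]) & MASK
        t2 = ((_rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)) + ((a & b) ^ (a & c) ^ (b & c))) & MASK
        a, b, c, d, e, f, g, h = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
    return struct.pack(">8I", *[(x + y) & MASK for x, y in zip(h_in, (a, b, c, d, e, f, g, h))])

def sha256_md(message):
    """The orchestration the circuit files leave to the caller: pad, then chain f over every block."""
    padded = message + b"\x80"
    padded += b"\x00" * ((56 - len(padded) % 64) % 64) + struct.pack(">Q", 8 * len(message))
    chain = struct.pack(">8I", *H0)           # fixed IV; each later block takes the previous output
    for i in range(0, len(padded), 64):
        chain = compress(chain, padded[i:i+64])
    return chain

def matches_hashlib(message):
    return sha256_md(message) == hashlib.sha256(message).digest()
```

For a one-block message the whole hash is a single `compress(H0, padded_block)` call, which is exactly the case the fixed-IV, single-input circuit on the old-circuits page hard-wires.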

Willi [fr]: For the 1st point, I'm not clear what a chaining value (chaining state) is. As far as I know, the input is always the input data, no matter how long the text is. Could you please elaborate a little bit more about the chaining value or give some references?
Answerer [us]: Please see my edits and let me know if things are still unclear.
Willi [fr]: Thanks! It's clear for me now.
Willi [fr]: A follow-up question: from the entire picture, the compression function f should have 2 inputs. The chaining value has 256 bits and the message block has 512 bits. However, the SHA-256.txt provides only 1 input with 512 bits. Why?
Willi [fr]: If a circuit takes only one input, it seems that there is no need to have 2 parties participating in the computation, since one party can finish the computation.
Answerer [us]: All of the SHA circuits on that site have 2 inputs (see the first number on the second line of those files).
Willi [fr]: I copied one value from the SHA-256 [file](https://homes.esat.kuleuven.be/~nsmart/MPC/sha-256.txt) as an example, which has the values 512 0 256. It indicates that party two has 0 inputs and party one has only 1 input with 512 bits, instead of 2 inputs.
Willi [fr]: A message block has 512 bits; how is it possible to pass an extra 256 bits for the IV/chaining input state?
Answerer [us]: I have no idea how you are getting to that file. The 4 SHA files linked from https://homes.esat.kuleuven.be/~nsmart/MPC/ all take 2 inputs.
Willi [fr]: I got that file from this [link](https://homes.esat.kuleuven.be/~nsmart/MPC/old-circuits.html). It violates my intuition.
Answerer [us]: Well, read the comment on that page: they only implement 1 block of SHA with fixed IV and not the general SHA round function. The circuit indeed only has one formal input, but it would be a trivial matter to modify this circuit so that each party has half of the input bits, or they have xor shares of the input bits, etc.
Willi [fr]: Thanks. I noticed that comment previously. However, it still didn't solve my question. Since the input of party one is 512 bits, there is no way for party two to provide their inputs. How can they xor shares of the input bits? Does it mean that they cannot use such a SHA-256 directly in a 2PC? Does it need to add some other gates which have only one output before this SHA-256 circuit?