Efficient MPC Optimizations for Garbled Circuits

Size: px

Start display at page:

Download "Efficient MPC Optimizations for Garbled Circuits"

Stephen Parrish
5 years ago
Views:

1 CIS 2018 Efficient MPC Optimizations for Garbled Circuits Claudio Orlandi, Aarhus University

2 Part 3: Garbled Circuits GC: Definitions and Applications Garbling gate-by-gate: Basic and optimizations Active security 101: simple-cut-and choose, dual-execution

3 Garbled Circuit Cryptographic primitive that allows to evaluate encrypted functions on encrypted inputs

4 r Garbled Circuits d Values in a box are garbled f x Gb e En [F] [X] Ev [Z] De z Correct if z=f(x)

5 Alice Application 1: One-time Delegation via GC Bob(x) [F] ([F],e,d) Gb( f,r ) preprocessing online [X] [X] En(e,x) [Z] Ev([F],[X]) [Z] z=de(d,[z])

6 Alice Application 1: One-time Delegation via GC Bob(x) [F] ([F],e,d) Gb( f,r ) Authenticity: If A is corrupted and [Z*] A([F],[X]), then De([Z*],d) is f(x) or preprocessing online [X] [Z*] [X] En(e,x) z*=de(d,[z*])

7 Garbled Circuits: Authenticity r d f x Gb e En [F] [X] Ev [Z*] De z* z*=f(x) OR z*= abort

8 Application 2: Passive Constant Round 2PC (Yao) Alice(x) Bob(y) x [X] 2PC (OT) e ([F],e,d) Gb( f,r ) [Y] En(e,y) [Z] Ev([F],[X],[Y]) [F], [Y], d z=de(d,[z])

9 Application 2: Passive Constant Round 2PC (Yao) Alice(x) Bob(y) x [X] 2PC (OT) e ([F],e,d) Gb( f,r ) [Y] En(e,y) [Z] Ev([F],[X],[Y]) [F], [Y], d z=de(d,[z]) Bob learns nothing about x!

10 Application 2: Passive Constant Round 2PC (Yao) Alice(x) Bob(y) x [X] 2PC (OT) e ([F],e,d) Gb( f,r ) [Y] En(e,y) [Z] Ev([F],[X],[Y]) [F], [Y], d z=de(d,[z]) How much information is leaked by GC?

11 Garbled Circuits: Privacy r d f x Gb e e.g., ϕ(f)=f or ϕ(f)= f En [F] [X] Ev [Z] Exist Sim s.t. ([F],[X],d) ~ Sim(ϕ(f),f(x)) De z

12 Part 3: Garbled Circuits Definitions and Applications Garbling gate-by-gate: Basic and optimizations Active security 101: simple-cut-and choose, dual-execution

13 Garbling: Gate-by-gate [x 1 ] [y 1 ] [x 2 ] [y 2 ] [x 3 ] [y 3 ] [x 4 ] [y 4 ] [x 5 ] [y 5 ] [w] w +e z * [w+e] 13

14 PROJECTIVE SCHEMES: CIRCUIT BASED GARBLING/EVALUATIONS

15 Garbling a Circuit : ([F],e,d) Gb(f) K 1 0,K 1 1 K 2 0,K 2 1 L 0,L 1 R 0,R 1 K 0,K 1 Z 0,Z 1 Choose 2 random keys K i 0,K i 1 for each wire in the circuit Input, internal and, output wires For each gate g compute gg Gb(g,L 0,L 1,R 0,R 1,K 0,K 1 ) Output e=(k i 0,K i 1) for all input wires d=(z 0,Z 1 ) [F]=(gg i ) for all gates i

16 Encoding and Decoding [X] = En(e,x) e={ K i 0, K i 1} x= { x 1,,x n } [X]={K 1 x1,,k n xn} z=de(d,[z]) d = { Z 0,Z 1 } [Z] = { K } z= 0 if K=Z 0, 1 if K=Z 1, abort else

17 Evaluating a GC : [Z] Ev([F],[X]) K 1 Parse [X]={K 1,,K n } K 2 gg 1 gg i gg i gg i gg i Parse [F]={gg i } L gg 2 K R gg i gg i gg i gg i For each gate i compute K Ev(gg i,l,r) gg n Output Z Z

18 INDIVIDUAL GATES GARBLING/EVALUATION

19 Notation L 0,L 1 R 0,R 1 gg A garbled gate is a gadget that given two inputs keys gives you the right output key (and nothing else) gg Gb(g,L 0,L 1,R 0,R 1,Z 0,Z 1 ) Z g(a,b) Ev(gg,L a,r b ) Z 0,Z 1 //and not Z 1-g(a,b)

20 Yao Gate Garbling (1) L R Z AND gate L Z R 20

21 Yao Gate Garbling (2) L R Z L 0 R 0 Z 0 L 0 R 1 Z 0 L 1 R 0 Z 0 L R L 1 R 1 Z 1 Z Choose labels (e.g., 128 bits strings) for every value on every wire 21

22 Yao Gate Garbling (3) C L R C 1 = G(L 0,R 0 ) Z 0 C 2 = G(L 0,R 1 ) Z 0 C 3 = G(L 1,R 0 ) Z 0 C 4 = G(L 1,R 1 ) Z 1 Z Encrypt the output key with the input keys G is some key derivation function so that the encryption is secure 22

23 Yao Gate Garbling (4) C C 1 = G(L 0,R 0 ) (Z 0,0 k ) C 2 = G(L 0,R 1 ) (Z 0,0 k ) C 3 = G(L 1,R 0 ) (Z 0,0 k ) L R C 4 = G(L 1,R 1 ) (Z 1,0 k ) K Add redundancy (later used to check if decryption is successful) 23

24 Yao Gate Garbling (5) C C 1 = G(L 0,R 0 ) (Z 0,0 k ) C 2 = G(L 0,R 1 ) (Z 0,0 k ) C 3 = G(L 1,R 0 ) (Z 0,0 k ) C 4 = G(L 1,R 1 ) (Z 1,0 k ) L R C 1,C 2,C 3,C 4 = perm(c 1,C 2,C 3,C 4 ) Z Permute the order of the ciphertexts (to hide information about inputs/outputs) 24

25 Yao Gate Evaluation (1) Eval(gg, L a, R b ) //not a,b For i=1..4 (K,t)=C i G(L a,r b ) If t=0 k output K Output is correct: t=0 k only for right row Evaluator learns nothing else: Encryption + permutation gg (permuted) C 1 = G(L 0,R 0 ) (K 1,0 k ) C 2 = G(L 0,R 1 ) (K 1,0 k ) C 3 = G(L 1,R 0 ) (K 1,0 k ) C 4 = G(L 1,R 1 ) (K 0,0 k ) 25

26 Efficiency gg G/Gb G/Eval Assumption on G Classic 8k 4 4 Standard

27 Point-and-permute Problem: Evaluator needs to try to decrypt all 4 rows Solution: add permutation bits to keys (L 0, p) (L 1,!p) (R 0, q) (R 1,!q) gg Gb(g,L 0,L 1,p,R 0,R 1,q,Z 0,Z 1,r) gg (Z 0, r) (Z 1,!r) (Z g(a,b),r ab) Ev(gg,L a,a p,r b,b q)

28 Point-and-permute Garbling (4) C C 1 = G(L 0,R 0 ) (Z 0, r 0 ) C 2 = G(L 0,R 1 ) (Z 0, r 0 ) C 3 = G(L 1,R 0 ) (Z 0, r 0 ) L R C 4 = G(L 1,R 1 ) (Z 1, r 1 ) Z Remove redundancy Add random permutation bit 28

29 Point-and-permute Garbling (5) C 0 = G(L p,r q ) (Z p q, r p q ) C 1 = G(L p,r!q ) (Z p!q, r p!q ) C 2 = G(L!p,R q ) (Z!p q, r!p q ) C 3 = G(L!p,R!q ) (Z p!q, r!p!q ) C Permute rows using p,q 29

30 Point-and-permute Evaluation Eval(gg, L, u, R, v) //not a,b (Z,r)=C 2u+v G(L,R) C C 0 = G(L p,r q ) (Z p q, r p q ) C 1 = G(L p,r!q ) (Z p!q, r p!q ) Output is correct: (Check permutation) Privacy: u=p a, v=q b p,q are one time pads for a,b C 2 = G(L!p,R q ) (Z! p q, r!p q ) C 3 = G(L!p,R!q ) (Z!p!q, r!p!q ) 30

31 Efficiency gg G/Gb G/Eval Assumption on G Classic 8k 4 4 Standard P&P 4k 4 1 Standard

32 GARBLING OPTIMIZATIONS: SIMPLE GARBLED ROW REDUCTION

33 Changing the syntax Problem: each gg is 4 ciphertexts Solution: define output key pseudorandomly as functions of input keys, reduce comm. complexity L 0 L 1 R 0 R 1 (gg, Z 0,Z 1 ) Gb(g,L 0,L 1,R 0,R 1 ) (Z g(a,b) ) Ev(gg,L a,r b ) gg Z 0 Z 1 Note, now garbling cannot be done in parallel anymore!

34 Garbling a Circuit : ([F],e,d) Gb(f) K 1 0,K 1 1 K 2 0,K 2 1 L 0,L 1 R 0,R 1 K 0,K 1 Z 0,Z 1 Choose 2 random keys K i 0,K i 1 for each wire in the circuit Input wire only! For each gate g compute (gg,k 0,K 1 ) Gb(g,L 0,L 1,R 0,R 1 ) Output e=(k i 0,K i 1) for all input wires d=(z 0,Z 1 ) [F]=(gg i ) for all gates i

35 Yao Gate Garbling (3) C C 1 = G(L 0,R 0 ) Z 0 L R C 2 = G(L 0,R 1 ) Z 0 C 3 = G(L 1,R 0 ) Z 0 C 4 = G(L 1,R 1 ) Z 1 K Encrypt the output key with the input keys 35

36 Garbled Row Reduction Garbling C Z 0 = G(L 0,R 0 ) (C 1 =0 k ) L R C 2 = G(L 0,R 1 ) Z 0 C 3 = G(L 1,R 0 ) Z 0 C 4 = G(L 1,R 1 ) Z 1 K Define output keys as function of input keys (compatible with p&p) Can reduce 2 rows, but 1 is compatible with Free-XOR (coming up!) 36

37 Efficiency gg G/Gb G/Eval Assumption on G Classic 8k 4 4 Standard P&P 4k 4 1 Standard +GRR 3k/2k 4 1 Standard

38 GARBLING OPTIMIZATIONS: FREE XOR

39 Free-XOR Problem: with secret sharing linear gates are for free. What about GC? Solution: introduce correlation between keys, make XOR computation free L 0 L 1 =L 0 Δ XOR R 0 R 1 =R 0 Δ (gg,z 0 ) Gb(g,L 0,R 0,Δ) (Z g(a,b) ) Ev(gg,L a,r b ) Z 0 Z 1 =Z 0 Δ

40 Changing syntax, again! K 1 0 K 2 0 Choose 1 random key K i 0 for each input wire in the circuit And global difference Δ L 0 R 0 K 0 Z 0 For each gate g compute (gg,k 0 ) Gb(g,L 0,R 0,Δ) Output e=(k i 0,K i 1) for all input wires d=(z 0,Z 1 ) [F]=(gg i ) for all gates i

41 What about AND Gates? Like before, but requires circular security assumption Evaluator sees L 0, R 0, Z 0, and G(L 0 Δ, R 0 Δ) Z 0 Δ And should not be able to compute Δ! Effectively an encryption of Δ under Δ!

42 Garbling/Evaluating XOR Gates L 0 L 1 =L 0 Δ XOR R 0 R 1 =R 0 Δ Gb(XOR,L 0,R 0,Δ) Output Z 0 =L 0 R 0 (gg is empty) Z 0 Z 1 =Z 0 Δ Ev(XOR,L a,r b,δ) (gg,z 0 ) Gb(g,L 0,R 0,Δ) Z a b Ev(gg,L a,r b ) Output Z a b =L a R b L a R b = L 0 aδ R 0 bδ = Z 0 (a b)δ = Z a b

43 Efficiency AND XOR gg G/Gb G/Eval gg G/Gb G/Eval Assumption on G Classic 8k 4 4 8k 4 4 Standard P&P 4k 4 1 4k 4 1 Standard +GRR 3k/2k 4 1 3k/2k 4 1 Standard +Free-XOR 3k Circular

44 Privacy Free Garbing In some application (example, the delegation of computation from the first slide) we don t care about hiding the input/output of the circuit to the evaluator. Can we construct more efficient garbling if we don t care about privacy, but only authenticity?

45 Privacy Free with Free XOR For XOR-gates it is hard to do better than free-xor What about AND gates? Let c=and(a,b) then If a = 0 c = 0 If a =1 c = b

46 Privacy-Free AND gates L 0 L 1 =L 0 Δ AND R 0 R 1 =R 0 Δ Gb(AND,L 0,R 0,Δ) Z 0 =G(L 0 ) // GRR C=G(L 1 ) Z 0 R 0 Z 0 Z 1 =Z 0 Δ (gg,z 0 ) Gb(g,L 0,R 0,Δ) Z ab Ev(gg,L a,a,r b,b) Ev(gg,L a,a,r b,b,δ) If a=0 : output Z 0 = G(L 0 ) If a=1 : output Z b =C G(L 1 ) R b Z b = C G(L 1 ) = Z 0 R 0 (R 0 Δ) = Z b

47 Efficiency AND XOR gg G/Gb G/Eval gg G/Gb G/Eval Assumption on G Classic 8k 4 4 8k 4 4 Standard P&P 4k 4 1 4k 4 1 Standard +GRR 3k/2k 4 1 3k/2 4 1 Standard +Free-XOR 3k Circular Privacy-Free* k Circular

48 Privacy-Free Garbling: Extension? Can the same trick help us also in garbling for 2PC? Can we let the evaluator learn the bit of some internal wires? No! Can we let the evalutor learn a one-time pad encryption of some internal wire? Sure, why not!

49 Half-Gate (Two Halves Make a Whole) Note that we can write: a b = (a r) (a (r b)) r known to garbler How to garble efficiently? r b known to evaluator can use PF garbling 1 AND 2 ANDs. How is this better? The garbled can choose a random r at garbling time Make sure that the evaluator learns (r b) How? Use the permutation bits from point&permute!

50 How to garble with hidden constant The garbled knows r and wants to garble c = a r If r = 0 c=0 If r = 1 c=a How to garble an unary gate, which is either the 0 gate or the identity gate depending on r?

51 Garbling AND with hidden-constant L 0 L 1 =L 0 Δ AND(a,r) Z 0 Z 1 =Z 0 Δ (gg,z 0 ) Gb(g,L 0,r,Δ) Z ar Ev(gg,L a ) Gb(AND,L 0,p,Δ) Z p =G(L p ) //GRR C 0 =0 k C 1 =G(L!p ) Z p rδ Ev(gg,L a,a p,δ) Output Z ar = C a p G(L a ) Let p=0 for simplicity C a G(L a ) = Z 0 a(rδ) = Z ar

52 Efficiency AND XOR gg G/Gb G/Eval gg G/Gb G/Eval Assumption on G Classic 8k 4 4 8k 4 4 Standard P&P 4k 4 1 4k 4 1 Standard +GRR 3k/2k 4 1 3k/2k 4 1 Standard +Free-XOR 3k Circular Privacy-Free* k Circular Half-Gate 2k Circular GLP 2k Standard GLP : Fast Garbling of Circuits Under Standard Assumptions (Gueron, Lindell, Pinkas) (The measure of G in this table is somehow arbitrary, in practice the size of the input to G makes a difference in runtime)

53 Part 3: Garbled Circuits Definitions and Applications Garbling gate-by-gate: Basic and optimizations Active security 101: simple-cut-and choose, dual-execution

54 ACTIVE ATTACKS VS YAO

55 Yao s protocol Alice Bob x [X] OT e ([F],e,d) Gb( f,r ) [Y] En(e,y) [Z] Ev([F],[X],[Y]) [F], [Y], d z=de(d,[z]) Passive Security Only 1 GC! Constant round! Very fast!

56 Active security of Yao Alice Bob x [X] OT e ([F],e,d) Gb( f,r ) [Y] En(e,y) [F], [Y], d Cannot really cheat!

57 Alice Active security of Yao (v2, Bob gets output) Bob x [X] OT e ([F],e,d) Gb( f,r ) [Y] En(e,y) [F], [Y], d [Z*] z*=de(d,[z*]) Still can t cheat, authenticity!

58 Garbled Circuits: Authenticy r d f x Gb e En [F] [X] Ev [Z*] De z* For all corrupt Ev z*=f(x) or z*=abort

59 Active security of Yao Alice(x) Bob(y) x [X] OT e ([F],e,d) Gb( f,r ) [Y] En(e,y) [Z] Ev([F],[X],[Y]) [F], [Y], d z=de(d,[z]) What if B is corrupted?

60 Insecurity 1 (wrong f) Alice(x) Bob(y) x [X] OT e ([G],e,d) Gb( g,r ) [Y] En(e,y) [Z] Ev([G],[X],[Y]) [G], [Y], d z=de(d,[z]) g!= f z!= f(x,y)

61 Insecurity 2 (selective failure) Alice(x) [Z] Ev([G],[X],[Y]) z=de(d,[z]) x (K 0,K 1 ) ([F],e,d) Gb( f,r ) [X]=K x OT [G], [Y], d Bob(y) [Y] En(e,y)

62 Insecurity 2 (selective failure) Alice(x) Bob(y) x [X*] OT (K 0,K*) ([F],e,d) Gb( f,r ) [Y] En(e,y) [Z*] Ev([G],[X*],[Y]) [G], [Y], d z*=de(d,[z*]) x=0 z*=f(x,y) x=1 z*=abort

63 SIMPLE TRICKS FOR ACTIVE SECURITY

64 ZKGC (Alice proves f(x)=z) Alice(x) Bob( ) x [X] OT e ([F],e,d) Gb( f,r ) [F] [Z] Ev([F],[X]) [Z] z=de(d,[z]) Bob has no input!

65 ZKGC (Alice proves f(x)=z) Alice(?) Bob( ) x [X] OT e ([F],e,d) Gb( f,r ) [F] [Z*] z*=de(d,[z*]) Authenticity!

66 ZKGC (Alice proves f(x)=z) Alice Bob x [X] OT e ([F],e,d) Gb( f,r ) [F] [Z] Ev([F],[X]) [Z] z=de(d,[z]) Corrupt B can change f with g. Break privacy!

67 ZKGC (Alice proves f(x)=z) Alice Bob Commitment x [X] OT e ([F],e,d) Gb( f,r ) [F] [Z] Ev([F],[X]) [Z] If [F]!=Gb(f,r) abort else r [Z] Opening z=de(d,[z]) Active security! Only 1 GC!

68 Cut-And-Choose

69 2PC, simple cut-and-choose Alice x e 1,e 2 OT Bob [X 1 ],[X 2 ] ([F] i,e i,d i ) Gb( f,r i ) If Gb(f,r -j )!= [F] -j abort else [Z] j Ev([F] j,[x] j,[y] j ) [F] 1,[F] 2,d 1,d 2 rand j r -j, [Y] j [Y] j En(e j,y) z=de(d j,[z] j )

70 2PC, simple cut-and-choose Alice If Gb(f,r -j )!= [F] -j abort else [Z] j Ev([F] j,[x] j,[y] j ) x e 1,e 2 [X 1 ],[X 2 ] OT [F] 1,[F] 2,d 1,d 2 rand j r -j, [Y] j Bob z=de(d j,[z] j ) Corrupt Bob only wins with probability 1/2

71 2PC, cut-and-choose Simple cut-and-choose Garble k, check k-1, evaluate 1. Security 1-1/k Advanced cut-and-choose (see references) Garble 2k, check k, evaluate k Output majority result Security with 2 -O(k) (Need mechanisms to ensure the same input is used!)

72 Dual Execution

73 Alice [Z 1 ] Ev([F 1 ],[X 1 ],[Y 1 ]) x e Bob 1 [X 1 ] OT ([F 1 ],e 1,d 1 ) Gb(f,r 1 ) [Y [F 1 ], [Y 1 ] 1 ] En(e 1,y) ([F 2 ],e 2,d 2 ) Gb(f,r 2 ) [X 2 ] En(e 2,x) e 2 OT [F 2 ], [X 2 ] y [Y 2 ] [Z 2 ] Ev([F 2 ],[X 2 ],[Y 2 ]) [Z 1 ],d 2 [Z 2 ],d 1 z/abort De(d,[Z]) == De(d,[Z]) z/abort

74 Alice x e Bob 1 [X 1 ] OT ([F 1 ],e 1,d 1 ) Gb(f,r 1 ) [Y [F 1 ], [Y 1 ] 1 ] En(e 1,y) Authenticity [Z 1 ] is the right output! e 2 OT [F * ], [X 2 ] y [Y 2 ] [Z * ] Ev([F 2 ],[X 2 ],[Y 2 ]) [Z 1 ],d 2 [Z * ],d 1 z/abort De(d,[Z]) == De(d,[Z]) z/abort f(x,y) or abort

75 Alice x e Bob 1 [X 1 ] OT ([F 1 ],e 1,d 1 ) Gb(f,r 1 ) [Y [F 1 ], [Y 1 ] 1 ] En(e 1,y) e 2 OT [F * ], [X 2 ] y [Y 2 ] [Z * ] Ev([F 2 ],[X 2 ],[Y 2 ]) [Z 1 ],d 2 [Z * ],d 1 z/abort De(d,[Z]) == De(d,[Z]) z/abort Selective failure [Z*]=[Z] iff y=0 1 bit leakage

76 Forge And Lose

77 2PC, forge-and-lose (idea) Alice x OT e i Bob [X i ] ([F] i,e i,d i ) Gb( f,r i ) { [F] i } i Cut-and-Choose Generate k, check k/2 [Y i ] [Y] i En(e i,y) [Z] i Ev([F] i,[x] i,[y] i ) [Z] i y SMAC Punish Bob If exist i, j De(d i,[z] i )!= De(d j,[z] j ) y,d i

78 2PC, forge-and-lose (idea) Alice x OT e i Bob [X i ] ([F] i,e i,d i ) Gb( f,r i ) { [F] i } i Cut-and-Choose Generate k, check k/2 [Y i ] [Y] i En(e i,y) [Z] i Ev([F] i,[x] i,[y] i ) [Z] i y SMAC Punish Bob If exist i, j De(d i,[z] i )!= De(d j,[z] j ) y,d i Whp at least one unchecked circuit is correct real output will be used in SMAC

79 2PC, forge-and-lose (idea) Alice x OT e i Bob [X i ] ([F] i,e i,d i ) Gb( f,r i ) Cut-and-Choose Generate k, check k/2 [Y i ] [Y] i En(e i,y) Authenticity Corrupt Alice cannot blame honest Bob [Z] i y SMAC Punish Bob If exist i, j De(d i,[z] i )!= De(d j,[z] j ) y,d i

80 Summary Garbling Schemes Definitions and Applications Efficient Garbling Techniques Point&Permute, Garbled Row Reduction, Free- XOR, Half-Gate, Privacy-Free, How to use Garbled Circuits with active corruptions

81 Primary References Cryptographic Computing, lecture notes, (with theory and programming exercises) A Brief History of Practical Garbled Circuit Optimizations (Rosulek) Fast Cut-and-Choose-Based Protocols for Malicious and Covert Adversaries (Lindell) Two Halves Make a Whole - Reducing Data Transfer in Garbled Circuits Using Half Gates (Zahur et al.) Privacy-Free Garbled Circuits with Applications to Efficient Zero- Knowledge (Frederiksen et al.) Zero-knowledge using garbled circuits: how to prove non-algebraic statements efficiently (Jawurek et al.) Improved Garbled Circuit: Free XOR Gates and Applications (Kolesnikov et al.) Foundations of Garbled Circuits (Bellare et al.)

82 Other References Fast Garbling of Circuits Under Standard Assumptions (Gueron et al.) Garbling Gadgets for Boolean and Arithmetic Circuits (Ball et al.) FleXOR: Flexible Garbling for XOR Gates That Beats Free-XOR (Kolesnikov et al.) MiniLEGO: Efficient Secure Two-Party Computation From General Assumptions (Frederiksen et al.) Secure Two-Party Computation with Reusable Bit-Commitments, via a Cutand-Choose with Forge-and-Lose Technique (Brandao) Secure Two-Party Computation via Cut-and-Choose Oblivious Transfer (Lindell, Pinkas) An Efficient Protocol for Secure Two-Party Computation in the Presence of Malicious Adversaries (Lindell, Pinkas) Efficiency Tradeoffs for Malicious Two-Party Computation (Mohassel et al.)

Multi-Party 2 Computation Part 3

ECRYPT.NET Cloud Summer School Multi-Party 2 Computation Part 3 Claudio Orlandi, Aarhus University Plan for the next 3 hours Part 1: Secure Computation with a Trusted Dealer Warmup: One-Time Truth Tables