New Advances in Garbling Circuits

 New Advances in Garbling Circuits

Based on joint works withYuval Ishai Eyal Kushilevitz Brent Waters

University of TexasTechnion Technion

Benny ApplebaumTel Aviv University

Garbled Circuit

Yao, 80’s

“Encryption of a function”

Garbled Circuit Construction

x1 x2 x3 x4

K1,1 K2,1 K3,1 K4,1

0110101101010011111101010010111111010101001110101001011001010110

0110111010010011111110010110111001011001110110110001101010110111

1110101010100110011101010010111101010100111110111001001010110111

01101101010011001101110101001001110101010011011101110010101010010111

K1,0 K2,0 K3,0 K4,0

Boolean circuit C Garbled circuit C’

Pairs of short keys

𝐶 (𝑥 )𝐶 ′ ,𝐾 𝑖 ,𝑥 𝑖simulatordecoder

• Can be based on any pseudorandom generator[BM82,Yao82] (or one-way function [HILL90])

C’

Input X “Simple & Short”

Applications• Constant-round secure computation

[Yao82,BMR90...]– Related to: computing on encrypted data [SYY99]– Alternative technique: FHE [Gentry09,…]

• Parallel cryptography [AIK05]

• One-time programs [GKR08]

• Verifiable computation [GGP10,…]

• KDM-secure encryption [BHHI10,...]

• Functional Encryption [SS10,…]

Non-Interactive Delegation

x C(x)

offline: C’

online: Kx

Yao’s Construction• Each wire w has 0-key and 1-key

– Colored “blue” and “green” at random

1-keyw w

0-key

Yao’s Construction• Each wire w has 0-key and 1-key

– Colored “blue” and “green” at random

• Ki,b= b-key of input wire i • C’ = color code for output wires

+ “garbled gates”

1-keyw w

0-key

0110101101010011111101010010111111010101001110101001011001010110

0110111010010011111110010110111001011001110110110001101010110111

1110101010100110011101010010111101010100111110111001001010110111

01101101010011001101110101001001110101010011011101110010101010010111

0 1 0 0

0 1

0

0

Garbled Gates

a b

c

b

a

b

a

a

a

b

b

c

c

c

c

Post-Yao Constructions ? • A lot of progress wrt implementation

– E.g., Fair-Play [MNPS04] …• Better concrete efficiency

– Free XOR gates [KS08]…– 3 ciphertexts per gate [PSSW09]

• Little theoretical progress– Info-theoretic variants for restricted classes [IK00-2]– Rerandomizable GC [GHV10]

• No asymptotic improvements !

x1 x2 x3 x4

Random

K1,1 K2,1 K3,1 K4,1

0110101101010011111101010010111111010101001110101001011001010110

0110111010010011111110010110111001011001110110110001101010110111

1110101010100110011101010010111101010100111110111001001010110111

01101101010011001101110101001001110101010011011101110010101010010111

K1,0 K2,0 K3,0 K4,0

Boolean circuit C

Random

C(X) C’, X’

Simulator

Decoder

(public)

Abstraction (Randomized Encoding [IK00])

Input X Garbled Input X’

Garbled circuit C’

Boolean circuit C

Random

(public)

Abstraction (Randomized Encoding [IK00])

Input X Garbled Input X’

Garbled circuit C’

n bits“Simple”

Decomposable Affine K1(X1) … Kn(Xn)

where Ki is affine over F2

“Short” n bits

Q1: Can we shorten the garbled input X’?Q2: Can we garble arithmetic circuits?

“Simple”

Decomposable Affine K1(X1) … Kn(Xn)

where Ki is affine over F2

Affine

X’=K(X)

where K is affine

How short can X’ be? [AIKW12]

Input X Garbled Input X’n bits

Constant Online-Rate?Thm. Impossible if X’ is decomposableObservation: Typically Affinity suffices

X’

O(n) + ?“Short” n bits

n + [This work]

Thm. Affine GC with online-rate 1 under DDH, RSA, LWE.

Cn C4 C3 C2 C1Mn C4 C3 M2 C1

Gadget: Online/Offline EncryptionAlice Bob

subset s{1,…,n}

EncK

Key length = Independent of the number of plaintexts

Mn M4 M3 M2 M1

1 0 0 1 0

KS

Gadget Succinct GC

Boolean circuit C Garbled circuit C’

Yao Gadget

Random

Garbled circuit C’

Input X Subset

KS

C(x)

Decoder

Simulator

Implementing the GadgetTool: Symmetric Encryption with

Additive Homomorphism for Keys/Message

EK1(M1)+…+EKn(Mn)= EK1+…+Kn(M1+…+Mn)

• One-Time Security suffices• Can be implemented under DDH• Close variants under LWE, RSA

M1

M3

C1

C2

C3

C4

From Homomorphism to Online/Offline Encryption

Alice C1 C2 C3 C4

Ci=Enc(Ki,Mi)Mn M4 M3 M2 M1

0 1 0 1KS

M1

M2

M3

M4

C1+C3

Application 1: Verifiable ComputationOptimal online complexity using [GGP10,AIK10]Previous works: multiplicative overhead in

output

Offline |f| bits

n+ bit

m+ bit

x

f:{0,1}n{0,1}m

Weak Client Untrusted Server

Semi-Honest MPC for f:{0,1}n{0,1}m

Application 2: MPC with preprocessing

bA B

Alice Bob

f(A,B)

Semi-Honest MPC for f:{0,1}n{0,1}m

Offline |f| bits

n bits

n+ bits

Application 2: MPC with preprocessing

b

Garbled circuit C’

rA rB

ArA A

BrB B

Decoder

Alice Bob

• 1 online round• Online Communication does not grow with m• Additive dependency in

f(A,B)

Malicious MPC ? Adaptive choice of inputs ?

Offline |f| bits

n bits

n+ bits

Application 2: MPC with preprocessing

b

Garbled circuit C’

rA rB

A B

Decoder

Alice Bob

Homomorphic MACs [BDOZ11]

f(A,B)

• No succinct GC with adaptive security

• Can be achieved with Random Oracle

• Not needed in some applications – offline private inputs (Shares of signing

key)– Independent online public inputs (Docs to be signed)

Adaptive Choice of Inputs?

Garbling Arithmetic Circuits? [AIK11]

• Gates perform addition or multiplication • Operations over a large domain (e.g., field F)

Garbling arithmetic circuits? [AIK11]

Boolean circuit C

Random

Input X Garbled Input X’

Garbled circuit C’

“Simple”

Decomposable Affine K1(X1) … Kn(Xn)

Ki :F2F2 is affine

Arithmetic circuit C

• Extends applications to arithmetic setting • Non-trivial if the field is large ! • Requires new approach

Thm. Arithmetic GC (over large integers) under LWE (or OWF less efficiently).

Ki:FF

Garbling arithmetic formulas [IK02]

Boolean circuit C

Random

Input X Garbled Input X’

Garbled circuit C’

“Simple”

Decomposable Affine K1(X1) … Kn(Xn)

Ki :F2F2 is affine

Arithmetic Formula C

Problem 1: Limited to Formulas Problem 2: Large blow-upKey Idea: Solving 2 Solving 1

Ki:FF

|C|2

Key-Shrinking Gadget

• a,b,W can depend on c,d and randomness• Special type of “functional encryption”• Implementation over the integers from LWE

y +c d y +a b Wdecoder

simulator

xx + x

y1i-1 y2

i-1 y3i-1 y4

i-1 +a1

Wi-1

Ci-1

C1

Ci+1

……… … …

……… … …

y1i-1

y1i y2

i y3i y4

i

b1…

AGC for C1… Ci-1

Garbling the Circuit Layer-by-Layer

xx + x

y1i-1 y2

i-1 y3i-1 y4

i-1 +a1

Wi-1

Ci-1

C1

Ci+1

……… … …

……… … …

y1iy2

i

y1i y2

i y3i y4

i

b1…

Substitution

Garbling the Circuit Layer-by-Layer

Garbling the Circuit Layer-by-Layer

xx + x

y1i-1 y2

i-1 y3i-1 y4

i-1 +c1

Wi-1

Ci-1

C1

Ci+1

……… … …

……… … …

y1i

y1i y2

i y3i y4

i

d1…+c2 d2

y2i

Affinization [IK02]

xx + x

y1i-1 y2

i-1 y3i-1 y4

i-1 +

Wi

Ci-1

C1

Ci+1

……… … …

……… … …

y1i

y1i y2

i y3i y4

i

…+y2ia1 b1 a2 b2

Key shrinking

Garbling the Circuit Layer-by-Layer

Conclusion• GC with optimal online-rate for Boolean circuits

– Applications with optimal online communication

• General approach for arithmetic garbled circuits– Alternative to Yao’s “garbled tables” approach– Instantiated using LWE– Extends applications to arithmetic setting– New modular, simplified proof for Boolean case

• Constant online-rate for arithmetic formulas

Open QuestionsArithmetic setting• circuits over finite fields?• arithmetic decoder?

Efficiency• Shorten the offline part? |C’|=O(|C|)?• Can get it for natural class of arithmetic functions• Less computational overhead ? (online/offline)

Take-Home Message: What are Garble Circuits?

FHE for the poor

Just

ItPowerful tool superior

to FHE in some aspects (Asymptotically & Concretely)