New Advances in Garbling Circuits
Benny Applebaum, Tel Aviv University
Based on joint works with Yuval Ishai (Technion), Eyal Kushilevitz (Technion) and Brent Waters (University of Texas)
Feb 25, 2016
Garbled Circuit
Yao, 80’s
“Encryption of a function”
Garbled Circuit Construction
[Figure: inputs x1 … x4, each with a pair of short keys K_{i,0} / K_{i,1}; the garbled circuit C’ is drawn as a long random-looking bit string]
• Boolean circuit C → garbled circuit C’
• Each input wire i gets a pair of short keys K_{i,0}, K_{i,1}; for input X the garbled input is (K_{i,x_i})_i, which is “simple & short”
• Decoder: from C’ and (K_{i,x_i})_i recover C(x)
• Simulator: C’ together with the keys K_{i,x_i} can be simulated given C(x) alone
• Can be based on any pseudorandom generator [BM82,Yao82] (or one-way function [HILL90])
Applications
• Constant-round secure computation [Yao82,BMR90...]
– Related to: computing on encrypted data [SYY99]
– Alternative technique: FHE [Gentry09,…]
• Parallel cryptography [AIK05]
• One-time programs [GKR08]
• Verifiable computation [GGP10,…]
• KDM-secure encryption [BHHI10,...]
• Functional Encryption [SS10,…]
Non-Interactive Delegation
• Offline: the garbled circuit C’ is sent ahead of time
• Online: for input x only the garbled input K_x is sent; the receiver decodes C(x)
Yao’s Construction
• Each wire w has a 0-key and a 1-key
– Colored “blue” and “green” at random
• K_{i,b} = b-key of input wire i
• C’ = color code for output wires + “garbled gates”
[Figure: the evaluator holds one key per input wire, follows the colors gate by gate through the garbled circuit, and reads the output bits from the color code (wire values 0 1 0 0 → 0 1 → 0 in the example)]

Garbled Gates
[Figure: for a gate with input wires a, b and output wire c, the four rows of the truth table are encrypted, one row per combination of an a-key and a b-key, each row hiding the key of c that corresponds to the gate’s output on that pair]
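The construction described above, as an added example (it is not code from the talk or from any library): a minimal Yao garbling with the random colour bits used for "point-and-permute". SHA-256 is assumed as the PRF/PRG, the key length is a toy 16 bytes, and the sample circuit (x1 AND x2) XOR (x3 OR x4) is constructed for the demonstration.

```python
import hashlib
import os

# Added example (not the talk's or any library's code): Yao's garbled circuit with
# "point-and-permute" colour bits, instantiated with SHA-256 as the PRF (an assumption).
KEY_LEN = 16  # key length in bytes (toy size)

AND, OR, XOR = (0, 0, 0, 1), (0, 1, 1, 1), (0, 1, 1, 0)  # truth tables indexed by 2*u + v

def prf(k_a, k_b, gate_id):
    """Derive a one-time pad from the two active input keys and the gate index."""
    return hashlib.sha256(k_a + k_b + gate_id.to_bytes(4, "big")).digest()[:KEY_LEN]

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def colour(key):
    """The random colour bit ("blue"/"green") attached to a key: its lowest bit."""
    return key[0] & 1

def fresh_wire():
    """Return (0-key, 1-key) for a wire; the two keys get opposite random colours."""
    k0 = bytearray(os.urandom(KEY_LEN))
    k1 = bytearray(os.urandom(KEY_LEN))
    k1[0] = (k1[0] & 0xFE) | (1 - colour(k0))
    return bytes(k0), bytes(k1)

def garble(circuit, n_inputs, outputs):
    """circuit: list of (in_a, in_b, out, truth_table); input wires are numbered 0..n_inputs-1.
    Returns C' = (garbled gates, output colour code) and the per-input key pairs K_{i,b}."""
    wires = {i: fresh_wire() for i in range(n_inputs)}
    garbled_gates = []
    for gate_id, (a, b, out, table) in enumerate(circuit):
        wires[out] = fresh_wire()
        rows = {}
        for u in (0, 1):
            for v in (0, 1):
                k_a, k_b = wires[a][u], wires[b][v]
                # The row is placed by the colours of the two keys, so the evaluator can find
                # the right row without learning the plaintext bits (u, v).
                rows[(colour(k_a), colour(k_b))] = xor_bytes(
                    prf(k_a, k_b, gate_id), wires[out][table[2 * u + v]])
        garbled_gates.append((a, b, out, rows))
    # Colour code: the colour of each output wire's 0-key lets the evaluator decode the result bit.
    code = {w: colour(wires[w][0]) for w in outputs}
    input_keys = [wires[i] for i in range(n_inputs)]
    return (garbled_gates, code), input_keys

def garble_input(input_keys, x):
    """The garbled input X' = (K_{1,x_1}, ..., K_{n,x_n})."""
    return [input_keys[i][bit] for i, bit in enumerate(x)]

def evaluate(garbled_circuit, garbled_input):
    """The decoder: walks the gates holding one active key per wire, then reads output colours."""
    garbled_gates, code = garbled_circuit
    active = {i: k for i, k in enumerate(garbled_input)}
    for gate_id, (a, b, out, rows) in enumerate(garbled_gates):
        k_a, k_b = active[a], active[b]
        active[out] = xor_bytes(prf(k_a, k_b, gate_id), rows[(colour(k_a), colour(k_b))])
    return [colour(active[w]) ^ code[w] for w in code]

def plain_eval(circuit, x, outputs):
    """Reference evaluation of the Boolean circuit in the clear."""
    vals = dict(enumerate(x))
    for a, b, out, table in circuit:
        vals[out] = table[2 * vals[a] + vals[b]]
    return [vals[w] for w in outputs]

# Constructed sample circuit: f(x1..x4) = (x1 AND x2) XOR (x3 OR x4); wires 4..6 are gate outputs.
SAMPLE_CIRCUIT = [(0, 1, 4, AND), (2, 3, 5, OR), (4, 5, 6, XOR)]
SAMPLE_OUTPUTS = [6]

def check_all_inputs(circuit=SAMPLE_CIRCUIT, n_inputs=4, outputs=SAMPLE_OUTPUTS):
    """Garble once, then confirm the decoder agrees with plain evaluation on every input."""
    gc, input_keys = garble(circuit, n_inputs, outputs)
    for v in range(2 ** n_inputs):
        x = [(v >> i) & 1 for i in range(n_inputs)]
        if evaluate(gc, garble_input(input_keys, x)) != plain_eval(circuit, x, outputs):
            return False
    return True

if __name__ == "__main__":
    print("garbled circuit agrees with plain evaluation:", check_all_inputs())
```

The evaluator only ever holds one key per wire and a colour pair per gate, which is why the garbled input (K_{i,x_i})_i is "simple": each component depends on a single input bit. The same structure is what the later slides call decomposable.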
Post-Yao Constructions?
• A lot of progress wrt implementation
– E.g., Fair-Play [MNPS04] …
• Better concrete efficiency
– Free XOR gates [KS08]…
– 3 ciphertexts per gate [PSSW09]
• Little theoretical progress
– Info-theoretic variants for restricted classes [IK00-2]
– Rerandomizable GC [GHV10]
• No asymptotic improvements!
Abstraction (Randomized Encoding [IK00])
[Figure: Boolean circuit C + randomness → garbled circuit C’ (public); input X + the same randomness → garbled input X’; the decoder maps (C’, X’) to C(X) and the simulator produces (C’, X’) from C(X)]
• Decoder: from C’ and X’ recover C(X)
• Simulator: (C’, X’) can be simulated from C(X) alone
• “Simple”: X’ is decomposable affine, X’ = K1(X1) … Kn(Xn), where each Ki is affine over F2
• “Short”: the input X has n bits, and X’ should not be much longer
Q1: Can we shorten the garbled input X’?
Q2: Can we garble arithmetic circuits?

How short can X’ be? [AIKW12]
• “Simple” in Yao: X’ is decomposable affine, K1(X1) … Kn(Xn) with each Ki affine over F2
• Relaxation (affine): X’ = K(X) where K is affine, not necessarily decomposable
• Constant online-rate, i.e., |X’| = O(n) + … for an n-bit input X?
– Thm. Impossible if X’ is decomposable
– Observation: typically affinity suffices
• [This work] |X’| = n + … (the overhead is additive, not multiplicative)
• Thm. Affine GC with online-rate 1 under DDH, RSA, LWE.
Gadget: Online/Offline Encryption
• Alice holds plaintexts M1, …, Mn
• Offline: Alice sends ciphertexts C1, …, Cn to Bob
• Online: for a subset S ⊆ {1,…,n}, Alice sends a single key K_S, and Bob recovers exactly the M_i with i ∈ S (in the figure, subset 1 0 0 1 0 reveals Mn and M2 while the other C_i stay encrypted)
• Key length = independent of the number of plaintexts

Gadget ⇒ Succinct GC
• Garble the Boolean circuit C with Yao’s construction; the gadget delivers the input keys
• Online: the input X determines a subset S, and Bob receives K_S
• Decoder and simulator go through as before: Bob recovers C(x) and learns nothing else

Implementing the Gadget
Tool: symmetric encryption with additive homomorphism for keys/messages
E_{K1}(M1) + … + E_{Kn}(Mn) = E_{K1+…+Kn}(M1+…+Mn)
• One-time security suffices
• Can be implemented under DDH
• Close variants under LWE, RSA

From Homomorphism to Online/Offline Encryption
• Offline: Alice sends C_i = Enc(K_i, M_i) for i = 1, …, n
• Online, for a subset S (in the figure 0 1 0 1, selecting M1 and M3): Alice sends K_S = Σ_{i∈S} K_i
• Bob adds the selected ciphertexts, C1 + C3 = E_{K1+K3}(M1+M3), and decrypts with K_S to obtain the selected plaintexts M1, M3
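An added example of the gadget above, written for this page rather than taken from the talk or from [AIKW12] (the paper's exact scheme may differ): a one-time symmetric encryption whose keys add modulo the group order and whose messages add in the exponent, so that E_{K1}(M1)·E_{K2}(M2) = E_{K1+K2}(M1+M2) componentwise, used to deliver Yao input keys with one group-element online message. The DDH-style group is a toy subgroup of Z_1019^* (constructed, not a secure parameter), each M_i is placed in its own block so that sums of selected plaintexts can be read back, and the extra ciphertext C_0 carrying all the 0-keys is an assumption of this example.

```python
import secrets

# Added example; toy DDH-style group (NOT secure parameters): subgroup of prime order Q in Z_P^*.
P = 1019              # safe prime, P = 2*Q + 1
Q = 509               # prime order of the subgroup of quadratic residues

def random_generator():
    """A random element of the order-Q subgroup (any quadratic residue other than 1)."""
    while True:
        g = pow(secrets.randbelow(P - 2) + 2, 2, P)
        if g != 1:
            return g

class OneTimeHomEnc:
    """Symmetric one-time encryption of small-integer vectors with additive homomorphism
    in the key (mod Q) and in the message (in the exponent of g):
    Enc_k1(M1) * Enc_k2(M2) = Enc_{k1+k2}(M1+M2), computed coordinate-wise."""
    def __init__(self, length):
        self.g = random_generator()                             # carries the message entries
        self.h = [random_generator() for _ in range(length)]    # one per coordinate, carries the key

    def keygen(self):
        return secrets.randbelow(Q)

    def encrypt(self, k, msg):
        # Coordinates of msg are small integers (here in {-1, 0, 1}); h_j^k masks g^{m_j}.
        return [pow(h, k, P) * pow(self.g, m % Q, P) % P for h, m in zip(self.h, msg)]

    @staticmethod
    def add(c1, c2):
        return [a * b % P for a, b in zip(c1, c2)]

    def decrypt_bits(self, k, ct):
        """Recover a message whose coordinates are known to lie in {0, 1}."""
        out = []
        for h, c in zip(self.h, ct):
            v = c * pow(h, (Q - k) % Q, P) % P     # strip h^k (h^(Q-k) = h^(-k) in the subgroup)
            if v == 1:
                out.append(0)
            elif v == self.g:
                out.append(1)
            else:
                raise ValueError("coordinate is not a bit; wrong key or malformed ciphertext")
        return out

def offline_phase(enc, key_pairs):
    """Alice, offline. key_pairs[i] = (K_{i,0}, K_{i,1}) as equal-length bit lists.
    C_0 encrypts all 0-keys; C_i encrypts K_{i,1} - K_{i,0} placed in block i (zeros elsewhere).
    Returns the n+1 ciphertexts and the secret keys k_0 .. k_n (each used exactly once)."""
    n, w = len(key_pairs), len(key_pairs[0][0])
    y = [bit for k0, _ in key_pairs for bit in k0]
    k = [enc.keygen() for _ in range(n + 1)]
    cts = [enc.encrypt(k[0], y)]
    for i, (k0, k1) in enumerate(key_pairs):
        m = [0] * (n * w)
        m[i * w:(i + 1) * w] = [b1 - b0 for b0, b1 in zip(k0, k1)]
        cts.append(enc.encrypt(k[i + 1], m))
    return cts, k

def online_key(secret_keys, x):
    """Alice, online: a single element of Z_Q regardless of n, k_0 + sum of k_i over S = {i : x_i = 1}."""
    return (secret_keys[0] + sum(secret_keys[i + 1] for i, b in enumerate(x) if b)) % Q

def decode_garbled_input(enc, cts, x, k_s, w):
    """Bob: combine C_0 with the C_i for i in S, decrypt under K_S, split into the n active keys.
    Block i of the sum is K_{i,0} + (K_{i,1} - K_{i,0}) = K_{i,1} when x_i = 1 and K_{i,0} otherwise."""
    acc = cts[0]
    for i, b in enumerate(x):
        if b:
            acc = enc.add(acc, cts[i + 1])
    bits = enc.decrypt_bits(k_s, acc)
    return [bits[i * w:(i + 1) * w] for i in range(len(x))]

def run_demo(x, w=8):
    """Constructed sample: len(x) input wires with random w-bit key pairs.
    Returns True iff Bob recovers exactly the keys K_{i,x_i}."""
    n = len(x)
    key_pairs = [([secrets.randbelow(2) for _ in range(w)],
                  [secrets.randbelow(2) for _ in range(w)]) for _ in range(n)]
    enc = OneTimeHomEnc(n * w)
    cts, sk = offline_phase(enc, key_pairs)
    k_s = online_key(sk, x)
    return decode_garbled_input(enc, cts, x, k_s, w) == [key_pairs[i][b] for i, b in enumerate(x)]

if __name__ == "__main__":
    print("Bob recovered exactly the active keys:", run_demo([0, 1, 0, 1]))
```

Online, Alice sends the n input bits plus one element of Z_Q, so the online message does not grow with the key length; offline, the ciphertexts grow with n. Each secret k_i is used for exactly one ciphertext, which is the one-time setting the slides say suffices, and given K_S the individual k_i remain uniformly distributed, so the unselected ciphertexts stay hidden under the assumption that the masks h_j^k look random.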
Application 1: Verifiable Computation
• Setting: a weak client outsources f:{0,1}^n → {0,1}^m to an untrusted server
• Offline: |f| bits; online: n bits for the input x plus an additive term in the security parameter; output: m bits plus an additive term
• Optimal online complexity using [GGP10,AIK10]
• Previous works: multiplicative overhead in the security parameter
Application 2: MPC with preprocessing
• Semi-honest MPC for f:{0,1}^n → {0,1}^m between Alice (input A) and Bob (input B)
[Figure: offline, a garbled circuit C’ of |f| bits and random masks rA, rB are set up; online, Alice sends her masked input (A masked by rA, n bits), Bob sends his masked input (B masked by rB, n bits plus an additive term in the security parameter), and the decoder outputs f(A,B)]
• 1 online round
• Online communication does not grow with m
• Additive dependency in the security parameter

Malicious MPC? Adaptive choice of inputs?
• Malicious security: homomorphic MACs [BDOZ11]

Adaptive Choice of Inputs?
• No succinct GC with adaptive security
• Can be achieved with Random Oracle
• Not needed in some applications
– Offline private inputs (shares of signing key)
– Independent online public inputs (docs to be signed)
Garbling Arithmetic Circuits? [AIK11]
• Gates perform addition or multiplication
• Operations over a large domain (e.g., field F)
[Figure: the randomized-encoding diagram with an arithmetic circuit C in place of the Boolean circuit; the garbled input is still decomposable affine, K1(X1) … Kn(Xn), but each Ki : F → F is now affine over F instead of F2]
• Extends applications to arithmetic setting
• Non-trivial if the field is large!
• Requires new approach
Thm. Arithmetic GC (over large integers) under LWE (or OWF, less efficiently).
Garbling arithmetic formulas [IK02]
[Figure: the same diagram for an arithmetic formula C, with a decomposable affine garbled input K1(X1) … Kn(Xn) and Ki : F → F affine]
• Problem 1: Limited to formulas
• Problem 2: Large blow-up, |C|^2
• Key Idea: Solving 2 ⇒ Solving 1
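As an added illustration of the decomposable affine encodings the two slides above rely on (this is example code written for this page, not the talk's or [IK02]'s own code), the classic IK02-style randomized encoding of a single multiplication gate y1·y2 over a prime field: every coordinate of the encoding is an affine function of one input, the decoder recovers the product, and a simulator shows that the encoding reveals nothing else. The field size (a Mersenne prime) is a constructed choice.

```python
import secrets

# Added example; F = Z_PRIME is a constructed "large domain" (a Mersenne prime, 2^61 - 1).
PRIME = (1 << 61) - 1

def encode_mult(y1, y2, rnd=None):
    """Randomized encoding of f(y1, y2) = y1 * y2 over F (IK02 style).
    Each coordinate is affine in a single input, so the encoding is decomposable affine
    with maps K_i : F -> F; the randomness (r1, r2, r3) hides everything except the product.
    rnd may fix the randomness for testing; by default it is sampled."""
    p = PRIME
    if rnd is None:
        rnd = (secrets.randbelow(p), secrets.randbelow(p), secrets.randbelow(p))
    r1, r2, r3 = rnd
    return (
        (y1 + r1) % p,                    # affine in y1
        (y2 + r2) % p,                    # affine in y2
        (r1 * y2 + r3) % p,               # affine in y2
        (r2 * y1 + r1 * r2 - r3) % p,     # affine in y1
    )

def decode_mult(enc):
    """Decoder: (y1+r1)(y2+r2) - (r1*y2 + r3) - (r2*y1 + r1*r2 - r3) = y1*y2."""
    u, v, w1, w2 = enc
    return (u * v - w1 - w2) % PRIME

def simulate_mult(product):
    """Simulator: in the real encoding u, v, w1 are uniform and independent (each is masked by
    its own fresh r_i) and w2 is then determined by the product, so this samples the same distribution."""
    p = PRIME
    u, v, w1 = secrets.randbelow(p), secrets.randbelow(p), secrets.randbelow(p)
    w2 = (u * v - w1 - product) % p
    return (u, v, w1, w2)

def check_gate(y1, y2):
    """Correctness of decoding on a real encoding and on a simulated one."""
    product = (y1 * y2) % PRIME
    return decode_mult(encode_mult(y1, y2)) == product and decode_mult(simulate_mult(product)) == product

if __name__ == "__main__":
    print("multiplication gate encodes/decodes correctly:", check_gate(6, 7))
```

Feeding the output of one such gate into the next requires encoding affine functions of y1·y2 rather than the product itself, and each coordinate that is affine in y1 or y2 then needs its own fresh masks; repeating this through a formula is where the key length, and the |C|^2 blow-up the slide mentions, comes from. Note that the encoding above holds the field elements in the clear and hides only through the masks, so a coordinate must never be reused with the same randomness.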
Key-Shrinking Gadget
• Input: a long affine key c·y + d; output: a short affine key a·y + b together with a hint W; the decoder computes a·y + b from c·y + d and W, and the simulator shows that nothing else leaks
• a, b, W can depend on c, d and randomness
• Special type of “functional encryption”
• Implementation over the integers from LWE
Garbling the Circuit Layer-by-Layer
[Figure: layers C1, …, C_{i-1}, C_i, C_{i+1}; in the layer shown, wires y^{i-1}_1 … y^{i-1}_4 enter a multiplication gate (y^{i-1}_1 × y^{i-1}_2) and an addition gate (y^{i-1}_3 + y^{i-1}_4), whose outputs are y^i_1 and y^i_2]
• Start from an arithmetic garbled circuit (AGC) for C1 … C_{i-1} whose garbled input is affine in the wires y^i: a1·y^i_1 + b1, a2·y^i_2 + b2, …
• Substitution: plug in y^i_1 = y^{i-1}_1 × y^{i-1}_2 and y^i_2 = y^{i-1}_3 + y^{i-1}_4, so the keys become a1·(y^{i-1}_1 × y^{i-1}_2) + b1 and a2·(y^{i-1}_3 + y^{i-1}_4) + b2
• Affinization [IK02]: encode these so that each output is affine in a single wire, c1·y^{i-1}_1 + d1, c2·y^{i-1}_2 + d2, …; the new keys (c_j, d_j) are longer than (a_j, b_j)
• Key shrinking: apply the gadget to replace each long key c_j·y + d_j by a short one, add its hint W^{i-1} to the garbled circuit, and proceed to the next layer in the same way
Conclusion
• GC with optimal online-rate for Boolean circuits
– Applications with optimal online communication
• General approach for arithmetic garbled circuits
– Alternative to Yao’s “garbled tables” approach
– Instantiated using LWE
– Extends applications to arithmetic setting
– New modular, simplified proof for Boolean case
• Constant online-rate for arithmetic formulas

Open Questions
Arithmetic setting
• Circuits over finite fields?
• Arithmetic decoder?
Efficiency
• Shorten the offline part? |C’| = O(|C|)?
• Can get it for natural class of arithmetic functions
• Less computational overhead? (online/offline)
Take-Home Message: What are Garbled Circuits?
• Not just “FHE for the poor”
• A powerful tool, superior to FHE in some aspects (asymptotically & concretely)