Slide1
How to circumvent the two-ciphertext lower bound for linear garbling schemes
Carmen Kempka, Ryo Kikuchi, Koutarou Suzuki @NTT Corporation
Slide2
Agenda
Lower bound and our result
Garbling single AND gate
Garbling multiple gates and other types
Efficiency comparison
Slide3
Evaluate the circuit w/o knowing truth values
[Figure labels: Garbling scheme; (plain) circuit; garbled circuit; AND; wire values 0,1]
Slide4
Evaluate the circuit w/o knowing truth values
[Figure labels: Garbling scheme; (plain) circuit; garbled circuit; AND; wire values 0, 1, 0]
Slide5
Reducing the size of garbled circuit
Classical [Yao86]:

Technique               Size per AND gate   Size per XOR gate
Classical [Yao86]       4k
GRR3 [NPS99]            3k
GRR2 [PSSW09]           2k
Free-XOR [KS08]+GRR3    3k                  0
fleXOR [KMR14]          2k                  {0,1,2}k
Half gates [ZRE15]      2k                  0

k-bit element
Slide6
Linear garbling scheme and lower bound [ZRE15]
A linear garbling scheme captures all practically efficient garbling schemes
The lower bound says a linear garbling scheme must have two k-bit ciphertexts per AND gate
Half gates achieves the bound
Half-gates seems to be optimal
Slide7
Our result
We propose a “linear” garbling scheme that requires strictly less than two k-bit ciphertexts per AND gate
The scheme does not contradict but rather circumvents the lower bound
Proof of the lower bound assumes each ciphertext is k-bit
Our scheme requires one k-bit and four 2-bit ciphertexts per AND gate
Five ciphertexts in total
Slide8
Agenda
Lower bound and our result
Garbling single AND gate
Garbling multiple gates and other types
Efficiency comparison
Slide9
Observation
k-bit element can be regarded as an element in not only but also
Operation in is bit-wise XOR
Operation in is integer addition
Slide10
Setting
Trying to garble single AND gate with single k-bit ciphertext
Operations consist of , , and
[Figure labels: (plain) circuit; garbled circuit; AND; wire values 0,1]
Slide11
Evaluation on garbled AND gate
[Table columns: Input, Output, Evaluation; four rows, each with Eval( )]
Slide12
Evaluation on garbled AND gate
[Table columns: Input, Output, Evaluation; four rows, each with Eval( )]
Define the input/output keys and Eval() satisfying this!
Slide13
Idea 1: Free-XOR-like definition
[Table columns: Input, Output, Evaluation]
Slide14
Idea 1: Free-XOR-like definition
[Table columns: Input, Output, Evaluation]
Both output keys can be generated from since
Slide15
Idea 2: Use instead of in hash
[Table columns: Input, Output, Evaluation]
Slide16
Idea 2: Use instead of in hashing
[Table columns: Input, Output, Evaluation]
Using leaks information
Slide17
Idea 3: Use with probability 1/2
Choice bit:
[Table columns: Input, Output, Evaluation]
Choice bit of another case should be kept secret
Slide18
Idea 4: Garbling and by classical technique
Classical garbling scheme requires four ciphertexts
Each of them is not k-bit but 2-bit
Each ciphertext contains (and permute bit )
Slide19
Garbling algorithm for single AND gate
Set input keys and permute bits:
1.
2.
3.
Define , , and :
1.
2.
3.
4.
Encrypt , and (next) permute bit:
1.
2.
3. For ,
Output all keys and
Slide20
Agenda
Lower bound and our result
Garbling single AND gate
Garbling multiple gates and other types
Efficiency comparison
Slide21
Handling multiple gates
[Figure: circuit of five AND gates]
Slide22
Handling multiple gates
For input AND gates
We can choose
-> Single k-bit ciphertext per AND gate
[Figure: circuit of five AND gates]
Slide23
Handling multiple gates
For input AND gates
We can choose and apply as single AND gate
-> one k-bit ciphertext per input AND gate
[Figure labels: AND, AND; 1, 1, 1]
Slide24
Handling multiple gates
For mid AND gates
We cannot choose
We adjust to using another ciphertext
-> Two k-bit ciphertexts per mid AND gate
[Figure labels: AND, AND; 1, 1, 1]
Slide25
Handling multiple gates
For mid AND gates
We cannot choose
We adjust to using another ciphertext
-> Two k-bit ciphertexts per mid AND gate
[Figure labels: 2, 2, 1, 1, 1]
Slide26
Garbling other types of gate
OR, XOR, NAND, and other standard gates can be garbled in a similar way
We can further reduce the ciphertext when garbling an XOR gate:
No ciphertext per input XOR gate
Single k-bit ciphertext per mid XOR gate
Slide27
Security
Simulation-based privacy [BHR12]
proved in the random oracle model
A variant of correlation robustness is sufficient but complicated and artificial
Slide28
Agenda
Lower bound and our result
Garbling single AND gate
Garbling multiple gates and other types
Efficiency comparison
Slide29
Comparison (in plain setting)
: number of gates
number of AND gates
, : number of input AND, mid AND, and mid XOR gates
Our scheme is more efficient than half gates if
Half gates may still be the most efficient in most realistic circuits
[Table columns: Technique; # of k-bit ciphertext/gate (XOR, AND); total bits of garbled circuit. Rows: Classical, half gates, This work]
Slide30
Comparison in semi-private function (SPF) setting
SPF hides the type of gates:
Only circuit topology is public
NOTE: An identity gate cannot be garbled in this work
[Table columns: Technique; # of k-bit ciphertext/gate; total bits of garbled circuit. Rows: Classical, GRR3, This work]
Slide31
Summary
We show a garbling scheme that circumvents the lower bound:
Garbled AND gate contains less than two k-bit ciphertexts
Instead, contains additional four 2-bit ciphertexts
Efficiency depends on the structure of circuit
In plain setting, half-gates may still be the most efficient
In SPF setting, ours is the most efficient
Slide32
Why we can circumvent the lower bound
Ciphertexts in our scheme consist of k-bit and 2-bit parts
Not two “k-bit” ciphertexts but two ciphertexts are necessary
The lower bound (implicitly) assumes that
each element is k-bit
evaluation depends on permute bit
In the first claim in [ZRE15], each ciphertext should be distinct according to
It does not hold in k-bit part
is independent of
It holds in 2-bit part
The lower bound may hold in this part
Slide33
Identity gate

Input A   Input B   Output
0         0         0
0         1         1
1         0         0
1         1         1

Input A Input B Output 000010101110
Slide34
Strategy of evaluation
Hash the input keys in each gate
For input , , and , evaluator computes for some
Evaluation:
1. Compute
.
.
.
.
.
Fin. Output
Slide35
Requirement of
, where
Two of are the same
Procedure:
1. Compute
Fin. output
Slide36
Garbling AND gate with one ciphertext
At least, we require:
, where for security
Two of are the same
Evaluator should be able to obtain from every values
One value can be adjusted as
At least two of them should be the same
Slide37
Intuition: Garbling AND with one ciph.
We employ “+” as
Set ,
Evaluator obtains
If :
If :
If :
If :
Slide38
Define by
For some operation , must satisfy
We employ “ ” as , and is defined as follows:
If ,
If ,
Slide39
Define
Evaluator should perform w/ probability ½ even if the input is (1,1)
Oblivious procedure as
is defined as follows:
If ,
If ,
Slide40
Garbling input XOR gate
Choose as
Use free-XOR technique
requires no ciphertext
Slide41
Garbling mid XOR gate
Adjust s.t.
Use free-XOR technique
requires 1 k-bit ciphertext per XOR gate
Slide42
Summary
Zahur et al. [ZRE15] showed the lower bound
In linear garbling scheme, garbled AND gate contains at least two k-bit ciphertexts
We show a “linear” garbling scheme circumvents
Garbled AND gate contains less than two k-bit ciphertexts
It does not contradict but rather circumvents the lower bound
Slide43
Similar to classical garbling scheme
Additionally contain four 2-bit ciphertexts
The order of the ciphertexts should be permuted by permute bit
Encrypt and
permuted according to
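
The classical technique the slides refer to (four ciphertexts per gate, stored in the order given by the permute bits), as an added example that is not taken from the slides or from the authors' scheme. SHA-256 as the hash, the 16-byte label length, the one-byte encoding of the select bit and all function names are assumptions made for the illustration.

```python
import hashlib
import secrets

K = 16  # label length in bytes (k = 128 bits); assumed parameter

def H(a, b, gate_id):
    # Hash of both input labels and a gate identifier, used as a one-time pad.
    return hashlib.sha256(a + b + gate_id).digest()[:K + 1]

def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def new_wire():
    # Two random labels per wire and a random permute bit p.
    # The label for truth value v carries the public select bit v ^ p.
    p = secrets.randbits(1)
    return [(secrets.token_bytes(K), v ^ p) for v in (0, 1)]

def garble_gate(wa, wb, wc, gate_id, f=lambda a, b: a & b):
    # Classical garbling: one ciphertext per truth-table row, placed at
    # the position selected by the input labels' select bits.
    table = [None] * 4
    for va in (0, 1):
        for vb in (0, 1):
            (la, sa), (lb, sb) = wa[va], wb[vb]
            lc, sc = wc[f(va, vb)]
            table[2 * sa + sb] = xor(H(la, lb, gate_id), lc + bytes([sc]))
    return table

def eval_gate(table, a, b, gate_id):
    # The evaluator holds one label per input wire, decrypts exactly one
    # row and learns an output label without learning its truth value.
    (la, sa), (lb, sb) = a, b
    plain = xor(H(la, lb, gate_id), table[2 * sa + sb])
    return plain[:K], plain[K]

def demo(f=lambda a, b: a & b):
    wa, wb, wc = new_wire(), new_wire(), new_wire()
    table = garble_gate(wa, wb, wc, b"gate-0", f)
    ok = all(eval_gate(table, wa[x], wb[y], b"gate-0") == wc[f(x, y)]
             for x in (0, 1) for y in (0, 1))
    return ok, len(table)

if __name__ == "__main__":
    print(demo())
```
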