How to circumvent the two- - PowerPoint Presentation

marina-yarberry
Uploaded On 2017-03-30

Presentation Transcript

Slide1

How to circumvent the two-ciphertext lower bound for linear garbling schemes

Carmen Kempka, Ryo Kikuchi, Koutarou Suzuki @NTT Corporation

Slide2

Agenda

- Lower bound and our result
- Garbling single AND gate
- Garbling multiple gates and other types
- Efficiency comparison

Slide3

Evaluate the circuit w/o knowing truth values

Garbling scheme

[Figure: (plain) circuit, an AND gate with wire values 0,1, beside its garbled circuit]

Slide4

Evaluate the circuit w/o knowing truth values

Garbling scheme

[Figure: (plain) circuit, an AND gate with wire values 0, 1, 0, beside its garbled circuit]

Slide5

Reducing the size of garbled circuit

Classical [Yao86]: [Figure; label: k-bit element]

Technique               Size per AND gate   Size per XOR gate
Classical [Yao86]       4k
GRR3 [NPS99]            3k
GRR2 [PSSW09]           2k
Free-XOR [KS08]+GRR3    3k                  0
fleXOR [KMR14]          2k                  {0,1,2}k
Half gates [ZRE15]      2k                  0

Slide6

Linear garbling scheme and lower bound [ZRE15]

- A linear garbling scheme captures all practically efficient garbling schemes
- The lower bound says a linear garbling scheme must have two k-bit ciphertexts per AND gate
- Half gates achieve the bound

Half gates seem to be optimal

Slide7

Our result

- We propose a “linear” garbling scheme that requires strictly less than two k-bit ciphertexts per AND gate
- The scheme does not contradict but rather circumvents the lower bound
- Proof of the lower bound assumes each ciphertext is k-bit
- Our scheme requires one k-bit and four 2-bit ciphertexts per AND gate
- Five ciphertexts in total

Slide8

Agenda

- Lower bound and our result
- Garbling single AND gate
- Garbling multiple gates and other types
- Efficiency comparison

Slide9

Observation

- k-bit element can be regarded as an element in not only […] but also […]
- Operation in […] is bit-wise XOR
- Operation in […] is integer addition

Slide10

Setting

- Trying to garble a single AND gate with a single k-bit ciphertext
- Operations consist of […], […], and […]

[Figure: (plain) circuit, an AND gate with wire values 0,1, beside its garbled circuit]

Slide11

Evaluation on garbled AND gate

[Table: columns Input, Output, Evaluation; four rows of Eval(…) whose arguments are not recoverable]

Slide12

Evaluation on garbled AND gate

[Table: columns Input, Output, Evaluation; four rows of Eval(…) whose arguments are not recoverable]

Define the input/output keys and Eval() satisfying this!

Slide13

Idea 1: Free-XOR-like definition

[Table: columns Input, Output, Evaluation; entries not recoverable]

Slide14

Idea 1: Free-XOR-like definition

[Table: columns Input, Output, Evaluation; entries not recoverable]

Both output keys can be generated from […] since […]

Slide15

Idea 2: Use […] instead of […] in hash

[Table: columns Input, Output, Evaluation; entries not recoverable]

Slide16

Idea 2: Use […] instead of […] in hashing

[Table: columns Input, Output, Evaluation; entries not recoverable]

Using […] leaks information

Slide17

Idea 3: Use […] with probability 1/2

Choice bit: […]

[Table: columns Input, Output, Evaluation; entries not recoverable]

Choice bit of another case should be kept secret

Slide18

Idea 4: Garbling […] and […] by classical technique

- Classical garbling scheme requires four ciphertexts
- Each of them is not k-bit but 2-bit
- Each ciphertext contains […] (and permute bit […])

Slide19

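Garbling algorithm for single AND gate

- Set input keys and permute bits: [steps 1 to 3 not recoverable]
- Define […], […], and […]: [steps 1 to 4 not recoverable]
- Encrypt […], […] and (next) permute bit: [steps 1 to 3 not recoverable; step 3 begins “For […],”]
- Output all keys and […]

Slide20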

Agenda

- Lower bound and our result
- Garbling single AND gate
- Garbling multiple gates and other types
- Efficiency comparison

Slide21

Handling multiple gates

[Figure: circuit of five AND gates]

Slide22

Handling multiple gates

For input AND gates

- We can choose […]
- -> Single k-bit ciphertext per AND gate

[Figure: circuit of five AND gates]

Slide23

Handling multiple gates

For input AND gates

- We can choose […] and apply as single AND gate
- -> one k-bit ciphertext per input AND gate

[Figure: circuit with AND gates; labels 1, 1, 1]

Slide24

Handling multiple gates

For mid AND gates

- We cannot choose […]
- We adjust […] to […] using another ciphertext
- -> Two k-bit ciphertexts per mid AND gate

[Figure: circuit with AND gates; labels 1, 1, 1]

Slide25

Handling multiple gates

For mid AND gates

- We cannot choose […]
- We adjust […] to […] using another ciphertext
- -> Two k-bit ciphertexts per mid AND gate

[Figure: circuit; labels 2, 2, 1, 1, 1]

Slide26

Garbling other types of gate

- OR, XOR, NAND, and other standard gates can be garbled in a similar way
- We can further reduce the ciphertext when garbling an XOR gate:
  - No ciphertext per input XOR gate
  - Single k-bit ciphertext per mid XOR gate

Slide27

Security

- Simulation-based privacy [BHR12]
- proved in the random oracle model
- A variant of correlation robustness is sufficient but complicated and artificial

Slide28

Agenda

- Lower bound and our result
- Garbling single AND gate
- Garbling multiple gates and other types
- Efficiency comparison

Slide29

Comparison (in plain setting)

- […]: number of gates
- […] number of AND gates
- […]: number of input AND, mid AND, and mid XOR gates
- Our scheme is more efficient than half gates if […]
- Half gates may still be the most efficient in most realistic circuits

[Table: columns Technique, # of k-bit ciphertext/gate (XOR, AND), total bits of garbled circuit; rows Classical, half gates, This work; entries not recoverable]

Slide30

Comparison in semi-private function (SPF) setting

- SPF hides the type of gates: Only circuit topology is public
- NOTE: An identity gate cannot be garbled in this work

[Table: columns Technique, # of k-bit ciphertext/gate, total bits of garbled circuit; rows Classical, GRR3, This work; entries not recoverable]

Slide31

Summary

- We show a garbling scheme that circumvents the lower bound:
  - Garbled AND gate contains less than two k-bit ciphertexts
  - Instead, contains additional four 2-bit ciphertexts
- Efficiency depends on the structure of circuit
  - In plain setting, half-gates may still be the most efficient
  - In SPF setting, ours is the most efficient
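
Added example (not part of the presentation or the authors' code): the per-gate sizes stated on the slides, totalled over two constructed circuits to show how the comparison with half gates depends on circuit structure. The rule that a gate counts as an input gate when both of its operands are circuit inputs, k = 128, charging the four 2-bit ciphertexts to every AND gate, and both circuits are assumptions.

```python
# Added example (not from the slides' authors). Per-gate costs follow the
# slides; the classification rule and both circuits are assumptions.
K = 128  # key length k in bits (constructed value)

def cost_table(k):
    """Garbled-circuit bits per gate, keyed by (gate type, position)."""
    two_bit = 4 * 2  # four 2-bit ciphertexts per AND gate in this work
    return {
        # Classical garbling spends four k-bit ciphertexts on every gate.
        "classical": {("AND", "input"): 4 * k, ("AND", "mid"): 4 * k,
                      ("XOR", "input"): 4 * k, ("XOR", "mid"): 4 * k},
        "half gates": {("AND", "input"): 2 * k, ("AND", "mid"): 2 * k,
                       ("XOR", "input"): 0, ("XOR", "mid"): 0},
        "this work": {("AND", "input"): k + two_bit,
                      ("AND", "mid"): 2 * k + two_bit,
                      ("XOR", "input"): 0, ("XOR", "mid"): k},
    }

def classify(gates, circuit_inputs):
    """Assumed rule: a gate is 'input' when both operands are circuit inputs."""
    inputs = set(circuit_inputs)
    return [(kind, "input" if a in inputs and b in inputs else "mid")
            for _out, kind, a, b in gates]

def garbled_size(gates, circuit_inputs, k=K):
    """Total garbled-circuit bits for each scheme on one circuit topology."""
    labels = classify(gates, circuit_inputs)
    return {scheme: sum(costs[label] for label in labels)
            for scheme, costs in cost_table(k).items()}

def cheapest(sizes):
    """Name of the scheme with the smallest total."""
    return min(sizes, key=sizes.get)

INPUTS = ["a", "b", "c", "d"]
# Constructed circuit 1: every gate reads circuit inputs directly.
SHALLOW = [("g1", "AND", "a", "b"), ("g2", "AND", "c", "d"),
           ("g3", "XOR", "a", "c")]
# Constructed circuit 2: a chain, so most gates are mid gates.
DEEP = [("g1", "AND", "a", "b"), ("g2", "AND", "g1", "c"),
        ("g3", "XOR", "g2", "d"), ("g4", "AND", "g3", "a")]

if __name__ == "__main__":
    for name, circuit in (("shallow", SHALLOW), ("deep", DEEP)):
        sizes = garbled_size(circuit, INPUTS)
        print(name, sizes, "-> smallest:", cheapest(sizes))
```

On the shallow circuit the scheme from the slides is the smallest; on the chain, the mid AND and mid XOR gates make half gates smaller.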

Slide32

Why we can circumvent the lower bound

- Ciphertexts in our scheme consist of k-bit and 2-bit parts
  - Not two “k-bit” ciphertexts but two ciphertexts are necessary
- The lower bound (implicitly) assumes that
  - each element is k-bit
  - evaluation depends on permute bit
- In the first claim in [ZRE15], each ciphertext should be distinct according to […]
  - It does not hold in k-bit part
    - […] is independent of […]
  - It holds in 2-bit part
    - The lower bound may hold in this part

Slide33

Identity gate

Input A   Input B   Output
0         0         0
0         1         1
1         0         0
1         1         1

Input A   Input B   Output
0         0         0
0         1         0
1         0         1
1         1         0

Slide34

Strategy of evaluation

- Hash the input keys in each gate
- For input […], […], and […], evaluator computes […] for some […]

Evaluation:
1. Compute […]
...
Fin. Output […]

Slide35

Requirement of […]

- […], where […]
- Two of […] are the same

Procedure:
1. Compute […]
Fin. output […]

Slide36

Garbling AND gate with one ciphertext

At least, we require:

- […], where […] for security
- Two of […] are the same
  - Evaluator should be able to obtain […] from every values
  - One value can be adjusted as […]
  - At least two of them should be the same

Slide37

Intuition: Garbling AND with one ciph.

- We employ “+” as […]
- Set […], […]
- Evaluator obtains
  - If […]: […]
  - If […]: […]
  - If […]: […]
  - If […]: […]

Slide38

Define […] by […]

- For some operation […], […] must satisfy […]
- We employ “[…]” as […], and […] is defined as follows:
  - If […], […]
  - If […], […]

Slide39

Define […]

- Evaluator should perform […] w/ probability ½ even if the input is (1,1)
- Oblivious procedure as […] is defined as follows:
  - If […], […]
  - If […], […]

Slide40

Garbling input XOR gate

- Choose […] as […]
- Use free-XOR technique
- requires no ciphertext

Slide41

Garbling mid XOR gate

- Adjust […] s.t. […]
- Use free-XOR technique
- requires 1 k-bit ciphertext per XOR gate

Slide42

Summary

- Zahur et al. [ZRE15] showed the lower bound
  - In linear garbling scheme, garbled AND gate contains at least two k-bit ciphertexts
- We show a “linear” garbling scheme circumvents
  - Garbled AND gate contains less than two k-bit ciphertexts
  - It does not contradict but rather circumvents the lower bound

Slide43

Encrypt […] and […]

- Similar to classical garbling scheme
- Additionally contain four 2-bit ciphertexts
- The order of the ciphertexts should be permuted by permute bit

[Figure: ciphertexts permuted according to […]]