
 New Advances in - PowerPoint Presentation

min-jolicoeur
Uploaded On 2017-04-27



Presentation Transcript

Slide1

New Advances in Garbling Circuits

Benny Applebaum, Tel Aviv University

Based on joint works with Yuval Ishai (Technion), Eyal Kushilevitz (Technion) and Brent Waters (University of Texas)

Slide2

Garbled Circuit Construction

Yao, 1986

Slide3

Garbled Circuit Construction

[Figure labels: Boolean circuit C with inputs x1, x2, x3, x4; Garbled circuit C’ (drawn as bit strings); Pairs of short keys K1,0/K1,1, K2,0/K2,1, K3,0/K3,1, K4,0/K4,1; Input X; C’; decoder; simulator]

Can be based on any pseudorandom generator [BM82,Yao82] (or one-way function [HILL90])

“Simple & Short”

Slide4

Applications

Constant-round secure computation [Yao82,BMR90...]
Related problem: computing on encrypted data [SYY99]
Alternative technique: FHE [Gentry09,…]
Parallel cryptography [AIK05]
One-time programs [GKR08]
KDM-secure encryption [BHHI10,...]
Verifiable computation [GGP10,…]
Functional Encryption [SS10,…]

Slide5

Non-Interactive Delegation

[Figure labels: x; C(x)]

offline: C’
online: Kx

Slide6

Yao’s Construction

Each wire w has 0-key and 1-key
Colored “blue” and “green” at random

[Figure: wire w with its 0-key and its 1-key]

Slide7

Yao’s Construction

Each wire w has 0-key and 1-key
Colored “blue” and “green” at random
$K_{i,b}$ = b-key of input wire i
C’ = color code for output wires + “garbled gates”

[Figure: wire w with its 0-key and its 1-key; garbled circuit drawn as bit strings; a column of output bits]

Slide8

Garbled Gates

[Figure: garbled gate drawn over wires labelled a, b and c]
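
Added example, not from the slides: garbling and evaluating a small Boolean circuit along the lines of the Yao’s Construction and Garbled Gates slides, with a 0-key and a 1-key per wire, random colors that select the table row, and a color code published only for the output wire. SHA-256 as the row mask, the 16-byte key length, the function names and the sample circuit are assumptions made for this example.

```python
import hashlib, secrets

KEYLEN = 16  # bytes per wire key (assumed size)

def new_wire():
    """0-key and 1-key for one wire, tagged with random, opposite colors."""
    c = secrets.randbelow(2)
    return [(secrets.token_bytes(KEYLEN), c), (secrets.token_bytes(KEYLEN), c ^ 1)]

def pad(ka, kb, gid):
    """Row mask from both input keys and the gate id (SHA-256 is an assumed stand-in)."""
    return hashlib.sha256(ka + kb + bytes([gid])).digest()[:KEYLEN + 1]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def garble(circuit, n_inputs):
    """circuit: list of (fn, in_a, in_b); gate g drives wire n_inputs + g."""
    wires = [new_wire() for _ in range(n_inputs + len(circuit))]
    tables = []
    for gid, (fn, ia, ib) in enumerate(circuit):
        rows = [None] * 4
        for a in (0, 1):
            for b in (0, 1):
                (ka, ca), (kb, cb) = wires[ia][a], wires[ib][b]
                kc, cc = wires[n_inputs + gid][fn(a, b)]
                # The two input colors pick the row; the row hides key and color of c.
                rows[2 * ca + cb] = xor(pad(ka, kb, gid), kc + bytes([cc]))
        tables.append(rows)
    topology = [(ia, ib) for _, ia, ib in circuit]
    color_code = {wires[-1][0][1]: 0, wires[-1][1][1]: 1}  # output wire only
    return wires[:n_inputs], (topology, tables, color_code)

def evaluate(garbled, labels):
    """labels: one (key, color) per input wire; opens exactly one row per gate."""
    topology, tables, color_code = garbled
    labels = list(labels)
    for gid, (ia, ib) in enumerate(topology):
        (ka, ca), (kb, cb) = labels[ia], labels[ib]
        plain = xor(pad(ka, kb, gid), tables[gid][2 * ca + cb])
        labels.append((plain[:KEYLEN], plain[KEYLEN]))
    return color_code[labels[-1][1]]

def demo(x):
    """Constructed circuit on four input bits: (x1 AND x2) XOR (x3 OR x4)."""
    circuit = [(lambda a, b: a & b, 0, 1), (lambda a, b: a | b, 2, 3),
               (lambda a, b: a ^ b, 4, 5)]
    input_keys, garbled = garble(circuit, 4)   # input_keys[i][b] plays K_{i,b}
    return evaluate(garbled, [input_keys[i][bit] for i, bit in enumerate(x)])
```

The evaluator sees one key per wire and one opened row per gate; the other three rows of each table stay masked under keys it never holds.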

Slide9

Post-Yao Constructions ?

A lot of progress wrt implementation
E.g., Fair-Play [MNPS04] …
Better concrete efficiency
Free XOR gates [KS08] …
3 ciphertexts per gate [PSSW09]
Little theoretical progress
Info-theoretic variants for restricted classes [IK00-2]
Rerandomizable GC [GHV]
No asymptotic improvements !

Slide10

Abstraction (Randomized Encoding [IK00])

[Figure labels: Boolean circuit C; (public); Random; Input X with bits x1, x2, x3, x4; keys K1,0/K1,1, K2,0/K2,1, K3,0/K3,1, K4,0/K4,1; Garbled Input X’; Garbled circuit C’ (drawn as bit strings); Decoder; Simulator; C(X); C’, X’]

Slide11

Abstraction (Randomized Encoding [IK00])

[Figure labels: Boolean circuit C; Random; (public); Input X, n bits; Garbled Input X’; Garbled circuit C’]

“Simple” Decomposable Affine $K_1(X_1) \dots K_n(X_n)$ where $K_i$ is affine over $\mathbb{F}_2$
“Short” n bits

Q1: Can we shorten the garbled input X’ ?
Q2: Can we garble arithmetic circuits?

Slide12

How short can X’ be? [AIKW12]

[Figure labels: Input X, n bits; Garbled Input X’]

“Simple”
Decomposable Affine: $K_1(X_1) \dots K_n(X_n)$ where $K_i$ is affine over $\mathbb{F}_2$
Affine: X’ = K(X) where K is affine

Constant Online-Rate?
Thm. Impossible if X’ is decomposable
Observation: Typically Affinity suffices
X’ O(n) + ?
“Short” n bits
n + [This work]
Thm. Affine GC with online-rate 1 under DDH, RSA, LWE.

Slide13

Gadget: Online/Offline Encryption

[Figure labels: Alice; Bob; messages M1, M2, M3, M4, …, Mn; ciphertexts C1, C2, C3, C4, …, Cn; EncK; subset s ⊆ {1,…,n}, drawn as selection bits; key KS]

Key length =  Independent of the number of plaintexts

Slide14

Gadget → Succinct GC

[Figure labels: Boolean circuit C; Random; Yao; Gadget; Garbled circuit C’; Input X; Subset; KS; Decoder; C(x); Simulator]

Slide15

Implementing the Gadget

Tool: Symmetric Encryption with Additive Homomorphism for Keys/Message

$E_{K_1}(M_1) + \dots + E_{K_n}(M_n) = E_{K_1 + \dots + K_n}(M_1 + \dots + M_n)$

One-Time Security suffices
Can be implemented under DDH
Close variants under LWE, RSA

Slide16

From Homomorphism to Online/Offline Encryption

$C_i = \mathrm{Enc}(K_i, M_i)$

[Figure labels: Alice; messages M1, M2, M3, M4, …, Mn; ciphertexts C1, C2, C3, C4; selection bits; key KS; C1 + C3]

Slide17

Application 1: Verifiable Computation

Optimal online complexity using [GGP10,AIK10]
Previous works: multiplicative overhead in 

[Figure labels: Weak Client; Untrusted Server; x; $f:\{0,1\}^n \to \{0,1\}^m$; Offline |f| bits; n+ bit; m+ bit; output]

Slide18

Application 2: MPC with preprocessing

Semi-Honest MPC for $f:\{0,1\}^n \to \{0,1\}^m$
1 online round
Online Communication does not grow with m
Additive dependency in

[Figure labels: Alice; Bob; A; B; rA; rB; b; Garbled circuit C’; Decoder; f(a,b); Offline |f| bits; n bits; n+ bits]

Slide19

Application 2: MPC with preprocessing

Malicious MPC ?
Adaptive choice of inputs ?
Homomorphic MACs [BDOZ11]

[Figure labels: Alice; Bob; A; B; rA; rB; b; Garbled circuit C’; Decoder; f(a,b); Offline |f| bits; n bits; n+ bits]

Slide20

Adaptive Choice of Inputs?

No succinct GC with adaptive security
Can be achieved with Random Oracle
Not needed in some applications
offline private inputs (Shares of signing key)
Independent online public inputs (Docs to be signed)

Slide21

Garbling Arithmetic Circuits? [AIK11]

Gates perform addition or multiplication
Operations over a large domain (e.g., field F)

Slide22

Garbling arithmetic circuits? [AIK11]

[Figure labels: Boolean circuit C; Arithmetic circuit C; Random; Input X; Garbled Input X’; Garbled circuit C’]

“Simple” Decomposable Affine $K_1(X_1) \dots K_n(X_n)$, $K_i: \mathbb{F}_2 \to \mathbb{F}_2$ is affine
$K_i: \mathbb{F} \to \mathbb{F}$

Extends applications to arithmetic setting
Non-trivial if the field is large !
Requires new approach

Thm. Arithmetic GC (over large integers) under LWE (or OWF less efficiently).

Slide23

Garbling arithmetic Formulas [IK02]

[Figure labels: Boolean circuit C; Arithmetic Formula C; Random; Input X; Garbled Input X’; Garbled circuit C’; |C| 2]

“Simple” Decomposable Affine $K_1(X_1) \dots K_n(X_n)$, $K_i: \mathbb{F}_2 \to \mathbb{F}_2$ is affine
$K_i: \mathbb{F} \to \mathbb{F}$

Problem 1: Limited to Formulas
Problem 2: Large blow-up
Key Idea: Solving 2 → Solving 1

Slide24

Key-Shrinking Gadget

a,b,W can depend on c,d and randomness
Special type of “functional encryption”
Implementation over the integers from LWE

[Figure labels: expressions in y over c, d and over a, b, W; decoder; simulator]

Slide25

Garbling the Circuit Layer-by-Layer

AGC for C1 … Ci-1

[Figure labels: layers C1, Ci-1, Ci+1; gates x and +; wire values y1, y2, y3, y4 at layers i-1 and i; a1; b1; W i-1]

Slide26

Garbling the Circuit Layer-by-Layer

Substitution

[Figure labels: layers C1, Ci-1, Ci+1; gates x and +; wire values y1, y2, y3, y4 at layers i-1 and i; a1; b1; W i-1]

Slide27

Garbling the Circuit Layer-by-Layer

Affinization [IK02]

[Figure labels: layers C1, Ci-1, Ci+1; gates x and +; wire values y1, y2, y3, y4 at layers i-1 and i; c1; d1; c2; d2; W i-1]

Slide28

Garbling the Circuit Layer-by-Layer

Key shrinking

[Figure labels: layers C1, Ci-1, Ci+1; gates x and +; wire values y1, y2, y3, y4 at layers i-1 and i; a1; b1; a2; b2; W i]

Slide29

Conclusion

GC with optimal online-rate for Boolean circuits
Applications with optimal online communication
General approach for arithmetic garbled circuits
Alternative to Yao’s “garbled tables” approach
Instantiated using LWE
Extends applications to arithmetic setting
New modular, simplified proof for Boolean case
Constant online-rate for arithmetic formulas

Slide30

Open Questions

Arithmetic setting
circuits over finite fields?
arithmetic decoder?
Efficiency
Shorten the offline part? |C’|=O(|C|)?
Can get it for natural class of arithmetic functions
Less computational overhead ? (online/offline)

Slide31

Take-Home Message: What are Garbled Circuits?

FHE for the poor

JustIt

Powerful tool superior to FHE in some aspects (Asymptotically & Concretely)