/
 New Advances in
 New Advances in

 New Advances in - PowerPoint Presentation

min-jolicoeur
min-jolicoeur . @min-jolicoeur
Follow
136 views | Public

 New Advances in - Description

Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of Texas Technion Technion Benny Applebaum Tel Aviv University Garbled Circuit Construction ID: 541899 Download Presentation

Tags :

garbled circuit input arithmetic circuit garbled arithmetic input online key bits affine offline random boolean layer circuits garbling decoder

Please download the presentation from below link :


Download Presentation - The PPT/PDF document " New Advances in" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.

Share:

Link:

Embed:

Presentation on theme: " New Advances in"— Presentation transcript

Slide1

 New Advances in Garbling Circuits

Based on joint works withYuval Ishai Eyal Kushilevitz Brent Waters

University of Texas

Technion

Technion

Benny ApplebaumTel Aviv UniversitySlide2

Garbled Circuit Construction

Yao, 1986Slide3

Garbled Circuit Construction

x

1

x

2

x

3

x

4

K

1,1

K

2,1

K

3,1

K

4,1

0110101101010011

1111010100101111

1101010100111010

1001011001010110

0110111010010011

1111100101101110

0101100111011011

0001101010110111

1110101010100110

0111010100101111

0101010011111011

1001001010110111

01101101010011001

10111010100100111

01010100110111011

10010101010010111

K

1,0

K

2,0

K

3,0

K

4,0

Boolean circuit C

Garbled circuit C’

Pairs of short keys

 

simulator

decoder

Can be based on any pseudorandom generator

[BM82,Yao82]

(or one-way function

[HILL90]

)

C’

Input X

“Simple & Short” Slide4

ApplicationsConstant-round secure computation [Yao82,BMR90...]

Related problem: computing on encrypted data [SYY99]Alternative technique: FHE [Gentry09,…]Parallel cryptography [AIK05]

One-time programs [GKR08]KDM-secure encryption [BHHI10,...]Verifiable computation [GGP10,…]Functional Encryption [SS10,…]Slide5

Non-Interactive Delegation

x

C(x)offline: C’

online: KxSlide6

Yao’s ConstructionEach wire w has 0-key and 1-keyColored “blue” and “green” at random

1-key

w

w

0-keySlide7

Yao’s ConstructionEach wire w has 0-key and 1-keyColored “blue” and “green” at random

Ki,b= b-key of input wire i C’ = color code for output wires + “garbled gates”

1-key

w

w

0-key

0110101101010011

1111010100101111

1101010100111010

1001011001010110

0110111010010011

1111100101101110

0101100111011011

0001101010110111

1110101010100110

0111010100101111

0101010011111011

1001001010110111

01101101010011001

10111010100100111

01010100110111011

10010101010010111

0

1

0

0

0

1

0

0Slide8

Garbled Gates

a

b

c

b

a

b

a

a

a

b

b

c

c

c

cSlide9

Post-Yao Constructions ? A lot of progress wrt implementation

E.g., Fair-Play [MNPS04] …Better concrete efficiencyFree XOR gates [KS08]…3 ciphertexts per gate [PSSW09]Little theoretical progressInfo-theoretic variants for restricted classes

[IK00-2]Rerandomizable GC [GHV]No asymptotic improvements !Slide10

x

1

x

2

x

3

x

4

Random

K

1,1

K

2,1

K

3,1

K

4,1

0110101101010011

1111010100101111

1101010100111010

1001011001010110

0110111010010011

1111100101101110

0101100111011011

0001101010110111

1110101010100110

0111010100101111

0101010011111011

1001001010110111

01101101010011001

10111010100100111

01010100110111011

10010101010010111

K

1,0

K

2,0

K

3,0

K

4,0

Boolean circuit C

Random

C(X) C’, X’

Simulator

Decoder

(public)

Abstraction

(Randomized Encoding

[IK00]

)

Input X

Garbled

Input X’

Garbled circuit C’Slide11

Boolean circuit C

Random

(public)

Abstraction (Randomized Encoding [IK00])

Input X Garbled Input X’Garbled circuit C’

n bits

“Simple” Decomposable Affine

K

1

(X

1

)

K

n

(

X

n

)

where

K

i

is affine over F

2

“Short”

n

bits

Q1

: Can we shorten the garbled input X’

?Q2

: Can we garble arithmetic circuits?Slide12

“Simple”

Decomposable Affine K1(X1) … Kn(Xn) where K

i is affine over F2 Affine X’=K(X) where K is affine

How short can X’ be? [AIKW12]

Input X Garbled Input X’

n bits

Constant Online-Rate?

Thm

.

Impossible

if X’ is decomposable

Observation: Typically

Affinity

suffices

X’

O(n) +

?

“Short”

n

bits

n +

[This work]

Thm

. Affine GC with online-rate 1 under DDH, RSA, LWE. Slide13

C

n

C4C3C2C1

MnC4C3

M2C1Gadget: Online/Offline EncryptionAliceBob

subset s{1,…,n}EncKKey length =  Independent of the number of plaintexts

Mn

M

4

M

3

M

2

M

1

1

0

0

1

0

K

SSlide14

Gadget

 Succinct GCBoolean circuit C

Garbled circuit C’YaoGadget

Random

Garbled circuit C’

Input X

Subset

K

S

C(x)

Decoder

SimulatorSlide15

Implementing the Gadget

Tool: Symmetric Encryption with Additive Homomorphism for Keys/Message

EK1(M1)+…+EKn(Mn) = EK1+…+Kn(M1+…+Mn)One-Time Security sufficesCan be implemented under DDHClose variants under LWE, RSASlide16

M

1M3C1C2

C3C4From Homomorphism to Online/Offline EncryptionAliceC

1 C2 C3 C4Ci=Enc(Ki,Mi)

MnM4M3M2

M

1

0

1

0

1

K

S

M

1

M

2

M

3

M

4

C

1

+C

3Slide17

Application 1: Verifiable ComputationOptimal

online complexity using [GGP10,AIK10]Previous works: multiplicative overhead in 

outputOffline |f| bits

n+ bitm+ bitxf:{0,1}n{0,1}m

Weak ClientUntrusted ServerSlide18

Semi-Honest MPC for f:{0,1}n{0,1}

m

f(a,b)Offline |f| bitsn bits

n+ bitsApplication 2: MPC with preprocessingbGarbled circuit C’

rArB

A

r

A

 A

B

r

B

 B

Decoder

Alice

Bob

1 online round

Online Communication does not grow with m

Additive dependency in

Slide19

Malicious MPC ?

Adaptive choice of inputs ?

f(a,b)Offline |f| bits

n bitsn+ bitsApplication 2: MPC with preprocessingbGarbled circuit C’

rArB

A

B

Decoder

Alice

Bob

Homomorphic

MACs

[BDOZ11]Slide20

No succinct GC with adaptive securityCan be achieved with Random Oracle

Not needed in some applications offline private inputs (Shares of signing key)Independent online public inputs (Docs to be signed)Adaptive Choice of Inputs?Slide21

Garbling Arithmetic Circuits? [AIK11]

Gates perform addition or multiplication Operations over a large domain (e.g., field F) Slide22

Garbling arithmetic circuits?

[AIK11]

Boolean circuit CRandom

Input X Garbled Input X’

Garbled circuit C’

“Simple” Decomposable Affine K1(X1) … Kn(Xn) Ki :F2F2 is affine

Arithmetic circuit C

Extends applications to arithmetic setting

Non-trivial if the field is large !

Requires new approach

Thm

. Arithmetic

GC (over

large integers)

under LWE (or OWF less efficiently).

K

i

:F

F

Slide23

Garbling arithmetic Formulas

[IK02]

Boolean circuit CRandom

Input X Garbled Input X’

Garbled circuit C’

“Simple” Decomposable Affine K1(X1) … Kn(Xn) Ki :F2F2 is affine

Arithmetic

Formula

C

Problem 1: Limited to Formulas

Problem 2: Large blow-up

Key Idea: Solving 2

Solving 1

K

i

:F

F

|C|

2Slide24

Key-Shrinking Gadgeta,b,W can depend on c,d

and randomnessSpecial type of “functional encryption”Implementation over the integers from LWEy+

cd

y+a

bW

decodersimulatorSlide25

x

x

+

x

y

1i-1y2i-1y3i-1y

4i-1

+

a

1

W

i-1

C

i-1

C

1

C

i+1

y

1

i-1

y

1

i

y

2

i

y

3

i

y

4

i

b

1…

AGC for C1… Ci-1Garbling the Circuit Layer-by-LayerSlide26

x

x

+

x

y

1i-1y2i-1y3i-1y

4i-1

+

a

1

W

i-1

C

i-1

C

1

C

i+1

y

1

i

y

2

i

y

1

i

y

2

i

y

3

i

y

4ib1

…Substitution Garbling the Circuit Layer-by-LayerSlide27

Garbling the Circuit Layer-by-Layer

x

x

+x

y

1i-1y2i-1y3i-1

y4

i-1

+

c

1

W

i-1

C

i-1

C

1

C

i+1

y

1

i

y

1

i

y

2

i

y

3

i

y

4

i

d

1…+

c2

d2y2i

Affinization [IK02]

Slide28

x

x

+

x

y

1i-1y2i-1y3i-1y

4i-1

+

W

i

C

i-1

C

1

C

i+1

y

1

i

y

1

i

y

2

i

y

3

i

y

4

i

+

y

2ia1

b1a2

b2Key shrinking Garbling the Circuit Layer-by-LayerSlide29

ConclusionGC with optimal online-rate for Boolean circuitsApplications with optimal online communication

General approach for arithmetic garbled circuitsAlternative to Yao’s “garbled tables” approachInstantiated using LWEExtends applications to arithmetic settingNew modular, simplified proof for Boolean caseConstant online-rate for arithmetic formulasSlide30

Open QuestionsArithmetic settingcircuits over finite fields?arithmetic decoder?

EfficiencyShorten the offline part? |C’|=O(|C|)?Can get it for natural class of arithmetic functionsLess computational overhead ? (online/offline)Slide31

Take-Home Message: What are Garble Circuits?

FHE for the poor

JustItPowerful tool superior to FHE in some aspects (Asymptotically & Concretely)