The Many Faces of Garbled Circuits. Vinod Vaikuntanathan, MIT. (Presentation transcript)


1 The Many Faces of Garbled Circuits. Vinod Vaikuntanathan, MIT.

2 Garbled Circuits [Yao'86, refined by BMR'90, AIK'04, BHR'12]. Garble the circuit C: Garble(C; R). Encode the input x: Encode(x; R), using the same randomness R, so that evaluating the garbled circuit on the encoded input yields C(x) and nothing else about x. Simplicity: both Garbling and Encoding are "simple" (e.g., Garble has small depth, Encode is affine in x).

3 The Swiss-army Knife of Crypto: secure two-party computation [Yao86]; (constant-round) MPC [BMR90, IK00]; parallel cryptography [AIK05]; one-time programs [GKR08]; KDM security [BHHI09, A11]; verifiable outsourcing [GGP10, AIK10]; circuit-private homomorphic encryption [GHV10]; functional encryption [SS10, GVW12]; and many others [AF90, FKN94, NPS99, KO04, FM06, AL07, LP07, GKR08, GMS08, BFK+09, PSS09, BHHI10, GGP10, HS10, KM10, SS10, A11, KMR11, LP11, GVW12, …].

4 Powerful Theorems. Theorem [Yao'86, LP'04]: assuming one-way functions, there is a garbling scheme for the class of all poly-size circuits. Theorem [IK'00, AIK'04]: with no computational assumption at all, there is a garbling scheme for the class of logspace-computable functions.

5 Much Work, Many Constructions. Better efficiency: variants [BMR90, NPS99]; Free XOR [KS08, CKKZ12, A13]; garbled circuits with short input encoding [AIKW13]; several practical efficiency improvements [MNPS04, BNP08, HSEKS11, KSS12, BHKR13]. Better security: adaptive vs. static security [BHR12a, BHR12b, JSW16]. New goals, new models: re-randomizable garbled circuits [GHV10]; arithmetic garbled circuits [AIK11]; garbling RAM machines [LO13, GHLORW14, GLOS15, GLO15]; and so on.

6 This Talk: "Cryptopia through the Garbled Circuit Lens": fully homomorphic encryption, functional encryption, indistinguishability obfuscation, attribute-based encryption.

7 Yao's Garbled Circuits [A. Yao 1986] (figure: a single gate viewed as an "AND-filter" on the labels of its two input wires).

8 Yao's Garbled Circuits [A. Yao 1986] (figure: the garbled gate, i.e., the gate's truth table encrypted under the input-wire labels).

9 The Reusability Problem: no reusability! The "mix-and-match" attack: if the same garbled circuit is evaluated on two different encoded inputs, the evaluator holds both labels of every input wire on which the two inputs differ, and can then evaluate the circuit on any mixture of the two inputs, not only on the two that were authorized.
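A toy version of slides 7 to 9 in code, added here as an illustration and not taken from the talk: a single garbled AND gate in Yao's style, an honest evaluation, and the mix-and-match attack that results from reusing one garbled gate for two encoded inputs. Assumptions: SHA-256 of the two input labels stands in for the PRF/symmetric encryption of Yao's construction, and a 16-byte all-zero tail marks the row that decrypted correctly (a stand-in for point-and-permute); all names are the example's own.

```python
"""Toy Yao garbled AND gate plus the mix-and-match attack that shows why a
garbled circuit is single-use.  Added illustration, not code from the talk.
Assumption: SHA-256 of the two input labels is the row keystream, and a
16-byte zero tail marks the row that decrypted correctly."""
import hashlib
import os
import random

LABEL_LEN = 16   # 128-bit wire labels


def _pad(label_a: bytes, label_b: bytes) -> bytes:
    """Keystream for one row: hash of the two input labels (32 bytes)."""
    return hashlib.sha256(label_a + label_b).digest()


def _xor(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))


def gen_labels() -> dict:
    """Two fresh random labels per wire: labels[wire][bit]."""
    return {w: (os.urandom(LABEL_LEN), os.urandom(LABEL_LEN))
            for w in ("a", "b", "out")}


def garble_and(labels: dict) -> list:
    """Garbled AND gate: four rows, each holding the output label (plus a zero
    tag) encrypted under the pair of input labels that selects it; shuffled so
    the row order does not reveal the truth-table position."""
    rows = []
    for a in (0, 1):
        for b in (0, 1):
            plaintext = labels["out"][a & b] + bytes(LABEL_LEN)
            rows.append(_xor(_pad(labels["a"][a], labels["b"][b]), plaintext))
    random.shuffle(rows)
    return rows


def encode_input(labels: dict, a: int, b: int) -> tuple:
    """Encode(x; R): hand out exactly one label per input wire."""
    return labels["a"][a], labels["b"][b]


def eval_and(rows: list, label_a: bytes, label_b: bytes) -> bytes:
    """Evaluator: try every row; the one whose tag decrypts to zeros is it."""
    pad = _pad(label_a, label_b)
    for row in rows:
        plaintext = _xor(pad, row)
        if plaintext[LABEL_LEN:] == bytes(LABEL_LEN):
            return plaintext[:LABEL_LEN]
    raise ValueError("no row decrypted: labels do not belong to this gate")


def decode_output(labels: dict, out_label: bytes) -> int:
    """Decoding information: which output label stands for 0 and which for 1."""
    return labels["out"].index(out_label)


def check_correctness() -> bool:
    """Garble once, evaluate each (a, b) on its own encoding."""
    labels = gen_labels()
    gate = garble_and(labels)
    return all(decode_output(labels, eval_and(gate, *encode_input(labels, a, b))) == (a & b)
               for a in (0, 1) for b in (0, 1))


def mix_and_match() -> tuple:
    """Reuse the SAME garbled gate for two encoded inputs, (0,1) and (1,0).
    Each honest evaluation gives AND = 0, but the evaluator now holds both
    labels of both wires and can combine a=1 with b=1, learning AND(1,1) = 1,
    a value it was never authorised to compute.  Returns (honest, honest, forged)."""
    labels = gen_labels()
    gate = garble_and(labels)
    a0, b1 = encode_input(labels, 0, 1)
    a1, b0 = encode_input(labels, 1, 0)
    honest_1 = decode_output(labels, eval_and(gate, a0, b1))
    honest_2 = decode_output(labels, eval_and(gate, a1, b0))
    forged = decode_output(labels, eval_and(gate, a1, b1))   # mixed labels
    return honest_1, honest_2, forged
```

Run `check_correctness()` to see a fresh garbling evaluate correctly on every input, and `mix_and_match()` to see the attack: both authorized evaluations return 0, the forged one returns 1. The fix the rest of the talk builds towards is not a better gate encryption but a different kind of label, one that can be reused.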

10 This Talk: "Cryptopia through the reusable Garbled Circuit Lens": fully homomorphic encryption, functional encryption, indistinguishability obfuscation, attribute-based encryption.

11 Functional Encryption (FE) [Sahai-Waters'05, refined by BSW'12, O'Neill'12]. Secret key for circuit C: SK_C ← KeyGen(SK, C), where SK is the master secret key. Encrypt input x: CT ← Enc(PK, x). Decrypt: (SK_C, C, CT) → C(x). Properties: no circuit hiding (SK_C does not hide the circuit C); public-key, so many-input security comes for free; many-key security (one can release many SK_{C_i}, revealing only the values C_i(x)); succinctness (encryption time and ciphertext size are independent of |C|).

12 Attribute-based Encryption (ABE) [Sahai-Waters'05, Goyal-Pandey-Sahai-Waters'06]. Secret key for circuit C: SK_C ← KeyGen(SK, C). Encrypt input x together with two messages M0, M1: CT ← Enc(PK, x, M0, M1). Decrypt: (SK_C, C, CT, x) → M_{C(x)}. Properties: no circuit or input hiding (only the messages M0 and M1 are hidden, and only one of them, never both); public-key, so many-input security comes for free; many-key security (if C_i(x) = b for all released keys i, then M_{1-b} stays hidden); succinctness (encryption time and ciphertext size are independent of |C|).

13 Garbled Circuits, FE & Friends (table: rows = security, columns = size).
Single-key security, non-succinct: garbled circuits + public-key encryption [Sahai-Seyalioglu'11].
Single-key security, succinct: (sub-exponential) LWE [Gorbunov-V-Wee'13, Goldwasser-KPVZ'13, Boneh-GGHNSVV'14] → "reusable" garbled circuits for single-bit functions.
Many-key security: the non-succinct and succinct cells are equivalent [Bitansky-V'15, Ananth-Jain-Sahai'15]; many-key FE for NC1 → reusable garbled circuits for many-bit functions → indistinguishability obfuscation [Bitansky-V'15, Ananth-Jain'15, Lin-Pass-Seth-Telang'16].

14 First Try: FE from Garbled Circuits. Many-key, single-input, secret-key FE: the ciphertext is the garbled input for x and the secret key for a circuit C is a garbling of C (many garbled circuits, one encoded input). Many-input, single-key, secret-key FE: swap the roles via the universal circuit U, encrypting x as a garbling of U(·, x) so that the secret key for C is the garbled input for C (and thus lose succinctness, since the ciphertext is as large as U). Single-key, public-key FE [Sahai-Seyalioglu'11]: use public-key encryption and the "decomposability" of Yao's garbled circuits: the secret key for C is the set of decryption keys SK_{i,C_i}, one per bit C_i of the description of C.

15 Garbled Circuits, FE & Friends (the table of slide 13, shown again; the next slides fill in the single-key, succinct cell).

16 Theorem 1.1 [Gorbunov-V.-Wee'13, Boneh-Gentry-Gorbunov-Halevi-Nikolaenko-Segev-V.-Vinayagamurthy'14]: assuming "sub-exponential LWE", there is an ABE scheme for the class of all poly-size circuits (of a-priori bounded depth). Theorem 1.2 [Goldwasser-Kalai-Popa-V.-Zeldovich'13]: FHE for P + ABE for (bounded-depth) P + (one-time) garbling ⇒ FE for (bounded-depth) P; that is, a compiler from ABE to (single-key, succinct) FE.

17 Theorem 1.1 + Theorem 1.2 = FE from sub-exponential LWE. ABE (from sub-exponential LWE, Theorem 1.1) + FHE (from LWE [GSW13, BV14]) + Yao garbling → single-key succinct FE and reusable garbled circuits (Theorem 1.2).

18 (Recall Yao's garbled circuits.) KEY IDEA: labels as strings are single-use; labels as functions can be used many times.

19 ABE Construction (figure, e.g., x = 0101). NEED: a family of trapdoor functions.

20 ABE Construction (figure, e.g., x = 0011): a reusable filter.

21 ABE Construction (figure, e.g., x = 0011): a reusable filter, with NO mix-and-match.

22 ABE Construction (figure, e.g., x = 0011): the filters are "two-to-one recoding" keys.

23 What are these Trapdoor Functions? Learning with errors [BFKL'93, Regev'05]. Lattice trapdoors [Ajtai'99, Micciancio-Peikert'13]: sample a uniformly random matrix A together with a trapdoor for it.

24 How to "Recode"? A reusable AND-filter with input matrices A1, A2 and output matrix A3. Let's start with no noise: FIND matrices (R1, R2) SUCH THAT A3 = R1 A1 + R2 A2; the recoding key is the pair (R1, R2). Key idea: linearity! With noise, the R's need to be low-weight (small entries), otherwise recoding blows up the error. Use the "GPV theorem": given a trapdoor for A, find a low-weight R such that R A = B.
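The linearity idea of slide 24 worked through in code, added here as an illustration (not code from the talk or from the GVW'13 paper). Assumptions of this toy: there is no noise, encodings are column vectors psi_i = A_i s (mod q) for a per-ciphertext secret s, the matrices are square and q is a small prime, so a recoding key (R1, R2) with R1 A1 + R2 A2 = A3 can be obtained by plain linear algebra instead of a lattice trapdoor. The last function adds noise back to show why the real scheme must sample low-weight R's; all names, the modulus Q and the dimension N are the example's own choices.

```python
"""Toy two-to-one recoding over Z_q with no noise (added illustration, not
code from the talk).  Encodings are psi_i = A_i s mod Q; a key (R1, R2) with
R1 A1 + R2 A2 = A3 maps (psi1, psi2) to A3 s by linearity, for ANY s, which is
what lets one key be reused across ciphertexts."""
import random

Q = 257   # small prime modulus (assumption; real parameters are far larger)
N = 4     # dimension (assumption)


def rand_matrix(rng: random.Random, rows: int, cols: int) -> list:
    return [[rng.randrange(Q) for _ in range(cols)] for _ in range(rows)]


def mat_mul(A: list, B: list) -> list:
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % Q
             for j in range(len(B[0]))] for i in range(len(A))]


def mat_vec(A: list, v: list) -> list:
    return [sum(a * x for a, x in zip(row, v)) % Q for row in A]


def mat_sub(A: list, B: list) -> list:
    return [[(a - b) % Q for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]


def mat_inv(A: list) -> list:
    """Gauss-Jordan inverse modulo the prime Q; raises ValueError if singular."""
    n = len(A)
    M = [row[:] + [int(i == j) for j in range(n)] for i, row in enumerate(A)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if M[r][col] % Q), None)
        if pivot is None:
            raise ValueError("singular matrix")
        M[col], M[pivot] = M[pivot], M[col]
        inv = pow(M[col][col], -1, Q)
        M[col] = [x * inv % Q for x in M[col]]
        for r in range(n):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(x - f * y) % Q for x, y in zip(M[r], M[col])]
    return [row[n:] for row in M]


def rand_invertible(rng: random.Random) -> list:
    while True:
        A = rand_matrix(rng, N, N)
        try:
            mat_inv(A)
            return A
        except ValueError:
            continue


def recoding_key(A1: list, A2: list, A3: list, rng: random.Random) -> tuple:
    """No-noise key: pick R2 at random, solve R1 = (A3 - R2 A2) A1^{-1}."""
    R2 = rand_matrix(rng, N, N)
    R1 = mat_mul(mat_sub(A3, mat_mul(R2, A2)), mat_inv(A1))
    return R1, R2


def recode(key: tuple, psi1: list, psi2: list) -> list:
    """psi3 = R1 psi1 + R2 psi2 = (R1 A1 + R2 A2) s = A3 s."""
    R1, R2 = key
    return [(x + y) % Q for x, y in zip(mat_vec(R1, psi1), mat_vec(R2, psi2))]


def reusable_filter_demo(seed: int = 7, ciphertexts: int = 5) -> bool:
    """One key (R1, R2) recodes encodings made with a fresh secret s each
    time: the reusability that string labels in Yao's scheme lack."""
    rng = random.Random(seed)
    A1, A2, A3 = rand_invertible(rng), rand_matrix(rng, N, N), rand_matrix(rng, N, N)
    key = recoding_key(A1, A2, A3, rng)
    return all(recode(key, mat_vec(A1, s), mat_vec(A2, s)) == mat_vec(A3, s)
               for s in (rand_matrix(rng, 1, N)[0] for _ in range(ciphertexts)))


def noise_after_recoding(key: tuple, e1: list, e2: list) -> int:
    """With noisy encodings psi_i = A_i s + e_i, recoding yields
    A3 s + (R1 e1 + R2 e2).  Returns max |R1 e1 + R2 e2| after centering
    mod Q: small entries in R keep it small; a random R makes it uniform."""
    R1, R2 = key
    err = [(x + y) % Q for x, y in zip(mat_vec(R1, e1), mat_vec(R2, e2))]
    return max(abs(x - Q if x > Q // 2 else x) for x in err)


def low_weight_key_demo(seed: int = 7) -> int:
    """Contrast case with R1, R2 and errors in {-1, 0, 1}: the recoded error
    is at most 2*N.  (In the real scheme a trapdoor samples such a small R
    for an independently chosen A3; here the small R is simply assumed.)"""
    rng = random.Random(seed)
    small = lambda: rng.choice((-1, 0, 1)) % Q
    R1 = [[small() for _ in range(N)] for _ in range(N)]
    R2 = [[small() for _ in range(N)] for _ in range(N)]
    return noise_after_recoding((R1, R2), [small() for _ in range(N)],
                                [small() for _ in range(N)])
```

`reusable_filter_demo()` returns True: the same (R1, R2) turns encodings of five independent secrets s into encodings under A3. `low_weight_key_demo()` returns an error of at most 2N, while feeding the random-looking key from `recoding_key` into `noise_after_recoding` gives an error that is essentially uniform mod Q, which is why the real construction needs the trapdoor-based GPV sampling of small R rather than the linear-algebra solution used here.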

25 (Theorems 1.1 and 1.2 of slide 16, repeated: ABE for bounded-depth circuits from sub-exponential LWE, and the compiler FHE + ABE + one-time garbling ⇒ single-key succinct FE.)

26 ABE + FHE + Yao = Single-key Succinct FE. Starting point: FE secret key for C = ABE.SK_C; FE encryption of x = ABE.Enc(x, L0, L1), so decryption reveals the label L_{C(x)}. Idea 1: to hide x, encrypt it with FHE and generate ABE keys for the FHE evaluation circuit Eval_C instead: FE secret key for C = ABE.SK_{Eval_C}; FE encryption of x = ABE.Enc(FHE.Enc(x), {L_{i,0}, L_{i,1}}), one label pair per output bit i. ABE decryption yields L_{i, fhe.ct_i}, where fhe.ct is the FHE encryption of C(x). Idea 2: Yao-garble the FHE decryption circuit FHE.Dec_SK with input labels L_{i,b} and attach the garbled circuit to the ciphertext; the labels recovered from ABE let the decryptor evaluate it and obtain C(x). Yao garbling is single-use, so the resulting FE is single-key.

27 Reusable Garbled Circuits. Garble C: FE.SK_C. Encode x: FE.Enc(x). Problem: this hides x but not C. Solution: use a universal circuit U and encrypt C under a simple secret-key encryption. Garble C: FE.SK for the circuit U(SymEnc(symsk, C), ·, ·), which on input (symsk, x) decrypts C and evaluates it on x. Encode x: FE.Enc(symsk, x). Garble once, encode many times (using the same symsk). Chain of reductions: one-time garbling → ABE → (single-key) FE → reusable garbling.

28 Garbled Circuits, FE & Friends (the table of slide 13 again; the remaining slides turn to the many-key row: many-key FE for NC1 → reusable garbled circuits for many-bit functions → indistinguishability obfuscation [Bitansky-V'15, Ananth-Jain'15, Lin-Pass-Seth-Telang'16]).

29 Obfuscation = Public-key Garbling [BGIRSVY'01, GR'07, GGHRSW'13, SW'14]. Obfuscation of circuit C: Obf(C). Evaluation on input x: C(x). Same as reusable garbling except that evaluation is public: obfuscation is public-key (and therefore reusable) garbling. Indistinguishability obfuscation: for functionally equivalent circuits C0 ≣ C1, Obf(C0) ≈ Obf(C1).

30 Theorem: Reusable Garbling++ to IO [Bitansky-V.'15, Ananth-Jain'15, simplified by Lin-Pass-Seth-Telang'16]. If there is a compact reusable garbled circuit scheme and sub-exponentially secure one-way functions, then there is an IO scheme. Picture: many-key FE ↔ compact reusable GC ↔ IO, where IO → many-key FE is easy [GGHRSW'13] and compact reusable GC → IO is this theorem. Terminology: succinct means the garbled input size is independent of |C| for one-bit functions; ++ = compact means the garbled input size is independent of |C| for many-bit functions.

31 Theorem: Reusable Garbling++ to IO. Idea in a nutshell: encodings that output (two) encodings. Π_k takes as input a (k−1)-bit string x and outputs encodings of x0 and x1. Obf(C) = (Enc(ε), Garble(Π_1), Garble(Π_2), …, Garble(Π_{n−1}), Garble(Π_n), Garble(C)). Evaluation on an n-bit input walks a root-to-leaf path of a binary tree: Enc(ε) → Enc(0) or Enc(1) → … → Enc(0^{n−2}), Enc(0^{n−3}1), …, Enc(1^{n−2}) → Enc(0^{n−1}), Enc(0^{n−2}1), …, Enc(1^{n−1}) → Enc(0^n), Enc(0^{n−1}1), …, Enc(1^n); finally Garble(C) evaluated on Enc(x) gives C(x). Compactness is needed to avoid exponential blowup: the size of each encoding must not grow with the size of the garbled program it feeds, or the sizes compound across the n levels. (More in Rafael's talk Wed.)

32 "Cryptopia" through the Garbling Lens: fully homomorphic encryption, functional encryption, indistinguishability obfuscation, attribute-based encryption. (Key property: reusability.)

33 Many Open Questions. Many-key FE (and thus IO) from LWE ($300 from Amit + $100 from me). Unconditional garbled circuits for all of P: Yao needs one-way functions; Applebaum-Ishai-Kushilevitz'04 is unconditional for logspace; Ishai-Kushilevitz-Paskin'12 show "degree-2" is impossible ($100 to resolve this one way or the other).

34 Thank You!
