Efficient Garbling from a Fixed-Key Blockcipher
Mihir Bellare (UC San Diego), Viet Tung Hoang (UC San Diego), Sriram Keelveedhi (UC San Diego), Phillip Rogaway (UC Davis)
Applied MPC workshop, February 20, 2014
[Yao 82, 86] (figure: a conventional circuit next to its garbled circuit)
[Yao 82, 86] (figure: a garbled gate with two input wires and its four garbled rows X1, X2, X3, X4, labelled A, B, C, D)
Garbling schemes
Garbled circuits were traditionally viewed as a technique for 2-party SFE, and the optimizations (free xor, garbled-row reduction) are only proved for the SFE setting. But garbled circuits are used in tens of applications: private function evaluation, verifiable computation, KDM-secure encryption, secure database mining, privacy-preserving auctions, mobile oblivious computing, worry-free encryption, semi-private function evaluation, server-aided SFE, privacy-preserving credit checking, ...
[BHR12]: formalize garbled circuits as a primitive, the garbling scheme.
Contributions
Faster realization (of the doubly-locked boxes):
- design new garbling schemes, with proofs and concrete security
- attack prior implementations [KS08, PSSW09]
- implement the schemes (JustGarble): ~100x speedup
Better circuit representation.
Syntax [BHR12]
Conceptually, a function f: {0,1}^n → {0,1}^m is garbled as f = d ∘ F ∘ e: the encoding function e maps the input x to the garbled input X, the garbled function F maps X to the garbled output Y, and the decoding function d maps Y to the output y. One should distinguish the functions (f, e, F, d) from the strings (f, e, F, d) that describe them; the strings are interpreted by ev, En, Ev, De.
Syntax [BHR12]
A garbling scheme is a 5-tuple (Gb, En, De, Ev, ev):
  (F, e, d) ← Gb(1^k, f)   garble f into a garbled function, encoding information and decoding information
  X ← En(e, x)             encode the input
  Y ← Ev(F, X)             evaluate the garbled function
  y ← De(d, Y)             decode the output
  y ← ev(f, x)             the plain evaluation of f
Correctness: for all f, x, k, if (F, e, d) ← Gb(1^k, f), X ← En(e, x), Y ← Ev(F, X), y ← De(d, Y), then y = ev(f, x).
Privacy, very informally
Intuition: given (F, X, d), you learn nothing but y = f(x) = d(F(X)).
A garbled function F will leak some information about f; the side-information function Φ says how much:
- Φ(f) = size(f): reveal the size of f
- Φ(f) = topo(f): reveal the topology of f
- Φ_xor: reveal the topology of f plus which gates are XOR
- Φ(f) = f: reveal all of f
Privacy (indistinguishability)
Game for adversary A(1^k) with a hidden challenge bit b. Oracle GARBLE(f0, f1, x0, x1): if f0(x0) ≠ f1(x1) or Φ(f0) ≠ Φ(f1), reject the query; otherwise
  b = 0: (F, e, d) ← Gb(1^k, f0), X ← En(e, x0)
  b = 1: (F, e, d) ← Gb(1^k, f1), X ← En(e, x1)
and return (F, X, d). A outputs a guess b'.
Adv^{prv,Φ}(A, k) = 2·Pr[b = b'] − 1.
The scheme is prv-secure w.r.t. Φ if for all PPT A this advantage is negligible.
Privacy (simulation)
Game for adversary A(1^k) and simulator S, with a hidden challenge bit b. Oracle GARBLE(f, x): y ← ev(f, x);
  b = 1: (F, e, d) ← Gb(1^k, f), X ← En(e, x)
  b = 0: (F, X, d) ← S(1^k, y, Φ(f))
and return (F, X, d). A outputs a guess b'.
Adv^{prv.sim,Φ}_S(A, k) = 2·Pr[b = b'] − 1.
The scheme is prv.sim-secure w.r.t. Φ if for all PPT A there exists a PPT S such that this advantage is negligible.
Achieving prv: scheme Ga
Dual-key cipher: {0,1}^{2k} × {0,1}^t × {0,1}^k → {0,1}^k, taking two k-bit keys (one label from each incoming wire), a t-bit tweak and a k-bit input, and returning a k-bit output. Each wire carries two k-bit labels; a garbled gate consists of the four DKC outputs, one per pair of incoming labels, and the LSBs of the labels are used to identify the row of the gate (figure: gate 3 with incoming labels A, B and C, D and outgoing labels X, Y).
How to make the DKC?
[HEKM11], [KSS12]: AES-based DKCs, using Intel AES-NI (AESENC, AESDEC, etc.).
Today: permutation-based DKCs built from a fixed permutation π (a fixed-key blockcipher), analyzed in the random-permutation model (RPM).
Theorem. Ga[π] is prv-secure over Φ_topo in the RPM: Adv^{prv,Φ_topo}_{Ga[π]}(A) ≤ (48Qq + 84q² + 30Q + 84q) / 2^k, where Q is the number of oracle queries and q the number of gates.
Free-xor optimization [KS08]
Choose a secret global string R ←$ {0,1}^{k−1}1 (a random k-bit string whose last bit is 1). The two labels of every wire then differ by R (A and A ⊕ R, B and B ⊕ R, ...), so the output label of an XOR gate is just the XOR of its input labels and the gate needs no garbled table (figure: wires A, B, C, D, E, Y, Z).
Free-xor helps [KS08]
Real-world circuits can be made rich in XORs.
Basic AES circuit: ~28K gates, 56% XOR gates; with free-xor, size ~1.75 MB, garbling ~112K encryptions.
Refactored, optimized AES circuit: ~37K gates, 82% XOR gates; with free-xor, size ~430 KB, garbling ~24K encryptions, about 5x better.
Attacks on [KS08, PSSW09]
Their dual-key cipher computes H(A[1:k−1] ‖ T) ⊕ H(B[1:k−1] ‖ T) ⊕ X, with H modeled as a random oracle. To avoid problems, a gate's incoming wires must be distinct: otherwise A = B, the two hash terms cancel and X is output in the clear, so there is no security. With free-xor, distinct wires might have the same keys!
Incompatibility of the π-based DKC with free-xor
The dual-key cipher computes π(K) ⊕ K ⊕ X with K = A ⊕ B ⊕ T. Write ρ(x) = π(x) ⊕ x, let A and B be one label of each incoming wire (the slide writes A = A1, B = B0), A ⊕ R and B ⊕ R the other labels, and X and X ⊕ R the outgoing labels. The four rows of an AND gate (tweak omitted) are:
  (A, B):          ρ(A ⊕ B) ⊕ X
  (A, B ⊕ R):      ρ(A ⊕ B ⊕ R) ⊕ X
  (A ⊕ R, B):      ρ(A ⊕ B ⊕ R) ⊕ X
  (A ⊕ R, B ⊕ R):  ρ(A ⊕ B) ⊕ X ⊕ R
The two middle rows are identical, and the first and last rows XOR to R: the global offset leaks from the garbled table.
Breaking the symmetry
Multiply in GF(2^k) by the element x = 0^{k−2}10, writing 2B for x·B. The dual-key cipher now computes π(K) ⊕ K ⊕ X with K = A ⊕ 2B ⊕ T, and (A ⊕ R) ⊕ 2(B ⊕ R) = A ⊕ 2B ⊕ 3R, so the four keys of a gate are distinct. The rows of an OR gate (tweak omitted), with A = A1, B = B0 as before, and V the row for (A ⊕ R, B):
  (A, B):          π(A ⊕ 2B) ⊕ A ⊕ 2B ⊕ X
  (A ⊕ R, B):      π(A ⊕ 2B ⊕ R) ⊕ A ⊕ 2B ⊕ X   = V
  (A, B ⊕ R):      π(A ⊕ 2B ⊕ 2R) ⊕ A ⊕ 2B ⊕ X ⊕ 3R
  (A ⊕ R, B ⊕ R):  π(A ⊕ 2B ⊕ 3R) ⊕ A ⊕ 2B ⊕ X ⊕ 2R
Still broken: from A, B, X and V one computes R = π^{−1}(V ⊕ A ⊕ 2B ⊕ X) ⊕ A ⊕ 2B, because in row V the R in the key and the R in the outgoing label cancel, and π is a public permutation.
A DKC that works
Multiply in GF(2^k) by x² = 0^{k−3}100 as well: the dual-key cipher computes π(K) ⊕ K ⊕ X with K = 2A ⊕ 4B ⊕ T. Now 2(A ⊕ R) ⊕ (X ⊕ R) = 2A ⊕ X ⊕ 3R: the non-permuted part of a row always depends on R, so the cancellation above disappears.
Scheme GaX = Ga + free-xor.
Theorem. GaX[π] is prv-secure over Φ_xor in the RPM: Adv^{prv,Φ_xor}_{GaX[π]}(A) ≤ (54Qq + 99q² + 36Q + 108q) / 2^k, where Q is the number of oracle queries and q the number of gates.
Other "doubling" methods work too: a logical shift, or a SIMD shift (left half >> 1) ‖ (right half >> 1).
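As an added example (not code from the slides or from JustGarble), the following Python compares the three key derivations of the last three slides on a toy scale: K = A ⊕ B ⊕ T, K = A ⊕ 2B ⊕ T and K = 2A ⊕ 4B ⊕ T, each inside the cipher π(K) ⊕ K ⊕ X. It assumes k = 16, a seeded shuffle as the public permutation π, a logical left shift as the doubling (one of the alternatives the slide allows), the gate's tweak T included in the key, and constructed labels A, B, X, R; `garble_rows`, `r_dependence` and the other names are this example's own.

```python
import random

K = 16                      # label length in bits (toy size; the schemes use k = 128)
MASK = (1 << K) - 1

# Public fixed permutation pi on K-bit strings and its inverse, standing in for a
# fixed-key blockcipher. Constructed as a seeded shuffle so the example runs offline.
_PI = list(range(1 << K))
random.Random(2014).shuffle(_PI)
_PI_INV = [0] * (1 << K)
for _i, _v in enumerate(_PI):
    _PI_INV[_v] = _i

def pi(x):
    return _PI[x]

def pi_inv(y):
    return _PI_INV[y]

def double(x):
    # "2x": a logical left shift, one of the doubling methods the slide says works
    return (x << 1) & MASK

# The three key derivations under comparison; the cipher is always pi(K) ^ K ^ out.
def key_sym(A, B, T):     # K = A ^ B ^ T
    return A ^ B ^ T

def key_asym(A, B, T):    # K = A ^ 2B ^ T
    return A ^ double(B) ^ T

def key_gax(A, B, T):     # K = 2A ^ 4B ^ T (the GaX choice)
    return double(A) ^ double(double(B)) ^ T

def AND(a, b):
    return a & b

def OR(a, b):
    return a | b

def garble_rows(key_fn, gate, A, B, X, R, T):
    """Garble the four rows of one gate under free-xor: wire labels (A, A^R), (B, B^R),
    outgoing labels (X, X^R). Returns {(va, vb): ciphertext} keyed by the plaintext bits."""
    rows = {}
    for va in (0, 1):
        for vb in (0, 1):
            Kk = key_fn(A ^ R * va, B ^ R * vb, T)
            out = X ^ R * gate(va, vb)
            rows[(va, vb)] = pi(Kk) ^ Kk ^ out
    return rows

def r_dependence(key_fn, gate, A, B, X, R, T):
    """The non-permuted part K ^ out of each row, relative to the (0,0) row.
    A zero entry means that row's K ^ out carries no R at all; repeated entries
    mean rows share the same masking."""
    base = key_fn(A, B, T) ^ X
    return {(va, vb): key_fn(A ^ R * va, B ^ R * vb, T) ^ X ^ R * gate(va, vb) ^ base
            for va in (0, 1) for vb in (0, 1)}

def symmetric_rows_collide(A, B, X, R, T):
    """K = A^B^T: the rows for (A, B^R) and (A^R, B) are identical, and the other
    two rows xor to the global offset R."""
    rows = garble_rows(key_sym, AND, A, B, X, R, T)
    return rows[(0, 1)] == rows[(1, 0)] and rows[(0, 0)] ^ rows[(1, 1)] == R

def offset_from_asymmetric_rows(A, B, X, R, T):
    """K = A^2B^T: from A, B, X, the public tweak T and the (A^R, B) row V one gets R,
    because K ^ out of that row is R-free and pi is invertible."""
    V = garble_rows(key_asym, OR, A, B, X, R, T)[(1, 0)]
    return pi_inv(V ^ A ^ double(B) ^ X ^ T) ^ A ^ double(B) ^ T

# Constructed sample labels; R has its LSB set to 1 as free-xor requires.
A, B, X, R, T = 0x3A5D, 0x9E20, 0x5D08, 0x7733, 0x0001

if __name__ == "__main__":
    print("symmetric rows collide:", symmetric_rows_collide(A, B, X, R, T))
    print("R recovered from asymmetric rows:", offset_from_asymmetric_rows(A, B, X, R, T) == R)
    print("distinct R-masks under GaX key:", len(set(r_dependence(key_gax, AND, A, B, X, R, T).values())))
```

With K = A ⊕ B ⊕ T, `r_dependence` shows only two distinct masks (0 and R) across the four rows; with K = A ⊕ 2B ⊕ T the (A ⊕ R, B) row has mask 0, which is exactly what the π^{−1} computation above exploits; with K = 2A ⊕ 4B ⊕ T all four masks (0, 2R, 4R, 2R ⊕ 4R ⊕ R) are distinct, so no row is R-free and no two rows coincide by construction.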
Garbled-row reduction [PSSW09]
Scheme GaXR = Ga + free-xor + garbled-row reduction.
Theorem. GaXR[π] is prv-secure over Φ_xor in the RPM: Adv^{prv,Φ_xor}_{GaXR[π]}(A) ≤ (58Qq + 114q² + 36Q + 123q) / 2^k, where Q is the number of oracle queries and q the number of gates.
Experimental results (unit: cycles per gate)
AES circuit (~37K gates, ~82% XOR gates):
              Ga    GaX   GaXR
  Evaluating   52    23    24
  Garbling    221    56    57
Garbling time of [KSS12]: 5750 cycles per gate.
EDT-255 circuit (~16M gates, ~59% XOR gates): garbling time (GaXR) 101 cycles per gate, evaluating time (GaXR) 48 cycles per gate. Garbling time of [KSS12]: 6400 cycles per gate.
Better circuit representation
[KSS12] spends most of its time in non-cryptographic operations; one reason is the complex data structure used to represent circuits. [BHR12] formalizes circuits as C = (n, m, q, A, B, G): the integers n, m, q and the integer arrays A, B, G. We implement this simple circuit representation to programmatically realize [BHR12].
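As an added example that is neither the slides' nor JustGarble's code, this Python puts the [BHR12] syntax (Gb, En, De, Ev, ev) and correctness condition from the syntax slides together with the circuit representation C = (n, m, q, A, B, G) above into a runnable GaX-style garbling scheme with free-xor and point-and-permute, and checks correctness exhaustively on a constructed full-adder circuit. Assumptions: k = 16, a seeded shuffle standing in for the fixed-key permutation π, logical-shift doubling inside the DKC, tweak T = gate index, gate i drives wire n + i, and the last m wires are the outputs; the gate-type strings and all function bodies are this example's own.

```python
import random

K = 16                    # label length in bits (toy size; the paper's schemes use k = 128)
MASK = (1 << K) - 1

# Public fixed permutation pi on K-bit strings, standing in for fixed-key AES.
# Constructed as a seeded shuffle so the example runs offline.
_PI = list(range(1 << K))
random.Random(2014).shuffle(_PI)

def pi(x):
    return _PI[x]

def double(x):
    return (x << 1) & MASK   # "2x" by logical shift, one of the doublings the slides allow

def dkc(A, B, T, X):
    """GaX dual-key cipher: pi(K) ^ K ^ X with K = 2A ^ 4B ^ T.
    It is an involution in X, so the same call decrypts a garbled row."""
    Kk = double(A) ^ double(double(B)) ^ T
    return pi(Kk) ^ Kk ^ X

# Circuit f = (n, m, q, A, B, G) in the [BHR12] style: n inputs, m outputs, q gates.
# Wires are 0..n+q-1; gate i (0 <= i < q) drives wire n+i from wires A[i], B[i] < n+i
# with gate type G[i]; the last m wires are the outputs (this indexing is an assumption).
# Constructed sample: a 1-bit full adder of (a, b, cin) with outputs (sum, cout).
FULL_ADDER = (3, 2, 5,
              [0, 0, 3, 3, 4],                      # A[i]: first input wire of gate i
              [1, 1, 2, 2, 5],                      # B[i]: second input wire of gate i
              ["XOR", "AND", "AND", "XOR", "XOR"])  # wires 3..7: a^b, a&b, (a^b)&cin, sum, cout

def ev(f, x):
    """Plain evaluation ev(f, x) of the circuit on input bits x."""
    n, m, q, A, B, G = f
    w = list(x) + [0] * q
    for i in range(q):
        a, b = w[A[i]], w[B[i]]
        w[n + i] = a ^ b if G[i] == "XOR" else a & b
    return w[n + q - m:]

def Gb(f, seed=7):
    """Gb(1^k, f) -> (F, e, d). Free-xor: every wire carries labels W0 and W0 ^ R with the
    LSB of R set, so a label's LSB is its point-and-permute select bit and XOR gates need no table."""
    n, m, q, A, B, G = f
    rng = random.Random(seed)            # seeded only so the example is reproducible
    R = rng.getrandbits(K) | 1
    W0 = [rng.getrandbits(K) for _ in range(n)] + [0] * q
    tables = []
    for i in range(q):
        a0, b0 = W0[A[i]], W0[B[i]]
        if G[i] == "XOR":
            W0[n + i] = a0 ^ b0          # free xor: outgoing labels are a0^b0 and a0^b0^R
            tables.append(None)
            continue
        W0[n + i] = rng.getrandbits(K)
        rows = [None] * 4
        for va in (0, 1):
            for vb in (0, 1):
                la, lb = a0 ^ R * va, b0 ^ R * vb
                out = W0[n + i] ^ R * (va & vb)
                # row position given by the two select bits; tweak T = gate index
                rows[2 * (la & 1) + (lb & 1)] = dkc(la, lb, i, out)
        tables.append(rows)
    e = [(W0[w], W0[w] ^ R) for w in range(n)]           # both labels of each input wire
    d = [W0[w] & 1 for w in range(n + q - m, n + q)]     # select bit of each output 0-label
    return (f, tables), e, d

def En(e, x):
    return [e[w][x[w]] for w in range(len(x))]

def Ev(F, X):
    (n, m, q, A, B, G), tables = F
    w = list(X) + [0] * q
    for i in range(q):
        a, b = w[A[i]], w[B[i]]
        if G[i] == "XOR":
            w[n + i] = a ^ b
        else:
            w[n + i] = dkc(a, b, i, tables[i][2 * (a & 1) + (b & 1)])
    return w[n + q - m:]

def De(d, Y):
    return [(Y[j] & 1) ^ d[j] for j in range(len(Y))]

def correct_on_all_inputs(f):
    """The [BHR12] correctness condition De(d, Ev(F, En(e, x))) = ev(f, x), checked exhaustively."""
    F, e, d = Gb(f)
    n = f[0]
    for v in range(1 << n):
        x = [(v >> j) & 1 for j in range(n)]
        if De(d, Ev(F, En(e, x))) != ev(f, x):
            return False
    return True

if __name__ == "__main__":
    print("correct on all inputs:", correct_on_all_inputs(FULL_ADDER))
```

The circuit tuple is nothing more than three integers and three integer arrays, which is the point of the slide: garbling and evaluation walk the gates in index order with constant-time array lookups, and the only per-gate work beyond that is the DKC calls for non-XOR gates (four to garble, one to evaluate).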
Concluding remarks
Good foundations → good schemes, as with authenticated encryption, entity authentication, message authentication codes, ...