Succinct Functional Encryption: Reusable Garbled Circuits and Beyond
Yael Kalai, Microsoft Research
Joint work with: Shafi Goldwasser, Raluca Ada Popa, Vinod Vaikuntanathan, Nickolai Zeldovich (MIT, U Toronto)
* Thanks to Raluca and Vinod for the slides.

Example: Spam Filters
[Diagram: Sender, Spam filter, Receiver; $E[\mathit{email}]$ goes into FHE.Eval of filter, which outputs $E[\mathit{email}]$ and $E[\text{spam?}]$]
FHE is not enough! Need to decrypt computation result but nothing else!

Desired: Functional Encryption (FE) [Boneh-Sahai-Waters11, O’Neill11]
Allows evaluator to decrypt computation result
[Diagram: Client sends $E[x_1], \ldots, E[x_n]$; Evaluator holds $sk_f$ and can compute $f(x_1), \ldots, f(x_n)$]
Syntax:
  $(MSK, MPK) \leftarrow \mathrm{FE.Setup}(1^k)$
  $ct \leftarrow \mathrm{FE.Enc}(MPK, x)$
  $sk_f \leftarrow \mathrm{FE.KeyGen}(MSK, f)$
  $f(x) \leftarrow \mathrm{FE.Dec}(sk_f, ct)$
Can release only one function key [Agrawal-Gorbunov-Vaikuntanathan-Wee12]

Outline
  Example: Spam filters
  Problem we solve: Functional Encryption (under LWE assumption)
  Prior work
  Main Application: Reusable Garbled Circuits
  Application 2: FHE for Turing machines
  Application 3: Publicly Verifiable and Secret Delegation
  Our constructions

Prior Work
  Functional encryption for inner product functions [Katz-Sahai-Waters’08, Shen-Shi-Waters’09]
  Public-index functional encryption (also known as ABE or predicate encryption) [Sahai-Waters’05, Goyal-Pandey-Sahai-Waters’06, Bethencourt-Sahai-Waters’07, Goyal-Jain-Pandey-Sahai’08, Lewko-Okamoto-Sahai-Takashima-Waters’10, Waters’11, Lewko-Waters’12, Waters’12, Sahai-Waters’12, Gorbunov-Vaikuntanathan-Wee’13,…]
  [Gorbunov-Vaikuntanathan-Wee’12]: Functional encryption for general functions, where $|E[x]|$ grows with circuit size (e.g. size of email encryption depends on spam filter program size)

Open question: Is there a FE scheme for general functions with ciphertext size << circuit size ("succinct")?

Our contribution: Succinct functional encryption
Theorem. A FE scheme with succinct ciphertexts for general functions can be constructed from:
  FHE scheme
  public-index functional encryption scheme
Corollary. Under the sub-exp. LWE assumption, for any depth $d$, there is a FE scheme with succinct ciphertexts (whose size grows with $d$) for general functions computable by circuits of depth $d$.

Main Application: Reusable Garbled Circuits
Yao garbled circuits [Yao82] are used in:
  Secure two-party computation [Yao86]
  (Constant round) multi-party computation [BMR90]
  Parallel cryptography [AIK05]
  One-time programs [GKR08]
  Key-dependent message (KDM) security [BHHI09, A11]
  Outsourcing computation [GGP10]
  Circuit-private homomorphic encryption [GHV10]
  and many others

Yao Garbled Circuits [Yao 82]
[Figure: Boolean circuit C is turned by Garble(C) into garbled circuit GC; input $x$ is turned by Garble(x) into garbled input $g_x$, chosen from wire labels L1,0, L1,1, L2,0, L2,1, L3,0, L3,1, L4,0, L4,1]

Yao Garbled Circuits (Cont.)
[Figure: garbled circuit GC and garbled input $g_x$ over wire labels L1,0, L1,1, L2,0, L2,1, L3,0, L3,1, L4,0, L4,1]
Correctness: Given GC and $g_x$, can compute $C(x)$.
Security (Input & Circuit privacy): Given $C(x)$ and $1^{|C|}$, can simulate $(GC, g_x)$.
Efficiency: $|GC| = p(|C|)$ and $|g_x| = p(|x|)$

Yao Garbled Circuits (Cont.)
[Figure: garbled circuit GC and garbled input $g_x$ over wire labels L1,0, L1,1, L2,0, L2,1, L3,0, L3,1, L4,0, L4,1]
Theorem: [Yao86] If one-way functions exist, any polynomial-size circuit family can be garbled.

Drawback: One-time
[Figure: garbled circuit GC with wire labels L1,0, L1,1, L2,0, L2,1, L3,0, L3,1, L4,0, L4,1; two garbled inputs, for $x = 0110$ and $x' = 1001$]
Insecure to release two encodings $g_x$ and $g_{x'}$
No input or circuit privacy guarantees!
Can compute $C(x)$ for unintended inputs $x$!

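The one-time drawback above can be reproduced on a single garbled gate. The following is an added example, not code from the slides: the hash-derived row keys, the all-zero tag used to recognise the correct row, and all function names are simplifying assumptions chosen for illustration.

```python
import hashlib
import itertools
import secrets

TAG = b"\x00" * 15  # redundancy marking a correctly decrypted row (assumption)

def _pad(la: bytes, lb: bytes) -> bytes:
    # Row key derived from one label per input wire.
    return hashlib.sha256(la + lb).digest()[:16]

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def garble_gate(gate):
    """Garble(C) for a single two-input gate: returns (GC, wire labels)."""
    labels = [[secrets.token_bytes(16) for _bit in (0, 1)] for _wire in (0, 1)]
    rows = [_xor(_pad(labels[0][a], labels[1][b]), TAG + bytes([gate(a, b)]))
            for a, b in itertools.product((0, 1), repeat=2)]
    secrets.SystemRandom().shuffle(rows)  # hide which row belongs to which input
    return rows, labels

def garble_input(labels, x):
    """Garble(x): one label per wire, chosen by the bits of x."""
    return [labels[wire][bit] for wire, bit in enumerate(x)]

def evaluate(gc, gx):
    """Evaluator: only the row keyed by the held labels decrypts to TAG."""
    for row in gc:
        plain = _xor(_pad(gx[0], gx[1]), row)
        if plain[:15] == TAG:
            return plain[15]
    raise ValueError("labels do not open any row")

def outputs_learned(gc, encodings):
    """Every output reachable by mixing labels from the released encodings."""
    wire0 = {enc[0] for enc in encodings}
    wire1 = {enc[1] for enc in encodings}
    return sorted(evaluate(gc, [la, lb]) for la in wire0 for lb in wire1)

if __name__ == "__main__":
    gc, labels = garble_gate(lambda a, b: a & b)   # C = AND
    gx = garble_input(labels, (0, 1))              # intended: C(01) = 0
    gx2 = garble_input(labels, (1, 0))             # intended: C(10) = 0
    print(outputs_learned(gc, [gx]))               # one encoding released
    print(outputs_learned(gc, [gx, gx2]))          # two encodings released
```

With one encoding the evaluator learns a single output; with both, it holds every label on every wire and also obtains the outputs for 00 and 11, which the garbler never intended to release.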
Main Application: Reusable Garbling
Theorem: Under the sub-exp. LWE, there is a reusable circuit garbling scheme for poly size circuits such that:
  $|GC| = \mathrm{poly}(n, |C|)$
  $|g_x| = \mathrm{poly}(n, |x|, d)$
where $d$ is the depth of $C$ ($n$: security parameter)

Application 2: FHE for Turing machines
[Diagram: Client, Evaluator, Program; $E[\text{input}]$, $E[\text{result}]$]
circuit size ≥ worst-case running time of program
Decrypt only the runtime of the instance, to avoid worst-case!

Application 3: Publicly-verifiable delegation with secrecy
  [Gennaro-Gentry-Parno’10]: Yao + FHE ⇒ secret privately-verifiable delegation
  [Parno-Raikova-Vaikuntanathan’12]: public-index FE ⇒ non-secret publicly-verifiable delegation
  succinct FE ⇒ publicly-verifiable delegation with secrecy

Outline
[Diagram: LWE; public-index FE + FHE + Yao garbling; (1) succinct functional encryption; (2) reusable garbled circuits & FHE with input-specific efficiency; publicly-verifiable delegation with secrecy; implication to obfuscation. Two parts of the diagram are marked "Not today".]

Construction of FE
Public-Index Functional Encryption (also known as ABE or predicate encryption)
Leaks input to the computation:
  $ct \leftarrow \mathrm{Enc}(mpk, x, m)$
  $\mathrm{Dec}(sk_f, ct) = \begin{cases} m, & \text{if } f(x) = 1 \\ \bot, & \text{if } f(x) = 0 \end{cases}$
Variant:
  $ct \leftarrow \mathrm{Enc}(mpk, x, m_0, m_1)$
  $\mathrm{Dec}(sk_f, ct) = \begin{cases} m_0, & \text{if } f(x) = 1 \\ m_1, & \text{if } f(x) = 0 \end{cases}$
[Gorbunov-Vaikuntanathan-Wee13]: Public-index functional encryption for any (a priori fixed) depth $d$ circuit, based on sub-exp. LWE assumption.

Intuition
IDEA: Start with FHE
  $\hat{x} \leftarrow \mathrm{FHE.Enc}(x)$
  $sk_f \leftarrow f$
  $\widehat{f(x)} \leftarrow \mathrm{FHE.Eval}(f, \hat{x})$ (Not $f(x)$!)
IDEA: Use (one-time) Yao garbled circuit for decryption

Intuition
FE.Enc of input $x$:
  1. $\hat{x} \leftarrow \mathrm{FHE.Enc}(x)$
  2. Generate garbled circuit $\Gamma$ and labels $\{L_0^i, L_1^i\}_i$ for $\mathrm{Dec}_{sk}$
  Output $\hat{x}, \Gamma$
FE.KeyGen for circuit $f$:
  $sk_f \leftarrow f$
FE.Dec($sk_f$, $ct$) should obtain $f(x)$:
  1. $ct = \widehat{f(x)} \leftarrow \mathrm{FHE.Eval}(f, \hat{x})$
  2. Obtain labels $\{L^i_{ct_i}\}$ for $f(x)$ (How??)
  3. Compute $\mathrm{Gb.Eval}(\Gamma, \{L^i_{e_i}\})$ and get $f(x)$

We need..
  if $\mathrm{FHE.Eval}_i(f, \hat{x}) = 0$, get label $L_0^i$, else get $L_1^i$
  [Annotations on the slide: keep one secret; public predicate; public input]
IDEA: The variant of public-index FE provides exactly this!
  $ct \leftarrow \mathrm{PI.Enc}(\hat{x}, L_0^i, L_1^i)$
  $sk_f \leftarrow \mathrm{PI.KeyGen}(g_i)$
  $\mathrm{PI.Dec}(sk_f, ct) = \begin{cases} L_0^i, & \text{if } g_i(\hat{x}) = 0 \\ L_1^i, & \text{if } g_i(\hat{x}) = 1 \end{cases}$

Intuition
FE.Enc of input $x$:
  1. $\hat{x} \leftarrow \mathrm{FHE.Enc}(x)$
  2. Generate garbled circuit $\Gamma$ and labels $\{L_0^i, L_1^i\}_i$ for $\mathrm{Dec}_{sk}$
  3. $ct_i \leftarrow \mathrm{PI.Enc}(\hat{x}, L_0^i, L_1^i)$
  Output $\hat{x}, \Gamma, ct_i$
FE.KeyGen for circuit $f$:
  $sk_{g_i} \leftarrow \mathrm{PI.KeyGen}(g_i)$, where $g_i = \mathrm{FHE.Eval}_i(f, \cdot)$
FE.Dec($sk_f$, $ct$) should obtain $f(x)$:
  1. $ct = \widehat{f(x)} \leftarrow \mathrm{FHE.Eval}(f, \hat{x})$
  2. Obtain labels $\{L^i_{ct_i}\}$ for $f(x)$
  3. Compute $\mathrm{Gb.Eval}(\Gamma, \{L^i_{e_i}\})$ and get $f(x)$

Outline
[Diagram: public-index FE + FHE + Yao garbling; succinct functional encryption; (2) reusable garbled circuits & FHE with input-specific efficiency; publicly-verifiable delegation with secrecy; implication to obfuscation]

Intuition
  Garble(C): $\Gamma \leftarrow \mathrm{FE.KeyGen}(C)$ (Leaks $C$!)
  Garble(x): $ct \leftarrow \mathrm{FE.Enc}(x)$
IDEA: leverage secrecy of input to hide circuit

Intuition
  Garble(C): $\Gamma \leftarrow \mathrm{FE.KeyGen}(\mathrm{Enc}_{sk}(C))$
  Garble(x): $ct \leftarrow \mathrm{FE.Enc}(x, sk)$

Intuition
  Garble(C): $\Gamma \leftarrow \mathrm{FE.KeyGen}(U_{\mathrm{Enc}_{sk}(C)})$
  Garble(x): $ct \leftarrow \mathrm{FE.Enc}(x, sk)$
Correctness? $U_E$ on input $sk$ and $x$:
  Decrypt $E$ to obtain $C$
  Run $C(x)$
Security? Reusability?

Summary
[Diagram: LWE; public-index FE + FHE + Yao garbling; (1) succinct functional encryption; (2) reusable garbled circuits & FHE with input-specific efficiency; publicly-verifiable delegation with secrecy; implication to obfuscation. Two parts of the diagram are marked "Not today".]

Thank you!
[Diagram: LWE; public-index FE + FHE + Yao garbling; (1) succinct functional encryption; (2) reusable garbled circuits & FHE with input-specific efficiency; publicly-verifiable delegation with secrecy; implication to obfuscation]