1 / 23 Efficient Garbling from A Fixed-key Blockcipher
Applied MPC workshop, February 20, 2014
Mihir Bellare (UC San Diego), Viet Tung Hoang (UC San Diego), Phillip Rogaway (UC Davis), Sriram Keelveedhi (UC San Diego)

2 / 23 Conventional circuit and garbled circuit [Yao 82, 86]

3 / 23 Garbled gate [Yao 82, 86]

4 / 23 Garbled circuits → garbling schemes
Traditionally viewed as a technique for 2-party SFE. Optimizations (free-xor, garbled-row reduction) are only proved for the SFE setting.
Garbled circuits are used in tens of applications: private function evaluation, verifiable computation, KDM-secure encryption, worry-free encryption, mobile oblivious computing, privacy-preserving auctions, secure database mining, semi-private function evaluation, server-aided SFE, privacy-preserving credit checking.
[BHR12]: formalize garbled circuits as a primitive, the garbling scheme.

5 / 23 Contributions
Design new garbling schemes: faster realization for doubly-locked boxes, better circuit representation, concrete security, proofs.
Attack prior implementations [KS08, PSSW09].
Implement the schemes: JustGarble, ~100x speedup.

6 / 23 Syntax, conceptual [BHR12]
The initial function is f : {0,1}^n → {0,1}^m. Gb turns f into a garbled function F, an encoding function e and a decoding function d, with f = d ∘ F ∘ e.
En (e) maps the input x to the garbled input X; Ev (F) maps X to the garbled output Y; De (d) maps Y to the output y; ev evaluates f on x.
Should distinguish functions (f, e, F, d) and strings (f, e, F, d).

7 / 23 Syntax [BHR12]
A garbling scheme is a 5-tuple G = (Gb, En, De, Ev, ev).
Correctness: ∀ (f, x, k), if (F, e, d) ← Gb(1^k, f), X ← En(e, x), Y ← Ev(F, X), y ← De(d, Y), then y = ev(f, x).

8 / 23 Privacy, very informally …
Intuition: given (F, X, d), you learn nothing but y = f(x) = d(F(X)).
A garbled function F will leak information about f; the side-information function Φ says how much:
Φ(f) = f: reveal all of f
Φ(f) = topo(f): reveal the topology of f
Φ(f) = size(f): reveal the size of f
Φ_xor(f): reveal the topology of f plus which gates are XOR

9 / 23 Privacy, indistinguishability
Game GARBLE: A(1^k) outputs (f0, f1, x0, x1). If Φ(f0) ≠ Φ(f1) or f0(x0) ≠ f1(x1), return ⊥.
b = 0: (F, e, d) ← Gb(1^k, f0), X ← En(e, x0).
b = 1: (F, e, d) ← Gb(1^k, f1), X ← En(e, x1).
A receives (F, X, d) and outputs a guess b'.
Adv^{prv,Φ}_G(A, k) = 2 Pr[b = b'] − 1. G is prv-secure wrt Φ if ∀ PPT A, Adv is negligible.

10 / 23 Privacy, simulation
Game GARBLE: A(1^k) outputs (f, x); y ← ev(f, x).
b = 0: (F, e, d) ← Gb(1^k, f), X ← En(e, x).
b = 1: (F, X, d) ← S(1^k, y, Φ(f)).
A receives (F, X, d) and outputs a guess b'.
Adv^{prv.sim,Φ,S}_G(A, k) = 2 Pr[b = b'] − 1. G is prv.sim-secure wrt Φ if ∀ PPT A, ∃ PPT S s.t. Adv is negligible.

11 / 23 Achieving prv: scheme Ga
LSBs of the wire labels are used to identify the row of the gate.
Dual-key cipher E: keys ({0,1}^{2k}) × tweak × input ({0,1}^k) → output ({0,1}^k).

12 / 23 How to make the DKC?
AES-based DKCs: [HEKM11], [KSS12].
Today: permutation-based DKCs from a fixed-key blockcipher, like Intel AES-NI (AESENC, AESDEC, etc.).
Theorem: Ga[π] is prv-secure over Φ_topo in the RPM.
Adv^{prv,Φ_topo}_{Ga,RPM}(A) ≤ (48Qq + 84qQ + 84q) / 2^k (Q, q: number of gates and number of oracle queries)

13 / 23 Free-xor optimization [KS08]
Choose a secret global string R ←$ {0,1}^{k−1}1.

14 / 23 Free-xor helps
Real-world circuits can be made to be rich in XORs.
Basic AES circuit: ~28K gates, 56% xor-gates; size ~1.75 MB, garbling ~112K enc.
Free-xor [KS08] plus refactoring gives the optimized AES circuit: ~37K gates, 82% xor-gates; size ~430 KB, garbling ~24K enc (~5x).

15 / 23 Attacks on [KS08, PSSW09]
E(A, B, T, X) = H(A[1:k−1] ‖ T) ⊕ H(B[1:k−1] ‖ T) ⊕ X, with H modeled as a random oracle.
To avoid problems, a gate's incoming wires must be distinct: otherwise A = B ⇒ no security.
With free-xor, distinct wires might have the same keys!

16 / 23 Attacks on [KS08, PSSW09]

17 / 23 Incompatibility of E = π(K) ⊕ K ⊕ X, K = A ⊕ B ⊕ T, with free-xor
Write ρ(x) = π(x) ⊕ x. AND gate with input wires A, B and output wire X; under free-xor the 1-labels are A ⊕ R, B ⊕ R, X ⊕ R. Garbled rows (tweak omitted):
(a, b) = (0, 0): ρ(A ⊕ B) ⊕ X
(a, b) = (0, 1): ρ(A ⊕ B ⊕ R) ⊕ X
(a, b) = (1, 0): ρ(A ⊕ B ⊕ R) ⊕ X
(a, b) = (1, 1): ρ(A ⊕ B) ⊕ X ⊕ R

18 / 23 Breaking the symmetry: K = A ⊕ 2B ⊕ T
Multiply in GF(2^k) by the element x. OR gate, free-xor labels as before; garbled rows (tweak omitted):
(a, b) = (0, 0): π(A ⊕ 2B) ⊕ A ⊕ 2B ⊕ X
(a, b) = (0, 1): π(A ⊕ 2B ⊕ 2R) ⊕ A ⊕ 2B ⊕ X ⊕ 3R
(a, b) = (1, 0): π(A ⊕ 2B ⊕ R) ⊕ A ⊕ 2B ⊕ X
(a, b) = (1, 1): π(A ⊕ 2B ⊕ 3R) ⊕ A ⊕ 2B ⊕ X ⊕ 2R
(A ⊕ R) ⊕ 2(B ⊕ R) = A ⊕ 2B ⊕ 3R. With V the (1, 0) row, compute R = π^{−1}(V ⊕ A ⊕ 2B ⊕ X) ⊕ A ⊕ 2B.

19 / 23 A DKC that works: E = π(K) ⊕ K ⊕ X with K = 2A ⊕ B ⊕ T
Multiply in GF(2^k) by the element x^2. 2(A ⊕ R) ⊕ (X ⊕ R) = 2A ⊕ X ⊕ 3R.
Other "doubling" methods work: logical shift, SIMD shift ((left half >> 1) ‖ (right half >> 1)).
Scheme GaX = Ga + free-xor.
Theorem: GaX[π] is prv-secure over Φ_xor in the RPM.
Adv^{prv,Φ_xor}_{GaX}(A) ≤ (54Qq + 99qQq) / 2^k (Q, q: number of gates and number of oracle queries)
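The following is an added worked example, not code from the slides or from the JustGarble project. It implements the fixed-key dual-key cipher E(A, B, T, X) = π(K) ⊕ K ⊕ X with AES under a fixed public key as π, garbles and evaluates one free-xor AND gate, and compares two key derivations: the symmetric K = A ⊕ B ⊕ T that slide 17 shows colliding, and K = 2A ⊕ 4B ⊕ T, the published JustGarble choice (the transcript's slide 19 reads 2A ⊕ B ⊕ T; the x^2 step on that slide is the second doubling of B, which the code keeps). Multiplication by x is the GF(2^128) doubling of slides 18 and 19. Assumptions of this example: the all-zero AES key as the public constant, the CMAC reduction polynomial for doubling, the gate number encoded as the tweak, gate number 7, and 16-byte labels. check reports that both derivations evaluate correctly, but only the symmetric one makes the rows for inputs (0,0) and (1,1) XOR to the global R.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const k = 16 // wire labels are 128 bits, one AES block

// pi is the public permutation: AES under a fixed public key (all-zero here, an assumption of this example).
var pi = func() cipher.Block { c, err := aes.NewCipher(make([]byte, k)); if err != nil { panic(err) }; return c }()

// xorAll returns the XOR of any number of k-byte blocks as a fresh slice.
func xorAll(blocks ...[]byte) []byte {
	out := make([]byte, k)
	for _, b := range blocks {
		for i := range out {
			out[i] ^= b[i]
		}
	}
	return out
}

// double multiplies a block by x in GF(2^128): shift left one bit, reduce by x^128+x^7+x^2+x+1 (CMAC convention).
func double(a []byte) []byte {
	out := make([]byte, k)
	var carry byte
	for i := k - 1; i >= 0; i-- {
		out[i], carry = a[i]<<1|carry, a[i]>>7
	}
	if carry != 0 {
		out[k-1] ^= 0x87
	}
	return out
}

// KeyDeriv maps the two wire labels and the gate tweak to the block K fed to pi.
type KeyDeriv func(a, b, t []byte) []byte
// symmetricK is the derivation slide 17 shows colliding under free-xor: K = A^B^T.
func symmetricK(a, b, t []byte) []byte { return xorAll(a, b, t) }
// justGarbleK is the published JustGarble derivation K = 2A^4B^T, with 4B = double(double(B)).
func justGarbleK(a, b, t []byte) []byte { return xorAll(double(a), double(double(b)), t) }

// dkc is the dual-key cipher E(A,B,T,X) = pi(K)^K^X; applied to a ciphertext it returns X, so it also decrypts.
func dkc(kd KeyDeriv, a, b, t, x []byte) []byte {
	key, p := kd(a, b, t), make([]byte, k)
	pi.Encrypt(p, key)
	return xorAll(p, key, x)
}

func randomBlock() []byte { b := make([]byte, k); rand.Read(b); return b }
// tweak encodes the gate number as the k-byte tweak T.
func tweak(gateID uint64) []byte { t := make([]byte, k); binary.BigEndian.PutUint64(t[8:], gateID); return t }
// color is a label's last bit; it picks the table row without revealing the wire value.
func color(w []byte) int { return int(w[k-1] & 1) }

// andGate is a garbled AND gate under free-xor: each wire's 1-label is its 0-label ^ R.
type andGate struct {
	R, A0, B0, X0 []byte
	table         [4][]byte // row index 2*color(A-label) + color(B-label)
}

// label returns the 0- or 1-label of a wire from its 0-label.
func (g *andGate) label(w0 []byte, bit int) []byte {
	if bit == 0 { return w0 }
	return xorAll(w0, g.R)
}

func garbleAnd(kd KeyDeriv, gateID uint64) *andGate {
	g := &andGate{R: randomBlock(), A0: randomBlock(), B0: randomBlock(), X0: randomBlock()}
	g.R[k-1] |= 1 // R ends in 1, so a wire's two labels have opposite colors
	for ab := 0; ab < 4; ab++ {
		a, b := ab>>1, ab&1
		la, lb := g.label(g.A0, a), g.label(g.B0, b)
		g.table[2*color(la)+color(lb)] = dkc(kd, la, lb, tweak(gateID), g.label(g.X0, a&b))
	}
	return g
}

// check garbles one gate under kd and reports whether every input pair evaluates to the right
// label, and whether the (0,0) and (1,1) rows XOR to R: slide 17's collision, since with
// K = A^B^T both rows use the same K because (A^R)^(B^R) = A^B, leaving only X0^X1 = R.
func check(kd KeyDeriv) (correct, leaksR bool) {
	g := garbleAnd(kd, 7)
	correct = true
	for ab := 0; ab < 4; ab++ {
		a, b := ab>>1, ab&1
		la, lb := g.label(g.A0, a), g.label(g.B0, b)
		got := dkc(kd, la, lb, tweak(7), g.table[2*color(la)+color(lb)]) // the evaluator's step
		correct = correct && bytes.Equal(got, g.label(g.X0, a&b))
	}
	c00 := dkc(kd, g.A0, g.B0, tweak(7), g.X0)
	c11 := dkc(kd, g.label(g.A0, 1), g.label(g.B0, 1), tweak(7), g.label(g.X0, 1))
	return correct, bytes.Equal(xorAll(c00, c11), g.R)
}

func main() {
	fmt.Println(check(symmetricK))  // true true
	fmt.Println(check(justGarbleK)) // true false
}
```

The same dkc call garbles and evaluates because XORing with π(K) ⊕ K is an involution; a real garbler would run check's collision test for every gate type and every key derivation it ships, since slide 18 shows that breaking the symmetry in only one coefficient still leaves an OR gate exposed.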

20 / 23 Garbled-row reduction [PSSW09]
GaXR = Ga + free-xor + garbled-row reduction.
Theorem: GaXR[π] is prv-secure over Φ_xor in the RPM.
Adv^{prv,Φ_xor}_{GaXR}(A) ≤ (58Qq q Q q) / 2^k (Q, q: number of gates and number of oracle queries)

21 / 23 Experimental results
AES circuit: ~37K gates, ~82% xor-gates. Garbling and evaluating cost of Ga, GaX and GaXR, unit: cycles/gate. Garbling time of [KSS12]: 5750 cycles per gate.
EDT-255 circuit: ~16M gates, ~59% xor-gates. Garbling time (GaXR): 101 cycles per gate; evaluating time (GaXR): 48 cycles per gate. Garbling time of [KSS12]: 6400 cycles per gate.

22 / 23 Better circuit representation
[KSS12] spends most of its time in non-cryptographic operations; one reason is the complex data structure used to represent circuits.
[BHR12] formalize circuits as C = (n, m, q, A, B, G). Implement a simple circuit representation (integers and integer arrays) to programmatically realize [BHR12].
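An added example of that representation in Go, not code from JustGarble: C = (n, m, q, A, B, G) kept as integers and integer arrays, following the [BHR12] conventions that wires are numbered 1..n+q, gate g reads wires A[g] < B[g] < g, and the outputs are the last m wires. The gate function G[g] is stored as a 4-entry truth table; the full-adder circuit below is a constructed sample, and the validity check is this example's own addition.

```go
package main

import "fmt"

// Circuit is the [BHR12] circuit C = (n, m, q, A, B, G) in plain integers and integer arrays:
// n input wires, m output wires, q gates. Wires are numbered 1..n+q; gate g (n < g <= n+q)
// computes wire g from wires A[g] and B[g] with A[g] < B[g] < g; the outputs are the last m
// wires. G[g] is the gate's truth table indexed by 2*left + right. Index 0 of A, B and G is
// unused so that every array is addressed directly by wire number.
type Circuit struct {
	N, M, Q int
	A, B    []int
	G       [][4]int
}

// Valid checks the structural constraints above before anything is evaluated or garbled.
func (c *Circuit) Valid() bool {
	w := c.N + c.Q
	if c.N < 1 || c.M < 1 || c.Q < 1 || c.M > w || len(c.A) != w+1 || len(c.B) != w+1 || len(c.G) != w+1 {
		return false
	}
	for g := c.N + 1; g <= w; g++ {
		if c.A[g] < 1 || c.A[g] >= c.B[g] || c.B[g] >= g {
			return false
		}
		for _, v := range c.G[g] {
			if v != 0 && v != 1 {
				return false
			}
		}
	}
	return true
}

// IsXor reports whether gate g is an XOR gate, the information Phi_xor reveals.
func (c *Circuit) IsXor(g int) bool { return c.G[g] == [4]int{0, 1, 1, 0} }

// XorCount is the number of XOR gates, the figure the slides quote for the AES circuits.
func (c *Circuit) XorCount() int {
	n := 0
	for g := c.N + 1; g <= c.N+c.Q; g++ {
		if c.IsXor(g) {
			n++
		}
	}
	return n
}

// Ev is the plain (ungarbled) evaluation ev(f, x): it walks the gates in order, which is
// well-defined because every gate reads only lower-numbered wires. It returns nil on a
// malformed circuit or input.
func (c *Circuit) Ev(x []int) []int {
	if !c.Valid() || len(x) != c.N {
		return nil
	}
	wire := make([]int, c.N+c.Q+1)
	copy(wire[1:], x)
	for g := c.N + 1; g <= c.N+c.Q; g++ {
		wire[g] = c.G[g][2*wire[c.A[g]]+wire[c.B[g]]]
	}
	return wire[c.N+c.Q-c.M+1:]
}

// FullAdder is a constructed sample circuit on inputs (a, b, cin) = wires 1..3:
// wire 4 = a xor b, 5 = a and b, 6 = cin and w4, 7 = cin xor w4 (sum), 8 = w5 or w6 (carry).
// The outputs are the last m = 2 wires, (sum, carry).
func FullAdder() *Circuit {
	and, xor, or := [4]int{0, 0, 0, 1}, [4]int{0, 1, 1, 0}, [4]int{0, 1, 1, 1}
	return &Circuit{
		N: 3, M: 2, Q: 5,
		A: []int{0, 0, 0, 0, 1, 1, 3, 3, 5},
		B: []int{0, 0, 0, 0, 2, 2, 4, 4, 6},
		G: [][4]int{{}, {}, {}, {}, xor, and, and, xor, or},
	}
}

func main() {
	c := FullAdder()
	fmt.Println(c.Ev([]int{1, 1, 1}), c.XorCount()) // [1 1] 2
}
```

Because the garbler walks the same A, B and G arrays, the garbling loop is a single pass over g = n+1..n+q with no pointer chasing, which is the point the slide makes against the [KSS12] data structure.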

23 / 23 Concluding remarks
Good foundations ⇒ good schemes, as with authenticated encryption, entity authentication, message authentication codes, …