A Fixed-key Blockcipher


1 Efficient Garbling from a Fixed-key Blockcipher
Mihir Bellare (UC San Diego), Viet Tung Hoang (UC San Diego), Sriram Keelveedhi (UC San Diego), Phillip Rogaway (UC Davis)
Applied MPC workshop, February 20, 2014

2 [Yao 82, 86] (figure: a conventional circuit next to its garbled circuit)

3 [Yao 82, 86] (figure: a garbled gate, with labels A, B, C, D, X1..X4, X, Y)

4 Garble circuits → Garbling schemes
Garbled circuits are traditionally viewed as a technique for 2-party SFE, and the standard optimizations (free-xor, garbled-row reduction) are only proved in the SFE setting.
Yet garbled circuits are used in tens of applications: private function evaluation, semi-private function evaluation, verifiable computation, KDM-secure encryption, secure database mining, privacy-preserving auctions, privacy-preserving credit checking, mobile oblivious computing, worry-free encryption, server-aided SFE.
[BHR12]: formalize garbled circuits as a primitive in its own right, a garbling scheme.

5 Contributions
- Design new garbling schemes, with proofs and concrete security bounds
- Attack prior implementations [KS08, PSSW09]
- Implement the schemes: JustGarble, ~100x speedup, from a faster realization of the doubly-locked boxes (the dual-key cipher) and a better circuit representation

6 Syntax [BHR12]
Conceptually, the initial function f : {0,1}^n → {0,1}^m is split as f = d ∘ F ∘ e: the encoding function e maps the input x to the garbled input X, the garbled function F maps X to the garbled output Y, and the decoding function d maps Y to the output y. Garbling, Gb, produces (e, F, d) from f.
One should distinguish the functions (f, e, F, d) from the strings (f, e, F, d) that describe them; the maps ev, En, Ev, De say how a string is to be interpreted: ev(f, ·) is the function described by the string f, En(e, ·) the function described by e, Ev(F, ·) the one described by F, De(d, ·) the one described by d.

7 Syntax [BHR12]
A garbling scheme is a 5-tuple G = (Gb, En, De, Ev, ev).
Correctness: for all f, x, k, if (F, e, d) ← Gb(1^k, f), X ← En(e, x), Y ← Ev(F, X) and y ← De(d, Y), then y = ev(f, x).

8 Privacy, very informally
Intuition: given (F, X, d), you learn nothing but y = f(x) = d(F(X)).
A garbled function F will leak some information about f; which information is allowed to leak is captured by a side-information function Φ:
- Φ(f) = size(f) reveals the size of f
- Φ(f) = topo(f) reveals the topology of f
- Φ(f) = xor(f) reveals the topology of f plus which gates are XOR
- Φ(f) = f reveals all of f

9 Privacy: indistinguishability
Game GARBLE, played by adversary A(1^k) against challenge bit b:
  on query (f0, f1, x0, x1):
    if f0(x0) ≠ f1(x1) or Φ(f0) ≠ Φ(f1): return ⊥
    b = 0: (F, e, d) ← Gb(1^k, f0); X ← En(e, x0)
    b = 1: (F, e, d) ← Gb(1^k, f1); X ← En(e, x1)
    return (F, X, d)
A outputs a guess b'. Adv^{prv,Φ}_G(A, k) = 2·Pr[b = b'] − 1.
G is prv-secure w.r.t. Φ if for all PPT A the advantage is negligible.

10 Privacy: simulation
Game GARBLE, played by A(1^k) against challenge bit b, with simulator S:
  on query (f, x):
    b = 0: (F, e, d) ← Gb(1^k, f); X ← En(e, x)
    b = 1: y ← ev(f, x); (F, X, d) ← S(1^k, y, Φ(f))
    return (F, X, d)
A outputs a guess b'. Adv^{prv.sim,Φ}_{G,S}(A, k) = 2·Pr[b = b'] − 1.
G is prv.sim-secure w.r.t. Φ if for all PPT A there exists a PPT S such that the advantage is negligible.

11 Achieving prv: scheme Ga
Built from a dual-key cipher (DKC) E : {0,1}^{2k} × {0,1}^t × {0,1}^k → {0,1}^k, which takes two k-bit keys A, B (the tokens on the gate's incoming wires), a t-bit tweak T (e.g. the gate index) and a k-bit input X (a token of the outgoing wire), and returns a k-bit output.
Each gate is garbled as four rows (figure: gate 3 with rows A, B, C, D and output tokens X, Y); the LSBs of the incoming tokens are used to identify the row of the gate.

12 How to make the DKC?
[HEKM11]: an AES-based DKC, exploiting Intel AES-NI (AESENC, AESDEC, etc.).
[KSS12]: analysis in the RPM (random-permutation model).
Today: permutation-based DKCs, built from a fixed public permutation π such as AES under a fixed key.
Theorem: Ga[π] is prv-secure over Φ_topo in the RPM:
  Adv^{prv,Φtopo}_{Ga}(A) ≤ (48Qq + 84q² + 30Q + 84q) / 2^k,
where Q is the number of oracle queries and q the number of gates.

13 Free-xor optimization [KS08]
Choose a secret global string R ←$ {0,1}^{k−1}1 (k bits, last bit 1); on every wire the token for 1 is the token for 0 XORed with R, so XOR gates need no garbled rows (figure: wires A, B, C, D, E, Y, Z).

14 Free-xor helps [KS08]
Real-world circuits can be made to be rich in XORs.
  Basic AES circuit: ~28K gates, 56% XOR gates; with free-xor: size ~1.75 MB, garbling ~112K enc.
  Refactor → optimized AES circuit: ~37K gates, 82% XOR gates; with free-xor: size ~430 KB, garbling ~24K enc (~5x less).

15 Attacks on [KS08, PSSW09]
Their DKC: E(A, B, T, X) = H(A[1:k−1] ‖ T) ⊕ H(B[1:k−1] ‖ T) ⊕ X, with H modeled as a random oracle.
To avoid problems, a gate's incoming wires must be distinct: otherwise A = B, the two hash values cancel, and there is no security.
With free-xor, distinct wires might carry the same keys!

16 Attacks on [KS08, PSSW09] (figure)

17 Incompatibility of E with free-xor
Consider the DKC E(A, B, T, X) = π(K) ⊕ K ⊕ X with K = A ⊕ B ⊕ T, and write ρ(x) = π(x) ⊕ x. Garble an AND gate with free-xor, with tokens A = A1 and B = B0 on the incoming wires and X = X0 on the outgoing wire (the tweak T is dropped from the notation):
  a b   keys         K            row
  1 0   A,   B       A ⊕ B        ρ(A ⊕ B) ⊕ X
  0 0   A⊕R, B       A ⊕ B ⊕ R    ρ(A ⊕ B ⊕ R) ⊕ X
  1 1   A,   B⊕R     A ⊕ B ⊕ R    ρ(A ⊕ B ⊕ R) ⊕ X ⊕ R
  0 1   A⊕R, B⊕R     A ⊕ B        ρ(A ⊕ B) ⊕ X
Rows (0,0) and (1,1) share the same K while their outputs differ by R, so XORing the two ciphertexts yields R, with no key at all; once the global offset is known, every wire's two tokens are.

18 Breaking the symmetry
Multiply in GF(2^k) by the element x = 0^{k−2}10, writing 2B for x·B, and use K = A ⊕ 2B ⊕ T. Now A ⊕ 2B, (A⊕R) ⊕ 2B = A ⊕ 2B ⊕ R, A ⊕ 2(B⊕R) = A ⊕ 2B ⊕ 2R and (A⊕R) ⊕ 2(B⊕R) = A ⊕ 2B ⊕ 3R are all distinct, so no two rows of a gate share K. Still broken. Garble an OR gate with tokens A = A1, B = B0 and X = X1 (T dropped):
  a b   keys         K               row
  1 0   A,   B       A ⊕ 2B          π(A ⊕ 2B) ⊕ A ⊕ 2B ⊕ X
  0 0   A⊕R, B       A ⊕ 2B ⊕ R      π(A ⊕ 2B ⊕ R) ⊕ A ⊕ 2B ⊕ X  =: V
  1 1   A,   B⊕R     A ⊕ 2B ⊕ 2R     π(A ⊕ 2B ⊕ 2R) ⊕ A ⊕ 2B ⊕ 2R ⊕ X
  0 1   A⊕R, B⊕R     A ⊕ 2B ⊕ 3R     π(A ⊕ 2B ⊕ 3R) ⊕ A ⊕ 2B ⊕ 3R ⊕ X
In row (0,0) the R contributed by K and the R in the output token X0 = X ⊕ R cancel. An evaluator holding A = A1 and B = B0 opens its own row to learn X, and then computes R = π^{−1}(V ⊕ A ⊕ 2B ⊕ X) ⊕ A ⊕ 2B.

19 A DKC that works
Multiply by x² = 0^{k−3}100 as well and use K = 2A ⊕ 4B ⊕ T. Now 2(A ⊕ R) ⊕ (X ⊕ R) = 2A ⊕ X ⊕ 3R: flipping an input token together with the output token no longer cancels.
Scheme GaX = Ga + free-xor.
Theorem: GaX[π] is prv-secure over Φ_xor in the RPM:
  Adv^{prv,Φxor}_{GaX}(A) ≤ (54Qq + 99q² + 36Q + 108q) / 2^k,
where Q is the number of oracle queries and q the number of gates.
Other "doubling" methods work too: a logical shift, or a SIMD shift (left half >> 1) ‖ (right half >> 1).
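The three key derivations of slides 17, 18 and 19 side by side, as an added example in Python; this is not code from the slides or from JustGarble. It garbles one AND gate and one OR gate with free-xor under E(A, B, T, X) = π(K) ⊕ K ⊕ X, runs the two R-recovery attacks (XOR of the (0,0) and (1,1) rows; inversion of π on the (0,0) row), and checks that only K = 2A ⊕ 4B ⊕ T resists both. Assumptions made here: π is a keyless 4-round Feistel network built from SHA-256, standing in for fixed-key AES; GF(2^128) doubling uses the polynomial x^128 + x^7 + x^2 + x + 1; the tweak is the gate index; rows are kept in (a, b) order rather than permuted by token LSBs.

```python
# Toy free-xor garbled gate with the DKC E(A,B,T,X) = pi(K) xor K xor X (added example).
import hashlib
import secrets

K_BITS = 128
MASK = (1 << K_BITS) - 1
HALF = (1 << 64) - 1

def _f(i, r):
    """Public Feistel round function: 64 bits of SHA-256(round index || r)."""
    return int.from_bytes(hashlib.sha256(bytes([i]) + r.to_bytes(8, "big")).digest()[:8], "big")

def pi(x):
    """Keyless 4-round Feistel permutation on 128-bit ints (assumed stand-in for fixed-key AES)."""
    l, r = x >> 64, x & HALF
    for i in range(4):
        l, r = r, l ^ _f(i, r)
    return (l << 64) | r

def pi_inv(y):
    l, r = y >> 64, y & HALF
    for i in reversed(range(4)):
        l, r = r ^ _f(i, l), l
    return (l << 64) | r

def dbl(a):
    """Multiply by x in GF(2^128), reduction polynomial x^128 + x^7 + x^2 + x + 1 (assumed)."""
    a <<= 1
    return (a ^ 0x87) & MASK if a >> K_BITS else a

def key_of(A, B, T, mode):
    """The key derivations of slides 17 ("sym"), 18 ("asym") and 19 ("gax")."""
    if mode == "sym":                        # K = A xor B xor T
        return A ^ B ^ T
    if mode == "asym":                       # K = A xor 2B xor T
        return A ^ dbl(B) ^ T
    return dbl(A) ^ dbl(dbl(B)) ^ T          # K = 2A xor 4B xor T

def dkc(A, B, T, X, mode):
    """E(A, B, T, X) = pi(K) xor K xor X."""
    K = key_of(A, B, T, mode)
    return pi(K) ^ K ^ X

def new_wire_tokens():
    """Free-xor setup: global offset R (last bit 1) and the 0-tokens of wires a, b and x."""
    R = secrets.randbits(K_BITS) | 1
    return R, secrets.randbits(K_BITS), secrets.randbits(K_BITS), secrets.randbits(K_BITS)

def garble_gate(func, A0, B0, X0, R, T, mode):
    """Four rows, kept in (a, b) order; a real scheme orders them by token LSBs instead."""
    rows = {}
    for a in (0, 1):
        for b in (0, 1):
            out = X0 ^ (R if func(a, b) else 0)
            rows[(a, b)] = dkc(A0 ^ (R if a else 0), B0 ^ (R if b else 0), T, out, mode)
    return rows

def eval_gate(rows, A, B, T, a, b, mode):
    """The evaluator holding tokens A, B for bits (a, b) unmasks its row."""
    return rows[(a, b)] ^ dkc(A, B, T, 0, mode)

def attack_xor_rows(rows):
    """Slide 17: under K = A xor B xor T the (0,0) and (1,1) rows of an AND gate share K,
    so their XOR is X0 xor X1 = R. No token is needed."""
    return rows[(0, 0)] ^ rows[(1, 1)]

def attack_invert_pi(rows, A1, B0, T, mode):
    """Slide 18: the evaluator holding A1, B0 of an OR gate opens its own row to get X1,
    then inverts pi on V = rows[(0,0)]. Under K = A xor 2B xor T the R from flipping A
    and the R in X0 = X1 xor R cancel, so pi^-1(V xor K10 xor X1) = K00 and K00 xor K10 = R.
    The tweak is carried along here; the slide drops it from the notation."""
    X1 = eval_gate(rows, A1, B0, T, 1, 0, mode)
    K10 = key_of(A1, B0, T, mode)
    return pi_inv(rows[(0, 0)] ^ K10 ^ X1) ^ K10

def demo():
    """Correctness and both attacks for each key derivation (tokens are drawn fresh)."""
    R, A0, B0, X0 = new_wire_tokens()
    T = 3                                    # tweak = gate index, as on slide 11
    result = {}
    for mode in ("sym", "asym", "gax"):
        rows = garble_gate(lambda a, b: a & b, A0, B0, X0, R, T, mode)
        result[mode + "_correct"] = all(
            eval_gate(rows, A0 ^ (R if a else 0), B0 ^ (R if b else 0), T, a, b, mode)
            == X0 ^ (R if a & b else 0)
            for a in (0, 1) for b in (0, 1))
        result[mode + "_xor_rows_leaks_R"] = attack_xor_rows(rows) == R
        rows_or = garble_gate(lambda a, b: a | b, A0, B0, X0, R, T, mode)
        result[mode + "_invert_pi_leaks_R"] = attack_invert_pi(rows_or, A0 ^ R, B0, T, mode) == R
    return result

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running demo() shows all three derivations evaluate correctly, "sym" falls to both attacks, "asym" resists the row-XOR attack but not the π-inversion, and "gax" resists both: with K = 2A ⊕ 4B ⊕ T the leftover 3R (or 6R between rows) never cancels, which is exactly the asymmetry the RPM proof of GaX relies on.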

20 Garbled-row reduction [PSSW09]
Scheme GaXR = Ga + free-xor + garbled-row reduction.
Theorem: GaXR[π] is prv-secure over Φ_xor in the RPM:
  Adv^{prv,Φxor}_{GaXR}(A) ≤ (58Qq + 114q² + 36Q + 123q) / 2^k,
where Q is the number of oracle queries and q the number of gates.

21 Experimental results
AES circuit (~37K gates, ~82% XOR gates), in cycles per gate:
               Ga     GaX    GaXR
  Garbling     221    56     57
  Evaluating   52     23     24
Garbling time of [KSS12] on this circuit: 5750 cycles per gate.
EDT-255 circuit (~16M gates, ~59% XOR gates):
  Garbling time (GaXR): 101 cycles per gate; evaluating time (GaXR): 48 cycles per gate.
  Garbling time of [KSS12]: 6400 cycles per gate.

22 Better circuit representation
[KSS12] spends most of its time in non-cryptographic operations; one reason is a complex data structure for representing circuits.
[BHR12] formalize a circuit as C = (n, m, q, A, B, G): n, m, q are integers (the numbers of inputs, outputs and gates) and A, B, G are integer arrays (first incoming wire, second incoming wire and function of each gate).
JustGarble implements this simple circuit representation directly, to programmatically realize [BHR12].
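The [BHR12] tuple (n, m, q, A, B, G) of slide 22 as plain integer arrays, as an added example in Python that is neither the slides' nor JustGarble's code: the structural conditions [BHR12] places on a circuit (A(g) < B(g) < g for every gate, which in particular rules out the coinciding incoming wires of slide 15, and no gate reading an output wire), the conventional evaluator ev, and the side-information functions Φ_size, Φ_topo, Φ_xor of slide 8. Wires are numbered from 0 here, whereas [BHR12] numbers them from 1; the full-adder circuit is constructed for the example.

```python
# [BHR12]-style circuit representation with validity check, evaluator and side information.
from dataclasses import dataclass

@dataclass(frozen=True)
class Circuit:
    """Circuit (n, m, q, A, B, G), 0-indexed: input wires 0..n-1, gate j (0 <= j < q)
    writes wire n+j, and the outputs are the last m wires."""
    n: int
    m: int
    q: int
    A: tuple   # A[j]: first incoming wire of gate j
    B: tuple   # B[j]: second incoming wire of gate j
    G: tuple   # G[j]: 4-bit truth table of gate j; bit 2a+b holds G_j(a, b)

XOR, AND, OR = 0b0110, 0b1000, 0b1110     # truth tables in the bit layout above

def check(c):
    """Return the list of [BHR12] well-formedness violations (empty when the circuit is valid)."""
    errors = []
    if c.n < 2 or c.m < 1 or c.q < 1:
        errors.append("need n >= 2, m >= 1, q >= 1")
    if not (len(c.A) == len(c.B) == len(c.G) == c.q):
        return errors + ["A, B and G must each have q entries"]
    first_output = c.n + c.q - c.m
    for j, (a, b) in enumerate(zip(c.A, c.B)):
        g = c.n + j
        if not (0 <= a < b < g):               # also forbids a gate reading one wire twice
            errors.append(f"gate {g}: need A(g) < B(g) < g, got A={a}, B={b}")
        if a >= first_output or b >= first_output:
            errors.append(f"gate {g}: reads an output wire")
    return errors

def ev(c, x):
    """Conventional evaluation: x is an n-character bit string, the result the m output bits."""
    if len(x) != c.n:
        raise ValueError(f"expected {c.n} input bits, got {len(x)}")
    wires = [int(ch) for ch in x]
    for j in range(c.q):
        a, b = wires[c.A[j]], wires[c.B[j]]
        wires.append((c.G[j] >> (2 * a + b)) & 1)
    return "".join(str(bit) for bit in wires[-c.m:])

def phi_size(c):
    return (c.n, c.m, c.q)

def phi_topo(c):
    return (c.n, c.m, c.q, c.A, c.B)

def phi_xor(c):
    """Topology plus which gates are XOR (the free-xor leakage, slide 8)."""
    return phi_topo(c) + (tuple(g == XOR for g in c.G),)

# Constructed sample: a full adder on inputs x, y, cin (wires 0, 1, 2).
# wire 3 = x xor y, 4 = x and y, 5 = wire3 and cin, 6 = carry = 4 or 5, 7 = sum = wire3 xor cin
FULL_ADDER = Circuit(n=3, m=2, q=5,
                     A=(0, 0, 2, 4, 2),
                     B=(1, 1, 3, 5, 3),
                     G=(XOR, AND, AND, OR, XOR))

if __name__ == "__main__":
    print("violations:", check(FULL_ADDER))
    for bits in ("000", "011", "101", "111"):
        print(bits, "->", ev(FULL_ADDER, bits))   # carry bit then sum bit
    print("phi_xor:", phi_xor(FULL_ADDER))
```

Because A, B and G are flat integer arrays indexed by gate number, a garbler or evaluator walks the circuit with one loop and no pointer chasing, which is the point slide 22 makes about where [KSS12]'s time went; the check function is what a garbler should run before garbling, since the attack on slide 15 starts from a gate whose two keys coincide.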

23 Concluding remarks
Good foundations → good schemes, as with authenticated encryption, entity authentication and message authentication codes.

