Presentation is loading. Please wait.

Presentation is loading. Please wait.

New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv.

Published byRandolf Dorsey Modified over 9 years ago

Similar presentations

Presentation on theme: "New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv."— Presentation transcript:

1 New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv University

2 Garbled Circuit Yao, 80’s “Encryption of a function”

3 Garbled Circuit Construction x1x1 x2x2 x3x3 x4x4 K 1,1 K 2,1 K 3,1 K 4,1 0110101101010011 1111010100101111 1101010100111010 1001011001010110 0110111010010011 1111100101101110 0101100111011011 0001101010110111 1110101010100110 0111010100101111 0101010011111011 1001001010110111 01101101010011001 10111010100100111 01010100110111011 10010101010010111 K 1,0 K 2,0 K 3,0 K 4,0 Boolean circuit C Garbled circuit C’ Pairs of short keys simulator decoder Can be based on any pseudorandom generator [BM82,Yao82] (or one-way function [HILL90]) C’ Input X “Simple & Short”

4 Applications Constant-round secure computation [Yao82,BMR90...] –Related to: computing on encrypted data [SYY99] –Alternative technique: FHE [Gentry09,…] Parallel cryptography [AIK05] One-time programs [GKR08] Verifiable computation [GGP10,…] KDM-secure encryption [BHHI10,...] Functional Encryption [SS10,…]

5 Non-Interactive Delegation xC(x) offline: C’ online: K x

6 Yao’s Construction Each wire w has 0-key and 1-key –Colored “blue” and “green” at random 1-key w w 0-key

7 Yao’s Construction Each wire w has 0-key and 1-key –Colored “blue” and “green” at random K i,b = b-key of input wire i C’ = color code for output wires + “garbled gates” 1-key w w 0-key 0110101101010011 1111010100101111 1101010100111010 1001011001010110 0110111010010011 1111100101101110 0101100111011011 0001101010110111 1110101010100110 0111010100101111 0101010011111011 1001001010110111 01101101010011001 10111010100100111 01010100110111011 10010101010010111 0 100 0 1 0 0

8 Garbled Gates ab c b a b a a abb c c c c

9 Post-Yao Constructions ? A lot of progress wrt implementation –E.g., Fair-Play [MNPS04] … Better concrete efficiency –Free XOR gates [KS08]… –3 ciphertexts per gate [PSSW09] Little theoretical progress –Info-theoretic variants for restricted classes [IK00-2] –Rerandomizable GC [GHV10] No asymptotic improvements !

10 x1x1 x2x2 x3x3 x4x4 Random K 1,1 K 2,1 K 3,1 K 4,1 0110101101010011 1111010100101111 1101010100111010 1001011001010110 0110111010010011 1111100101101110 0101100111011011 0001101010110111 1110101010100110 0111010100101111 0101010011111011 1001001010110111 01101101010011001 10111010100100111 01010100110111011 10010101010010111 K 1,0 K 2,0 K 3,0 K 4,0 Boolean circuit C Random C(X) C’, X’ Simulator Decoder (public) Abstraction (Randomized Encoding [IK00] ) Input X Garbled Input X’ Garbled circuit C’

11 Boolean circuit C Random (public) Abstraction (Randomized Encoding [IK00] ) Input X Garbled Input X’ Garbled circuit C’ n bits “Simple” Decomposable Affine K 1 (X 1 ) … K n (X n ) where K i is affine over F 2 “Short” n bits Q1: Can we shorten the garbled input X’? Q2: Can we garble arithmetic circuits?

12 “Simple” Decomposable Affine K 1 (X 1 ) … K n (X n ) where K i is affine over F 2 Affine X’=K(X) where K is affine How short can X ’ be? [AIKW12] Input X Garbled Input X’ n bits Constant Online-Rate? Thm. Impossible if X’ is decomposable Observation: Typically Affinity suffices X’ O(n) + ? “Short” n bits n + [This work] Thm. Affine GC with online-rate 1 under DDH, RSA, LWE.

13 CnCn C4C4 C3C3 C2C2 C1C1 MnMn C4C4 C3C3 M2M2 C1C1 Gadget: Online/Offline Encryption AliceBob subset s  {1,…,n} Enc K Key length = Independent of the number of plaintexts MnMn M4M4 M3M3 M2M2 M1M1 10010 KSKS

14 Gadget  Succinct GC Boolean circuit C Garbled circuit C’ YaoGadget Random Garbled circuit C’ Input XSubset KSKS C(x) Decoder Simulator

15 Implementing the Gadget Tool: Symmetric Encryption with Additive Homomorphism for Keys/Message E K1 (M 1 )+…+E Kn (M n )=E K1+…+Kn (M 1 +…+M n ) One-Time Security suffices Can be implemented under DDH Close variants under LWE, RSA

16 M1M1 M3M3 C1C1 C2C2 C3C3 C4C4 From Homomorphism to Online/Offline Encryption Alice C 1 C 2 C 3 C 4 C i =Enc(K i,M i ) MnMn M4M4 M3M3 M2M2 M1M1 0101 KSKS M1M1 M2M2 M3M3 M4M4 C 1 +C 3

17 Application 1: Verifiable Computation Optimal online complexity using [GGP10,AIK10] Previous works: multiplicative overhead in output Offline |f| bits n+ bit m+ bit x f:{0,1} n  {0,1} m Weak Client Untrusted Server

18 Semi-Honest MPC for f:{0,1} n  {0,1} m Application 2: MPC with preprocessing b AB Alice Bob f(A,B)

19 Semi-Honest MPC for f:{0,1} n  {0,1} m Offline |f| bits n bits n+ bits Application 2: MPC with preprocessing b Garbled circuit C’ rArA rBrB A r A  A B r B  B Decoder Alice Bob 1 online round Online Communication does not grow with m Additive dependency in f(A,B)

20 Malicious MPC ? Adaptive choice of inputs ? Offline |f| bits n bits n+ bits Application 2: MPC with preprocessing b Garbled circuit C’ rArA rBrB AB Decoder Alice Bob Homomorphic MACs [BDOZ11] f(A,B)

21 No succinct GC with adaptive security Can be achieved with Random Oracle Not needed in some applications –offline private inputs (Shares of signing key) –Independent online public inputs (Docs to be signed) Adaptive Choice of Inputs?

22 Garbling Arithmetic Circuits? [AIK11] Gates perform addition or multiplication Operations over a large domain (e.g., field F)

23 Garbling arithmetic circuits? [AIK11] Boolean circuit C Random Input X Garbled Input X’ Garbled circuit C’ “Simple” Decomposable Affine K 1 (X 1 ) … K n (X n ) K i :F 2  F 2 is affine Arithmetic circuit C Extends applications to arithmetic setting Non-trivial if the field is large ! Requires new approach Thm. Arithmetic GC (over large integers) under LWE (or OWF less efficiently). K i :F  F

24 Garbling arithmetic formulas [IK02] Boolean circuit C Random Input X Garbled Input X’ Garbled circuit C’ “Simple” Decomposable Affine K 1 (X 1 ) … K n (X n ) K i :F 2  F 2 is affine Arithmetic Formula C Problem 1: Limited to Formulas Problem 2: Large blow-up Key Idea: Solving 2  Solving 1 K i :F  F |C| 2

25 Key-Shrinking Gadget a,b,W can depend on c,d and randomness Special type of “functional encryption” Implementation over the integers from LWE y + cd y + ab W decoder simulator

26 xx+x y 1 i-1 y 2 i-1 y 3 i-1 y 4 i-1 + a1a1 W i-1 C i-1 C1C1 C i+1 …………… …………… y 1 i-1 y1iy1i y2iy2i y3iy3i y4iy4i b1b1 … AGC for C 1  …  C i-1 Garbling the Circuit Layer-by-Layer

27 xx+x y 1 i-1 y 2 i-1 y 3 i-1 y 4 i-1 + a1a1 W i-1 C i-1 C1C1 C i+1 …………… …………… y1iy2iy1iy2i y1iy1i y2iy2i y3iy3i y4iy4i b1b1 … Substitution  Garbling the Circuit Layer-by-Layer

28 xx+x y 1 i-1 y 2 i-1 y 3 i-1 y 4 i-1 + c1c1 W i-1 C i-1 C1C1 C i+1 …………… …………… y1iy1i y1iy1i y2iy2i y3iy3i y4iy4i d1d1 … + c2c2 d2d2 y2iy2i Affinization [IK02] 

29 xx+x y 1 i-1 y 2 i-1 y 3 i-1 y 4 i-1 + WiWi C i-1 C1C1 C i+1 …………… …………… y1iy1i y1iy1i y2iy2i y3iy3i y4iy4i … + y2iy2i a1a1 b1b1 a2a2 b2b2 Key shrinking  Garbling the Circuit Layer-by-Layer

30 Conclusion GC with optimal online-rate for Boolean circuits –Applications with optimal online communication General approach for arithmetic garbled circuits –Alternative to Yao’s “garbled tables” approach –Instantiated using LWE –Extends applications to arithmetic setting –New modular, simplified proof for Boolean case Constant online-rate for arithmetic formulas

31 Open Questions Arithmetic setting circuits over finite fields? arithmetic decoder? Efficiency Shorten the offline part? |C’|=O(|C|)? Can get it for natural class of arithmetic functions Less computational overhead ?(online/offline)

32 Take-Home Message: What are Garble Circuits? FHE for the poor Just It Powerful tool superior to FHE in some aspects (Asymptotically & Concretely)

Download ppt "New Advances in Garbling Circuits Based on joint works with Yuval Ishai Eyal Kushilevitz Brent Waters University of TexasTechnion Benny Applebaum Tel Aviv."

Similar presentations

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.

Mix and Match: A Simple Approach to General Secure Multiparty Computation + Markus Jakobsson Bell Laboratories Ari Juels RSA Laboratories.
1 Cryptography: on the Hope for Privacy in a Digital World Omer Reingold VVeizmann and Harvard CRCS.

1 Cryptography: on the Hope for Privacy in a Digital World Omer Reingold VVeizmann and Harvard CRCS.
Revisiting the efficiency of malicious two party computation David Woodruff MIT.

Revisiting the efficiency of malicious two party computation David Woodruff MIT.
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.

CS 483 – SD SECTION BY DR. DANIYAL ALGHAZZAWI (3) Information Security.
From Secrecy to Soundness: Efficient Verification via Secure Computation Benny Applebaum Weizmann Yuval Ishai Technion/UCLA Eyal KushilevitzTechnion.

From Secrecy to Soundness: Efficient Verification via Secure Computation Benny Applebaum Weizmann Yuval Ishai Technion/UCLA Eyal KushilevitzTechnion.
Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.

Semi-Honest to Malicious Oblivious-Transfer The Black-box Way Iftach Haitner Weizmann Institute of Science.
Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),

Simple, Black-Box Constructions of Adaptively Secure Protocols joint work with Dana Dachman-Soled (Columbia University), Tal Malkin (Columbia University),
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.

Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.

Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
On the Security of the “Free-XOR” Technique Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)

On the Security of the “Free-XOR” Technique Ranjit Kumaresan Joint work with Seung Geol Choi, Jonathan Katz, and Hong-Sheng Zhou (UMD)
GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION

GARBLED CIRCUITS & SECURE TWO-PARTY COMPUTATION
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.

Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.

1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.
CRYPTOGRAPHY WHAT IS IT GOOD FOR? Andrej Bogdanov Chinese University of Hong Kong CMSC 5719 | 6 Feb 2012.

CRYPTOGRAPHY WHAT IS IT GOOD FOR? Andrej Bogdanov Chinese University of Hong Kong CMSC 5719 | 6 Feb 2012.
Cryptography & Number Theory

Cryptography & Number Theory

Similar presentations

Ads by Google