Practical Garbled Circuit Optimizations

Mike Rosulek

Collaborators: David Evans / Vlad Kolesnikov / Payman Mohassel / Samee Zahur

Garbled circuit framework [Yao86]

I0, I1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EA0,B0 (E0)EA0,B1 (E1)EA1,B0 (E0)EA1,B1 (E0)

EA0,B0 (F0)EA0,B1 (F1)EA1,B0 (F1)EA1,B1 (F0)

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

I Pick random labelsW0,W1 on each wire

I “Encrypt” truth table of each gate

I Garbled circuit ≡ all encrypted gates

I Garbled encoding ≡ one label per wire

Garbled evaluation:

I Only one ciphertext per

gate is decryptable

I Result of decryption =

value on outgoing wire

I0, I1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

Garbled evaluation:

gate is decryptable

I0, I1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

Garbled evaluation:

gate is decryptable

I0, I1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

Garbled evaluation:

gate is decryptable

I0, I1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

Garbled evaluation:

gate is decryptable

I0, I1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

Garbled evaluation:

gate is decryptable

I0, I1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

Garbled evaluation:

gate is decryptable

I0, I1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

Garbled evaluation:

gate is decryptable

I0, I1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

Garbled evaluation:

gate is decryptable

I0, I1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

Garbled evaluation:

gate is decryptable

I0, I1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

Garbled evaluation:

gate is decryptable

I0, I1

A0 B0 E0A0 B1 E1A1 B0 E0A1 B1 E0

A0 B0 F0A0 B1 F1A1 B0 F1A1 B1 F0

C0 D0 G0

C0 D1 G1

C1 D0 G0

C1 D1 G0

F0 G0 H0

F0 G1 H1

F1 G0 H0

F1 G1 H0

E0 H0 I0E0 H1 I1E1 H0 I1E1 H1 I1

EC0,D0(G0)

EC0,D1(G1)

EC1,D0(G0)

EC1,D1(G0)

EF0,G0(H0)

EF0,G1(H1)

EF1,G0(H0)

EF1,G1(H0)

EE0,H0(I0)

EE0,H1(I1)

EE1,H0(I1)

EE1,H1(I1)

Garbling a circuit:

Garbled evaluation:

gate is decryptable

Applications: 2PC and more

garbled circuit f

garbled input x ,output wire labels

wire labels

garbled y

f (x ,y )

Private function evaluation, zero-knowledge proofs, encryption with

key-dependent message security, randomized encodings, secure

outsourcing, one-time programs, . . .

Garbling is a fundamental primitive [BellareHoangRogaway12]

garbled circuit f

wire labels

garbled y

f (x ,y )

garbled circuit f

wire labels

garbled y

f (x ,y )

garbled circuit f

wire labels

garbled y

f (x ,y )

garbled circuit f

wire labels

garbled y

f (x ,y )

garbled circuit f

wire labels

garbled y

f (x ,y )

Syntax [BellareHoangRogaway12]

Garble Encode

Decode

garbled circuit

decoding info

garbled

output

encoding

x f (x )

Security properties:

Privacy: (F ,X ,d ) reveals nothing beyond f (x )

Obliviousness: (F ,X ) reveals nothing

Authenticity: given (F ,X ), hard to find Y that decodes < {f (x ),⊥}

Garble Encode

Decode

garbled circuit F

decoding info d

garbled

input X

garbled

output Y

encoding

info e

x f (x )

Garble Encode

Decode

garbled circuit F

decoding info d

garbled

input X

garbled

output Y

encoding

info e

x f (x )

Parameters to optimize

computation

hardness assumption

Parameters to optimize

computation

hardness assumption

Average bits per garbled gate

1986 1990 1999 2008 2009 2014 2015

[BeaverMicaliRogaway]

[NaorPinkasSumner]

[KolesnikovSchneider]

[PinkasSchneiderSmartWilliams]

[KolesnikovMohasselRosulek]

[ZahurRosulekEvans]

[Yao,GoldreichMicaliWigderson]

SHA256

Prediction: by 2026, all garbled circuits will have zero size.

1986 1990 1999 2008 2009 2014 2015

[NaorPinkasSumner]

[ZahurRosulekEvans]

SHA256

1986 1990 1999 2008 2009 2014 2015

[NaorPinkasSumner]

[ZahurRosulekEvans]

SHA256

Murky beginnings [Yao86]

EA0,B0 (C0)EA0,B1 (C1)EA1,B0 (C0)EA1,B1 (C0)

I Position in this list leaks semantic value

=⇒ permute ciphertexts

I Need to detect [in]correct decryptionI (Apparently) no one knows exactly what Yao had in mind:

I EK0,K1(M) = 〈E (K0,S0),E (K1,S1)〉 where S0 ⊕ S1 = M

[GoldreichMicaliWigderson87]

I EK0,K1(M) = E (K1,E (K0,M)) [LindellPinkas09]

I Position in this list leaks semantic value

=⇒ permute ciphertexts

I Position in this list leaks semantic value =⇒ permute ciphertexts

I Need to detect [in]correct decryption

I (Apparently) no one knows exactly what Yao had in mind:

Permute-and-Point [BeaverMicaliRogaway90]

••

•• EA

I Randomly assign (•,•) or (•,•)to each pair of wire labels

I Include color in the wire label

(e.g., as last bit)

I Order the 4 ciphertexts

canonically, by color of keys

I Evaluate by decrypting

ciphertext indexed by your

colors

Can use one-time-secure symmetric encryption!

A•0,A•

B•0,B•

C•0,C•

••

EA•0,B•

(C•0)

••

EA•0,B•

(C•1)

••

EA•1,B•

(C•0)

••

EA•1,B•

(C•0)

•• EA•0,B•

(C•1)

•• EA•0,B•

(C•0)

•• EA•1,B•

(C•0)

•• EA•1,B•

(C•0)

(e.g., as last bit)

colors

A•0,A•

B•0,B•

C•0,C•

•• EA

(C•0)

•• EA

(C•1)

•• EA

(C•0)

•• EA

(C•0)

•• EA

(C•1)

•• EA

(C•0)

•• EA

(C•0)

•• EA

(C•0)

(e.g., as last bit)

colors

A•0,A•

B•0,B•

C•0,C•

•• EA

(C•0)

•• EA

(C•1)

•• EA

(C•0)

•• EA

(C•0)

•• EA

(C•1)

•• EA

(C•0)

•• EA

(C•0)

•• EA

(C•0)

(e.g., as last bit)

colors

0,A•

0,B•

•• EA

(C•0)

•• EA

(C•1)

•• EA

(C•0)

•• EA

(C•0)

•• EA

(e.g., as last bit)

colors

0,A•

0,B•

C•0,C

•• EA

(C•0)

•• EA

(C•1)

•• EA

(C•0)

•• EA

(C•0)

•• EA

(C•0)

•• EA

(e.g., as last bit)

colors

0,A•

0,B•

C•0,C

•• EA

(C•0)

•• EA

(C•1)

•• EA

(C•0)

•• EA

(C•0)

•• EA

(C•0)

•• EA

(e.g., as last bit)

colors

Computational cost of garbling

2 hash� 1 hash � 1 block cipher � 1 block cipher w/o key schedule

EA,B (C): cost to garble AES

PRF(A,gateID) ⊕ PRF(B,gateID) ⊕ C ∼6s [extrapolated]

[NaorPinkasSumner99] time from Fairplay [MNPS04]: PRF = SHA256

H(A‖B‖gateID) ⊕ C 0.15s

[LindellPinkasSmart08] time from [sS12]; H = SHA256

AES256(A‖B,gateID) ⊕ C 0.12s

[shelatShen12]

AES(const,K ) ⊕ K ⊕ C 0.0003s

where K = 2A ⊕ 4B ⊕ gateID[BellareHoangKeelveedhiRogaway13]

2 hash� 1 hash

� 1 block cipher � 1 block cipher w/o key schedule

[shelatShen12]

2 hash� 1 hash � 1 block cipher

� 1 block cipher w/o key schedule

[shelatShen12]

2 hash� 1 hash � 1 block cipher � 1 block cipher w/o key schedule

[shelatShen12]

Scoreboard

size (×λ) garble cost eval cost assumption

Classical large? 8 5 PKE

P&P 4 4/8 1/2 hash/PRF

Garbled Row Reduction [NaorPinkasSumner99]

A•0,A•

B•0B•1

C•0C•1

C0 ← {0,1}n

C1 ← {0,1}n

•• EA0,B1 (C•1)

•• EA0,B0 (C•0)

•• EA1,B1 (C•0)

•• EA1,B0 (C•0)

I What wire label will be payload of 1st (••) ciphertext?

I Choose that label so that 1st ciphertext is 0n

I No need to include 1st ciphertext in garbled gate

I Evaluate as before, but imagine ciphertext 0nif you got ••.

A•0,A•

B•0B•1

C•0C•1

C0 ← {0,1}n

C1 ← {0,1}n

•• EA0,B1 (C•1)

•• EA0,B0 (C•0)

•• EA1,B1 (C•0)

•• EA1,B0 (C•0)

A•0,A•

B•0B•1

C•0C•1

C0 ← {0,1}n

C1 ← {0,1}n

•• EA0,B1 (C•1)

•• EA0,B0 (C•0)

•• EA1,B1 (C•0)

•• EA1,B0 (C•0)

A•0,A•

B•0B•1

C•0C•1

C0 ← {0,1}n

C1 = E−1A0,B1

•• EA0,B1 (C•1)

•• EA0,B0 (C•0)

•• EA1,B1 (C•0)

•• EA1,B0 (C•0)

A•0,A•

B•0B•1

C•0C•1

C0 ← {0,1}n

C1 = E−1A0,B1

•• 0n

•• EA0,B0 (C•0)

•• EA1,B1 (C•0)

•• EA1,B0 (C•0)

A•0,A•

B•0B•1

C•0C•1

C0 ← {0,1}n

C1 = E−1A0,B1

•• EA0,B0 (C•0)

•• EA1,B1 (C•0)

•• EA1,B0 (C•0)

A•0,A•

B•0B•1

C•0C•1

C0 ← {0,1}n

C1 = E−1A0,B1

•• EA0,B0 (C•0)

•• EA1,B1 (C•0)

•• EA1,B0 (C•0)

Scoreboard

P&P 4 4/8 1/2 hash/PRF

GRR3 3 4/8 1/2 hash/PRF

Free XOR [KolesnikovSchneider08]

C ← {0,1}n

A︸︷︷︸false

⊕ B︸︷︷︸false

= A ⊕ B︸︷︷︸false

I Wire’s o�set ≡ XOR of its two labels

I Choose all wires to have same (secret) o�set ∆

I Choose false output = false input ⊕ false input

I Evaluate by xoring input wire labels (no crypto)

A,A ⊕ ∆A

B,B ⊕ ∆B

C,C ⊕ ∆C

C ← {0,1}n

A︸︷︷︸false

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

A︸︷︷︸false

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

A︸︷︷︸false

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C := A ⊕ B

A︸︷︷︸false

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C := A ⊕ B

A︸︷︷︸false

⊕ B ⊕ ∆︸︷︷︸true

= A ⊕ B ⊕ ∆︸︷︷︸true

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C := A ⊕ B

A ⊕ ∆︸︷︷︸true

= A ⊕ B ⊕ ∆︸︷︷︸true

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C := A ⊕ B

A ⊕ ∆︸︷︷︸true

⊕ B ⊕ ∆︸︷︷︸true

Freedom at a cost. . .

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

EA ,B (C )EA ,B⊕∆ (C ⊕ ∆)EA⊕∆,B (C )EA⊕∆,B⊕∆ (C )

I Still need to garble and gates

I Compatible with garbled row-reduction

I Secret ∆ used in key and payload of ciphertexts!

I Requires related-key + circularity assumption [ChoiKatzKumaresanZhou12]

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C := E−1A,B (0n)

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C := E−1A,B (0n)

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C := E−1A,B (0n)

Scoreboard

XOR AND XOR AND XOR AND

P&P 4 4 4/8 4/8 1/2 1/2 PRF/hash

GRR3 3 3 4/8 4/8 1/2 1/2 PRF/hash

Free XOR 0 3 0 4 0 1 circ. hash

Row reduction ++ [PinkasSchneiderSmartWilliams09]

Garbled gates with only 2 ciphertexts!

I Evaluator can know exactly one of:

K1 = E−1A0,B0 (0

{ learn C0

K2 = E−1A0,B1 (0

{ learn C1

K3 = E−1A1,B0 (0

{ learn C0

K4 = E−1A1,B1 (0

{ learn C0

I Evaluate by interpolating poly thru

Ki , P (5) and P (6)I Incompatible with Free-XOR: can’t

ensure C0 ⊕ C1 = ∆

C0 = P (0);C1 = Q (0)

P (5)P (6)P (0)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

P = uniq deg-2 poly thru

(1,K1), (3,K3), (4,K4)

Q = uniq deg-2 poly thru

(2,K2), (5,P (5)), (6,P (6))

K1 = E−1A0,B0 (0

{ learn C0

K2 = E−1A0,B1 (0

{ learn C1

K3 = E−1A1,B0 (0

{ learn C0

K4 = E−1A1,B1 (0

{ learn C0

C0 = P (0);C1 = Q (0)

P (5)P (6)P (0)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

(1,K1), (3,K3), (4,K4)

(2,K2), (5,P (5)), (6,P (6))

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

C0 = P (0);C1 = Q (0)

P (5)P (6)P (0)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

(1,K1), (3,K3), (4,K4)

(2,K2), (5,P (5)), (6,P (6))

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

C0 = P (0);C1 = Q (0)

P (5)P (6)P (0)

(1, K1)

(2, K2)

(3, K3)

(4, K4)

(1,K1), (3,K3), (4,K4)

(2,K2), (5,P (5)), (6,P (6))

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

C0 = P (0);C1 = Q (0)

P (5)P (6)P (0)

(1, K1)

(2, K2)

(3, K3)

(4, K4)

(1,K1), (3,K3), (4,K4)

(2,K2), (5,P (5)), (6,P (6))

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

C0 = P (0);C1 = Q (0)

P (5)P (6)P (0)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

(1,K1), (3,K3), (4,K4)

(2,K2), (5,P (5)), (6,P (6))

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

C0 = P (0);C1 = Q (0)

P (5)P (6)P (0)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

(1,K1), (3,K3), (4,K4)

(2,K2), (5,P (5)), (6,P (6))

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

C0 = P (0);C1 = Q (0)

P (5)P (6)

(1, K1)

(2, K2)

(3, K3)

(4, K4)

(1,K1), (3,K3), (4,K4)

(2,K2), (5,P (5)), (6,P (6))

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

C0 = P (0);C1 = Q (0)

P (5)P (6)P (0)

(1, K1)

(2, K2)

(3, K3)

(4, K4)

(1,K1), (3,K3), (4,K4)

(2,K2), (5,P (5)), (6,P (6))

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

Ki , P (5) and P (6)

I Incompatible with Free-XOR: can’t

C0 = P (0);C1 = Q (0)

P (5)P (6)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

(1,K1), (3,K3), (4,K4)

(2,K2), (5,P (5)), (6,P (6))

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

Ki , P (5) and P (6)

C0 = P (0);C1 = Q (0)

P (5)P (6)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

(1,K1), (3,K3), (4,K4)

(2,K2), (5,P (5)), (6,P (6))

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

Ki , P (5) and P (6)

C0 = P (0);C1 = Q (0)

P (5)P (6)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

(1,K1), (3,K3), (4,K4)

(2,K2), (5,P (5)), (6,P (6))

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

Ki , P (5) and P (6)

C0 = P (0);C1 = Q (0)

P (5)P (6)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

(1,K1), (3,K3), (4,K4)

(2,K2), (5,P (5)), (6,P (6))

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

Ki , P (5) and P (6)

C0 = P (0);C1 = Q (0)

P (5)P (6)P (0)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

(1,K1), (3,K3), (4,K4)

(2,K2), (5,P (5)), (6,P (6))

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

Ki , P (5) and P (6)

C0 = P (0);C1 = Q (0)

P (5)P (6)

(1, K1)

(2, K2)

(3, K3)

(4, K4)

(1,K1), (3,K3), (4,K4)

(2,K2), (5,P (5)), (6,P (6))

K1 = E−1A0,B0 (0

n) { learn C0

K2 = E−1A0,B1 (0

n) { learn C1

K3 = E−1A1,B0 (0

n) { learn C0

K4 = E−1A1,B1 (0

n) { learn C0

C0 = P (0);C1 = Q (0)

P (5)P (6)P (0)

Q (0) (1, K1)

(2, K2)

(3, K3)

(4, K4)

(1,K1), (3,K3), (4,K4)

(2,K2), (5,P (5)), (6,P (6))

Scoreboard

P&P 4 4 4/8 4/8 1/2 1/2 hash/PRF

GRR3 3 3 4/8 4/8 1/2 1/2 PRF/hash

GRR2 2 2 4/8 4/8 1/2 1/2 PRF/hash

FleXOR [KolesnikovMohasselRosulek14]

A,A ⊕ ∆1

A∗,A∗ ⊕ ∆2

∆1→ ∆

A∗ ← {0,1}n

I Translate to a new wire o�set

(unary a 7→ a gate)

A,A ⊕ ∆1 A∗,A∗ ⊕ ∆2

∆1→ ∆

A∗ ← {0,1}n

I Translate to a new wire o�set

(unary a 7→ a gate)

A,A ⊕ ∆1 A∗,A∗ ⊕ ∆2

∆1→ ∆

A∗ ← {0,1}n

I Translate to a new wire o�set (unary a 7→ a gate)

A,A ⊕ ∆1 A∗,A∗ ⊕ ∆2

∆1→ ∆

A A∗

A ⊕ ∆1 A∗ ⊕ ∆2

A∗ ← {0,1}n

A,A ⊕ ∆1 A∗,A∗ ⊕ ∆2

∆1→ ∆

EA (A∗ )EA⊕∆1

(A∗ ⊕ ∆2)

A∗ ← {0,1}n

A,A ⊕ ∆1 A∗,A∗ ⊕ ∆2

∆1→ ∆

EA (A∗ )EA⊕∆1

(A∗ ⊕ ∆2)

A∗ ← {0,1}n

A,A ⊕ ∆1 A∗,A∗ ⊕ ∆2

∆1→ ∆

EA (A∗ )EA⊕∆1

(A∗ ⊕ ∆2)

A∗ := E−1A (0n)

A,A ⊕ ∆1 A∗,A∗ ⊕ ∆2

∆1→ ∆

EA⊕∆1(A∗ ⊕ ∆2)

A∗ := E−1A (0n)

A,A ⊕ ∆1 A∗,A∗ ⊕ ∆2

∆1→ ∆

EA⊕∆1(A∗ ⊕ ∆2)

A∗ := E−1A (0n)

I Translate to a new wire o�set (unary a 7→ a gate) using 1 ciphertext

A,A ⊕ ∆1 A∗,A∗ ⊕ ∆2

∆1→ ∆

EA⊕∆1(A∗ ⊕ ∆2)

A∗ := E−1A (0n)

I Translate to a new wire o�set (unary a 7→ a gate) using 1 ciphertext

A,A ⊕ ∆A

B,B ⊕ ∆B

C,C ⊕ ∆C

∆A → ∆C

∆B → ∆C

I Adjust inputs to target o�set ∆C (1 ciphertext each)

, then XOR is free

I If input wire already suitable, no need to adjust

I Total cost: 0, 1 or 2 depending on how many {∆A,∆B,∆C } distinct.

Combinatorial optimization problem: Choose an o�set for each wire,

minimizing total cost of XOR gates

I Subj. to compatibility with 2-ciphertext row-reduction of AND gates

I (or) Subj. to removing circularity property of free-XOR

A,A ⊕ ∆A

B,B ⊕ ∆B

C,C ⊕ ∆C∆A → ∆C

∆B → ∆C

I Adjust inputs to target o�set ∆C (1 ciphertext each)

, then XOR is free

A,A ⊕ ∆A

B,B ⊕ ∆B

C,C ⊕ ∆C∆A → ∆C

∆B → ∆C

I Adjust inputs to target o�set ∆C (1 ciphertext each), then XOR is free

A,A ⊕ ∆A

B,B ⊕ ∆C

C,C ⊕ ∆C∆A → ∆C

∆B → ∆C

A,A ⊕ ∆A

B,B ⊕ ∆C

C,C ⊕ ∆C∆A → ∆C

∆B → ∆C

A,A ⊕ ∆A

B,B ⊕ ∆C

C,C ⊕ ∆C∆A → ∆C

∆B → ∆C

Scoreboard

P&P 4 4 4/8 4/8 1/2 1/2 hash/PRF

GRR3 3 3 4/8 4/8 1/2 1/2 PRF/hash

GRR2 2 2 4/8 4/8 1/2 1/2 PRF/hash

FleXOR {0,1,2} 2 {0,1,2} 4 {0,1,2} 1 circ. hash

Half Gates [ZahurRosulekEvans15]

What if garbler knows in advance the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

if a = 0:

unary gate b 7→ 0

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

Fine print: permute ciphertexts with permute-and-point.

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

if a = 0:

unary gate b 7→ 0

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

if a = 0:

unary gate b 7→ 0

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

B CB ⊕ ∆ C

if a = 0:

unary gate b 7→ 0

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

B CB ⊕ ∆ C ⊕ ∆

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

EB (C )EB⊕∆ (C ⊕ ∆)

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

EB (C )EB⊕∆ (C ⊕ ∆)

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

EB (C )EB⊕∆ (C ⊕ ∆)

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C ← {0,1}n

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

EB (C )EB⊕∆ (C ⊕ ∆)

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C := E−1B (0n)

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

EB (C )EB⊕∆ (C ⊕ ∆)

if a = 1:

unary gate b 7→ b

EB (C )EB⊕∆ (C ⊕ a∆)

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C := E−1B (0n)

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

EB (C )EB⊕∆ (C ⊕ ∆)

if a = 1:

unary gate b 7→ b

EB⊕∆ (C ⊕ a∆)

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

C := E−1B (0n)

EB (C)EB⊕∆ (C)

if a = 0:

unary gate b 7→ 0

EB (C )EB⊕∆ (C ⊕ ∆)

if a = 1:

unary gate b 7→ b

EB⊕∆ (C ⊕ a∆)

What if evaluator knows the truth value on one input wire?

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C)

EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ CC ← {0,1}n

Evaluator has B (knows false):

⇒ should obtain C (false)

Evaluator has B ⊕ ∆ (knows true):

⇒ should be able to transfer truthvalue from “a” wire to “c” wire

I Su�ices to learn A ⊕ C

Fine print: no need for permute-and-point here

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C)

EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ CC ← {0,1}n

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C)

EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ CC ← {0,1}n

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C)

EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ CC ← {0,1}n

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C)

EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ CC ← {0,1}n

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C)

EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ CC ← {0,1}n

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C )EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ CC ← {0,1}n

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C )EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ CC ← {0,1}n

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C )EB⊕∆ (A ⊕ C)

⊕ A ⊕ C

⊕ A ⊕ CC ← {0,1}n

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C )EB⊕∆ (A ⊕ C)

⊕ A ⊕ C

C ← {0,1}n

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C )EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ C

C ← {0,1}n

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB (C )EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ C

C := E−1B (0n)

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ C

C := E−1B (0n)

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ C

C := E−1B (0n)

A,A ⊕ ∆

B,B ⊕ ∆

C,C ⊕ ∆

EB⊕∆ (A ⊕ C)

⊕ A ⊕ C⊕ A ⊕ C

C := E−1B (0n)

Two halves make a whole!

a ∧ b

= (a ⊕ r ⊕ r ) ∧ b= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]= [(a ⊕ r ) ∧ b]︸︷︷︸one input known to evaluator

⊕[r ∧ b]= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]︸︷︷︸one input known to garbler

I Garbler chooses random bit r

I r = color bit of false wire label A

I Arrange for evaluator to learn a ⊕ r in the clear

I a ⊕ r = color bit of wire label evaluator gets (A or A ⊕ ∆)

I Total cost = 2 “half gates” + 1 XOR gate = 2 ciphertexts

a ∧ b = (a ⊕ r ⊕ r ) ∧ b

= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]= [(a ⊕ r ) ∧ b]︸︷︷︸one input known to evaluator

I r = color bit of false wire label AI Arrange for evaluator to learn a ⊕ r in the clear

a ∧ b = (a ⊕ r ⊕ r ) ∧ b= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]

= [(a ⊕ r ) ∧ b]︸︷︷︸one input known to evaluator

I r = color bit of false wire label AI Arrange for evaluator to learn a ⊕ r in the clear

a ∧ b = (a ⊕ r ⊕ r ) ∧ b= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]

a ∧ b = (a ⊕ r ⊕ r ) ∧ b

= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]

⊕[r ∧ b]

= [(a ⊕ r ) ∧ b] ⊕ [r ∧ b]︸︷︷︸one input known to garbler

a ∧ b = (a ⊕ r ⊕ r ) ∧ b

⊕[r ∧ b]

a ∧ b = (a ⊕ r ⊕ r ) ∧ b

⊕[r ∧ b]

a ∧ b = (a ⊕ r ⊕ r ) ∧ b

⊕[r ∧ b]

I Garbler chooses random bit rI r = color bit of false wire label A

Scoreboard

P&P 4 4 4/8 4/8 1/2 1/2 hash/PRF

GRR3 3 3 4/8 4/8 1/2 1/2 PRF/hash

GRR2 2 2 4/8 4/8 1/2 1/2 PRF/hash

FleXOR {0,1,2} 2 {0,1,2} 4 {0,1,2} 1 circ. symm

HalfGates 0 2 0 4 0 2 circ. hash

[XYZ26]? 0 < 2? ? ? ? ? ?

Scoreboard

P&P 4 4 4/8 4/8 1/2 1/2 hash/PRF

GRR3 3 3 4/8 4/8 1/2 1/2 PRF/hash

GRR2 2 2 4/8 4/8 1/2 1/2 PRF/hash

FleXOR {0,1,2} 2 {0,1,2} 4 {0,1,2} 1 circ. symm

HalfGates 0 2 0 4 0 2 circ. hash[XYZ26]? 0 < 2? ? ? ? ? ?

Optimality

Every practical garbling scheme is combination of:

I Calls to symmetric primitive (can be modeled as random oracle)

I GF (2λ )-linear operations (xor, polynomial interpolation)

�eorem ([ZahurRosulekEvans15])Garbling a single and gate requires 2 ciphertexts (2λ bits), if garbling schemeis “linear” in this sense.

Half-gates construction is size-optimal among schemes that:

. . . use “known techniques”

. . . work gate-by-gate in {xor,and,not} basis

Optimality

Ways forward?

1:Consider larger “chunks” of circuit, beyond {xor,and,not} basis?

2:Discover some clever non-linear approach to garbling?

3:Wait for break-even point for asymptotically superior methods?

4:Use weaker security when situation calls for it.

Ways forward?

ZK via garbled circuits [JawurekKerschbaumOrlandi13]

x ,w x

“∃w : R(x ,w ) = 1 ”

garbled R(x , ·)

wire labels

garbled w

commit(garbled output)contains true wire label

⇒ prover knows valid wopen garbled circuit

correct GC⇒ garbled

output leaks nothing

about w open garbled output

Prover knows entire input to garbled circuit!

x ,w x

“∃w : R(x ,w ) = 1 ”

garbled R(x , ·)

wire labels

garbled w

x ,w x

“∃w : R(x ,w ) = 1 ”

garbled R(x , ·)

wire labels

garbled w

x ,w x

“∃w : R(x ,w ) = 1 ”

garbled R(x , ·)

wire labels

garbled w

commit(garbled output)

contains true wire label

x ,w x

“∃w : R(x ,w ) = 1 ”

garbled R(x , ·)

wire labels

garbled w

⇒ prover knows valid w

open garbled circuitcorrect GC⇒ garbled

x ,w x

“∃w : R(x ,w ) = 1 ”

garbled R(x , ·)

wire labels

garbled w

x ,w x

“∃w : R(x ,w ) = 1 ”

garbled R(x , ·)

wire labels

garbled w

about w

open garbled output

x ,w x

“∃w : R(x ,w ) = 1 ”

garbled R(x , ·)

wire labels

garbled w

x ,w x

“∃w : R(x ,w ) = 1 ”

garbled R(x , ·)

wire labels

garbled w

Privacy-free garbling [FrederiksenNielsenOrlandi15]

For this ZK protocol, garbled circuit does not require privacy property

I Only authenticity is needed

I Garbled circuits can be significantly smaller in this case

P&P 4 4 4/8 4/8 1/2 1/2 hash/PRF

GRR3 3 3 4/8 4/8 1/2 1/2 hash/PRF

GRR2 2 2 4/8 4/8 1/2 1/2 hash/PRF

FleXOR {0,1,2} 2 {0,1,2} 4 {0,1,2} 1 circ. hash

PrivFree * 0 1 0 2 0 1 circ. hash

Privacy-free garbling [FrederiksenNielsenOrlandi15]

For this ZK protocol, garbled circuit does not require privacy property

I Only authenticity is needed

I Garbled circuits can be significantly smaller in this case

P&P 4 4 4/8 4/8 1/2 1/2 hash/PRF

GRR3 3 3 4/8 4/8 1/2 1/2 hash/PRF

GRR2 2 2 4/8 4/8 1/2 1/2 hash/PRF

FleXOR {0,1,2} 2 {0,1,2} 4 {0,1,2} 1 circ. hash

PrivFree * 0 1 0 2 0 1 circ. hash

A success story!

1986 1990 1999 2008 2009 2014 2015

SHA256

I Reduction in size by 10x

I Reduction in computation by 10000x

the end!

Practical Garbled Circuit Optimizations

Documents

Transcript of Practical Garbled Circuit Optimizations

PrivPy: General and Scalable Privacy-Preserving Data Miningnas.iiis.tsinghua.edu.cn/~weixu/Krvdro9c/kdd19-li.pdfprimitives, such as garbled circuit [48] and secret sharing [42], with

Efficiency Optimizations on Yao's Garbled Circuits …the parties receive their outputs. For detailed information about how to achieve eﬃcientfairMPC,wereferthereaderto[19,20]. Lindell

GARBLED CIRCUITS CHECKING GARBLED CIRCUITS MORE EFFICIENT AND SECURE TWO-PARTY COMPUTATION Payman Mohassel Ben Riva University of Calgary Tel Aviv University.

Bytecode Optimizations

Intraprocedural Optimizations

A Gentle Introduction to Yao's Garbled Circuitsweb.mit.edu/sonka89/www/papers/2017ygc.pdf · A Gentle Introduction to Yao’s Garbled Circuits SophiaYakoubov BostonUniveristy Abstract.

Device aging simulations enabling circuit optimizations€¦ · Katja Puschkarsky 8.11.2017 – MOS AK 13.3.2018 Device aging simulations enabling circuit optimizations - restricted

Interprocedural Optimizations

Foundations of Garbled CircuitsFoundations of Garbled Circuits Mihir Bellare1 Viet Tung Hoang2 Phillip Rogaway2 1 Dept. of Computer Science and Engineering, University of California,

Improving compiler optimizations using Machine Learningudspace.udel.edu/bitstream/handle/19716/13442/2014_Kulkarni_Sameer_PhD.pdf · Some compiler optimizations are binary optimizations,

Interconnect Optimizations

Local Optimizations

Global optimizations

Adaptive Garbled RAM from Laconic Oblivious …Adaptive Garbled RAM from Laconic Oblivious Transfer Sanjam Garg University of California, Berkeley sanjamg@berkeley.edu Rafail Ostrovskyy

Feb 9, 2011 - NDSS Symposium...Vladimir Kolesnikov and Thomas Schneider. Improved Garbled Circuit: Free XOR Gates and Applications. In International Colloquium on Automata, Languages

Optimizing CUDA. 2 © NVIDIA Corporation 2008 Outline Overview Hardware Memory Optimizations Execution Configuration Optimizations Instruction Optimizations.

rdt2.1: sender, handles garbled ACK/NAKs

Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond

Two Halves Make a Whole - Springer...Two Halves Make a Whole 223 Table 2. Optimizations of privacy-free garbled circuits. Size is number of cipher-texts (multiples of k bits). The

Oblivious Data Structures - Crypto 2014 rump session€¦ · Compared with Path ORAM; data size 230. Open source implementation on a garbled circuit backend coming soon Stack / Queue