New Advances in Garbling Circuits
Benny Applebaum (Tel Aviv University)
Based on joint works with Yuval Ishai (Technion), Eyal Kushilevitz (Technion) and Brent Waters (University of Texas)
Garbled Circuit
Yao, 80’s
“Encryption of a function”
Garbled Circuit Construction
[Figure: a Boolean circuit C on inputs x1, x2, x3, x4 is mapped to a garbled circuit C' (a long random-looking string) together with a pair of short keys (K_{i,0}, K_{i,1}) for every input wire i.]
• Decoder: given C' and the keys K_{i,x_i} selected by the input x, outputs C(x)
• Simulator: given only C(x), produces a distribution indistinguishable from (C', (K_{i,x_i})_i), so nothing about x beyond C(x) leaks
• Can be based on any pseudorandom generator [BM82, Yao82] (or one-way function [HILL90])
• The input-dependent part is "simple & short": only the n selected keys depend on X, and C' can be prepared in advance
Applications
• Constant-round secure computation [Yao82, BMR90, ...]
  – Related to: computing on encrypted data [SYY99]
  – Alternative technique: FHE [Gentry09, ...]
• Parallel cryptography [AIK05]
• One-time programs [GKR08]
• Verifiable computation [GGP10, ...]
• KDM-secure encryption [BHHI10, ...]
• Functional encryption [SS10, ...]
Non-Interactive Delegation
• A client wants C(x) computed by a server
• Offline (before x is known): send the garbled circuit C'
• Online (once x is known): send only the garbled input K_x; the server evaluates and returns C(x)
Yao's Construction
• Each wire w has a 0-key and a 1-key
  – The two keys are colored "blue" and "green" at random, so the color of a key reveals nothing about the bit it stands for
• K_{i,b} = b-key of input wire i
• C' = color code for the output wires + "garbled gates"
[Figure: a circuit on inputs x1..x4 with a sample assignment 0 1 0 0; each wire carries its 0-key and 1-key, and C' is the concatenation of the garbled gates.]
Garbled Gates
[Figure: a gate with input wires a, b and output wire c. Each of the four (a-key, b-key) combinations encrypts the c-key of the corresponding output value; the four rows are stored in an order determined by the random colors, so an evaluator holding one a-key and one b-key can decrypt exactly one row.]
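The construction on the last two slides, as an added Python example (not code from the talk): keys are 16-byte strings whose last bit is the random color, the four rows of each garbled gate are placed according to the colors of the two input keys, and the pad for a row is derived from the two input keys with SHA-256 standing in for the PRG-based encryption. The three-gate circuit, the key format and the hash-based pad are this example's own choices.

```python
"""Yao-style garbling of a small Boolean circuit with random wire colors
(point-and-permute). Illustrative code, not from the talk."""
import hashlib
import os

KEY_BYTES = 16  # key length; the last bit of each key is its "color"

# Constructed example circuit: wires 0..3 are the inputs x1..x4,
# gate = (op, in_a, in_b, out). Output wire 6 = (x1 AND x2) XOR (x3 OR x4).
CIRCUIT = [("AND", 0, 1, 4), ("OR", 2, 3, 5), ("XOR", 4, 5, 6)]
N_INPUTS, OUTPUTS = 4, [6]
OPS = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b, "XOR": lambda a, b: a ^ b}


def plain_eval(circuit, bits, outputs):
    vals = dict(enumerate(bits))
    for op, a, b, out in circuit:
        vals[out] = OPS[op](vals[a], vals[b])
    return [vals[w] for w in outputs]


def color(key):
    return key[-1] & 1


def new_wire_keys():
    """A 0-key and a 1-key with opposite, randomly assigned colors."""
    c = os.urandom(1)[0] & 1
    k0, k1 = bytearray(os.urandom(KEY_BYTES)), bytearray(os.urandom(KEY_BYTES))
    k0[-1] = (k0[-1] & 0xFE) | c
    k1[-1] = (k1[-1] & 0xFE) | (c ^ 1)
    return bytes(k0), bytes(k1)


def pad(ka, kb, gate_id):
    """Pseudorandom pad derived from the two input keys (hash used as the PRG)."""
    return hashlib.sha256(ka + kb + gate_id.to_bytes(4, "big")).digest()[:KEY_BYTES]


def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))


def garble(circuit, n_inputs, outputs):
    wires = {w for g in circuit for w in g[1:]} | set(range(n_inputs))
    keys = {w: new_wire_keys() for w in wires}
    tables = []
    for gid, (op, a, b, out) in enumerate(circuit):
        table = [None] * 4
        for va in (0, 1):
            for vb in (0, 1):
                ka, kb = keys[a][va], keys[b][vb]
                # the row position depends only on the random colors, not on va, vb
                row = (color(ka) << 1) | color(kb)
                table[row] = xor(keys[out][OPS[op](va, vb)], pad(ka, kb, gid))
        tables.append(table)
    # C' = garbled gates + color code of the output wires (color of each 0-key)
    garbled = {"circuit": circuit, "tables": tables,
               "out_colors": {w: color(keys[w][0]) for w in outputs}}
    input_keys = {i: keys[i] for i in range(n_inputs)}  # (K_{i,0}, K_{i,1})
    return garbled, input_keys


def select_input_keys(input_keys, bits):
    """The garbled input: K_{i, x_i} for every input wire (sent online)."""
    return {i: input_keys[i][bit] for i, bit in enumerate(bits)}


def evaluate(garbled, garbled_input, outputs):
    held = dict(garbled_input)
    for gid, (op, a, b, out) in enumerate(garbled["circuit"]):
        ka, kb = held[a], held[b]
        row = (color(ka) << 1) | color(kb)
        held[out] = xor(garbled["tables"][gid][row], pad(ka, kb, gid))
    # decode each output key by comparing its color with the published 0-key color
    return [color(held[w]) ^ garbled["out_colors"][w] for w in outputs]


def check_all_inputs(circuit=CIRCUIT, n_inputs=N_INPUTS, outputs=OUTPUTS):
    """Garbled evaluation must agree with plain evaluation on every input."""
    garbled, input_keys = garble(circuit, n_inputs, outputs)
    for x in range(2 ** n_inputs):
        bits = [(x >> i) & 1 for i in range(n_inputs)]
        got = evaluate(garbled, select_input_keys(input_keys, bits), outputs)
        if got != plain_eval(circuit, bits, outputs):
            return False
    return True


if __name__ == "__main__":
    print("garbled evaluation matches plain evaluation:", check_all_inputs())
```

The evaluator never sees which of the four rows corresponds to which plaintext input pair, because the rows are ordered by the random colors and the three unopened rows are masked with pads derived from keys it does not hold; the only information that leaks from the output keys is the output bit via the published color code.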
Post-Yao Constructions?
• A lot of progress on implementation
  – E.g., Fairplay [MNPS04] ...
• Better concrete efficiency
  – Free XOR gates [KS08] ...
  – 3 ciphertexts per gate [PSSW09]
• Little theoretical progress
  – Information-theoretic variants for restricted classes [IK00, IK02]
  – Rerandomizable GC [GHV10]
• No asymptotic improvements!
Abstraction (Randomized Encoding [IK00])
[Figure: Boolean circuit C plus randomness -> garbled circuit C' (public); input X (n bits) -> garbled input X'. Decoder: (C', X') -> C(X). Simulator: C(X) -> (C', X'), so the pair reveals nothing about X beyond C(X).]
• "Simple": X' is decomposable and affine, X' = K_1(X_1) ... K_n(X_n), where each K_i is affine over F_2
  – A weaker requirement is affinity alone: X' = K(X), where K is an affine map of the whole input X
• "Short": X' should not be much longer than the n-bit input X
Q1: Can we shorten the garbled input X'?
Q2: Can we garble arithmetic circuits?
How short can X' be? [AIKW12]
• Input X: n bits; in Yao's construction X' consists of n keys, so |X'| is O(n) times the key length
• Goal: constant online rate, |X'| = O(n), or even online rate 1, |X'| = n + a lower-order term
• Thm. Impossible if X' is decomposable
• Observation: typically affinity suffices
• Thm. Affine GC with online rate 1 under DDH, RSA, LWE [This work]: X' = an n-bit string plus a single key
Gadget: Online/Offline Encryption
[Figure: Alice holds plaintexts M_1, ..., M_n. Offline she sends Bob the ciphertexts C_1, ..., C_n. Online she chooses a subset S of {1, ..., n} (drawn as the indicator bits 1 0 0 1 0) and sends a single key K_S, from which Bob recovers exactly the M_i with i in S.]
• Key length = independent of the number of plaintexts
Gadget => Succinct GC
[Figure: Yao's garbling maps the Boolean circuit C and randomness to C' and the 2n input keys; the input keys become the plaintexts of the gadget. The garbled input is now the n-bit description of the subset determined by X together with the short key K_S. Decoder: (C', subset, K_S) -> C(x); simulator as before.]
Implementing the Gadget
• Tool: symmetric encryption with additive homomorphism for keys and messages
  E_{K_1}(M_1) + ... + E_{K_n}(M_n) = E_{K_1 + ... + K_n}(M_1 + ... + M_n)
• One-time security suffices
• Can be implemented under DDH
• Close variants under LWE, RSA

From Homomorphism to Online/Offline Encryption
[Figure: offline, Alice sends C_i = Enc(K_i, M_i) for every i. For the subset S = {1, 3} (indicator bits 0 1 0 1 over M_4 M_3 M_2 M_1), Bob adds the selected ciphertexts, C_1 + C_3, and the single online key K_S opens the combined ciphertext, yielding M_1 and M_3.]
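An added Python example of the gadget on the two slides above; it is not the talk's construction and its details are this example's assumptions. Encryption is a one-time pad in a DDH group: a key is an exponent K in Z_Q, a message is a vector of group elements, and Enc(K, M)_j = M_j · h_j^K for public bases h_j, so ciphertexts multiply slot-wise while keys add, which is the slide's homomorphism written multiplicatively. To let Bob read individual plaintexts rather than only their sum, plaintext i is placed in slot i of an otherwise trivial vector; Alice's single online key is K_S = Σ_{i in S} K_i, an affine function of the indicator vector of S whose size does not depend on n. The 64-bit safe prime is a toy security parameter.

```python
"""Toy online/offline encryption gadget from a key- and message-homomorphic
one-time encryption in a DDH group. Illustrative code, not the talk's scheme."""
import random

rng = random.Random(2024)  # fixed seed so the example is reproducible


def is_prime(n):
    """Deterministic Miller-Rabin, valid for n < 3.3e24."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits):
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_prime(q) and is_prime(2 * q + 1):
            return 2 * q + 1, q


P, Q = safe_prime(64)   # toy size; real deployments use groups of 2048 bits or more
G = 4                   # generator of the order-Q subgroup of quadratic residues mod P


class HomEnc:
    """One-time encryption: key K in Z_Q, message = vector of n group elements.
    Enc(K, M)_j = M_j * h_j^K, hence Enc(K1, M1) * Enc(K2, M2) = Enc(K1 + K2, M1 * M2)."""

    def __init__(self, n):
        self.n = n
        self.h = [pow(G, rng.randrange(1, Q), P) for _ in range(n)]  # public slot bases

    def enc(self, key, msg):
        return [m * pow(h, key, P) % P for m, h in zip(msg, self.h)]

    def dec(self, key, ct):
        return [c * pow(h, Q - key, P) % P for c, h in zip(ct, self.h)]  # h^-K = h^(Q-K)

    @staticmethod
    def combine(cts):
        out = [1] * len(cts[0])
        for ct in cts:
            out = [a * b % P for a, b in zip(out, ct)]
        return out


def homomorphism_holds(n=3):
    """Checks the slide's identity E_K1(M1) * E_K2(M2) = E_{K1+K2}(M1 * M2)."""
    scheme = HomEnc(n)
    k1, k2 = rng.randrange(Q), rng.randrange(Q)
    m1 = [pow(G, rng.randrange(1, Q), P) for _ in range(n)]
    m2 = [pow(G, rng.randrange(1, Q), P) for _ in range(n)]
    lhs = scheme.combine([scheme.enc(k1, m1), scheme.enc(k2, m2)])
    rhs = scheme.enc((k1 + k2) % Q, [a * b % P for a, b in zip(m1, m2)])
    return lhs == rhs


def offline(scheme, plaintexts):
    """Alice, offline: one ciphertext per plaintext; plaintext i occupies slot i only."""
    keys = [rng.randrange(Q) for _ in plaintexts]
    cts = []
    for i, (k, m) in enumerate(zip(keys, plaintexts)):
        vec = [1] * scheme.n
        vec[i] = m
        cts.append(scheme.enc(k, vec))
    return keys, cts


def online_key(keys, subset):
    """Alice, online: a single Z_Q element, affine in the indicator vector of S."""
    return sum(keys[i] for i in subset) % Q


def bob_decrypt(scheme, cts, subset, k_s):
    """Bob: multiply the selected ciphertexts and decrypt once with K_S.
    Slot i then holds M_i for i in S and the identity 1 elsewhere."""
    return scheme.dec(k_s, scheme.combine([cts[i] for i in subset]))


def demo(n=5, subset=(0, 3)):
    scheme = HomEnc(n)
    plaintexts = [pow(G, rng.randrange(1, Q), P) for _ in range(n)]  # stand-ins for wire keys
    keys, cts = offline(scheme, plaintexts)
    k_s = online_key(keys, subset)
    full = bob_decrypt(scheme, cts, subset, k_s)
    selected_ok = all(full[i] == plaintexts[i] for i in subset)
    others_hidden = all(full[j] == 1 for j in range(n) if j not in subset)
    return selected_ok, others_hidden, k_s.bit_length() <= Q.bit_length()


if __name__ == "__main__":
    print("homomorphism:", homomorphism_holds(), "gadget:", demo())
```

Bob can multiply any ciphertexts he likes, but only the combination for S decrypts under K_S, and the slots outside S come out as 1; the unselected plaintexts stay hidden as long as the pads h_j^{K_i} are pseudorandom given the bases, which is where the DDH assumption enters. When the plaintexts are garbled-circuit input keys, the indices in S must not themselves reveal the input; this example does not implement that masking.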
Application 1: Verifiable Computation
[Figure: weak client holding x, untrusted server, f: {0,1}^n -> {0,1}^m.]
• Offline: |f| bits
• Online: the client sends n bits + a short key; the server answers with m bits + a short key
• Optimal online complexity using [GGP10, AIK10]
• Previous works: multiplicative overhead (the online messages grow by a factor rather than by an additive term)
Application 2: MPC with Preprocessing
• Semi-honest MPC for f: {0,1}^n -> {0,1}^m; Alice holds A, Bob holds B, both learn f(A, B)
• Offline: |f| bits (the garbled circuit C' and random masks r_A, r_B)
• Online: Alice sends A masked by r_A, Bob sends B masked by r_B (n bits each) plus a short key; the decoder outputs f(A, B)
  – 1 online round
  – Online communication does not grow with m
  – Additive (rather than multiplicative) dependency on the key length
• Malicious MPC? Homomorphic MACs [BDOZ11]
• Adaptive choice of inputs?
Adaptive Choice of Inputs?
• No succinct GC with adaptive security
• Can be achieved with a random oracle
• Not needed in some applications
  – Offline private inputs (shares of a signing key)
  – Independent online public inputs (documents to be signed)
Garbling Arithmetic Circuits? [AIK11]
• Gates perform addition or multiplication
• Operations over a large domain (e.g., a field F)
[Figure: the randomized-encoding abstraction with an arithmetic circuit C in place of the Boolean one. The garbled input is still decomposable and affine, X' = K_1(X_1) ... K_n(X_n), but each K_i: F -> F is now affine over F rather than over F_2.]
• Extends applications to the arithmetic setting
• Non-trivial if the field is large!
• Requires a new approach
• Thm. Arithmetic GC (over large integers) under LWE (or OWF, less efficiently).
Garbling Arithmetic Formulas [IK02]
[Figure: the same abstraction for an arithmetic formula C, with affine keys K_i: F -> F on the inputs.]
• Problem 1: limited to formulas
• Problem 2: large blow-up, quadratic in |C|
• Key idea: solving 2 => solving 1
Key-Shrinking Gadget
[Figure: from an encoding whose key on wire y is the long affine key c·y + d, the gadget produces a short affine key a·y + b together with a garbled part W; decoder and simulator as in the abstraction.]
• a, b, W can depend on c, d and randomness
• Special type of "functional encryption"
• Implementation over the integers from LWE

Garbling the Circuit Layer-by-Layer
[Figure: the circuit is split into layers ..., C_{i+1}, C_i, C_{i-1}, ..., C_1. Wires y_1^i, ..., y_4^i enter layer i; its gates (drawn as x·x and x + x) produce the wires y_1^{i-1}, ..., y_4^{i-1}, and W_{i-1} is the garbled part of the layers already handled.]
• Start: an arithmetic GC for C_1 ... C_{i-1} whose garbled input consists of short affine keys a_j·y_j^{i-1} + b_j on the wires y_j^{i-1}
• Substitution: replace each y_j^{i-1} by the gate of layer i that computes it from the y^i wires; the keys are no longer affine in y^i
• Affinization [IK02]: re-encode so that the keys are again affine in the y^i wires, c_j·y_j^i + d_j, at the cost of longer keys
• Key shrinking: apply the gadget to obtain short keys a_j·y_j^i + b_j and a new garbled part W_i; repeat with the next layer
Conclusion
• GC with optimal online rate for Boolean circuits
  – Applications with optimal online communication
• General approach for arithmetic garbled circuits
  – Alternative to Yao's "garbled tables" approach
  – Instantiated using LWE
  – Extends applications to the arithmetic setting
  – New modular, simplified proof for the Boolean case
• Constant online rate for arithmetic formulas

Open Questions
• Arithmetic setting: circuits over finite fields? An arithmetic decoder?
• Efficiency: shorten the offline part? |C'| = O(|C|)? Can be achieved for a natural class of arithmetic functions
• Less computational overhead (online/offline)?
Take-Home Message: What are Garbled Circuits?
• "FHE for the poor"?
• A powerful tool, superior to FHE in some aspects (asymptotically and concretely)