
1 / 23

Efficient Garbling from a Fixed-key Blockcipher

Applied MPC workshop, February 20, 2014

Mihir Bellare, UC San Diego
Viet Tung Hoang, UC San Diego
Phillip Rogaway, UC Davis
Sriram Keelveedhi, UC San Diego

2 / 23

Conventional circuit vs. garbled circuit [Yao 82, 86]

[Figure: a conventional circuit with 0/1 values on its wires, beside the same circuit garbled]

3 / 23

Garbled gate [Yao 82, 86]

[Figure: one garbled gate; the left input wire carries token A or B, the right input wire token C or D, the output wire token X or Y; rows 1 to 4 each encrypt an output token under one pair of input tokens, three rows yielding X and one yielding Y]

4 / 23

Garbled circuits → Garbling schemes

Garbled circuits
• Traditionally viewed as a technique for 2-party SFE
• Optimizations (free-xor, garbled-row reduction) are only proved for the SFE setting
• Garbled circuits are used in tens of applications: private function evaluation, verifiable computation, KDM-secure encryption, worry-free encryption, mobile oblivious computing, privacy-preserving auctions, secure database mining, semi-private function evaluation, server-aided SFE, privacy-preserving credit checking

Garbling schemes
• [BHR12]: Formalize garbled circuits as a primitive: the garbling scheme

5 / 23

Contributions

• Design new garbling schemes
  - Faster realization for doubly-locked boxes
  - Better circuit representation
  - Concrete security, proofs
• Attack prior implementations [KS08, PSSW09]
• Implement the schemes: JustGarble, ~100x speedup

6 / 23

Syntax, conceptual [BHR12]

[Figure: the initial function f is garbled by Gb into an encoding function e, a garbled function F and a decoding function d; input x → En(e) → garbled input X → Ev(F) → garbled output Y → De(d) → output y, while ev(f, x) = y directly]

f : {0,1}^n → {0,1}^m

f = d ∘ F ∘ e   (apply e, then F, then d)

Should distinguish the functions (f, e, F, d) from the strings (f, e, F, d) that describe them

7 / 23

Syntax [BHR12]

[Figure: Gb(1^k, f) → (F, e, d); x → En(e, ·) → X → Ev(F, ·) → Y → De(d, ·) → y; ev(f, x) = y]

A garbling scheme is a 5-tuple G = (Gb, En, De, Ev, ev)

Correctness: (∀ f, x, k) if (F, e, d) ← Gb(1^k, f), X ← En(e, x), Y ← Ev(F, X), y ← De(d, Y) then y = ev(f, x)

8 / 23

Privacy, very informally …

[Figure: the same pipeline as the syntax slide; the adversary is given (F, X, d)]

Intuition: Given (F, X, d), you learn nothing but y = f(x) = d(F(X))

A garbled function F will leak information about f: the side information Φ(f)
• reveal all of f: Φ(f) = f
• reveal the topology of f: Φ(f) = topo(f)
• reveal the size of f: Φ(f) = size(f)
• reveal the topology of f plus which gates are XOR: Φxor(f)

9 / 23

Privacy, indistinguishability

Game: A(1^k) queries GARBLE(f0, f1, x0, x1), receives (F, X, d) and outputs a guess b'

GARBLE(f0, f1, x0, x1):
  if f0(x0) ≠ f1(x1) or Φ(f0) ≠ Φ(f1) return ⊥
  b = 0: (F, e, d) ← Gb(1^k, f0), X ← En(e, x0)
  b = 1: (F, e, d) ← Gb(1^k, f1), X ← En(e, x1)
  return (F, X, d)

Adv^{prv,Φ}_G(A, k) = 2 Pr[b = b'] − 1

G is prv secure w.r.t. Φ if (∀ PPT A) Adv is negligible

10 / 23

Privacy, simulation

Game: A(1^k) queries GARBLE(f, x), receives (F, X, d) and outputs a guess b'

GARBLE(f, x):
  b = 0: (F, e, d) ← Gb(1^k, f), X ← En(e, x)
  b = 1: y ← ev(f, x), (F, X, d) ← S(1^k, y, Φ(f))
  return (F, X, d)

Adv^{prv.sim,Φ}_{G,S}(A, k) = 2 Pr[b = b'] − 1

G is prv.sim secure w.r.t. Φ if (∀ PPT A) (∃ PPT S) s.t. Adv is negligible

11 / 23

Achieving prv: scheme Ga

[Figure: a garbled gate (Gate 3) with input tokens A, B and output tokens X, Y; each of the four rows is E applied to X or Y under a pair of input tokens; tokens are k bits long]

The LSBs of the tokens are used to identify the row of the gate

Dual-key cipher E : {0,1}^{2k} × {0,1}^t × {0,1}^k → {0,1}^k
                    keys        tweak     input      output

12 / 23

How to make the DKC?

AES → DKC
[HEKM11]:
[KSS12]:

Today: permutation-based DKCs, with the permutation π given by AES under a fixed key
Intel AES-NI: AESENC, AESDEC, etc.

Theorem: Ga[π] is prv-secure over Φtopo in the RPM (random-permutation model):

  Adv^{prv,Φtopo}_{Ga[π]}(A) ≤ (48Qq + 84q² + 30Q + 84q) / 2^k

  Q = # of gates, q = # of oracle queries

13 / 23

Free-xor optimization [KS08]

Choose a secret global string R ←$ {0,1}^{k−1}1 (a random k-bit string whose last bit is 1). The two tokens on every wire differ by R, so the output token of an XOR gate is just the XOR of its input tokens and the gate needs no garbled rows.

[Figure: XOR gates over wires A, B, C, D, E with outputs Y, Z, evaluated with no garbled rows]

14 / 23

Free-xor helps

Real-world circuits can be made to be rich in XORs

Basic AES circuit: ~28K gates, 56% xor-gates
  without free-xor: size ~1.75 MB, garbling ~112K enc (4 rows per gate)

  ↓ refactor, then apply free-xor

Optimized AES circuit [KS08]: ~37K gates, 82% xor-gates
  with free-xor: size ~430 KB, garbling ~24K enc (only the non-XOR gates are garbled)

About 5x smaller and 5x fewer encryptions

15 / 23

Attacks on [KS08, PSSW09]

E(A, B, T, X) = H(A[1 : k−1] ‖ T) ⊕ H(B[1 : k−1] ‖ T) ⊕ X, with H modeled as a random oracle

To avoid problems, a gate's incoming wires must be distinct. Otherwise A = B, the two hash terms cancel, the row is X in the clear: no security.

With free-xor, distinct wires might have the same keys!

16 / 23

Attacks on [KS08, PSSW09]

[Figure: circuit diagram for the attack, with wire values 1, 0, 0 marked]

17 / 23

Incompatibility of E(A, B, T, X) = π(K) ⊕ K ⊕ X, K = A ⊕ B ⊕ T, with free-xor

Write ρ(x) = π(x) ⊕ x, so a garbled row is ρ(K) ⊕ (output token). Take an AND gate with free-xor tokens: A = A1 (so A0 = A ⊕ R), B = B0 (so B1 = B ⊕ R), and output tokens X for 0 and X ⊕ R for 1. The tweak T is the same in all four rows of the gate and is omitted, as on the slide.

  inputs      key K           row
  (A0, B0)    A ⊕ B ⊕ R       ρ(A ⊕ B ⊕ R) ⊕ X
  (A0, B1)    A ⊕ B           ρ(A ⊕ B) ⊕ X
  (A1, B0)    A ⊕ B           ρ(A ⊕ B) ⊕ X
  (A1, B1)    A ⊕ B ⊕ R       ρ(A ⊕ B ⊕ R) ⊕ X ⊕ R

Because A0 ⊕ B1 = A1 ⊕ B0 = A ⊕ B, two rows are identical, and XORing the other two rows yields R: the global offset is read off the garbled table, with no evaluation at all.

18 / 23

Breaking the symmetry: multiply in GF(2^k) by the element x = 0^{k−2}10 (written 2)

E(A, B, T, X) = π(K) ⊕ K ⊕ X with K = A ⊕ 2B ⊕ T

Now A ⊕ 2B ≠ (A ⊕ R) ⊕ 2(B ⊕ R) = A ⊕ 2B ⊕ 3R, so the four rows of a gate use four distinct keys, A ⊕ 2B, A ⊕ 2B ⊕ R, A ⊕ 2B ⊕ 2R and A ⊕ 2B ⊕ 3R (tweak omitted), and no two rows coincide. The scheme is still broken, because π is a public permutation that the evaluator can invert.

Take an OR gate and an evaluator holding A = A1 and B = B0. Decrypting its own row gives the output token X for OR(1, 0) = 1. The row for (A0, B0) = (A ⊕ R, B) has key A ⊕ 2B ⊕ R and encrypts the 0-token X ⊕ R:

  V = π(A ⊕ 2B ⊕ R) ⊕ (A ⊕ 2B ⊕ R) ⊕ (X ⊕ R) = π(A ⊕ 2B ⊕ R) ⊕ A ⊕ 2B ⊕ X

The two copies of R cancel, and everything outside π is known to the evaluator, so it computes

  R = π^{-1}(V ⊕ A ⊕ 2B ⊕ X) ⊕ A ⊕ 2B

19 / 23

A DKC that works: scheme GaX = Ga + free-xor

E(A, B, T, X) = π(K) ⊕ K ⊕ X with K = 2A ⊕ 4B ⊕ T

Multiply in GF(2^k) by x = 0^{k−2}10 (2) and by x² = 0^{k−3}100 (4). Doubling A is what defeats the previous attack: the offset no longer cancels out of the mask, since

  2(A ⊕ R) ⊕ (X ⊕ R) = 2A ⊕ X ⊕ 3R ≠ 2A ⊕ X

Other "doubling" methods work too: a logical shift, or a SIMD shift, (left half >> 1) ‖ (right half >> 1), combined with an xor

Theorem: GaX[π] is prv-secure over Φxor in the RPM:

  Adv^{prv,Φxor}_{GaX[π]}(A) ≤ (54Qq + 99q² + 36Q + 108q) / 2^k

  Q = # of gates, q = # of oracle queries
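The three dual-key ciphers of slides 17 to 19, worked as an added example that is not part of the talk or of JustGarble. It garbles a single free-xor gate under a toy public permutation π (a 4-round key-less Feistel on 64-bit strings standing in for fixed-key AES; the permutation, the 64-bit token length and the GF(2^64) polynomial x^64 + x^4 + x^3 + x + 1 are assumptions of the example) and runs both attacks: the equal-rows attack against K = A ⊕ B ⊕ T, and the π^{-1} attack against K = A ⊕ 2B ⊕ T, which no longer recovers R once K = 2A ⊕ 4B ⊕ T. Function and variable names are the example's own.

```python
import hashlib
import secrets

K_BITS = 64
MASK = (1 << K_BITS) - 1

def _round(half, rnd):
    # Key-less round function of the toy permutation; the talk uses a fixed-key AES
    # block instead (this Feistel construction is an assumption of the example).
    d = hashlib.sha256(bytes([rnd]) + half.to_bytes(4, "big")).digest()
    return int.from_bytes(d[:4], "big")

def pi(x):
    """Public, invertible permutation on 64-bit strings (4-round Feistel)."""
    left, right = x >> 32, x & 0xFFFFFFFF
    for rnd in range(4):
        left, right = right, left ^ _round(right, rnd)
    return (left << 32) | right

def pi_inv(y):
    """Inverse of pi; anyone can compute it, which is what the slide-18 attack uses."""
    left, right = y >> 32, y & 0xFFFFFFFF
    for rnd in reversed(range(4)):
        left, right = right ^ _round(left, rnd), left
    return (left << 32) | right

def dbl(x):
    """Multiply by x in GF(2^64) modulo x^64 + x^4 + x^3 + x + 1 (assumed polynomial)."""
    x <<= 1
    if x >> K_BITS:
        x ^= 0x1B
    return x & MASK

def mul(x, times):
    """x * 2^times in GF(2^64)."""
    for _ in range(times):
        x = dbl(x)
    return x

def dkc(da, db, a, b, t, x):
    """E(A, B, T, X) = pi(K) ^ K ^ X with K = 2^da*A ^ 2^db*B ^ T.
    (da, db) = (0, 0): slide 17; (0, 1): slide 18, K = A ^ 2B ^ T; (1, 2): slide 19."""
    k = mul(a, da) ^ mul(b, db) ^ t
    return pi(k) ^ k ^ x

def garble_gate(da, db, gate, a0, b0, x0, R, t):
    """Four rows of a free-xor gate: tokens (a0, a0^R), (b0, b0^R), output (x0, x0^R).
    Rows stay in semantic order (va, vb); the scheme's LSB-driven row permutation is
    omitted because it changes neither attack."""
    def tok(t0, v):
        return t0 ^ (R if v else 0)
    return [dkc(da, db, tok(a0, va), tok(b0, vb), t, tok(x0, gate(va, vb)))
            for va in (0, 1) for vb in (0, 1)]

def evaluate(da, db, rows, va, vb, a_tok, b_tok, t):
    """Honest evaluation: decrypt the row for the values the held tokens encode."""
    k = mul(a_tok, da) ^ mul(b_tok, db) ^ t
    return rows[2 * va + vb] ^ pi(k) ^ k

def attack_equal_rows(rows):
    """Slide 17: with K = A ^ B ^ T the rows for (A0, B1) and (A1, B0) share key and
    plaintext, so they coincide, and the remaining two rows differ by exactly R."""
    for i in range(4):
        for j in range(i + 1, 4):
            if rows[i] == rows[j]:
                rest = [rows[n] for n in range(4) if n not in (i, j)]
                return rest[0] ^ rest[1]
    return None

def attack_invert_pi(da, db, rows, a_tok, b_tok, t, x_tok):
    """Slide 18: the evaluator holds A = A1, B = B0 of an OR gate and its output token X.
    Row (0, 0) is V = pi(K') ^ K' ^ (X ^ R) with K' = 2^da*(A ^ R) ^ 2^db*B ^ T; for
    da = 0 the R's cancel and R = pi^-1(V ^ A ^ 2^db*B ^ T ^ X) ^ A ^ 2^db*B ^ T."""
    mask = mul(a_tok, da) ^ mul(b_tok, db) ^ t
    return pi_inv(rows[0] ^ mask ^ x_tok) ^ mask

def demo(da, db, gate):
    """Garble one gate with constructed random tokens, evaluate it as the holder of
    (A = 1, B = 0), run both attacks. Returns (true R, equal-rows R or None, pi^-1 R)."""
    R = secrets.randbits(K_BITS) | 1                # R ends in 1, as in [KS08]
    a0, b0, x0, t = (secrets.randbits(K_BITS) for _ in range(4))
    rows = garble_gate(da, db, gate, a0, b0, x0, R, t)
    a_tok, b_tok = a0 ^ R, b0                       # evaluator's tokens: A = A1, B = B0
    x_tok = evaluate(da, db, rows, 1, 0, a_tok, b_tok, t)
    assert x_tok == (x0 ^ R if gate(1, 0) else x0)  # honest evaluation is correct
    return R, attack_equal_rows(rows), attack_invert_pi(da, db, rows, a_tok, b_tok, t, x_tok)

def AND(p, q):
    return p & q

def OR(p, q):
    return p | q
```

demo(0, 0, AND) recovers R from two identical rows; demo(0, 1, OR) has four distinct rows but still recovers R by inverting π; with demo(1, 2, OR) the same computation returns an unrelated value, which is the behaviour the GaX theorem promises (the example shows only that this particular attack fails, not the full proof).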

20 / 23

Garbled-row reduction [PSSW09]: scheme GaXR = Ga + free-xor + garbled-row reduction

Theorem: GaXR[π] is prv-secure over Φxor in the RPM:

  Adv^{prv,Φxor}_{GaXR[π]}(A) ≤ (58Qq + 114q² + 36Q + 123q) / 2^k

  Q = # of gates, q = # of oracle queries

21 / 23

Experimental results

AES circuit: ~37K gates, ~82% xor-gates (unit: cycles / gate)

              Ga     GaX    GaXR
  Garbling    221    56     57
  Evaluating  52     23     24

  Garbling time of [KSS12]: 5750 cycles per gate

EDT-255 circuit: ~16M gates, ~59% xor-gates
• Garbling time (GaXR): 101 cycles per gate
• Evaluating time (GaXR): 48 cycles per gate
• Garbling time of [KSS12]: 6400 cycles per gate

22 / 23

Better circuit representation

[KSS12] spends most of its time in non-cryptographic operations. One reason: a complex data structure to represent circuits.

[BHR12] formalize circuits as C = (n, m, q, A, B, G): the integers n, m, q (number of inputs, outputs and gates) and the integer arrays A, B, G (first input wire, second input wire and function of each gate)

Implement a simple circuit representation to programmatically realize [BHR12]
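A complete toy garbling scheme in the [BHR12] syntax (Gb, En, De, Ev, ev) over the flat circuit representation C = (n, m, q, A, B, G), covering this slide together with the syntax and correctness slides (6 and 7) and the LSB row selection of slide 11. It is an added example, not JustGarble's code: the dual-key cipher is the hash-based one of slide 15 with SHA-256 as H, so this is the random-oracle variant rather than the fixed-key-AES schemes of the talk, and the 128-bit token length, the full-adder circuit and all names are constructed for the example. The garbled function F carries the wiring (A, B) but not the gate functions G, i.e. it leaks Φtopo.

```python
import hashlib
import secrets
from typing import List, NamedTuple

K = 128  # token length in bits (assumption of this example)

class Circuit(NamedTuple):
    """Flat [BHR12] circuit: wires 0..n+q-1, inputs are wires 0..n-1; gate i reads wires
    A[i], B[i] (both < n+i), writes wire n+i, and G[i] is its truth table indexed by
    2*a + b. The last m wires are the outputs."""
    n: int
    m: int
    q: int
    A: List[int]
    B: List[int]
    G: List[tuple]

def ev(f, x):
    """Plain evaluation: the function the garbled pipeline must agree with."""
    w = list(x)
    for i in range(f.q):
        w.append(f.G[i][2 * w[f.A[i]] + w[f.B[i]]])
    return w[-f.m:]

def H(key, tweak):
    d = hashlib.sha256(key.to_bytes(K // 8, "big") + tweak.to_bytes(4, "big")).digest()
    return int.from_bytes(d[: K // 8], "big")

def dkc(a, b, t, x):
    """Dual-key cipher of slide 15: H(A || T) xor H(B || T) xor X, its own inverse."""
    return H(a, t) ^ H(b, t) ^ x

def Gb(f):
    """Garble f into (F, e, d). Each wire gets two k-bit tokens with opposite LSBs; the
    LSB is a public select bit that tells the evaluator which row to decrypt."""
    tok = []
    for _ in range(f.n + f.q):
        t0 = secrets.randbits(K)
        tok.append((t0, (secrets.randbits(K - 1) << 1) | ((t0 & 1) ^ 1)))
    tables = []
    for i in range(f.q):
        rows = [None] * 4
        for va in (0, 1):
            for vb in (0, 1):
                ta, tb = tok[f.A[i]][va], tok[f.B[i]][vb]
                out = tok[f.n + i][f.G[i][2 * va + vb]]
                rows[2 * (ta & 1) + (tb & 1)] = dkc(ta, tb, i, out)  # slot by select bits
        tables.append(rows)
    F = (f.n, f.m, f.q, list(f.A), list(f.B), tables)  # wiring plus rows; G is not in F
    e = tok[: f.n]
    d = [tok[w][0] & 1 for w in range(f.n + f.q - f.m, f.n + f.q)]  # select bit meaning 0
    return F, e, d

def En(e, x):
    return [e[i][xi] for i, xi in enumerate(x)]

def Ev(F, X):
    n, m, q, A, B, tables = F
    w = list(X)
    for i in range(q):
        ta, tb = w[A[i]], w[B[i]]
        w.append(dkc(ta, tb, i, tables[i][2 * (ta & 1) + (tb & 1)]))
    return w[-m:]

def De(d, Y):
    return [0 if (y & 1) == dj else 1 for dj, y in zip(d, Y)]

# Constructed sample circuit: a 1-bit full adder, inputs (a, b, cin), outputs (sum, cout).
XOR, AND, OR = (0, 1, 1, 0), (0, 0, 0, 1), (0, 1, 1, 1)
FULL_ADDER = Circuit(n=3, m=2, q=5, A=[0, 0, 3, 3, 4], B=[1, 1, 2, 2, 5],
                     G=[XOR, AND, AND, XOR, OR])
# wire 3 = a^b, wire 4 = a&b, wire 5 = (a^b)&cin, wire 6 = sum, wire 7 = cout

def garbled_eval(f, x):
    """The pipeline of slide 7; returns (De(d, Ev(F, En(e, x))), ev(f, x)), which
    correctness says must agree."""
    F, e, d = Gb(f)
    return De(d, Ev(F, En(e, x))), ev(f, x)
```

Ev never sees G, the input bits or the output decoding: it walks the same integer arrays A and B that ev uses, which is the point of the flat representation, and picks one row per gate from the two select bits.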

23 / 23

Concluding remarks

Good foundations → good schemes

As with
• authenticated encryption
• entity authentication
• message authentication codes
• …