Succinct Functional Encryption: Reusable Garbled Circuits and Beyond
![Page 1: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/1.jpg)
Succinct Functional Encryption:
Reusable Garbled Circuits and Beyond
Yael Kalai, Microsoft Research
Joint work with: Shafi Goldwasser (MIT), Raluca Ada Popa (MIT), Vinod Vaikuntanathan (U Toronto), Nickolai Zeldovich (MIT)
* Thanks to Raluca and Vinod for the slides.
![Page 2: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/2.jpg)
Example: Spam Filters
[Diagram: Sender, E[email], Spam filter, Receiver]
FHE.Eval of filter: E[email] → E[spam?]
Need to decrypt computation result but nothing else!
FHE is not enough!
![Page 3: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/3.jpg)
Desired: Functional Encryption (FE) [Boneh-Sahai-Waters11, O’Neill11]
Allows evaluator to decrypt computation result
$E[x_1], \ldots, E[x_n]$
$sk_f$
Client, Evaluator
compute
Can release only one function key [Agrawal-Gorbunov-Vaikuntanathan-Wee12]
Syntax:
![Page 4: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/4.jpg)
Outline
• Example: Spam filters
• Problem we solve: Functional Encryption (under LWE assumption)
• Prior work
• Main Application: Reusable Garbled Circuits
• Application 2: FHE for Turing machines
• Application 3: Publicly Verifiable and Secret Delegation
• Our constructions
![Page 5: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/5.jpg)
Prior Work
Functional encryption for inner product functions [Katz-Sahai-Waters’08, Shen-Shi-Waters’09]
Public-index functional encryption (also known as ABE or predicate encryption) [Sahai-Waters’05, Goyal-Pandey-Sahai-Waters’06, Bethencourt-Sahai-Waters’07, Goyal-Jain-Pandey-Sahai’08, Lewko-Okamoto-Sahai-Takashima-Waters’10, Waters’11, Lewko-Waters’12, Waters’12, Sahai-Waters’12, Gorbunov-Vaikuntanathan-Wee’13, …]
[Gorbunov-Vaikuntanathan-Wee’12]: Functional encryption for general functions, where grows with circuit size (e.g. size of email encryption depends on spam filter program size)
![Page 6: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/6.jpg)
Open question: Is there a FE scheme for general functions with ciphertext size << circuit size? (succinct)
![Page 7: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/7.jpg)
Our contribution: Succinct functional encryption
Theorem. A FE scheme with succinct ciphertexts for general functions can be constructed from
1. FHE scheme
2. public-index functional encryption scheme
Corollary. Under the sub-exp. LWE assumption, for any depth d, there is a FE scheme with succinct ciphertexts (whose size grows with d) for general functions computable by circuits of depth d.
![Page 8: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/8.jpg)
Main Application: Reusable Garbled Circuits
Yao garbled circuits [Yao82]
– Secure two-party computation [Yao86],
– (Constant round) multi-party computation [BMR90],
– Parallel cryptography [AIK05],
– One-time programs [GKR08],
– Key-dependent message (KDM) security [BHHI09, A11],
– Outsourcing computation [GGP10],
– Circuit-private homomorphic encryption [GHV10],
– and many others
![Page 9: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/9.jpg)
Yao Garbled Circuits [Yao 82]
[Figure: Boolean circuit C (gates + and x) with input bits 0 1 1 0; Garble(C) yields the garbled circuit GC; Garble(x) maps the input to the garbled input, with the wire labels L1,0, L1,1, L2,0, L2,1, L3,0, L3,1, L4,0, L4,1 shown.]
![Page 10: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/10.jpg)
Yao Garbled Circuits (Cont.)
Correctness: Given GC and , can compute C(x).
Security (Input & Circuit privacy): Given C(x) and $1^{|C|}$, can simulate (GC, ).
Efficiency: |GC| = p(|C|) and || = p(|x|)
[Figure: garbled circuit GC and the garbled input labels L1,0 through L4,1, as on the previous slide.]
![Page 11: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/11.jpg)
Yao Garbled Circuits (Cont.)
Theorem: [Yao86]
If one-way functions exist, any polynomial-size circuit family can be garbled.
[Figure: garbled circuit GC and the garbled input labels L1,0 through L4,1, as on the previous slides.]
![Page 12: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/12.jpg)
Drawback: One-time
[Figure: garbled circuit GC together with two garbled inputs.]
Insecure to release two encodings $g_x$ and $g_{x'}$:
$x = 0110$: L1,0, L2,1, L3,1, L4,0
$x' = 1001$: L1,1, L2,0, L3,0, L4,1
Can compute C(x) for unintended inputs x!
No input or circuit privacy guarantees!
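The one-time drawback above, as an added example that is not part of the original slides: a toy Yao-style garbling showing that releasing the encodings for x = 0110 and x' = 1001 lets the evaluator run GC on all 16 inputs. The circuit C(x) = (x1 AND x2) OR (x3 AND x4), the SHA-256 row pad, the zero-tag row check and all function names are assumptions chosen for illustration.

```python
import hashlib, os, random
from itertools import product

# Constructed toy circuit (not from the slides): C(x) = (x1 AND x2) OR (x3 AND x4).
# Each gate: (input wire a, input wire b, output wire, truth function).
GATES = [(0, 1, 4, lambda a, b: a & b),
         (2, 3, 5, lambda a, b: a & b),
         (4, 5, 6, lambda a, b: a | b)]
OUT_WIRE, TAG = 6, bytes(16)

def pad(la, lb, gid):
    """32-byte row pad derived from the two input labels (assumed KDF: SHA-256)."""
    return hashlib.sha256(la + lb + bytes([gid])).digest()

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def garble():
    """Garble(C): return (GC, per-input-wire label pairs, output decoding table)."""
    labels = {w: (os.urandom(16), os.urandom(16)) for w in range(7)}
    gc = []
    for gid, (wa, wb, wo, fn) in enumerate(GATES):
        rows = [xor(pad(labels[wa][a], labels[wb][b], gid), labels[wo][fn(a, b)] + TAG)
                for a, b in product((0, 1), repeat=2)]
        random.shuffle(rows)  # row order must not reveal the input bits
        gc.append(rows)
    decode = {labels[OUT_WIRE][v]: v for v in (0, 1)}
    return gc, [labels[w] for w in range(4)], decode

def encode(pairs, x):
    """Garble(x): one label per input wire, chosen by the corresponding bit of x."""
    return [pairs[i][bit] for i, bit in enumerate(x)]

def evaluate(gc, decode, g_x):
    """Evaluate GC on a garbled input; only the matching row yields a valid tag."""
    wires = dict(enumerate(g_x))
    for gid, (wa, wb, wo, _) in enumerate(GATES):
        for row in gc[gid]:
            plain = xor(pad(wires[wa], wires[wb], gid), row)
            if plain[16:] == TAG:
                wires[wo] = plain[:16]
    return decode[wires[OUT_WIRE]]

def outputs_reachable(gc, decode, encodings):
    """Outputs an evaluator can compute by mixing labels from the released encodings."""
    seen = [set(col) for col in zip(*encodings)]  # labels observed per input wire
    return [evaluate(gc, decode, list(combo)) for combo in product(*seen)]
```

With a single encoding the evaluator reaches exactly one output; with the two complementary encodings it holds both labels on every input wire and reaches the output for every input.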
![Page 13: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/13.jpg)
Main Application: Reusable Garbling
Theorem:
Under the sub-exp. LWE, there is a reusable circuit garbling scheme for poly size circuits such that:
– poly(,|C|)
– poly(where is the depth of
(: security parameter)
![Page 14: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/14.jpg)
Application 2: FHE for Turing machines
[Diagram: Client, E[input], Evaluator, Program, E[result]]
circuit size worst-case running time of program
Decrypt only the runtime of the instance, to avoid worst-case!
![Page 15: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/15.jpg)
Application 3: Publicly-verifiable delegation with secrecy
[Gennaro-Gentry-Parno’10]: Yao + FHE secret privately-verifiable delegation
[Parno-Raikova-Vaikuntanathan’12]: public-index FE non-secret publicly-verifiable delegation
succinct FE publicly-verifiable delegation with secrecy
![Page 16: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/16.jpg)
Outline
[Diagram, node labels: LWE; public-index FE + FHE + Yao garbling; succinct functional encryption; reusable garbled circuits & implication to obfuscation; FHE with input-specific efficiency; publicly-verifiable delegation with secrecy. Steps are numbered 1 and 2, and two nodes are marked "Not today".]
![Page 17: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/17.jpg)
Construction of FE
![Page 18: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/18.jpg)
Public-Index Functional Encryption (also known as ABE or predicate encryption)
$$\begin{cases} m, & \text{if } f(x) = 1 \\ \perp, & \text{if } f(x) = 0 \end{cases}$$
leaks input to the computation
[Gorbunov-Vaikuntanathan-Wee13]: Public-index functional encryption for any (a priori fixed) depth d circuit, based on sub-exp. LWE assumption.
Variant:
$$\begin{cases} m_0, & \text{if } f(x) = 1 \\ m_1, & \text{if } f(x) = 0 \end{cases}$$
![Page 19: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/19.jpg)
Intuition
IDEA: Start with FHE
$\hat{x} \leftarrow \mathrm{FHE.Enc}(x)$
$sk_f \leftarrow f$
Not f!
IDEA: Use (one-time) Yao garbled for decryption
![Page 20: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/20.jpg)
Intuition
1. $\hat{x} \leftarrow \mathrm{FHE.Enc}(x)$
$sk_f \leftarrow f$
FE.Enc of input :
FE.KeyGen for circuit f:
FE.Dec(should obtain :
2. Generate garbled circuit and labels for
2. Obtain labels for
3. Compute and get
Output
How??
![Page 21: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/21.jpg)
=
We need..
$L_i^1$, if $g_i(x) = 1$
IDEA: The variant of public-index FE provides exactly this!
if , ) = 0, get label else gets
public predicate, public input, keep one secret
![Page 22: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/22.jpg)
Intuition
1. $\hat{x} \leftarrow \mathrm{FHE.Enc}(x)$
, where
FE.Enc of input :
FE.KeyGen for circuit f:
FE.Dec(should obtain :
2. Generate garbled circuit and labels for
2. Obtain labels for
3. Compute and get
Output
3.
![Page 23: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/23.jpg)
Outline
[Diagram, node labels: public-index FE + FHE + Yao garbling; succinct functional encryption; reusable garbled circuits & implication to obfuscation; FHE with input-specific efficiency; publicly-verifiable delegation with secrecy. The step numbered 2 is highlighted.]
![Page 24: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/24.jpg)
Intuition
Garble(C):
Garble(x):
Leaks C!
IDEA: leverage secrecy of input to hide circuit
![Page 25: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/25.jpg)
Intuition
Garble(C):
Garble(x):
![Page 26: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/26.jpg)
Intuition
Garble(C):
Garble(x):
on input and : - Decrypt to obtain - Run
Correctness?
Security?
Reusability?
![Page 27: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/27.jpg)
Summary
[Diagram, node labels: LWE; public-index FE + FHE + Yao garbling; succinct functional encryption; reusable garbled circuits & implication to obfuscation; FHE with input-specific efficiency; publicly-verifiable delegation with secrecy. Steps are numbered 1 and 2, and two nodes are marked "Not today".]
![Page 28: Succinct Functional Encryption: d Reusable Garbled Circuits and Beyond](https://reader035.fdocuments.in/reader035/viewer/2022062323/56816312550346895dd38a3d/html5/thumbnails/28.jpg)
Thank you!
[Diagram, node labels: LWE; public-index FE + FHE + Yao garbling; succinct functional encryption; reusable garbled circuits & implication to obfuscation; FHE with input-specific efficiency; publicly-verifiable delegation with secrecy. Steps are numbered 1 and 2.]