New Advances in Garbling Circuits

Based on joint works withYuval Ishai Eyal Kushilevitz Brent Waters

University of TexasTechnion Technion

Benny ApplebaumTel Aviv University

Garbled Circuit

Yao, 80’s

“Encryption of a function”

Garbled Circuit Construction

x1 x2 x3 x4

K1,1 K2,1 K3,1 K4,1

0110101101010011111101010010111111010101001110101001011001010110

0110111010010011111110010110111001011001110110110001101010110111

1110101010100110011101010010111101010100111110111001001010110111

01101101010011001101110101001001110101010011011101110010101010010111

K1,0 K2,0 K3,0 K4,0

Boolean circuit C Garbled circuit C’

Pairs of short keys

𝐶 (𝑥 )𝐶 ′ ,𝐾 𝑖 ,𝑥 𝑖simulatordecoder

• Can be based on any pseudorandom generator[BM82,Yao82] (or one-way function [HILL90])

C’

Input X “Simple & Short”

Applications• Constant-round secure computation

[Yao82,BMR90...]– Related to: computing on encrypted data [SYY99]– Alternative technique: FHE [Gentry09,…]

• Parallel cryptography [AIK05]

• One-time programs [GKR08]

• Verifiable computation [GGP10,…]

• KDM-secure encryption [BHHI10,...]

• Functional Encryption [SS10,…]

Non-Interactive Delegation

x C(x)

offline: C’

online: Kx

Yao’s Construction• Each wire w has 0-key and 1-key

– Colored “blue” and “green” at random

1-keyw w

0-key

Yao’s Construction• Each wire w has 0-key and 1-key

– Colored “blue” and “green” at random

• Ki,b= b-key of input wire i • C’ = color code for output wires

+ “garbled gates”

1-keyw w

0-key

0110101101010011111101010010111111010101001110101001011001010110

0110111010010011111110010110111001011001110110110001101010110111

1110101010100110011101010010111101010100111110111001001010110111

01101101010011001101110101001001110101010011011101110010101010010111

0 1 0 0

0 1

0

0

Garbled Gates

a b

c

b

a

b

a

a

a

b

b

c

c

c

c

Post-Yao Constructions ? • A lot of progress wrt implementation

– E.g., Fair-Play [MNPS04] …• Better concrete efficiency

– Free XOR gates [KS08]…– 3 ciphertexts per gate [PSSW09]

• Little theoretical progress– Info-theoretic variants for restricted classes [IK00-2]– Rerandomizable GC [GHV10]

• No asymptotic improvements !

x1 x2 x3 x4

Random

K1,1 K2,1 K3,1 K4,1

0110101101010011111101010010111111010101001110101001011001010110

0110111010010011111110010110111001011001110110110001101010110111

1110101010100110011101010010111101010100111110111001001010110111

01101101010011001101110101001001110101010011011101110010101010010111

K1,0 K2,0 K3,0 K4,0

Boolean circuit C

Random

C(X) C’, X’

Simulator

Decoder

(public)

Abstraction (Randomized Encoding [IK00])

Input X Garbled Input X’

Garbled circuit C’

Boolean circuit C

Random

(public)

Abstraction (Randomized Encoding [IK00])

Input X Garbled Input X’

Garbled circuit C’

n bits“Simple”

Decomposable Affine K1(X1) … Kn(Xn)

where Ki is affine over F2

“Short” n bits

Q1: Can we shorten the garbled input X’?Q2: Can we garble arithmetic circuits?

“Simple”

Decomposable Affine K1(X1) … Kn(Xn)

where Ki is affine over F2

Affine

X’=K(X)

where K is affine

How short can X’ be? [AIKW12]

Input X Garbled Input X’n bits

Constant Online-Rate?Thm. Impossible if X’ is decomposableObservation: Typically Affinity suffices

X’

O(n) + ?“Short” n bits

n + [This work]

Thm. Affine GC with online-rate 1 under DDH, RSA, LWE.

Cn C4 C3 C2 C1Mn C4 C3 M2 C1

Gadget: Online/Offline EncryptionAlice Bob

subset s{1,…,n}

EncK

Key length = Independent of the number of plaintexts

Mn M4 M3 M2 M1

1 0 0 1 0

KS

Gadget Succinct GC

Boolean circuit C Garbled circuit C’

Yao Gadget

Random

Garbled circuit C’

Input X Subset

KS

C(x)

Decoder

Simulator

Implementing the GadgetTool: Symmetric Encryption with

Additive Homomorphism for Keys/Message

EK1(M1)+…+EKn(Mn)= EK1+…+Kn(M1+…+Mn)

• One-Time Security suffices• Can be implemented under DDH• Close variants under LWE, RSA

M1

M3

C1

C2

C3

C4

From Homomorphism to Online/Offline Encryption

Alice C1 C2 C3 C4

Ci=Enc(Ki,Mi)Mn M4 M3 M2 M1

0 1 0 1KS

M1

M2

M3

M4

C1+C3

Application 1: Verifiable ComputationOptimal online complexity using [GGP10,AIK10]Previous works: multiplicative overhead in

output

Offline |f| bits

n+ bit

m+ bit

x

f:{0,1}n{0,1}m

Weak Client Untrusted Server

Semi-Honest MPC for f:{0,1}n{0,1}m

Application 2: MPC with preprocessing

bA B

Alice Bob

f(A,B)

Semi-Honest MPC for f:{0,1}n{0,1}m

Offline |f| bits

n bits

n+ bits

Application 2: MPC with preprocessing

b

Garbled circuit C’

rA rB

ArA A

BrB B

Decoder

Alice Bob

• 1 online round• Online Communication does not grow with m• Additive dependency in

f(A,B)

Malicious MPC ? Adaptive choice of inputs ?

Offline |f| bits

n bits

n+ bits

Application 2: MPC with preprocessing

b

Garbled circuit C’

rA rB

A B

Decoder

Alice Bob

Homomorphic MACs [BDOZ11]

f(A,B)

• No succinct GC with adaptive security

• Can be achieved with Random Oracle

• Not needed in some applications – offline private inputs (Shares of signing

key)– Independent online public inputs (Docs to be signed)

Adaptive Choice of Inputs?

Garbling Arithmetic Circuits? [AIK11]

• Gates perform addition or multiplication • Operations over a large domain (e.g., field F)

Garbling arithmetic circuits? [AIK11]

Boolean circuit C

Random

Input X Garbled Input X’

Garbled circuit C’

“Simple”

Decomposable Affine K1(X1) … Kn(Xn)

Ki :F2F2 is affine

Arithmetic circuit C

• Extends applications to arithmetic setting • Non-trivial if the field is large ! • Requires new approach

Thm. Arithmetic GC (over large integers) under LWE (or OWF less efficiently).

Ki:FF

Garbling arithmetic formulas [IK02]

Boolean circuit C

Random

Input X Garbled Input X’

Garbled circuit C’

“Simple”

Decomposable Affine K1(X1) … Kn(Xn)

Ki :F2F2 is affine

Arithmetic Formula C

Problem 1: Limited to Formulas Problem 2: Large blow-upKey Idea: Solving 2 Solving 1

Ki:FF

|C|2

Key-Shrinking Gadget

• a,b,W can depend on c,d and randomness• Special type of “functional encryption”• Implementation over the integers from LWE

y +c d y +a b Wdecoder

simulator

xx + x

y1i-1 y2

i-1 y3i-1 y4

i-1 +a1

Wi-1

Ci-1

C1

Ci+1

……… … …

……… … …

y1i-1

y1i y2

i y3i y4

i

b1…

AGC for C1… Ci-1

Garbling the Circuit Layer-by-Layer

xx + x

y1i-1 y2

i-1 y3i-1 y4

i-1 +a1

Wi-1

Ci-1

C1

Ci+1

……… … …

……… … …

y1iy2

i

y1i y2

i y3i y4

i

b1…

Substitution

Garbling the Circuit Layer-by-Layer

Garbling the Circuit Layer-by-Layer

xx + x

y1i-1 y2

i-1 y3i-1 y4

i-1 +c1

Wi-1

Ci-1

C1

Ci+1

……… … …

……… … …

y1i

y1i y2

i y3i y4

i

d1…+c2 d2

y2i

Affinization [IK02]

xx + x

y1i-1 y2

i-1 y3i-1 y4

i-1 +

Wi

Ci-1

C1

Ci+1

……… … …

……… … …

y1i

y1i y2

i y3i y4

i

…+y2ia1 b1 a2 b2

Key shrinking

Garbling the Circuit Layer-by-Layer

Conclusion• GC with optimal online-rate for Boolean circuits

– Applications with optimal online communication

• General approach for arithmetic garbled circuits– Alternative to Yao’s “garbled tables” approach– Instantiated using LWE– Extends applications to arithmetic setting– New modular, simplified proof for Boolean case

• Constant online-rate for arithmetic formulas

Open QuestionsArithmetic setting• circuits over finite fields?• arithmetic decoder?

Efficiency• Shorten the offline part? |C’|=O(|C|)?• Can get it for natural class of arithmetic functions• Less computational overhead ? (online/offline)

Take-Home Message: What are Garble Circuits?

FHE for the poor

Just

ItPowerful tool superior

to FHE in some aspects (Asymptotically & Concretely)