Ad Adapti tive e Garb rbled ed Ci Circuits ts with th Near - PowerPoint PPT Presentation

Ad Adapti tive e Garb rbled ed Ci Circuits ts with th Near Op Ne Optima mal On Online C Comp mplexi xity Sanjam Garg Akshayaram Srinivasan University of California, Berkeley Eurocrypt 2018

Garbled Circuits [Yao 86, Applebaum-Ishai-Kushilevitz 04, Bellare-Hoang-Rogaway 12] GarbleCkt " + ! ! GarbleInp # $ # + Eval !(#) # $ + " !

Security Selective: • Toss a coin ( !, # If ( = 0: • " , # Generate ! $ honestly. • " , # • Else: ! $ " , # Generate ! $ as the • output of )*+(!(#)) . Guess ( Adaptive: Toss a coin ( • ! If ( = 0: • Offline " honestly. Generate ! • " ! Generate # $ honestly. • Else: • # " as the output Generate ! Online • of )*+(1 |/| ) . # $ Generate # $ as the output • Guess ( of )*+ ! # .

Why is Adaptive security important? [Bellare-Hoang-Rogaway 12] Online/Offline 2PC [Lindell-Ben Riva 14] Efficiency of these One-Time Programs applications depend [Goldwasser-Kalai-Rothblum 08] on the online complexity Verifiable Computation [Gennaro-Gentry-Parno 10] Adaptive, Compact FE [Ananth-Sahai 16]

Prior Work 1. Random Oracle Model [BHR12] 2. Incur an exponential loss in security [BGG+14] 3. Online cost grows with circuit width or depth [HJOSW16,JW16,JKKKPW17] Lower Bound: Applebaum et al. showed that online cost must ≥ 2 + + . Can we construct adaptive garbling scheme with better online complexity?

Our Result Theorem: Assuming either CDH/Factoring/LWE, there exists a construction of adaptive garbled circuits with: • Near Optimal Online Cost: 2 + + + 4567(8) • Polynomial security loss • Standard Model

Construction

Alternate View of a Boolean Circuit # : # ; 9 : 9 ; 9 < # < 9 < 9 ; 9 : )! : )! ; )! < # : # ; # <

Garbling the Database – Use a One-time Pad @ 9 < ⊕ > 9 ; ⊕ > # : ⊕ > # ; ⊕ > < 9 : ⊕ > ; # < ⊕ > A : ? )! : )! ; )! < > : , > ; , > > ; , > < , > > ? , > @ , > ? @ A

Garbling Step Circuits # : ⊕ > # ; ⊕ > ; # < ⊕ > : < Access the database via Laconic OT B B B )! : )! ; )! < > : , > ; , > > ; , > < , > > ? , > @ , > ? @ A

Updatable Laconic Oblivious Transfer [Cho-Dottling-Garg-Gupta-Miao-Polychroniadou 17] Database D M N GHDI(ℎ, *, + J , + : ) CDEℎ K>*LH(ℎ, *, () ℎ′ + P[R] ≔ UVD6GHDI(W, M N ) ℎ Theorem[CDG+16,DG17,BLSV18,DGHM18]: Assuming CDH/Factoring/LWE, there exists a construction of updatable laconic OT.

Using Laconic OT to access the database # : ⊕ > # ; ⊕ > ; # < ⊕ > 9 : ⊕ > : < ? GHDI K>*LH B )! ; B )! : ℎ′ ℎ > ; , > < , > > : , > ; , > @ ?

Garbling Step Circuits # : ⊕ > # ; ⊕ > ; # < ⊕ > : < Access the database via Laconic OT B B B )! : )! ; )! < " ! > : , > ; , > > ; , > < , > > ? , > @ , > ? @ A # $ = (# : ⊕ > : , # ; ⊕ > ; , # < ⊕ > < , > A , {6D( R,b c })

Adaptive Security Proof

Simulated Distribution > > > > > > : A ; < @ ? B B ′ B ′ )! ; )! : ′ )! < > > > @ ? A

Hybrid Argument Real World: Hyb 1: Hyb 2: Hyb 3: . . . Ideal World:

Going from Real World to Hyb 1 Real World: Intermediate: Hyb 1:

Some More Details about the Proof • How to garble a step circuit in the “brown” mode in the offline phase? • Guess the output of these gates! • Logarithmic number of step circuits in “brown” mode. • A combinatorial pebbling argument. (See our paper) • Optimal strategy for a pebbling game => Sequence of hybrids

Conclusion • We gave a construction of adaptive garbled circuits with near optimal online complexity from standard cryptographic assumptions. • In a follow-up work [Garg-Ostrovsky- S ], we give a construction of adaptive garbled RAM with near optimal online complexity under the same assumptions. • Open questions: • Improving the assumptions? • Concrete efficiency? Th Than ank you ou!