Practical Garbled Circuit Optimizations
Mike Rosulek
Collaborators: David Evans, Vlad Kolesnikov, Payman Mohassel, Samee Zahur

Garbled circuit framework [Yao86]
(figure: a boolean circuit with 0/1 values on its wires; no further text on the slide)


Average bits per garbled gate (chart)
Y axis: garbled-gate size in units of λ (1λ to 5λ). X axis: year (1986, 1990, 1999, 2008, 2009, 2014, 2015).
Milestones plotted: [Yao86] and [GoldreichMicaliWigderson87] (classical), [BeaverMicaliRogaway90] (point-and-permute), [NaorPinkasSumner99] (row reduction), [KolesnikovSchneider08] (free XOR), [PinkasSchneiderSmartWilliams09] (2-ciphertext row reduction), [KolesnikovMohasselRosulek14] (FleXOR), [ZahurRosulekEvans15]. The per-gate numbers behind the points are the ones in the scoreboards later in this deck.
Benchmark circuits whose average gate size is shown: DES, SHA256, SHA1, AES.
Prediction: by 2026, all garbled circuits will have zero size.

Murky beginnings [Yao86]

Wire labels: A_0, A_1 on input a; B_0, B_1 on input b; C_0, C_1 on output c. The garbled gate is a list of four ciphertexts, one per row of the truth table (the running-example gate outputs 1 only on input (0,1); any 2-input gate is garbled the same way):

  E_{A_0,B_0}(C_0)
  E_{A_0,B_1}(C_1)
  E_{A_1,B_0}(C_0)
  E_{A_1,B_1}(C_0)

◮ Position in this list leaks semantic value ⇒ permute ciphertexts
◮ Need to detect [in]correct decryption
◮ (Apparently) no one knows exactly what Yao had in mind:
  ◮ E_{K_0,K_1}(M) = ⟨E(K_0, S_0), E(K_1, S_1)⟩ where S_0 ⊕ S_1 = M [GoldreichMicaliWigderson87]
  ◮ E_{K_0,K_1}(M) = E(K_1, E(K_0, M)) [LindellPinkas09]

Permute-and-Point [BeaverMicaliRogaway90]

◮ Randomly assign colours (colour 0, colour 1) or (colour 1, colour 0) to each pair of wire labels A_0, A_1 and B_0, B_1 and C_0, C_1, so each wire has one label of each colour
◮ Include colour in the wire label (e.g., as last bit)
◮ Order the 4 ciphertexts canonically, by colour of keys rather than by semantic value; for one choice of colours the list becomes
    E_{A_0,B_1}(C_1)
    E_{A_0,B_0}(C_0)
    E_{A_1,B_1}(C_0)
    E_{A_1,B_0}(C_0)
◮ Evaluate by decrypting the ciphertext indexed by your colours
◮ Can use one-time-secure symmetric encryption! (the evaluator knows which row to decrypt, so there is no trial decryption and no need to detect incorrect decryption)

Computational cost of garbling

2 hash ≫ 1 hash ≫ 1 block cipher ≫ 1 block cipher w/o key schedule

E_{A,B}(C)                                          cost to garble AES    construction; where the timing comes from
PRF(A, gateID) ⊕ PRF(B, gateID) ⊕ C                 ~6 s [extrapolated]   [NaorPinkasSumner99]; time from Fairplay [MNPS04], PRF = SHA256
H(A ‖ B ‖ gateID) ⊕ C                               0.15 s                [LindellPinkasSmart08]; time from [sS12], H = SHA256
AES256(A ‖ B, gateID) ⊕ C                           0.12 s                [shelatShen12]
AES(const, K) ⊕ K ⊕ C, where K = 2A ⊕ 4B ⊕ gateID   0.0003 s              [BellareHoangKeelveedhiRogaway13] (const is a fixed public AES key, so no per-gate key schedule; 2A and 4B are doublings in GF(2^128))

Scoreboard (size per gate in units of λ; garble/eval cost in hash or PRF calls per gate, written as one-hash / two-PRF variant)

scheme      size (×λ)   garble cost   eval cost   assumption
Classical   large?      8             5           PKE
P&P         4           4/8           1/2         hash/PRF

Garbled Row Reduction [NaorPinkasSumner99]

Ciphertexts in canonical (colour) order, first row keyed by the two colour-0 labels:
    E_{A_0,B_1}(C_1)
    E_{A_0,B_0}(C_0)
    E_{A_1,B_1}(C_0)
    E_{A_1,B_0}(C_0)

Before: C_0 ← {0,1}^n, C_1 ← {0,1}^n, both uniform.
◮ What wire label will be payload of 1st ciphertext? Here C_1.
◮ Choose that label so that 1st ciphertext is 0^n: C_0 ← {0,1}^n, C_1 = E^{-1}_{A_0,B_1}(0^n)
◮ No need to include 1st ciphertext in garbled gate (3 ciphertexts remain)
◮ Evaluate as before, but imagine ciphertext 0^n if your two labels both have colour 0.

Scoreboard (size per gate in units of λ; garble/eval cost in hash or PRF calls per gate, written as one-hash / two-PRF variant)

scheme      size (×λ)   garble cost   eval cost   assumption
Classical   large?      8             5           PKE
P&P         4           4/8           1/2         hash/PRF
GRR3        3           4/8           1/2         hash/PRF

Free XOR [KolesnikovSchneider08]

◮ Wire's offset ≡ XOR of its two labels: A, A ⊕ ∆_A; B, B ⊕ ∆_B; C, C ⊕ ∆_C
◮ Choose all wires to have same (secret) offset ∆: A, A ⊕ ∆; B, B ⊕ ∆; C, C ⊕ ∆
◮ Choose false output = false input ⊕ false input: C := A ⊕ B (instead of C ← {0,1}^n)
◮ Evaluate by XORing input wire labels (no crypto). All four cases:
    false ⊕ false:  A ⊕ B = C                        (false)
    false ⊕ true:   A ⊕ (B ⊕ ∆) = (A ⊕ B) ⊕ ∆ = C ⊕ ∆  (true)
    true ⊕ false:   (A ⊕ ∆) ⊕ B = (A ⊕ B) ⊕ ∆ = C ⊕ ∆  (true)
    true ⊕ true:    (A ⊕ ∆) ⊕ (B ⊕ ∆) = A ⊕ B = C      (false)

Freedom at a cost . . .

◮ Still need to garble AND gates. With labels A, A ⊕ ∆; B, B ⊕ ∆; C, C ⊕ ∆ the four ciphertexts are
    E_{A,B}(C)
    E_{A,B⊕∆}(C ⊕ ∆)
    E_{A⊕∆,B}(C)
    E_{A⊕∆,B⊕∆}(C)
◮ Compatible with garbled row-reduction: instead of C ← {0,1}^n, set C := E^{-1}_{A,B}(0^n), so the first ciphertext is 0^n and is dropped; the other output label is still C ⊕ ∆
◮ Secret ∆ used in key and payload of ciphertexts!
◮ Requires related-key + circularity assumption [ChoiKatzKumaresanZhou12]
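The three ideas just covered (point-and-permute, row reduction, free XOR) compose into the scheme most garbling libraries use. The following is an added example, not code from the talk or its authors: it garbles and evaluates (x AND y) XOR z with 3 ciphertexts for the AND gate and none for the XOR. Everything about encodings is an assumption made here, not stated on the slides: labels are 128-bit integers whose least significant bit is the colour, the global offset has lsb 1 so the two labels of every wire differ in colour, and E_{A,B}(X) = H(A ‖ B ‖ gateID) ⊕ X with H = SHA-256 truncated to 128 bits (a production garbler would use fixed-key AES as in the cost table above).

```python
"""Free XOR + point-and-permute + garbled row reduction (GRR3), one gate at a time.

Added example, not code from the talk. Assumptions that are not on the slides:
  - wire labels are 128-bit integers whose least significant bit is the
    point-and-permute colour; the global offset DELTA has lsb 1, so the two
    labels of every wire have opposite colours;
  - E_{A,B}(X) = H(A || B || gateID) xor X with H = SHA-256 truncated to
    128 bits (a production garbler would use fixed-key AES instead).
"""
import hashlib
import os

LABEL_BYTES = 16


def rand_label():
    return int.from_bytes(os.urandom(LABEL_BYTES), "big")


def H(a, b, gate_id):
    """Key-derivation hash for the label pair (a, b) and this gate: E_{a,b}(X) = H(a,b,gid) xor X."""
    data = a.to_bytes(LABEL_BYTES, "big") + b.to_bytes(LABEL_BYTES, "big") + gate_id.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:LABEL_BYTES], "big")


class Garbler:
    """Holds the secret offset DELTA; every wire is (false_label, false_label xor DELTA)."""

    def __init__(self):
        self.delta = rand_label() | 1      # secret global offset, colour bit forced to 1
        self.next_gate = 0

    def input_wire(self):
        a0 = rand_label()
        return (a0, a0 ^ self.delta)

    def xor_gate(self, A, B):
        """Free XOR: false output = false_A xor false_B; no ciphertexts, no hashing."""
        c0 = A[0] ^ B[0]
        return (c0, c0 ^ self.delta), None

    def and_gate(self, A, B):
        """AND gate with 3 ciphertexts (GRR3), ordered by the colour bits of the input labels."""
        gid = self.next_gate
        self.next_gate += 1
        # Map colour pair -> semantic pair. Colours are random, so a row's
        # position in the table says nothing about the inputs it belongs to.
        by_colour = {(A[a] & 1, B[b] & 1): (a, b) for a in (0, 1) for b in (0, 1)}
        # Row reduction: the row keyed by colours (0,0) is forced to be 0^n, so the
        # output label it carries is defined as E^{-1}_{A_a,B_b}(0^n) = H(A_a, B_b, gid).
        a, b = by_colour[(0, 0)]
        forced = H(A[a], B[b], gid)
        C = [None, None]
        C[a & b] = forced
        C[1 - (a & b)] = forced ^ self.delta   # keeps C_true = C_false xor DELTA, as free XOR needs
        table = []
        for colours in ((0, 1), (1, 0), (1, 1)):
            a, b = by_colour[colours]
            table.append(H(A[a], B[b], gid) ^ C[a & b])
        return tuple(C), (gid, tuple(table))


def eval_xor(a, b):
    return a ^ b


def eval_and(garbled, a, b):
    """Evaluator: pick the row by colour bits; row 0 was omitted and is taken to be 0^n."""
    gid, table = garbled
    row = 2 * (a & 1) + (b & 1)
    mask = H(a, b, gid)
    return mask if row == 0 else table[row - 1] ^ mask


def demo(x, y, z):
    """Garble and evaluate f(x, y, z) = (x AND y) XOR z; returns f decoded from the output label."""
    g = Garbler()
    X, Y, Z = g.input_wire(), g.input_wire(), g.input_wire()
    T, and_table = g.and_gate(X, Y)
    OUT, _ = g.xor_gate(T, Z)
    # The evaluator sees one label per input wire plus the 3-ciphertext AND table.
    t = eval_and(and_table, X[x], Y[y])
    out = eval_xor(t, Z[z])
    return OUT.index(out)          # 0 or 1; raises ValueError if evaluation went wrong


def and_gate_ciphertexts():
    """Number of ciphertexts the garbler sends for one AND gate (3 with GRR3)."""
    g = Garbler()
    _, (_, table) = g.and_gate(g.input_wire(), g.input_wire())
    return len(table)
```

The circularity issue from the slide is visible in `and_gate`: `self.delta` is XORed into the key of a row (`A[a]`, `B[b]`) and into the payload of the same gate (`C[...] ^ self.delta`), which is why the hash has to be assumed secure under related keys and under encrypting its own key offset.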

Scoreboard (size per gate in units of λ; garble/eval cost in hash or PRF calls per gate, written as one-hash / two-PRF variant)

            size (×λ)    garble cost    eval cost    assumption
scheme      XOR   AND    XOR   AND      XOR   AND
Classical   large?       8              5            PKE
P&P         4     4      4/8   4/8      1/2   1/2    hash/PRF
GRR3        3     3      4/8   4/8      1/2   1/2    hash/PRF
Free XOR    0     3      0     4        0     1      circ. hash

Row reduction ++ [PinkasSchneiderSmartWilliams09]

Garbled gates with only 2 ciphertexts!

Wire labels A_0, A_1; B_0, B_1; C_0, C_1 as before. Polynomials are over a finite field whose elements are n-bit strings, so a label is a field element.

◮ Evaluator can know exactly one of:
    K_1 = E^{-1}_{A_0,B_0}(0^n)   ⇝ should learn C_0
    K_2 = E^{-1}_{A_0,B_1}(0^n)   ⇝ should learn C_1
    K_3 = E^{-1}_{A_1,B_0}(0^n)   ⇝ should learn C_0
    K_4 = E^{-1}_{A_1,B_1}(0^n)   ⇝ should learn C_0
◮ P = unique degree-2 polynomial through (1, K_1), (3, K_3), (4, K_4); set C_0 = P(0)
◮ Q = unique degree-2 polynomial through (2, K_2), (5, P(5)), (6, P(6)); set C_1 = Q(0)
◮ The garbled gate is the two field elements P(5), P(6)
◮ Evaluate by interpolating the polynomial through (i, K_i), (5, P(5)), (6, P(6)) and evaluating it at 0: for i ∈ {1, 3, 4} the three points lie on P, giving P(0) = C_0; for i = 2 they lie on Q, giving Q(0) = C_1. Knowing P does not reveal Q(0) (its third point K_2 is missing) and knowing Q does not reveal P(0) (two points do not fix a degree-2 polynomial).
◮ Incompatible with Free-XOR: can't ensure C_0 ⊕ C_1 = ∆
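The interpolation argument above is easiest to trust once it has been run. The block below is an added example, not code from the talk or from [PinkasSchneiderSmartWilliams09]: it implements the 2-ciphertext gate for any 2-input gate whose truth table has a single odd row (AND, OR, NAND, the running example of these slides). Assumptions made here and not stated on the slides: the field is GF(2^128) with the AES/GCM reduction polynomial, the x-coordinate of a row is 1 + 2·colour(A) + colour(B) where the colour is the lsb of a label (point-and-permute, so the evaluator can compute its own x), and E^{-1}_{A,B}(0^n) = H(A ‖ B ‖ gateID) with H = SHA-256 truncated to 128 bits. It produces the output labels of a single gate only; giving the output wire usable colour bits for a following gate is not handled.

```python
"""GRR2 [PinkasSchneiderSmartWilliams09]: a 2-ciphertext garbled gate by polynomial interpolation.

Added example, not code from the talk. Assumptions not on the slides:
  - labels are elements of GF(2^128) (128-bit ints, AES/GCM reduction polynomial);
  - the x-coordinate of a row is 1 + 2*colour(A) + colour(B), colour = lsb of a
    label (point-and-permute), so the evaluator can compute it;
  - E^{-1}_{A,B}(0^n) = H(A || B || gateID) with H = SHA-256 truncated to 128 bits.
Single gate only: the output wire is not given colour bits for a next gate.
"""
import hashlib
import os

POLY = (1 << 128) | (1 << 7) | (1 << 2) | (1 << 1) | 1   # x^128 + x^7 + x^2 + x + 1


def gf_mul(a, b):
    """Multiplication in GF(2^128): shift-and-add with reduction on every overflow."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if a >> 128:
            a ^= POLY
    return r


def gf_inv(a):
    """a^(2^128 - 2) = a^(-1) by square-and-multiply; a must be non-zero."""
    if a == 0:
        raise ZeroDivisionError("no inverse of 0 in GF(2^128)")
    result, e = 1, (1 << 128) - 2
    while e:
        if e & 1:
            result = gf_mul(result, a)
        a = gf_mul(a, a)
        e >>= 1
    return result


def interpolate_at(points, x):
    """Lagrange: value at x of the unique polynomial of degree < len(points) through `points`."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = gf_mul(num, x ^ xj)     # subtraction is xor in characteristic 2
                den = gf_mul(den, xi ^ xj)
        total ^= gf_mul(yi, gf_mul(num, gf_inv(den)))
    return total


def H(a, b, gate_id):
    data = a.to_bytes(16, "big") + b.to_bytes(16, "big") + gate_id.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def fresh_wire():
    """Two random labels with opposite colour (lsb) bits."""
    l0 = int.from_bytes(os.urandom(16), "big")
    l1 = (int.from_bytes(os.urandom(16), "big") & ~1) | ((l0 & 1) ^ 1)
    return (l0, l1)


def has_single_odd_row(gate):
    """GRR2 needs three rows with one output and one row with the other (not XOR/XNOR/constant)."""
    outs = [gate(a, b) for a in (0, 1) for b in (0, 1)]
    return 1 in (outs.count(0), outs.count(1))


def garble_grr2(gate, gate_id, A, B):
    """Returns ((P(5), P(6)), (C_0, C_1)) for a gate with exactly one odd truth-table row."""
    if not has_single_odd_row(gate):
        raise ValueError("GRR2 needs a gate with exactly one odd row (e.g. AND, OR, NAND)")
    rows = [(a, b) for a in (0, 1) for b in (0, 1)]
    outs = [gate(a, b) for a, b in rows]
    odd = 0 if outs.count(0) == 1 else 1

    def x_of(a, b):                            # row coordinate, computable by the evaluator
        return 1 + 2 * (A[a] & 1) + (B[b] & 1)

    K = {(a, b): H(A[a], B[b], gate_id) for a, b in rows}    # K_i = E^{-1}_{A_a,B_b}(0^n)
    majority = [(x_of(a, b), K[(a, b)]) for a, b in rows if gate(a, b) != odd]
    (oa, ob), = [(a, b) for a, b in rows if gate(a, b) == odd]
    # P: degree-2 polynomial through the three majority rows; P(0) is their output label.
    P5, P6 = interpolate_at(majority, 5), interpolate_at(majority, 6)
    C = [None, None]
    C[1 - odd] = interpolate_at(majority, 0)
    # Q: degree-2 polynomial through the odd row and the two published points; Q(0) is the other label.
    C[odd] = interpolate_at([(x_of(oa, ob), K[(oa, ob)]), (5, P5), (6, P6)], 0)
    return (P5, P6), tuple(C)


def eval_grr2(garbled, gate_id, a_label, b_label):
    """Evaluator: one hash, then interpolate through its own point and the two published ones."""
    P5, P6 = garbled
    x = 1 + 2 * (a_label & 1) + (b_label & 1)
    k = H(a_label, b_label, gate_id)
    return interpolate_at([(x, k), (5, P5), (6, P6)], 0)


def check_gate(gate):
    """Garble `gate` on fresh wires, evaluate all four inputs; True iff every output decodes correctly."""
    A, B = fresh_wire(), fresh_wire()
    garbled, C = garble_grr2(gate, 42, A, B)
    return all(eval_grr2(garbled, 42, A[a], B[b]) == C[gate(a, b)] for a in (0, 1) for b in (0, 1))
```

Note what the garbler does not get to choose: both C_0 = P(0) and C_1 = Q(0) are dictated by the K_i, so there is no way to force C_0 ⊕ C_1 to equal a fixed ∆, which is the incompatibility with free XOR stated on the slide.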

Scoreboard (size per gate in units of λ; garble/eval cost in hash or PRF calls per gate, written as one-hash / two-PRF variant)

            size (×λ)    garble cost    eval cost    assumption
scheme      XOR   AND    XOR   AND      XOR   AND
Classical   large?       8              5            PKE
P&P         4     4      4/8   4/8      1/2   1/2    hash/PRF
GRR3        3     3      4/8   4/8      1/2   1/2    hash/PRF
Free XOR    0     3      0     4        0     1      circ. hash
GRR2        2     2      4/8   4/8      1/2   1/2    hash/PRF

FleXOR [KolesnikovMohasselRosulek14]

Translating a wire to a new offset:
◮ Wire A, A ⊕ ∆_1 → wire A*, A* ⊕ ∆_2 via a unary a ↦ a gate (truth table 0 ↦ 0, 1 ↦ 1), i.e. two ciphertexts E_A(A*), E_{A⊕∆_1}(A* ⊕ ∆_2) with A* ← {0,1}^n
◮ With row reduction, A* := E^{-1}_A(0^n) instead, so the first ciphertext is 0^n and is dropped: translation ∆_1 → ∆_2 costs 1 ciphertext, E_{A⊕∆_1}(A* ⊕ ∆_2)

XOR gate with inputs A, A ⊕ ∆_A and B, B ⊕ ∆_B and output C, C ⊕ ∆_C:
◮ Adjust inputs to target offset ∆_C (1 ciphertext each: ∆_A → ∆_C, ∆_B → ∆_C), then XOR is free
◮ If an input wire already has offset ∆_C, no need to adjust it
◮ Total cost: 0, 1 or 2 ciphertexts, depending on how many of {∆_A, ∆_B, ∆_C} are distinct (one ciphertext per input whose offset differs from ∆_C)

Combinatorial optimization problem: choose an offset for each wire, minimizing total cost of XOR gates
◮ Subj. to compatibility with 2-ciphertext row-reduction of AND gates
◮ (or) Subj. to removing circularity property of free-XOR
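To make the 0/1/2 cost concrete, here is an added example (not code from the talk or from the FleXOR paper) of the row-reduced translation gate and of an XOR gate that applies it to whichever inputs need it. Assumptions made here and not stated on the slides: labels are 128-bit integers whose lsb is the point-and-permute colour bit, every offset has lsb 1 so the two labels of a wire differ in colour, the row of the translation gate keyed by the colour-0 label is the one fixed to 0^n, and E_A(X) = H(A ‖ gateID) ⊕ X with H = SHA-256 truncated to 128 bits.

```python
"""FleXOR translation gates: XOR between wires that carry different offsets.

Added example, not code from the talk. Assumptions not on the slides:
  - labels are 128-bit ints whose lsb is the point-and-permute colour bit, and
    every offset has lsb 1, so the two labels of a wire differ in colour;
  - the unary translation gate uses E_A(X) = H(A || gateID) xor X with
    H = SHA-256 truncated to 128 bits, row-reduced so the colour-0 row is 0^n.
"""
import hashlib
import os


def rand_label():
    return int.from_bytes(os.urandom(16), "big")


def rand_offset():
    return rand_label() | 1                      # offsets always flip the colour bit


def H1(a, gate_id):
    data = a.to_bytes(16, "big") + gate_id.to_bytes(4, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


def garble_translate(A, new_offset, gate_id):
    """Unary a -> a gate moving wire A = (A_false, A_true) onto `new_offset` with one ciphertext.
    The label with colour 0 gets A* := E^{-1}_A(0^n), so its ciphertext would be 0^n and is
    dropped; the other label's ciphertext carries A* xor new_offset."""
    free = 0 if (A[0] & 1) == 0 else 1            # semantic value whose label has colour 0
    star_free = H1(A[free], gate_id)
    star_other = star_free ^ new_offset            # the new pair must differ by new_offset
    ct = H1(A[1 - free], gate_id) ^ star_other
    new = [None, None]
    new[free], new[1 - free] = star_free, star_other
    return tuple(new), ct


def eval_translate(ct, label, gate_id):
    """Evaluator: colour 0 means the missing 0^n row, colour 1 means decrypt the one ciphertext."""
    mask = H1(label, gate_id)
    return mask if (label & 1) == 0 else mask ^ ct


def garble_flexor_xor(A, dA, B, dB, dC, gate_id):
    """XOR gate with input offsets dA, dB and required output offset dC.
    Returns the output labels and a gate record holding 0, 1 or 2 translation ciphertexts."""
    gate = {"a": None, "b": None}
    if dA != dC:
        A, gate["a"] = garble_translate(A, dC, 2 * gate_id)
    if dB != dC:
        B, gate["b"] = garble_translate(B, dC, 2 * gate_id + 1)
    c0 = A[0] ^ B[0]                              # free XOR once both inputs share offset dC
    return (c0, c0 ^ dC), gate


def eval_flexor_xor(gate, a_label, b_label, gate_id):
    if gate["a"] is not None:
        a_label = eval_translate(gate["a"], a_label, 2 * gate_id)
    if gate["b"] is not None:
        b_label = eval_translate(gate["b"], b_label, 2 * gate_id + 1)
    return a_label ^ b_label


def cost(gate):
    """Ciphertexts spent on this XOR gate: 0, 1 or 2."""
    return sum(ct is not None for ct in gate.values())


def demo(a_bit, b_bit, dA, dB, dC):
    """Garble one XOR with the given offsets and evaluate it on (a_bit, b_bit).
    Returns (decoded output bit, ciphertexts used)."""
    a0, b0 = rand_label(), rand_label()
    A, B = (a0, a0 ^ dA), (b0, b0 ^ dB)
    C, gate = garble_flexor_xor(A, dA, B, dB, dC, gate_id=7)
    out = eval_flexor_xor(gate, A[a_bit], B[b_bit], gate_id=7)
    return C.index(out), cost(gate)
```

Calling `demo` with all three offsets equal uses no ciphertexts, with one input on a different offset one, and with both inputs off the target offset two, which is the per-gate cost the optimization problem above minimises over the whole circuit.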

Scoreboard (size per gate in units of λ; garble/eval cost in hash or PRF calls per gate, written as one-hash / two-PRF variant)

            size (×λ)        garble cost        eval cost        assumption
scheme      XOR      AND     XOR      AND       XOR      AND
Classical   large?           8                  5                PKE
P&P         4        4       4/8      4/8       1/2      1/2     hash/PRF
GRR3        3        3       4/8      4/8       1/2      1/2     hash/PRF
Free XOR    0        3       0        4         0        1       circ. hash
GRR2        2        2       4/8      4/8       1/2      1/2     hash/PRF
FleXOR      {0,1,2}  2       {0,1,2}  4         {0,1,2}  1       circ. hash
