practical garbled circuit optimizations
play

Practical Garbled Circuit Optimizations Mike Rosulek Collaborators: - PowerPoint PPT Presentation

Jan 27, 2023 •573 likes •2.19k views

Practical Garbled Circuit Optimizations Mike Rosulek Collaborators: David Evans / Vlad Kolesnikov / Payman Mohassel / Samee Zahur Garbled circuit framework [Yao86] Garbled circuit framework [Yao86] 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 1 1 0 1 1

  1. Average bits per garbled gate [ZahurRosulekEvans] [Yao,GoldreichMicaliWigderson] [NaorPinkasSumner] [KolesnikovMohasselRosulek] 5 λ [BeaverMicaliRogaway] [PinkasSchneiderSmartWilliams] 4 λ [KolesnikovSchneider] 3 λ 2 λ DES SHA256 1 λ SHA1 AES 1986 1990 1999 2008 2009 2014 2015 Prediction: by 2026, all garbled circuits will have zero size.

  2. Murky beginnings [Yao86] A 0 , A 1 C 0 , C 1 B 0 , B 1 E A 0 , B 0 ( C 0 ) E A 0 , B 1 ( C 1 ) E A 1 , B 0 ( C 0 ) E A 1 , B 1 ( C 0 ) ◮ Position in this list leaks semantic value

  3. Murky beginnings [Yao86] A 0 , A 1 C 0 , C 1 B 0 , B 1 E A 0 , B 0 ( C 0 ) E A 0 , B 1 ( C 1 ) E A 1 , B 0 ( C 0 ) E A 1 , B 1 ( C 0 ) ◮ Position in this list leaks semantic value

  4. Murky beginnings [Yao86] A 0 , A 1 C 0 , C 1 B 0 , B 1 E A 0 , B 0 ( C 0 ) E A 0 , B 1 ( C 1 ) E A 1 , B 0 ( C 0 ) E A 1 , B 1 ( C 0 ) ◮ Position in this list leaks semantic value = ⇒ permute ciphertexts

  5. Murky beginnings [Yao86] A 0 , A 1 C 0 , C 1 B 0 , B 1 E A 0 , B 0 ( C 0 ) E A 0 , B 1 ( C 1 ) E A 1 , B 0 ( C 0 ) E A 1 , B 1 ( C 0 ) ◮ Position in this list leaks semantic value = ⇒ permute ciphertexts ◮ Need to detect [in]correct decryption

  6. Murky beginnings [Yao86] A 0 , A 1 C 0 , C 1 B 0 , B 1 E A 0 , B 0 ( C 0 ) E A 0 , B 1 ( C 1 ) E A 1 , B 0 ( C 0 ) E A 1 , B 1 ( C 0 ) ◮ Position in this list leaks semantic value = ⇒ permute ciphertexts ◮ Need to detect [in]correct decryption ◮ (Apparently) no one knows exactly what Yao had in mind: ◮ E K 0 , K 1 ( M ) = � E ( K 0 , S 0 ) , E ( K 1 , S 1 ) � where S 0 ⊕ S 1 = M [GoldreichMicaliWigderson87] ◮ E K 0 , K 1 ( M ) = E ( K 1 , E ( K 0 , M )) [LindellPinkas09]

  7. Permute-and-Point [BeaverMicaliRogaway90] A 0 , A 1 C 0 , C 1 B 0 , B 1 E A 0 , B 0 ( C 0 ) E A 0 , B 1 ( C 1 ) E A 1 , B 0 ( C 0 ) E A 1 , B 1 ( C 0 )

  8. Permute-and-Point [BeaverMicaliRogaway90] ◮ Randomly assign ( • , • ) or ( • , • ) A • 0 , A • C • 0 , C • 1 1 to each pair of wire labels B • 0 , B • ◮ Include color in the wire label 1 (e.g., as last bit) 0 ( C • 0 ) E A • 0 , B • 1 ( C • E A • 1 ) 0 , B • 0 ( C • E A • 0 ) 1 , B • 1 ( C • 0 ) E A • 1 , B •

  9. Permute-and-Point [BeaverMicaliRogaway90] ◮ Randomly assign ( • , • ) or ( • , • ) A • 0 , A • C • 0 , C • 1 1 to each pair of wire labels B • 0 , B • ◮ Include color in the wire label 1 (e.g., as last bit) •• E A 0 , B 0 ( C • 0 ) ◮ Order the 4 ciphertexts •• E A 0 , B 1 ( C • 1 ) canonically, by color of keys •• E A 1 , B 0 ( C • 0 ) •• E A 1 , B 1 ( C • 0 )

  10. Permute-and-Point [BeaverMicaliRogaway90] ◮ Randomly assign ( • , • ) or ( • , • ) A • 0 , A • C • 0 , C • 1 1 to each pair of wire labels B • 0 , B • ◮ Include color in the wire label 1 (e.g., as last bit) •• E A 0 , B 1 ( C • 1 ) ◮ Order the 4 ciphertexts •• E A 0 , B 0 ( C • 0 ) canonically, by color of keys •• E A 1 , B 1 ( C • 0 ) •• E A 1 , B 0 ( C • 0 )

  11. Permute-and-Point [BeaverMicaliRogaway90] ◮ Randomly assign ( • , • ) or ( • , • ) A 0 , A • C 0 , C 1 1 to each pair of wire labels B 0 , B • ◮ Include color in the wire label 1 (e.g., as last bit) •• E A 0 , B 1 ( C 1 ) ◮ Order the 4 ciphertexts •• E A 0 , B 0 ( C 0 ) canonically, by color of keys •• E A 1 , B 1 ( C 0 ) ◮ Evaluate by decrypting •• E A 1 , B 0 ( C 0 ) ciphertext indexed by your colors

  12. Permute-and-Point [BeaverMicaliRogaway90] ◮ Randomly assign ( • , • ) or ( • , • ) A 0 , A • C • 0 , C 1 1 to each pair of wire labels B 0 , B • ◮ Include color in the wire label 1 (e.g., as last bit) •• E A 0 , B 1 ( C 1 ) ◮ Order the 4 ciphertexts •• E A 0 , B 0 ( C 0 ) canonically, by color of keys •• E A 1 , B 1 ( C • 0 ) ◮ Evaluate by decrypting •• E A 1 , B 0 ( C 0 ) ciphertext indexed by your colors

  13. Permute-and-Point [BeaverMicaliRogaway90] ◮ Randomly assign ( • , • ) or ( • , • ) A 0 , A • C • 0 , C 1 1 to each pair of wire labels B 0 , B • ◮ Include color in the wire label 1 (e.g., as last bit) •• E A 0 , B 1 ( C 1 ) ◮ Order the 4 ciphertexts •• E A 0 , B 0 ( C 0 ) canonically, by color of keys •• E A 1 , B 1 ( C • 0 ) ◮ Evaluate by decrypting •• E A 1 , B 0 ( C 0 ) ciphertext indexed by your colors Can use one-time-secure symmetric encryption!

  14. Computational cost of garbling E A , B ( C ) : cost to garble AES PRF ( A , gateID ) ⊕ PRF ( B , gateID ) ⊕ C ∼ 6s [extrapolated] [NaorPinkasSumner99] time from Fairplay [MNPS04] : PRF = SHA256

  15. Computational cost of garbling 2 hash ≫ 1 hash E A , B ( C ) : cost to garble AES PRF ( A , gateID ) ⊕ PRF ( B , gateID ) ⊕ C ∼ 6s [extrapolated] [NaorPinkasSumner99] time from Fairplay [MNPS04] : PRF = SHA256 H ( A � B � gateID ) ⊕ C 0.15s [LindellPinkasSmart08] time from [sS12] ; H = SHA256

  16. Computational cost of garbling 2 hash ≫ 1 hash ≫ 1 block cipher E A , B ( C ) : cost to garble AES PRF ( A , gateID ) ⊕ PRF ( B , gateID ) ⊕ C ∼ 6s [extrapolated] [NaorPinkasSumner99] time from Fairplay [MNPS04] : PRF = SHA256 H ( A � B � gateID ) ⊕ C 0.15s [LindellPinkasSmart08] time from [sS12] ; H = SHA256 AES256 ( A � B , gateID ) ⊕ C 0.12s [shelatShen12]

  17. Computational cost of garbling 2 hash ≫ 1 hash ≫ 1 block cipher ≫ 1 block cipher w/o key schedule E A , B ( C ) : cost to garble AES PRF ( A , gateID ) ⊕ PRF ( B , gateID ) ⊕ C ∼ 6s [extrapolated] [NaorPinkasSumner99] time from Fairplay [MNPS04] : PRF = SHA256 H ( A � B � gateID ) ⊕ C 0.15s [LindellPinkasSmart08] time from [sS12] ; H = SHA256 AES256 ( A � B , gateID ) ⊕ C 0.12s [shelatShen12] AES ( const , K ) ⊕ K ⊕ C 0.0003s where K = 2 A ⊕ 4 B ⊕ gateID [BellareHoangKeelveedhiRogaway13]

  18. Scoreboard size ( × λ ) garble cost eval cost assumption Classical large? 8 5 PKE P&P 4 4/8 1/2 hash/PRF

  19. Garbled Row Reduction [NaorPinkasSumner99] A • 0 , A • C • 0 C • 1 1 B • 0 B • 1 •• E A 0 , B 1 ( C • 1 ) •• E A 0 , B 0 ( C • 0 ) •• E A 1 , B 1 ( C • 0 ) •• E A 1 , B 0 ( C • 0 )

  20. Garbled Row Reduction [NaorPinkasSumner99] C 0 ← { 0 , 1 } n C 1 ← { 0 , 1 } n A • 0 , A • C • 0 C • 1 1 B • 0 B • 1 •• E A 0 , B 1 ( C • 1 ) •• E A 0 , B 0 ( C • 0 ) •• E A 1 , B 1 ( C • 0 ) •• E A 1 , B 0 ( C • 0 )

  21. Garbled Row Reduction [NaorPinkasSumner99] C 0 ← { 0 , 1 } n C 1 ← { 0 , 1 } n A • 0 , A • C • 0 C • 1 1 B • 0 B • 1 •• E A 0 , B 1 ( C • 1 ) •• E A 0 , B 0 ( C • 0 ) •• E A 1 , B 1 ( C • 0 ) •• E A 1 , B 0 ( C • 0 ) ◮ What wire label will be payload of 1st ( •• ) ciphertext?

  22. Garbled Row Reduction [NaorPinkasSumner99] C 0 ← { 0 , 1 } n C 1 = E − 1 A 0 , B 1 ( 0 n ) A • 0 , A • C • 0 C • 1 1 B • 0 B • 1 •• E A 0 , B 1 ( C • 1 ) •• E A 0 , B 0 ( C • 0 ) •• E A 1 , B 1 ( C • 0 ) •• E A 1 , B 0 ( C • 0 ) ◮ What wire label will be payload of 1st ( •• ) ciphertext? ◮ Choose that label so that 1st ciphertext is 0 n

  23. Garbled Row Reduction [NaorPinkasSumner99] C 0 ← { 0 , 1 } n C 1 = E − 1 A 0 , B 1 ( 0 n ) A • 0 , A • C • 0 C • 1 1 B • 0 B • 1 0 n •• •• E A 0 , B 0 ( C • 0 ) •• E A 1 , B 1 ( C • 0 ) •• E A 1 , B 0 ( C • 0 ) ◮ What wire label will be payload of 1st ( •• ) ciphertext? ◮ Choose that label so that 1st ciphertext is 0 n

  24. Garbled Row Reduction [NaorPinkasSumner99] C 0 ← { 0 , 1 } n C 1 = E − 1 A 0 , B 1 ( 0 n ) A • 0 , A • C • 0 C • 1 1 B • 0 B • 1 •• E A 0 , B 0 ( C • 0 ) •• E A 1 , B 1 ( C • 0 ) •• E A 1 , B 0 ( C • 0 ) ◮ What wire label will be payload of 1st ( •• ) ciphertext? ◮ Choose that label so that 1st ciphertext is 0 n ◮ No need to include 1st ciphertext in garbled gate

  25. Garbled Row Reduction [NaorPinkasSumner99] C 0 ← { 0 , 1 } n C 1 = E − 1 A 0 , B 1 ( 0 n ) A • 0 , A • C • 0 C • 1 1 B • 0 B • 1 •• E A 0 , B 0 ( C • 0 ) •• E A 1 , B 1 ( C • 0 ) •• E A 1 , B 0 ( C • 0 ) ◮ What wire label will be payload of 1st ( •• ) ciphertext? ◮ Choose that label so that 1st ciphertext is 0 n ◮ No need to include 1st ciphertext in garbled gate ◮ Evaluate as before, but imagine ciphertext 0 n if you got •• .

  26. Scoreboard size ( × λ ) garble cost eval cost assumption Classical large? 8 5 PKE P&P 4 4/8 1/2 hash/PRF GRR3 3 4/8 1/2 hash/PRF

  27. Free XOR [KolesnikovSchneider08] A 0 , A 1 C 0 , C 1 B 0 , B 1

  28. Free XOR [KolesnikovSchneider08] A , A ⊕ ∆ A C , C ⊕ ∆ C B , B ⊕ ∆ B ◮ Wire’s offset ≡ XOR of its two labels

  29. Free XOR [KolesnikovSchneider08] A , A ⊕ ∆ C , C ⊕ ∆ B , B ⊕ ∆ ◮ Wire’s offset ≡ XOR of its two labels ◮ Choose all wires to have same (secret) offset ∆

  30. Free XOR [KolesnikovSchneider08] C ← { 0 , 1 } n A , A ⊕ ∆ C , C ⊕ ∆ B , B ⊕ ∆ ◮ Wire’s offset ≡ XOR of its two labels ◮ Choose all wires to have same (secret) offset ∆

  31. Free XOR [KolesnikovSchneider08] C : = A ⊕ B A , A ⊕ ∆ C , C ⊕ ∆ B , B ⊕ ∆ A ⊕ B = A ⊕ B � ������ �� ������ � ���� ���� false false false ◮ Wire’s offset ≡ XOR of its two labels ◮ Choose all wires to have same (secret) offset ∆ ◮ Choose false output = false input ⊕ false input

  32. Free XOR [KolesnikovSchneider08] C : = A ⊕ B A , A ⊕ ∆ C , C ⊕ ∆ B , B ⊕ ∆ A ⊕ B ⊕ ∆ = A ⊕ B ⊕ ∆ � ������ �� ������ � ���� ���� false true true ◮ Wire’s offset ≡ XOR of its two labels ◮ Choose all wires to have same (secret) offset ∆ ◮ Choose false output = false input ⊕ false input ◮ Evaluate by xor ing input wire labels (no crypto)

  33. Free XOR [KolesnikovSchneider08] C : = A ⊕ B A , A ⊕ ∆ C , C ⊕ ∆ B , B ⊕ ∆ A ⊕ ∆ ⊕ B = A ⊕ B ⊕ ∆ � ������ �� ������ � ���� ���� false true true ◮ Wire’s offset ≡ XOR of its two labels ◮ Choose all wires to have same (secret) offset ∆ ◮ Choose false output = false input ⊕ false input ◮ Evaluate by xor ing input wire labels (no crypto)

  34. Free XOR [KolesnikovSchneider08] C : = A ⊕ B A , A ⊕ ∆ C , C ⊕ ∆ B , B ⊕ ∆ A ⊕ ∆ ⊕ B ⊕ ∆ = A ⊕ B � ������ �� ������ � ���� ���� true true false ◮ Wire’s offset ≡ XOR of its two labels ◮ Choose all wires to have same (secret) offset ∆ ◮ Choose false output = false input ⊕ false input ◮ Evaluate by xor ing input wire labels (no crypto)

  35. Freedom at a cost . . . A , A ⊕ ∆ C , C ⊕ ∆ B , B ⊕ ∆ ( C ) E A , B E A , B ⊕ ∆ ( C ⊕ ∆) E A ⊕ ∆ , B ( C ) E A ⊕ ∆ , B ⊕ ∆ ( C ) ◮ Still need to garble and gates

  36. Freedom at a cost . . . C ← { 0 , 1 } n A , A ⊕ ∆ C , C ⊕ ∆ B , B ⊕ ∆ ( C ) E A , B E A , B ⊕ ∆ ( C ⊕ ∆) E A ⊕ ∆ , B ( C ) E A ⊕ ∆ , B ⊕ ∆ ( C ) ◮ Still need to garble and gates ◮ Compatible with garbled row-reduction

  37. Freedom at a cost . . . C : = E − 1 A , B ( 0 n ) A , A ⊕ ∆ C , C ⊕ ∆ B , B ⊕ ∆ ( C E A ) , B , B ⊕ ∆ ( C ⊕ ∆) E A ( C ) E A ⊕ ∆ , B E A ⊕ ∆ , B ⊕ ∆ ( C ) ◮ Still need to garble and gates ◮ Compatible with garbled row-reduction

  38. Freedom at a cost . . . A , A ⊕ ∆ C , C ⊕ ∆ B , B ⊕ ∆ ( C E A ) , B , B ⊕ ∆ ( C ⊕ ∆) E A ( C ) E A ⊕ ∆ , B E A ⊕ ∆ , B ⊕ ∆ ( C ) ◮ Still need to garble and gates ◮ Compatible with garbled row-reduction ◮ Secret ∆ used in key and payload of ciphertexts!

  39. Freedom at a cost . . . A , A ⊕ ∆ C , C ⊕ ∆ B , B ⊕ ∆ ( C E A ) , B , B ⊕ ∆ ( C ⊕ ∆) E A ( C ) E A ⊕ ∆ , B E A ⊕ ∆ , B ⊕ ∆ ( C ) ◮ Still need to garble and gates ◮ Compatible with garbled row-reduction ◮ Secret ∆ used in key and payload of ciphertexts! ◮ Requires related-key + circularity assumption [ChoiKatzKumaresanZhou12]

  40. Scoreboard size ( × λ ) garble cost eval cost assumption XOR AND XOR AND XOR AND Classical large? 8 5 PKE P&P 4 4 4/8 4/8 1/2 1/2 PRF/hash GRR3 3 3 4/8 4/8 1/2 1/2 PRF/hash Free XOR 0 3 0 4 0 1 circ. hash

  41. Row reduction ++ [PinkasSchneiderSmartWilliams09] Garbled gates with only 2 ciphertexts! A 0 , A 1 C 0 , C 1 B 0 , B 1

  42. Row reduction ++ [PinkasSchneiderSmartWilliams09] Garbled gates with only 2 ciphertexts! A 0 , A 1 C 0 , C 1 ◮ Evaluator can know exactly one of: B 0 , B 1 K 1 = E − 1 A 0 , B 0 ( 0 n ) K 2 = E − 1 A 0 , B 1 ( 0 n ) K 3 = E − 1 A 1 , B 0 ( 0 n ) K 4 = E − 1 A 1 , B 1 ( 0 n )

  43. Row reduction ++ [PinkasSchneiderSmartWilliams09] Garbled gates with only 2 ciphertexts! A 0 , A 1 C 0 , C 1 ◮ Evaluator can know exactly one of: B 0 , B 1 K 1 = E − 1 A 0 , B 0 ( 0 n ) � learn C 0 K 2 = E − 1 A 0 , B 1 ( 0 n ) � learn C 1 K 3 = E − 1 A 1 , B 0 ( 0 n ) � learn C 0 K 4 = E − 1 A 1 , B 1 ( 0 n ) � learn C 0

  44. Row reduction ++ [PinkasSchneiderSmartWilliams09] Garbled gates with only 2 ciphertexts! A 0 , A 1 C 0 , C 1 ◮ Evaluator can know exactly one of: B 0 , B 1 K 1 = E − 1 A 0 , B 0 ( 0 n ) � learn C 0 K 2 = E − 1 A 0 , B 1 ( 0 n ) � learn C 1 K 3 = E − 1 A 1 , B 0 ( 0 n ) � learn C 0 K 4 = E − 1 A 1 , B 1 ( 0 n ) � learn C 0 ( 3 , K 3 ) ( 4 , K 4 ) ( 1 , K 1 ) ( 1 , K 1 ) , ( 3 , K 3 ) , ( 4 , K 4 )

  45. Row reduction ++ [PinkasSchneiderSmartWilliams09] Garbled gates with only 2 ciphertexts! A 0 , A 1 C 0 , C 1 ◮ Evaluator can know exactly one of: B 0 , B 1 K 1 = E − 1 A 0 , B 0 ( 0 n ) � learn C 0 K 2 = E − 1 A 0 , B 1 ( 0 n ) � learn C 1 K 3 = E − 1 A 1 , B 0 ( 0 n ) � learn C 0 K 4 = E − 1 A 1 , B 1 ( 0 n ) � learn C 0 ( 3 , K 3 ) ( 4 , K 4 ) ( 1 , K 1 ) P = uniq deg-2 poly thru ( 1 , K 1 ) , ( 3 , K 3 ) , ( 4 , K 4 )

  46. Row reduction ++ [PinkasSchneiderSmartWilliams09] Garbled gates with only 2 ciphertexts! A 0 , A 1 C 0 , C 1 ◮ Evaluator can know exactly one of: B 0 , B 1 K 1 = E − 1 A 0 , B 0 ( 0 n ) � learn C 0 K 2 = E − 1 A 0 , B 1 ( 0 n ) � learn C 1 ( 2 , K 2 ) K 3 = E − 1 A 1 , B 0 ( 0 n ) � learn C 0 P ( 6 ) K 4 = E − 1 A 1 , B 1 ( 0 n ) � learn C 0 P ( 5 ) P = uniq deg-2 poly thru ( 1 , K 1 ) , ( 3 , K 3 ) , ( 4 , K 4 ) ( 2 , K 2 ) , ( 5 , P ( 5 )) , ( 6 , P ( 6 ))

  47. Row reduction ++ [PinkasSchneiderSmartWilliams09] Garbled gates with only 2 ciphertexts! A 0 , A 1 C 0 , C 1 ◮ Evaluator can know exactly one of: B 0 , B 1 K 1 = E − 1 A 0 , B 0 ( 0 n ) � learn C 0 K 2 = E − 1 A 0 , B 1 ( 0 n ) � learn C 1 ( 2 , K 2 ) K 3 = E − 1 A 1 , B 0 ( 0 n ) � learn C 0 P ( 6 ) K 4 = E − 1 A 1 , B 1 ( 0 n ) � learn C 0 P ( 5 ) P = uniq deg-2 poly thru ( 1 , K 1 ) , ( 3 , K 3 ) , ( 4 , K 4 ) Q = uniq deg-2 poly thru ( 2 , K 2 ) , ( 5 , P ( 5 )) , ( 6 , P ( 6 ))

  48. Row reduction ++ [PinkasSchneiderSmartWilliams09] C 0 = P ( 0 ) ; C 1 = Q ( 0 ) Garbled gates with only 2 ciphertexts! A 0 , A 1 C 0 , C 1 ◮ Evaluator can know exactly one of: B 0 , B 1 K 1 = E − 1 A 0 , B 0 ( 0 n ) � learn C 0 K 2 = E − 1 A 0 , B 1 ( 0 n ) � learn C 1 P ( 0 ) K 3 = E − 1 A 1 , B 0 ( 0 n ) � learn C 0 K 4 = E − 1 A 1 , B 1 ( 0 n ) � learn C 0 Q ( 0 ) P = uniq deg-2 poly thru ( 1 , K 1 ) , ( 3 , K 3 ) , ( 4 , K 4 ) Q = uniq deg-2 poly thru ( 2 , K 2 ) , ( 5 , P ( 5 )) , ( 6 , P ( 6 ))

  49. Row reduction ++ [PinkasSchneiderSmartWilliams09] C 0 = P ( 0 ) ; C 1 = Q ( 0 ) Garbled gates with only 2 ciphertexts! A 0 , A 1 C 0 , C 1 ◮ Evaluator can know exactly one of: B 0 , B 1 K 1 = E − 1 A 0 , B 0 ( 0 n ) � learn C 0 P ( 5 ) P ( 6 ) K 2 = E − 1 A 0 , B 1 ( 0 n ) � learn C 1 P ( 0 ) K 3 = E − 1 A 1 , B 0 ( 0 n ) � learn C 0 P ( 6 ) K 4 = E − 1 A 1 , B 1 ( 0 n ) � learn C 0 P ( 5 ) Q ( 0 ) P = uniq deg-2 poly thru ( 1 , K 1 ) , ( 3 , K 3 ) , ( 4 , K 4 ) Q = uniq deg-2 poly thru ( 2 , K 2 ) , ( 5 , P ( 5 )) , ( 6 , P ( 6 ))

  50. Row reduction ++ [PinkasSchneiderSmartWilliams09] C 0 = P ( 0 ) ; C 1 = Q ( 0 ) Garbled gates with only 2 ciphertexts! A 0 , A 1 C 0 , C 1 ◮ Evaluator can know exactly one of: B 0 , B 1 K 1 = E − 1 A 0 , B 0 ( 0 n ) � learn C 0 P ( 5 ) P ( 6 ) K 2 = E − 1 A 0 , B 1 ( 0 n ) � learn C 1 K 3 = E − 1 A 1 , B 0 ( 0 n ) � learn C 0 P ( 6 ) K 4 = E − 1 A 1 , B 1 ( 0 n ) � learn C 0 P ( 5 ) ◮ Evaluate by interpolating poly thru K i , P ( 5 ) and P ( 6 ) P = uniq deg-2 poly thru ( 1 , K 1 ) , ( 3 , K 3 ) , ( 4 , K 4 ) Q = uniq deg-2 poly thru ( 2 , K 2 ) , ( 5 , P ( 5 )) , ( 6 , P ( 6 ))

  51. Row reduction ++ [PinkasSchneiderSmartWilliams09] C 0 = P ( 0 ) ; C 1 = Q ( 0 ) Garbled gates with only 2 ciphertexts! A 0 , A 1 C 0 , C 1 ◮ Evaluator can know exactly one of: B 0 , B 1 K 1 = E − 1 A 0 , B 0 ( 0 n ) � learn C 0 P ( 5 ) P ( 6 ) K 2 = E − 1 A 0 , B 1 ( 0 n ) � learn C 1 K 3 = E − 1 A 1 , B 0 ( 0 n ) � learn C 0 P ( 6 ) K 4 = E − 1 A 1 , B 1 ( 0 n ) � learn C 0 P ( 5 ) ◮ Evaluate by interpolating poly thru K i , P ( 5 ) and P ( 6 ) P = uniq deg-2 poly thru ( 1 , K 1 ) , ( 3 , K 3 ) , ( 4 , K 4 ) Q = uniq deg-2 poly thru ( 2 , K 2 ) , ( 5 , P ( 5 )) , ( 6 , P ( 6 ))

  52. Row reduction ++ [PinkasSchneiderSmartWilliams09] C 0 = P ( 0 ) ; C 1 = Q ( 0 ) Garbled gates with only 2 ciphertexts! A 0 , A 1 C 0 , C 1 ◮ Evaluator can know exactly one of: B 0 , B 1 K 1 = E − 1 A 0 , B 0 ( 0 n ) � learn C 0 P ( 5 ) P ( 6 ) K 2 = E − 1 A 0 , B 1 ( 0 n ) � learn C 1 K 3 = E − 1 A 1 , B 0 ( 0 n ) � learn C 0 P ( 6 ) K 4 = E − 1 A 1 , B 1 ( 0 n ) � learn C 0 ( 3 , K 3 ) P ( 5 ) ◮ Evaluate by interpolating poly thru K i , P ( 5 ) and P ( 6 ) P = uniq deg-2 poly thru ( 1 , K 1 ) , ( 3 , K 3 ) , ( 4 , K 4 ) Q = uniq deg-2 poly thru ( 2 , K 2 ) , ( 5 , P ( 5 )) , ( 6 , P ( 6 ))

  53. Row reduction ++ [PinkasSchneiderSmartWilliams09] C 0 = P ( 0 ) ; C 1 = Q ( 0 ) Garbled gates with only 2 ciphertexts! A 0 , A 1 C 0 , C 1 ◮ Evaluator can know exactly one of: B 0 , B 1 K 1 = E − 1 A 0 , B 0 ( 0 n ) � learn C 0 P ( 5 ) P ( 6 ) K 2 = E − 1 A 0 , B 1 ( 0 n ) � learn C 1 K 3 = E − 1 A 1 , B 0 ( 0 n ) � learn C 0 P ( 6 ) K 4 = E − 1 A 1 , B 1 ( 0 n ) � learn C 0 ( 3 , K 3 ) P ( 5 ) ◮ Evaluate by interpolating poly thru K i , P ( 5 ) and P ( 6 ) P = uniq deg-2 poly thru ( 1 , K 1 ) , ( 3 , K 3 ) , ( 4 , K 4 ) Q = uniq deg-2 poly thru ( 2 , K 2 ) , ( 5 , P ( 5 )) , ( 6 , P ( 6 ))

  54. Row reduction ++ [PinkasSchneiderSmartWilliams09] C 0 = P ( 0 ) ; C 1 = Q ( 0 ) Garbled gates with only 2 ciphertexts! A 0 , A 1 C 0 , C 1 ◮ Evaluator can know exactly one of: B 0 , B 1 K 1 = E − 1 A 0 , B 0 ( 0 n ) � learn C 0 P ( 5 ) P ( 6 ) K 2 = E − 1 A 0 , B 1 ( 0 n ) � learn C 1 P ( 0 ) K 3 = E − 1 A 1 , B 0 ( 0 n ) � learn C 0 P ( 6 ) K 4 = E − 1 A 1 , B 1 ( 0 n ) � learn C 0 ( 3 , K 3 ) P ( 5 ) ◮ Evaluate by interpolating poly thru K i , P ( 5 ) and P ( 6 ) P = uniq deg-2 poly thru ( 1 , K 1 ) , ( 3 , K 3 ) , ( 4 , K 4 ) Q = uniq deg-2 poly thru ( 2 , K 2 ) , ( 5 , P ( 5 )) , ( 6 , P ( 6 ))

  55. Row reduction ++ [PinkasSchneiderSmartWilliams09] C 0 = P ( 0 ) ; C 1 = Q ( 0 ) Garbled gates with only 2 ciphertexts! A 0 , A 1 C 0 , C 1 ◮ Evaluator can know exactly one of: B 0 , B 1 K 1 = E − 1 A 0 , B 0 ( 0 n ) � learn C 0 P ( 5 ) P ( 6 ) K 2 = E − 1 A 0 , B 1 ( 0 n ) � learn C 1 ( 2 , K 2 ) K 3 = E − 1 A 1 , B 0 ( 0 n ) � learn C 0 P ( 6 ) K 4 = E − 1 A 1 , B 1 ( 0 n ) � learn C 0 P ( 5 ) ◮ Evaluate by interpolating poly thru Q ( 0 ) K i , P ( 5 ) and P ( 6 ) P = uniq deg-2 poly thru ( 1 , K 1 ) , ( 3 , K 3 ) , ( 4 , K 4 ) Q = uniq deg-2 poly thru ( 2 , K 2 ) , ( 5 , P ( 5 )) , ( 6 , P ( 6 ))

  56. Row reduction ++ [PinkasSchneiderSmartWilliams09] C 0 = P ( 0 ) ; C 1 = Q ( 0 ) Garbled gates with only 2 ciphertexts! A 0 , A 1 C 0 , C 1 ◮ Evaluator can know exactly one of: B 0 , B 1 K 1 = E − 1 A 0 , B 0 ( 0 n ) � learn C 0 P ( 5 ) P ( 6 ) K 2 = E − 1 A 0 , B 1 ( 0 n ) � learn C 1 P ( 0 ) ( 2 , K 2 ) K 3 = E − 1 A 1 , B 0 ( 0 n ) � learn C 0 P ( 6 ) K 4 = E − 1 A 1 , B 1 ( 0 n ) � learn C 0 ( 3 , K 3 ) P ( 5 ) ( 4 , K 4 ) ◮ Evaluate by interpolating poly thru ( 1 , K 1 ) Q ( 0 ) K i , P ( 5 ) and P ( 6 ) P = uniq deg-2 poly thru ◮ Incompatible with Free-XOR: can’t ( 1 , K 1 ) , ( 3 , K 3 ) , ( 4 , K 4 ) ensure C 0 ⊕ C 1 = ∆ Q = uniq deg-2 poly thru ( 2 , K 2 ) , ( 5 , P ( 5 )) , ( 6 , P ( 6 ))

  57. Scoreboard size ( × λ ) garble cost eval cost assumption XOR AND XOR AND XOR AND Classical large? 8 5 PKE P&P 4 4 4/8 4/8 1/2 1/2 hash/PRF GRR3 3 3 4/8 4/8 1/2 1/2 PRF/hash Free XOR 0 3 0 4 0 1 circ. hash GRR2 2 2 4/8 4/8 1/2 1/2 PRF/hash

  58. FleXOR [KolesnikovMohasselRosulek14] A , A ⊕ ∆ 1

  59. FleXOR [KolesnikovMohasselRosulek14] A ∗ , A ∗ ⊕ ∆ 2 A , A ⊕ ∆ 1 ◮ Translate to a new wire offset

  60. FleXOR [KolesnikovMohasselRosulek14] A ∗ , A ∗ ⊕ ∆ 2 A , A ⊕ ∆ 1 0 0 1 1 ◮ Translate to a new wire offset (unary a �→ a gate)

  61. FleXOR [KolesnikovMohasselRosulek14] A ∗ , A ∗ ⊕ ∆ 2 A , A ⊕ ∆ 1 A ∗ A A ⊕ ∆ 1 A ∗ ⊕ ∆ 2 ◮ Translate to a new wire offset (unary a �→ a gate)

  62. FleXOR [KolesnikovMohasselRosulek14] A ∗ , A ∗ ⊕ ∆ 2 A , A ⊕ ∆ 1 ( A ∗ ) E A E A ⊕ ∆ 1 ( A ∗ ⊕ ∆ 2 ) ◮ Translate to a new wire offset (unary a �→ a gate)

  63. FleXOR [KolesnikovMohasselRosulek14] A ∗ ← { 0 , 1 } n A ∗ , A ∗ ⊕ ∆ 2 A , A ⊕ ∆ 1 ( A ∗ ) E A E A ⊕ ∆ 1 ( A ∗ ⊕ ∆ 2 ) ◮ Translate to a new wire offset (unary a �→ a gate)

  64. FleXOR [KolesnikovMohasselRosulek14] A ∗ : = E − 1 A ( 0 n ) A ∗ , A ∗ ⊕ ∆ 2 A , A ⊕ ∆ 1 ( A ∗ ) E A E A ⊕ ∆ 1 ( A ∗ ⊕ ∆ 2 ) ◮ Translate to a new wire offset (unary a �→ a gate)

  65. FleXOR [KolesnikovMohasselRosulek14] A ∗ : = E − 1 A ( 0 n ) A ∗ , A ∗ ⊕ ∆ 2 A , A ⊕ ∆ 1 0 n E A ⊕ ∆ 1 ( A ∗ ⊕ ∆ 2 ) ◮ Translate to a new wire offset (unary a �→ a gate)

  66. FleXOR [KolesnikovMohasselRosulek14] A ∗ : = E − 1 A ( 0 n ) A ∗ , A ∗ ⊕ ∆ 2 A , A ⊕ ∆ 1 E A ⊕ ∆ 1 ( A ∗ ⊕ ∆ 2 ) ◮ Translate to a new wire offset (unary a �→ a gate) using 1 ciphertext

  67. FleXOR [KolesnikovMohasselRosulek14] A ∗ : = E − 1 A ( 0 n ) ∆ 1 → ∆ 2 A ∗ , A ∗ ⊕ ∆ 2 A , A ⊕ ∆ 1 E A ⊕ ∆ 1 ( A ∗ ⊕ ∆ 2 ) ◮ Translate to a new wire offset (unary a �→ a gate) using 1 ciphertext

  68. FleXOR [KolesnikovMohasselRosulek14] A , A ⊕ ∆ A C , C ⊕ ∆ C B , B ⊕ ∆ B

  69. FleXOR [KolesnikovMohasselRosulek14] A , A ⊕ ∆ A ∆ A → ∆ C C , C ⊕ ∆ C B , B ⊕ ∆ B ∆ B → ∆ C ◮ Adjust inputs to target offset ∆ C (1 ciphertext each)

  70. FleXOR [KolesnikovMohasselRosulek14] A , A ⊕ ∆ A ∆ A → ∆ C C , C ⊕ ∆ C free B , B ⊕ ∆ B ∆ B → ∆ C ◮ Adjust inputs to target offset ∆ C (1 ciphertext each), then XOR is free

  71. FleXOR [KolesnikovMohasselRosulek14] A , A ⊕ ∆ A ∆ A → ∆ C C , C ⊕ ∆ C free B , B ⊕ ∆ C ◮ Adjust inputs to target offset ∆ C (1 ciphertext each), then XOR is free ◮ If input wire already suitable, no need to adjust

  72. FleXOR [KolesnikovMohasselRosulek14] A , A ⊕ ∆ A ∆ A → ∆ C C , C ⊕ ∆ C free B , B ⊕ ∆ C ◮ Adjust inputs to target offset ∆ C (1 ciphertext each), then XOR is free ◮ If input wire already suitable, no need to adjust ◮ Total cost: 0, 1 or 2 depending on how many { ∆ A , ∆ B , ∆ C } distinct.

  73. FleXOR [KolesnikovMohasselRosulek14] A , A ⊕ ∆ A ∆ A → ∆ C C , C ⊕ ∆ C free B , B ⊕ ∆ C ◮ Adjust inputs to target offset ∆ C (1 ciphertext each), then XOR is free ◮ If input wire already suitable, no need to adjust ◮ Total cost: 0, 1 or 2 depending on how many { ∆ A , ∆ B , ∆ C } distinct. Combinatorial optimization problem: Choose an offset for each wire, minimizing total cost of XOR gates ◮ Subj. to compatibility with 2-ciphertext row-reduction of AND gates ◮ (or) Subj. to removing circularity property of free-XOR

  74. Scoreboard size ( × λ ) garble cost eval cost assumption XOR AND XOR AND XOR AND Classical large? 8 5 PKE P&P 4 4 4/8 4/8 1/2 1/2 hash/PRF GRR3 3 3 4/8 4/8 1/2 1/2 PRF/hash Free XOR 0 3 0 4 0 1 circ. hash GRR2 2 2 4/8 4/8 1/2 1/2 PRF/hash { 0 , 1 , 2 } { 0 , 1 , 2 } { 0 , 1 , 2 } FleXOR 2 4 1 circ. hash

Recommend

SFE: Yaos Garbled Circuit Oblivious Transfer IDEAL World Pick one out of two, without

SFE: Yaos Garbled Circuit Oblivious Transfer IDEAL World Pick one out of two, without

SFE: Yaos Garbled Circuit Oblivious Transfer IDEAL World Pick one out of two, without revealing which Intuitive property: OT transfer partial A:up, B:down A up I need just information All 2 of one them! But cant

432 views • 20 slides
FREE IF : HOW TO OMIT INACTIVE BRANCHES AND IMPLEMENT S-UNIVERSAL GARBLED CIRCUIT ALMOST FOR

FREE IF : HOW TO OMIT INACTIVE BRANCHES AND IMPLEMENT S-UNIVERSAL GARBLED CIRCUIT ALMOST FOR

FREE IF : HOW TO OMIT INACTIVE BRANCHES AND IMPLEMENT S-UNIVERSAL GARBLED CIRCUIT ALMOST FOR FREE V L A D KO L E S N I KO V G E O R G I A T E C H HIGH-LEVEL OVERVIEW OF THE RESULT f 1 (x,y) f 2 (x,y) f 3 (x,y) f 30 (x,y) c Sel In GC,

559 views • 18 slides
THE CIRCUIT PATTERN Slide 2- The Circuit Pattern Circuit training is the first stage of practical

THE CIRCUIT PATTERN Slide 2- The Circuit Pattern Circuit training is the first stage of practical

Noise Liaison Group PANLG Presentation on Circuits THE CIRCUIT PATTERN Slide 2- The Circuit Pattern Circuit training is the first stage of practical pilot training focused on take-offs and landings. It involves the pilot making approaches to the

649 views • 17 slides
Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F

Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F

Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F proto proto iface iface Secure (and correct) if: s.t. output of is distributed Env Env identically in REAL IDEAL REAL and

1.33k views • 102 slides
Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F

Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F

Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F proto proto iface iface Secure (and correct) if: s.t. output of is distributed Env Env identically in REAL IDEAL REAL and

1.28k views • 126 slides
Stronger Security for Reusable Garbled Circuits, General Definitions and Attacks Shweta Agrawal

Stronger Security for Reusable Garbled Circuits, General Definitions and Attacks Shweta Agrawal

Stronger Security for Reusable Garbled Circuits, General Definitions and Attacks Shweta Agrawal IIT Madras Garbled Circuits (Yao 86) Garble Circuit C: Garble(C; R) Encode Input x: Encode(x; R) Decode: ( ) = ( ) C x C x

884 views • 23 slides
Loop Optimizations Important because lots of execution Loop Optimizations Loop Optimizations

Loop Optimizations Important because lots of execution Loop Optimizations Loop Optimizations

Loop Optimizations Important because lots of execution Loop Optimizations Loop Optimizations time occurs in loops First, we will identify loops We will study three optimizations Loop-invariant code motion This lecture is

249 views • 5 slides
Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols

Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols

Secure Multi-Party Computation Lecture 17 GMW & BGW Protocols MPC Protocols MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against passive adversaries MPC Protocols Yao s Garbled Circuit : 2-Party SFE secure against

2.07k views • 85 slides
Adaptive Garbled RAM from Adaptive Garbled RAM from Laconic Oblivious Transfer Sanjam Garg

Adaptive Garbled RAM from Adaptive Garbled RAM from Laconic Oblivious Transfer Sanjam Garg

Adaptive Garbled RAM from Adaptive Garbled RAM from Laconic Oblivious Transfer Sanjam Garg Sanjam Garg Rafail Ostrovsky Rafail Ostrovsky Akshayaram Srinivasan Akshayaram Srinivasan UC Berkeley UCLA UC Berkeley Crypto 2018 Garbled RAM

323 views • 20 slides
Concepts Introduced in Chapter 9 introduction to compiler optimizations basic blocks and

Concepts Introduced in Chapter 9 introduction to compiler optimizations basic blocks and

Concepts Introduced in Chapter 9 introduction to compiler optimizations basic blocks and control flow graphs local optimizations global optimizations 1 EECS 665 Compiler Construction Compiler Optimizations Compiler

454 views • 24 slides
Sequential Circuit Test Generation 1 Introduction Almost all practical digital systems are

Sequential Circuit Test Generation 1 Introduction Almost all practical digital systems are

Sequential Circuit Test Generation 1 Introduction Almost all practical digital systems are sequential circuits. Their testing is more complex than that of combinational circuits, due to two reasons: Internal memory states 1.

619 views • 35 slides
Verifying Optimizations using SMT Solvers Nuno Lopes technology Why verify optimizations? from

Verifying Optimizations using SMT Solvers Nuno Lopes technology Why verify optimizations? from

technology from seed Verifying Optimizations using SMT Solvers Nuno Lopes technology Why verify optimizations? from seed Catch bugs before they even exist Corner cases are hard to debug Time spent in additional verification step

1.34k views • 44 slides
Hashing Garbled Circuits for Free Xiong Fan, Chaya Ganesh and Vladimir Kolesnikov Motivation

Hashing Garbled Circuits for Free Xiong Fan, Chaya Ganesh and Vladimir Kolesnikov Motivation

Hashing Garbled Circuits for Free Xiong Fan, Chaya Ganesh and Vladimir Kolesnikov Motivation Garbled circuits (GC) main technique for secure computation Motivation Garbled circuits (GC) main technique for secure computation Primitive in

2k views • 188 slides
is Practical gnes Kiss Thomas Schneider TU Darmstadt Eurocrypt 2016 May 11, 2016 Universal

is Practical gnes Kiss Thomas Schneider TU Darmstadt Eurocrypt 2016 May 11, 2016 Universal

Valiant s Universal Circuit is Practical gnes Kiss Thomas Schneider TU Darmstadt Eurocrypt 2016 May 11, 2016 Universal Circuit (UC) There is a Boolean circuit of size O log for which it holds that for any Boolean

1.25k views • 65 slides
Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo

Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo

Better Concrete Security for Half-Gates Garbling (in the Multi-Instance Setting) Chun Guo Jonathan Katz Xiao Wang Chenkai Weng Yu Yu Yaos garbled circuits Two-party computation (2PC) Multiple optimizations

376 views • 20 slides
Science Olympiad Circuit Lab Key Concepts Circuit Lab Overview Circuit Elements &

Science Olympiad Circuit Lab Key Concepts Circuit Lab Overview Circuit Elements &

Science Olympiad Circuit Lab Key Concepts Circuit Lab Overview Circuit Elements & Tools Basic Relationships (I, V, R, P) Resistor Network Configurations (Series & Parallel) Kirchhoffs Laws Examples Glossary of

106 views • 9 slides
Khem Raj Embedded Linux Conference 2014, San Jose, CA } What is GCC } General Optimizations

Khem Raj Embedded Linux Conference 2014, San Jose, CA } What is GCC } General Optimizations

Khem Raj Embedded Linux Conference 2014, San Jose, CA } What is GCC } General Optimizations } GCC specific Optimizations } Embedded Processor specific Optimizations } Approaches to speed up compile time } Additional tools }

419 views • 29 slides
Density Estimation Optimizations for Global Illumination Rub en Garc a, Carlos Ure na,

Density Estimation Optimizations for Global Illumination Rub en Garc a, Carlos Ure na,

Introduction New optimizations Theoretical study Future Work Conclusion Density Estimation Optimizations for Global Illumination Rub en Garc a, Carlos Ure na, Jorge Revelles, Miguel Lastra, Rosana Montes Thursday, February 2,

383 views • 14 slides
Daydream: Accurately Estimating the Efficacy of Optimizations for DNN Training Hongyu Zhu 1,2 ,

Daydream: Accurately Estimating the Efficacy of Optimizations for DNN Training Hongyu Zhu 1,2 ,

Daydream: Accurately Estimating the Efficacy of Optimizations for DNN Training Hongyu Zhu 1,2 , Amar Phanishayee 3 , Gennady Pekhimenko 1,2 1 2 3 1 Executive Summary Motivation: Benefits of many DNN optimizations are not easy to exploit

449 views • 27 slides
Multiple Access garbled garbled what if the moderator what if the moderator s connection

Multiple Access garbled garbled what if the moderator what if the moderator s connection

What is it all about? Some simple solutions Consider an audioconference where Consider an audioconference where Use a moderator Use a moderator if one person speaks, all can hear if one person speaks, all can hear a speaker must

451 views • 10 slides
On Garbled Circuits Ignacio Navarro Imperial College London Department of Computing Supervisor:

On Garbled Circuits Ignacio Navarro Imperial College London Department of Computing Supervisor:

On Garbled Circuits Ignacio Navarro Imperial College London Department of Computing Supervisor: Mahdi Cheraghchi June 2018 Abstract A very useful cryptographic tool is to allow distrusting parties to jointly compute a function revealing the

1.03k views • 84 slides
Some Practical Applications of Con- straints planning, scheduling, timetabling (see

Some Practical Applications of Con- straints planning, scheduling, timetabling (see

Some Practical Applications of Con- straints planning, scheduling, timetabling (see Outline ILOG solver esp ecially) conguration what is a constraint electrical circuit analysis, synthesis, and di-

155 views • 14 slides
Compiler Construction Lecture 16: Introduction to optimizations 2020-03-03 Michael Engel

Compiler Construction Lecture 16: Introduction to optimizations 2020-03-03 Michael Engel

Compiler Construction Lecture 16: Introduction to optimizations 2020-03-03 Michael Engel Overview Optimizations Definition, objectives, location in the compiler tool flow Obtaining and applying evaluation criteria Common vs.

537 views • 18 slides
k -Round Multiparty Computation from k -Round Oblivious Transfer via Garbled Interactive Circuits

k -Round Multiparty Computation from k -Round Oblivious Transfer via Garbled Interactive Circuits

k -Round Multiparty Computation from k -Round Oblivious Transfer via Garbled Interactive Circuits Fabrice Benhamouda Huijia (Rachel) Lin IBM Research / Columbia University, US University of California, Santa Barbara, US Eurocrypt 2018, May 1,

1.03k views • 85 slides

More recommend