The Whole is Greater than the Sum of its Parts: Linear Garbling and - PowerPoint PPT Presentation

The Whole is Greater than the Sum of its Parts: Linear Garbling and Applications Tal Malkin 1 Valerio Pastro 1 abhi shelat 2 1 Columbia University 2 University of Virginia June 10, 2015 Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 1 / 18

Some complex system... The solar system: Geocentric Model – 1400 AD Credit: http://en.wikipedia.org/wiki/Deferent_and_epicycle Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 2 / 18

...can made simple, by changing perspective. The solar system – today Credit: http://history.nasa.gov/SP-4212/p427.html Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 3 / 18

More Context: Our system: linear garbling New perspective: linear garbling seen as linear secret sharing simple properties ⇒ simulation-based security Why? simpler model ⇒ more advanced schemes Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 4 / 18

What is garbling? [BHR12] C Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 5 / 18

� � � What is garbling? [BHR12] C gb gb gb Enc Dec GC Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 5 / 18

� � � � What is garbling? [BHR12] x C gb gb gb Enc Dec GC IN Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 5 / 18

� � � � What is garbling? [BHR12] x C gb gb gb Enc Dec GC � Y IN Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 5 / 18

� � � � � What is garbling? [BHR12] x y C gb gb gb Enc Dec GC � Y IN Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 5 / 18

� � � � � What is garbling? [BHR12] � y x C gb gb gb Enc Dec GC � Y IN Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 5 / 18

� � � � � What is garbling? [BHR12] � y x C gb gb gb Enc Dec GC � Y IN Security: �� GC , Enc , Dec � ← gb ( 1 λ , C ) , IN ← Enc ( x ) : � GC , IN , Dec �� � S ( 1 λ , C , C ( x )) � λ ≈ c λ Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 5 / 18

� � � � � What is garbling? [BHR12] � y x C gb gb gb Enc Dec GC � Y IN Security: �� GC , Enc , Dec � ← gb ( 1 λ , C ) , IN ← Enc ( x ) : � GC , IN , Dec �� � S ( 1 λ , C , C ( x )) � λ ≈ c λ Focus on: boolean circuits, communication complexity (size of GC ) Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 5 / 18

Can we do better? × λ bits Scheme XOR AND Yao [Yao82] 4 4 GRR2 [PSSW09] 2 2 Free-XOR + GRR3 [KS08, NPS99] 0 3 FleXOR [KMR14] 2/1/0 2 Half-gates [ZRE15] 0 2 Table : Per-gate communication complexity. Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 6 / 18

Can we do better? × λ bits Scheme XOR AND Yao [Yao82] 4 4 GRR2 [PSSW09] 2 2 Free-XOR + GRR3 [KS08, NPS99] 0 3 FleXOR [KMR14] 2/1/0 2 Half-gates [ZRE15] 0 2 [ZRE15]: any linear, gate-by-gate scheme ≥ 2 Table : Per-gate communication complexity. Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 6 / 18

How can we circumvent the lowerbound? linear, not gate-by-gate not linear, gate-by-gate Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 7 / 18

How can we circumvent the lowerbound? linear, not gate-by-gate ⇐ this talk not linear, gate-by-gate Approaching “ not gate-by-gate” garbling: slice circuit in small “units” garble unit-by-unit Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 7 / 18

How can we circumvent the lowerbound? linear, not gate-by-gate ⇐ this talk not linear, gate-by-gate Approaching “ not gate-by-gate” garbling: slice circuit in small “units” garble unit-by-unit Note: if units are gates ⇒ our scheme = half-gates Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 7 / 18

How can we circumvent the lowerbound? linear, not gate-by-gate ⇐ this talk not linear, gate-by-gate Approaching “ not gate-by-gate” garbling: slice circuit in small “units” garble unit-by-unit Note: if units are gates ⇒ our scheme = half-gates Large units ⇒ hard proofs ⇒ need for easier framework Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 7 / 18

Linear garbling [ZRE15] Intuition: garbler and evaluator: RO calls and linear functions only $ Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 8 / 18

Linear garbling [ZRE15] Intuition: garbler and evaluator: RO calls and linear functions only $ = � $ → S � Q Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 8 / 18

Linear garbling [ZRE15] Intuition: garbler and evaluator: RO calls and linear functions only � IN $ C 0 = � � $ → S → M S = C 1 � Q GC Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 8 / 18

Linear garbling [ZRE15] Intuition: garbler and evaluator: RO calls and linear functions only � IN $ C 0 = � � $ → S → M S = C 1 � Q GC ↓ IN GC Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 8 / 18

Linear garbling [ZRE15] Intuition: garbler and evaluator: RO calls and linear functions only � IN $ C 0 = � � $ → S → M S = C 1 � Q GC ↓ IN IN � → GC = G S GC Q Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 8 / 18

Linear garbling [ZRE15] Intuition: garbler and evaluator: RO calls and linear functions only � IN $ C 0 = � � $ → S → M S = C 1 � Q GC ↓ T IN IN � � � → GC = G S → E G S = C ∗ GC Q Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 8 / 18

Linear garbling [ZRE15] Intuition: garbler and evaluator: RO calls and linear functions only � IN � IN C 0 $ C 1 C 0 = � � � $ → S → M S = → = F S C 1 � GC Q GC � Q ↓ T IN IN � � � → GC = G S → E G S = C ∗ GC Q Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 8 / 18

Linear garbling [ZRE15] Intuition: garbler and evaluator: RO calls and linear functions only � IN � IN C 0 $ C 1 C 0 = � � � $ → S → M S = → = F S C 1 � GC Q GC � Q ↓ ↓ T IN IN � � � → GC = G S → E G S = C ∗ GC Q Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 8 / 18

Linear garbling [ZRE15] Intuition: garbler and evaluator: RO calls and linear functions only � IN � IN C 0 $ C 1 C 0 = � � � $ → S → M S = → = F S C 1 � GC Q GC � Q ↓ ↓ T IN IN � � � → GC = G S → E G S = C ∗ GC Q Possible interpretation: F : secret sharing scheme for both C 0 , C 1 G : rows corresponding to shares given to evaluator Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 8 / 18

Yao Garbling – gb ( M matrix) A 0 , A 1 C 0 , C 1 B 0 , B 1 G 0 , 0 = H ( A 0 � B 0 ) ⊕ C 0 = Enc A 0 , B 0 ( C 0 ) G 0 , 1 = H ( A 0 � B 1 ) ⊕ C 0 = Enc A 0 , B 1 ( C 0 ) G 1 , 0 = H ( A 1 � B 0 ) ⊕ C 0 = Enc A 1 , B 0 ( C 0 ) G 1 , 1 = H ( A 1 � B 1 ) ⊕ C 1 = Enc A 1 , B 1 ( C 1 ) Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 9 / 18

Yao Garbling – gb ( M matrix) A 0 , A 1 C 0 , C 1 B 0 , B 1 G 0 , 0 = H ( A 0 � B 0 ) ⊕ C 0 = Enc A 0 , B 0 ( C 0 ) G 0 , 1 = H ( A 0 � B 1 ) ⊕ C 0 = Enc A 0 , B 1 ( C 0 ) G 1 , 0 = H ( A 1 � B 0 ) ⊕ C 0 = Enc A 1 , B 0 ( C 0 ) G 1 , 1 = H ( A 1 � B 1 ) ⊕ C 1 = Enc A 1 , B 1 ( C 1 )       A 0 1 0 0 0 0 0 0 0 0 0 A 0 A 1 0 1 0 0 0 0 0 0 0 0 A 1        B 0   0 0 1 0 0 0 0 0 0 0   B 0        B 1 0 0 0 1 0 0 0 0 0 0 B 1             C 0 0 0 0 0 1 0 0 0 0 0 C 0   =     0 0 0 0 0 1 0 0 0 0 C 1 C 1             G 0 , 0 0 0 0 0 1 0 1 0 0 0 H ( A 0 � B 0 )       0 0 0 0 1 0 0 1 0 0 H ( A 0 � B 1 )  G 0 , 1      G 1 , 0 0 0 0 0 1 0 0 0 1 0 H ( A 1 � B 0 ) 0 0 0 0 0 1 0 0 0 1 H ( A 1 � B 1 ) G 1 , 1 Malkin, Pastro, shelat (Columbia, Virginia) New Garbling June 10, 2015 9 / 18