SLIDE 1
Garbled Circuits
[Yao 86, Applebaum-Ishai-Kushilevitz 04, Bellare-Hoang-Rogaway 12]
! " ! GarbleCkt + + # GarbleInp # $ ! " + # $ Eval !(#)
Ad Adapti tive e Garb rbled ed Ci Circuits ts with th Near - - PowerPoint PPT Presentation
Ad Adapti tive e Garb rbled ed Ci Circuits ts with th Near - - PowerPoint PPT Presentation
Ad Adapti tive e Garb rbled ed Ci Circuits ts with th Near Op Ne Optima mal On Online C Comp mplexi xity Sanjam Garg Akshayaram Srinivasan University of California, Berkeley Eurocrypt 2018 Garbled Circuits [Yao 86,
SLIDE 2
SLIDE 3
Security
!, #
- Toss a coin (
- If ( = 0:
- Generate !
", # $ honestly.
- Else:
- Generate !
", # $ as the
- utput of )*+(!(#)).
! ", # $
Selective: Adaptive:
!
- Toss a coin (
- If ( = 0:
- Generate !
" honestly.
- Generate #
$ honestly.
- Else:
- Generate !
" as the output
- f )*+(1|/|).
- Generate #
$ as the output
- f )*+ ! #
.
! " Guess ( # # $ Guess (
Offline Online
SLIDE 4
Why is Adaptive security important?
[Bellare-Hoang-Rogaway 12]
Online/Offline 2PC
[Lindell-Ben Riva 14]
One-Time Programs
[Goldwasser-Kalai-Rothblum 08]
Verifiable Computation
[Gennaro-Gentry-Parno 10]
Adaptive, Compact FE
[Ananth-Sahai 16]
Efficiency of these applications depend
- n the online
complexity
SLIDE 5
Prior Work
- 1. Random Oracle Model [BHR12]
- 2. Incur an exponential loss in security [BGG+14]
- 3. Online cost grows with circuit width or depth
[HJOSW16,JW16,JKKKPW17] Lower Bound: Applebaum et al. showed that online cost must ≥ 2 + +. Can we construct adaptive garbling scheme with better online complexity?
SLIDE 6
Our Result
Theorem: Assuming either CDH/Factoring/LWE, there exists a construction of adaptive garbled circuits with:
- Near Optimal Online Cost: 2 + + + 4567(8)
- Polynomial security loss
- Standard Model
SLIDE 7
Construction
SLIDE 8
Alternate View of a Boolean Circuit
9: 9; 9< #: #; #< #: #; #< )!: )!; )!< 9: 9; 9<
SLIDE 9
Garbling the Database – Use a One-time Pad
#: ⊕ >
:
)!: >
:, > ;, > ?
)!; >
;, > <, > @
)!< >
?, > @, > A
#; ⊕ >
; #< ⊕ > < 9: ⊕ > ?
9; ⊕ >
@ 9< ⊕ > A
SLIDE 10
Garbling Step Circuits
#: ⊕ >
:
)!: B >
:, > ;, > ?
)!; B >
;, > <, > @
)!< B >
?, > @, > A
#; ⊕ >
; #< ⊕ > <
Access the database via Laconic OT
SLIDE 11
Updatable Laconic Oblivious Transfer
[Cho-Dottling-Garg-Gupta-Miao-Polychroniadou 17]
CDEℎ Database D ℎ GHDI(ℎ, *, +J, +:) K>*LH(ℎ, *, () MN ℎ′ +P[R] ≔ UVD6GHDI(W, MN) Theorem[CDG+16,DG17,BLSV18,DGHM18]: Assuming CDH/Factoring/LWE, there exists a construction of updatable laconic OT.
SLIDE 12
Using Laconic OT to access the database
#: ⊕ >
:
)!: B >
:, > ;, > ?
#; ⊕ >
; #< ⊕ > <
ℎ′ GHDI 9: ⊕ >
?
ℎ )!; B >
;, > <, > @
K>*LH
SLIDE 13
Garbling Step Circuits
#: ⊕ >
:
)!: B >
:, > ;, > ?
)!; B >
;, > <, > @
)!< B >
?, > @, > A
#; ⊕ >
; #< ⊕ > <
Access the database via Laconic OT
# $ = (#:⊕ >
:, #; ⊕ > ;, #< ⊕ > <, > A, {6D(R,bc}) ! "
SLIDE 14
Adaptive Security Proof
SLIDE 15
Simulated Distribution
>
:
)!:′ B >
?
)!; B ′ >
@
)!< B ′ >
A
>
;
>
<
>
?
>
@
>
A
SLIDE 16
Hybrid Argument
Real World: Ideal World: Hyb 1: Hyb 2: Hyb 3: . . .
SLIDE 17
Going from Real World to Hyb 1
Real World: Hyb 1: Intermediate:
SLIDE 18
Some More Details about the Proof
- How to garble a step circuit in the “brown” mode in the offline
phase?
- Guess the output of these gates!
- Logarithmic number of step circuits in “brown” mode.
- A combinatorial pebbling argument. (See our paper)
- Optimal strategy for a pebbling game => Sequence of hybrids
SLIDE 19
Conclusion
- We gave a construction of adaptive garbled circuits with near optimal
- nline complexity from standard cryptographic assumptions.
- In a follow-up work [Garg-Ostrovsky-S], we give a construction of
adaptive garbled RAM with near optimal online complexity under the same assumptions.
- Open questions:
- Improving the assumptions?
- Concrete efficiency?
Th Than ank you
- u!