is Practical gnes Kiss Thomas Schneider TU Darmstadt Eurocrypt - - PowerPoint PPT Presentation

β–Ά
is practical
SMART_READER_LITE
LIVE PREVIEW

is Practical gnes Kiss Thomas Schneider TU Darmstadt Eurocrypt - - PowerPoint PPT Presentation

Dec 28, 2022 582 likes β€’1.26k views

Valiant s Universal Circuit is Practical gnes Kiss Thomas Schneider TU Darmstadt Eurocrypt 2016 May 11, 2016 Universal Circuit (UC) There is a Boolean circuit of size O log for which it holds that for any Boolean

slide-1
SLIDE 1

Valiant’s Universal Circuit is Practical

Ágnes Kiss Thomas Schneider TU Darmstadt Eurocrypt 2016 May 11, 2016

slide-2
SLIDE 2

Leslie G. Valiant 1976

Universal Circuit (UC) There is a Boolean circuit 𝑉𝐷 of size O π‘œ log π‘œ for which it holds that for any Boolean function 𝑔 of size π‘œ 𝑉𝐷 can be made to compute 𝑔.

𝑔

𝑉𝐷

2

slide-3
SLIDE 3

Universal Circuit (UC) There is a Boolean circuit 𝑉𝐷 of size O π‘œ log π‘œ for which it holds that for any Boolean function 𝑔 of size π‘œ there exists a programming π‘ž such that for any input 𝑦: 𝑉𝐷 π‘ž, 𝑦 = 𝑔 𝑦 .

𝑔(𝑦) 𝑦 𝑦 π‘ž

𝑉𝐷(π‘ž, 𝑦)

Leslie G. Valiant 1976

2

slide-4
SLIDE 4

UC Applications

Verifiable computation Program obfuscation Attribute-based encryption Private function evaluation

3

slide-5
SLIDE 5

𝑔(𝑦, 𝑧) 𝑧 𝑦

Secure Function Evaluation

4

𝑔

slide-6
SLIDE 6

SFE

𝑔

𝑔(𝑦, 𝑧) 𝑧 𝑦

Secure Function Evaluation

4

slide-7
SLIDE 7

SFE

𝑔

𝑔(𝑦, 𝑧) 𝑧 𝑦

Secure Function Evaluation

4

slide-8
SLIDE 8

SFE 𝑔(𝑦, 𝑧) 𝑧 𝑦

Secure Function Evaluation

𝑔

4

slide-9
SLIDE 9

𝑔(𝑦, 𝑧) 𝑧 𝑦

Secure Function Evaluation

βžͺ Yao’s Garbled Circuit Protocol βžͺ Goldreich-Micali-Wigderson Protocol

𝐷

Boolean circuit

4

slide-10
SLIDE 10

PFE 𝑦

Private Function Evaluation

𝑔 𝑔(𝑦) 𝑔(𝑦)

5

slide-11
SLIDE 11

𝑦

Private Function Evaluation

𝐷𝑣, 𝑀, 𝑙 𝑔(𝑦) 𝑔(𝑦) PFE

5

slide-12
SLIDE 12

𝑦

Private Function Evaluation

π‘ž 𝑔(𝑦) 𝑔(𝑦) 𝑉𝐷(π‘ž, 𝑦) 𝑉𝐷(π‘ž, 𝑦)

𝑉𝐷𝑣,𝑀,𝑙

5

slide-13
SLIDE 13

PFE Applications

Software diagnostics Medical diagnostics Private databases Private search queries

6

slide-14
SLIDE 14

C (size: π‘œ = 𝑣 + 𝑀 + 𝑙)

UC Construction

7

slide-15
SLIDE 15

C (size: π‘œ = 𝑣 + 𝑀 + 𝑙)

UC Construction

UC Generation

7

slide-16
SLIDE 16

C (size: π‘œ = 𝑣 + 𝑀 + 𝑙) Universal Circuit UC Programming bits p

UC Construction

UC Generation

7

slide-17
SLIDE 17

Existing UC Constructions [Val76] [KS08] Size O(π‘œ log π‘œ) O(π‘œ log2 π‘œ) Depth O(π‘œ) O(π‘œ log π‘œ) Implemented

[Val76] L. G. Valiant: Universal circuits (preliminary report). In STOC 1976. [KS08] V. Kolesnikov, T. Schneider: A practical universal circuit construction and secure evaluation of private functions. In FC 2008.

8

slide-18
SLIDE 18

Valiant’s UC Construction

π‘œ Universal Graph UG Universal Circuit UC

GENERATION

[Val76] L. G. Valiant: Universal circuits (preliminary report). In STOC 1976.

9

slide-19
SLIDE 19

Valiant’s UC Construction

C size ≀ π‘œ π‘œ Universal Graph UG Universal Circuit UC

C

GENERATION PROGRAMMING

[Val76] L. G. Valiant: Universal circuits (preliminary report). In STOC 1976.

9

slide-20
SLIDE 20

Valiant’s UC Construction

C size ≀ π‘œ Graph GC

[Val76] L. G. Valiant: Universal circuits (preliminary report). In STOC 1976.

π‘œ Universal Graph UG Universal Circuit UC

GC C

GENERATION PROGRAMMING

9

slide-21
SLIDE 21

Valiant’s UC Construction

C size ≀ π‘œ Graph GC π‘œ Universal Graph UG Universal Circuit UC

GENERATION PROGRAMMING

Edge-embedding E

GC

[Val76] L. G. Valiant: Universal circuits (preliminary report). In STOC 1976.

9

slide-22
SLIDE 22

Valiant’s UC Construction

C size ≀ π‘œ Graph GC π‘œ Universal Graph UG Universal Circuit UC

GENERATION PROGRAMMING

Edge-embedding E

GC

[Val76] L. G. Valiant: Universal circuits (preliminary report). In STOC 1976.

9

slide-23
SLIDE 23

Valiant’s UC Construction

C size ≀ π‘œ Graph GC π‘œ Universal Graph UG Universal Circuit UC

GENERATION PROGRAMMING

Edge-embedding E

GC

[Val76] L. G. Valiant: Universal circuits (preliminary report). In STOC 1976.

9

slide-24
SLIDE 24

Valiant’s UC Construction

C size ≀ π‘œ Graph GC π‘œ Universal Graph UG Universal Circuit UC

GENERATION PROGRAMMING

Edge-embedding E

GC

[Val76] L. G. Valiant: Universal circuits (preliminary report). In STOC 1976.

9

slide-25
SLIDE 25

Valiant’s UC Construction

C size ≀ π‘œ Graph GC π‘œ Universal Graph UG Universal Circuit UC

GENERATION PROGRAMMING

Edge-embedding E

GC

[Val76] L. G. Valiant: Universal circuits (preliminary report). In STOC 1976.

9

slide-26
SLIDE 26

Valiant’s UC Construction

C size ≀ π‘œ Graph GC Universal Graph UG Edge-embedding E Universal Circuit UC Programming bits p π‘œ

GENERATION PROGRAMMING

[Val76] L. G. Valiant: Universal circuits (preliminary report). In STOC 1976.

9

slide-27
SLIDE 27

Valiant’s UC Construction

C size ≀ π‘œ Graph GC Universal Graph UG Edge-embedding E Universal Circuit UC Programming bits p π‘œ

GENERATION PROGRAMMING

[Val76] L. G. Valiant: Universal circuits (preliminary report). In STOC 1976.

9

slide-28
SLIDE 28

Embedding algorithm Refined size of construction UC compiler

Our Contributions Valiant’s universal circuit is practical.

10

slide-29
SLIDE 29

UG Embedding Algorithm

Graph GC Universal Graph UG Edge-embedding E

PROGRAMMING

11

slide-30
SLIDE 30

Recursive UG Construction

π‘‰π»π‘œ 𝑉𝐻

π‘œ 2 1

𝑉𝐻

π‘œ 2 2

...

12

slide-31
SLIDE 31

Recursive UG Construction

π‘‰π»π‘œ 𝑉𝐻

π‘œ 2 1

𝑉𝐻

π‘œ 2 2

𝑉𝐻

π‘œ 4 11

𝑉𝐻

π‘œ 4 12

𝑉𝐻

π‘œ 4 22

𝑉𝐻

π‘œ 4 21

...

... ... ... ...

12

slide-32
SLIDE 32

Recursive UG Construction

π‘‰π»π‘œ 𝑉𝐻

π‘œ 2 1

𝑉𝐻

π‘œ 2 2

𝑉𝐻

π‘œ 4 11

𝑉𝐻

π‘œ 4 12

𝑉𝐻

π‘œ 4 21

𝑉𝐻

π‘œ 4 22

𝑉𝐻

π‘œ 8 111 𝑉𝐻 π‘œ 8 112

𝑉𝐻

π‘œ 8 121 𝑉𝐻 π‘œ 8 122

𝑉𝐻

π‘œ 8 211 𝑉𝐻 π‘œ 8 212

𝑉𝐻

π‘œ 8 221 𝑉𝐻 π‘œ 8 222

12

slide-33
SLIDE 33

Recursive UG Construction

π‘‰π»π‘œ 𝑉𝐻

π‘œ 2 1

𝑉𝐻

π‘œ 2 2

𝑉𝐻

π‘œ 4 11

𝑉𝐻

π‘œ 4 12

𝑉𝐻

π‘œ 4 21

𝑉𝐻

π‘œ 4 22

𝑉𝐻

π‘œ 8 111 𝑉𝐻 π‘œ 8 112

𝑉𝐻

π‘œ 8 121 𝑉𝐻 π‘œ 8 122

𝑉𝐻

π‘œ 8 211 𝑉𝐻 π‘œ 8 212

𝑉𝐻

π‘œ 8 221 𝑉𝐻 π‘œ 8 222

12

slide-34
SLIDE 34

GC

Edge-Embedding

13

slide-35
SLIDE 35

H2

Edge-Embedding

H1 GC

13

slide-36
SLIDE 36

H2

Edge-Embedding

G2 G1 H1 GC

13

slide-37
SLIDE 37

H2

Edge-Embedding

G2 G1 H1 GC H11 H12 H21 H22

13

slide-38
SLIDE 38

H2

Edge-Embedding

H1 H11 H12 H21 H22

13

slide-39
SLIDE 39

H2

Edge-Embedding

H1 H11 H12 H21 H22 G11 G12 G21 G22

13

slide-40
SLIDE 40

H2

Edge-Embedding

H1 H11 H12 H21 H22 H111 H112 H121 H122 H211 H212 H221 H222

13

slide-41
SLIDE 41

H2

Edge-Embedding

H1 H11 H12 H21 H22 H111 H112 H121 H122 H211 H212 H221 H222

13

slide-42
SLIDE 42

H2

Edge-Embedding

H1 H11 H12 H21 H22 H111 H112 H121 H122 H211 H212 H221 H222

13

slide-43
SLIDE 43

H2

Edge-Embedding

H1 H11 H12 H21 H22 H111 H112 H121 H122 H211 H212 H221 H222 GC

14

slide-44
SLIDE 44

Recursive UG Construction

π‘‰π»π‘œ 𝑉𝐻

π‘œ 2 1

𝑉𝐻

π‘œ 2 2

𝑉𝐻

π‘œ 4 11

𝑉𝐻

π‘œ 4 12

𝑉𝐻

π‘œ 4 21

𝑉𝐻

π‘œ 4 22

𝑉𝐻

π‘œ 8 111 𝑉𝐻 π‘œ 8 112

𝑉𝐻

π‘œ 8 121 𝑉𝐻 π‘œ 8 122

𝑉𝐻

π‘œ 8 211 𝑉𝐻 π‘œ 8 212

𝑉𝐻

π‘œ 8 221 𝑉𝐻 π‘œ 8 222

15

slide-45
SLIDE 45

Embedding algorithm Refined size of construction UC compiler

Our Contributions Valiant’s universal circuit is practical.

16

slide-46
SLIDE 46

Size of Universal Graph

Our upper bound Our lower bound

Size of the universal graph Size of original graph

Exact number of nodes 𝐺 π‘œ = 2𝐺

π‘œβˆ’2 2

+ 5 π‘œβˆ’2

2

, if π‘œ is even 𝐺 π‘œ = 𝐺

π‘œβˆ’1 2

+ 𝐺

π‘œβˆ’3 2

+ 5 π‘œβˆ’3

2

+ 3, if π‘œ is odd

17

slide-47
SLIDE 47

Size of Universal Graph

Our upper bound: 2.5π‘œ log2 π‘œ βˆ’ 9π‘œ + 5 log2 π‘œ + 10 Our lower bound: 2.5π‘œ log2 π‘œ βˆ’ 4π‘œ + 2.5 log2 π‘œ + 5

Size of the universal graph Size of original graph

Exact number of nodes

17

slide-48
SLIDE 48

Deviation of Estimated Size and Exact Size

Devination in percentage Size of original graph

2.5π‘œ log2 π‘œ βˆ’ 6.5π‘œ + 3.75 log2 π‘œ + 7.5 𝐺 π‘œ = 2𝐺

π‘œβˆ’2 2

+ 5 π‘œβˆ’2

2

, if π‘œ is even 𝐺 π‘œ = 𝐺

π‘œβˆ’1 2

+ 𝐺

π‘œβˆ’3 2

+ 5 π‘œβˆ’3

2

+ 3, if π‘œ is odd

18

slide-49
SLIDE 49

Size of the UC Constructions [KS08]

Size of the universal circuit Number of gates

2860

19

slide-50
SLIDE 50

Revised size of the UC Constructions

Size of the universal circuit Number of gates

1070 2860

19

slide-51
SLIDE 51

PFE Comparison – Symmetric-Key Operations [KS08] construction Valiant’s construction (revised) [MS13] OT-based protocol

Symmetric-key operations

19 656 (DES) 27 429 (AES) 43 874 (MD5) 7 103 (MULT32)

20

slide-52
SLIDE 52

PFE Comparison – Symmetric-Key Operations [KS08] construction Valiant’s construction (revised) [MS13] OT-based protocol

Symmetric-key operations

(size)

7 103 (MULT32) 19 656 (DES) 27 429 (AES) 43 874 (MD5) [MS13]: P. Mohassel, S. S. Sadeghian. How to hide circuits in MPC an efficient framework for private function evaluation. In Eurocrypt 2013.

20

slide-53
SLIDE 53

Embedding algorithm Refined size of construction UC compiler

Our Contributions Valiant’s universal circuit is practical.

21

slide-54
SLIDE 54

UC Implementation

C0 𝑔 SHDL

[MNPS04] D. Malkhi, N. Nisan, B. Pinkas, Y. Sella. Fairplay-Secure Two-Party Computation

  • System. In USENIX Security Symposium 2004.

22

slide-55
SLIDE 55

UC Implementation

C0 𝑔 C size ≀ π‘œ

3 1 1 2 2 3

ID

22

slide-56
SLIDE 56

UC Implementation

C0 𝑔 C size ≀ π‘œ Graph GC

GC C

22

slide-57
SLIDE 57

UC Implementation

Graph GC Universal Graph UG π‘œ C0 𝑔 C size ≀ π‘œ

22

slide-58
SLIDE 58

UC Implementation

Graph GC Universal Graph UG Edge-embedding E π‘œ

UC Compiler

C0 𝑔 C size ≀ π‘œ

22

slide-59
SLIDE 59

UC Implementation

C0 𝑔 C size ≀ π‘œ Graph GC Universal Graph UG Edge-embedding E Universal Circuit UC Programming bits p

UC Compiler

π‘œ

22

slide-60
SLIDE 60

PFE Implementation

UC Compiler

C size ≀ π‘œ C0 f Universal Circuit UC Programming bits p

23

slide-61
SLIDE 61

PFE Implementation

ABY Framework

[DSZ15] D. Demmler, T. Schneider, M. Zohner. ABY–a framework for efficient mixed-protocol secure two-party computation. In NDSS 2015.

x

UC Compiler

UC(p, x) = f(x) Universal Circuit UC Programming bits p C size ≀ π‘œ C0 f

23

slide-62
SLIDE 62

Experimental Results – UC Compiler

Private function (circuit size) UC Compile (ms) UC I/O (ms) PFE (GMW) (ms) PFE (Yao) (ms) MULT32 7 103 329 1443 1092 540 DES 19 656 1596 4174 2695 1311 AES 27 429 2104 5064 5522 2349 MD5 43 874 4043 8785 7041 3548

UC Compiler

ABY Framework

24

slide-63
SLIDE 63

Embedding algorithm Refined size of construction UC compiler

Conclusion Valiant’s universal circuit is practical.

25

slide-64
SLIDE 64

Conclusion Valiant’s universal circuit is practical.

25

Thank you for your attention!

Embedding algorithm Refined size of construction UC compiler

slide-65
SLIDE 65

References

[Val76] L. G. Valiant: Universal circuits (preliminary report). In STOC 1976. [KS08] V. Kolesnikov, T. Schneider: A practical universal circuit construction and secure evaluation of private functions. In FC 2008. [MNPS04] D. Malkhi, N. Nisan, B. Pinkas, Y. Sella. Fairplay-Secure Two- Party Computation System. In USENIX Security Symposium 2004. [MS13]: P. Mohassel, S. S. Sadeghian. How to hide circuits in MPC an efficient framework for private function evaluation. In Eurocrypt 2013. [DSZ15] D. Demmler, T. Schneider, M. Zohner. ABY–a framework for efficient mixed-protocol secure two-party computation. In NDSS 2015.