. Vladimir Kolesnikov . . Payman Mohassel Mike Rosulek . - - PowerPoint PPT Presentation

SLIDE 1

.

.

fleXOR: flexible garbling for XOR gates that beats free-XOR

. .

Vladimir Kolesnikov ≫

• Payman Mohassel ≫

◮

Mike Rosulek ≫ .

SLIDE 2

.

.

background

1

.

SLIDE 3

.

.

background: garbled circuit

.

false: A0 true: A1

.

false: B0 true: B1

.

false: C0 true: C1

.

EncA

B

C EncA

B

C EncA

B

C EncA

B

C

.

SLIDE 4

.

.

background: garbled circuit

.

false: A0 true: A1

.

false: B0 true: B1

.

false: C0 true: C1

.

EncA0,B0(C0) EncA0,B1(C1) EncA1,B0(C1) EncA1,B1(C0)

.

SLIDE 5

.

.

background: garbled circuit

.

false: A0 true: A1

.

false: B0 true: B1

.

false: C0 true: C1

.

EncA0,B0(C0) EncA0,B1(C1) EncA1,B0(C1) EncA1,B1(C0)

.

SLIDE 6

.

.

background: row reduction

.

SLIDE 7

.

.

background: row reduction

.

false: A0 true: A1

.

false: B0 true: B1

.

false: C0 true: C1

.

C DecA

B n

.

EncA0,B0(C0) EncA0,B1(C0) EncA1,B0(C0) EncA1,B1(C1)

.

Garbled row reduction [NaorPinkasSumner99,PinkasSchneiderSmartWilliams09]

. . Fix one of the ciphertexts to be all zeroes Corresponding wire label must be Dec

n , not uniform

Only 3 ciphertexts needed for garbled gate More advanced technique reduces size to 2 ciphertexts .

SLIDE 8

.

.

background: row reduction

.

false: A0 true: A1

.

false: B0 true: B1

.

false: C0 true: C1

.

C DecA

B n

.

EncA0,B0(C0) 0n EncA0,B1(C0) EncA1,B0(C0) EncA1,B1(C1)

.

Garbled row reduction [NaorPinkasSumner99,PinkasSchneiderSmartWilliams09]

. .

◮ Fix one of the ciphertexts to be all zeroes

Corresponding wire label must be Dec

n , not uniform

Only 3 ciphertexts needed for garbled gate More advanced technique reduces size to 2 ciphertexts .

SLIDE 9

.

.

background: row reduction

.

false: A0 true: A1

.

false: B0 true: B1

.

false: C0 true: C1

.

C0 := DecA0,B0(0n)

.

EncA0,B0(C0) 0n EncA0,B1(C0) EncA1,B0(C0) EncA1,B1(C1)

.

Garbled row reduction [NaorPinkasSumner99,PinkasSchneiderSmartWilliams09]

. .

◮ Fix one of the ciphertexts to be all zeroes ◮ Corresponding wire label must be Dec(0n), not uniform

Only 3 ciphertexts needed for garbled gate More advanced technique reduces size to 2 ciphertexts .

SLIDE 10

.

.

background: row reduction

. .

false: A0 true: A1

.

false: B0 true: B1

.

false: C0 true: C1

.

C0 := DecA0,B0(0n)

.

EncA0,B1(C0) EncA1,B0(C0) EncA1,B1(C1)

.

Garbled row reduction [NaorPinkasSumner99,PinkasSchneiderSmartWilliams09]

. .

◮ Fix one of the ciphertexts to be all zeroes ◮ Corresponding wire label must be Dec(0n), not uniform ◮ Only 3 ciphertexts needed for garbled gate ◮ More advanced technique reduces size to 2 ciphertexts

.

SLIDE 11

.

.

background: offsets & free XOR

.

SLIDE 12

.

.

background: offsets & free XOR

. .

false: A0 true: A1

• ffset:

A0 ⊕ A1

.

false: B0 true: B1

• ffset:

B0 ⊕ B1

.

false: C0 true: C1

• ffset:

C0 ⊕ C1

.

Definition

. . Offset of a wire = XOR of its two wire labels .

Free XOR optimization [KolesnikovSchneider08]:

. . all wires have same (secret) offset wire labels for XOR gate satisfy C A B compute output wire label by XOR’ing input wire labels (no crypto!) .

SLIDE 13

.

.

background: offsets & free XOR

. .

false: A true: A ⊕ ∆A

• ffset: ∆A

.

false: B true: B ⊕ ∆B

• ffset: ∆B

.

false: C true: C ⊕ ∆C

• ffset: ∆C

.

Definition

. . Offset of a wire = XOR of its two wire labels .

Free XOR optimization [KolesnikovSchneider08]:

. . all wires have same (secret) offset wire labels for XOR gate satisfy C A B compute output wire label by XOR’ing input wire labels (no crypto!) .

SLIDE 14

.

.

background: offsets & free XOR

. .

false: A true: A ⊕ ∆

• ffset: ∆

.

false: B true: B ⊕ ∆

• ffset: ∆

.

false: C true: C ⊕ ∆

• ffset: ∆

.

Definition

. . Offset of a wire = XOR of its two wire labels .

Free XOR optimization [KolesnikovSchneider08]:

. .

◮ all wires have same (secret) offset ∆

wire labels for XOR gate satisfy C A B compute output wire label by XOR’ing input wire labels (no crypto!) .

SLIDE 15

.

.

background: offsets & free XOR

. .

false: A true: A ⊕ ∆

• ffset: ∆

.

false: B true: B ⊕ ∆

• ffset: ∆

.

false: A ⊕ B true: A ⊕ B ⊕ ∆

• ffset: ∆

.

Definition

. . Offset of a wire = XOR of its two wire labels .

Free XOR optimization [KolesnikovSchneider08]:

. .

◮ all wires have same (secret) offset ∆ ◮ wire labels for XOR gate satisfy C = A ⊕ B

compute output wire label by XOR’ing input wire labels (no crypto!) .

SLIDE 16

.

.

background: offsets & free XOR

. .

false: A true: A ⊕ ∆

• ffset: ∆

.

false: B true: B ⊕ ∆

• ffset: ∆

.

false: A ⊕ B true: A ⊕ B ⊕ ∆

• ffset: ∆

.

Definition

. . Offset of a wire = XOR of its two wire labels .

Free XOR optimization [KolesnikovSchneider08]:

. .

◮ all wires have same (secret) offset ∆ ◮ wire labels for XOR gate satisfy C = A ⊕ B ◮ compute output wire label by XOR’ing input wire labels (no crypto!)

.

SLIDE 17

.

.

free XOR

.

Free XOR limitations:

. .

• 1. Requires strong circularity hardness assumption

[ChoiKatzKumaresanZhou12]

• 2. Incompatible with 4-to-2 row reduction [PinkasSchneiderSmartWilliams09]

.

Motivating Question

. . Can we overcome these limitations, while retaining Free XOR’s benefits (as much as possible)? Hint: yes! .

SLIDE 18

.

.

free XOR

.

Free XOR limitations:

. .

• 1. Requires strong circularity hardness assumption

[ChoiKatzKumaresanZhou12]

• 2. Incompatible with 4-to-2 row reduction [PinkasSchneiderSmartWilliams09]

.

Motivating Question

. . Can we overcome these limitations, while retaining Free XOR’s benefits (as much as possible)? Hint: yes! .

SLIDE 19

.

.

free XOR

.

Free XOR limitations:

. .

• 1. Requires strong circularity hardness assumption

[ChoiKatzKumaresanZhou12]

• 2. Incompatible with 4-to-2 row reduction [PinkasSchneiderSmartWilliams09]

.

Motivating Question

. . Can we overcome these limitations, while retaining Free XOR’s benefits (as much as possible)? Hint: yes! .

SLIDE 20

.

.

fleXOR garbling

2

.

SLIDE 21

.

.

fleXOR garbling

. .

false: A true: A ⊕ ∆A

• ffset: ∆A

.

false: B true: B ⊕ ∆B

• ffset: ∆B

.

false: true:

• ffset: ∆C

.

EncA A EncA

A A

C

.

EncB B EncB

B B

C

.

A DecA

n

.

A A

.

B DecB

n

.

Flexible XOR (fleXOR) technique [this work]:

. .

◮ “adjust” offsets of both input wires to ∆C

, then use free XOR apply row reduction : each “adjustment” requires 1 ciphertext if

A C, no need to “adjust” first wire at all!

garble XOR gate using 0, 1, or 2 ciphertexts

depending on how many of

A B C

are distinct

.

SLIDE 22

.

.

fleXOR garbling

. .

??

.

??

.

false: A∗ true: A∗ ⊕ ∆C

• ffset: ∆C

.

false: A true: A ⊕ ∆A

• ffset: ∆A

.

false: B∗ true: B∗ ⊕ ∆C

• ffset: ∆C

.

false: B true: B ⊕ ∆B

• ffset: ∆B

.

false: true:

• ffset: ∆C

.

EncA A EncA

A A

C

.

EncB B EncB

B B

C

.

A DecA

n

.

A A

.

B DecB

n

.

Flexible XOR (fleXOR) technique [this work]:

. .

◮ “adjust” offsets of both input wires to ∆C

, then use free XOR apply row reduction : each “adjustment” requires 1 ciphertext if

A C, no need to “adjust” first wire at all!

garble XOR gate using 0, 1, or 2 ciphertexts

depending on how many of

A B C

are distinct

.

SLIDE 23

.

.

fleXOR garbling

. .

??

.

??

.

false: A∗ true: A∗ ⊕ ∆C

• ffset: ∆C

.

false: A true: A ⊕ ∆A

• ffset: ∆A

.

false: B∗ true: B∗ ⊕ ∆C

• ffset: ∆C

.

false: B true: B ⊕ ∆B

• ffset: ∆B

.

false: A∗ ⊕ B∗ true: A∗ ⊕ B∗ ⊕ ∆C

• ffset: ∆C

.

EncA A EncA

A A

C

.

EncB B EncB

B B

C

.

A DecA

n

.

A A

.

B DecB

n

.

Flexible XOR (fleXOR) technique [this work]:

. .

◮ “adjust” offsets of both input wires to ∆C, then use free XOR

apply row reduction : each “adjustment” requires 1 ciphertext if

A C, no need to “adjust” first wire at all!

garble XOR gate using 0, 1, or 2 ciphertexts

depending on how many of

A B C

are distinct

.

SLIDE 24

.

.

fleXOR garbling

. .

false: A∗ true: A∗ ⊕ ∆C

• ffset: ∆C

.

false: A true: A ⊕ ∆A

• ffset: ∆A

.

false: B∗ true: B∗ ⊕ ∆C

• ffset: ∆C

.

false: B true: B ⊕ ∆B

• ffset: ∆B

.

false: A∗ ⊕ B∗ true: A∗ ⊕ B∗ ⊕ ∆C

• ffset: ∆C

.

EncA(A∗) EncA⊕∆A(A∗ ⊕ ∆C)

.

EncB B EncB

B B

C

.

A DecA

n

.

A A

.

B DecB

n

.

Flexible XOR (fleXOR) technique [this work]:

. .

◮ “adjust” offsets of both input wires to ∆C, then use free XOR

apply row reduction : each “adjustment” requires 1 ciphertext if

A C, no need to “adjust” first wire at all!

garble XOR gate using 0, 1, or 2 ciphertexts

depending on how many of

A B C

are distinct

.

SLIDE 25

.

.

fleXOR garbling

. .

false: A∗ true: A∗ ⊕ ∆C

• ffset: ∆C

.

false: A true: A ⊕ ∆A

• ffset: ∆A

.

false: B∗ true: B∗ ⊕ ∆C

• ffset: ∆C

.

false: B true: B ⊕ ∆B

• ffset: ∆B

.

false: A∗ ⊕ B∗ true: A∗ ⊕ B∗ ⊕ ∆C

• ffset: ∆C

.

EncA(A∗) EncA⊕∆A(A∗ ⊕ ∆C)

.

EncB(B∗) EncB⊕∆B(B∗ ⊕ ∆C)

.

A DecA

n

.

A A

.

B DecB

n

.

Flexible XOR (fleXOR) technique [this work]:

. .

◮ “adjust” offsets of both input wires to ∆C, then use free XOR

apply row reduction : each “adjustment” requires 1 ciphertext if

A C, no need to “adjust” first wire at all!

garble XOR gate using 0, 1, or 2 ciphertexts

depending on how many of

A B C

are distinct

.

SLIDE 26

.

.

fleXOR garbling

. .

false: A∗ true: A∗ ⊕ ∆C

• ffset: ∆C

.

false: A true: A ⊕ ∆A

• ffset: ∆A

.

false: B∗ true: B∗ ⊕ ∆C

• ffset: ∆C

.

false: B true: B ⊕ ∆B

• ffset: ∆B

.

false: A∗ ⊕ B∗ true: A∗ ⊕ B∗ ⊕ ∆C

• ffset: ∆C

.

EncA(A∗) EncA⊕∆A(A∗ ⊕ ∆C)

.

EncB(B∗) EncB⊕∆B(B∗ ⊕ ∆C)

.

A DecA

n

.

A A

.

B DecB

n

.

Flexible XOR (fleXOR) technique [this work]:

. .

◮ “adjust” offsets of both input wires to ∆C, then use free XOR

apply row reduction : each “adjustment” requires 1 ciphertext if

A C, no need to “adjust” first wire at all!

garble XOR gate using 0, 1, or 2 ciphertexts

depending on how many of

A B C

are distinct

.

SLIDE 27

.

.

fleXOR garbling

. .

false: A∗ true: A∗ ⊕ ∆C

• ffset: ∆C

.

false: A true: A ⊕ ∆A

• ffset: ∆A

.

false: B∗ true: B∗ ⊕ ∆C

• ffset: ∆C

.

false: B true: B ⊕ ∆B

• ffset: ∆B

.

false: A∗ ⊕ B∗ true: A∗ ⊕ B∗ ⊕ ∆C

• ffset: ∆C

.

EncA(A∗) 0n EncA⊕∆A(A∗ ⊕ ∆C)

.

EncB(B∗) 0n EncB⊕∆B(B∗ ⊕ ∆C)

.

A DecA

n

.

A A

.

B DecB

n

.

Flexible XOR (fleXOR) technique [this work]:

. .

◮ “adjust” offsets of both input wires to ∆C, then use free XOR ◮ apply row reduction

: each “adjustment” requires 1 ciphertext if

A C, no need to “adjust” first wire at all!

garble XOR gate using 0, 1, or 2 ciphertexts

depending on how many of

A B C

are distinct

.

SLIDE 28

.

.

fleXOR garbling

. .

false: A∗ true: A∗ ⊕ ∆C

• ffset: ∆C

.

false: A true: A ⊕ ∆A

• ffset: ∆A

.

false: B∗ true: B∗ ⊕ ∆C

• ffset: ∆C

.

false: B true: B ⊕ ∆B

• ffset: ∆B

.

false: A∗ ⊕ B∗ true: A∗ ⊕ B∗ ⊕ ∆C

• ffset: ∆C

.

EncA(A∗) 0n EncA⊕∆A(A∗ ⊕ ∆C)

.

EncB(B∗) 0n EncB⊕∆B(B∗ ⊕ ∆C)

.

A∗ := DecA(0n)

.

A A

.

B∗ := DecB(0n)

.

Flexible XOR (fleXOR) technique [this work]:

. .

◮ “adjust” offsets of both input wires to ∆C, then use free XOR ◮ apply row reduction

: each “adjustment” requires 1 ciphertext if

A C, no need to “adjust” first wire at all!

garble XOR gate using 0, 1, or 2 ciphertexts

depending on how many of

A B C

are distinct

.

SLIDE 29

.

.

fleXOR garbling

. .

false: A∗ true: A∗ ⊕ ∆C

• ffset: ∆C

.

false: A true: A ⊕ ∆A

• ffset: ∆A

.

false: B∗ true: B∗ ⊕ ∆C

• ffset: ∆C

.

false: B true: B ⊕ ∆B

• ffset: ∆B

.

false: A∗ ⊕ B∗ true: A∗ ⊕ B∗ ⊕ ∆C

• ffset: ∆C

.

EncA⊕∆A(A∗ ⊕ ∆C)

.

EncB⊕∆B(B∗ ⊕ ∆C)

.

A∗ := DecA(0n)

.

A A

.

B∗ := DecB(0n)

.

Flexible XOR (fleXOR) technique [this work]:

. .

◮ “adjust” offsets of both input wires to ∆C, then use free XOR ◮ apply row reduction: each “adjustment” requires 1 ciphertext

if

A C, no need to “adjust” first wire at all!

garble XOR gate using 0, 1, or 2 ciphertexts

depending on how many of

A B C

are distinct

.

SLIDE 30

.

.

fleXOR garbling

. .

false: A∗ true: A∗ ⊕ ∆C

• ffset: ∆C

.

false: A true: A ⊕ ∆C

• ffset: ∆C

.

false: B∗ true: B∗ ⊕ ∆C

• ffset: ∆C

.

false: B true: B ⊕ ∆B

• ffset: ∆B

.

false: A∗ ⊕ B∗ true: A∗ ⊕ B∗ ⊕ ∆C

• ffset: ∆C

.

EncA

A A

C

.

EncB⊕∆B(B∗ ⊕ ∆C)

.

A DecA

n

.

A∗ := A

.

B∗ := DecB(0n)

.

Flexible XOR (fleXOR) technique [this work]:

. .

◮ “adjust” offsets of both input wires to ∆C, then use free XOR ◮ apply row reduction: each “adjustment” requires 1 ciphertext ◮ if ∆A = ∆C, no need to “adjust” first wire at all!

garble XOR gate using 0, 1, or 2 ciphertexts

depending on how many of

A B C

are distinct

.

SLIDE 31

.

.

fleXOR garbling

. .

false: A∗ true: A∗ ⊕ ∆C

• ffset: ∆C

.

false: A true: A ⊕ ∆C

• ffset: ∆C

.

false: B∗ true: B∗ ⊕ ∆C

• ffset: ∆C

.

false: B true: B ⊕ ∆B

• ffset: ∆B

.

false: A∗ ⊕ B∗ true: A∗ ⊕ B∗ ⊕ ∆C

• ffset: ∆C

.

EncA

A A

C

.

EncB⊕∆B(B∗ ⊕ ∆C)

.

A DecA

n

.

A∗ := A

.

B∗ := DecB(0n)

.

Flexible XOR (fleXOR) technique [this work]:

. .

◮ “adjust” offsets of both input wires to ∆C, then use free XOR ◮ apply row reduction: each “adjustment” requires 1 ciphertext ◮ if ∆A = ∆C, no need to “adjust” first wire at all! ◮ garble XOR gate using 0, 1, or 2 ciphertexts

· · ·

depending on how many of {∆A, ∆B, ∆C} are distinct

.

SLIDE 32

.

.

wire orderings

.

Wire ordering:

. . Group circuit’s wires into equivalence classes (same class ⇔ same offset) . .

How should we choose wire orderings to minimize total cost of garbling XOR gates?

while avoiding circularity assumption of Free-XOR? keeping compatibility with 2-row-reduction for non-XOR gates? combinatorial constraints of wire ordering .

SLIDE 33

.

.

wire orderings

.

Wire ordering:

. . Group circuit’s wires into equivalence classes (same class ⇔ same offset) . .

∆1

.

∆1

.

∆1

.

How should we choose wire orderings to minimize total cost of garbling XOR gates?

while avoiding circularity assumption of Free-XOR? keeping compatibility with 2-row-reduction for non-XOR gates? combinatorial constraints of wire ordering .

SLIDE 34

.

.

wire orderings

.

Wire ordering:

. . Group circuit’s wires into equivalence classes (same class ⇔ same offset) . .

∆1

.

∆2

.

∆1

.

∆2

.

∆1

.

How should we choose wire orderings to minimize total cost of garbling XOR gates?

while avoiding circularity assumption of Free-XOR? keeping compatibility with 2-row-reduction for non-XOR gates? combinatorial constraints of wire ordering .

SLIDE 35

.

.

wire orderings

.

Wire ordering:

. . Group circuit’s wires into equivalence classes (same class ⇔ same offset) . .

∆1

.

∆3

.

∆2

.

∆1

.

∆3

.

∆2

.

∆1

.

How should we choose wire orderings to minimize total cost of garbling XOR gates?

while avoiding circularity assumption of Free-XOR? keeping compatibility with 2-row-reduction for non-XOR gates? combinatorial constraints of wire ordering .

SLIDE 36

.

.

wire orderings

.

Wire ordering:

. . Group circuit’s wires into equivalence classes (same class ⇔ same offset) . .

∆1

.

∆3

.

∆2

.

∆1

.

∆3

.

∆4

.

∆2

.

∆1

.

∆4

How should we choose wire orderings to minimize total cost of garbling XOR gates?

while avoiding circularity assumption of Free-XOR? keeping compatibility with 2-row-reduction for non-XOR gates? combinatorial constraints of wire ordering .

SLIDE 37

.

.

wire orderings

.

Wire ordering:

. . Group circuit’s wires into equivalence classes (same class ⇔ same offset) . .

∆1

.

∆3

.

∆2

.

∆1

.

∆3

.

∆4

.

∆2

.

∆1

.

∆4

How should we choose wire orderings to minimize total cost of garbling XOR gates?

· · ·

while avoiding circularity assumption of Free-XOR?

· · ·

keeping compatibility with 2-row-reduction for non-XOR gates? combinatorial constraints of wire ordering .

SLIDE 38

.

.

wire orderings

.

Wire ordering:

. . Group circuit’s wires into equivalence classes (same class ⇔ same offset) . .

∆1

.

∆3

.

∆2

.

∆1

.

∆3

.

∆4

.

∆2

.

∆1

.

∆4

How should we choose wire orderings to minimize total cost of garbling XOR gates?

· · ·

while avoiding circularity assumption of Free-XOR?

· · ·

keeping compatibility with 2-row-reduction for non-XOR gates?

• combinatorial constraints of wire ordering

.

SLIDE 39

.

.

removing circularity

3

.

SLIDE 40

.

.

why does free-XOR require circularity assumption?

. .

false: A true: A ⊕ ∆

.

false: B true: B ⊕ ∆

.

false: C true: C ⊕ ∆

.

EncA,B(C) EncA,B⊕∆(C) EncA⊕∆,B(C) EncA⊕∆,B⊕∆(C ⊕ ∆)

.

EncA B C junk junk junk

. EncA

B

C junk, Key cycle: same secret in key and message! .

SLIDE 41

.

.

why does free-XOR require circularity assumption?

. .

false: A true: A ⊕ ∆

.

false: B true: B ⊕ ∆

.

false: C true: C ⊕ ∆

.

EncA,B(C) EncA,B⊕∆(C) EncA⊕∆,B(C) EncA⊕∆,B⊕∆(C ⊕ ∆)

.

EncA B C junk junk junk

. EncA

B

C junk, Key cycle: same secret in key and message! .

SLIDE 42

.

.

why does free-XOR require circularity assumption?

. .

false: A true: A ⊕ ∆

.

false: B true: B ⊕ ∆

.

false: C true: C ⊕ ∆

.

EncA,B(C) EncA,B⊕∆(C) EncA⊕∆,B(C) EncA⊕∆,B⊕∆(C ⊕ ∆)

.

EncA,B(C) junk junk junk

.

≈

EncA⊕∆,B⊕∆(C ⊕ ∆) ≈ junk, Key cycle: same secret in key and message! .

SLIDE 43

.

.

why does free-XOR require circularity assumption?

. .

false: A true: A ⊕ ∆

.

false: B true: B ⊕ ∆

.

false: C true: C ⊕ ∆

.

EncA,B(C) EncA,B⊕∆(C) EncA⊕∆,B(C) EncA⊕∆,B⊕∆(C ⊕ ∆)

.

EncA,B(C) junk junk junk

.

≈

EncA⊕∆,B⊕∆(C ⊕ ∆) ≈ junk,

◮ Key cycle: same secret ∆ in key and message!

.

SLIDE 44

.

.

main idea: removing circularity

.

Recipe: how to avoid a “key cycle”

. .

• 1. Order all the wire-offsets: ∆1, ∆2, . . .
• 2. Enforce: Enc···A⊕∆i···(· · · B ⊕ ∆j · · · ) allowed ⇔ i < j

In FleXOR:

. .

i

.

j

.

k

.

encrypts

.

encrypts

. .

i

.

j

.

k

.

encrypts, if i k

.

encrypts, if j k

.

Definition: monotone wire ordering

. . .

i

.

j

.

k

. k max i j . .

i

.

j

.

k

. k max i j .

SLIDE 45

.

.

main idea: removing circularity

.

Recipe: how to avoid a “key cycle”

. .

• 1. Order all the wire-offsets: ∆1, ∆2, . . .
• 2. Enforce: Enc···A⊕∆i···(· · · B ⊕ ∆j · · · ) allowed ⇔ i < j

In FleXOR:

. .

∆i

.

∆j

.

∆k

.

encrypts

.

encrypts

. .

∆i

.

∆j

.

∆k

.

encrypts, if i k

.

encrypts, if j k

.

Definition: monotone wire ordering

. . .

i

.

j

.

k

. k max i j . .

i

.

j

.

k

. k max i j .

SLIDE 46

.

.

main idea: removing circularity

.

Recipe: how to avoid a “key cycle”

. .

• 1. Order all the wire-offsets: ∆1, ∆2, . . .
• 2. Enforce: Enc···A⊕∆i···(· · · B ⊕ ∆j · · · ) allowed ⇔ i < j

In FleXOR:

. .

∆i

.

∆j

.

∆k

.

encrypts

.

encrypts

. .

∆i

.

∆j

.

∆k

.

encrypts, if i k

.

encrypts, if j k

.

Definition: monotone wire ordering

. . .

i

.

j

.

k

. k max i j . .

i

.

j

.

k

. k max i j .

SLIDE 47

.

.

main idea: removing circularity

.

Recipe: how to avoid a “key cycle”

. .

• 1. Order all the wire-offsets: ∆1, ∆2, . . .
• 2. Enforce: Enc···A⊕∆i···(· · · B ⊕ ∆j · · · ) allowed ⇔ i < j

In FleXOR:

. .

∆i

.

∆j

.

∆k

.

encrypts

.

encrypts

. .

∆i

.

∆j

.

∆k

.

encrypts, if i = k

.

encrypts, if j = k

.

Definition: monotone wire ordering

. . .

i

.

j

.

k

. k max i j . .

i

.

j

.

k

. k max i j .

SLIDE 48

.

.

main idea: removing circularity

.

Recipe: how to avoid a “key cycle”

. .

• 1. Order all the wire-offsets: ∆1, ∆2, . . .
• 2. Enforce: Enc···A⊕∆i···(· · · B ⊕ ∆j · · · ) allowed ⇔ i < j

In FleXOR:

. .

∆i

.

∆j

.

∆k

.

encrypts

.

encrypts

. .

∆i

.

∆j

.

∆k

.

encrypts, if i = k

.

encrypts, if j = k

.

Definition: monotone wire ordering

. . .

∆i

.

∆j

.

∆k

.

⇒ k > max{i, j}

. .

∆i

.

∆j

.

∆k

.

⇒ k ≥ max{i, j}

.

SLIDE 49

.

.

results

.

Results

. .

• 1. FleXOR garbling does not require circularity assumption, when
• ffsets chosen via monotone wire ordering

◮ Same assumption required for OT-extension [Ishai+03]

• 2. NP-hard to find optimal monotone wire ordering

.

SLIDE 50

.

.

finding some monotone ordering

. .

• 1. Input wires get
• 2. For each gate in topological order, assign smallest legal

i

XOR gates: k max i j

• ther gates: k

max i j

.

SLIDE 51

.

.

finding some monotone ordering

. .

∆1

.

∆1

.

∆1

.

∆1

.

• 1. Input wires get ∆1
• 2. For each gate in topological order, assign smallest legal

i

XOR gates: k max i j

• ther gates: k

max i j

.

SLIDE 52

.

.

finding some monotone ordering

. .

∆1

.

∆1

.

∆1

.

∆1

.

∆1

.

• 1. Input wires get ∆1
• 2. For each gate in topological order, assign smallest legal ∆i

◮ XOR gates: k ≥ max{i, j}

• ther gates: k

max i j

.

SLIDE 53

.

.

finding some monotone ordering

. .

∆1

.

∆1

.

∆1

.

∆1

.

∆1

.

∆2

.

• 1. Input wires get ∆1
• 2. For each gate in topological order, assign smallest legal ∆i

◮ XOR gates: k ≥ max{i, j} ◮ other gates: k > max{i, j}

.

SLIDE 54

.

.

finding some monotone ordering

. .

∆1

.

∆1

.

∆1

.

∆1

.

∆1

.

∆2

.

∆3

.

• 1. Input wires get ∆1
• 2. For each gate in topological order, assign smallest legal ∆i

◮ XOR gates: k ≥ max{i, j} ◮ other gates: k > max{i, j}

.

SLIDE 55

.

.

finding some monotone ordering

. .

∆1

.

∆1

.

∆1

.

∆1

.

∆1

.

∆2

.

∆3

.

∆4

.

• 1. Input wires get ∆1
• 2. For each gate in topological order, assign smallest legal ∆i

◮ XOR gates: k ≥ max{i, j} ◮ other gates: k > max{i, j}

.

SLIDE 56

.

.

finding some monotone ordering

. .

∆1

.

∆1

.

∆1

.

∆1

.

∆1

.

∆2

.

∆3

.

∆4

.

∆3

• 1. Input wires get ∆1
• 2. For each gate in topological order, assign smallest legal ∆i

◮ XOR gates: k ≥ max{i, j} ◮ other gates: k > max{i, j}

.

SLIDE 57

.

.

• ptimal solution for formulas

. .

S

.

S := {output gate} i := depth repeat:

• 1. assign i to wires that reach

S via XOR paths

• 2. S := {barrier AND-gates}
• 3. i := i − 1

All XOR gates are free!

.

SLIDE 58

.

.

• ptimal solution for formulas

. .

S

.

S

.

S

.

∆4

.

∆4

.

∆4

.

∆4

.

∆4

.

∆4

.

∆4

.

∆4

.

∆4 S := {output gate} i := depth repeat:

• 1. assign i to wires that reach

S via XOR paths

• 2. S := {barrier AND-gates}
• 3. i := i − 1

All XOR gates are free!

.

SLIDE 59

.

.

• ptimal solution for formulas

. .

S

.

S

.

S

.

∆3

.

∆3

.

∆3

.

∆3

.

∆4

.

∆4

.

∆3

.

∆3

.

∆4

.

∆4

.

∆4

.

∆4

.

∆3

.

∆3

.

∆4

.

∆4

.

∆4 S := {output gate} i := depth repeat:

• 1. assign i to wires that reach

S via XOR paths

• 2. S := {barrier AND-gates}
• 3. i := i − 1

All XOR gates are free!

.

SLIDE 60

.

.

• ptimal solution for formulas

. .

S

.

S

.

∆3

.

∆3

.

∆2

.

∆2

.

∆3

.

∆3

.

∆4

.

∆4

.

∆2

.

∆2

.

∆2

.

∆2

.

∆3

.

∆3

.

∆4

.

∆4

.

∆2

.

∆2

.

∆2

.

∆2

.

∆4

.

∆4

.

∆3

.

∆3

.

∆4

.

∆4

.

∆4 S := {output gate} i := depth repeat:

• 1. assign i to wires that reach

S via XOR paths

• 2. S := {barrier AND-gates}
• 3. i := i − 1

All XOR gates are free!

.

SLIDE 61

.

.

• ptimal solution for formulas

. .

∆3

.

∆3

.

∆2

.

∆2

.

∆3

.

∆3

.

∆4

.

∆4

.

∆1

.

∆1

.

∆1

.

∆1

.

∆2

.

∆2

.

∆2

.

∆2

.

∆3

.

∆3

.

∆4

.

∆4

.

∆2

.

∆2

.

∆2

.

∆2

.

∆4

.

∆4

.

∆3

.

∆3

.

∆4

.

∆4

.

∆4 S := {output gate} i := depth repeat:

• 1. assign i to wires that reach

S via XOR paths

• 2. S := {barrier AND-gates}
• 3. i := i − 1

All XOR gates are free!

.

SLIDE 62

.

.

• ptimal solution for formulas

. .

∆3

.

∆3

.

∆2

.

∆2

.

∆3

.

∆3

.

∆4

.

∆4

.

∆1

.

∆1

.

∆1

.

∆1

.

∆2

.

∆2

.

∆2

.

∆2

.

∆3

.

∆3

.

∆4

.

∆4

.

∆2

.

∆2

.

∆2

.

∆2

.

∆4

.

∆4

.

∆3

.

∆3

.

∆4

.

∆4

.

∆4 S := {output gate} i := depth repeat:

• 1. assign i to wires that reach

S via XOR paths

• 2. S := {barrier AND-gates}
• 3. i := i − 1

All XOR gates are free!

.

SLIDE 63

.

.

heuristic for general circuits

.

Observation

. . [offset given to wire w] + [# AND gates between w and output] = constant . . Smarter heuristic:

• 1. d w

max of # AND gates in a path from w to output

• 2. assign

i to w so that i

d w constant .

SLIDE 64

.

.

heuristic for general circuits

.

Observation

. . [offset given to wire w] + [# AND gates between w and output] = constant . . Smarter heuristic:

• 1. d(w) = max of # AND gates in a path from w to output
• 2. assign

i to w so that i

d w constant .

SLIDE 65

.

.

heuristic for general circuits

.

Observation

. . [offset given to wire w] + [# AND gates between w and output] = constant . .

3

.

3

.

2

.

2

.

2

.

2

.

1

. . Smarter heuristic:

• 1. d(w) = max of # AND gates in a path from w to output
• 2. assign

i to w so that i

d w constant .

SLIDE 66

.

.

heuristic for general circuits

.

Observation

. . [offset given to wire w] + [# AND gates between w and output] = constant . .

∆1

.

∆1

.

∆2

.

∆2

.

∆2

.

∆2

.

∆3

.

∆4

.

∆4

Smarter heuristic:

• 1. d(w) = max of # AND gates in a path from w to output
• 2. assign ∆i to w so that i + d(w) = constant

.

SLIDE 67

.

.

concrete results (using our heuristic)

.

Garbled circuit size (ciphertexts per gate)

. . scheme assump AES DES SHA1 SHA2 HamDst IntMult classical OWF 2.00 2.00 2.00 2.00 2.00 2.00 Free XOR circular 0.64 2.79 1.82 2.05 0.50 . 0.90 FleXOR related-key 0.76 2.84 2.02 2.26 0.67 . 1.15

+19% +2% +11% +10% +34% +28%

. .

SLIDE 68

.

.

concrete results (using our heuristic)

.

Garbled circuit size (ciphertexts per gate)

. . scheme assump AES DES SHA1 SHA2 HamDst IntMult classical OWF 2.00 2.00 2.00 2.00 2.00 2.00 Free XOR circular 0.64 2.79 1.82 2.05 0.50 . 0.90 FleXOR related-key 0.76 2.84 2.02 2.26 0.67 . 1.15

+19% +2% +11% +10% +34% +28%

. .

SLIDE 69

.

.

concrete results (using our heuristic)

.

Garbled circuit size (ciphertexts per gate)

. . scheme assump AES DES SHA1 SHA2 HamDst IntMult classical OWF 2.00 2.00 2.00 2.00 2.00 2.00 Free XOR circular 0.64 2.79 1.82 2.05 0.50 . 0.90 FleXOR related-key 0.76 2.84 2.02 2.26 0.67 . 1.15

+19% +2% +11% +10% +34% +28%

. .

SLIDE 70

.

.

row-reduction compatibility

4

.

SLIDE 71

.

.

why is free-XOR incompatible with 4→2-row-reduction?

. .

false: A0 true: A1

.

false: B0 true: B1

.

false: C0 true: C1

.

C0 := DecA0,B0(0n)

.

C F A A B B

.

C F A A B B

.

EncA0,B0(C0) 0n EncA0,B1(C0) EncA1,B0(C0) EncA1,B1(C1)

.

Row reductions

. .

◮ 4 → 3 reduction

: C set implicitly reduction: both C C set implicitly no control over offset of output wire! .

SLIDE 72

.

.

why is free-XOR incompatible with 4→2-row-reduction?

. .

false: A0 true: A1

.

false: B0 true: B1

.

false: C0 true: C1

.

C0 := F(A0, A1, B0, B1)

.

C F A A B B

.

3κ bits

.

Row reductions

. .

◮ 4 → 3 reduction: C0 set implicitly

reduction: both C C set implicitly no control over offset of output wire! .

SLIDE 73

.

.

why is free-XOR incompatible with 4→2-row-reduction?

. .

false: A0 true: A1

.

false: B0 true: B1

.

false: C0 true: C1

.

C0 := F(A0, A1, B0, B1)

.

C1 := F′(A0, A1, B0, B1)

.

2κ bits

.

Row reductions

. .

◮ 4 → 3 reduction: C0 set implicitly ◮ 4 → 2 reduction: both C0, C1 set implicitly

no control over offset of output wire! .

SLIDE 74

.

.

why is free-XOR incompatible with 4→2-row-reduction?

. .

false: A0 true: A1

.

false: B0 true: B1

.

false: C0 true: C1

.

C0 := F(A0, A1, B0, B1)

.

C1 := F′(A0, A1, B0, B1)

.

2κ bits

.

Row reductions

. .

◮ 4 → 3 reduction: C0 set implicitly ◮ 4 → 2 reduction: both C0, C1 set implicitly

⇒ no control over offset of output wire!

.

SLIDE 75

.

.

compatibility with fleXOR

.

Definition: safe wire ordering

. . .

∆i

& . .

∆j

⇒

i = j

... plus some fine print

.

Results

. .

• 1. Can garble using FleXOR +

row reduction, when offsets chosen via safe wire ordering

XOR gates cost 0, 1, or 2; other gates cost 2

• 2. We suggest a very simple heuristic to find safe orderings:

Output wires of AND-gates get distinct offsets (in topological order) All other wires get offset

.

SLIDE 76

.

.

compatibility with fleXOR

.

Definition: safe wire ordering

. . .

∆i

& . .

∆j

⇒

i = j

... plus some fine print

.

Results

. .

• 1. Can garble using FleXOR +

row reduction, when offsets chosen via safe wire ordering

XOR gates cost 0, 1, or 2; other gates cost 2

• 2. We suggest a very simple heuristic to find safe orderings:

Output wires of AND-gates get distinct offsets (in topological order) All other wires get offset

.

SLIDE 77

.

.

compatibility with fleXOR

.

Definition: safe wire ordering

. . .

∆i

& . .

∆j

⇒

i = j

... plus some fine print

.

Results

. .

• 1. Can garble using FleXOR + 4 → 2 row reduction, when offsets

chosen via safe wire ordering

◮ XOR gates cost 0, 1, or 2; other gates cost 2

• 2. We suggest a very simple heuristic to find safe orderings:

Output wires of AND-gates get distinct offsets (in topological order) All other wires get offset

.

SLIDE 78

.

.

compatibility with fleXOR

.

Definition: safe wire ordering

. . .

∆i

& . .

∆j

⇒

i = j

... plus some fine print

.

Results

. .

• 1. Can garble using FleXOR + 4 → 2 row reduction, when offsets

chosen via safe wire ordering

◮ XOR gates cost 0, 1, or 2; other gates cost 2

• 2. We suggest a very simple heuristic to find safe orderings:

◮ Output wires of AND-gates get distinct offsets (in topological order) ◮ All other wires get offset ∆0

.

SLIDE 79

.

.

concrete results (using our heuristic)

.

Garbled circuit size (ciphertexts per gate)

. . scheme assump AES DES SHA1 SHA2 HamDst IntMult classical OWF 2.00 2.00 2.00 2.00 2.00 2.00 Free XOR circular 0.64 2.79 1.82 2.05 0.50 . 0.90 FleXOR related-key 0.76 2.84 2.02 2.26 0.67 1.15 FleXOR circular 0.72 1.89 1.39 1.56 0.50 . 0.94

+12% -32% -24%

• 24%

+0% +4%

. .

SLIDE 80

.

.

concrete results (using our heuristic)

.

Garbled circuit size (ciphertexts per gate)

. . scheme assump AES DES SHA1 SHA2 HamDst IntMult classical OWF 2.00 2.00 2.00 2.00 2.00 2.00 Free XOR circular 0.64 2.79 1.82 2.05 0.50 . 0.90 FleXOR related-key 0.76 2.84 2.02 2.26 0.67 1.15 FleXOR circular 0.72 1.89 1.39 1.56 0.50 . 0.94

+12% -32% -24%

• 24%

+0% +4%

. .

SLIDE 81

.

.

concrete results (using our heuristic)

.

Garbled circuit size (ciphertexts per gate)

. . scheme assump AES DES SHA1 SHA2 HamDst IntMult classical OWF 2.00 2.00 2.00 2.00 2.00 2.00 Free XOR circular 0.64 2.79 1.82 2.05 0.50 . 0.90 FleXOR related-key 0.76 2.84 2.02 2.26 0.67 1.15 FleXOR circular 0.72 1.89 1.39 1.56 0.50 . 0.94

+12% -32% -24%

• 24%

+0% +4%

. .

SLIDE 82

.

.

extensions

5

.

SLIDE 83

.

.

extensions: wire orderings

• 1. Trivial wire ordering ⇒ collapse to Free-XOR
• 2. Monotone wire ordering ⇒ eliminate circular assumption
• 3. Safe wire ordering ⇒ compatibility with aggressive row reduction
• 4. Monotone + safe wire ordering

both!

• 5. Constrain input/output wires only

compatibility with protocols that break “garbling scheme” abstraction boundary

• 6. Other interesting properties?

.

SLIDE 84

.

.

extensions: wire orderings

• 1. Trivial wire ordering ⇒ collapse to Free-XOR
• 2. Monotone wire ordering ⇒ eliminate circular assumption
• 3. Safe wire ordering ⇒ compatibility with aggressive row reduction
• 4. Monotone + safe wire ordering ⇒ both!
• 5. Constrain input/output wires only

compatibility with protocols that break “garbling scheme” abstraction boundary

• 6. Other interesting properties?

.

SLIDE 85

.

.

extensions: wire orderings

• 1. Trivial wire ordering ⇒ collapse to Free-XOR
• 2. Monotone wire ordering ⇒ eliminate circular assumption
• 3. Safe wire ordering ⇒ compatibility with aggressive row reduction
• 4. Monotone + safe wire ordering ⇒ both!
• 5. Constrain input/output wires only ⇒ compatibility with protocols

that break “garbling scheme” abstraction boundary

• 6. Other interesting properties?

.

SLIDE 86

.

.

extensions: wire orderings

• 1. Trivial wire ordering ⇒ collapse to Free-XOR
• 2. Monotone wire ordering ⇒ eliminate circular assumption
• 3. Safe wire ordering ⇒ compatibility with aggressive row reduction
• 4. Monotone + safe wire ordering ⇒ both!
• 5. Constrain input/output wires only ⇒ compatibility with protocols

that break “garbling scheme” abstraction boundary

• 6. Other interesting properties?

.

SLIDE 87

.

.

wrap-up

6

.

SLIDE 88

.

.

summary

.

FleXOR = Flexible XOR!

. .

◮ New way to garble XOR gates: costs 0, 1, or 2 ciphertexts per gate ◮ Get results competitive with Free-XOR, from weaker assumption ◮ Get results often better than Free-XOR, by leveraging 4 → 2

row-reduction .

SLIDE 89

.

.

• pen problems
• 1. Better FleXOR on existing circuits

◮ better wire-ordering heuristics? guaranteed approximation ratio? ◮ hardness of approximation? ◮ use ideas from approximations of “multi-cut” problem

• 2. Better circuits targeted for FleXOR

instead of simply minimizing # of non-XOR gates

• 3. Implementation

fastest garbling scheme (JustGarble) uses fixed-key AES: need to re-analyze FleXOR security wire orderings computed on the fly, or stored with circuit? revisit row reduction?

.

SLIDE 90

.

.

• pen problems
• 1. Better FleXOR on existing circuits

◮ better wire-ordering heuristics? guaranteed approximation ratio? ◮ hardness of approximation? ◮ use ideas from approximations of “multi-cut” problem

• 2. Better circuits targeted for FleXOR

◮ instead of simply minimizing # of non-XOR gates

• 3. Implementation

fastest garbling scheme (JustGarble) uses fixed-key AES: need to re-analyze FleXOR security wire orderings computed on the fly, or stored with circuit? revisit row reduction?

.

SLIDE 91

.

.

• pen problems
• 1. Better FleXOR on existing circuits

◮ better wire-ordering heuristics? guaranteed approximation ratio? ◮ hardness of approximation? ◮ use ideas from approximations of “multi-cut” problem

• 2. Better circuits targeted for FleXOR

◮ instead of simply minimizing # of non-XOR gates

• 3. Implementation

◮ fastest garbling scheme (JustGarble) uses fixed-key AES: need to

re-analyze FleXOR security

◮ wire orderings computed on the fly, or stored with circuit? ◮ revisit 4 → 2 row reduction?

.

SLIDE 92

.