The Many Faces of Garbled Circuits MIT Vinod Vaikuntanathan.

Presentation transcript:

The Many Faces of Garbled Circuits MIT Vinod Vaikuntanathan

Garbled Circuits [Yao’86, refined by BMR’90, AIK’04, BHR’12]
Garble circuit C: Garble(C; R)
Encode input x: Encode(x; R)
Simplicity: garbling and encoding are “simple” (e.g., Garble: small depth; Encode: affine)

The Swiss-army Knife of Crypto
- Secure two-party computation [Yao86]
- (Constant-round) MPC [BMR90, IK00]
- Parallel cryptography [AIK05]
- One-time programs [GKR08]
- KDM security [BHHI09, A11]
- Verifiable outsourcing [GGP10, AIK10]
- Circuit-private homomorphic encryption [GHV10]
- Functional encryption [SS10, GVW12]
- And many others: [AF90, FKN94, NPS99, KO04, FM06, AL07, LP07, GKR08, GMS08, BFK+09, PSS09, BHHI10, GGP10, HS10, KM10, SS10, A11, KMR11, LP11, GVW12, …]

Powerful Theorems
Theorem [Yao’86, LP’04]: Assuming one-way functions, there is a garbling scheme for the class of all poly-size circuits.
Theorem [IK’00, AIK’04]: Assuming nothing, there is a garbling scheme for the class of logspace-computable functions.

Much Work, Many Constructions
- Better efficiency: variants [BMR90, NPS99]; Free XOR [KS08, CKKZ12, A13]; garbled circuits with short input encoding [AIKW13]; several practical efficiency improvements [MNPS04, BNP08, HSEKS11, KSS12, BHKR13]
- Better security: adaptive vs. static security [BHR12a, BHR12b, JSW16]
- New goals, new models: re-randomizable garbled circuits [GHV10]; arithmetic garbled circuits [AIK11]; garbling RAM machines [LO13, GHLORW14, GLOS15, GLO15]; and so on…

This Talk: “Cryptopia through the Garbled Circuit Lens”
- Fully homomorphic encryption
- Functional encryption
- Indistinguishability obfuscation
- Attribute-based encryption

Yao’s Garbled Circuits [A. Yao 1986] (figure: the AND-filter)

Yao’s Garbled Circuits [A. Yao 1986] (figure: a garbled gate)

The Reusability Problem: no reusability! (figure: the “mix-and-match” attack)
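The three Yao slides above only survive as figure captions, so here is an added toy implementation (not code from the talk) of one garbled AND gate with the classic "encrypt the output label under both input labels" table, plus a function showing why a garbled table is single-use: once an evaluator has received encodings of two different inputs for the same table, it holds both labels of each wire and can evaluate on an input that was never encoded. The hash-based one-time pad and the all-zero recognition tag are constructed simplifications.

```python
import hashlib
import secrets

LABEL_LEN = 16     # wire labels are 16 random bytes
TAG = b"\x00" * 8  # all-zero tag: the evaluator recognises the single row it can open

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))
def _row_key(la, lb):
    # "encryption" under a pair of input labels: a hash-derived one-time pad
    return hashlib.sha256(la + lb).digest()[:LABEL_LEN + len(TAG)]

def garble_and_gate():
    """Garble one AND gate. labels[w][b] is wire w's label for bit b
    (wires 0, 1 are the inputs, wire 2 the output)."""
    labels = [(secrets.token_bytes(LABEL_LEN), secrets.token_bytes(LABEL_LEN)) for _ in range(3)]
    table = [_xor(_row_key(labels[0][a], labels[1][b]), labels[2][a & b] + TAG)
             for a in (0, 1) for b in (0, 1)]
    secrets.SystemRandom().shuffle(table)  # hide which row belongs to which input pair
    return table, labels
def encode(labels, a, b):
    """Encode input (a, b): exactly one label per input wire is handed out."""
    return labels[0][a], labels[1][b]
def evaluate(table, la, lb):
    """Open the one row the two labels can decrypt; return the output label."""
    key = _row_key(la, lb)
    for row in table:
        plain = _xor(key, row)
        if plain[LABEL_LEN:] == TAG:
            return plain[:LABEL_LEN]
    raise ValueError("no row opened: labels do not belong to this gate")
def decode(labels, out_label):
    return labels[2].index(out_label)  # 0 or 1

def correctness_check():
    """garble -> encode -> evaluate -> decode gives a AND b for all four inputs."""
    table, labels = garble_and_gate()
    return all(decode(labels, evaluate(table, *encode(labels, a, b))) == (a & b)
               for a in (0, 1) for b in (0, 1))

def mix_and_match():
    """Reuse ONE garbled table for inputs (0,1) and (1,0): both honest evaluations give 0, but the
    evaluator now holds both labels of each wire and learns C(1,1) = 1 for a never-encoded input."""
    table, labels = garble_and_gate()
    a0, b1 = encode(labels, 0, 1)
    a1, b0 = encode(labels, 1, 0)
    return (decode(labels, evaluate(table, a0, b1)), decode(labels, evaluate(table, a1, b0)),
            decode(labels, evaluate(table, a1, b1)))  # (honest, honest, mixed)
```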

This Talk: “Cryptopia through the reusable Garbled Circuit Lens”
- Fully homomorphic encryption
- Functional encryption
- Indistinguishability obfuscation
- Attribute-based encryption

Functional Encryption (FE) [Sahai-Waters’05, refined by BSW’12, O’Neill’12]
Secret key for circuit C: SK_C ← KeyGen(SK, C)
Encrypt input x: CT ← Enc(PK, x)
Decrypt: (SK_C, C, CT) → C(x)
- No circuit hiding: SK_C does not hide the circuit C
- Public-key: many-input security for free
- Many-key security: can release many SK_{C_i}, revealing only C_i(x)
- Succinctness: encryption time (and size) independent of |C|

Attribute-based Encryption (ABE) [Sahai-Waters’05, Goyal-Pandey-Sahai-Waters’06]
Secret key for circuit C: SK_C ← KeyGen(SK, C)
Encrypt input x with messages M0, M1: CT ← Enc(PK, x, M0, M1)
Decrypt: (SK_C, C, CT, x) → M_{C(x)}
- No circuit or input hiding: only the messages M0 and M1 are hidden (either M0 or M1, not both)
- Public-key: many-input security for free
- Many-key security: if C_i(x) = b for all i, then M_{1-b} stays hidden
- Succinctness: encryption time (and size) independent of |C|

Garbled Circuits, FE & Friends (table: security vs. size)
- Single-key, non-succinct: garbled circuits + public-key encryption [Sahai-Seyalioglu’11]
- Single-key, succinct: (sub-exp.) LWE [Gorbunov-V-Wee’13, Goldwasser-KPVZ’13, Boneh-GGHNSVV’14] → “reusable” GC for single-bit fns.
- Many-key, succinct: many-key FE for NC1 → reusable GC for many-bit fns. → indistinguishability obfuscation [Bitansky-V’15, Ananth-Jain’15, Lin-Pass-Seth-Telang’16; see also Ananth-Jain-Sahai’15]

First Try: FE from Garbled Circuits [Sahai-Seyalioglu’11]
- Many-key, single-input, secret-key FE: secret key for circuit C = garbled input for C
- Many-input, single-key, secret-key FE: use the universal circuit (and thus lose succinctness)
- Single-key (public-key) FE: use public-key encryption and the “decomposability” of Yao’s garbled circuits; secret key for circuit C = SK_{i,C_i}


Theorem 1.1 [Gorbunov-V.-Wee’13, Boneh-Gentry-Gorbunov-Halevi-Nikolaenko-Segev-V.-Vinayagamurthy’14]: Assuming “sub-exponential LWE”, there is an ABE scheme for the class of all poly-size circuits (of a-priori bounded depth).
Theorem 1.2 [Goldwasser-Kalai-Popa-V.-Zeldovich’13]: a compiler from (1) FHE for P + (2) ABE for (bounded-depth) P + (3) (one-time) garbling to (single-key, succinct) FE for (bounded-depth) P.

Theorem: FE from sub-exp. LWE (diagram)
- Sub-exp. LWE → ABE (Theorem 1.1)
- LWE → FHE [GSW13, BV14]
- ABE + FHE + Yao garbling → single-key succinct FE and reusable garbled circuits (Theorem 1.2)

KEY IDEA (recall Yao’s garbled circuits)
- Labels = strings: single-use
- Labels = functions: many-use

ABE Construction (e.g., x=0101) (figure) NEED: a family of trapdoor functions

ABE Construction (e.g., x=0011) (figure: reusable filter)

ABE Construction (e.g., x=0011) (figure: reusable filter) NO MIX-and-MATCH

ABE Construction (e.g., x=0011) (figure) = “Two-to-one Recoding” keys

What are these Trapdoor Functions?
- Learning with errors [BFKL’93, Regev’05]
- Trapdoor function [Ajtai’99, Micciancio-Peikert’13]: sample a uniformly random A together with a trapdoor

How to “Recode”? (figure: reusable AND-filter on matrices A1, A2, A3 with recoding key (R1, R2))
Let’s start with no noise. FIND matrices (R1, R2) SUCH THAT A3 = R1 A1 + R2 A2. Recoding key: matrices (R1, R2).
Key idea: linearity!
With noise: need the R’s to be low-weight.
Use the “GPV theorem”: find low-weight R s.t. R A = B, given a trapdoor for A.
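An added toy model (not the talk’s own code) of the recoding slide: LWE encodings A_i·s + e_i are combined linearly with the recoding key (R1, R2), and the function at the end measures how much noise the recoded encoding carries relative to the exact A3·s, once for a low-weight key and once for a key with uniform entries. The modulus, dimensions and noise bound are constructed toy parameters; because the toy has no lattice trapdoor, it chooses (R1, R2) first and defines A3 from them instead of finding (R1, R2) with the GPV theorem.

```python
import secrets

Q = 2**31 - 1  # toy prime modulus (constructed; the talk fixes no parameters)
N, M = 4, 8    # toy dimensions: secret s in Z_q^N, matrices A_i in Z_q^{M x N}

def rand_matrix(rows, cols, bound=None):
    """Uniform matrix over Z_q, or a 'low-weight' one with entries in [-bound, bound]."""
    if bound is None:
        return [[secrets.randbelow(Q) for _ in range(cols)] for _ in range(rows)]
    return [[secrets.randbelow(2 * bound + 1) - bound for _ in range(cols)] for _ in range(rows)]

def matvec(A, v):
    return [sum(a * x for a, x in zip(row, v)) % Q for row in A]

def matmul(A, B):
    return [[sum(A[i][k] * B[k][j] for k in range(len(B))) % Q
             for j in range(len(B[0]))] for i in range(len(A))]

def matadd(A, B):
    return [[(a + b) % Q for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def centered(x):
    return x - Q if x > Q // 2 else x  # representative of x mod q in (-q/2, q/2]

def lwe_encode(A, s, noise_bound):
    """LWE encoding of the secret s under A: A*s + e with small noise e."""
    e = [secrets.randbelow(2 * noise_bound + 1) - noise_bound for _ in range(len(A))]
    return [(a + ee) % Q for a, ee in zip(matvec(A, s), e)]

def recode(R1, R2, c1, c2):
    """The reusable AND-filter: R1*c1 + R2*c2. Linearity turns encodings under A1 and A2
    into an encoding under A3 = R1*A1 + R2*A2, with noise R1*e1 + R2*e2."""
    return [(x + y) % Q for x, y in zip(matvec(R1, c1), matvec(R2, c2))]

def recoding_noise(r_bound, noise_bound=4):
    """Largest |noise| entry of the recoded encoding, relative to the exact A3*s,
    when the recoding key (R1, R2) has entries bounded by r_bound."""
    A1, A2 = rand_matrix(M, N), rand_matrix(M, N)
    # The real scheme samples A3 and uses the trapdoor (GPV) to find low-weight (R1, R2).
    # This toy has no trapdoor, so it picks (R1, R2) first and sets A3 = R1*A1 + R2*A2.
    R1, R2 = rand_matrix(M, M, r_bound), rand_matrix(M, M, r_bound)
    A3 = matadd(matmul(R1, A1), matmul(R2, A2))
    s = [secrets.randbelow(Q) for _ in range(N)]
    c3 = recode(R1, R2, lwe_encode(A1, s, noise_bound), lwe_encode(A2, s, noise_bound))
    return max(abs(centered((x - y) % Q)) for x, y in zip(c3, matvec(A3, s)))
```

With entries of (R1, R2) bounded by 1 the recoded noise stays below 2·M·4 = 64, far below q/2, so the encoding under A3 is still decodable; with uniform (R1, R2) the noise is essentially random mod q and the recoding is useless.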


ABE + FHE + Yao = Single-key Succinct FE
Starting point: FE secret key for C: ABE.SK_C; FE encryption of x: ABE.Enc(x, L_0, L_1).
Idea 1. To hide x, encrypt it with FHE and generate keys for the FHE evaluation circuit for C. FE secret key for C: ABE.SK_{Eval_C}; FE encryption of x: ABE.Enc(FHE.Enc(x), L_{i,0}, L_{i,1}). ABE decryption results in L_{i,fhe.ct_i}, where fhe.ct is the FHE encryption of C(x).
Idea 2. Yao-garble the FHE decryption circuit FHE.Dec_SK with input labels L_{i,b}, and add Yao.Garble(FHE.Dec_SK) to the FE encryption of x. Yao = single-use → FE = single-key.

Reusable Garbled Circuits
Garble C: FE.SK_C; Encode x: FE.Enc(x).
Problem: hides x but not C.
Solution: use a universal circuit U and encrypt C (using a simple secret-key encryption).
Garble C: FE.SK for U(SymEnc(symsk, C), ·, ·); Encode x: FE.Enc(symsk, x).
Garble once, encode many times (using the same symsk).
(figure: one-time garbling + ABE → (single-key) FE → reusable garbling)

Garbled Circuits, FE & Friends (table: security vs. size)
- Single-key, non-succinct: garbled circuits + public-key encryption [Sahai-Seyalioglu’11]
- Single-key, succinct: (sub-exp.) LWE [Gorbunov-V-Wee’13, Goldwasser-KPVZ’13, Boneh-GGHNSVV’14] → “reusable” GC for single-bit fns.
- Many-key, succinct: many-key FE for NC1 → reusable GC for many-bit fns. → indistinguishability obfuscation [Bitansky-V’15, Ananth-Jain’15, Lin-Pass-Seth-Telang’16]

Obfuscation = Public-key Garbling [BGIRSVY’01, GR’07, GGHRSW’13, SW’14]
Obfuscation of circuit C: Obf(C); Eval on input x: C(x).
Same as reusable garbling except for public evaluation = public-key (and therefore reusable) garbling.
Indistinguishability obfuscation: for C_0 ≣ C_1, Obf(C_0) ≈ Obf(C_1).

Theorem: Reusable Garbling++ to IO [Bitansky-V.’15, Ananth-Jain’15, simplified by Lin-Pass-Seth-Telang’16]
If there is a compact reusable garbled circuit + a sub-exponentially secure OWF, then there is an IO scheme.
Many-key FE → compact reusable GC: easy [GGHRSW’13]; compact reusable GC → IO: this theorem.
Succinct: garbled input size independent of |C| for one-bit functions. ++ = Compact: garbled input size independent of |C| for many-bit functions.

Theorem: Reusable Garbling++ to IO
Idea in a nutshell: encodings that output (two) encodings. Π_n takes as input an (n-1)-bit string x and outputs encodings of x0 and x1.
Obf(C) = Enc(ε), Garble(Π_1), …, Garble(Π_{n-2}), Garble(Π_{n-1}), Garble(Π_n), Garble(C).
(figure: a binary tree of encodings, Enc(ε) at the root, Enc(0^{n-1}), …, Enc(1^{n-1}) at depth n-1, and Enc(0^n), Enc(0^{n-1}1), …, Enc(1^n) as the leaves)
Need compactness to avoid exponential blowup. (More in Rafael’s talk Wed.)

“Cryptopia” through the Garbling Lens (key property: reusability)
- Fully homomorphic encryption
- Functional encryption
- Indistinguishability obfuscation
- Attribute-based encryption

Many Open Questions
- Many-key FE (and thus IO) from LWE. ($300 from Amit + $100 from me)
- Unconditional garbled circuits for all of P. Yao: one-way functions. Applebaum-Ishai-Kushilevitz’04: unconditional for logspace. Ishai-Kushilevitz-Paskin’12: “degree-2” impossible. ($100 to resolve this one way or the other)

Thank You!