Cryptographic protocols 2015, Lecture 14 Garbled Circuits helger lipmaa, university of tartu

Up to now We saw secure computation protocols with tradeoffs Rounds Communication Computation BDD-based MPC

This lecture We saw secure computation protocols with tradeoffs This time: another tradeoff Rounds Communication Computation BDD-based Multi-round Garbled circuits

Recall: Boolean circuits A computation model Every node evaluates a Boolean function on its inputs Output of circuit: top value Complexity class of all Boolean functions that can be evaluated by circuits = class of efficient Boolean functions (P/poly) ∧ ⊕ ∨ ∧ ∨ ∧ x y z

Boolean circuits Gate implements a function f:{0, 1}² → {0, 1} Circuit implements a function C: {0, 1}ⁿ → {0, 1} ∧ ⊕ ∨ ∧ ∨ ∧ x y z

Boolean circuits Fix values of input gates 0,1 Fix values of input gates Each wire w obtains recursively a value V[w]∈{0, 1} Circuit outputs the value of the output wire V[output] ∧ 0,1 0,1 ⊕ ∨ 0,1 0,1 0,1 ∧ ∨ ∧ 0,1 0,1 0,1 x y z

Boolean circuits Fix values of input gates 0,1 Fix values of input gates Each wire w obtains recursively a value V[w]∈{0, 1} Circuit outputs the value of the output wire V[output] ∧ 0,1 0,1 ⊕ ∨ 0,1 0,1 0,1 ∧ ∨ ∧ 0,1 0,1 0,1 x y z

Boolean circuits Fix values of input gates 0,1 Fix values of input gates Each wire w obtains recursively a value V[w]∈{0, 1} Circuit outputs the value of the output wire V[output] ∧ 0,1 0,1 ⊕ ∨ 0,1 0,1 0,1 ∧ ∨ ∧ 0,1 0,1 0,1 x y z

Boolean circuits Fix values of input gates 0,1 Fix values of input gates Each wire w obtains recursively a value V[w]∈{0, 1} Circuit outputs the value of the output wire V[output] ∧ 0,1 0,1 ⊕ ∨ 0,1 0,1 0,1 ∧ ∨ ∧ 0,1 0,1 0,1 x y z

Boolean circuits 0,1 Let wᵢ (m) be the value of wᵢ, given input assignment m Thus for m = 010, C (m) = 1 ∧ 0,1 0,1 ⊕ ∨ 0,1 0,1 0,1 ∧ ∨ ∧ 0,1 0,1 0,1 x y z

Boolean circuits 16 Boolean functions, so 16 possible gate types Possible basis: {∧,⊕} ¬x = 1⊕x x∨y = ¬(¬x∧¬y) = 1⊕((1⊕x)∧(1⊕y)) = x⊕y⊕(x∧y) ∧ ⊕ ∨ ∧ ∨ ∧ x y z

Garbled circuits: Goal 0,1 Alice knows input a Bob knows input b Bob will get to know C (a, b) ... without learning anything about Alice's input and the intermediate wire values ∧ 0,1 0,1 ⊕ ∨ 0,1 0,1 0,1 ∧ ∨ ∧ 0,1 0,1 0,1 x y z

Garbled circuits: idea 0,1 "Garble" all wire values for wire w, 0 → Kw0, 1 → Kw1 except for output wire where Kwj=j Main idea: Allow Bob to obtain only one Kwj of two garbled values corresponding to each wire ∧ for random keys, chosen by Alice 0,1 0,1 ⊕ ∨ 0,1 0,1 0,1 ∧ ∨ ∧ 0,1 0,1 0,1 x y z

More Details ∧ ⊕ ∨ ∧ ∨ ∧ x y z For each Alice's input wᵢ: K₉₀,K₉₁ For each Alice's input wᵢ: Alice sends to Bob Kwᵢaᵢ For each Bob's input wᵢ: Alice generates and helps Bob to privately obtain Kwᵢbᵢ For each internal wire w: Alice helps Bob to obtain Kwᵢbᵢ ∧ K₇₀,K₇₁ K₈₀,K₈₁ ⊕ ∨ K₄₀,K₄₁ K₅₀,K₅₁ K₆₀,K₆₁ ∧ ∨ ∧ K₁₀,K₁₁ K₃₀,K₃₁ K₂₀,K₂₁ x y z

More Details ∧ ⊕ ∨ ∧ ∨ ∧ x y z For each Alice's input wᵢ: K₉₀,K₉₁ For each Alice's input wᵢ: Alice sends to Bob Kwᵢaᵢ For each Bob's input wᵢ: Alice generates and helps Bob to privately obtain Kwᵢbᵢ For each internal wire w: Alice helps Bob to obtain Kwᵢbᵢ ∧ K₇₀,K₇₁ K₈₀,K₈₁ ⊕ ∨ K₄₀,K₄₁ K₅₀,K₅₁ K₆₀,K₆₁ ∧ ∨ ∧ K₁₀,K₁₁ K₃₀,K₃₁ K₂₀,K₂₁ x y z

More Details ∧ ⊕ ∨ ∧ ∨ ∧ x y z For each Alice's input wᵢ: K₉₀=0,K₉₁=1 For each Alice's input wᵢ: Alice sends to Bob Kwᵢaᵢ For each Bob's input wᵢ: Alice generates and helps Bob to privately obtain Kwᵢbᵢ For each internal wire w: Alice helps Bob to obtain Kwᵢbᵢ ∧ K₇₀,K₇₁ K₈₀,K₈₁ ⊕ ∨ Protocol 1 K₄₀,K₄₁ K₅₀,K₅₁ K₆₀,K₆₁ ∧ ∨ ∧ K₁₀,K₁₁ K₃₀,K₃₁ K₂₀,K₂₁ x y z Protocol 2

Quiz: Protocol 1 j K₀,K₁ Kj Let w be one of Bob's input wires Alice has K₀, K₁ Bob has j Quiz: how to transfer Kj to Bob? Answer: oblivious transfer. CPIR with extra privacy: Bob obtains only one database element j K₀,K₁ Kj

d← c^(f₁ - f₀) · Enc(f₀; r') (2, 1)-OT protocol Protocol r←ℤn* c←Enc(x; r) r'←ℤn* d← c^(f₁ - f₀) · Enc(f₀; r') c pk,sk x∈{0,1} pk f = (f₀,f₁) fᵢ∈{0,1}ᴸ M←Dec(d) d This is oblivious transfer in semihonest model. Honest Bob only obtains M = fx

remarks: OT Computation: small number of PK ops As we saw, Paillier is quite expensive, though Communication: 2 ciphertexts Note: |key| is short, say 128 bits Can use any OT protocol that works with such data

Quiz: Protocol 2 Ku0,...,Kw1 Kui,Kvj Kwk ∧ Let w be one of intermediate wires Alice has keys Ku0, Ku1, Kv0, Kv1, Kw0, Kw1 Bob has Kui, Kvj Quiz: how to transfer Kwk, k = i ∧ j, to Bob? Kw₀,Kw₁ ∧ Other gates are similar Ku₀,Ku₁ Kv₀,Kv₁ Ku0,...,Kw1 Kui,Kvj Answer: garbled gate. Alice sends to Bob {Enc(Kui;Enc(Kvj;Kwk))} Kwk

Note 2: Other gate types can be garbled similarly Garbled AND-gate G₀₀ ← AES (Ku₀, AES (Kv₀, 0²⁰ || Kw₀)) G₀₁ ← AES (Ku₀, AES (Kv₁, 0²⁰ || Kw₀)) G₁₀ ← AES (Ku₁, AES (Kv₀, 0²⁰ || Kw₀)) G₁₁ ← AES (Ku₁, AES (Kv₁, 0²⁰ || Kw₁)) G[w] ← random perm. of Gij Protocol For i' ∈ {0, 1}, j' ∈ {0, 1} K' ← AES⁻¹ (Kui, AES⁻¹ (Kvj, Gi'j')) If K' == 0²⁰ || K'' Kwk ← K''; break Return Kwk G[w] Ku0, Ku1 Kv0, Kv1 Kw0, Kw1 Kui, Kvj Note 1: this protocol is non-interactive. Alice can transfer G[w] to Bob before Bob knows Kui, Kvj. Note 2: Other gate types can be garbled similarly

Remarks: garbled gate Computation: Alice: 8 AES encryptions Bob: 4 AES decryptions in average AES is much (1000×?) faster than PK encryption! Communication: < 500 bits Can replace AES with arbitrary faster but secure block cipher

Full Garbled Circuit protocol Generate new pk for OT For all Bob's input wires i: Prepare OT query Q (bᵢ) c ← (pk, (Q (bᵢ)) for all i) Protocol For all wires w of the circuit: Generate random Kw0, Kw1 Construct G[w] if w is internal d ← (G [w]) for all internal wires w e ← (Kiaᵢ) for all Alice's input wires i For all Bob's input wires i: Let Rᵢ ← Reply (Q (bᵢ), (Ki0, Ki1)) f ← (Rᵢ) for all Bob's input wires i For all Bob's input wires i: Kibᵢ ← Answer (Rᵢ) For all internal wires w of the circuit: Kwk←GarbledGate(Kui,Kvj,G[w]) Return the key of last gate c C, a C, b (d,e,f)

security Bob's privacy: Alice sees only OT queries, so guaranteed by OT security Alice's privacy: Bob sees AES encryptions and OT replies Security guaranteed by AES security, OT security, and correctness of Alice's operation Will omit formal proof of security

Efficiency Round-complexity: 2 msg (one msg by Bob, one by Alice) --- optimal # of rounds Computation: |Bob inputs| OT-s, 8*|circuit size| AES-s Very good, since AES is fast except when circuit size is really large Communication: < 500 bits per gate, thus large Communication is linear in |circuit|, not in |size| :(

Garbled circuits Rounds: 2 Computation: |Bob's input| OT, 8*|circuit size| AES Communication: Θ (|circuit size|) Rounds Communication Computation BDD-based MPC Garbled circuits

Example: Eq Alice's input: a ∈ {0, 1}ⁿ Bob's input: b ∈ {0, 1}ⁿ ∧ = a₁ a₀ b₂ b₁ b₀ a₂ Alice's input: a ∈ {0, 1}ⁿ Bob's input: b ∈ {0, 1}ⁿ Bob's output: [b = a] Circuit size: 2n - 1 Cost: n OT, 8(2n - 1) AES Comp. dominated by OT-s

Non-cryptographic task. Will not elaborate how to optimize? Communication: linear in |circuit size| Task 1: minimize circuit size Computation is dominated, depending on circuit size, by OT-s or GarbledGate's Task 2: minimize complexity of OT-s Task 3: minimize complexity of GarbledCircuit's Non-cryptographic task. Will not elaborate Cryptographic task. Will elaborate

OT complexity minimization Use more efficient (2, 1)-OT Paillier → Elgamal, but can't go much faster OT extension: we need many expensive OT-s need to reduce the number expensive operations

Recall: κ is the security parameter ot extension If input length n is large: need to implement n >> κ expensive OT-s Question: Can we implement n OT-s by using n "cheap operations" and << n OT-s? Recall: κ is the security parameter

Recall: n OTᴸ protocols For i = 1 to n: cᵢ←Q(xᵢ) Protocol For i = 1 to n: Rᵢ ← Reply (cᵢ, (fᵢ₀, fᵢ₁)) For i = 1 to n: Mᵢ←Answer(Rᵢ) (c₁, ..., cn) (fᵢ₀, fᵢ₁)∈{0,1}ᴸ xᵢ∈{0,1} (R₁, ..., Rn)

idea: oT extension Alice obtains from Bob, by using κ << n OT protocols, a number of random bits Alice masks her input by so obtained random bits and her own random input s, and sends the masked values to Bob Bob can "unmask" only 1 / 2 of the transferred values since the rest depends on s

n OTᴸ via OT extension t¹⊕0x t²⊕0x t³⊕0x t₁₁ t₁₂ t₁₃ t₂₁ t₂₂ t₂₃ t₃₁ For i = 1 to n: For j = 1 to κ: tij← {0, 1} For i = 1 to κ: Write tⁱ = (t1i, ..., tni) Compute tⁱ ⊕ x x∈{0,1}ⁿ For i ∈ {1,...,n}: (fᵢ₀, fᵢ₁)∈{0,1}ᴸ t¹⊕0x t²⊕0x t³⊕0x t₁₁ t₁₂ t₁₃ t₂₁ t₂₂ t₂₃ t₃₁ t₃₂ t₃₃ t₄₁ t₄₂ t₄₃ t₅₁ t₅₂ t₅₃ t₆₁ t₆₂ t₆₃

Alice obtains {Aⁱ = tⁱ⊕sᵢx} by using κ OTᵐ-s n OTᴸ via OT extension For i = 1 to n: For j = 1 to κ: tij← {0, 1} For i = 1 to κ: Write tⁱ = (t1i, ..., tni) Compute tⁱ ⊕ x x∈{0,1}ⁿ For i ∈ {1,...,n}: (fᵢ₀, fᵢ₁)∈{0,1}ᴸ s ← {0, 1}^κ Alice obtains {Aⁱ = tⁱ⊕sᵢx} by using κ OTᵐ-s OT(s₁) OT(s₂) OT(s3) t¹⊕0x t¹⊕1x t²⊕0x t²⊕1x t³⊕0x t³⊕1x t₁₁ t₁₁⊕x₁ t₁₂ t₁₂⊕x₁ t₁₃ t₁₃⊕x₁ t₂₁ t₂₁⊕x₂ t₂₂ t₂₂⊕x₂ t₂₃ t₂₃⊕x₂ t₃₁ t₃₁⊕x₃ t₃₂ t₃₂⊕x₃ t₃₃ t₃₃⊕x₃ t₄₁ t₄₁⊕x₄ t₄₂ t₄₂⊕x₄ t₄₃ t₄₃⊕x₄ t₅₁ t₅₁⊕x₅ t₅₂ t₅₂⊕x₅ t₅₃ t₅₃⊕x₅ t₆₁ t₆₁⊕x₆ t₆₂ t₆₂⊕x₆ t₆₃ t₆₃⊕x₆

n OTᴸ via OT extension t¹⊕0x t¹⊕1x t²⊕0x t²⊕1x t³⊕0x t³⊕1x t₁₁ t₁₁⊕x₁ For i = 1 to n: For j = 1 to κ: tij← {0, 1} For i = 1 to κ: Write tⁱ = (t1i, ..., tni) Compute tⁱ ⊕ x x∈{0,1}ⁿ For i ∈ {1,...,n}: (fᵢ₀, fᵢ₁)∈{0,1}ᴸ s ← {0, 1}^κ Alice obtains {Aⁱ = tⁱ⊕sᵢx} by using κ OTᵐ-s OT(s₁) OT(s₂) OT(s3) Bob knows this if xᵢ = 0. Mask fᵢ₀ by it t¹⊕0x t¹⊕1x t²⊕0x t²⊕1x t³⊕0x t³⊕1x t₁₁ t₁₁⊕x₁ t₁₂ t₁₂⊕x₁ t₁₃ t₁₃⊕x₁ t₂₁ t₂₁⊕x₂ t₂₂ t₂₂⊕x₂ t₂₃ t₂₃⊕x₂ t₃₁ t₃₁⊕x₃ t₃₂ t₃₂⊕x₃ t₃₃ t₃₃⊕x₃ t₄₁ t₄₁⊕x₄ t₄₂ t₄₂⊕x₄ t₄₃ t₄₃⊕x₄ t₅₁ t₅₁⊕x₅ t₅₂ t₅₂⊕x₅ t₅₃ t₅₃⊕x₅ t₆₁ t₆₁⊕x₆ t₆₂ t₆₂⊕x₆ t₆₃ t₆₃⊕x₆ Aᵢ = tᵢ⊕xᵢs Aᵢ⊕s = tᵢ⊕(1⊕xᵢ)s Bob knows this if xᵢ = 1. Mask fᵢ₁ by it

full OT extension (q₁, ..., qκ) (R₁, ..., Rκ) Protocol For i = 1 to n: For j = 1 to κ: tij← {0, 1} For i = 1 to κ: Write tⁱ = (t1i, ..., tni) Rᵢ ← Reply (qᵢ, (tⁱ, tⁱ⊕x)) s ← {0, 1}^κ For i = 1 to κ: qᵢ ← Q (sᵢ) (q₁, ..., qκ) Protocol (R₁, ..., Rκ) (y₁₀,y₁₁, ..., yn₀,yn₁) For i = 1 to κ: Aⁱ ←Answer(Rᵢ) // = tⁱ⊕sᵢx // Aᵢ = tᵢ⊕xᵢs, Aᵢ⊕s = tᵢ⊕(1⊕xᵢ)s For i = 1 to n: yᵢ₀ ← fᵢ₀ ⊕ H (Aᵢ) yᵢ₁ ← fᵢ1 ← H (Aᵢ ⊕ s) For i = 1 to n: mᵢ← yi,xi⊕H (tᵢ) Return m x∈{0,1}ⁿ For i ∈ {1,...,n}: (fᵢ₀, fᵢ₁)∈{0,1}ᴸ

security Alice's privacy: Bob sees qᵢ and mᵢ = ... + H (...) Alice's privacy guaranteed by OT privacy and security of H (will not elaborate on latter) Bob's privacy: Alice sees {tⁱ⊕sᵢx}ᵢ - no information revealed about x since tⁱ is random

efficiency ⇒ Alice: κ OT-s of n-bit strings, 2n H-s Bob: κ OT-s of n-bit strings, n H-s If κ << n and Cost(H) << Cost(OT): huge benefit If κ << n ≈ |circuit size|: OT dominates the cost of GC OT extension makes GC many times faster ⇒

G.Gate optimization, 1 Use a more efficient symmetric encryption scheme gives speedup, but not certain how much AES is implemented in Intel hardware Replace AES with a hash function use Bitcoin hardware

G.Gate optimization, 2 Can we reduce the overhead of GarbledGate? G₀₀ ← AES (Ku₀, AES (Kv₀, 0²⁰ || Kw₀)) G₀₁ ← AES (Ku₀, AES (Kv₁, 0²⁰ || Kw₀)) G₁₀ ← AES (Ku₁, AES (Kv₀, 0²⁰ || Kw₀)) G₁₁ ← AES (Ku₁, AES (Kv₁, 0²⁰ || Kw₁)) G[w] ← random perm. of Gij Can we reduce the overhead of GarbledGate? Alice: from 8 AES to smaller number? Bob: from 8 AES⁻¹ to smaller number? For i ∈ {0, 1}, j ∈ {0, 1} K' ← AES⁻¹ (Kui, AES⁻¹ (Kvj, Gij)) If K' == 0²⁰ || K'' Kwk ← K'' break Return Kwk

FreeXOR technique Alice generates random, secret "global difference" Δ She always sets Kw1 ← Kw0⊕Δ For each XOR gate w ← u⊕v: set Kw0 ← Ku0⊕Kv0 The rest of the protocol is unchanged Security ok: since Bob never obtains both Kw0, Kw1, then Δ stays secret ⊕ Ku₀,Ku₀⊕Δ Kv₀,Kv₀⊕Δ Kw₀,Kw₀⊕Δ

FreeXOR technique For each XOR gate: set Kw0 ← Ku0 ⊕ Kv0 Ku0⊕Kv0 = Kw0 Ku1⊕Kv0 = Kw0⊕Δ = Kw1 Ku0⊕Kv1 = Kw0⊕Δ = Kw1 Ku1⊕Kv1 = Kw0⊕Δ⊕Δ = Kw0 No need to transfer G[w] for XOR gates Computation: AES * O(|non-XOR gates|) + XOR * O(|XOR gates|)

Why relevant? {XOR, AND} is a basis of all possible gates Boolean versions of + and · On "average": garbled circuits twice more efficient For many circuits, XOR gates dominate strongly garbled circuits become many times more efficient

Simplifying "aND" + ∧ Idea: AND is a symmetric operation Similar optimization possible with all symmetric gates Idea: AND is a symmetric operation x ∧ y is a function of x + y, not of x and y individually (0 ∧ 0) = 0, (0 ∧ 1) = (1 ∧ 0) = 0, (1 ∧ 1) = 1 Thus x ∧ y = f₀₀₁ (x + y) FreeAdd: use a random Δ in all + gates + Ku₀,Ku₁=Ku₀+Δ Kv₀,Kv₁=Kv₀+Δ Kw₀=Ku₀+Kv₀,Kw₁=Kw₀+Δ,Kw₂=Kw₀+2Δ f₀₀₁ Kz₀,Kz₁ symmetric FreeSym G₀ ← AES (Kw₀, 0²⁰ || Kz₀) G₁ ← AES (Kw₁, 0²⁰ || Kz₀) G₂ ← AES (Kw₂, 0²⁰ || Kz₁) G[w] ← random shuffle of Gᵢ ∧ Ku₀,Ku₁ Kv₀,Kv₁ Kw₀,Kw₁ Local computation 8 AES → 3 AES

Comparison: FreeXOr etc AND Classical 8 FreeXOR FreeSym 2 3 (not covered) 0-2

not covering in this course - just not enough time and more and more Highly parallel: after keys are computed, Alice can compute all garbled gates G [w] in parallel Many more optimizations than fit to the margins Very active research area especially active: efficiency in malicious model A GPU implementation can process hundreds/thousands of gates in parallel not covering in this course - just not enough time

GC: OUTRO Computationally very efficient Main problem: huge communication Another problem: circuit optimization In many cases, it is more natural to work in some other computational model For example: circuit for integer multiplication is large

next lecture Pairings: algebraically "one step up" from exponentiation instead of linear functions, allow to compute quadratic functions on ciphertexts, non- interactively Many, many applications - incl. efficient NIZK