Cryptographic protocols 2015, Lecture 14 Garbled Circuits

Slides:



Advertisements
Similar presentations
Quid-Pro-Quo-tocols Strengthening Semi-Honest Protocols with Dual Execution Yan Huang 1, Jonathan Katz 2, David Evans 1 1. University of Virginia 2. University.
Advertisements

Computer Security Set of slides 4 Dr Alexei Vernitski.
Secure Evaluation of Multivariate Polynomials
Oblivious Branching Program Evaluation
Rational Oblivious Transfer KARTIK NAYAK, XIONG FAN.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
Amortizing Garbled Circuits Yan Huang, Jonathan Katz, Alex Malozemoff (UMD) Vlad Kolesnikov (Bell Labs) Ranjit Kumaresan (Technion) Cut-and-Choose Yao-Based.
Introduction to Modern Cryptography, Lecture 12 Secure Multi-Party Computation.
General Cryptographic Protocols (aka secure multi-party computation) Oded Goldreich Weizmann Institute of Science.
Yan Huang, Jonathan Katz, David Evans University of Maryland, University of Virginia Efficient Secure Two-Party Computation Using Symmetric Cut-and-Choose.
Session 5 Hash functions and digital signatures. Contents Hash functions – Definition – Requirements – Construction – Security – Applications 2/44.
Oblivious Transfer based on the McEliece Assumptions
1 Introduction to Secure Computation Benny Pinkas HP Labs, Princeton.
Slide 1 Vitaly Shmatikov CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties.
Practical Techniques for Searches on Encrypted Data Yongdae Kim Written by Song, Wagner, Perrig.
Public Key Encryption and the RSA Public Key Algorithm CSCI 5857: Encoding and Encryption.
Slide 1 Vitaly Shmatikov CS 380S Yao’s Protocol. slide Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert.
Secure two-party computation: a visual way by Paolo D’Arco and Roberto De Prisco.
Slide 1 Yao’s Protocol. slide Yao’s Protocol uCompute any function securely … in the semi-honest model uFirst, convert the function into a boolean.
Privacy-Preserving Credit Checking Keith Frikken, Mikhail Atallah, and Chen Zhang Purdue University June 7, 2005.
1 Secure Multi-party Computation Minimizing Online Rounds Seung Geol Choi Columbia University Joint work with Ariel Elbaz(Columbia University) Tal Malkin(Columbia.
Secure Computation Lecture Arpita Patra. Recap >> Improving the complexity of GMW > Step I: Offline: O(n 2 c AND ) OTs; Online: i.t., no crypto.
Secure Computation (Lecture 9-10) Arpita Patra. Recap >> MPC with honest majority in i.t. settings > Protocol using (n,t)-sharing, proof of security---
Aggelos Kiayias, Nikos Leonardos, Helger Lipmaa, Kateryna Pavlyk, and Qiang Tang FIT 2016, February 6, 2016.
1 / 23 Efficient Garbling from A Fixed-key Blockcipher Applied MPC workshop February 20, 2014 Mihir Bellare UC San Diego Viet Tung Hoang UC San Diego Phillip.
Cryptographic methods. Outline  Preliminary Assumptions Public-key encryption  Oblivious Transfer (OT)  Random share based methods  Homomorphic Encryption.
Multi-Party Computation r n parties: P 1,…,P n  P i has input s i  Parties want to compute f(s 1,…,s n ) together  P i doesn’t want any information.
Cryptography Lecture 13 Arpita Patra
Garbling Techniques David Evans
A Fixed-key Blockcipher
Attacks on Public Key Encryption Algorithms
On the Size of Pairing-based Non-interactive Arguments
Public Key Encryption Systems
MPC and Verifiable Computation on Committed Data
Foundations of Secure Computation
Committed MPC Multiparty Computation from Homomorphic Commitments
Basic Network Encryption
Cryptographic protocols 2014, Lecture 2 assumptions and reductions
Secret Sharing (or, more accurately, “Secret Splitting”)
The first Few Slides stolen from Boaz Barak
Course Business I am traveling April 25-May 3rd
Cryptography CS 555 Lecture 22
Cryptographic protocols 2014, Lecture 8 multi-round and multi-party
Maliciously Secure Two-Party Computation
Cryptographic protocols 2015, Lecture 1 Introduction
Helger Lipmaa University of Tartu, Estonia
Cryptographic protocols 2014, Lecture 6
cryptographic protocols 2014, lecture 14 Groth-Sahai proofs
Security through Encryption
Cryptography Lecture 24.
cryptographic protocols 2014, lecture 12 Getting full zero knowledge
Cryptographic protocols 2016, Lecture 9 multi-party computation
Privacy Preserving analytics Private Set Intersection(PSI)
Multi-Party Computation: Second year
Cryptographic protocols 2016, Lecture 3 Key Exchange, CDH, DDH
Cryptographic protocols 2015, Lecture 3 Key Exchange, CDH, DDH
Number Representation & Operators
Malicious-Secure Private Set Intersection via Dual Execution
Cryptography Lecture 8.
Cryptographic protocols 2016, Lecture 8 multi-round protocols
MPC Scenario 1. “Privacy-protected contingency tables”
Basic Network Encryption
Helen: Maliciously Secure Coopetitive Learning for Linear Models
Oblivious Transfer.
Cryptography Lecture 16.
Identity Based Encryption from the Diffie-Hellman Assumption
ITIS 6200/8200 Chap 5 Dr. Weichao Wang.
A Light-weight Oblivious Transfer Protocol Based on Channel Noise
Presentation transcript:

Cryptographic protocols 2015, Lecture 14 Garbled Circuits helger lipmaa, university of tartu

Up to now We saw secure computation protocols with tradeoffs Rounds Communication Computation BDD-based MPC

This lecture We saw secure computation protocols with tradeoffs This time: another tradeoff Rounds Communication Computation BDD-based Multi-round Garbled circuits

Recall: Boolean circuits A computation model Every node evaluates a Boolean function on its inputs Output of circuit: top value Complexity class of all Boolean functions that can be evaluated by circuits = class of efficient Boolean functions (P/poly) ∧ ⊕ ∨ ∧ ∨ ∧ x y z

Boolean circuits Gate implements a function f:{0, 1}² → {0, 1} Circuit implements a function C: {0, 1}ⁿ → {0, 1} ∧ ⊕ ∨ ∧ ∨ ∧ x y z

Boolean circuits Fix values of input gates 0,1 Fix values of input gates Each wire w obtains recursively a value V[w]∈{0, 1} Circuit outputs the value of the output wire V[output] ∧ 0,1 0,1 ⊕ ∨ 0,1 0,1 0,1 ∧ ∨ ∧ 0,1 0,1 0,1 x y z

Boolean circuits Fix values of input gates 0,1 Fix values of input gates Each wire w obtains recursively a value V[w]∈{0, 1} Circuit outputs the value of the output wire V[output] ∧ 0,1 0,1 ⊕ ∨ 0,1 0,1 0,1 ∧ ∨ ∧ 0,1 0,1 0,1 x y z

Boolean circuits Fix values of input gates 0,1 Fix values of input gates Each wire w obtains recursively a value V[w]∈{0, 1} Circuit outputs the value of the output wire V[output] ∧ 0,1 0,1 ⊕ ∨ 0,1 0,1 0,1 ∧ ∨ ∧ 0,1 0,1 0,1 x y z

Boolean circuits Fix values of input gates 0,1 Fix values of input gates Each wire w obtains recursively a value V[w]∈{0, 1} Circuit outputs the value of the output wire V[output] ∧ 0,1 0,1 ⊕ ∨ 0,1 0,1 0,1 ∧ ∨ ∧ 0,1 0,1 0,1 x y z

Boolean circuits 0,1 Let wᵢ (m) be the value of wᵢ, given input assignment m Thus for m = 010, C (m) = 1 ∧ 0,1 0,1 ⊕ ∨ 0,1 0,1 0,1 ∧ ∨ ∧ 0,1 0,1 0,1 x y z

Boolean circuits 16 Boolean functions, so 16 possible gate types Possible basis: {∧,⊕} ¬x = 1⊕x x∨y = ¬(¬x∧¬y) = 1⊕((1⊕x)∧(1⊕y)) = x⊕y⊕(x∧y) ∧ ⊕ ∨ ∧ ∨ ∧ x y z

Garbled circuits: Goal 0,1 Alice knows input a Bob knows input b Bob will get to know C (a, b) ... without learning anything about Alice's input and the intermediate wire values ∧ 0,1 0,1 ⊕ ∨ 0,1 0,1 0,1 ∧ ∨ ∧ 0,1 0,1 0,1 x y z

Garbled circuits: idea 0,1 "Garble" all wire values for wire w, 0 → Kw0, 1 → Kw1 except for output wire where Kwj=j Main idea: Allow Bob to obtain only one Kwj of two garbled values corresponding to each wire ∧ for random keys, chosen by Alice 0,1 0,1 ⊕ ∨ 0,1 0,1 0,1 ∧ ∨ ∧ 0,1 0,1 0,1 x y z

More Details ∧ ⊕ ∨ ∧ ∨ ∧ x y z For each Alice's input wᵢ: K₉₀,K₉₁ For each Alice's input wᵢ: Alice sends to Bob Kwᵢaᵢ For each Bob's input wᵢ: Alice generates and helps Bob to privately obtain Kwᵢbᵢ For each internal wire w: Alice helps Bob to obtain Kwᵢbᵢ ∧ K₇₀,K₇₁ K₈₀,K₈₁ ⊕ ∨ K₄₀,K₄₁ K₅₀,K₅₁ K₆₀,K₆₁ ∧ ∨ ∧ K₁₀,K₁₁ K₃₀,K₃₁ K₂₀,K₂₁ x y z

More Details ∧ ⊕ ∨ ∧ ∨ ∧ x y z For each Alice's input wᵢ: K₉₀,K₉₁ For each Alice's input wᵢ: Alice sends to Bob Kwᵢaᵢ For each Bob's input wᵢ: Alice generates and helps Bob to privately obtain Kwᵢbᵢ For each internal wire w: Alice helps Bob to obtain Kwᵢbᵢ ∧ K₇₀,K₇₁ K₈₀,K₈₁ ⊕ ∨ K₄₀,K₄₁ K₅₀,K₅₁ K₆₀,K₆₁ ∧ ∨ ∧ K₁₀,K₁₁ K₃₀,K₃₁ K₂₀,K₂₁ x y z

More Details ∧ ⊕ ∨ ∧ ∨ ∧ x y z For each Alice's input wᵢ: K₉₀=0,K₉₁=1 For each Alice's input wᵢ: Alice sends to Bob Kwᵢaᵢ For each Bob's input wᵢ: Alice generates and helps Bob to privately obtain Kwᵢbᵢ For each internal wire w: Alice helps Bob to obtain Kwᵢbᵢ ∧ K₇₀,K₇₁ K₈₀,K₈₁ ⊕ ∨ Protocol 1 K₄₀,K₄₁ K₅₀,K₅₁ K₆₀,K₆₁ ∧ ∨ ∧ K₁₀,K₁₁ K₃₀,K₃₁ K₂₀,K₂₁ x y z Protocol 2

Quiz: Protocol 1 j K₀,K₁ Kj Let w be one of Bob's input wires Alice has K₀, K₁ Bob has j Quiz: how to transfer Kj to Bob? Answer: oblivious transfer. CPIR with extra privacy: Bob obtains only one database element j K₀,K₁ Kj

d← c^(f₁ - f₀) · Enc(f₀; r') (2, 1)-OT protocol Protocol r←ℤn* c←Enc(x; r) r'←ℤn* d← c^(f₁ - f₀) · Enc(f₀; r') c pk,sk x∈{0,1} pk f = (f₀,f₁) fᵢ∈{0,1}ᴸ M←Dec(d) d This is oblivious transfer in semihonest model. Honest Bob only obtains M = fx

remarks: OT Computation: small number of PK ops As we saw, Paillier is quite expensive, though Communication: 2 ciphertexts Note: |key| is short, say 128 bits Can use any OT protocol that works with such data

Quiz: Protocol 2 Ku0,...,Kw1 Kui,Kvj Kwk ∧ Let w be one of intermediate wires Alice has keys Ku0, Ku1, Kv0, Kv1, Kw0, Kw1 Bob has Kui, Kvj Quiz: how to transfer Kwk, k = i ∧ j, to Bob? Kw₀,Kw₁ ∧ Other gates are similar Ku₀,Ku₁ Kv₀,Kv₁ Ku0,...,Kw1 Kui,Kvj Answer: garbled gate. Alice sends to Bob {Enc(Kui;Enc(Kvj;Kwk))} Kwk

Note 2: Other gate types can be garbled similarly Garbled AND-gate G₀₀ ← AES (Ku₀, AES (Kv₀, 0²⁰ || Kw₀)) G₀₁ ← AES (Ku₀, AES (Kv₁, 0²⁰ || Kw₀)) G₁₀ ← AES (Ku₁, AES (Kv₀, 0²⁰ || Kw₀)) G₁₁ ← AES (Ku₁, AES (Kv₁, 0²⁰ || Kw₁)) G[w] ← random perm. of Gij Protocol For i' ∈ {0, 1}, j' ∈ {0, 1} K' ← AES⁻¹ (Kui, AES⁻¹ (Kvj, Gi'j')) If K' == 0²⁰ || K'' Kwk ← K''; break Return Kwk G[w] Ku0, Ku1 Kv0, Kv1 Kw0, Kw1 Kui, Kvj Note 1: this protocol is non-interactive. Alice can transfer G[w] to Bob before Bob knows Kui, Kvj. Note 2: Other gate types can be garbled similarly

Remarks: garbled gate Computation: Alice: 8 AES encryptions Bob: 4 AES decryptions in average AES is much (1000×?) faster than PK encryption! Communication: < 500 bits Can replace AES with arbitrary faster but secure block cipher

Full Garbled Circuit protocol Generate new pk for OT For all Bob's input wires i: Prepare OT query Q (bᵢ) c ← (pk, (Q (bᵢ)) for all i) Protocol For all wires w of the circuit: Generate random Kw0, Kw1 Construct G[w] if w is internal d ← (G [w]) for all internal wires w e ← (Kiaᵢ) for all Alice's input wires i For all Bob's input wires i: Let Rᵢ ← Reply (Q (bᵢ), (Ki0, Ki1)) f ← (Rᵢ) for all Bob's input wires i For all Bob's input wires i: Kibᵢ ← Answer (Rᵢ) For all internal wires w of the circuit: Kwk←GarbledGate(Kui,Kvj,G[w]) Return the key of last gate c C, a C, b (d,e,f)

security Bob's privacy: Alice sees only OT queries, so guaranteed by OT security Alice's privacy: Bob sees AES encryptions and OT replies Security guaranteed by AES security, OT security, and correctness of Alice's operation Will omit formal proof of security

Efficiency Round-complexity: 2 msg (one msg by Bob, one by Alice) --- optimal # of rounds Computation: |Bob inputs| OT-s, 8*|circuit size| AES-s Very good, since AES is fast except when circuit size is really large Communication: < 500 bits per gate, thus large Communication is linear in |circuit|, not in |size| :(

Garbled circuits Rounds: 2 Computation: |Bob's input| OT, 8*|circuit size| AES Communication: Θ (|circuit size|) Rounds Communication Computation BDD-based MPC Garbled circuits

Example: Eq Alice's input: a ∈ {0, 1}ⁿ Bob's input: b ∈ {0, 1}ⁿ ∧ = a₁ a₀ b₂ b₁ b₀ a₂ Alice's input: a ∈ {0, 1}ⁿ Bob's input: b ∈ {0, 1}ⁿ Bob's output: [b = a] Circuit size: 2n - 1 Cost: n OT, 8(2n - 1) AES Comp. dominated by OT-s

Non-cryptographic task. Will not elaborate how to optimize? Communication: linear in |circuit size| Task 1: minimize circuit size Computation is dominated, depending on circuit size, by OT-s or GarbledGate's Task 2: minimize complexity of OT-s Task 3: minimize complexity of GarbledCircuit's Non-cryptographic task. Will not elaborate Cryptographic task. Will elaborate

OT complexity minimization Use more efficient (2, 1)-OT Paillier → Elgamal, but can't go much faster OT extension: we need many expensive OT-s need to reduce the number expensive operations

Recall: κ is the security parameter ot extension If input length n is large: need to implement n >> κ expensive OT-s Question: Can we implement n OT-s by using n "cheap operations" and << n OT-s? Recall: κ is the security parameter

Recall: n OTᴸ protocols For i = 1 to n: cᵢ←Q(xᵢ) Protocol For i = 1 to n: Rᵢ ← Reply (cᵢ, (fᵢ₀, fᵢ₁)) For i = 1 to n: Mᵢ←Answer(Rᵢ) (c₁, ..., cn) (fᵢ₀, fᵢ₁)∈{0,1}ᴸ xᵢ∈{0,1} (R₁, ..., Rn)

idea: oT extension Alice obtains from Bob, by using κ << n OT protocols, a number of random bits Alice masks her input by so obtained random bits and her own random input s, and sends the masked values to Bob Bob can "unmask" only 1 / 2 of the transferred values since the rest depends on s

n OTᴸ via OT extension t¹⊕0x t²⊕0x t³⊕0x t₁₁ t₁₂ t₁₃ t₂₁ t₂₂ t₂₃ t₃₁ For i = 1 to n: For j = 1 to κ: tij← {0, 1} For i = 1 to κ: Write tⁱ = (t1i, ..., tni) Compute tⁱ ⊕ x x∈{0,1}ⁿ For i ∈ {1,...,n}: (fᵢ₀, fᵢ₁)∈{0,1}ᴸ t¹⊕0x t²⊕0x t³⊕0x t₁₁ t₁₂ t₁₃ t₂₁ t₂₂ t₂₃ t₃₁ t₃₂ t₃₃ t₄₁ t₄₂ t₄₃ t₅₁ t₅₂ t₅₃ t₆₁ t₆₂ t₆₃

Alice obtains {Aⁱ = tⁱ⊕sᵢx} by using κ OTᵐ-s n OTᴸ via OT extension For i = 1 to n: For j = 1 to κ: tij← {0, 1} For i = 1 to κ: Write tⁱ = (t1i, ..., tni) Compute tⁱ ⊕ x x∈{0,1}ⁿ For i ∈ {1,...,n}: (fᵢ₀, fᵢ₁)∈{0,1}ᴸ s ← {0, 1}^κ Alice obtains {Aⁱ = tⁱ⊕sᵢx} by using κ OTᵐ-s OT(s₁) OT(s₂) OT(s3) t¹⊕0x t¹⊕1x t²⊕0x t²⊕1x t³⊕0x t³⊕1x t₁₁ t₁₁⊕x₁ t₁₂ t₁₂⊕x₁ t₁₃ t₁₃⊕x₁ t₂₁ t₂₁⊕x₂ t₂₂ t₂₂⊕x₂ t₂₃ t₂₃⊕x₂ t₃₁ t₃₁⊕x₃ t₃₂ t₃₂⊕x₃ t₃₃ t₃₃⊕x₃ t₄₁ t₄₁⊕x₄ t₄₂ t₄₂⊕x₄ t₄₃ t₄₃⊕x₄ t₅₁ t₅₁⊕x₅ t₅₂ t₅₂⊕x₅ t₅₃ t₅₃⊕x₅ t₆₁ t₆₁⊕x₆ t₆₂ t₆₂⊕x₆ t₆₃ t₆₃⊕x₆

n OTᴸ via OT extension t¹⊕0x t¹⊕1x t²⊕0x t²⊕1x t³⊕0x t³⊕1x t₁₁ t₁₁⊕x₁ For i = 1 to n: For j = 1 to κ: tij← {0, 1} For i = 1 to κ: Write tⁱ = (t1i, ..., tni) Compute tⁱ ⊕ x x∈{0,1}ⁿ For i ∈ {1,...,n}: (fᵢ₀, fᵢ₁)∈{0,1}ᴸ s ← {0, 1}^κ Alice obtains {Aⁱ = tⁱ⊕sᵢx} by using κ OTᵐ-s OT(s₁) OT(s₂) OT(s3) Bob knows this if xᵢ = 0. Mask fᵢ₀ by it t¹⊕0x t¹⊕1x t²⊕0x t²⊕1x t³⊕0x t³⊕1x t₁₁ t₁₁⊕x₁ t₁₂ t₁₂⊕x₁ t₁₃ t₁₃⊕x₁ t₂₁ t₂₁⊕x₂ t₂₂ t₂₂⊕x₂ t₂₃ t₂₃⊕x₂ t₃₁ t₃₁⊕x₃ t₃₂ t₃₂⊕x₃ t₃₃ t₃₃⊕x₃ t₄₁ t₄₁⊕x₄ t₄₂ t₄₂⊕x₄ t₄₃ t₄₃⊕x₄ t₅₁ t₅₁⊕x₅ t₅₂ t₅₂⊕x₅ t₅₃ t₅₃⊕x₅ t₆₁ t₆₁⊕x₆ t₆₂ t₆₂⊕x₆ t₆₃ t₆₃⊕x₆ Aᵢ = tᵢ⊕xᵢs Aᵢ⊕s = tᵢ⊕(1⊕xᵢ)s Bob knows this if xᵢ = 1. Mask fᵢ₁ by it

full OT extension (q₁, ..., qκ) (R₁, ..., Rκ) Protocol For i = 1 to n: For j = 1 to κ: tij← {0, 1} For i = 1 to κ: Write tⁱ = (t1i, ..., tni) Rᵢ ← Reply (qᵢ, (tⁱ, tⁱ⊕x)) s ← {0, 1}^κ For i = 1 to κ: qᵢ ← Q (sᵢ) (q₁, ..., qκ) Protocol (R₁, ..., Rκ) (y₁₀,y₁₁, ..., yn₀,yn₁) For i = 1 to κ: Aⁱ ←Answer(Rᵢ) // = tⁱ⊕sᵢx // Aᵢ = tᵢ⊕xᵢs, Aᵢ⊕s = tᵢ⊕(1⊕xᵢ)s For i = 1 to n: yᵢ₀ ← fᵢ₀ ⊕ H (Aᵢ) yᵢ₁ ← fᵢ1 ← H (Aᵢ ⊕ s) For i = 1 to n: mᵢ← yi,xi⊕H (tᵢ) Return m x∈{0,1}ⁿ For i ∈ {1,...,n}: (fᵢ₀, fᵢ₁)∈{0,1}ᴸ

security Alice's privacy: Bob sees qᵢ and mᵢ = ... + H (...) Alice's privacy guaranteed by OT privacy and security of H (will not elaborate on latter) Bob's privacy: Alice sees {tⁱ⊕sᵢx}ᵢ - no information revealed about x since tⁱ is random

efficiency ⇒ Alice: κ OT-s of n-bit strings, 2n H-s Bob: κ OT-s of n-bit strings, n H-s If κ << n and Cost(H) << Cost(OT): huge benefit If κ << n ≈ |circuit size|: OT dominates the cost of GC OT extension makes GC many times faster ⇒

G.Gate optimization, 1 Use a more efficient symmetric encryption scheme gives speedup, but not certain how much AES is implemented in Intel hardware Replace AES with a hash function use Bitcoin hardware

G.Gate optimization, 2 Can we reduce the overhead of GarbledGate? G₀₀ ← AES (Ku₀, AES (Kv₀, 0²⁰ || Kw₀)) G₀₁ ← AES (Ku₀, AES (Kv₁, 0²⁰ || Kw₀)) G₁₀ ← AES (Ku₁, AES (Kv₀, 0²⁰ || Kw₀)) G₁₁ ← AES (Ku₁, AES (Kv₁, 0²⁰ || Kw₁)) G[w] ← random perm. of Gij Can we reduce the overhead of GarbledGate? Alice: from 8 AES to smaller number? Bob: from 8 AES⁻¹ to smaller number? For i ∈ {0, 1}, j ∈ {0, 1} K' ← AES⁻¹ (Kui, AES⁻¹ (Kvj, Gij)) If K' == 0²⁰ || K'' Kwk ← K'' break Return Kwk

FreeXOR technique Alice generates random, secret "global difference" Δ She always sets Kw1 ← Kw0⊕Δ For each XOR gate w ← u⊕v: set Kw0 ← Ku0⊕Kv0 The rest of the protocol is unchanged Security ok: since Bob never obtains both Kw0, Kw1, then Δ stays secret ⊕ Ku₀,Ku₀⊕Δ Kv₀,Kv₀⊕Δ Kw₀,Kw₀⊕Δ

FreeXOR technique For each XOR gate: set Kw0 ← Ku0 ⊕ Kv0 Ku0⊕Kv0 = Kw0 Ku1⊕Kv0 = Kw0⊕Δ = Kw1 Ku0⊕Kv1 = Kw0⊕Δ = Kw1 Ku1⊕Kv1 = Kw0⊕Δ⊕Δ = Kw0 No need to transfer G[w] for XOR gates Computation: AES * O(|non-XOR gates|) + XOR * O(|XOR gates|)

Why relevant? {XOR, AND} is a basis of all possible gates Boolean versions of + and · On "average": garbled circuits twice more efficient For many circuits, XOR gates dominate strongly garbled circuits become many times more efficient

Simplifying "aND" + ∧ Idea: AND is a symmetric operation Similar optimization possible with all symmetric gates Idea: AND is a symmetric operation x ∧ y is a function of x + y, not of x and y individually (0 ∧ 0) = 0, (0 ∧ 1) = (1 ∧ 0) = 0, (1 ∧ 1) = 1 Thus x ∧ y = f₀₀₁ (x + y) FreeAdd: use a random Δ in all + gates + Ku₀,Ku₁=Ku₀+Δ Kv₀,Kv₁=Kv₀+Δ Kw₀=Ku₀+Kv₀,Kw₁=Kw₀+Δ,Kw₂=Kw₀+2Δ f₀₀₁ Kz₀,Kz₁ symmetric FreeSym G₀ ← AES (Kw₀, 0²⁰ || Kz₀) G₁ ← AES (Kw₁, 0²⁰ || Kz₀) G₂ ← AES (Kw₂, 0²⁰ || Kz₁) G[w] ← random shuffle of Gᵢ ∧ Ku₀,Ku₁ Kv₀,Kv₁ Kw₀,Kw₁ Local computation 8 AES → 3 AES

Comparison: FreeXOr etc AND Classical 8 FreeXOR FreeSym 2 3 (not covered) 0-2

not covering in this course - just not enough time and more and more Highly parallel: after keys are computed, Alice can compute all garbled gates G [w] in parallel Many more optimizations than fit to the margins Very active research area especially active: efficiency in malicious model A GPU implementation can process hundreds/thousands of gates in parallel not covering in this course - just not enough time

GC: OUTRO Computationally very efficient Main problem: huge communication Another problem: circuit optimization In many cases, it is more natural to work in some other computational model For example: circuit for integer multiplication is large

next lecture Pairings: algebraically "one step up" from exponentiation instead of linear functions, allow to compute quadratic functions on ciphertexts, non- interactively Many, many applications - incl. efficient NIZK