Garbling Techniques David Evans


1 Garbling Techniques David Evans www.cs.virginia.edu/evans
Summer School on Secure Computation University of Notre Dame 9 May 2016

2 Collaborators Samee Zahur (UVA) Mike Rosulek (Oregon State)

3 Recap: Garbled Table
AND gate: inputs a (a0 or a1) and b (b0 or b1), output x
E_{a1,b0}(x0), E_{a0,b1}(x0), E_{a1,b1}(x1), E_{a0,b0}(x0)

4 This Lecture
2 ciphertexts (AND)
0 ciphertexts (XOR)
What to use for E
Open Research Questions
Inputs a, b; output x: E_{a1,b0}(x0), E_{a0,b1}(x0), E_{a1,b1}(x1), E_{a0,b0}(x0)

5 Garbling is a fundamental primitive
Formalizing Garbling (CCS 2012)

6 [Diagram] Garble: f → garbled circuit F, encoding info e, decoding info d. Encode: e, x → garbled input X. Evaluate: F, X → garbled output Y. Decode: d, Y → z.

7 garbled circuit F Evaluate Y Garble Encode X Decode f e z x d
Correctness property:

8 garbled circuit F Evaluate Y Garble Encode X Decode f e f(x) x d
Security properties:

9 Security properties
[Diagram labels: Garble, Encode, Evaluate, Decode; f, garbled circuit F, e, X, Y, f(x), d, x]
Privacy: F, X, and d reveal nothing beyond f(x)
Obliviousness: F, X reveal nothing (new)
Authenticity: given F, X, hard to find Y’ such that: Decode(Y’, d) ∉ { f(x), error }

10 Cost of Garbling
[Diagram labels: Garble, Encode, Evaluate, Decode; f, garbled circuit F, e, X, Y, f(x), d, x]
Storage and Bandwidth:
large functions: dominated by size of F
small functions: encode also matters
Computation: Garble, Evaluate, Encode, Decode

11 FOCS 1982 Yao’s Garbling Scheme? FOCS 1986

12 FOCS 1982 Yao’s Garbling Scheme? FOCS 1986 Neither paper (or any other by Yao) actually describes Yao’s Garbled Circuits

13 Simple Garbling
Inputs a, b; output x
E_{a1,b0}(x0), E_{a0,b1}(x0), E_{a1,b1}(x1), E_{a0,b0}(x0)

14 Simple Garbling
E_{a1,b0}(x0), E_{a0,b1}(x0), E_{a1,b1}(x1), E_{a0,b0}(x0)

15 Simple Garbling
E_{a1,b0}(x0), E_{a0,b1}(x0), E_{a1,b1}(x1), E_{a0,b0}(x0)
Try all four, can tell valid encryption output

16 Single Hash Garbling
E_{a1,b0}(x0), E_{a0,b1}(x0), E_{a1,b1}(x1), E_{a0,b0}(x0)

17 Single Hash Garbling
E_{a1,b0}(x0), E_{a0,b1}(x0), E_{a1,b1}(x1), E_{a0,b0}(x0)
How can the evaluator know which row to decrypt?

18 Point-and-Permute
Select random bit for each wire: rw
Set last bit of w0 to rw, w1 to ¬rw
ra = 0, rb = 0: Enc_{a0,b0}(c0), Enc_{a0,b1}(c0), Enc_{a1,b0}(c0), Enc_{a1,b1}(c1)
Beaver, Micali and Rogaway [STOC 1990]

19 Point-and-Permute
Select random bit for each wire: rw
Set last bit of w0 to rw, w1 to ¬rw
Order table canonically: 00/01/10/11
ra = 1, rb = 1: Enc_{a1,b1}(c1), Enc_{a1,b0}(c0), Enc_{a0,b1}(c0), Enc_{a0,b0}(c0)
Beaver, Micali and Rogaway [STOC 1990]

20 Point-and-Permute
ra = 1, rb = 1
Encoding garble table entries: Enc_{a1,b1}(c1), Enc_{a1,b0}(c0), Enc_{a0,b1}(c0), Enc_{a0,b0}(c0)
Enc subscripts: input wire labels (with selection bits); argument: output wire label
Beaver, Micali and Rogaway [STOC 1990]
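
Point-and-permute for a single AND gate, as an added example that is not part of the original slides: the generator places each of the four ciphertexts at the row named by the input labels' selection bits, so the evaluator decrypts exactly one row with one hash. The 16-byte label length, the SHA-256(A || B || gateID) ⊕ C encryption truncated to a label, and all function names are assumptions of this sketch.

```python
import hashlib
import secrets

K = 16  # label length in bytes (an assumption of this example)

def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def H(A, B, gate_id):
    # SHA-256(A || B || gateID), truncated to one label; XORed with C below.
    return hashlib.sha256(A + B + gate_id.to_bytes(8, "big")).digest()[:K]

def new_wire():
    """Return (w0, w1): last bit of w0 is a random r_w, last bit of w1 is NOT r_w."""
    r = secrets.randbits(1)
    w0, w1 = bytearray(secrets.token_bytes(K)), bytearray(secrets.token_bytes(K))
    w0[-1] = (w0[-1] & 0xFE) | r
    w1[-1] = (w1[-1] & 0xFE) | (r ^ 1)
    return bytes(w0), bytes(w1)

def row(A, B):
    # Canonical order 00/01/10/11, indexed by the two labels' selection bits.
    return 2 * (A[-1] & 1) + (B[-1] & 1)

def garble_and(a, b, c, gate_id):
    """Generator: 4 hashes, 4 ciphertexts, each placed by selection bits."""
    table = [None] * 4
    for va in (0, 1):
        for vb in (0, 1):
            A, B = a[va], b[vb]
            table[row(A, B)] = xor(H(A, B, gate_id), c[va & vb])
    return table

def evaluate(A, B, table, gate_id):
    """Evaluator: selection bits pick the row, so 1 hash and no trial decryption."""
    return xor(H(A, B, gate_id), table[row(A, B)])

def demo(gate_id=1):
    """Garble one AND gate and check all four input combinations."""
    a, b, c = new_wire(), new_wire(), new_wire()
    table = garble_and(a, b, c, gate_id)
    return all(evaluate(a[va], b[vb], table, gate_id) == c[va & vb]
               for va in (0, 1) for vb in (0, 1))
```

Because r_w is random per wire, the row index the evaluator uses is independent of the semantic values a and b.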

21 garbled circuit F Evaluate Y Garble Encode X Decode f e f(x) x d

22 garbled circuit F Evaluate Y Garble Encode X Decode f e f(x) x d
Compute: 4 hashes per gate Compute: 1 hash per gate Bandwidth: 4 ciphertexts per gate

23 Garbled Row Reduction Naor, Pinkas and Sumner [1999]

24 Garbled Row Reduction Naor, Pinkas and Sumner [1999]

25 Garbled Row Reduction Naor, Pinkas and Sumner [1999]

26 Basic Scheme
[Diagram labels: Garble, Encode, Evaluate, Decode; f, garbled circuit F, e, X, Y, f(x), d, x]
Compute: 4 hashes per gate
Compute: 1 hash per gate
Bandwidth: 4 ciphertexts per gate
Garbled Row Reduction

27 Basic Scheme
[Diagram labels: Garble, Encode, Evaluate, Decode; f, garbled circuit F, e, X, Y, f(x), d, x]
Compute: 4 hashes per gate
Compute: 1 hash per gate
Bandwidth: 4 ciphertexts per gate
Garbled Row Reduction
Bandwidth: 3 ciphertexts per gate

28 Free-XOR Global generator secret Kolesnikov and Schneider [ICALP 2008]

29 Free-XOR Global generator secret Kolesnikov and Schneider [2008]

30 Free-XOR Global generator secret Kolesnikov and Schneider [2008]

31 Free-XOR
Global generator secret
XOR are free! No ciphertexts or encryption needed.
Kolesnikov and Schneider [2008]

32 Security Assumptions for Free-XOR
ICALP 2008: Proved secure in Random Oracle model. Speculated that Correlation Robustness was sufficient.
TCC 2012: Correlation Robustness is not enough. Proved secure with related-key and circularity assumption.

33 Basic, Point-and-Permute, Garbled Row Reduction, Free XOR
Odd (AND): Generator Encryptions (H) 4; Evaluator Encryptions (H) 1; Ciphertexts Transmitted 3
Even (XOR)

34 Double Garbled Row Reduction (GRR2)
E_{A0,B0}(C0), E_{A0,B1}(C1), E_{A1,B0}(C0), E_{A1,B1}(C0)
Instead of learning output directly, need to do more work to find it
Pinkas, Schneider, Smart, Williams 2009

35 GRR2 Pinkas, Schneider, Smart, Williams 2009

36 GRR2 Pinkas, Schneider, Smart, Williams 2009

37 GRR2 Pinkas, Schneider, Smart, Williams 2009

38 GRR2 C0 = P(0) C1 = P(1) Pinkas, Schneider, Smart, Williams 2009

39 GRR2 P(5) P(6) Garbled table: C0 = P(0) C1 = P(1)
Pinkas, Schneider, Smart, Williams 2009

40 GRR2 P(5) P(6) Incompatible with free-XOR Garbled table: C0 = P(0)
Pinkas, Schneider, Smart, Williams 2009

41 Basic, Point-and-Permute, GRR-1, Free XOR + GRR-1 + PnP
Odd (AND): Generator Encryptions (H) 4, 4+; Evaluator Encryptions (H) 1, 1+; Ciphertexts Transmitted 3, 2
Even (XOR)

42 FleXOR GRR-2 Gates Free-XOR Gates Single Ciphertext to Convert S
Kolesnikov, Mohassel, Rosulek 2014

43 Free XOR + GRR-1 + PnP, GRR-2, FleXOR, Basic
Odd (AND): Generator Encryptions (H) 4, 4+; Evaluator Encryptions (H) 1, 1+; Ciphertexts Transmitted 3, 2
Even (XOR): {0, 1, 2}

44 What cost should we be focusing on?
Basic, Free XOR + GRR-1 + PnP, GRR-2, FleXOR
Odd (AND): Generator Encryptions (H) 4, 4+; Evaluator Encryptions (H) 1, 1+; Ciphertexts Transmitted 3, 2
Even (XOR): {0, 1, 2}

45 Cost of Garbling
[HEKM 2011] cost to garble AES circuit (36K gates, 6660 AND)
H_{A,B}(C), garbling/evaluating time per gate:
SHA-256(A || B || gateID) ⊕ C: ~2000/1000 ns (including network)

46 Cost of Garbling
H_{A,B}(C), garbling/evaluating time per gate:
SHA-256(A || B || gateID) ⊕ C: ~2000/1000 ns
Actual computation cost: 12 cycles/byte ⇝ 200ns/50ns
AES(kconst, K) ⊕ K ⊕ C where K = 2A ⊕ 4B ⊕ gateID: ~15/7 ns
“Fixed-key AES” using AES-NI
Bellare, Hoang, Keelveedhi, Rogaway 2013

47 Cost of Garbling
[HEKM 2011] cost to garble AES circuit (36K gates, 6660 AND)
H_{A,B}(C), garbling/evaluating time per gate:
SHA-256(A || B || gateID) ⊕ C: ~2000/1000 ns
Actual computation cost: 12 cycles/byte ⇝ 200ns/50ns
AES(kconst, K) ⊕ K ⊕ C where K = 2A ⊕ 4B ⊕ gateID: ~15/7 ns
Time to transmit 80-bits at 1Gbps: 80ns
“Fixed-key AES” using AES-NI
Bellare, Hoang, Keelveedhi, Rogaway 2013

48 Free XOR + GRR-1 + PnP, GRR-2, FleXOR, Basic
Odd (AND): Generator Encryptions (H) 4, 4+; Evaluator Encryptions (H) 1, 1+; Ciphertexts Transmitted 3, 2
Even (XOR): {0, 1, 2}

49 Half Gates Yan Huang, David Evans, and Jonathan Katz. Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? [NDSS 2012]

50 Yan Huang, David Evans, and Jonathan Katz. Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? [NDSS 2012]

51 Journal of the ACM, January 1968
Yan Huang, David Evans, and Jonathan Katz. Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? [NDSS 2012]
swap gates, configured (by generator) to do random permutation

52 Generator Half Gate Known to generator (but secret to evaluator)

53 Generator Half Gate Known to generator (but secret to evaluator)

54 Generator Half Gate Known to generator (but secret to evaluator)

55 Swapper: “Generator Half Gate”
Known to generator (but secret to evaluator)
With Garbled Row Reduction: Only need to send one ciphertext!

56 Evaluator Half-Gate Known (semantic value) to evaluator
(but secret to generator)

57 Evaluator Half-Gate Known (semantic value) to evaluator
(but secret to generator)

58 Implementing Generator Half-Gates: Generator knows a
Evaluator Half-Gates: Evaluator knows b
But, we need a gate where both inputs are secret…

59 Half + Half = Full Secret Gate
random bit selected by generator unknown known unknown “leaked”

60 Half + Half = Full Secret Gate
random bit selected by generator unknown known unknown “leaked”

61 Half + Half = Full Secret Gate
random bit selected by generator unknown known unknown “leaked”

62 Half + Half = Full Secret Gate
random bit selected by generator unknown known unknown “leaked” 2 ciphertexts total! generator half gate evaluator half gate

63 How to leak r ⊕ b?
Use r as point-and-permute bit for B (false)
Evaluator has r ⊕ b on obtained wire!
[Equation annotations: random bit selected by generator; unknown; known; unknown; “leaked”]
generator half gate, evaluator half gate: 2 ciphertexts total!
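
The half-gates AND described on slides 52 to 63, as an added example that is not code from the slides or from the authors: it uses the identity a ∧ b = (a ∧ r) ⊕ (a ∧ (r ⊕ b)) with r taken as the point-and-permute bit of B, Free-XOR labels W1 = W0 ⊕ R, and one row-reduced ciphertext per half gate. The 16-byte labels, the one-input hash H(label, tweak) built from truncated SHA-256, the tweak numbering and all function names are assumptions of this sketch.

```python
import hashlib
import secrets

K = 16  # label length in bytes (an assumption of this example)
ZERO = bytes(K)

def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def H(label, tweak):
    # One-input hash with a per-half-gate tweak, truncated to a label.
    return hashlib.sha256(label + tweak.to_bytes(8, "big")).digest()[:K]

def new_offset():
    # Free-XOR global secret R; last bit 1 so W0 and W0 ^ R have opposite permute bits.
    r = bytearray(secrets.token_bytes(K))
    r[-1] |= 1
    return bytes(r)

def garble_and(A0, B0, R, gate_id):
    """Generator: 4 hashes. Returns (C0, (TG, TE)); only TG and TE are sent."""
    pa, pb = A0[-1] & 1, B0[-1] & 1          # permute bits; r = pb
    j, j2 = 2 * gate_id, 2 * gate_id + 1
    # Generator half gate computes a AND r (generator knows r).
    TG = xor(xor(H(A0, j), H(xor(A0, R), j)), R if pb else ZERO)
    WG0 = xor(H(A0, j), TG if pa else ZERO)
    # Evaluator half gate computes a AND (r XOR b) (evaluator knows r XOR b).
    TE = xor(xor(H(B0, j2), H(xor(B0, R), j2)), A0)
    WE0 = xor(H(B0, j2), xor(TE, A0) if pb else ZERO)
    return xor(WG0, WE0), (TG, TE)

def eval_and(A, B, table, gate_id):
    """Evaluator: 2 hashes; never sees R, a, or b."""
    TG, TE = table
    sa, sb = A[-1] & 1, B[-1] & 1            # sb = r XOR b, read off the label
    j, j2 = 2 * gate_id, 2 * gate_id + 1
    WG = xor(H(A, j), TG if sa else ZERO)
    WE = xor(H(B, j2), xor(TE, A) if sb else ZERO)
    return xor(WG, WE)

def check_gate(gate_id=7):
    """Garble one AND gate and evaluate it on all four input combinations."""
    R = new_offset()
    A0, B0 = secrets.token_bytes(K), secrets.token_bytes(K)
    C0, table = garble_and(A0, B0, R, gate_id)
    return all(
        eval_and(xor(A0, R) if a else A0, xor(B0, R) if b else B0, table, gate_id)
        == (xor(C0, R) if a & b else C0)
        for a in (0, 1) for b in (0, 1))
```

An XOR gate in the same labelling needs no table at all: the output label is the XOR of the two input labels.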

64 Free XOR + GRR-1 + PnP, FleXOR, Half-Gates
Odd (AND): Generator Encryptions (H) 4, 4+; Evaluator Encryptions (H) 1, 1+, 2; Ciphertexts Transmitted 3
Even (XOR): {0, 1, 2}

65 Zahur, Rosulek, and Evans [EuroCrypt 2015]
Edit distance: Levenshtein distance between two 200-byte strings
AES: 1 block of encryption and key expansion, iterated 10 times
Set intersection: 1024, 32-bit integers, iterated 10 times

66 Free-XOR+GRR+PnP, Half Gates
Generator Encryptions (H): 4
Evaluator Encryptions (H): 1, 2
Ciphertexts Transmitted: 3
XORs Free: ✓
Bandwidth: 33%
Execution Time (edit distance): 25%
Energy: 21%

67 Can we do better?

68 Optimality of Two Ciphertexts
Theorem (proof in ZER15 paper): Garbling a single AND gate requires 2 ciphertexts if garbling scheme is “linear”. “linear” operations: xor, polynomial interpolation

69 How to Do Better?
Non-linear operations
Gates that are not binary – chunking circuit
Boolean logic
Reusable ciphertexts
Different security assumptions

70 Security properties
[Diagram labels: Garble, Encode, Evaluate, Decode; f, garbled circuit F, e, X, Y, f(x), d, x]
Privacy: F, X, and d reveal nothing beyond f(x)
Obliviousness: F, X reveal nothing (new)
Authenticity: given F, X, hard to find Y’ such that: Decode(Y’, d) ∉ { f(x), error }

71 David Evans
OblivC.org
mightBeEvil.org
Credits: Mike Rosulek, Samee Zahur
