Slide 1

Slide 1 text

Garbling Techniques
David Evans
www.cs.virginia.edu/evans
Summer School on Secure Computation
University of Notre Dame
9 May 2016

Slide 2

Slide 2 text

Collaborators
• Samee Zahur (UVA)
• Mike Rosulek (Oregon State)

Slide 3

Slide 3 text

Recap: Garbled Table

Gate: x = a AND b, with input wire labels a0 or a1 and b0 or b1

| Input a | Input b | Output x |
|---|---|---|
| a1 | b0 | E_{a1,b0}(x0) |
| a0 | b1 | E_{a0,b1}(x0) |
| a1 | b1 | E_{a1,b1}(x1) |
| a0 | b0 | E_{a0,b0}(x0) |

Slide 4

Slide 4 text

This Lecture

| Input a | Input b | Output x |
|---|---|---|
| a1 | b0 | E_{a1,b0}(x0) |
| a0 | b1 | E_{a0,b1}(x0) |
| a1 | b1 | E_{a1,b1}(x1) |
| a0 | b0 | E_{a0,b0}(x0) |

• 2 ciphertexts (AND)
• 0 ciphertexts (XOR)
• What to use for E
• Open Research Questions

Slide 5

Slide 5 text

Formalizing Garbling (CCS 2012)
Garbling is a fundamental primitive

Slide 6

Slide 6 text

Garble: f → garbled circuit F, encoding info e, decoding info d
Encode: e, x → garbled input X
Evaluate: F, X → garbled output Y
Decode: d, Y → z

Slide 7

Slide 7 text

Garble: f → garbled circuit F, e, d
Encode: e, x → X
Evaluate: F, X → Y
Decode: d, Y → z
Correctness property:

Slide 8

Slide 8 text

Garble: f → garbled circuit F, e, d
Encode: e, x → X
Evaluate: F, X → Y
Decode: d, Y → f(x)
Security properties:

Slide 9

Slide 9 text

Garble: f → garbled circuit F, e, d
Encode: e, x → X
Evaluate: F, X → Y
Decode: d, Y → f(x)

Security properties
• Privacy: F, X, and d reveal nothing beyond f(x)
• Obliviousness: F, X reveal nothing (new)
• Authenticity: given F, X, hard to find Y’ such that Decode(Y’, d) ∉ { f(x), error }

Slide 10

Slide 10 text

Garble: f → garbled circuit F, e, d
Encode: e, x → X
Evaluate: F, X → Y
Decode: d, Y → f(x)

Cost of Garbling
• Storage and Bandwidth:
  large functions: dominated by size of F
  small functions: encode also matters
• Computation:
  Garble, Evaluate
  Encode, Decode

Slide 11

Slide 11 text

Yao’s Garbling Scheme? FOCS 1982 FOCS 1986

Slide 12

Slide 12 text

Yao’s Garbling Scheme?
FOCS 1982, FOCS 1986
Neither paper (or any other by Yao) actually describes Yao’s Garbled Circuits

Slide 13

Slide 13 text

Simple Garbling

| Input a | Input b | Output x |
|---|---|---|
| a1 | b0 | E_{a1,b0}(x0) |
| a0 | b1 | E_{a0,b1}(x0) |
| a1 | b1 | E_{a1,b1}(x1) |
| a0 | b0 | E_{a0,b0}(x0) |

Slide 14

Slide 14 text

Simple Garbling

E_{a1,b0}(x0)
E_{a0,b1}(x0)
E_{a1,b1}(x1)
E_{a0,b0}(x0)

Slide 15

Slide 15 text

Simple Garbling

E_{a1,b0}(x0)
E_{a0,b1}(x0)
E_{a1,b1}(x1)
E_{a0,b0}(x0)

Try all four, can tell valid encryption output

Slide 16

Slide 16 text

Single Hash Garbling

E_{a1,b0}(x0)
E_{a0,b1}(x0)
E_{a1,b1}(x1)
E_{a0,b0}(x0)

Slide 17

Slide 17 text

Single Hash Garbling

E_{a1,b0}(x0)
E_{a0,b1}(x0)
E_{a1,b1}(x1)
E_{a0,b0}(x0)

How can the evaluator know which row to decrypt?

Slide 18

Slide 18 text

Point-and-Permute
Beaver, Micali and Rogaway [STOC 1990]

• Select random bit for each wire: r_w
• Set last bit of w0 to r_w, w1 to ¬r_w

r_a = 0, r_b = 0:
Enc_{a0,b0}(c0)
Enc_{a0,b1}(c0)
Enc_{a1,b0}(c0)
Enc_{a1,b1}(c1)

Slide 19

Slide 19 text

Point-and-Permute
Beaver, Micali and Rogaway [STOC 1990]

• Select random bit for each wire: r_w
• Set last bit of w0 to r_w, w1 to ¬r_w
• Order table canonically: 00/01/10/11

r_a = 1, r_b = 1:
Enc_{a1,b1}(c1)
Enc_{a1,b0}(c0)
Enc_{a0,b1}(c0)
Enc_{a0,b0}(c0)

Slide 20

Slide 20 text

Point-and-Permute
Beaver, Micali and Rogaway [STOC 1990]

Encoding garble table entries:
• Input wire labels (with selection bits)
• Output wire label

r_a = 1, r_b = 1:
Enc_{a1,b1}(c1)
Enc_{a1,b0}(c0)
Enc_{a0,b1}(c0)
Enc_{a0,b0}(c0)

Slide 21

Slide 21 text

Garble: f → garbled circuit F, e, d
Encode: e, x → X
Evaluate: F, X → Y
Decode: d, Y → f(x)

Slide 22

Slide 22 text

Garble: f → garbled circuit F, e, d
Encode: e, x → X
Evaluate: F, X → Y
Decode: d, Y → f(x)

• Bandwidth: 4 ciphertexts per gate
• Compute (Garble): 4 hashes per gate
• Compute (Evaluate): 1 hash per gate
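The point-and-permute scheme from the preceding slides, as an added example that is not code from the lecture: one AND gate costs 4 hashes and 4 ciphertexts to garble and 1 hash to evaluate. It assumes 16-byte labels and uses the SHA-256(A || B || gateID) ⊕ C encryption that the deck gives on its "Cost of Garbling" slide; all function names are hypothetical.

```python
import hashlib
import secrets

N = 16  # label length in bytes (constructed for this example)

def H(a: bytes, b: bytes, gate_id: int) -> bytes:
    # SHA-256(A || B || gateID), truncated to one label; the caller XORs it with C.
    return hashlib.sha256(a + b + gate_id.to_bytes(4, "big")).digest()[:N]

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(x, y))

def select_bit(label: bytes) -> int:
    return label[-1] & 1

def new_wire():
    """Return (w0, w1) with the last bit of w0 set to r_w and of w1 to NOT r_w."""
    r = secrets.randbits(1)
    w0, w1 = bytearray(secrets.token_bytes(N)), bytearray(secrets.token_bytes(N))
    w0[-1] = (w0[-1] & 0xFE) | r
    w1[-1] = (w1[-1] & 0xFE) | (r ^ 1)
    return bytes(w0), bytes(w1)

def garble_and(a, b, c, gate_id: int):
    """Generator: 4 hashes, 4 ciphertexts, rows ordered 00/01/10/11 by selection bits."""
    table = [b""] * 4
    for va in (0, 1):
        for vb in (0, 1):
            row = 2 * select_bit(a[va]) + select_bit(b[vb])
            table[row] = xor(H(a[va], b[vb], gate_id), c[va & vb])
    return table

def evaluate(table, label_a: bytes, label_b: bytes, gate_id: int) -> bytes:
    """Evaluator: 1 hash, on the single row its labels' selection bits point to."""
    row = 2 * select_bit(label_a) + select_bit(label_b)
    return xor(H(label_a, label_b, gate_id), table[row])

def run_gate(gate_id: int = 1):
    """Garble one AND gate and evaluate it on all four input combinations."""
    a, b, c = new_wire(), new_wire(), new_wire()
    table = garble_and(a, b, c, gate_id)
    return [(va, vb, evaluate(table, a[va], b[vb], gate_id) == c[va & vb])
            for va in (0, 1) for vb in (0, 1)]
```

Because the row index depends only on the random bits r_a and r_b, the position of the row the evaluator decrypts says nothing about the semantic values on the wires.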

Slide 23

Slide 23 text

Garbled Row Reduction Naor, Pinkas and Sumner [1999]

Slide 24

Slide 24 text

Garbled Row Reduction Naor, Pinkas and Sumner [1999]

Slide 25

Slide 25 text

Garbled Row Reduction Naor, Pinkas and Sumner [1999]

Slide 26

Slide 26 text

Garble: f → garbled circuit F, e, d
Encode: e, x → X
Evaluate: F, X → Y
Decode: d, Y → f(x)

Basic Scheme
• Bandwidth: 4 ciphertexts per gate
• Compute (Garble): 4 hashes per gate
• Compute (Evaluate): 1 hash per gate

Garbled Row Reduction

Slide 27

Slide 27 text

Garble: f → garbled circuit F, e, d
Encode: e, x → X
Evaluate: F, X → Y
Decode: d, Y → f(x)

Basic Scheme
• Bandwidth: 4 ciphertexts per gate
• Compute (Garble): 4 hashes per gate
• Compute (Evaluate): 1 hash per gate

Garbled Row Reduction
• Bandwidth: 3 ciphertexts per gate

Slide 28

Slide 28 text

Free-XOR Kolesnikov and Schneider [ICALP 2008] Global generator secret

Slide 29

Slide 29 text

Free-XOR Kolesnikov and Schneider [2008] Global generator secret

Slide 30

Slide 30 text

Free-XOR Kolesnikov and Schneider [2008] Global generator secret

Slide 31

Slide 31 text

Free-XOR
Kolesnikov and Schneider [2008]
Global generator secret
XORs are free! No ciphertexts or encryption needed.

Slide 32

Slide 32 text

Security Assumptions for Free-XOR

ICALP 2008
• Proved secure in Random Oracle model
• Speculated that Correlation Robustness was sufficient

TCC 2012
• Correlation Robustness is not enough
• Proved secure with related-key and circularity assumption

Slide 33

Slide 33 text

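| | Basic | Point-and-Permute | Garbled Row Reduction | Free XOR |
|---|---|---|---|---|
| Odd (AND): Generator Encryptions (H) | 4 | 4 | 4 | 4 |
| Odd (AND): Evaluator Encryptions (H) | 4 | 1 | 1 | 1 |
| Odd (AND): Ciphertexts Transmitted | 4 | 4 | 3 | 3 |
| Even (XOR): Generator Encryptions (H) | 4 | 4 | 4 | 0 |
| Even (XOR): Evaluator Encryptions (H) | 4 | 1 | 1 | 0 |
| Even (XOR): Ciphertexts Transmitted | 4 | 4 | 3 | 0 |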

Slide 34

Slide 34 text

Double Garbled Row Reduction (GRR2)
Pinkas, Schneider, Smart, Williams 2009

E_{A0,B0}(C0)
E_{A0,B1}(C1)
E_{A1,B0}(C0)
E_{A1,B1}(C0)

Instead of learning output directly, need to do more work to find it

Slide 35

Slide 35 text

GRR2 Pinkas, Schneider, Smart, Williams 2009

Slide 36

Slide 36 text

Pinkas, Schneider, Smart, Williams 2009 GRR2

Slide 37

Slide 37 text

Pinkas, Schneider, Smart, Williams 2009 GRR2

Slide 38

Slide 38 text

GRR2
Pinkas, Schneider, Smart, Williams 2009
C0 = P(0)
C1 = P(1)

Slide 39

Slide 39 text

GRR2
Pinkas, Schneider, Smart, Williams 2009
C0 = P(0)
C1 = P(1)
Garbled table: P(5), P(6)

Slide 40

Slide 40 text

GRR2
Pinkas, Schneider, Smart, Williams 2009
C0 = P(0)
C1 = P(1)
Garbled table: P(5), P(6)
Incompatible with free-XOR

Slide 41

Slide 41 text

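| | Basic | Point-and-Permute | GRR-1 | Free XOR + GRR-1 + PnP | GRR-2 |
|---|---|---|---|---|---|
| Odd (AND): Generator Encryptions (H) | 4 | 4 | 4 | 4 | 4+ |
| Odd (AND): Evaluator Encryptions (H) | 4 | 1 | 1 | 1 | 1+ |
| Odd (AND): Ciphertexts Transmitted | 4 | 4 | 3 | 3 | 2 |
| Even (XOR): Generator Encryptions (H) | 4 | 4 | 4 | 0 | 4+ |
| Even (XOR): Evaluator Encryptions (H) | 4 | 1 | 1 | 0 | 1+ |
| Even (XOR): Ciphertexts Transmitted | 4 | 4 | 3 | 0 | 2 |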

Slide 42

Slide 42 text

FleXOR
Kolesnikov, Mohassel, Rosulek 2014
[Diagram labels: S; GRR-2 Gates; Free-XOR Gates; Single Ciphertext to Convert]

Slide 43

Slide 43 text

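| | Basic | Free XOR + GRR-1 + PnP | GRR-2 | FleXOR |
|---|---|---|---|---|
| Odd (AND): Generator Encryptions (H) | 4 | 4 | 4+ | 4+ |
| Odd (AND): Evaluator Encryptions (H) | 4 | 1 | 1+ | 1+ |
| Odd (AND): Ciphertexts Transmitted | 4 | 3 | 2 | 2 |
| Even (XOR): Generator Encryptions (H) | 4 | 0 | 4+ | {0, 1, 2} |
| Even (XOR): Evaluator Encryptions (H) | 4 | 0 | 1+ | {0, 1, 2} |
| Even (XOR): Ciphertexts Transmitted | 4 | 0 | 2 | {0, 1, 2} |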

Slide 44

Slide 44 text

| | Basic | Free XOR + GRR-1 + PnP | GRR-2 | FleXOR |
|---|---|---|---|---|
| Odd (AND): Generator Encryptions (H) | 4 | 4 | 4+ | 4+ |
| Odd (AND): Evaluator Encryptions (H) | 4 | 1 | 1+ | 1+ |
| Odd (AND): Ciphertexts Transmitted | 4 | 3 | 2 | 2 |
| Even (XOR): Generator Encryptions (H) | 4 | 0 | 4+ | {0, 1, 2} |
| Even (XOR): Evaluator Encryptions (H) | 4 | 0 | 1+ | {0, 1, 2} |
| Even (XOR): Ciphertexts Transmitted | 4 | 0 | 2 | {0, 1, 2} |

What cost should we be focusing on?

Slide 45

Slide 45 text

Cost of Garbling

H_{A,B}(C) = SHA-256(A || B || gateID) ⊕ C
Garbling/evaluating time per gate: ~2000/1000 ns (including network)

Slide 46

Slide 46 text

Cost of Garbling

H_{A,B}(C) = SHA-256(A || B || gateID) ⊕ C
Garbling/evaluating time per gate: ~2000/1000 ns

H_{A,B}(C) = AES(k_const, K) ⊕ K ⊕ C, where K = 2A ⊕ 4B ⊕ gateID
“Fixed-key AES” using AES-NI (Bellare, Hoang, Keelveedhi, Rogaway 2013)
Garbling/evaluating time per gate: ~15/7 ns

Actual computation cost: 12 cycles/byte ⇝ 200ns/50ns

Slide 47

Slide 47 text

Cost of Garbling

H_{A,B}(C) = SHA-256(A || B || gateID) ⊕ C
Garbling/evaluating time per gate: ~2000/1000 ns

H_{A,B}(C) = AES(k_const, K) ⊕ K ⊕ C, where K = 2A ⊕ 4B ⊕ gateID
“Fixed-key AES” using AES-NI (Bellare, Hoang, Keelveedhi, Rogaway 2013)
Garbling/evaluating time per gate: ~15/7 ns

Time to transmit 80-bits at 1Gbps: 80ns
Actual computation cost: 12 cycles/byte ⇝ 200ns/50ns

Slide 48

Slide 48 text

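| | Basic | Free XOR + GRR-1 + PnP | GRR-2 | FleXOR |
|---|---|---|---|---|
| Odd (AND): Generator Encryptions (H) | 4 | 4 | 4+ | 4+ |
| Odd (AND): Evaluator Encryptions (H) | 4 | 1 | 1+ | 1+ |
| Odd (AND): Ciphertexts Transmitted | 4 | 3 | 2 | 2 |
| Even (XOR): Generator Encryptions (H) | 4 | 0 | 4+ | {0, 1, 2} |
| Even (XOR): Evaluator Encryptions (H) | 4 | 0 | 1+ | {0, 1, 2} |
| Even (XOR): Ciphertexts Transmitted | 4 | 0 | 2 | {0, 1, 2} |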

Slide 49

Slide 49 text

Half Gates
Yan Huang, David Evans, and Jonathan Katz. Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? [NDSS 2012]

Slide 50

Slide 50 text

Yan Huang, David Evans, and Jonathan Katz. Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? [NDSS 2012]

Slide 51

Slide 51 text

Yan Huang, David Evans, and Jonathan Katz. Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? [NDSS 2012]
Journal of the ACM, January 1968
Swap gates, configured (by generator) to do random permutation

Slide 52

Slide 52 text

Generator Half Gate Known to generator (but secret to evaluator)

Slide 53

Slide 53 text

Generator Half Gate Known to generator (but secret to evaluator)

Slide 54

Slide 54 text

Generator Half Gate Known to generator (but secret to evaluator)

Slide 55

Slide 55 text

Swapper: “Generator Half Gate”
Known to generator (but secret to evaluator)
With Garbled Row Reduction: Only need to send one ciphertext!

Slide 56

Slide 56 text

Evaluator Half-Gate Known (semantic value) to evaluator (but secret to generator)

Slide 57

Slide 57 text

Evaluator Half-Gate Known (semantic value) to evaluator (but secret to generator)

Slide 58

Slide 58 text

Generator Half-Gates: Generator knows a
Evaluator Half-Gates: Evaluator knows b
Implementing
But, we need a gate where both inputs are secret…

Slide 59

Slide 59 text

Half + Half = Full Secret Gate
[Diagram annotations: random bit selected by generator; “leaked”; unknown; known; unknown]

Slide 60

Slide 60 text

Half + Half = Full Secret Gate
[Diagram annotations: random bit selected by generator; “leaked”; unknown; known; unknown]

Slide 61

Slide 61 text

Half + Half = Full Secret Gate
[Diagram annotations: random bit selected by generator; “leaked”; unknown; known; unknown]

Slide 62

Slide 62 text

Half + Half = Full Secret Gate
[Diagram annotations: random bit selected by generator; generator half gate; evaluator half gate; “leaked”; unknown; known; unknown]
2 ciphertexts total!

Slide 63

Slide 63 text

How to leak r ⊕ b?
[Diagram annotations: random bit selected by generator; generator half gate; evaluator half gate; “leaked”; unknown; known; unknown]
2 ciphertexts total!
Use r as point-and-permute bit for B (false)
Evaluator has r ⊕ b on obtained wire!
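The half-gates AND described on these slides, combined with free-XOR, as an added example that is not code from the lecture. The formulas follow the construction in Zahur, Rosulek, and Evans [EuroCrypt 2015]; the 16-byte labels, the truncated SHA-256 stand-in for H, and all function names are assumptions of this example.

```python
import hashlib
import secrets

N = 16            # label length in bytes (constructed for this example)
ZERO = bytes(N)

def H(label: bytes, tweak: int) -> bytes:
    # Stand-in hash: SHA-256(label || tweak), truncated to one label.
    return hashlib.sha256(label + tweak.to_bytes(8, "big")).digest()[:N]

def xor(*parts: bytes) -> bytes:
    out = ZERO
    for p in parts:
        out = bytes(x ^ y for x, y in zip(out, p))
    return out

def lsb(label: bytes) -> int:
    return label[-1] & 1

def gen_offset() -> bytes:
    # Free-XOR global secret R; lsb(R) = 1 so W and W xor R have opposite select bits.
    r = bytearray(secrets.token_bytes(N))
    r[-1] |= 1
    return bytes(r)

def garble_and(A0: bytes, B0: bytes, R: bytes, gate_id: int):
    """Generator: returns (C0, (TG, TE)); 4 calls to H, 2 ciphertexts."""
    A1, B1 = xor(A0, R), xor(B0, R)
    pa, pb = lsb(A0), lsb(B0)        # r = pb: point-and-permute bit of B (false)
    j, k = 2 * gate_id, 2 * gate_id + 1
    # Generator half gate: a AND r, where r is known to the generator.
    TG = xor(H(A0, j), H(A1, j), R if pb else ZERO)
    WG0 = xor(H(A0, j), TG if pa else ZERO)
    # Evaluator half gate: a AND (b XOR r); the evaluator sees b XOR r as lsb(B).
    TE = xor(H(B0, k), H(B1, k), A0)
    WE0 = xor(H(B0, k), xor(TE, A0) if pb else ZERO)
    return xor(WG0, WE0), (TG, TE)

def evaluate_and(A: bytes, B: bytes, table, gate_id: int) -> bytes:
    """Evaluator: 2 calls to H, using only lsb(A), lsb(B) and the two ciphertexts."""
    TG, TE = table
    j, k = 2 * gate_id, 2 * gate_id + 1
    WG = xor(H(A, j), TG if lsb(A) else ZERO)
    WE = xor(H(B, k), xor(TE, A) if lsb(B) else ZERO)
    return xor(WG, WE)

def garble_xor(A0: bytes, B0: bytes) -> bytes:
    # Free-XOR: the output false label is A0 xor B0; the evaluator XORs its two labels.
    return xor(A0, B0)
```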

Slide 64

Slide 64 text

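| | Basic | Free XOR + GRR-1 + PnP | FleXOR | Half-Gates |
|---|---|---|---|---|
| Odd (AND): Generator Encryptions (H) | 4 | 4 | 4+ | 4 |
| Odd (AND): Evaluator Encryptions (H) | 4 | 1 | 1+ | 2 |
| Odd (AND): Ciphertexts Transmitted | 4 | 3 | 2 | 2 |
| Even (XOR): Generator Encryptions (H) | 4 | 0 | {0, 1, 2} | 0 |
| Even (XOR): Evaluator Encryptions (H) | 4 | 0 | {0, 1, 2} | 0 |
| Even (XOR): Ciphertexts Transmitted | 4 | 0 | {0, 1, 2} | 0 |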

Slide 65

Slide 65 text

• Edit distance: Levenshtein distance between two 200-byte strings
• AES: 1 block of encryption and key expansion, iterated 10 times
• Set intersection: 1024 32-bit integers, iterated 10 times

Zahur, Rosulek, and Evans [EuroCrypt 2015]

Slide 66

Slide 66 text

| | Free-XOR+GRR+PnP | Half Gates |
|---|---|---|
| Generator Encryptions (H) | 4 | 4 |
| Evaluator Encryptions (H) | 1 | 2 |
| Ciphertexts Transmitted | 3 | 2 |
| XORs Free | ✓ | ✓ |
| Bandwidth | | ↓33% |
| Execution Time (edit distance) | | ↓25% |
| Energy | | ↓21% |

Slide 67

Slide 67 text

Can we do better?

Slide 68

Slide 68 text

Optimality of Two Ciphertexts
Theorem (proof in ZER15 paper): Garbling a single AND gate requires 2 ciphertexts if garbling scheme is “linear”.
“linear” operations: xor, polynomial interpolation

Slide 69

Slide 69 text

How to Do Better?
• Non-linear operations
• Gates that are not binary
  – chunking circuit
• Boolean logic
• Reusable ciphertexts
• Different security assumptions
• …

Slide 70

Slide 70 text

Garble: f → garbled circuit F, e, d
Encode: e, x → X
Evaluate: F, X → Y
Decode: d, Y → f(x)

Security properties
• Privacy: F, X, and d reveal nothing beyond f(x)
• Obliviousness: F, X reveal nothing (new)
• Authenticity: given F, X, hard to find Y’ such that Decode(Y’, d) ∉ { f(x), error }

Slide 71

Slide 71 text

David Evans
www.cs.virginia.edu/evans
OblivC.org
mightBeEvil.org
Credits: Mike Rosulek, Samee Zahur