# Adaptively Secure Garbled Circuits from One-Way Functions

CRYPTO 2016, pp. 149–178.

Abstract:

A garbling scheme is used to garble a circuit C and an input x in a way that reveals the output C(x) but hides everything else. In many settings, the circuit can be garbled off-line without strict efficiency constraints, but the input must be garbled very efficiently on-line, with much lower complexity than evaluating the circuit. Yao's gar...

Introduction

- Garbled circuits have since found countless applications in diverse areas of cryptography, most notably to secure function evaluation (SFE) starting with Yao’s work, and in parallel cryptography [5,6], verifiable computation [7,16], software protection [20,22], functional encryption [19,21,30], key-dependent message security [3,9], obfuscation [4] and many others.
- These applications rely on various efficiency/functionality properties of garbled circuits; a comprehensive study of this primitive is given in the work of Bellare et al. [12].

Highlights

- We construct the first adaptively secure garbling scheme whose on-line complexity is smaller than the circuit size and which only relies on the existence of one-way functions
- If we think of the circuit as representing a Turing Machine or RAM computation, the width w of the circuit corresponds to the maximum of the input size n, output size m, and space complexity s of the computation, meaning that our on-line complexity is (n + m + s) · poly(λ), but otherwise independent of the run-time of the computation
- We have shown how to achieve adaptively secure garbling schemes under one-way functions by augmenting Yao’s construction with an additional layer of somewhere-equivocal encryption
- The on-line complexity only scales with the width w of the circuit, which corresponds to the space complexity of the computation

Results

- The authors construct the first adaptively secure garbling scheme whose on-line complexity is smaller than the circuit size and which relies only on the existence of one-way functions.
- The on-line complexity of the scheme is w · poly(λ), where w is the width of the circuit and λ is the security parameter, but is otherwise independent of the depth d of the circuit. If the circuit represents a Turing machine or RAM computation, its width w corresponds to the maximum of the input size n, the output size m and the space complexity s of the computation, so the on-line complexity is (n + m + s) · poly(λ), independent of the run-time of the computation.

Conclusion

- The authors have shown how to achieve adaptively secure garbling schemes under one-way functions by augmenting Yao’s construction with an additional layer of somewhere-equivocal encryption.
- It remains an open problem to achieve the optimal on-line complexity (n + m) · poly(λ), which depends on neither the depth nor the width of the circuit.
- This is only known assuming the existence of indistinguishability obfuscation; it remains open under one-way functions, or even under stronger assumptions such as DDH or LWE.
- It would be interesting to see whether there is some simple-to-state standard-model security assumption on the encryption scheme used to create the garbled gates in Yao’s construction under which the resulting garbling scheme can be proven adaptively secure.
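To make the off-line/on-line split behind these complexity figures concrete, here is a minimal point-and-permute instance of Yao's garbling scheme. It is an added example written for this page, not code from the paper: the garbler produces the four-row garbled tables off-line, and the on-line garbled input is nothing more than one label per input bit, so the on-line message is n · λ bits while the off-line one is 4 · |C| · λ bits. The SHA-256-based row key, the 128-bit labels and the full-adder circuit are choices made for the example. This is plain Yao, whose standard proof gives only selective security (the input fixed before the garbled circuit is seen); the paper's additional layer of somewhere-equivocal encryption over the garbled tables, which is what lifts the on-line cost to w · poly(λ), is not implemented here.

```python
import hashlib
import os

LABEL_BYTES = 16  # 128-bit wire labels; the security parameter chosen for this example

# Gate truth functions. A gate is (type, left_wire, right_wire); its output is a fresh wire.
GATE_FUNCS = {"AND": lambda a, b: a & b, "OR": lambda a, b: a | b, "XOR": lambda a, b: a ^ b}

# Constructed example circuit: a full adder on inputs a = wire 0, b = wire 1, cin = wire 2.
# Gate outputs are wires 3..7; the sum is wire 5 and the carry-out is wire 7.
FULL_ADDER = [("XOR", 0, 1), ("AND", 0, 1), ("XOR", 3, 2), ("AND", 3, 2), ("OR", 4, 6)]
FULL_ADDER_OUTPUTS = [5, 7]


def select_bit(label):
    """Point-and-permute bit: the low bit of the last label byte."""
    return label[-1] & 1


def _prf(k_a, k_b, gate_id):
    # Hash-based row key; stands in for the PRF/encryption that Yao's scheme needs (example choice).
    return hashlib.sha256(k_a + k_b + gate_id.to_bytes(4, "big")).digest()[:LABEL_BYTES]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _fresh_labels():
    """Two random labels for one wire with opposite select bits, so the select bit hides the value."""
    p = os.urandom(1)[0] & 1
    body0, body1 = os.urandom(LABEL_BYTES), os.urandom(LABEL_BYTES)
    l0 = body0[:-1] + bytes([(body0[-1] & 0xFE) | p])
    l1 = body1[:-1] + bytes([(body1[-1] & 0xFE) | (p ^ 1)])
    return l0, l1


def garble_offline(num_inputs, gates, outputs):
    """Off-line phase: garbled tables plus output-decoding info.
    The returned label table is the garbler's secret; only its input rows are used on-line."""
    labels = [_fresh_labels() for _ in range(num_inputs + len(gates))]
    tables = []
    for gid, (gtype, a, b) in enumerate(gates):
        out = num_inputs + gid
        rows = [None] * 4
        for va in (0, 1):
            for vb in (0, 1):
                ka, kb = labels[a][va], labels[b][vb]
                pos = (select_bit(ka) << 1) | select_bit(kb)  # row position is random, so it leaks nothing
                rows[pos] = _xor(_prf(ka, kb, gid), labels[out][GATE_FUNCS[gtype](va, vb)])
        tables.append(rows)
    decoding = {w: select_bit(labels[w][0]) for w in outputs}  # select bit of each output wire's 0-label
    return tables, decoding, labels


def garble_input_online(labels, x):
    """On-line phase: the garbled input is one label per input bit (num_inputs * LABEL_BYTES bytes)."""
    return [labels[i][bit] for i, bit in enumerate(x)]


def evaluate(num_inputs, gates, outputs, tables, decoding, input_labels):
    """Evaluator: carries one active label per wire through the circuit without learning wire values."""
    active = list(input_labels)
    for gid, (_, a, b) in enumerate(gates):
        ka, kb = active[a], active[b]
        pos = (select_bit(ka) << 1) | select_bit(kb)
        active.append(_xor(_prf(ka, kb, gid), tables[gid][pos]))
    return [select_bit(active[w]) ^ decoding[w] for w in outputs]


def garble_and_evaluate(num_inputs, gates, outputs, x):
    tables, decoding, labels = garble_offline(num_inputs, gates, outputs)
    return evaluate(num_inputs, gates, outputs, tables, decoding, garble_input_online(labels, x))


def sizes(num_inputs, gates):
    """(off-line bytes, on-line bytes): four ciphertexts per gate versus one label per input bit."""
    return 4 * len(gates) * LABEL_BYTES, num_inputs * LABEL_BYTES


if __name__ == "__main__":
    for x in ([0, 0, 0], [1, 1, 0], [1, 1, 1]):
        print(x, "->", garble_and_evaluate(3, FULL_ADDER, FULL_ADDER_OUTPUTS, x))
    print("off-line / on-line bytes:", sizes(3, FULL_ADDER))
```

The point to take from `sizes` is that the on-line cost of plain Yao is already optimal at n · λ; what the paper pays for adaptive security is the extra encryption layer over `tables`, whose on-line share grows with the circuit width w rather than with |C|.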

References

- Ananth, P., Brakerski, Z., Segev, G., Vaikuntanathan, V.: From selective to adaptive security in functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 657–677. Springer, Heidelberg (2015)
- Ananth, P., Sahai, A.: Functional encryption for Turing machines. Cryptology ePrint Archive, Report 2015/776 (2015). http://eprint.iacr.org/
- Applebaum, B.: Key-dependent message security: generic amplification and completeness. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 527–546. Springer, Heidelberg (2011)
- Applebaum, B.: Bootstrapping obfuscators via fast pseudorandom functions. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 162–172. Springer, Heidelberg (2014)
- Applebaum, B., Ishai, Y., Kushilevitz, E.: Cryptography in NC^0. In: 45th FOCS, pp. 166–175. IEEE Computer Society Press, October 2004
- Applebaum, B., Ishai, Y., Kushilevitz, E.: Computationally private randomizing polynomials and their applications. In: 20th Annual IEEE Conference on Computational Complexity (CCC 2005), San Jose, CA, USA, 11–15 June 2005, pp. 260–274. IEEE Computer Society (2005)
- Applebaum, B., Ishai, Y., Kushilevitz, E.: From secrecy to soundness: efficient verification via secure computation. In: Abramsky, S., Gavoille, C., Kirchner, C., Meyer auf der Heide, F., Spirakis, P.G. (eds.) ICALP 2010. LNCS, vol. 6198, pp. 152–163. Springer, Heidelberg (2010)
- Applebaum, B., Ishai, Y., Kushilevitz, E., Waters, B.: Encoding functions with constant online rate or how to compress garbled circuits keys. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 166–184. Springer, Heidelberg (2013)
- Barak, B., Haitner, I., Hofheinz, D., Ishai, Y.: Bounded key-dependent message security. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 423–444. Springer, Heidelberg (2010)
- Bellare, M., Hoang, V.T., Keelveedhi, S.: Instantiating random oracles via UCEs. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 398–415. Springer, Heidelberg (2013)
- Bellare, M., Hoang, V.T., Rogaway, P.: Adaptively secure garbling with applications to one-time programs and secure outsourcing. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 134–153. Springer, Heidelberg (2012)
- Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits. In: ACM CCS 2012, pp. 784–796. ACM Press, October 2012
- Boneh, D., Gentry, C., Gorbunov, S., Halevi, S., Nikolaenko, V., Segev, G., Vaikuntanathan, V., Vinayagamurthy, D.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014)
- Boyle, E., Gilboa, N., Ishai, Y.: Function secret sharing. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 337–367. Springer, Heidelberg (2015)
- Garay, J.A., Wichs, D., Zhou, H.-S.: Somewhat non-committing encryption and efficient adaptively secure oblivious transfer. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 505–523. Springer, Heidelberg (2009)
- Gennaro, R., Gentry, C., Parno, B.: Non-interactive verifiable computing: outsourcing computation to untrusted workers. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 465–482. Springer, Heidelberg (2010)
- Gilboa, N., Ishai, Y.: Distributed point functions and their applications. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 640–658. Springer, Heidelberg (2014)
- Goldreich, O., Goldwasser, S., Micali, S.: On the cryptographic applications of random functions. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 276–288. Springer, Heidelberg (1985)
- Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 555–564. ACM Press, June 2013
- Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: One-time programs. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 39–56. Springer, Heidelberg (2008)
- Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multi-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012)
- Goyal, V., Ishai, Y., Sahai, A., Venkatesan, R., Wadia, A.: Founding cryptography on tamper-proof hardware tokens. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 308–326. Springer, Heidelberg (2010)
- Hemenway, B., Jafargholi, Z., Ostrovsky, R., Scafuro, A., Wichs, D.: Adaptively secure garbled circuits from one-way functions. IACR Cryptology ePrint Archive 2015:1250 (2015)
- Hubacek, P., Wichs, D.: On the communication complexity of secure function evaluation with long output. In: ITCS 2015, pp. 163–172. ACM, January 2015
- Ishai, Y., Kushilevitz, E.: Randomizing polynomials: a new representation with applications to round-efficient secure computation. In: 41st Annual Symposium on Foundations of Computer Science, FOCS 2000, Redondo Beach, California, USA, 12–14 November 2000, pp. 294–304 (2000)
- Ishai, Y., Kushilevitz, E.: Perfect constant-round secure computation via perfect randomizing polynomials. In: Widmayer, P., Triguero, F., Morales, R., Hennessy, M., Eidenbenz, S., Conejo, R. (eds.) ICALP 2002. LNCS, vol. 2380, pp. 244–256. Springer, Heidelberg (2002)
- Lindell, Y., Pinkas, B.: A proof of security of Yao’s protocol for two-party computation. J. Cryptology 22(2), 161–188 (2009)
- Lindell, Y., Riva, B.: Cut-and-choose Yao-based secure computation in the online/offline and batch settings. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 476–494. Springer, Heidelberg (2014)
- Nielsen, J.B.: Separating random oracle proofs from complexity theoretic proofs: the non-committing encryption case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 111–126. Springer, Heidelberg (2002)
- Sahai, A., Seyalioglu, H.: Worry-free encryption: functional encryption with public keys. In: ACM CCS 2010, pp. 463–472. ACM Press, October 2010
- Yao, A.C.-C.: Protocols for secure computations (extended abstract). In: 23rd FOCS, pp. 160–164. IEEE Computer Society Press, November 1982
- Yao, A.C.-C.: How to generate and exchange secrets (extended abstract). In: 27th FOCS, pp. 162–167. IEEE Computer Society Press, October 1986
