# Two Halves Make a Whole

EUROCRYPT 2015, pp. 220–250.

Abstract:

The well-known classical constructions of garbled circuits use four ciphertexts per gate, although various methods have been proposed to reduce this cost. The best previously known methods for optimizing AND gates (two ciphertexts; Pinkas et al., ASIACRYPT 2009) and XOR gates (zero ciphertexts; Kolesnikov and Schneider, ICALP 2008) were i…

Introduction

- Yao’s garbled circuit technique remains one of the most promising and actively studied methods for secure multi-party computation.
- While the result is still four ciphertexts per gate, the ciphertexts no longer need to be from a CPA-secure encryption scheme.
- Rather, they can be of the form H(A‖B) ⊕ C, where A, B, …

Highlights

- Yao’s garbled circuit technique remains one of the most promising and actively studied methods for secure multi-party computation
- Each half-gate can be garbled with a single ciphertext, so our construction uses two ciphertexts for each AND gate while being compatible with free-XOR gates
- In the point-and-permute optimization, introduced by Beaver, Micali and Rogaway [3], a select bit is appended to each wire label, so that the two labels on each wire have opposite select bits
- Circuits, our work gives a 33% reduction in garbled circuit size. This leads to reductions in overall latency, as well as energy since the extra computation required to compute the hash function twice is more than offset by the energy savings of reduced bandwidth
- The association between select bits and logical truth values is random and secret, but the garbled truth table can be arranged by these public select bits
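The half-gates AND gate summarized above, fed by a free-XOR gate, as an added example that is not code from the paper or from its authors' implementation. It assumes 128-bit labels with the point-and-permute select bit in the low bit of the first byte, and SHA-256 keyed by a gate-index tweak standing in for the random oracle H (the paper's per-half-gate indices j and j′ become the tweaks 2j and 2j+1).

```python
import hashlib, secrets

K = 16  # label length in bytes (k = 128 bits); assumption for this example
ZERO = bytes(K)

def xor(x, y):
    return bytes(p ^ q for p, q in zip(x, y))

def select_bit(label):
    return label[0] & 1  # public select bit; its link to the truth value is secret

def H(label, tweak):
    # Tweaked hash H(W, j): SHA-256 stands in for the random oracle, truncated to k bits
    return hashlib.sha256(tweak.to_bytes(4, "big") + label).digest()[:K]

def new_wire(R):
    w0 = secrets.token_bytes(K)
    return (w0, xor(w0, R))  # free-XOR: W^1 = W^0 xor R on every wire

def garble_and(R, a0, b0, j):
    # Generator half gate computes a AND p_b (p_b known to the garbler); evaluator half
    # gate computes a AND s_b (s_b is the select bit the evaluator sees). Row reduction
    # zeroes the select-bit-0 row of each half gate, so only T_G and T_E are sent.
    a1, b1 = xor(a0, R), xor(b0, R)
    pa, pb = select_bit(a0), select_bit(b0)
    TG = xor(xor(H(a0, 2 * j), H(a1, 2 * j)), R if pb else ZERO)
    WG0 = xor(H(a0, 2 * j), TG if pa else ZERO)
    TE = xor(xor(H(b0, 2 * j + 1), H(b1, 2 * j + 1)), a0)
    WE0 = xor(H(b0, 2 * j + 1), xor(TE, a0) if pb else ZERO)
    return (TG, TE), xor(WG0, WE0)  # two ciphertexts, zero label of the output wire

def eval_and(ct, wa, wb, j):
    # Evaluator: one hash call per half gate, steered only by public select bits
    TG, TE = ct
    WG = xor(H(wa, 2 * j), TG if select_bit(wa) else ZERO)
    WE = xor(H(wb, 2 * j + 1), xor(TE, wa) if select_bit(wb) else ZERO)
    return xor(WG, WE)

def run_circuit(a, b, c):
    # Garble and evaluate out = (a XOR b) AND c; return the decoded output bit.
    R = bytes([secrets.randbits(8) | 1]) + secrets.token_bytes(K - 1)  # select_bit(R) = 1
    wa, wb, wc = new_wire(R), new_wire(R), new_wire(R)
    x0 = xor(wa[0], wb[0])  # free-XOR gate: zero label is the XOR of the input zero labels
    ct, out0 = garble_and(R, x0, wc[0], j=7)
    x = xor(wa[a], wb[b])  # evaluator's free-XOR: no ciphertext, no hash call
    out = eval_and(ct, x, wc[c], j=7)
    if out not in (out0, xor(out0, R)):
        raise ValueError("evaluation produced an invalid output label")
    return int(out != out0)
```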

Methods

- There are many techniques that fall under the category of garbling schemes.
- The authors wish to focus on techniques based on symmetric-key primitives only.
- The authors model parties as computationally unbounded entities that can make polynomially many queries to a random oracle.
- This is the standard setting for proving lower bounds about Minicrypt.
- The authors say that a garbling scheme has ideal security if no adversary of the above form has advantage better than poly(k)/2^k in the …

Results

- The authors experimentally demonstrate that the garbling scheme leads to an overall decrease in time, bandwidth, and energy use over several benchmark applications.
- Circuits, the work gives a 33% reduction in garbled circuit size.
- This leads to reductions in overall latency, as well as energy since the extra computation required to compute the hash function twice is more than offset by the energy savings of reduced bandwidth

Conclusion

- The authors define the parity of a binary boolean gate as the number of 1s in its truth table.
- XOR, for instance, has even parity, while AND has odd parity.
- The proof of Theorem 3 applies to any odd-parity gate.
- The authors are currently unable to prove a lower bound for completely arbitrary garbling schemes.
- The authors cannot rule out the possibility of garbling an AND gate with only k bits.
- The authors' lower bound shows that if such a method exists, it must use public-key primitives or be significantly non-linear


Tables

- Table 1: Optimizations of garbled circuits. Size is the number of “ciphertexts” (multiples of k bits).
- Table 2: Optimizations of privacy-free garbled circuits. Size is the number of ciphertexts (multiples of k bits). The three prior schemes are from Frederiksen, Nielsen, and Orlandi [8].
- Table 3: Comparison of garbled circuit size for selected circuits of interest. Size is measured in average number of ciphertexts per gate.
- Table 4: Resource usage for three common programs. Edit distance refers to the Levenshtein distance between two 200-byte strings. AES refers to 1 block of encryption and key expansion, iterated 10 times. Set intersection is performed on sets of 1024 32-bit integers, iterated 10 times. Each of these 3 jobs was in turn executed 5 times and measured separately, and the numbers are averages over these 5 runs. Whole denotes an experimental setup using free-XOR with GRR2, while Half denotes a setup using the half-gates construction.
- Table 5: Comparison of privacy-free garbled circuit size for selected circuits of interest. Previous constructions and their statistics are from Frederiksen, Nielsen, and Orlandi [8]. Size is measured in average number of ciphertexts per gate.

Funding

- Mike Rosulek was supported by NSF Award 1149647
- David Evans and Samee Zahur were supported by NSF Award

References

- Applebaum, B.: Garbling XOR gates “For Free” in the standard model. In: Sahai, A. (ed.) TCC 2013. LNCS, vol. 7785, pp. 162–181. Springer, Heidelberg (2013)
- Applebaum, B., Ishai, Y., Kushilevitz, E.: How to garble arithmetic circuits. In: 52nd Symposium on Foundations of Computer Science (2011)
- Beaver, D., Micali, S., Rogaway, P.: The round complexity of secure protocols. In: 22nd Symposium on Theory of Computing (1990)
- Bellare, M., Hoang, V.T., Keelveedhi, S., Rogaway, P.: Efficient garbling from a fixed-key blockcipher. In: 34th IEEE Symposium on Security and Privacy (2013)
- Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits. In: 19th ACM Conference on Computer and Communications Security (2012)
- Brandão, L.T.A.N.: Secure two-party computation with reusable bit-commitments, via a cut-and-choose with forge-and-lose technique. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 441–463. Springer, Heidelberg (2013)
- Choi, S.G., Katz, J., Kumaresan, R., Zhou, H.-S.: On the security of the “FreeXOR” technique. In: Cramer, R. (ed.) TCC 2012. LNCS, vol. 7194, pp. 39–53. Springer, Heidelberg (2012)
- Frederiksen, T.K., Nielsen, J.B., Orlandi, C.: Privacy-free garbled circuits with applications to efficient zero-knowledge. In: EUROCRYPT (2014)
- Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: 45th ACM STOC (2013)
- Henecka, W., Kögl, S., Sadeghi, A.R., Schneider, T., Wehrenberg, I.: TASTY: tool for automating secure two-party computations. In: 17th ACM Conference on Computer and Communications Security (2010)
- Henecka, W., Schneider, T.: Memory efficient secure function evaluation. https://code.google.com/p/me-sfe/
- Holzer, A., Franz, M., Katzenbeisser, S., Veith, H.: Secure two-party computations in ANSI C. In: 19th ACM Conference on Computer and Communications Security (2012)
- Huang, Y., Evans, D., Katz, J.: Private set intersection: are garbled circuits better than custom protocols? In: 19th Network and Distributed System Security Symposium (2012)
- Huang, Y., Evans, D., Katz, J., Malka, L.: Faster secure two-party computation using garbled circuits. In: 20th USENIX Security Symposium (2011)
- Huang, Y., Katz, J., Evans, D.: Efficient secure two-party computation using symmetric cut-and-choose. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 18–35. Springer, Heidelberg (2013)
- Impagliazzo, R.: A personal view of average-case complexity. In: 10th Structure in Complexity Theory Conference (1995)
- Impagliazzo, R., Rudich, S.: Limits on the provable consequences of one-way permutations. In: Goldwasser, S. (ed.) CRYPTO 1988. LNCS, vol. 403, pp. 8–26. Springer, Heidelberg (1990)
- Jawurek, M., Kerschbaum, F., Orlandi, C.: Zero-knowledge using garbled circuits: how to prove non-algebraic statements efficiently. In: ACM CCS 13 (2013)
- Kolesnikov, V., Mohassel, P., Rosulek, M.: FleXOR: flexible garbling for XOR gates that beats free-XOR. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 440–457. Springer, Heidelberg (2014)
- Kolesnikov, V., Schneider, T.: Improved garbled circuit: free XOR gates and applications. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 486–498. Springer, Heidelberg (2008)
- Kreuter, B., Shelat, A., Shen, C.: Billion-gate secure computation with malicious adversaries. In: 21st USENIX Security Symposium (2012)
- Lindell, Y.: Fast cut-and-choose based protocols for malicious and covert adversaries. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 1–17. Springer, Heidelberg (2013)
- Lindell, Y., Pinkas, B.: A proof of security of Yao’s protocol for two-party computation. Journal of Cryptology 22(2) (2009)
- Lindell, Y., Pinkas, B.: Secure two-party computation via cut-and-choose oblivious transfer. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 329–346. Springer, Heidelberg (2011)
- Lindell, Y., Pinkas, B., Smart, N.P.: Implementing two-party computation efficiently with security against malicious adversaries. In: Ostrovsky, R., De Prisco, R., Visconti, I. (eds.) SCN 2008. LNCS, vol. 5229, pp. 2–20.
- Malkhi, D., Nisan, N., Pinkas, B., Sella, Y.: Fairplay - secure two-party computation system. In: 13th USENIX Security Symposium (2004)
- Naor, M., Pinkas, B., Sumner, R.: Privacy preserving auctions and mechanism design. In: 1st ACM Conference on Electronic Commerce (1999)
- Pinkas, B., Schneider, T., Smart, N.P., Williams, S.C.: Secure two-party computation is practical. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp. 250–267. Springer, Heidelberg (2009)
- shelat, A., Shen, C.: Two-output secure computation with malicious adversaries. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 386–405. Springer, Heidelberg (2011)
- Tillich, S., Smart, N.: Circuits of basic functions suitable for MPC and FHE. http://www.cs.bris.ac.uk/Research/CryptographySecurity/MPC/
- Yao, A.C.C.: How to generate and exchange secrets. In: 27th FOCS (1986)
- Zahur, S.: Obliv-C: A lightweight compiler for data-oblivious computation (2014). https://github.com/samee/obliv-c
- Figure caption (classical garbling): In a “classical” garbled circuit (with the point-and-permute optimization), the four ciphertexts comprising a garbled gate have the form H(A‖B) ⊕ C, where the choice of C_0 or C_1 depends on the association between select bits and truth values. The figure gives an example of the scheme’s linear operations; highlighted entries are the positions that vary based on a, b in Gb, or α, β in Ev.
