Succinct Functional Encryption:
Reusable Garbled Circuits and Beyond
Joint work with:
Yael Kalai (Microsoft Research)
Shafi Goldwasser (MIT), Raluca Ada Popa (MIT), Vinod Vaikuntanathan (U Toronto), Nickolai Zeldovich (MIT)
* Thanks to Raluca and Vinod for the slides.
Example: Spam Filters
E[email] Spam filter
E[email] E[spam?]
Need to decrypt computation result but nothing else!
Sender Receiver
FHE.Eval of filter
FHE is not enough!
Desired: Functional Encryption (FE) [Boneh-Sahai-Waters11, O’Neill11]
Allows evaluator to decrypt computation result
E[x_1], ..., E[x_n]
sk_f
Client Evaluator
compute
Can release only one function key [Agrawal-Gorbunov-Vaikuntanathan-Wee12]
Syntax:
Outline
• Example: Spam filters
• Problem we solve: Functional Encryption (under LWE assumption)
• Prior work
• Main Application: Reusable Garbled Circuits
• Application 2: FHE for Turing machines
• Application 3: Publicly Verifiable and Secret Delegation
• Our constructions
Prior Work
Functional encryption for inner product functions [Katz-Sahai-Waters’08, Shen-Shi-Waters’09]
Public-index functional encryption (also known as ABE or predicate encryption) [Sahai-Waters’05, Goyal-Pandey-Sahai-Waters’06, Bethencourt-Sahai-Waters’07, Goyal-Jain-Pandey-Sahai’08, Lewko-Okamoto-Sahai-Takashima-Waters’10, Waters’11, Lewko-Waters’12, Waters’12, Sahai-Waters’12, Gorbunov-Vaikuntanathan-Wee’13,…]
[Gorbunov-Vaikuntanathan-Wee’12]: Functional encryption for general functions, where grows with circuit size
(e.g. size of email encryption depends on spam filter program size)
Open question: Is there a FE scheme for general functions
with ciphertext size << circuit size?
succinct
Our contribution: Succinct functional encryption
Theorem. A FE scheme with succinct ciphertexts for general functions can be constructed from
1. FHE scheme
2. public-index functional encryption scheme
Corollary. Under the sub-exp. LWE assumption, for any depth d, there is a FE scheme with succinct ciphertexts (whose size grows with d) for general functions computable by circuits of depth d.
Main Application: Reusable Garbled Circuits
Yao garbled circuits [Yao82]
– Secure two-party computation [Yao86],
– (Constant round) multi-party computation [BMR90],
– Parallel cryptography [AIK05],
– One-time programs [GKR08],
– Key-dependent message (KDM) security [BHHI09, A11],
– Outsourcing computation [GGP10],
– Circuit-private homomorphic encryption [GHV10],
– and many others
Yao Garbled Circuits [Yao 82]
[Figure: a Boolean circuit C on input x = 0110 is turned by Garble(C) into a garbled circuit GC; Garble(x) turns the input into the garbled input, one label per input wire chosen from the pairs (L1,0, L1,1), (L2,0, L2,1), (L3,0, L3,1), (L4,0, L4,1).]
Correctness: Given GC and , can compute C(x).
Security (Input & Circuit privacy)
Given C(x) and 1^{|C|}, can simulate (GC, ).
Efficiency: |GC| = p(|C|) and || = p(|x|)
Yao Garbled Circuits (Cont.)
Theorem: [Yao86]
If one-way functions exist, any polynomial-size circuit family can be garbled.
Yao Garbled Circuits (Cont.)
Drawback: One-time
insecure to release two encodings and
[Figure: garbled circuit GC with the garbled inputs for x = 0110 (labels L1,0, L2,1, L3,1, L4,0) and x′ = 1001 (labels L1,1, L2,0, L3,0, L4,1).]
Can compute C(x) for unintended inputs x!
No input or circuit privacy guarantees!
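The one-time drawback above, as an added example (not from the slides): a toy Yao garbling in Python in which an evaluator holding the encodings of x = 0110 and x′ = 1001 mixes labels per wire and evaluates C on the never-encoded input 1100. The circuit C(x) = (x1 AND x2) OR (x3 AND x4), the SHA-256 row masking and all function names are assumptions made for illustration.

```python
import hashlib, secrets

def H(la, lb):                      # toy row key: SHA-256 of the two labels
    return hashlib.sha256(la + lb).digest()

def xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def new_wire():                     # (label for bit 0, label for bit 1)
    return (secrets.token_bytes(16), secrets.token_bytes(16))

def garble_gate(op, wa, wb, wout):
    # One row per input pair: output label plus a 16-byte zero tag, masked
    rows = [xor(H(wa[a], wb[b]), wout[op(a, b)] + bytes(16))
            for a in (0, 1) for b in (0, 1)]
    secrets.SystemRandom().shuffle(rows)
    return rows

def eval_gate(rows, la, lb):
    for row in rows:                # only the matching row shows the zero tag
        pt = xor(H(la, lb), row)
        if pt[16:] == bytes(16):
            return pt[:16]
    raise ValueError("labels open no row")

def garble_circuit():
    # Assumed circuit: C(x) = (x1 AND x2) OR (x3 AND x4)
    ins = [new_wire() for _ in range(4)]
    m1, m2, out = new_wire(), new_wire(), new_wire()
    gc = [garble_gate(lambda a, b: a & b, ins[0], ins[1], m1),
          garble_gate(lambda a, b: a & b, ins[2], ins[3], m2),
          garble_gate(lambda a, b: a | b, m1, m2, out)]
    return gc, ins, out

def encode(ins, x):                 # Garble(x): one label per input wire
    return [ins[i][int(b)] for i, b in enumerate(x)]

def evaluate(gc, out, labels):
    l1 = eval_gate(gc[0], labels[0], labels[1])
    l2 = eval_gate(gc[1], labels[2], labels[3])
    return out.index(eval_gate(gc[2], l1, l2))   # decode the output label

def reuse_demo():
    gc, ins, out = garble_circuit()
    gx, gx2 = encode(ins, "0110"), encode(ins, "1001")
    # Per-wire mix of the two released encodings: x1, x3 from x' and
    # x2, x4 from x give valid labels for the never-encoded input 1100
    mixed = [gx2[0], gx[1], gx2[2], gx[3]]
    return evaluate(gc, out, gx), evaluate(gc, out, gx2), evaluate(gc, out, mixed)
```

`reuse_demo()` returns C(0110), C(1001) and the value the evaluator obtains from the mixed labels, which equals C(1100).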
Main Application: Reusable Garbling
Theorem:
Under the sub-exp. LWE, there is a reusable circuit garbling scheme for poly size circuits such that:
– poly(,|C|)
– poly(where is the depth of
(: security parameter)
Application 2: FHE for Turing machines
E[result]
Client
Program
Decrypt only the runtime of the instance, to avoid worst-case!
E[input]
circuit size worst-case running time of program
Evaluator
Application 3: Publicly-verifiable delegation with secrecy
[Gennaro-Gentry-Parno’10]: Yao + FHE ⇒ secret privately-verifiable delegation
[Parno-Raikova-Vaikuntanathan’12]: public-index FE ⇒ non-secret publicly-verifiable delegation
succinct FE ⇒ publicly-verifiable delegation with secrecy
Outline
[Diagram: LWE; public-index FE + FHE + Yao garbling; (1) succinct functional encryption; (2) reusable garbled circuits & FHE with input-specific efficiency; publicly-verifiable delegation with secrecy; implication to obfuscation. Two items are marked "Not today".]
Construction of FE
Public-Index Functional Encryption (also known as ABE or predicate encryption)
m, if f(x) = 1
⊥, if f(x) = 0
leaks input to the computation
[Gorbunov-Vaikuntanathan-Wee13]: Public-index functional encryption for any (a priori fixed) depth d circuit, based on sub-exp. LWE assumption.
Variant:
m_0, if f(x) = 1
m_1, if f(x) = 0
Intuition
IDEA: Start with FHE
x̂ ← FHE.Enc(x)
sk_f ← f
Not f!
IDEA: Use (one-time) Yao garbled for decryption
Intuition
1. x̂ ← FHE.Enc(x)
sk_f ← f
FE.Enc of input :
FE.KeyGen for circuit f:
FE.Dec(should obtain :
2. Generate garbled circuit and labels for
2. Obtain labels for
3. Compute and get
Output
How??
=
We need..
L_i^1, if g_i(x) = 1
IDEA: The variant of public-index FE provides exactly this!
if , ) = 0, get label else gets
public predicate
public input
keep one secret
Intuition
1. x̂ ← FHE.Enc(x)
, where
FE.Enc of input :
FE.KeyGen for circuit f:
FE.Dec(should obtain :
2. Generate garbled circuit and labels for
2. Obtain labels for
3. Compute and get
Output
3.
Outline
[Diagram: public-index FE + FHE + Yao garbling; succinct functional encryption; (2) reusable garbled circuits & FHE with input-specific efficiency; publicly-verifiable delegation with secrecy; implication to obfuscation.]
Intuition
Garble(C):
Garble(x):
Leaks C!
IDEA: leverage secrecy of input to hide circuit
Intuition
Garble(C):
Garble(x):
Intuition
Garble(C):
Garble(x):
on input and :
- Decrypt to obtain
- Run
Correctness?
Security?
Reusability?
Summary
[Diagram: LWE; public-index FE + FHE + Yao garbling; (1) succinct functional encryption; (2) reusable garbled circuits & FHE with input-specific efficiency; publicly-verifiable delegation with secrecy; implication to obfuscation. Two items are marked "Not today".]
Thank you!