>> Vladimir Kolesnikov: All right, so we're starting the afternoon session. It's a session about
garbled circuits, which is the most important aspect of applied multiparty computation. And the
first talk is by Mike Rosulek, who will talk about FleXOR, flexible garbling for XOR gates that
beats free XOR, and it's joint work with Payman and with me.
>> Mike Rosulek: So, hello, everyone. So like Vlad said, this is joint work with Vlad and
Payman. I'd just like to thank Payman and Seny and organizing the conference and think
Microsoft for hosting it. This has been really great so far. Hopefully, this will be the best
session so far. I'll do my best. So this is the session about garbled circuits, which are probably
familiar to most of the audience, but I'll say just a very short recap of garbled circuits. The idea
is for each wire in a circuit, we'll associate two wire labels to conceptually encode true and false.
And then for each gate in the circuit, we'll include a kind of encrypted truth table. So this
happens to be an XOR gate, so you see I have a truth table that's like 0110. That's the truth table
of XOR. And the idea is, when you're evaluating this circuit, you will know exactly one of the
two wire labels on each wire, so you'll be able to open exactly one of the four encrypted values
and open it to the appropriate wire label of the output wire. So I'm going to give a little bit of
background that you'll need to understand to understand our new result. So the first thing I want
to talk about is this idea of garbled row reduction, which was introduced actually in '99 by Naor,
Pinkas and Sumner and then expanded on by a well-known paper of Pinkas et al. So what I
described for garbled circuits is we have four ciphertexts that comprise the encrypted truth table.
The garbled row reduction is a way to kind of compress the truth tables, and here's the main
observation. Let's imagine that the first ciphertext is an all-zero string, so this is how I remember
row reduction. What happens if the first ciphertext is all zeros? Well, this is okay, as long as if
you decrypt -- I don't have a laser pointer. We can have the first ciphertext be all zeros, as long
as C0 happens to be the decryption of the all zeros ciphertext under those first keys. As long as
C0 is this exact value, then we haven't really changed anything. So that's exactly what we do.
So instead of choosing the output wire library C0 uniformly, we choose C0 to be this specific
value. That will force the first ciphertext to be all zeros, and since it's all zeros, we don't have to
include it. It will just be understood by the evaluator. So now instead of four ciphertexts, we
only need three ciphertexts per gate in the garbled circuit. There's also a more advanced
technique, which I'll mention but I won't describe, where you can reduce the truth table down to
two entries, the size of two ciphertexts instead of four, so that's row reduction. That's going to
become important in a little bit. And now I want to talk about free XOR, which we've been
hearing a lot about. So it's going to become important in this talk to take the two libraries on
each wire and XOR them together, and let me call that the offset of the wire, so that's kind of like
a fundamental conceptual idea in our work, the offset of each wire. So these wires have offsets,
A0 plus A1, etc., so every wire has some offset. And the idea behind free XOR -- in fact, I'll
usually write the wire labels like this, so the false label and then the false label plus the offset.
That'll be an easy way for me to write things. The idea behind free XOR is let's let all of the
wires in the circuit have the same offset, which has to be a secret value, so I'll call it delta. So all
three of these wires have an offset delta, and now, if you have exactly one of the wire labels for
each of these two input wires and you XOR them together, you'll only get two possible outputs.
In fact, you'll get A plus B, or you'll get A plus B plus delta, and you'll get them with the truth
value corresponding to an XOR gate. So, in fact, if the wire labels all satisfy these relations, then
you don't have to exchange any -- there's nothing to send in a garbled circuit. There's nothing to
include in a garbled circuit, no garbled truth value, so the XOR gates are free in that way. And
in fact, evaluating an XOR gate under free XOR doesn't cost any cryptographic operations,
either. You just XOR the wire labels, so they're really free in almost every sense of the world.
So free XOR is great, and this is a paper where it's not obvious that you can do better than this.
And so free XOR is great. It's used ubiquitously. It's a great improvement to garbled circuits.
But I want to point out some limitations of free XOR, and there's two that we address in this
paper. One is, if you're kind of theoretically minded, you might say that free XOR requires
random oracle, or even if you don't think it requires random oracle, it requires a circularity
assumption, which you may have some philosophical objection. But actually, when I talk about
that later, I'll even argue that even without a philosophical objection to the random oracle model,
you still might want to improve this hardness assumption. And also, free XOR is incompatible
with the kind of strong row reduction that I mentioned but didn't describe. So you can use free
XOR and use the four to three row reduction but not the four to two reduction. I'll go into more
detail about both of these, but I just want to point these out right now as limitations of the free
XOR approach. So the motivating goal of our work is can we retain most of the advantages of
free XOR but avoid some of these limitations, and the answer is yes, so let me describe. Yes,
there it is. Good. So let me describe precisely how we improve free XOR. Okay. So the
current state of the art is there's kind of two maybe incomparable ways that are like the best ways
to garble the circuit. So I'm going to show these charts. It's an empirical table, and after this
discussion on the panel, I feel like I should say something about it. What I'm listing here is the
number of ciphertexts per gate, so hopefully that's like a cut-and-dry, apples-to-apples
comparison, and I think as Yehuda indicated, these numbers correspond to the size of the garbled
circuit that you would have to send in a protocol, and in some network settings, that could be a
major bottleneck, and in some settings, maybe not. But certainly in Yehuda's slides, doing an
MPC over a wi-fi network. Perhaps, the communication complexity is the major bottleneck. So
a standard way of doing garbled circuits, you do the strong row reduction, and every gate costs
exactly two ciphertexts, so no matter what kind of a circuit it is, it costs two ciphertexts per gate.
If you're using free XOR, then XOR gates are free. There's nothing to send in the garbled circuit,
and the non-XOR gates cost three. And so for different circuits, you get different numbers.
Sometimes, free XOR is better, sometimes it's not. So hopefully ->>: Those have the same [indiscernible]?
>> Mike Rosulek: They're from a -- do you remember where they're from? They're mostly for
Nigel. Most of them, I think, are from Nigel. The AES one is super-optimized for AND gate.
>>: The four to two, an initial cost of computation there, unlike the four to three.
>> Mike Rosulek: Yes.
>>: The four to three is completely free, but the four to two?
>> Mike Rosulek: Yes.
>>: How significant is that?
>> Mike Rosulek: So we're not really considering the computation aspects. It requires you to do
some polynomial interpolation. There's a polynomial over a field of size 2 to the N, and you
need to interpolate a degree-three polynomial from two points. It's been a while since I've
implemented a polynomial interpolation, so I don't know -- even the just garble kind of things
don't implement the two-row reduction, as far as I know. So, yes, some of these improvements
do come at a cost to computation, but our work is really focused on the size of the garbled
circuit. I think we've established in the panel discussion that in different settings, different things
might be the bottleneck. Okay, so what I'm going to describe is our new system, is called
FleXOR, and instead of using this strong circularity assumption that free XOR uses, we could
instantiate our garbling scheme using the same assumption or also a weaker assumption that's
just a related key assumption, and I'll say more about that later. It comes at a cost. So we can
get rid of the circular assumption and replace it with the weaker related-key assumption, and our
garbled circuits are 10% to 15% larger. So you do pay something for having a weaker hardness
assumption, but still, philosophically, you're getting lots of the benefit of free XOR at a much
weaker assumption, so that's one instantiation of our scheme. And we can also instantiate our
scheme in a way that makes it compatible with the strong row reduction. So for this last row, all
the non-XOR gates cost two instead of three. And in some cases, we are able to beat free XOR
and in fact be the -- I've put in bold the numbers that are the best. The one that we're the most
excited about is the DES circuit. We're 30% better than free XOR in terms of just the garbled
circuit size, which was very surprising for us, that you could do a smaller garbled circuit than
free XOR.
>>: The important thing in the circuit is how many XOR gates there are, or is there something
else?
>> Mike Rosulek: There are some other structural things, which it will become clear that it's
complicated, so the structure of the circuit comes into play.
>>: The reason you say it's related is it's weaker that circular? It would be weaker on theoretical
or just on a conceptual basis? So it's [indiscernible].
>> Mike Rosulek: So when I say circular, if you're familiar with the assumption required for
free XOR, it's circular plus correlation robust. It's circular and related key. So ours is take the
assumption from CKKZ, remove the circularity. It's just correlation robustness. I'll say a little
bit more about that when I have a theorem statement to show. Yes.
>>: Is that 30% smaller [indiscernible] per generation?
>> Mike Rosulek: So we don't have an implementation. We don't know how -- we haven't
compared the speed of garbling or anything like that.
>>: As far as I know, even the two-row reduction or the plan to generate these are the same as
the three row or four row.
>> Mike Rosulek: Yes, that could totally be true. Whatever penalty you pay for the two-row
reduction in these, we use the exact same two-row reduction here, but like I said, we don't have
an implementation.
>>: So maybe just to comment, but rule of thumb, if it's a very, very fast network, then free
XOR will be better, like a gigabit one. If it's some wi-fi, then this is probably going to be better,
and somewhere in the middle is somewhere in the middle.
>> Mike Rosulek: Okay, so what is this mysterious FleXOR garbling? So it's flexible XOR. So
here's kind of our main idea. So let's talk about how to garble an XOR gate when the offsets of
the wires are different. So free XOR is what you do when all the offsets are the same. Let's
imagine that the offsets are different. Now, what do you do? Wouldn't it be nice -- I have input
wires and their offsets are delta A, delta B, which are different, and I want the output to have
offset delta C. Wouldn't it be nice if I could just wave a magic wand and transform the original
input labels into input labels that have delta C, which is the offset that I want? Right? If I could
transform them to this new offset, then I could just apply the free XOR on these translated wire
labels, and I would be very happy. But how do I get these original wire labels to these translated
wire labels with a different offset? Well, here's what I can do. I can encrypt the new wire labels
under the old wire labels. I can do that from both of these, so I just pick. For each XOR, again,
I'm going to pick new wire labels that have the offset that I want for the output and then provide
for ciphertext to translate from the old wire labels to the new wire labels. But this is really bad.
Now I've shown you how to garble an XOR gate using four ciphertexts. So if you know exactly
one of the input wire labels, then you can open exactly one of the ciphertexts and learn exactly
one of the new wire labels. Okay, but this is four ciphertexts. This is really bad. But let's use
the idea of row reduction, and in fact, we can set the first ciphertext of each of these pairs to be
all zeros, so instead of choosing the new wire labels, A-star and B-star uniformly, we can choose
them kind of implicitly, based on this row-reduction idea. And so now I've gone from four
ciphertexts to two, using the standard row reduction technique. Okay. So now I've garbled an
XOR gate using two ciphertexts, so now this is a little bit more reasonable, and then the final
observation is that, what if one of these -- so I want the output of the XOR to have offset delta C.
Well, if one of the input wires already has offset delta C, then I don't have to do anything.
There's nothing to adjust. If it already has the right offset, I don't have to do anything. And if all
three of them start out as the right offset, then I'm in the same position as free XOR. Okay. So
the summary is, the core of our method is a way to garble XOR gates that uses either zero, one or
two ciphertexts. And the number of ciphertexts depends on how many of the offsets are distinct.
Okay.
>>: Can you use zero?
>>: If they're all the same.
>> Mike Rosulek: Yes. If delta A, delta B, delta C are the same, then you just have free XOR.
There's nothing to adjust. You just natively XOR the wire labels. Okay. So I've described a
method of garbling XOR gates, and somehow the offsets of the wires affects the size of the
garbled circuit, so I need to say something about how do you choose which wires have which
offsets. So what I propose is let's group all of the wires into equivalence classes. Each
equivalence class gets the same wire offset. So here's -- I'll call that a wire ordering. So I've
labeled all of the wires in this circuit with offsets from one to four, and every wire is going to
have the offset that I've labeled it with. And I want to choose wire orderings that minimize the
costs of the XOR gates, because when the offsets match up, then the XOR gates are cheaper. If
this is the only thing I care about, then I'll just put all the wires in the same class, give all the
wires the same offset, and I'll be doing free XOR. But we want to do some things that are
impossible with free XOR, so we have some other constraints. I want to choose wire orderings,
and I want to reduce the size of the XOR gates, but I want to avoid the circularity problem of
free XOR and I want to stay compatible with the two-row reduction idea. And it turns out that
we can express these other constraint as combinatorial properties of this wire ordering, so now
we just have an optimization problem. We have a circuit, we have a directed graph, and we want
to label the edges in a particular way to reduce some objective function, and the objective
function is the total cost of the garbled circuits. So I'm going to tell you a little bit about how we
do both of these and what the combinatorial constraints look like. Okay, so the first thing I want
to talk about is removing the circularity problem -- maybe not problem, but the circularity aspect
of free XOR. Okay. So why does free XOR have this -- require a circularity assumption about
the underlying encryption or cipher? So here's a free XOR setup. All the input wires have the
same offset delta. That's free XOR. Excuse me. And I've got a garbled AND gate here. Let's
imagine that the evaluator has the false value on all these wires. That means the evaluator would
only be able to open up the first ciphertext. That's the one in red. Somewhere in the security
proof, we have to argue that the other three ciphertexts look like junk from the evaluator's point
of view. In particular, this last ciphertext should be pseudorandom or should look like a bogus
simulatable ciphertext from the evaluator's point of view. But A, B and C are known, and delta
is a secret. And you'll see that the secret value delta shows up in the context of a key and also in
the context of a plaintext. A normal encryption doesn't allow you to do that. You need to
assume that you have some sort of circular encryption where the secret can appear in the key
context and the plaintext context. It's kind of a key cycle in disguise, so that's why you need the
circularity assumption. So I want to look at our FleXOR garbling and just take account of when
we include ciphertext in the garbled circuit, when does an offset appear as a key and when does
an offset appear as a plaintext in the ciphertext? So the offset of the output wire always appears
as the plaintext, the message of the encryption, and the offset of the input wires appears as the
keys. We use the input wires as keys to encrypt the output wire. But when we're garbling an
XOR gate, actually, we don't include any ciphertext when the offsets match. So if delta I equals
delta K, we wouldn't include any ciphertext. So we wouldn't -- yes, so I'm just taking account of
when these offsets appear in ciphertext, and so sometimes we don't include ciphertext in the
FleXOR scheme. Okay, so with that in mind, let's look at this property. Suppose I had a wire
ordering that had this property among its offsets. So the offset of the output wire is always
greater than the offsets of the input wires, and that has to be a strict inequality for an AND gate,
because I'm always using the input wires to encrypt the output wires. In an XOR gate, it can be
greater than or equals, because it's okay for delta I and delta K to be the same offset, because in
that case I wouldn't include a ciphertext. It wouldn't affect any -- it wouldn't make any
circularity. So I'm trying to avoid key cycles among these delta values, and hopefully it's
relatively clear that now every time I have a ciphertext, I'm only using an offset to encrypt a
larger offset, so it never comes around to be a cyclical condition. So we showed that, if you
instantiate our FleXOR garbling scheme and you have a wire ordering that satisfies this property,
this monotone property, then you don't need the circularity assumption. You just need a related
key assumption, and I claim that if you're doing MPC in the first place, you're probably using OT
extension, so you're already assuming that you have a correlation robust hash function, and that's
essentially the same assumption that we use here. So it really kind of puts all of the components
on equal footing in terms of their underlying assumption. Unfortunately, we show that it's NPhard to find -- so there's still a lot of wiggle room here. There's a lot of wire orderings that
satisfy this monotonicity property, and different ones lead to different sizes of garbled circuits.
We want to find the one that leads to the smallest garbled circuit. We show that's an NP-hard
optimization problem, so that's kind of bad news. On the other hand, some very simple
heuristics seem to do quite well. So the table that I showed you reflected just some simple
heuristics that we came up with, and already these simple heuristics do pretty well. Okay.
>>: [Indiscernible]. Why don't you just do a heuristic to do -- so that it just satisfies the
condition of the XOR conditions?
>> Mike Rosulek: So this is if you?
>>: Monotone wire ordering is one sort of condition you could impose that would guarantee
what you want, but that's not necessary, right?
>> Mike Rosulek: We don't show that it's necessary. Maybe something very slightly weaker
would hold, like if there has to be some topological way to process the gates that doesn't mess
things up, but if there are no key cycles, there has to be some at least partial ordering of the
offsets. So something similar to this has to be there, at least, I would argue.
>>: Why is this compatible with four to two row reductions?
>> Mike Rosulek: So this part is not -- this is just kind of two independent thrusts, so kind of
view FleXOR as kind of a new way to think about free XOR type approaches. One direction you
could go is optimizing the underlying hardness assumption. The next thing I want to talk about
is compatibility with row reduction, so thank you for asking. So why can't we use four to two
row reduction with free XOR? Let's look at four to three row reduction first. When we use this
version of row reduction, it has the effect of setting one of these output wire labels to some fixed
function of the input wire labels. We don't get to choose C0 uniformly at random. C0 has to be
fixed. C1 can still be anything we want, which is nice for free XOR. When we use the four to
two row reduction, we end up setting both of these output wire labels implicitly. We have no
control over them. Their set is the output of some pseudorandom function. So we have no
control over C0 and C1, and so we have no control over their offset. We can't guarantee that, if
we want to use this in free XOR, we would need C0 XOR C1 to be our global offset delta. It's
unlikely that that's going to happen. We have no control over the output wire's offset. Okay.
But in our setting, we don't have to have all the offsets the same, so what if we had a wire
ordering where look at all of the output wires of AND gates. Suppose they all had distinct
offsets. Then, when I garble this AND gate, I'll use the two row reduction, delta I will be set
implicitly out of my control, but that's fine, because the next time I get to an AND gate, it'll have
a different output offset. I'll never have to target an AND gate to a specific offset. It'll always be
okay for the offset to just fall out of the garbling outside of my control. And there's a little fine
print in here. I encourage you to see the paper, but this is the essential idea. So we showed that
if you have a wire ordering that satisfies this safe property that I've described, then you can
garble all of the AND gates using just two ciphertexts. So that gives us a garbling scheme where
XOR gates cost zero, one or two, and AND gates always cost two. Again, we have a simple
heuristic that finds decent wire orderings that satisfy this property, and it seems to do well. So
even with our admittedly simple heuristics, these are the kinds of results that we get. So one
interesting thing I'd like to mention is that we do show some improvements over free XOR, and
we don't claim that this is even the best you could do, because we don't claim that we've found
the absolute best wire orderings for every circuit. Yes.
>>: So the last one is safe but not monitored? Have you roughly defined safe monotonic?
>> Mike Rosulek: Yes, so you can do combinations of these two.
>>: Have you tried?
>> Mike Rosulek: I don't -- we may have tried, but it wasn't very exciting. I think these are the
ones that we really want to highlight. Okay, so that's essentially what I wanted to say about
FleXOR, so just to summarize, it's a new way to garble XOR gates, resulting in zero, one or two
ciphertexts per gate. We can instantiate it in a way that makes it compatible with four to two row
reduction, which free XOR doesn't allow. We can instantiate it with a weaker underlying
primitive, which free XOR doesn't allow. Oh, my goodness. How about that for timing? And
so just before I end, this is my last slide, but I just say it again, that these numbers reflect -- we
took these circuits and we ran our heuristics to find wire orderings, and they're just heuristics. So
we don't claim that this is the limit of our FleXOR approach. Presumably, you could do better.
We don't know how much better, but that's kind of an interesting avenue to explore. So that's my
last slide, and I'll take your questions.
>>: [Indiscernible] the optimal technique? It's just NP-complete for monotone wire labels, but
you believe maybe it's NP-complete.
>> Mike Rosulek: We believe it's NP-complete to optimize anything of interest, but we only had
a proof for the monotone wire ordering case.
>>: So one question was asked [indiscernible]. One question, because David's already ->>: If you go back to the last slide, so the circuits that you started with, probably except for
desks, were highly optimized to take advantage of free XOR, and so I'm wondering if -- and so I
think you constrained yourself by not changing the circuits, but if you were willing to change the
circuit to take advantage of FleXOR, I would think you could do better.
>> Mike Rosulek: I think that's a really interesting direction. With free XOR, your objective is
clear. Get rid of as many non-XOR gates as you can. Now, starting with FleXOR and working
backwards and saying, how does a circuit have to look in order to have to play well with
FleXOR, it's a lot harder to say, but it's a really interesting question. So there could be some
interesting circuit optimization -- not only optimizing the wire ordering but optimizing the
structure of the circuit itself would be an interesting follow up.
>> Vladimir Kolesnikov: Thanks, Mike.
>> Claudio Orlandi: Thank you for organizing this great event. Thank you to Microsoft for a
PowerPoint that I'm going to use during this presentation. So this talk is -- there are two parts of
this talk. The first part is zero-knowledge from garbled circuits, and this is a paper that appeared
last year at CCS, coauthored with Marek Jawurek and Florian that is in the audience, and some
work in progress that started with this that is with Tore that is also in the audience and talked
before and Jesper Nielsen from Aarhus University. So I'm very happy -- thank you for setting up
this scene for me, because I'm going to do a lot of stuff with it. First, an announcement. We are
going to have another workshop on theory and practice of MPC nodes in Denmark, right before
EUROCRYPT, May 5th to 9th, so please come there, as well. Denmark is a great country. You
might have heard that if you are not a giraffe, you should be safe.
>>: A baby giraffe.
>> Claudio Orlandi: A baby giraffe. Oh, my God. So zero-knowledge protocols, what is zeroknowledge protocols? So this is this great, great, great idea, this revolutionary concept in
cryptography and in computer science, the idea that proofs don't have to be just something that
you read and write and I send it to you and you verify. We can interact. And moreover, we can
do this, we can prove statements in zero knowledge. I can prove you things and you don't learn
anything except that these things are true. This is this great idea from data that's the founding
fathers of cryptography and computer science. These are the kind of things that we write papers
about to get Turing awards. So that's what we are trying to do. But they're also importance in
practice. So zero knowledge is used in authentication. I want to prove you that I’m me, so I
want to prove that I have this credential, I want to prove that I know my password, but I don't
want to tell you my password. There are reasons for that. I'm not going to talk going to talk so
much about application of zero knowledge. I hope that it's not important for this audience. And
they're also an essential component in complex protocols. So given that they're important in
practice, we also care about the efficiency of generalized protocols. In the last 20 years, a lot of
examples of very efficient zero-knowledge protocols have been proposed, and those are all
essentially restricted to algebraic languages, like discrete logarithm, RSA, lattice, I want to prove
a relationship between elements of some groups. Then we can do like SNARK style protocols
where they're very efficient, but what about non-algebraic statements, what about you have some
string Y and I want to show you, I want to prove you that I know a pre-image of Y without
telling you X. So how do we do this? We have zero knowledge for MP, so go and program your
cap reduction and you'll be fine, but what about in practice? And so this work tries to fill the gap
between -- and we try to start thinking about zero knowledge in practice. So this is a workshop
on MPC, so I'm going to tell you later what is the relationship between MPC and zero knowledge
is, but actually, this was already -- there is some work already in 2007, Ishai, Kushilevitz,
Ostrovsky and Sahai. They showed how to do zero knowledge from honest majority multiparty
computation, and this is also the first step towards this beautiful -- the IPS compiler and this
beautiful MPC in the head approach that actually I don't think anyone is going to talk about at
this workshop, so you should go ahead and read this paper. So, also, there has been also other
work, so I'm not going to say anything about IKOS. I'll say something about it later. There is
also a lot of work about the efficient learning, non-interactive zero knowledge and SNARK, and
those are very nice because they're non-interactive, but they require public key operate per gate,
and thanks to Ranjit for showing that slide, we know that public key operations are more
expensive than symmetric key operations, so it's interesting to know how to construct. So we
want to do something that is more efficient than this. Also, never mind. So this is a workshop
about MPC, so why am I talking about zero knowledge? Because zero knowledge is a proper
subset of MPC. Think about it for five seconds, you've got it, right? So in two-party
computation, we have two parties, Alice and Bob. They agree on a function F, Alice has an
input X and Bob and has an input Y, and they want to compute the function F X of Y. In zero
knowledge, we have a prover, the prover has an public key input X, some statement, these two
graphs are isomorphic, and the prover also knows a witness for this W, that the verifier only
knows the statement, and then they want to compute this relation. They want to know if W is
actually a witness for the statement X. So essentially zero knowledge is the proper set of twoparty computation where only one party has a secret input. And it's kind of surprising that the
techniques that then we use to do MPC and the techniques we use to do zero knowledge are so
different. Zero knowledge is easy MPC. It's easy two-party computation, so it should be easy to
do it, and of course that's why I'm standing here, because that's true. So let me tell you about
garbled circuits. So everyone else told you about garbled circuits, looking at them from how to
garble a gate. I really like that [indiscernible] that is going to talk after me and [indiscernible],
they freed us from all this how to garble small gates. They gave us this beautiful framework, this
beautiful paper about foundation of garbled circuits, and I really like the notation, so from now
on I commit myself to always use their notation. So a garbling scheme is the following. So you
have a garbling algorithm, you give an input of function, and it outputs an encrypted version of
the function, some garbled version of the function. That's F in a box. And then there is some
encoding information E and some decoding information D. Now, if you take the encoding
information E together with input X, you can encode the input. And therefore, you get this X in
a box. Everything that is in a box you can think of as an encryption of this kind. And then there
is an evaluation procedure that if you take the function in the box and the input in the box, you
can get the output in the box. And now, with the decoding information together with the output
in the box, you can get the output in the clear. So that's garbled circuits. How do we do -- and of
course we want that Z output there should be the same as computing F on input X. Great. So the
values in a box are garbled. Think of them as encrypted value. So how do we do two-party
computation using garbled circuits? Our protocol, you have seen it before but let me tell you
again. So how do we do this? We have Alice and Bob. Bob constructs the circuit. He takes this
function F, he hardwires his input Y in it somehow, and then he garbles his function F of Y, and
then you get F Y in a box, E and D. Then Alice and Bob run this OT protocol, where Alice uses
her input X, Bob puts his encoding information E, that if you have seen the previous talks, you
know that this E is actually just two vectors of keys, so 2N keys, one for each input B, and using
the OT, this allows Alice to learn the encrypted version of X, X in a box, without learning
anything else. Then Bob sends the function in a box to Alice. Alice evaluates the encrypted
function, encrypted input, gets the encrypted output, send the encrypted output back to Bob, Bob
decrypts and everyone is happy. Just hand waving, I'm hand waving that I'll start flying soon,
but everything that is in a box essentially is encrypted, so the function F doesn't reveal any
information. F Y in a box doesn't reveal any information about Y, so everyone is happy. Of
course, the OT, Bob doesn't learn the input X, because the box doesn't have an arrow in that
direction. It's proof by image. So this works fine if Alice and Bob are semi-honest. Actually,
this works even if Alice is corrupted, essentially. So this -- most garbled schemes have this nice
property that even if Alice is corrupted, if you give Alice X in a box and F in the box, encrypted
function, encrypted input, the only thing she can really do is to evaluate the encrypted function
and the encrypted input, and so it doesn't matter what she outputs. Essentially, anything that she
outputs, it's either the right output or it makes Bob abort. Alice cannot really cheat in this
protocol. This is a nice observation, everyone knows about this. It's why we can do this nice
double execution protocol. Of course, the problem is what about Bob. Bob can cheat big time,
because Bob can garble a malicious function G that is different from F. For instance, G could be
the less significant bits of the input X, and therefore -- and because the function is inside the box,
Alice cannot tell the difference between the right function and the wrong function. So what do
we do? Well, how do we do two-party computation securely against the active adversaries?
Everyone is talking about this in this workshop, so you know about this. There are a lot of costly
solutions for two-party computation. You can throw zero knowledge on top, do cut and choose,
do all sorts of things. Can we do better for zero knowledge? Can we do better when only one
party has input? We can. So what is the main idea? The main idea is that the main issue in the
case of two-party computation is that Bob is sending this F in the box, and this F contains some
information about Y. So now Bob needs to tell Alice that this function really is the function that
they agreed on without revealing any information about Y. And this is where all this machinery
cut and choosing stuff really makes it expensive. But in zero knowledge, the verify Bob has no
secrets. The verifier has no secrets, only knows the instance of the problem we are verifying, so
the verifier has no secrets. We are not using garbled circuits to protect any of his privacy. So
after the protocol is over, Bob can tell Alice, look, this is all my randomness. This is what I did,
this is the way I garbled my function. And then Alice can simply check that actually Bob
behaved correctly, just by redoing his computation. We don't need to prove that I followed the
prove that I followed the protocol in zero knowledge. I can just -- this is my randomness. Look,
I behaved honestly. So this is the main idea behind this work, that in zero knowledge, when you
use garbled circuits and only one party has input, there is no privacy issue. After the protocol is
over, the garbling party can reveal everything and nothing and there is no problem. So let's see
now we do zero knowledge. There are a few details now that you have to fix, mainly about the
ordering. So we start as before, so now I change the input to W, because now we're doing zero
knowledge. So now we have the prover and the verifier. How do we do zero knowledge using
garbled circuits? Well, the verifier garbles the function F, the verification function F. The
prover and the verifier run the oblivious transfer, so that the prover can get an encrypted version
of his witness. Now, the prover evaluates the encrypted function and the encrypted witness and
gets the encrypted output. Of course, now, the prover doesn't want to reveal this output just yet,
because maybe this is one bit of his witness. Maybe this is not F, maybe this is G, so now this
output revealed some information, so I don't want to send you the output. And the verifier has
some randomness that he used up there that he used to garble the function, and if the verifier
sends this randomness to the prover, the prover can check that the verifier behaved correctly, but
of course I don't want to do it now, because if I do it now, now the prover can evaluate the circuit
on every input he wants, and then there is no soundness anymore. So what do we do when we -I need to send you something, you want to send me something, we do commitment. So the
prover starts by committing to his output here. The verifier reveals his randomness. The
randomness is used to garble the circuits. The prover checks that, actually, F is really the
function inside the -- he tries to re-garble the circuit F again using his randomness and checks if
the same. And if it's the same, then he's going to reveal this -- he's going to open the output.
Otherwise, he aborts. And now, if there are a lot of details on the [drag] that I'm not describing
now, but the main idea is that you should have an idea that we are achieving some kind of zero
knowledge here. Yes, so what is the efficiency of this protocol? If you look at the verifier work,
the work of the verifier is essentially the same as in passive Yao and semi-honest Yao. He runs
the OT, the garbles the circuit, then he has to check on commitment, but that's not a big deal.
What about the prover? Well, the prover works more or less as two times passive Yao. Why?
Because first he has to evaluate the function, and then he has to re-garble the function, so first
he's behaving as the circuit evaluator in Yao, and then he's acting as the circuit constructor, so his
work is essentially doubled. And the communication of the protocol is essentially the same as
passive Yao, because it's just one circuit and then a little commitment, but it's not that big.
Great, so in the CCS paper, there is also an implementation. The code is not open source, but it's
easily reproducible, because we live -- in this age, you can take all these tools, you can just go
online. You go and find GC, where is Yan? Yan released the code for the garbled circuit
implementation. Then you go on Nigel's website and you find all these nice circuits. You take
GC parsing, I don't remember who did that, and then you take a copy and do the oblivious
transfer. In a week, you have a working prototype of this protocol. Probably, it's not going to be
the fastest protocol that does this, but it shows what's going on, so don't look at the absolute
number, but look at the -- so this is a passive Yao and this is the zero knowledge for AES. And
the only thing that I really care about is that, essentially, our protocol in fact, I told you before
that it was twice as low as Yao. It turns out that is only 20% slower, because there are a lot of
other things in the protocol that communication counts more than communication, blah, blah,
blah. I don't know. So only 20% slower. So this is great news. We can do zero knowledge
essentially at the same price as passive Yao. And passive Yao these days is super-efficient. So
this here says 1.4 seconds, but where is David? For AES, semi-honest, we are like way below
one second, if you do a good implementation. So I believe these numbers, you should only look
at them as relative numbers, not in absolute numbers.
Great. So there are a few details for the crypto geeks, and there are a lot of in the audience, so let
me tell you something about it. So the first thing, we are using a commitment, and it's important
which commitment to use. In particular, the commitment should be -- the malleability issue, if
you look at the garbled circuits together with the commitment, these two objects should not -you shouldn't -- I'm sending you garbled circuits, you send me a commitment. Then I open the
garbled circuits, then you open the commitment, there are some malleability issues there that you
have to worry about, what kind of OT we should use? There are issues of selective failure attack
there, so we actually are also -- we are also checking what's going on inside the OTs. And then
the third parties, which garbling schemes can we use with this approach? So I'm not going to say
anything about the commitment. Let me say something about the OT. So the flavor of OT that
we have in the paper is this weak version of committed OT. A committed OT essentially is a
protocol where the receiver can choose some bits, the sender is notified that the bits have been
chosen. Now, the sender can transfer some messages and the receiver receives these messages.
He receives MBI, and they can keep doing this for all the input bits that they want, and then at
some point in the future, the sender can say open all. Now, I want to reveal all the secrets that I
used before, and now the receiver gets all the secrets that were used in the OT. So this allows to
get -- if you think from zero knowledge, this allows the prover to get all the input keys for all the
wires and check that the circuit evaluates the right function. And if you modify, if you take
PVW and Naor-Pinkas OT and you modify them accordingly -- I'm fine with random oracle
model. So if you take these protocols and you modify them in the random oracle model, then
you get this flavor of committed OT without that many problems. What kind of garbled circuits
can we use? Again, this nice slide with the scheme, so remember what the garbling scheme is in
my notation. Well, in [indiscernible] notation. So the properties that we want from garbled
circuits are really mimicking the properties of the zero-knowledge protocols that you all know.
So the first thing that we want is that for all input X such that F of X is equal one, then, when
both parties are honest, if you encode X with the encoding information, in this slide, the garbling
is done honestly, because the verifier is honest, if you garble the input and compute it and
evaluate the garbled function and the garbled input and then you decode, you get one. So this is
complete. Soundness says that for all X such that the statement is false, then for any polynomial
time adversary, then the adversary cannot make the verifier accept, except with small probability.
And these are standard properties that Yao garbled schemas. Then we need also something else.
We need to add one algorithm to this slide. That is this verification algorithm that says that
taking a function and the encoding information, you can re-garble and check whether this right or
not. Sorry, of course, F in a box should also be input into this box. So if you have F in a box
and the encoding information, you should be able to check whether that's the right function that
is there. And this is really mimicking that zero-knowledge property, so one way of writing this
is that no matter how the adversary garbled the circuits, if this verification algorithm says yes,
this is the right function encoded, then what you send back to the verifier, so the encrypted
function evaluated to encrypt the input should be simulatable just by having F and E. That's also
a property that Yao garbled schema has, if you think about it. So that was the first part of the
talk. Two? How much is?
>>: [Indiscernible]. I just want to make a small comment. You're looking at commitment of
oblivious transfer from oblivious transfer. So if you use this extending oblivious transfer idea,
you can get rid of the random oracle model, and maybe it will not take that large price?
>> Claudio Orlandi: I'm not sure. There are some issues of -- we can take this offline, but there
is an issue of non-commit. Yes, okay, so the simulator -- yes, we can take it offline. So that's
very nice. And now the second question is, so what kind of garbled circuit satisfied -- what are
the most efficient garbled circuits that satisfy the property that I just told you. I told you that
Yao garbled circuits satisfied this property, but if you think about it, in Yao garbled circuits, in
all these nice slides that everyone has shown, you always have these four rows, and it's important
that the circuit evaluator has two keys. He doesn't know which key he has, and now he has to
decrypt some row in the garbled gate without knowing which row it is. But in the general, so the
main idea of this ongoing work is in two-party computation, the regular garbled circuits need
really to ensure the fact that the evaluator doesn't learn any of the values from the internal wires.
So in particular, the evaluation of the garbled gates must be oblivious of the actual input. But in
zero knowledge, the prover already knows all the inputs, right? The prover is the only one that
has an input. The input is the witness. So if I know the witness, I also know all the internal
wires, right? I can evaluate the circuit on the input and just follow the values. There is no
privacy. There is nothing. If I'm the prover, I know all the values, so why should we use this
expensive garbled circuits? Let's try to optimize them. So, of course, we can optimize them.
Again, that's why I'm standing here. And I actually really like this work that we are doing. I
think the first part is -- so I really like this work on foundation of garbled circuits because it
elevates garbled circuits from being just a piece of the Yao two-party computation protocol, and
it says, look, this is much more. This is not just garbled -- garbled circuits are not only a piece of
the Yao two-party computation protocol. They're actually a cryptographic primitive in their own
right, and they can be used in other contexts. They can be used in verifiable computation, they
can be used in outsourced computation, they can be used in zero knowledge. And when you go
and look at how they can be used, then there are different properties. And so one thing that in
the foundation of garbled circuits paper, they have all separation between all the notions and
privacy, authenticity, they think that this is actually a natural separation between privacy and
authenticity, where it shows that by removing one of the requirements on the garbled circuits,
namely privacy, you can actually get more efficient garbled circuits. I think this is a very
interesting -- I like this in terms of a conceptual contribution. And it's also interesting in terms of
concrete efficiency because it gets you better constantly garbled circuits. So here I have a slide.
I'm very sorry, I had my laptop here. Yes?
>>: So the use of garbled circuits also for this outsourced verifiable computation, so you could
also apply your stuff to there, as well, or ->> Claudio Orlandi: Right. Except that I think in that case they use garbled circuits inside of
HE, so I think the concrete efficiency is already out of the door, right? But, I mean, in principle,
yes.
>>: You get a 10% improvement but ->> Claudio Orlandi: Exactly, you get 10% improvement over.
>>: It's five days instead of six days.
>> Claudio Orlandi: Five days instead of six days. So that's why I think that probably in that
work they didn't think of this because it was a feasibility result. In this work, we are looking at
the actual efficiency of zero knowledge, so we thought, how can we improve it more? So I'm
sorry that I had my laptop here, because I wanted to update the slide and have also the flex here.
Because of course, you could add one row, and we are going to add one row here saying with
FleXOR. But so here what I want to tell you is this is the previous -- this is a comparison
between our scheme, that is, this one in bold and the previous best scheme. That is the one that
Mike was presenting to you before, the one with two ciphertexts per gate. So if you look at the
communication complexity, previously what we know how to do with free XOR was -- yes,
previous. If you wanted free XOR, you needed three 2 k-bits per garbled gate, and without free
XOR, you needed 2 k-bits per gate. And what we can do is we can actually garble any circuit
using only 2 k-bits per gate if you want to the free XOR, or only k-bits per gate. So that means
for each gate in the circuit, I only send you one ciphertext, one ciphertext per gate in the circuit.
This, I really like this. But this doesn't have free XOR, and also in terms of the number of PRF
or random oracle code that you have to do to garble every gate, we go from four to two and from
four to three and four to two here. So there is actually some concrete -- there is some concrete
potential here. And if you do FleXOR, then I guess there is some other compromise there. So
how do we do this? Let me just tell you how do we do this with the free XOR. How do we
garble XOR gates with the free XOR. This was just to make the notation, but Mike already did
it, so each key, the output key is the XOR of the two input key, so Z0 is defined as L0 XOR R1,
Z1 is defined as L0 XOR R1. I cannot make the XOR. I'm not as fancy as Mike. And to
evaluate, you just take your input keys and you XOR them together. How do we do the And gate
now? We are simply using the row reduction trick again. So we define Z1 to be just the hash of
the two key. What is the idea here? The idea here is that when are you supposed to learn Z1?
You are supposed to learn Z1 if you have one and one as input, right? So I encrypt Z1 and the
L1 and the 1. I actually just define these values to be this code so I don't have to send you this
ciphertext. And then Z0 is defined accordingly to be just Z1 XOR delta. So now I have to
encrypt this Z0. When are you supposed to learn Z0, the key corresponding to that zero output
bit? Well, you can learn this if either one of your inputs bit is zero, right? We don't need to look
at both keys. One key is enough. So now the ciphertext is simply these two values, Z0 and Z0
XOR H, and so when you go and evaluate, and this is really where this is different from every
garbled scheme you have seen before, I can do an if on the input value. So I have LX, the left
key for the bit X and the right key for the bit Y, and I know what these values are. These values
are not oblivious anymore. I can look at them so I can say, if X and Y are equal one, then do
this. If X is zero, do this, if Y is zero, do this. I can branch on input bits, because I know what
the values on the internal wires are. And this is essentially the trick that we also see here, so
that's very nice. In terms of the direction, so the IKOS paper, the zero knowledge for MPC
approach, I think there is some also practical potential there, especially for arithmetic circuits,
because they use this arithmetic secret sharing-based protocols. But for Boolean circuits, they
have overheads, so I don't know which one will be better for which languages, but this is
something that we are doing to try to implement the two approaches and see what's the best zero
knowledge we can do in practice for general languages. And then other open question is look at
other applications where we used garbled schemes. Can you construct more efficient garbled
schemes for specific applications? And then a very interesting question is so this protocol is very
interactive, and you cannot do the [indiscernible] heuristic on this protocol because it's not public
[coin] protocol. So is there a way of doing some efficient non-interactive zero-knowledge
protocol where you don't need to use exponentiation per gate in the circuit? Thank you very
much.
>> Vladimir Kolesnikov: I have one minute for questions.
>>: You said at the beginning that zero knowledge has lots of uses in practice. Do you mean
that there are theoretical applications in practice, or that you actually know of practical uses in
the real world?
>> Claudio Orlandi: I think you know better than me.
>>: For example, just as a nice thing, if you could get this even in the interactive version, so
enormous credentials are designed to be used, one of the reasons why enormous credentials need
bilinear mass, generally, is because you have this thing you want to prove that you have a
signature on this thing. And those signatures are used for actual [indiscernible], so you have a
hash function inside. You could use that to prove -- you'd have an interactive anonymous
credential system, where you could prove that you have a signature embedded inside, because
even though you're proving something with a hash function, you can do reasonably efficient. I
wouldn't say that it's going to replace bilinear graphs. I’m saying you could come up with
alternatives like that that could be applied to it.
>>: I agree. I'm not aware of any uses of zero knowledge in the real world.
>>: Anonymous credentials are not in the real world? They are now.
>>: I don't think most people ->>: There are. There are a few schemes out there, and they're ->>: But who's using them?
>>: So the FIDO Alliance, which is pushing these direct anonymous themes, and you -- I don't
know how many people are using it, but we're in Microsoft, so I might as well mention
[indiscernible], so there are things that are.
>>: So I agree that they've been built. I just don't think ->> Vladimir Kolesnikov: All right. I guess no more questions, so we're moving on.
>> Viet Tung Hoang: Thanks for the introduction. So it is a joy to work with Mihir Bellare,
Sriram Keelveedhi and Phil Rogaway. So to talk about we did faster garbled circuits. So let me
give you a brief recap of how garbled circuits work. So for comparison, in ordinary circuits,
each wire carries one or two possible bits, zero or one, so when you want to evaluate a circuit,
you'll be given a bit for each input Y. You then propagate the bits through each of the gates to
get the results. So analogously, in the garbled circuits, each wire carries one of two possible
keys. One key has hidden semantic zero. The other key has hidden semantic one. The evaluator
doesn't know which key has which semantics, so when you want to evaluate a garbled circuit,
you will be given the input keys, a key for each input wire, and then by a mechanism that I
describe later, you can still propagate the keys through the garbled gates to get the output keys, a
key for each output wire. If you want the evaluator to know the correctly computed output, we
need to introduce an additional recipe to interpret the semantics of the output keys. So let me
describe the mechanism that provides keys to the garbled gates, so in the garbled gates, there are
four doubly locked boxes. So to open a box, you need to know both keys. Suppose that you
know key A and E. By trial and error, you can open the second box, and inside, you see the key
X, but opening the second box doesn't allow you to know the content of the other boxes. So I
just described garbled gates in a symbolic manner. We will see a cryptograph visualization later.
So traditionally, garbled circuits are viewed as a technique for a two-party secure function
evaluation, so when people come up with optimizations such as free XOR or garbled row
reduction, you only prove the security in two-party SFE setting, but two-party SFE is not the
only place that garbled circuits have been used. There are actually more than 30 applications for
garbled circuits. These are ranging from highly theoretical ones to practical ones. So in an
earlier work at CCS 2012, we advocate a viewpoint that sees garbled circuit as a cryptographic
primitive which is called a garbling scheme. So most of the applications for garbled circuits can
be built on top of secrecy notions that we developed. So today we build faster garbling schemes
by [indiscernible]. In this domain, it's common that a theoretical paper introduces some
technique, and then subsequent implementation combines several tricks without justifying the
compatibility. This is not an added threat, because we actually can attack some prior
implementations, and finally, we implement our garbling schemes and show that they are about
two orders of magnitude faster than prior implementations. The improvement comes from two
sources. On the theory side, we have a faster realization for the doubly locked boxes. On the
system sides, we have a better circuit representation to reduce the non-cryptographic overhead.
The source code is available online for download. Our software, which we called JustGarble,
offers only two services, garbling a circuit already used by other means and evaluating garbled
circuits. It knows nothing about oblivious transfer or MPC, so this reflects and follows the view
in our earlier work that a garbling scheme is an interesting cryptographic primitive in its own
right. So if I move on to these new garbling schemes, we need to extend the object that we
discussed, so I will start with the syntax of a garbing scheme. So given a function F from m
strings to N strings to M strings, a garbling algorithm Gb will produce an encoding version E, a
garbled function big F, and a decoding function d. Then, first, the encoding function map that it
would act to a garbled input big X. Next, the garbled function will map the garbled input to a
garbled output big Y. Finally, the decoding function will turn the garbled output to defined
output Y, as effectively the garbling algorithm factors F into a composition of e, big F and d. In
the context of Yao's garbled circuits, big F is the garbled circuits, big X is the input keys and big
Y is the output keys. So in the picture, if you look from the bottom, so e maps small x to big X,
suggesting that e is a function. But from the top, e is produced from an algorithm which is
conventionally regarded as a string, so to address this mismatch, we introduce additional
algorithms to interpret the strings f, e, big F and e as functions. So formally, a garbling scheme
is a five tuple algorithms. The first algorithm, Gb, will probabilistically affect f to e, big F and d,
and the other algorithms deterministically interpret these strings as functions, so we impose the
natural correctness condition that F is correctly factored into e, big F and d. so let's move on to
the security notion. Intuitively, privacy means that if you have the garbled function big F, the
garbled input big X and decoding function d, you can let only the defined output Y. In the
context of Yao's garbled circuit, you have the garbled circuit, the input keys and a recipe to
interpret the semantics of the output keys, you can evaluate the garbled circuits and learn the
correctly computed output, but nothing beyond that. But it is very informal, because in reality, a
garbled function will certainly leak some information about function f, so what about if I sign
information function as enough to capture exactly what is leaked? So in the context of garbled
circuits, some application allows you to build entire circuits, but some other applications will
demand leaking as little as the size of the circuit. The textbook garbling scheme of just
reviewing the topology of the circuit -- that is, the graph of how gates are connected. But in
practical garbling scheme, you use free XOR, and you link not just the topology, but which guys
are XOR. So let me define privacy formally. So let us play a little game in which the first
product is F0, F1 and input strings X0, X1. The adversaries then drop into either a yellow world
or a gray world. In the yellow world, you garble F0, X0. In the gray world, you garble F1, X1.
In either case, adversary is given a garbled function big F, the garbled input big X and decoding
function d. The adversary then tries to guess which world it's in by outputting a big B-prime. It
wins the gave if its guess is correct, but to prevent the adversary from trivially winning a game,
we require not only F0 should be equal to F1, X1, but also what is linked about F0 should be
equal to what is linked about F1, so just define an indistinguishability-based notion, but
alternatively, we can establish a base notion. The two versions of privacy are actually equivalent
for most but not all of the same information functions that we are interested in, so from now on I
will stay with the indistinguishability-based notion. So let me describe the garbling scheme Ga
that achieves privacy. It's actually similar to standard garbled circuit constructions, so a key, it's
just a k-bit string, and given two keys, you use the last bits to determine the growth in the
garbled table to open. That's a point trick, and so in particular, in each wire, one key answers
zero, the other key must answer to one. Doubly locked box is now ciphertext produced from a
primitive called a dual-key cipher, and opening the box means decrypting cipher text. The dualkey ciphertext 2 k-bit keys and auxiliary information you're going to tweak to produce a
permutation on k-bit strings. So in the context of scheme Ga, then the trick is simply the gate's
index. So traditionally, one will implement the dual-key cipher from a cryptographic hash
function such as SHA-1, but the advent of AES-IN makes it desirable to instantiate a dual-key
cipher from AES-NI to exploit the hardware support. [Kreuger], Shalat and [Sheng] realized that
and gave this construction E2, but in this construction, we use AES-36, which is slower than
AES, so I stress that. This is a security requirement, not a desired choice, because if you use
AES, then your key is only 65 bits long and the security barrier is weak. And in addition, in this
construction E2, you have to rekey the block cipher for every block cipher call. In contrast, our
dual-key cipher E3, we use a single fixed-key AES. The same AES key is used for the entire
circuits. To justify the security, we use the random permutation model in which AES with
constant key is modeled as a random permutation pie. Anybody, including adversary, has oracle
access to pie and its inverse. Then, the garbling scheme Ga, with respect to the dual-key cipher
E3 is actually security, linking just the topology of the circuits. To boost the speed further, we
would like to integrate our garbling scheme with free XOR and [garbled] reduction, but
unfortunately, this fast dual-key cipher E3 is not compatible with free XOR, so in the next slide,
I will review free XOR briefly and show how to patch our dual-key cipher to obtain a
compatibility. Recall that in scheme Ga, for each wire, two keys are random. As long as they
differ in the last bit, but in the free XOR trick introduced by Kolesnikov and Schneider, you first
choose a random key for each wire, except for the [indiscernible] of the XOR gates. You then
propagate these base keys through XOR gates by XORing the keys on the incoming wires. Next,
you choose a global random string R, and then for each wire, you XOR out to the key there to
generate another key. Finally, you generate the garbled tables for non-XOR gates. FleXOR is
really useful, because empirically, real-world circuits can be reflected to be rich in XOR gates.
For example, the circuit implementing AES, by refactoring and using free XOR, you can set a
factor of five in both communication and computation. So why free XOR is useful, it also
introduces some security subtlety. So in this, some prior implementations break down because
they are dual-key cipher E4, it's not compatible with free XOR. So in this dual-key cipher,
regardless of whether we use free XOR or not, so the incoming wires over guides must be
distinct. Otherwise, you simple send the plaintext in the clear, and there's no security
whatsoever. It's not a vulnerability yet. It's just an annoying thing that we have to deal with
when using circuits. There are no other papers in the literature that seems to recognize that. The
real security issue comes, because whether you use free XOR, because now through this thing Y,
we have the same pair of keys, and the old [indiscernible] loophole will come back and haunt
you. So while it's just very counterintuitive, because how can two different Ys end up having the
same pair of keys? So let's look at this circuit. At the first glance, it's really a good match with
free XOR. No [indiscernible], and the majority of gates are XOR gates, but let's examine it more
closely. So here in Ys 4, 5 and 6, you have the keys A XOR B, B XOR C and A XOR C,
respectively. So far, so good, but when you propagate these green keys to wire seven, you have
the key A XOR C again. So in other words, wire six and seven have the same pairs of keys. So
consequently, if you look at the garbled table of the AND gates, you can just XOR the first and
the last rows to get the secret string R and all security is lost. So given the subtlety of free XOR,
you have to be very careful when we integrate that to our garbling scheme. So indeed, our fast
dual-key cipher, it really is not compatible with free XOR. For example, consider an AND gate - so here, for simplicity, I will write row of X instead of pair of X, X XOR X, and we'd rather
[tweak], because it's just a simple gate. In this example, the adversary can simply XOR the
second and the third rows to get the secret string R, and there's no security at all. But why does it
happen? So in one row, the input row is actually the checksum of the green keys. In the other
row, the input row is the checksum of the blue keys. These two checksums happen to be the
same, because there's a symmetry in the treatment between the two incoming sides of the gates.
So one way to thwart this kind of attack is to break the symmetry. So instead of XORing A and
B, with XOR A with 2B, where doubling is a finite field multiplication. This works because the
weighted checksum of the green keys is no longer the same as the weighted checksum of the
blue keys. But this dual-key cipher, if fine, is still not safe to use in free XOR, because that's
another attack. So skip over the detail of the attack, but this happens because of a symmetry in
the treatment between the first incoming Y and the outgoing Y. So by breaking the symmetry,
we have a dual-key cipher, E6, that is compatible with free XOR, so that's the scheme Gx, the
scheme Ga with free XOR, then Gx with the dual-key cipher E6 is secure, linking just the
topology, and which guys XOR, insofar doubling is a finite-field multiplication, but it's not the
only way to interpret doubling. You can instead use logical shifts or what we call [indiscernible]
ships. These interpretations will improve running time considerably, but you lose a constant
factor in a security bound. So in addition, we can integrate garbled row reduction to our garbling
scheme. You already saw the details of that in Mike's talk, but this trick won't improve the
learning time, but you substantially save the storage for why free XOR and garbled row
reduction are well known. It's actually the first explicit [rule] that shows they're actually
compatible. So we went on to implement our garbling schemes to measure the speed. Instead of
reporting the speeds in microseconds, like previous papers, we'd use a more robust measure, the
number of clock cycles per gate, so we use the AES circuit as a benchmark, because it's always
used in recent implementations. So our experiment shows that the scheme Gax is the fastest.
The evaluating speed is about 23 cycles per gates, and garbling speed is 56 cycles per gate, so
compared to recent implementation of [indiscernible], our schemes are about two orders of
magnitude faster. So it knows that the comparison is actually unfair for KSS, because their goal
is to obtain a fast MPC for a goal. But the comparison is still relevant, because garbling is a key
component in MPC. One may also criticize the experiments because the ->>: When you say cycle per data, do you amortize over the XOR gates? Is that per AND gate or
per gate in the circuit?
>> Viet Tung Hoang: I think that they are for the total number of gates. That is why free XOR
does help. So one may criticizes the experiments because the benchmark circuit is too small, so
we experiment with the added distance circuits. It was also used as a benchmark in KSS. This
item, our garbling schemes are still a lot faster than that of KSS, but the running time increases
because the garbled circuits now no longer treat it to [L2] cash. So besides the fast dual-key
cipher, our speedup will be attributed to a better circuit representation. In fact, KSS spend most
of their running time in non-cryptographic operations. One possible reason is that it's due to
their use of complex structure throughout their circuits. So in an earlier work, we gave a
formulization for circuits themselves. At that time, the definition seemed to serve a theoretical
purpose, but when we actually implemented a simple circuit representation to programmatically
realize this definition, we found out it significantly reduced the non-cryptographic overhead, so
this component of the circuit is just an integer or an integer array, and the gates are topologically
sorted, so one can evaluate them in numerical order. So wrapping up, based on the foundations
of garbled circuits in our earlier work, we have built garbling schemes that are about two orders
of magnitude faster than prior implementations. This, again, illustrates obviously repeatedly in
cryptography, that is a good foundation that gives just a [satisfying] theory but will ultimately
lead to better schemes. That's it. Thank you.
>> Vladimir Kolesnikov: Questions?
>>: So the way you do AES gives pretty incredible times, and the question is, how much have
you spoken to block cycle people? Because it's a very nonstandard use of AES, and is this a
reasonable assumption of AES or is it not -- could you try to do anything looking at that?
>>: How it relates to standard security. Make some comments on that.
>>: There's just something very nonstandard about the block cipher. The question is whether it's
been looked at, whether you've got any feedback.
>> Viet Tung Hoang: Yes, we didn't talk to any block cipher people, which let's assume that
AES is an added cipher, so you can use AES with a constant key S, an ideal random permutation,
and actually here we used a fixed key for AES, but for [Kreuger], Shalat and [Sheng], they use
AES on related key, and indeed, AES is not designed to work on related key, and they have
attacks -- there are related key attacks on AES-256, and I think that our implementation is not
subject to that.
>>: You don't have related keys?
>> Viet Tung Hoang: You have only the same key for entire circuits, but we change the input of
the block cipher.
>> Vladimir Kolesnikov: More questions? So I had a question about maybe you guys looked
into that, so sure, it's much better to speed up the garbling, but my impression is that the
bottleneck in many cases will be the transmission of the circuit, right? Do you have comments
on that? I agree that it's good and you can offload this and the CPU and things like that. And if
you have malicious model, you can send hashes of circuit, for example, instead of entire circuit,
so you can save on transmission, so that's where your thing would help a lot. But just to give a
feeling of what you're saving overall for the secure computation ->> Viet Tung Hoang: So that depends on the setting, and I agree that in many settings, the
bottleneck is not the computation. Maybe the communication is the bottleneck, especially if you
transmit a circuit through the wi-fi. And actually, the focus in our work is not MPC, because
garbled circuits can be used for several applications, and I don't want to anticipate an application
for that.
>> Vladimir Kolesnikov: The circuits will have to be transferred, so it doesn't matter what the
application is.
>> Viet Tung Hoang: Yes, so it needs work. The focus is the running time, but yes, maybe you
can use FleXOR to intercept the storage, I guess.
>> Vladimir Kolesnikov: So my guess is that the most impact will be from malicious cut and
choose, because you don't have to send -- you have to generate circuits, but you're not sending
them, right? Because you send hash of them.
>> Viet Tung Hoang: Yes, yes.
>> Vladimir Kolesnikov: And then you send a seed, so that's the most benefit for in actual
practice.
>> Viet Tung Hoang: Yes.
>> Vladimir Kolesnikov: Okay, no more questions? So that was the end of the most interesting
session, and we'll take a short break. Thank you. Thank the speaker, too.