Fast Garbling of Circuits Under Standard Assumptions

Protocols for secure computation enable mutually distrustful parties to jointly compute on their private inputs without revealing anything but the result. Over recent years, secure computation has become practical and considerable effort has been made to make it more and more efficient. A highly important tool in the design of two-party protocols is Yao's garbled circuit construction (Yao 1986), and multiple optimizations on this primitive have led to performance improvements of orders of magnitude over the last years. However, many of these improvements come at the price of making very strong assumptions on the underlying cryptographic primitives being used (e.g., that AES is secure for related keys, that it is circular secure, and even that it behaves like a random permutation when keyed with a public fixed key). The justification behind making these strong assumptions has been that otherwise it is not possible to achieve fast garbling and thus fast secure computation. In this paper, we take a step back and examine whether it is really the case that such strong assumptions are needed. We provide new methods for garbling that are secure solely under the assumption that the primitive used (e.g., AES) is a pseudorandom function. Our results show that in many cases, the penalty incurred is not significant, and so a more conservative approach to the assumptions being used can be adopted.

[1]  Yuval Ishai,et al.  Extending Oblivious Transfers Efficiently , 2003, CRYPTO.

[2]  Jonathan Katz,et al.  Faster Secure Two-Party Computation Using Garbled Circuits , 2011, USENIX Security Symposium.

[3]  Yehuda Lindell,et al.  A Proof of Security of Yao’s Protocol for Two-Party Computation , 2009, Journal of Cryptology.

[4]  Vincent Rijmen,et al.  Known-Key Distinguishers for Some Block Ciphers , 2007, ASIACRYPT.

[5]  Jonathan Katz,et al.  On the Security of the Free-XOR Technique , 2012, IACR Cryptol. ePrint Arch..

[6]  Mihir Bellare,et al.  Efficient Garbling from a Fixed-Key Blockcipher , 2013, 2013 IEEE Symposium on Security and Privacy.

[7]  David Evans,et al.  Two Halves Make a Whole - Reducing Data Transfer in Garbled Circuits Using Half Gates , 2015, EUROCRYPT.

[8]  Abhi Shelat,et al.  Efficient Secure Computation with Garbled Circuits , 2011, ICISS.

[9]  Yehuda Lindell,et al.  More efficient oblivious transfer and extensions for faster secure computation , 2013, CCS.

[10]  Shay Gueron,et al.  Intel's New AES Instructions for Enhanced Performance and Security , 2009, FSE.

[11]  Alex Biryukov,et al.  Distinguisher and Related-Key Attack on the Full AES-256 , 2009, CRYPTO.

[12]  Abhi Shelat,et al.  Billion-Gate Secure Computation with Malicious Adversaries , 2012, USENIX Security Symposium.

[13]  Yehuda Lindell,et al.  A Proof of Yao's Protocol for Secure Two-Party Computation , 2004, Electron. Colloquium Comput. Complex..

[14]  John Black,et al.  The Ideal-Cipher Model, Revisited: An Uninstantiable Blockcipher-Based Hash Function , 2006, FSE.

[15]  Mihir Bellare,et al.  Foundations of garbled circuits , 2012, CCS.

[16]  Yehuda Lindell,et al.  Implementing Two-Party Computation Efficiently with Security Against Malicious Adversaries , 2008, SCN.

[17]  Vladimir Kolesnikov,et al.  FleXOR: Flexible garbling for XOR gates that beats free-XOR , 2014, IACR Cryptol. ePrint Arch..

[18]  Vladimir Kolesnikov,et al.  Improved Garbled Circuit: Free XOR Gates and Applications , 2008, ICALP.

[19]  Yehuda Lindell,et al.  Fast Garbling of Circuits Under Standard Assumptions , 2017, Journal of Cryptology.

[20]  Benny Pinkas,et al.  Secure Two-Party Computation is Practical , 2009, IACR Cryptol. ePrint Arch..

[21]  Moni Naor,et al.  Privacy preserving auctions and mechanism design , 1999, EC '99.

[22]  A. Yao,et al.  Fair exchange with a semi-trusted third party (extended abstract) , 1997, CCS '97.