Transcript Slides
Succinct Functional Encryption:
d
Reusable Garbled Circuits and Beyond
Yael Kalai
Microsoft Research
Joint work with:
Shafi Goldwasser
Raluca Ada Popa
Vinod Vaikuntanathan
Nickolai Zeldovich
* Thanks to Raluca and Vinod for the slides.
MIT
MIT
U Toronto
MIT
Example: Spam Filters
Sender
Receiver
Spam filter
πΈ[πππππ]
FHE.Eval of
filter
E[spam?]
πΈ[πππππ]
FHE is not enough!
Need to decrypt computation result but
nothing else!
Desired: Functional Encryption (FE)
[Boneh-Sahai-Waters11, OβNeill11]
Allows evaluator to decrypt computation result
Client
πΈ π₯1 , . . , πΈ[π₯π ]
π ππ
Evaluator
compute π ππ , β¦ , π ππ
Syntax:
ο§
πππΎ, πππΎ β FE. Setup 1π
ππ‘ β FE. Enc πππΎ, π₯
Can release only one
π ππ β FE. KeyGen πππΎ, π
function key
ο§
f π₯ β FE. Dec π ππ , ππ‘
ο§
ο§
[Agrawal-GorbunovVaikuntanathan-Wee12]
Outline
β’ Example: Spam filters
β’ Problem we solve: Functional Encryption (under
LWE assumption)
β’ Prior work
β’ Main Application: Reusable Garbled Circuits
β’ Application 2: FHE for Turing machines
β’ Application 3: Publicly Verifiable and Secret
Delegation
β’ Our constructions
Prior Work
ο§ Functional encryption for inner product functions
[Katz-Sahai-Watersβ08, Shen-Shi-Watersβ09]
ο§ Public-index functional encryption
(also known as ABE or predicate encryption)
[Sahai-Watersβ05, Goyal-Pandey-Sahai-Watersβ06, Bethencourt-Sahai-Watersβ07, Goyal-JainPandey-Sahaiβ08, Lewko-Okamoto-Sahai-Takashima-Watersβ10, Watersβ11, LewkoWatersβ12, Watersβ12, Sahai-Watersβ12, Gorbunov-Vaikuntanathan-Weeβ13,β¦]
ο§ [Gorbunov-Vaikuntanathan-Weeβ12]: Functional encryption for
general functions, where |πΈ π₯ | grows with circuit size
(e.g. size of email encryption depends on spam filter program size)
Open question:
Is there a FE scheme for general functions
with
ciphertext size << circuit size?
succinct
Our contribution:
Succinct functional encryption
Theorem. A FE scheme with succinct ciphertexts for general
functions can be constructed from
1. FHE scheme
2. public-index functional encryption scheme
Corollary. Under the sub-exp. LWE assumption, for any depth d,
there is a FE scheme with succinct ciphertexts (whose size grows
with d) for general functions computable by circuits of depth d.
Main Application:
Reusable Garbled Circuits
Yao garbled circuits [Yao82]
β
β
β
β
β
β
β
β
Secure two-party computation [Yao86],
(Constant round) multi-party computation [BMR90],
Parallel cryptography [AIK05],
One-time programs [GKR08],
Key-dependent message (KDM) security [BHHI09, A11],
Outsourcing computation [GGP10],
Circuit-private homomorphic encryption [GHV10],
and many others
Yao Garbled Circuits
[Yao 82]
Garbled Circuit GC
Boolean Circuit C
01010010
01110110
+
Garble(C)
x
x
01010011
11111101
+
Input π
π=
0
1
01010010
11100010
11010010
01010011
Garble(x)
1
0
Garbled Input ππ
L1,0 L2,0 L3,0 L4,0
L1,1 L2,1 L3,1 L4,1
Yao Garbled Circuits (Cont.)
ο΅ Correctness: Given GC and
ππ, can compute C(x).
ο΅ Security (Input & Circuit privacy)
Given C(x) and 1|C|, can
simulate (GC, ππ).
ο΅ Efficiency:
|GC| = p(|C|) and |ππ| = p(|x|)
Garbled Circuit GC
01010010
01110110
01010010
11100010
11010010
01010011
01010011
11111101
Garbled Input ππ
L1,0 L2,0 L3,0 L4,0
L1,1 L2,1 L3,1 L4,1
Yao Garbled Circuits (Cont.)
Garbled Circuit GC
01010010
01110110
Theorem: [Yao86]
If one-way functions exist,
any polynomial-size circuit
family can be garbled.
01010010
11100010
11010010
01010011
01010011
11111101
Garbled Input ππ
L1,0 L2,0 L3,0 L4,0
L1,1 L2,1 L3,1 L4,1
Drawback: One-time
Garbled Circuit GC
01010010
01110110
insecure to release two
encodings ππ and ππβ²
01010010
11100010
11010010
01010011
01010011
11111101
π = ππππ
πβ² = ππππ
L1,0 L2,0
L1,1 L2,1
L3,0 L4,0
L3,1 L4,1
ππ
ππ
No
Caninput
compute
or circuit
C(x) for
privacy
unintended
guarantees!
inputs x!
01010010
11010010
01010010
01010011
Main Application:
Reusable Garbling
Theorem:
Under the sub-exp. LWE, there is a reusable circuit
garbling scheme for poly size circuits such that:
β πΊπΆ =poly(π,|C|)
β ππ₯ =poly(π, |π₯|, π) where π is the depth of πΆ
(π: security parameter)
Application 2: FHE for Turing machines
Evaluator
πΈ[input]
Program
Client
πΈ[result]
circuit size β₯ worst-case
running time of program
Decrypt only the runtime of the instance, to
avoid worst-case!
Application 3:
Publicly-verifiable delegation with secrecy
ο§
[Gennaro-Gentry-Parnoβ10]: Yao + FHE
verifiable delegation
ο§
[Parno-Raikova-Vaikuntanathanβ12]: public-index FE
secret publicly-verifiable delegation
succinct FE
secret privately-
non-
publicly-verifiable delegation with secrecy
Outline
LWE
public-index FE
+
FHE
+ Yao garbling
1
succinct functional encryption
2
reusable garbled
circuits
&
implication to
obfuscation
Not
today
FHE with inputspecific efficiency
Not
today
publicly-verifiable
delegation with
secrecy
Construction of FE
Public-Index Functional Encryption
(also known as ABE or predicate encryption)
ππ‘ β Enc πππ, π₯, π
Dec π ππ , ππ‘ =
π , ππ π π₯ = 1
leaks input to
the computation
β₯ , ππ π π₯ = 0
Variant: ππ‘ β Enc πππ, π₯, π0 , π1
Dec π ππ , ππ‘ =
π0 , ππ π π₯ = 1
π1 , ππ π π₯ = 0
[Borgunov-Vaikuntanathan-Wee13]: Public-index functional encryption for
any (a priori fixed) depth d circuit, based on sub-exp. LWE assumption.
Intuition
π₯ β FHE. Enc π₯
π ππ β π
π(π₯) β FHE. Eval(π, π₯)
Not f(π)!
IDEA: Start with FHE
IDEA: Use (one-time) Yao garbled for decryption
Intuition
FE.Enc of input π₯:
1.
π₯ β FHE. Enc π₯
2. Generate garbled circuit Ξ and labels πΏπ0 , πΏπ1
Output π₯, Ξ
FE.KeyGen for circuit f:
π ππ β π
FE.Dec(π ππ , ππ‘) should obtain π(π₯):
1. ππ‘ = π(π₯) β FHE. Eval(π, π₯)
2. Obtain labels {πΏπ
ππ‘π
} for π(π₯)
3. Compute Gb. Eval Ξ, πΏπ
ππ
How??
and get π(π₯)
π
for Decπ π
We need..
if FHE. Evali (π, π₯) = 0, get label πΏπ0 , else gets πΏπ1
public predicate
keep one secret
public input
IDEA: The variant of public-index FE provides exactly this!
ο§
ππ‘ β PI. Enc π₯, πΏπ0 , πΏπ1 )
ο§
π ππ β PI. KeyGen ππ
ο§
PI. Dec π ππ , ππ‘ =
πΏπ0 , ππ ππ π₯ = 0
πΏπ1 , ππ ππ π₯ = 1
Intuition
FE.Enc of input π₯:
1.
π₯ β FHE. Enc π₯
2. Generate garbled circuit Ξ and labels πΏπ0 , πΏπ1
3. cπ‘π β PI. Enc π₯, πΏπ0 , πΏπ1 )
π
for Decπ π
Output π₯, Ξ, ct i
FE.KeyGen for circuit f:
π πππ β PI. KeyGen ππ , where ππ = FHE. Evali (π, β
)
FE.Dec(π ππ , ππ‘) should obtain π(π₯):
1. ππ‘ = π(π₯) β FHE. Eval(π, π₯)
2. Obtain labels {πΏπ
ππ‘π
} for π(π₯)
3. Compute Gb. Eval Ξ, πΏπ
ππ
and get π(π₯)
Outline
public-index FE
+
FHE
+ Yao garbling
succinct functional encryption
2
reusable garbled
circuits
&
implication to
obfuscation
FHE with inputspecific efficiency
publicly-verifiable
delegation with
secrecy
Intuition
Garble(C):
Ξ β πΉπΈ. πΎππ¦πΊππ(πΆ)
Leaks C!
Garble(x):
ππ‘ β πΉπΈ. πΈππ(π₯)
IDEA: leverage secrecy of input to hide circuit
Intuition
Garble(C):
Ξ β πΉπΈ. πΎππ¦πΊππ(πΈπππ π πΆ )
Garble(x):
ππ‘ β πΉπΈ. πΈππ(π₯, π π)
Intuition
Garble(C):
Ξ β πΉπΈ. πΎππ¦πΊππ(ππΈπππ π (πΆ) )
Garble(x):
ππ‘ β πΉπΈ. πΈππ(π₯, π π)
ππΈ on input π π and π₯:
- Decrypt E to obtain C
- Run πΆ(π₯)
Correctness?
Security?
Reusability?
Summary
LWE
public-index FE
+
FHE
+ Yao garbling
1
succinct functional encryption
2
reusable garbled
circuits
&
implication to
obfuscation
Not
today
FHE with inputspecific efficiency
Not
today
publicly-verifiable
delegation with
secrecy
Thank you!
LWE
public-index FE
+
FHE
+
Yao garbling
1
succinct functional encryption
2
reusable garbled
circuits &
implication to
obfuscation
FHE with inputspecific efficiency
publicly-verifiable
delegation with secrecy