Succinct Functional Encryption:
Reusable Garbled Circuits and Beyond
Yael Kalai (Microsoft Research)
Joint work with:
Shafi Goldwasser (MIT)
Raluca Ada Popa (MIT)
Vinod Vaikuntanathan (U Toronto)
Nickolai Zeldovich (MIT)
* Thanks to Raluca and Vinod for the slides.
Example: Spam Filters
[Figure: Sender, Spam filter, Receiver. The spam filter runs FHE.Eval of the filter on E[email] and obtains E[spam?].]
FHE is not enough!
Need to decrypt computation result but nothing else!
Desired: Functional Encryption (FE)
[Boneh-Sahai-Waters11, O’Neill11]
Allows evaluator to decrypt computation result
[Figure: Client provides E[x_1], ..., E[x_n] and sk_f; Evaluator: compute f(x_1), ..., f(x_n).]
Syntax:
(MSK, MPK) ← FE.Setup(1^k)
ct ← FE.Enc(MPK, x)
sk_f ← FE.KeyGen(MSK, f)
f(x) ← FE.Dec(sk_f, ct)
Can release only one function key [Agrawal-Gorbunov-Vaikuntanathan-Wee12]
Outline
• Example: Spam filters
• Problem we solve: Functional Encryption (under LWE assumption)
• Prior work
• Main Application: Reusable Garbled Circuits
• Application 2: FHE for Turing machines
• Application 3: Publicly Verifiable and Secret Delegation
• Our constructions
Prior Work
• Functional encryption for inner product functions
  [Katz-Sahai-Waters’08, Shen-Shi-Waters’09]
• Public-index functional encryption (also known as ABE or predicate encryption)
  [Sahai-Waters’05, Goyal-Pandey-Sahai-Waters’06, Bethencourt-Sahai-Waters’07, Goyal-Jain-Pandey-Sahai’08, Lewko-Okamoto-Sahai-Takashima-Waters’10, Waters’11, Lewko-Waters’12, Waters’12, Sahai-Waters’12, Gorbunov-Vaikuntanathan-Wee’13,…]
• [Gorbunov-Vaikuntanathan-Wee’12]: Functional encryption for general functions, where |E[x]| grows with circuit size
  (e.g. size of email encryption depends on spam filter program size)
Open question:
Is there a FE scheme for general functions with ciphertext size << circuit size (succinct)?
Our contribution:
Succinct functional encryption
Theorem. A FE scheme with succinct ciphertexts for general
functions can be constructed from
1. FHE scheme
2. public-index functional encryption scheme
Corollary. Under the sub-exp. LWE assumption, for any depth d,
there is a FE scheme with succinct ciphertexts (whose size grows
with d) for general functions computable by circuits of depth d.
Main Application:
Reusable Garbled Circuits
Yao garbled circuits [Yao82]
– Secure two-party computation [Yao86],
– (Constant round) multi-party computation [BMR90],
– Parallel cryptography [AIK05],
– One-time programs [GKR08],
– Key-dependent message (KDM) security [BHHI09, A11],
– Outsourcing computation [GGP10],
– Circuit-private homomorphic encryption [GHV10],
– and many others
Yao Garbled Circuits
[Yao 82]
[Figure: Garble(C) turns a Boolean circuit C into a garbled circuit GC. Garble(x) turns an input x into a garbled input g_x, taken from the labels L1,0 L2,0 L3,0 L4,0 and L1,1 L2,1 L3,1 L4,1.]
Yao Garbled Circuits (Cont.)
• Correctness: Given GC and g_x, can compute C(x).
• Security (Input & Circuit privacy): Given C(x) and 1^|C|, can simulate (GC, g_x).
• Efficiency: |GC| = p(|C|) and |g_x| = p(|x|)
Yao Garbled Circuits (Cont.)
Theorem [Yao86]:
If one-way functions exist, any polynomial-size circuit family can be garbled.
Drawback: One-time
Insecure to release two encodings g_x and g_x′
[Figure: Garbled Circuit GC with x = 0110 and x′ = 1001; g_x and g_x′ together contain the labels L1,0 L2,0 L3,0 L4,0 and L1,1 L2,1 L3,1 L4,1.]
No input or circuit privacy guarantees!
Can compute C(x) for unintended inputs x!
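The one-time drawback above, as an added example that is not from the original slides: a single AND gate is garbled, and an evaluator holding the garbled inputs for 01 and 10 (a two-bit analogue of the slide's 0110 and 1001) ends up with both labels of every input wire. The function names, the SHA-256 row pad and the zero-byte tag are assumptions made for this illustration.

```python
import hashlib
import secrets

TAG = b"\x00" * 8  # redundancy that marks the one row decrypting correctly

def _pad(la, lb, n):
    # Row key derived from one label per input wire (SHA-256 as the KDF).
    return hashlib.sha256(la + lb).digest()[:n]

def _xor(a, b):
    return bytes(p ^ q for p, q in zip(a, b))

def garble_gate(gate):
    """Garble(C) for a one-gate circuit C. Returns (GC, labels, decode)."""
    # labels[w][b]: random 16-byte label for wire w carrying bit b
    labels = {w: (secrets.token_bytes(16), secrets.token_bytes(16)) for w in "abo"}
    gc = []
    for a in (0, 1):
        for b in (0, 1):
            out = labels["o"][gate(a, b)] + TAG
            gc.append(_xor(out, _pad(labels["a"][a], labels["b"][b], len(out))))
    secrets.SystemRandom().shuffle(gc)  # hide which row is which input pair
    decode = {labels["o"][0]: 0, labels["o"][1]: 1}
    return gc, labels, decode

def garble_input(labels, x):
    """Garble(x): g_x holds one label per input wire, chosen by the bits of x."""
    return labels["a"][x[0]], labels["b"][x[1]]

def evaluate(gc, gx, decode):
    """Gb.Eval: only the row matching the labels in g_x decrypts to label||TAG."""
    for row in gc:
        plain = _xor(row, _pad(gx[0], gx[1], len(row)))
        if plain.endswith(TAG):
            return decode[plain[:-len(TAG)]]
    raise ValueError("no row decrypted")

def outputs_learnable(gc, encodings, decode):
    """Outputs an evaluator can compute from one GC and several garbled inputs,
    by mixing the wire labels it received across those encodings."""
    a_labels = {g[0] for g in encodings}
    b_labels = {g[1] for g in encodings}
    return sorted(evaluate(gc, (la, lb), decode) for la in a_labels for lb in b_labels)

if __name__ == "__main__":
    gc, labels, decode = garble_gate(lambda a, b: a & b)
    g1, g2 = garble_input(labels, (0, 1)), garble_input(labels, (1, 0))
    print(outputs_learnable(gc, [g1], decode))      # one encoding
    print(outputs_learnable(gc, [g1, g2], decode))  # two encodings
```

With one encoding the evaluator learns a single output; with both it can also evaluate the gate on 00 and 11, inputs the garbler never encoded.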
Main Application:
Reusable Garbling
Theorem:
Under the sub-exp. LWE, there is a reusable circuit
garbling scheme for poly size circuits such that:
– |GC| = poly(n, |C|)
– |g_x| = poly(n, |x|, d) where d is the depth of C
(n: security parameter)
Application 2: FHE for Turing machines
[Figure: Client, Evaluator. The Evaluator holds the Program and E[input] and produces E[result].]
circuit size ≥ worst-case running time of program
Decrypt only the runtime of the instance, to avoid worst-case!
Application 3:
Publicly-verifiable delegation with secrecy
[Gennaro-Gentry-Parno’10]: Yao + FHE → secret privately-verifiable delegation
[Parno-Raikova-Vaikuntanathan’12]: public-index FE → non-secret publicly-verifiable delegation
succinct FE → publicly-verifiable delegation with secrecy
Outline
[Diagram: LWE → public-index FE; public-index FE + FHE + Yao garbling → (1) succinct functional encryption → (2) reusable garbled circuits & implication to obfuscation; FHE with input-specific efficiency (not today); publicly-verifiable delegation with secrecy (not today).]
Construction of FE
Public-Index Functional Encryption
(also known as ABE or predicate encryption)
ct ← Enc(mpk, x, m)
Dec(sk_f, ct) = m, if f(x) = 1
                ⊥, if f(x) = 0
(leaks input to the computation)
Variant: ct ← Enc(mpk, x, m_0, m_1)
Dec(sk_f, ct) = m_0, if f(x) = 1
                m_1, if f(x) = 0
[Gorbunov-Vaikuntanathan-Wee13]: Public-index functional encryption for
any (a priori fixed) depth d circuit, based on sub-exp. LWE assumption.
Intuition
IDEA: Start with FHE
x ← FHE.Enc(x)
sk_f ← f
f(x) ← FHE.Eval(f, x)    (Not f(x)!)
Here the x output by FHE.Enc and the f(x) output by FHE.Eval are FHE ciphertexts.
IDEA: Use (one-time) Yao garbled for decryption
Intuition
FE.Enc of input x:
1. x ← FHE.Enc(x)
2. Generate garbled circuit Γ and labels L_i^0, L_i^1 for Dec_sk
Output x, Γ
FE.KeyGen for circuit f:
sk_f ← f
FE.Dec(sk_f, ct) should obtain f(x):
1. ct = f(x) ← FHE.Eval(f, x)
2. Obtain labels {L_i^{ct_i}} for f(x)    (How??)
3. Compute Gb.Eval(Γ, {L_i^{e_i}}) and get f(x)
We need..
if FHE.Eval_i(f, x) = 0, get label L_i^0, else gets L_i^1
(callouts on this line: public predicate; public input; keep one secret)
IDEA: The variant of public-index FE provides exactly this!
ct ← PI.Enc(x, L_i^0, L_i^1)
sk_f ← PI.KeyGen(g_i)
PI.Dec(sk_f, ct) = L_i^0, if g_i(x) = 0
                   L_i^1, if g_i(x) = 1
Intuition
FE.Enc of input x:
1. x ← FHE.Enc(x)
2. Generate garbled circuit Γ and labels L_i^0, L_i^1 for Dec_sk
3. ct_i ← PI.Enc(x, L_i^0, L_i^1)
Output x, Γ, ct_i
FE.KeyGen for circuit f:
sk_{g_i} ← PI.KeyGen(g_i), where g_i = FHE.Eval_i(f, ⋅)
FE.Dec(sk_f, ct) should obtain f(x):
1. ct = f(x) ← FHE.Eval(f, x)
2. Obtain labels {L_i^{ct_i}} for f(x)
3. Compute Gb.Eval(Γ, {L_i^{e_i}}) and get f(x)
Outline
[Diagram: public-index FE + FHE + Yao garbling → succinct functional encryption → (2) reusable garbled circuits & implication to obfuscation; FHE with input-specific efficiency; publicly-verifiable delegation with secrecy.]
Intuition
Garble(C):
Γ ← FE.KeyGen(C)    (Leaks C!)
Garble(x):
ct ← FE.Enc(x)
IDEA: leverage secrecy of input to hide circuit
Intuition
Garble(C):
Γ ← FE.KeyGen(Enc_sk(C))
Garble(x):
ct ← FE.Enc(x, sk)
Intuition
Garble(C):
Γ ← FE.KeyGen(U_{Enc_sk(C)})
Garble(x):
ct ← FE.Enc(x, sk)
U_E on input sk and x:
- Decrypt E to obtain C
- Run C(x)
Correctness?
Security?
Reusability?
Summary
[Diagram: LWE → public-index FE; public-index FE + FHE + Yao garbling → (1) succinct functional encryption → (2) reusable garbled circuits & implication to obfuscation; FHE with input-specific efficiency (not today); publicly-verifiable delegation with secrecy (not today).]
Thank you!