Succinct Functional Encryption: Reusable Garbled Circuits and Beyond

Post on 23-Feb-2016

DESCRIPTION

Succinct Functional Encryption: Reusable Garbled Circuits and Beyond. Yael Kalai, Microsoft Research. Joint work with: Shafi Goldwasser (MIT), Raluca Ada Popa (MIT), Vinod Vaikuntanathan (U Toronto), Nickolai Zeldovich (MIT). * Thanks to Raluca and Vinod for the slides.

TRANSCRIPT

Succinct Functional Encryption: Reusable Garbled Circuits and Beyond

Yael Kalai, Microsoft Research

Joint work with: Shafi Goldwasser (MIT), Raluca Ada Popa (MIT), Vinod Vaikuntanathan (U Toronto), Nickolai Zeldovich (MIT)

* Thanks to Raluca and Vinod for the slides.

Example: Spam Filters

[Diagram: Sender, Spam filter, Receiver. The spam filter holds E[email] and runs FHE.Eval of the filter to obtain E[spam?].]

Need to decrypt computation result but nothing else!

FHE is not enough!

Desired: Functional Encryption (FE) [Boneh-Sahai-Waters11, O’Neill11]

Allows evaluator to decrypt computation result

[Diagram: Client, Evaluator; E[x_1], ..., E[x_n]; sk_f; compute]

Can release only one function key [Agrawal-Gorbunov-Vaikuntanathan-Wee12]

Syntax:

Outline

• Example: Spam filters
• Problem we solve: Functional Encryption (under LWE assumption)
• Prior work
• Main Application: Reusable Garbled Circuits
• Application 2: FHE for Turing machines
• Application 3: Publicly Verifiable and Secret Delegation
• Our constructions

Prior Work

Functional encryption for inner product functions [Katz-Sahai-Waters’08, Shen-Shi-Waters’09]

Public-index functional encryption (also known as ABE or predicate encryption) [Sahai-Waters’05, Goyal-Pandey-Sahai-Waters’06, Bethencourt-Sahai-Waters’07, Goyal-Jain-Pandey-Sahai’08, Lewko-Okamoto-Sahai-Takashima-Waters’10, Waters’11, Lewko-Waters’12, Waters’12, Sahai-Waters’12, Gorbunov-Vaikuntanathan-Wee’13,…]

[Gorbunov-Vaikuntanathan-Wee’12]: Functional encryption for general functions, where grows with circuit size (e.g. size of email encryption depends on spam filter program size)

Open question: Is there a FE scheme for general functions with ciphertext size << circuit size (succinct)?

Our contribution: Succinct functional encryption

Theorem. A FE scheme with succinct ciphertexts for general functions can be constructed from
1. FHE scheme
2. public-index functional encryption scheme

Corollary. Under the sub-exp. LWE assumption, for any depth d, there is a FE scheme with succinct ciphertexts (whose size grows with d) for general functions computable by circuits of depth d.

Main Application: Reusable Garbled Circuits

Yao garbled circuits [Yao82]
– Secure two-party computation [Yao86],
– (Constant round) multi-party computation [BMR90],
– Parallel cryptography [AIK05],
– One-time programs [GKR08],
– Key-dependent message (KDM) security [BHHI09, A11],
– Outsourcing computation [GGP10],
– Circuit-private homomorphic encryption [GHV10],
– and many others

Yao Garbled Circuits [Yao 82]

[Diagram: Garble(C) turns the Boolean circuit C (gates +, x, x, +; input bits 0 1 1 0) into the garbled circuit GC. Garble(x) turns the input x into a garbled input built from the wire labels L1,0, L1,1, L2,0, L2,1, L3,0, L3,1, L4,0, L4,1.]

Correctness: Given GC and , can compute C(x).

Security (Input & Circuit privacy): Given C(x) and 1^{|C|}, can simulate (GC, ).

Efficiency: |GC| = p(|C|) and || = p(|x|)

Yao Garbled Circuits (Cont.)

Theorem: [Yao86]

If one-way functions exist, any polynomial-size circuit family can be garbled.

Yao Garbled Circuits (Cont.)

Drawback: One-time

[Diagram: garbled circuit GC with two garbled inputs 𝒈𝒙, one for x = 0110 (labels L1,0, L2,1, L3,1, L4,0) and one for x′ = 1001 (labels L1,1, L2,0, L3,0, L4,1).]

insecure to release two encodings and

Can compute C(x) for unintended inputs x!

No input or circuit privacy guarantees!
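The one-time drawback above, as an added Python example that is not from the slides: a toy Yao-style garbling in which releasing the encodings of x = 0110 and x′ = 1001 lets the evaluator run GC on all 16 inputs. The circuit (x1 AND x2) XOR (x3 AND x4), the SHA-256 row encryption with a zero tag, and all function names are assumptions made for illustration.

```python
import hashlib, secrets
from itertools import product

K = 16  # wire-label length in bytes

# Constructed toy circuit (an assumption, not the slide's circuit):
# wires 0-3 are inputs, 4-5 internal, 6 is the output wire.
GATES = [(0, 1, 4, lambda a, b: a & b),
         (2, 3, 5, lambda a, b: a & b),
         (4, 5, 6, lambda a, b: a ^ b)]

def H(a, b, gid):
    # 32-byte pad derived from the two input labels (toy stand-in for a PRF)
    return hashlib.sha256(a + b + bytes([gid])).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def garble():
    # Garble(C): two random labels per wire, four encrypted rows per gate
    labels = [(secrets.token_bytes(K), secrets.token_bytes(K)) for _ in range(7)]
    tables = []
    for gid, (a, b, out, op) in enumerate(GATES):
        rows = [xor(H(labels[a][i], labels[b][j], gid), labels[out][op(i, j)] + bytes(K))
                for i, j in product((0, 1), repeat=2)]
        secrets.SystemRandom().shuffle(rows)  # hide which row belongs to which inputs
        tables.append(rows)
    return tables, labels[:4], {labels[6][0]: 0, labels[6][1]: 1}

def encode(input_labels, x):
    # Garble(x): exactly one label per input wire
    return [input_labels[w][bit] for w, bit in enumerate(x)]

def evaluate(tables, decode, gx):
    wire = dict(enumerate(gx))
    for gid, (a, b, out, _) in enumerate(GATES):
        for row in tables[gid]:
            plain = xor(H(wire[a], wire[b], gid), row)
            if plain[K:] == bytes(K):  # zero tag marks the one row these labels open
                wire[out] = plain[:K]
                break
    return decode[wire[6]]

def mix_and_match(tables, decode, gx, gx2):
    # Two encodings give both labels on every wire where x and x' differ,
    # so every per-wire choice between them is a valid garbled input.
    return {c: evaluate(tables, decode, [(gx, gx2)[s][w] for w, s in enumerate(c)])
            for c in product((0, 1), repeat=4)}
```

With a single encoding the evaluator opens one row per gate and learns only C(x); with both, `mix_and_match` returns the full truth table, which is why one-time garbling gives no input or circuit privacy once a second input is encoded.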

Main Application: Reusable Garbling

Theorem:

Under the sub-exp. LWE, there is a reusable circuit garbling scheme for poly size circuits such that:

– poly(,|C|)

– poly(where is the depth of

(: security parameter)

Application 2: FHE for Turing machines

[Diagram: Client, Evaluator, Program; E[input], E[result]]

circuit size worst-case running time of program

Decrypt only the runtime of the instance, to avoid worst-case!

Application 3: Publicly-verifiable delegation with secrecy

[Gennaro-Gentry-Parno’10]: Yao + FHE secret privately-verifiable delegation

[Parno-Raikova-Vaikuntanathan’12]: public-index FE non-secret publicly-verifiable delegation

succinct FE publicly-verifiable delegation with secrecy

Outline

[Roadmap diagram. Nodes: LWE; public-index FE; FHE; Yao garbling; succinct functional encryption (1); reusable garbled circuits & FHE with input-specific efficiency (2); publicly-verifiable delegation with secrecy; implication to obfuscation. Two nodes are marked "Not today".]

Construction of FE

Public-Index Functional Encryption (also known as ABE or predicate encryption)

m, if f(x) = 1
⊥, if f(x) = 0

leaks input to the computation

[Gorbunov-Vaikuntanathan-Wee13]: Public-index functional encryption for any (a priori fixed) depth d circuit, based on sub-exp. LWE assumption.

Variant:

m_0, if f(x) = 1
m_1, if f(x) = 0

Intuition

IDEA: Start with FHE

�̂�←FHE. Enc (𝑥 )

𝑠𝑘 𝑓← 𝑓

Not f!

IDEA: Use (one-time) Yao garbled for decryption

Intuition

1. �̂�←FHE .Enc (𝑥 )

𝑠𝑘 𝑓← 𝑓

FE.Enc of input :

FE.KeyGen for circuit f:

FE.Dec(should obtain :

2. Generate garbled circuit and labels for

2. Obtain labels for 3. Compute and get

Output

How??

=

We need..

𝐿1𝑖 , 𝑖𝑓 𝑔𝑖 (𝑥 )=1

IDEA: The variant of public-index FE provides exactly this!

if , ) = 0, get label else gets

public predicate; public input; keep one secret

Intuition

1. �̂�←FHE .Enc (𝑥 )

, where

FE.Enc of input :

FE.KeyGen for circuit f:

FE.Dec(should obtain :

2. Generate garbled circuit and labels for

2. Obtain labels for 3. Compute and get

Output

3.

Outline

[Roadmap diagram, step 2. Nodes: public-index FE; FHE; Yao garbling; succinct functional encryption; reusable garbled circuits & FHE with input-specific efficiency (2); publicly-verifiable delegation with secrecy; implication to obfuscation.]

Intuition

Garble(C):

Garble(x):

Leaks C!

IDEA: leverage secrecy of input to hide circuit

Intuition

Garble(C):

Garble(x):

on input and : - Decrypt to obtain - Run

Correctness?

Security?

Reusability?

Summary

[Roadmap diagram. Nodes: LWE; public-index FE; FHE; Yao garbling; succinct functional encryption (1); reusable garbled circuits & FHE with input-specific efficiency (2); publicly-verifiable delegation with secrecy; implication to obfuscation. Two nodes are marked "Not today".]

Thank you!