Indistinguishability Obfuscation and Applications

Succinct Garbling and its Applications
Sanjam Garg
University of California at Berkeley
Nir Bitansky, Huijia Lin, Rafael Pass, Sidharth Telang

Garbled Circuits [Yao82]
Tons of Applications
• Constant-round secure computation [Yao82,BMR90,…]
• Private Simultaneous Messages protocols [FKN94,…]
• Parallel Cryptography [AIK05,…]
• One time programs [GKR08,…]
• Verifiable computation [GGP10,…]
• Functional Encryption [SS10,…]
• KDM-secure encryption [BHHI10,…]
• Bootstrapping obfuscators [App13, CLTV15, BGLPT15,…]
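What are Garbled Circuits?
[Figure: Alice, holding $C, x$, sends the garbled $C, x$ to Bob, who obtains $C(x)$.]
$\mathsf{Garble}(C, x)$: Generates the garbled $C, x$.
$\mathsf{Eval}$ on the garbled $C, x$: Outputs $C(x)$.
Security: if $C_1, C_2, x$ are such that $C_1(x) = C_2(x)$, then
$\mathsf{Garble}(C_1, x) \approx \mathsf{Garble}(C_2, x)$
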
What are Garbled Circuits?
[Figure: Alice, holding $C, x$, sends the garbled $C, x$ to Bob, who obtains $C(x)$.]
Scheme | Model | Assumption | Communication | Alice’s work | Bob’s work
Yao | Circuits | OWFs | $C \cdot poly(k)$ | $C \cdot poly(k)$ | $C \cdot poly(k)$
Cannot hope to do much better than this for circuits!

What about TM/RAM?
TM: $M \ll T$ and $C = O(T \log T)$
RAM: $M \ll T$ and $C = O(T^3 \log T)$, $T \ll C$
• Description Size – $M$
• Running Time – $T$
• Circuit Representation – $C$
We know how to do it in $O(T)$ from OWFs! [LO13, GHL+14, GLOS15]

Defining: Succinct Garbling
[Figure: Alice, holding $M, x$, sends the garbled $M, x$ to Bob, who obtains $M(x)$.]
Model: TM/RAM
Table columns: Assumption, Communication, Alice’s work, Bob’s work
Entries shown: $x, M, k$ and $x, M, k$

Results on Succinct Garbling
Scheme | Model | Assumption | Communication | Alice’s work | Bob’s work
Goal | TM/RAM | ? | $x, M, k$ | $x, M, k$ | ?
GKP+13 | TM | Ext WE | $x, M, k$ | $x, M, k$ | $T, k$
BGLPT14, CHJV14 | TM/RAM | iO | $x, M, n, k$ | $x, M, n, k$ | $T, k$
KLW14 | TM | iO | $x, M, k$ | $x, M, k$ | $\lvert T \rvert, k$
Implausibility [GGHW14]
Polynomial Hardness of $iO$
• $n$ is the max memory size
• $k$ is the security parameter
• Ignoring log factors!

Applications
1. Secure Computation with low computation cost for one party

Application 1: MPC with unbalanced load
[Figure: Alice and Bob, with inputs $x$ and $y$ and machine $M$, run a protocol $\pi$; the output is $M(x, y)$.]
$\pi$ on input $x, y$ outputs $\mathsf{Garble}(M, x, y)$
Alice’s work grows with the description size of the machine $M$ and not with its running time. The idea builds on [IK00, IK02].

Applications
1. Secure Computation with low computation cost for one party
2. $iO$ for TM/RAM
• Requires sub-exponential $iO$

Application 2: $iO$ for TM/RAM

Obfuscation - Informal
Obfuscation aims to make computer programs "unintelligible" without affecting their functionality.
[Figure: Alice holds P; Bob receives O(P).]

Indistinguishability Obfuscation [B+01, GR07]
[Figure: an obfuscator $O$ maps $C$ to $O(C)$.]
• Correctness: $O(C)$ computes $C$ exactly
• Efficiency: $O(C)$ at most polynomially larger than $C$
• Security: $O(C)$ is “unintelligible”
• Multiple notions
• Indistinguishability Obfuscation: If $C_1, C_2$ compute the same function (and $|C_1| = |C_2|$) then $O(C_1) \approx O(C_2)$

Positive results on $iO$
• First realized in [GGHRSW13]
• Follow up works [BR13, BGKPS13, PST14, GLSW14,…]
• Size of obfuscation - grows with $T$ and $T \gg M$
• Better obfuscation – [BCP14, ABGSZ14]
• Strong computational assumptions – $diO$ and SNARGs
• Using Succinct Garbling implies $iO$ for TM/RAM
Runs in input specific run-time [GKPVZ13]!

Application 2: $iO$ for TM/RAM
$iO(M)$: $iO(C_{M,s})$ where $C_{M,s}$ is a circuit that on input $x$ proceeds as follows:
1. $r := \mathsf{PRF}_s(x)$
2. Output the garbling of $M, x$, computed as $\mathsf{Garble}(M, x)$ using randomness $r$
• Heuristic approach for this [Applebaum13] and proof from sub-exponential security by [CLTV15]

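Application 2: $iO$ for TM/RAM
Security: For any two machines $M_1$ and $M_2$, such that $\forall x\; M_1(x) = M_2(x)$, we have that $iO(M_1) \approx iO(M_2)$
[Hybrids from $M_1$ to $M_2$: $H_0$ uses $C_{M_1,s}$, …, $H_i$ uses $C_{M_1,M_2,s,i}$, …, $H_{2^{|x|}}$ uses $C_{M_2,s}$.]
$C_{M_1,M_2,s,i}$ on input $x$ proceeds as follows:
1. $r := \mathsf{PRF}_s(x)$
2. If $x < i$ output $\mathsf{Garble}(M_2, x)$ else $\mathsf{Garble}(M_1, x)$ using randomness $r$
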
Application 2: $iO$ for TM/RAM
[Hybrid step, via Puncturing [SW14]: $H_i$ ($C_{M_1,M_2,s,i}$) $\approx$ $H_{i+1}$ ($C_{M_1,M_2,s,i+1}$).]
$C_{M_1,M_2,s,i}$ on input $x$ proceeds as follows:
1. $r := \mathsf{PRF}_s(x)$
2. If $x < i$ output $\mathsf{Garble}(M_2, x)$ else $\mathsf{Garble}(M_1, x)$ using randomness $r$

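Application 2: $iO$ for TM/RAM
[Hybrid chain, via Puncturing [SW14]: $H_i$ ($C_{M_1,M_2,s,i}$) → puncture → $C_{M_1,M_2,s_i,r_i,i}$ (punctured) → random at puncture → $C_{M_1,M_2,s_i,r_i,i}$ (Random) → … → $H_{i+1}$ ($C_{M_1,M_2,s,i+1}$).]
$C_{M_1,M_2,s_i,r_i,i}$ (in place of $C_{M_1,M_2,s,i}$) on input $x$ proceeds as follows:
1. If $x = i$, $r := r_i$ else $r := \mathsf{PRF}_{s_i}(x)$ (in place of $r := \mathsf{PRF}_s(x)$).
2. If $x < i$ output $\mathsf{Garble}(M_2, x)$ else $\mathsf{Garble}(M_1, x)$ using randomness $r$
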
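Application 2: $iO$ for TM/RAM
[Hybrid chain, via Puncturing [SW14]: $H_i$ ($C_{M_1,M_2,s,i}$) → puncture → $C_{M_1,M_2,s_i,r_i,i}$ (punctured) → random at puncture → $C_{M_1,M_2,s_i,r_i,i}$ (Random) → hardcode → $C_{M_1,M_2,s_i,y_i,i}$ with $y_i = \mathsf{Garble}(M_1, x)$ → change hardcoded → $C_{M_1,M_2,s_i,y_i,i}$ with $y_i = \mathsf{Garble}(M_2, x)$ → … → $H_{i+1}$ ($C_{M_1,M_2,s,i+1}$).]
$C_{M_1,M_2,s_i,r_i,i}$ on input $x$ proceeds as follows:
1. If $x = i$, $r := r_i$ else $r := \mathsf{PRF}_{s_i}(x)$.
2. If $x < i$ output $\mathsf{Garble}(M_2, x)$ else $\mathsf{Garble}(M_1, x)$ using randomness $r$
In $C_{M_1,M_2,s_i,y_i,i}$: If $x = i$ then output $y_i$.
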
Application 2: $iO$ for TM/RAM
[Hybrid chain, via Puncturing [SW14]: $H_i$ ($C_{M_1,M_2,s,i}$) → puncture → $C_{M_1,M_2,s_i,r_i,i}$ (punctured) → random at puncture → $C_{M_1,M_2,s_i,r_i,i}$ (Random) → hardcode → $C_{M_1,M_2,s_i,y_i,i}$ → change hardcoded → $C_{M_1,M_2,s_i,y_i,i}$ with $y_i = \mathsf{Garble}(M_2, x)$ → … → $H_{i+1}$ ($C_{M_1,M_2,s,i+1}$).]
Reverse hybrids to get to $H_{i+1}$
Assuming sub-exponential $iO$: Succinct garbling implies succinct $iO$.

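The puncture and hardcode steps above only work if they leave the circuit's input/output behaviour unchanged, because $iO$ hides differences only between functionally equivalent circuits. The Python sketch below is an added example, not code from the talk: it assumes a GGM-style puncturable PRF built from SHA-256, uses an HMAC as a stand-in for Garble, and works over a constructed 8-bit input domain.

```python
import hashlib, hmac

N = 8  # toy input length in bits, so x ranges over 0..255 (constructed)

def G(seed: bytes, bit: int) -> bytes:
    """One half of a length-doubling PRG, modelled here with SHA-256."""
    return hashlib.sha256(bytes([bit]) + seed).digest()

def prf(s: bytes, x: int) -> bytes:
    """GGM PRF_s(x): walk a binary tree along the bits of x, MSB first."""
    for j in reversed(range(N)):
        s = G(s, (x >> j) & 1)
    return s

def puncture(s: bytes, i: int) -> dict:
    """Punctured key s_i: the sibling seed at every level of the path to i."""
    key = {}
    for j in reversed(range(N)):
        b = (i >> j) & 1
        key[(j, (i >> j) ^ 1)] = G(s, 1 - b)
        s = G(s, b)
    return key

def prf_punctured(key: dict, x: int) -> bytes:
    """Evaluate PRF_{s_i}(x) for x != i; the key holds nothing for x = i."""
    for j in reversed(range(N)):
        if (j, x >> j) in key:
            s = key[(j, x >> j)]
            for t in reversed(range(j)):
                s = G(s, (x >> t) & 1)
            return s
    raise ValueError("key is punctured at this input")

def garble(m: str, x: int, r: bytes) -> bytes:
    """Stand-in (assumption) for Garble(M, x; r): deterministic in (M, x, r)."""
    return hmac.new(r, f"{m}|{x}".encode(), hashlib.sha256).digest()

def C(s: bytes, i: int, x: int) -> bytes:
    """C_{M1,M2,s,i}: garble M2 below the threshold i, M1 from i upwards."""
    return garble("M2" if x < i else "M1", x, prf(s, x))

def C_hard(key: dict, y_i: bytes, i: int, x: int) -> bytes:
    """C_{M1,M2,s_i,y_i,i}: punctured key, y_i hardcoded at x = i."""
    if x == i:
        return y_i
    return garble("M2" if x < i else "M1", x, prf_punctured(key, x))
```

With $y_i$ set to the $M_1$ garbling the hardcoded circuit agrees with $H_i$ on every input, and with the $M_2$ garbling it agrees with $H_{i+1}$; the steps in between (random $r_i$, switching $y_i$) are the ones that rest on PRF and garbling security rather than on functional equivalence.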
Applications
1. Secure Computation with low computation cost for one party
2. $iO$ for TM/RAM
• Requires sub-exponential $iO$
3. Functional Encryption [BSW11,ONeill10] for TM/RAM
• Only requires polynomial hardness assumptions
• And Reusable Garbling [GKPVZ13]

Application 3: FE for TM/RAM
[SW06,…,O’Neil10,BSW11,GGHRSW13,BCP14,ABGSZ14…]
Prior Work: Limited to circuits [GGHRSW13] or needed strong assumptions [BCP14,ABGSZ14].
Succinct Garbling enables succinct functional encryption.
[Figure: a Key Authority with MSK publishes PK and issues keys SK, SK’ for $f_1$, $f_2$; applied to $\mathsf{Enc}(x)$ they yield $f_1(x)$, $f_2(x)$.]

Application 3: FE for TM/RAM
[SW06,…,O’Neil10,BSW11,GGHRSW13,BCP14,ABGSZ14…]
• Take a functional encryption for circuits and make it output the succinct garbling.
[Figure: a Key Authority with MSK and PK issues keys SK, SK’ for $f_1$, $f_2$; the keys yield $\mathsf{Garble}(f_1, x)$, $\mathsf{Garble}(f_2, x)$, which evaluate to $f_1(x)$, $f_2(x)$.]

Applications
1. Secure Computation with low computation cost for one party
2. $iO$ for TM/RAM
• Requires sub-exponential $iO$
3. Functional Encryption [BSW11,ONeill10] for TM/RAM
• Only requires polynomial hardness assumptions
• And Reusable Garbling [GKPVZ13]
4. Publicly Verifiable Delegation
• Previous works provide schemes in weaker preprocessing model [AIK10, GGP10, PRV12, GKPVZ13]
Previous results needed diO [BCP14, ABGSZ14], for which implausibility was shown in [GGHW14]

How do we do it?
Yao’s Garbled circuits
Security: if $C_1, C_2, x$ are such that $C_1(x) = C_2(x)$, then
$\mathsf{Garble}(C_1, x) \approx \mathsf{Garble}(C_2, x)$

Yao’s Garbled circuits
Security: if $C_1, C_2, x$ are such that $C_1(x) = C_2(x)$, then
$\mathsf{Garble}(C_1, x) \approx \mathsf{Garble}(C_2, x)$
Key Point: Garbling per gate only needs 6 keys!

Garbling Turing Machines
Sample $s$ – the seed of a PRF.
[Figure: gate $i$ with its six keys, each an output of $F_s$: out, lef and rig of gate $i$, each for bit 0 and bit 1.]
Similarly for input wires.

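How one gate can be garbled from nothing but the PRF seed $s$, so that any gate's table can be regenerated on demand instead of being stored: the Python sketch below is an added example, not code from the talk. HMAC-SHA256 as $F_s$, the argument order (gate, wire, bit), the wire names and the hash-based row encryption are all assumptions made for illustration.

```python
import hashlib, hmac

def F(s: bytes, gate: int, wire: str, bit: int) -> bytes:
    """PRF F_s on (gate index, wire name, bit): one 32-byte wire key."""
    msg = f"{gate}|{wire}|{bit}".encode()
    return hmac.new(s, msg, hashlib.sha256).digest()

def pad(k_left: bytes, k_right: bytes, gate: int) -> bytes:
    """48-byte pad derived from both input keys (hash-based row encryption)."""
    base = k_left + k_right + gate.to_bytes(4, "big")
    first = hashlib.sha256(b"\x00" + base).digest()
    second = hashlib.sha256(b"\x01" + base).digest()
    return first + second[:16]

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(p ^ q for p, q in zip(a, b))

def garble_gate(s: bytes, gate: int, op) -> list:
    """Garbled table of one gate; uses exactly the six keys F_s(gate, ., .)."""
    rows = []
    for a in (0, 1):
        for b in (0, 1):
            # Output key followed by a 16-byte zero tag that marks the valid row
            plain = F(s, gate, "out", op(a, b)) + bytes(16)
            key_pad = pad(F(s, gate, "left", a), F(s, gate, "right", b), gate)
            rows.append(xor(plain, key_pad))
    return sorted(rows)  # order depends only on the ciphertexts, not on (a, b)

def eval_gate(rows: list, gate: int, k_left: bytes, k_right: bytes) -> bytes:
    """Evaluator's side: one key per input wire opens exactly one row."""
    p = pad(k_left, k_right, gate)
    for row in rows:
        plain = xor(row, p)
        if plain[32:] == bytes(16):
            return plain[:32]
    raise ValueError("no row decrypts under these keys")
```

Because every key is a PRF output, calling `garble_gate` twice with the same seed and gate index returns the same table, which is what lets a small circuit holding only $s$ emit the garbling layer by layer.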
Garbling Turing Machines
[Figure labels: $x$; $x, s$; Bounded Memory; Heuristic Solution; $i$]
Same works for RAM programs using garbled RAM [LO13,GHLORW14,GLOS15]!

Bounded Memory Security Proof via Puncturing
Security: For any two machines $M_1$ and $M_2$, and input $x$, if $M_1(x) = M_2(x)$ we have that $\mathsf{Garble}(M_1, x) \approx \mathsf{Garble}(M_2, x)$
Need to remember all the wires across the layer in arguing security.
[Hybrids from $M_1, x$ to $M_2, x$: $H_0$ uses $C_{M_1,x,s}$, …, $H_i$ uses $C_{M_1,M_2,x,s,i}$, …, $H_d$ uses $C_{M_2,x,s}$; figure layers labelled M1, M1, M2, M2.]

Bounded Memory Security Proof via Puncturing
[Figure: $H_i$ and $H_{i+1}$, with layers labelled M1 and M2.]
Puncture, replace random, hardcode, change hardcoded, make pseudorandom, un-puncture

Extending to unbounded memory for Turing Machines [KLW14]
[Figure labels: $x$; $C_{M,x,s}$]

Conclusion and Future Work
• Succinct Garbling and Succinct Obfuscation
• Bounded memory for TM and RAM [BGLPT14, CHJV14]
• Unbounded memory for TM [KLW14]
• Open problems
• Unbounded memory for RAM
• Simpler constructions?
Thank You!