Abstract
A universal circuit (UC) is a general-purpose circuit that can simulate arbitrary circuits (up to a certain size n). At STOC 1976 Valiant presented a graph theoretic approach to the construction of UCs, where a UC is represented by an edge universal graph (EUG) and is recursively constructed using a dedicated graph object (referred to as supernode). As a main end result, Valiant constructed a 4-way supernode of size 19 and an EUG of size \(4.75n\log n\) (omitting smaller terms), which remained the most size-efficient even to this day (after more than 4 decades).
Motivated by the emerging applications of UCs in various privacy preserving computation scenarios, we revisit Valiant’s universal circuits, and propose a 4-way supernode of size 18, and an EUG of size \(4.5n\log n\). As confirmed by our implementations, we reduce the size of universal circuits (and the number of AND gates) by more than 5% in general, and thus improve upon the efficiency of UC-based cryptographic applications accordingly. Our approach to the design of optimal supernodes is computer aided (rather than by hand as in previous works), which might be of independent interest. As a complement, we give lower bounds on the size of EUGs and UCs in Valiant’s framework, which significantly improves upon the generic lower bound on UC size and therefore reduces the gap between theory and practice of universal circuits.
Notes
1. As a slight abuse of abbreviation, we use UC as the shorthand for universal circuit; readers should not confuse it with universal composability.
2. Definition 2 puts no limits on the fan-in/fan-out of an EUG, but Valiant’s UC construction requires the underlying EUG to be a \(\mathsf {DAG}_2\).
3. Since \(N_S\) is a common node, it cannot be an endpoint of a path. For an X-switching gate \(G_S\), there may be two paths passing through \(N_S\), for which only a single control bit is needed, as the paths in Q are edge-disjoint by definition.
4. As a slight abuse of definition, the size of a supernode differs from that of a graph in that it excludes the input and output nodes. As we will see, this comes in handy when composing the components to build a large EUG and calculating its size.
5. \(in^{i}_j\) (\(out^{i}_j\)) denotes the j-th input (output) of the i-th supernode (denoted by \(\mathsf {SN}(k)_i\)).
6. Similarly to the size of a supernode, we define the depth of \(\mathsf {SN}(k)\) as the length of the longest path minus 2 (i.e., excluding inputs and outputs), denoted by \(\mathsf {depth}(\mathsf {SN}(k))\).
7. The search algorithm outputs a few hundred outcomes, many of which are isomorphic to each other, but our verification is by hand and is certainly not exhaustive.
8. Recall that the number of AND gates in Lipmaa et al.’s circuits (Fig. 7) is the same as in Valiant’s 4-way construction, since their work saves only XOR gates, so the comparison does not include Lipmaa et al.’s work.
References
Afshar, A., Mohassel, P., Pinkas, B., Riva, B.: Non-interactive secure computation based on cut-and-choose. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 387–404. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_22
Alhassan, M.Y., Günther, D., Kiss, Á., Schneider, T.: Efficient and scalable universal circuits. Cryptology ePrint Archive, Report 2019/348 (2019). https://eprint.iacr.org/2019/348
Araki, T., et al.: Optimized honest-majority MPC for malicious adversaries - breaking the 1 billion-gate per second barrier. In: 2017 IEEE Symposium on Security and Privacy (SP 2017), pp. 843–862 (2017)
Attrapadung, N.: Fully secure and succinct attribute based encryption for circuits from multi-linear maps. Cryptology ePrint Archive, Report 2014/772 (2014). https://eprint.iacr.org/2014/772
Bera, D., Fenner, S.A., Green, F., Homer, S.: Efficient universal quantum circuits. Quantum Inf. Comput. 10(1&2), 16–27 (2010). http://www.rintonpress.com/xxqic10/qic-10-12/0016-0027.pdf
Bicer, O., Bingol, M.A., Kiraz, M.S., Levi, A.: Towards practical PFE: an efficient 2-party private function evaluation protocol based on half gates. Cryptology ePrint Archive, Report 2017/415 (2017). https://eprint.iacr.org/2017/415
Cook, S.A., Hoover, H.J.: A depth-universal circuit. SIAM J. Comput. 14(4), 833–839 (1985)
Fiore, D., Gennaro, R., Pastro, V.: Efficiently verifiable computation on encrypted data. In: Proceedings of the 2014 ACM SIGSAC Conference on Computer and Communications Security (CCS 2014), pp. 844–855 (2014)
Fisch, B.A., et al.: Malicious-client security in blind seer: a scalable private DBMS. In: 2015 IEEE Symposium on Security and Privacy (SP 2015), pp. 395–410 (2015)
Galil, Z., Paul, W.J.: An efficient general purpose parallel computer. In: Proceedings of the 13th Annual ACM Symposium on Theory of Computing (STOC 1981), pp. 247–262 (1981)
Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. SIAM J. Comput. 45(3), 882–929 (2016)
Garg, S., Gentry, C., Halevi, S., Sahai, A., Waters, B.: Attribute-based encryption for circuits from multilinear maps. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013. LNCS, vol. 8043, pp. 479–499. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_27
Garg, S., Gentry, C., Halevi, S., Zhandry, M.: Fully secure attribute based encryption from multilinear maps. IACR Cryptology ePrint Archive 2014, 622 (2014). http://eprint.iacr.org/2014/622
Gennaro, R., Gentry, C., Parno, B., Raykova, M.: Quadratic span programs and succinct NIZKs without PCPs. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 626–645. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_37
Gentry, C., Halevi, S., Vaikuntanathan, V.: i-hop homomorphic encryption and rerandomizable yao circuits. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 155–172. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-14623-7_9
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Attribute-based encryption for circuits. J. ACM 62(6), 45:1–45:33 (2015)
Günther, D., Kiss, Á., Schneider, T.: More efficient universal circuit constructions. In: Takagi, T., Peyrin, T. (eds.) ASIACRYPT 2017. LNCS, vol. 10625, pp. 443–470. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-70697-9_16
Huang, Y., Katz, J., Kolesnikov, V., Kumaresan, R., Malozemoff, A.J.: Amortizing garbled circuits. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8617, pp. 458–475. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-44381-1_26
Kiss, Á., Schneider, T.: Valiant’s universal circuit is practical. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9665, pp. 699–728. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3-662-49890-3_27
Kolesnikov, V., Schneider, T.: Improved garbled circuit: free XOR gates and applications. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 486–498. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70583-3_40
Kolesnikov, V., Schneider, T.: A practical universal circuit construction and secure evaluation of private functions. In: Tsudik, G. (ed.) FC 2008. LNCS, vol. 5143, pp. 83–97. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85230-8_7
Lindell, Y., Riva, B.: Blazing fast 2PC in the offline/online setting with security for malicious adversaries. In: Proceedings of the 22nd ACM SIGSAC Conference on Computer and Communications Security (CCS 2015), pp. 579–590 (2015)
Lipmaa, H., Mohassel, P., Sadeghian, S.: Valiant’s universal circuit: improvements, implementation, and applications. Cryptology ePrint Archive, Report 2016/017 (2016). https://eprint.iacr.org/2016/017
Malkhi, D., Nisan, N., Pinkas, B., Sella, Y.: Fairplay - secure two-party computation system. In: Proceedings of the 13th USENIX Security Symposium, pp. 287–302 (2004)
Meyer auf der Heide, F.: Efficiency of universal parallel computers. In: Theoretical Computer Science, pp. 221–241 (1983)
Mohassel, P., Sadeghian, S.: How to hide circuits in MPC an efficient framework for private function evaluation. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 557–574. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-38348-9_33
Mohassel, P., Sadeghian, S., Smart, N.P.: Actively secure private function evaluation. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014. LNCS, vol. 8874, pp. 486–505. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-45608-8_26
Pappas, V., et al.: Blind seer: a scalable private DBMS. In: 2014 IEEE Symposium on Security and Privacy (SP 2014), pp. 359–374 (2014)
Sadeghian, S.S.: New Techniques for Private Function Evaluation. Ph.D. thesis, University of Calgary (2015)
Tillich, S., Smart, N.: Circuits of basic functions suitable for MPC and FHE (2015). https://homes.esat.kuleuven.be/%7Ensmart/MPC/
Valiant, L.G.: Universal circuits (preliminary report). In: Proceedings of the 8th Annual ACM Symposium on Theory of Computing (STOC 1976), pp. 196–203 (1976)
Wegener, I.: The complexity of Boolean functions. ECCC books, lectures and surveys (1987). https://bit.ly/2I7MGJi
Zhao, S.: The C++ source code of our 4-way UC implementation (2018). https://github.com/Anonymous8012/UC
Zhao, S.: A proof that the graph in Figure 1 is a 4-way supernode. Shared in a double-blind way (registration/log-in not required for upload and download) (2018). https://www.filedropper.com/sn-proof
Zhu, R., Cassel, D., Sabry, A., Huang, Y.: nanoPI: extreme-scale actively-secure multi-party computation. In: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security (CCS 2018), pp. 862–879 (2018)
Zimmerman, J.: How to obfuscate programs directly. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part II. LNCS, vol. 9057, pp. 439–467. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_15
Acknowledgments
Yu Yu was supported by the National Natural Science Foundation of China (Grant Nos. 61872236 and 61572192) and the National Cryptography Development Fund (Grant number MMJJ20170209). Jiang Zhang is supported by the National Key Research and Development Program of China (Grant No. 2017YFB0802005, 2018YFB0804105), the National Natural Science Foundation of China (Grant Nos. 61602046 and 61932019), and the Young Elite Scientists Sponsorship Program by CAST (2016QNRC001). Yu Yu was also funded in part by the Anhui Initiative in Quantum Information Technologies (Grant number AHY150100). Shuoyao Zhao is funded by the privacy-preserving computation project from PlatON Network. We thank the anonymous reviewers of ASIACRYPT 2019 for their helpful comments.
A Proofs Omitted in the Main Body
A.1 Proof of Theorem 1
To prove that the graph in Fig. 4 is an \(\mathsf {EUG}_1(n)\), we need to show that any \(\mathsf {DAG}_1(n)=(V,E)\) can be edge-embedded into it. First, we sort the nodes of the given \(\mathsf {DAG}_1(n)\) in topological order: \(V_1,V_2,\ldots ,V_n\). The edge-embedding mapping \(\varrho \) is then defined by letting \(\varrho (V_i)\) be the i-th pole of the supernodes counted from top to bottom, or formally, the (i mod k)-th pole of \(\mathsf {SN}(k)_{\lceil \frac{i}{k}\rceil }\).

Each node \(V_i\) of the \(\mathsf {DAG}_1(n)\) may have a precursor node (denoted by \(V_i^{pre}\)) and a successor node (denoted by \(V_i^{suc}\)). We assign the \([V_i]_{in}\)-th input and the \([V_i]_{out}\)-th output of \(\mathsf {SN}(k)_{\lceil \frac{i}{k}\rceil }\) (namely \(in^{{\lceil \frac{i}{k}\rceil }}_{[V_i]_{in}}\) and \(out^{{\lceil \frac{i}{k}\rceil }}_{[V_i]_{out}}\)) to \(V_i\), such that \([V_i]_{in}=[V_i^{pre}]_{out}\), \([V_i]_{out}=[V_i^{suc}]_{in}\), and no input or output of any supernode is used twice. The method for this assignment can be found in [17].

Finally, for every edge \((V_i,V_j)\in E\) (with \(i<j\) due to the topological sorting), we give an edge-disjoint path from \(\varrho (V_i)\) to \(\varrho (V_j)\) as follows. Since \(V_i^{suc}=V_j\) and \(V_j^{pre}=V_i\), we have \([V_i]_{out}=[V_j]_{in}\), which means that \(out^{{\lceil \frac{i}{k}\rceil }}_{[V_i]_{out}}\) and \(in^{{\lceil \frac{j}{k}\rceil }}_{[V_j]_{in}}\) both lie in the same edge-universal graph \(\mathsf {EUG}_1({\lceil \frac{n}{k}\rceil }-1)_{[V_i]_{out}}\), so there is an edge-disjoint path from \(out^{{\lceil \frac{i}{k}\rceil }}_{[V_i]_{out}}\) to \(in^{{\lceil \frac{j}{k}\rceil }}_{[V_j]_{in}}\). As \(\mathsf {SN}(k)_{\lceil \frac{i}{k}\rceil }\) is a supernode, there must be an edge-disjoint path from \(\varrho (V_i)\) to \(out^{{\lceil \frac{i}{k}\rceil }}_{[V_i]_{out}}\). Similarly, an edge-disjoint path from \(in^{{\lceil \frac{j}{k}\rceil }}_{[V_j]_{in}}\) to \(\varrho (V_j)\) can also be found. We connect these three paths to complete the edge-embedding.
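The pole map \(\varrho \) and the port labels \([V_i]_{in}\), \([V_i]_{out}\) used in the proof above, as an added example that is not the paper's code. It assumes the \(\mathsf {DAG}_1(n)\) is given as an edge list over nodes already numbered in topological order, and builds the labels by a bipartite edge colouring with Kempe-chain swaps (an assumption of this example, not the method of [17]); edges between nodes of the same supernode are labelled the same way.

```python
def pole_of(i, k):
    """rho(V_i) = (index of supernode SN(k)_ceil(i/k), pole within it), 1-indexed."""
    return ((i - 1) // k + 1, (i - 1) % k + 1)

def assign_ports(k, edges):
    """Labels [V_i]_out / [V_j]_in in 1..k with [V_i]_out == [V_j]_in on every edge
    and no supernode port used twice.  Supernodes form the two sides (out-side,
    in-side) of a bipartite multigraph of max degree k; a k-edge-colouring of it
    is exactly such an assignment, and is built here by Kempe-chain swaps."""
    block = lambda v: (v - 1) // k + 1
    out_used, in_used, colour = {}, {}, {}  # (supernode, label) -> edge

    def flip(node, a, b):
        # Alternating path from in-side `node` (a-edge, b-edge, ...): out-side nodes are
        # entered only via a-edges, so it misses the one whose label a is free; swapping
        # a <-> b along it frees label a at `node` and keeps every port distinct.
        path, side, c = [], in_used, a
        while (node, c) in side:
            e = side[(node, c)]
            path.append(e)
            node = block(e[0]) if side is in_used else block(e[1])
            side = out_used if side is in_used else in_used
            c = b if c == a else a
        for e in path:
            del out_used[(block(e[0]), colour[e])], in_used[(block(e[1]), colour[e])]
        for e in path:
            colour[e] = b if colour[e] == a else a
            out_used[(block(e[0]), colour[e])] = in_used[(block(e[1]), colour[e])] = e

    for e in edges:
        i, j = e
        assert i < j, "edges must follow the topological order V_1, ..., V_n"
        a = next(c for c in range(1, k + 1) if (block(i), c) not in out_used)
        b = next(c for c in range(1, k + 1) if (block(j), c) not in in_used)
        if a != b:
            flip(block(j), a, b)  # now label a is free at both endpoints
        colour[e] = a
        out_used[(block(i), a)] = in_used[(block(j), a)] = e
    return ({i: colour[(i, j)] for (i, j) in edges},
            {j: colour[(i, j)] for (i, j) in edges})

def valid_assignment(k, edges, out_label, in_label):
    """Checks the proof's requirements: equal labels across each edge, distinct ports."""
    block = lambda v: (v - 1) // k + 1
    outs = {(block(i), out_label[i]) for (i, j) in edges}
    ins = {(block(j), in_label[j]) for (i, j) in edges}
    return (all(out_label[i] == in_label[j] for (i, j) in edges)
            and len(outs) == len(ins) == len(edges))

# Constructed sample DAG_1(12) (fan-in/fan-out <= 1), k = 4: supernodes hold 1-4, 5-8, 9-12.
SAMPLE_EDGES = [(1, 5), (5, 9), (2, 10), (6, 11), (3, 7), (4, 12)]
```

On the sample, the fourth edge (6, 11) already forces a Kempe-chain swap, since the smallest free output label of supernode 2 and the smallest free input label of supernode 3 differ.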
Copyright information
© 2019 International Association for Cryptologic Research
Cite this paper
Zhao, S., Yu, Y., Zhang, J., Liu, H. (2019). Valiant’s Universal Circuits Revisited: An Overall Improvement and a Lower Bound. In: Galbraith, S., Moriai, S. (eds) Advances in Cryptology – ASIACRYPT 2019. ASIACRYPT 2019. Lecture Notes in Computer Science(), vol 11921. Springer, Cham. https://doi.org/10.1007/978-3-030-34578-5_15
DOI: https://doi.org/10.1007/978-3-030-34578-5_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-34577-8
Online ISBN: 978-3-030-34578-5