New Ways to Garble Arithmetic Circuits

  • Conference paper
  • Advances in Cryptology – EUROCRYPT 2023 (EUROCRYPT 2023)
  • Part of the book series: Lecture Notes in Computer Science (LNCS, volume 14005)

Abstract

The beautiful work of Applebaum, Ishai, and Kushilevitz [FOCS’11] initiated the study of arithmetic variants of Yao’s garbled circuits. An arithmetic garbling scheme is an efficient transformation that converts an arithmetic circuit \(C: \mathcal {R}^n \rightarrow \mathcal {R}^m\) over a ring \(\mathcal {R}\) into a garbled circuit \(\widehat{C}\) and n affine functions \(L_i\) for \(i \in [n]\), such that \(\widehat{C}\) and \(L_i(x_i)\) reveal only the output C(x) and no other information about x. AIK presented the first arithmetic garbling scheme supporting computation over integers from a bounded (possibly exponentially large) range, based on Learning With Errors (LWE). In contrast, converting C into a Boolean circuit and applying Yao’s garbled circuit treats the inputs as bit strings instead of ring elements, and hence is not “arithmetic”.

In this work, we present new ways to garble arithmetic circuits, which improve the state-of-the-art on efficiency, modularity, and functionality. To measure efficiency, we define the rate of a garbling scheme as the maximal ratio between the bit-length of the garbled circuit \(|\widehat{C}|\) and that of the computation tableau \(|C|\ell \) in the clear, where \(\ell \) is the bit length of wire values (e.g., Yao’s garbled circuit has rate \(O(\lambda )\)).

  • We present the first constant-rate arithmetic garbled circuit for computation over large integers based on the Decisional Composite Residuosity (DCR) assumption, significantly improving the efficiency of the schemes of Applebaum, Ishai, and Kushilevitz.

  • We construct an arithmetic garbling scheme for modular computation over \(\mathcal {R}= \mathbb {Z}_p\) for any integer modulus p, based on either DCR or LWE. The DCR-based instantiation achieves rate \(O(\lambda )\) for large p. Furthermore, our construction is modular and makes black-box use of the underlying ring and a simple key extension gadget.

  • We describe a variant of the first scheme supporting arithmetic circuits over bounded integers that are augmented with Boolean computation (e.g., truncation of an integer value, and comparison between two values), while keeping the constant rate when garbling the arithmetic part.

To the best of our knowledge, constant-rate (Boolean or arithmetic) garbling was only achieved before using the powerful primitive of indistinguishability obfuscation, or for restricted circuits with small depth.

Notes

  1. There have been alternative approaches that rely on strong primitives such as a combination of fully homomorphic encryption and attribute-based encryption [9, 11, 15], or indistinguishability obfuscation [2]. These approaches however are much more complex than Yao’s garbling and less employed in applications. See Sect. 1.2 for more discussion.

  2. Note that this approach is entirely impractical for any reasonable input length due to the astronomical constants involved in fast multiplication.

  3. This scheme reduces to Yao’s garbling by first decomposing the input elements into a bit representation using CRT. As such, this approach works as long as the inputs are integers from a bounded range and the computation can be implemented using Boolean circuits.

  4. In Yao’s scheme, these labels may be chosen independently and uniformly at random. In the arithmetic setting, this is infeasible as the domain may be exponentially large.

  5. Note that while the evaluator can efficiently evaluate the garbled circuit from the bottom up (inputs to outputs), the garbler (as described here) proceeds from the top down: generating labels for the output wires and then recursively generating increasingly complex keys for the wire layers below.

  6. Similar ideas are found in the well-known “half-gates” construction [19] of Zahur, Rosulek, and Evans for garbling Boolean circuits comprised of XOR and AND gates.

  7. We do not need to protect \(s_2\) because the corresponding ciphertext can be simulated using the ciphertext encrypted under \(s_1\) and the output label \(\textbf{c}x + \textbf{d}\).

  8. Formally, \(\textsf{Lin}(\textbf{s}_1)\) smudges the uniform distribution over \(\{0,\dots ,N\}\) if \(\textsf{Lin}(\textbf{s}_1)\) and \(\textsf{Lin}(\textbf{s}_1)+u\) are statistically indistinguishable, where u is sampled from \(\{0,\dots ,N\}\).
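The smudging condition in Note 8 is easy to make concrete. The following is an added example (not code from the paper) that computes the exact statistical distance between a wide uniform distribution and its shifted copy. It assumes, purely for illustration, that \(\textsf{Lin}(\textbf{s}_1)\) is uniform over \(\{0,\dots,B\}\) with \(B \gg N\); the names `b_max`/`n_max` and the helper functions are the example's own. It covers both the worst-case fixed offset u (distance \(u/(B+1)\)) and the randomized u of the note (distance \(N/(2(B+1))\)), so the distance falls linearly as the smudging range grows.

```python
# Added illustration of the "smudging" condition from Note 8: a wide uniform
# distribution Lin(s_1) hides an additive term u drawn from {0, ..., N}.
# Assumption (not from the paper): Lin(s_1) is uniform over {0, ..., B}, B >> N.
from collections import Counter
from fractions import Fraction


def uniform(lo, hi):
    """Exact distribution of a uniform variable on {lo, ..., hi}: value -> probability."""
    n = hi - lo + 1
    return {v: Fraction(1, n) for v in range(lo, hi + 1)}


def shift(dist, u):
    """Distribution of X + u for one fixed (worst-case) offset u."""
    return {v + u: p for v, p in dist.items()}


def add_uniform_noise(dist, n_max):
    """Distribution of X + u where u is uniform on {0, ..., n_max}, independent of X."""
    out = Counter()
    p_u = Fraction(1, n_max + 1)
    for v, p in dist.items():
        for u in range(n_max + 1):
            out[v + u] += p * p_u
    return dict(out)


def statistical_distance(d1, d2):
    """Total-variation distance 1/2 * sum |d1(k) - d2(k)| over the union of supports."""
    support = set(d1) | set(d2)
    return sum(abs(d1.get(k, 0) - d2.get(k, 0)) for k in support) / 2


def fixed_shift_distance(b_max, u):
    """SD between U{0..B} and U{0..B} + u for a fixed u; equals u / (B + 1)."""
    base = uniform(0, b_max)
    return statistical_distance(base, shift(base, u))


def smudging_distance(b_max, n_max):
    """SD between Lin(s_1) = U{0..B} and Lin(s_1) + u with u uniform on {0..N}."""
    base = uniform(0, b_max)
    return statistical_distance(base, add_uniform_noise(base, n_max))


def smudging_closed_form(b_max, n_max):
    """Closed form N / (2 (B + 1)) of smudging_distance, valid for N <= B."""
    return Fraction(n_max, 2 * (b_max + 1))


if __name__ == "__main__":
    n_max = 9  # the term to hide is uniform on {0, ..., 9}
    for b_max in (9, 99, 999, 9999):
        fixed = float(fixed_shift_distance(b_max, n_max))
        rand = float(smudging_distance(b_max, n_max))
        print(f"B={b_max:>5}  worst-case u={n_max}: {fixed:.6f}  random u: {rand:.6f}")
```

Only the two ends of the support differ, which is why the distance is exactly \(N/(2(B+1))\): to make u statistically hidden up to \(2^{-\lambda}\), the smudging range must be about \(2^{\lambda}\) times wider than the range of u.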

References

  1. Abram, D., Damgård, I., Orlandi, C., Scholl, P.: An algebraic framework for silent preprocessing with trustless setup and active security. In: Dodis, Y., Shrimpton, T. (eds.) CRYPTO 2022, Part IV. LNCS, vol. 13510, pp. 421–452. Springer, Cham (2022). https://doi.org/10.1007/978-3-031-15985-5_15

  2. Ananth, P., Jain, A., Sahai, A.: Indistinguishability obfuscation for Turing machines: constant overhead and amortization. In: Katz, J., Shacham, H. (eds.) CRYPTO 2017, Part II. LNCS, vol. 10402, pp. 252–279. Springer, Heidelberg (2017). https://doi.org/10.1007/978-3-319-63715-0_9

  3. Applebaum, B., Avron, J., Brzuska, C.: Arithmetic cryptography: extended abstract. In: Roughgarden, T. (ed.) ITCS 2015, pp. 143–151. ACM (2015). https://doi.org/10.1145/2688073.2688114

  4. Applebaum, B., Ishai, Y., Kushilevitz, E.: Cryptography in NC\(^0\). In: 45th FOCS, pp. 166–175. IEEE (2004). https://doi.org/10.1109/FOCS.2004.20

  5. Applebaum, B., Ishai, Y., Kushilevitz, E.: How to garble arithmetic circuits. In: Ostrovsky, R. (ed.) 52nd FOCS, pp. 120–129. IEEE (2011). https://doi.org/10.1109/FOCS.2011.40

  6. Applebaum, B., Ishai, Y., Kushilevitz, E., Waters, B.: Encoding functions with constant online rate or how to compress garbled circuits keys. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 166–184. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_10

  7. Ball, M., Carmer, B., Malkin, T., Rosulek, M., Schimanski, N.: Garbled neural networks are practical. IACR Cryptol. ePrint Arch., 338 (2019)

  8. Ball, M., Malkin, T., Rosulek, M.: Garbling gadgets for Boolean and arithmetic circuits. In: Weippl, E.R., Katzenbeisser, S., Kruegel, C., Myers, A.C., Halevi, S. (eds.) ACM CCS 2016, pp. 565–577. ACM Press (2016). https://doi.org/10.1145/2976749.2978410

  9. Boneh, D., et al.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-642-55220-5_30

  10. Damgård, I., Jurik, M.: A generalisation, a simplification and some applications of Paillier’s probabilistic public-key system. In: Kim, K. (ed.) PKC 2001. LNCS, vol. 1992, pp. 119–136. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-44586-2_9

  11. Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: How to run Turing machines on encrypted data. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 536–553. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-40084-1_30

  12. Harvey, D., van der Hoeven, J.: Integer multiplication in time O(n log n). Ann. Math. 193(2), 563–617 (2021)

  13. Ishai, Y., Wee, H.: Partial garbling schemes and their applications. In: Esparza, J., Fraigniaud, P., Husfeldt, T., Koutsoupias, E. (eds.) ICALP 2014, Part I. LNCS, vol. 8572, pp. 650–662. Springer, Heidelberg (2014). https://doi.org/10.1007/978-3-662-43948-7_54

  14. Kolesnikov, V., Schneider, T.: Improved garbled circuit: free XOR gates and applications. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008. LNCS, vol. 5126, pp. 486–498. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-70583-3_40

  15. Li, H., Lin, H., Luo, J.: ABE for circuits with constant-size secret keys and adaptive security. IACR Cryptol. ePrint Arch., 659 (2022). https://eprint.iacr.org/2022/659

  16. Paillier, P.: Public-key cryptosystems based on composite degree residuosity classes. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 223–238. Springer, Heidelberg (1999). https://doi.org/10.1007/3-540-48910-X_16

  17. Rosulek, M., Roy, L.: Three halves make a whole? Beating the half-gates lower bound for garbled circuits. In: Malkin, T., Peikert, C. (eds.) CRYPTO 2021, Part I. LNCS, vol. 12825, pp. 94–124. Springer, Cham (2021). https://doi.org/10.1007/978-3-030-84242-0_5

  18. Yao, A.C.C.: Protocols for secure computations (extended abstract). In: 23rd FOCS, pp. 160–164. IEEE (1982). https://doi.org/10.1109/SFCS.1982.38

  19. Zahur, S., Rosulek, M., Evans, D.: Two halves make a whole. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015, Part II. LNCS, vol. 9057, pp. 220–250. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46803-6_8

Acknowledgement

The authors would like to thank the anonymous Eurocrypt reviewers for their valuable and insightful comments.

Huijia Lin and Hanjun Li were supported by NSF grants CNS-1936825 (CAREER), CNS-2026774, a JP Morgan AI research Award, a Cisco research award, and a Simons Collaboration on the Theory of Algorithmic Fairness.

Corresponding author

Correspondence to Hanjun Li.

Copyright information

© 2023 International Association for Cryptologic Research

Cite this paper

Ball, M., Li, H., Lin, H., Liu, T. (2023). New Ways to Garble Arithmetic Circuits. In: Hazay, C., Stam, M. (eds) Advances in Cryptology – EUROCRYPT 2023. EUROCRYPT 2023. Lecture Notes in Computer Science, vol 14005. Springer, Cham. https://doi.org/10.1007/978-3-031-30617-4_1

  • DOI: https://doi.org/10.1007/978-3-031-30617-4_1

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-30616-7

  • Online ISBN: 978-3-031-30617-4