1 Introduction

Garbled Circuits. A garbling scheme [Yao82, Yao86] can be used to garble a circuit C and an input x to derive a garbled circuit \(\widetilde{C}\) and a garbled input \(\tilde{x}\). It’s possible to evaluate \(\widetilde{C}\) on \(\tilde{x}\) and get the correct output C(x). However, the garbled values \(\widetilde{C},\tilde{x}\) should not reveal anything else beyond this. In many applications, the garbled circuit \(\widetilde{C}\) can be computed in an off-line pre-processing phase before the input is known and therefore we are not overly concerned with the efficiency of this procedure. On the other hand, once the input x becomes available in the on-line phase, creating the garbled input \(\tilde{x}\) should be extremely efficient. Therefore, the main efficiency measure that we consider here is the on-line complexity of a garbling scheme, which is the time it takes to garble an input x, and hence also a bound on the size of \(\tilde{x}\).

Security of Garbled Circuits. There are several natural notions of garbled circuit security that one can consider.

Firstly, we can consider either selective or adaptive security. For selective security, we consider a scenario where the adversary chooses the circuit C and the input x first and only then gets the garbled versions \(\widetilde{C},\tilde{x}\). For adaptive security, we consider a scenario where the adversary first gets the garbled circuit \(\widetilde{C}\) and can then adaptively chooses the input x to be garbled. Adaptive security is the natural notion in the on-line/off-line setting where we envision the garbled circuit to be created first in an earlier stage before the input is selected.

Secondly, we can consider either simulation-based or indistinguishability-based definitions of security. In the simulation-based setting, we require that the garbled circuit and the garbled input can be simulated given only the output of the computation and the topology of the circuit. In the indistinguishability-based setting, we require that the adversary cannot distinguish between a garbling of \(C_0,x_0\) or \(C_1,x_1\) as long as \(C_0(x_0) = C_1(x_1)\) and \(C_0,C_1\) have the same topology.

Prior Work. Yao’s construction of garbled circuits under one-way functions already achieves essentially optimal on-line complexity, where the time to garble an input x and the size of \(\tilde{x}\) are only linear in the input size |x|, independent of the circuit size.Footnote 1 However, it was only shown to satisfy selective simulation-based security [LP09].

Recently, the work of Hemenway et al. [HJO+16] showed how to modify Yao’s construction and get adaptive simulation-based security under one-way functions. The on-line complexity of their scheme depends linearly on a certain “pebble complexityt of the circuit, its input size n and output size m. Furthermore, they showed that the pebble complexity t is upper bounded by the circuit width which is in turn bounded by the space complexity of the computation. The work of [JW16] also shows that even Yao’s original garbled circuit construction already achieves adaptive simulation-based security via reduction with a \(2^t\) security loss as long as the mapping between output labels and the bits they represent is only given in the garbled input.

In both of the above works, the online complexity is always at least as large as the output size m. The work of Applebaum et al. [AIKW13] (see also [HW15]) gives a lower bound showing that this is inherent for adaptive simulation-secure garbled circuits.

Our Results. In this work, we show how to construct adaptively secure garbling schemes based on one-way functions, where the on-line complexity of our scheme can be smaller than the output size of the circuit. This necessarily requires us to give up on simulation-based security and instead we achieve indistinguishability-based security. In more detail, we propose a new garbling scheme which builds on top of the ideas of [HJO+16] but essentially removes the output size dependence in their construction, making the on-line complexity only linear in the pebble complexity t and the input size n, but independent of the output size m.

As an application of the above result, we consider the scenario where we garble a circuit C which consists of many disjoint boolean sub-circuits \(C_1,\ldots ,C_\ell \) which all take the same input x but do not share any other wires/gates except for the input wires. In that case, although the output size of C is \(\ell \) (which we think of as large) the pebble complexity of C is just \(t = \max \{t_i\}\) where \(t_i\) denote the pebble complexities of the individual circuits \(C_i\), and therefore is independent of the number of circuits \(\ell \). We can also think of the above as allowing us to construct an adaptively indistinguishable private-key functional encryption (FE) scheme by thinking of the garbled versions of the circuits \(C_i\) as function secret keys and the garbled input as a ciphertext. The size of the ciphertext is linear in the size of the input x and the maximal pebble complexity of the individual functions, which we can bound by their space complexity, but is independent of the number of function secret keys \(\ell \) or even their circuit size.

Finally it bears mentioning that an adaptively indistinguishable scheme is also adaptively secure under the simulation-based security definition for any efficiently invertible function.Footnote 2 Therefore for this class of functions our construction provides a simulation-based adaptively secure garbling scheme with online complexity independent of the output size.

1.1 Our Techniques

Before we can explain our techniques, we first review Yao’s garbled circuit construction, the issue with adaptive security and the technique of [HJO+16]. The discussion below is adapted from [HJO+16].

Yao’s Scheme. First, let’s start by recalling Yao’s garbled circuits. For each wire w in the circuit, we pick two keys \(k^0_w, k^1_w\) for a symmetric-key encryption scheme. For each gate in the circuit computing a function \(g:\{0,1\}^2 \rightarrow \{0,1\}\) and having input wires ab and output wire c we create a garbled gate consisting of 4 randomly ordered ciphertexts created as:

$$\begin{aligned} \begin{array}{ccc} c_{0,0} = \mathsf {Enc}_{k^{0}_a}(\mathsf {Enc}_{k^{0}_b}( k^{g(0,0)}_c)) &{}\quad &{} c_{1,0} = \mathsf {Enc}_{k^{1}_a}(\mathsf {Enc}_{k^{0}_b}( k^{g(1,0)}_c)),\\ c_{0,1} = \mathsf {Enc}_{k^{0}_a}(\mathsf {Enc}_{k^{1}_b}( k^{g(0,1)}_c)) &{}\quad &{} c_{1,1} = \mathsf {Enc}_{k^{1}_a}(\mathsf {Enc}_{k^{1}_b}( k^{g(1,1)}_c)) \end{array} \end{aligned}$$
(1)

where \((\mathsf {Enc},\mathsf {Dec})\) is a CPA-secure encryption scheme. The garbled circuit \(\widetilde{C}\) consists of all of the gabled gates, along with an output map

$$\begin{aligned} \{k^0_w \rightarrow 0, k^1_w \rightarrow 1\} \end{aligned}$$

which maps the keys to the bits they represent for each output wire w. To garble an n-bit value \(x = x_1x_2\cdots x_n\), the garbled input \(\tilde{x}\) consists of the keys \(k_{w_i}^{x_i}\) for the n input wires \(w_i\).

To evaluate the garbled circuit on the garbled input, it’s possible to decrypt exactly one ciphertext in each garbled gate and get the key \(k_w^{v(w)}\) corresponding to the bit v(w) going over the wire w during the computation C(x). Once the keys for the output wires are computed, it’s possible to recover the actual output bits by looking them up in the output map.

To prove the selective simulation-based security of Yao’s scheme, we have a simulator that gets the output \(y = y_1y_2 \cdots y_m = C(x)\) and must produce \(\widetilde{C}\), \(\tilde{x}\). The simulator picks random keys \(k^0_1, k^1_w\) for each wire w just like the real scheme, but it creates the garbled gates as follows:

$$\begin{aligned} \begin{array}{ccc} c_{0,0} = \mathsf {Enc}_{k^{0}_a}(\mathsf {Enc}_{k^{0}_b}( k^{0}_c)) &{}\quad &{} c_{1,0} = \mathsf {Enc}_{k^{1}_a}(\mathsf {Enc}_{k^{0}_b}( k^{0}_c)),\\ c_{0,1} = \mathsf {Enc}_{k^{0}_a}(\mathsf {Enc}_{k^{1}_b}( k^{0}_c)) &{}\quad &{} c_{1,1} = \mathsf {Enc}_{k^{1}_a}(\mathsf {Enc}_{k^{1}_b}( k^{0}_c)) \end{array} \end{aligned}$$
(2)

where all four ciphertext encrypt the same key \(k^0_c\). It then sets the output map as \(\{k^0_w \rightarrow y_w, k^1_w \rightarrow 1 - y_w\}\) by “programming it” so that the key \(k^0_w\) corresponds to the correct output bit \(y_w\) for each output wire w. This defines the simulated garbled circuit \(\widetilde{C}\). To create the simulated garbled input \(\tilde{x}\) the simulator simply gives out the keys \(k^0_w\) for each input wire w. Note that, when evaluating the simulated garbled circuit on the simulated garbled input, the adversary only sees the keys \(k^0_w\) for every wire w.

Proof of Security and Issues with Adaptivity. There are two main issues with proving adaptive security of Yao’s construction.

The first issue is that, in the simulation-based security setting, the simulator now cannot “program” the output map since it is given as part of the garbled circuit before the output \(y_1,\ldots ,y_m\) is defined. This can be fixed by modifying the construction and moving the output map from the garbled circuit to the garbled input, at the cost of raising the on-line complexity to depend on the output size. In the simulation-based setting we know this to be inherent, but one could hope to avoid this in the indistinguishability-based setting.

The second and more serious issue is the sequence of hybrids used to prove security. At a high level, the selective proof proceeds via a series of carefully defined hybrid games that switch the distribution of one garbled gate at a time, starting with the input level and proceeding up the circuit level by level. In addition to the two modes of creating garbled gates defined above, we also define an additional mode where the garbled gate is set to:

$$\begin{aligned} \begin{array}{ccc} c_{0,0} = \mathsf {Enc}_{k^{0}_a}(\mathsf {Enc}_{k^{0}_b}( k^{v(c)}_c)) &{}\quad &{} c_{1,0} = \mathsf {Enc}_{k^{1}_a}(\mathsf {Enc}_{k^{0}_b}( k^{v(c)}_c)),\\ c_{0,1} = \mathsf {Enc}_{k^{0}_a}(\mathsf {Enc}_{k^{1}_b}( k^{v(c)}_c)) &{}\quad &{} c_{1,1} = \mathsf {Enc}_{k^{1}_a}(\mathsf {Enc}_{k^{1}_b}( k^{v(c)}_c)) \end{array} \end{aligned}$$
(3)

where v(c) is the correct value of the bit going over the wire c during the computation of C(x). Let us give names to the three modes for creating garbled gates that we defined above: (1) is called \(\mathsf {RealGate}\) mode, (2) is called \(\mathsf {SimGate}\) mode, and (3) is called \(\mathsf {InputDepSimGate}\) mode, since the way that it is defined depends adaptively on the choice of the input x. The proof of selective security of Yao’s garbled circuits proceeds in a sequence of hybrids where the way we garble a gate goes from \(\mathsf {RealGate}\) mode to \(\mathsf {InputDepSimGate}\) mode to \(\mathsf {SimGate}\) mode in some carefully chosen order. The problem with adapting this technique to the adaptive setting is that the \(\mathsf {InputDepSimGate}\) mode is not (even syntactically) well defined; in this mode the way that we garble the gate depends on the value that the output wire takes on during the computation C(x) but in the adaptive setting the input x is not yet defined when we create the garbled circuit.

The Technique of [HJO+16]. Essentially, the work of [HJO+16] proves adaptive security by leveraging two ideas.

Firstly, they encrypt the entire Yao garbled circuit under an additional layer of encryption using a special “somewhere equivocal encryption scheme”, and give the decryption key as part of the garbled input. Such a scheme can be used to create a simulated ciphertext given only some but not all of the plaintext blocks (think of the unknown blocks as “holes”) and later create a secret key that decrypts all the known blocks correctly but “plugs the holes” with arbitrarily specified values. The size of the secret key only depends on the number of holes and not the entire size of the plaintext. By leveraging this type of encryption, they can define hybrid games where some of the gates are in \(\mathsf {InputDepSimGate}\) mode (which is not well defined when the circuit is created) by putting “holes” in place of all such gates when creating the garbled circuit and then coming up with a decryption key that opens the holes to the correct value when creating the garbled input (at which point \(\mathsf {InputDepSimGate}\) is well defined).

Secondly, the above idea requires the number of holes (and therefore the size of the garbled input) to scale with the number of gates in \(\mathsf {InputDepSimGate}\) mode in any hybrid. Therefore, to get a non-trivial result, we need a sequence of hybrids that minimizes the number of gates in \(\mathsf {InputDepSimGate}\) mode at any point in time. Recall that we start with all gates in \(\mathsf {RealGate}\) mode and want to end with all gates in \(\mathsf {SimGate}\) mode. We are allowed to make the following changes:

  • We can change a gate from \(\mathsf {RealGate}\) to \(\mathsf {InputDepSimGate}\) (and back) as long as its predecessors are in \(\mathsf {InputDepSimGate}\) mode (or it is at the input level). This is because, in this case, only one of the keys for each input wire appears in the game.

  • We can change a gate from \(\mathsf {InputDepSimGate}\) to \(\mathsf {SimGate}\) (and back) as long as all of its successors are in \(\mathsf {SimGate}\) mode (or it is at the output level). This is because the two keys associated with the output wire are used interchangeably in the game.

The work of [HJO+16] connects the above with a pebbling game over the circuit, where the goal is to change all the gates from \(\mathsf {RealGate}\) to \(\mathsf {SimGate}\) subject to the above rules while minimizing the number of gates in \(\mathsf {InputDepSimGate}\) mode at any point in time: this latter number is defined to be the pebble complexity of the circuit. For example, they show that the pebble complexity of a circuit is bounded by its width which in turn corresponds to the space complexity of the computation. The size of the garbled input in their scheme is the maximum of the pebble complexity of the circuit and the input/output size.

Our Construction and Proof Technique. One could hope to get rid of output dependence in the construction of [HJO+16] by simply sending the output map (the mapping between the keys of the output wires and the bits they represent) with the garbled circuit rather than with the garbled input. Although we know that such a construction cannot achieve adaptive simulation security, one could conjecture it to achieve adaptive indistinguishability security. Unfortunately, we do not know how to prove such a construction secure. Essentially, the issue is that the only reason we can change output gates from \(\mathsf {InputDepSimGate}\) to \(\mathsf {SimGate}\) in the proof of [HJO+16] is that we can “program” the output map after the actual output of the computation is known; if the output map is sent with the garbled circuit this is no longer possible. Instead, we come up with a modified construction which we are able to prove secure.

Our new garbling construction leverages that of [HJO+16] and proceeds as follows. To garble a circuit C we use the scheme of [HJO+16] and garble two copies of C completely independently: we call the resulting garbled circuits \(\mathsf {C_L}, \mathsf {C_R}\). These are just Yao garbled circuits (without an output map) encrypted under an additional layer of somewhere equivocal encryption. We choose one of the two garbled circuits at random to be the “active” one: \(\mathsf {active}\leftarrow \{L,R\}\). Then we merge the two garbled circuits by creating a layer of garbled “selection gates” (s-gates): for each output bit \(i \in [m]\) we create an s-gate that takes the i’th output wire from both garbled circuits, and outputs the value on the wire coming from the active circuit (the output of the garbled s-gate is a bit in the clear rather than a wire key). The garbled circuit consists of \(\widetilde{C}= (\mathsf {C_L}, \mathsf {C_R}, \widetilde{\mathsf {sgate}})\). To garbled an input x we use the scheme of [HJO+16] to garble two copies of it for the left and right garbled circuit. The evaluation procedure does the natural thing by evaluating both \(\mathsf {C_L}, \mathsf {C_R}\) respectively, and using the output wire keys on the garbled s-gates to recover the output bits in the clear. Ideas similar to the use of two circuits along with a selection layer have appeared in prior works, e.g., [PST14].

To prove security, we consider an adversary that chooses \(C_0,C_1\), gets a garbled version of \(C_b\), then adaptively chooses \(x_0,x_1\) such that \(C_0(x_0)=C_1(x_1)\), and gets a garbled version of \(x_b\). We want to show that the adversary cannot distinguish between \(b=0\) and \(b=1\). We show security via the following sequence of hybrids.

  1. 1.

    We start with the security game where the challenge bit is \(b=0\). In this case, both \(\mathsf {C_L}, \mathsf {C_R}\) garble \(C_0\) and both garbled inputs correspond to \(x_0\). Let \(\mathsf {active}\in \{L,R\}\) be the identity of the active circuit. We use the notation \(\mathsf {C_{active}}, \mathsf {C_{passive}}\) to denote the active and passive garbled circuits respectively.

  2. 2.

    We change the passive garbled circuit \(\mathsf {C_{passive}}\) and the garbled input for it to be simulated. This change essentially follows the proof of [HJO+16]. In particular, we rely on the fact that the keys associated with the bits 0 and 1 for the output wires of \(\mathsf {C_{passive}}\) are used symmetrically by the s-gates (since the s-gates are ignoring the output of the passive circuit) and therefore we can safely change the garbled output gates of \(\mathsf {C_{passive}}\) from \(\mathsf {InputDepSimGate}\) to \(\mathsf {SimGate}\).

  3. 3.

    We change the passive garbled circuit \(\mathsf {C_{passive}}\) and the garbled input for it from being simulated to being a garbling of \(C_1,x_1\). This follows from the same argument as the previous step.

  4. 4.

    We now modify the s-gates one-by-one to output the value of the passive circuit instead of the active circuit. This is the most delicate part of the proof. It essentially follows via a sequence of steps where, for each output \(i \in [m]\), we use the proof strategy of [HJO+16] to change the i’th output gate of both \(\mathsf {C_{active}}, \mathsf {C_{passive}}\) to be in \(\mathsf {InputDepSimGate}\) mode. This means that these garbled gates aren’t really created until the on-line phase when the garbled input is given out. Furthermore, when they are created in the on-line phase, each of these garbled gates only contains one key for the output wire corresponding to the correct bit going over that wire during the computation (either both corresponding to 0 or both to 1 since \(C_0(x_0)=C_1(x_1)\)). This allows us to change the encrypted value in 2 out 4 of the ciphertexts in the garbled s-gate so as to switch it from outputting the value of the active circuit to the one of the passive circuit.

  5. 5.

    We now repeat steps 2 and 3 for \(\mathsf {C_{active}}\) to switch it from a garbling \(C_0,x_0\), to simulated, to a garbling of \(C_1,x_1\). Finally, we are left with the original security game with the challenge bit \(b=1\).

The above steps – except for step 4 – rely on the adaptive security of the underlying garbling scheme in a blackbox manner. It remains an open problem whether it is possible to show a more general transformation from garbled circuits with adaptive security (and maybe other natural properties) to garbled circuits with indistinguishability based adaptive security and online complexity independent of the output size.

2 Preliminaries

General Notation. For a positive integer n, we define the set \([n] := \{1,\ldots ,n\}\). We use the notation \(x \leftarrow X\) for the process of sampling a value x according to the distribution X. For a vector \(\overline{m}=(m_1,m_2,\cdots ,m_n)\), and a subset \(P\subset [n]\), we use \((m_i)_{i\in P}\) to denote a vector containing only the values \(m_i\) in positions \(i \in P\) and \(\bot \) symbols in all other positions. We use \((m_i)_{i\notin P}\) as shorthand for \((m_i)_{i\in [n]\setminus P}\).

Circuit Notation. A boolean circuit C consists of gates \(\mathsf {gate}_1,\ldots ,\mathsf {gate}_q\) and wires \(w_1, w_2, \ldots ,w_{p}\). A gate is defined by the tuple \(\mathsf {gate}_i = (g, w_{{{a}}}, w_{{{b}}}, w_{{{c}}})\) where \(g~:~ \{0,1\}^2 \rightarrow \{0,1\}\) is the function computed by the gate, \(w_{{{a}}}, w_{{{b}}}\) are the incoming wires, and \(w_{{{c}}}\) is the outgoing wire. Although each gate has a unique outgoing wire \(w_c\), this wire can be used as an incoming wire to several different gates and therefore this models a circuit with fan-in 2 and unbounded fan-out. We let q denote the number of gates in the circuit, n denotes the number of input wires and m denote the number of output wires. The total number of wires is \(p= n+q\) (since each wire can either be input wire or an outgoing wire of some gate). For convenience, we denote the n input wires by \({\mathsf {in}_1}, \ldots , {\mathsf {in}_n}\) and the m output wires by \({\mathsf {out}_1}, \ldots , {\mathsf {out}_m}\). For \(x \in \{0,1\}^n\) we write C(x) to denote the output of evaluating the circuit C on input x.

Definition 1

Two distributions X and Y are \((T,\varepsilon )\)-indistinguishable, denote \({\mathbf {D}}_{{\tiny {T}}}\left[ {X,Y}\right] =\varepsilon \) if for any probabilistic algorithm \(\mathcal {A}\), running in time T,

$$\begin{aligned}\left| \Pr \left[ \mathcal {A}(X)=1 \right] -\Pr \left[ \mathcal {A}(Y)=1 \right] \right| \le \varepsilon . \end{aligned}$$

For two games \(\mathrm{G}\textsc {ame}\) and \(\mathrm{G}\textsc {ame}'\) we say they are \((T(\lambda ),\varepsilon (\lambda ))\)- indistinguishable, \({\mathbf {D}}_{{\tiny {T(\lambda )}}}\left[ {\mathrm{G}\textsc {ame},\mathrm{G}\textsc {ame}'}\right] =\varepsilon (\lambda )\), if for any adversary \(\mathcal {A}\) running in time \(T(\lambda )\),

$$\begin{aligned}\left| \Pr \left[ \mathrm{G}\textsc {ame}_{\mathcal {A}}=1 \right] -\Pr \left[ \mathrm{G}\textsc {ame}'_{\mathcal {A}}=1 \right] \right| \le \varepsilon (\lambda ). \end{aligned}$$

Let games \(\mathrm{G}\textsc {ame}(\lambda )\) and \(\mathrm{G}\textsc {ame}'(\lambda )\) be parametrized by the security parameter \(\lambda \). If for any polynomial function \(T(\lambda )\), there exists a negligible function \(\varepsilon (\lambda )\), such that for all \(\lambda \), \({\mathbf {D}}_{{\tiny {T(\lambda )}}}\left[ {\mathrm{G}\textsc {ame}(\lambda ),\mathrm{G}\textsc {ame}'(\lambda )}\right] \le \varepsilon (\lambda ),\) we say the two games are computationally indistinguishable and denote this by \(\mathrm{G}\textsc {ame}(\lambda ) {\mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}}\mathrm{G}\textsc {ame}'(\lambda )\).

We say C is leveled, if each gate has an associated level and any gate at level \(l\) has incoming wires only from gates at level \(l-1\) and outgoing wires only to gates at level \(l+1\). We let the depth \(d\) denote the number of levels and the width \(w\) denote the maximum number of gates in any level.

A circuit C is fully specified by a list of gate tuples \(\mathsf {gate}_i = (g, w_{{{a}}}, w_{{{b}}}, w_{{{c}}})\). We use \(\varPhi (C)\) to refer to the topology of a circuit - which indicates how gates are connected, without specifying the function implement by each gate. In other words, \(\varPhi (C)\) is the list of sanitized gate tuples \(\widehat{\mathsf {gate}}_i = (\bot , w_{{{a}}}, w_{{{b}}}, w_{{{c}}})\) where the function g that the gate implements is removed from the tuple.

3 Definitions

The bulk of this section defining what garbled circuits are and presenting Yao’s construction, is taken verbatim from [HJO+16]. We now give a formal definition of a garbling scheme. There are many variants of such definitions in the literature, and we refer the reader to [BHR12] for a comprehensive treatment.

Definition 2

A Garbling Scheme is a tuple of PPT algorithms \(\mathsf {GC}=(\mathsf {GCircuit},\) \(\mathsf {GInput}, \mathsf {Eval})\) such that:

  • \((\widetilde{C}, k) {\mathop {\leftarrow }\limits ^{\$}}\mathsf {GCircuit}(1^\lambda , C)\): takes as input a security parameter \(\lambda \), a circuit \(C:\{0,1\}^{n}\rightarrow \{0,1\}^{m}\), and outputs the garbled circuit \(\widetilde{C}\), and key \(k\).

  • \({\tilde{x}}\leftarrow \mathsf {GInput}(k, x)\): takes as input, \(x\in \{0,1\}^{n}\), and key \(k\) and outputs \({\tilde{x}}\).

  • \(y = \mathsf {Eval}(\widetilde{C}, {\tilde{x}})\): given a garbled circuit \(\widetilde{C}\) and a garbled input \({\tilde{x}}\) output \(y\in \{0,1\}^{m}\).

Correctness. There is a negligible function \(\nu \) such that for any \(\lambda \in \mathbb {N}\), any circuit C and input x it holds that \( \Pr [C(x) = \mathsf {Eval}(\widetilde{C}, {\tilde{x}})] = 1 - \nu (\lambda )\), where \((\widetilde{C},k) \leftarrow \mathsf {GCircuit}(1^\lambda , C)\), \({\tilde{x}}\leftarrow \mathsf {GInput}(k, x)\).

Adaptive Security (Based on Simulation). There exists a PPT simulator \(\mathsf {Sim}=(\mathsf {SimC},\mathsf {SimIn})\) such that, for any PPT adversary \(\mathcal {A}\), there exists a negligible function \(\varepsilon \) such that:

$$\begin{aligned}\Pr [\mathsf {Exp}^{\mathsf {adaptive}}_{\mathcal {A},\mathsf {GC},\mathsf {Sim}}({\lambda },0)=1] -\Pr [\mathsf {Exp}^{\mathsf {adaptive}}_{\mathcal {A},\mathsf {GC},\mathsf {Sim}}({\lambda },1)=1] \le \varepsilon (\lambda )\end{aligned}$$

where the experiment \(\mathsf {Exp}^{\mathsf {adaptive}}_{\mathcal {A},\mathsf {GC},\mathsf {Sim}}(\lambda ,b)\) is defined as follows:

  1. 1.

    The adversary \(\mathcal {A}\) specifies C and gets \(\widetilde{C}\) where \(\widetilde{C}\) is created as follows:

    • if \(b=0\): \((\widetilde{C},k) \leftarrow \mathsf {GCircuit}(1^\lambda , C)\),

    • if \(b=1\): \((\widetilde{C},{\mathsf {state}}) \leftarrow \mathsf {SimC}(1^\lambda , \varPhi (C))\).

  2. 2.

    The adversary \(\mathcal {A}\) specifies x and gets \({\tilde{x}} \) created as follows:

    • if \(b=0\), \({\tilde{x}} \leftarrow \mathsf {GInput}(k, x)\),

    • if \(b=1\), \({\tilde{x}}\leftarrow \mathsf {SimIn}(C(x), {\mathsf {state}})\).

  3. 3.

    Finally, the adversary outputs a bit \(b'\), which is the output of the experiment.

In other words, we say \(\mathsf {GC}\) is adaptively secure if

$$\begin{aligned}{\mathbf {D}}_{{\tiny {T(\lambda )}}}\left[ {\mathsf {Exp}^{\mathsf {adaptive}}_{\mathsf {GC},\mathsf {Sim}}({\lambda },0),\mathsf {Exp}^{\mathsf {adaptive}}_{\mathsf {GC},\mathsf {Sim}}({\lambda },1)}\right] =\varepsilon (\lambda ).\end{aligned}$$

Adaptive Security (Based on Indistinguishability). For any PPT adversary \(\mathcal {A}\), there exists a negligible function \(\varepsilon \) such that:

$$\begin{aligned} \Pr [\mathsf {Exp}^{\mathsf {adaptive}}_{\mathcal {A},\mathsf {GC},\mathsf {Ind}}({\lambda },0)=1] -\Pr [\mathsf {Exp}^{\mathsf {adaptive}}_{\mathcal {A},\mathsf {GC},\mathsf {Ind}}({\lambda },1)=1] \le \varepsilon (\lambda ) \end{aligned}$$

where the experiment \(\mathsf {Exp}^{\mathsf {adaptive}}_{\mathcal {A},\varPi ,\mathsf {Ind}}(\lambda ,b)\) is defined as follows:

  1. 1.

    \(\mathcal {A}\) specifies two circuits \(C_0, C_1\) of the same topology, and gets back \(\widetilde{C}_b \leftarrow \) \( \mathsf {GCircuit}(1^\lambda , C_b)\).

  2. 2.

    \(\mathcal {A}\) specifies \(x_0, x_1\) such that \(C_0(x_0)=C_1(x_1)\) and gets \({\tilde{x}_b} \leftarrow \mathsf {GInput}(k, x_b)\).

  3. 3.

    Finally, the adversary outputs a bit \(b'\), which is the output of the experiment.

In other words, we say \(\mathsf {GC}\) is adaptively indistinguishable if

$$\begin{aligned}{\mathbf {D}}_{{\tiny {T(\lambda )}}}\left[ {\mathsf {Exp}^{\mathsf {adaptive}}_{\mathsf {GC},\mathsf {Ind}}({\lambda },0),\mathsf {Exp}^{\mathsf {adaptive}}_{\mathsf {GC},\mathsf {Ind}}({\lambda },1)}\right] =\varepsilon (\lambda ).\end{aligned}$$

On-line Complexity. The time it takes to garble an input x, (i.e., time complexity of \(\mathsf {GInput}(\cdot , \cdot )\)) is the on-line complexity of the scheme. Clearly the on-line complexity of the scheme gives a bound on the size of the garbled input \(\tilde{x}\). Ideally, the on-line complexity should be much smaller than the circuit size |C|.

Projective Scheme. We say a garbling scheme is projective if each bit of the garbled input \(\tilde{x}\) only depends on one bit of the actual input x. In other words, each bit of the input, is garbled independently of other bits of the input. Projective schemes are essential for two-party computation where the garbled input is transmitted using an oblivious transfer (OT) protocol. Our constructions will be projective.

Hiding Topology. A garbling scheme that satisfies the above security definition may reveal the topology of the circuit C. However, there is a way to transform any such garbling scheme into one that hides everything, including the topology of the circuit, without a significant asymptotic efficiency loss. More precisely, we rely on the fact that there is a function \(\mathsf {HideTopo}(\cdot )\) that takes a circuit C as input and outputs a functionally equivalent circuit \(C'\), such that for any two circuits \(C_1,C_2\) of equal size, if \(C_1' = \mathsf {HideTopo}(C_1)\) and \(C_2' = \mathsf {HideTopo}(C_2)\), then \(\varPhi (C_1') = \varPhi (C_2')\). An easy way to construct such function \(\mathsf {HideTopo}\) is by setting \(C'\) to be a universal circuit, with a hard-coded description of the actual circuit C. Therefore, to get a topology-hiding garbling scheme, we can simply use a topology-revealing scheme but instead of garbling the circuit C directly, we garble the circuit \(\mathsf {HideTopo}(C)\).

4 Construction of [HJO+16]

In our construction (presented in the following section), we will use the construction of [HJO+16], as a building block. Furthermore we will need the details of this construction in order to proceed with the proof of security of our construction. Therefore in this section we present the construction of [HJO+16] which consists of two simple steps: (1) garble the circuit using Yao’s garbling scheme; (2) hide the garbled circuit (without the output tables) under an outer layer of encryption instantiated with a somewhere-equivocal encryption scheme. In the on-line phase, the garbled input consists of Yao’s garbled input plus the output tables. Next we provide the formal description of the scheme of [HJO+16] which contains the details of Yao’s garbling scheme.

Let C be a leveled boolean circuit with fan-in 2 and unbounded fan-out, with inputs size n, output size m, depth d and width w. Let q denote the number of gates in C. Recall that wires are uniquely identified with labels \(w_1, w_2, \ldots ,w_{p}\), and a circuit C is specified by a list of gate tuples \(\mathsf {gate}= (g, w_{{{a}}}, w_{{{b}}}, w_{{{c}}})\). The topology of the circuit \(\varPhi (C)\) consists of the sanitized gate tuples \(\widehat{\mathsf {gate}}_i = (\bot , w_{{{a}}}, w_{{{b}}}, w_{{{c}}})\). For simplicity, we implicitly assume that \(\varPhi (C)\) is public and known to the circuit evaluator without explicitly including it as part of the garbled circuit \(\widetilde{C}\). To simplify the description of our construction, we first describe the procedure for garbling a single gate, that we denote by \(\mathsf {GarbleGate}\).

Let \(\varGamma =(\mathsf {Gen}, \mathsf {Enc},\mathsf {Dec})\) be a CPA-secure symmetric-key encryption scheme satisfying the special correctness property defined in Appendix A. \(\mathsf {GarbleGate}\) is defined as follows.

  • \(\widetilde{g}\leftarrow \mathsf {GarbleGate}(g, \{k^{\sigma }_{{{a}}}, k^\sigma _{{{b}}}, k^{\sigma }_{{{c}}}\}_{\sigma \in \{0,1\}})\): This function computes 4 ciphertexts \(c_{\sigma _0,\sigma _1}~:~\sigma _0,\sigma _1 \in \{0,1\}\) as defined below and outputs them in a random order as \(\widetilde{g}=[c_1, c_2, c_3, c_4]\).

    \(c_{0,0}\leftarrow \mathsf {Enc}_{k^0_{{{a}}}}(\mathsf {Enc}_{k^0_{{{b}}}}(k^{g(0,0)}_{{{c}}})) c_{0,1}\leftarrow \mathsf {Enc}_{k^0_{{{a}}}}(\mathsf {Enc}_{k^1_{{{b}}}}(k^{g(0,1)}_{{{c}}}))\)

    \(c_{1,0}\leftarrow \mathsf {Enc}_{k^1_{{{a}}}}(\mathsf {Enc}_{k^0_{{{b}}}}(k^{g(1,0)}_{{{c}}})) c_{1,1}\leftarrow \mathsf {Enc}_{k^1_{{{a}}}}(\mathsf {Enc}_{k^0_{{{b}}}}(k^{g(1,1)}_{{{c}}}))\)

Let \(\varPi =(\mathsf {seKeyGen}\), \(\mathsf {seEnc}, \mathsf {seDec}\), \(\mathsf {SimEnc}\), \(\mathsf {SimKey})\) be a somewhere-equivocal symmetric-encryption scheme as defined in Appendix B. Recall that in this primitive the plaintext is a vector of \(n\) blocks, each of which has \(s\) bits. In this construction the following parameters are used: the vector size \(n= q\) is the number of gates and the block size \(s= |\widetilde{g}|\) is the size of a single garbled gate. The equivocation parameter \(t\) is defined by the strategy used in the security proof and will be specified later. The garbling scheme is formally described in Fig. 1.

Fig. 1.
figure 1

Adaptively secure garbling scheme: \(\mathsf {GCircuit}\) and \(\mathsf {GInput}\) functions. See Fig. 2 for function \(\mathsf {Eval}\).

Full size image
Fig. 2.
figure 2

Adaptively secure garbling scheme: \(\mathsf {Eval}\) function.

Full size image

4.1 Adaptive Simulator

The adaptive security simulator for [HJO+16] is essentially the same as the selective security simulator for Yao’s scheme (as in [LP09]), with the only difference that the output table is sent in the on-line phase, and is computed adaptively to map to the correct output. Note that the garbled circuit simulator does not rely on the simulation properties of the somewhere equivocal encryption scheme - these are only used in the proof of indistinguishability.

More specifically, the adaptive simulator \((\mathsf {SimC}, \mathsf {SimIn})\) works as follows. In the off-line phase, \(\mathsf {SimC}\) computes the garbled gates using procedure \(\mathsf {GarbleSimGate}\), that generates 4 ciphertexts that encrypt the same output key.

More precisely,

  • \(\mathsf {GarbleSimGate}(\{k^{\sigma }_{w_{{{a}}}}, k^{\sigma }_{w_{{{b}}}}\}_{\sigma \in \{0,1\}},k'_{w_{{{c}}}})\) takes both keys for input wires \(w_{{{a}}}, w_{{{b}}}\) and a single key for the output wire \(w_{{{c}}}\), that we denote by \(k'_{w_{{{c}}}}\). It then output \(\widetilde{g}_{{{c}}}=[c_1, c_2, c_3,c_4]\) where the ciphertexts, arranged in random order, are computed as follows.

    \(c_{0,0}\leftarrow \mathsf {Enc}_{k^0_{{{a}}}}(\mathsf {Enc}_{k^0_{{{b}}}}(k'_{{{c}}})) c_{1,0}\leftarrow \mathsf {Enc}_{k^1_{{{a}}}}(\mathsf {Enc}_{k^0_{{{b}}}}(k'_{{{c}}}))\)

    \(c_{0,1}\leftarrow \mathsf {Enc}_{k^0_{{{a}}}}(\mathsf {Enc}_{k^1_{{{b}}}}(k'_{{{c}}})) c_{1,1}\leftarrow \mathsf {Enc}_{k^1_{{{a}}}}(\mathsf {Enc}_{k^0_{{{b}}}}(k'_{{{c}}}))\)

The simulator invokes \(\mathsf {GarbleSimGate}\) on input \(k'_{{{c}}}= k^0_{{{c}}}\). It then encrypts the garbled gates so obtained by using the honest procedure for the somewhere equivocal encryption.

In the on-line phase, \(\mathsf {SimIn}\), on input \(y=C(x)\) adaptively computes the output tables so that the evaluator obtains the correct output. This is easily achieved by associating each bit of the output, \(y_j\), to the only key encrypted in the output gate \(g_{\mathsf {out}_j}\), which is \(k^0_{\mathsf {out}_j}\). For the input keys, \(\mathsf {SimIn}\) just sends keys \(k^{0}_{{\mathsf {in}_i}}\) for each \(i\in [n]\). The detailed definition of \((\mathsf {SimC}, \mathsf {SimIn})\) is provided in Fig. 3.

Fig. 3.
figure 3

Simulator for adaptive security.

Full size image

5 Our Construction

Let be the adaptive garbling scheme of [HJO+16], with simulator . In this section we construct a new garbling scheme, using as a building block. See Fig. 5 for a formal description of our construction. The new garbling scheme creates two copies of the garbled circuit (called \(\mathsf {C_L}, \mathsf {C_R}\)). It chooses one at random to be the “active” one (\(\mathsf {active}=R\) or \(\mathsf {active}=L\)). Then for each output bit \(i\in \left[ m \right] \), it creates a selection gate that takes the output wire i from both garbled circuits, and selects the value on the wire coming from the active circuit. We call these selection gates, s-gates, to distinguish them from the output gates of the two original garbled circuits. Let \(\ell ^b\) and \(r^b\) be the output wires of \(\mathsf {C_L}\) and \(\mathsf {C_R}\), then s-gate (for each output bit) is defined as in Fig. 4.

Fig. 4.
figure 4

s-gates. \(\mathsf {sgate}_L (\mathsf {sgate}_R)\) outputs the value associated with the wire coming form \(\mathsf {C_L}, (\mathsf {C_R})\).

Full size image

Note that \(\mathsf {C_{active}}\) and \(\mathsf {C_{passive}}\) are encrypted Yao garbled circuits. But the output wires and the output map are not encrypted and are part of the key \(k\) which is an output of .

Fig. 5.
figure 5

New garbling scheme

Full size image

6 Hybrid Games

Overview. We need to prove that \(\mathrm{G}\textsc {ame}_0=\) and are indistinguishable. Namely, we need to show a strategy to move from \(\mathrm{G}\textsc {ame}_0\), where \((\mathsf {C_{passive}}\), \(\mathsf {C_{active}})\) are both garbling of \(C_0\) and \((x_{\mathsf {active}}\), \(x_{\mathsf {passive}})\) are garblings of \(x_0\); to \(\mathrm{G}\textsc {ame}_1\) where \((\mathsf {C_{passive}}\), \(\mathsf {C_{active}})\) are garbling of \(C_1\) and \((x_{\mathsf {active}}\), \(x_{\mathsf {passive}})\) are garblings of \(x_1\).

At high-level, the proof strategy is the following: starting from \(\mathrm{G}\textsc {ame}_0\), (1) first we change \(\mathsf {C_{passive}},x_{\mathsf {passive}}\) to be the garbling of \(C_1,x_1\), (2) then we change the selection gates so that they select outputs from \(\mathsf {C_{passive}}\), (3) finally we change \(\mathsf {C_{active}},x_{\mathsf {active}}\) to be the garbling of \(C_1,x_1\).

For step (1) and (3), we switch from garbling \(C_0,x_0\) to garbling \(C_1,x_1\) by using simulated circuits, namely first we change \(\mathsf {C_{passive}}\) into a simulated circuit, and then we switch it into a real garbling of \(C_1\). Indistinguishability of this steps follows directly from the adaptive simulation-based security of the underlying garbling scheme in a black-box manner (we discuss this next in Sect. 6.1). Changing the selection gates (Step 2) instead requires a surgical proof, where we selective simulate one output gate of \(\mathsf {C_{passive}}, \mathsf {C_{active}}\) at the time, and this enable us to change (switch) the content of the selection gates, from selecting the output of \(\mathsf {C_{passive}}\) instead of \(\mathsf {C_{active}}\) (or viceversa). Following the language of [HJO+16], this means that we need to place black pebbles on the output gates of circuits \(\mathsf {C_{passive}}, \mathsf {C_{active}}\). We discuss this in details in Lemma 3.

6.1 Hybrid Games Template

The hybrid games are parameterized by the distributions of \(\mathsf {C_{active}}\), \(\mathsf {C_{passive}}\), their respective inputs \(x_\mathsf {active},x_\mathsf {passive}\) and a flag \(\alpha \in \left\{ \mathsf {active},\mathsf {passive} \right\} \) denoting the fact that s-gates are selecting the output of \(\mathsf {C}_{\alpha }\)

For example the original \(\mathrm{G}\textsc {ame}_b\) is described as:

Note that when the active and passive garbled circuit distributions are the same, it does not make a difference whether \(\alpha =\mathsf {active}\) or \(\alpha =\mathsf {passive}\). However in our hybrid argument we will sometimes set \(\alpha = \mathsf {passive}\) when these distributions are different. We use to denote a simulated circuit. Since the simulated garbling of any circuit only depends on its topology and not the function it computes, the output of the simulation has the same distribution for \(C_0\) and \(C_1\), thus for simplicity we write .

Using this template we define 4 new hybrid games: \({\mathsf {Hyb {A}} }\) through \({\mathsf {Hyb {D}} }\). See Fig. 6. The changes in these hybrids follow a two-step simulate and switch approach. In \({\mathsf {Hyb {A}} }\) the passive circuit is simulated. Note that the garbled input to a simulated circuit is created independent of the input, therefore its distribution does not change whether it’s \(x_0\) that is garbled or \(x_1\). In \({\mathsf {Hyb {B}} }\) the passive circuit is switched from simulation to real garbling of \(C_1\). Now with both active and passive circuits outputing the same value \(y=C_0(x_0)=C_1(x_1)\), we go to the next hybrid. In \({\mathsf {Hyb {C}} }\) we change the content of the s-gates to output the passive circuit. Then we turn the active circuit into a garbling of \(C_1\) with input \(x_{1}\), by first simulating it (\({\mathsf {Hyb {D}} }\)) and then changing it to a garbling of \(C_1\) with input \(x_1\) (\(\mathrm{G}\textsc {ame}_1\)). The transitions from \(\mathrm{G}\textsc {ame}_0\) to \({\mathsf {Hyb {A}} }\) then to \({\mathsf {Hyb {B}} }\) are identical to the ones going from \(\mathrm{G}\textsc {ame}_1\) to \({\mathsf {Hyb {D}} }\) and then to \({\mathsf {Hyb {C}} }\). Thus we only prove it once for \(\mathrm{G}\textsc {ame}_0 {\mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}}{\mathsf {Hyb {A}} } {\mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}}{\mathsf {Hyb {B}} }\).

Fig. 6.
figure 6

Hybrids.

Full size image

From \(\mathrm{G}\textsc {ame}_0\) to \({\mathbf {\mathsf{{HybA}}}}\) . To prove this, we are going to need a special property that is enjoyed by the garbling scheme . We define the special property below.

Definition 3

(Output-key Security). We say that an adaptively simulation-secure garbling scheme is output-key secure if it is adaptively secure even when the output keys (e.g., \(\left\{ w_{\alpha ,i} \right\} _{i\in \left[ m \right] }\)) –without the output mapping– are sent together with the garbled circuit \(\widetilde{C}\).

Proposition 1

Under the same assumptions as [HJO+16], the garbling scheme is adaptively secure and output-key secure.

[Proof Sketch]. Intuitively this is true because throughout the proof of security for we rely on the CPA security of the encryption scheme used to garble the gates, to prove the adversary does not learn the content of any gates, before getting the garbled input, and even after seeing the garbled input he can only decipher one ciphertext from each garbled gate. During these reductions, we can even let the adversary choose the keys encrypted in a garbled output gate (as in the game for the CPA security, the adversary can choose any message to be encrypted). Furthermore the output keys are not used as an encryption key somewhere else in the same garbled circuit, therefore revealing the output key does not jeopardize the adaptive security of .

Now that we have defined the property above, we can prove the following Lemma.

Lemma 1

If is adaptively secure and output-key secure, then \(\mathrm{G}\textsc {ame}_0\) and \({\mathsf {Hyb {A}} }\) are computationally indistinguishable.

Proof

If a PPT adversary \(\mathcal {A}\) distinguishes \(\mathrm{G}\textsc {ame}_0\) and \({\mathsf {Hyb {A}} }\) with advantage \(\varepsilon \), we construct adversary \(\mathcal {B}\) that breaks the adaptive security of with the same advantage \(\varepsilon \). \(\mathcal {B}\) will receive \(C_0,C_1\) from \(\mathcal {A}\), and sends \(C_0\) to its challenger, and gets back \(\widetilde{C}^*\), which is if \(b=0\) and if \(b=1\). \(\mathcal {B}\) then sets and \(\mathsf {C_{passive}}=\widetilde{C}^*\). Next, \(\mathcal {B}\) creates the s-gates so that they would reveal the output of \(\mathsf {C_{active}}\). Note that \(\mathcal {B}\) does not need the output map of \(\widetilde{C}^*\) to create s-gates, it only needs the keys encrypted in the output level gates of \(\widetilde{C}^*\). Which we assume are given as part of the garbled circuit, without jeopardizing the security of (due to output-key security). Finally \(\mathcal {B}\) sends \(\widetilde{C}=\left( \mathsf {C_L}, \mathsf {C_R}, \widetilde{\mathsf {sgate}} \right) \) to \(\mathcal {A}\) and gets back \(x_0,x_1\). \(\mathcal {B}\) sends \(x_{0}\) to the challenger and gets back \(\tilde{x}^*\) which is if \(b=0\) and \(\tilde{x}^*\leftarrow \mathsf {SimIn}(C_0(x_{0}), {\mathsf {state}})\) if \(b=1\). The reduction will set , \(\tilde{x}_\mathsf {passive}=\tilde{x}^*\) and sends \((\tilde{x}_L,\tilde{x}_R)\) to \(\mathcal {A}\) and outputs \(\mathcal {A}\)’s final output, \(b'\). Note, since \(\mathsf {SimIn}\) does not even take in the input \(x_1\) or \(x_0\), it only gets the output of the computation in order to create the appropriate output map. And in this application, the output wires are treated the same way, regardless of whether they are mapped to 0 or 1, it doesn’t matter which input is garbled by the simulator (Fig. 7).

Fig. 7.
figure 7

Reduction of Lemma 1

Full size image

Lemma 2

If is adaptively secure and output-key secure, then \({\mathsf {Hyb {A}} }\) and \({\mathsf {Hyb {B}} }\) are computationally indistinguishable.

Proof

It follows from a similar reduction to the one used in the proof of Lemma 1, with the difference that \(C_1, x_1\) are sent to the challenger instead of \(C_0, x_{0}\).

Lemmas 1 and 2 prove that:

$$\begin{aligned}\mathrm{G}\textsc {ame}_0 {\mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}}{\mathsf {Hyb {A}} } {\mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}}{\mathsf {Hyb {B}} } \text { and } {\mathsf {Hyb {C}} } {\mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}}{\mathsf {Hyb {D}} } {\mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}}\mathrm{G}\textsc {ame}_1.\end{aligned}$$

From \({\mathbf {\mathsf{{HybB}}}}\) to \({\mathbf {\mathsf{{HybC}}}}\) . Recall the distribution of hybrid \({\mathsf {Hyb {B}} }\) and \({\mathsf {Hyb {C}} }\)

The difference between these two hybrids is only in the s-gates: instead of selecting the output from \(\mathsf {C_{active}}\) (in \({\mathsf {Hyb {B}} }\)), now s-gates will select the output from \(\mathsf {C_{passive}}\) (in \({\mathsf {Hyb {C}} }\)). Recall the description of s-gate in Fig. 4. Changing the s-gates from \(\mathsf {active}\) to \(\mathsf {passive}\) entails changing 2 of the encryptions. In order to argue that these changes are indistinguishable, we must rely on the CPA security of the encryption. However the keys used to create these ciphertexts are not independent, since they are used in the garbling of the output gates of \(\mathsf {C_L}\) and \(\mathsf {C_R}\). Therefore, if we want to change even one encryption, we need to remove those keys from the correspondent gates in \(\mathsf {C_L}\) and \(\mathsf {C_R}\). In other words, those two gates need to be simulated. Now, in order to change one gate at the time from real to simulated, we need to leverage the details of the proof provided in [HJO+16].

Proof Strategy in [HJO+16]. We now give an overview of the proof strategy of [HJO+16]; we rely on specific components of the strategy in our proof. For more details see Appendix C. In [HJO+16] hybrid games are parametrized by a circuit configuration, that is, a vector indicating the way the gates are garbled. There are three modes for how each gate can be garbled: \(\mathsf {RealGate}, \mathsf {InputDepSimGate},\) \( \mathsf {SimGate}\). There are also rules that allow one to indistinguishably move from one configuration to another. These configurations/rules are summarized via a pebbling game where we associate \(\mathsf {RealGate}\) mode to a gate not having a pebble on it, \(\mathsf {InputDepSimGate}\) mode is associated with a gate having a black pebble, and \(\mathsf {SimGate}\) mode is associated with a gate having a grey pebble. The indistinguishability rules are then translated to rules for the pebbling game:

  • Pebbling Rule A. We can place or remove a black pebble on a gate as long as both predecessors of that gate have black pebbles on them (or the gate is an input gate).

  • Pebbling Rule B. We can replace a black pebble with a grey pebble on a gate as long as all successors of that gate have black or grey pebbles on them (or the gate is an output gate).

We can follow the same rules for the two garbled circuits \(\mathsf {C_{active}}\), \(\mathsf {C_{passive}}\) with one major difference: we cannot replace a black pebble with a grey pebble on the output gates (this part relied on the fact that the output map, which specified the correspondence between wire keys at the output level and the bits they correspond to, was only sent in the on-line phase; in our case this correspondence is needed to create the s-gates in the off-line phase, at least for the active circuit).

We rely on one more property (*): if a gate has an output wire w which is associated with keys \(k_w^0, k_w^1\) and we garble the gate in \(\mathsf {InputDepSimGate}\) mode then we only use one key (\(k_w^b\) where b is the bit that the wire takes on during the computation C(x)) when creating this garbled gate in the on-line phase.

Let us define \(\mathcal {C}\left[ \gamma ,t \right] \) to be the class of circuits C such that we can place a black pebble on any single output gate of C in \(\gamma \) pebbling steps and using at most t black pebbles at each step. For the following lemma, theorem and corollaries, assume:

  1. 1.

    The adversary selects \(C_0,C_1 \in \mathcal {C}\left[ \gamma ,t \right] \).

  2. 2.

    \(\varPi = (\mathsf {seKeyGen}\), \(\mathsf {seEnc}, \mathsf {seDec}\), \(\mathsf {SimEnc}\), \(\mathsf {SimKey})\) is a somewhere equivocal encryption scheme with equivocation parameter t.

  3. 3.

    \(\varGamma =(\mathsf {Gen},\mathsf {Enc}, \mathsf {Dec})\) is an encryption scheme secure under chosen double encryption.

Lemma 3

\({\mathsf {Hyb {B}} }\) and \({\mathsf {Hyb {C}} }\) are computationally indistinguishable.

Proof

Let m be the output size of the circuits \(C_0,C_1\) selected by the adversary. For \(i=1,\ldots ,m\), we rely on the following sequence of sub-hybrids:

  1. 1.

    Via a sequence of sub-sub-hybrids, change the configurations of both \(\mathsf {C_{active}}\) and \(\mathsf {C_{passive}}\) so that the i’th output gate is in \(\mathsf {InputDepSimGate}\) mode (has a black pebble on it). This follows using the same argument as in [HJO+16].

  2. 2.

    Change the i’th s-gate from \(\mathsf {sgate}_{\mathsf {active}}\) to \(\mathsf {sgate}_{\mathsf {passive}}\) (see Fig. 4). This change relies on property (*) and the CPA-security of the encryption scheme \(\varGamma \) used to garble the gates. In particular, this change requires changing the contents of the ciphertexts \(\mathsf {Enc}_{\ell ^0}(\mathsf {Enc}_{r^1}(?))\) and \(\mathsf {Enc}_{\ell _1}(\mathsf {Enc}_{r^0}(?))\) in s-gate. However, since \(C_0(x_0)= C_1(x_1)\) by property (*) the only keys that are used as plaintexts in other garbled gates in this hybrid are either \((\ell ^0, r^1)\) or \((\ell ^1,r^0)\). In either case, we can rely on encryption security to change the contents of the above two ciphertexts.

  3. 3.

    Via a sequence of sub-sub-hybrids, change the configurations of both \(\mathsf {C_{active}}\) and \(\mathsf {C_{passive}}\) back so that all gates are in \(\mathsf {RealGate}\) mode (no pebbles). This is the same as step 1 in reverse.

From Lemmas 1, 2, 3, it follows that \(\mathrm{G}\textsc {ame}_0\) and \(\mathrm{G}\textsc {ame}_1\) are computationally indistinguishable which proves our main result, summarized in the following theorem.

Theorem 1

Assuming the existence of one-way functions, is adaptively indistinguishable with online complexity \((n+t)\mathsf {poly}(\lambda )\) for all circuits in \(\mathcal {C}\left[ \mathsf {poly}(\lambda ),t \right] \).

Using the pebbling strategies from [HJO+16] summarized in Appendix D we get the following bounds.

Lemma 4

Any circuit C of depth d, width w, with input size n and output size m, is in the class \(\mathcal {C}\left[ \gamma ,t \right] \) with either of the following two settings of \(\gamma , t\):

  • \(\gamma =2^{(2d+1)}m\) steps using \(t=2d\) black pebbles.

  • \(\gamma =4\left| C \right| \) steps using \(t=2w\) black pebbles.

Plugging the above lemma into Theorem 1 we get the following corollary.

Corollary 1

Assuming the existence of one-way functions, is adaptively indistinguishable with online complexity \(n \cdot \mathsf {poly}(\lambda )\) for all circuits with either linear width \(w = O(n)\) or logarithmic depth \(d = O(\log n)\).

Note that any computation which can be performed in linear space can be represented by a circuit with linear width. Therefore the above covers all linear space computations.

7 Application: Private-Key Adaptively Secure Functional Encryption

Overview. Our new garbling scheme can be used to implement a private-key functional encryption [SW05, BSW11] based on one-way functions, with indistinguishability based security where the adversary can obtain an unbounded number of function secret keys and then adaptively a single challenge ciphertext (the formal definition is provided in Sect. 7.1).

In our scheme (described in Fig. 8), the functional keys are garbled circuits computed according to (a slightly modified version of) , and the ciphertext for a message m corresponds to the garbling of the input m. Since a single garbled input should be used to evaluate multiple garbled circuits, we slightly tweak the construction of our garbling scheme so to allow an initial state that is used upon each invocation of the garbling function. We explain this modification in greater length in Sect. 7.2.

7.1 Definition

A private-key functional encryption scheme \(\mathsf{\Pi }\), over a message space \(\mathcal {M}=\{\mathcal {M}_{\lambda }\}_{\lambda }\) and a circuit space \(\mathcal {C} =\{C_{\lambda }\}_{\lambda }\) is a tuple of PPT algorithms \((\mathsf{\Pi }.\mathsf{FE.Setup}\), \(\mathsf{\Pi }.\mathsf{FE.KeyGen}\), \(\mathsf{\Pi }.\mathsf{FE.Enc}\), \(\mathsf{FE. Dec})\) defined as follows:

  • \(\mathsf{\Pi }.\mathsf{FE.Setup}(1^{\lambda })\): The setup algorithm takes as input the unary representation of the security parameter, and outputs a secret key \(\mathsf{MSK}\).

  • \(\mathsf{\Pi }.\mathsf{FE.KeyGen}(\mathsf{MSK}, C)\): The key-generation algorithm takes as input a secret key \(\mathsf{MSK}\) and a circuit \(C\in \mathcal {C}_{\lambda }\) and outputs a functional key \(sk_{C}\).

  • \(\mathsf{\Pi }.\mathsf{FE.Enc}(\mathsf{MSK}, m)\): The encryption algorithm takes as input a secret key \(\mathsf{MSK}\) and a message \(m \in \mathcal {M}_{\lambda }\) and outputs a ciphertext \(\mathsf{CT}\).

  • \(\mathsf{\Pi }.\mathsf{FE. Dec}(sk_{C}, \mathsf{CT})\) The decryption algorithm takes as input a functional key \(sk_C\) and a ciphertext \(\mathsf{CT}\), and outputs \(m \in \mathcal {M}_{\lambda } \cup \{\bot \}\).

The correctness property requires that there exists a negligible function \(negl(\cdot )\) such that for all sufficiently large \(\lambda \in N\), for every message \(m \in \mathcal {M}_{\lambda }\), and for every circuit \(C\in \mathcal {C}_{\lambda }\) it holds that:

$$\begin{aligned}Pr [\mathsf{FE. Dec}(\mathsf{\Pi }.\mathsf{FE.KeyGen}(\mathsf{MSK}, C), \mathsf{FE.Enc}(\mathsf{MSK}, m))= C(m)] \ge 1 - negl(\lambda )\end{aligned}$$

where \(\mathsf{MSK}= \mathsf{FE.Setup}(1^{\lambda })\) and the probability is taken over the random choices of all algorithms.

Many Functions Single Message Adaptive Security. For any PPT adversary \(\mathcal {A}\), there exists a negligible function \(\varepsilon \) such that:

$$\begin{aligned} \Pr [\mathsf {Exp}^{\mathsf{Private-FE}}_{\mathcal {A},\mathsf{\Pi },\mathsf {Ind}}({\lambda },0)=1] -\Pr [\mathsf {Exp}^{\mathsf{Private-FE}}_{\mathcal {A},\mathsf{\Pi },\mathsf {Ind}}({\lambda },1)=1] \le \varepsilon (\lambda ) \end{aligned}$$

where the experiment \(\mathsf {Exp}^{\mathsf{Private-FE}}_{\mathcal {A},\,\mathsf {Ind}}(\lambda ,b)\) is defined as follows:

  1. 1.

    Query. The adversary \(\mathcal {A}\) specifies circuits \(C^1,C^2, \ldots \). It then obtain functional keys \(sk_1,sk_2,\ldots \) which are created as follow:

    • Run \(\mathsf{MSK}= \mathsf{\Pi }.\mathsf{FE.Setup}(1^{\lambda }\)).

    • Let q be the number of queries. \(\forall i \in [q]\), \(sk_i=\mathsf{\Pi }.\mathsf{FE.KeyGen}(\mathsf{MSK},C^i)\).

  2. 2.

    Challenge. The adversary \(\mathcal {A}\) specifies messages \(m_0,m_1\), such that for all \(i\in [q]\), \(C^i(m_0)= C^i(m_1)\) and obtains \(\mathsf{CT}\), which is created as follows:

    • \(\mathsf{CT}= \mathsf{\Pi }.\mathsf{FE.Enc}(\mathsf{MSK},m_b)\)

  3. 3.

    Output. Finally, the adversary outputs a bit \(b'\), which is the output of the experiment.

7.2 Construction

Our private-key functional encryption scheme is depicted in Fig. 8. The \(\mathsf{FE.Setup}\) algorithm generates the keys that need to be shared by all garbled circuits. Such keys are: (1) the keys for the input wires (i.e., \(K_L, K_R\)) (2) the keys for the outer somewhere-equivocal encryption \(\mathsf {seEnc}\) (i.e., \(\mathsf {key}_L, \mathsf {key}_R )\). The \(\mathsf{FE.Setup}\) also sets the flag \(\mathsf {active}\).

The \(\mathsf{FE.KeyGen}\) algorithm generates a garbled circuit according to procedure which is a slight modification of (shown in Fig. 4) that enables to use a single garbled input to evaluate many garbled circuits generated at different times. The modifications are: (1) instead of running procedure \(\mathsf {GCircuit}(1^\lambda , C)\) (described in Fig. 1) – which would select fresh keys for the input wires and for the outer encryption – it runs a slightly modified procedure \(\mathsf {GCircuit}^{\star }(1^\lambda ,C, Input\ keys)\) which takes such keys as an external input; (2) the encryption algorithm \(\mathsf {seEnc}\) used in \(\mathsf {GCircuit}\), is also slightly modified so that it allows blocks to be encrypted in a streaming fashion (that is, instead of having a one-time encryption of \(n\) blocks, we allow for many encryptions, where the total number of encrypted blocks is overall \({\le }N\) where N is an upperbound (e.g., \(2^\lambda \))). In Appendix B we discuss why this modification (that we call \(\mathsf {seEnc}^{\star }\)) follows naturally from the implementation of \(\mathsf {seEnc}\) provided in [HJO+16].

The \(\mathsf{FE.Enc}\) algorithm takes in input a message m and simply runs the procedure \(\mathsf {GInput}(m,Input\ keys)\) to select the keys for m. The ciphertext then consists of the keys for the garbled inputs, and the keys for the outer encryption \(\mathsf {key}_R,\mathsf {key}_L\). Note that the size of the ciphertext depends on the length of the input and the length of the keys \(\mathsf {key}_R,\mathsf {key}_L\) for somewhere-equivocal encryption. Finally the decryption algorithm simply consists of the evaluation of the garbled circuits.

Fig. 8.
figure 8

Private-key FE

Full size image

7.3 Security Proof

In this section we show that protocol in Fig. 8 is a private-key functional encryption scheme that is adaptively secure for many function queries and a single message query (according to Sect. 7.1).

Let \(\mathrm{G}\textsc {ame}_0\), be the experiment \(\mathsf {Exp}^{\mathsf{Private-FE}}_{\mathcal {A},\mathsf{\Pi },\mathsf {Ind}}({\lambda },0)\) where the adversary receives encryption of \(m_0\), and let \(\mathrm{G}\textsc {ame}_1\) be the experiment \(\mathsf {Exp}^{\mathsf{Private-FE}}_{\mathcal {A},\mathsf{\Pi },\mathsf {Ind}}({\lambda },1)\). The proof of security consists of a sequence of hybrid games from \(\mathrm{G}\textsc {ame}_0\) to \(\mathrm{G}\textsc {ame}_1\), and each hybrid is computational indistinguishable. We now argue that this sequence of hybrids follows exactly the hybrids provided in the proof of Theorem 1.

Recall that in the security experiment \(\mathsf {Exp}^{\mathsf{Private-FE}}_{\mathcal {A},\mathsf{\Pi },\mathsf {Ind}}({\lambda },b)\), \(\mathcal {A}\) sends all function queries \(C^1, C^2, \ldots ,C^q\) at the beginning in one-shot. Concretely, by instantiating the experiment with \(\mathsf{\Pi }\), when \(\mathcal {A}\) sends functional queries \(C^1, C^2, \ldots ,C^q\), she obtains:

  • Functional Keys: \(\left( [\mathsf {C_L}^1,\mathsf {C_R}^1, \mathsf{SG}^1], \ldots , [\mathsf {C_L}^q,\mathsf {C_R}^q, \mathsf{SG}^q] \right) \)

  • where \(\mathsf{SG}^j\) is the selection circuit \(\widetilde{\mathsf {sgate}}\) associated to \(\mathsf {C_L}^j,\mathsf {C_R}^j\).

  • In the challenge phase, \(\mathcal {A}\) receives the garbling of message \(m_b\). Specifically:

  • Ciphertext: \(\tilde{x}=(K_L ,\mathsf {key}_L, K_R ,\mathsf {key}_R)\)

Now, note that, because the functional keys (i.e., the garbled circuits) are sent all at once, and they will be evaluated with the same garbled input \(\tilde{x}\), we can conceptually think of \(C^1, C^2, \ldots ,C^q\) as disjoint sub-circuits (which have no wires in common) of one big circuit \(\mathbb {C}\). Let us define \(\mathbb {C} =[C^1, C^2 , \ldots , C^q ]\).

Next, we observe that the garbling function is such that garbling circuits \((C^1, C^2, \ldots ,C^q)\) one at the time will generate a garbled circuit which is equivalent to the one obtained by garbling \(\mathbb {C}\) as a single circuit. To see why, note that the garbling function operates by encrypting one gate at the time, and only connected gates have correlated keys. As \((C^1, C^2, \ldots ,C^q)\) are disjoint, they are encrypted separately regardless of whether they are presented as a single circuit \(\mathbb {C}\) or as many independent circuits. Therefore, we can group the view of adversary as follows:

  • \(\tilde{\mathbb {C}}_{L} = (\mathsf {C_L}^1, \ldots , \mathsf {C_L}^{q})\)

  • \(\tilde{\mathbb {C}}_{R} = (\mathsf {C_R}^1, \ldots , \mathsf {C_R}^{q})\)

  • \(\mathbb {S}_{L} = (\mathsf{SG}^1, \ldots , \mathsf{SG}^q)\)

  • \(\tilde{x}= (K_L ,\mathsf {key}_L,K_R ,\mathsf {key}_R)\).

Finally, recall that the flag \(\mathsf {active}\) is set once and for all in \(\mathsf{FE.Setup}\) (Fig. 8) That is, either \(L=\mathsf {active}\) and \(R=\mathsf {passive}\), or viceversa. Therefore, we can further represent the view of the adversary as follows:

  • \(\tilde{\mathbb {C}}_{\mathsf {active}}, \tilde{x}_{\mathsf {active}}\)

  • \(\tilde{\mathbb {C}}_{\mathsf {passive}},\tilde{x}_{\mathsf {passive}}\)

  • \(\mathbb {S}\)

This view fits the template of high-level hybrids shown in Fig. 6. The exact same arguments then follow to show that \(\mathrm{G}\textsc {ame}_0\) and \(\mathrm{G}\textsc {ame}_1\) are indistinguishable. In \(\mathrm{G}\textsc {ame}_b\), \(\tilde{x}_{\mathsf {active}}\) and \(\tilde{x}_{\mathsf {passive}}\) are both garbling of \(m_b\).

Following the same template, the proof strategy is to move from \(\mathrm{G}\textsc {ame}_0\), where \(\tilde{x}_{\mathsf {active}}\) and \(\tilde{x}_{\mathsf {passive}}\) are garbling of \(m_0\), to intermediate games where \(\tilde{x}_{\mathsf {passive}}\) is a garbling of \(m_1\) and finally change \(\tilde{x}_{\mathsf {active}}\) into garbling of \(m_1\) and thus reaching \(\mathrm{G}\textsc {ame}_{1}\).

Theorem 2

Assuming the existence of one-way functions, \(\mathsf{\Pi }\) is a many functions single message adaptive secure private-key functional encryption, for all circuits in \(\mathcal {C}\left[ \mathsf {poly}(\lambda ),t \right] \), with ciphertext size \((n+t)\mathsf {poly}(\lambda )\), where n is the length of the plaintext.

Proof

It follows from the proof of Theorem 2 applied to the circuit \(\mathbb {C}\) defined above.

7.4 Extensions

We leave as an extension to consider a full adaptive security definition for functional encryption where the adversary can choose the functional queries adaptively [ABSV15]. Concretely, this means that the adversary can choose functions adaptively based on the garbled circuits received so far.

To prove security of our construction in this setting, one needs to prove that the underlying garbling scheme satisfies a stronger adaptivity property that we call many-time adaptive security. That is, in the security experiment the adversary is allowed to adaptively ask for many garbled circuits and then choose an single input to evaluate all of them.

Showing that achieves this stronger property amounts to show that the underlying new somewhere-equivocal encryption scheme (Definition 6) achieves a stronger security property where the adversary can choose the plaintexts adaptively on the ciphertexts received so far.