DOCSLIB.ORG

Privacy Preserving Computations Accelerated Using FPGA Overlays

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Privacy Preserving Computations Accelerated Using FPGA Overlays Privacy Preserving Computations Accelerated using FPGA Overlays A Dissertation Presented by Xin Fang to The Department of Electrical and Computer Engineering in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Engineering Northeastern University Boston, Massachusetts August 2017 To my family. i Contents List of Figures v List of Tables vi Acknowledgments vii Abstract of the Dissertation ix 1 Introduction 1 1.1 Garbled Circuits . 1 1.1.1 An Example: Computing Average Blood Pressure . 2 1.2 Heterogeneous Reconfigurable Computing . 3 1.3 Contributions . 3 1.4 Remainder of the Dissertation . 5 2 Background 6 2.1 Garbled Circuits . 6 2.1.1 Garbled Circuits Overview . 7 2.1.2 Garbling Phase . 8 2.1.3 Evaluation Phase . 10 2.1.4 Optimization . 11 2.2 SHA-1 Algorithm . 12 2.3 Field-Programmable Gate Array . 13 2.3.1 FPGA Architecture . 13 2.3.2 FPGA Overlays . 14 2.3.3 Heterogeneous Computing Platform using FPGAs . 16 2.3.4 ProceV Board . 17 2.4 Related Work . 17 2.4.1 Garbled Circuit Algorithm Research . 17 2.4.2 Garbled Circuit Implementation . 19 2.4.3 Garbled Circuit Acceleration . 20 ii 3 System Design Methodology 23 3.1 Garbled Circuit Generation System . 24 3.2 Software Structure . 26 3.2.1 Problem Generation . 26 3.2.2 Layer Extractor . 30 3.2.3 Problem Parser . 31 3.2.4 Host Code Generation . 32 3.3 Simulation of Garbled Circuit Generation . 33 3.3.1 FPGA Overlay Architecture . 33 3.3.2 Garbled Circuit AND Overlay Cell . 34 3.3.3 Garbled Circuit XOR Overlay Cell . 36 3.3.4 Embedded Memory . 38 3.3.5 Workload Dispatcher and Data Controller . 39 3.4 Heterogeneous Computing System using ProceV Board . 42 3.4.1 Communicating between Host and FPGA . 42 3.4.2 Accessing DDR Memory On Board . 44 3.4.3 Accessing On-Chip Registers . 47 3.4.4 Workload Dispatcher and Data Controller . 47 3.4.5 AND and XOR Overlay Cells . 48 3.5 Architecture Improvement . 49 3.5.1 Hybrid Memory Hierarchy . 49 3.5.2 Host to FPGA Communication . 52 3.5.3 AND and XOR Overlay Cells . 54 3.5.4 System Parameters . 56 4 Experiments and Results 57 4.1 System Workflow . 57 4.2 Problem Analysis . 60 4.3 Simulation Results . 60 4.3.1 Testbench Generation . 60 4.3.2 Performance Results . 61 4.4 Heterogeneous Computing System Results . 63 4.4.1 Problem Analysis . 64 4.4.2 Performance Results . 66 5 Conclusion and Future work 72 5.1 Conclusion . 72 5.2 Future Work . 73 5.2.1 Performance Improvement within one Node . 73 5.2.2 Map Garbled Circuit Problem onto Multiple Nodes . 74 5.2.3 Other Platform Exploration for Garbled Circuit . 74 A Example of Garbled Circuit with Garbled Values 76 B Interface Between Host and ProceV Board 83 iii List of Acronyms 84 Bibliography 86 iv List of Figures 2.1 Yao’s Protocol . 9 2.2 A Garbled AND Gate . 11 2.3 ALM Architecture for Stratix V Family FPGAs [1] . 14 2.4 FPGA Overlay Architecture . 15 2.5 ProceV Block Diagram [2] . 18 3.1 A Garbled Circuit Generation System . 24 3.2 Software Workflow . 27 3.3 Layer Extractor Output Visualization . 31 3.4 Garbled Circuit Problem Parser . 32 3.5 Overlay Architecture for Garbled Circuit . 34 3.6 A Garbled AND Overlay Cell . 35 3.7 Optimized Garbled AND Overlay Cell . 37 3.8 A Garbled XOR Overlay Cell . 38 3.9 A Standard RAM Interface . 39 3.10 Workload Dispatcher and Data Controller Timing information . 41 3.11 Garbled Circuit AND Gate Operations Sequence . 41 3.12 Garbled Circuit XOR Gate Operations Sequence . 42 3.13 Heterogeneous Computing System with DDR Memory . 43 3.14 ProceV Board DDR Memory Interface . 46 3.15 Coarse Granularity CPU and FPGA Communication . 48 3.16 Hybrid Memory System . 50 3.17 Data transmission for XOR Operation without Check using BRAM . 53 3.18 Reduce of Number of Registers . 54 3.19 Fine Granularity CPU and FPGA Communication . 55 4.1 System of Garbled Circuits . 58 4.2 SHA-1 Message Padding . 61 v List of Tables 1.1 Garbled Circuit Time Information . 3 2.1 Comparison among Different Approaches . 21 4.1 Problem Switching Time . 59 4.2 Size of the Examples . 62 4.3 Clock Cycle Comparison . 62 4.4 Speedup compared with FlexSC . 63 4.5 Resource Utilization . 63 4.6 Gate Information for Problems . 64 4.7 Wire Information for Problems . 65 4.8 Wire Percent for Problems . 66 4.9 3 AND 1 XOR Overlay Cells Realization for Garbled Circuit . 67 4.10 Increase Number of AND Overlay Cells . 67 4.11 Results for Removing Host XOR Operation Check . 68 4.12 Directly-Used Policy using Register and DDR Hybrid Memory . 68 4.13 Directly-Used Policy using BRAM and DDR Hybrid Memory . 69 4.14 Most-Frequently-Used Policy . 69 4.15 Influence of Clock Frequency of Hardware . 69 4.16 Influence of Number of Gates . 70 4.17 Using 2 Address Registers for 3 Addresses . 70 4.18 Speedup Results . 71 vi Acknowledgments I want to express my appreciation to those who have supported me during the process of my Ph.D. study at Northeastern University. Ph.D. study is a marathon which requires the determination and endeavors to face the challenge in research and every life. Without the help and encouragement from them, I cannot think of finishing this journey while enjoying it. So I thank them at the beginning of this dissertation. First and foremost, I want to thank my research advisor Prof. Miriam Leeser who I have been working with for the last six years. Several projects are successfully finished with the help of her, including open-source variable precision floating point library, side-channel analysis and countermeasure and privacy-preserving computation using FPGA overlays. Looking back, I am deeply thankful for all the time that Prof. Leeser spends on my projects. She is very knowledgeable in many areas and so helpful that she does not hold back any things to help me improve. She comes up with insightful ideas during every one-on-one meeting. She is always there to help me. Words are powerless to express my gratitude to her. I am very thankful that Prof. Stratis Ioannidis is my co-advisor for this project. He is an expert on secure function evaluation and has made significant contributions to the garbled circuit platforms including GraphSC and applications in data mining. Exploring.
Load more

Recommended publications
  • A Fast and Verified Software Stackfor Secure Function Evaluation
    Session I4: Verifying Crypto CCS’17, October 30-November 3, 2017, Dallas, TX, USA A Fast and Verified Software Stack for Secure Function Evaluation José Bacelar Almeida Manuel Barbosa Gilles Barthe INESC TEC and INESC TEC and FCUP IMDEA Software Institute, Spain Universidade do Minho, Portugal Universidade do Porto, Portugal François Dupressoir Benjamin Grégoire Vincent Laporte University of Surrey, UK Inria Sophia-Antipolis, France IMDEA Software Institute, Spain Vitor Pereira INESC TEC and FCUP Universidade do Porto, Portugal ABSTRACT as OpenSSL,1 s2n2 and Bouncy Castle,3 as well as prototyping We present a high-assurance software stack for secure function frameworks such as CHARM [1] and SCAPI [31]. More recently, a evaluation (SFE). Our stack consists of three components: i. a veri- series of groundbreaking cryptographic engineering projects have fied compiler (CircGen) that translates C programs into Boolean emerged, that aim to bring a new generation of cryptographic proto- circuits; ii. a verified implementation of Yao’s SFE protocol based on cols to real-world applications. In this new generation of protocols, garbled circuits and oblivious transfer; and iii. transparent applica- which has matured in the last two decades, secure computation tion integration and communications via FRESCO, an open-source over encrypted data stands out as one of the technologies with the framework for secure multiparty computation (MPC). CircGen is a highest potential to change the landscape of secure ITC, namely general purpose tool that builds on CompCert, a verified optimizing by improving cloud reliability and thus opening the way for new compiler for C. It can be used in arbitrary Boolean circuit-based secure cloud-based applications.
    [Show full text]
  • Week 1: an Overview of Circuit Complexity 1 Welcome 2
    Topics in Circuit Complexity (CS354, Fall’11) Week 1: An Overview of Circuit Complexity Lecture Notes for 9/27 and 9/29 Ryan Williams 1 Welcome The area of circuit complexity has a long history, starting in the 1940’s. It is full of open problems and frontiers that seem insurmountable, yet the literature on circuit complexity is fairly large. There is much that we do know, although it is scattered across several textbooks and academic papers. I think now is a good time to look again at circuit complexity with fresh eyes, and try to see what can be done. 2 Preliminaries An n-bit Boolean function has domain f0; 1gn and co-domain f0; 1g. At a high level, the basic question asked in circuit complexity is: given a collection of “simple functions” and a target Boolean function f, how efficiently can f be computed (on all inputs) using the simple functions? Of course, efficiency can be measured in many ways. The most natural measure is that of the “size” of computation: how many copies of these simple functions are necessary to compute f? Let B be a set of Boolean functions, which we call a basis set. The fan-in of a function g 2 B is the number of inputs that g takes. (Typical choices are fan-in 2, or unbounded fan-in, meaning that g can take any number of inputs.) We define a circuit C with n inputs and size s over a basis B, as follows. C consists of a directed acyclic graph (DAG) of s + n + 2 nodes, with n sources and one sink (the sth node in some fixed topological order on the nodes).
    [Show full text]
  • Reusable Garbled Gates for New Fully Homomorphic Encryption Service Xu an Wang* Fatos Xhafa Jianfeng Ma Yunfei Cao and Dianhua T
    Int. J. Web and Grid Services, Vol. X, No. Y, XXXX Reusable garbled gates for new fully homomorphic encryption service Xu An Wang* School of Telecommunications Engineering, Xidian University, Xi’an, China and Key Laboratory of Information and Network Security, Engineering University of Chinese Armed Police Force, Xi’an, China Email: [email protected] *Corresponding author Fatos Xhafa Department of Computer Science, Technical University of Catalonia, Barcelona, Spain Email: [email protected] Jianfeng Ma School of Cyber Engineering, Xidian University, Shaanxi, China Email: [email protected] Yunfei Cao and Dianhua Tang Science and Technology on Communication Security Laboratory, Chengdu, China Email: [email protected] Email: [email protected] Abstract: In this paper, we propose a novel way to provide a fully homomorphic encryption service, namely by using garbled circuits. From a high level perspective, Garbled circuits and fully homomorphic encryption, both aim at implementing complex computation on ciphertexts. We define a new cryptographic primitive named reusable garbled gate, which comes from the area of garbled circuits, then based on this new primitive we show that it is very easy to construct a fully homomorphic encryption. However, the instantiation of reusable garbled gates is rather difficult, in fact, we can only instantiate this new primitive based on indistinguishable obfuscation. Furthermore, reusable garbled gates can be a core component for constructing the reusable garbled circuits, which can reduce the communication complexity Copyright © 200X Inderscience Enterprises Ltd. X.A. Wang et al. of them from O(n) to O(1). We believe that reusable garbled gates promise a new way to provide fully homomorphic encryption and reusable garbled circuits service fast.
    [Show full text]
  • Rigorous Cache Side Channel Mitigation Via Selective Circuit Compilation
    RiCaSi: Rigorous Cache Side Channel Mitigation via Selective Circuit Compilation B Heiko Mantel, Lukas Scheidel, Thomas Schneider, Alexandra Weber( ), Christian Weinert, and Tim Weißmantel Technical University of Darmstadt, Darmstadt, Germany {mantel,weber,weissmantel}@mais.informatik.tu-darmstadt.de, {scheidel,schneider,weinert}@encrypto.cs.tu-darmstadt.de Abstract. Cache side channels constitute a persistent threat to crypto implementations. In particular, block ciphers are prone to attacks when implemented with a simple lookup-table approach. Implementing crypto as software evaluations of circuits avoids this threat but is very costly. We propose an approach that combines program analysis and circuit compilation to support the selective hardening of regular C implemen- tations against cache side channels. We implement this approach in our toolchain RiCaSi. RiCaSi avoids unnecessary complexity and overhead if it can derive sufficiently strong security guarantees for the original implementation. If necessary, RiCaSi produces a circuit-based, hardened implementation. For this, it leverages established circuit-compilation technology from the area of secure computation. A final program analysis step ensures that the hardening is, indeed, effective. 1 Introduction Cache side channels are unintended communication channels of programs. Cache- side-channel leakage might occur if a program accesses memory addresses that depend on secret information like cryptographic keys. When these secret-depen- dent memory addresses are loaded into a shared cache, an attacker might deduce the secret information based on observing the cache. Such cache side channels are particularly dangerous for implementations of block ciphers, as shown, e.g., by attacks on implementations of DES [58,67], AES [2,11,57], and Camellia [59,67,73].
    [Show full text]
  • Reusable Garbled Circuit Implementation of AES to Avoid Power Analysis Attacks Venkata Lakshmi Sudheera Bommakanti Clemson University
    Clemson University TigerPrints All Theses Theses 8-2017 Reusable Garbled Circuit Implementation of AES to Avoid Power Analysis Attacks Venkata Lakshmi Sudheera Bommakanti Clemson University Follow this and additional works at: https://tigerprints.clemson.edu/all_theses Recommended Citation Bommakanti, Venkata Lakshmi Sudheera, "Reusable Garbled Circuit Implementation of AES to Avoid Power Analysis Attacks" (2017). All Theses. 2751. https://tigerprints.clemson.edu/all_theses/2751 This Thesis is brought to you for free and open access by the Theses at TigerPrints. It has been accepted for inclusion in All Theses by an authorized administrator of TigerPrints. For more information, please contact [email protected]. Reusable Garbled Circuit Implementation of AES to Avoid Power Analysis Attacks A Thesis Presented to the Graduate School of Clemson University In Partial Fulfillment of the Requirements for the Degree Master of Science Electrical Engineering by Venkata Lakshmi Sudheera Bommakanti August 2017 Accepted by: Dr. Richard Brooks, Committee Chair Dr. Richard Groff Dr. Rajendra Singh Abstract Unintended side-channel leaks can be exploited by attackers and achieved quickly, and using relatively inexpensive equipment. Cloud providers aren’t equipped to provide assurances of security against such attacks. One most well- known and effective of the side-channel attack is on information leaked through power consumption. Differential Power Analysis (DPA) can extract a secret key by measuring the power used while a device is executing the any algorithm. This research explores the susceptibility of current implementations of Circuit Garbling to power analysis attacks and a simple variant to obfuscate functionality and randomize the power consumption reusing the garbling keys and the garbled gates.
    [Show full text]
  • Probabilistic Boolean Logic, Arithmetic and Architectures
    PROBABILISTIC BOOLEAN LOGIC, ARITHMETIC AND ARCHITECTURES A Thesis Presented to The Academic Faculty by Lakshmi Narasimhan Barath Chakrapani In Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in the School of Computer Science, College of Computing Georgia Institute of Technology December 2008 PROBABILISTIC BOOLEAN LOGIC, ARITHMETIC AND ARCHITECTURES Approved by: Professor Krishna V. Palem, Advisor Professor Trevor Mudge School of Computer Science, College Department of Electrical Engineering of Computing and Computer Science Georgia Institute of Technology University of Michigan, Ann Arbor Professor Sung Kyu Lim Professor Sudhakar Yalamanchili School of Electrical and Computer School of Electrical and Computer Engineering Engineering Georgia Institute of Technology Georgia Institute of Technology Professor Gabriel H. Loh Date Approved: 24 March 2008 College of Computing Georgia Institute of Technology To my parents The source of my existence, inspiration and strength. iii ACKNOWLEDGEMENTS आचायातर् ्पादमादे पादं िशंयः ःवमेधया। पादं सॄचारयः पादं कालबमेणच॥ “One fourth (of knowledge) from the teacher, one fourth from self study, one fourth from fellow students and one fourth in due time” 1 Many people have played a profound role in the successful completion of this disser- tation and I first apologize to those whose help I might have failed to acknowledge. I express my sincere gratitude for everything you have done for me. I express my gratitude to Professor Krisha V. Palem, for his energy, support and guidance throughout the course of my graduate studies. Several key results per- taining to the semantic model and the properties of probabilistic Boolean logic were due to his brilliant insights.
    [Show full text]
  • Improved Garbled Circuit: Free XOR Gates and Applications
    Improved Garbled Circuit: Free XOR Gates and Applications Vladimir Kolesnikov1 and Thomas Schneider2? 1 Bell Laboratories, 600 Mountain Ave. Murray Hill, NJ 07974, USA [email protected] 2 Horst G¨ortzInstitute for IT-Security, Ruhr-University Bochum, Germany [email protected] Abstract. We present a new garbled circuit construction for two-party secure function evaluation (SFE). In our one-round protocol, XOR gates are evaluated \for free", which results in the corresponding improvement over the best garbled circuit implementations (e.g. Fairplay [19]). We build permutation networks [26] and Universal Circuits (UC) [25] almost exclusively of XOR gates; this results in a factor of up to 4 im- provement (in both computation and communication) of their SFE. We also improve integer addition and equality testing by factor of up to 2. We rely on the Random Oracle (RO) assumption. Our constructions are proven secure in the semi-honest model. 1 Introduction Two-party general secure function evaluation (SFE) allows two parties to evalu- ate any function on their respective inputs x and y, while maintaining privacy of both x and y. SFE is (justifiably) a subject of immense amount of research, e.g. [27,28,17]. Efficient SFE algorithms enable a variety of electronic transactions, previously impossible due to mutual mistrust of participants. Examples include auctions [21,6,8,4], contract signing [7], distributed database mining [12,16], etc. As computation and communication resources have increased, SFE has become truly practical for common use. Fairplay [19] is a full-fledged implementation of generic two-party SFE with malicious players.
    [Show full text]
  • Reaction Systems and Synchronous Digital Circuits
    molecules Article Reaction Systems and Synchronous Digital Circuits Zeyi Shang 1,2,† , Sergey Verlan 2,† , Ion Petre 3,4 and Gexiang Zhang 1,∗ 1 School of Electrical Engineering, Southwest Jiaotong University, Chengdu 611756, Sichuan, China; [email protected] 2 Laboratoire d’Algorithmique, Complexité et Logique, Université Paris Est Créteil, 94010 Créteil, France; [email protected] 3 Department of Mathematics and Statistics, University of Turku, FI-20014, Turku, Finland; ion.petre@utu.fi 4 National Institute for Research and Development in Biological Sciences, 060031 Bucharest, Romania * Correspondence: [email protected] † These authors contributed equally to this work. Received: 25 March 2019; Accepted: 28 April 2019 ; Published: 21 May 2019 Abstract: A reaction system is a modeling framework for investigating the functioning of the living cell, focused on capturing cause–effect relationships in biochemical environments. Biochemical processes in this framework are seen to interact with each other by producing the ingredients enabling and/or inhibiting other reactions. They can also be influenced by the environment seen as a systematic driver of the processes through the ingredients brought into the cellular environment. In this paper, the first attempt is made to implement reaction systems in the hardware. We first show a tight relation between reaction systems and synchronous digital circuits, generally used for digital electronics design. We describe the algorithms allowing us to translate one model to the other one, while keeping the same behavior and similar size. We also develop a compiler translating a reaction systems description into hardware circuit description using field-programming gate arrays (FPGA) technology, leading to high performance, hardware-based simulations of reaction systems.
    [Show full text]
  • Garbled Protocols and Two-Round MPC from Bilinear Maps
    58th Annual IEEE Symposium on Foundations of Computer Science Garbled Protocols and Two-Round MPC from Bilinear Maps Sanjam Garg Akshayaram Srinivasan Dept. of Computer Science Dept. of Computer Science University of California, Berkeley University of California, Berkeley Berkeley, USA Berkeley, USA Email: [email protected] Email: [email protected] Abstract—In this paper, we initiate the study of garbled (OT) protocol [57], [2], [51], [40] gives an easy solution to protocols — a generalization of Yao’s garbled circuits construc- the problem of (semi-honest) two-round secure computation tion to distributed protocols. More specifically, in a garbled in the two-party setting. However, the same problem for protocol construction, each party can independently generate a garbled protocol component along with pairs of input the multiparty setting turns out to be much harder. Beaver, labels. Additionally, it generates an encoding of its input. The Micali and Rogaway [7] show that garbled circuits can be evaluation procedure takes as input the set of all garbled used to realize a constant round multi-party computation protocol components and the labels corresponding to the input protocol. However, unlike the two-party case, this protocol encodings of all parties and outputs the entire transcript of the is not two rounds. distributed protocol. We provide constructions for garbling arbitrary protocols A. Garbled Protocols based on standard computational assumptions on bilinear maps (in the common random string model). Next, using In this paper, we introduce a generalization of Yao’s garbled protocols we obtain a general compiler that compresses construction from circuits to distributed protocols. We next any arbitrary round multiparty secure computation protocol elaborate on (i) what it means to garble a protocol, (ii) why into a two-round UC secure protocol.
    [Show full text]
  • Private Set Intersection: Are Garbled Circuits Better Than Custom Protocols?
    Private Set Intersection: Are Garbled Circuits Better than Custom Protocols? Yan Huang David Evans Jonathan Katz University of Virginia University of Maryland http://MightBeEvil.org Abstract PSI for post-processing). Many other examples are pro- vided by De Cristofaro et al. [9]. Cryptographic protocols for Private Set Intersection (PSI) Because of its importance and wide applicability, many are the basis for many important privacy-preserving ap- protocols for PSI and its variants have been proposed [7– plications. Over the past few years, intensive research has 11, 14, 15, 20, 24]. All these works develop custom PSI been devoted to designing custom protocols for PSI based protocols using asymmetric cryptography, usually with on homomorphic encryption and other public-key tech- the explicit remark that they do so because solving PSI niques, apparently due to the belief that solutions using via generic techniques (such as garbled-circuit proto- 1 generic approaches would be impractical. This paper ex- cols [39]) would be impractical. However, this claim has plores the validity of that belief. We develop three classes never been substantiated. of protocols targeted to different set sizes and domains, all The belief that generic techniques for solving PSI are based on Yao’s generic garbled-circuit method. We then inefficient may stem from several factors: a general feel- compare the performance of our protocols to the fastest ing that generic protocols are inherently slow and that custom PSI protocols in the literature. Our results show garbled circuits do not scale, or perhaps the belief that that a careful application of garbled circuits leads to solu- computing the intersection of two sets of size n requires tions that can run on million-element sets on typical desk- Q(n2)-size circuits since all pairs of elements must be tops, and that can be competitive with the fastest custom compared.
    [Show full text]
  • SOTERIA: in Search of Efficient Neural Networks for Private Inference
    SOTERIA: In Search of Efficient Neural Networks for Private Inference Anshul Aggarwal, Trevor E. Carlson, Reza Shokri, Shruti Tople National University of Singapore (NUS), Microsoft Research {anshul, trevor, reza}@comp.nus.edu.sg, [email protected] Abstract paper, we focus on private computation of inference over deep neural networks, which is the setting of machine learning-as- ML-as-a-service is gaining popularity where a cloud server a-service. Consider a server that provides a machine learning hosts a trained model and offers prediction (inference) ser- service (e.g., classification), and a client who needs to use vice to users. In this setting, our objective is to protect the the service for an inference on her data record. The server is confidentiality of both the users’ input queries as well as the not willing to share the proprietary machine learning model, model parameters at the server, with modest computation and underpinning her service, with any client. The clients are also communication overhead. Prior solutions primarily propose unwilling to share their sensitive private data with the server. fine-tuning cryptographic methods to make them efficient We consider an honest-but-curious threat model. In addition, for known fixed model architectures. The drawback with this we assume the two parties do not trust, nor include, any third line of approach is that the model itself is never designed to entity in the protocol. In this setting, our first objective is to operate with existing efficient cryptographic computations. design a secure protocol that protects the confidentiality of We observe that the network architecture, internal functions, client data as well as the prediction results against the server and parameters of a model, which are all chosen during train- who runs the computation.
    [Show full text]
  • Reducing Garbled Circuit Size While Preserving Circuit Gate Privacy ⋆
    Reducing Garbled Circuit Size While Preserving Circuit Gate Privacy ? Yongge Wang1 and Qutaibah m. Malluhi2 1 Department of SIS, UNC Charlotte, USA [email protected] 2 Department of CS, Qatar University, Qatar [email protected] Abstract. Yao's garbled circuits have been extensively used in Secure Function Evaluations (SFE). Several improvements have been proposed to improve the efficiency of garbled circuits. Kolesnikov and Schneider (2008) proposed the free-XOR technique. Naor, Pinkas, and Sumner (1999) introduced garbled row-reduction technique GRR3 to reduce each garbled gate to three ciphertexts, Pinkas et al (2009) proposed GRR2, and Zahur, Rosulek, and Evans (2015) introduced a half-gates technique to design free-XOR compatible GRR2. The GRR2, half-gates, and free- XOR garbling schemes improve efficiency by leaking locations of XOR gates in the circuit. This kind of information leakage is acceptable for SFE protocols though it maybe be unacceptable for other protocols such as Private Function Evaluation (PFE). For example, these techniques could not be used to improve the efficiency of existing non-universal- circuit-based constant round PFE protocols. The first result of this paper is a Gate Privacy preserving Garbled Row Reduction technique GPGRR2 for designing garbled circuits with at most two ciphertexts for each gar- bled gate. Compared with state-of-the-art gate-privacy-preserving gar- bling scheme GRR3, the scheme GPGRR2 reduces the garbled circuit size by a factor of at least 33%. The second result is the design of a linear (over integers) garbling scheme to garble a single odd gate to one ciphertext. Zahur, Rosulek, and Evans (2015) proved that a linear gar- bling scheme garbles each odd gate to at least 2 ciphertexts.
    [Show full text]