sign in sign up
<<
Home , Antoine Joux, Garbled circuit

58th Annual IEEE Symposium on Foundations of Computer Science

Garbled Protocols and Two-Round MPC from Bilinear Maps

Sanjam Garg Akshayaram Srinivasan Dept. of Computer Science Dept. of Computer Science University of California, Berkeley University of California, Berkeley Berkeley, USA Berkeley, USA Email: [email protected] Email: [email protected]

Abstract—In this paper, we initiate the study of garbled (OT) protocol [57], [2], [51], [40] gives an easy solution to protocols — a generalization of Yao’s garbled circuits construc- the problem of (semi-honest) two-round secure computation tion to distributed protocols. More specifically, in a garbled in the two-party setting. However, the same problem for protocol construction, each party can independently generate a garbled protocol component along with pairs of input the multiparty setting turns out to be much harder. Beaver, labels. Additionally, it generates an encoding of its input. The Micali and Rogaway [7] show that garbled circuits can be evaluation procedure takes as input the set of all garbled used to realize a constant round multi-party computation protocol components and the labels corresponding to the input protocol. However, unlike the two-party case, this protocol encodings of all parties and outputs the entire transcript of the is not two rounds. distributed protocol. We provide constructions for garbling arbitrary protocols A. Garbled Protocols based on standard computational assumptions on bilinear maps (in the common random string model). Next, using In this paper, we introduce a generalization of Yao’s garbled protocols we obtain a general compiler that compresses construction from circuits to distributed protocols. We next any arbitrary round multiparty secure computation protocol elaborate on (i) what it means to garble a protocol, (ii) why into a two-round UC secure protocol. Previously, two-round this notion is interesting, and (iii) if we can realize this multiparty secure computation protocols were only known notion. assuming witness encryption or learning-with errors. Benefiting from our generic approach we also obtain protocols (i) for What does it mean to garble a protocol? Consider an the setting of random access machines (RAM programs) while arbitrary protocol Φ over n-parties P1,...,Pn with inputs keeping communication and computational costs proportional x1,...,xn, respectively. Just as in garbled circuits, a garbled to running times, while (ii) making only a black-box use of protocol construction allows each party Pi to independently the underlying group, eliminating the need for any expensive generate a garbled protocol component Φi along with input non-black-box group operations. Our results are obtained { i i } by a simple but powerful extension of the non-interactive labels labj,0, labj,1 . However, now the party Pi addition- zero-knowledge proof system of Groth, Ostrovsky and Sahai ally generates an input encoding xi. Correctness requires { } [Journal of ACM, 2012]. that the set of all garbled protocol components Φi i∈[n] Keywords-Circuit Garbling, Bilinear Maps, Universal Com- and the set of labels corresponding to the input encodings { i } ··· posability of all parties labj,zj i∈[n],j∈[|z|] where z := x1 xn can be used to generate the entire transcript of the protocol I. INTRODUCTION Φ. Detailing the security guarantee, we require the existence ⊆ Yao’s garbled circuits [60] (also see [3], [47], [9]) are of an efficient simulator Sim such that for any set H [n] { } enormously useful in . In a nutshell, Yao’s of honest parties and inputs xi i∈[n] of the parties we have construction on input a circuit C generates a garbled circuit that { } i c C along with input labels labi,0, labi,1 such that C and {Φ˜ , lab   , x } ∈ ≈ Sim(H, Φ(x ,...x ), {x } ∈ ) { } i x1 ... xn i i [n] 1 n i i H labi,xi can be used to compute C(x) and nothing more. c Over the years, Yao’s construction has found numerous where ≈ denotes computational indistinguishability and applications (to name a few [1], [7], [21], [43], [32]) and Φ(x1,...,xn) denotes the transcript of Φ. several extensions [29], [4], [49] have been investigated. Why consider Garbled Protocols? We illustrate the Furthermore, in light of their usefulness, substantial research power of garbled protocols by showing how they can be has been invested to improve the practical efficiency of these used to realize a two-round (semi-honest) multiparty secure constructions [7], [46], [55], [8], [45], [61], [39]. computation protocol. Looking ahead, our protocol is anal- Garbled circuits, while tremendously useful in the two- ogous to the construction of two-round, two party secure party setting, when used in the multiparty setting lead to computation protocol using garbled circuits. comparatively inferior solutions. For example, Yao’s garbled Take any n-party secure computation protocol Φ and let circuits along with a two-round 1-out-of-2 x1,...,xn be the respective inputs of the parties. Each party

0272-5428/17 $31.00 © 2017 IEEE 588 DOI 10.1109/FOCS.2017.60 OT { i i } any arbitrary round (malicious secure) protocol Φ starts by independently generating Φi, labj,0, labj,1 , xi . In the first round, each party distributes the generated values in the OT-hybrid model into a two-round UC secure protocol against static adversaries while only making xi to every other party. On receiving the first messages of all other parties, each party sends its second round message black box use of the underlying group. i Instantiating, this new compiler with an information Φ , {lab } (with z := x ···x ) to every other party. i j,zj 1 n theoretic protocol in the OT-hybrid model [44], [41] Finally, by correctness of garbled protocols we have that yields a two-round multiparty computation protocol each party can locally execute the garbled protocol to obtain based on bilinear maps while avoiding expensive non- the output from the transcript Φ(x1,...xn). On the other black-box use of the underlying group.3 hand, the security of the garbled protocols and Φ ensure - Extension to RAM programs: Instantiating the above that nothing else beyond the output is leaked. compilers with appropriate multi-party secure compu- Can we garble protocols? Our main result is a garbled tation protocols for RAM programs [53], [33], we also protocols construction based on standard computational as- obtain the first two-round multiparty secure RAM com- sumptions on bilinear maps [12], [42]. A bit more precisely: putation protocol (and its black-box version) without Informal Theorem. Assuming the subgroup decision as- first converting the RAM program to a circuit based on sumption or the decision linear assumption on groups with standard techniques [19], [56]. bilinear maps there exists a garbled protocol construction We note that the multi-key fully-homomorphic encryp- (in the common reference string model). tion [5], [48], [18], [50], [54], [15] based two-round se- cure computation techniques do not work for the setting We also show a modification of this construction such that of RAM programs. This is because fully-homomorphic it makes only black-box use of the underlying group and encryption techniques need interaction for disclosing avoids any expensive non-black-box group operations. what locations are accessed by the oblivious RAM B. Applications to Two-Round Multiparty Secure Computa- programs.4 On the other hand, our use of garbled tion protocols does not suffer from this limitation.5

Using the above primitive, we obtain a general compiler II. TECHNICAL OVERVIEW that converts an arbitrary (polynomial) round (semi-honest) At the heart of our garbled protocols construction is multi-party secure computation protocol into a two-round a simple but powerful extension of homomorphic proof UC secure [16] protocol against static adversaries. Previ- commitments scheme. This primitive was first considered by ously, such compilers [22], [34] were known under stronger Groth, Ostrovsky and Sahai [36] who used it to realize a non- computational assumptions such as indistinguishability ob- interactive zero-knowledge proof system based on bilinear fuscation [6], [23] or witness encryption [24].1 maps. Below we start by (i) recalling GOS construction Furthermore, instantiating this compiler with any multi- of homomorphic proof commitments, (ii) how we augment party secure computation protocol (e.g., the one by Gol- them, and (iii) use them to realize garbled protocols. Finally dreich, Micali, and Wigderson [30]) we obtain the first we give details on how to obtain two round, secure mul- two-round multiparty computation protocol based on bilin- tiparty computation protocol making black-box use of the ear maps. Prior to this work, constructions of two-round underlying group. multiparty computation protocols [50], [54], [15] were only known based on lattice assumptions such as the learning- A. Starting Point: Homomorphic Proof Commitments 2 with-errors [58]. We also obtain the following extensions: A homomorphic proof commitment scheme is a (non- - Black-Box Use of the Group: With the goal of obtain- interactive) commitment scheme com that supports homo- ing a two-round multiparty computation protocol that morphic operations and provides some additional proof makes black-box use of the underlying cryptographic properties. In particular, it is additively homomorphic, i.e., primitives, we modify our compiler from above. More com(b0 + b1; r0 + r1)=com(b0; r0) · com(b1; r1) where the specifically, building on the non-interactive OT pro- message space is over Zp. Furthermore, given a commitment tocol of Bellare and Micali [10] (based on the CDH assumption [20]), we obtain a compiler that converts 3However, unlike our non black-box protocol, the length of the common reference string of our black-box construction grows linearly with the 1 number of parties. We note that the recent constructions of lockable obfuscation [35], [59] 4 based on standard assumptions such as learning with errors is insufficient An oblivious RAM program is a RAM program compiled with an to obtain such a compiler since these works assume that the lock value has oblivious RAM scheme [52], [31]. 5 some min-entropy. Another approach would be to use garbled RAM [49], [28], [27], [26] 2In two recent works, Boyle et al. [13], [14] also obtain constructions of However, those constructions suffer from the same limitation as Yao’s two-round multiparty computation based on DDH. However, their results garbled circuits in terms of supporting multiparty protocols. Specifically, are applicable only for the setting of constant number of parties — a special garbled RAM can be used to construct two-round two-party secure compu- case of our result. Also, they assume the need for public-key infrastructure tation protocol, but the multiparty protocol is only (larger than two) constant while we just assume a common reference string. rounds [49], [25].

589 c = com(b; r), the corresponding committed value b and hr or ghr then either c or cg−1 have order 1 or q (when h randomness r, a prover can generate a NIZK proof proving is chosen in the binding mode). This is ensured by checking that b ∈{0, 1} without leaking anything else about the value if e(h, π)=e(c, cg−1). b. B. New Technical Tool: Homomorphic Proof Commitments GOS show that homomorophic proof commitments can be with Encryption used to generate NIZK proofs for arbitrary NP-statements. This is done in two steps: Armed with the above understanding of homomorphic proof commitments, we now explain how to augment them 1) First, GOS show that given three commitments c = 0 to support an encryption, decryption functionality. Specifi- com(b ; r ),c = com(b ; r ), and c = com(b ; r ) 0 0 1 1 1 2 2 2 cally, an encryptor given a commitment c and a message msg a prover given b ,b ,b and r ,r ,r can generate a 0 1 2 0 1 2 can generate a ciphertext that can be efficiently decrypted NIZK proof proving that b = NAND(b ,b ). This, 2 0 1 using a proof π certifying the fact that c is a commitment in fact, can be done very simply by just proving that to 0 or 1. Our security requirement is that if c is not a each one of b ,b ,b and b +b +2b −2 is in {0, 1}. 0 1 2 0 1 2 commitment to 0 or 1 then semantic security holds, i.e., for In other words, the prover generates a proof showing  2 all msg, msg encryptions of msg are indistinguishable from that each one c ,c ,c and c · c · c · com(−2; 0)  0 1 2 0 1 2 encryptions of msg . Note that if c is not a commitment to 0 is commitments to a value in {0, 1}. Looking at the or 1 then the prover cannot generate a proof certifying this table of a NAND gate (as GOS prove), it is not too fact. We call this primitive a homomorphic proof commit- hard to prove that these conditions are simultaneously ment with encryption. A careful reader might have noticed satisfied if and only if values b = NAND(b ,b ). 2 0 1 that the security provided by a homomorphic proof commit- 2) Using the above trick, Groth et al. provide NIZK ment with encryption is very similar to the security guarantee proofs for arbitrary NP-statements by converting them of a witness encryption [24]. Indeed, homomorphic proof to a circuit SAT instance. More specifically, given commitment with encryption is a witness encryption scheme a circuit C composed entirely of NAND gates, a for a special language. prover can prove that ∃wit such that C(wit)=1. The Next, we describe how the above abstract notion can be prover achieves this as follows: it commits to the value realized. An elegant aspect of our work is that this augmen- assigned to every wire of the circuit C on input wit tation to the homomorphic proof commitments of GOS can and proves that (i) each of the committed values is in be done without changing their construction. The encryption {0, 1}, (ii) each NAND gate in C has been computed procedure on input a commitment c = gmhr and a message correctly, and (iii) the output of the circuit is 1. − msg essentially outputs the ciphertext (hs,e(cs,cg 1)·msg) 8 Now, we very briefly describe how the GOS construction for a randomly chosen s ← Zn. To decrypt this ciphertext works in the setting of composite order groups with bilinear using a proof π =(g2m−1hr)r, compute e(hs,π) and maps. GOS commitments are generated with respect to a use it to unmask the message msg. The key idea while commitment key which can either be in the binding mode proving security is that when h is chosen in the binding or in the hiding mode and keys generated in the two modes mode, hs “loses” some information about s — specifically, are computationally indistinguishable.6 The commitment key s mod p is uniformly distributed even given hs. Further- ck consists of a description of a source group G (of order more, this entropy in s is transferred to the masking factor G G×G → G s −1 s sm(m−1) n = pq), a target group T , a bilinear map e : T e(c ,cg )=e(h ,π)e(g, g) when m is not 0 or and a group element h. In the binding mode, h is chosen 1. This allows us to argue that the message msg remains 7 G randomly from the subgroup q and in the hiding mode h hidden. is chosen randomly from G. The commitment keys in the two modes are indistinguishable from the sub-group decision C. Realizing Garbled Protocols assumption. The commitment c to a message m ∈ Zp In this subsection we highlight the key challenge in using randomness r is given by gmhr. When h is chosen constructing garbled protocols for the multiparty setting and randomly from G, c information theoretically hides m and how homomorphic proof commitments with encryption can when h is chosen from the sub-group Gq there exists unique be used to overcome this barrier. m r (m, r) ∈ Zp × Zn such that c = g h . The homomorphic The key challenge. With the goal of explaining the property is easy to observe. The proof π certifying that c challenge involved, we start by considering garbled protocols is a commitment to 0 or 1 is given by (g2m−1hr)r. The in the easy case of two parties. We will focus only on verification procedure relies on fact that if c is of the form how P1 generates its garbled protocol components as the components generated by P2 will be analogous. For the 6In particular, the commitments generated using the binding key are case of two parties, P1 can just garble the next message perfectly binding whereas the ones generated using the hiding key are perfectly hiding. 8The actual construction uses a strong randomness extractor and we avoid 7Recall that Gq is a sub-group of G with order q this in the informal overview.

590 functions of the protocol Φ (using Yao’s garbled circuits) writes the computed bit to its state. The inputs to the NAND and send them over to the P2. The only issue with this gate are given by the bits in the indices f and g of the local approach is how does P1’s garbled next message functions state of Pi∗ . Additionally, for a (pre-determined) subset of ∗ read the messages generated by P2 in the execution of Φ. rounds Bi∗ ⊆{t ∈ [T ]:(i , ·, ·)=Φi(t)}, Pi∗ outputs the A natural idea is to have P2 commit to its input x2 (and computed bit to other parties. In this case, all the parties also its randomness in case Φ is a randomized protocol) in copy this bit to their state. its input encoding x˜2 which will then be hard-coded inside We note that any protocol can be compiled to follow the garbled next-message functions. Next, P1 can generate this format at an additional cost of increasing the round garblings of next message functions in a manner so that complexity by a polynomial factor. P would be able to evaluate those garblings as long as it Garbling Scheme for Protocols. The garbled protocol 2 can prove to P1’s garbled circuit that it has been generating component Φi generated by Pi consists of a sequence of its own messages consistent with the committed input x2. T garbled circuits and a set of labels for evaluating the At a very high level this can be achieved by letting P1’s first garbled circuit in the sequence. These garbled circuits garbled next message functions output ciphertexts containing have a special structure, namely, the tth garbled circuit in th encryptions of certain labels that P2 can decrypt only if it the sequence outputs the labels for evaluating the (t +1) has been generating its own messages correctly. garbled circuit and thus starting from the first garbled circuit However, the techniques from the literature for doing we can execute every garbled circuit in the sequence. At th this based on standard assumptions involve P2’s secret state a high level, the t garbled circuit corresponds to the th in the decryption step. Consequently, these techniques fail computation done by party Pi in the t round of the even for the three party setting because the third party, say, protocol Φ. In a bit more details, the tth garbled circuit takes − P3 does not have access to P2’s secret state. Gordan et as input the local state obtained after the first t 1 rounds, al. [34] (building on Garg et al. [22]) observe that witness updates the local state and outputs the labels corresponding encryption [24] for NP can be used to solve this problem. to the updated state for evaluating the next garbled circuit. th The idea is: (i) P1 outputs a witness encryption which allows This ensures that at the end of the T evaluation, we can decryption given just a NIZK proof certifying the correctness obtain the transcript of the protocol from the final local state of computation, and (ii) P2 outputs a proof for certifying of party Pi. The encoding of an input xi is given by a set { } this very fact. Next, using the proof, P3 can decrypt P1’s of homomorphic commitments ci,k to each individual bit ciphertext while secrecy of P2’s state is also maintained. of the input xi. In this work, we show that the same intuition can be To look a bit more closely into the working of the tth realized using homomorphic proof commitments with en- garbled circuit, let us assume that Pi is the active party in cryption. However, recall that homomorphic proof com- the tth round. Our assumption on the structure of Φ implies th mitments with encryption are very weak. The encryption that in the t round, Pi has to update its local state by process cannot in “one-shot” verify that P2 generated its computing a NAND of two bits in its current state and write ∈ messages correctly. Instead, our idea for this is that P1 keeps the output to a specific location. Further, if t Bi, Pi has P2 on a “very tight leash,” making sure that P2 computes to communicate this bit to the other parties and the other every NAND gate in the execution of Φ correctly. parties have to copy this bit to their state. In particular, this The rest of this subsection is organized as follows. (1) means that the labels output by the tth garbled circuit in We start by making some assumptions on the structure of every other protocol component Φj for j = i must reflect distributed protocol Φ. We note that these assumptions can this communicated bit. The main technical challenge we be made without loss of generality. (2) Next, we give a solve is in designing a non-interactive method to realize this garbling scheme for such structured protocols. communication and also ensure at the same time that Pi Structure of Φ. Let Φ be a n-party protocol. For the computes each NAND gate correctly. This is done using purposes of this informal overview, we will assume that Φ is homomorphic proof commitment with encryption. Let us deterministic. Let T be the round complexity of the protocol. start with a method to realize the communication. We assume that each party Pi maintains a local state that Recall that by our assumption on Φ, the updated state of is updated at the end of every round. The local state is a every party can only be one of two choices. This choice is function of the input and the set of messages received from determined by the output of the NAND computation done other parties. by the active party. Let the NAND computation done in th At the beginning of the t round, every party Pi runs a round t take as input the bits in positions f and g of the ∗ 9 program Φi on input t to obtain an output (i ,f,g). Here, local state of party Pi. For simplicity, let us assume that f, ∗ i denotes the active party in round t. The active party Pi∗ g correspond to indices where the input of Pi is written. computes one NAND gate on a pair of bits of its state and Let d be a commitment to 0 using some fixed randomness (known to all parties) and let d be a commitment to 1 (again 9 We assume that Φ1(t)=Φ2(t)=...=Φn(t) for every t ∈ [T ]. using some fixed randomness). Applying the GOS trick, we

591 deduce that if the output of the NAND computation is 0 then protocol by making black-box use of a homomorphic proof 2 e0 = ci,f · ci,g · d · com(−2; 0) is a commitment to {0, 1}; commitment with encryption as well as a DDH hard group. 2 else e1 = ci,f · ci,g · d · com(−2; 0) is a commitment to Designing a protocol that makes black-box use of a {0, 1}. Now, we let every other garbled protocol component homomorphic proof commitment with encryption is some- Φj for j = i output two zero-one encryptions: one under the what straightforward. We observe that the proofs and the commitment e0 containing the set of labels of the updated ciphertexts computed within the garbled circuit can in fact state assuming that the communicated bit is 0; and the other be precomputed and hardwired in its description. Later, the under the commitment e1 assuming that the communicated garbled circuit chooses the appropriate pre-computed values bit is 1. The active party outputs a zero-one proof that either based on its inputs. We note that this pre-computation is e0 or e1 is a commitment to a message in {0, 1}. Using possible because the output of each garbled circuit depends this proof, every party can recover the correct set of labels only on a constant number of bits in its input. corresponding to the updated state. We now explain how to obtain a protocol that makes Note that the above described solution reveals the output black-box use of cryptographic operations invoked by Φ. of the NAND gate in the clear to the other parties. This Suppose Φ was an information theoretic secure MPC is necessary for the case where the bit is communicated to then the compiled protocol already makes black-box use other parties but is undesirable if the NAND is an internal of the underlying cryptographic primitives. But information computation as it might reveal some information about the theoretic secure MPC protocols can exist only if a majority secret state of party Pi. On the contrary, every other party of the parties are honest [11] and secure channels are present must somehow ensure that Pi computes this NAND gate between every pair of parties. However, the situation in the correctly. We solve this problem by augmenting the input OT hybrid model is different. There exist constructions of encoding with a commitment to a string of random bits information theoretic protocols tolerating dishonest majority i.e., the input encoding will be a homomorphic commitment and malicious behavior [44], [41] in the OT hybrid model. to every bit of xi ri where ri is a random string. To We will be using such a protocol to design our black-box prove that an internal NAND computation is done correctly, two round MPC. the active party P generates a zero-one proof that either i Let Φ be an information theoretic secure protocol in the e = c ·c ·d2·com(−2; 0) or e = c ·c ·d·com(−2; 0) 0 i,f i,g 1 i,f i,g OT hybrid model tolerating malicious behavior. At a high is a commitment to {0, 1} where d is now a commitment level, our black-box two round MPC protocol generates OT to a random bit generated as a part of the input encoding. d correlations 11 in the first round and later hardwires these denotes the commitment to the flipped bit. Now, a proof that correlations in the garbled circuits to enable Φ perform infor- either e or e contains a commitment to {0, 1} reveals the 0 1 mation theoretic OTs. We now explain how to generate such output of the NAND computation masked with the random OT correlations building on the non-interactive oblivious bit committed in d and hence completely hides the output. transfer by Bellare and Micali [10]. Note that the homomorphic property of the commitment scheme enables every party to efficiently generate d.A Let us first recall the OT protocol of Bellare and Micali downside of this approach is that the size of the input in the common random string model. The crs consists of a random group element X. The sender samples a random encoding grows with the round complexity of Φ. But using a techniques from the recent work of Cho et al. [17], we can exponent a and computes A := g and sends it over to the receiver. The receiver samples a random exponent b and make the size of the input encoding succinct i.e., grow only b with the size of the input. We won’t delve into the details. computes B := g . It then samples a random bit c and − X − X computes C0 := (1 c)B+c( B ) and C1 := cB+(1 c)( B ) and sends them over to A. Notice that by construction of D. Black-Box Two-Round MPC C0 and C1, B knows the discrete log of Cc. The sender on Instantiating the above garbled protocols construction receiving C0 and C1 sets the two random strings (s0,s1) a a b with a semi-honest secure Φ, we obtain a two-round multi- to be (C0 ,C1 ) and the receiver sets (c, sc) to be (c, A ). party computation protocol based on bilinear maps.10 How- Note that assuming the DDH assumption, the other string ever, the protocol makes non-black box use of the underlying s1−c is indistinguishable to a randomly distributed string. homomorphic proof commitment with encryption as well Building on this protocol and additionally using Groth-Sahai as cryptographic operations that Φ might invoke. In this [38] proofs to obtain malicious security, we obtain a two subsection, we explain how to obtain a two-round MPC round MPC protocol making black-box use a homomorphic proof commitment with encryption and a DDH hard group. 10For technical reasons, we need the protocol Φ to be semi-malicious [5]. The semi-malicious security is a generalization of semi-honest security 11 where the adversary is still restricted to follow the protocol but can choose Recall that OT correlations consists of a random pair of strings (s0,s1) its random coins arbitrarily. Note that the protocol described in [30] is provided to the sender and a pair (c, sc) where c is a random bit provided semi-maliciously secure. to the receiver.

592 III. ORGANIZATION case a valid commitment uniquely defines one possible In Section IV we formally define homomorphic proof message. Alternatively, the commitment key can be perfectly commitment with encryption and give a construction based hiding, in which case the commitment reveals no information on sub-group decision assumption. The construction from whatsoever about the message. We require that these two decision linear assumption appears in the full version. In kinds of keys are computationally indistinguishable. Section V, we give the definition of garbling scheme for We will consider commitments, where both the message M R protocols and in Section V-B we give a construction based space ( , +, 0), the randomizer space ( , +, 0) and the C · on any homomorphic proof commitment with encryption. commitment space ( , , 1) are finite abelian groups. The The results on extending garbled protocols to two-round UC commitment scheme should be homomorphic, i.e., for all secure MPC and two-round MPC making black-box use of messages and randomizers we have the underlying group appears in the full version. com(m1 + m2; r1 + r2)=com(m1; r1)com(m2; r2).

IV. HOMOMORPHIC PROOF COMMITMENTS WITH We will require that the message space has a generator ENCRYPTION 1, and also that it has at least order 4. The property that In this section we provide definitions of homomorphic sets homomorphic proof commitments apart from other proof commitments with encryption – namely, a homo- homomorphic commitments, is that there is a way to prove { } morphic proof commitment scheme with some additional that a commitment contains a message belonging 0, 1 . encryption and decryption functionality. We then give con- More precisely, if the key is of the perfect binding type, structions of this primitive based on the sub-group decision. then it is possible to prove that there exists an opening ∈{ }×R The construction from decision linear assumption appears in (m, r) 0, 1 . On the other hand, if it is a per- the full version. fect hiding key, then the proof will be perfectly witness- We recall the definition of homomorphic proof commit- indistinguishable, i.e., it is impossible to tell whether the ments from Groth et al. [37] for realizing non-interactive message is 0 or 1. zero-knowledge proofs. Much of the description below has In the sections that follow, we will use been taken verbatim from Groth et al. [37]. We keep the (Kbinding,Khiding, com,P01,V01) to denote a homomorphic notation identical to Groth et al. [37, Section 3] for the sake proof commitment scheme. We refer the readers to [37] for of a reader familiar with Groth et al. [37]. the formal definition. A homomorphic proof commitment scheme is a non- A. The Definition interactive commitment scheme with some special properties (Kbinding,Khiding, com,P01,V01,E01,D01) is a that we define below. Recall first that in a non-interactive homomorphic proof commitments with encryption if commitment scheme there is a key generator, which gen- (Kbinding,Khiding, com, Topen,P01,V01) is homomorphic erates a public commitment key ck. The commitment key proof commitment and E ,D are PPT algorithms such M R 01 01 ck defines a message space ck, a randomizer space ck that E on input a commitment key ck, a commitment C 01 and a commitment space ck. We will require that the key c = com(ck, m; r) and a message msg outputs a ciphertext generation algorithm is probabilistic polynomial time and ct and D01 given ck, the commitment c, the ciphertext outputs keys of length θ(λ). It will in general be obvious ct and a proof π such that V01(ck,c,π)=1outputs the which key we are using, so we will sometimes omit it in our encrypted message msg. In other words, given a proof π notation. There is an efficient commitment algorithm com such that c is a commitment to a message in {0, 1},we that takes as input the commitment key, a message and a can decrypt the ciphertext ct. Formally, we require that randomizer and outputs a commitment, c = com(m; r).We E01 and D01 satisfy the following correctness and security call (m, r) an opening of c. properties. The commitment scheme must be binding and hiding. • Perfect Correctness. For any ck (in the support of Binding means that it is infeasible to find two openings K ,K ), m ∈{0, 1}, randomness r, and with different messages of the same commitment. Hiding binding hiding proof π generated by P01(ck,m,r) and message msg, means that given a commitment it is infeasible to guess which message is inside the commitment. We want a com- Pr ct ← E01(ck, com(ck, m; r), msg) ∧ D01(ck, ct,π)=msg =1 mitment scheme that has two different flavors of keys. The commitment key can be perfectly binding, in which • Statistical Semantic-Security. For all (possibly un- bounded) adversaries A =(A , A ), 1 2 12We have been a little imprecise in this overview. In order to use · ← λ ←A Groth-Sahai proofs we cannot rely on DDH assumption as GS proofs Pr (ck, ) Kbinding(1 ); (c, msg0, msg1, st) 1(ck); assume the existence of an efficiently computable bilinear map. In the actual b ←{0, 1}; ct ← E (ck, c, msg ):A (ck, ct, st)=b ∧ construction we assume CDH is hard. 01 b 2 1 ∃ m ∈{0, 1},r ∈Rs.t. c = com(ck, m; r) ≤ + negl(λ) 2

593 k (1 ) Encrypt E01(ck, c, msg): Perfectly binding key generation Kbinding : p k log ∈{0 1} 2 1) (p, q, G, GT ,e,g) ←GBGN(1 ). Let n = pq. To encrypt msg , , ∗ px 2) Sample x ← Zq and compute h = g . 1) Choose s ← Zn. ∗ 3) Let ck =(n, G, GT ,e,g,h). 2) Choose v ←{0, 1} as the seed of RandExt. s s − 4) Let xk =(ck, q). 3) Output (v, h , RandExt(v, e(c ,cg 1)) ⊕ 5) Return (ck, xk). msg). (1k) Perfectly hiding key generation Kbinding : Decrypt D01(ck, c, π, ct): k 1) (p, q, G, GT ,e,g) ←GBGN(1 ). Let n = pq. 1) Parse ct as (v, ct1, ct2). ∗ x 2) x ← Zn and compute h = g . 2) Output RandExt(v, e(ct1,π)) ⊕ ct2. 3) Let ck =(n, G, GT ,e,g,h). 4) Let tk =(ck, x) 5) Return (ck, tk) Figure 2. Supplemental Encryption and Decryption. Commitment comck(m): The key ck defines message space Zp, randomizer space Zn and commitment space G. To commit to message m ∈ Zp do Perfect Correctness. Let c = com(ck, m; r) where m ∈ − 1) r ← Zn {0, 1}. Let ct =(v, hs, RandExt(v, e(cs,cg 1))⊕msg) and m r 2) Return comck(m; r)=g h π =(g2m−1hr)r. To prove correctness it is sufficient to ( ) − WI proof P01 ck, m, r : show that e(hs,π)=e(cs,cg 1). Given (m, r) ∈{0, 1}×Zn we make the WI proof m− r r for commitment to 0 or 1 as π =(g2 1h ) . ( ) Verification V01 ck, c, π : s −1 m r m−1 r s To verify a WI proof π of commitment c containing e(c ,cg )=e(g h ,g h ) − − − 2 0 or 1, check e(c, cg 1)=e(h, π). = e(g, g)sm(m 1)e(h, g)sr(m 1)e(g, h)smre(h, h)sr − 2 = e(h, g)sr(m 1)e(g, h)smre(h, h)sr − 2 = e(h, g)sr(2m 1)e(h, h)sr Figure 1. Homomorphic Proof Commitment from sub-group decision s 2m−1 r r taken verbatim from [37] = e(h , (g h ) ) = e(hs,π)

We say that scheme has computational semantic- Statistical Semantic Security. We first prove the follow- security if the above requirement holds only against ing claim. A λ PPT . Claim 4.2: Let (ck, ·) ← Kbinding(1 ). Let S denote the Z B. Construction from Sub-group Decision Assumption random variable uniformly distributed in n. Then S S In this subsection we give a construction of homomor- H∞(e(g, g) |(ck, h )) ≥ log p phic proof commitment with encryption from the sub-group ≡ −1 −1 decision assumption. Proof: Let q1 q mod p and p1 = p mod q.By ∈ Z At a high level, our construction Chinese remainder theorem, any s n can be expressed as ≡ ≡ (K ,K , com,P ,V ,E ,D ) is sqpp1 +spqq1 where sp s mod p and sq s mod q.As binding hiding 01 01 01 01 λ px (ck, ·) ← Kbinding(1 ), therefore we have that h = g for obtained by supplementing the homomorphic proof ∗ 2 ∈ Z ∈ Z s x(sq p p1)modn commitment scheme of Groth et al. [37], namely some x q . Thus, for any s n, h = g . Let S be uniformly distributed in Z . By Chinese re- (Kbinding,Khiding, com,P01,V01) (given in Figure 1) n mainder theorem, S ≡ S mod p and S ≡ S mod q with encryption E01 and decryption D01 operations (given p q are uniform and independent random variables in Zp and in Figure 2). The supplemental encryption/decryption 2 Z S xSq p p1 mod n algorithms make use of a (log p, negl(λ))-strong randomness q respectively. Also, h = g . Therefore, ∗ log p S S extractor RandExt : G ×{0, 1} →{0, 1} 2 . conditioned on fixing h (which fixes Sq) and ck, g is We now show correctness and security of the above still uniformly distributed over a set of size p since Sp is Z S| S ≥ construction. randomly distributed in p. Thus, H∞(e(g, g) (ck, h )) log p. Lemma 4.1: Assuming the subgroup decision assump- Consider a commitment c = com(m; r) such that m ∈ tion, the construction described in Figures 1 and 2 is a {0, 1}. Let S be a random variable uniformly distributed in Z homomorphic proof commitment with encryption. n. Then, we have that − − − 2 Proof: We note that (Kbinding,Khiding, com, e(cS,cg 1)=e(g, g)Sm(m 1)e(hS,g)r(m 1)e(g, hS)mre(h, hS)r P01,V01, Ext) is a homomorphic proof commitment scheme S as argued by Groth et al. [37]. We now prove that (E01,D01) Since m ∈{0, 1}, conditioned on fixing (h ,ck),we − satisfy perfect correctness and statistical semantic-security. infer from Claim 4.2 that H∞(e(cS,cg 1)) ≥ log p.Now,

594 relying on the fact that the output of randomness extractor is where σ ← Setup(1λ) and for each i ∈ [n] we have statistically close to uniform we conclude statistical semantic { i i } ← that (Φi, xi, labj,0, labj,1 ) Garble(σ, i, Φi,xi). security for the scheme.

V. G ARBLING PROTOCOLS B. Construction In this section we give the definition of garbling scheme In this subsection we give a construction of a garbling for protocols and give an instantiation based on a homomor- scheme for protocols from a homomorphic proof com- phic proof commitment with encryption. mitment with encryption and a garbling scheme for cir- cuits (which is implied by the existence of a commitment A. Definition scheme). The main theorem that we prove in this section is: 13 Let Φ be a n-party protocol. Let xi be the input of Theorem 5.2: Assuming the existence of a homomorphic party i and let Φi be the next-message function for party i. proof commitment with encryption there exists a construc- We define the transcript of Φ to be the set of all messages tion of garbling scheme for protocols satisfying Defini- exchanged between parties. The transcript is denoted by tion 5.1. Φ(x ,...,x ) when Φ is run with inputs x ,...,x . The 1 n 1 n Before describing the construction, we give some notation transcript is also assumed to be the output of the protocol. to describe the n-party protocol Φ and make additional Definition 5.1: A Garbling scheme for protocols is a assumptions on the structure of Φ. These assumptions can tuple of algorithms (Setup, Garble, Eval) with the following be made without loss of generality. syntax, correctness and security properties. Notation for Φ. Recall that x denotes the input of party • Setup(1λ):It is a PPT algorithm that takes as input i i and Φ denotes its next message function. We assume that the security parameter (encoded in unary) and outputs i the length of the input of each party is m. Let T be the a reference string σ. round complexity of Φ. • Garble(σ, i, Φ ,x ):It is a PPT algorithm that takes as i i Structure of Φ. We assume that each party P maintains input a reference string σ, the index i of a party, the i a local state that is updated at the end of every round. The next message function Φ and the input x and outputs i i local state is a function of the input, the random tape and – A garbled protocol component of the next Φi the set of messages received from other parties. message function Φi. th At the beginning of the t round, every party Pi runs – An encoding xi (of length e) of the input xi. ∗ 14 i i the program Φi on input t to obtain an output (i ,f,g). – A set of encoding labels {lab , lab } ∈ · for ∗ j,0 j,1 j [n e] Here, i denotes the active party in round t. The active party the input encodings of all parties. ∗ i Pi computes one NAND gate on a pair of bits of its state • Eval({Φ }, {x }, {lab   }):It is a deterministic i i x1 ... xn and writes the computed bit to its state. The inputs to the algorithm that takes as input the set of garbled protocol NAND gate are given by the bits in the indices f and g of { } { } components Φi , a set of input encodings xi and ∗ i the local state of Pi . Additionally, for a (pre-determined) the encoding labels {lab   } corresponding to the ∗ x1 ... xn subset of rounds B ∗ ⊆{t ∈ [T ]:(i , ·, ·)=Φ(t)}, P ∗ i i i input encodings x1 ... xn and outputs a string y or outputs the computed bit to other parties. In this case, all the ⊥ the symbol . parties copy this bit to their state. For the rest of the rounds • Correctness: For every protocol Φ and every set of ∗ where Pi is active, it outputs the computed bit masked with inputs {x }, i a random bit. In those rounds, every other party ignores this ← λ { i i } ← message. Pr σ Setup(1 ); (Φi, xi, labj,0, labj,1 ) To describe this structure more formally, let B := ∪iBi. Garble(σ, i, Φ ,x ) ∀ i ∈ [n]:Φ(x ,...,x )= i i 1 n Let the initial state of the party Pi be ri(xi,si) where i m s { } { } { } xi ∈{0, 1} is the input, si ∈{0, 1} be the random tape Eval( Φi , xi , labx ...xn ) =1 1 T used in the computation of Φ and ri ∈{0, 1} are the • Semi-Honest Security: There exists a PPT algorithm masking bits. We will let ri have the form Sim such that for every protocol Φ, every subset H ⊆ [n] of honest parties and every choice of inputs 0 if k ∈ [T ] ∩ B { } ri,k := xi i∈[n] of the parties we have that: { } ∈ \ uniform in 0, 1 if k [T ] B i c σ, {Φ , x , lab   } ∈ ≈ i i x1 ... xn i [n] We consider ri (xi,si) as the actual input of party Pi. λ { } Sim(1 , Φ,H, xi i∈H , Φ(x1,...,xn)) For every i ∈ [n], let yi be the state of party Pi before ∗ the beginning of round t. Let (i ,f,g):=Φi(t). The parties 13 Φ For simplicity, we assume that is deterministic. For the case where compute their updated state  at the end of round as Φ is randomized, we extend the input string of each party to include its yi t random coins so that Φ is a deterministic protocol in the inputs of the 14 parties. We assume that Φ1(t)=Φ2(t)=...=Φn(t) for every t ∈ [T ].

595 ∗ i ∗ y ∗ k = t i ,t  i ,k b) Compute label ,β,πi∗,t ← EvalCkt(P , yi∗,k := ∗ NAND(yi∗,f ,yi∗,g) k = t i i i label ) and label ← EvalCkt(Pi,t, label ) for ∈ ∗ ∨ ∗ ∗ ∗ ∗  yi t Bi NAND(yi ,f ,yi ,g)=0 every i = i . for i = i yi := ⊕ ∈ ∗ ∧ ∗ ∗ yi et t Bi NAND(yi ,f ,yi ,g)=1 c) for every i ∈ [n] do, i i) Parse label as (sti, eni, tri). where is the -th unit vector. Finally, we let ek k  = T +m+r ii) Compute df ,dg,e0,e1 exactly as in PΦ to denote the length of the local state of every party. ∗ using the tracking string ui . Remark 5.3: We observe that any protocol Φ can be re- i { i } i i iii) Parse st as stk k= t, stct0, stct1 and written to follow the above format at an additional cost of i compute st := D (ck, e , stcti ,π ∗ ). increasing the round complexity by a polynomial (in the t 01 β β i ,t i { i } computational complexity of Φ) factor. Update st := stk k∈[]. i Construction. We make use of the following fact from iv) Parse tr as {i } i i [37]. tr(j−1)+k k∈[]\{t}, trctj,0, trctj,1 . j∈[n] Fact 5.4 ([37]): Let M be the message space of a ho- For every j ∈ [n], compute M i momorphic proof commitment with encryption. Further, i ∗ tr(j−1)+t := D01(ck, eβ, trctj,β,πi ,t). is a finite cyclic group with neutral element 0 and generator i i Update tr := {tr } ∈ . 1. Let b ,b ,b ∈{0, 1}. If the order of the group is at least k k [n] 0 1 2 i ¬ ∧ v) Update label := sti, eni , tri . 4, then b2 = (b0 b1) if and only if b0 + b1 + x1...xn ∗ ∈ ∗ 2b2 − 2 ∈{0, 1} vi) Update ui ,t to β.Ift Bi , update every ∈ We give the formal description of our construction below. uj,t to β for all j [n]. i The construction uses a homomorphic proof commitment 5) Compute y := EvalCkt(Pi,T , label ) and output y. with encryption (K ,K ,P ,V ,E ,D ) and binding hiding 01 01 01 01 • Encode(σ, i, x ): a garbling scheme for circuits (GarbleCkt, EvalCkt). i 1) Choose s ←{0, 1}s as the random tape of party • Setup(1λ): i Pi in the protocol Φ. λ 1) Sample (ck, ·) ← Kbinding(1 ) and output σ := ∪ { } 2) Let B := iBi. Choose randomness ωi,k k∈[] ck as the reference string. and the initial state yi := ri(xi,si) (with length • Garble(σ, i, Φi,xi): ) as: 1) Compute (x ,y ,sk ) ← Encode(σ, i, x ) where i i i i ∈ ∩ the function Encode is described below. 0 if k [T ] B ri,k := 2) Set labeli,T +1 := (0, 0),...,(0, 0) where (0, 0) uniform in {0, 1} if k ∈ [T ] \ B is repeated  + n + n times and  := |x |. e e i 0λ if k ∈ B 3) for each t from T down to 1, ωi,k := λ i,t i,t λ uniform in {0, 1} otherwise P , label ← GarbleCkt(1 , PΦ[i, t, ski, i,t+1 ck, label ]) where PΦ is described below. ∈ i,1 { i i } 3) For each k [], compute ci,k := 4) Parse label as stk,0, stk,1 k∈[], { i i } { i i } com(ck, yi,k; ωi,k). enk,0, enk,1 k∈[ne], trk,0, trk,1 k∈[n]. { } i i i i 4) Output xi := ci,k k∈[], the initial state yi and { } ∈ { } ∈ 5) Set st := stk,yi,k k [] and tr := trk,0 k [n]. { } the secret randomness ski := ωi,k k∈[]. 6) Set the garbled protocol component Φi := • { } {i,t} i i PΦ[i, t, ski, cki , label]: P t∈[T ], st , tr , the input encoding to xi and i i Input. The state yi of party Pi, the set of encodings the encoding labels to be {en , en } ∈ . k,0 k,1 k [ne] {x } and the set of tracking strings {u } j j • Eval({Φ }, {x }, {eni }): i i x1...xn Hardcoded. The index i of the party, the ∈ { } 1) For every i [n], parse xi as ci,k k∈[].For round number t, the secret randomness ski, the ∈ λ commitment key ck and a set of labels label := every k B, check if ci,k := com(ck, 0; 0 ).If not, output ⊥. { } { } { } stk,0, stk,1 k∈[], enk,0, enk,1 k∈[nenc], trk,0, trk,1 k∈[n] . {i,t} i i 2) Parse Φi as P t∈[T ], st , tr . 1) Let (i∗,f,g):=Φ(t). i i i i i ∗ { ∗ } 3) Set label := st , en , tr and the initial 2) Parse xi as ci ,k k∈[]. x1...xn  3) Let d and d be the commitments to the bits tracking strings ui := 0 for every i ∈ [n]. f g 4) for every round t from 1 to T − 1 do: yi∗,f and yi∗,g where yi∗ is the current state of the ∗ active party. These commitments are computed as a) Let (i ,f,g):=Φ1(t). follows: for h ∈{f,g}, dh := ci∗,h if ui∗,h =0; λ else, d := com(ck,1;0 ) . h ci∗,h

596 2 − λ  ∈ 4) Compute e0 := df dgci∗,tcom(ck, 2; 0 ) and corresponding to yi,t+1 for every i [n]. Thus, even λ 2 com(ck,1;0 ) λ in this case the updated state of every party is correct e1 := df dg com(ck, −2; 0 ). ci∗,t as per the computation of Φ. Set α := NAND(yi,f ,yi,g). 5) For⎧ b ∈{0, 1}, compute stctb := Security The security of the above construction is ⎪ ∗ ⎨E01(ck, eb, stt,b) if t ∈ Bi argued in the full version of the paper. ∗ ∈ ∗ ∧ ⎪E01(ck, eb, stt,yi,t ) if t Bi i = i . ⎩ ∗ ACKNOWLEDGMENT E01(ck, eb, stt,α) if t ∈ Bi∗ ∧ i = i { } Research supported in part from 2017 AFOSR Set st := stk,yi,k k= t, stct0, stct1. { } YIP Award, DARPA/ARL SAFEWARE Award 6) Set en := enk,zk k∈[|z|] where z = x1 ... xn. 7) For b ∈{0, 1} and j ∈ [n], compute trctj,b := W911NF15C0210, AFOSR Award FA9550-15-1-0274, ∗ ∈ ∗ ∨ NSF CRII Award 1464397, and research grants by the E01(ck, eb, tr(j−1)+t,b) if (t Bi ) (j = i )Okawa Foundation, Visa Inc., and Center for Long-Term E01(ck, eb, tr(j−1)+t,uj,t ) otherwise . Cybersecurity (CLTC, UC Berkeley). The views expressed Set tr := {tr − } ∈ \{ }, trct , trct . (j 1)+k,uj,k k [] t j,0 j,1 j∈[n] ∗ are those of the author and do not reflect the official policy 8) If i = i then parse sk as {ω } ∈ .For i i,k k [] or position of the funding agencies. ω if u =0 h ∈{f,g}, set ω := i,h i,h i,h − ωi,h otherwise REFERENCES Compute πi,t := P01(ck, eβ,ρβ) where β := ⊕    [1] Mart´ın Abadi and Joan Feigenbaum. Secure circuit evalua- yi,t α, ρ0 = ωi,f + ωi,g +2ωi,t,ρ1 = ωi,f +  − tion. Journal of Cryptology, 2(1):1–12, 1990. ωi,g 2ωi,t. 9) If t = T then output label := (st, en, tr) and ∗ [2] William Aiello, Yuval Ishai, and . Priced additionally output (β,πi,t) if i = i . oblivious transfer: How to sell digital goods. In Birgit If t = T then output the transcript of the protocol Pfitzmann, editor, EUROCRYPT 2001, volume 2045 of LNCS, from the state {yi,k}k∈B. pages 119–135. Springer, Heidelberg, May 2001.

[3] Benny Applebaum, Yuval Ishai, and Eyal Kushilevitz. Cryp- Correctness. To argue correctness, it is sufficient to tography in NC0.In45th FOCS, pages 166–175. IEEE show that the local state of each party is updated correctly at Computer Society Press, October 2004. the end of every round number t. We show this by induction [4] Benny Applebaum, Yuval Ishai, and Eyal Kushilevitz. How on the number of rounds. The base case is clear. Let us to garble arithmetic circuits. In Rafail Ostrovsky, editor, assume that the hypothesis is true for the first t rounds. Let 52nd FOCS, pages 120–129. IEEE Computer Society Press, yi be the local state of party Pi at the end of round t. Let October 2011. ∗ (i ,f,g):=Φ1(t +1). We consider two cases: [5] Gilad Asharov, Abhishek Jain, Adriana Lopez-Alt,´ Eran • Case-1: t +1 ∈ Bi∗ . In this case, the local state Tromer, Vinod Vaikuntanathan, and Daniel Wichs. Multi- ∗  party computation with low communication, computation and of parties i = i does not change i.e., yi = yi.  ∗ interaction via threshold FHE. In David Pointcheval and The local state of party Pi is updated as yi∗,t+1 :=  Thomas Johansson, editors, EUROCRYPT 2012, volume 7237 ∗ ∗ ∗ NAND(yi ,f ,yi ,g) and yi∗,k = yi ,k for k = t +1. of LNCS, pages 483–501. Springer, Heidelberg, April 2012. Notice that for the case where t +1 ∈ Bi∗ , pro- gram PΦ outputs the labels corresponding to the string [6] Boaz Barak, , Russell Impagliazzo, Steven {  } Rudich, Amit Sahai, Salil P. Vadhan, and Ke Yang. On the yi,k k= t+1 in the clear and outputs two zero-one encryptions of the same label corresponding to y (im)possibility of obfuscating programs. In Joe Kilian, editor, i,t+1 CRYPTO 2001, volume 2139 of LNCS, pages 1–18. Springer, under the commitments e0 and e1 respectively. Thus, Heidelberg, August 2001. i ∗ decrypting stctβ using the proof πi ,t+1 yields the  ∈ label corresponding to yi,t+1 for every i [n]. Thus, [7] Donald Beaver, , and Phillip Rogaway. The the updated states of every party is correct as per the round complexity of secure protocols (extended abstract). In computation of Φ. 22nd ACM STOC, pages 503–513. ACM Press, May 1990.  • ∈ ∗ Case-2: t +1 Bi . In this case, yi,t+1 =  [8] Mihir Bellare, Viet Tung Hoang, Sriram Keelveedhi, and ∗ ∗ ∗ NAND(yi ,f ,yi ,g) and yi∗,k = yi ,k for k = t +1 for Phillip Rogaway. Efficient garbling from a fixed-key block- ∈ every party i [n]. The program PΦ outputs the labels cipher. In 2013 IEEE Symposium on Security and Privacy, {  } corresponding to the string yi,k k= t+1 in the clear and pages 478–492. IEEE Computer Society Press, May 2013.  outputs a zero-one encryption of the label yi,t+1 under ∈ [9] Mihir Bellare, Viet Tung Hoang, and Phillip Rogaway. Foun- the commitment eyi,t for every i [n]. Notice that by +1  dations of garbled circuits. In Ting Yu, George Danezis, and our construction yi,t+1 =0and thus β := yi,t+1. Thus, Virgil D. Gligor, editors, ACM CCS 12, pages 784–796. ACM i ∗ decrypting stctβ using the proof πi ,t+1 yields the label Press, October 2012.

597 [10] Mihir Bellare and Silvio Micali. Non-interactive oblivi- [23] Sanjam Garg, Craig Gentry, Shai Halevi, Mariana Raykova, ous transfer and spplications. In Gilles Brassard, editor, Amit Sahai, and Brent Waters. Candidate indistinguishability CRYPTO’89, volume 435 of LNCS, pages 547–557. Springer, obfuscation and functional encryption for all circuits. In 54th Heidelberg, August 1990. FOCS, pages 40–49. IEEE Computer Society Press, October 2013. [11] Michael Ben-Or, Shafi Goldwasser, and . Completeness theorems for non-cryptographic fault-tolerant [24] Sanjam Garg, Craig Gentry, Amit Sahai, and Brent Waters. distributed computation (extended abstract). In 20th ACM Witness encryption and its applications. In , STOC, pages 1–10. ACM Press, May 1988. , and Joan Feigenbaum, editors, 45th ACM STOC, pages 467–476. ACM Press, June 2013. [12] Dan Boneh and Matthew K. Franklin. Identity-based en- cryption from the Weil pairing. In Joe Kilian, editor, [25] Sanjam Garg, Divya Gupta, Peihan Miao, and Omkant CRYPTO 2001, volume 2139 of LNCS, pages 213–229. Pandey. Secure multiparty RAM computation in constant Springer, Heidelberg, August 2001. rounds. In Martin Hirt and Adam D. Smith, editors, TCC 2016-B, Part I, volume 9985 of LNCS, pages 491–520. [13] Elette Boyle, Niv Gilboa, and Yuval Ishai. Break- Springer, Heidelberg, October / November 2016. ing the circuit size barrier for secure computation under DDH. In Matthew Robshaw and Jonathan Katz, editors, [26] Sanjam Garg, Steve Lu, and Rafail Ostrovsky. Black-box CRYPTO 2016, Part I, volume 9814 of LNCS, pages 509– garbled RAM. In Venkatesan Guruswami, editor, 56th FOCS, 539. Springer, Heidelberg, August 2016. pages 210–229. IEEE Computer Society Press, October 2015.

[14] Elette Boyle, Niv Gilboa, and Yuval Ishai. Group-based [27] Sanjam Garg, Steve Lu, Rafail Ostrovsky, and Alessandra secure computation: Optimizing rounds, communication, and Scafuro. Garbled RAM from one-way functions. In Rocco A. computation. In EUROCRYPT 2017, LNCS. Springer, Hei- Servedio and Ronitt Rubinfeld, editors, 47th ACM STOC, delberg, 2017. (to appear). pages 449–458. ACM Press, June 2015.

[15] Zvika Brakerski and Renen Perlman. Lattice-based fully [28] Craig Gentry, Shai Halevi, Steve Lu, Rafail Ostrovsky, Mar- dynamic multi-key FHE with short ciphertexts. In Matthew iana Raykova, and Daniel Wichs. Garbled RAM revisited. Robshaw and Jonathan Katz, editors, CRYPTO 2016, Part I, In Phong Q. Nguyen and Elisabeth Oswald, editors, EU- volume 9814 of LNCS, pages 190–213. Springer, Heidelberg, ROCRYPT 2014, volume 8441 of LNCS, pages 405–422. August 2016. Springer, Heidelberg, May 2014.

[16] Ran Canetti. Universally composable security: A new [29] Craig Gentry, Shai Halevi, and Vinod Vaikuntanathan. i-Hop paradigm for cryptographic protocols. In 42nd FOCS, pages homomorphic encryption and rerandomizable Yao circuits. In 136–145. IEEE Computer Society Press, October 2001. Tal Rabin, editor, CRYPTO 2010, volume 6223 of LNCS, pages 155–172. Springer, Heidelberg, August 2010. [17] Chongwon Cho, Nico Dottling,¨ Sanjam Garg, Divya Gupta, Peihan Miao, and Antigoni Polychroniadou. Laconic receiver [30] Oded Goldreich, Silvio Micali, and Avi Wigderson. How oblivious transfer and applications. Manuscript, 2017. to play any mental game or A completeness theorem for protocols with honest majority. In Alfred Aho, editor, 19th [18] Michael Clear and Ciaran McGoldrick. Multi-identity and ACM STOC, pages 218–229. ACM Press, May 1987. multi-key leveled FHE from learning with errors. In Rosario Gennaro and Matthew J. B. Robshaw, editors, CRYPTO 2015, [31] Oded Goldreich and Rafail Ostrovsky. Software protection Part II, volume 9216 of LNCS, pages 630–656. Springer, and simulation on oblivious rams. J. ACM, 43(3):431–473, Heidelberg, August 2015. 1996.

[19] Stephen A. Cook and Robert A. Reckhow. Time bounded [32] Shafi Goldwasser, Yael Tauman Kalai, and Guy N. Rothblum. random access machines. J. Comput. Syst. Sci., 7(4):354– One-time programs. In David Wagner, editor, CRYPTO 2008, 375, 1973. volume 5157 of LNCS, pages 39–56. Springer, Heidelberg, August 2008. [20] Whitfield Diffie and Martin E. Hellman. New directions in cryptography. IEEE Transactions on Information Theory, [33] S. Dov Gordon, Jonathan Katz, Vladimir Kolesnikov, Fer- 22(6):644–654, 1976. nando Krell, Tal Malkin, Mariana Raykova, and Yevgeniy Vahlis. Secure two-party computation in sublinear (amortized) [21] , Joe Kilian, and . A minimal model for time. In Ting Yu, George Danezis, and Virgil D. Gligor, secure computation (extended abstract). In 26th ACM STOC, editors, ACM CCS 12, pages 513–524. ACM Press, October pages 554–563. ACM Press, May 1994. 2012.

[22] Sanjam Garg, Craig Gentry, Shai Halevi, and Mariana [34] S. Dov Gordon, Feng-Hao Liu, and Elaine Shi. Constant- Raykova. Two-round secure MPC from indistinguishability round MPC with fairness and guarantee of output delivery. obfuscation. In Yehuda Lindell, editor, TCC 2014, volume In Rosario Gennaro and Matthew J. B. Robshaw, editors, 8349 of LNCS, pages 74–94. Springer, Heidelberg, February CRYPTO 2015, Part II, volume 9216 of LNCS, pages 63– 2014. 82. Springer, Heidelberg, August 2015.

598 [35] Rishab Goyal, Venkata Koppula, and Brent Waters. Lockable [49] Steve Lu and Rafail Ostrovsky. How to garble RAM pro- obfuscation. Cryptology ePrint Archive, Report 2017/274, grams. In Thomas Johansson and Phong Q. Nguyen, editors, 2017. http://eprint.iacr.org/2017/274. EUROCRYPT 2013, volume 7881 of LNCS, pages 719–734. Springer, Heidelberg, May 2013. [36] Jens Groth, Rafail Ostrovsky, and Amit Sahai. Perfect non- interactive zero knowledge for np. In Proceedings of Euro- [50] Pratyay Mukherjee and Daniel Wichs. Two round multiparty crypt 2006, volume 4004 of LNCS, pages 339–358. Springer, computation via multi-key FHE. In Marc Fischlin and Jean- 2006. Sebastien´ Coron, editors, EUROCRYPT 2016, Part II, volume 9666 of LNCS, pages 735–763. Springer, Heidelberg, May [37] Jens Groth, Rafail Ostrovsky, and Amit Sahai. New 2016. techniques for noninteractive zero-knowledge. J. ACM, 59(3):11:1–11:35, 2012. [51] Moni Naor and Benny Pinkas. Efficient oblivious transfer protocols. In S. Rao Kosaraju, editor, 12th SODA, pages 448– [38] Jens Groth and Amit Sahai. Efficient noninteractive proof 457. ACM-SIAM, January 2001. systems for bilinear groups. SIAM J. Comput., 41(5):1193– 1232, 2012. [52] Rafail Ostrovsky. Efficient computation on oblivious RAMs. In 22nd ACM STOC, pages 514–523. ACM Press, May 1990. [39] Shay Gueron, Yehuda Lindell, Ariel Nof, and Benny Pinkas. Fast garbling of circuits under standard assumptions. In [53] Rafail Ostrovsky and Victor Shoup. Private information Indrajit Ray, Ninghui Li, and Christopher Kruegel:, editors, storage (extended abstract). In 29th ACM STOC, pages 294– ACM CCS 15, pages 567–578. ACM Press, October 2015. 303. ACM Press, May 1997.

[40] Shai Halevi and Yael Tauman Kalai. Smooth projective [54] Chris Peikert and Sina Shiehian. Multi-key FHE from LWE, hashing and two-message oblivious transfer. Journal of revisited. In Martin Hirt and Adam D. Smith, editors, Cryptology, 25(1):158–193, January 2012. TCC 2016-B, Part II, volume 9986 of LNCS, pages 217–238. Springer, Heidelberg, October / November 2016. [41] Yuval Ishai, Manoj Prabhakaran, and Amit Sahai. Founding cryptography on oblivious transfer - efficiently. In David [55] Benny Pinkas, Thomas Schneider, Nigel P. Smart, and Wagner, editor, CRYPTO 2008, volume 5157 of LNCS, pages Stephen C. Williams. Secure two-party computation is 572–591. Springer, Heidelberg, August 2008. practical. In Mitsuru Matsui, editor, ASIACRYPT 2009, volume 5912 of LNCS, pages 250–267. Springer, Heidelberg, [42] Antoine Joux. A one round protocol for tripartite Diffie- December 2009. Hellman. Journal of Cryptology, 17(4):263–276, September 2004. [56] Nicholas Pippenger and Michael J. Fischer. Relations among complexity measures. J. ACM, 26(2):361–381, 1979. [43] Jonathan Katz and Rafail Ostrovsky. Round-optimal se- cure two-party computation. In Matthew Franklin, editor, [57] Michael O. Rabin. How to exchange secrets with oblivious CRYPTO 2004, volume 3152 of LNCS, pages 335–354. transfer, 1981. Springer, Heidelberg, August 2004. [58] Oded Regev. On lattices, learning with errors, random linear [44] Joe Kilian. Founding cryptography on oblivious transfer. In codes, and cryptography. In Harold N. Gabow and Ronald 20th ACM STOC, pages 20–31. ACM Press, May 1988. Fagin, editors, 37th ACM STOC, pages 84–93. ACM Press, May 2005. [45] Vladimir Kolesnikov, Payman Mohassel, and Mike Rosulek. FleXOR: Flexible garbling for XOR gates that beats free- [59] Daniel Wichs and Giorgos Zirdelis. Obfuscating compute- XOR. In Juan A. Garay and Rosario Gennaro, editors, and-compare programs under lwe. Cryptology ePrint Archive, CRYPTO 2014, Part II, volume 8617 of LNCS, pages 440– Report 2017/276, 2017. http://eprint.iacr.org/2017/276. 457. Springer, Heidelberg, August 2014. [60] Andrew Chi-Chih Yao. How to generate and exchange secrets [46] Vladimir Kolesnikov and Thomas Schneider. Improved (extended abstract). In 27th FOCS, pages 162–167. IEEE garbled circuit: Free XOR gates and applications. In Luca Computer Society Press, October 1986. Aceto, Ivan Damgard,˚ Leslie Ann Goldberg, Magnus´ M. Halldorsson,´ Anna Ingolfsd´ ottir,´ and Igor Walukiewicz, ed- [61] Samee Zahur, Mike Rosulek, and David Evans. Two halves itors, ICALP 2008, Part II, volume 5126 of LNCS, pages make a whole - reducing data transfer in garbled circuits using 486–498. Springer, Heidelberg, July 2008. half gates. In Elisabeth Oswald and Marc Fischlin, editors, EUROCRYPT 2015, Part II, volume 9057 of LNCS, pages [47] Yehuda Lindell and Benny Pinkas. A proof of security 220–250. Springer, Heidelberg, April 2015. of Yao’s protocol for two-party computation. Journal of Cryptology, 22(2):161–188, April 2009.

[48] Adriana Lopez-Alt,´ Eran Tromer, and Vinod Vaikuntanathan. On-the-fly multiparty computation on the cloud via multikey fully homomorphic encryption. In Howard J. Karloff and Toniann Pitassi, editors, 44th ACM STOC, pages 1219–1234. ACM Press, May 2012.

599