Garbled Circuits via Structured Encryption
Seny Kamara (Microsoft Research), Lei Wei [1] (UNC-Chapel Hill)

Abstract. The garbled circuit technique transforms a circuit in such a way that it can be evaluated on encrypted inputs. Garbled circuits were originally introduced by Yao (FOCS '86) for the purpose of secure two-party computation but have since found many applications. In this work, we consider the problem of designing special-purpose garbled circuits, which are garbled circuits that handle only a specific class of functionalities. Special-purpose constructions are usually smaller than general-purpose ones and lead to more efficient two-party protocols. We propose a design framework for constructing special-purpose garbled circuits based on structured encryption schemes, which are encryption schemes that encrypt data structures in such a way that they can be queried through the use of a token. Using our framework, we show how to design more efficient garbled circuits for several graph-based functionalities (with applications to online social network analysis), Boolean circuits, deterministic finite automata, and branching programs.

1 Introduction

Yao's garbled circuit technique transforms circuits in such a way that they can be evaluated on encrypted inputs. While garbled circuits were originally introduced for the purpose of two-party secure function evaluation (SFE) [19], they have since found many applications, some of which include the design of homomorphic encryption schemes, one-time programs, circular-secure encryption, non-interactive verifiable computation, functional encryption, and single-server-aided SFE.
At a high level, the garbled circuit technique consists of: (1) a garbling procedure that transforms a circuit $C$ that computes a function $f$, and a set of inputs $x = (x_1, \ldots, x_n)$, into a garbled circuit $\tilde{C}$ and an encoded input $\tilde{x} = (\tilde{x}_1, \ldots, \tilde{x}_n)$; (2) an evaluation procedure that computes a garbled output $\tilde{y}$ given $\tilde{C}$ and $\tilde{x}$; and (3) a decoding procedure that, given $\tilde{y}$ and a set of decoding keys $dk$, returns $f(x)$. The main security property provided by garbled circuits is input privacy, which guarantees that, given $(\tilde{C}, \tilde{x}, dk)$, no information about $x$ is revealed by the garbled circuit evaluation beyond what can be inferred from $f(x)$. As shown by Yao, combining garbled circuits with oblivious transfer results in constant-round two-party SFE secure against semi-honest adversaries.

The importance of the garbled circuit technique in cryptography can be attributed to several factors, including its security properties, its relative efficiency and, most importantly, its generality. In fact, like fully-homomorphic encryption, garbled circuits are one of the few general-purpose primitives in cryptography. While generality is crucial for establishing completeness theorems and for understanding the power of cryptographic techniques, it is well-known that it often comes at the price of efficiency. In fact, it is common for special-purpose constructions (i.e., constructions that handle only a sub-class of functionalities) to be more efficient than general-purpose constructions.

Our contributions. In this work, we consider the problem of designing special-purpose garbling schemes. Given the importance of garbled circuits and the efficiency improvements enjoyed by special-purpose constructions, this is a natural and well-motivated problem. We make the following contributions. We introduce a general framework for designing special-purpose garbling schemes.

[1] Work done while at Microsoft Research.
Our framework is based on a connection between garbled circuits and the notion of structured encryption [8], which is a generalization of index-based searchable symmetric encryption (SSE) [18,10,7,9]. Roughly speaking, a structured encryption scheme encrypts a data structure in such a way that it can be queried through the use of a query-specific token that does not reveal information about the query. Our approach essentially reduces the problem of designing special-purpose garbled circuits to the problem of designing structured encryption schemes. Consequently, improvements in either the efficiency or functionality of structured encryption can lead to similar improvements in the design of special-purpose two-party protocols in the semi-honest model and other cryptographic primitives that rely on input-private garbled circuits.

While our main contributions are conceptual, we demonstrate the utility of our approach by constructing special-purpose garbling schemes for several useful functionalities. For example, using our framework with the structured encryption schemes of [8], we get special-purpose garbling schemes (and therefore two-party protocols) for several graph-based functionalities that have applications to online social networks. In addition, in the full version of this work we use our framework to construct garbling schemes for other functionalities like branching programs (BP), deterministic finite automata (DFA) and even Boolean circuits. In all cases, the garbled circuits resulting from our approach are more efficient (i.e., either smaller or with faster evaluation) than the garbled circuits that would result from applying Yao's general-purpose construction.

The main building block we need to handle DFAs, BPs and Boolean circuits is a matrix encryption scheme that supports lookups, i.e., a structured encryption scheme that encrypts matrices in such a way that a location $(i, j)$ can be queried using a token.
While such a scheme is described in [8], that particular construction is not appropriate for our purposes. The problem is that the scheme from [8] is only 1-dimensional in the sense that it generates a single token for a location $(i, j)$ in the matrix. For our purposes, however, we need a 2-dimensional scheme that generates two independent tokens, i.e., one for $i$ and one for $j$, that can be combined to look up location $(i, j)$. We show how to construct such a scheme based on the 1-dimensional construction of [8] and pseudo-random synthesizers [17].

1.1 Background on Structured Encryption

Several variants of structured encryption were described in [8], but for our purposes we need the structure-only variant, which only encrypts data structures, as opposed to the standard variant, which also encrypts messages. A structured encryption scheme is a tuple of four polynomial-time algorithms $\mathsf{SE} = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Token}, \widetilde{\mathsf{Query}})$ such that $\mathsf{Gen}$ is a probabilistic algorithm that takes as input a security parameter $k$ and outputs a private key $K$. Let $\mathcal{T}$ be an abstract data type that maps queries $q$ from a query space $Q$ to an answer $a$ from a response space $R$. $\mathsf{Enc}$ is a probabilistic algorithm that takes as input a key $K$ and a data structure $\delta \in \mathcal{T}$ and outputs an encrypted data structure $\gamma$. $\mathsf{Token}$ is a (possibly probabilistic) algorithm that takes as input a private key $K$ and a query $q \in Q$ and outputs a token $\tau$. $\widetilde{\mathsf{Query}}$ is a deterministic algorithm that takes as input an encrypted data structure $\gamma$ and a token $\tau$ and outputs an answer $a \in R$. Informally, a structured encryption scheme is secure against chosen-query attacks (CQA1) if no useful information about $q$ and $\delta$ can be recovered from $\gamma$ and $\tau$ beyond what can be deduced from $a$. We say that a structured encryption scheme is secure against adaptive chosen-query attacks (CQA2) if this holds even when queries are made adaptively (i.e., as a function of the encrypted data structure $\gamma$ and the results of previous queries and tokens).
As a concrete example, consider a graph encryption scheme $\mathsf{Graph} = (\mathsf{Gen}, \mathsf{Enc}, \mathsf{Token}, \widetilde{\mathsf{Neigh}})$ that supports neighbor queries (we refer the reader to [8] for a concrete construction). With such a scheme one can encrypt the edges $E$ of a graph $G = (V, E)$ by computing $\gamma \leftarrow \mathsf{Enc}(K, E)$. A token for a vertex $v \in V$ can be created as $\tau \leftarrow \mathsf{Token}(K, v)$, and the neighbors of $v$, denoted $\Gamma(v)$, can be recovered by computing $\widetilde{\mathsf{Neigh}}(\gamma, \tau)$.

Associative structured encryption. For our purposes, we need associative structured encryption schemes, which allow one to associate arbitrary strings to each output. So, with respect to our previous example, an associative graph encryption scheme supporting neighbor queries would: (1) allow the encryptor to associate arbitrary strings to each vertex of the graph during the encryption step; and (2) reveal these strings whenever the associated vertex is in $\Gamma(v)$. More precisely, in addition to the secret key $sk$ and the edges $E$, the $\mathsf{Enc}$ algorithm would also take as input a set of strings $(s_{v_1}, \ldots, s_{v_{|V|}})$, where $s_{v_i}$ is associated with vertex $v_i$. Then, the algorithm $\widetilde{\mathsf{Neigh}}$ would return, in addition to $\Gamma(v)$, the set $\{s_w\}_{w \in \Gamma(v)}$. Due to space restrictions, we refer the reader to [8] for formal definitions of (associative) structured encryption and of the relevant security definitions.

1.2 Overview of our Framework

At a high level, our framework consists of two steps. In the first step, the function $f$ is represented as a structured circuit, which is a circuit-like computational model where each gate $g$ can query a data structure $\delta$ and where the input and output wires of $g$ carry queries for the structures of $g$ and $g$'s descendant, respectively. Our notion of structured circuits is reminiscent of Naor and Nissim's circuits with lookup tables [16] though, in our setting, the contents of the data structure cannot be set during computation.
In the second step, at a very high level, the structured circuit is garbled by encrypting each data structure δ with an appropriate structured encryption scheme. These encrypted structures are viewed as the garbled gates and the tokens used to query them are viewed as the encoded wire values. Note that the functionality and security properties needed to construct a garbled gate are precisely what is provided by associative structured encryption schemes.
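As an added illustration (not code from the paper or from [8]), the toy Python below implements a dictionary-style associative structured encryption scheme in the shape of Section 1.1 (a PRF derives, per query, a label that locates the entry and a key that unlocks it, as in index-based SSE) and then uses it the way Section 1.2 describes: a chain of lookup gates is garbled by encrypting each gate's structure under its own key, the descendant gate's token is the associated string attached to every answer, and evaluation walks the chain using tokens as the encoded wire values. The HMAC-based stream cipher, the MAC layout and the gate/answer format are assumptions made for illustration, not the constructions of [8] or of this paper.

```python
import hmac, hashlib, json, secrets

def _prf(key, tag, data):
    return hmac.new(key, tag + data, hashlib.sha256).digest()

def _stream(key, nonce, data):  # toy XOR stream keyed by HMAC; stands in for a real cipher
    out = b""
    for i in range(0, len(data), 32):
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], _prf(key, nonce, i.to_bytes(4, "big"))))
    return out

def token(K, q):  # two PRF outputs per query: one locates the entry, one unlocks it
    return _prf(K, b"L", q.encode()), _prf(K, b"K", q.encode())

def enc(K, delta):
    # delta maps a query string to a JSON-serialisable answer (associated strings ride inside it)
    gamma = {}
    for q, a in delta.items():
        label, key = token(K, q)
        nonce = secrets.token_bytes(16)
        ct = nonce + _stream(key, nonce, json.dumps(a).encode())
        gamma[label] = ct + hmac.new(key, ct, hashlib.sha256).digest()  # MAC so bad tokens fail closed
    return gamma

def query(gamma, tau):
    label, key = tau
    entry = gamma.get(label, b"")
    ct, tag = entry[:-32], entry[-32:]
    if not entry or not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
        return None  # unknown label, or a wrong/forged token
    return json.loads(_stream(key, ct[:16], ct[16:]))

def garble_chain(gates):
    # gates[i] maps each input query to gate i+1's query (the last gate maps to outputs); the descendant's token is the associated data
    keys = [secrets.token_bytes(32) for _ in gates]
    garbled = []
    for i, g in enumerate(gates):
        if i + 1 < len(gates):
            delta = {q: {"tok": [t.hex() for t in token(keys[i + 1], nxt)]} for q, nxt in g.items()}
        else:
            delta = {q: {"out": out} for q, out in g.items()}
        garbled.append(enc(keys[i], delta))
    return garbled, keys

def evaluate(garbled, tau):  # the evaluator sees only encrypted gates and tokens (wire values)
    for gamma in garbled:
        a = query(gamma, tau)
        if a is None or "out" in a:
            return None if a is None else a["out"]
        tau = tuple(bytes.fromhex(t) for t in a["tok"])
```

A neighbor-query graph structure is just `enc` applied to a dictionary $v \mapsto (\Gamma(v), \{s_w\})$, and note that the evaluator still learns the number of entries per gate and which entry each token hits, the kind of leakage a CQA definition has to account for.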
