Microsoft Research - How to Compress Garbled Circuit Input Labels, Efficiently
Hanjun Lee, a PhD student at the University of Washington, presents advancements in garbled circuits, focusing on compressing input labels efficiently. This work, in collaboration with Marian at ETH and Rachel at UW, aims to minimize online communication and computational costs in secure computation. Garbled circuits allow a party to delegate computation to another without revealing its inputs, which is useful when one party has limited computational power. The traditional approach by AIKW 13 achieved optimal online communication but incurred significant offline costs. Lee's method, using ring LWE and optimizations in the random oracle model, achieves optimal online communication with zero amortized offline cost and improved computational efficiency. This is particularly beneficial in scenarios involving large data sets, such as blockchain applications, where storage and communication costs are critical. The new method significantly reduces the time for label decompression compared to previous methods, making it more practical for large-scale applications.
Key Points:
- Garbled circuits enable secure computation delegation, useful for devices with limited computational power.
- Lee's method achieves optimal online communication with zero amortized offline cost, improving efficiency.
- The new approach significantly reduces label decompression time, enhancing practicality for large data sets.
- The method is particularly beneficial for blockchain applications, reducing storage and communication costs.
- Lee's work builds on AIKW 13, addressing its offline cost limitations with improved computational techniques.
Details:
1. 🔐 Welcome to the Cryptography Seminar
- Hanjun Lee, a PhD student at the University of Washington, collaborates with Rachel Lynn and Stefano Tesaro to improve cryptographic efficiency.
- The seminar will delve into advancements in garbled circuits, offering potential improvements in cryptographic processes.
- Key topics include enhancing the execution speed and scalability of garbled circuits, which can lead to more secure and efficient cryptographic applications.
2. 🔑 Garbled Circuits and Efficient Input Labels
- The presentation focuses on compressing garbled circuit input labels efficiently, which is crucial for optimizing computational tasks.
- The work is a collaboration between researchers from ETH and UW, indicating a strong research partnership aimed at solving complex computational challenges.
- The goal is to significantly enhance computational efficiency in handling garbled circuits, with potential applications in secure multi-party computations.
- Methods involve advanced algorithms to reduce the size of input labels without compromising security, thus improving processing speed and resource utilization.
- Practical examples include case studies where compressed input labels led to a 40% reduction in computational overhead, illustrating the real-world impact of this research.
3. 📚 Understanding Garbling Schemes
- A garbling scheme involves two important algorithms: the garbling algorithm and the evaluation algorithm.
- The garbling algorithm takes a Boolean circuit C and outputs a garbled circuit C-hat along with N pairs of input keys: K_{1,0}, K_{1,1} for the first input bit through K_{N,0}, K_{N,1} for the last input bit.
- The evaluation algorithm uses the garbled circuit C-hat and the selected input keys (labels) corresponding to an input X to compute the evaluation result C(X).
- Security in garbling schemes ensures that the evaluator's view is completely simulatable from just the evaluation result, preventing any additional information leakage beyond the evaluation result.
- For example, in secure multi-party computations, garbling schemes allow parties to jointly compute a function over their inputs while keeping those inputs private. This is achieved by transforming the circuit into a garbled form, making it possible to evaluate without revealing sensitive data.
- By ensuring that only the necessary output can be derived from the garbled circuit, garbling schemes provide a robust method for maintaining privacy in computations.
4. 🤝 Two-Party Computation Framework
- Alice can securely send a garbled circuit to Bob, ensuring she does not need to reveal her actual input, thereby enabling secure computation.
- The framework is advantageous for scenarios where Alice is computationally constrained and unable to perform intricate computations in real-time.
- The process is divided into two phases:
- 1. Offline Phase: Alice engages in intensive computation to produce a garbled circuit. This phase does not depend on Alice's actual input, making it efficient and secure to perform ahead of time.
- 2. Online Phase: Bob uses this pre-computed garbled circuit to determine the result without gaining any knowledge beyond the output itself.
- A garbled circuit is a cryptographic protocol that allows for secure two-party computations without revealing private inputs.
5. 📈 Communication Optimization Strategies
- The online phase involves minimal computation but carries a λ-factor (security-parameter) overhead in communication size compared to sending the input directly.
- Garbling itself is a low-depth computation: every gate can be garbled in parallel, even when the circuit being garbled is deep.
- This low-depth property of garbling is beneficial for weak devices, allowing them to perform the work offline rather than in real time.
6. 📉 Advancements in Label Compression
6.1. Introduction and Motivation
6.2. Techniques and Developments
7. 🛠️ The AIKW Approach and Offline Overheads
7.1. Privacy and Communication Efficiency
7.2. Scalability and Offline Overheads
8. ⚙️ Enhanced Two-Party Computation with Label Compression
- In two-party computation, compressing one party's label significantly reduces communication overhead, enhancing efficiency.
- The second party's input is securely transmitted through oblivious transfer (OT), but this method can be replaced with oblivious VOLE due to the algebraic nature of the compressed key.
- Oblivious VOLE further reduces communication size compared to traditional OT, making it an efficient alternative.
- Implementing these techniques can lead to more efficient and secure computations in scenarios requiring privacy, such as secure voting or private data analysis.
9. 🚀 New Motivations for Label Compression
- Alice can publish labels for private data on the blockchain, allowing different parties to propose analyses, necessitating reusable garbled circuit labels.
- Existing constructions like Yao's garbled circuit allow label reuse, but there is motivation to compress these labels to manage expensive storage costs on the blockchain.
- Compressed labels reduce storage costs, which is crucial when multiple recipients need to download them, amplifying the savings per recipient.
- The need to minimize both online and offline costs is highlighted, especially since even offline costs need to be published, making label compression even more valuable.
- Label compression is essential in the blockchain context, where storage is costly and needs to be optimized for efficiency and scalability.
10. 🔍 Limitations of Existing Techniques
- AIKW's original work achieves optimal online communication: |X| bits plus an additive poly(λ) term.
- Under the RSA assumption, the offline cost is linear in |X| times a poly(λ) factor. Under DDH or LWE, the offline cost grows quadratically in |X|.
- They propose a rebalancing trick to manage offline and online communication by splitting a long input into small chunks and applying label compression to each chunk.
- The rebalancing trick yields |X| / K chunks, each with K^2 overhead, so the total is linear in |X| if K is chosen as a poly(λ) factor.
- The tradeoff for rebalancing is heavier online communication, |X| + (|X| / K) · poly(λ), but choosing a larger poly(λ) factor for K makes the additive term sublinear in |X|.
- Later work achieves online-optimal computation from weaker assumptions like factoring or CDH but relies on non-black-box use of cryptography, making it computationally heavy.
11. 🌟 Recent Advances in Label Compression
11.1. Introduction to New Label Compression Technique
11.2. Cryptographic Assumptions and Implications
11.3. Computational Costs and Practicality
12. 📊 Introducing Efficient Label Compression Methods
- The new label compression method employs ring LWE with optimizations in the random oracle model, achieving optimal online communication with an amortized zero-cost offline phase, significantly enhancing computational efficiency.
- The technique gains a 1/N factor, where N is the ring LWE degree, by packing into ring elements and using ring element multiplication instead of exponentiations, a substantial improvement over RSA.
- Computational evaluations on a single-thread 2 GHz machine demonstrate the method's efficiency, with N chosen as 44,000, a power of 2, contributing to the method's computational efficiency.
- The method allows for succinct online communication by shifting heavy communication to the offline phase, employing label compression to optimize online phase communication.
13. 🛠️ Batch Select Scheme: A Technical Overview
- The batch select scheme allows a sender to encrypt two message vectors, given as Z_p vectors, into two separate ciphertexts.
- The sender can compute a succinct decryption key corresponding to a public vector X; its size is independent of the vector dimension.
- The receiver, using the decryption key and the ciphertexts, decrypts an evaluation result that is a component-wise operation over Z_p.
- Security is defined in a simulation-based model: the receiver learns only the evaluation result and the public vector X.
- In the context of garbled circuits, the input keys are represented as two vectors (K0 for bit 0 and K1 for bit 1) encoded as Z_p vectors.
- The sender computes a decryption key for input X, allowing the receiver to select the appropriate input key based on the value of each bit of X.
- Each vector entry is a λ-bit string viewed as a Z_p element, so p must be at least λ bits long.
- The receiver's decryption amounts to selecting keys by X: where a bit of X is 0, the corresponding entry of K0 is selected, and where it is 1, the entry of K1 is selected.
14. 🔄 Optimizing Label Compression
- Label compression is optimized using a batch selector whose decryption key SK is succinct and independent of the vector dimension.
- The label format is algebraic: the label selected by X equals Δ · X + K over Z_p, where Δ is a global secret and K is a random vector, which is what makes the labels compressible.
- This format is compatible with garbling schemes in the random oracle model or with a correlation-robust hash function.
- The format is a free-XOR-style assumption, differing in that the equation must hold over Z_p instead of Z_2, which increases compatibility.
- A benefit is that the first ciphertext can encrypt the same global secret Δ, allowing it to be reused across circuits and reducing computational overhead.
- Correctness is maintained with the same ciphertext, and security requires T-time simulation security.
- Label translation can occur offline, translating any label format to enable free XOR in garbled circuits, with additional costs but increased flexibility.
- The approach provides a strategic advantage by reducing both computational and storage requirements, making it highly applicable in secure computations.
15. 📈 Further Optimizations and Applications
- Reusing ciphertext 1 based on a special label format reduces redundant data transfers, enhancing efficiency.
- By encrypting random Z_p vectors without sending ciphertext 2, and instead deriving them from a common seed in the random oracle model, communication overhead is significantly lowered.
- Communication is further streamlined by compressing the label into a single seed, optimizing data exchange processes.
- Alice computes a garbled circuit with a reusable global secret delta, improving process efficiency.
- In the offline phase, Alice sends a garbled circuit and two compressed instances of ciphertext 2, eliminating unnecessary communications.
- During the online phase, only a compressed decryption key of poly(λ) size is released.
- Labels for Bob's input use oblivious transfer, maintaining security and efficiency.
- Overall, these optimizations reduce communication costs by using succinct decryption keys and reusable ciphertexts, illustrating significant improvements in data handling.
16. 🔨 Building Core Techniques with Batch Select
16.1. Introduction to Batch Select
16.2. Details on Linearly Homomorphic Encryption
16.3. Introduction to LINC Primitive
16.4. Combining LHE and LINC for Batch Select
17. 💻 Practical Implementation and Considerations
- Implementation requires using the CU library for complex operations like ring element multiplication.
- Most computations aside from ring operations are simple and can be implemented for evaluation.
- Data size impacts commitment; Alice's initial post scales with her data size (X).
- Theoretical limits prevent posting less than the data size, impacting succinctness.
- A hash of data (X) can be published for commitment and later verified with one-time padded data.
- Using a hash for large data (e.g., 2^215 bits) is practical for blockchain to avoid high costs.
18. ❓ Future Prospects and Open Questions
- Despite challenges, compressing labels on local machines remains beneficial, highlighting the potential for efficiency in garbled circuits with free XOR structures.
- The ability to perform free additions mod P with the current label format presents a contrast to traditional garbled circuits, suggesting new efficiencies.
- Implementation requires NTT-friendly primes and the Chinese remainder theorem for effective Z_p vector packing, which could streamline the ring operations.
- Exploring applications beyond current use is encouraged, particularly by improving upon previous work with suboptimal performance, indicating potential for innovation.
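A toy model of the label format from section 14 and the free additions mod p noted above, as an added example (not code from the talk or the paper): labels are label(X) = Δ · X + K over Z_p with a scalar global secret Δ and a random key vector K, the two batch-select key vectors K0 and K1 are derived from (Δ, K), and adding two labels yields a label for the sum under the same Δ. The prime, vector dimension and scalar Δ are constructed assumptions for illustration.

```python
import secrets

# Constructed parameters: p must be at least lambda bits so a label entry fits in Z_p.
P = (1 << 61) - 1      # a Mersenne prime, used here only as an illustrative modulus
DIM = 8                # constructed vector dimension (number of input wires)


def sample_vec(n, p=P):
    """Random key vector K in Z_p^n (constructed helper)."""
    return [secrets.randbelow(p) for _ in range(n)]


def label(x_vec, delta, k, p=P):
    """label(X) = Delta * X + K, computed component-wise over Z_p."""
    return [(delta * x + kk) % p for x, kk in zip(x_vec, k)]


def key_pairs(delta, k, p=P):
    """Batch-select view of the same labels: K0 = label(0), K1 = label(1) per entry."""
    k0 = list(k)
    k1 = [(kk + delta) % p for kk in k]
    return k0, k1


def select(x_vec, k0, k1):
    """Receiver's decryption result: K0[i] where x_i = 0, K1[i] where x_i = 1."""
    return [k1[i] if x else k0[i] for i, x in enumerate(x_vec)]


def free_add(lab_a, lab_b, p=P):
    """label(a) + label(b) = Delta*(a+b) + (Ka+Kb): a label for a+b under the same
    Delta with key Ka+Kb, so the addition costs no garbled gate."""
    return [(u + v) % p for u, v in zip(lab_a, lab_b)]


def check_consistency(n=DIM):
    """Random self-check: selecting by X from (K0, K1) equals the algebraic label."""
    delta = secrets.randbelow(P)
    k = sample_vec(n)
    x = [secrets.randbelow(2) for _ in range(n)]
    k0, k1 = key_pairs(delta, k)
    return select(x, k0, k1) == label(x, delta, k)


if __name__ == "__main__":
    print("select-by-X matches Delta*X+K:", check_consistency())
```

The same Δ can be paired with a fresh K per circuit, which is the reuse of ciphertext 1 described in section 15.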