Adaptively Secure Garbled Circuits from One-Way Functions

Hemenway, Brett; Jafargholi, Zahra; Ostrovsky, Rafail; Scafuro, Alessandra; Wichs, Daniel

doi:10.1007/978-3-662-53015-3_6

Brett Hemenway¹⁵,
Zahra Jafargholi¹⁶,
Rafail Ostrovsky¹⁷,
Alessandra Scafuro^16,18 &
…
Daniel Wichs¹⁶

Part of the book series: Lecture Notes in Computer Science ((LNSC,volume 9816))

Included in the following conference series:

Annual International Cryptology Conference

3283 Accesses
38 Citations

Abstract

A garbling scheme is used to garble a circuit C and an input x in a way that reveals the output C(x) but hides everything else. In many settings, the circuit can be garbled off-line without strict efficiency constraints, but the input must be garbled very efficiently on-line, with much lower complexity than evaluating the circuit. Yao’s garbling scheme [31] has essentially optimal on-line complexity, but only achieves selective security, where the adversary must choose the input x prior to seeing the garbled circuit. It has remained an open problem to achieve adaptive security, where the adversary can choose x after seeing the garbled circuit, while preserving on-line efficiency.

In this work, we modify Yao’s scheme in a way that allows us to prove adaptive security under one-way functions. In our main instantiation we achieve on-line complexity only proportional to the width w of the circuit. Alternatively we can also get an instantiation with on-line complexity only proportional to the depth d (and the output size) of the circuit, albeit incurring in a $2^{O(d)}$ security loss in our reduction. More broadly, we relate the on-line complexity of adaptively secure garbling schemes in our framework to a certain type of pebble complexity of the circuit. As our main tool, of independent interest, we develop a new notion of somewhere equivocal encryption, which allows us to efficiently equivocate on a small subset of the message bits.

R. Ostrovsky—Supported in part by NSF grants 09165174, 1065276, 1118126 and 1136174, US-Israel BSF grant 2008411, OKAWA Foundation Research Award, IBM Faculty Research Award, Xerox Faculty Research Award, B. John Garrick Foundation Award, Teradata Research Award, Lockheed-Martin Corporation Research Award and by DARPA Safeware program. The views expressed are those of the author and do not reflect the official policy or position of the Department of Defense or the U.S. Government.

A. Scafuro—Supported by NSF grants 1012798, CNS-1414119.

D. Wichs—Supported by NSF grants CNS-1347350, CNS-1314722, CNS-1413964. This work was done in part while some of the authors were visiting the Simons Institute for the Theory of Computing, supported by the Simons Foundation and by the DIMACS/Simons Collaboration in Cryptography through NSF grant CNS-1523467.

You have full access to this open access chapter, Download conference paper PDF

Adaptive Security of Yao’s Garbled Circuits

Adaptive Security of Practical Garbling Schemes

Adaptively Indistinguishable Garbled Circuits

Keywords

1 Introduction

Garbled Circuits. A garbling scheme (also referred to as a randomized encoding) can be used to garble a circuit C and an input x to derive a garbled circuit $\widetilde{C}$ and a garbled input $\widetilde{x}$. It’s possible to evaluate $\widetilde{C}$ on $\widetilde{x}$ and get the correct output C(x). However, the garbled values $\widetilde{C},\widetilde{x}$ should not reveal anything else beyond this. In particular, there is a simulator that can simulate $\widetilde{C},\widetilde{x}$ given only C(x).

The notion of garbled circuits was introduced by Yao in (oral presentations of) [31, 32], and can be instantiated based on one-way functions. Garbled circuits have since found countless applications in diverse areas of cryptography, most notably to secure function evaluation (SFE) starting with Yao’s work, but also in parallel cryptography [5, 6], verifiable computation [7, 16], software protection [20, 22], functional encryption [19, 21, 30], key-dependent message security [3, 9], obfuscation [4] and many others. These applications rely on various efficiency/functionality properties of garbled circuits and a comprehensive study of this primitive is explored in the work of Bellare et al. [12].

On-line Complexity. In many applications, the garbled circuit $\widetilde{C}$ can be computed in an off-line pre-processing phase before the input is known, and therefore the efficiency of this procedure may not be of paramount importance. On the other hand, once the input x becomes available in the on-line phase, creating the garbled input $\widetilde{x}$ should be extremely efficient. Therefore, the main efficiency measure that we consider here is the on-line complexity, which is the time it takes to garble an input x, and hence also a bound on the size of $\widetilde{x}$. Ideally, the on-line complexity should only be linear in the input size |x| and independent of the potentially much larger circuit size |C|.^{Footnote 1}

Yao’s Scheme. Yao’s garbling scheme already achieves essentially optimal on-line complexity, where the time to garble an input x and the size of $\widetilde{x}$ are only linear in the input size |x|, independent of the circuit size.^{Footnote 2} However, it only realizes a weak notion of security called selective security, which corresponds to a setting where adversary must choose the input x before seeing the garbled circuit $\widetilde{C}$. In particular, the adversary first chooses both C and x and then gets the garbled values $\widetilde{C},\widetilde{x}$ which are either correctly computed using the “real” garbling scheme or “simulated” using only C(x). The adversary should not be able to distinguish between the real world and the simulated world.

Selective vs. Adaptive Security. Selective security is often unsatisfactory in precisely the scenarios envisioned in the off-line/on-line setting, where the garbled circuit $\widetilde{C}$ is given out first and the garbled input $\widetilde{x}$ is only given out later. In such settings, the adversary may be able to (partially) influence the choice of the input x after seeing the garbled circuit $\widetilde{C}$. Therefore, we need a stronger notion called adaptive security, defined via the following two stage game:

1.
The adversary chooses a circuit C and gets the garbled circuit $\widetilde{C}$.
2.
After seeing $\widetilde{C}$ the adversary adaptively chooses an input x and gets the garbled input $\widetilde{x}$.

In the real world $\widetilde{C},\widetilde{x}$ are computed correctly using the garbling scheme, while in the simulated world they are created by a simulator who only gets the output C(x) in step (2) of the game but does not get the input x. The adversary should not be able to distinguish these two worlds.

The work of Bellare, Hoang and Rogaway [11] gave the first thorough treatment of adaptively secure garbling schemes and showed that this notion is crucial in many applications. They point out that it remains unknown whether Yao’s garbling scheme or any of its many variants can satisfy adaptive security, and the proof techniques that work in the selective security setting do not extend to the adaptive setting. They left it as the main open problem to construct adaptively secure garbling schemes where the on-line complexity is smaller than the circuit size.^{Footnote 3}

Finally we emphasize that the problem of achieving adaptively secure garbled circuits is different from the problem of achieving adaptively secure two-party computation (with constant rounds) using an approach based on garbled circuits. The latter means that the adversary can corrupt the players adaptively. It is not known whether either problem can be reduced to the other.

1.1 Prior Approaches to Adaptive Security

Lower Bound and Yao’s Scheme. The work of Applebaum et al. [8] (see also [24]) gives a lower bound on the on-line complexity of circuit garbling in the adaptive setting, showing that the size of the garbled input $\widetilde{x}$ must exceed the output size of the circuit. This is in contrast to the selective security setting, where Yao’s garbling scheme achieves on-line complexity that depends only on the input size and not the output size. In particular, this shows that Yao’s garbling scheme cannot directly be adaptively secure.

Complexity Leveraging. It turns out that there is a simple and natural modification of Yao’s garbling scheme (i.e., by withholding the mapping of output-wire keys to output bits until the on-line phase) that would match the above lower bound and could plausibly be conjectured to provide adaptive security. In fact, one can prove that the above variant of Yao’s scheme is secure in the adaptive setting using complexity leveraging, but only at a $2^n$ security loss in the reduction, where n is the input size. There is no known proof of security that avoids this loss.^{Footnote 4}

One-Time Pad and Random-Oracles. An alternate approach, suggested by [11], is to use one-time pad encryption to encrypt a Yao garbled circuit in the off-line phase and then provide the decryption key with the garbled input in the on-line phase. Intuitively, since a one-time pad encryption is “non-committing” and the ciphertext can be equivocated to any possible message by providing a corresponding key, the adversary does not gain any advantage in seeing such a ciphertext in the off-line phase. Unfortunately, this solution blows up the on-line complexity to be at least as large as the circuit size.

The work of [11] also noted that one can replace the one-time pad encryption in the above solution with a random-oracle based encryption scheme, which can be equivocated by programming random oracle outputs. This gives an adaptively secure garbled circuit construction with optimal parameters in the random oracle model. In fact, this approach can even be used to prove security in parameter regimes that beat the lower bound of [8], and therefore we should be suspicious about it’s implications in the standard model, when the random oracle is replaced by a hash function. In particular, the construction is using the random oracle for equivocation in ways that we know to be uninstantiable in the standard model [29].

UCE-Security. Bellare et al. [10] show that a variant of Yao garbled circuits (which does not violate the lower bound of [8]) can be proven secure when instantiated with a hash function that satisfies a security notion called Universal Computational Extractor (UCE) security. However, UCE is a strong, non-standard and non-falsifiable assumption.

Heavy Hammers. Lastly, we mention two approaches that get adaptively secure garbled circuits with good on-line complexity under significantly stronger assumptions than one-way functions. The work of Boneh et al. [13] implicitly provides such schemes where the on-line complexity is proportional to the input/output size and the depth d of the circuit, under the learning with errors assumption with a modulus-to-noise ratio of $2^{\mathsf {poly}(d)}$. This translates to assuming the hardness of lattice problems with $2^{\mathsf {poly}(d)}$ approximation factors. The work of Ananth and Sahai [2] shows how to get an essentially optimal scheme, where the on-line complexity is only proportional to the input/output size of the circuit, assuming indistinguishability obfuscation. In terms of both assumptions and practical efficiency, these schemes are a far cry from Yao’s original scheme.

1.2 Our Results

In this work, we construct the first adaptively secure garbling scheme whose on-line complexity is smaller than the circuit size and which only relies on the existence of one-way functions. Our construction is an adaptation of Yao’ scheme that maintains essentially all of its desirable properties, such as having highly parallelizable circuit garbling and projective/decomposable input garbling.^{Footnote 5} In particular, our construction simply encrypts a Yao garbled circuit with a somewhere equivocal symmetric-key encryption scheme, which is a new primitive that we define and construct from one-way functions. The encrypted Yao garbled circuit is sent in the off-line phase, and the Yao garbled input along with the decryption key is sent in the on-line phase. We get various provably secure instantiations of the above approach depending on how we set the parameters of the encryption scheme.

As our main instantiation, we get a garbling scheme whose on-line complexity is $w\cdot \mathsf {poly}(\lambda )$ where w is the width of the circuit and $\lambda $ is the security parameter, but is otherwise independent of the depth d of the circuit.^{Footnote 6} Note that, if we think of the circuit as representing a Turing Machine or RAM computation, then the width w of the circuit corresponds to the maximum of the input size n, output size m, and space complexity s of the computation, meaning that our on-line complexity is $(n +m +s) \cdot \mathsf {poly}(\lambda )$, but otherwise independent of the run-time of the computation.

Alternately, we also get a different instantiation where the on-line complexity is only $(n+m+d)\cdot \mathsf {poly}(\lambda )$, where n is the input size, m is the output size, and d is the depth of the circuit, but is otherwise independent of the circuit’s width w. In this case, we also incur a $2^{O(d)}$ security loss in our reduction, but this can be a significant improvement over the naive complexity-leveraging approach which incurs a $2^n$ security loss, where n is the input size. In particular, in the case of $\mathsf {NC}^1$ circuits where $d = O(\log n)$, we get a polynomial reduction and achieve optimal on-line complexity of $(n+m)\cdot \mathsf {poly}(\lambda )$.^{Footnote 7}

More broadly, we develop a connection between constructing adaptively secure schemes in our framework and a certain type of pebble complexity of the given circuit. The size of the garbled input is proportional to the maximal number of pebbles and the number of hybrids in our reduction is proportional to the number of moves needed to pebble the circuit.

1.3 Applications of Our Results

We briefly mention how our results can be used to get concrete improvements in several applications of garbled circuits in prior works.

On-line/Off-line Two-Party Computation. One of the main uses of garbled circuits is in two-party secure computation protocols. In this setting, Alice holds an input $x_A$, Bob holds an input $x_B$ and they wish to compute $f(x_A,x_B)$. To do so, Alice creates a garbled circuit $\widetilde{C}_f$ for the function f and sends $\widetilde{C}_f$ along with her portion of the garbled input $\widetilde{x}_A$ to Bob. Bob runs an oblivious transfer (OT) protocol to get the garbled version of his input $\widetilde{x}_B$ without revealing $x_B$ to Alice. This can be done if the garbling scheme is projective/decomposable (see footnote 9) so that each bit of the garbled input only depends on one bit of the original input. Security against fully malicious parties can be obtained via zero-knowledge proofs or cut-and-choose techniques. It is possible to instantiate the above construction with selectively secure garbled circuits, by having Bob commit to $x_B$ before he gets the garbled circuit $\widetilde{C}_f$. This ensures that the choice of the input cannot depend on the garbled circuit.

However, in many cases, creating the garbled circuit $\widetilde{C}_f$ for the function f is expensive and we would like to do this off-line before the inputs $x_A,x_B$ are known to Alice and Bob. Once the inputs become known, the on-line phase should be extremely efficient, and ideally much smaller than the size of the circuit of f. This setting was recently explored in the work of Lindell and Riva [28] who showed how to solve this problem very efficiently using cut-and-choose techniques, given an adaptively secure garbling scheme with low on-line complexity. To instantiate the latter primitive, they relied on the random oracle model. Using our construction of adaptively secure garbled circuit, we can instantiate the scheme of [28] in the standard model, where the on-line complexity of the two-party computation protocol would match that of our garbling schemes.

One-Time Programs and Verifiable Computation. As noted by [11], two prior works from the literature on one-time programs [20] and verifiable computation [16] implicitly require adaptively secure garbling.^{Footnote 8} In both cases, we can plug in our construction of adaptively secure garbling to these constructions.

In the case of one-time programs, the on-line complexity of the garbling scheme translates to the number of hardware tokens needed to create the one-time program. In the case of verifiable computation, the on-line complexity of the garbling scheme translates to the complexity of the verification protocol – it is essential that this is smaller than the circuit size to make the verification protocol non-trivial.

Compact Functional Encryption. The recent work of [1] shows how to convert any selectively secure functional encryption (FE) scheme into an adaptively secure FE. However, their transformation is not compact and the ciphertext size is as large as the maximum circuit size of the allowed functions. This is true even if the selectively secure FE that they start with is compact. Implicitly, the main bottleneck in the transformation is having adaptively secure garbled circuits with low on-line complexity. The work of [2] gives an alternate and modular transformation from a selectively secure compact FE to an adaptively secure one using adaptively secure garbled circuits (actually, their main construction is for Turing Machines and relies on garbling TMs which require heavier machinery – however, it can be scaled down to work for circuits to get the above result). This transformation applies to both bounded-collusion schemes and unbounded-collusion schemes. By plugging in our construction of adaptively secure garbled circuits into the above result we get a transformation from compact selectively secure FE to adaptive FE where the ciphertext size is only proportional to the on-line complexity of our garbling scheme.

1.4 Our Techniques

In order to explain our techniques, we must first explain the difficulties in proving the adaptive security of Yao’s garbling schemes. Since these difficulties are subtle, we begin with a description of the scheme and the proof of selective security, following Lindell and Pinkas [27]. This allows us to fix a precise notation and terminology which will be needed to also explain our new construction and proof. We expect that the reader is already familiar with the basics of Yao circuits and refer to [27] for further details.

Yao’s Scheme and the Challenge of Adaptive Security. Yao’s Scheme. For each wire w in the circuit, we pick two keys $k^0_w, k^1_w$ for a symmetric-key encryption scheme. For each gate in the circuit computing a function $g:\{0,1\}^2 \rightarrow \{0,1\}$ and having input wires a, b and output wire c we create a garbled gate consisting of 4 randomly ordered ciphertexts created as:

$$\begin{aligned} \begin{array}{ccc} c_{0,0} = \mathsf {Enc}_{k^{0}_a}(\mathsf {Enc}_{k^{0}_b}( k^{g(0,0)}_c)) &{}~&{} c_{1,0} = \mathsf {Enc}_{k^{1}_a}(\mathsf {Enc}_{k^{0}_b}( k^{g(1,0)}_c)),\\ c_{0,1} = \mathsf {Enc}_{k^{0}_a}(\mathsf {Enc}_{k^{1}_b}( k^{g(0,1)}_c)) &{}~&{} c_{1,1} = \mathsf {Enc}_{k^{1}_a}(\mathsf {Enc}_{k^{1}_b}( k^{g(1,1)}_c)) \end{array} \end{aligned}$$

(1)

where $(\mathsf {Enc},\mathsf {Dec})$ is a CPA-secure encryption scheme. The garbled circuit $\widetilde{C}$ consists of all of the gabled gates, along with an output mapping $\{k^0_w \rightarrow 0, k^1_w \rightarrow 1\}$ which gives the correspondence between the keys and the bits they represent for each output wire w. To garble an n-bit value $x = x_1x_2\cdots x_n$, the garbled input $\widetilde{x}$ consists of the keys $k_{w_i}^{x_i}$ for the n input wires $w_i$.

To evaluate the garbled circuit on the garbled input, it’s possible to decrypt (exactly) one ciphertext in each garbled gate and get the key $k_w^{v(w)}$ corresponding to the bit v(w) going over the wire w during the computation C(x). Once the keys for the output wires are computed, it’s possible to recover the actual output bits by looking them up in the output mapping.

Selective Security Simulator. To prove the selective security of Yao’s scheme, we need to define a simulator that gets the output $y = y_1y_2 \cdots y_m = C(x)$ and must produce $\widetilde{C}$, $\widetilde{x}$. The simulator picks random keys $k^0_1, k^1_w$ for each wire w just like the real scheme, but it creates the garbled gates as follows:

$$\begin{aligned} \begin{array}{ccc} c_{0,0} = \mathsf {Enc}_{k^{0}_a}(\mathsf {Enc}_{k^{0}_b}( k^{0}_c)) &{}~&{} c_{1,0} = \mathsf {Enc}_{k^{1}_a}(\mathsf {Enc}_{k^{0}_b}( k^{0}_c)),\\ c_{0,1} = \mathsf {Enc}_{k^{0}_a}(\mathsf {Enc}_{k^{1}_b}( k^{0}_c)) &{}~&{} c_{1,1} = \mathsf {Enc}_{k^{1}_a}(\mathsf {Enc}_{k^{1}_b}( k^{0}_c)) \end{array} \end{aligned}$$

(2)

where all four ciphertext encrypt the same key $k^0_c$. It creates the output mapping $\{k^0_w \rightarrow y_w, k^1_w \rightarrow 1 - y_w\}$ by “programming it” so that the key $k^0_w$ corresponds to the correct output bit $y_w$ for each output wire w. This defines the simulated garbled circuit $\widetilde{C}$. To create the simulated garbled input $\widetilde{x}$ the simulator simply gives out the keys $k^0_w$ for each input wire w. Note that, when evaluating the simulated garbled circuit on the simulated garbled input, the adversary only sees the keys $k^0_w$ for every wire w.

Selective Security Hybrids. To prove indistinguishability between the real world and the simulation, there is a series of carefully defined hybrid games that switch the distribution of one garbled gate at a time, starting with the input level and proceeding up the circuit level by level. In each step we switch the distribution of the ciphertexts in the targeted gate to:

$$\begin{aligned} \begin{array}{ccc} c_{0,0} = \mathsf {Enc}_{k^{0}_a}(\mathsf {Enc}_{k^{0}_b}( k^{v(c)}_c)) &{}~&{} c_{1,0} = \mathsf {Enc}_{k^{1}_a}(\mathsf {Enc}_{k^{0}_b}( k^{v(c)}_c)),\\ c_{0,1} = \mathsf {Enc}_{k^{0}_a}(\mathsf {Enc}_{k^{1}_b}( k^{v(c)}_c)) &{}~&{} c_{1,1} = \mathsf {Enc}_{k^{1}_a}(\mathsf {Enc}_{k^{1}_b}( k^{v(c)}_c)) \end{array} \end{aligned}$$

(3)

where v(c) is the correct value of the bit going over the wire c during the computation of C(x).

Let us give names to the three modes for creating garbled gates that we defined above: (1) is called $\mathsf {RealGate}$ mode, (2) is called $\mathsf {SimGate}$ mode, and (3) is called $\mathsf {InputDepSimGate}$ mode, since the way that it is defined depends adaptively on the choice of the input x.

We can switch a gate from $\mathsf {RealGate}$ to $\mathsf {InputDepSimGate}$ mode if the gates in the previous level are in $\mathsf {InputDepSimGate}$ mode (or we are in the input level) by CPA security of encryption. In particular, we are not changing the value contained in ciphertext $c_{v(a),v(b)}$ encrypted under the keys $k_a^{v(a)}, k_b^{v(b)}$ that the adversary obtains during evaluation, but we can change the values contained in all of the other ciphertexts since the keys $k^{1-v(a)}, k^{1-v(b)}$ do not appear anywhere inside the garbled gates in the previous level.

At the end of the above sequence of hybrid games, all gates are switched from $\mathsf {RealGate}$ to $\mathsf {InputDepSimGate}$ mode and the output mapping is computed as in the real world. The resulting distribution is statistically identical to the simulation where all the gates are in $\mathsf {SimGate}$ mode and the output mapping is programmed. This is because, at any level that’s not the output, the keys $k^0_c,k^1_c$ are used completely identically in the subsequent level so there is no difference between always encrypting $k^{v(c)}_c$ ($\mathsf {InputDepSimGate}$) and $k^{0}_c$ ($\mathsf {SimGate}$). At the output level there is no difference between encrypting $k^{v(c)}_c$ and giving the real mapping $k^{v(c)}_c \rightarrow y_c$ or encrypting $k^{0}_c$ and giving the programmed mapping $k^{0}_c \rightarrow y_c$ where $y_c$ is the output bit on wire c.

Challenges in Achieving Adaptive Security. There are two issues in using the above strategy in the adaptive setting: an immediate but easy to fix problem and a more subtle but difficult to overcome problem.

The first immediate issue is that the selective simulator needs to know the output $y = C(x)$ to create the garbled circuit $\widetilde{C}$ and in particular to program the output mapping $\{k^0_w \rightarrow y_w, k^1_w \rightarrow 1 - y_w\}$ for the output wires w. However, the adaptive simulator does not get the output y until after it creates the garbled circuit $\widetilde{C}$. Therefore, we cannot (even syntactically) use the selective security simulator in the adaptive setting. This issue turns out to be easy to fix by modifying the construction to send the output-mapping as part of the garbled input $\widetilde{x}$ in the on-line phase, rather than as part of the garbled circuit $\widetilde{C}$ in the off-line phase. This modification raises on-line complexity to also being linear in the output size of the circuit, which we know to be necessary by the lower bound of [8]. With this modification, the adaptive simulator can program the output mapping after it learns the output $y = C(x)$ in the on-line phase and therefore we get a syntactically meaningful simulation strategy in the adaptive setting.

The second problem is where the true difficulty lies. Although we have a syntactically meaningful simulation strategy, the previous proof of indistinguishability of the real world and the simulation completely breaks down in the adaptive setting. Recall that the proof consisted of a sequence of hybrids where we changed one garbled gate at a time (starting from the input level) from $\mathsf {RealGate}$ mode to the $\mathsf {InputDepSimGate}$ mode. In the latter mode, the gate is created in a way that depends on the input x, but in the adaptive setting the input x is chosen adaptively after the garbled circuit is created, leading to a circularity. In other words, the distribution of $\mathsf {InputDepSimGate}$ as specified in Eq. (3) doesn’t even syntactically make sense in the adaptive setting. Therefore, although we have a syntactically meaningful simulation strategy for the adaptive setting, we do not have any syntactically meaningful sequence of intermediate hybrids to prove indistinguishability between the real world and the simulated world.

(One could hope to bypass $\mathsf {InputDepSimGate}$ mode altogether and define the hybrids by changing a gate directly from $\mathsf {RealGate}$ mode to $\mathsf {SimGate}$ mode. Unfortunately, this change is easily distinguishable already for the very first gate we would hope to change at the input level – the output value on the gate would no longer be v(w) but 0 which may result in an overall incorrect output since we have not programmed the output map yet. On the other hand, we cannot immediately jump to a hybrid where we program the output map since all of the keys and their semantics are contained under encryption in prior levels of the circuit and we haven’t argued about the security of the ciphertexts in these levels yet.)

Our Solution. Outer Encryption Layer. Our construction starts with the approach of [11] which is to encrypt the entire garbled circuit with an additional outer encryption layer in the off-line phase (this is unrelated to the encryption used to construct the garbled gates). Then, in the on-line phase, we give out the secret key for this outer encryption scheme. The approach of [11] required a symmetric-key, one-time encryption scheme which is equivocal, meaning that the ciphertext doesn’t determine the message and it is possible to come up with a secret key that can open the ciphertext to any possible message. Unfortunately, any fully equivocal encryption scheme where a ciphertext can be opened to any message (e.g., the one-time pad) must necessarily have a secret key size which is as large as the message size. In our case, this is the entire garbled circuit and therefore this ruins the on-line efficiency of the scheme. Our main idea is to use a new type of partially equivocal encryption scheme, we call somewhere equivocal.

Somewhere Equivocal Encryption. Intuitively, a somewhere equivocal encryption scheme allows us to create a simulated ciphertext which contains “holes” in some small subset of the message bit positions I chosen by the simulator, but all other message bits are fixed. The simulator can later equivocate this ciphertext and “plug the holes” with any bits it wants by deriving a corresponding secret key. An adversary cannot distinguish between seeing a real encryption of some message $m = m_1m_2 \cdots m_n$ and the real secret key, from seeing a simulated encryption created using only $(m_i)_{i \not \in I}$ with “holes” in positions I and an equivocated secret key that later plugs the holes to the correct bits $(m_i)_{i \in I}$. We show how to construct somewhere equivocal encryption using one-way functions. The size of the secret key is only proportional to the maximum number of holes $t = |I|$ that we allow, which we call the “equivocation parameter”, but can be much smaller than the message size.^{Footnote 9}

Our proof of security departs significantly from that of [11]. In particular, our simulator does not take advantage of the equivocation property of the encryption scheme at all, and in fact, our simulation strategy is identical to the adaptive simulator we outlined above for the variant of Yao’s garbling where the output map is sent in the on-line phase. However, we crucially rely on the equivocation property to carefully define a meaningful sequence of hybrids that allows us to prove the indistinguishability of the real and simulated worlds.

Hybrids for Adaptive Security. We define hybrid distributions where various garbled gates will be created in one of three modes discussed above: $\mathsf {RealGate},$ $\mathsf {SimGate}$ and $\mathsf {InputDepSimGate}$. However, to make the last option meaningful (even syntactically) in the adaptive setting, we rely on the somewhere equivocal encryption scheme. For these hybrids, when we create the encrypted garbled circuit in the off-line phase, we will simulate the outer encryption layer with a ciphertext that contains “holes” in place of all gates that are in $\mathsf {InputDepSimGate}$ mode. Only when we open the outer encryption in the on-line phase after the input x is chosen, we will “plug the holes” by sampling these gates correctly in $\mathsf {InputDepSimGate}$ mode in a way that depends on the input x. Our equivocation parameter t for the somewhere equivocal encryption scheme therefore needs to be large enough to support the maximum number of gates in $\mathsf {InputDepSimGate}$ mode that we will have in any hybrid.

Sequence of Hybrids. For our main result, we use the following sequence of hybrids to prove indistinguishability of real and simulated worlds. We start by switching the first two levels of gates (starting with the input level) to $\mathsf {InputDepSimGate}$ mode. We then switch the first level of gates to $\mathsf {SimGate}$ mode and switch the third level $\mathsf {InputDepSimGate}$ mode. We continue this process, where in each step i we maintain level i in $\mathsf {InputDepSimGate}$ mode but switch the previous level $i-1$ from $\mathsf {InputDepSimGate}$ to $\mathsf {SimGate}$ and then switch the next level $i+1$ from $\mathsf {RealGate}$ to $\mathsf {InputDepSimGate}$. Eventually all gates will be in $\mathsf {SimGate}$ mode as we wanted. We can switch a level $i-1$ from $\mathsf {InputDepSimGate}$ to $\mathsf {SimGate}$ mode when the subsequent level i is in $\mathsf {InputDepSimGate}$ mode since the keys $k^0_c,k^1_c$ for wires c crossing from level $i-1$ to i are used identically in level i and therefore there is statistically no difference between encrypting the key $k^{v(c)}_c$ ($\mathsf {InputDepSimGate}$) and $k^0_c$ ($\mathsf {SimGate}$). We can also switch a level $i+1$ from $\mathsf {RealGate}$ to $\mathsf {InputDepSimGate}$ when the previous level i is $\mathsf {InputDepSimGate}$ (or $i+1$ is the input level) by CPA security following the same argument as in the selective setting. With this strategy, at any point in time we have at most two levels in $\mathsf {InputDepSimGate}$ mode and therefore our equivocation parameter only needs to be proportional to the circuit width w.

Connection to Pebbling. We can generalize the above idea and get other meaningful sequences of hybrids with different parameters and implications. We can think of the process of switching between $\mathsf {RealGate}$, $\mathsf {SimGate}$ and $\mathsf {InputDepSimGate}$ modes as a new kind of graph pebbling game, where pebbles can be placed on the graph representing the circuit according to certain rules. Initially, all gates are in $\mathsf {RealGate}$ mode, which we associate with not having any pebble on them. We associate $\mathsf {InputDepSimGate}$ mode with having a black pebble and $\mathsf {SimGate}$ mode with having a gray pebble. The rules of the game go as follows:

We can place or remove a black pebble on a gate as long as both predecessors of that gate have black pebbles on them (or the gate is an input gate).
We can replace a black pebble with a gray pebble on a gate as long as all successors of that gate have black or gray pebbles on them (or the gate is an output gate).

The goal of the game is to end up with a gray pebble on every gate. Any such pebbling strategy leads to a sequence of hybrids that shows the indistinguishability between the real world and the simulation. The number of moves needed to complete the pebbling corresponds to the number of hybrids in our proof, and therefore the security loss of our reduction. The maximum number of black pebbles that are in play at any given time corresponds to the equivocation parameter needed for our somewhere equivocal encryption scheme.

For example, the sequence of hybrids discussed above corresponds to a pebbling strategy where the number of black pebbles used is linear in the circuit width w (but independent of the depth) and the number of moves is linear in the circuit size. We give an alternate recursive pebbling strategy where the number of black pebbles used is linear in the circuit depth d (but independent of the width) and the number of moves is $2^{O(d)}$ times the circuit size.

Constructing Somewhere Equivocal Encryption. Lastly, we discuss our construction of somewhere equivocal encryption from one-way functions, which may be of independent interest. Recall that a somewhere equivocal encryption provides a method for equivocating some small number (t out of n) of bits of the message.

Our construction is based on the techniques developed in recent constructions of distributed point functions [14, 17]. These techniques give us a way to construct a pseudorandom function (PRF) family $f_k$ with the following equivocation property: for any input x, we can create two PRF keys $k_0,k_1$ that each individually look uniformly random but such that $f_{k_0}(x') = f_{k_1}(x')$ for all $x' \ne x$ and $f_{k_0}(x) \ne f_{k_1}(x)$. The construction is based on a clever adaptation of the Goldreich-Goldwasser-Micali (GGM) PRF [18].

Using distributed point functions, we can immediately create a somewhere equivocal encryption with equivocation parameter $t=1$. We rely on a PRF family $f_k$ with the above equivocation property and with one-bit output. To encrypt a message $m= m_1m_2 \cdots m_n \in \{0,1\}^n$ we create a ciphertext $c = f_{k}(1)\oplus m_1 || f_k(2) \oplus m_2 || \cdots || f_k(n) \oplus m_n$ using the PRF outputs as a one-time pad. To create a simulated encryption with a hole in position i, the simulator samples two PRF keys $k_0,k_1$ that only differ on input $x=i$. The simulator encrypts the n-bit message by setting the unknown value in position i to $m_i := 0$ and using $k_0$. If it later wants to open this value to 0, it sets the decryption key to $k_0$ else $k_1$.

We can extend the above approach to an arbitrarily large equivocation parameter t, by using the XOR of t independently chosen PRFs with the above equivocation property. The key size will be $t \cdot \mathsf {poly}(\lambda )$.

2 Preliminaries

General Notation. For a positive integer n, we define the set $[n] := \{1,\ldots ,n\}$. We use the notation $x \leftarrow X$ for the process of sampling a value x according to the distribution X. For a vector $\overline{m}=(m_1,m_2,\cdots ,m_n)$, and a subset $P\subset [n]$, we use $(m_i)_{i\in P}$ to denote a vector containing only the values $m_i$ in positions $i \in P$ and $\bot $ symbols in all other positions. We use $(m_i)_{i\notin P}$ as shorthand for $(m_i)_{i\in [n]\setminus P}$.

Circuit Notation. A boolean circuit C consists of gates $\mathsf {gate}_1,\ldots ,\mathsf {gate}_q$ and wires $w_1, w_2, \ldots ,w_{p}$. A gate is defined by the tuple $\mathsf {gate}_i = (g, w_{a}, w_{b}, w_{c})$ where $g~:~ \{0,1\}^2 \rightarrow \{0,1\}$ is the function computed by the gate, $w_{a}, w_{b}$ are the incoming wires, and $w_{c}$ is the outgoing wire. Although each gate has a unique outgoing wire $w_c$, this wire can be used as an incoming wire to several different gates and therefore this models a circuit with fan-in 2 and unbounded fan-out. We let q denote the number of gates in the circuit, n denotes the number of input wires and m denote the number of output wires. The total number of wires is $p= n+q$ (since each wire can either be input wire or an outgoing wire of some gate). For convenience, we denote the n input wires by ${\mathsf {in}_1}, \ldots , {\mathsf {in}_n}$ and the m output wires by ${\mathsf {out}_1}, \ldots , {\mathsf {out}_m}$. For $x \in \{0,1\}^n$ we write C(x) to denote the output of evaluating the circuit C on input x.

We say C is leveled, if each gate has an associated level and any gate at level $l$ has incoming wires only from gates at level $l-1$ and outgoing wires only to gates at level $l+1$. We let the depth $d$ denote the number of levels and the width $w$ denote the maximum number of gates in any level.

A circuit C is fully specified by a list of gate tuples $\mathsf {gate}_i = (g, w_{a}, w_{b}, w_{c})$. We use $\varPhi _{\mathsf{topo}}(C)$ to refer to the topology of a circuit– which indicates how gates are connected, without specifying the function implemented by each gate. In other words, $\varPhi _{\mathsf{topo}}(C)$ is the list of sanitized gate tuples $\widehat{\mathsf {gate}}_i = (\bot , w_{a}, w_{b}, w_{c})$ where the function g that the gate implements is removed from the tuple.

3 Garbling Scheme

We now give a formal definition of a garbling scheme. There are many variants of such definitions in the literature, and we refer the reader to [12] for a comprehensive treatment.

Definition 1

A Garbling Scheme is a tuple of PPT algorithms $\mathsf {GC}=(\mathsf {GCircuit}$, $\mathsf {GInput}$, $\mathsf {Eval})$ such that:

$(\widetilde{C}, k) \mathop {\leftarrow }\limits ^{\$}\mathsf {GCircuit}(1^\lambda , C)$: takes as input a security parameter $\lambda $, a circuit $C:\{0,1\}^{n}\rightarrow \{0,1\}^{m}$, and outputs the garbled circuit $\widetilde{C}$, and key $k$.
${\tilde{x}}\leftarrow \mathsf {GInput}(k, x)$: takes as input $x\in \{0,1\}^{n}$, and key $k$ and outputs ${\tilde{x}}$.
$y = \mathsf {Eval}(\widetilde{C}, {\tilde{x}})$: given a garbled circuit $\widetilde{C}$ and a garbled input ${\tilde{x}}$ output $y\in \{0,1\}^{m}$.

Correctness. There is a negligible function $\nu $ such that for any $\lambda \in \mathbb {N}$, any circuit C and input x it holds that $ \Pr [C(x) = \mathsf {Eval}(\widetilde{C}, {\tilde{x}})] = 1 - \nu (\lambda )$, where $(\widetilde{C},k) \leftarrow \mathsf {GCircuit}(1^\lambda , C)$, ${\tilde{x}}\leftarrow \mathsf {GInput}(k, x)$.

Adaptive Security. There exists a PPT simulator $\mathsf {Sim}=(\mathsf {SimC},\mathsf {SimIn})$ such that, for any PPT adversary $\mathcal {A}$, there exists a negligible function $\nu $ such that:

$$\Pr [\mathsf {Exp}^{\mathsf {adaptive}}_{\mathcal {A},\mathsf {GC},\mathsf {Sim}}(1^{\lambda },0)=1] -\Pr [\mathsf {Exp}^{\mathsf {adaptive}}_{\mathcal {A},\mathsf {GC},\mathsf {Sim}}(1^{\lambda },1)=1] \le \nu (\lambda )$$

where the experiment $\mathsf {Exp}^{\mathsf {adaptive}}_{\mathcal {A},\mathsf {GC},\mathsf {Sim}}(1^\lambda ,b)$ is defined as follows:

1.
The adversary $\mathcal {A}$ specifies C and gets $\widetilde{C}$ where $\widetilde{C}$ is created as follows:
- if $b=0$: $(\widetilde{C},k) \leftarrow \mathsf {GCircuit}(1^\lambda , C)$,
- if $b=1$: $(\widetilde{C},{\mathsf {state}}) \leftarrow \mathsf {SimC}(1^\lambda , \varPhi _{\mathsf{topo}}(C))$, where $\varPhi _{\mathsf{topo}}(C)$ reveals the topology of C.
2.
The adversary $\mathcal {A}$ specifies x and gets ${\tilde{x}} $ created as follows:
- if $b=0$, ${\tilde{x}} \leftarrow \mathsf {GInput}(k, x)$,
- if $b=1$, ${\tilde{x}}\leftarrow \mathsf {SimIn}(C(x), {\mathsf {state}})$.
3.
Finally, the adversary outputs a bit $b'$, which is the output of the experiment.

On-line Complexity. The time it takes to garble an input x, (i.e., time complexity of $\mathsf {GInput}(\cdot , \cdot )$) is the on-line complexity of the scheme. Clearly the on-line complexity of the scheme gives a bound on the size of the garbled input $\widetilde{x}$. Ideally, the on-line complexity should be much smaller than the circuit size |C|.

Projective Scheme. A garbling scheme is projective if each bit of the garbled input $\widetilde{x}$ only depends on one bit of the actual input x. In other words, each bit of the input, is garbled independently of other bits of the input. Projective schemes are essential for two-party computation where the garbled input is transmitted using an oblivious transfer (OT) protocol. Our constructions will be projective.

Hiding Topology. A garbling scheme that satisfies the above security definition may reveal the topology of the circuit C. However, there is a way to transform any such garbling scheme into one that hides everything, including the topology of the circuit, without a significant asymptotic efficiency loss. More precisely, we rely on the fact that there is a function $\mathsf {HideTopo}(\cdot )$ that takes a circuit C as input and outputs a functionally equivalent circuit $C'$, such that for any two circuits $C_1,C_2$ of equal size, if $C_1' = \mathsf {HideTopo}(C_1)$ and $C_2' = \mathsf {HideTopo}(C_2)$, then $\varPhi _{\mathsf{topo}}(C_1') = \varPhi _{\mathsf{topo}}(C_2')$. An easy way to construct such function $\mathsf {HideTopo}$ is by setting $C'$ to be a universal circuit, with a hard-coded description of the actual circuit C. Therefore, to get a topology-hiding garbling scheme, we can simply use a topology-revealing scheme but instead of garbling the circuit C directly, we garble the circuit $\mathsf {HideTopo}(C)$.

4 Somewhere Equivocal Symmetric-Key Encryption

We introduce a new cryptographic primitive called somewhere equivocal encryption scheme. Intuitively, a somewhere equivocal encryption scheme allows one to create a simulated ciphertext which contain “holes” in some small subset of the messages in positions $I$ chosen by the simulator, but all other messages are fixed. The simulator can later equivocate this ciphertext and “plug the holes” with any message it wants by deriving a corresponding secret key.

In more detail, encryptions can be computed in two modes: real mode and simulated mode. In the real mode, a key $\mathsf {key}\leftarrow \mathsf {KeyGen}(1^{\lambda })$ is generated using the honest key generation procedure and a vector of n messages $\overline{m}=m_1, \ldots , m_{n}$ is encrypted using the honest encryption procedure $\overline{c}\leftarrow \mathsf {Enc}(\mathsf {key},\overline{m})$.

In the simulated mode, there is an encryption procedure $\mathsf {SimEnc}$ that given a set $I$ (set of holes) and only a subset of messages $(m_i)_{i\notin I}$, outputs simulated ciphertext $\overline{c}$ that is equivocal in positions $I$. In a later stage, upon learning the remaining messages $(m_i)_{i\in I}$, there exists a procedure $\mathsf {SimKey}$ that plugs the holes by generating a key $\mathsf {key}'$ that will decrypt $\overline{c}$ correctly according to $\overline{m}$.

The security property that we require is that the distributions of $\{\overline{c}, \mathsf {key}\}$ generated in the two modes are indistinguishable. To capture this property, one could envision a non-adaptive security game where and adversary $\mathcal {A}$ first selects the full vector $\overline{m}$ and the set $I$, then it receives the tuple ($\overline{c}, \mathsf {key}$) and needs to distinguish which distribution it belongs to. However, such security definition is not sufficient for our indistinguishability proof where instead we need an adversary to decide on the missing messages after she receives the ciphertext $\overline{c}$. Therefore, we consider an adaptive security definition where the security game is defined in two stages: in the first stage, the adversary chooses $I$, an incomplete vector of messages $(m_i)_{i\notin I}$, and a challenge index $j\notin I$ and receives the ciphertext $\overline{c}$. In the second stage, the adversary sends the remaining messages $(m_i)_{i\in I}$ and gets $\mathsf {key}$. The adversary knows that all positions in $I$ are equivocal and are plugged to the values $(m_i)_{i\in I}$ chosen in the second stage. The challenge is to distinguish whether the position $j$ is also equivocal or not. Note that this two-stage (adaptive) security definition is stronger than the non-adaptive security definition sketched above. For completeness, we give the simpler non-adaptive definition and prove the above implication in the full version [23].

Definition 2

A somewhere equivocal encryption scheme with block-length $s$, message-length $n$ (in blocks), and equivocation-parameter $t$ (all polynomials in the security parameter) is a tuple of probabilistic polynomial algorithms $\varPi =(\mathsf {KeyGen}$, $\mathsf {Enc}, \mathsf {Dec}$, $\mathsf {SimEnc}$, $\mathsf {SimKey})$ such that:

The key generation algorithm $\mathsf {KeyGen}$ takes as input the security parameter $1^{\lambda }$ and outputs a key: $\mathsf {key}\leftarrow \mathsf {KeyGen}(1^{\lambda })$.
The encryption algorithm $\mathsf {Enc}$ takes as input a vector of $n$ messages $\overline{m}= m_1, \ldots , m_{n}$, with $m_i\in \{0,1\}^{s}$, and a key $\mathsf {key}$, and outputs ciphertext $\overline{c}\leftarrow \mathsf {Enc}(\mathsf {key},\overline{m})$.
The decryption algorithm $\mathsf {Dec}$ takes as input ciphertext $\overline{c}$ and a key $\mathsf {key}$ and outputs a vector of messages $\overline{m}= m_1, \ldots , m_{n}$. Namely, $\overline{m}\leftarrow \mathsf {Dec}(\mathsf {key},\overline{c})$.
The simulated encryption algorithm $\mathsf {SimEnc}$ takes as input a set of indexes $I\subset [n]$, such that $|I|\le t$, and a vector of $n-|I|$ messages $ (m_i)_{i\notin I}$ and outputs ciphertext $\overline{c}$, and a state ${\mathsf {state}}$. Namely, $({\mathsf {state}},\overline{c})\leftarrow \mathsf {SimEnc}( (m_i)_{i\notin I}, I)$.
The simulated key algorithm $\mathsf {SimKey}$, takes in the variable ${\mathsf {state}}$ and messages $(m_i)_{i\in I}$ and outputs a key $\mathsf {key}'$. Namely, $\mathsf {key}'\leftarrow $ $\mathsf {SimKey}({\mathsf {state}},(m_i)_{i\in I})$.

and satisfies the following properties:

Correctness. For every $\mathsf {key}\leftarrow \mathsf {KeyGen}(1^{\lambda })$, $\overline{m}\in \{0,1\}^{s\times n}$ it holds that:
$$\mathsf {Dec}(\mathsf {key}, (\mathsf {Enc}(\mathsf {key},\overline{m}))=\overline{m}$$
Simulation with No Holes. We require that the distribution of $(\overline{c}, \mathsf {key})$ computed via $(\overline{c}, {\mathsf {state}}) \leftarrow \mathsf {SimEnc}(\overline{m}, \emptyset )$ and $\mathsf {key}\leftarrow \mathsf {SimKey}({\mathsf {state}}, \emptyset )$ to be identical to $\mathsf {key}\leftarrow \mathsf {KeyGen}(1^{\lambda })$ and $\overline{c}\leftarrow \mathsf {Enc}(\mathsf {key}, \overline{m})$. In other words, simulation when there are no holes (i.e., $I = \emptyset $) is identical to honest key generation and encryption.
Security. For any PPT adversary $\mathcal {A}$, there is a negligible function $\nu (\lambda )$ s.t.:
$$\Pr [\mathsf {Exp}^{\mathsf {simenc}}_{\mathcal {A},\varPi }(1^{\lambda },0)=1]- \Pr [\mathsf {Exp}^{\mathsf {simenc}}_{\mathcal {A},\varPi }(1^{\lambda },1)=1]\le \nu (\lambda )$$
where the experiment $\mathsf {Exp}^{\mathsf {simenc}}_{\mathcal {A},\varPi }$ is defined as follows:

Experiment $\mathsf {Exp}^{\mathsf {simenc}}_{\mathcal {A},\varPi }(1^{\lambda },b)$
1. 1.
  The adversary $\mathcal {A}$ on input $1^{\lambda }$ outputs a set $I\subseteq [n]$ s.t. $|I| < t$, vector $(m_i)_{i \notin I}$, and a challenge index $j\in [n] \setminus I$. Let $I' = I\cup j$.
2. 2.
  1. –
    If $b=0$, compute $\overline{c}$ as follows: $({\mathsf {state}},\overline{c})\leftarrow \mathsf {SimEnc}( (m_i)_{i\notin I}, I)$.
  2. –
    If $b=1$, compute $\overline{c}$ as follows: $({\mathsf {state}},\overline{c})\leftarrow \mathsf {SimEnc}( (m_i)_{i\notin I'}, I')$.
3. 3.
  Send $\overline{c}$ to the adversary $\mathcal {A}$.
4. 4.
  The adversary $\mathcal {A}$ outputs the set of remaining messages $(m_i)_{i \in I}$.
  1. –
    If $b=0$, compute $\mathsf {key}$ as follows: $\mathsf {key}\leftarrow \mathsf {SimKey}({\mathsf {state}},(m_i)_{i\in I})$.
  2. –
    If $b=1$, compute $\mathsf {key}$ as follows: $\mathsf {key}\leftarrow \mathsf {SimKey}({\mathsf {state}},(m_i)_{i\in I'})$.
5. 5.
  Send $\mathsf {key}$ to the adversary $\mathcal {A}$.
6. 6.
  $\mathcal {A}$ outputs $b'$ which is the output of the experiment.

In the full version of this paper, [23], we construct somewhere equivocal encryption from one-way functions, proving the following theorem.

Theorem 1

Assuming the existence of one-way functions, there exists a somewhere equivocal encryption scheme for any polynomial message-length n, block-length s, and equivocation parameter t, having key size $t \cdot s \cdot \mathsf {poly}(\lambda )$ and ciphertext of size $n\cdot s$ bits.

5 Adaptively Secure Garbling Scheme and Simulator

In this section we describe our garbling scheme and the simulation strategy.

5.1 Construction

Our adaptively-secure garbling scheme consists in two simple steps: (1) garble the circuit using Yao’s garbling scheme; (2) hide the garbled circuit (without the output tables) under an outer layer of encryption instantiated with a somewhere-equivocal encryption scheme. In the on-line phase, the garbled input consists of Yao’s garbled input plus the output tables. Next we provide the formal description of our scheme that contains the details of Yao’s garbling scheme.

Let C be a leveled boolean circuit with fan-in 2 and unbounded fan-out, with inputs size n, output size m, depth d and width w. Let q denote the number of gates in C. Recall that wires are uniquely identified with labels $w_1, w_2, \ldots ,w_{p}$, and a circuit C is specified by a list of gate tuples $\mathsf {gate}= (g, w_{a}, w_{b}, w_{c})$. To simplify the description of our construction, we first describe the procedure for garbling a single gate, that we denote by $\mathsf {GarbleGate}$. Let $\varGamma =(G, E,D)$ be a CPA-secure symmetric-key encryption scheme satisfying the special correctness property, that is, the decryption procedure will abort if an incorrect key is used. $ \mathsf {GarbleGate}(g, \{k^{\sigma }_{a}, k^\sigma _{b},$ $ k^{\sigma }_{c}\}_{\sigma \in \{0,1\}})$ computes 4 ciphertexts $c_{\sigma _0,\sigma _1}~:~\sigma _0,\sigma _1 \in \{0,1\}$ as defined below and outputs them in a random order as $\widetilde{g}=[c_1, c_2, c_3, c_4]$.

$$\begin{aligned} c_{0,0}\leftarrow E_{k^0_{a}}(E_{k^0_{b}}(k^{g(0,0)}_{c}))&c_{0,1}\leftarrow E_{k^0_{a}}(E_{k^1_{b}}(k^{g(0,1)}_{c}))\\ c_{1,0}\leftarrow E_{k^1_{a}}(E_{k^0_{b}}(k^{g(1,0)}_{c}))&c_{1,1}\leftarrow E_{k^1_{a}}(E_{k^0_{b}}(k^{g(1,1)}_{c}))\\ \end{aligned}$$

Let $\varPi =(\mathsf {KeyGen}$, $\mathsf {Enc}, \mathsf {Dec}$, $\mathsf {SimEnc}$, $\mathsf {SimKey})$ be a somewhere-equivocal symmetric-encryption scheme as defined in Sect. 4. Recall that in this primitive the plaintext is a vector of $n$ blocks, each of which has $s$ bits. In our construction we use the following parameters: the vector size $n= q$ is the number of gates and the block size $s= |\widetilde{g}|$ is the size of a single garbled gate. The equivocation parameter $t$ is defined by the strategy used in the security proof and will be specified later. The garbling scheme is formally described in Fig. 1.

5.2 Adaptive Simulator

The adaptive security simulator for our garbling scheme is essentially the same as the static security simulator for Yao’s scheme (as in [27]), with the only difference that the output table is sent in the on-line phase, and is computed adaptively to map to the correct output. Note that the garbled circuit simulator does not rely on the simulation properties of the somewhere equivocal encryption scheme - these are only used in the proof of indistinguishability.

More specifically, the adaptive simulator $(\mathsf {SimC}, \mathsf {SimIn})$ works as follows. In the off-line phase, $\mathsf {SimC}$ computes the garbled gates using procedure $\mathsf {GarbleSimGate}$, that generates 4 ciphertexts that encrypt the same output key. More precisely, $\mathsf {GarbleSimGate}(\{k^{\sigma }_{w_{a}}, k^{\sigma }_{w_{b}}\}_{\sigma \in \{0,1\}},k'_{w_{c}})$ takes both keys for input wires $w_{a}, w_{b}$ and a single key for the output wire $w_{c}$, that we denote by $k'_{w_{c}}$. It then outputs $\widetilde{g}_{c}=[c_1, c_2, c_3,c_4]$ where the ciphertexts, arranged in random order, are computed as follows.

$$\begin{aligned} c_{0,0}\leftarrow E_{k^0_{a}}(E_{k^0_{b}}(k'_{c}))&c_{0,1}\leftarrow E_{k^0_{a}}(E_{k^1_{b}}(k'_{c}))\\ c_{1,0}\leftarrow E_{k^1_{a}}(E_{k^0_{b}}(k'_{c}))&c_{1,1}\leftarrow E_{k^1_{a}}(E_{k^0_{b}}(k'_{c}))\\ \end{aligned}$$

The simulator invokes $\mathsf {GarbleSimGate}$ on input $k'_{c}= k^0_{c}$. It then encrypts the garbled gates so obtained by using the honest procedure for the somewhere equivocal encryption.

In the on-line phase, $\mathsf {SimIn}$, on input $y=C(x)$ adaptively computes the output tables so that the evaluator obtains the correct output. This is easily achieved by associating each bit of the output, $y_j$, to the only key encrypted in the output gate $g_{\mathsf {out}_j}$, which is $k^0_{\mathsf {out}_j}$. For the input keys, $\mathsf {SimIn}$ just sends keys $k^{0}_{{\mathsf {in}_i}}$ for each $i\in [n]$. The detailed definition of $(\mathsf {SimC}, \mathsf {SimIn})$ is provided in Fig. 2.

6 Hybrid Games

We now need to prove the indistinguishability of our garbling scheme and the simulation. We devise a modular approach for proving indistinguishability using different strategies that result in different parameters. We first provide a template for defining hybrid games, where each such hybrid game is parametrized by a circuit configuration, that is, a vector indicating the way the gates are garbled and encrypted. Then we define the rules that allow us to indistinguishably move from one configuration to another. With this framework in place, an indistinguishability proof consists of a strategy to move from the circuit configuration of the real game to the circuit configuration of the simulated game, using the allowed rules.

6.1 Template for Defining Hybrid Games

Gate/Circuit Configuration. We start by defining a gate configuration. A gate configuration is a pair (outer mode, garbling mode) indicating the way a gate is computed. The outer encryption mode can be $\{\mathsf{EquivEnc},\mathsf{BindEnc}\}$ depending on whether the outer encryption contains a “hole” in place of that gate or whether it is binding on that gate. The garbling mode can be $\{\mathsf {RealGate}$, $\mathsf {SimGate}$, $\mathsf {InputDepSimGate}\}$ which corresponds to the distributions outlined in Fig. 3. We stress that, if the garbling mode of a gate is $\mathsf {InputDepSimGate}$ then we require that the outer encryption mode is $\mathsf{EquivEnc}$. This means that there are 5 valid gate configurations for each gate.

A circuit configuration simply consists of the gate configuration for each gate in the circuit. More specifically, we represent a circuit configuration by a tuple $(I, (\mathsf {mode}_{i})_{i\in [q]})$ where

Set $I\subseteq [q]$ contains the indices of the gates i whose outer mode is $\mathsf{EquivEnc}$.
The value $\mathsf {mode}_i \in \{\mathsf {RealGate}, \mathsf {SimGate}, \mathsf {InputDepSimGate}\}$ describes the garbling mode of gate i.

A valid circuit configuration is one where all indexes i such that $\mathsf {mode}_i = \mathsf {InputDepSimGate}$ satisfy $i \in I$.

The Hybrid Game $\mathsf {Hyb}(I, (\mathsf {mode}_{i})_{i\in [q]})$. Every valid circuit configuration $I$, $(\mathsf {mode}_{i})_{i\in [q]}$ defines a hybrid game $\mathsf {Hyb}(I, (\mathsf {mode}_{i})_{i\in [q]})$ as specified formally Fig. 4 and described informally below. The hybrid game consists of two procedures: $\mathsf {GCircuit}'$ for creating the garbled circuit $\widetilde{C}$ and $\mathsf {GInput}'$ for creating the garbled input $\widetilde{x}$ respectively. The garbled circuit is created by picking random keys $k^{\sigma }_{w_j}$ for each wire $w_j$. For each gate i, such that $\mathsf {mode}_i \in \{\mathsf {RealGate}, \mathsf {SimGate}\}$ it creates a garbled gate $\widetilde{g}_i$ using the corresponding distribution as described in Fig. 3. The garbled circuit $\widetilde{C}$ is then created by simulating the outer encryption using the values $\widetilde{g}_i$ in locations $i \not \in I$ and “holes” in the locations I. The garbled input is created by first sampling the garbled gates $\widetilde{g}_i$ for each i such that $\mathsf {mode}_i = \mathsf {InputDepSimGate}$ using the corresponding distribution in Fig. 3 and using knowledge of the input x. Then the decryption key $\mathsf {key}$ is simulated by plugging in the holes in locations I with the correctly sampled garbled gates $\widetilde{g}_i$. There is some subtlety about how the input labels K[i] and the output label maps $\widetilde{d}_j$ are created when computing $\widetilde{x}$:

If all of the gates having $\mathsf {in}_i$ as an input wire are in $\mathsf {SimGate}$ mode, then $K[i] := k_{\mathsf {in}_i}^0$ else $K[i] := k_{\mathsf {in}_i}^{x_i}$.
If the unique gate having $\mathsf {out}_j$ as an output wire is in $\mathsf {SimGate}$ mode, then we give the simulated output map $\widetilde{d}_j := [(k^{y_j}_{{\mathsf {out}_j}} \rightarrow 0), (k^{1 - y_j}_{{\mathsf {out}_j}} \rightarrow 1)]$ else the real one $\widetilde{d}_j := [(k^0_{{\mathsf {out}_j}} \rightarrow 0), (k^1_{{\mathsf {out}_j}} \rightarrow 1)]$.

Real game and Simulated Game. By definition of adaptively secure garbled circuits (Definition 1), the real game $\mathsf {Exp}^{\mathsf {adaptive}}_{\mathcal {A},\mathsf {GC},\mathsf {Sim}}(1^{\lambda },0)$ is equivalent to $\mathsf {Hyb}(I = \emptyset , (\mathsf {mode}_{i} = \mathsf {RealGate})_{i\in [q]})$ and the simulated game $\mathsf {Exp}^{\mathsf {adaptive}}_{\mathcal {A},\mathsf {GC},\mathsf {Sim}}(1^{\lambda },1)$ is equivalent to $\mathsf {Hyb}(I = \emptyset , (\mathsf {mode}_{i} = \mathsf {SimGate})_{i\in [q]})$. Therefore, the main aim is to show that these hybrids are indistinguishable.^{Footnote 10}

6.2 Rules for Indistinguishable Hybrids

Next, we provide rules that allow us to move from one configuration to another and prove that the corresponding hybrid games are indistinguishable. We define three rules that allow us to do this. We define $\mathsf {mode}\mathop {=}\limits ^\mathrm{def}(\mathsf {mode}_i)_{i\in [q]}$.

Indistinguishability Rule 1: Changing the Outer Encryption Mode ${{\mathbf {\mathsf{{BindEnc}}}}\,{\varvec{\leftrightarrow }}\,{\mathbf {\mathsf{{EquivEnc}}}}}$. This rule allows to change the outer encryption of a single gate. It says that one can move from a valid circuit configuration $(I, \mathsf {mode})$ to a circuit configuration $(I', \mathsf {mode})$ where $I'=I\cup j$. Thus one more gate is now computed equivocally (and vice versa).

Lemma 1

Let $(I, \mathsf {mode})$ be any valid circuit configuration, let $j\in [q] \setminus I$ and let $I' = I\cup j$. Then $\mathsf {Hyb}(I, \mathsf {mode}) \mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}\mathsf {Hyb}(I', \mathsf {mode})$ are computationally indistinguishable as long as $\varPi = (\mathsf {KeyGen}$, $\mathsf {Enc}, \mathsf {Dec}$, $\mathsf {SimEnc}$, $\mathsf {SimKey})$ is a somewhere equivocal encryption scheme with equivocation parameter t such that $|I'| \le t$.

Proof

Towards a contradiction, assume there exists a PPT distinguisher $\mathcal {A}$ that distinguishes the distributions $H_{0} = \mathsf {Hyb}(I, \mathsf {mode}) $ and $H_{1} = \mathsf {Hyb}(I', \mathsf {mode})$ as defined in the Lemma.

We construct a distinguisher B for the security of somewhere equivocal encryption scheme as follows. Informally, adversary B is playing in experiment $\mathsf {Exp}^{\mathsf {simenc}}_{B,\varPi }(1^{\lambda },b)$ and uses her oracle access to $\mathsf {SimEnc}$ to reproduce the distribution of $H_{b}$. B, on input $I, j$ and $\mathsf {mode}=\mathsf {mode}_1, \ldots , \mathsf {mode}_{q}$ computes each garbled gate $\widetilde{g}_i$ on its own exactly as in $H_{0}$/ $H_{1}$ accordingly to $\mathsf {mode}_i$. B computes the outer encryptions of the gates by sending the gates, along with sets $I, j$ to $\mathsf {Exp}^{\mathsf {simenc}}$.

In the on-line phase, after obtaining x from $\mathcal {A}$, B computes the values for the missing gates $(\widetilde{g}_{i})_{i\in I}$ and send them to $\mathsf {Exp}^{\mathsf {simenc}}$, and obtain a key $\mathsf {key}'$. B uses such key to compute the garbled inputs $\widetilde{x}$.

Now, if B is playing the game $\mathsf {Exp}^{\mathsf {simenc}}_{B,\varPi }(1^{\lambda },b)$ with a bit b, then the view generated by B is distributed identically to $H_{b}$. Thus, B distinguishes whether it is playing the game with $b=0$ or $b=1$ with the same probability that $\mathcal {A}$ distinguishes $H_{0}$ from $H_{1}$. A more detailed description of adversary B is provided in the full version [23].

Indistinguishability Rule 2. Changing the Garbling Mode, ${{\mathbf {\mathsf{{RealGate}}}}\,\varvec{\leftrightarrow }\,{\mathbf {\mathsf{{InputDepSimGate}}}}}$. This rule allows us to change the mode of a gate j from $\mathsf {RealGate}$ to $\mathsf {InputDepSimGate}$ as long as $j \in I$ and that $\mathsf {gate}_j = (g, w_a, w_b, w_c)$ has incoming wires $w_a, w_b$ that are either input wires or are the outgoing wires of some predecessor gates both of which are in $\mathsf {InputDepSimGate}$ mode.

Double Encryption Security. For convenience, we use the notion of double encryption security, following [27]. This notion is implied by standard CPA security but is more convenient to use in our security proof of garbled circuit security. See the full version [23] for more details.

Definition 3

(Predecessor/Successor/Sibling Gates). Given a circuit C and a gate $j \in [q]$ of the form $\mathsf {gate}_{j} = (g, w_a, w_b, w_c)$ with incoming wires $w_a,w_b$ and outgoing wire $w_c$:

We define the predecessors of j, denoted by $\mathsf {Pred}(j)$, to be the set of gates whose outgoing wires are either $w_a$ or $w_b$. If $w_a,w_b$ are input wires then $\mathsf {Pred}(j) = \emptyset $, else $|\mathsf {Pred}(j)| = 2$.
We define the successors of j, denoted by $\mathsf {Succ}(j)$ to be the set of gates that contain $w_c$ as an incoming wire. If $w_c$ is an output wires then $\mathsf {Succ}(j) = \emptyset $.
We define the siblings of j, denoted by $\mathsf {Siblings}(j)$ to be the set of gates that contain either $w_a$ or $w_b$ as an incoming wire.

Lemma 2

Let $(I, \mathsf {mode}= (\mathsf {mode}_i)_{i \in [q]})$ be a valid circuit configuration and let $j \in I$ be an index such that $\mathsf {mode}_{j} = \mathsf {RealGate}$ and for all $i \in \mathsf {Pred}(j)$: $\mathsf {mode}_{i} = \mathsf {InputDepSimGate}$. Let $\mathsf {mode}' = (\mathsf {mode}'_i)_{i \in [q]}$ be defined by $\mathsf {mode}'_i = \mathsf {mode}_i$ for all $i \ne j$ and $\mathsf {mode}'_{j} =\mathsf {InputDepSimGate}$. Then the games $\mathsf {Hyb}(I, \mathsf {mode}) \mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}\mathsf {Hyb}( I, \mathsf {mode}')$ are computationally indistinguishable as long as $\varGamma =(G,E, D)$ is an encryption scheme secure under chosen double encryption.

Proof

Let $I, \mathsf {mode},j$ and $\mathsf {mode}'$ be as in the statement of the Lemma. Towards a contradiction, assume that there exists a PPT adversary $\mathcal {A}$ distinguishing distributions generated in $H^0 := \mathsf {Hyb}(I, \mathsf {mode})$ and $H^1 := \mathsf {Hyb}( I, \mathsf {mode}')$.

We construct an adversary B that breaks the CPA-security of the inner encryption scheme $\varGamma = (G, E, D)$ which is used to garble gates. More specifically, we show that B wins the chosen double encryption security game which is implied by CPA security. Informally, B, on input $\mathsf {mode}, I$ and target gate j aims to use her CPA-oracle access in $\mathsf {Exp}^{\mathsf {double}}(1^{\lambda }, b)$ to generate a distribution $H^b$. Recall that the only difference between $H^0$ and $H^1$ is in the way that the garble gate $\widetilde{g}_j$ is computed. On a high level, the reduction B will compute all garbled gates $\widetilde{g}_i$ for $i\ne j$, according to experiment $\mathsf {Hyb}(I, \mathsf {mode})$, and will compute the garbled gate $\widetilde{g}_j$ using the ciphertexts obtained as a challenge in the experiment $\mathsf {Exp}^{\mathsf {double}}(1^{\lambda }, b)$.

In more detail, let $\mathsf {gate}_j = (g, w_{a}, w_{b}, w_{c})$ be the target gate. Recall $j \in I$ and therefore the value $\widetilde{g}_j$ is only needed in the on-line phase. If the values going over the wires $w_a,w_b$ during the computation C(x) are $\alpha ,\beta $ respectively, the reduction B will know all wire keys except for $k^{1-\alpha }_{w_a}, k^{1-\beta }_{w_b}$. To create the garbled gate $\widetilde{g}_j$ it will create the ciphertext $c_{\alpha ,\beta }$ as an encryption of $k^{g(\alpha ,\beta )}_{w_c}$ on its own, but the remaining three ciphertexts $c_{\alpha ',\beta '}$ will come from the experiment $\mathsf {Exp}^{\mathsf {double}}(1^{\lambda }, b)$ as either encryptions of different values $k^{g(\alpha ',\beta ')}_{w_c}$ (real) or of the same value $k^{g(\alpha ,\beta )}_{w_c}$.

The one subtlety is that reduction needs to create encryptions under the keys $k^{1-\alpha }_{w_a}, k^{1-\beta }_{w_b}$ to create garbled gates $\widetilde{g}_i$ for gates i that are siblings of gate j. It can do that by using the encryption oracles which are given to it as part of the experiment $\mathsf {Exp}^{\mathsf {double}}(1^{\lambda }, b)$. However, since some of the sibling gates i might be in $\mathsf {RealGate}$ or $\mathsf {SimGate}$ modes, the reduction needs to create these encryptions already in the offline phase and therefore needs to know the values of $\alpha ,\beta $ in the offline phase before the input x is chosen. To deal with this, we simply have the reduction guess the bits $\alpha , \beta $ randomly in the offline phase. If in the online phase it finds out that the guess is incorrect it outputs a random bit and aborts, else continues. See the full version [23], for a detailed description of the reduction B.

Let Correct be the event that B guesses $\alpha $ and $\beta $ correctly. Then

$$\begin{aligned}&| \Pr [\mathsf {Exp}^{\mathsf {double}}_B(1^{\lambda }, 0) = 1] - \Pr [\mathsf {Exp}^{\mathsf {double}}_B(1^{\lambda }, 1) = 1] | \\&= \frac{1}{4} | \Pr [\mathsf {Exp}^{\mathsf {double}}_B(1^{\lambda }, 0) = 1 | Correct] - \Pr [\mathsf {Exp}^{\mathsf {double}}_B(1^{\lambda }, 1) = 1 | Correct ] | \\&= \frac{1}{4} | \Pr [H^0_\mathcal {A}(1^{\lambda }) = 1] - \Pr [H^1_\mathcal {A}(1^{\lambda })] | \\ {}&\Longrightarrow | \Pr [H^0_\mathcal {A}(1^{\lambda }) = 1] - \Pr [H^1_\mathcal {A}(1^{\lambda })] | \\ {}&\le 4 | \Pr [\mathsf {Exp}^{\mathsf {double}}_B(1^{\lambda }, 0) = 1] - \Pr [\mathsf {Exp}^{\mathsf {double}}_B(1^{\lambda }, 1) = 1] | \le \mathsf{negl}(\lambda ) \end{aligned}$$

which proves the Lemma.

Indistinguishability Rule 3. Changing the Garbling Mode: ${{\mathbf {\mathsf{{InputDepSimGate}}}}\,\varvec{\leftrightarrow }\,{\mathbf {\mathsf{{SimGate}}}}}$. This rule allows us to change the mode of a gate j from $\mathsf {InputDepSimGate}$ to $\mathsf {SimGate}$ under the condition that all successor gates $i \in \mathsf {Succ}(j)$ satisfy that $\mathsf {mode}_i \in \{\mathsf {InputDepSimGate}, \mathsf {SimGate}\}$.

Lemma 3

Let $(I, \mathsf {mode}= (\mathsf {mode}_i)_{i \in [q]})$ be a valid circuit configuration and let $j \in I$ be an index such that $\mathsf {mode}_{j} = \mathsf {InputDepSimGate}$ and for all $i \in \mathsf {Succ}(j)$ we have $\mathsf {mode}_i \in \{\mathsf {SimGate}, \mathsf {InputDepSimGate}\}$. Let $\mathsf {mode}' = (\mathsf {mode}'_i)_{i \in [q]}$ be defined by $\mathsf {mode}'_i = \mathsf {mode}_i$ for all $i \ne j$ and $\mathsf {mode}'_{j} =\mathsf {SimGate}$. Then the games $\mathsf {Hyb}(I, \mathsf {mode}) \equiv \mathsf {Hyb}( I, \mathsf {mode}')$ are identically distributed.

Proof

Define $H_0 := \mathsf {Hyb}(I, \mathsf {mode})$ and $H_1 := \mathsf {Hyb}( I, \mathsf {mode}')$. Let $\mathsf {gate}_j = (g, w_{a}, $ $w_{b}, w_{c})$, and let v(c) be the bit on the wire $w_{c}$ during the computation C(x), which is defined in the on-line phase.

The main difference between the hybrids is how the garbled gate $\widetilde{g}_j$ is created:

In $H_0$, we set $\widetilde{g}_{j} \leftarrow \mathsf {GarbleSimGate}((k^{\sigma }_{w_{a}}, k^{\sigma }_{w_{b}})_{\sigma \in \{0,1\}}, k^{v(c)}_{w_{c}})$.
In $H_1$, we set $\widetilde{g}_{j} \leftarrow \mathsf {GarbleSimGate}((k^{\sigma }_{w_{a}}, k^{\sigma }_{w_{b}})_{\sigma \in \{0,1\}}, k^{0}_{w_{c}})$.

If j is not an output gate, and all successor gates $i \in \mathsf {Succ}(j)$ are in $\{\mathsf {SimGate}$, $\mathsf {InputDepSimGate}\}$ modes then the keys $k^0_{w_c}$ and $k^1_{w_c}$ are treated symmetrically everywhere in the game other than in $\widetilde{g}_j$. Therefore, by symmetry, there is no difference between using $k^0_{w_c}$ and $k^{v(c)}_{w_c}$ in $\widetilde{g}_j$

If j is an output gate then the keys $k^0_{w_c}$ and $k^1_{w_c}$ are only used in $\widetilde{g}_j$ and in the output map $\widetilde{d}_j$. Therefore, by symmetry, there is no difference between using $k^{y_j}_{w_c}$ in $\widetilde{g}_j$ and setting $\widetilde{d}_j := [(k^0_{{\mathsf {out}_j}} \rightarrow 0), (k^1_{{\mathsf {out}_j}} \rightarrow 1)]$ (in $H_0$) versus using $k^{0}_{w_c}$ in $\widetilde{g}_j$ and setting $\widetilde{d}_j := [(k^{y_j}_{{\mathsf {out}_j}} \rightarrow 0), (k^{1 - y_j}_{{\mathsf {out}_j}} \rightarrow 1)]$ (in $H_1$).

One last difference between the hybrids occurs if some wire $\mathsf {in}_i$ becomes only connected to gates that are in $\mathsf {SimGate}$ in $H_1$. In this case, when we create the garbled input $\widetilde{x}$, then in $H_0$ we give $K[i] := k_{\mathsf {in}_i}^{x_i}$ but in $H_1$ we give $K[i] := k_{\mathsf {in}_i}^0$. Since the keys $k_{\mathsf {in}_i}^0,k_{\mathsf {in}_i}^1$ are treated symmetrically everywhere in the game (both in $H_0$ and $H_1$) other than in K[i], there is no difference between setting $K[i] := k_{\mathsf {in}_i}^0$ versus $K[i] := k_{\mathsf {in}_i}^{x_i}$.

7 Pebbling and Sequences of Hybrid Games

In the last section we defined hybrid games parameterized by a configuration $(I, \mathsf {mode})$. We also gave 3 rules, which describe ways that allow us to indistinguishably move from one configuration to another. Now our goal is to use the given rules so as to define a sequence of indistinguishable hybrid games that takes us from the real game $\mathsf {Hyb}(I = \emptyset , (\mathsf {mode}_i = \mathsf {RealGate})_{i \in [q]})$ to the simulation $\mathsf {Hyb}(I = \emptyset , (\mathsf {mode}_i = \mathsf {SimGate})_{i \in [q]})$.

Pebbling Game. We show that the problem of finding such sequences of hybrid games can be captured by a certain type of pebbling game on the circuit C. Each gate can either have no pebble, a black pebble, or a gray pebble on it (this will correspond to $\mathsf {RealGate}, \mathsf {InputDepSimGate}$ and $\mathsf {SimGate}$ modes respectively). Initially, the circuit starts out with no pebbles on any gate. The game consist of the following possible moves:

Rule A. We can place or remove a black pebble on a gate as long as both predecessors of that gate have black pebbles (or the gate is an input gate).
Rule B. We can replace a black pebble with a gray one, only if successors of that gate have black or gray pebbles on them (or the gate is an output gate).

A pebbling of a circuit C is a sequence of $\gamma $ moves that follow rules A and B and that end up with a gray pebble on every gate. We say that a pebbling uses t black pebbles if this is the maximal number of black pebbles on the circuit at any point in time during the game.

From Pebbling to Sequence of Hybrids. In our next theorem we prove that any pebbling of a circuit C results in a sequence of hybrids that shows indistinguishability of the real and simulated games. The number of hybrids is proportional to the number of moves in the pebbling and the equivocation parameter is proportional to the number of black pebbles it uses.

Theorem 2

Assume that there is a pebbling of the circuit C in $\gamma $ moves. Then there is a sequence of $2\cdot \gamma +1$ hybrid games, starting with the real game $\mathsf {Hyb}(I = \emptyset , (\mathsf {mode}_{i} = \mathsf {RealGate})_{i\in [q]})$ and ending with the simulated game $\mathsf {Hyb}(I = \emptyset ,$ $ (\mathsf {mode}_{i} = \mathsf {SimGate})_{i\in [q]})$ such that any two adjacent hybrid games in the sequence are indistinguishable by rules 1, 2 or 3 from the previous section. Furthermore if pebbling uses $t^*$ black pebbles then every hybrid $\mathsf {Hyb}(I, \mathsf {mode})$ in the sequence satisfies $|I| \le t^*$. In particular, indistinguishability holds as long as the equivocation parameter is at least $t^*$.

Proof

A pebble configuration specifies whether each gate contains no pebble, a black pebble, or a gray pebble. A pebbling in $\gamma $ moves gives rise to a sequence of $\gamma + 1$ pebble configurations starting with no pebbles and ending with a gray pebble on each gate. Each pebble configuration follows from the preceding one by a move that satisfies pebbling rules A or B.

We let each pebble configuration define a hybrid $\mathsf {Hyb}(I, \mathsf {mode})$ where:

For every gate $i \in [q]$, we set $\mathsf {mode}_i = \mathsf {RealGate}$ if gate i has no pebble, $\mathsf {mode}_i = \mathsf {InputDepSimGate}$ if gate i has a black pebble, and $\mathsf {mode}_i = \mathsf {SimGate}$ if gate i has a gray pebble.
We set I to be the set of gates with black pebbles on them.

Therefore a pebbling defines a sequence of hybrids $\mathsf {Hyb}_\alpha $ =$ \mathsf {Hyb}(I^\alpha , \mathsf {mode}^\alpha )$ for $\alpha = 0,\ldots , \gamma $ where $\mathsf {Hyb}_0 = \mathsf {Hyb}(\emptyset , (\mathsf {mode}^0_{i}$ = $\mathsf {RealGate})_{i\in [q]})$ is the real game and $\mathsf {Hyb}_\gamma = \mathsf {Hyb}(\emptyset , (\mathsf {mode}^\gamma _{i}$ =$ \mathsf {SimGate})_{i\in [q]})$ is the simulated game, and each $\mathsf {Hyb}_\alpha $ is induced by the pebbling configuration after $\alpha $ moves. We will need to add additional intermediate hybrids (which we call “half steps”) to ensure that each pair of consecutive hybrids is indistinguishable by rules 1, 2 or 3. We do this as follows:

Assume that move $\alpha +1$ of the pebbling applies rule A to place a black pebble on gate j.

Let $\mathsf {Hyb}_\alpha = \mathsf {Hyb}(I^\alpha , \mathsf {mode}^\alpha )$ and $\mathsf {Hyb}_{\alpha +1}$= $ \mathsf {Hyb}(I^{\alpha +1}, \mathsf {mode}^{\alpha +1})$. Then $I^{\alpha +1}$ = $I^{\alpha } \cup \{j\}$, $\mathsf {mode}^{\alpha +1}_i$ = $\mathsf {mode}^\alpha _i$ for all $i \ne j$, and $\mathsf {mode}^{\alpha }_j$ = $\mathsf {RealGate}$, $\mathsf {mode}^{\alpha +1}_j$ = $\mathsf {InputDepSimGate}$.

Define the intermediate “half-step” hybrid $\mathsf {Hyb}_{\alpha +\frac{1}{2}} $:= $ \mathsf {Hyb}(I^{\alpha +1}$, $ \mathsf {mode}^\alpha )$.

It holds that $\mathsf {Hyb}_\alpha \mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}\mathsf {Hyb}_{\alpha +\frac{1}{2}}$ by rule 1, and $\mathsf {Hyb}_{\alpha +\frac{1}{2}} \mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}\mathsf {Hyb}_{\alpha +1}$ by rule 2. The conditions needed to apply rule 2 are implied by pebbling rule A.
Assume that move $\alpha +1$ of the pebbling applies rule A to remove a black pebble from gate j.

Let $\mathsf {Hyb}_\alpha = \mathsf {Hyb}(I^\alpha , \mathsf {mode}^\alpha )$ and $\mathsf {Hyb}_{\alpha +1}$ = $\mathsf {Hyb}(I^{\alpha +1}, \mathsf {mode}^{\alpha +1})$. Then $I^{\alpha +1}$ $ = I^{\alpha } \setminus \{j\}$, $\mathsf {mode}^{\alpha +1}_i = \mathsf {mode}^\alpha _i$ for all $i \ne j$, and $\mathsf {mode}^{\alpha }_j$ = $\mathsf {InputDepSimGate}$, $ \mathsf {mode}^{\alpha +1}_j$ = $\mathsf {RealGate}$.

Define the intermediate “half-step” hybrid $\mathsf {Hyb}_{\alpha + \frac{1}{2}} := \mathsf {Hyb}(I^{\alpha }, \mathsf {mode}^{\alpha +1})$.

It holds that $\mathsf {Hyb}_\alpha \mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}\mathsf {Hyb}_{\alpha +\frac{1}{2}}$ by rule 2, and $\mathsf {Hyb}_{\alpha +\frac{1}{2}} \mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}\mathsf {Hyb}_{\alpha +1}$ by rule 1. The conditions needed to apply rule 2 are implied by pebbling rule A.
Assume that move $\alpha +1$ of the pebbling applies rule B to replace a black pebble with a gray pebble on gate j.

Let $\mathsf {Hyb}_\alpha = \mathsf {Hyb}(I^\alpha , \mathsf {mode}^\alpha )$ and $\mathsf {Hyb}_{\alpha +1}$= $\mathsf {Hyb}(I^{\alpha +1}$, $\mathsf {mode}^{\alpha +1})$. Then $I^{\alpha +1} = I^{\alpha } \setminus \{j\}$, $\mathsf {mode}^{\alpha +1}_i = \mathsf {mode}^\alpha _i$ for all $i \ne j$, and $\mathsf {mode}^{\alpha }_j$ = $\mathsf {InputDepSimGate}$, $ \mathsf {mode}^{\alpha +1}_j $ $= \mathsf {SimGate}$.

Define the intermediate “half-step” hybrid $\mathsf {Hyb}_{\alpha +\frac{1}{2}} := \mathsf {Hyb}(I^{\alpha }, \mathsf {mode}^{\alpha +1})$.

It holds that $\mathsf {Hyb}_\alpha \mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}\mathsf {Hyb}_{\alpha +\frac{1}{2}}$ by rule 3, and $\mathsf {Hyb}_{\alpha +\frac{1}{2}} \mathop {\approx }\limits ^{{\tiny {\mathrm {comp}}}}\mathsf {Hyb}_{\alpha +1}$ by rule 1. The conditions needed to apply rule 3 are implied by pebbling rule B.

Therefore the sequence $\mathsf {Hyb}_0, \mathsf {Hyb}_{\frac{1}{2}}, \mathsf {Hyb}_{1}, \mathsf {Hyb}_{1 + \frac{1}{2}},\mathsf {Hyb}_2, \ldots , \mathsf {Hyb}_\gamma $ consisting of $2\gamma +1$ hybrids satisfies the conditions of the theorem.

Combining Theorems 2 and 1 we obtain the following corollary.

Corollary 1

There exists an adaptively secure garbling scheme such that the following holds. Assuming the existence of one-way functions, there is an instantiation of the garbling scheme that has on-line complexity $(n+m+t^*)\mathsf {poly}(\lambda )$ for any circuit C that admits a pebbling with $\gamma = \mathsf {poly}(\lambda )$ moves and $t^*$ black pebbles. Furthermore, assuming the existence of sub-exponentially secure one-way functions, there is an instantiation of the garbling scheme that has on-line complexity $(n+m + t^*)\mathsf {poly}(\lambda , \log \gamma )$ for any circuit C admits a pebbling strategy with $\gamma = 2^{\mathsf {poly}(\lambda )}$ moves and $t^*$ black pebbles.

Proof

We instantiate our construction from Sect. 5 with a CPA-secure “inner encryption” $\varGamma $ having special correctness, and a somewhere-equivocal “outer encryption” $\varPi $ from Sect. 4 using an equivocation parameter $t = t^*$. Both components can be instantiated from one-way functions. Assuming that $\gamma = \mathsf {poly}(\lambda )$, Theorem 2 tells us that the resulting garbling scheme is adaptively secure as long as $\varGamma ,\varPi $ are. The on-line complexity consists of $n+m$ keys for $\varGamma $ along with the key of $\varPi $ for a total of $(n+m)\mathsf {poly}(\lambda ) + t^* \mathsf {poly}(\lambda )$ as claimed.

When $\gamma = 2^{\mathsf {poly}(\lambda )}$, then Theorem 2 tells us that the resulting garbling scheme is adaptively secure as long as the schemes $\varGamma ,\varPi $ provide a higher level of security so as to survive $2 \gamma +1$ hybrids, meaning that the distinguishing advantage for each of the schemes needs to be $2^{-(2\gamma +1)}\mathsf{negl}(\lambda )$. This can be accomplished assuming sub-exponentially secure one-way functions by setting the security parameter of $\varGamma ,\varPi $ to some $\lambda ' = \mathsf {poly}(\lambda , \log \gamma )$ and results in on-line complexity $(n+m)\mathsf {poly}(\lambda , \log \gamma ) + t^* \mathsf {poly}(\lambda , \log \gamma )$ as claimed.

7.1 Pebbling Strategies

In this section we give two pebbling strategies for arbitrary circuit with width w, depth d, and q gates. The first strategy uses O(q) moves and O(w) black pebbles. The second strategy uses $O(q 2^d)$ moves and O(d) black pebbles.

Strategy 1. To pebble the circuit proceed as follows:

$\mathsf {Pebble}(C)$:
1. 1.
  Put a black pebble on each gate at the input level (level 1).
2. 2.
  For $i=1$ to $d-1$, repeat:
  1. (a)
    Put a black pebble on each gate at level $i+1$.
  2. (b)
    For each gate at level i, replace the black pebble with a gray pebble.
  3. (c)
    $i \leftarrow i+1$
3. 3.
  For each gate at level d, replace the black pebble with a gray pebble.

This strategy uses $\gamma = 2q$ moves and $t^* = 2w$ black pebbles. By instantiating Corollary 1 with this strategy, we obtain the following corollary.

Corollary 2

Assuming the existence of one-way functions there exists an adaptively secure garbling scheme with on-line complexity $w \cdot \mathsf {poly}(\lambda )$, where w is the width of the circuit.

Strategy 2. This is a recursive strategy defined as follows.

$\mathsf {Pebble}(C)$:
- For each gate i in C starting with the gates at the top level moving to the bottom level:
  1. 1.
    $\mathsf {RecPutBlack}(C, i)$
  2. 2.
    Replace the black pebble on gate i with a gray pebble.
$\mathsf {RecPutBlack}(C,i)$: // Let $\mathsf {LeftPred}(C,i)$ and $\mathsf {RightPred}(C, i)$ are the two predecessors of gate i in C.
1. 1.
  If gate i is an input gate, put a black pebble on i and return.
2. 2.
  Run $\mathsf {RecPutBlack}(C,\mathsf {LeftPred}(C, i))$, $\mathsf {RecPutBlack}(C,\mathsf {RightPred}(C, i))$
3. 3.
  Put a black pebble on gate i.
4. 4.
  Run $\mathsf {RecRemoveBlack}( C,\mathsf {LeftPred}(C, i))$ and $\mathsf {RecRemoveBlack}(C,\mathsf {RightPred}(C, i))$
$\mathsf {RecRemoveBlack}(C,i)$: This is the same as $\mathsf {RecPutBlack}$, except that instead of putting a black pebble on gate i, in steps 1 and 3, we remove it.

To analyze the correctness of this strategy, we note the following invariants: if the circuit C is in a configuration where it does not contain any pebbles at any level below that of gate i, then (1) the procedure $\mathsf {RecPutBlack}(C,i)$ results in a configuration where a single black pebble is added to gate i, but nothing else changes, (2) the procedure $\mathsf {RecRemoveBlack}(C,i)$ results in a configuration where a single black pebble is removed from gate i, but nothing else changes. Using these two invariants the correctness of of the entire strategy follows.

To calculate the number of black pebbles used and the number of moves that the above strategy takes to pebble C, we use the following simple recursive equations. Let $\mathsf {\#PebPut}(d)$ and $\mathsf {\#PebRem}(d)$ be the number of black pebbles on gate i and below it used to execute $\mathsf {RecPutBlack}$ and $\mathsf {RecRemoveBlack}$ on a gate at level d, respectively. We have,

$$\begin{aligned} \mathsf {\#PebPut}(1)=1,&~~~ \mathsf {\#PebPut}(d) \le \max (\mathsf {\#PebPut}(d-1),\mathsf {\#PebRem}(d-1)) + 2 \\ \mathsf {\#PebRem}(1)=1,&~~~ \mathsf {\#PebRem}(d) \le \max (\mathsf {\#PebPut}(d-1),\mathsf {\#PebRem}(d-1)) +2 \end{aligned}$$

Therefore the strategy requires at most 2d black pebbles to pebble the circuit.

To calculate the number of moves it takes run $\mathsf {Pebble}(C)$, we use the following recursive equations. Let $\mathsf {\#Moves}(d)$ be the number of moves it takes to put a black pebble on, or remove a black pebble from, a gate at level d. Then

$$\begin{aligned} \mathsf {\#Moves}(1)=1,~~~\mathsf {\#Moves}(d)= 4(\mathsf {\#Moves}(d-1)) + 1 \end{aligned}$$

Hence, each call of $\mathsf {RecPutBlack}$ takes at most $4^{d}$ moves, and the total number of moves to pebble the circuit is at most $q 4^{d}$.

In summary, the above gives us a strategy to pebble any circuit with at most $\gamma = q 4^d$ moves and $t^* = 2d$ black pebbles. By instantiating Corollary 1 with the above strategy, we obtain the following corollary.

Corollary 3

Assuming the existence of (standard) one-way functions, there exists an adaptively secure garbling schemes that has on-line complexity $(n+m)\mathsf {poly}(\lambda )$ for all circuits having depth $d = O(\log \lambda )$.

Assuming the existence of sub-exponentially secure one-way functions, there exists an adaptively secure garbling scheme that has on-line complexity $(n+m)\mathsf {poly}(\lambda ,d)$, for arbitrary circuits of depth $d = \mathsf {poly}(\lambda )$.

8 Conclusions

We have shown how to achieve adaptively secure garbling schemes under one-way functions by augmenting Yao’s construction with an additional layer of somewhere-equivocal encryption. The on-line complexity in our constructions can be significantly smaller than the circuit size. In our main instantiation, the on-line complexity only scales with the width w of the circuit, which corresponds to the space complexity of the computation.

It remains as an open problem to get the optimal on-line complexity $(n+m)\mathsf {poly}(\lambda )$ which does not depend on the circuit depth or width. Currently, this is only known assuming the existence of indistinguishability obfuscation and therefore it remains open to achieve the above under one-way functions or even stronger assumptions such as DDH or LWE. It also remains open if Yao’s scheme (or more precisely, a variant of it where the output map is sent in the on-line phase) can already achieve adaptive security without relying on somewhere-equivocal encryption. We have no proof nor a counter-example. It would be interesting to see if there is some simple-to-state standard-model security assumption that one could make on the encryption scheme used to create the garbled gates in Yao’s construction (e.g., circular security, key-dependent message security, etc.), under which one could prove that the resulting garbling scheme is adaptively secure.

Notes

1.
Note that, without any other restrictions on the structure of the garbling scheme, there is a trivial scheme where $\widetilde{C}$ is empty and $\widetilde{x}= C(x)$, whose on-line complexity is proportional to |C|.
2.
More precisely, in Yao’s garbled circuits, the garbled input is of size $|x|\cdot \mathsf {poly}(\lambda )$ where $\lambda $ is the security parameter. The work of [8] shows how to reduce this to $|x| + \mathsf {poly}(\lambda )$ assuming stronger assumptions such as DDH, RSA or LWE.
3.
The adaptive security notion we described, is denoted $\mathsf {prv1}$ by [11]. They also consider a stronger variant called $\mathsf {prv2}$, where the adversary adaptively chooses bits of the input x one at a time and gets the corresponding bits of the garbled input $\widetilde{x}$. They show that there is an efficiency preserving transformation from $\mathsf {prv1}$ to $\mathsf {prv2}$ following the ideas from [20]. Therefore, in this work we can focus solely on achieving $\mathsf {prv1}$.
4.
Even if we’re willing to assume exponentially secure primitives, the use of complexity leveraging blows up parameter sizes so that the garbled input must be of size at least $n^2 \cdot \mathsf {poly}(\lambda )$ where $\lambda $ is the security parameter to get any meaningful security.
5.
Each bit of the garbled input only depends on one bit of the original input.
6.
We consider circuits made up of fan-in 2 gates with arbitrary fan-out. The circuit is composed of levels and wires can only connect gates in level i with those at the next level $i+1$. The width of the circuit is the maximal number of gates in any level and the depth is the number of levels.
7.
For $\mathsf {NC}^1$ circuits, there are perfectly (information theoretically) secure variants of Yao [25, 26] which also achieve adaptive security. However, the on-line complexity in these schemes grows exponentially in the circuit depth d whereas ours is only linear in d. For example, for a boolean $\mathsf {NC}^1$ circuit with depth $d = 100\log n$, the on-line complexity of those schemes is $O(n^{100})$ whereas ours would be O(n).
8.
The work of [20] requires an even stronger notion of adaptivity called $\mathsf {prv2}$ but this can be generically achieved given an adaptively secure scheme in our sense. See footnote 7.
9.
A different notion of partially equivocal encryption, called somewhat non-committing encryption, was introduced in [15]. The latter notion allows a ciphertext to be opened to some small, polynomial size, set of messages which can be chosen arbitrarily by the simulator at encryption time. The two notions are incomparable.
10.
Note that, the games $\mathsf {Hyb}(\cdots )$ use the simulated encryption and key generation procedures of the somewhere equivocal encryption, while the games $\mathsf {Exp}^{\mathsf {adaptive}}_{\mathcal {A},\mathsf {GC},\mathsf {Sim}}(1^{\lambda },b)$ only use the real key generation and encryption procedures. However, by definition, these are equivalent when $I = \emptyset $ (no “holes”).

References

Ananth, P., Brakerski, Z., Segev, G., Vaikuntanathan, V.: From selective to adaptive security in functional encryption. In: Gennaro, R., Robshaw, M. (eds.) CRYPTO 2015. LNCS, vol. 9216, pp. 657–677. Springer, Heidelberg (2015)
Chapter Google Scholar
Ananth, P., Sahai, A.: Functional encryption for turing machines. Cryptology ePrint Archive, Report 2015/776 (2015). http://eprint.iacr.org/
Applebaum, B.: Key-dependent message security: generic amplification and completeness. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 527–546. Springer, Heidelberg (2011)
Chapter Google Scholar
Applebaum, B.: Bootstrapping obfuscators via fast pseudorandom functions. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 162–172. Springer, Heidelberg (2014)
Google Scholar
Applebaum, B., Ishai, Y., Kushilevitz, E.: Cryptography in NC$^0$. In: 45th FOCS, pp. 166–175. IEEE Computer Society Press, October 2004
Google Scholar
Applebaum, B., Ishai, Y., Kushilevitz, E.: Computationally private randomizing polynomials and their applications. In: 20th Annual IEEE Conference on Computational Complexity (CCC 2005), San Jose, CA, USA, 11–15 June 2005, pp. 260–274. IEEE Computer Society (2005)
Google Scholar
Applebaum, B., Ishai, Y., Kushilevitz, E.: From secrecy to soundness: efficient verification via secure computation. In: Abramsky, S., Gavoille, C., Kirchner, C., Meyer auf der Heide, F., Spirakis, P.G. (eds.) ICALP 2010. LNCS, vol. 6198, pp. 152–163. Springer, Heidelberg (2010)
Chapter Google Scholar
Applebaum, B., Ishai, Y., Kushilevitz, E., Waters, B.: Encoding functions with constant online rate or how to compress garbled circuits keys. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 166–184. Springer, Heidelberg (2013)
Chapter Google Scholar
Barak, B., Haitner, I., Hofheinz, D., Ishai, Y.: Bounded key-dependent message security. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 423–444. Springer, Heidelberg (2010)
Chapter Google Scholar
Bellare, M., Hoang, V.T., Keelveedhi, S.: Instantiating random oracles via UCEs. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 398–415. Springer, Heidelberg (2013)
Chapter Google Scholar
Bellare, M., Hoang, V.T., Rogaway, P.: Adaptively secure garbling with applications to one-time programs and secure outsourcing. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 134–153. Springer, Heidelberg (2012)
Chapter Google Scholar
Bellare, M., Hoang, V.T., Rogaway, P.: Foundations of garbled circuits. In: ACM CCS 2012, pp. 784–796. ACM Press, October 2012
Google Scholar
Boneh, D., Gentry, C., Gorbunov, S., Halevi, S., Nikolaenko, V., Segev, G., Vaikuntanathan, V., Vinayagamurthy, D.: Fully key-homomorphic encryption, arithmetic circuit ABE and compact garbled circuits. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 533–556. Springer, Heidelberg (2014)
Chapter Google Scholar
Boyle, E., Gilboa, N., Ishai, Y.: Function secret sharing. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 337–367. Springer, Heidelberg (2015)
Google Scholar
Garay, J.A., Wichs, D., Zhou, H.-S.: Somewhat non-committing encryption and efficient adaptively secure oblivious transfer. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 505–523. Springer, Heidelberg (2009)
Chapter Google Scholar
Gennaro, R., Gentry, C., Parno, B.: Non-interactive verifiable computing: outsourcing computation to untrusted workers. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 465–482. Springer, Heidelberg (2010)
Chapter Google Scholar
Gilboa, N., Ishai, Y.: Distributed point functions and their applications. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 640–658. Springer, Heidelberg (2014)
Chapter Google Scholar
Goldreich, O., Goldwasser, S., Micali, S.: On the cryptographic applications of random functions. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 276–288. Springer, Heidelberg (1985)
Chapter Google Scholar
Goldwasser, S., Kalai, Y.T., Popa, R.A., Vaikuntanathan, V., Zeldovich, N.: Reusable garbled circuits and succinct functional encryption. In: Boneh, D., Roughgarden, T., Feigenbaum, J. (eds.) 45th ACM STOC, pp. 555–564. ACM Press, June 2013
Google Scholar
Goldwasser, S., Kalai, Y.T., Rothblum, G.N.: One-time programs. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 39–56. Springer, Heidelberg (2008)
Chapter Google Scholar
Gorbunov, S., Vaikuntanathan, V., Wee, H.: Functional encryption with bounded collusions via multi-party computation. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 162–179. Springer, Heidelberg (2012)
Chapter Google Scholar
Goyal, V., Ishai, Y., Sahai, A., Venkatesan, R., Wadia, A.: Founding cryptography on tamper-proof hardware tokens. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 308–326. Springer, Heidelberg (2010)
Chapter Google Scholar
Hemenway, B., Jafargholi, Z., Ostrovsky, R., Scafuro, A., Wichs, D.: Adaptively secure garbled circuits from one-way functions. IACR Cryptology ePrint Archive 2015:1250 (2015)
Google Scholar
Hubacek, P., Wichs, D.: On the communication complexity of secure function evaluation with long output. In: ITCS 2015, pp. 163–172. ACM, January 2015
Google Scholar
Ishai, Y., Kushilevitz, E.: Randomizing polynomials: a new representation with applications to round-efficient secure computation. In: 41st Annual Symposium on Foundations of Computer Science, FOCS 2000, Redondo Beach, California, USA, 12–14 November 2000, pp. 294–304 (2000)
Google Scholar
Ishai, Y., Kushilevitz, E.: Perfect constant-round secure computation via perfect randomizing polynomials. In: Widmayer, P., Triguero, F., Morales, R., Hennessy, M., Eidenbenz, S., Conejo, R. (eds.) ICALP 2002. LNCS, vol. 2380, pp. 244–256. Springer, Heidelberg (2002)
Chapter Google Scholar
Lindell, Y., Pinkas, B.: A proof of security of Yao’s protocol for two-party computation. J. Cryptology 22(2), 161–188 (2009)
Article MathSciNet MATH Google Scholar
Lindell, Y., Riva, B.: Cut-and-choose yao-based secure computation in the online/offline and batch settings. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part II. LNCS, vol. 8617, pp. 476–494. Springer, Heidelberg (2014)
Chapter Google Scholar
Nielsen, J.B.: Separating random oracle proofs from complexity theoretic proofs: the non-committing encryption case. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 111–126. Springer, Heidelberg (2002)
Chapter Google Scholar
Sahai, A., Seyalioglu, H.: Worry-free encryption: functional encryption with public keys. In: ACM CCS 2010, pp. 463–472. ACM Press, October 2010
Google Scholar
Yao, A.C.-C.: Protocols for secure computations (extended abstract). In: 23rd FOCS, pp. 160–164. IEEE Computer Society Press, November 1982
Google Scholar
Yao, A.C.-C: How to generate and exchange secrets (extended abstract). In: 27th FOCS, pp. 162–167. IEEE Computer Society Press, October 1986
Google Scholar

Download references

Author information

Authors and Affiliations

University of Pennsylvania, Philadelphia, USA
Brett Hemenway
Northeastern University, Boston, USA
Zahra Jafargholi, Alessandra Scafuro & Daniel Wichs
University of California, Los Angeles, USA
Rafail Ostrovsky
Boston University, Boston, USA
Alessandra Scafuro

Authors

Brett Hemenway
View author publications
You can also search for this author in PubMed Google Scholar
Zahra Jafargholi
View author publications
You can also search for this author in PubMed Google Scholar
Rafail Ostrovsky
View author publications
You can also search for this author in PubMed Google Scholar
Alessandra Scafuro
View author publications
You can also search for this author in PubMed Google Scholar
Daniel Wichs
View author publications
You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Alessandra Scafuro .

Editor information

Editors and Affiliations

Impinj, Inc. , Seattle, Washington, USA
Matthew Robshaw
University of Maryland , College Park, Maryland, USA
Jonathan Katz

Rights and permissions

Reprints and permissions

Copyright information

About this paper

Cite this paper

Hemenway, B., Jafargholi, Z., Ostrovsky, R., Scafuro, A., Wichs, D. (2016). Adaptively Secure Garbled Circuits from One-Way Functions. In: Robshaw, M., Katz, J. (eds) Advances in Cryptology – CRYPTO 2016. CRYPTO 2016. Lecture Notes in Computer Science(), vol 9816. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-662-53015-3_6

Download citation

DOI: https://doi.org/10.1007/978-3-662-53015-3_6
Published: 21 July 2016
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-662-53014-6
Online ISBN: 978-3-662-53015-3
eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics

Societies and partnerships

the International Association for Cryptologic Research (opens in a new tab)

Adaptively Secure Garbled Circuits from One-Way Functions

Abstract

Similar content being viewed by others

Adaptive Security of Yao’s Garbled Circuits

Adaptive Security of Practical Garbling Schemes

Adaptively Indistinguishable Garbled Circuits

Keywords

1 Introduction

1.1 Prior Approaches to Adaptive Security

1.2 Our Results

1.3 Applications of Our Results

1.4 Our Techniques

2 Preliminaries

3 Garbling Scheme

Definition 1

4 Somewhere Equivocal Symmetric-Key Encryption

Definition 2

Theorem 1

5 Adaptively Secure Garbling Scheme and Simulator

5.1 Construction

5.2 Adaptive Simulator

6 Hybrid Games

6.1 Template for Defining Hybrid Games

6.2 Rules for Indistinguishable Hybrids

Lemma 1

Proof

Definition 3

Lemma 2

Proof

Lemma 3

Proof

7 Pebbling and Sequences of Hybrid Games

Theorem 2

Proof

Corollary 1

Proof

7.1 Pebbling Strategies

Corollary 2

Corollary 3

8 Conclusions

Notes

References

Author information

Authors and Affiliations

Corresponding author

Editor information

Editors and Affiliations

Rights and permissions

Copyright information

About this paper

Cite this paper

Download citation

Share this paper

Publish with us

Societies and partnerships

Search

Navigation