Fast Evaluation of S-boxes with Garbled Circuits

Erik Pohle, Aysajan Abidin, Bart Preneel

TL;DR

The paper presents a projective garbling scheme that assigns $2^{n}$ values to wires in a circuit comprising XOR and unary projection gates; a generalization of FreeXOR makes the XOR of wires with $2^{n}$ values very efficient.

Abstract

Garbling schemes are vital primitives for privacy-preserving protocols and secure two-party computation. This paper presents a projective garbling scheme that assigns $2^n$ values to wires in a circuit comprising XOR and unary projection gates. A generalization of FreeXOR allows the XOR of wires with $2^n$ values to be very efficient. We then analyze the performance of our scheme by evaluating substitution-permutation ciphers. Using our proposal, we measure high-speed evaluation of the ciphers with a moderately increased cost in garbling and bandwidth. Theoretical analysis suggests that for evaluating the nine examined ciphers, one can expect a 4- to 70-fold improvement in evaluation performance with, at most, a 4-fold increase in garbling cost and, at most, an 8-fold increase in communication cost compared to the Half-Gates (Zahur, Rosulek and Evans; Eurocrypt'15) and ThreeHalves (Rosulek and Roy; Crypto'21) garbling schemes. In an offline/online setting, such as secure function evaluation as a service, the circuit garbling and communication to the evaluator can proceed in the offline phase. Thus, our scheme offers a fast online phase. Furthermore, we present efficient Boolean circuits for the S-boxes of TWINE and Midori64 ciphers. To our knowledge, our formulas give the smallest number of AND gates for the S-boxes of these two ciphers.
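
The following sketch is an added example, not code from the paper or its authors. It illustrates how wires with $2^n$ values, a free XOR and a unary projection gate fit together when evaluating S(x XOR k). Assumptions: one global offset per bit as the FreeXOR generalization, SHA-256 as a stand-in hash, a constructed 4-bit S-box, and hypothetical function names.

```python
import hashlib
import secrets

KAPPA, N = 16, 4  # assumed: 16-byte labels, 4-bit wires (2^4 values per wire)
SBOX = [0x6, 0xB, 0x0, 0xD, 0x3, 0xE, 0x9, 0x4, 0xF, 0x1, 0xA, 0x7, 0xC, 0x2, 0x5, 0x8]  # constructed

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def H(label_bytes, gate_id):
    # SHA-256 is a stand-in; Theorem 1 assumes an n-bar-TCCR secure hash.
    return hashlib.sha256(gate_id.to_bytes(4, "big") + label_bytes).digest()[:KAPPA]

def pointer(label_bytes):
    return label_bytes[-1] & (2**N - 1)  # low N bits select the garbled-table row

def make_deltas():
    # One global offset per bit; the pointer bits of delta_i are the unit vector e_i.
    return [secrets.token_bytes(KAPPA - 1) + bytes([1 << i]) for i in range(N)]

def label(w0, v, deltas):
    # W^v = W^0 xor (xor of delta_i over the set bits of v), so labels are linear in v.
    for i in range(N):
        if (v >> i) & 1:
            w0 = xor(w0, deltas[i])
    return w0

def garble_projection(w0_in, table, gate_id, deltas):
    # Garbler: one ciphertext per input value, placed at the row its label points to.
    w0_out = secrets.token_bytes(KAPPA)
    rows = [None] * 2**N
    for v in range(2**N):
        lin = label(w0_in, v, deltas)
        rows[pointer(lin)] = xor(H(lin, gate_id), label(w0_out, table[v], deltas))
    return w0_out, rows

def eval_projection(rows, lin, gate_id):
    return xor(H(lin, gate_id), rows[pointer(lin)])  # evaluator: one hash, one row

def run(x, k):
    """Garble and evaluate S(x xor k); return the decoded 4-bit output."""
    deltas = make_deltas()
    a0, b0 = secrets.token_bytes(KAPPA), secrets.token_bytes(KAPPA)
    s0 = xor(a0, b0)  # garbler: zero label of the XOR output, no ciphertext needed
    out0, rows = garble_projection(s0, SBOX, 0, deltas)
    X, K = label(a0, x, deltas), label(b0, k, deltas)  # input labels (sent via OT in practice)
    out = eval_projection(rows, xor(X, K), 0)  # evaluator: XOR the labels, then project
    return next(v for v in range(2**N) if label(out0, v, deltas) == out)
```

The projection gate costs the garbler $2^n$ hashes and table rows but the evaluator a single hash, which matches the abstract's trade of higher garbling and bandwidth cost for faster evaluation.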

Paper Structure (39 sections, 2 theorems, 15 equations, 8 figures, 7 tables)

This paper contains 39 sections, 2 theorems, 15 equations, 8 figures, 7 tables.

Key Result

Theorem 1

Given a $\bar{n}$-TCCR secure hash function $\mathcal{H}$ and $\bar{n} \ll \kappa$, the garbling scheme $\Pi$ is prv.sim secure.

Figures (8)

  • Figure 1: For every circuit $f$ and input $x$ of the adversary's choice, the respective game function is called and the adversary outputs a choice $b'$ given $(GC,X,d)$ (resp. $(GC,X)$). The adversary wins if $b=b'$.
  • Figure 2: The new garbling scheme $\Pi$ comprises a garble, evaluation, encoding and decoding function.
  • Figure 3: Simulator $\mathcal{S}$.
  • Figure 4: Hybrid $\mathcal{G}_1$. The simulator from the perspective of the evaluator where $x$ is a black box value. Values in a box $\boxed{v_i}$ highlight the difference between $\mathcal{S}$ and $\mathcal{G}_1$.
  • Figure 5: Hybrid $\mathcal{G}_3$. We fix the encoding of $W_i^{v_i}$ to $W_i^{0^n}$. Values in a box $\boxed{0^n}$ highlight the difference between $\mathcal{G}_2$ and $\mathcal{G}_3$.
  • ...and 3 more figures

Theorems & Definitions (8)

  • Definition 1: Wire Label Offsets
  • Definition 2: Wire Label Encoding
  • Definition 3: TCCR Security (Guo2020a)
  • Definition 4: n-TCCR Security
  • Theorem 1
  • proof
  • Theorem 2
  • proof