 Hi, I'm Lorenz Roy. I'd like to show you our new garbling technique, sliced and diced garbling, where three halves come together to make a hole. Garbled circuits are one main technique used for secure function evaluation. For example, two parties may be trying to compute statistics on medical data from multiple sources covered by incompatible regulations. They each have a private input, and together they want to compute some function of both their inputs. For garbled circuits, one party hardcodes its inputs into the function f, while the other provides its inputs as x. These two parties are called the garbler and the evaluator. The garbler mixes up the function f to make food capital F, or sorry, I mean the garbled function, and then gives it to the evaluator for taste testing, or sorry, I mean evaluation. They also use oblivious transfer to give the evaluator its encoded inputs capital X. The evaluator runs the garbled circuits to get garbled outputs y, which are then decoded to get the output of the function. Researchers have been improving garbled circuits communication costs ever since Yao first invented them. This plot shows the cost of garbling a circuit consisting of an AND gate and an XOR gate. Beaver, Macaulay, and Rockaway introduced the point and permute optimization. Now our Pincas and Sumner saved a cybertext in each gate by using row reduction. Colesnokov and Schneider introduced a very important optimization called FreeXOR, which eliminates all communication from XOR gates. There are a couple of other papers that introduced optimizations, but unfortunately they are incompatible with FreeXOR. Zahur, Roslick, and Evans found that XORing together two half gates makes a whole AND gate, and is compatible with FreeXOR. This allowed AND gates to be garbled with only two cybertexts worth of communication. Half gates was the state of the art for six years and was even proven optimal in a stricter model. Initially we also believed it was optimal and tried to prove this more generally. However, while investigating what made our attempted proof difficult, we discovered something new. With sliced and diced garbling, an AND gate can now be garbled with just three halves of cybertext while maintaining compatibility with FreeXOR. This is a more detailed comparison to previous work. Communication and computational costs are given, along with a required security assumption. Our technique, sliced and diced garbling, is shown in bold in the bottom row. It gives the best communication cost among all schemes. Although we do use more computation, how much more depends on an optimization detailed in the paper. Like all FreeXOR schemes, we require the stronger circular correlation robust hash assumption. Now let's look at how garbled circuits work. In a garbled circuit, the function f is broken down into gates connected with wires. Here's a wire carrying one bit. Garbled will encrypt the circuit. Each wire is given two random, unguessable strings called wire labels, representing false and true. The evaluator will only ever know one of the two wire labels for each wire. It must not learn the other wire label. Each gate must provide some way for the evaluator to encrypt only the correct output wire label. To hide which wire label represents true, the garbler samples the point from the bit Pi A. The labels A0 and A1 are swapped if Pi A is one. Therefore, if the evaluator has AI, then I and Pi A are secret shares of the pointx value on that wire. FreeXOR requires the A0, XOR, A1 always be Delta, so the AI is always A0, XOR, I times Delta. Delta must be kept secret from the evaluator. This key optimization allows XOR gates to be evaluated by simply XORing the wire labels. The evaluator will need to know whether it has A0 or A1, so the first bit, called the color bit of A0 is set to 0, and if A1 is set to 1. This is safe because the evaluator doesn't know Pi A. Due to code the final output from the circuit, the evaluator sends the output wire labels to the garbler, who knows which represents true. Recall that the color bit and the point and permute bit are secret shares of the pointx value of a wire in the garbled circuit. From this viewpoint, the rest of the wire label authenticates the shares. Linear operations on secret shares can be applied for free. The same is true for garbling because we use the same Delta for all wires. If we have an XOR gate, then we can set the output wire labels to be the XOR of the two input wire labels. The evaluator can now evaluate the gate by just XORing the two input wire labels together. This requires no communication and very little computation. For this reason, garbled circuits are generally represented using AND gates and XOR gates. In a classic garbled circuit, the other gates in the circuit become encrypted lookup tables. Where given only a single wire label from each input wire, only a single output may be decrypted. The garbler gives the evaluator a encrypted gate containing the four gate ciphertexts G00 and so on. AND gates have three ways to evaluate the false and one way to evaluate the true. Let's see be the wire label representing false. Three of the four gate outputs must be c while the remaining output must be c XOR Delta to represent true. If, for example, a's point permute bit is 0 and b's is 1, then both inputs represent true when the evaluator is given a1 and b0, while in the other three cases the AND gate will be output false. When the evaluator gets inputs ai and bj, it can only decrypt cij. This is the correct output wire label. Our new garbling scheme depends on taking a linear algebraic perspective on garbled gates. We have not found any simpler description. I'll start out by deriving it for these classic garbled AND gates. The garbled gate consists of four ciphertexts. A secure way of encrypting them is to hash the input wire labels and XOR that with the output wire label. Each output wire label cij is either c, the output wire label representing false, or cx or delta, the label representing true, depending on the truth table of the gate. We are still using the example of an AND gate with point and permute bits pi a equals 0 and pi b equals 1. So the true output case is a1 b0. We arrange the equation so that the variables that the garbler solves for are on the left and the values that are already constrained are on the right. When the garbler reaches this gate, it will already know the input wire labels a01 and b01, and it will already have chosen delta. It's also the gate ciphertexts, gij, and the output wire label representing false, c. These linear equations specifying the garbled gate can be written with linear algebra instead. Here is the equation for the 00 case. For this technique, the hash gets multiplied by an AND matrix, but this matrix will get more interesting when we try to optimize garbling. We can stack multiple equations together using this notation. The 1-0 case is the true case, and so it involves delta. To represent this, add a vector that is multiplied by delta. We now get the full gate equation. The garbler can use this to find the gate ciphertexts gij and the output wire label representing false, c. There is a gate matrix v that says how c and the gate ciphertexts enter the equation. A hash matrix m is specifying how the hashes are used. A hash vector h containing all four hash evaluations, and a truth table t giving the cases where delta is used. t is just the gate's truth table, commuted to match the point and permute bits of the inputs. Although this equation shows how to garble the gate, in fact we discovered it by writing out the four ways that the gate could be evaluated. Notice that this equation is under-determined. That is, g00 is redundant and can be set to zero, as long as we solve for the false output wire label c. This optimization is called row reduction. Well, that's one optimization. Can we do any others? Can we compress the gate ciphertexts? Well, this may seem absurd, as the gate ciphertexts have been hidden using h, and you cannot compress the uniform randomness. However, we can use h in a way that reduces the entropy, allowing the gate to be compressed. Instead of hashing the input wire labels together, hash them separately, and XOR the hashes together. This still has the security property that the evaluator cannot evaluate any other case than the one it is given, because any two possible ways of evaluating the gate are separated by at least one input change, which then tashes to something that the evaluator does not know. If we multiply the all ones row vector by the vector of the combined hashes, which represents taking the XOR of all four elements, we get zero because each hashed wire label is used exactly twice. This means that there is now one linear constraint on the combined hashes, so they only have less entropy than the four. The new hashes can be written in matrix notation. The hash matrix now has rank three, because each column XORs to zero. The all ones vector, representing the constraint that the hashes XOR to zero, is the co-colonel of this hash matrix. In other words, it's a kind of witness to the hash matrix not being full rank, which is good because it means that there is a redundancy that we can compress away. This is the gate equation, now using the half gates hash. We now have one fewer ciphertext, because the hash matrix now has only rank three. Notice that the equation is now over determined, so for a solution to exist, we need the right hand side to be in the column space of the gate matrix V. This is fine for the hashes, specifically chose V as the basis for M's column space. But the truth table XORs to one, in every column of the gate matrix XORs to zero, so the truth table is not in the gate matrix's column space. Therefore, no solution can exist. To find a way of fixing this, let's switch back to the evaluator's perspective. The evaluator computes the XOR of the two hashes, and uses it to decrypt the gate ciphertext. Using the correct row of the half gates gate matrix is equivalent to computing i times g zero XOR j times g one. This equation uses the gate ciphertext and the hashes, but there's one thing it's missing. It never uses the input wire labels directly. Let's try XORing ai into the up-it when the b input has colored bit one. In other words, the XOR with j times ai. Switching back to the garbler's perspective, this becomes four equations for the four evaluation cases. Like when we were deriving the linear algebraic perspective before, we can substitute in the relationship that cij and ai have with delta. Notice that a one becomes a zero XOR delta. This additional delta term will let us fix the problem. Also like before, we can rearrange the terms so that the variables that the garbler must solve for are on the left, and the already known values are on the right. Again, we can stack these equations together into matrices. The first case only uses c, it only computes hashes h of a zero and h of b zero. Something interesting happens in the second case. We need to add another matrix, called the control matrix, to represent the fact that a zero was XORed into this output wire. The third case is the true output case, so it gets a one in the truth table. In the final case, the control matrix, not the truth table, is responsible for delta being XORed into the output, because the delta came from the evaluator XORing the output wire label of a one. In general, the control matrix R tells which inputs are XORed into the output, in which cases. Now that the truth table has been XORed with the control matrix, the result has an even number of ones in each column, no matter where the one goes in the truth table. The equation will now always be solvable. Half gates was the state of the art in gobbling AND gates, until our work. More compression will require more redundancy in the hash matrix. That is, to reduce the number of gates save attacks, you must reduce the rank of the hash matrix. The redundancy in the half gates hash matrix comes from using hashes that can be computed in two out of four cases. This diagram shows which hash calls can be computed by the evaluator, for which inputs. There are four points representing the four cases a gate can be evaluated in. Each hash is represented as alignment through the points that it can be evaluated at. For example, the lower left point is the a1 b0 case, where the evaluator can compute h of a1 and h of b0. Taking the XOR of the two inputs, using free XOR, gives another pair of true and false wire labels. What happens if we hash them? We get two new hash evaluations, which can each be computed in two out of the four cases. One can be evaluated when the inputs are the same, while the other can be evaluated when the inputs differ. E.g., in the a1 b0 case, not only can the evaluator find h of a1 and h of b0, it can also compute h of a1 XOR b0, which is the same as h of a0 XOR b1. We'd like to get more redundancy from using these extra hashes. Unfortunately, going down to rank two would be too low. The hash matrix would either have two identical rows or an all zero row. If we can't save a whole ciphertext, let's save a half. Let's put the wire labels up into two pieces. This allows much more flexibility when choosing linear combinations of hashes. In each of the four cases for the inputs a and b, there are three hashes that the evaluator can compute. Each hash function produces only half-sized output, but still takes full-sized input as otherwise we'd be having the security parameter. The three half-sized hashes are combined to make a whole wire label worth of randomness, which is used to mask the output wire label. The evaluator will compute the left half of the output with h of a, XOR h of a, XOR b, and the right half with h of b, XOR h of a, XOR b. Some other terms are needed, of course. We need to use the gate ciphertext in the control matrix. The hash term in the gate equation will now look like this. Notice that after splitting, we now have eight rows instead of four, because each case of evaluation must now produce a two-dimensional vector as the output wire label. The hashes the evaluator uses can be read off the hash matrix. E.g., let's say that the evaluator has the a0, b1 case corresponding to the third and fourth rows of the matrix. The evaluator can compute the left half of the output wire label using h of a0 and h of a0, XOR b1, and the right half using h of b1 and h of a0, XOR b1. Notice that every row of m XORs to 0, so m has rank 5. For the equation to be solvable, the right-hand side must be in the column space of the gate matrix. Therefore, we should pick a gate matrix of five columns to span the five-dimensional column space of m. Two of the columns can be the two halves of the false output wire label, because of row reduction. The other three columns must come from the gate ciphertexts. Since they are half-sized, if we can get this to work, then we have a three-halves ciphertext garbled end gate, as promised. So we need to fill out the question marks in v so that the column spaces match. It turns out that grabbing three columns from m will make v have the correct column space. Might we have reduced the security level by using a hash function with a half-sized output? To argue otherwise, assume that there is an evaluator that gets the input wire labels in the a0, b0 case. The evaluator has been corrupted and is trying to evaluate the a0, b1 case. For security, it must not be able to learn anything about the output wire labels other than the one that is supposed to evaluate. The red wire labels are the values it knows. It can only compute hashes on known inputs. These hashes have also been highlighted. The evaluator isn't able to learn anything about c01. The two hashes, h of b1 and h of a0, x or b1, which it cannot compute, are enough to completely hide both halves of the output wire label. This is true in general. Any two evaluation cases only share a single hash. The other two hashes will look completely random to a corrupt evaluator and will completely hide the output wire label. We need to derive the full gate equation in order to find the control matrices. To start off, this is how the evaluator will compute the output wire label, using parts of the gate matrix and control matrix. The partial control matrices, RIJA and RIJB, are two-by-two matrices telling the evaluator how to use the a and b inputs. For concreteness, let's assume that the evaluator has inputs a1 and b0. Introduce deltas into the equation by substituting in the equations for the input and output wire labels in terms of delta. In this example, the a1, b0 case outputs true, so the left side becomes the true wire label, cx or delta. Here's the complete gate equation. The left two columns of the gate matrix are always stacked identity matrices, as they correspond to cl and cr, which are always part of the left and right halves of the output wire label, respectively. Rows 5 and 6 correspond to the a1, b0 case shown above. The deltas on the left side of the evaluation equation, which came from this being the true output case, it turned into a two-by-two identity matrix in the truth table. The deltas on the right of the evaluation equation come from a1 being a0, x, or delta. R10a is multiplied by both a0 and delta in this equation. In the gate equation, this makes the control matrix contain r10a in both its a0 and its delta columns. We can write this equation more succinctly, using matrices and vectors we defined. Again, we need the right side of the equation to always be in the column space of v. Like half gates, the truth table causes the most trouble, because we have to pick the control matrix so that rx or t fits in the column space. However, this is a bigger issue than it was for half gates. Slicing requires creating an asymmetry, where h of a is used in the left half of the output, while h of b is used in the right. The corresponding asymmetry in the column space forces the control matrix to depend on which case output is true. The evaluator would have to be told the control matrix, but then it could find out which point in permute bits correspond to that control matrix. Leaking the point in permute bits is a big problem, as then the evaluator would know the point x values in the circuit. Our solution to this problem is called dicing. The idea is that the evaluator doesn't need to know the whole control matrix. It only needs to know rij, which tells it what to do with the input wire labels ai and bj, the one case it is evaluating. The garbler rolls dice to randomize the choice of r, so that rij leaks nothing. It then garbles the control matrix, by encrypting each rij with the input wire labels ai and bj, so that the evaluator cannot learn more than rij. For this to work, we need the distribution on control matrices that always puts rx or t in the column space. It does not leak the truth table t to the evaluator. These compressions so that we don't have to send the whole control matrix, which takes 32 bits for every gate. We require that each rij is in a linear subspace s of 2x4 matrices. It turns out that a two-dimensional subspace is optimal. With compression, each rij can be written as eight individual bits, called control bits, using a basis as this linear subspace. We put these eight bits together into a 4x2 matrix. Each row represents an evaluation case, while the columns correspond to the basis elements s1 and s2. Evaluating the gate requires three steps. First, the evaluator decrypts the garbled control bits. z contains the encrypted control bits, and zij gives the encrypted bits with the ai bj case. h' is a hash function with two-bit output. Next, the evaluator finds it's part of the control matrix using the control bits and the basis. Finally, it uses the control matrix to evaluate the gate and get the output wire label cij. We use the co-kernel to help find the control matrix distribution. The co-kernel of v is the matrix k such that kv equals zero, and k has as high a rank as possible. This means that a vector x is in the column space if and only if kx equals zero. ks3 rows, which represents three constraints on x. For half gates, the co-kernel was the all-ones row vector. We need r, x, or t to be in the column space. And the co-kernel gives a convenient way of expressing this constraint. Call it the co-kernel constraint. Let's see what the right-hand side of this constraint is. The first four columns must be zeros because the zero is stuck onto the left of t. The 2x2 identity matrix in t selects columns 5 and 6 from k to be the right two columns of the result. In general, the product can be written in this form. p is the parity of the gate, which is one for an AND gate, or for any gate for which there is an odd number of inputs that make the output be true. Notice that the last row of k is asymmetrical. This means that A and B depend on which output is supposed to return true, i.e. on the point-and-permute bits, which is what forces us to use dicing. To sample the control matrix, we first find a matrix that satisfies the co-kernel constraint by taking a linear combination of basis solutions. This is then masked by picking a random control matrix, r-dollar sign, that doesn't affect the co-kernel constraint. It must be in the subspace s. To see why this will satisfy the co-kernel constraint, multiply the result in control matrix by the co-kernel on the left. r-dollar sign disappears, and the others were chosen to give particular matrices, so that after simplification, kr will take the required value. For privacy, we also need r-dollar sign to be random enough to hide both rA and rB. We performed a computer search over all possible two-dimensional subspaces of 2x4 matrices, solving for the control matrices r-dollar sign, rA and rB to see if they work. This is the solution we found. In the middle row, the control matrices are written using the basis. Each column of a 4x2 matrix corresponds to one of the basis elements, while each row corresponds to an evaluation case. The evaluator's marginal view comes from just a single row of a linear combination of these 4x2 matrices. There is clearly enough randomization to make this uniform. A row of r-dollar sign is just two random bits. The bottom row shows the corresponding full control matrices. They satisfy the co-kernel constraints. Note that the RP does not fit in the subspace. This is allowed because the gate parity is public, so for AND gates, the evaluator can just take the decoded control matrix and XOR it with RP before using it. To summarize, there are a few key ideas we use to beat half gates. The linear algebraic perspective is powerful because it lets us put the whole garbled gate into one linear equation. More hashes allow for more redundancy in the hash matrix, and so for better compression of the gate sacred texts. Half gates are missing the third hash evaluation, H of AX or B. To take advantage of this redundancy, we had to use slicing and split all the wire labels in half. And we needed dicing to fix a technical issue with the control matrices, which would otherwise have leaked the plaintext values to the evaluator. There are several more results in our paper, which unfortunately didn't fit into the talk. If we expand the size of the control subspace to four dimensions, we can hide the gate parity P as well, keeping the entire truth table secret from the evaluator, instead of just the point and permute bits. We describe a weakening of tweakable circular correlation robust hash functions that we call randomized TCCR hashes. The new hash can be made almost as efficient as a CCR hash, but it is still tweakable enough for garbling. It is possible to save computation on some circuits by combining together hash evaluations from multiple gates. Normally the hash function is instantiated for AES, which has twice as much output as we need. So if there are two gates that share an input wire, then one hash is enough for both. We can reduce the size of the garbled control bits from 8 bits down to 3 bits by using sliced garbling again. The control bits have a structure that lets us garble them without dicing, so this does not lead to infinite recursion.