 Thank you. I'll be talking about hashing garbled circuits for free and this is joint work with John Fan and Vlad Gulisnikov. So garbled circuits is one of the main techniques for secure computation and today a primitive in its own right. Hashing garbled circuits could potentially come up in many applications of garbled circuits like cut and choose for two-party computation, private certified functions for credentials, encrypted database systems like blinds here and so on. A natural way to hash a garbled circuit is to first generate the garbled circuit and then use a hash function like SHA on the garbled circuit string. But when we look at the relative cost of fixed key cipher garbling and hashing, the cost could vary depending on the architecture but with fast hardware AES implementations, garbling is fast and oftentimes SHA is the bottleneck. So on typical computing platforms of today, hashing a garbled circuit could cost up to six times more than that of generating a garbled circuit. So in this work, we study free hashing which allows for hashing a garbled circuit at no additional cost during the generation of the GC itself. And we see that eliminating the cost of GC hashing significantly improves performance in many applications. One of our motivating applications is an attribute-based credential verification where we have a prover with an input who wishes to prove in zero knowledge that his input satisfies a certain policy and we are interested in the setting where the verifier's policy function is also private. So standard cut and choose approaches do not seem to work here since the check circuits reveal the evaluated policy function. In a setting where a certificate authority is available, we can have the CA certify the correct generation of garbled circuits. So here is the setting we are interested in where hashed garbled circuits could be applied in a straightforward way. We have a prover verifier and a certificate authority with the signing and verification key. The CA begins by generating many seats to be used as seats of a pseudo-random generator and then garbles generates the garbled circuit for the circuit that represents the policy function of the verifier and he uses the randomness that is generated by using the seed S. Now he computes the hash of the garbled circuit, signs the hash and sends the seed and the signature to the verifier. Later in the online phase, the verifier can reconstruct the garbled circuit using the randomness generated from the seed and she sends the garbled circuit along with the CA's signature to the prover. The prover can compute the hash of the garbled circuit and he proceeds to evaluate the garbled circuit only if the signature of the CA verifies. A similar idea can be used in general cut and choose protocols. This was first formalized by Goyal Mahazal and Smith in 2008 where a party P1 uses a seed to construct many garbled circuits and instead of sending all the garbled circuits to party P2, he sends many hashes. And if the IAID garbled circuit is chosen to be a check circuit, P1 reveals the seed SI and P2 can reconstruct the IAID garbled circuit and verify the hash. So GMS and all subsequent protocols that use this idea use a collision resistant hash to trade off computation for communication and we can ask if our free hash construction can be used in all these protocols. So here is a summary of our results. We begin by giving a definition for garbled circuit hash security and then give hashed garbling constructions both for standard garbling and state of the art half gates construction. We then implement our construction and evaluate its performance and finally discuss applications of our constructions. So before I begin let us quickly recall what a garbling scheme is. So we have a tuple of algorithms garbled encode val and decode. Garbled is a randomized algorithm that takes a circuit and outputs a garbled circuit along with encoding and decoding information. The encode algorithm takes the plain text input and the encoding information and outputs a garbled input. A val takes the garbled circuit and a garbled input and gives a garbled output. Decode takes a garbled output and the decoding information and gives the plain circuit output. We want correctness that is after evaluating the garbled circuit if we decode the garbled output it should be equal to c of x and for security we want privacy that is the garbled circuit garbled input and the decoding information should reveal nothing beyond c of x and authenticity states that given the garbled circuit and the garbled input it's hard to find a garbled output that decodes to something other than c of x. In addition to these standard properties we also want verifiability which means that there is an additional algorithm called verify that takes a circuit c and a purported garbled circuit c hat and outputs one if c hat is indeed a valid garbling of c and zero otherwise. So I'll begin by giving our definition of garbled circuit hash security. The high level idea is that we take advantage of the fact that the input to hash is a garbled circuit which means it has to be evaluatable under the eval function and our definition is going to be weaker than the standard notion of collision resistance. So given a correctly generated garbled circuit and its corresponding hash the adversaries allowed to come up with another garbled circuit g c hat such that the hash collides but if that happens the guarantee is that the garbled circuit property of g c hat is broken which means g c hat will fail to evaluate. So here we have an adversary who outputs two different garbled circuits along with two different encoding information decoding information d and hash h. Now say the two garbled circuits collide in their hash. Now we have that if one of the garbled circuits say the green garbled circuit verifies then the red garbled circuit fails to evaluate that is decoding the output of eval on the red garbled circuit fails. Now the adversary is allowed to come up with green and red encoding information corresponding to the two different garbled circuits but the decoding information d is the same that is the d with respect to which the red garbled circuit fails evaluation is the same d with respect to which the green garbled circuit passes verification. And this restriction is essential for hash security because if we did not place this requirement the adversary can come up with d that simply decodes any string returned by eval to arbitrary outputs. Coming to our hash garbling constructions our high-level idea is to intertwine the generation of the hash and verification of the hash with the garbled circuit generation and evaluation. We attempt this by maintaining a running hash as the xor of all the garbled rows. So here we have an example circuit with two gates the logical values on the wires are labeled and we have two keys corresponding to the two values on the wires. So we have gt1 which is a garbled table corresponding to the AND gate here. So this encrypts the output wire labels c0 and c1 according to the functionality of the AND gate and gt2 is the garbled table corresponding to the OR gate here that encrypts the output wire label e according to the OR functionality and the garbled circuit itself consists of the garbled tables and say we set the hash to be xor of all the garbled rows. So what can an adversary do now he can for example mount the following attack say he changes one of the entries in gt1 so he changes the last row here to encrypt c0 instead of c1. Now we have a different garbled circuit gc hat but this also affects the running hash by some offset delta. Now say the adversary knows where anywhere in the circuit there exists an inactive row he can change that entry by the same offset delta which now fixes the hash and since this row is not going to be used during evaluation the adversary will not be caught. So our refinement of this approach is to now make each gate's output wire label depend on all entries of the garbled table and the intuition is that the xor hash correction will now necessarily involve modifying an active garbled table entry thus affecting the computed output wire label of the gate. So going back to our example circuit we now treat the output wire labels as temporary wire labels and change the way we define the output wire labels. So now we have the garbled tables that encrypts the temporary output wire labels and we set the real wire labels to be the temporary labels xor with all the rows of the corresponding garbled table. Again we set the hash to be the xor of all the rows and now going back to the previous attack if the adversary changes one row he modifies the hash by some offset delta but now if he changes some entry in gt2 to fix delta he also changes the translation between the temporary wire label and the real wire label but what he can now do instead is to guess which combination of values will not be used in the same garbled table and change that to fix the offset delta which fixes both the hash and the translation between the output wire label c without disrupting the translation of the output wire label e. So this works because the adversary can modify a garbled table entry and correct the disrupted hash within the same table. This works since the fix for the broken hash also fixes the translation from temporary and real wire labels. So the idea towards our final construction is to use garbled tables for computing wire labels and the hash but in different ways and this means that a fix for a broken running hash will no longer keep the output wire label valid. So again we treat the output wire labels as temporary wire labels and we have the garbled table entries encrypting temporary wire labels. Now we define the translation as follows. The output wire label c is going to be the temporary wire label xorred with some function of all the rows of the corresponding garbled table. We again set the hash to be the xor of all the garbled table rows and now we define the translation function f to be the xor of all the rows where the ire throw is offset by i bits. So our final construction uses all the garbled table rows as xor pads for computing both the garbled circuit hash and for the translation function but in a different manner and this means that a fix for the broken hash will not simultaneously keep the wire label valid. So if we have two different garbled circuits such that the hash collides then the evaluation of GC hat fails and this means that the evaluation of GC hat will deviate from the evaluation of GC with respect to some wire label and subsequently this can return to either a correct running hash or to a correct wire label but not both. We use bit shifting for our translation functions because it's both fast and easy to implement but in general we want functions fi such that the following property is satisfied. What this says is that if a garbled circuit is modified such that the xor of the rows remains the same then with high probability the xor of f of the garbled rows will change and this is sufficient to prove security of our construction. So we instantiate the key derivation functions of our garbling scheme with the Davis Mayer construction and assume that it is a random permutation. To be compatible with free xor we also assume that it's correlation robust. To prove hash security of our construction under our definition we additionally require collision resistance of Davis Mayer which can be achieved assuming that it is an ideal cipher. The current state of the art in garbling is the half gate construction of Zahur et al from 2015 and the half gate construction is compatible with free xor and uses two ciphertext to garble and AND gate. So the question is can we have a free hash construction for the half gates garbling scheme. So a half gate is an AND gate where one of the inputs is known to the parties in the clear. So say a here is known to the garbler this is a generator half gate and if one of the inputs is known to the evaluator it's an evaluator half gate. Now if we look at the following two AND gates where r here is a value that is chosen at random by the garbler and if we can arrange for the evaluator to learn ax or r in the clear then we see that the first AND gate is an evaluator half gate and the second AND gate is a generator half gate. And we can put the two half gates together by exhorting the output of the two half gates to obtain a complete AND gate here. And the half gates construction shows how to garble two half gates using one ciphertext each and we can put them together to garble a complete AND gate using two ciphertexts and we have xor for free. So now the observation is that in the half gates construction there is no inactive row which means that both ciphertexts are going to be decrypted during evaluation and is used to compute the output wire label. So if the adversary modifies any garbled row he is going to change the output wire label computed on that gate. This observation leads us to a simpler hash construction. We can set the hash of the garbled circuit to be the xor of all the ciphertexts without having to use a translation function. And in the paper we prove that this construction is secure as per our definition under the same assumptions. We implemented our construction using the libgarbo library on a system that has AES and I integrated. And this table shows numbers in cycles per gate for garbling the AES circuit. So the first column is our construction and we compare it against garbling the circuit and then using xor on it, using the xor from the open SSL library. And we note that our construction is very close to the number for just garbling the circuit itself. Coming to applications of our free hash construction. Since our construction satisfies a different notion than that of collision resistance, let's look at the difference between collision-resistant hash and free hash in the context of cut and choose protocols. So when using a collision-resistant hash, a party p1 commits to a garbled circuit by sending a hash. And he can choose the garbled circuit to either be a good or a cheating circuit. And once the hash is fixed, he cannot flip between the two designations. When using free hash, he again has similar choices. He can commit to either a good or a cheating circuit and cannot change this designation after sending the hash. But now, in addition, he can do the following. He can open both a good and a cheating garbled circuit into what we call a broken garbled circuit, which will fail evaluation. And the question is, when can p2 safely abort when he sees a broken garbled circuit? And we observe that it is safe for p2 to abort in protocols in the covert security model, where a party is allowed to deviate from the protocol but is caught with a fixed probability called the deterrence factor. This model was introduced by Armin and Lindel and further studied and subsequent works. So in these protocols, a cheating p1 can already turn a good evaluation circuit into a broken one, and p2 can safely abort independently of his input. So we see that in protocols in the covert model, using the free hash construction, we can improve the deterrence probability for the same communication complexity and get an improvement in the total execution time for the same deterrence. So here we compare execution times. We have the total number of circuits required to achieve a deterrence of 0.9. And to compute the execution time, we assume that generating a garbled circuit takes 95 seconds for a billion gate circuit. And for communication, we assume a 1Gbps channel. And we see the improvement in the second and fourth rows when using our free hash construction in the covert secure protocols. So can we apply our free hash construction to more general maliciously secure protocols? We note that it does not apply to the state of the art protocol of Lindel 13. And in general to protocols in the four gen loose technique that we saw in the previous two talks, this is because in these protocols, the cheating punishment phase relies on at least one evaluation circuit being good. And because p1 can open a good evaluation circuit as a broken one when he uses the free hash construction, p2 cannot tell if a failure in decoding is because of a hash failure or is a selective failure attack. And this effectively prevents input recovery. It also does not apply to protocols in the dual execution setting. Because again, a cheating p1 can open all good evaluation circuits as broken ones. And since the final output is the result of an equality test or of a private set intersection, the output of PSI could potentially leak bits of p2's input. Nevertheless, it can be used in protocols that is based on majority output. And moreover, when we use a collision resistant hash in cut and choose protocols, the cost of a check circuit is cheaper than the cost of an evaluation circuit in terms of communication. And this results in an optimal ratio of check and evaluation circuits that is different from half. And we show this calculation in the paper for a dual execution protocol. It remains to be seen whether our definition of hash security applies to protocols in the amortized settings. Also, our definition of hash security assumes that the adversary outputs two different garble circuits, but the topology remains the same. So we can ask if we can make our constructions work when the adversary can also change the topology of the circuit. I'll stop here. Thank you.